Page 1: Database Security

Free Powerpoint Templates

DATABASE Security
Lillian Nasharitah

Page 2: Database Security

What is a Database?

A structured set of data held in a computer, especially one that is accessible in various ways.

Page 3: Database Security

What is inside a Database?

Page 4: Database Security

Database Schema

A database schema of a database system is its structure, described in a formal language supported by the database management system (DBMS); it refers to the organization of data and serves as a blueprint of how the database will be constructed (divided into database tables).

Page 5: Database Security

Concepts of Database Security

Page 6: Database Security

Confidentiality

Confidentiality can be enforced by encrypting the data stored in the database.

Encryption is a technique or process by which data is encoded in such a way that only authorized users are able to read the data.

In other words, encryption means rendering sensitive data unreadable to unauthorized users.

Page 7: Database Security

Integrity

Integrity can be enforced by setting User Access Controls (UAC) that define which users are given which permissions in the database.

For example, suppose data related to employee information is stored in a database.

An employee may have permission to view the records and to alter only part of the information, such as their own contact details, whereas a person in the human resources department will have more privileges.

Page 8: Database Security

How to ensure the integrity of the database?

Once the database is installed, the password has to be changed. Similarly, periodic checks have to be conducted to ensure the password has not been compromised.

User accounts that are not in use have to be locked. If one is sure that these user accounts will never be used again, then the best step is to remove them.

Policies that enforce strong passwords have to be in place. A good idea is to have a policy of changing the passwords once a month.

Page 9: Database Security

How to ensure the integrity of the database?

Check the roles each user has and set the rules accordingly. You must ensure that users are given only the permissions they need for what they are allowed to do. I know this is a time-consuming job when the database is huge, but once the permissions are set the right way, it is easy to detect unauthorized entry or access.

Does your company have multiple database administrators? If yes, segregate the duties among these database administrators.

Page 10: Database Security

Availability

To ensure availability, the following steps have to be taken:

• Restrict the amount of storage space given to each user in the database.

• Limit the number of concurrent sessions made available to each database user.

• Back up the data at periodic intervals to ensure data recovery in case of application issues.

Page 11: Database Security

Availability

Databases should be secured against security vulnerabilities.

Page 12: Database Security

Threats to Database Security?

Page 13: Database Security

Threats to Database Security

1. Privilege abuse

When database users are provided with privileges that exceed their day-to-day job requirements, these privileges may be abused intentionally or unintentionally. Take, for instance, a database administrator in a financial institution. What will happen if he turns off audit trails or creates bogus accounts? He will be able to transfer money from one account to another, thereby abusing the excessive privilege intentionally.

2. Operating System Vulnerabilities

Vulnerabilities in underlying operating systems like Windows, UNIX, Linux, etc., and in the services related to the databases could lead to unauthorized access. This may lead to a Denial of Service (DoS) attack. This could be prevented by applying operating system security patches as and when they become available.

Page 14: Database Security

Threats to Database Security

3. Database Rootkits

A database rootkit is a program or a procedure that is hidden inside the database and that provides administrator-level privileges to gain access to the data in the database. These rootkits may even turn off alerts triggered by Intrusion Prevention Systems (IPS).

4. Weak Authentication

Weak authentication models allow attackers to employ strategies such as social engineering and brute force to obtain database login credentials and assume the identity of legitimate database users.

Page 15: Database Security

Threats to Database Security

5. Weak Audit Trails

A weak audit logging mechanism in a database server represents a critical risk to an organization, especially in retail, financial, healthcare, and other industries with stringent regulatory compliance. Regulations such as PCI, SOX, and HIPAA demand extensive logging of actions so that an event can be reproduced at a later point in time in case of an incident. Logging of sensitive or unusual transactions happening in a database must be done in an automated manner for resolving incidents. Audit trails act as the last line of database defense. Audit trails can reveal that a violation occurred and help trace it back to a particular point in time and a particular user.
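As an added example (not from the deck), the employee/HR permission rule from the Integrity slides and the per-user, time-stamped audit trail described here, implemented in Python over an in-memory SQLite database; the schema, user names and field names are constructed for the demo.

```python
import sqlite3
import time

CONTACT_FIELDS = {"phone", "address"}          # an employee may change only these, on their own row
ALLOWED_FIELDS = CONTACT_FIELDS | {"salary"}   # HR may change these on any row

def setup_db():
    """Constructed demo schema: employees, role assignments and an append-only audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, phone TEXT,
                                address TEXT, salary INTEGER);
        CREATE TABLE roles (username TEXT PRIMARY KEY, role TEXT, employee_id INTEGER);
        CREATE TABLE audit_log (ts REAL, actor TEXT, action TEXT, employee_id INTEGER,
                                field TEXT, allowed INTEGER);
        INSERT INTO employees VALUES (1, 'Alice', '555-0100', '1 Main St', 50000);
        INSERT INTO employees VALUES (2, 'Bob', '555-0101', '2 Main St', 52000);
        INSERT INTO roles VALUES ('alice', 'employee', 1);
        INSERT INTO roles VALUES ('hr_pat', 'hr', NULL);
    """)
    return conn

def may_update(role, own_id, target_id, field):
    """The deck's rule: employees edit only their own contact details, HR has more rights."""
    if field not in ALLOWED_FIELDS:
        return False
    if role == "hr":
        return True
    return role == "employee" and own_id == target_id and field in CONTACT_FIELDS

def update_field(conn, actor, target_id, field, value):
    """Permission-checked update; every attempt, allowed or denied, lands in audit_log."""
    row = conn.execute("SELECT role, employee_id FROM roles WHERE username = ?",
                       (actor,)).fetchone()
    role, own_id = row if row else (None, None)
    allowed = may_update(role, own_id, target_id, field)
    with conn:  # one transaction: the change and its audit record commit (or roll back) together
        if allowed:
            # `field` was checked against ALLOWED_FIELDS, so it is safe to place in the
            # statement text; the value itself is always passed as a bound parameter.
            conn.execute(f"UPDATE employees SET {field} = ? WHERE id = ?", (value, target_id))
        conn.execute("INSERT INTO audit_log VALUES (?, ?, 'update', ?, ?, ?)",
                     (time.time(), actor, target_id, field, int(allowed)))
    return allowed

def denied_attempts(conn):
    """The auditor's view: who tried to change what they were not permitted to, in order."""
    return conn.execute("SELECT actor, employee_id, field FROM audit_log "
                        "WHERE allowed = 0 ORDER BY rowid").fetchall()
```

Because the audit row is written in the same transaction as the change, a denied attempt leaves a record even though no data was modified.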

Page 16: Database Security

Examples of Databases

MySQL

Oracle

PostgreSQL

Microsoft Visual FoxPro

MariaDB

Page 17: Database Security

What is SQL Injection?

Page 18: Database Security

What is SQL Injection?

Page 19: Database Security

SQL Injection Steps

Page 20: Database Security

What Should You Look For?

Page 21: Database Security

What Should You Look For?

Page 22: Database Security

What Should You Look For?

Page 23: Database Security

SQL Injection Techniques

Page 24: Database Security

How to test for SQL Injection Vulnerability?

Page 25: Database Security

How does it work?

Page 26: Database Security

BadLogin.aspx.cs

Page 27: Database Security

Getting Output of SQL Query

Page 28: Database Security

Getting Data from Database Using ODBC Error Message

Page 29: Database Security

Hacking Tools

AutoMagic SQL

Absinthe Automated SQL

Page 30: Database Security

Automated SQL Injection Tool

Page 31: Database Security

Absinthe Automated SQL Injection Tool

Page 32: Database Security

SQL Injection in Oracle

Page 33: Database Security

SQL Injection in MySQL

Page 34: Database Security

SQL Injection in MySQL

Page 35: Database Security

SQL Injection in MySQL

Page 36: Database Security

SQL Injection Countermeasures

Page 37: Database Security

SQL Injection Countermeasures

Page 38: Database Security

SQL Injection Countermeasures

Page 39: Database Security

SQL Injection Attack Prevention

Minimize the privileges of database connections

Disable verbose error messages

Protect the system account “sa”

Audit source code

• Escape single quotes

• Input validation

• Reject known bad input

• Input bound checking

Page 40: Database Security

SQL Injection Attack Prevention

Never trust user input

• Validate all textbox entries using validation controls, regular expressions and code

Never use dynamic SQL

• Use parameterized SQL or stored procedures

Never connect to a database using an admin-level account

• Use a limited-access account to connect to the database

Page 41: Database Security

SQL Injection Attack Prevention

Do not store secrets in plain text

• Encrypt or hash passwords and other sensitive data; connection strings should also be encrypted.

Exceptions should divulge minimal information

• Do not reveal too much information in error messages; use custom error messages.
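An added example, not the deck's BadLogin.aspx.cs, showing the same bug and the countermeasures from these slides in Python with SQLite: the dynamic-SQL login beside the validated, parameterized one behind a custom error message; the table, user, password and injected username are constructed for the demo.

```python
import hashlib
import re
import sqlite3

def setup_db():
    """Constructed demo table with one user; the password is stored hashed, not in plain text
    (SHA-256 keeps the demo short; production code should use a slow, salted password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn

def bad_login(conn, username, password):
    """The BadLogin pattern: dynamic SQL built by concatenating user input into the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone() is not None

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # allow-list: reject known-bad input early

def safe_login(conn, username, password):
    """Countermeasures: validate the input, then use a parameterized query (never dynamic SQL)."""
    if not USERNAME_RE.fullmatch(username):
        return False
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute("SELECT id FROM users WHERE username = ? AND pw_hash = ?",
                       (username, pw_hash)).fetchone()
    return row is not None

def login_handler(conn, username, password):
    """What the user sees: a custom message that divulges nothing about the database."""
    try:
        ok = safe_login(conn, username, password)
    except sqlite3.Error:
        ok = False  # record the real exception in the server log, not in the response
    return "Welcome" if ok else "Login failed"
```

Even without the regular-expression check, the bound parameters in safe_login are never parsed as SQL; the validation is a second, independent layer as the slides recommend.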

Page 42: Database Security

SQL Injection Blocking Tool

Page 43: Database Security

Acunetix Web Vulnerability Scanner

Page 44: Database Security

What happened next?

Page 45: Database Security

Thank You