Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng

Jan 18, 2016

Transcript
Page 1

Database Security, CMPE 226, Fall 2015

By Akanksha Jain Jerry Mengyuan Zheng

Page 2

Overview

Why database security is needed.

Threats to databases and counter-measures.

Methods of securing a database: through a firewall, and through database abstraction.

Page 3

The Importance of Security

- To prevent unauthorized data observation.
- To prevent unauthorized data modification.
- To keep the data confidential.
- To make sure data integrity is preserved.
- To make sure only authorized users have access to the data.

Page 4

The Importance of Security

It is important to define who can access what data, who is allowed and who is restricted, whether passwords are used and how they are maintained, what sort of firewall and anti-malware solutions to use, how to train the staff, and how to enforce data security.

Page 5

The Importance of Security

The most frequently attacked system is Microsoft Windows NT, but UNIX-based operating systems have also been targeted.

Page 6

The Importance of Security

Page 7

Database Security in E-commerce Database

Page 8

1. Operating System layer

Page 9

2. Network Layer

Page 10

3. Web Servers

Page 11

4. Firewalls

Page 12

5. Database Server

● use multiple passwords to access the multiple functions of a server, such as one password to access the system for administration;

● apply a different password for each other operation;

● be audited for each and every transaction of the database;

● use an application-specific user name and password, and never a default user name or password;

● back up the system thoroughly for later recovery in case of an accidental breakdown.

Page 13

Threats to database

- SQL injection.
- Unauthorized access.
- Brute-force cracking of passwords / usernames.
- Network eavesdropping.
- Stolen (unencrypted) backup tapes.
- Targeting unpatched database vulnerabilities.

Page 14

SQL Injection

A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.

Page 15

Unauthorized Access

Page 16

Password cracking

Page 17

Network Eavesdropping

Page 18

Page 19

Methods of securing database

- Authorization: restricted privileges, views.
- Encryption: public key / private key, secure sockets.
- Authentication: passwords.
- Logical: firewalls, net proxies.
- Access control.
- Stored procedures.
- Parameterised queries.

Page 20

Authorization

- Read authorization: allows reading, but not modification, of data.
- Insert authorization: allows insertion of new data, but not modification of existing data.
- Update authorization: allows modification, but not deletion, of data.
- Delete authorization: allows deletion of data.
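These four authorization types can be enforced mechanically rather than by convention. The following is an added example (not from the slides) written in Python against the standard-library sqlite3 module, whose set_authorizer hook maps one-to-one onto read, insert, update and delete action codes; the roles, the orders table and its rows are constructed for the demonstration.

```python
import sqlite3

# Map SQLite's authorizer action codes onto the four authorization types
# described on the slide: read, insert, update and delete.
ACTION_TO_PRIVILEGE = {
    sqlite3.SQLITE_READ: "read",
    sqlite3.SQLITE_INSERT: "insert",
    sqlite3.SQLITE_UPDATE: "update",
    sqlite3.SQLITE_DELETE: "delete",
}

# Constructed sample table for the demonstration (not from the slides).
SEED_SQL = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, amount REAL);
INSERT INTO orders (customer, amount) VALUES ('alice', 19.99), ('bob', 250.00);
"""

# Hypothetical roles, each granted a subset of the four privileges.
ROLES = {
    "reporting": {"read"},
    "ingest": {"read", "insert"},
    "editor": {"read", "insert", "update"},
    "dba": {"read", "insert", "update", "delete"},
}


def make_authorizer(privileges):
    """Build the callback SQLite consults while compiling each statement.

    Returning SQLITE_DENY aborts compilation with an authorization error,
    so a denied statement never runs at all.  Actions that are not one of
    the four data privileges (SELECT bookkeeping, BEGIN/COMMIT, built-in
    functions) are allowed through so the demo stays focused on data access.
    """
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        needed = ACTION_TO_PRIVILEGE.get(action)
        if needed is None or needed in privileges:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    return authorizer


def run_as(role, sql, params=()):
    """Run one statement as `role` against a freshly seeded in-memory database.

    Returns ("ok", rows) when the statement was permitted, or
    ("denied", message) when the authorizer rejected it.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)      # seed before the authorizer is installed
    conn.set_authorizer(make_authorizer(ROLES[role]))
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return ("ok", rows)
    except sqlite3.Error as exc:      # SQLITE_AUTH surfaces as "not authorized"
        return ("denied", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    checks = [
        ("SELECT customer, amount FROM orders ORDER BY id", ()),
        ("INSERT INTO orders (customer, amount) VALUES (?, ?)", ("carol", 5.0)),
        ("UPDATE orders SET amount = ? WHERE id = ?", (1.0, 1)),
        ("DELETE FROM orders WHERE id = ?", (1,)),
    ]
    for role in ROLES:
        for sql, params in checks:
            print(f"{role:10} {sql.split()[0]:7} -> {run_as(role, sql, params)[0]}")
```

One caveat worth knowing: SQLite, like PostgreSQL, treats the columns named in a WHERE clause as a read, so a role holding only delete authorization cannot run `DELETE ... WHERE id = ?` without read authorization as well. That is why every role above includes read.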

Page 21

Security of the database through FIREWALLS

Page 22

How database firewall works

Page 23

Diagrammatic representation

Page 24

Advantages of firewalls

Page 25

Security of the database Through Abstraction

Data encryption allows sensitive data stored in table columns, such as credit card numbers, to be encrypted.

Encrypted data is decrypted for a database user who has access to the data.

Data encryption helps protect data stored on media in the event that the storage media or data file gets stolen.

Using stored procedures adds an extra layer of abstraction.

Parameterised queries.

Page 26

Stored procedure

A stored procedure is a group of one or more SQL statements.

It accepts input parameters and returns multiple values in the form of output parameters to the calling program.

Using procedure parameters helps guard against SQL injection attacks.

When calling a procedure over the network, only the call to execute the procedure is visible. Therefore, malicious users cannot see table and database object names, embed Transact-SQL statements of their own, or search for critical data.

Page 27

Parameterised Queries (Prepared Statements)

A prepared statement is a feature used to execute the same SQL statement repeatedly with high efficiency.

Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
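To make the difference concrete, here is an added example (not from the slides) in Python with the standard-library sqlite3 module. The same lookup is written first by concatenating the input into the statement text, which is the pattern the SQL injection slide describes, and then as a parameterised query whose template is fixed before any value is bound. The users table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table for the demonstration (not from the slides).
SEED_SQL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
INSERT INTO users (username, role)
    VALUES ('alice', 'customer'), ('bob', 'customer'), ('dba', 'admin');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def find_user_concatenated(conn, username):
    """Insecure pattern: the statement text is assembled from the input, so
    quote characters in the input change the structure of the statement."""
    sql = ("SELECT username, role FROM users WHERE username = '"
           + username + "' ORDER BY id")
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn, username):
    """Parameterised query: the template is compiled first and the value is
    bound afterwards, so it is only ever compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? ORDER BY id"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups for one input.  The concatenated form may fail to
    parse at all, which is reported as the string "error"."""
    conn = open_db()
    try:
        try:
            concatenated = find_user_concatenated(conn, username)
        except sqlite3.Error:
            concatenated = "error"
        return {
            "concatenated": concatenated,
            "parameterised": find_user_parameterised(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input, input containing a quote, and the textbook tautology.
    for name in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(name), compare(name))
```

The ordinary name behaves the same both ways. A legitimate name containing a quote breaks the concatenated statement outright, and the tautology input turns it into a query that returns every row, while the parameterised version simply finds no user with that literal name. Other database APIs use the same binding mechanism with different placeholder syntax (for example `%s` in psycopg or `?` in JDBC); what matters is that the value travels separately from the statement text.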

Page 28

How data Encryption Works

Data encryption is a key-based access control system. Even if the encrypted data is retrieved, it cannot be understood until authorized decryption occurs, which is automatic for users authorized to access the table.

When a table contains encrypted columns, a single key is used regardless of the number of encrypted columns. This key is called the column encryption key.

The column encryption keys for all tables, containing encrypted columns, are encrypted with the database server master encryption key and stored in a dictionary table in the database.

The master encryption key is stored in an external security module that is outside the database and accessible only to the security administrator.
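The key hierarchy described above (one column encryption key per table, wrapped by a master key that never enters the database) can be modelled end to end in a short script. The following is an added example, not the slides' or any vendor's code. It uses a stand-in cipher built from the standard library's hmac module (a real DBMS would use a standard block cipher), an ExternalSecurityModule class standing in for the wallet or HSM that holds the master key, a dictionary table named enc_dictionary, and a constructed customers table with one encrypted column; all of those names and the sample card number are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3


# --- stand-in cipher (stdlib only) -------------------------------------
# HMAC-SHA256 in counter mode supplies the keystream and a second HMAC
# authenticates nonce + ciphertext.  A real DBMS uses a standard block
# cipher; this merely keeps the key-hierarchy demo runnable offline.

def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, b"\x00" + nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"\x01" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"\x01" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


# --- key hierarchy -------------------------------------------------------

class ExternalSecurityModule:
    """Stand-in for the wallet/HSM holding the master key outside the
    database; only the security administrator's process owns this object."""

    def __init__(self):
        self._master_key = os.urandom(32)

    def wrap(self, column_key):
        return encrypt(self._master_key, column_key)

    def unwrap(self, wrapped_key):
        return decrypt(self._master_key, wrapped_key)


def setup_schema(conn, esm):
    conn.executescript("""
        CREATE TABLE enc_dictionary (table_name TEXT PRIMARY KEY, wrapped_key BLOB);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_number BLOB);
    """)
    # One column encryption key per table, however many columns it protects;
    # only its master-key-wrapped form is ever stored in the database.
    column_key = os.urandom(32)
    conn.execute("INSERT INTO enc_dictionary VALUES (?, ?)",
                 ("customers", esm.wrap(column_key)))


def column_key_for(conn, esm, table):
    (wrapped,) = conn.execute(
        "SELECT wrapped_key FROM enc_dictionary WHERE table_name = ?", (table,)).fetchone()
    return esm.unwrap(wrapped)


def insert_customer(conn, esm, name, card_number):
    key = column_key_for(conn, esm, "customers")
    conn.execute("INSERT INTO customers (name, card_number) VALUES (?, ?)",
                 (name, encrypt(key, card_number.encode())))


def read_card_number(conn, esm, name):
    """Transparent decryption for a session that can reach the master key."""
    key = column_key_for(conn, esm, "customers")
    (blob,) = conn.execute("SELECT card_number FROM customers WHERE name = ?",
                           (name,)).fetchone()
    return decrypt(key, blob).decode()


def demo():
    """Returns (decrypted value, plaintext visible in raw column?,
    unwrap with a different master key rejected?)."""
    esm = ExternalSecurityModule()
    conn = sqlite3.connect(":memory:")
    setup_schema(conn, esm)
    insert_customer(conn, esm, "alice", "4111111111111111")   # constructed value
    plaintext = read_card_number(conn, esm, "alice")
    # What a stolen data file or backup exposes: ciphertext plus a wrapped key.
    (raw_blob,) = conn.execute("SELECT card_number FROM customers").fetchone()
    (wrapped,) = conn.execute("SELECT wrapped_key FROM enc_dictionary").fetchone()
    leaks_plaintext = b"4111111111111111" in raw_blob
    try:
        ExternalSecurityModule().unwrap(wrapped)   # some other master key
        wrong_master_rejected = False
    except ValueError:
        wrong_master_rejected = True
    conn.close()
    return plaintext, leaks_plaintext, wrong_master_rejected
```

The point the demo makes is the one the slide makes: everything inside the database file (the encrypted column and the wrapped column key) is useless without the master key held in the external module, so a copied data file or an unencrypted backup tape yields nothing readable.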

Page 29

Case: Oracle Server

Page 30

Advantages of Data Encryption

Page 31

Summary

Encrypt sensitive data.

Access the database using an account with the least privileges necessary.

Install the database using an account with the least privileges necessary.

Ensure that data is valid.

Do a code review to check for the possibility of second-order attacks.

Use parameterised queries.

Use stored procedures.

Re-validate data in stored procedures.

Ensure that error messages give nothing away about the internal architecture of the application or the database.

Page 32

Thank You!!