DATABASE SECURITY

INFORMATION / DATA is one of the most valuable assets in any organization

Definition the mechanism that protect the database against intentional or accidental threats

In actual terms database security is to prevent the confidential data which is stored in repository 

Organizations functioning well have asked for the confidentiality of their database. They do not allow the illegitimate user to access their data/information. And they also claim the assurance that their data is protected from any malicious

Various security layers in a database exist database administrator system admin security officer, developers employee

security can be violated at any of these layers by an attacker

attacker can be classified into 3 INTRUDER INSIDER ADMINISTRATOR

INTRUDER an unauthorized user who inordinately accessing a computer system and tries to fetch beneficial information is called an intruder

INSIDER A person who is one of the representative of trusted users and misconduct of his/her authority and tries to get information beyond his own

ADMINISTRATOR an authorized user who has permission to administer a computer system, but uses his/her administration privileges illegally as per organization’s security policy

DIFFERENT TYPES OF ATTACKS

Direct attacks Directly hitting the target data is known as direct attack. These attacks are accessible and successful only if the database does not accommodate any protection system

Indirect attacks As its name implies indirect attacks are not directly executed on the target but data from or about the target can be collected through other transitional objects. For purpose to cheat the security system, some of the combinations of different queries are used

Passive attacks In this, attacker only inspects data present in the database and do not perform any alteration

Active attack actual database values are modified. can misguide a user. Splicing – in this, a cipher text value is replaced by different cipher text value

Interruption Interception: penghentian sebuah proses yang sedang berjalan. Performing denial of service: menutup database dari aplikasi Web, sehingga menyangkal layanan kepada pengguna lain Interception: menyela sebuah proses yang sedang berjalan. Determining database schema : mengekstrak data dari database, untuk mengetahui informasi skema database, seperti nama tabel, nama kolom, dan tipe data kolom.

Modification: Fabrication: mengubah data tanpa ijin dari pihak otoritas. Adding or modifying data : menambah atau mengubah informasi dalam database. Fabrication: perusakan secara mendasar pada sistem utama. Injection through user input:  penyerang menyuntikkan perintah SQL dengan menyediakan input pengguna yang sengaja dibuat sesuai. 

BUSINESS REQUIREMENT -- COMPLIANCE -- DATA INTEGRITY regulation designed to prevent fraud and ensure that data changes are appropriately managed DATA CONFIDENTIALITY regulations designed to protect personal,medical, financial data from theft and exposure

REGULATION NAME SECURITY REQUIRMENT Payment Card Industry Da ta Security Standard (PCIDSS) Reuires that mrerchants track and monitor all access to cardholder data. secure audit trails so they can’t be altered Remove/disable inactive user accounts at least every 90 days EU Privacy Directive Protects personal data that is processed or transferred. … Government & industry regulations require organizations to protect regulated data from unauthorized access & changes

The required controls include… Keeping a complete database act’ audit trail Limiting access to business need-to-know In case of a breach, notifying those individuals whose data has been breached

DATABASE SECURITY REQUIREMENT ORGANIZATIONS MUST IMPLEMENT A COMPREHENSIVE DATABASE SECURITY STRATEGY

DISCOVER & CLASSIFICATION SENSITIVE DATA IDENTIFYING ALL SENSITIVE DATA WILL HELP ORGNIZATIONS PRIOROTIE RISK

USER RIGHTS MANAGEMENT Organizations should limit user rights to data to ‘business need-to-know’. This helps reduce and better control the risk of a data breach.

Database & Application Attack Prevention To protect database data, organization should identify, and optionally block, an intelligent Web application firewall to provide the first line of defense against

Security Levels On Relational Databases Relasi The user is allowed or not allowed to access directly a relation Read Authorization The user is allowed to read the data, but can not modify. Insert Authorization The user is allowed to add new data, but can not modify existing data

Tingkat Pengamanan Pada Database Relasional Update Authorization The user is allowed to modify the data, but can not delete the data. Delete Authorization user allowed to delete the data.