Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.


Overview
- Why database security is needed
- Threats to databases and counter-measures
- Methods of securing a database
  ❖ Through a firewall
  ❖ Database abstraction

The Importance of Security
- To prevent unauthorized data observation.
- To prevent unauthorized data modification.
- To keep the data confidential.
- To make sure data integrity is preserved.
- To make sure only authorized users have access to the data.

The Importance of Security It is important to define who can access what data, who is allowed and who is restricted, whether passwords are used and how they are maintained, what sort of firewalls and anti-malware solutions to use, and how to train staff to enforce data security.

The Importance of Security The most frequently compromised system is Microsoft Windows NT, but UNIX-based operating systems have also been attacked.

The Importance of Security

Database Security in E-commerce Database

1.Operating System layer

2. Network Layer

3. Web Servers

4. Firewalls

5. Database Server
● use multiple passwords to access the different functions of a server, such as one password for system administration;
● apply a different password for each other operation;
● audit each and every transaction of the database;
● use application-specific user names and passwords, and never a default user name or password;
● back up the system thoroughly so it can be recovered after an accidental breakdown.

Threats to database
- SQL injection
- Unauthorized access
- Brute-force cracking of passwords / usernames
- Network eavesdropping
- Stolen (unencrypted) backup tapes
- Targeting unpatched database vulnerabilities

SQL Injection A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.

Unauthorized Access

Password cracking

Network Eavesdropping

Methods of securing database
- Authorization: restricted privileges, views.
- Encryption: public key / private key, secure sockets.
- Authentication: passwords.
- Logical: firewalls, net proxies.
- Access control.
- Stored procedures.
- Parameterised queries.

Authorization
- Read authorization: allows reading, but not modification, of data.
- Insert authorization: allows insertion of new data, but not modification of existing data.
- Update authorization: allows modification, but not deletion, of data.
- Delete authorization: allows deletion of data.

Security of the database through FIREWALLS

How database firewall works

Diagramatic representation

Advantages of firewalls

Security of the database through Abstraction Data encryption lets you encrypt sensitive data, such as credit card numbers, stored in table columns. Encrypted data is decrypted for a database user who has access to the data. Data encryption helps protect data stored on media in the event that the storage media or data file is stolen. Using stored procedures adds an extra layer of abstraction, as do parameterised queries.

Stored procedure A stored procedure is a group of one or more SQL statements. It accepts input parameters and can return multiple values in the form of output parameters to the calling program. Using procedure parameters helps guard against SQL injection attacks. When a procedure is called over the network, only the call to execute the procedure is visible, so malicious users cannot see table and database object names, embed Transact-SQL statements of their own, or search for critical data.

Parameterised Queries (Prepared Statements) A prepared statement is a feature used to execute the same SQL statement repeatedly with high efficiency. Prepared statements are very useful against SQL injection because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
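Added example (not from the original slides): the same customer lookup written once with string concatenation and once as a parameterised query, run against a constructed in-memory SQLite orders table; the table, rows and function names are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample rows (not from the original slides): an e-commerce
# orders table where each customer must only ever see their own items.
ORDERS = [("alice", "keyboard"), ("alice", "mouse"), ("bob", "monitor")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    return conn


def items_concatenated(conn, customer):
    """Vulnerable: the customer value is spliced into the SQL text, so a
    quote character in the input changes the structure of the statement."""
    sql = "SELECT item FROM orders WHERE customer = '%s' ORDER BY item" % customer
    return [row[0] for row in conn.execute(sql)]


def items_parameterised(conn, customer):
    """Hardened: the statement template is fixed at development time and the
    value is bound as a parameter, so it is only ever treated as data."""
    sql = "SELECT item FROM orders WHERE customer = ? ORDER BY item"
    return [row[0] for row in conn.execute(sql, (customer,))]


def demo():
    """Run both variants with an honest customer name and with the textbook
    tautology input, returning the rows each variant exposes."""
    conn = make_db()
    tautology = "' OR '1'='1"
    results = {
        "honest_concat": items_concatenated(conn, "alice"),
        "tautology_concat": items_concatenated(conn, tautology),
        "honest_param": items_parameterised(conn, "alice"),
        "tautology_param": items_parameterised(conn, tautology),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows the concatenated query returning every customer's orders for the malformed input, while the parameterised query treats the same string as an ordinary (non-existent) customer name and returns nothing.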

How Data Encryption Works Data encryption is a key-based access control system. Even if the encrypted data is retrieved, it cannot be understood until authorized decryption occurs, which is automatic for users authorized to access the table. When a table contains encrypted columns, a single key is used regardless of the number of encrypted columns; this key is called the column encryption key. The column encryption keys for all tables containing encrypted columns are encrypted with the database server master encryption key and stored in a dictionary table in the database. The master encryption key is stored in an external security module that is outside the database and accessible only to the security administrator.

Case: Oracle Server

Advantages of Data Encryption

Summary
- Encrypt sensitive data.
- Access the database using an account with the least privileges necessary.
- Install the database using an account with the least privileges necessary.
- Ensure that data is valid.
- Do a code review to check for the possibility of second-order attacks.
- Use parameterised queries.
- Use stored procedures.
- Re-validate data in stored procedures.
- Ensure that error messages give nothing away about the internal architecture of the application or the database.

Thank You!!