Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter Name September 98 Security by Adrienne Watt.

Published byVirginia Maxwell Modified over 6 years ago

Similar presentations

Presentation on theme: "Chapter Name September 98 Security by Adrienne Watt."— Presentation transcript:

1 Chapter Name September 98 Security by Adrienne Watt

2 Security The protection of data against unauthorized disclosure, alteration, or destruction. GENERAL CONSIDERATIONS: - Legal, social, and ethical aspects - Physical controls - Company policies - Operational concerns - Hardware controls - Operating system security - Data ownership

3 DATA SECURITY Threat: Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization. Theft and fraud Unauthorized amendment of data Program alteration Wire tapping Illegal entry by hacker Loss of confidentiality (secrecy) Blackmail Illegal Entry by hacker Inadequate or ill-thought out procedures that allow confidential output to be mixed with normal output. Staff shortage or strikes Inadequate staff training

4 DATA SECURITY Loss of privacy Inadequate staff training Viewing unauthorized data and disclosing it Loss of integrity Electronic interference and radiation Fire (electrical fault/lightning strike) Loss of availability Flood

5 DATA SECURITY Hardware failure resulting in a corrupt disk.
The extent of loss depends upon factors such as the impact of the threat balanced against countermeasures and contingency plans.  e.g. Hardware failure resulting in a corrupt disk. Does alternative hardware exist that can be used? Is this alternative hardware secure? Can we legally run our software on this hardware? If no alternative hardware exists, how quickly can problem be fixed? When were the last backups taken of the database and log files? Are the backups in a fireproof safe or offsite? If the most current database needs to be recreated by restoring the backup with the log files, how long will it take? Will there by any immediate effects on our clients? If we restore the system, will the same or similar breach of security occur again unless we do something to prevent it from happening? Could our contingency planning be improved?

6 COMPUTER BASED CONTROLS
The security of a DBMS is only as good as that of the operating system. Authorization: The granting of a right or privilege which enables a subject to legitimately have access to a system or object. Authentication: A mechanism by which a subject is determined to be the genuine subject that they claim to be. Logon Passwords

7 COMPUTER BASED CONTROLS
The types of privileges that an authorized subject may be given include: Use of specific named databases Selection or retrieval of data Creation of tables and other objects Update of data (may be restricted to certain columns) Deletion of data (may be restricted to certain columns) Insertion of data (may be restricted to certain columns) Unlimited result set from a query (that is, a user is not restricted to a specified number of rows) Execution of specific procedures and utility programs Creation of databases Creation (and modification)of DBMS user identifiers and other types of authorized identifiers Membership of a group of users, and consequent inheritance of the group’s privileges

8 Ownership and Privileges
Different ownership for different objects Ownership of objects gives the owner all appropriate privileges on the objects owned. Newly created objects are automatically owned by their creator who gains the appropriate privileges for the object. Privileges can be passed on to other authorized users. DBMS maintains different types of authorization identifiers. (users and groups)

9 DBMS SUPPORT The above policy decisions are enforced by the dbms
DISCRETIONARY CONTROL   - privileges or authorities on different objects - policy decisions - flexible   Examples:   GRANT SELECT ON S TO CHARLEY   GRANT SELECT, UPDATE (STATUS, CITY) ON S TO JUDY   GRANT ALL PRIVILEGES ON S TO TED   GRANT SELECT ON P TO PUBLIC   GRANT DBA TO PHIL   REVOKE SELECT ON S FROM CHARLEY   REVOKE UPDATE ON S FROM JUDY The above policy decisions are enforced by the dbms The systems catalog contains:  - Sysuserlist  - Sysauthlist

10 DBMS SUPPORT MANDATORY CONTROL - each object has a classification level (top secret, confidential, etc.) - each user has a clearance level - not supported by any current DBMS - very rigid

11 DBMS SUPPORT Views: Can be used to represent only the data which is relevant to a user, by effectively hiding other fields. Backing-up: The process of periodically taking a copy of the database and journal (and possibly programs) onto offline storage media. Various depending on size of data Journaling: The process of keeping and maintaining a journal or log of all changes made to the database to enable recovery to be undertaken effectively in the event of a failure. must be enabled copies of journal on other disks record all security violations

12 DBMS SUPPORT Checkpointing: The point of synchronization between the database and the transaction log file. All buffers are force-written to secondary storage. Encryption: The encoding of the data by special algorithm that renders the data unreadable by any program without the decryption key. encrypt/decrypt degradation of performance

13 Associated Procedures
To ensure controls are effective:  Authorization and Authentication: Password lengths Password duration Backup:  Determine procedures Frequency Recovery: Determine procedures

14 Audit Check that all proper controls are in place.
Ensuring accuracy of input data Ensuring accuracy of data processing Prevention and detection of errors during program execution Properly testing and documenting program development and maintenance Avoiding unauthorized program alteration Granting and monitoring access to data Ensuring documentation is up to date

15 Non-Computer Based Controls
Establishment of a Security Policy: The area of the business it covers Responsibilities and obligations of employees Procedures that must be followed Establishment of a Contingency Plan: Who the key personnel are and how they can be contacted If key personnel are unavailable, a list of alternative personnel and how they can be contacted. Who decides that a contingency exists and how that is decided The technical requirements of transferring operations elsewhere Additional equipment needed Will communication lines need to be installed Operational requirements of transferring operations elsewhere Staff needed to work away from home Staff needed to work unusual hours Staff will need to be compensated Any outside contacts who may be help, for example: Equipment manufacturers Whether any insurance exists to cover the situation

16 Non-Computer Based Controls
Secure Positioning of Equipment Restrict access to printers especially if used for sensitive information Locate computer terminals sensibly if likely to display sensitive information Site cabling to avoid damage Secure Data and Software Ensure a secure storage area is available on-site Have an off-site secure storage area Index all the material

17 Non-Computer Based Controls
Physical Access Controls:   Internal Controls: Govern access to areas within a building   External Controls: Govern Access to the site Emergency Arrangement  Cold Site Warm Site Hot Site PC Security Viruses

18 Statistical Databases
A collection of confidential information on individuals  Preventing queries from operating on only a few database entries Randomly adding in additional entries to the original query result set, which produces a certain error but approximates to the true response Using only a random sample of the database to answer the query Maintaining a history of the query results and rejecting queries that use a high number of records identical to those used in previous queries.

19 Risk Analysis Establish a Security Team
Define the scope of the analysis and obtain system details Identify all existing countermeasures Identify and evaluate all assets Identify and assess all threats and risks Select countermeasures, undertake a cost/benefit analysis and compare with existing countermeasures Make recommendations Test security system

20 Data Protection and Privacy Laws
Privacy: Concerns the right of an individual not have personal information collected, stored and disclosed either willfully or indiscriminately. Data Protection: The protection of personal data from unlawful acquisition, storage and disclosure, and the provision of the necessary safeguards to avoid the destruction or corruption of the legitimate data held. Since the 1970s different countries have instituted various laws that deal with these issues.

Download ppt "Chapter Name September 98 Security by Adrienne Watt."

Similar presentations

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Database Administration and Security Transparencies 1.

Database Administration and Security Transparencies 1.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Auditing Computer Systems

Auditing Computer Systems
Security and Integrity

Security and Integrity
Database Management System

Database Management System
Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.
Security Dale-Marie Wilson, Ph.D.. Why Database Security? Data Valuable resource Must be strictly controlled and managed Corporate resource Have strategic.

Security Dale-Marie Wilson, Ph.D.. Why Database Security? Data Valuable resource Must be strictly controlled and managed Corporate resource Have strategic.
1 Minggu 7, Pertemuan 13 Security Matakuliah: T0206-Sistem Basisdata Tahun: 2005 Versi: 1.0/0.0.

1 Minggu 7, Pertemuan 13 Security Matakuliah: T0206-Sistem Basisdata Tahun: 2005 Versi: 1.0/0.0.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.

Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.
Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.

Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.
Concepts of Database Management Seventh Edition

Concepts of Database Management Seventh Edition
Chapter 19 Security.

Chapter 19 Security.
Chapter 19 Security Transparencies © Pearson Education Limited 1995, 2005.

Chapter 19 Security Transparencies © Pearson Education Limited 1995, 2005.
 Mechanism for restoring a database quickly and accurately after loss or damage  RESPONSIBILITY OF ?????  Recovery facilities: Backup Facilities Backup.

 Mechanism for restoring a database quickly and accurately after loss or damage  RESPONSIBILITY OF ?????  Recovery facilities: Backup Facilities Backup.
DATABASE SECURITY By Oscar Suciadi CS 157B Prof. Sin-Min Lee.

DATABASE SECURITY By Oscar Suciadi CS 157B Prof. Sin-Min Lee.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.

Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.

Similar presentations

Ads by Google