COMP3357 Managing Cyber Risk


1 COMP3357 Managing Cyber Risk
Richard Henson, University of Worcester, March 2017

2 Week 7 – Assessing Risk based on Information System architecture
Objectives:
- Understand data modelling for relational databases
- Relate Context Diagram/Level 1 DFD to an Entity Relationship Model
- Relate external data flow to internal data stores… identify those that are potentially high risk
- Balance the risk between: having high risk data stores open to the Internet and allowing employees in the field to do their jobs, v external attack on data

3 In the beginning was the database… (!)
Ideally, an organisation should:
- model its data into a logically linked data structure…
- write queries to ask questions of that data structure
- guard the completed database structure & queries like it’s Fort Knox!

4 “Flatfile” data stores and Databases
- Some so-called databases in organisations are just lists of data organised according to “fields” (e.g. spreadsheets…)
  - retrieval of search strings or numerical data can take a looonnnggg… time
  - sometimes many such datafiles!
- A proper database logically links data: hierarchically, relationally, or object-oriented
- Relational is still popular, mainly because of SQL

5 SQL keeps on giving!
- SQL invented… back in 1967(!)
  - navigate through links to retrieve data
  - store new data in the appropriate place in the structure
- ORACLE made relational databases/SQL popular for small systems (1988)
- Web connectivity/SQL made relational databases usable remotely

6 Relational Databases
- Tight data structure: saved data can be rapidly located…
- Real advantage of a true relational database… SQL can be used for read/write & query database operations across the whole system
- BUT… all has to be properly designed

7 Database Design (1)
Same principles apply as with any other relational database management system (RDBMS)…
- identify entities (data “objects”)
- produce entity relationships (links)
- define logical relationships between entities (using one or more common attributes)

8 Database Design (2)
For an optimised structure…
- make sure data is fully normalised
- create tables & links
- create scripted SQL statements to:
  - extract data from specific fields in particular tables
  - put data into specific fields in particular tables
If “self-taught”, a dynamic web developer may be unaware of data modelling... and may build the data round the processing… it should be the other way round (!)

9 Resolving the “Many-Many” relationship
Essential… many information systems have failed through lack of knowledge of entity modelling…
Product – Customer: a many:many relationship…!!!

10 Link Entity… Many of each won’t work!
- option 1: “programme” the whole thing from scratch as an OO database, allowing “repeats” (!)
- option 2: use a Relational Database… and use “link” entities to remove the many:many problem
Product – XYZ (order?) – Customer

11 Relational Data Model: is one more entity enough?
- One customer can make multiple orders: a 1:many relationship
- One or more products make up an order, but product and order are still many:many
- Product & Order need a further entity between them…

12 Possible basic data (entity) model for a Shopping System
Entities: customer, order, order line, product. No entity relationships shown!
Where does Shopping Cart fit?

13 Possible “sales” Data Model with entities/attributes added
Field names may vary but the principle is the same…
Queries: field names must match with server script variables (parameters)
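The shopping model from slides 11 to 13 built as real tables, as an added example (not code from the slides): customer 1:many order, and the product/order many:many resolved through an "order line" link entity whose foreign keys stop dangling lines. Table and column names and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed tables for the slides' shopping model: customer 1:many order, with the
# product/order many:many resolved through the "order line" link entity.
SCHEMA = """
CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE product (product_id INTEGER PRIMARY KEY, title TEXT NOT NULL, price REAL NOT NULL);
CREATE TABLE "order" (order_id INTEGER PRIMARY KEY,
                      customer_id INTEGER NOT NULL REFERENCES customer(customer_id));
-- Link entity: one row per (order, product) pair, so an order can hold many products and
-- a product can sit on many orders without repeating groups in either table.
CREATE TABLE order_line (order_id INTEGER NOT NULL REFERENCES "order"(order_id),
                         product_id INTEGER NOT NULL REFERENCES product(product_id),
                         quantity INTEGER NOT NULL CHECK (quantity > 0),
                         PRIMARY KEY (order_id, product_id));
"""

def build_shop():
    """In-memory database loaded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless switched on
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?)", [(1, "Ann"), (2, "Bo")])
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)",
                     [(10, "Album A", 9.99), (11, "Album B", 12.50)])
    conn.executemany('INSERT INTO "order" VALUES (?, ?)', [(100, 1), (101, 1), (102, 2)])
    conn.executemany("INSERT INTO order_line VALUES (?, ?, ?)",
                     [(100, 10, 2), (100, 11, 1), (101, 10, 1), (102, 11, 3)])
    conn.commit()
    return conn

def order_total(conn, order_id):
    """Follow order line -> product to price an order; the field names are the parameters."""
    row = conn.execute("SELECT SUM(ol.quantity * p.price) FROM order_line ol "
                       "JOIN product p ON p.product_id = ol.product_id "
                       "WHERE ol.order_id = ?", (order_id,)).fetchone()
    return round(row[0] or 0.0, 2)

def orders_for_product(conn, product_id):
    """Navigate the link entity the other way: every order that contains a product."""
    rows = conn.execute("SELECT order_id FROM order_line WHERE product_id = ? "
                        "ORDER BY order_id", (product_id,))
    return [r[0] for r in rows]

def dangling_line_rejected(conn):
    """The link entity's foreign key refuses an order line for an order that does not exist."""
    try:
        conn.execute("INSERT INTO order_line VALUES (?, ?, ?)", (999, 10, 1))
        return False
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
```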

14 Data Model to include sales, purchasing, HR, accounts (1)
A typical retail organisation will have to:
- buy/store goods
- sell those goods (with value added?) at a higher price
Need a digital information system to manage all of this… minimal human intervention (!)

15 Data Model for Online Shop
Entities: Orderlines, Suppliers, Customers, Stock, Orders, Employees, Products

16 Data model including fields (music shop…)

17 Additional Function…
For completeness, the data model will need an “accounts” or “admin” function:
- link to “orders” entity
- store financial data
- interact with relevant external agencies…

18 Accessing a database (Internally & Externally)
- Internal: use an Intranet..
- External: use an Extranet
Use server-scripts with embedded SQL commands to link to and communicate smoothly with database tables

19 Server Scripts
Very different from client-side embedded code... (!)
- provide close control of relational databases via SQL commands…
- run only on a web server
- only interact with the client & HTML browser through a client-server model

20 Demands of Applications using centralised data storage!
If a remote web app is to be used… the database must be:
- secure
- readily accessible (read) from all clients
- alterable (write) only by specific persons

21 How Server Scripts can Interact with Databases
Contain embedded SQL code that can extract data from or send data to a database

22 How Server Scripts can Interact with Databases
Whenever a database is updated…
- updated data picked up by server-script when it runs
- updated data displayed on client

23 How Server Scripts can Interact with Databases
Whenever a browser form captures data…
- data transferred directly to relevant server
- then stored in specified database field(s)

24 How Server Scripts Interact with Databases
Whenever database information needs to be presented:
- database fields and records taken into server memory
- data sent to local machine to be displayed within an HTML format

25 Remote Parameter Passing
- Essential in web searches: find a match with database contents using keyword(s)
- Essential for online shopping product selection: passing data into a remote SQL query
- Parameters need to be secure when passed to/from a remote source, otherwise false data can be introduced

26 Mechanism for variable passing between Dynamic Web Pages
- Use HTML “forms”: <form>..... </form>
- HTML “GET” or “POST”?
- Disadvantages of HTML “GET” function:
  - parameter/s tagged on to the URL, e.g. GET /thetest.aspx?firstname=richard&password=holidays&lastname=henson&action=transferbankfunds
  - v. long URLs…
  - PLUS… easily changed by man-in-the-middle attack
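A defender's check on the GET problem above, as an added example (not code from the slides): because GET parameters ride in the URL, they also land in web-server access logs, so a log scan can flag requests that carry a password or a state-changing action in the query string. The watch-list of parameter names and the log lines are constructed; the first log line carries the slide's own example URL.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that should not travel in a URL (constructed watch-list): credentials,
# session material, and state-changing "action" flags like the slide's transferbankfunds.
SENSITIVE = {"password", "passwd", "pwd", "token", "session", "sessionid", "action"}

# Combined-log-format line: client IP first, then the quoted request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

def sensitive_get_params(request_line):
    """Return sensitive parameter names carried in the query string of a GET request."""
    method, _, rest = request_line.partition(" ")
    if method != "GET":
        return []  # POST parameters travel in the body and do not appear in this log
    target = rest.split(" ", 1)[0]
    names = {k.lower() for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)}
    return sorted(names & SENSITIVE)

def scan_access_log(text):
    """Flag (client, parameters) for every GET whose query string exposes sensitive data."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            found = sensitive_get_params(m.group(2))
            if found:
                hits.append((m.group(1), found))
    return hits

# Constructed sample lines; the first carries the URL quoted on the slide.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2017:10:01:02 +0000] "GET /thetest.aspx?firstname=richard&password=holidays&lastname=henson&action=transferbankfunds HTTP/1.1" 200 512
10.0.0.6 - - [07/Mar/2017:10:01:09 +0000] "POST /thetest.aspx HTTP/1.1" 200 512
10.0.0.7 - - [07/Mar/2017:10:02:30 +0000] "GET /search.aspx?keyword=jazz HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for client, params in scan_access_log(SAMPLE_LOG):
        print(client, "sent sensitive GET parameters:", ", ".join(params))
```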

27 Protecting Database Queries
- Essential, and relatively inexpensive, so an obvious course of action?
- BUT… code generator may not make validation options obvious; may require programming skills (!)
- Best practice to have… client-side validation (on HTML form) AND server-side validation (on search strings that invoke an SQL query)
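The server-side half of that best practice, as an added example (not code from the slides): a search script that glues the remote keyword into the SQL text beside one that validates the keyword on the server and then binds it as a query parameter. The product rows and the keyword whitelist are constructed assumptions for the example.

```python
import re
import sqlite3

def make_catalogue():
    """In-memory product table with constructed rows standing in for the shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (product_id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)",
                     [(1, "Blue Train", 9.99), (2, "Kind of Blue", 12.50), (3, "Giant Steps", 8.75)])
    conn.commit()
    return conn

def search_unsafe(conn, keyword):
    """The weak version: the remote search string is glued straight into the SQL text,
    so the parameter becomes part of the query instead of data for it."""
    sql = "SELECT title FROM product WHERE title LIKE '%" + keyword + "%'"
    return [r[0] for r in conn.execute(sql)]

# Server-side whitelist for a catalogue keyword (an assumption about what a valid search is).
KEYWORD_OK = re.compile(r"[A-Za-z0-9 ]{1,40}")

def search_safe(conn, keyword):
    """Validate on the server regardless of any client-side check, then bind the value
    as a parameter so the database only ever sees it as data."""
    if not KEYWORD_OK.fullmatch(keyword):
        raise ValueError("search keyword rejected by server-side validation")
    rows = conn.execute("SELECT title FROM product WHERE title LIKE ?", ("%" + keyword + "%",))
    return [r[0] for r in rows]
```

Client-side validation on the form still belongs there for usability, but only the server-side check and the bound parameter hold when the request does not come from the form at all.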

28 Conclusion
- Relational databases still very popular
- Need correct design
- Dependent on SQL queries
- Query strings (parameters) between internal and external agencies often use HTML: can be a big (non-coding) vulnerability; important to identify and label

29 Further Reading
The GDPR will dominate developments over the next couple of years. Here is a good summary of GDPR and security of web apps: impact-of-gdpr-on-companies-providing-web-access-to-applications/

