1 CAN A DATABASE REALLY BE SECURE? PRESENTED BY AUDREY WILLIAMS

2 OVERVIEW
- What's the purpose of a database security system?
- Why should an organization bother to implement a database security system?
- What kinds of database security features can protect the DBMS?
- What are the responsibilities of the database administrator?
- Exposing classic database intruders
- Summation
- Bibliography

3 DATABASE SECURITY
What's the purpose of a database security system?
- To protect the stored data that is collected for use in meaningful ways, such as documents, charts and reports.
- Also, to secure the data from intruders.
Spafford puts it this way: "the only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."

4 DATABASE SECURITY
In response to Mr. Spafford's statement: why should an organization bother to implement a database security system?
- To protect the company's clientele from predators who will sell the data to the highest bidder.
- Database intrusions and thefts will destroy or reduce the company's credibility and profits.

5 DATABASE SECURITY
- [Figure 1] shows the path of a source message: it originates at the client and is sent to the LAN/WAN router.
- Next, the source message is passed to the server. The request is then passed through the internet, the internet router and the firewall to the DBMS, which retrieves the requested information.
- After the destination server receives the message, the DBMS sends the response back to the client along the same path in reverse.
- So, the entry point for hackers to breach the system is the internet, internet router and firewall connection, which places the DBMS in jeopardy of data intrusion.

6 DATABASE SECURITY FEATURES
What kinds of database security features can protect the DBMS?
- Digital certificate: a unique identifier given to an entity to authenticate a computer, document or web page. A third party such as Equifax then certifies whether the document is legitimate.
- Encryption alters the data so that unauthorized users cannot view it.
- Firewalls protect a network from unauthorized access from the internet.
- Proxy servers shield the requests between client computers inside a private network and the internet.
- Secure Sockets Layer (SSL) connects and transmits encrypted data.
- S-HTTP (secure hypertext transfer protocol) transmits web pages securely.
So, by configuring these features together with the internet and network components, it is possible to provide privacy and security that reduce database intrusions.

7 RESPONSIBILITIES OF THE DATABASE ADMINISTRATOR
- Assign a unique password and user identification to each user so that they have permission to access, read and/or manipulate specific information at a given time.
- Enable the various data layers that secure access control, auditing and authentication, encryption, and integrity controls.
- Perform a "vulnerability scan" on a routine basis to locate configuration problems in the data layers of the DBMS software.
- Evaluate and perform a "vulnerability assessment" against the database. This assessment makes an effort to locate the cracks in the database security.

8 RESPONSIBILITIES OF THE DATABASE ADMINISTRATOR
- Continually monitor the database security standards to make sure that the company's DBMS is in compliance with them.
- Two features of database security compliance must be utilized:
  - Patch management: a method that locates problems in the software and fixes and updates the cracks in the database security.
  - Management and review of public and granted data access: locating the data objects in the database, such as the tables that hold data, and evaluating who is entitled to manipulate or view those objects.

9 RESPONSIBILITIES OF THE DATABASE ADMINISTRATOR
- Always keep in mind that whenever a system has internet and network connections attached to a DBMS, security breaches will occur.
- Perform routine backup and recovery procedures in case of an electrical outage or intruder attacks that could damage the DBMS.

10 THE CLASSIC DATABASE INTRUDERS
The Shifty Employees & Malicious Hackers

11 THE CLASSIC DATABASE INTRUDERS
Employees
- For example, a salesperson in the sales department should have access to the company's product price list, not to employee birth dates, extensive clientele information, home addresses and salary information.
- Adding to the example above: the salesperson learns that they will be fired or laid off, so the salesperson could alter and copy the database information in order to use the client list at their new job.
- So, the company and the database administrator are to blame for the employee having access to that much data to steal.
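As an added example (not from the presentation), the salesperson scenario above and the review of public and granted access from slide 8, written as PostgreSQL-style SQL. The table names, role names and the assumption that the script runs as the database owner/superuser are all mine.

```sql
-- Constructed schema: one table a salesperson needs, two they do not.
CREATE TABLE product_prices (product_id INT PRIMARY KEY, name TEXT, price NUMERIC);
CREATE TABLE employees (emp_id INT PRIMARY KEY, name TEXT, birth_date DATE,
                        home_address TEXT, salary NUMERIC);
CREATE TABLE clients (client_id INT PRIMARY KEY, name TEXT, contact TEXT);

-- Slide 8: nothing should be readable merely because a login exists.
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

-- Slide 7: every user gets a unique login; privileges hang off a role,
-- so revoking one person's access is a single REVOKE ... FROM alice.
CREATE ROLE sales_staff NOLOGIN;
CREATE ROLE alice LOGIN PASSWORD '<set-per-user>';   -- placeholder, not a real secret
GRANT sales_staff TO alice;

-- Slide 11: a salesperson may read the price list and nothing else.
-- No grant is issued on employees or clients, so copying the client list is refused.
GRANT SELECT ON product_prices TO sales_staff;

-- Verification from the salesperson's point of view (requires superuser
-- or membership in alice to SET ROLE).
SET ROLE alice;
SELECT name, price FROM product_prices;   -- allowed
SELECT salary FROM employees;             -- ERROR: permission denied for table employees
RESET ROLE;

-- Slide 8: periodic review of granted access. Any row naming PUBLIC, or
-- giving sales_staff anything beyond SELECT on product_prices, is a finding.
-- Assumption: the owner role is named postgres; its own rows are excluded.
SELECT grantee, table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  table_schema = 'public'
  AND  grantee <> 'postgres'
ORDER  BY grantee, table_name, privilege_type;
```

The review query only lists grants visible to the role running it, so run it as a superuser to see every grantee.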

12 THE CLASSIC DATABASE INTRUDERS
The Black Hat Hacker
- A person who hacks into a security system to retrieve data from a computer, network or database system with the intent to terrorize the victims through criminal and malicious acts of blackmail, damage and larceny.
- The purpose is to gain control of the individual's or the organization's systems.

13 THE CLASSIC DATABASE INTRUDERS
Hackers believe: "The best hackers never get caught!"
- However, in 2006, 42% of cybercrimes were committed by hackers.
- Law enforcement manpower is too limited to fully pursue every high-tech crime that is committed, so the most costly crimes are the cases that law enforcement pursues.
- Yet, in 2006, global task forces in major cities were developing and devoting more manpower to the goal of locating, charging, arresting and sentencing hackers for their cybercrimes.
- In 2006, one hacker stole 165,000 consumer identities and another hacker stole $800,000 from local banks through identity theft.

14 SUMMATION
- It seems that companies cannot deter or stop predators from hacking into the DBMS through the internet and network connections.
- So, applying database security features and routine maintenance on the DBMS to:
  - monitor database security compliance,
  - perform vulnerability assessments and scans to discover cracks in the database security,
  - reconfigure data access parameters to lock out imminent attackers, and
  - prevent employees from accessing and viewing more data than necessary
  should maintain the database security and protect the data from most intrusions and thefts.

15 THE END
BIBLIOGRAPHY
- Wikipedia
- DOJ & FBI
- Merriam-Webster
- L.A.P.D.
- N.Y.P.D.
- Spafford, Eugene H. and S. Garfinkel. Web Security & Commerce. O'Reilly.
- "Hacker." Wikipedia. Article created in 1997. Retrieved 31 Mar 2007. http://en.wikipedia.org/wiki/Hacker

