Presentation is loading. Please wait.

Presentation is loading. Please wait.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Published byVivian Stanley Modified over 9 years ago

Similar presentations

Presentation on theme: "D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015."— Presentation transcript:

1 D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015

2 Why is database security important? Properties of Database Security Categories of Attacker Different Types of Attacks Web Security Threats Database Security Considerations Recent Used Database Security Techniques Outline

3 Databases often store data which is sensitive in nature Incorrect data or loss of data could negatively affect business operations Databases can be used as bases to attack other systems from Why is Database Security Important ?

4 Confidentiality Integrity Availability The Properties of Database Security

5 What does confidentiality mean ? Privacy or the ability to control or restrict access so that only authorized individuals can view sensitive information. One principles of confidentiality is “ Need-to-Know” or “Least Privilege”. The most common method: Encryption Authentication Access Control Confidentiality

6 Information is accurate and reliable and has not been subtly changed or tampered with by an unauthorized party. Authenticity : The ability to verify content has not changed in an unauthorized manner Non-repudiation & Accountability: The origin of any action on the system can be verified and associated with a user. Integrity :( Data Integrity)

7 Availability is the proportion of time a system is in a functioning condition. As the reliability increased, so does the availability. Availability

8 Intruder : An unauthorized user means accessing a computer system in an illegal manner and attempts to take out valuable information. Insider : Trusted users who make violence of his/her privileges and tries to get information beyond his own access permissions. Administrator: An authorized user who uses the administration privileges in unauthorized way according to organization’s security policy to get valuable information. Categories of Attacker

9 Direct attacks Attacking the targeted data directly These types of attacks are successful only if the database does not contain any protection mechanism. Indirect attacks These attacks are not directly executed on the target but information from or about the target can be received through other intermediate objects. Difficult to find out or track Combinations of different queries Different Types of Attacks

10 Passive Attack Attacker only observes data present in the database. Static leakage Linkage leakage Dynamic leakage Active Attack Actual database values are modified. These are more problematic than passive attacks because they can mislead a user. There are different ways of performing such kind of attack: Spoofing - Splicing - Replay Attacks on Database classified into two types

11 AJAX Security: In recent years, adding AJAX elements in sites has become a very popular style JavaScript : is a widely client-side scripting language, it has been broadly used to reduce the load on the server Run-time error can only be found during running time of program Web Security Threats

12 Cross site scripting (also known as XSS or CSS): By utilizing the XSS bugs in the web programs, malicious attackers construct a trap page and the malicious script can be saved in the page content or URL If the visitors visit URL, the JavaScript will be executed by attackers’ browser.

13 Every organization must having its own security policy and that security policy should be strictly enforced. A strong security policy must contain well defined security features. Database Security Considerations

14 Ensures all communications with the databases and other system objects are according to the policies and controls defined. No obstruction occurs by any attacker neither internally nor externally Protects the databases from potential errors. Minimizing the risks that may directly impact the security of the database. Access Control

15 Inference policy is required to protect the data at a particular level. Some data are required to be protected at a certain higher security level. The policy also determines how to protect the information from being released. Inference Policy

16 The identification method describes a set of people that are allowed to access data and provides a complete mechanism of accessibility To ensure security, the identity is authenticated and it keeps the sensitive data secure and from being modified by any ordinary user. User Identification/ Authentication

17 These two checks are required to ensure physical integrity of the data which requires defined access to the databases and that is managed through auditing and record keeping. Helps in analysis of information held on servers for authentication, accounting and access of a user. Accountability and Auditing

18 Encryption is the process of transforming information by means of a cipher or a code so that it becomes unreadable to all other people except those who hold a key to the information. Various Types of encryption offered by SQL : Column Level Database Level Instance Level This encrypts ALL traffic to and from SQL server Encryption

19 Securing Database using Cryptography Securing Database using Steganography Securing Database using Access Control Recent Used Database Security Techniques

20 A database encryption scheme users are divided into two levels: Level 1: users have access to their own private encrypted data and the unclassified public data. Level 2: users have access to their own private data and also classified data which is stored in an encrypted form. A novel database encryption mechanism Classify the data into sensitive data and public data. Encrypt only the sensitive and critical data Helps the performance is not degraded. Mixed Cryptography Database scheme designing a framework to encrypt the databases. the data is grouped depending upon the ownership and on other conditions. Securing Database using Cryptography

21 Various techniques in steganography that can be implemented to hide critical data and prevent them from unauthorized and direct access. the data is embedded in the least-significant-bit’s of the pixel values. The pixels values are categorized into different ranges and depending on the range certain number of bits is allocated to hide the sensitive data. Securing Database using Steganography

22 the access to the database only after verifying the credentials of that user The credentials may not just be the user-id but it may be the characteristics There two techniques: A generalized authorization model An authorization model Securing Database using Access Control

23 A generalized authorization model involves integrating the three most common and widely used access control mechanisms namely: Mandatory – Discretionary – and role-based model into a single framework to allow unified access to the protected data An authorization model queries are acceptable only when the queries can be verified using the information contained in the authorization rules. Securing Database using Access Control Techniques:

24 Questions or Comments?

Download ppt "D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015."

Similar presentations

Operating System Security

Operating System Security
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Access Control Methodologies

Access Control Methodologies
Database Management System

Database Management System
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.

Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.

Similar presentations

Ads by Google