database
play

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: - PowerPoint PPT Presentation

Oct 17, 2022 •367 likes •591 views

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall 2020 University of Virginia 1 Levels of DB Security There are 6 levels that impact database security Database Level database users and

  1. DATABASE SECURITY CS4750 – Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall 2020 University of Virginia 1

  2. Levels of DB Security  There are 6 levels that impact database security  Database Level – database users and authorization  Application Level – information management and processing  Operating System Level – data storage and protection  Network Level – data transmission  Physical Level – computer equipment protection  Human Level – social engineering protection Security is important not only at the database level, but the entire database application. Breaches can happen at any of these levels. 2

  3. Question:  Which DB level is the cause of the most DB break-ins ?  Database Level  Application Level  Operating System Level  Network Level  Physical Level  Human Level  Think about it as we go through this material 3

  4. Database Level 4

  5. Why shouldn’t you give “ global privileges ” to user accounts? Database Level  If you are a super-user on your own database, and you have the grant permission, you are able to grant permissions onto your database for other users  Can even grant permissions on certain tables (or cols/rows)  General user:  No global privileges  But global on a particular DB (their own) including the grant option  Select/insert/update privileges on the DB 5

  6. User types (log-in user and other categories of user types) Database Level  Consider the classification of users (E.g. TA application system)  What is a classification of user that would use that system? Student/TA/prof  There is, however, always another type of classification, especially when you have a log in system  A user that only knows how to read the login table, and only knows how to read username and password  That is the user that most people are going to try to break into  That is the user automatically available to anyone that is trying to log in  Rule of thumb: if you are going to have a log in system with username/password you should have a separate user , that is ONLY going to read that login table. That’s it. That user does not need any privileges to do anything else – just reads the login table. Once login is successful, you should change DB users based on the category of user that you are using 6

  7. Once authenticated, switch to DB user based on category Give permissions based on user type (no more, no less!) Database Level  Somewhere in the DB your username exists, along with your password  When you log in, it gets your user type (e.g. professor, student, etc)  In some php file…  if type == professor  Dbuser = CS4750abc3dAlpha  Change your DB user based on the category  All students have the same db user because they are all part of the same classification  Think of the different permissions a student has vs. professor  However, neither should have global permissions (i.e. neither should be able to drop a table or alter the schema in any way)  Paying attention to privileges is important, helps prevent against SQL injection attacks because a drop all tables command will fail! 7

  8. Global / too many permissions gives greater abilities to attackers Database Level  However what happens is people create a DB user that has global permissions and then use that same user in every aspect and in every part of their program. Running as super-user  If someone breaks in, then that attacker has the ability to do anything and everything! That is bad! 8

  9. Access Control Policy Access control – identify permissions individuals can have/do There are three variations of access control:  RBAC (Role-Based Access Control)  Group-level permission – “ what can users of this role do ”  Permissions per role; users are only granted role  MAC (Mandatory Access Control)  Classification or privacy level  Permissions per classification  DAC (Discretionary Access Control)  Personal permission – “ who has access, what he/she can do ”  Permissions per resource; change often  Least restrictive 9

  10. https://en.wikipedia.org/wiki/Role-based_access_control RBAC – Role-Based Access Control  In computer systems security, RBAC is an approach to restricting system access to authorized users  It is used by the majority of enterprises with more than 500 employees, and can (also) implement mandatory access control (MAC) or discretionary access control (DAC)  [Although RBAC is different from MAC and DAC access control frameworks, it can enforce these policies without any complication.]  When a system implements both MAC and DAC simultaneously, DAC may refer to one category of access controls that subjects can transfer among each other, and MAC may refer to a second category of access controls that imposes constraints up on the first 10

  11. https://en.wikipedia.org/wiki/Role-based_access_control RBAC – Role-Based Access Control  Privileges/limitations defined by roles/job responsibilities  A policy neutral access control mechanism defined around roles and privileges. Users with the same role have the same privileges  Privileges are not assigned to users directly (rather, to their role)  Permissions/privileges per role are normally static  Typically have very few roles, centrally administered, and thus easy to manage  Commonly used by large organizations such as commercial and government organizations. 11  Must grant each user the correct role(s)

  12. https://en.wikipedia.org/wiki/Discretionary_access_control DAC – Discretionary Access Control  DAC a type of access control that allows people to manage the content they own. The controls are discretionary in the sense that…  A business owner is responsible for deciding who are allowed to do what on which part of the database  A data owner can manage the content they own – decide who has access, add or remove people from the list, and pass the permission to other users ( unless restrained by MAC )  It allows people to revoke or forward privileges easily and immediately 12

  13. https://en.wikipedia.org/wiki/Discretionary_access_control DAC – Discretionary Access Control  Since an individual has complete control over any objects he/she owns, DAC is the least restrictive compared to the other access control policy  Permissions given to an individual are inherited into other programs they use, potentially leading to malware being executed without the end user being aware of it  Permissions per resource are often changed 13

  14. https://en.wikipedia.org/wiki/Mandatory_access_control MAC – Mandatory Access Control  MAC a type of access control that is centrally controlled by a security policy administrator. It constrains the ability of a user to access or generally perform some sort of operation on an object.  Typically viewed as a classification or privacy level  Users do not have the ability to override the policy (either accidentally or intentionally.) For example, a user cannot grant access to a restricted table to another user  Policy administrators to implement organization-wide security policies. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users  Not used much in database system nowadays 14

  15. Choosing Access Control  If you have highly confidential or sensitive information on your business platform, use MAC or RBAC  If you need to allow certain people to enter, DAC is simplest and most popular.  However, if you need a lot of high security, DAC is not a good option since it is the least restrictive and privileges can inherit and transfer. 15

  16. Database Level  Encryption  An option inside of a database  MySQL has hashing methods built into it  You can encrypt but you may have to worry about overhead  Only thing that really needs to be encrypted in the DB is the passwords  In fact, they should be hashed. Store the hash of the password, not the password itself  When you log into MySQL it does a select on the user table where username=x and password=hash(y) and host like ‘%something%’  If have more than one match returned – it’ll always take the top tuple (order matters in this case) 16

  17. Granting privileges  We talked about various kinds of access control and privileges being granted/revoked  So, how do we grant privileges/authorization?  Can use SQL and the “ GRANT ” command 17

  18. SQL Data Control Language  Authorization sublanguage to grant privileges to, and revoke privileges from, users  Privilege = action (such as creating, executing, reading, updating, deleting) that a user is permitted to perform on a database object Give GRANT { ALL PRIVILEGES | privilege-list } authorization ON { object-name } TO { PUBLIC | user-list | role-list } [WITH GRANT OPTION]; Retract REVOKE { ALL PRIVILEGES | privilege-list } authorization ON object-list FROM { PUBLIC | user-list | role-list } [CASCADE | RESTRICT];  Next: See “part2” for GRANT command >>>>>>>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Database Utilities 10/17/2007 DC/Win Database Utilities Opening Database Utilities From File on

Database Utilities 10/17/2007 DC/Win Database Utilities Opening Database Utilities From File on

Database Utilities 10/17/2007 DC/Win Database Utilities Opening Database Utilities From File on the Menu Bar DC/Win Database Utilities Options Vary Depending on Database Two Types of Databases Sequel (SQL) Database Access Database

460 views • 6 slides
Advanced Database CS 525: Organization? Advanced Database =Database Implementation

Advanced Database CS 525: Organization? Advanced Database =Database Implementation

Advanced Database CS 525: Organization? Advanced Database =Database Implementation Organization =How to implement a database system and have fun doing it ;-) 01: Introduction Boris Glavic Slides: adapted from a course taught by

198 views • 7 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a need-to-know basis.

688 views • 54 slides
NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk What is an RDBMS? A PostgreSQL database is not just kept in a big file, like a spreadsheet. A program called the database server, or RDBMS,

323 views • 14 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017 AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a

845 views • 53 slides
Goals Database Administration All large and small databases need database Database

Goals Database Administration All large and small databases need database Database

PHP Miscellaneous $db->insert_id IT420: Database Management and Retrieves the ID generated for an Organization AUTO_INCREMENT column by the previous INSERT query Return value: Managing Multi-user The ID generated for an

140 views • 11 slides
Lect ure # 11 ADVANCED DATABASE SYSTEMS System Catalogs and Database Compression @

Lect ure # 11 ADVANCED DATABASE SYSTEMS System Catalogs and Database Compression @

Lect ure # 11 ADVANCED DATABASE SYSTEMS System Catalogs and Database Compression @ Andy_Pavlo // 15- 721 // Spring 2018 DATABASE TALK Oracle In-Memory Database Engine Monday February 26 th @ 4:30pm GHC 4401

709 views • 60 slides
This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting Revoking Views Database Systems SQL Insertion Attacks Michael Pound Further Reading The Manga Guide to Databases, Chapter 5 Database

285 views • 7 slides
Your Database Experts PRESENTATION MAP 3. About our company 4. Nearshoring Database

Your Database Experts PRESENTATION MAP 3. About our company 4. Nearshoring Database

Your Database Experts PRESENTATION MAP 3. About our company 4. Nearshoring Database Consulting was founded in 2009 as an outsourcing and Oracle Database 5. Forms to APEX migration specialised education centre with in-house

850 views • 19 slides
National Address Database National Address Database What is a National Address Database?

National Address Database National Address Database What is a National Address Database?

White House Initiative Open Government Partnership National Action Plan National Address Database National Address Database What is a National Address Database? How does it work? Why do we need a National Address Database? What

374 views • 18 slides
Overview of Database Systems CS3860 - Jay Urbain, PhD Introduction to Database Systems 1 2 UFR

Overview of Database Systems CS3860 - Jay Urbain, PhD Introduction to Database Systems 1 2 UFR

Overview of Database Systems CS3860 - Jay Urbain, PhD Introduction to Database Systems 1 2 UFR Uniform Financial Report (I think) What is a database? 3 What is a database? Collection of data Files, notes, to do list, patient records,

1.13k views • 26 slides
Database Management Limitations of Relational Database Designs Systems Provides a set of

Database Management Limitations of Relational Database Designs Systems Provides a set of

Lecture 2 Database Management Limitations of Relational Database Designs Systems Provides a set of guidelines, does not result in a unique database schema Winter 2004 Does not provide a way of evaluating alternative schemas CMPUT

387 views • 17 slides
Database Design October 24, 2008 Database Design Outline Database Design E-R diagrams

Database Design October 24, 2008 Database Design Outline Database Design E-R diagrams

Database Design October 24, 2008 Database Design Outline Database Design E-R diagrams Represent logical structure simply, clearly Rectangles : entity sets Ellipses : attributes Diamonds : relationship sets Lines : linking elements Double

794 views • 54 slides
Introduction to Physical Database Design Elmasri/Navathe ch 16 and 17 Padron-McCarthy/Risch ch 21

Introduction to Physical Database Design Elmasri/Navathe ch 16 and 17 Padron-McCarthy/Risch ch 21

DATABASE DESIGN I - 1DL300 Fall 2010 An introductory course on database systems http://www.it.uu.se/edu/course/homepage/dbastekn/ht10/ Manivasakan Sabesan Uppsala Database Laboratory Department of Information Technology, Uppsala University,

372 views • 34 slides
A T T E S T A T T E S T A T T E S T Application (Java) Database 1 2 3 Database B C A E

A T T E S T A T T E S T A T T E S T Application (Java) Database 1 2 3 Database B C A E

A T T E S T A T T E S T A T T E S T Application (Java) Database 1 2 3 Database B C A E D F I G H J L M K O R N P S Q D2 D1 D3 D4 A T T E S T A T T E S T Testing Exposing externally visible internal stats /

485 views • 34 slides
Database APIs Elmasri/Navathe ch 12 Padron-McCarthy/Risch ch 20 Silvia Stefanova Department of

Database APIs Elmasri/Navathe ch 12 Padron-McCarthy/Risch ch 20 Silvia Stefanova Department of

DATABASE DESIGN I - 1DL300 Spring 2012 An Introductory Course on Database Systems http://www.it.uu.se/edu/course/homepage/dbastekn/vt12/ Erik Zeitler Uppsala Database Laboratory Department of Information Technology, Uppsala University,

515 views • 13 slides
ADAPTATION Michael Mullan Team lead Climate change adaptation and development Systemic

ADAPTATION Michael Mullan Team lead Climate change adaptation and development Systemic

SUPPORTING OECD COUNTRIES CLIMATE ADAPTATION Michael Mullan Team lead Climate change adaptation and development Systemic impacts of climate change require a systemic response Sector Adaptation example Agriculture Alter crop species

485 views • 5 slides
THE JOY OF CIRCUITS Richard Schreier Jan. 9 2013 ANALOG DEVICES Todays Message

THE JOY OF CIRCUITS Richard Schreier Jan. 9 2013 ANALOG DEVICES Todays Message

ANALOG INTEGRATED THE JOY OF CIRCUITS Richard Schreier Jan. 9 2013 ANALOG DEVICES Todays Message Analog IC design taps many areas of expertise: physics, geometry, analysis, algorithms, modeling, . Creativity (= Fun) is

458 views • 20 slides
Data Analytic Cluster Software Environment David Henty, EPCC d.henty@epcc.ed.ac.uk

Data Analytic Cluster Software Environment David Henty, EPCC d.henty@epcc.ed.ac.uk

Data Analytic Cluster Software Environment David Henty, EPCC d.henty@epcc.ed.ac.uk www.epcc.ed.ac.uk www.archer.ac.uk Hardware 1 login node two Intel Ivy Bridge 10-core processors, 128 GB memory 12 standard compute nodes two

302 views • 12 slides
Digital to Analog Converters Dag T. Wisland Spring 2014 Outline Resistor string DACs

Digital to Analog Converters Dag T. Wisland Spring 2014 Outline Resistor string DACs

INF4420 Digital to Analog Converters Dag T. Wisland Spring 2014 Outline Resistor string DACs Charge redistribution DACs Current source DACs Spring 2014 Digital to Analog Converters 2 Introduction Digital to analog converters

492 views • 27 slides
STM32F3 DAC Cuauhtmoc Carbajal 24/10/2013 1 DAC1 Introduction The DAC module is a 12-bit,

STM32F3 DAC Cuauhtmoc Carbajal 24/10/2013 1 DAC1 Introduction The DAC module is a 12-bit,

STM32F3 DAC Cuauhtmoc Carbajal 24/10/2013 1 DAC1 Introduction The DAC module is a 12-bit, voltage output digital-to-analog converter. The DAC can be configured in 8- or 12-bit mode and may be used in conjunction with the DMA

209 views • 10 slides
Table of Contents 3 14 Q3/2017 highlights Balance sheet 25 Hedging experience 4 15

Table of Contents 3 14 Q3/2017 highlights Balance sheet 25 Hedging experience 4 15

Third Quarter 2017 Conference Call Presenters: Yvon Charest, President and CEO Ren Chabot, EVP, CFO and Chief Actuary November 8, 2017 1 Table of Contents 3 14 Q3/2017 highlights Balance sheet 25 Hedging experience 4 15 Acquisitions

748 views • 36 slides
Wallet Security Wallets Keep track of the world If you want Synchronize with the

Wallet Security Wallets Keep track of the world If you want Synchronize with the

Wallet Security Wallets Keep track of the world If you want Synchronize with the network if you fall behind Address end user needs Send coin Receive coin Answer queries What is my balance? What is my activity

772 views • 37 slides
NDN-Trace A A PATH TRA RACING UT UTILITY Y FOR R NDN NDN SIHAM KHOUSSI, DAVIDE PESAVENTO ,

NDN-Trace A A PATH TRA RACING UT UTILITY Y FOR R NDN NDN SIHAM KHOUSSI, DAVIDE PESAVENTO ,

NDN-Trace A A PATH TRA RACING UT UTILITY Y FOR R NDN NDN SIHAM KHOUSSI, DAVIDE PESAVENTO , LOTFI BENMOHAMED, ABDELLA BATTOU NATIONA NA ONAL L INS NSTITUTE OF OF STAND NDARDS DS AND ND TECHNOL NOLOG OGY (NI NIST) NDN vs IP IP

478 views • 11 slides

More recommend