database security
play

Database Security Catalin Bidian University of Toronto November - PowerPoint PPT Presentation

Apr 09, 2024 •10 likes •460 views

CCT395, Week 10 Database Security Catalin Bidian University of Toronto November 10, 2010 November 10, 2010 CCT395F 1 Database Security Main Objectives 1. Confidentiality (aka Secrecy): a. Data must be kept private b. Information

  1. CCT395, Week 10 Database Security Catalin Bidian University of Toronto November 10, 2010 November 10, 2010 CCT395F 1

  2. Database Security – Main Objectives 1. Confidentiality (aka Secrecy): a. Data must be kept private b. Information should NOT be disclosed to unauthorized users 2. Integrity: data are accurate – protected from unauthorized modification and/or destruction 3. Availability: a. Data are accessible when needed b. Authorized users are not denied access c. Protecting the network from events that would render data unavailable (including power outages) November 10, 2010 CCT395F 2

  3. To Achieve the Main Objectives 1. Security policies (the 3-C’s): a. Must be clear b. Must be consistent c. Must be concise 2. Security mechanisms: a. Internal (e.g. Operating System, DBMS, firewalls, etc) b. External (e.g. restrict physical access, outside-the- network attacks, social engineering attacks, etc.) November 10, 2010 CCT395F 3

  4. Sources of Threats 1. Internal (aka insiders): a. Employee attacks (deliberate or accidental) b. Accidents and security oversights 2. External: a. Physical attacks b. Software attacks November 10, 2010 CCT395F 4

  5. * Who are Insiders? An insider is any entity that has authorized access to the organization’s network and data/information resources 1. Employees: a. Full/Part-time employees and their families b. Former employees c. Contractors, co-op students 2. Network users: a. Partners (recent mergers and acquisitions) b. Clients, customers November 10, 2010 CCT395F 5

  6. * Who are Insiders? (cont’d) 3. IT product/service suppliers – software development, hardware maintenance, remote support 4. Automated systems and processes (e.g. CIBC faxes to US Allstar and Wade Peer, Quebec and who knows where else… ☺ ) - http://www.priv.gc.ca/incidents/2005/050418_02_e.cfm and http://www.theglobeandmail.com/report-on-business/article959327.ece November 10, 2010 CCT395F 6

  7. * The Insider Advantage • Knowledge of asset value • Access to assets • Knowledge of business operations and procedures • Knowledge of protective controls and how to bypass them • Knowledge of corporate culture • Trusted by management and “dog watchers” November 10, 2010 CCT395F 7

  8. * What do Insiders Do? • Information leakage (knowingly or not) • Inappropriate activity • Inappropriate use of corporate resources • Access to internal information • Malicious activity • Inappropriate or illegal access to accounts/resources • Fraud and/or identity theft • Sabotage November 10, 2010 CCT395F 8

  9. * Information Leakage • Job postings • Newsgroups and blogs • Social networking sites • Instant messaging services • Newspapers • Legal investigations and court trials November 10, 2010 CCT395F 9

  10. * An Insider’s Profile • Sense of entitlement (“I’ve been here 20 years and you wouldn’t dare restrict my access” or “I work 17 hours a day and never got a bonus”) • Any challenge on “entitlement” leads to more resistance and frustration � prerequisite for revenge! • Frequently frustrated in the workplace (may also be personally and/or socially frustrated) May possess strong computer skills (or think they do ☺ ) • • Tend to plan their revenge (watch out for the early signs) • Financial gain is emerging as a significant motivating factor November 10, 2010 CCT395F 10

  11. The Insider’s MO 1. Employee attacks: a. Hacking techniques b. Take advantage of legitimate access c. Break into computer rooms d. Social engineering 2. Accidents and security oversights: a. Victims of social engineering b. Accidents causing physical damage c. Misuse of system(s) d. Installing personal hardware/software on the network November 10, 2010 CCT395F 11

  12. * Lessons Learned from Internal Attacks • Negative impact on corporate finances • Negative impact on corporate reputation • Internal threats ARE a corporate problem • Sometimes corporations refuse to acknowledge this… ☺ • Internal threats cannot be solved by technology alone • Growing lack of reporting and information sharing November 10, 2010 CCT395F 12

  13. External Threats 1. Physical attacks: a. Physical access to computer rooms b. Leaving Admin accounts logged-in 2. Software attacks: a. White-hat hackers b. Black-hat hackers c. Script kiddies d. Cyber-terrorists (p. 326) November 10, 2010 CCT395F 13

  14. Types of External Attacks 1. (Distributed) Denial of Service (D/DoS): • Easy to detect ** ; difficult to defend against • Can be in fact both internal and external • First incidents – 2001 – Register.com, Dept. of Finance • 2002 and 2007 attempts to bring down the Internet (DDoS attack against the DNS Backbone) • Facebook, Twitter, Livejournal, Amazon, Google, etc, etc, etc… • Prevention Tools: Firewalls � not very efficient on port 80 (Internet) for DDoS • • Switches and routers (ACL capability) to limit and shape traffic • Intelligent hardware – bandwidth management, deep packet inspection • Intrusion Prevention Systems (IPS) November 10, 2010 CCT395F 14

  15. Types of External Attacks (cont’d) 2. Buffer Overflow: • Almost impossible to detect by network/software engineers • Hackers can insert their own code into a program and take control of the system ** • Variations : stack-based and heap-based • Attacks are not very common – 2001 “Code Red” worm (MS IIS), 2003 Xbox exploit and “SQL Slammer” • Prevention Tools: • NOP slide (no-operation instructions) • “Jump to Address” technique • Choice of programming language (C/C++ not a very good choice if used without the C++ libraries) November 10, 2010 CCT395F 15

  16. Types of External Attacks (cont’d) 3. SQL Injections: • Exploit openings in SQL statements to insert and execute code, altering the database and taking control of the system ** • Variations : • Incorrectly filtered escape characters (application layer) November 10, 2010 CCT395F 16

  17. * SQL Injections (cont’d) 3. SQL Injection Variations: • Incorrectly filtered escape characters (application layer) SELECT authorization_level FROM Users WHERE user_name = ‘$email’; Normal user input: catalin.bidian@utoronto.ca � SELECT authorization_level FROM Users WHERE user_name = ‘catalin.bidian@utoronto.ca’ � Auth Level: Admin SQL Injection attack: test@test.com ’ OR ‘ 1 ’ = ‘ 1 � SELECT authorization_level FROM Users WHERE (user_name = ‘test@test.com’ OR ‘1’ = ‘1’ � Auth Level : ???? (LIST ALL) November 10, 2010 CCT395F 17

  18. * SQL Injections (cont’d) 3. SQL Injection Variations: • Incorrect type handling (application layer) SELECT * FROM Users WHERE user_id = ‘” + $variable + ‘” ; Normal user input: catalin � SELECT * FROM Users WHERE user_id = ‘catalin’ SQL Injection attack: a) test ’; DROP TABLE Users � SELECT * FROM Users WHERE user_id = ‘test’; DROP TABLE Users b) test ’; INSERT INTO Users (user_id, password, auth_level) VALUES (‘catalin’, ‘cct395’, ‘Admin’) � SELECT * FROM Users WHERE user_id = ‘test’; INSERT INTO…. c) test ’; UPDATE Users SET authorization_level = ‘Admin’ WHERE user_id = ‘catalin November 10, 2010 CCT395F 18

  19. * SQL Injections (cont’d) 3. SQL Injection Variations: • Brute force attacks (application layer) SELECT * FROM Users WHERE user_name = ‘$email’ AND password = ‘$user_password’; SQL Injection attack: • The attacker tries countless values for user_password until he/she succeeds • Assumes knowing at least one user name • Time consuming • Not generally feasible November 10, 2010 CCT395F 19

  20. * SQL Injections (cont’d) 3. SQL Injection Variations: • Blind SQL injection • Conditional responses • Conditional errors • Time delays • Schema field mapping (sequential queries) • WHERE field = ‘x’ AND user_email IS NULL; • WHERE user_email = ‘x’ AND user_id IS NULL; • Routine data base design (e.g. user_id ) • Exploiting vulnerabilities in SQL/mySQL server November 10, 2010 CCT395F 20

  21. * SQL Injections (cont’d) Mitigation Tools: • Cleanup the user input • Limit input boxes to a certain number of characters • Validate input programmatically (e.g. phone numbers, SIN, etc) - some numbers have check digit logic embedded • Quote-safe the input (e.g. John O’Connell) • Use bound parameters • myQuery = “SELECT *…WHERE user_id = $email;” Sth � execute($email); • • Use xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask • Limit permissions on the database • Use stored procedures • Hide URL address in web-browser • Configure error reporting, monitor logs, trigger alerts, etc November 10, 2010 CCT395F 21

  22. * 22 Some Examples CCT395F November 10, 2010

  23. * Some Examples (cont’d) Using mysql_real_escape_string Not very good: $owner = $_GET['owner']; $query = "select name, species from pet where owner='" . $owner . "'"; Better: $owner = mysql_real_escape_string($_GET['owner']); $query = "select name, species from pet where owner='" . $owner . "'"; November 10, 2010 CCT395F 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting Revoking Views Database Systems SQL Insertion Attacks Michael Pound Further Reading The Manga Guide to Databases, Chapter 5 Database

285 views • 7 slides
Database Security Enforced Database security - only authorized users can perform authorized

Database Security Enforced Database security - only authorized users can perform authorized

IT360: Applied Database Systems Database Security Kroenke: Ch 9, pg 309-314 PHP and MySQL: Ch 9, pg 217-227 1 Rights Database Security Enforced Database security - only authorized users can perform authorized activities Responsibilities

317 views • 9 slides
Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel

Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel

Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel Secure Databases RBAC in Commercial DBMS Statistical Database Security Simone Fischer-Hbner Applied Security, DAVC17 Relational Database

194 views • 6 slides
DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall 2020 University of Virginia 1 Levels of DB Security There are 6 levels that impact database security Database Level database users and

591 views • 21 slides
DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall 2020 University of Virginia 1 Levels of DB Security There are 6 levels that impact database security Database Level database users and

380 views • 18 slides
Course Content Database Management Systems Introduction Database Design Theory

Course Content Database Management Systems Introduction Database Design Theory

Course Content Database Management Systems Introduction Database Design Theory Query Processing and Optimisation Winter 2003 Concurrency Control Data Base Recovery and Security CMPUT 391: Database Recovery and Security

274 views • 12 slides
Session 8 Database, Cloud and IoT Security Sbastien Combfis Fall 2019 This work is

Session 8 Database, Cloud and IoT Security Sbastien Combfis Fall 2019 This work is

I5020 Computer Security Session 8 Database, Cloud and IoT Security Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License. Database Security

384 views • 24 slides
Database Security CS461/ECE422 Spring 2012 Overview Database

Database Security CS461/ECE422 Spring 2012 Overview Database

Database Security CS461/ECE422 Spring 2012 Overview Database model RelaAonal Databases Access Control Inference and StaAsAcal Databases Database

548 views • 27 slides
Security Control Methods for Statistical Database Li Xiong CS573 Data Privacy and Security

Security Control Methods for Statistical Database Li Xiong CS573 Data Privacy and Security

Security Control Methods for Statistical Database Li Xiong CS573 Data Privacy and Security Statistical Database A statistical database is a database which provides statistics on subsets of records OLAP vs. OLTP Statistics may be

397 views • 37 slides
NEBC Database Course 2008 Database Users And Security Backing-Up Data Tim Booth :

NEBC Database Course 2008 Database Users And Security Backing-Up Data Tim Booth :

NEBC Database Course 2008 Database Users And Security Backing-Up Data Tim Booth : tbooth@ceh.ac.uk Overview Areas covered: Controlling who can connect Table-level privileges Defining user groups Remote connections to

557 views • 17 slides
Database-enabled web technology Security Instructor: C a gr C oltekin

Database-enabled web technology Security Instructor: C a gr C oltekin

Database-enabled web technology Security Instructor: C a gr C oltekin c.coltekin@rug.nl Information science/Informatiekunde Fall 2011/12 Security in Web applications Web, Databases & Security http://xkcd.com/327/ C . C

952 views • 47 slides
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security Database Security Relational Databases constructed from tables of data each column holds a particular type of data each row contains a

935 views • 24 slides
EGTDC Database Course 2004 Database Users And Security Backing-Up Data Tim Booth :

EGTDC Database Course 2004 Database Users And Security Backing-Up Data Tim Booth :

EGTDC Database Course 2004 Database Users And Security Backing-Up Data Tim Booth : tbooth@ceh.ac.uk Environmental Genomics Thematic Programme Data Centre http://envgen.nox.ac.uk Overview Areas covered: Controlling who can connect

344 views • 16 slides
TDDD17 Informatjon Security Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se

TDDD17 Informatjon Security Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se

TDDD17 Informatjon Security Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se Acknowledgement: Many of the slides in this slide set are adaptations from slides made available for the database textbook by Elmasri and Navathe. Before

572 views • 24 slides
TDDD17 Informatjon Security (VT 2020) Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se

TDDD17 Informatjon Security (VT 2020) Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se

TDDD17 Informatjon Security (VT 2020) Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se Acknowledgement: Several of the slides in this slide set are adaptations from slides made available for the database textbook by Elmasri and

555 views • 27 slides
TDDD17 Informatjon Security (VT 2019) Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se

TDDD17 Informatjon Security (VT 2019) Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se

TDDD17 Informatjon Security (VT 2019) Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se Acknowledgement: Several of the slides in this slide set are adaptations from slides made available for the database textbook by Elmasri and

284 views • 27 slides
Spam Prevention using Spam Prevention using Access Code (AC) Access Code (AC) Akhtar H Khalil,

Spam Prevention using Spam Prevention using Access Code (AC) Access Code (AC) Akhtar H Khalil,

Spam Prevention using Spam Prevention using Access Code (AC) Access Code (AC) Akhtar H Khalil, David J. Parish Akhtar H Khalil, David J. Parish a.h.khalil@lboro.ac.uk , , d.j.parish@lboro.ac.uk d.j.parish@lboro.ac.uk a.h.khalil@lboro.ac.uk

630 views • 18 slides
Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems Engineer, Cloudflare Outline 1. HTTPS Interceptors and How to Find Them: Common sources of MITM (Monsters in the Middle). 2. A technique for

701 views • 37 slides
dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team

dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team

dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team Motivation & System Overview Why not just use CWSandbox, Anubis, Normans , JoeBox , Malware are Analys lysis is Sandbox Solutions

604 views • 24 slides
Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of programs run inside a sandbox is entirely isolated from resources outside the sandbox's authority. However, due to practical requirements, sandboxing

1.9k views • 164 slides
Trends in Malware DRAFT OUTLINE Wednesday, October 10, 12 Presentation Synopsis Security is

Trends in Malware DRAFT OUTLINE Wednesday, October 10, 12 Presentation Synopsis Security is

Trends in Malware DRAFT OUTLINE Wednesday, October 10, 12 Presentation Synopsis Security is often a game of cat and mouse as security professionals and attackers each vie to stay one step ahead of the other. In this race for dominance,

316 views • 17 slides
RansomwareDefense Follow us on Twitter : @AlphaKOR Visit our Blog: www.AlphaKOR.com/blog The

RansomwareDefense Follow us on Twitter : @AlphaKOR Visit our Blog: www.AlphaKOR.com/blog The

Header of slide goeshere AlphaKOR RansomwareDefense Follow us on Twitter : @AlphaKOR Visit our Blog: www.AlphaKOR.com/blog The Facts of the Presentation The 2019 AlphaKOR Ransomware Report is comprised of statistics pulled from a survey of

513 views • 23 slides
ANTIALIASING Based on slides by Kurt Akeley ALIASING Aliases are low frequencies in a rendered

ANTIALIASING Based on slides by Kurt Akeley ALIASING Aliases are low frequencies in a rendered

ANTIALIASING Based on slides by Kurt Akeley ALIASING Aliases are low frequencies in a rendered image that are due to higher frequencies in the original image. 2 JAGGIES Original: Rendered: 3 CONVOLUTION THEOREM Let f and g be the

672 views • 19 slides
Sampling Theory The world is continuous Like it or not, images are discrete. Intro to

Sampling Theory The world is continuous Like it or not, images are discrete. Intro to

Sampling Theory The world is continuous Like it or not, images are discrete. Intro to Sampling Theory We work using a discrete array of pixels We use discrete values for color We use discrete arrays and subdivisions for

316 views • 7 slides

More recommend