Ma. Anna Barbara R. Villanueva October 6, 2013

Advanced Organization of Database

Project 1-Documentation

I. Research Statement

A database is an organized collection of data. The data are typically organized to model relevant aspects of reality in a way that supports processes requiring this information. For example, a database may model the availability of rooms in hotels in a way that supports finding a hotel with vacancies.

Database management systems (DBMSs) are specially designed applications that interact with the user, other applications, and the database itself to capture and analyze data. A general-purpose database management system (DBMS) is a software system designed to allow the definition, creation, querying, update, and administration of databases. Well-known DBMSs include MySQL, PostgreSQL, SQLite, Microsoft SQL Server, Microsoft Access, Oracle, SAP, dBASE, FoxPro, IBM DB2, LibreOffice Base and FileMaker Pro. A database is not generally portable across different DBMSs, but different DBMSs can interoperate by using standards such as SQL and ODBC or JDBC to allow a single application to work with more than one database.

Database Development and Maintenance

A "flat" database holds all of the information about a record. The name, address, phone number, meeting attendance, publications ordered, committee membership, and any other information you choose is kept in a single database.

A flat database is very easy to manage. All the information is stored in one source. You can see how many board members have e-mail addresses, or how many donors are also volunteers. You can create a variety of different ways to look at the data with input screens, reports, mailing lists and special queries.

The limit of a flat database is not in the number of records you can put in, but in how much information you can track per record. As your organisation grows and more people need to track a great deal of different information about each record, you may want to change to a relational or shared database. This allows one of your staff to track meeting attendance and program involvement in detail, while another searches detailed information about each record's donation history. But you do not need this when you are starting up. Go with a simple, reliable database program.

Information security should always be part of technology, but amid the many innovations happening in society, security is sometimes taken for granted. Database security is part of information security.

We all know that a database is the centralized storage or repository of an organization's files. Imagine how harmful it would be if the company's database were not secured: its contents would be exposed to unauthorized users, who may make the database unreliable.

Specific Problems:

  • Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to sensitive data, metadata or functions within databases, or inappropriate changes to the database programs, structures or security configurations);

  • Malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services;

  • Overloads, performance constraints and capacity issues resulting in the inability of authorized users to use databases as intended;

  • Physical damage to database servers caused by computer room fires or floods, overheating, lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and obsolescence;

  • Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities (e.g. unauthorized privilege escalation), data loss/corruption, performance degradation etc.;

  • Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage etc.

Databases contain the largest -- and most sensitive -- store of enterprise data, making them a prime target for attackers. But it's often the enterprise's internal staff -- database developers, administrators, and even users -- who create the vulnerabilities that attackers exploit to compromise that data.

II. Study of Related Literature

The following are examples of documentation and articles from different sources and authors that discuss database security:

Database Security is IT's Biggest Problem
At the Black Hat conference David Litchfield, security guru and managing director of UK company NGS, exposed over 20 vulnerabilities in IBM's Informix database products.

At the opening day of the Black Hat conference on Wednesday David Litchfield, security guru and managing director of UK company NGS, exposed over 20 vulnerabilities in IBM's Informix database products, demonstrating exactly how attackers could exploit the Informix security holes to create malicious files and libraries, gain database administrator (DBA)-level privileges, access sensitive data and cause a denial of service. He said the flaws illustrate the growing perils of database security in general and that IT shops must pay more attention to database security.

"In my opinion, database security is riddled with holes and it's the biggest problem we face in IT today," said Litchfield.

Database attacks, he said, "offer the biggest potential for fraudulent activity and damage to companies' reputations and customer confidence." The long string of data breaches of the past year and a half, he said, are proof of this.

As more and more companies rely upon databases to support mission critical business activity, the problem is growing fast. In this instance Litchfield has focused his attention on vendor vulnerabilities but the issues he highlights apply just as well to database deployment errors. Vulnerabilities in vendor solutions can be mitigated to some extent by timely patching. Deployment errors caused for example by poorly configured databases, inappropriate access permissions or badly engineered applications accessing the database can be much tougher to tackle.

There are a number of steps businesses can take to deal with these issues. One of the key ones is to implement a policy of least privilege. The burning question is "Who is asking the database to do what?"

Organisations really need to be ahead of the game with a system that effectively asks the "McEnroe" question for each and every request made to the database that is inconsistent with what should normally be going on: "Surely - you cannot be serious!?" and prevents the database ever being asked to do something that they really would prefer it didn't do.

Unique new technology being introduced by Oxford-based Secerno uses machine learning algorithms to allow users to build up a rich understanding of application-to-database behaviour and to insist on database interactions conforming only to allowable behaviours. It represents the world's first database application assurance platform. This approach is not constrained by the usual black list/white list approach which prevents traditional tools from dealing effectively with Zero Day attacks or carefully crafted SQL injections. Secerno provides a number of proactive capabilities which help prevent database attacks:

  • determines true least privilege access to the database

  • creates an efficient logging environment demonstrating audit compliance

  • determines where engineering quality can be improved

  • and automatically identifies dormant software features

Technically, the two most prevalent areas of weakness in databases, as highlighted in the SANS Top 20, are:

  • Buffer overflows

  • SQL injections

SQL Injections
SQL injections are certainly a seriously growing problem and are a worrying example of attackers using invasive procedures which cannot be easily patched. These make Slammer and other attacks seem like a piece of cake. In this exploit, an attacker takes advantage of incorrectly filtered SQL queries and other input information to pull any information he wants from a database. Without a victim knowing it, an attacker can simply write a line of code and let it piggyback on another, returning vast amounts of data to the hacker making the request.

That includes everything from Social Security numbers, to credit card information, to information about customer buying patterns or company products. Clearly the damage of such incidents can be extreme. But attacks involving SQL injections are rarely reported as such because most companies whose computer networks fall prey to this flaw don't want to admit that their code is flawed and vulnerable to such attacks.
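As an added illustration of the mechanism described above (example code written for this document, not taken from the original or from any cited source): the same customer lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. Table and row values are assumptions.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the document.
SAMPLE_ROWS = [("Alice", "1234"), ("Bob", "5678"), ("Carol", "9012")]


def make_db():
    """Build an in-memory SQLite database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_concatenated(conn, name):
    """The 'incorrectly filtered' pattern: user input becomes part of the SQL text.

    Kept here only to show the failure mode. Whatever the caller supplies is
    parsed by the database as SQL, so the statement's meaning can change.
    """
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and report how many rows each returned."""
    conn = make_db()
    try:
        return {
            "concatenated": len(lookup_concatenated(conn, name)),
            "parameterized": len(lookup_parameterized(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A genuine customer name: both variants agree on one row.
    print("Alice ->", compare("Alice"))
    # Input that closes the quote and appends an always-true condition: the
    # concatenated query returns every row (the "vast amounts of data" above),
    # while the parameterized query returns none, because no customer is
    # literally named "x' OR '1'='1".
    print("tautology ->", compare("x' OR '1'='1"))
```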

According to Gartner analyst John Pescatore: "There have definitely been Gartner clients who said 'we had a problem, we brought somebody in and they said it looks like we had a SQL injection vulnerability.' But you don't read it in a newspaper because it's targeted."

A few well-publicised examples do exist however. The CardSystems security breach, where hackers stole 263,000 customer credit card numbers and exposed 40 million more, is a prime example of a SQL Injection attack. A more recent example of a SQL Injection attack occurred last December when Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during this attack.

The Web Application Security forum lists 15 incidents. The emerging - and rather scary - trend is that many of these attacks are now targeted. An attacker is trying to obtain specific data from a specific company, and the effect on business and reputation loss can be extreme. As David Litchfield demonstrated this week at Black Hat, the precise way the attack is mounted is tuned to the specific database and the exact environment it is in. In other words, every attack becomes a Zero Day attack.

Secerno's technology - largely because it is protocol based and not constrained by the pattern matching of traditional techniques - alerts on all statements - even ones that have never been seen before and may be outside of the approved/appropriate behaviour of the application being scanned.
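A simplified, added illustration of the idea in the last paragraph and of the "Who is asking the database to do what?" question earlier in this section: learn the statement shapes each application account normally issues, then alert on any request whose shape, or whose pairing of account and shape, was never observed, even if the exact statement has never been seen before. This is example code written for this document, not Secerno's product or algorithm; the account names and the statements in the two traffic lists are constructed.

```python
import re

# Literal-stripping rules applied in order: quoted strings first, then bare
# numbers, so a quoted digit such as '1' is handled by the string rule.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")
_IN_LIST = re.compile(r"\(\s*\?(?:\s*,\s*\?)*\s*\)")


def normalize(sql):
    """Reduce a statement to its shape: literals become '?', whitespace and case are folded."""
    shape = _STRING_LITERAL.sub("?", sql.strip())
    shape = _NUMBER_LITERAL.sub("?", shape)
    shape = re.sub(r"\s+", " ", shape).upper()
    # IN (?, ?, ?) and IN (?) are the same shape regardless of list length.
    return _IN_LIST.sub("(?)", shape)


class StatementBaseline:
    """Learns which statement shapes each application account issues, then flags the rest."""

    def __init__(self):
        self.seen = {}  # (account, shape) -> times observed while learning

    def learn(self, account, sql):
        key = (account, normalize(sql))
        self.seen[key] = self.seen.get(key, 0) + 1

    def check(self, account, sql):
        """Return None for a known account/shape pair, else an alert for review."""
        shape = normalize(sql)
        if (account, shape) in self.seen:
            return None
        known_elsewhere = any(s == shape for (_, s) in self.seen)
        return {
            "account": account,
            "shape": shape,
            "reason": ("shape known for another account" if known_elsewhere
                       else "shape never observed"),
        }


# Constructed traffic for the demonstration; account names and statements are
# assumptions, not taken from the document or any real deployment.
LEARNING_TRAFFIC = [
    ("web_app", "SELECT name, card_last4 FROM customers WHERE name = 'Alice'"),
    ("web_app", "SELECT name, card_last4 FROM customers WHERE name = 'Bob'"),
    ("web_app", "UPDATE customers SET name = 'Carol' WHERE id = 3"),
    ("reporting", "SELECT count(*) FROM customers WHERE id IN (1, 2, 3)"),
]

LIVE_TRAFFIC = [
    # New value, known shape: no alert.
    ("web_app", "SELECT name, card_last4 FROM customers WHERE name = 'Dave'"),
    # Injected tautology changes the shape (an extra OR ?=? clause): alert.
    ("web_app", "SELECT name, card_last4 FROM customers WHERE name = 'x' OR '1'='1'"),
    # Shorter IN list, same shape: no alert.
    ("reporting", "SELECT count(*) FROM customers WHERE id IN (7)"),
    # Valid shape, but the reporting account never issued it: alert.
    ("reporting", "SELECT name, card_last4 FROM customers WHERE name = 'Alice'"),
]


def run_demo():
    """Learn from LEARNING_TRAFFIC, then return the alerts raised by LIVE_TRAFFIC."""
    baseline = StatementBaseline()
    for account, sql in LEARNING_TRAFFIC:
        baseline.learn(account, sql)
    alerts = []
    for account, sql in LIVE_TRAFFIC:
        alert = baseline.check(account, sql)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The learning phase here is trusted as clean; in practice a baseline captured while an application is already being misused would learn the misuse as normal.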

Buffer Overflow
This is the other key database problem highlighted by SANS, who advocate patching as the solution. Although this is the preferred remedy to date, it presents a number of real problems. Patching means shutting down a mission-critical database, disrupting 24x7 business and costing real money in both operational down-time and database management labour. Often companies apply patches late, leaving a yawning gap in the window of vulnerability.

Using Secerno, the threat may already have been closed; if not, it can easily be closed, freeing the company to apply the database patches at a time that suits its operations rather than to a schedule that is under the attackers' control.

This approach puts the company back on the front foot - proactive security rather than just-too-late reactivity.

Authorized Access/Database Sharing

The largest concern people have about Internet privacy is the fear that their credit card information will be stolen by hackers breaking into their bank. This problem seems to be secondary to the problems with authorized access. Many people have "legitimate" access to databases with sensitive personal information. Oftentimes, there is a dichotomy between those people who we believe should have access and those who do. Moreover, we are often not aware that people are accessing our information.

An obvious example is unlisted phone numbers. People make their phone numbers unlisted to avoid unwanted callers and to protect their privacy. However, unlisted phone numbers have sometimes been released by phone companies. Such was the case with AT&T, which provided as a service the ability to look up the name of the person at a particular phone number, even if that phone number was unlisted. Another incident may have involved the selling of a phone company's database (including unlisted numbers) to telemarketers.

Increasingly, databases of information are being sold to individuals to whom we did not give the information, and who are using the information in entirely different ways than we expected. Other companies routinely share, swap, or sell their databases without customer notification. Hospitals will often sell their database of newborn babies to maternity catalogs. Credit card companies also sell databases of their clients' buying habits to other retailers who might be interested. In addition, some databases of information we assume to be private are now generally accessible. For example, the State of Texas made its license plate database available for anyone to search. The database could easily be abused by stalkers and marketers, who would now be able to find the current address of anyone, given their license plate number. In Colorado, students' entire records were provided to anyone claiming to be doing educational research.

Students' records contain a great deal of sensitive information, including problems in school, learning disabilities, and the current location of the student's family. The bottom line on authorized access is this: there is no protection of information. Today, your information may be freely distributed without your consent.

Unauthorized Access

Unauthorized access is certainly the problem most people think about regarding online databases. Online credit card number databases were compromised by Kevin Mitnick in one of the most publicized examples. Certainly it is an issue that is becoming more important as more databases are put online, where they are vulnerable to attack from the Internet. Security at some of these databases has been lacking. Nonetheless, the real impact of security problems has been negligible, as much database information is already available through "legitimate" means (or by means of "social engineering"). However, some past examples are troubling, such as the HMO whose patients' psychological records were being kept online under questionable security. Currently, some universities have the Social Security Numbers of their students inadvertently online and accessible to the rest of the world. Also, some databases may require different levels of security, which has not been adequately addressed. An example of different security levels is the DMV's fingerprint database; some fingerprints, such as those of Witness Protection Program persons, may need a higher level of security than others.


Another problem we are likely to see more of is sub-contracting, in which a private company actually maintains a database for the government. The risk of abuse (authorized and unauthorized) is obvious. Yet health care reforms in California and elsewhere now contract patient databases to private companies. It is also likely that other government agencies will do likewise.

Database Security Issues

  • Daily Maintenance: Database audit logs require daily review to make certain that there has been no data misuse. This requires overseeing database privileges and then consistently updating user access accounts. A database security manager also provides different types of access control for different users and assesses new programs that are performing with the database. If these tasks are performed on a daily basis, you can avoid a lot of problems with users that may pose a threat to the security of the database.

  • Varied Security Methods for Applications: More often than not, application developers will vary the methods of security for different applications that are being utilized within the database. This makes it difficult to create policies for accessing the applications. The database must also possess the proper access controls for regulating the varying methods of security; otherwise, sensitive data is at risk.

  • Post-Upgrade Evaluation: When a database is upgraded it is necessary for the administrator to perform a post-upgrade evaluation to ensure that security is consistent across all programs. Failure to perform this operation opens up the database to attack.

  • Split the Position: Sometimes organizations fail to split the duties between the IT administrator and the database security manager. Instead the company tries to cut costs by having the IT administrator do everything. This action can significantly compromise the security of the data due to the responsibilities involved with both positions. The IT administrator should manage the database while the security manager performs all of the daily security processes.

  • Application Spoofing: Hackers are capable of creating applications that resemble the existing applications connected to the database. These unauthorized applications are often difficult to identify and allow hackers access to the database via the application in disguise.

  • Manage User Passwords: Sometimes IT database security managers forget to remove the IDs and access privileges of former users, which leads to password vulnerabilities in the database. Password rules and maintenance need to be strictly enforced to avoid opening up the database to unauthorized users.

  • Windows OS Flaws: Windows operating systems are not effective when it comes to database security. Theft of passwords is often prevalent, as are denial of service issues. The database security manager can take precautions through routine daily maintenance checks.

These are just a few of the database security problems that exist within organizations.

1. Heartland Payment Systems

  • Date: March 2008

  • Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.

A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009. Gonzalez, a Cuban-American, was alleged to have masterminded the international operation that stole the credit and debit cards. In March 2010 he was sentenced to 20 years in federal prison. The vulnerability to SQL injection was well understood and security analysts had warned retailers about it for several years. Yet, the continuing vulnerability of many Web-facing applications made SQL injection the most common form of attack against Web sites at the time.

2. TJX Companies Inc.

  • Date: December 2006

  • Impact: 94 million credit cards exposed.

There are conflicting accounts about how this happened. One supposes that a group of hackers took advantage of a weak data encryption system and stole credit card data during a wireless transfer between two Marshall's stores in Miami, Fla. The other has them breaking into the TJX network through in-store kiosks that allowed people to apply for jobs electronically. According to KNOS Project cofounder and chief architect Kevin McAleavey, this was possible because TJX's network wasn't protected by any firewalls. Albert Gonzalez, hacking legend and ringleader of the Heartland breach, was convicted and sentenced to 40 years in prison, while 11 others were arrested.

3. Epsilon

    • Date: March 2011

    • Impact: Exposed names and e-mails of millions of customers stored in more than 108 retail stores plus several huge financial firms like CitiGroup Inc. and the non-profit educational organization, College Board.

The source of the breach is still undetermined, but tech experts say it could lead to numerous phishing scams and countless identity theft claims. There are different views on how damaging the Epsilon breach was. Bruce Schneier, chief security technology officer at BT and a prolific author, wrote in a blog post at the time that, "Yes, millions of names and e-mail addresses (and) other customer information might have been stolen. Yes, this personal information could be used to create more personalized and better-targeted phishing attacks. So what? These sorts of breaches happen all the time, and even more personal information is stolen." Still, Kevin McAleavey of the KNOS Project says the breach is being estimated as a $4 billion loss. Since Epsilon has a client list of more than 2,200 global brands and handles more than 40 billion e-mails annually, he says it could be, "the biggest, if not the most expensive, security breach of all time."

4. RSA Security

    • Date: March 2011

    • Impact: Possibly 40 million employee records stolen.

The impact of the cyber attack that stole information on the company's SecurID authentication tokens is still being debated. The company said two separate hacker groups worked in collaboration with a foreign government to launch a series of spear phishing attacks against RSA employees, posing as people the employees trusted, to penetrate the company's network. EMC reported last July that it had spent at least $66 million on remediation. But according to RSA executives, no customers' networks were breached. John Linkous, vice president, chief security and compliance officer of eIQnetworks, Inc., doesn't buy it. "RSA didn't help the matter by initially being vague about both the attack vector, and (more importantly) the data that was stolen," he says. "It was only a matter of time before subsequent attacks on Lockheed-Martin, L3, and others occurred, all of which are believed to be partially enabled by the RSA breach." Beyond that, Linkous says, is the psychological damage. "The breach of RSA was utterly massive not only from a potential tactical damage perspective, but also in terms of the abject fear that it drove into every CIO who lost the warm-and-fuzzy feeling that the integrity of his or her enterprise authentication model was intact." Among the lessons, he says, are that even good security companies like RSA are not immune to being hacked. Finally, "human beings are, indeed, the weakest link in the chain," Linkous says.

5. Stuxnet

    • Date: Sometime in 2010, but origins date to 2007

    • Impact: Meant to attack Iran's nuclear power program, but will also serve as a template for real-world intrusion and service disruption of power grids, water supplies or public transportation systems.

The immediate effects of Stuxnet were minimal -- at least in this country -- but eIQnetworks' John Linkous ranks it among the top large-scale breaches because, "it was the first that bridged the virtual and real worlds. When a piece of code can have a tangible effect on a nation, city or person, then we've truly arrived in a strange, new world," he says. Linkous says Stuxnet is proof that nation-states, "are definitely actors -- both attackers and victims -- in the cyberwarfare game." He adds that the more that electro-mechanical industrial and energy systems migrate to larger networks -- particularly the Internet -- "the more we're going to see these real-world intrusions."

6. Department of Veterans Affairs

    • Date: May 2006

    • Impact: An unencrypted national database with names, Social Security numbers, dates of birth, and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses was stolen.

The breach pointed once again to the human element being the weakest link in the security chain. The database was on a laptop and external hard drive that were both stolen in a burglary from a VA analyst's Maryland home. The analyst reported the May 3, 2006 theft to the police immediately, but Veterans Affairs Secretary R. James Nicholson was not told of it until May 16. Nicholson informed the FBI the next day, but the VA issued no public statement until May 22. An unknown person returned the stolen items June 29, 2006. The VA estimated it would cost $100 million to $500 million to prevent and cover possible losses from the theft.

7. Sony's PlayStation Network

    • Date: April 20, 2011

    • Impact: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.

This is viewed as the worst gaming community data breach of all time. Of more than 77 million accounts affected, 12 million had unencrypted credit card numbers. According to Sony, it still has not found the source of the hack. Whoever they are gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers, and PSN/Qriocity logins and passwords. "It's enough to make every good security person wonder, 'If this is what it's like at Sony, what's it like at every other multi-national company that's sitting on millions of user data records?'" says eIQnetworks' John Linkous. He says it should remind those in IT security to identify and apply security controls consistently across their organizations. For customers, "Be careful whom you give your data to. It may not be worth the price to get access to online games or other virtual assets."

8. ESTsoft

    • Date: July-August 2011

    • Impact: The personal information of 35 million South Koreans was exposed after hackers breached the security of a popular software provider.

It is called South Korea's biggest theft of information in history, affecting a majority of the population. South Korean news outlets reported that attackers with Chinese IP addresses uploaded malware to a server used to update ESTsoft's ALZip compression application. Attackers were able to steal the names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and street and email addresses contained in a database connected to the same network. ESTsoft CEO Kim Jang-joon issued an apology and promised to, "strengthen the security system of our programs."

9. Gawker Media

    • Date: December 2010

    • Impact: Compromised e-mail addresses and passwords of about 1.3 million commenters on popular blogs like Lifehacker, Gizmodo, and Jezebel, plus the theft of the source code for Gawker's custom-built content management system.

Online forums and blogs are among the most popular targets of hackers. A group calling itself Gnosis claimed responsibility for the attack, saying it had been launched because of Gawker's "outright arrogance" toward the hacker community. "They're rarely secured to the same level as large, commercial websites," says the KNOS Project's Kevin McAleavey, who adds that the main problem was that Gawker stored passwords in a format that was very easy for hackers to understand. "Some users used the same passwords for email and Twitter, and it was only a matter of hours before hackers had hijacked their accounts and begun using them to send spam," says McAleavey.

10. Google/other Silicon Valley companies

    • Date: Mid-2009

    • Impact: Stolen intellectual property

In an act of industrial espionage, the Chinese government launched a massive and unprecedented attack on Google, Yahoo, and dozens of other Silicon Valley companies. The Chinese hackers exploited a weakness in an old version of Internet Explorer to gain access to Google's internal network. It was first announced that China was trying to gather information on Chinese human rights activists. It's not known exactly what data was stolen from the American companies, but Google admitted that some of its intellectual property had been stolen and that it would soon cease operations in China. For users, the urgent message is that those who haven't recently updated their web browser should do so immediately.

11. VeriSign

    • Date: Throughout 2010

    • Impact: Undisclosed information stolen

Security experts are unanimous in saying that the most troubling thing about the VeriSign breach, or breaches, in which hackers gained access to privileged systems and information, is the way the company handled it -- poorly. VeriSign never announced the attacks. The incidents did not become public until 2011, through a new SEC-mandated filing. "How many times were they breached?" asks eIQnetworks' John Linkous. "What attack vectors were used? The short answer is: we don't know. And the response to that is simply: we should." "Nearly everyone will be hacked eventually," says Jon Callas, CTO for Entrust, in a post earlier this month on Help Net Security. "The measure of a company is how they respond." VeriSign said no critical systems such as the DNS servers or the certificate servers were compromised, but did say that, "access was gained to information on a small portion of our computers and servers." It has yet to report what the information stolen was and what impact it could have on the company or its customers. Linkous says the company's "failure to disclose until legally required to do so is going to haunt VeriSign for some time."

12. CardSystems Solutions

    • Date: June 2005

    • Impact: 40 million credit card accounts exposed. CSS, one of the top payment processors for Visa, MasterCard and American Express, is ultimately forced into acquisition.

Hackers broke into CardSystems' database using an SQL Trojan attack, which inserted code into the database via the browser page every four days, placing data into a zip file and sending it back over FTP. Since the company never encrypted users' personal information, hackers gained access to names, account numbers, and verification codes of more than 40 million card holders. Visa spokeswoman Rosetta Jones told Wired News at the time that CSS received an audit certification in June 2004 that it was compliant with data storage standards, but an assessment after the breach showed it was not compliant. "Had they been following the rules and requirements, they would not have been compromised," Jones said. The company was acquired by Pay-by-touch at the end of 2005.

13. AOL

    • Date: August 6, 2006

    • Impact: Data on more than 20 million web inquiries, from more than 650,000 users, including shopping and banking data were posted publicly on a web site.

In January 2007, Business 2.0 Magazine ranked the release of the search data among the "101 Dumbest Moments in Business." Michael Arrington, a lawyer and founder of the blog site TechCrunch, posted a comment on his blog saying, "The utter stupidity of this is staggering." AOL Research, headed by Dr. Abdur Chowdhury, released a compressed text file on one of its websites containing 20 million search keywords for more than 650,000 users over a three-month period. While it was intended for research purposes, it was mistakenly posted publicly. AOL pulled the file from public access by the next day, but not before it had been mirrored and distributed on the Internet. AOL itself did not identify users, but personally identifiable information was present in many of the queries, and as AOL attributed the queries to particular user accounts, identified numerically, an individual could be identified and matched to their account and search history by such information. The breach led to the resignation of AOL's CTO, Maureen Govern, on Aug. 21, 2006.

14. Monster Worldwide
    • Date: August 2007

    • Impact: Confidential information of 1.3 million job seekers stolen and used in a phishing scam.

Hackers broke into the U.S. online recruitment site's password-protected resume library using credentials that Monster Worldwide Inc. said were stolen from its clients. Reuters reported that the attack was launched using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program. The company said the information stolen was limited to names, addresses, phone numbers and e-mail addresses, and no other details, including bank account numbers, were uploaded. But one problem was that Monster learned of the breach on Aug. 17, but didn't go public with it for five days. Another, reported by Symantec, was that the hackers sent out scam e-mails seeking personal financial data, including bank account numbers. They also asked users to click on links that could infect their PCs with malicious software. Once that information was stolen, hackers e-mailed the victims claiming to have infected their computers with a virus and threatening to delete files unless the victims met payment demands.

15. Fidelity National Information Services

    • Date: July 2007

    • Impact: An employee of FIS subsidiary Certegy Check Services stole 3.2 million customer records including credit card, banking and personal information.

Network World reported that the theft was discovered in May 2007 and that a database administrator named William Sullivan, said to own a company called S&S Computer Services in Largo, Fla., had been fired, but the theft was not disclosed until July. Sullivan allegedly sold the data for an undisclosed amount to a data broker, who in turn sold it to various marketing firms. A class-action lawsuit was filed against FIS and one of its subsidiaries, charging the companies with negligence in connection with the data breach. Sullivan agreed to plead guilty to federal fraud charges and was sentenced to four years and nine months in prison and ordered to pay a $3.2 million fine. On July 7, 2008, a class-action settlement entitled each person whose financial information was stolen to up to $20,000 for unreimbursed identity theft losses. The case is a reminder that a privileged insider with legitimate read access to the whole table needs no exploit at all, which is why access to bulk customer data should be monitored and not merely granted.

III. Analysis and Findings

The most common cause of database vulnerabilities is the lack of care with which they are deployed. Databases are usually tested functionally to make sure they provide the core functions the calling applications need. In fact, the majority of pre-deployment tests verify that a database does what it should do; very few check that it does not do something it should not.

Every database should pass a long checklist of tests prior to deployment. That list covers just about every facet of the database, but most items map directly to common exploit vectors used by attackers: default accounts and passwords, sample schemas and demo users, network listeners bound to every interface, unencrypted client connections, and privileges granted to PUBLIC. Every relational database platform (including Oracle, DB2, SQL Server, Sybase, Postgres, and MySQL) is insecure after a fresh installation, and it will remain that way until you fix it.

Some DBAs forget about network security. The common mindset is that databases live in the "back office," a network segment separated from the Internet, so communications to and from the database do not have to be encrypted. What these IT pros are forgetting, or ignoring, is the networking interface of their database. Make no mistake: for an attacker who can observe the traffic (from a compromised host on the same segment, a misconfigured or spoofed switch, or a tapped link) it is trivial to capture the connections of many users to the database and parse out interesting data, in essence seeing everything that moves in and out.

In all cases, you should enable Transport Layer Security. TLS (the successor to Secure Sockets Layer, which is deprecated and should not be re-enabled) has minimal impact on network performance and makes it very difficult for someone to collect data from the wire. Most relational platforms provide TLS-encrypted communications as part of the basic database package, enabled through a simple configuration setting change. Two caveats apply. First, the server still needs a certificate that clients are configured to verify; otherwise the channel is encrypted but not authenticated, and an attacker in the path can impersonate the server. Second, the listener should be configured to reject connections that do not negotiate TLS, or a client that quietly falls back to plaintext will undo the setting.

For platforms that do not include encrypted network communications, you will have to add a third-party option such as a TLS tunnel or proxy placed in front of the database listener. Many good TLS implementations are available from the open source community.
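The following is an added example, not code from the original document or from PostgreSQL, that covers both points above: the pre-deployment checklist, and the requirement that the database refuse unencrypted or unauthenticated network connections. It parses a PostgreSQL pg_hba.conf and flags rules that admit clients without TLS, rules with weak or absent authentication, and rules that match any client address. The column layout, connection types and authentication methods are PostgreSQL's documented ones; the sample configuration and the severity judgements are constructed for this example. Note that transport encryption also requires ssl = on and a server certificate in postgresql.conf; with that in place, hostssl rules reject clients that did not negotiate TLS.

```python
"""Audit a PostgreSQL pg_hba.conf for rules that admit plaintext or weakly
authenticated connections.

Added example, not code from the original document or from PostgreSQL.
The sample configuration below is constructed for illustration. Column layout
(TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS]), connection types
and authentication methods follow PostgreSQL's documented pg_hba.conf format;
which of them count as weak is this script's own judgement.
"""
import ipaddress
import shlex
from dataclasses import dataclass

# Connection types that accept TCP clients without TLS. 'host' matches both
# TLS and plaintext clients, so it still admits plaintext unless every client
# is separately forced to negotiate TLS.
UNENCRYPTED_TYPES = {"host", "hostnossl", "hostnogssenc"}

# 'trust' asks for no credential at all, 'password' sends the password in
# clear text, 'md5' is the legacy challenge-response scheme superseded by
# scram-sha-256.
WEAK_METHODS = {"trust", "password", "md5"}

# Address values that match any client on the network.
ANY_ADDRESS = {"all", "0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    line_no: int
    rule: str
    problem: str


def _is_ip(token):
    """True if token is a bare IPv4/IPv6 address, i.e. a separate NETMASK column."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_rule(line):
    """Split one pg_hba.conf line into its columns; None for blank or comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = shlex.split(body)  # quoted database or role names stay intact
    conn_type = fields[0]
    if conn_type == "local":
        # Unix-domain socket rules have no ADDRESS column.
        if len(fields) < 4:
            raise ValueError(f"malformed local rule: {line!r}")
        address, rest = None, fields[3:]
    else:
        if len(fields) < 5:
            raise ValueError(f"malformed {conn_type} rule: {line!r}")
        address, rest = fields[3], fields[4:]
        # ADDRESS may be written as CIDR or as 'address netmask'.
        if _is_ip(rest[0]):
            address = f"{address} {rest[0]}"
            rest = rest[1:]
        if not rest:
            raise ValueError(f"missing method: {line!r}")
    return {
        "type": conn_type,
        "database": fields[1],
        "user": fields[2],
        "address": address,
        "method": rest[0],
        "options": rest[1:],
    }


def audit(config_text):
    """Return one Finding per weakness, in file order."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None:
            continue
        summary = line.split("#", 1)[0].strip()
        if rule["type"] in UNENCRYPTED_TYPES:
            findings.append(Finding(line_no, summary,
                f"type '{rule['type']}' admits clients that did not negotiate TLS; use 'hostssl'"))
        if rule["method"] in WEAK_METHODS:
            findings.append(Finding(line_no, summary,
                f"method '{rule['method']}' is weak; use scram-sha-256 or cert"))
        if rule["address"] in ANY_ADDRESS:
            findings.append(Finding(line_no, summary,
                "address matches every client; restrict to the application subnet"))
    return findings


# Constructed sample, not a real configuration. Finding line numbers refer to it.
SAMPLE_PG_HBA = """\
# TYPE      DATABASE   USER      ADDRESS            METHOD
local       all        postgres                     peer
hostssl     app        app_rw    10.0.1.0/24        scram-sha-256
host        all        all       10.0.0.0/8         md5
hostnossl   reporting  analyst   10.0.2.5 255.255.255.255 password
host        all        all       0.0.0.0/0          trust
hostssl     all        all       ::/0               cert clientcert=verify-full
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PG_HBA):
        print(f"line {f.line_no}: {f.problem}\n    {f.rule}")
```

Run as-is to see the findings for the constructed sample (lines 2 and 3 pass; lines 4 to 7 produce eight findings between them). To audit a real server, read its pg_hba.conf into a string and pass it to audit(); pair the result with a check that postgresql.conf has ssl = on, since a hostssl rule is meaningless if the server cannot offer TLS.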


The main motivation for this project is the need for improvement in database security and facilities. This study focuses on how database security can be implemented in an organization, and discusses the advantages of the given techniques as well as their disadvantages and risks. It offers users options for preventing attacks on, and malfunctions of, the databases they use within their organization. If the techniques are implemented successfully, the operation of the affected databases will also improve, and the work can contribute an innovation to IT practice.

IV. Conclusions

Through this research study, users of databases, computerized systems and web-based systems may become informed about the risks of using technology, and in particular about security. Security is not a given; to attain it, we must know and study the techniques that achieve security in database systems. For the security problems found in databases, there are also techniques that can be used to solve them. This research topic focuses on the following summarized data and gives importance to the following concerns:

1. A false sense of security. While large organizations tend to believe that most of their data is protected, they also suffer continuing data breaches, face new threats, rely on manual processes, and do not have the controls in place to keep up. Despite this widespread confidence, ESG can only conclude that database security has become a weak link in the overall data security chain.

2. Regulatory compliance remains a monumental effort. To meet regulatory compliance mandates, large organizations are forced to rely on manual tasks and time consuming processes. This is a growing problem as enterprises increase data capacity, add new databases, and share data with external constituents. The result? Many organizations are failing compliance audits. This is especially concerning since compliance audits are often “checkbox” exercises that are only marginally effective at addressing real risks. ESG believes that this data should be a wake-up call. Large organizations must move from inefficient compliance exercises to automated risk management ASAP.

3. Database security spending is not keeping up. While CIOs continue to spend on security, specific database security safeguards remain underserved. This may result from the communications gap between IT and business executives previously described in Figure 4, or from the misguided belief that database vendors provide all the integrated security needed. Regardless of the reason, ESG's data indicates that database security suffers from a lack of investment. Clearly, large organizations are spending on the wrong things in the wrong places. Dedicated tools that can address real risks, automate processes, and streamline compliance efforts are sorely needed.


Educate business and financial executives. The data presented herein should be used as third-party validation illustrating a pervasive data security problem to business executives. When presenting this case to business executives, IT managers should highlight the following points:

o Data breaches continue, therefore data security must remain a high priority.

o Threats are changing and growing, therefore new countermeasures and security skills are always needed.

o Database security shortcomings can pose regulatory compliance issues for the entire organization; security is a business and not just a technology issue.

o Organizational problems can impede database security; therefore security leadership must come from the executive office suite.

Re-examine security spending priorities. While most firms invest in security tools like firewalls, IDS/IPS, and PC security suites, they remain behind with regard to database-specific security tools. Database-specific tools can scan for misconfigurations and vulnerabilities, automate processes, monitor controls, and streamline audits. Given the risks uncovered in this report, CISOs may want to prioritize database security investments over more pedestrian needs sooner rather than later.

Conduct a cost/benefit analysis. Since incremental security budget dollars may be unlikely at this time, use the data presented here as a basis of a cost/benefit analysis.

Determine database security ownership. Database security oversight must become more centralized in the hands of a subset of security and database professionals with a greater understanding of threats, vulnerabilities, and risks. CIOs should assess current database security problems and then re-structure IT organizational responsibilities and accountability around security, systems administration, and database administration. Again, centralized database security tools can help ease this transition by automating processes and providing role-based management capabilities.

The research topic will also focus on the following fields and questions:

1. What does the IT environment look like within organizations? Do size and complexity play a part in determining priorities?

2. How critical is the need to deploy database security measures to protect sensitive or confidential information?

3. How important is database security relative to other information security measures or practices?

4. What are the priorities that drive database security initiatives within business and governmental entities?

This results in the following findings:

1. Trusted insiders remain a significant, and largely unmonitored, risk.

2. A majority of organizations do not have the technology or processes required to effectively manage the insider threat.

3. Due to perceived business value, many large organizations assign lower priority to the protection of customer and employee data than to intellectual property.

4. The vast majority of data exposed in the past two years has been confidential customer and employee information.

5. Over ninety-five percent of respondents would value solutions that enabled them to understand and prioritize database security needs within their organization.

V. Recommendations
