...CSS330-1502A-01 Database Security Individual Project Key Assignment Chris Pangburn 27 April, 2015 Table of Contents Week 1: Database Security Architecture 4 Differentiate between a Database Management System and a database 4 Network Infrastructure for the best security posture 4 Additional Security mechanisms to protect the Database Server 6 Week 2: User Account Security 7 Creating Schemas 7 Creating Users, Creating Roles, Assigning Privileges based on Access Control Lists 7 Creating Views 10 Week 3: Database Vulnerabilities 11 Description of tools used to perform scans 11 Scan Information 11 False Positive Information 12 Discuss SQL injection attack 12 Week 4: Auditing Techniques 14 Security hardened network design 14 Research of auditing features 14 Description of a trigger 14 Implementation of auditing 14 Week 5: Auditing Policies 15 Write SQL 15 Report based on access 15 Report based on system privileged 15 Audit report showing connection details 15 Report showing object access 15 References 16 Week 1: Database Security Architecture Differentiate between a Database Management System and a database Databases at their essence are nothing more than a collection of organized information (Mullins, 2013). A database can contain stored procedures, tables, fields, indexes, functions, views, security, and many other objects. Relationships between the data can be created which brings more meaning to how the data can be...
Words: 1807 - Pages: 8
...* Security in Database System * GROUP 5: * Chandra Muthineni Marat Talantov Bharath Rao Sinan Albayrak * Agenda * Introduction * Threats Of DataBase Security * Classification of Database Security * Process of Creating Database Architecture * Advantages * Conclusion * Q & A * References * Introduction * Database security is a crucial area that a firm should enhance in order to run its day to day activities smoothly. * It is a deliberate effort to protect an organization data against threats such as accidental or intentional loss destruction or misuse. * Threats Of DataBase Security * Loss of availability * Elevated Privileges * Weak Audit Trial * Data corruption, Network flooding and Resource overload * Weak System and Procedures for performing authentication * Intrusion * CLASSIFICATION OF DATABASE SECURITY * Physically security * Logical security * PROCESS OF CREATING DATABASE ARCHITECTURE * Assessment and analysis. * Design and model the system * Deployment * Management and support * ADVANTAGES * Sharing * Privacy * Consistency * Decision Making * Productivity * CONCLUSION * The paper has generally discussed the database security concerns and research into various issues surrounding the sector. * Database security research paper has attempted to explore the issues of threats that may be poised to database...
Words: 281 - Pages: 2
...CS674 Database Security – Spring 2, 2011 MET Boston University Enhanced Database Security (Research Paper) Submitted by Shahid Sami April 24, 2011 Table of Contents PAPER OVERVIEW 3 DETAILED DESCRIPTION 3 IMPLEMENTATION 3 1. Removing Default Passwords 3 2. Configuring Oracle Binary Permissions 6 3. Use of UMASK 7 4. Limiting SYSDBA login 9 5. Protecting the Listner 10 6. Limiting the privileges 12 PITFALLS AND RECOMMENDATIONS 13 RESOURCES 14 PAPER OVERVIEW I will be researching on the following topics. • Removing Default Passwords • Configuring Oracle Binary Permissions • Use of UMASK • Limiting SYSDBA login • Protecting the Listener • Limiting the privileges DETAILED DESCRIPTION Based on the Oracle 11g database, I will research on the above topics in detail. I will look into the shortcomings of the earlier versions of Oracle, the risks involved in those. I will also look into different types of authentications. How the binaries of the database can be protected. How to protect and secure the listener? IMPLEMENTATION 1. Removing Default Passwords When Oracle software is installed and a new database is created, the database create some common users. These users will have default passwords which are well know to many oracle users and hackers may try using them. So as a first...
Words: 2160 - Pages: 9
...Database Security Dr. Ali El-Bastawissy Textbooks Elmasri/Navathe (3rd ed.) Chapter 22 Elmasri/Navathe (2nd ed.) Chapter 20 Connolly, Begg (3rd ed.) Chapter 18 and Chapter 6 (sec. 6.6) Security & Integrity Security is to ensure that: Users are allowed to do the things they are trying to do. Integrity is to ensure that: Things that users are trying to do are correct Security & Integrity Similarities Security To protect data against intruders (unauthorized users) Described using DCL Maintained in systems Catalog Integrity To ensure data accuracy or validity Described using constraints in DDL Maintained in systems Catalog DBMS must know Who is authorized to do What Example: Emp(e#, ename, addr, d#, Salary, Assessment) Types of security controls: Operations Subset of Rows Subset of columns Time interval Terminal Location Statistical Functions Etc. Identification & Authentication Identification users have to identify themselves by: Identity Number/Name Machine Readable Identity Card/Badge .. Authentication users have to authenticate their identifications; Password ٍSecret Number Signature Voice Print Finger Print Answers Recognition … Data Classification Approach Each data object is assigned a Classification Level: Top Secret Secret Confidential Unclassified Each user is assigned a Clearance level Control Rules: User I can see object j if: Clearance level (i) >= Classification level (j) User I can modify object j if: Clearance level (i)...
Words: 367 - Pages: 2
...CSS330-1404B-01: Database Security Phase 5 IP: Auditing Policies Database Security Project Plan Reginald “Reggie” Lee Colorado Technical University Online Professor Anita Arceneaux December 22, 2014 Figure 1: (Microsoft.com, 2014) Table of Contents Database Security Architecture 3 Differences between a database and a DBMS 3 Types of database designs 4 Network Infrastructure for Database Security 5 Common Security Threats for Database Servers: 6 Additional Security Mechanisms for Protecting Database Server 9 User Account Security 11 1. New Schema for HR Database 11 2. Corporate Directory & Manager Information Views: 12 3. Created Users: 14 4. Created Roles: 15 5. Implemented the Following Access Control List using SQL: 15 6. Implementation and Utilization of Roles: 16 7. HR Database SQL 16 Database Vulnerabilities 29 Auditing Techniques 47 Example database Trigger 50 Creating and Implementing a Database Audit 50 Access Reports 61 Logon Activity History 63 Complete Audit Trail 65 DML History 67 Auditing Policies 69 SQL Server 2014 Audit Report Generation 78 Database Security Architecture Differences between a database and a DBMS When discussing the database management systems (DBMS) and databases, the lines can become blurred between the two. Many people consider a DBMS and a database to be one in the same. However, nothing could be further from the truth as they are two separate distinct entities that server...
Words: 8566 - Pages: 35
...London Metropolitan University Faculty of Computing Course Code CCP121N: Security Management Coursework Proposal: Role Based Security System SURNAME: IDUMWONYI FIRST NAME: DEAN STUDENT ID NUMBER: 11039099 Title: Role Based Security System (RBS) for Commercial Database Introduction: In the recent years Role Based Security System has been receiving considerable attention as a promising alternative to traditional discretionary and mandatory access control for the database. Mainly the business organisations are investing in software applications to automate business processes to support employees depending in their roles which means these programs required to able to reflect the roles to play in the organisation (Edward. J.C et al, 1996). In the commercial sectors this RBS is associated with roles, and users which these permissions are made number of appropriate roles, hence requiring the role’s permissions. In this project the user access privileges will allows certain user types of groups to access the particular component of the Commercial Database, therefore the system will greatly simplify the organisation’s system management permissions. For an example if you are an senior manager and a senior architect for a company and now if you have given a role which a technical support engineer, then first of all this new role has to be defined and authorised also have be given. Then the senior architect role will provide you the...
Words: 832 - Pages: 4
...Maximum Security in Database Management Maximum Security in Database Management Rackspace Introduction In the current world there people and organization experience un-eventualities and risk of their confidential information. My organization, Rackspace, is a hosting and cloud system organization. For this company it is vital that information is stored in data bases that are run by organizations, locally hosted on personal computers. Intruders can access this information if it is not properly secured. Therefore the purpose of this study is to inform about the current savvy technologies that can be applied to completely thwart intruders from accessing such delicate information within Rackspace. Part 1: Project Identification and Business Environment For this project to go on in a smooth and effective manner different individuals must carry on certain specified task. For Rackspace, this means that every person must hold on to a responsibility to properly and pursue it to the end. Some of the responsibilities are interdepended and other are depended. In case of an interdependent responsibility there will be a proper communicated channel of events that will ensure that information is traversed from one source to another to smoothen up events. Therefore, the following a list of responsible individuals who will implement the process of securing the database of an organization. Company Chief Executive Officer Responsible for overseeing the success of...
Words: 3927 - Pages: 16
...iTrust Database Software Security Assessment Security Champions Corporation (fictitious) Assessment for client Urgent Care Clinic (fictitious) Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root University of Maryland University College Author Note Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root, Department of Information and Technology Systems, University of Maryland University College. This research was not supported by any grants. Correspondence concerning this research paper should be sent to Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root, Department of Information and Technology Systems, University of Maryland University College, 3501 University Blvd. East, Adelphi, MD 20783. E-mail: acnwgirl@yahoo.com, rogalskibf@gmail.com, kzhang23@gmail.com, sscaramuzzino86@hotmail.com and Chad.Root@gmail.com Abstract The healthcare industry, taking in over $1.7 trillion dollars a year, has begun bringing itself into the technological era. Healthcare and the healthcare industry make up one of the most critical infrastructures in the world today and one of the most grandiose factors is the storage of information and data. Having to be the forerunner of technological advances, there are many changes taking place to streamline the copious amounts of information and data into something more manageable. One major change in the healthcare industry has been the implementation...
Words: 7637 - Pages: 31
...Database Security Solutions Defined There are six different categories of solutions in the matrix above that align with your organization’s compliance and security objectives. • Discovery and Assessment locate where database vulnerabilities and critical data reside. • User Rights Management identifies excessive rights over sensitive data. • Monitoring and Blocking protect databases from attacks, unauthorized access, and theft of data. • Auditing helps demonstrate compliance with industry regulations. • Data Protection ensures data integrity and confidentiality. • Non-Technical Security instills and reinforces a culture of security awareness and preparedness. Discovery and Assessment Scan for Vulnerabilities: Understanding vulnerabilities that expose databases to input injection is essential....
Words: 458 - Pages: 2
...Database Security Challenges with Regards to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Paul T. MacDonald University of Maryland University College DBST670 Fall 2013 Professor Jon McKeeby Abstract With the expansion of healthcare administration now further into more levels of federal and state governments, the amount of sensitive patient data has increased incrementally This data is moved from within and without of all stages of the healthcare process. From an office visit to the doctor, to the medications filled at the local pharmacy, to the bills handled by multiple insurance agencies, delicate patient information is being viewed, handled and passed along. The list of individuals who access the confidential information can include office staff, laboratory personnel, nurses, doctors, insurance agents, case managers and many more. The Health/Insurance Portability and Accountability Act of 1996 (HIPAA) was created to safeguard patients’ medical data security and privacy. HIPAA incorporates requirements that allow for a comprehensive review that will show anyone who has looked at confidential medical patient information. HIPAA is structured to provide a complete security access and auditing for Oracle database information. This framework designates data access points such as User Access Control, System Administration, Object Access and Data Changes that should be monitored and controlled. An accurate HIPAA compliant security execution assures...
Words: 4360 - Pages: 18
...Security Database integrity Database integrity is a central underlying issue in the implementation of database technology. Trust in the Correctness of the data that is held by the database system is a prerequisite for using the data in business, research and decision making applications. Data base Integrity refers to the trustworthiness of system resources over their entire life cycle. [In a database system, a method to ensure data integrity is fundamental to providing database reliability and security. In particular, as data is communicated or distributed over networks, a method to validate information as authentic is required. The value of a database is dependent upon a user’s ability to trust the completeness and soundness of the information contained in the data] Three basic types of database integrity constraints are: • Entity integrity • Domain • Referential integrity Integrity means that the data will be safe and will not be subject to changes wither they were initial or accidental. There are many, many causes that change data over time such as human error, system malfunction ect. Integrity keeps the data intact and in its original form. Disk Storage Systems “Disks can fail when a single bit or few bits will flip. This problem can often be detected and corrected at the hardware level by using error correcting codes in the embedded system of the drive”. It can also happen at the software level. RAID Disk Technology The one way to prevent data...
Words: 1160 - Pages: 5
...Web Server Security and Database Server Security Databases involve distributed updates and queries, while supporting confidentiality, integrity, availability, and privacy (Goodrich, & Tamassia, 2011). This entails robust access control as well as tools for detection and recovering from errors (2011). When database information is masked, there is still a possibility of an attacker garnishing sensitive data from additional database information that is available, this can be achieved and called an inference attack (2011). For databases, strategies have been designed to mitigate against inference attacks. Cell suppression is a technique used to combat an inference attack, by removing various cells in a database, and are left blank for published versions (2011). The objective is to suppress the critical cells that have relatively important information in them from being obtained in an attack (2011). Another strategy is called Generalization, and this involves replacing published versions of database information with general values (2011). Such as stating a specific date of birth with a range of years, thus a person born in 1990 could be generalized as a range 1985-1992. The critical values are intertwined with the actual values, so they are less discernable in an inference attack (2011). A Noise Addition technique can also be utilized. This requires adding randomized values to real values in a published database (2011). This provides “noise” for all the records of the...
Words: 2494 - Pages: 10
...Database Encryption Solution Introduction Critical data in a database needs to be protected against internal and external threats. A database encryption solution can be used to achieve this protection in addition to providing the regulatory requirements. In the past, access control was used as a means of protecting information against access by unauthorized users. Access control did not prove very effective and this has led to the adoption of encryption where information is transformed into some form that cannot be understood by unauthorized users. Decryption is the process by which the transformed text is retransformed into a form that can be understood. This paper will seek to analyze a database encryption solution that will protect critical data against internal and external threats and at the same time meet regulatory requirements. 2. Choosing the Point of Encryption Encryption can be done at different places within an enterprise. Encryption is used to minimize the number of people who access the encryption keys. Before encryption, implementation decisions needs to be made (Mattsson, (2005, p.2). The most important thing is choosing the point of implementation. This helps in determining the work that needs to be done so that integration is effective and also determining the security model. Data needs to be protected both when at rest and during movement between applications and the database. 2. 1. Database-Layer Encryption In this case, an enterprise...
Words: 1274 - Pages: 6
...Databases are powerful tools that can provide businesses with an edge over the competition. Databases can help keep track of, inventory, billing, payroll, phone numbers, and much more. Databases are essential for almost every company in today's business world. The company that I used to work for custom built their database in-house to suit their business needs. The company uses Oracle, SQL, and Microsoft Access. The company asked me to develop a helpdesk database using SQL and Microsoft Access. The server-based database that the company uses is the Structured Query Language (SQL) Server to run security. One of the draw backs of the server is that it has many security problems that constantly need to be patched. These patches are important to keep integrity of the data and security and should be scheduled to be applied on regular bases. Microsoft Access is a relational database management system which, allows users to create, edit, and maintain sophisticated databases. When developing the helpdesk database I found the wizard to be easy to use and helpful when creating the tables, data entry screens, display screens, and generating reports. The visual capabilities are user friendly and the user does not need to have programming experience. The wizard is an excellent internal tool to help the user with creating data entry forms and display screens. Microsoft Access also has its security problems. Microsoft Access is restricted to how much data can be stored before needing to...
Words: 706 - Pages: 3
...7: Key requirements for writing SQL server audits to Windows Security Log x American Military University ISSC 431 Professor Christopher Weppler 20 April 2016 Security audits are is a report that identifies and brings about weaknesses of an organization. Security audits allow companied to focus on items that they have to improve on. There are multiple types of security audits: informal audits, formal audits, internal audits, external audits and automated audits (Basta, 2011). Therefore the goal of an audit is to provide accurate view of the organizations internal security controls in order to improve the organization’s security plan. When an audit is first being conducted it needs to be first planned out and everyone needs to prepare for it. In the planning phase, the audit scope is determined. The systems, departments and items that are being audited are determined (Basta, 2011). Some examples of items that get audited are the web server management, e-mail server management, file server administration, web applications, server security, databases and many other components. Some vendors contain their own unique automatic tools in order to help the auditing go a little smoother, such as logging user and database activity. In Microsoft SQL server allows the function to track the logging activities throughout all levels of the database. In order to create audits in Microsoft SQL server the...
Words: 356 - Pages: 2
