Database Security “Protection of database data against accidental or intentional loss, destruction, or misuse.” —Modern Database Management “Your goal as a database developer is to adequately protect your database and the information it contains, without imposing unnecessary restrictions on the people who use it. The type of security required to protect a database depends on how many people are using it and where it is stored.” —Steve Lambert
From a Job Posting Because of the increasing levels of hacking and the sensitive nature of data stored, security and disaster recovery have become increasingly important aspects of the work.
Threats 1.Accidental Loss –Human Error, Hardware/Software Failure 2.Theft & Fraud 3.Loss of Privacy/Confidentiality 4.Loss of Data Integrity 5.Loss of System Availability –For critical systems, lose sales, customers
Physical “Act of God” Earthquake Fire Flood Disk Failure “Act of (Hu-)Man” Hacker Cracker DoS –Denial of Service Programmer Error
Levels Hardware Operating System Database Management System Software Applications Program Network People Procedures –Twin for Signatures, Overrides, etc. –Only Supervisor Adds Vendors
Physical Protection Video Surveillance (Eye in the Sky) Token Devices: Key, card, etc. you must have to gain access Biometrics: Fingerprint, Retina Policy: >= 2 people in the room Policy re removal of Hardware/Software
Privacy “Get over it. You have no Privacy.” — Scott McNealy of Sun Microsystems Customer/Employee Confidential Data Fiduciary Responsibility –Legal –“Due Diligence” Ethical Business Impact –Embarrassment –Loss of Trust
Privilege Grant Revoke System Object View Security Classes/Groups
Logs & Audit Trails Camera doesn’t prevent crime, It witnesses Log Records Changes Every Credit Card Number Access Audit Trail any Sensitive Actions Someone Should Review
Data Encryption You can encrypt a database, which does not prevent it from being opened and viewed in Access, but does keep people who don’t have a copy of Access from reading or making sense of the data.
If They Don’t Know You If there is no info about you, they’re crooks –Login pmcdermott, don’t know it’s Patrick Too good the be True –Nigerian $$$Millions Don’t Click: You find the website –If FBI calls, say “I’ll call you” Get number from Phone Book
Pass- Word/Code Login Credentials Different for each System Not in any Dictionary Change Frequently Arbitrary, thus not deducible Type I vs. Type II Errors Security vs. Sharing Can’t Remember
The Data that wouldn’t Die!!! “Erased” data is merely de-referenced: It’s still there! Printouts, Listings Search employees but not the mail Nuclear password: 235 shredder 1.0 Mark Napier
Backup Remote Site Not in Same Earthquake Zone Nuclear War Plan: Forgettaboutit If you have it, you won’t need it. If you need it, you won’t have it.
Honey Pot To attract Hackers Catch Mislead Distract Red Spy vs. Blue Spy “I know” “I know he knows” “I know he knows I know” “I know he knows I know he knows” “I know he knows I know he knows I know” I Didn’t Know That!
My SSN Rant “I believe recent business practices to exploit the Internet have directly enabled identity theft to proliferate. When ID theft occurs, the institution that granted the credit using what in the previous history of banking would have been unthinkable negligence should have to compensate the victim, as opposed to the current system where the victim is lucky if the institution, after considerable effort and hassle, will even correct their records.” —Patrick McDermott