Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understand Database Security Concepts

Published byEleanore Morrison Modified over 9 years ago

Similar presentations

Presentation on theme: "Understand Database Security Concepts"— Presentation transcript:

1 Understand Database Security Concepts
LESSON 5.1 Database Administration Fundamentals Understand Database Security Concepts

2 Lesson Overview Security plans
Security is a major concern for database administrators. There are hackers and external attacks, but security must include problems with local access. Without security measures in place, valuable data can be damaged or stolen. In this lesson, you will learn about: Security plans Physical security Access control Common attacks User accounts Roles

3 Security Plans A security plan must identify which users can perform which action(s) to which data in the database. The plan involves external and internal methods. Physical security A secure location with documentation of who has access Backups and operational continuity Run backups regularly and periodically store offsite. Test the restore capability periodically.

4 Security Plans (continued)
Internal security Access control ensures and restricts who can connect and what they can do to the database. Users should be limited to only the data they need. All users should have strong passwords. Use the administrator or root account only when absolutely necessary. Disable or delete old or unused accounts that belong to people who no longer need access.

5 Types of Attacks Brute—the forced cracking of weak or default user names/passwords  Privilege escalation—a user is granted more access and privileges than needed. Exploiting unused and unnecessary database services and functionality Targeting unpatched database vulnerabilities (software security holes) Stolen backup (unencrypted) tapes Inference SQL injection 

6 Inference Attack  A data mining technique in which, by analyzing data, the user illegitimately gains knowledge about a subject or database. Inference occurs when users are able to piece together information at a low security level that should be available only to a higher security level. Protocols, such as cryptography, can prevent users from inferring data. Careful database design and user access control are also used.

7 SQL Injection Allows a user to execute arbitrary Structured Query Language (SQL) code to access the database. Occurs when user input is not filtered for escape characters or executes unexpectedly. For example, at the login screen for user name and password, a hacker provides a SQL statement or database command (instead of the login name) that goes directly to the database. To protect against SQL injection attacks: Check parameters. When asking for a customer number, check that input is the proper data type, length, etc., before executing the query. Limit the permissions of the account that executes SQL queries. Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.

8 User Accounts Database administrators protect their data from unauthorized outsiders and insiders attempting to exceed their authority by locking access to the database with required user names and passwords. This feature is built into SQL. Server-based databases all have user accounts similar to computer operating systems (such as Windows Vista or Windows 7). Create individual database user accounts for each person who will be accessing your database. Use strong passwords with eight or more characters and combine letters, numbers, and symbols. With a small number of users, creating user accounts and assigning permissions directly to them will be sufficient for your needs in most cases.

9 User Accounts (continued)
The SQL GRANT statement grants appropriate database permissions to users and roles. Example: GRANT permissions  ON table TO user/role WITH GRANT OPTION GRANT—table permissions (SELECT, INSERT, UPDATE, DELETE)or database permissions (CREATE TABLE, ALTER DATABASE,GRANT) More than one can be granted in a single GRANT statement. Table-level and database-level permissions cannot be used in a single statement.  ON—is the affected table for table-level permissions. TO—is the user or role that is being granted permissions.  WITH GRANT OPTION—the user (not roles) is permitted to grant the same permissions to other users.

10 Database Roles With a large number of users, the task of maintaining accounts and proper permissions can be overwhelming. A group user account or single account can be assigned to a role or roles. Permissions are then assigned to the role rather than the individual user. We could create a SuperUser role and then add the user accounts of our teachers to this role We can then assign a specific permission to all present (and future) users by simply assigning the permission to the role, such as the right to use a special color printer. CREATE ROLE SuperUser AUTHORIZATION Administrator

11 Using Roles in a GRANT Statement
First, create user accounts for each operator and then add them all to a new role called DataEntry. A group of teachers will be adding grades to the student records. They need to be able to access the Class Info table to modify or add new records to the table. They are not able to delete a record from the database. Using the role (DataEntry) for this group of teachers lets the teacher accomplish the tasks of adding grades. GRANT SELECT, INSERT, UPDATE ON Class Info TO DataEntry

12 Lesson Review What is a security plan?
What types of security must be considered? What types of attacks can occur? What are inference attacks? What is SQL injection? Distinguish between user accounts and database roles. 1. What is a security plan? A security plan must identify which users can do what action to which data in the database. It involves external and internal methods. What are inference and SQL injection? They are two common database security risks. SQL injection allows a malicious individual to execute arbitrary SQL code on your server. Inference attacks occur when users are able to piece together information at a low security level that should be only be available to higher security level. How are user accounts and roles different? User accounts should be used by one user to access the database. Roles grant rights and permissions to groups of users.

Download ppt "Understand Database Security Concepts"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
1 Chapter 13 Securing an Access Application. 13 Chapter Objectives Learn about the elements of security Explore application-level security Use user-level.

1 Chapter 13 Securing an Access Application. 13 Chapter Objectives Learn about the elements of security Explore application-level security Use user-level.
Module 12: Auditing SQL Server Environments

Module 12: Auditing SQL Server Environments
With Microsoft Access 2010© 2011 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access.

With Microsoft Access 2010© 2011 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access.
Data and Applications Security Dr. Bhavani Thuraisingham The University of Texas at Dallas Attacks to Databases October 2014.

Data and Applications Security Dr. Bhavani Thuraisingham The University of Texas at Dallas Attacks to Databases October 2014.
Your Interactive Guide to the Digital World Discovering Computers 2012 Chapter 10 Managing a Database.

Your Interactive Guide to the Digital World Discovering Computers 2012 Chapter 10 Managing a Database.
Living in a Digital World Discovering Computers 2010.

Living in a Digital World Discovering Computers 2010.
Discovering Computers Fundamentals, 2011 Edition Living in a Digital World.

Discovering Computers Fundamentals, 2011 Edition Living in a Digital World.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Presented By: Matthew Garrison. Basics of Role Based Access Control  Roles are determined based on job functions within a given organization  Users.

Presented By: Matthew Garrison. Basics of Role Based Access Control  Roles are determined based on job functions within a given organization  Users.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
MS Access Advanced Instructor: Vicki Weidler Assistant:

MS Access Advanced Instructor: Vicki Weidler Assistant:
Yvan Cartwright, Web Security Introduction Correct encryption use Guide to passwords Dictionary hacking Brute-force hacking.

Yvan Cartwright, Web Security Introduction Correct encryption use Guide to passwords Dictionary hacking Brute-force hacking.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.

ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.
Chapter 6: Integrity and Security Thomas Nikl 19 October, 2004 CS157B.

Chapter 6: Integrity and Security Thomas Nikl 19 October, 2004 CS157B.
Your Interactive Guide to the Digital World Discovering Computers 2012.

Your Interactive Guide to the Digital World Discovering Computers 2012.
Discovering Computers Fundamentals, 2012 Edition Your Interactive Guide to the Digital World.

Discovering Computers Fundamentals, 2012 Edition Your Interactive Guide to the Digital World.

Similar presentations

Ads by Google