SEC835 Practical aspects of security implementation Part 1.

Slides:

Advertisements

Similar presentations

Public Key Infrastructure and Applications

Advertisements

Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

II.I Selected Database Issues: 1 - SecuritySlide 1/20 II. Selected Database Issues Part 1: Security Lecture 2 Lecturer: Chris Clack 3C13/D6.

Understand Database Security Concepts

Database Security CS461/ECE422 Spring Overview Database model – Relational Databases Access Control Inference and Statistical Databases Database.

Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.

Security and Integrity

Database Management System

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Systems Analysis and Design in a Changing World, 6th Edition

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Chapter 5 Database Application Security Models

Database Features Lecture 2. Desirable features in an information system Integrity Referential integrity Data independence Controlled redundancy Security.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

SMUCSE 5349/49 Security. SMUCSE 5349/7349 Threats Threats to the security of itself –Loss of confidentiality s are sent in clear over.

Database Application Security Models

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Chapter 6 Physical Database Design. Introduction The purpose of physical database design is to translate the logical description of data into the technical.

CST221: Database Systems Dr. Zhen Jiang Computer Science Department West Chester University West Chester, PA

1 Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

Switch off your Mobiles Phones or Change Profile to Silent Mode.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

TM 7-1 Copyright © 1999 Addison Wesley Longman, Inc. Physical Database Design.

Database Application Security Models Database Application Security Models 1.

Chapter 12 Information Systems. 2 Managing Information Information system Software that helps the user organize and analyze data Electronic spreadsheets.

Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.

Computer Security: Principles and Practice

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 5 – Database Security.

Copyright © 2013 Curt Hill Database Security An Overview with some SQL.

Metadata, Security, and the DBA Chapter 8.1 V3.0 Napier University Dr Gordon Russell.

Database Design and Management CPTG /23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,

Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 12 Databases, Controls, and Security.

Database Security and Data Protection Suseel Pachalla, CISSP.

APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

CSCI 3140 Module 6 – Database Security Theodore Chiasson Dalhousie University.

IMS 4212: Database Security 1 Dr. Lawrence West, Management Dept., University of Central Florida Data & Database Administration Security.

Database Security Lesson Introduction ●Understand the importance of securing data stored in databases ●Learn how the structured nature of data in databases.

Security fundamentals Topic 9 Securing internet messaging.

Academic Year 2014 Spring Academic Year 2014 Spring.

INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.

Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall Chapter 9 Designing Databases 9.1.

Chapter 9 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

2/19/2016clicktechsolution.com Security. 2/19/2016clicktechsolution.com Threats Threats to the security of itself –Loss of confidentiality.

Security  is one of the most widely used and regarded network services  currently message contents are not secure may be inspected either.

Network Security Celia Li Computer Science and Engineering York University.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.

Database Security. Introduction to Database Security Issues (1) Threats to databases Loss of integrity Loss of availability Loss of confidentiality To.

Database Security Database System Implementation CSE 507 Some slides adapted from Navathe et. Al.

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke1 Database architecture and security Workshop 4.

ORACLE's Approach ORALCE uses a proprietary mechanism for security. They user OLS.... ORACLE Labeling Security. They do data confidentiality They do adjudication.

Database and Cloud Security

Database System Implementation CSE 507

Security Using Armstrong Numbers and Authentication using Colors

Hash Functions Which of these problems is easier to solve:

Database Security and Authorization

Modern Systems Analysis and Design Third Edition

Instructor Materials Chapter 5: Ensuring Integrity

Presentation transcript:

SEC835 Practical aspects of security implementation Part 1

Apply security services Databases security security

STRIDE Spoofing Any person or technology (Actor) component can be spoofed Tampering Data, or source code, or configuration parameters can be tampered Repudiation A user’s actions can be repudiated Information disclosure Data, or any other information including system architectural design, are vulnerable to information disclosure Denial of Service Any technology resource is vulnerable to DoS Elevation of Privileges Any user or technology related level of privileges is vulnerable to elevation of privileges

Databases Spoofing: DBA ODBC driver Tampering Data Configuration parameters Information disclosure Data DB structure ODBC credentials Denial of service RDB as the technology resource Elevation of privileges DBA RPC

DB security Strong access control Database Tables Columns In most cases RBAC has been implemented SQL language allow runtime granting of access privileges to users or roles

DB security The GRANT command: GRANT {privileges/role} [ON table] TO {user/role/public} [IDENTIFIED BY password] [WITH GRANT OPTION] The command allows granting of privileges and/or roles to another user or to another role thus providing a lot of flexibility in runtime privileges management

DB security What to GRANT? Select – grantee is allowed to read entire DB, table, or columns Insert – grantee may insert rows in a table, or insert rows with values for specific columns in a table Update – similar to insert Delete – delete rows from a table References – grantee is allowed to define foreign keys in another table that refer to the specified columns

DB security REVOKE {privileges/ role} [ON table] FROM {user/role/public}

DB security Cascading authorization Allow a user granting access to another user, and so on Revoke assumes cascading revoking of access Be aware about security issues: May be exploited to elevate privileges Complicated grant schema may confuse revoking, leaving a user with the access granted

DB security Tampering and Information Disclosure Discrete storing Store sensitive data only when it is really necessary Encryption Symmetric encryption for confidentiality Hash for integrity Strong encryption Secure key management

DB encryption Encryption may apply to The whole table The attribute (column) The field (just a single cell) Encryption makes a negative impact on the DB searching when encrypted values must be used as searching criteria To help, the table partitioning may apply, where each partition has the unique index used to identify the range of records

DB encryption Table partitioning example Employee salary is a searching criteria but must be encrypted The table partitioning is supported by the index that is mapped to the range of rows, e.g.: 1 – values from 35K to 75K 2 – values from 76 K to 95 K 3 – values from 96 and up The table rows contain encrypted values and indices that replace real values

DB encryption (cont.) To decrypt the table that was encrypted and partitioned the map of indices and the ranges is required in addition to encryption keys This map must be stored on the client, not on the server Decryption and converting data into its original value also has been performed on the client Make sure that encryption key on client side is safe

DBMS technology components Must be protected from DoS attack Strong access control for all type of interfaces: Users Admins API Bulk data loading Strong data input validation Protect against SQL injection attacks

DB backups DB must be regularly backups Media – tapes, or mirror servers, or both Backups must be stored at different (remote) location

DB backups Mode of backups: Full backup Incremental – backup files changed after last backup Differential – backup any file that are changed since the last full backup

Records retention Policy exists to specify the period of keepng data available Secure destruction Shredding Magnetic destruction

DB Security Inference problem A possibility to derive additional information from small pieces or fraction of data Fractions or pieces can be not confidential but derived data is Often may be completed by combining queries Protection: Splitting tables and assigning fine-grained access control Separation of duties Perturbation of data

DB security Privacy issue For some databases, in particular for healthcare and financial data, personal identifiers must not be present in the records Achieved by applying data sanitization service That is about applying the algorithms of “masking” data in store, or in a user’s view That is in addition to cryptography

Secure Major threats Unauthorized access (confidentiality, integrity) Viruses sent with attachments Spam Spoofing addresses

Protection Encryption PGP – encryption technology used to protect confidentiality, integrity and authenticate a sender. This is a hybrid technology. The following is in use: Public/private key (RSA) Secret key for symmetric encryption (AES, 3DES) Digital signature (MD5, SHA-1)

Protection ANTI-virus protection Install and keep up-to-date Spam Anti-spam software