SE571 Security in Computing


1 SE571 Security in Computing
Chap 6: Database and Data Mining Security

2 This Chapter Examines…
Integrity for databases: record integrity, data correctness, update integrity
Security for databases: access control, inference, and aggregation
Multilevel secure databases: partitioned, cryptographically sealed, and filtered
Security in data mining applications
SE571 Security in Computing Dr. Ogara

3 Research… Top 10 Database Security Threats (Shulman, CTO Imperva, Inc)
Excessive privilege abuse
Legitimate privilege abuse
Privilege elevation
Database platform vulnerabilities
SQL injection
Weak audit trail
Denial of service (DOS)
Database communication protocol vulnerabilities
Weak authentication
Backup data exposure

4 Research… Major Database Security Threats (Sybase Users Group, 2010)
Human error (56%)
Malicious insiders abusing privileges (24%)

5 Research… Database auditing and real time protection report (Forrester Report, 2007)
DBAs spending approx. 5% of their time on database security
80% of organizations do not have a database security plan that addresses critical threats
20% of enterprises employ advanced security measures
Environmental complexity – cloud computing, grids, SOA, etc.
60% of enterprises are behind in database security patches, making databases highly vulnerable
75% of attacks are internal, often difficult to detect

6 Research… Top Security Tips to Ensure Database Security (Application Security, Inc., 2007)
Devise a database security plan
Fix default, blank, and weak passwords
Regularly patch databases
Minimize attack surface
Review user privileges
Locate sensitive information
Encrypt sensitive data at rest or in motion
Train and enforce corporate best practices

7 Three Pillars of Database Security (Forrester Research, Inc., 2010)

8 Database and Data Mining Security
Database
  Collection of data and a set of rules that organize the data by specifying certain relationships among the data
Database administrator
  Person who defines the rules that organize the data
  Controls access to data
Database Management System (DBMS)
  Program that allows users to interact with the database

9 Database and Data Mining Security
Components of a database
  Records
  Fields
  Schema – logical structure of database
  Queries – commands used in DBMS to retrieve, modify, add or delete records in a database

10 Database and Data Mining Security
Advantages of a database
  Shared access
  Minimal redundancy
  Data consistency
  Data integrity
  Controlled access

11 Database and Data Mining Security
Security of a database (Requirements)
  Physical database integrity
  Logical database integrity
  Element integrity
  Auditability
  Access control
  User authentication
  Availability

12 Database Security Requirements
Integrity – how?
  Field checks – appropriateness of values
  Access control – who has access to what
  Change log – what changes have been made
Auditability
  Establish audit record of all access
Access control
  Establish who has access to which data
  Specify privileges to read, change, delete, or append records or fields
User authentication
  Supplement OS authentication, e.g. password and time-of-day check

13 Database Reliability and Integrity
Database integrity
  Concern – disk failure, corruption of master database index
  Solution – OS integrity controls and recovery procedures
Element integrity
  Concern – is data changed or written by authorized users only?
  Solution – access control

14 Database Reliability and Integrity
Element accuracy
  Concern – are correct values written into elements of the database?
  Solution – constraint conditions to detect incorrect values

15 Sensitive Data
Inherently sensitive
  Value reveals sensitivity, e.g. location of defensive missiles
From a sensitive source
  Source may suggest confidentiality, e.g. an informer's identity
Declared sensitive
  Database admin declares them sensitive
Part of a sensitive attribute or record
  An attribute may be sensitive, e.g. salary
In relation to previously disclosed information
  Sensitive in the presence of other data

16 Access Decisions
Database admin determines who gets access to what
Access decisions are based on three factors
  Availability of data – block access during updates
  Acceptability of access – release sensitive info to authorized users only
  Assurance of authenticity – allow access during certain times/working hours

17 Types of Disclosures
Exact data
  Most serious disclosure
  User is aware of the sensitive data
Bounds
  Disclosing that a sensitive value lies between two values, L and H
Negative result
  Disclosing that a value is not 0, e.g. # of felonies

18 Types of Disclosures
Existence
  Knowing that certain data exists
Probable value
  Possibility of determining the probability that a certain element has a certain value

19 Inference
Ways of deriving sensitive data values from the database
  Direct attack – uses queries to seek values directly, e.g. List NAME where SEX=M ^ DRUGS=1
  Indirect attack – infers the final result from one or more statistical results

20 Controlling Inference
Suppress obviously sensitive information
  May be used to limit queries accepted/data provided
Track what the user knows
  May be used to limit queries accepted/data provided
  Costly – information on all users must be obtained
Disguise the data
  Applicable to released data only
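One way to apply the "limit queries accepted" control to statistical queries is a query-set size check, shown here as an added example that is not part of the original slides. The table, column names, sample rows and the threshold K are all constructed for illustration.

```python
import sqlite3

K = 2  # assumed minimum query-set size; anything smaller is suppressed
FILTER_COLUMNS = {"sex", "drugs"}   # attributes a query may select on
STAT_COLUMNS = {"drugs", "aid"}     # attributes that may be aggregated
STATS = {"COUNT", "SUM", "AVG"}     # no per-row output, so NAME is never listed

# Constructed sample records: (name, sex, drugs, aid)
ROWS = [
    ("Ames", "M", 1, 5000), ("Boyd", "M", 0, 0), ("Cole", "F", 0, 3000),
    ("Diaz", "M", 3, 1000), ("Eads", "F", 1, 2000), ("Ford", "F", 2, 1000),
    ("Gray", "M", 3, 4000), ("Hale", "F", 2, 5000),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (name TEXT, sex TEXT, drugs INTEGER, aid INTEGER)")
    db.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", ROWS)
    return db

def guarded_stat(db, stat, column, filters):
    """Return an aggregate, or None when releasing it would expose a small group."""
    if stat not in STATS or column not in STAT_COLUMNS:
        raise ValueError("only COUNT/SUM/AVG over non-identifying columns are released")
    if not filters or not set(filters) <= FILTER_COLUMNS:
        raise ValueError("filters must use the allow-listed columns")
    # Column names come from the allow-lists above; values are bound parameters.
    where = " AND ".join(f"{col} = ?" for col in filters)
    params = tuple(filters.values())
    total = db.execute("SELECT COUNT(*) FROM students").fetchone()[0]
    size = db.execute(f"SELECT COUNT(*) FROM students WHERE {where}", params).fetchone()[0]
    # Too small: the statistic describes identifiable individuals.
    # Too large: subtracting it from the overall total describes the few left out.
    if size < K or size > total - K:
        return None
    return db.execute(f"SELECT {stat}({column}) FROM students WHERE {where}", params).fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    print(guarded_stat(db, "SUM", "aid", {"sex": "M"}))              # released
    print(guarded_stat(db, "SUM", "aid", {"sex": "M", "drugs": 1}))  # suppressed
```

A size check alone does not stop a user from combining several permitted statistics, which is why the slide also lists tracking what the user knows.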

21 Multilevel Databases: The Case for Differentiated Security
The security of a single element may be different from the security of other elements of the same record
Two levels—sensitive and non-sensitive
The security of an aggregate—a sum, a count, or a group of values in a database—may differ from the security of the individual elements

22 Multilevel Databases

23 Multilevel Databases: Granularity
How do we associate a sensitivity level with each value of a database?
Access control policy – which users have access to what data?
Guarantee – an unauthorized person does not change data

24 Multilevel Secure Databases
Must provide both integrity and confidentiality
Separation can be implemented physically, logically, or cryptographically

25 Proposal for Multilevel Security
Separation
  Partitioning – divide the database into separate databases, each with its own level of sensitivity
  Encryption – encrypt data
  Integrity lock – to limit access
  Entrust database manager with trusted procedure
  Sensitivity lock – combination of unique identifier (e.g. record number) and sensitivity level

26 Five Approaches to Confidentiality Multilevel Database Security
Integrity lock
  Actual data
  Sensitivity level – sensitivity of data
  Error detecting code – checksum
Trusted front end
  Serves as one-way filter – removes results not needed by users
Cumulative filters
  Filter reformats the query to allow the database manager to screen out unacceptable records
  Provides a second screening to select data to which the user has access
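The integrity lock's three parts (data, sensitivity level, checksum) can be sketched as follows; this is an added example, not code from the original slides. It assumes the checksum is a keyed HMAC-SHA256 computed by the trusted procedure and that the record number and field name are bound into it; the key, level names and sample element are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # assumption: secret known only to the trusted procedure
LEVELS = {"low": 0, "high": 1}  # assumption: two ordered sensitivity levels

def _check(record_id, field, value, level):
    # Length-prefix every part so adjacent parts cannot be shifted into each other.
    parts = (str(record_id), field, value, level)
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def seal(record_id, field, value, level):
    """Store the element as data + sensitivity level + checksum."""
    if level not in LEVELS:
        raise ValueError("unknown sensitivity level")
    return {"value": value, "level": level, "check": _check(record_id, field, value, level)}

def read(record_id, field, element, clearance):
    """Verify the lock first, then apply the sensitivity level to the reader."""
    expected = _check(record_id, field, element["value"], element["level"])
    if not hmac.compare_digest(expected, element["check"]):
        raise ValueError("integrity lock mismatch: element or label was altered")
    if LEVELS[clearance] < LEVELS[element["level"]]:
        return None  # reader is not cleared for this element
    return element["value"]

if __name__ == "__main__":
    element = seal(7, "salary", "91000", "high")
    print(read(7, "salary", element, "high"))  # value released
    print(read(7, "salary", element, "low"))   # None: not cleared
```

Because the record number and field name are part of the checksum, relabelling an element as "low" or copying it into another record both fail verification.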

27 Design for Secure Multilevel Security
Distributed databases
  Trusted front end controls access to all low-sensitivity data and all high-sensitivity data
  If user is cleared for high-sensitivity data, the front end submits queries to both the high- and low-sensitivity databases
  If user is not cleared for high-sensitivity data, the front end submits a query to only the low-sensitivity database
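The routing rule on this slide, as an added example that is not part of the original slides. The two in-memory SQLite databases, the table layout, the sample rows and the user table are constructed for illustration.

```python
import sqlite3

def make_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE facts (subject TEXT, detail TEXT)")
    db.executemany("INSERT INTO facts VALUES (?, ?)", rows)
    return db

# Constructed sample data: one physical database per sensitivity level.
BACKENDS = {
    "low": make_db([("site-a", "street address"), ("site-b", "street address")]),
    "high": make_db([("site-a", "guard rota")]),
}
CLEARANCES = {"alice": "high", "bob": "low"}  # constructed user table

def front_end_query(user, subject):
    """Return (rows, contacted): labelled results and the backends that saw the query."""
    clearance = CLEARANCES.get(user)
    if clearance is None:
        raise PermissionError("unknown user: no backend is contacted")
    # Low-cleared users are routed to the low database only; the high database
    # never receives their query, so it cannot leak through a result or an error.
    contacted = ["low", "high"] if clearance == "high" else ["low"]
    rows = []
    for level in contacted:
        cur = BACKENDS[level].execute(
            "SELECT detail FROM facts WHERE subject = ? ORDER BY detail", (subject,))
        rows += [(level, detail) for (detail,) in cur]
    return rows, contacted

if __name__ == "__main__":
    print(front_end_query("bob", "site-a"))
    print(front_end_query("alice", "site-a"))
```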

28 Design for Secure Multilevel Security
Window/view
  DBMS creates a picture of the data reflecting only what the user needs to see (different views)
  A window is a subset of a database, containing exactly the information that a user is entitled to access
  Subset guarantees that the user does not access values outside the permitted ones

29 Data Mining
Data mining uses statistics, machine learning, mathematical models, pattern recognition, and other techniques to discover patterns and relations in large datasets

30 Security Problems with Data Mining
Confidentiality/Privacy and Sensitivity
  Difficult to maintain
  Inference across multiple databases is a threat to confidentiality
Data Correctness and Integrity
  Data owned and controlled by one party
  Mining of different databases from different users
  Correcting mistakes in data – have data in one place
  Using comparable data
  Eliminating false matches
Availability of Data
  Missing data may lead to incorrect data mining results

