Presentation is loading. Please wait.

Presentation is loading. Please wait.

SEC835 Practical aspects of security implementation Part 1.

Published byRachel Gilbert Modified over 8 years ago

Similar presentations

Presentation on theme: "SEC835 Practical aspects of security implementation Part 1."— Presentation transcript:

1 SEC835 Practical aspects of security implementation Part 1

2 Apply security services Databases security Email security

3 STRIDE Spoofing Any person or technology (Actor) component can be spoofed Tampering Data, or source code, or configuration parameters can be tampered Repudiation A user’s actions can be repudiated Information disclosure Data, or any other information including system architectural design, are vulnerable to information disclosure Denial of Service Any technology resource is vulnerable to DoS Elevation of Privileges Any user or technology related level of privileges is vulnerable to elevation of privileges

4 Databases Spoofing: DBA ODBC driver Tampering Data Configuration parameters Information disclosure Data DB structure ODBC credentials Denial of service RDB as the technology resource Elevation of privileges DBA RPC

5 DB security Strong access control Database Tables Columns In most cases RBAC has been implemented SQL language allow runtime granting of access privileges to users or roles

6 DB security The GRANT command: GRANT {privileges/role} [ON table] TO {user/role/public} [IDENTIFIED BY password] [WITH GRANT OPTION] The command allows granting of privileges and/or roles to another user or to another role thus providing a lot of flexibility in runtime privileges management

7 DB security What to GRANT? Select – grantee is allowed to read entire DB, table, or columns Insert – grantee may insert rows in a table, or insert rows with values for specific columns in a table Update – similar to insert Delete – delete rows from a table References – grantee is allowed to define foreign keys in another table that refer to the specified columns

8 DB security REVOKE {privileges/ role} [ON table] FROM {user/role/public}

9 DB security Cascading authorization Allow a user granting access to another user, and so on Revoke assumes cascading revoking of access Be aware about security issues: May be exploited to elevate privileges Complicated grant schema may confuse revoking, leaving a user with the access granted

10 DB security Tampering and Information Disclosure Discrete storing Store sensitive data only when it is really necessary Encryption Symmetric encryption for confidentiality Hash for integrity Strong encryption Secure key management

11 DB encryption Encryption may apply to The whole table The attribute (column) The field (just a single cell) Encryption makes a negative impact on the DB searching when encrypted values must be used as searching criteria To help, the table partitioning may apply, where each partition has the unique index used to identify the range of records

12 DB encryption Table partitioning example Employee salary is a searching criteria but must be encrypted The table partitioning is supported by the index that is mapped to the range of rows, e.g.: 1 – values from 35K to 75K 2 – values from 76 K to 95 K 3 – values from 96 and up The table rows contain encrypted values and indices that replace real values

13 DB encryption (cont.) To decrypt the table that was encrypted and partitioned the map of indices and the ranges is required in addition to encryption keys This map must be stored on the client, not on the server Decryption and converting data into its original value also has been performed on the client Make sure that encryption key on client side is safe

14 DBMS technology components Must be protected from DoS attack Strong access control for all type of interfaces: Users Admins API Bulk data loading Strong data input validation Protect against SQL injection attacks

15 DB backups DB must be regularly backups Media – tapes, or mirror servers, or both Backups must be stored at different (remote) location

16 DB backups Mode of backups: Full backup Incremental – backup files changed after last backup Differential – backup any file that are changed since the last full backup

17 Records retention Policy exists to specify the period of keepng data available Secure destruction Shredding Magnetic destruction

18 DB Security Inference problem A possibility to derive additional information from small pieces or fraction of data Fractions or pieces can be not confidential but derived data is Often may be completed by combining queries Protection: Splitting tables and assigning fine-grained access control Separation of duties Perturbation of data

19 DB security Privacy issue For some databases, in particular for healthcare and financial data, personal identifiers must not be present in the records Achieved by applying data sanitization service That is about applying the algorithms of “masking” data in store, or in a user’s view That is in addition to cryptography

20 Secure Email Major threats Unauthorized access (confidentiality, integrity) Viruses sent with attachments Spam Spoofing email addresses

21 Protection Encryption PGP – encryption technology used to protect confidentiality, integrity and authenticate a sender. This is a hybrid technology. The following is in use: Public/private key (RSA) Secret key for symmetric encryption (AES, 3DES) Digital signature (MD5, SHA-1)

22 Protection ANTI-virus protection Install and keep up-to-date Spam Anti-spam software

Download ppt "SEC835 Practical aspects of security implementation Part 1."

Similar presentations

Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.

Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
II.I Selected Database Issues: 1 - SecuritySlide 1/20 II. Selected Database Issues Part 1: Security Lecture 2 Lecturer: Chris Clack 3C13/D6.

II.I Selected Database Issues: 1 - SecuritySlide 1/20 II. Selected Database Issues Part 1: Security Lecture 2 Lecturer: Chris Clack 3C13/D6.
Understand Database Security Concepts

Understand Database Security Concepts
Database Security CS461/ECE422 Spring 2012. Overview Database model – Relational Databases Access Control Inference and Statistical Databases Database.

Database Security CS461/ECE422 Spring Overview Database model – Relational Databases Access Control Inference and Statistical Databases Database.
Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.

Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.
Security and Integrity

Security and Integrity
Database Management System

Database Management System
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Systems Analysis and Design in a Changing World, 6th Edition

Systems Analysis and Design in a Changing World, 6th Edition
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
Database Features Lecture 2. Desirable features in an information system Integrity Referential integrity Data independence Controlled redundancy Security.

Database Features Lecture 2. Desirable features in an information system Integrity Referential integrity Data independence Controlled redundancy Security.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
SMUCSE 5349/49 Email Security. SMUCSE 5349/7349 Threats Threats to the security of e-mail itself –Loss of confidentiality E-mails are sent in clear over.

SMUCSE 5349/49 Security. SMUCSE 5349/7349 Threats Threats to the security of itself –Loss of confidentiality s are sent in clear over.

Similar presentations

Ads by Google