UNIT-1

15CS338E – DATABASE SECURITY AND PRIVACY
Prepared by
Dr. B. Muruganantham
Assistant Professor
Department of Computer Science and
Engineering
SRMIST, Chennai
References :
1) Hassan A. Afyouni, “Database Security and Auditing”, Third Edition, Cengage

Learning, 2009
2) Charu C. Aggarwal, Philip S Yu, “Privacy Preserving Data Mining”: Models and
Algorithms, Kluwer Academic Publishers, 2008
3) Ron Ben Natan, ”Implementing Database Security and Auditing”, Elsevier Digital
Press, 2005.
Dr.B.Muruganantham /AP/CSE/SRMIST
15CS338E – DATABASE SECURITY AND PRIVACY
UNIT I : SECURITY ARCHITECTURE & OPERATING SYSTEM SECURITY FUNDAMENTALS
✔ Security Architecture:
▪ Introduction
▪ Information Systems
▪ Database Management Systems
▪ Information Security Architecture
▪ Database Security
▪ Asset Types and value
▪ Security Methods
✔ Operating System Security Fundamentals:
▪ Introduction
▪ Operating System Overview
▪ Security Environment
▪ Components
▪ Authentication Methods
✔ User Administration
✔ Password Policies
✔ Vulnerabilities
✔ E-mail Security
Security Architecture: Introduction
✔ Security is Avoiding unauthorised access ( with limited time

duration , not always)
✔ There is no 100% Security in all kind of software and hardware .
✔ Security violations and attacks are increased globally at an average rate of 20%.
✔ Statistics shows that virus alerts, email spamming, identity theft, data theft, and types
of security breaches on the rise.
✔ Database Security is the degree to which all the data is fully protected from
tampering or unauthorised acts.
✔ The great challenge is to develop a new database security policy to secure data and
prevent integrity data violations.
✔ Most of the DBMS did not have a security mechanism for authentication and
encryption until recently.
Information Systems
✔ In today’s global market , corporate companies all
over the world to gain a portion of market share.
✔ Wise decisions are not made without accurate and timely

information.
✔ At the same time integrity of information is more important.
✔ The integrity of the information depends on the integrity of its data

source and the reliable processing of the data.
✔ Data is processed and transformed by a collection of components

working together to produce and generate accurate information.
These components are known as INFORMATION SYSTEM.
Information Systems …
✔ An information can be a back bone of the day-to-day operations of a company as well as
the beacon of long-term strategies and vision.
✔ Information systems are categorized based on usage.
✔ The following figure shows the typical use of system applications at various management
levels
✔ Information System mainly classified into three categories
1) Transaction Processing System (TPS)
2) Decision Support System (DSS)
3) Expert System (ES)
Characteristics of Information System categories
Category Characteristics Typical Application

System
✔ Also Known as ONLINE TRANSACTION ▪ Order tracking
PROCESSING (OLTP)
▪ Customer service
✔ Used for operational tasks
Transaction ▪ Payroll
Processing ✔ Provides solutions for structured problems
System (TPS) ▪ Accounting
✔ Includes business transactions
▪ Student Registration
✔ Logical Components of TPS applications ( Derived
from business procedures , business rules and policies) ▪ Sales
✔ Deals with nanostructured problems and provide ▪ Risk Management
recommendations or answer to solve these problems
Decision ✔ Is capable of “What-if?” analysis
Support ✔ Contains collection of business models ▪ Fraud Detection
System (DSS) ✔ Is used for tactical management tasks ▪ Sales forecasting
▪ Case resolution
Characteristics of Information System categories …
Category Characteristics Typical Application
System
✔ Captures reasoning of human experts ✔ Virtual University
Simulation
✔ Executive Expert Systems(EESs) are a type of
expert system used by top level management for ✔ Financial Enterprise
strategic management goals
✔ Statistical Trading
✔ A branch of Artificial Intelligence within the
field of computer science studies ✔ Loan Expert
Expert System
(ES) ✔ Software consists of : ✔ Market Analysis
Knowledge Base
Inference Engine
Rules
✔ People Consists of :
Domain Experts
Knowledge Engineers
Power Users
Components of Information System
✔ Data – The information stored in the Database for future references

or processing
✔ Procedures – Manual , Guidelines, Business rules and Policies
✔ Hardware – Computer System, Fax, Scanner, Printer, Disk
✔ Software – DBMS, OS, Programming Languages, Other

Utilities or Tools
✔ Network – Communication Infrastructure
✔ People – DBA, System Admin, Programmers, Users,

Business Analyst, System Analyst
• Components of Information System …
Database Management System
Database :
✔ A collection of meaningful Integrated Information System
✔ It is both Physical and Logical
✔ Representing the logical information in a physical device
✔ Mainly used for storing and retrieving the data for processing
✔ Using CLIENT / SERVER Architecture
✔ Request and Reply protocols are used to communicate client and server
Database Management System …
DBMS
✔ Set of programs to access the database for data manipulation or processing
✔ DBMS contains information about a particular enterprise
✔ DBMS provides an environment that it both convenient and efficient to use
Purpose of DBMS
✔ Data redundancy and inconsistency
✔ Difficulty in accessing data

✔ Data isolation – multiple files and format
✔ Integrity problems
✔ Atomicity of updates
✔ Concurrent access by multiple users
✔ Security problems
Database Management System …
DBMS Architecture
Information Security Architecture
Information Security
✔ Information is one of the most valuable asset in an organization
✔ Many companies have Information Security Department
✔ Information Security consists of the procedures and measures taken to

protect each component of the information systems involved in protecting
information
✔ According to the National Security Telecommunications and Information

Systems Security Committee (NSTISSC) , the concept of CIA Triangle , in
Which “C” stands for “Confidentiality”, “I” stands for “Integrity” and “A”
stands for “Availability”
Information Security Architecture …
CIA Triangle
Confidentiality Integrity
Information is classified into Information is accurate and
different levels of protected from tampering by
confidentiality to ensure that unauthorised persons
only authorised users access Information is consistent and
the information validated
Availability
Information is available all the times only
for authorised and authenticated persons
System is protected from being shutdown
due to external or internal threats or attacks
Confidentiality Integrity Availability

▪ Privacy Laws ▪ Security Technology ▪ Threats and Attacks
▪ Confidential Classification ▪ Security Models ▪ System Vulnerabilities
▪ Policies and Procedures ▪ Cryptography Technology ▪ Authorization methodology
▪ Access Rights ▪ DBMS Technology ▪ Authentication Technology
▪ Customer Concerns ▪ Database and Data Design ▪ Network Interface
▪ Social and Cultural issues ▪ Application Technology ▪ Disaster and Recovery Strategy
Information Security Architecture
Logical
and
Physical Assets
Components of Information Security Architecture
✔ Policies and Procedures
- Documented procedures and company policies that
elaborate on how security is to be carried out
✔ Security personnel and Administrators
- People who enforce and keep security in order
✔ Detection equipment
- Devices that authenticate employees and Detect equipment that is
prohibited by the company
✔ Security Programs
- Tools that protect computer systems’ server
✔ Monitoring Equipment
- Devices that monitor physical properties , employees and other
important assets
✔ Monitoring Applications
- Utilities and applications used to monitor network traffic and Internet
activities
✔ Auditing Procedures and Tools
- Checks and Controls put in place to ensure that security measures are
working
Database Security
✔ One of the functions of DBMS is to empower DBA to implement and enforce
security at all levels of security
✔ A security access point is a place where database security must be protected
and applied
✔ The Security access points illustrated in the below figure
Database Security Access Points
✔ People – Individuals who have been granted privileges and permissions to access
networks, workstations, servers, databases, data files and data
✔ Applications – Application design and implementation , which includes

privileges and permissions granted to people
✔ Network – One of the most sensitive security access points. Protect the
network and provide network access only to applications, operating systems
and databases.
✔ Operating Systems – This access point is defined as authentication to the

system, the gateway to the data
✔ DBMS – The logical structure of the database, which includes memory ,

executables and other binaries
✔ Data files – Another access point that influences database security

enforcement is access to data files where data resides.
✔ Data – The data access point deals with data design needed to enforce data
integrity
Database security enforcement
Data Integrity violation process
✔ Security gaps are points at which security is missing and the systems is vulnerable.
✔ Vulnerabilities are kinks in the system that must be watched because they can become
threats.
✔ In the world of information security , a threat is defined as a security risk that has high
possibility of becoming a system breach.
Database Security Levels
Menaces to Databases
✔ Security vulnerability
– A weakness in any of the information system components that can be
exploited to violate the integrity , confidentiality, or accessibility of the
system
✔ Security Threat
– A security violation or attack that can happen any time because of
a security vulnerability
✔ Security risk
– A known security gap that a company intentionally leaves open
Types of Vulnerabilities
✔ Vulnerability means “ Susceptible to Attacks” ( Source :www.dictionary.com)
✔ Intruders, Attackers and Assailers exploit vulnerabilities in Database environment to
prepare and start their attacks.
✔ Hackers usually explore the weak points of a system until they gain entry
✔ Once the intrusion point is identified , Hackers unleash their array of attacks
▪ Virus
▪ Malicious Code
▪ Worms
▪ Other Unlawful violations
✔ To protect the system the administrator should understand the types of vulnerabilities
✔ The below figure shows the types of vulnerabilities
Types of Vulnerabilities …
Category Description Examples
Installation and ✔ Results from default ✔ Incorrect application
Configuration installation configuration
✔ Configuration that is known ✔ Failure to change default
publicly passwords
✔ Does not enforce any security ✔ Failure to change default
measures privileges
✔ Improper configuration or ✔ Using default installation
Installation may result in which does not enforce high
security risks security measures
User Mistakes ✔ Security vulnerabilities are ✔ Lack of Auditing controls
tied to humans too ✔ Untested recovery plan
✔ Carelessness in implementing ✔ Lack of activity monitoring
procedures ✔ Lack of protection against
✔ Failure to follow through malicious code
✔ Accidental errors ✔ Lack of applying patches as
they are released
✔ Bad authentication or
implementation
✔ Social Engineering
✔ Lack of technical information
✔ Susceptibility to scam
Types of Vulnerabilities …
Category Description Examples

Software ✔ Vulnerabilities found in commercial ✔ Software patches that are not applied
software for all types of programs ( ✔ Software contains bugs
Applications, OS, DBMS, etc.,) ✔ System Administrators do not keep
track of patches
Design and ✔ Related to improper software ✔ System design errors

Implementation analysis and design as well as ✔ Exceptions and errors are not
coding problems and deficiencies handled in development
✔ Input data is not validated
Types of threats
✔ Threat is defined as “ An indication of impending danger or harm”

✔ Vulnerabilities can escalate into threats
✔ DBA , IS Administrator should aware of vulnerabilities and threats
✔ Four types of threats contribute to security risks as shown in below figure
Types of threats , definitions and examples
Threat type Definition Examples
People People intentionally or ✔ Employees
unintentionally inflict damage, ✔ Govt. Authorities or Person who
violation or destruction to all or are in charge
any of the database components ✔ Contractors
(People, Applications, ✔ Consultants
Networks, OS, DBMS, Data ✔ Visitors
files or data) ✔ Hackers
✔ Organised Criminals
✔ Spies
✔ Terrorists
✔ Social Engineers
Malicious Software Code that in most ✔ Viruses
Code cases is intentionally written to ✔ Boot Sector Viruses
damage or violate one or more ✔ Worms
database environment ✔ Trojon Horses
components (People, ✔ Spoofing Code
Applications, Networks, OS, ✔ Denial-of-service flood
DBMS, Data files or data) ✔ Rookits
✔ Bots
✔ Bugs
✔ E-Mail Spamming
✔ Back Door
Types of threats , definitions and examples
Threat type Definition Examples

Natural Calamities caused by Nature, which can destroy ✔ Hurricanes
Disasters any or all of the Database Components (People, ✔ Tornados
Applications, Networks, OS, DBMS, Data files ✔ Eartquakes
or data) ✔ Lightning
✔ Flood
✔ Fire
Technological Often caused by some sort of malfunction in ✔ Power failure

Disasters equipment or hardware. ✔ Media failure
Technological disasters can inflict damage to ✔ Hardware failure
Networks, OS, DBMS, Data files or data ✔ Network failure
Examples of Malicious Code
✔ Virus – Code that compromises the integrity and state of the system
✔ Boot Sector Virus – Code that compromises the segment in the hard disk that
contains the program used to start the computer
✔ Worm – Code that disrupts the operation of the system
✔ Trojon Horses – Malicious code that penetrates a computer system or network by
pretending to be legitimate coded
✔ Spoofing Code – Malicious code that looks like a legitimate code
✔ Denial-of-service-flood – The act of flooding a web site or network system with
many requests with the intent of overloading the system and forcing it to deny
service legitimate requests
✔ Rootkits and Bots – Malicious or Legitimate code that performs such functions as
automatically retrieving and collecting information from computer system
✔ Bugs - Code that is faulty due to bad design, logic or both
✔ E-Mail Spamming – E-Mail that is sent to may recipients without their permission
✔ Back door – An intentional design element of software that allows developers of the
system to gain access to the application for maintenance or technical problems
Types of Threats
✔ Risks are simply the a part of doing business
✔ Managers at all the levels are constantly working to assess and mitigate risks to ensure the
continuity of the department operations.
✔ Administrators should understand the weakness and threats related to the system
✔ Categories of database security risks are shown in the below figure
Definitions and examples of Risk types
Risk Type Definition Examples

People The loss of people who are ✔ Loss of key persons ( Registration,
vital components of the Migration, Health problems)
database environments and ✔ Key person downtime due to sickness
know critical information can personal or family problems, or burnout
create risks
Hardware A risk that mainly results in ✔ Downtime due to hardware failure, mal
hardware unavailability or functions, or inflicted damages
interoperability ✔ Failure due to unreliable or poor quality
equipment
Data Data loss or data integrity is a ✔ Data loss
major concern of the database ✔ Data corruption
administration and ✔ Data Privacy loss
management
Confidence The loss of public confidence ✔ Loss of procedural and policy
in the data produced by the documentation
company causes a loss of ✔ DB performance degradation
public confidence in the ✔ Fraud
company itself ✔ Confusion and uncertainty about database
Integration of security vulnerabilities, therats
and risks in a database
Asset Types and Their Values
✔ People always tend to protect assets regardless of what they are
✔ Corporations treat their assets in the same way

✔ Assets are the infrastructure of the company operation
✔ There are four main types of assets
▪ Physical assets – Also known as tangible assets, these include buildings, cars,
hardware and so on
▪ Logical assets – Logical aspects of an information system such as business
applications, in-house programs, purchased software, OS, DBs, Data
▪ Intangible assets – Business reputation, quality, and public confidence
▪ Human assets – Human skills, knowledge and expertise
Database Security Methods
Security methods used to protect database environment components
Database
Component Security Methods
Protected
People ✔ Physical limits on access to hardware and documents
✔ Through the process of identification and authentication make certain
that the individual is who is claim s to be through the use of devices,
such as ID cards, eye scans, and passwords
✔ Training courses on the importance of security and how to guard assets
✔ Establishment of security policies and procedures
Applications ✔ Authentication of users who access applications
✔ Business rules
✔ Single sign-on ( A method for signing on once for different applications
and web sites)
Network ✔ Firewalls to block network intruders
✔ Virtual Private Network (VPN)
✔ Authentication
Database Security Methods …
Database Component
Protected Security Methods
OS ✔ Authentication
✔ Intrusion Detection
✔ Password Policies
✔ User accounts
DBMS ✔ Authentication
✔ Audit Mechanism
✔ Database resource limits
✔ Password poilicy
Data files ✔ File permission
✔ Access Monitoring
Data ✔ Data Validation
✔ Data Constraints
✔ Data Encryption
✔ Data Access
Database Security Methodology
The below figure presents database security methodology side by side
with the software development life cycle (SDLC) methodology
Database Security Methodology…
The following list presents the definition of each phase of the
database security methodology
Identification – Entails the identification and investigation of resources

required and policies to be adopted
Assessment – This phase includes analysis of vulnerabilities, threats and risks
for both aspects of DB security
Physical – Data files
Logical – Memory and Code
Design – This phase results in a blueprint of the adopted security model that is
used to enforce the security
Implementation – Code is developed or tools are purchased to implement the
blueprint outlined in the previous phase
Evaluation – Evaluate the security implementation by testing the system
against attacks, hardware failure, natural disasters and human errors
Auditing – After the system goes into production , security audits should be
performed periodically to ensure the security state of the system
Database Security Definition Revisited
At the start of the chapter database security was defined as

“the degree to which all the data is fully protected from tampering and unauthorised
acts”.
After discussing a lot of database security , various information systems and

information security the definition of database security can be expanded as follows:
Database security is a collection of security polices and procedures, data constraints,

security methods , security tools blended together to implement all necessary
measures to secure the integrity, accessibility and confidentiality of every
component of the database environment.
Operating System Security Fundamentals
An Operating System (OS) is a collection of programs that allows the to operate

the computer hardware.
✔ OS is also known as “ RESOURCE MANAGER”
✔ OS is one of the main access point in DBMS
✔ A computer system has three layers

▪ The inner layer represents the hardware
▪ The middle layer is OS
▪ The outer layer is all different software
Operating System Security Fundamentals …
An OS is having number of key functions and capabilities as outlined
in the following list
✔ Multitasking
✔ Multisharing
✔ Managing computer resources
✔ Controls the flow of activities
✔ Provides a user interface to operate the computer
✔ Administers user actions and accounts
✔ Runs software utilities and programs
✔ Provides functionalities to enforce the security measures
✔ Schedules the jobs and tasks to be run
✔ Provides tools to configure the OS and hardware
Operating System Security Fundamentals …
There are different vendors of OS
✔ Windows by Microsoft
✔ UNIX by companies such as Sun Microsystems, HP and IBM
✔ LINUX “flavours” from various vendors such as Red Hat
✔ Macintosh by Apple
The OS Security Environment
✔ A compromised OS can compromise a

Database Environment
✔ Physically protect the computer running the
OS( Padlocks, Chain locks, Guards,
Cameras)
✔ Model :
▪ Bank Building – OS
▪ Safe – DB
▪ Money - Data
The Components of an OS Security Environment
✔ The three components (layers) of the

OS are represented in the figure
✔ Memory component is the hardware
memory available on the system
✔ Files component consists of files stored
on the disk
✔ Service component compromise such
OS features and functions as N/W
services, File Management and Web
services
Services
✔ The main component of OS security environment is services.
✔ It consists of functionality that the OS offers as part of its core utilities.

✔ Users employ these utilities to gain access to OS and all the features the
users are authorised to use.
✔ If the services are not secured and configured properly , each service
becomes a vulnerability and access point and can lead to a security threat.
Files
✔ Files are another one component of OS.
✔ It has more actions

✔ File Permission
✔ File Transfer
✔ File Sharing
Files …
File Permission
• Every OS has a method of implementing file permission to grant read, write or execute
privileges to different users.
• The following figure gives how the file permissions are assigned to a user in windows
Files …
✔ In UNIX, file permissions work differently than windows.
✔ For each file there are three permission settings
✔ Each setting consists of rwx ( r – read, w – write and x – execute)
1. First rwx is Owner of the file
2. Second rwx is Group to which owner belongs
3. Third rwx is All other users
✔ The given images gives the details of UNIX file permission.
Files …
✔ File Transfer – moving the file from one location to another location in a
disk/web/cloud
✔ FTP is an Internet service that allows transferring files from one computer to
another
✔ FTP clients and servers transmit usernames and passwords in plaintext format(
Not Encrypted). This means any hacker can sniff network traffic and be able to get
the logon information easily.
✔ Files also transferred as plaintext format

✔ A root account cannot be used to transfer file using FTP
✔ Anonymous FTP is the ability to log on to the FTP server without being
authenticated.
✔ This method is usually usedDr.B.Muruganantham
to provide access to files in the public domain.
/AP/CSE/SRMIST
Files …
✔ Here are some best practices for transferring files
✔ Never use the normal FTP Utility. Instead, use the secure FTP utility , if
possible.
✔ Make two FTP directories: one for file uploads with write permission only
and another one file is for file downloads with read permission.
✔ Use specific accounts for FTP that do not have access to any files or
directories outside the file UPLOAD and DOWNLOAD directories.
✔ Turn on logging , and scan the FTP logs for unusual activities on a regular
basis.
✔ Allow only authorized operators to have FTP privileges.
Files …
✔ Sharing files naturally leads to security risks and threats
✔ The peer-to-peer technology is on rise( very well developed now)
✔ Peer-to-Peer programs allow users to share the files over internet
✔ If you were conduct a survey of users that use Peer-to-Peer programs, majority
of the users’ machines are infected with some sort of virus, spyware, or worm.
✔ Most companies prohibit the use of such programs.
✔ The main reason for blocking these programs are
▪ Malicious Code
▪ Adware and spyware
▪ Privacy and confidentiality
▪ Pornography
▪ Copy right issues
Memory
✔ You may wonder how memory is an access points to security violations
✔ There are many badly written programs and utilities that could change the
content of memory
✔ Although these programs do not perform deliberate destructions acts.
✔ On the other hand , programs that intentionally damage or scan data in
memory are the type that not only can harm the data integrity, but may also
exploit data for illegal use.
Authentication Methods
✔ Authentication is the fundamental service of the OS

✔ It is a process to very the user identity
✔ Most security administrators implement two types of authentication
methods
✔ Physical authentication method allows physical entrance to the company
properties
✔ Most companies use magnetic cards and card readers to control the entry to a
building office, laboratory or data center.
✔ The Digital authentication method is a process of verifying the identify of the
user by means of digital mechanism or software
Digital Authentication used by many OS
✔ Digital Certificate
▪ Widely used in e-commerce
▪ Is a passport that identifies and verifies the holder of the certificate
▪ Is an electronic file issued by a trusted party ( Known as certificate authority ) and cannot be
forged or tampered with.
✔ Digital Token (Security Token)

▪ Is a small electronic device that users keep with them to be used for authentication to a
computer or network system.
▪ This device displays a unique number to the token holder, which is used as a PIN (
Personal Identification Number) as the password
✔ Digital Card
▪ Also known as security card or smart card
▪ Similar to credit card in dimensions but instead of magnetic strip
▪ It has an electronic circuit that stores the user identification information
✔ Kerberos
▪ Developed by Massachusetts Institute of Technology (MIT) , USA
▪ It is to enable two parties to exchange information over an open network by assigning a unique
key. Called ticket , to each user.
▪ The ticket is used to encrypt communicated messages
Digital Authentication used by many OS …
✔ Lightweight Directory Access Protocol (LDAP)
▪ Developed by University of Michigan, USA
▪ Uses centralized directory database storing information about people, offices
and machines in a hierarchical manner
▪ LDAP directory can be easily distributed to many network servers.
▪ You can use LADP to store information about
• Users (User name and User id)
• Passwords
• Internal telephone directory
• Security keys
▪ Use LADP for these following reasons
• LDAP can be used across all platforms ( OS independent )
• Easy to maintain
• Can be employed for multiple purposes
▪ LDAP architecture is Client / Server based
✔ NTLM (Network LAN Manager)

▪ Was developed by Microsoft
▪ Employs challenge / response authentication protocol uses an encryption and
decryption mechanism to send and receive passwords over the network.
▪ This method is no longer used or supported by new versions of Windows OS
✔ Public Key Infrastructure (PKI)
▪ Also known as Public Key Encryption
▪ It is a method in which a user keeps a private key and the authentication firm
holds a public key .
▪ The private key usually kept as digital certificate on the users system.
✔ RADIUS ( Remote Authentication Dial-In User Services )
▪ It is a method commonly used by a network device to provide centralized
authentication mechanism.
▪ It is Client / Server based, uses a dial-up server, a Virtual Private Network
(VPN) , or a Wireless Access Point communicating to a RADIUS server
✔ SSL (Secure Sockets Layers)

▪ Was developed by Netscape Communications
▪ To provide secure communication between client and server.
▪ SSL is a method in which authentication information is transmit over the
network in encrypted form.
▪ Commonly used by websites to source client communications.
✔ SRP ( Secure Remote Password )
▪ Was developed by Stanford University, USA
▪ It is a protocol in which the password is not secure locally in an encrypted
or plain text form.
▪ Very easy to install.
▪ Does not require client or server configuration .
▪ This method is invulnerable to brute force or dictionary attacks.
Authorization
✔ Authentication is the process of providing that users really are who they
claim to be.
✔ Authorization is the process that decides whether users are permitted to
perform the functions to they request.
✔ Authorization is not performed until the user is authenticated.
✔ Authorization deals with privileges and rights that have been granted to the
user.
User Administration
✔ Administrators use this functionality to create user accounts,

set password policies and grant privileges to user.
✔ Improper use of this feature can lead to security risks and

threats.
✔ Note : User Administration and Password policies will be

discussed in Next Unit (Chapter III and Chapter IV in Text
book)
Vulnerabilities of OS
✔ The top vulnerabilities to Windows ✔ The top vulnerabilities to UNIX Systems
Systems ▪ BIND Domain Name System
▪ IIS (Internet Information Server)
▪ RPC (Remote Procedure Call)
▪ MSSQL (Microsoft SQL Server)
▪ Apache Web Server
▪ Windows Authentication ▪ General UNIX authentication accounts with no
▪ IE (Internet Explorer) / weak passwords
▪ Windows Remote Access Services ▪ Clear text services
▪ MDAC (Microsoft Data Access ▪ Sendmail
Components) ▪ SNMP (Simple Network Management Protocol

▪ Secure Shell
▪ WSH ( windows Scripting Host)
▪ Misconfiguration of Enterprise Services NIS/
▪ Microsoft Outlook and Outlook Express
NFS
▪ Windows Peer-to-Peer File Sharing (P2P)
▪ Open SSL ( Secure Socket Layer)
▪ SNMP (Simple Network Management
Protocol
E-mail Security
✔ E-mail may be the tool most frequently used by hackers to exploit viruses, worms,
and other computer system invaders.
✔ E-mail is widely used by public and private organizations as a means of communication
✔ E-mail was the medium used in many of the most famous worm and virus attacks
✔ For example :
▪ Love Bug Worm

▪ I LOVE YOU worm
▪ Mydoom worm
▪ Melissa virus
✔ E-mail is not only to used to send viruses and worms, nut to send spam e-mail, private and
confidential data as well as offensive messages
✔ To prevent from these activities ,
▪ Do not configure e-mail server on a machine in which the sensitive data resides
▪ Do not disclose the e-mail server technical details

UNIT-1

Uploaded by

Copyright:

Available Formats

UNIT-1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

UNIT-1

Uploaded by

Copyright:

Available Formats

15CS338E – DATABASE SECURITY AND PRIVACY

1) Hassan A. Afyouni, “Database Security and Auditing”, Third Edition, Cengage

✔ Security is Avoiding unauthorised access ( with limited time

✔ There is no 100% Security in all kind of software and hardware .

✔ Wise decisions are not made without accurate and timely

✔ At the same time integrity of information is more important.

✔ The integrity of the information depends on the integrity of its data

✔ Data is processed and transformed by a collection of components

✔ Information System mainly classified into three categories

1) Transaction Processing System (TPS)

2) Decision Support System (DSS)

3) Expert System (ES)

Category Characteristics Typical Application

✔ Data – The information stored in the Database for future references

✔ Procedures – Manual , Guidelines, Business rules and Policies

✔ Hardware – Computer System, Fax, Scanner, Printer, Disk

✔ Software – DBMS, OS, Programming Languages, Other

✔ Network – Communication Infrastructure

✔ People – DBA, System Admin, Programmers, Users,

✔ A collection of meaningful Integrated Information System

✔ It is both Physical and Logical

✔ Representing the logical information in a physical device

✔ Using CLIENT / SERVER Architecture

✔ Set of programs to access the database for data manipulation or processing

✔ DBMS contains information about a particular enterprise

✔ DBMS provides an environment that it both convenient and efficient to use

✔ Data redundancy and inconsistency

✔ Difficulty in accessing data

✔ Concurrent access by multiple users

✔ Information is one of the most valuable asset in an organization

✔ Many companies have Information Security Department

✔ Information Security consists of the procedures and measures taken to

✔ According to the National Security Telecommunications and Information

Confidentiality Integrity Availability

Information Security Architecture

✔ Applications – Application design and implementation , which includes

✔ Operating Systems – This access point is defined as authentication to the

✔ DBMS – The logical structure of the database, which includes memory ,

✔ Data files – Another access point that influences database security

Category Description Examples

Design and ✔ Related to improper software ✔ System design errors

✔ Threat is defined as “ An indication of impending danger or harm”

Threat type Definition Examples

Technological Often caused by some sort of malfunction in ✔ Power failure

✔ Categories of database security risks are shown in the below figure

Risk Type Definition Examples

✔ Corporations treat their assets in the same way

▪ Human assets – Human skills, knowledge and expertise

Identification – Entails the identification and investigation of resources

At the start of the chapter database security was defined as

After discussing a lot of database security , various information systems and

Database security is a collection of security polices and procedures, data constraints,

An Operating System (OS) is a collection of programs that allows the to operate

✔ OS is also known as “ RESOURCE MANAGER”

✔ OS is one of the main access point in DBMS

✔ A computer system has three layers

in the following list

✔ Managing computer resources

✔ Controls the flow of activities

✔ Provides a user interface to operate the computer