Unit - 5
Database Security
Database security is the set of measures that protects a database against malicious or accidental threats. Security concerns are not limited to the data held in an organisation's database: a breach in another part of the system can also damage the database and its structure.
Database security therefore covers hardware, software, people and data. The controls chosen differ with the mission and purpose of each system, and they must be applied effectively to meet its security needs.
Though often overlooked or ignored until recently, the need for adequate protection is now reviewed more and more carefully by organisations.
We consider the protection of databases in the following situations:
- Theft and fraud.
- Loss of confidentiality or secrecy.
- Loss of data privacy.
- Loss of data integrity.
- Loss of availability of data.
Authentication
Database authentication is the mechanism that verifies that a user who wishes to log in to a database is permitted to do so, and that grants only the privileges the user has been authorised to exercise.
The notion of authentication is familiar to almost everyone. A mobile phone authenticates its owner by asking for a PIN, for example; similarly, a computer authenticates a username by asking for the corresponding password.
In the context of databases, however, authentication acquires one more dimension, because it can occur at several levels. It may be performed by the database itself, or the configuration may be changed so that users are authenticated by the operating system or by some other external means.
For example, when creating a database on Microsoft SQL Server, the user must choose whether to use database authentication, operating system authentication, or both (so-called mixed-mode authentication). In databases where protection is paramount, near-foolproof authentication methods such as fingerprint recognition and retinal scans are also used.
Authentication factors are the different categories of evidence a system uses to verify someone's identity before granting access. Identity can be established by what a person knows, what they have and what they are; where protection matters, at least two, or all three, of these factors must be checked before anyone is granted access to the device.
Depending on the required security level, one of the following kinds of authentication is used:
- Single-factor Authentication
This is the simplest form of authentication: a single password gives the user access to a specific system, such as a website or a network. The user requests access to the system with only one credential proving their identity. For instance, a login that verifies a credential using single-factor authentication would request only a password for a username.
- Two-factor Authentication
This requires a two-step verification process: not only a username and password, but also a second piece of information that only the user knows. Combining a username and password with this additional secret makes it harder for attackers to steal valuable personal information.
- Multi-factor Authentication
This is the most sophisticated authentication approach. It combines two or more layers of protection from independent authentication categories before granting the user access to the system. To prevent data disclosure, this method uses factors that are independent of each other. Multi-factor authentication is widely used by financial institutions, banks and law enforcement agencies.
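The following is an added example, not code from the original notes, showing the difference between a single-factor check (a password, something the user knows) and a second, independent factor (a time-based one-time code, something the user has). The user record, the static salt and the shared secret are constructed for the example; a real system would store a random salt per user and keep the TOTP secret separate from the password hash.

```python
import hashlib
import hmac
import secrets
import struct
import time

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user store. A real system would use secrets.token_bytes(16)
# as a fresh salt per user instead of this fixed example salt.
_SALT = b"constructed-static-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"constructed-shared-secret-for-alice",  # constructed
    }
}

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password on HMAC-SHA1 (the RFC default)."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_password(username: str, password: str) -> bool:
    """First factor: something the user knows."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        _hash_password(password, _SALT)
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])

def verify_totp(username: str, code: str, unix_time: int) -> bool:
    """Second factor: something the user has (a TOTP generator)."""
    user = USERS.get(username)
    if user is None:
        return False
    # Accept the current 30-second step and the previous one for clock drift.
    for drift in (0, -30):
        expected = totp(user["totp_secret"], unix_time + drift)
        if hmac.compare_digest(expected, code):
            return True
    return False

def login(username: str, password: str, code: str, unix_time=None) -> bool:
    """Two-factor login: both factors must pass. Both are always evaluated so
    the response time does not reveal which factor failed."""
    if unix_time is None:
        unix_time = int(time.time())
    pw_ok = verify_password(username, password)
    code_ok = verify_totp(username, code, unix_time)
    return pw_ok and code_ok

if __name__ == "__main__":
    now = int(time.time())
    demo_code = totp(USERS["alice"]["totp_secret"], now)
    print("password only:", verify_password("alice", "correct horse battery staple"))
    print("password + code:", login("alice", "correct horse battery staple", demo_code, now))
```

A compromised password alone is not enough to pass `login`, which is the whole point of the second factor; the drift window is deliberately small, because every extra accepted step widens the window in which a captured code stays valid.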
Key takeaway:
- Database security is the set of measures that protects a database against malicious or accidental threats.
- Authentication acquires one more dimension in the context of databases, since it can occur at various levels.
Authorization takes place after the system has successfully authenticated your identity; it then decides whether you may access resources such as records, files, databases, funds and so on. Authorization confirms your right to use a service only after assessing whether, and to what degree, you are eligible to access the system.
In other words, authorization is the process of deciding whether an authenticated user may access specific resources. For example, once employee IDs and passwords have been checked and validated by authentication, the next step is to decide which employee may enter which floor, and that is done by authorization.
Authentication and authorization together secure access to a system, and they are usually used in combination. Although they are distinct concepts, both are vital to the architecture of a web service, particularly when access to a system is granted, so it is important to understand each term.
The authorization process decides whether a user who is already authenticated is granted access to a resource. In other words, authorization specifies what a user is and is not allowed to do.
The level of authorization granted to a user is determined by metadata about the user's account. Such details may indicate whether the user belongs to the 'Administrators' or 'Customers' group, or whether the user has a paid subscription to certain content.
Authorization processes often include authorization management, which means establishing authorization rules. An administrator can, for example, create a rule that allows another user to publish content on a web page.
We build authorization policies ourselves when using social media: Facebook, LinkedIn, Twitter or Instagram have millions of users, but we can (to some extent) choose which of those users may interact with us.
Authorization technologies let organisations control what employees may access, and when and from which computer they may access data.
Even a small degree of regulation allows an organisation to ensure that its employees access confidential data only from a protected computer inside the organisation's firewall.
Access control
The term access control is somewhat elusive. For some, it means restricting access to a system from an external source (for example, controlling the login process through which users gain access to a server or desktop system).
Today, the term access control refers to controlling access to system resources after a user's credentials and identity have been authenticated and access to the system has been granted.
For instance, a single user or a group of users might be able to access certain files only after logging in, while being refused access to all other resources.
Access control is the process through which the required protection for a specific resource is enforced.
Once we have decided who the user is and what they may access, we must actively stop the user from reaching anything they may not access. Access control can therefore be seen as the combination of authentication and authorization with some additional controls, such as IP-based restrictions.
Security flaws in software most frequently stem from insufficient access control mechanisms rather than from unreliable authentication or authorization mechanisms, because access control is more difficult and complex than the other two.
The main types of access control are:
- DAC (discretionary access control)
- MAC (mandatory access control)
- RBAC (role-based access control)
- ABAC (attribute-based access control)
Key takeaway:
- Authorization is the process of deciding whether an authenticated user may access specific resources.
- Authentication and authorization together secure access to a system, and they are usually used in combination.
- The authorization process decides whether the user is granted access to a resource.
- The term access control is somewhat elusive. For some, it means restricting access to a system from an external source.
5.3.1 DAC
Discretionary Access Control (DAC) lets each user control access to their own data, unlike Mandatory Access Control (MAC), where access to system resources is managed by the operating system (under the control of a system administrator). For most desktop operating systems, DAC is the default access control method.
On a DAC-based system, each resource object has an Access Control List (ACL) associated with it, instead of the security label used in MAC. An ACL lists the users and groups to which the owner has granted access, together with the access level for each user or group.
For example, User A can give User B read-only access to one of A's files, give User C read and write access to the same file, and give full control to any user belonging to Group 1.
Note that under DAC a user can set access permissions only on resources they own. Hence a hypothetical User A cannot change the access control on a file owned by User B, but User A can set permissions on a file that she owns. Under some operating systems, the system or network administrator can also decide which permissions users are allowed to set in the ACLs of their resources.
5.3.2 MAC
This model is the complete opposite of the DAC model. In a mandatory access control (MAC) model, users do not have the discretion to decide who can access objects, as they do in a DAC model. For security purposes, an operating system based on a MAC model significantly reduces the privileges, permissions and features available to a user.
You have probably seen films in which Ethan Hunt or Jason Bourne try to reach top-secret or classified files they are not cleared for. To enforce such restrictions, the MAC model uses security labels: a label is attached to every object, so each file, directory and device carries its own label with its classification information. This type of model is used in environments where data classification and confidentiality are of the utmost importance, such as military organisations, government agencies and government contractors.
The problem with DAC was that malware could inherit all the permissions of the user who installed it on the device. This is not the case on MAC systems: since users working inside a MAC system cannot install software, the operating system does not allow any software, including malware, to be installed while the user is logged in.
But while MAC systems may seem to answer all our security prayers, they offer very limited user features, require a lot of administrative overhead, are very costly, and are not user-friendly. General-purpose computers are DAC systems; MAC systems serve very specific purposes.
5.3.3 RBAC
Role-Based Access Control (RBAC), also known as non-discretionary access control, takes a more real-world approach to structuring access control. Under RBAC, access is based on the user's job role within the organisation to which the computer system belongs.
In essence, RBAC grants permissions to specific positions in an organisation, and users are then assigned to those positions. For example, an accountant would be assigned to the Accountant role and thereby gain access to all resources permitted to accountants on the system. Similarly, a software engineer could be assigned to the Developer role.
Roles differ from groups in that, while users can belong to several groups, under RBAC a user can be assigned only a single role in an organisation. Furthermore, there is no way to give an individual user additional permissions beyond those required for their role. The accountant mentioned above receives the same permissions as every other accountant, nothing more and nothing less.
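The three models of sections 5.3.1 to 5.3.3 differ mainly in who may change a permission and where the policy lives. The following is an added example, not code from the original notes, that implements a minimal version of each so the differences can be checked against the text: a DAC file whose ACL only the owner may edit, MAC clearance levels enforced by the system (no read up, no write down), and an RBAC table where a user holds exactly one role and gets nothing beyond it. The users, groups, labels and role names are constructed for the example.

```python
from dataclasses import dataclass, field

# ---- DAC: each object carries an ACL that only its owner may edit ----
@dataclass
class DacFile:
    owner: str
    acl: dict = field(default_factory=dict)   # principal -> set of permissions

    def grant(self, actor: str, principal: str, perms: set) -> bool:
        """Discretionary: only the owner may change the ACL. Returns False otherwise."""
        if actor != self.owner:
            return False
        self.acl[principal] = set(perms)
        return True

    def allows(self, user: str, groups: set, perm: str) -> bool:
        """Owner always has access; others need an ACL entry for themselves or a group."""
        if user == self.owner:
            return True
        principals = {user} | set(groups)
        return any(perm in self.acl.get(p, set()) for p in principals)

# ---- MAC: labels assigned by the system; users cannot alter them ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_can_read(subject_clearance: str, object_label: str) -> bool:
    """No read up: a subject may read only objects at or below its clearance."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]

def mac_can_write(subject_clearance: str, object_label: str) -> bool:
    """No write down: writing to a lower label could leak classified data."""
    return LEVELS[subject_clearance] <= LEVELS[object_label]

# ---- RBAC: permissions attach to roles; each user holds exactly one role ----
ROLE_PERMS = {  # constructed role table
    "accountant": {"ledger:read", "ledger:write", "invoice:read"},
    "developer": {"repo:read", "repo:write", "ci:run"},
}

class Rbac:
    def __init__(self):
        self.user_role = {}

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMS:
            raise ValueError(f"unknown role {role!r}")
        self.user_role[user] = role   # a single role: reassigning replaces the old one

    def allows(self, user: str, perm: str) -> bool:
        """No per-user extras: the answer depends only on the role's permission set."""
        role = self.user_role.get(user)
        return role is not None and perm in ROLE_PERMS[role]

def demo():
    """Exercise the three models with the page's own scenarios (constructed users)."""
    f = DacFile(owner="A")
    f.grant("A", "B", {"read"})                     # B: read-only
    f.grant("A", "C", {"read", "write"})            # C: read and write
    f.grant("A", "group1", {"read", "write", "control"})  # Group 1: full control
    dac = {
        "B_read": f.allows("B", set(), "read"),
        "B_write": f.allows("B", set(), "write"),
        "D_via_group1": f.allows("D", {"group1"}, "write"),
        "B_tries_to_grant": f.grant("B", "B", {"write"}),   # not the owner
        "B_acl_after": f.acl["B"],
    }
    mac = {
        "secret_reads_confidential": mac_can_read("secret", "confidential"),
        "confidential_reads_secret": mac_can_read("confidential", "secret"),
        "secret_writes_unclassified": mac_can_write("secret", "unclassified"),
    }
    r = Rbac()
    r.assign("alice", "accountant")
    rbac = {
        "alice_ledger_write": r.allows("alice", "ledger:write"),
        "alice_repo_write": r.allows("alice", "repo:write"),
    }
    return dac, mac, rbac

if __name__ == "__main__":
    for name, result in zip(("DAC", "MAC", "RBAC"), demo()):
        print(name, result)
```

The DAC part shows the weakness the MAC section describes: whatever the owner can do, any process running as the owner can also do, including rewriting the ACL. The MAC checks have no "owner" notion at all, and the RBAC class deliberately offers no way to add a permission to one user without changing the role itself.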
Key takeaway:
- DAC enables each user to control access to their own data, unlike Mandatory Access Control.
- For most desktop operating systems, DAC is usually the default method for access control.
- This MAC model is the complete opposite of the DAC model.
- An operating system based on a MAC model significantly decreases the amount of privileges, permissions, and features a user has for security purposes.
- RBAC access is based on the job role of a user within the organisation to which the computer system belongs.
An Intrusion Detection System (IDS) monitors network traffic for suspicious activity and issues alerts when such activity is detected. It is a software application that checks a network or device for malicious behaviour or policy violations.
Any malicious activity or violation is typically reported to an administrator or collected centrally by a security information and event management (SIEM) system. A SIEM system combines output from several sources and uses alarm-filtering techniques to distinguish malicious activity from false alarms.
Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms. Hence organisations need to fine-tune their IDS products when they first install them: the IDS must be configured to know what normal network traffic looks like compared with malicious activity.
Intrusion detection systems also inspect the system's inbound network packets to check for malicious activity and immediately send alerts.
Classification of intrusion detection system
IDS is categorised into five forms:
1. Network Intrusion Detection System
Network Intrusion Detection Systems (NIDS) are set up at a planned point within the network to inspect traffic from all devices on the network. A NIDS analyses the traffic passing over the entire subnet and matches it against the library of known attacks. Once an attack is detected or suspicious behaviour is observed, an alert is sent to the administrator.
2. Host Intrusion Detection System
Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors only the packets entering and leaving that device and alerts the administrator if suspicious or malicious behaviour is detected. It takes a snapshot of the existing system files and compares it with the previous snapshot; if critical system files have been modified or deleted, an alert is sent to the administrator to investigate.
3. Protocol-based Intrusion Detection System
A protocol-based intrusion detection system (PIDS) is a system or agent that typically resides at the front end of a server and monitors and interprets the protocol between a user/device and the server. It attempts to protect the web server by regularly monitoring the HTTPS protocol stream and accepting the related HTTP protocol.
4. Application Protocol-based Intrusion Detection System
An Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that normally resides within a group of servers. It detects intrusions by monitoring and interpreting the communication on application-specific protocols.
5. Hybrid Intrusion Detection System
A hybrid intrusion detection system combines two or more intrusion detection approaches. Host agent or system data is combined with network information to develop a complete view of the network system.
Detection method
1. Signature-based method
A signature-based IDS detects attacks on the basis of specific patterns in the network traffic, such as the number of bytes or the number of 1s or 0s, or on the basis of the known malicious instruction sequences used by already documented malware. The patterns the IDS looks for are called signatures.
2. Anomaly-based method
Anomaly-based IDS was introduced to detect unknown malware attacks, since new malware is generated rapidly. An anomaly-based IDS uses machine learning to build a trustworthy model of normal behaviour; everything that arrives is compared with that model, and anything that does not fit the model is declared suspicious.
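The two detection methods above are complementary, and a small runnable example makes that concrete. The following is an added example, not code from the original notes: a signature matcher that looks for documented patterns in request lines (the `OR 1=1` tautology discussed later on this page, plus a constructed placeholder path), and a simple anomaly detector that learns the normal requests-per-source rate from a training window and flags any source exceeding the mean plus three standard deviations. The log lines, training counts and addresses are constructed; the anomaly model is a statistical baseline standing in for the machine-learning model the text mentions.

```python
import re
import statistics
from collections import Counter

# --- Signature-based detection: match traffic against documented patterns ---
SIGNATURES = {
    # SQL tautology such as "105 OR 1=1" (the pattern discussed on this page)
    "sqli_tautology": re.compile(r"(?i)\bor\s+1\s*=\s*1\b"),
    # Constructed placeholder standing in for a documented malicious request path
    "known_bad_path": re.compile(r"/constructed-known-bad-path"),
}

def signature_alerts(lines):
    """Return (line, signature_name) for every line that matches a known signature."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((line, name))
    return alerts

# --- Anomaly-based detection: learn the normal per-source rate, flag outliers ---
class RateAnomalyDetector:
    def __init__(self, k: float = 3.0):
        self.k = k            # how many standard deviations above the mean is "abnormal"
        self.threshold = None

    def train(self, per_source_counts) -> float:
        """Build the baseline from requests-per-source counts seen in normal windows."""
        mean = statistics.mean(per_source_counts)
        stdev = statistics.stdev(per_source_counts)
        self.threshold = mean + self.k * stdev
        return self.threshold

    def detect(self, lines) -> dict:
        """Count requests per source address (first field) and flag those above the threshold."""
        if self.threshold is None:
            raise RuntimeError("detector must be trained before detect()")
        counts = Counter(line.split()[0] for line in lines)
        return {src: n for src, n in counts.items() if n > self.threshold}

# Constructed data: requests per source per minute observed during normal operation
TRAINING_COUNTS = [8, 9, 10, 11, 12, 9, 10, 10, 11, 10]

# Constructed live window, format "<src_ip> <method> <path> <status>"
LIVE_WINDOW = (
    ["10.0.0.1 GET /index.html 200"] * 12                 # slightly busy but normal
    + ["10.0.0.2 GET /users?id=105 OR 1=1 200"]           # one request carrying a known pattern
    + ["10.0.0.9 GET /index.html 200"] * 40               # a flood with no known signature
)

def run_demo():
    """Run both detectors over the constructed window."""
    detector = RateAnomalyDetector(k=3.0)
    threshold = detector.train(TRAINING_COUNTS)
    return signature_alerts(LIVE_WINDOW), detector.detect(LIVE_WINDOW), threshold

if __name__ == "__main__":
    alerts, flagged, threshold = run_demo()
    print("signature alerts:", alerts)
    print(f"anomaly threshold {threshold:.2f} req/min; flagged sources:", flagged)
```

The signature matcher catches the single tautology request but says nothing about the flood, because no documented pattern describes it; the anomaly detector flags the flood but ignores the tautology, because one request is well within the learned rate. The training window also shows why tuning matters: a baseline built from unrepresentative traffic moves the threshold and produces either false alarms or missed floods.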
Key takeaway:
- An IDS is a software application that checks a network or device for malicious behaviour or policy violations.
- An Intrusion Detection System monitors network traffic for suspicious activity and issues alerts when such activity is detected.
- Intrusion detection systems also inspect the system's inbound network packets to check for malicious activity and immediately send alerts.
SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers may use SQL Injection vulnerabilities to bypass the application's security measures.
They can bypass the authentication and authorization of a web page or web application and retrieve the contents of the entire SQL database. They can also add, modify and delete records in the database using SQL Injection.
SQL injection is a technique in which SQL commands are inserted as statements through web page inputs in order to manipulate the data behind the page. Malicious users can use these statements to exploit the application's web server.
- SQL injection is a code injection technique that could destroy your database.
- SQL injection is one of the most common web hacking techniques.
- SQL injection is the placement of malicious code in SQL statements via web page input.
SQL injection flaws occur when:
- Data enters a program from an untrusted source.
- That data is used to dynamically construct a SQL query.
The key consequences are:
- Confidentiality: Since SQL databases typically hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
- Authentication: If poorly written SQL commands are used to check user names and passwords, it may be possible to log in as another user without any prior knowledge of that user's password.
- Authorization: If authorization information is stored in a SQL database, it may be possible to alter that information by successfully exploiting a SQL Injection vulnerability.
- Integrity: Just as it may be possible to read sensitive information, a SQL Injection attack may also allow that information to be modified or even deleted.
SQL in web pages
In general, SQL injection happens when you ask a user for input, such as their username/user id, and instead of a name/id the user gives you a SQL statement that you then unknowingly run on your database.
Look at the example below, which builds a SELECT statement by appending a variable (txtUserId) to a select string. The variable is taken from user input (getRequestString):
Example:
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
SQL injection based on 1=1 is always true
Look at the example above again. The original purpose of the code was to create a SQL statement to select a user, with a given user id.
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:
UserId: 105 OR 1=1
Then, the SQL statement will look like this:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;
The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
Does the example above look dangerous? What if the "Users" table contains names and passwords?
The SQL statement above is much the same as this:
SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;
A hacker might gain access to all the user names and passwords in a database simply by entering 105 OR 1=1 into the input field.
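To see the 1=1 case above actually happen, and what changes when the query is parameterised, the following is an added example, not code from the original notes. It builds a constructed in-memory SQLite `Users` table with three rows, runs the page's concatenated query against the input `105 OR 1=1`, and then runs the same lookup with a placeholder parameter, which the database driver treats as data rather than as part of the SQL text. The table contents and the two input strings are constructed; the password column holds placeholder strings, not real hashes.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory Users table mirroring the page's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        (105, "alice", "constructed-hash-1"),
        (106, "bob", "constructed-hash-2"),
        (107, "carol", "constructed-hash-3"),
    ])
    return conn

def lookup_vulnerable(conn, user_input: str):
    """The page's pattern: the input is spliced into the SQL text, so whatever
    the user typed is parsed as SQL. Kept deliberately vulnerable for contrast."""
    sql = "SELECT UserId, Name FROM Users WHERE UserId = " + user_input
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_input: str):
    """Hardened form: a placeholder. The value travels separately from the SQL
    and is compared as a value, never parsed as SQL."""
    sql = "SELECT UserId, Name FROM Users WHERE UserId = ?"
    return conn.execute(sql, (user_input,)).fetchall()

def lookup_validated(conn, user_input: str):
    """Parameterisation plus input validation: reject anything that is not an
    integer id before it reaches the database at all."""
    try:
        user_id = int(user_input)
    except ValueError:
        return []
    return lookup_parameterized(conn, str(user_id))

def demo() -> dict:
    conn = make_db()
    honest = "105"          # what the form expects
    smart = "105 OR 1=1"    # the "smart" input from the page
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_smart": lookup_vulnerable(conn, smart),        # returns every row
        "param_honest": lookup_parameterized(conn, honest),
        "param_smart": lookup_parameterized(conn, smart),    # compares against the literal string, no match
        "validated_smart": lookup_validated(conn, smart),    # rejected before the query runs
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:16s} -> {rows}")
```

With the concatenated query, `105 OR 1=1` returns all three users, exactly as the text describes. With the placeholder, the same string is bound as a single value, so the database looks for a `UserId` equal to the text `105 OR 1=1` and finds nothing; the validation layer on top rejects it earlier still and gives the application a clear place to log the attempt.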
Key takeaway:
- SQL Injection (SQLi) is a type of injection attack that allows malicious SQL statements to be executed.
- SQL injection is a method used for inserting SQL commands as statements to manipulate user data from web page inputs.