Database security 12.pdf

PAAVAI ENGINEERING COLLEGE,NAMAKKAL
(AUTONOMOUS)
DATABASE SECURITY AND PRIVACY

References :
1) Hassan A. Afyouni, “Database Security and Auditing”, Third Edition, Cengage
Learning, 2009
2) Charu C. Aggarwal, Philip S Yu, “Privacy Preserving Data Mining”: Models and
Algorithms, Kluwer Academic Publishers, 2008
3) Ron Ben Natan, ”Implementing Database Security and Auditing”, Elsevier Digital
Press, 2005.

UNIT I : SECURITY ARCHITECTURE & OPERATING SYSTEM SECURITY
FUNDAMENTALS
✓ Security Architecture:
▪ Introduction
▪ Information Systems
▪ Database Management Systems
▪ Information Security Architecture
▪ Database Security
▪ Asset Types and value
▪ Security Methods
✓ Operating System Security Fundamentals:
▪ Introduction
▪ Operating System Overview
▪ Security Environment
▪ Components
▪ Authentication Methods
✓ User Administration
✓ Password Policies
✓ Vulnerabilities
✓ E-mail Security

Security Architecture: Introduction
✓ Security is Avoiding unauthorised access ( with limited
time duration , not always)
✓ There is no 100% Security in all kind of software and hardware .
✓ Security violations and attacks are increased globally at an average
rate of 20%.
✓ Statistics shows that virus alerts, email spamming, identity theft, data
theft, and types of security breaches on the rise.
✓ Database Security is the degree to which all the data is fully protected
from tampering or unauthorised acts.
✓ The great challenge is to develop a new database security policy to secure
data and prevent integrity data violations.
✓ Most of the DBMS did not have a security mechanism for authentication
and encryption until recently.

Information Systems
✓ In today’s global market , corporate companies all
over the world to gain a portion of market share.
✓ Wise decisions are not made without accurate and timely
information.
✓ At the same time integrity of information is more important.
✓ The integrity of the information depends on the integrity of
its data source and the reliable processing of the data.
✓ Data is processed and transformed by a collection of
components working together to produce and
generate accurate information. These components
are known as INFORMATION SYSTEM.

Information Systems …
✓ An information can be a back bone of the day-to-day operations of a company
well as the beacon of long-term strategies and vision.
✓ Information systems are categorized based on usage.
✓ The following figure shows the typical use of system applications at
various management levels

✓ Information System mainly classified into three categories
1) Transaction Processing System (TPS)
2) Decision Support System (DSS)
3) Expert System (ES)

Characteristics of Information System categories
Category Characteristics Typical Application
System
Transaction
Processing
System (TPS)
✓ Also Known as ONLINE TRANSACTION
PROCESSING (OLTP)
✓ Used for operational tasks
✓ Provides solutions for structured problems
✓ Includes business transactions
✓ Logical Components of TPS applications ( Derived
from business procedures , business rules and
policies)
▪ Order tracking
▪ Customer service
▪ Payroll
▪ Accounting
▪ Student Registration
▪ Sales
Decision
Support
System (DSS)
✓ Deals with nanostructured problems and provide
recommendations or answer to solve these
problems
✓ Is capable of “What-if?” analysis
✓ Contains collection of business models
✓ Is used for tactical management tasks
▪ Risk Management
▪ Fraud Detection
▪ Sales forecasting
▪ Case resolution

Characteristics of Information System categories …
Category Characteristics Typical Application
System
Expert System
(ES)
✓ Captures reasoning of human experts
✓ Executive Expert Systems(EESs) are a type of
expert system used by top level management
for strategic management goals
✓ A branch of Artificial Intelligence within the
field of computer science studies
✓ Software consists of :
Knowledge Base
Inference Engine
Rules
✓ People Consists of :
Domain Experts
Knowledge Engineers
Power Users
✓ Virtual University
Simulation
✓ Financial Enterprise
✓ Statistical Trading
✓ Loan Expert
✓ Market Analysis

Components of Information System
✓ Data – The information stored in the Database for future
references or processing
✓ Procedures – Manual , Guidelines, Business rules and Policies
✓ Hardware – Computer System, Fax, Scanner, Printer, Disk
✓ Software – DBMS, OS, Programming Languages, Other
Utilities or Tools
✓ Network – Communication Infrastructure
✓ People – DBA, System Admin, Programmers, Users,
Business Analyst, System Analyst

• Components of Information System …

Database Management System
Database :
✓ A collection of meaningful Interelated Information System
✓ It is both Physical and Logical
✓ Representing the logical information in a physical device
✓ Mainly used for storing and retrieving the data for processing
✓ Using CLIENT / SERVER Architecture
✓ Request and Reply protocols are used to communicate client and
server

Database Management System …
DBMS
✓ Set of programs to access the database for data manipulation or processing
✓ DBMS contains information about a particular enterprise
✓ DBMS provides an environment that it both convenient and efficient
to use Purpose of DBMS
✓ Data redundancy and inconsistency
✓ Difficulty in accessing data
✓ Data isolation – multiple files and format
✓ Integrity problems
✓ Atomicity of updates
✓ Concurrent access by multiple users
✓ Security problems

Database Management System …
DBMS Architecture

Information Security Architecture
Information Security
✓ Information is one of the most valuable asset in an organization
✓ Many companies have Information Security Department
✓ Information Security consists of the procedures and measures taken
to protect each component of the information systems involved in
protecting information
✓ According to the National Security Telecommunications and
Information Systems Security Committee (NSTISSC) , the concept
of CIA Triangle , in Which “C” stands for “Confidentiality”, “I”
stands for “Integrity” and “A” stands for “Availability”

Information Security Architecture …
Confidentiality
Information is classified
into different levels of
confidentiality to ensure
that only authorised users
access the information
Integrity
Information is accurate and
protected from tampering by
unauthorised persons
Information is consistent and
validated
Availability
Information is available all the times only
for authorised and authenticated persons
System is protected from being shutdown
due to external or internal threats or
attacks
CIA Triangle

▪ Threats and Attacks
▪ System Vulnerabilities
▪ Authorization methodology
▪ Authentication Technology
▪ Network Interface
▪ Disaster and Recovery Strategy
Availability
▪ Security Technology
▪ Security Models
▪ Cryptography Technology
▪ DBMS Technology
▪ Database and Data Design
▪ Application Technology
Integrity
▪ Privacy Laws
▪ Confidential Classification
▪ Policies and Procedures
▪ Access Rights
▪ Customer Concerns
▪ Social and Cultural issues
Confidentiality
Logical
and
Physical Assets
Information Security Architecture

Components of Information Security Architecture
✓ Policies and Procedures
- Documented procedures and company policies that
elaborate on how security is to be carried out
✓ Security personnel and Administrators
- People who enforce and keep security in order
✓ Detection equipment
- Devices that authenticate employees and Detect equipment that is
prohibited by the company
✓ Security Programs
- Tools that protect computer systems’ server
✓ Monitoring Equipment
- Devices that monitor physical properties , employees and other
important assets
✓ Monitoring Applications
- Utilities and applications used to monitor network traffic and Internet
activities
✓ Auditing Procedures and Tools
- Checks and Controls put in place to ensure that security measures are
working

Database security
Database Security
✓ One of the functions of DBMS is to empower DBA to implement and
enforce security at all levels of security
✓ A security access point is a place where database security must be
protected and applied
✓ The Security access points illustrated in the below figure

Database Security Access Points
✓ People – Individuals who have been granted privileges and permissions to
access networks, workstations, servers, databases, data files and data
✓ Applications – Application design and implementation , which includes
privileges and permissions granted to people
✓ Network – One of the most sensitive security access points. Protect the
network and provide network access only to applications,
operating systems and databases.
✓ Operating Systems – This access point is defined as authentication to the
system, the gateway to the data
✓ DBMS – The logical structure of the database, which includes memory ,
executable and other binaries
✓ Data files – Another access point that influences database security
enforcement is access to data files where data resides.
✓ Data – The data access point deals with data design needed to enforce data
integrity

Data Integrity violation process
✓ Security gaps are points at which security is missing and the systems is vulnerable.
✓ Vulnerabilities are kinks in the system that must be watched because they can
become threats.
✓ In the world of information security , a threat is defined as a security risk that has
high possibility of becoming a system breach.

Menaces to Databases
✓ Security vulnerability
– A weakness in any of the information system components that can be
exploited to violate the integrity , confidentiality, or accessibility of the
system
✓ Security Threat
– A security violation or attack that can happen any time because of
a security vulnerability
✓ Security risk
– A known security gap that a company intentionally leaves open

Types of Vulnerabilities
✓ Vulnerability means “ Susceptible to Attacks” ( Source :www.dictionary.com)
✓ Intruders, Attackers and Assailers exploit vulnerabilities in Database environment to
prepare and start their attacks.
✓ Hackers usually explore the weak points of a system until they gain entry
✓ Once the intrusion point is identified , Hackers unleash their array of attacks
▪ Virus
▪ Malicious Code
▪ Worms
▪ Other Unlawful violations
✓ To protect the system the administrator should understand the types of
vulnerabilities
✓ The below figure shows the types of vulnerabilities

Types of Vulnerabilities …
Category Description Examples
Installation
and
Configuration
User Mistakes
✓ Results from default
installation
✓ Configuration that is known
publicly
✓ Does not enforce any
security measures
✓ Improper configuration or
Installation may result in
security risks
✓ Security vulnerabilities are
tied to humans too
✓ Carelessness in
implementing procedures
✓ Failure to follow through
✓ Accidental errors
✓ Incorrect application
configuration
✓ Failure to change default
passwords
✓ Failure to change default
privileges
✓ Using default installation
which does not enforce high
security measures
✓ Lack of Auditing controls
✓ Untested recovery plan
✓ Lack of activity monitoring
✓ Lack of protection against
malicious code
✓ Lack of applying patches as
they are released
✓ Bad authentication or
implementation
✓ Social Engineering
✓ Lack of technical
information
✓ Susceptibility to scam

Types of Vulnerabilities …
Category Description Examples
Software ✓ Vulnerabilities found in
commercial software for all types
of programs ( Applications, OS,
DBMS, etc.,)
✓ Software patches that are not
applied
✓ Software contains bugs
✓ System Administrators do not
keep track of patches
Design and
Implementation
✓ Related to improper software
analysis and design as well as
coding problems and deficiencies
✓ System design errors
✓ Exceptions and errors are not
handled in development
✓ Input data is not validated

Types of threats
✓ Threat is defined as “ An indication of impending danger or harm”
✓ Vulnerabilities can escalate into threats
✓ DBA , IS Administrator should aware of vulnerabilities and threats
✓ Four types of threats contribute to security risks as shown in below figure

Types of threats , definitions and examples
Threat type Definition Examples
People
Malicious
Code
People intentionally or
unintentionally inflict
damage, violation or
destruction to all or any of the
database components
(People, Applications,
Networks, OS, DBMS, Data
files or data)
Software Code that in most
cases is intentionally written
to damage or violate one or
more database environment
components (People,
Applications, Networks, OS,
DBMS, Data files or data)
✓ Employees
✓ Govt. Authorities or Person who
are in charge
✓ Contractors
✓ Consultants
✓ Visitors
✓ Hackers
✓ Organised Criminals
✓ Spies
✓ Terrorists
✓ Social Engineers
✓ Viruses
✓ Boot Sector Viruses
✓ Worms
✓ Trojon Horses
✓ Spoofing Code
✓ Denial-of-service flood
✓ Rookits
✓ Bots
✓ Bugs
✓ E-Mail Spamming
✓ Back Door

Types of threats , definitions and examples
Threat type Definition Examples
Natural
Disasters
Calamities caused by Nature, which can
destroy any or all of the Database
Components (People, Applications,
Networks, OS, DBMS, Data files or data)
✓ Hurricanes
✓ Tornados
✓ Eartquakes
✓ Lightning
✓ Flood
✓ Fire
Technological
Disasters
Often caused by some sort of malfunction in
equipment or hardware.
Technological disasters can inflict damage to
Networks, OS, DBMS, Data files or data
✓ Power failure
✓ Media failure
✓ Hardware failure
✓ Network failure

Examples of Malicious Code
✓ Virus – Code that compromises the integrity and state of the system
✓ Boot Sector Virus – Code that compromises the segment in the hard disk that
contains the program used to start the computer
✓ Worm – Code that disrupts the operation of the system
✓ Trojan Horses – Malicious code that penetrates a computer system or network
by pretending to be legitimate coded
✓ Spoofing Code – Malicious code that looks like a legitimate code
✓ Denial-of-service-flood – The act of flooding a web site or network system with
many requests with the intent of overloading the system and forcing it to
deny service legitimate requests
✓ Rootkits and Bots – Malicious or Legitimate code that performs such functions
as automatically retrieving and collecting information from computer system
✓ Bugs - Code that is faulty due to bad design, logic or both
✓ E-Mail Spamming – E-Mail that is sent to may recipients without their
permission
✓ Back door – An intentional design element of software that allows developers of
the system to gain access to the application for maintenance or technical
problems

Types of Threats
✓ Risks are simply the a part of doing business
✓ Managers at all the levels are constantly working to assess and mitigate risks to
ensure the continuity of the department operations.
✓ Administrators should understand the weakness and threats related to the system
✓ Categories of database security risks are shown in the below figure

Definitions and examples of Risk types
Risk Type Definition Examples
People The loss of people who are
vital components of the
database environments and
know critical information can
create risks
✓ Loss of key persons ( Registration,
Migration, Health problems)
✓ Key person downtime due to sickness
personal or family problems, or
burnout
Hardware A risk that mainly results in
hardware unavailability or
interoperability
✓ Downtime due to hardware failure, mal
functions, or inflicted damages
✓ Failure due to unreliable or poor quality
equipment
Data Data loss or data integrity is a
major concern of the
database administration and
management
✓ Data loss
✓ Data corruption
✓ Data Privacy loss
Confidence The loss of public confidence
in the data produced by the
company causes a loss of
public confidence in the
company itself
✓ Loss of procedural and policy
documentation
✓ DB performance degradation
✓ Fraud
✓ Confusion and uncertainty about
database information

Integration of security vulnerabilities, therats
and risks in a database

Asset Types and Their Values
✓ People always tend to protect assets regardless of what they are
✓ Corporations treat their assets in the same way
✓ Assets are the infrastructure of the company operation
✓ There are four main types of assets
▪ Physical assets – Also known as tangible assets, these include buildings, cars,
hardware and so on
▪ Logical assets – Logical aspects of an information system such as business
applications, in-house programs, purchased software, OS, DBs, Data
▪ Intangible assets – Business reputation, quality, and public confidence
▪ Human assets – Human skills, knowledge and expertise

Database Security Methods
Security methods used to protect database environment components
Database
Component
Protected
Security Methods
People ✓ Physical limits on access to hardware and documents
✓ Through the process of identification and authentication make
certain that the individual is who is claim s to be through the use of
devices, such as ID cards, eye scans, and passwords
✓ Training courses on the importance of security and how to guard
assets
✓ Establishment of security policies and procedures
Applications ✓ Authentication of users who access applications
✓ Business rules
✓ Single sign-on ( A method for signing on once for different
applications and web sites)
Network ✓ Firewalls to block network intruders
✓ Virtual Private Network (VPN)
✓ Authentication

Database Security Methods …
Database Component
Protected Security Methods
OS ✓ Authentication
✓ Intrusion Detection
✓ Password Policies
✓ User accounts
DBMS ✓ Authentication
✓ Audit Mechanism
✓ Database resource limits
✓ Password poilicy
Data files ✓ File permission
✓ Access Monitoring
Data ✓ Data Validation
✓ Data Constraints
✓ Data Encryption
✓ Data Access

Database Security Methodology
The below figure presents database security methodology side by side
with the software development life cycle (SDLC) methodology

Database Security Methodology…
The following list presents the definition of each phase of the
database security methodology
Identification – Entails the identification and investigation of resources
required and policies to be adopted
Assessment – This phase includes analysis of vulnerabilities, threats and
risks for both aspects of DB security
Physical – Data files
Logical – Memory and Code
Design – This phase results in a blueprint of the adopted security model
that is used to enforce the security
Implementation – Code is developed or tools are purchased to implement the
blueprint outlined in the previous phase
Evaluation – Evaluate the security implementation by testing the system
against attacks, hardware failure, natural disasters and human
errors
Auditing – After the system goes into production , security audits should
be performed periodically to ensure the security state of the
system

Database Security Definition Revisited
At the start of the chapter database security was defined as
“the degree to which all the data is fully protected from tampering and
unauthorised acts”.
After discussing a lot of database security , various information systems and
information security the definition of database security can be expanded as
follows:
Database security is a collection of security polices and procedures, data
constraints, security methods , security tools blended together to implement
all necessary measures to secure the integrity, accessibility and confidentiality
of every component of the database environment.

Operating System Security Fundamentals
An Operating System (OS) is a collection of programs that allows the to
operate the computer hardware.
✓ OS is also known as “ RESOURCE MANAGER”
✓ OS is one of the main access point in DBMS
✓ A computer system has three layers
▪ The inner layer represents the hardware
▪ The middle layer is OS
▪ The outer layer is all different software

Operating System Security Fundamentals …
An OS is having number of key functions and capabilities as outlined
in the following list
✓ Multitasking
✓ Multisharing
✓ Managing computer resources
✓ Controls the flow of activities
✓ Provides a user interface to operate the computer
✓ Administers user actions and accounts
✓ Runs software utilities and programs
✓ Provides functionalities to enforce the security measures
✓ Schedules the jobs and tasks to be run
✓ Provides tools to configure the OS and hardware

Operating System Security Fundamentals …
There are different vendors of OS
✓ Windows by Microsoft
✓ UNIX by companies such as Sun Microsystems, HP and IBM
✓ LINUX “flavours” from various vendors such as Red Hat
✓ Macintosh by Apple

The OS Security Environment
✓ A compromised OS can compromise a
Database Environment
✓ Physically protect the computer running
the OS( Padlocks, Chain locks, Guards,
Cameras)
✓ Model :
▪ Bank Building – OS
▪ Safe – DB
▪ Money - Data

The Components of an OS Security Environment
✓ The three components (layers) of
the OS are represented in the figure
✓ Memory component is the hardware
memory available on the system
✓ Files component consists of files
stored on the disk
✓ Service component compromise
such OS features and functions as
N/W services, File Management and
Web services

Services
✓ The main component of OS security environment is services.
✓ It consists of functionality that the OS offers as part of its core utilities.
✓ Users employ these utilities to gain access to OS and all the features
the users are authorised to use.
✓ If the services are not secured and configured properly , each service
becomes a vulnerability and access point and can lead to a security
threat.

Files
✓ Files are another one component of OS.
✓ It has more actions
✓ File Permission
✓ File Transfer
✓ File Sharing

Files …
File Permission
• Every OS has a method of implementing file permission to grant read, write or
execute privileges to different users.
• The following figure gives how the file permissions are assigned to a user in
windows

Files …
✓ In UNIX, file permissions work differently than windows.
✓ For each file there are three permission settings
✓ Each setting consists of rwx ( r – read, w – write and x – execute)
1. First rwx is Owner of the file
2. Second rwx is Group to which owner belongs
3. Third rwx is All other users
✓ The given images gives the details of UNIX file permission.

Files …
✓ File Transfer – moving the file from one location to another location in a
disk/web/cloud
✓ FTP is an Internet service that allows transferring files from one computer to
another
✓ FTP clients and servers transmit usernames and passwords in plaintext
format( Not Encrypted). This means any hacker can sniff network traffic and
be able to get the logon information easily.
✓ Files also transferred as plaintext format
✓ A root account cannot be used to transfer file using FTP
✓ Anonymous FTP is the ability to log on to the FTP server without being
authenticated.
✓ This method is usually used to provide access to files in the public domain.

Files …
✓ Here are some best practices for transferring files
✓ Never use the normal FTP Utility. Instead, use the secure FTP utility , if
possible.
✓ Make two FTP directories: one for file uploads with write permission
only and another one file is for file downloads with read permission.
✓ Use specific accounts for FTP that do not have access to any files or
directories outside the file UPLOAD and DOWNLOAD directories.
✓ Turn on logging , and scan the FTP logs for unusual activities on a
regular basis.
✓ Allow only authorized operators to have FTP privileges.

Files …
✓ Sharing files naturally leads to security risks and threats
✓ The peer-to-peer technology is on rise( very well developed now)
✓ Peer-to-Peer programs allow users to share the files over internet
✓ If you were conduct a survey of users that use Peer-to-Peer programs,
majority of the users’ machines are infected with some sort of virus,
spyware, or worm.
✓ Most companies prohibit the use of such programs.
✓ The main reason for blocking these programs are
▪ Malicious Code
▪ Adware and spyware
▪ Privacy and confidentiality
▪ Pornography
▪ Copy right issues

Memory
✓ You may wonder how memory is an access points to security violations
✓ There are many badly written programs and utilities that could change
the content of memory
✓ Although these programs do not perform deliberate destructions acts.
✓ On the other hand , programs that intentionally damage or scan data
in memory are the type that not only can harm the data integrity, but
may also exploit data for illegal use.

Authentication Methods
✓ Authentication is the fundamental service of the OS
✓ It is a process to very the user identity
✓ Most security administrators implement two types of
authentication methods
✓ Physical authentication method allows physical entrance to the
company properties
✓ Most companies use magnetic cards and card readers to control the entry to
a building office, laboratory or data center.
✓ The Digital authentication method is a process of verifying the identify
of the user by means of digital mechanism or software

Digital Authentication used by many OS
✓ Digital Certificate
▪ Widely used in e-commerce
▪ Is a passport that identifies and verifies the holder of the certificate
▪ Is an electronic file issued by a trusted party ( Known as certificate authority ) and cannot
be forged or tampered with.
✓ Digital Token (Security Token)
▪ Is a small electronic device that users keep with them to be used for authentication to a
computer or network system.
▪ This device displays a unique number to the token holder, which is used as a PIN
( Personal Identification Number) as the password
✓ Digital Card
▪ Also known as security card or smart card
▪ Similar to credit card in dimensions but instead of magnetic strip
▪ It has an electronic circuit that stores the user identification information
✓ Kerberos
▪ Developed by Massachusetts Institute of Technology (MIT) , USA
▪ It is to enable two parties to exchange information over an open network by assigning a
unique key. Called ticket , to each user.
▪ The ticket is used to encrypt communicated messages

Digital Authentication used by many OS …
✓ Lightweight Directory Access Protocol (LDAP)
▪ Developed by University of Michigan, USA
▪ Uses centralized directory database storing information about people,
offices and machines in a hierarchical manner
▪ LDAP directory can be easily distributed to many network servers.
▪ You can use LADP to store information about
• Users (User name and User id)
• Passwords
• Internal telephone directory
• Security keys
▪ Use LADP for these following reasons
• LDAP can be used across all platforms ( OS independent )
• Easy to maintain
• Can be employed for multiple purposes
▪ LDAP architecture is Client / Server based

✓ NTLM (Network LAN Manager)
▪ Was developed by Microsoft
▪ Employs challenge / response authentication protocol uses an encryption
and decryption mechanism to send and receive passwords over the network.
▪ This method is no longer used or supported by new versions of Windows OS
✓ Public Key Infrastructure (PKI)
▪ Also known as Public Key Encryption
▪ It is a method in which a user keeps a private key and the authentication
firm holds a public key .
▪ The private key usually kept as digital certificate on the users system.
✓ RADIUS ( Remote Authentication Dial-In User Services )
▪ It is a method commonly used by a network device to provide centralized
authentication mechanism.
▪ It is Client / Server based, uses a dial-up server, a Virtual Private Network
(VPN) , or a Wireless Access Point communicating to a RADIUS server

✓ SSL (Secure Sockets Layers)
▪ Was developed by Netscape Communications
▪ To provide secure communication between client and server.
▪ SSL is a method in which authentication information is transmit
over the network in encrypted form.
▪ Commonly used by websites to source client communications.
✓ SRP ( Secure Remote Password )
▪ Was developed by Stanford University, USA
▪ It is a protocol in which the password is not secure locally in an
encrypted or plain text form.
▪ Very easy to install.
▪ Does not require client or server configuration .
▪ This method is invulnerable to brute force or dictionary attacks.

Authorization
✓ Authentication is the process of providing that users really are who
they claim to be.
✓ Authorization is the process that decides whether users are permitted
to perform the functions to they request.
✓ Authorization is not performed until the user is authenticated.
✓ Authorization deals with privileges and rights that have been granted
to the user.

User Administration
✓ Administrators use this functionality to create user
accounts, set password policies and grant privileges to
user.
✓ Improper use of this feature can lead to security risks and
threats.
✓ Note : User Administration and Password policies will be
discussed in Next Unit (Chapter III and Chapter IV in Text
book)

Vulnerabilities of OS
✓ The top vulnerabilities to UNIX Systems
▪
▪
▪
▪
BIND Domain Name System
RPC (Remote Procedure Call)
Apache Web Server
General UNIX authentication accounts with
no / weak passwords
▪
▪
▪
Clear text services
Sendmail
SNMP (Simple Network Management
Protocol
▪
▪
Secure Shell
Misconfiguration of Enterprise Services
NIS/ NFS
▪ Open SSL ( Secure Socket Layer)
✓ The top vulnerabilities to Windows
Systems
▪ IIS (Internet Information Server)
▪
▪
▪
MSSQL (Microsoft SQL Server)
Windows Authentication
IE (Internet Explorer)
▪
▪
Windows Remote Access Services
MDAC (Microsoft Data Access
Components)
▪
▪
▪
WSH ( windows Scripting Host)
Microsoft Outlook and Outlook Express
Windows Peer-to-Peer File Sharing (P2P)
▪ SNMP (Simple Network Management
Protocol

E-mail Security
✓ E-mail may be the tool most frequently used by hackers to exploit viruses, worms,
and other computer system invaders.
✓ E-mail is widely used by public and private organizations as a means of communication
✓ E-mail was the medium used in many of the most famous worm and virus attacks
✓ For example :
▪ Love Bug Worm
▪ I LOVE YOU worm
▪ Mydoom worm
▪ Melissa virus
✓ E-mail is not only to used to send viruses and worms, nut to send spam e-mail, private and
confidential data as well as offensive messages
✓ To prevent from these activities ,
▪ Do not configure e-mail server on a machine in which the sensitive data resides
▪ Do not disclose the e-mail server technical details

UNIT II : ADMINISTRATION OF USERS & PROFILES,
PASSWORD POLICIES,PRIVILEGES AND ROLES
✓ Administration of Users
▪ Introduction
▪ Authentication
▪ Creating Users
✓ SQL Server
▪ User Removing
▪ Modifying Users
▪ Default Users
✓ Remote Users
✓ Database Links
✓ Linked Servers
✓ Remote Servers
✓ Practices for administrators and Managers- Best Practices
✓ Profiles, Password Policies, Privileges and Roles
▪ Introduction
▪ Defining and Using Profiles
▪ Designing and Implementing Password Policies
✓ Granting and Revoking User Privileges
✓ Creating, Assigning and Revoking User Roles-Best Practices

Administration of Users
✓ Introduction
▪ Authentication and Authorization are essential services for every
OS
▪ Another service is Administration of Users
▪ Administrators use this functionality
• Creating users
• Set Password Policies
• Grant privileges

Documentation of User Administration
✓ At every type of organization, many security violations are caused by negligence
and ignorance and in particular by failing to consider documentation
✓ Documentation is a main part of administration process
✓ There top three excuses for failing to incorporate documentation
▪ Lack of Time
▪ Belief that the administration process is already in documented in the
system
▪ Reluctance to complicate a process that is simple
✓ Everything is documented for two reasons
▪ To provide a paper trail to retrace exactly what happened when breach of
security occurs
▪ To ensure administration consistency

Documentation of User Administration …
Documentation in Administration context includes the following
✓ Administration Policies
▪ Documentation includes all policies for handling new and terminated employees, managers,
system and database administrator, database managers, operation managers, and human
resources.
▪ A detailed document should describe guidelines for every task that is required for all common
administrative situations.
✓ Security Procedures
▪ This is an outline of a step-by-step process for performing administrative task according to
company policies.
✓ Procedures implementation scripts and programs
▪ This is documentation of any script or program used to perform an administrative task.
▪ This includes user’s manual and operational manual

Documentation in Administration context includes the following …
✓ Predefined roles description
▪ This provides the full description of all predefined roles, outlining all
tasks for which the role is responsible and the role’s relationship to
other roles
✓ Administration staff and management
▪ This is usually a detailed description of each administration staff and
management position.
▪ This document includes an organizational chart.

Department Approval
Operational Approval
Account application Completion
Many companies develop procedures and forms used to perform any security-related
process. The following figure presents a sample process of creating a database user
account that you can customize per your business requirements and company policies.
DBA Completes all the paper work and documentation for new employees
DBA provides list of access operations that are necessary for employees to
perform their jobs
DBA completes the database user account application form
DBA obtains department Manger’s approval on the application
DBA obtains operational Manger’s approval on the application
DBA or Operator creates the account
Account holder verifies access
Test Access
Implement Access
Access Identification
Document Completion

Creating users
✓ Creating users is one of the main tasks you will perform as a
database operator or DBA
✓ In most organization , this process is standardized , well
documented, and surely managed
✓ The DBA had written a script to create a user for every developer
working on the project
✓ This script granted privileges to read and write data to the
database scheme
✓ Regardless of the database you use , creating the user is generally
an easy task once a policy is documented and followed

Creating users …
Creating an ORACLE 10g User

Creating users …
user
✓ Specify the name of the user to be created. This name can contain only characters from
your database character set and must follow the rules described in the section "Schema
Object Naming Rules". Oracle recommends that the user name contain at least one
single-byte character regardless of whether the database character set also contains
multibyte characters.
IDENTIFIED Clause
✓ The IDENTIFIED clause lets you indicate how Oracle Database authenticates the user.
BY password
✓ The BY password clause lets you creates a local user and indicates that the user must
specify password to log on to the database. Passwords are case sensitive. Any
subsequent CONNECT string used to connect this user to the database must specify the
password using the same case (upper, lower, or mixed) that is used in
this CREATE USER statement or a subsequent ALTER USER statement. Passwords can
contain any single-byte, multibyte, or special characters, or any combination of these,
from your database character set
EXTERNALLY Clause
✓ Specify EXTERNALLY to create an external user. Such a user must be authenticated by
an external service, such as an operating system or a third-party service. In this case,
Oracle Database relies on authentication by the operating system or third-party service to
ensure that a specific external user has access to a specific database user.

Creating users …
AS 'certificate_DN'
✓ This clause is required for and used for SSL-authenticated external users only.
The certificate_DN is the distinguished name in the user's PKI certificate in the
user's wallet.
GLOBALLY Clause
✓ The GLOBALLY clause lets you create a global user. Such a user must be
authorized by the enterprise directory service (Oracle Internet Directory).
DEFAULT TABLESPACE Clause
✓ Specify the default tablespace for objects that the user creates. If you omit this
clause, then the user's objects are stored in the database default tablespace. If no
default tablespace has been specified for the database, then the user's objects are
stored in the SYSTEM tablespace.
✓ Restriction on Default Tablespaces You cannot specify a locally managed
temporary tablespace, including an undo tablespace, or a dictionary-managed
temporary tablespace, as a user's default tablespace.

Creating users …
TEMPORARY TABLESPACE Clause
✓ Specify the tablespace or tablespace group for the user's temporary segments. If you omit this
clause, then the user's temporary segments are stored in the database default temporary
tablespace or, if none has been specified, in the SYSTEM tablespace.
✓ Specify tablespace to indicate the user's temporary tablespace.
✓ Specify tablespace_group_name to indicate that the user can save temporary segments in any
tablespace in the tablespace group specified by tablespace_group_name.
✓ Restrictions on Temporary Tablespace
▪ This clause is subject to the following restrictions:
▪ The tablespace must be a temporary tablespace and must have a standard block size.
▪ The tablespace cannot be an undo tablespace or a tablespace with automatic segment-
space management.

Creating users …
✓ QUOTA Clause
▪ Use the QUOTA clause to specify the maximum amount of space the user can
allocate in the tablespace.
▪ A CREATE USER statement can have multiple QUOTA clauses for multiple
tablespaces.
▪ UNLIMITED lets the user allocate space in the tablespace without bound.
▪ Restriction on the QUOTA Clause You cannot specify this clause for a
temporary tablespace.
✓ PASSWORD EXPIRE Clause
▪ Specify PASSWORD EXPIRE if you want the user's password to expire. This
setting forces the user or the DBA to change the password before the user can
log in to the database.
✓ ACCOUNT Clause
▪ Specify ACCOUNT LOCK to lock the user's account and disable access.
Specify ACCOUNT UNLOCK to unlock the user's account and enable access to
the account.

Creating users …
✓ The following create user statement implements the creation of
user called bmnantha
SQL> CREATE USER bmnantha IDENTIFIED BY bmnantha23
2 DEFAULT TABLESPACE users
3 TEMPORARY TABLESPACE temp
4 QUOTA 25M ON users
5 PROFILE default
6 PASSWORD EXPIRE
7 ACCOUNT UNLOCK
8 /
User created
✓ Once the user is created you can modify a user account with an
ALTER USER statement using clause listed in the previous
example

DBA_USERS View
✓ DBA_USERS describes all users of the database.
Column Datatype NULL Description
USER
NAME
VARCHAR2(30) NOT NULL Name of the user
USER_ID NUMBER NOT NULL ID number of the user
PASSWORD VARCHAR2(30) This column is deprecated in favor of
the AUTHENTICATION_TYPE column
ACCOUNT_
STATUS
VARCHAR2(32) NOT NULL Account status:
✓ OPEN
✓ EXPIRED
✓ EXPIRED(GRACE)
✓ LOCKED(TIMED)
✓ LOCKED
✓ EXPIRED & LOCKED(TIMED)
✓ EXPIRED(GRACE) & LOCKED(TIMED)
✓ EXPIRED & LOCKED
✓ EXPIRED(GRACE) & LOCKED

DBA_USERS View …
LOCK_DATE DATE Date the account was locked if account
status was LOCKED
EXPIRY_DATE DATE Date of expiration of the account
DEFAULT_
TABLESPACE
VARCHAR2(30) NOT NULL Default tablespace for data
TEMPORARY_
TABLESPACE
VARCHAR2(30) NOT NULL Name of the default tablespace for
temporary tables or the name of a
tablespace group
CREATED DATE NOT NULL User creation date
PROFILE VARCHAR2(30) NOT NULL User resource profile name
INITIAL_RSRC
_CONSUMER_
GROUP
VARCHAR2(30) Initial resource consumer group for the user

DBA_USERS View …
EXTERNAL_
NAME
VARCHAR2(4000) User external name
PASSWORD_
VERSIONS
VARCHAR2(8) Database version in which the password was
created or changed
EDITIONS_
ENABLED
VARCHAR2(1) Indicates whether editions have been enabled
for the corresponding user (Y) or not (N)
AUTHENTICATI
ON_TYPE
VARCHAR2(8) Indicates the authentication mechanism for the
user:
✓ EXTERNAL - CREATE
USER user1 IDENTIFIED EXTERNALLY;
✓ GLOBAL - CREATE
USER user2 IDENTIFIED GLOBALLY;
✓ PASSWORD - CREATE
USER user3 IDENTIFIED BY user3;

Creating a SQL Server User
✓ To create a login id in SQL server can be member of SYSTEMADMIN OR
SECURITYADMIN
✓ There are two types of login IDs:
▪ Windows Integrated (Trusted) Logins
▪ User can associate a Microsoft Windows account or group with
either the server in which SQL Server is installed or the domain in
which the server is a member
▪ SQL Server Login

Creating a SQL Server User …
Creating Windows integrated Logins
✓ From the command Line
To create a new login associated with a Window account (Windows Integrated) , in the
Query Analyser tool use the SP_GRANTLOGIN system Procedure .
✓ The syntax is as follows:
✓ The login syntax is the fully qualified name of the Windows user account
in the form of machine_nameuser_name for local Windows users.
✓ domainusername for Windows domain accounts.
✓ Windows integrated login can also be associated can also be associated
with windows groups on either the local server or domain
sp_grantlogin [@login =] ‘login’

exec sp_grantlogin ‘myserverbmnantha’
exec sp_grantlogin ‘mydomainmanish’
exec sp_grantlogin ‘myserversql_dba
Creating a SQL Server User …
For example,
✓ If you have a local windows account named ‘bmnantha’ on the SQL Server itself
where the server name is myserver, you enter the following
✓ For windows domain account named ‘manish’ in the mydomain, you are entering
the following
✓ To associate local windows group called SQL_DBA , you are entering
✓ NOTE : A login must be between 1 to 128 characters in length and cannot contain
any spaces.

Creating a SQL Server User from Enterprise Manager
To create a new login associated with a Windows account (Windows Integrated) in Enterprise Manager,
take the following steps
1. Open Enterprise Manager

SQL Serve Login …
2. Expand the server group in which your server is functioning
3. Expand the server you want to create the login for
4. Expand the security container
5. Click Logins
6. On the menu bar , click action , then click new login

SQL Serve Login …
7. Type the name of user
8. Depending on the type of Windows account you are creating , select either
the local server name or the domain name from the domain drop-down
list. Enterprise Manager automatically fills in
the machine or domain name in front of the username
9. Select the default database for the login from the Database drop-down list.
10. Select the default language for the login from the language drop-down list.

SQL Serve Login …
11. Click OK

SQL Serve Login …
sp_addlogin [@loginame = ] ‘login’
[ , [ @passwrd = ] ‘password’ ]
[ , [ @dbdef=] ‘database’]
[ , [ @deflanguage = ] ‘language’]
[ , [ @sid =] sid]
[ , [ @encryptopt =] ‘encryption_opotion’]
✓ The second type of login is a SQL Server Login, sometimes called a SQL Server
active login.
✓ This login associated with a windows account, instead , it is a security account
created within SQL Server itself.
✓ Creating SQL Server Logins from command line
▪ To create a SQL Server login from the Query analyzer , you use the
SP_ADDLOGIN system stored procedure.
▪ The syntax is as follows :
@loginame – choose for the login
@dbdef – Name of the default database for the user, The default is NULL
@deflanguage – The default language for the user.
The default is the current default language of the SQL Server Instance
@sid – Security Identification Number (SID).
The default is NULL, if it is NULL SQL Server
automatically generates SID for the login
@encryptopt – Specifies weather or not to encrypt the password in the database

SQL Serve Login …
exec sp_addlogin ‘bmnantha’ , ‘manish’
exec sp_addlogin ‘bmnantha’, ‘manish’, ‘Northwind’
For example
✓ To create a SQL Server login named ‘bmnantha’ with password ‘manish’
you issue the following command
✓ To specify a default database of Northwind for bmnantha, enter the
following

SQL Serve Login …
From Enterprise Manager
To create a new SQL Server login in Enterprise Manager , follow these steps
2. Expand the server group your is in
3. Expand the server you want to create the login for.
4. Expand the Security container
5. Click Logins
6. On the menu bar , Click Action, then click New Login
7. Type the name of the user, in this case , bmnantha
8. Click the SQL Server Authentication option button
9. Provide a password for the user in the password textbox. The password is marked as
you type
10. Click OK

SQL Serve Login …
The following figure gives the Server login properties – new login screen
(Latest Version)

Removing Users
✓ Removing an ORACLE User
SQL > DROP USER SCOTT;
User Dropped
✓ If the user does not have any objects , the command is successfully executed. If the user own
any objects CASECADE option should be used
SQL> DROP USER SCOTT CASCADE;
User Dropped
✓ SQL Server: Removing Windows Integrated Logins
From the command Line : Use the SP_DENYLOGIN system procedures
sp_denylogin [ @loginame = ] ‘login’
✓ The following statement drop the login account bmnantha.
exec sp_denylogin ‘myserverbmnantha’
✓ From the Enterprise Manager
To drop the login in Enterprise Manager simply highlight the desired login and choose delete
from the action menu

Modifying Users
The existing user account can be changed such as password, database,
tablespace, quota, password profile, account by the DBA
✓ Modifying an ORACLE User
SQL > ALTER USER SCOTT IDENTIFIED BY LION;
User Altered
✓ SQL Server : Modifying Windows Integrated Login Attributes
✓ From the Command Line
The default database for the user initially set to master, to change the
database SP_DEFAULTDB system stored procedure is used.
sp_default [ @loginame = ] ‘login’ ,
[ @defdb =] ‘database’
✓ To change the default database to the login mydomainbmnantha , issue the
following statement
exec sp_defaultdb ‘mydomain bmnantha’ ,’Northwind’

Default Users
✓ ORACLE default users, will be created at the time of ORACLE software
installation
▪ SYS (Super user will all DBA rights , can’t be changed)
▪ SYSTEM (With Minimal DBA rights
▪ SCOTT (User without DBA rights)
✓ SQL server default users, will be created at the time of SQL Server
software installation
▪ SA ( System Administrator , It is equivalent to SYS in Oracle and can’t be
changed)
▪ BUILT-INAdministrators ( Associated with the local administrators’ group
on the Windows server)

Remote Users
✓ All the DB user accounts are created and stored in the DB regardless of
whether they are connected locally or remotely.
✓ When a user logs on to the DB through the machine where the DB is
located , called as Local user.
✓ When a user logs on to the DB through the machine where the DB is
not located , called as remote user.
✓ ORACLE10g , remote users can be authenticated by the OS provided
the REMOTE_OS_AUTHENT initialization parameter is set to TRUE.
If the parameter is set to FALSE , user can’t login from remote.
✓ SQL Server does not support this type of remote user authentication.

Database Links
DB2
DB LINK
✓ It is a connection from one DB to another DB
✓ The linked DBs can be like
▪ Both be ORACLE10g
▪ Both be SQL Server
▪ Mix of ORACLE10g and SQL Server
✓ A DB link enables a user to perform Data Manipulation Language (DML) or
any other valid SQL statements on a DB.
✓ The following figure gives the architecture of DB Link
✓ In Oracle 10g ,DB Links can be created in two ways as
1. Public – Which makes the database links accessible by every user in DB
2.Private – Which gives the ownership of the database to a user
The DB is not accessible by any other user unless the user has
been access by the owner
DB1

Database Links …
SQL > CONNECT SYSTEM@DB1
Enter password: ******
Connected
SQL > CREATE PUBLIC DATABASE LINK DB2
2 CONNECT TO CURRENT_USER
3 USING ‘DB2’
4 /
Database link created
Authentication Methods
✓ Authentication methods for connecting ORACLE10g DB using DB link
mechanism.
✓ There are three types of authentication methods when creating a DB link.
✓ Authentication Method 1: CURRENT USER
▪ This authentication method orders ORACLE10g to use the current user
credentials for authentication to the DB to which the user is trying to link.

Database Links …
2 CONNECT TO SCOTT IDENTIFIED BY TIGER
3 USING ‘DB2’
4 /
✓ Authentication Method 2: FIXED USER
This authentication method orders ORACLE10g to use the user
password provided in this clause for authentication to the DB to
which the user is trying to link.

Database Links …
2 USING ‘DB2’
3 /
✓ Authentication Method 3: CONNECT USER
This authentication method orders ORACLE10g to use
credentials of the connected user who has an existing account in
the database to which the user is trying to link.

Linked Servers
Server manish
Server bmnantha
Linked Server
✓ Linked serves allow you to connect to almost any object Linking
Embedding Database (OLEDB) or Open Database Connectivity .
✓ Microsoft SQL Server 2000 also uses the concept of linked serves.
✓ OLEDB is a Microsoft component that allows Windows applications to
connect and access different database systems.
✓ ODBC is a Microsoft protocol used for connecting Windows
applications to different DB systems
✓ The following figure represents the Linked server architecture using SQL
Server

Linked Server …
Creating a new linked server with SQL Server

Remote Servers
✓ Along the same line as Linked Servers , you can communicate with
another SQL server by creating remote server
✓ Instead of using OLEDB , communications occurs across a Remote
Procedure Call (RPC)

Best Practices for Administrators and Managers
✓ The DBA job is never ending and very challenging
✓ DBA is constantly performing other administrative tasks such as backup,
recovery and performance tuning.
✓ To make wise decisions DBA have the sizable responsibility of keeping up
with database practices, database technology and database security issues.
✓ These are the best practices for administrating users, privileges , and roles.
▪ Follow you company ‘s procedures and policies to create , remove or modify
database users.
▪ Always change the default password and never write it, or save it in a file that
neither encrypted nor safe.
▪ Never share the user accounts with anyone , especially DBA accounts.
▪ Always document and create logs for changes to removals of database user
accounts.

Best Practices for Administrators and
Managers …
✓ These are the best practices for administrating users, privileges , and
roles…
▪ Never remove an account even if it is out dated, Instead disable or revoke
connections privileges of the account.
▪ Give access permission to users only as required and use different logins
and passwords for different applications.
▪ Educate users, developers and administrators on user administration best
practices as well as the company policies and procedures.
▪ Keep abreast (up-to date) of database and security technology. Should be
aware of all new vulnerabilities that may increase database security risks.
▪ Constantly review and modify the procedures as necessary to be in line up
with the company’s policies and procedures. Keep procedures up to date
with the dynamic nature of database and security technology

Profiles, Password Policies, Privileges and
Roles
Introduction
✓ The key to the house is the password
✓ Put the scenario into the context of computer passwords.
✓ For home security , in addition to changing the key , you might install an
alarm, , motion detector, camera, etc.,
✓ A company’s user accounts should have equal protection.
✓ The company needs to protect its assets and enforce stringent (strict,
precise, and exacting) guidelines to protect the keys to computer accounts.
✓ This key is the password

Defining and Using Profiles
• A profile is a security concept that describes the limitation of database
resources that are granted database uses.
• A profile is a way of defining database user behaviour to prevent users
from wasting resources such as memory and CPU consumption
• For this reason some DBMSs have implemented the profile concept.
• Not every DBMS offers profile concept.
• ORACLE does and Microsoft SQL Server 2000 doesn’t.

Defining and Using Profiles…
RESOURCES
PASSWORD
PROFILE
✓ Creating Profiles in ORACLE
✓ A profile in ORACLE helps define two elements of Security
✓ Restrictions on Resources
✓ Implementation of password policy
✓ The following figure shows the two aspects of a profile in ORACLE
Aging
Usage
Verification
CPU
Memory
Connections

ORACLE allows you to create a profiles using the CREATE PROFILE
statement. The full syntax of the statement follows
Create profile
Resource parameters Password parameters

Resource Limits
Password Limits
CREATE PROFILE Profile_name
LIMIT
SESSIONS_PER_USER number
CPU_PER_SESSION hunderth of seconds
CPU_PER_CALL hunderth of seconds
CONNECT_TIME UNLIMITED minutes
IDLE_TIME minutes
LOGICAL_READS_PER_SESSION DEFAULT db_blocks
LOGICAL_READS_PER_CALL DEFAULT db blocks
COMPOSITE_LIMIT DEFAULT number
PRIVATE_SGA bytes
FAILED_LOGIN_ATTEMPTS number
PASSWORD_LIFE_TIME days
PASSWORD_REUSE_TIME number
PASSWORD_REUSE_MAX number
PASSWORD_LOCK_TIME days
PASSWORD_GRACE_TIME days
PASSWORD_VERIFY_FUNCTION function_name;

✓ In this syntax:
▪ First, specify the name of the profile that you want to create.
▪ Second, specify the LIMIT on either database resources or password
✓ Resource Parameters
▪ SESSIONS_PER_USER – specify the number of concurrent sessions that a user can have when
connecting to the Oracle database.
▪ CPU_PER_SESSION – specify the CPU time limit for a user session, represented in hundredth of
seconds.
▪ CPU_PER_CALL – specify the CPU time limit for a call such as a parse, execute, or fetch,
expressed in hundredths of seconds.
▪ CONNECT_TIME – specify the total elapsed time limit for a user session, expressed in minutes.
▪ IDLE_TIME – specify the number of minutes allowed periods of continuous inactive time during a
user session. Note that the long-running queries and other operations will not subject to this
limit.
▪ LOGICAL_READS_PER_SESSION – specify the allowed number of data blocks read in a user
session, including blocks read from both memory and disk.
▪ LOGICAL_READS_PER_CALL – specify the allowed number of data blocks read for a call to
process a SQL statement.
▪ PRIVATE_SGA – specify the amount of private memory space that a session can allocate in the
shared pool of the system global area (SGA).
▪ COMPOSITE_LIMIT – specify the total resource cost for a session, expressed in service units. The
total service units are calculated as a weighted sum of
of CPU_PER_SESSION CONNECT_TIME, LOGICAL_READS_PER_SESSION,

✓ Password_parameters
▪ You use the following clauses to set the limits for password parameters:
▪ FAILED_LOGIN_ATTEMPTS – Specify the number of consecutive failed login attempts
before the user is locked. The default is 10 times.
▪ PASSWORD_LIFE_TIME – specify the number of days that a user can use the same
password for authentication. The default value is 180 days.
▪ PASSWORD_REUSE_TIME – specify the number of days before a user can reuse a
password.
▪ PASSWORD_REUSE_MAX – specify the number of password changes required before
the current password can be reused. Note that you must set values for
both PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX parameters make
these parameters take effect.
▪ PASSWORD_LOCK_TIME – specify the number of days that Oracle will lock an
account after a specified number of a consecutive failed login. The default is 1 day if you
omit this clause.
▪ PASSWORD_GRACE_TIME – specify the number of days after the grace period starts
during which a warning is issued and login is allowed. The default is 7 days when you
omit this clause.
✓ Note that to create a new profile, your user needs to have the CREATE PROFILE system
privilege.

Setting Profile Resource Limits: Example The following statement
creates the profile app_user:
SQL> CREATE PROFILE app_user
2 LIMIT
3 SESSIONS_PER_USER UNLIMITED
4 CPU_PER_SESSION UNLIMITED
5 CPU_PER_CALL 3000
6 CONNECT_TIME 45
7 IDLE_TIME 15
8 LOGICAL_READS_PER_SESSION DEFAULT
9 LOGICAL_READS_PER_CALL 1000
10 PRIVATE_SGA 15K
11 COMPOSITE_LIMIT 5000000;
12 /
Profile created

✓ To view all profiles created in the database , query the data dictionary view,
DBA_PROFILES
SQL> select * from dba_profiles where profile = 'DEFAULT';
PROFILE RESOURCE_NAME RESOURCE_TYPE LIMIT
DEFAULT COMPOSITE_LIMIT KERNEL UNLIMITED
DEFAULT SESSIONS_PER_USER KERNEL UNLIMITED
DEFAULT CPU_PER_SESSION KERNEL UNLIMITED
DEFAULT CPU_PER_CALL KERNEL UNLIMITED
DEFAULT LOGICAL_READS_PER_SESSION KERNEL UNLIMITED
DEFAULT LOGICAL_READS_PER_CALL KERNEL UNLIMITED
DEFAULT IDLE_TIME KERNEL UNLIMITED
DEFAULT CONNECT_TIME KERNEL UNLIMITED
DEFAULT PRIVATE_SGA KERNEL UNLIMITED
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD UNLIMITED
DEFAULT PASSWORD_LIFE_TIME PASSWORD UNLIMITED
DEFAULT PASSWORD_REUSE_TIME PASSWORD UNLIMITED
DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED
DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL
DEFAULT PASSWORD_LOCK_TIME PASSWORD UNLIMITED
DEFAULT PASSWORD_GRACE_TIME PASSWORD UNLIMITED
16 rows selected.

✓ To Modify a limit for profile , you use ALTER PROFILE as follows
SQL> ALTER PROFILE APP_USER
2 LIMIT IDLE_TIME 30;
Profile altered
✓ To assign a profile , use ALTER USER as follows
SQL> ALTER USER BMNANTHA PROFILE APP_USER
2 /
User altered
✓ In SQL Server 2000 or 2005 profiles of similar objects are not available

Designing and Implementing password policies
✓ Password is key to opening the user account.
✓ The stronger the password, the longer it takes a hacker to break it.
✓ Many hackers security violations begin with breaking password.
✓ If you joining any financial company the orientation program on
security administration including password selection, password
storage, and the company’s policies on password.

Designing and Implementing password policies …
✓ Password policy is a set of guidelines that enhances the
robustness of the password and reduces the likelihood of its
being broken
✓ Importance of Password Policies
▪ The frontline defence of your account is your password.
▪ If your password is weak, the hacker can break in, destroy your
data, and violate your sense of security .
▪ For this specific reason, most of the companies invest
considerable resources to strengthen authentication by adopting
technological measures that protect their assets.

Designing password policies
✓ Most companies use a standard set of guidelines for their password policies
✓ These guidelines can comprise one or more of the following
✓ Password Complexity – A set of guidelines used when selecting
password, for example minimum 8
characters, 1 special character, 1 Capital
letter, etc.,
The purpose of password complexity is to
decrease the chances of a hacker guessing or
breaking a password.
✓ Password Aging – Indication of how long the password
can be used before it expires
✓ Password usage – Indication of how many times the same
password can be used
✓ Password storage – A method of storing a password in an
encrypted manner

✓ Implementing Password Policies
✓ How to implement password policy depends on whether or not DBMS provides
functions that support password security
✓ ORACLE has invested heavily in providing mechanism to enforce security ,
including implementation of password policies.
✓ Whereas a Microsoft SQL Server depends on the OS to implement password
policies.

✓ Password Policies in ORACLE
CREATE PROFILE PASSWORD _POLICY
LIMIT
{ {
|PASSWORD_LIFE_TIME 365
|PASSWORD_GRACE_TIME 10
|PASSWORD_REUSE_TIME UNLIMITED
|PASSWORD_REUSE_MAX 0
|FAILED_LOGIN_ATTEMPTS 3
|PASSWORD_LOCK_TIME UNLIMITED;
}
{ expr | UNLIMITED | DEFAULT }
|PASSWORD_VERYFY_FUNCTION
{function | NULL | DEFAULT }
}

✓ Oracle password security profile parameters
✓ Here are the password security parameters:
▪ failed_login_attempts - This is the number of failed login attempts before locking the
Oracle user account. The default in 11g is 10 failed attempts.
▪ password_grace_time - This is the grace period after the password_life_time limit is
exceeded.
▪ password_life_time - This is how long an existing password is valid. The default in
11g forces a password change every 180 days.
▪ password_lock_time - This is the number of days that must pass after an account is
locked before it is unlocked. It specifies how long to lock the
account after the failed login attempts is met. The default in 11g
is one day.
▪ password_reuse_max - This is the number of times that you may reuse a password and
is intended to prevent repeating password cycles (north, south,
east, west).
▪ password_reuse_time - This parameter specifies a time limit before a previous
password can be re-entered. To allow unlimited use of
previously used passwords, set password_reuse_time to
UNLIMITED.
▪ password_verify_function - This allows you to specify the name of a custom password
verification function.

✓ Profile creation using ORACLE Enterprise Manager Security Tools

Password Policies in SQL Server
✓ Microsoft SQL Server 2000 as a stand-alone product, does not provide for password policy
enforcement when logging on a SQL Server
✓ Microsoft architecture follows a model known as an Integrated Server System.
✓ In this method all the server applications and the resources they provide are tightly
integrated with the Windows server system and its security architecture.
✓ Password policy enforcement in a SQL Server environment handled by implementing SQL
server in Windows authentication mode and applying polices within the Windows Server
System
✓ There are two authentication protocols supported by Windows
▪ NTLM (Network LAN Manager)
▪ Kerberos 5

NTLM
✓ NTLM authenticates using a challenge / response methodology
✓ When the user attempt to access a resource , the server hosting the
resource “challenges” , user to prove his / her identity.
✓ User then issue a “response” to that challenge
✓ If the response is correct then the user is authenticated to the server.
✓ The server goes through an authorization process for the requested
resource.

Workstation Server
Message 1
Message 2
Message 3
✓ Authentication process consists of three messages
✓ Message 1 : Sent from the client to the server and is the initial request for authentication
✓ Message 2 : Sent from the server to client, contains challenge ( Eight bytes of Random
Data)
✓ Message 3 : Sent from client to server , contains response to the challenge
✓ The response is a 24-byte DES encrypted hash of the 8 byte challenge that can be decrypted
only by a set of DES keys created using the user’s password.
✓ The benefit to NTLM is that password are verified without ever actually sending the
password across the Web

Kerberos
✓ Kerberos authentication differs from NTLM in many ways.
✓ Instead of using password encrypt / decrypt challenge / response messages, a secret key,
known only to the server and client and also unique to the session, used to encrypt the
handshake data.
✓ This allows not only for the server to validate the authenticity of client , but for the client
to validate the authenticity of the server.
✓ This is an important difference and is one the reason Kerberos is more secure than NTLM
✓ Kerberos authentication requires a trusted third resource known as Key Distribution
Center (KDC).
✓ The KDC generates the secret key for each session established.
✓ The new session ticket , containing the new key, has a time-out value associated with it.

✓ Once the secret key is obtained from the KDC
▪ The client encrypts its request for a resource with the secret key.
▪ The server decrypts the message using the same key, decrypts just
on time stamp on the message and send back to client.
▪ This tells the server and the client has the same key for the session
which is established.

Workstation Server
Clients wants to access a Server
KDC issues key : Kclient {Scs for Server} , ticket = Kserver {Scs for Client}
KDC generates a key and issues a session ticket to the client
Workstation Server
Scs { Client Credentials , time}, ticket = Kserver { Scs for Client }
Scs { time }
Client sends authentication proof to the server
The following figures explain the authentication process in Kerberos

Granting and Revoking User Privileges
✓ Privilege is a method to permit or deny access to data or to perform
database operations (Data Manipulation)
✓ Privileges in ORACLE
▪ System Privileges – Privileges granted only by DBA or users who have
been granted the administration option.
▪ Object Privileges – Privileges granted to an ORACLE user by the scheme
owner of a database object or a user who has been
granted the GRANT option.

Granting and Revoking User Privileges …
✓ Object Privileges:
All DML are come
into object privileges
▪ INSERT
▪ UPDATE
▪ DELETE
▪ SELECT
▪ INDEX
▪ REFERENCES
✓ System Privileges :
There are more than 100
system privileges in
ORACLE , these are some
important frequently used
privileges
▪
▪
▪
▪
▪
▪
▪
▪
▪
▪
▪
▪
▪
▪
CREATE USER
CREATE SESSION
CREATE ROLE
CREATE PROCEDURE
CREATE TRIGGER
CREATE TABLESPACE
CREATE TYPE
CREATE DATABASE LINK
CREATE TABLE
CREATE VIEW
CREATE SEQUENCE
DROP VIEW
DROP USER
DRO P TABLE

SQL GRANT Command
SQL GRANT is a command used to provide access or privileges on
the database objects to the users.
✓ The Syntax for the GRANT command is:
GRANT privilege_name ON object_name TO {user_name |PUBLIC
|role_name} [WITH GRANT OPTION];
✓ privilege_name is the access right or privilege granted to the user. Some of the access
rights are ALL, EXECUTE, and SELECT.
✓ object_name is the name of an database object like TABLE, VIEW, STORED PROC and
SEQUENCE.
✓ user_name is the name of the user to whom an access right is being granted.
✓ PUBLIC is used to grant access rights to all users.
✓ ROLES are a set of privileges grouped together.
✓ WITH GRANT OPTION - allows a user to grant access rights to other users.
Eaxmple :
SQL > Grant select on emp to bmnantha;
Grant succeeded
The schema owner of emp object gave select privilege to user bmnantha

SQL REVOKE Command:
The REVOKE command removes user access rights or privileges to the
database objects.
✓ The Syntax for the REVOKE command is:
REVOKE privilege_name ON object_name
FROM {user_name |PUBLIC |role_name}
✓ Example :
SQL > Revoke select on emp from bmnantha;
Revoke succeeded
The schema owner of emp object get back the select privilege to user
bmnantha

Privileges in SQL Server
✓ SQL Server has four levels of permissions
▪ System or Server level
▪ Database level
▪ Table (Object) level
▪ Column level
✓ Note : It is important to note that having server or database level permission
doesn’t mean you have access to subordinate objects.

Server Privileges
✓ Sysadmin – Can perform any function within the system
✓ Serveradmin – Can perform certain server-level functions.
✓ Setupadmin – Can manage linked servers and startup procedures
✓ Securityadmin – Can manage logons, change passwords
✓ Processadmin – Can manage processes running
✓ Dbcreator – Create, Alter and Drop Databases
✓ Diskadmin – Can manage the disk files for the server and database
✓ Bulkadmin – Can insert bulk insert operations

Database Privileges – Fixed Database Roles
✓ db_owner – Have complete access to the database
✓ db_accessadmin – Can add or remove users
✓ db_securityadmin – Can change all permissions, object ownership, roles and role
membership
✓ db_ddladmin – Can execute all DDL statements
✓ db_backupoperator – Can execute DBCC statements ( DBCC is a SQL Server tool
used for DB performance)
✓ db_datareader – Can issue SELECT and READTEXT statements
✓ db_datawriter – Can issue INSERT, UPDATE, DELETE and UPDATENEXT
statements
✓ db_denydatareader – Explicitly denied SELECT and READTEXT statements
✓ db_denydatawriter – Explicitly denied INSERT, UPDATE, DELETE and
UPDATENEXT statements

Database Privileges – Statement permissions
✓ CREATE TABLE
✓ CREATE VIEW
✓ CREATE PROCEDURE
✓ CREATE FUNCTION
✓ CREATE DEFAULT
✓ CREATE ROLE
✓ BACKUP DATABASE
✓ BACKUP LOG

Table and Database Objects privileges and Column level privileges
✓ Same as ORACLE Grant and Revoke command.
✓ Refer Slide numbers : 68 and 69

Creating , Assigning and Revoking User Roles
Creating role with ORACLE
✓ NOT IDENTIFIED Clause - Specify NOT IDENTIFIED to indicate that this role is
authorized by the database and that no password is
required to enable the role.
✓ IDENTIFIED Clause - Use the IDENTIFIED clause to indicate that a user must be
authorized by the specified method before the role is
enabled with the SET ROLE statement.

CREATE ROLE dw_manager;
CREATE ROLE dw_manager IDENTIFIED BY warehouse;
CREATE ROLE warehouse_user IDENTIFIED GLOBALLY;
CREATE ROLE warehouse_user IDENTIFIED EXTERNALLY;
Creating , Assigning and Revoking User Roles …
Creating role with ORACLE – Example
✓ The following statement creates the role dw_manager:
▪ Users who are subsequently granted the dw_manager role will inherit all of the
privileges that have been granted to this role.
✓ You can add a layer of security to roles by specifying a password, as in the following
example:
▪ Users who are subsequently granted the dw_manager role must specify the
password warehouse to enable the role with the SET ROLE statement.
✓ The following statement creates global role warehouse_user:
✓ The following statement creates the same role as an external role:

SQL > GRANT CREATE SESSION TO dw_manager;
Grant succeeded
SQL > GRANT dw_manager to bm_nantha;
Grant succeeded
Assigning Role to User in ORACLE - Example
✓ To assign privileges to role issue the following statement
✓ To assign a role to a user (Ex: bm_nantha) issue the following
statement

sp_addrole [ @rolename = ] ‘role’ [ , [ @ownername = ] ‘owner’ ]
use northwind
exec sp_addrole ‘sales’
exec sp_addrolemember ‘sales’ , ‘bm_nantha’
Create Roles with SQL Server
✓ To create a new database role using Query Analyzer , execute the
SP_ADDROLE system stored procedure
@rolename – The name of the new role
@ownername – The owner of new role , default is dbo
✓ To add the role of “sales” to the database Northwind
✓ To add the user bm_nantha to the role sales

DROP ROLE dw_manager;
use northwind
exec sp_droprolemember ‘sales’ , ‘jason’
Dropping a Role in ORACLE
✓ Example : To drop the role dw_manager, issue the following statement
Dropping a Role in SQL Server
✓ Example : To drop the user ‘bm_nantha’ from the role sales, issue the following
statement

Creating , Assigning and Revoking User Roles
Best Practices
✓ Never store passwords in plain text, make sure it is encrypted
✓ Change passwords frequently
✓ Make sure the passwords are complex
✓ Pick password that you can remember
✓ Use roles to control administer privileges
✓ Should report the compromise or loss of password security
✓ Should report to security any violation of company guidelines like roles, profiles,
privileges, passwords, etc.,
✓ Never give / share the password
✓ Never give the password over the phone
✓ Never type your password in an e-mail
✓ Use Windows integrated security mode for securing SQL Server
✓ Use Kerberos
✓ When Configuring Policies:
Require complex passwords , Set an account lockout threshold Do not allow
passwords to automatically reset , Expire end-user passwords , Enforce password
history

References :
1) Hassan A. Afyouni, “Database Security and Auditing”, Third Edition,
Cengage Learning, 2009
2) Charu C. Aggarwal, Philip S Yu, “Privacy Preserving Data Mining”:
Models and Algorithms, Kluwer Academic Publishers, 2008
3) Ron Ben Natan, ”Implementing Database Security and Auditing”,
Elsevier Digital Press, 2005.
4) http://adrem.ua.ac.be/sites/adrem.ua.ac.be/files/securitybook.pdf
5) www.docs.oracle.com

UNIT III - Database Application Security Models &
Virtual Private Databases
✓ Introduction
✓ Types of Users
✓ Security Models
✓ Application Types
✓ Application Security Models
✓ Data Encryption
✓ Overview of VPD
✓ Implementation of VPD using Views
✓ Application Context in Oracle
✓ Implementing Oracle VPD
✓ Viewing VPD Policies and Application contexts using
Data Dictionary
✓ Policy Manager Implementing Row
✓ Column level Security with SQL Server

Introduction
✓ A Database user being used to log on ( be authenticated ) to an
application
✓ For each application user , a database account must be created and
assign specific privileges.
✓ Application
▪ A program that solves a problem or performs a specific business
function
✓ Database
▪ A collection of related data files used by an applications
✓ DBMS
▪ A collection of programs that maintain data files (Database)

Types of Users
✓ Application Administrator – Has application privileges to administer application
users and their roles ( do not require any special database privileges )
✓ Application owner – User who owns application tables and objects
✓ Application user – Perform tasks within the application
✓ DBA – Perform any administration tasks
✓ Database user- user account that has database roles and/or privileges assigned
to it
✓ Proxy user – User is employed to work on behalf of an application user
✓ Schema owner - User that owns database objects
✓ Virtual user – An account that has access to the database through another
database account; a virtual user is referred to in some cases as a proxy user

Security Models
✓ There are two security models
▪ Access Matrix Model
▪ Access Modes Model

Security Models…
✓ Access Matrix Model
▪ A conceptual model that specifies the right that each subject
– possesses for each object
▪ Subjects in rows and objects in columns
Object 1 Object 2 . . . Object m
Subject 1 Access
[S1,01]
Access
[S1,02]
. . . Access
[S1,0m]
Subject 2 Access
[S2,01]
Access
[S2,02]
. . . Access
[S2,0m]
.
.
.
.
.
.
.
.
.
.
.
.
Subject n Access
[Sn,01]
Access
[Sn,02]
. . . Access
[Sn,0m]

Security Models…
Access Matrix Model - Example

Security Models…
Access Modes Model
✓ This model based on the Take-Grant models
✓ It uses both subject and object
✓ Object is the main security entity
✓ Access mode indicates that the subject can perform any task or not
✓ There are two modes
▪ Static Modes
▪ Dynamic Modes

Security Models…
Access Modes – Static Modes
Access Mode Level Description
Use 1 Allows the subject to access the object without
modifying
Read 2 Allows the subject to read the content of the object
Update 3 Allows the subject to modify the content of the object
Create 4 Allows the subject to add instance to the object
Delete 4 Allows the subject to remove instance to the object

Security Models…
Access Modes – Dynamic Modes
Access Mode Level Description
Grant 1
Allows the subject to grant any static access mode to any
other subject
Revoke 1
Allows the subject to revoke a granted static access mode
from the subject
Delegate 2
Allows the subject to grant the grant privileges to other
subjects
Abrogate 2
Allows the subject to grant the revoke privileges to other
subjects

Application Types
✓ Mainframe applications
✓ Client / Server Applications
✓ Web Applications
✓ Data warehouse applications

Workstation Mainframe
Server
CODE
DB
Server
Application Types …
Mainframe applications
✓ Years back computing in corporations was centralized in the Management Information
System(MIS)
✓ MIS department is responsible for all information
✓ MIS mainly developed for Mainframe projects The following figure is Mainframe
application architecture

Client / Server Applications
✓ To overcome the limitations in MIS department the client / server architecture was
introduced
✓ It is based on a business model, client request and the server respond
✓ Client / Server architecture became a dominating configuration for all applications
▪ Flexible
▪ Scalable
▪ Processing power
✓ Three main components typically found in Client / Server architecture
▪ User interface component – Represents all screens, reports, etc.,
▪ Business logic component – Contains all the codes related to data
validations
▪ Data access component – Contains all the codes related to retrieves,
inserts, deletes and updates

CLIENT
Tier 5
Tier 4
Business
Logic
Tier 3
Business
Logic
Tier 2
User
Interface
Tier 1
SERVER
✓ A client / server application consists of minimum of two tiers .
✓ Normally four to five tiers is the maximum configuration
✓ The following figure represents the logical components of a client server architecture

Client Server
Business
Logic
DB
Server
Data
Access
User
Interface
✓ The following figure represents the physical architecture of a client/server
application
✓ The data access component of client server architecture is the component
responsible for retrieving and manipulating data.
✓ The security model should be embedded in this component.

CLIENT
Web Applications
✓ Client server application once dominated but not for long.
✓ Another architecture evolved with rise of dot-com and Web-based companies
✓ The new client / server architecture is based on the web and it is referred as a web
application or a Web-based application
✓ Web application uses HTTP protocol to connect and communicate to the server.
✓ Web pages are embedded with other web services.
✓ The following figure represents the logic components of Web application
architecture
Web browser layer Tier 1
Web server layer Tier 2
Application server layer Tier 3
Business logic layer Tier 4
Database server layer Tier 5
SERVER

Components of Web application
✓ Web browser layer - Atypical browser program that allows user to
navigate through web pages found on the internet.
✓ Web server layer – A software program residing on a computer
connected to Internet
✓ Application server layer - A software program residing on a computer that is
used for data processing
✓ Business logic layer – A software program that implements business rules
✓ Database server layer – A software program that stores and manages data

✓ The following figure shows a physical architecture that is typical for a
web-based application.
✓ In this architecture , each layer resides on a separate computer
✓ One or more web application layers could be housed on one computer
✓ The main reason for separating web application layers to reside on different
computers is to distribute the processing load
Server
Client
DB
Server
Internet
Business
Logic
Web
Server
Application
Server

Data Warehouse Applications
✓ DW is subject oriented , time variant, non volatile and integrated system.
✓ DWs are decision support system.
✓ DW is a collection of many types of data taken from different data sources.
✓ The architecture of these types of data warehousing applications is typically of
a database server on which the application resides.
✓ The DW is accessed by software applications or reporting applications called
OLAP ( OnLine Analytical Processing)

✓ The following figure shows the Physical and Logical structure of a data
warehouse
Server
Client Server
DB
Server
DB
Server
Transform
Data Application
Server
Server
Data
Warehouse
Database
DB
Server
Application
Data
Source

Application Security Models
✓ Database role based
✓ Application role based
✓ Application function based
✓ Application role and function based
✓ Application table based

Application Security Models …
Security Model based on Database Roles
✓ This model depends on the application to authenticate the application users
by maintaining an end users in a table with their encrypted passwords
✓ In this model each end user is assigned a database role
✓ The user can access whatever the privileges are assigned to the role
✓ In this model proxy user needed to activate assigned roles
✓ The following figure shows the data model for this application (Security data
model based on database roles)
APPLICATION USERS APPLICATION USERS ROLES
ROLE_NAME
CTL_INS_DTIM
CTL_UPD_DTIM
CTL_USER_USER
CTL_USER_STAT
APP_USER-ID (FK)
APP-USERNAME
APP_ENC_PASSWORD
FIRST_NAME
LAST_NAME
CTL_INS_DTIM
CTL_UPD_DTIM
CTL_UPD_USER
CTL_REC_STAT
APP_USER_ID

The following list presents the a brief description of these columns

Tables used in security data model based on database roles
TABLE NAME DESCRIPTION
APPLICATION_USERS
Stores and maintain all end users of the
applications with their encrypted
passwords
APPLICATIONS_USERS_ROLES
Contains all roles defined by the
application and for each role that a
privilege is assigned , the privileges can be
read, write or read/write

Authorization table
All application tables are owned
by schema owner including
authorization table
Architecture of a security data model based on database roles
Application
End User
Schema Owner
Proxy user has read access
to authorization table and
Is assigned to all application
roles
Application User with
no database privileges
Contains three columns:
Username, password and role

The following points on this type of security model are worth noting:
✓ This model uses the DB role functionality
✓ Therefore it is DB independent
✓ If the roles are implemented poorly , the model does not work properly
✓ Privileges to table are also DB dependent
✓ Can isolate the application security from the DB
✓ Maintenance of the application security does not require specific DB privileges
✓ Password must be surely encrypted
✓ The application must use proxy users to log on and connect to the application
database and activate specific roles for each database session

Implementation in ORACLE
1. Creating the users by entering the following code:
Creating Application Owner
SQL > CREATE USER APP_OWNER IDENTIFIED BY APP_OWNER
2 DEFAULT TABLESPACE USERS
3 TEMPORARY TABLESPACE TEMP
4 QUOTA UNLIMITED ON USERS;
User created
SQL> GRANT RESOURCE, CREATE SESSION TO APP_OWNER;
Grant succeeded
Creating Proxy User
SQL > CREATE USER APP_PROXY IDENTIFIED BY APP_PROXY
2 DEFAULT TABLESPACE USERS
3 TEMPORARY TABLESPACE TEMP;
User created
SQL> GRANT CREATE SESSION TO APP_PROXY;
Grant succeeded

Creating Application tables
SQL> CONN APP_OWNER@DB
Enter password : *********
Connected
SQL> CREATE TABLE CUSTOMERS
2 ( CUSTOMER_ID NUMBER PRIMARY KEY,
3 CUSTOMER_NAME VARCHAR2(50) );
Table created
SQL> CREATE TABLE AUTH_TABLE
2 ( APP_USER_ID NUMBER,
3 APP_USERNAME VARCHAR2(20),
4 APP_PASSWORD VARCHAR2(20),
5 APP_ROLE VARCHAR2(20) );
Table created

Creating Application Roles
SQL> CONNECT SYSTEM@DB
Enter password: *******
Connected
SQL> CREATE ROLE APP_MGR;
Role created
SQL> CREATE ROLE APP_SUP;
Role created
SQL> CREATE ROLE APP_CLERK;
Role created
SQL> GRANT APP_MGR, APP_SUP, APP_CLERK TO APP_PROXY;
Grant succeeded
SQL> ALTER USER “APP_PROX” DEFAULT ROLE NONE;
User altered

Assign grants
SQL> CONNECT APP_OWNER@DB
Connected
SQL> GRANT SELECT,INSERT,UPDATE,DELETE ON CUSTOMER TO APP_MGR;
Grant succeeded
SQL> GRANT SELECT,INSERT,UPDATE,DELETE ON CUSTOMER TO APP_SUP;
Grant succeeded
SQL> GRANT SELECTON CUSTOMER TO APP_CLREK;
Grant succeeded
SQL > GRANT SELECT ON AUTH_TABLE TO APP_PROXY;
Grant succeeded

2. Add rows to the CUSTOMER table
SQL> CONN APP_OWNER@DB
Connected
SQL> INSERT INTO CUSTOMERS VALUES (1, ‘Tom’);
1 row inserted
SQL> INSERT INTO CUSTOMERS VALUES (2, ‘Linda’);
1 row inserted
SQL> COMMIT
Commit complete

3. Add a row for an application user called APP_USER:
SQL> INSERT INTO AUTH_TABLE VALUES (100, ’APP_USER’
‘d323deq4fdfgdgg’, ‘APP_CLERK’);
1 row inserted
4. Now assume that APP_USER is trying to log in through PROXY_USER.
Your application should look up the role of the user by using the SELECT
statement and activating that role:
SQL> SELECT APP_ROLE FROM AUTH_TABLE WHERE APP_USERNAME =
‘APP_USER’;
APP_ROLE
APP_CLERK

5.Activate the role for this specific APP_USER session:
SQL> CONN APP_PROXYUSER
Enter password : **********
Connected
SQL> SET ROLE APP_CLERK;
Role set
SQL> SELECT * FROM SESSION_ROLES;
ROLE
APP_CLERK

Implementation in SQL Server
✓ In SQL Server 2000 you are using application roles.
✓ Application roles are the special roles you create in the database, that are then
activated at the time of authorization.
✓ Application roles requires a password and cannot contain members
✓ Application roles are inactive by default
✓ Application roles can be activated using the SP_SETAPPROLE , system stored
procedure

sp_addapprole [ @rolename = ] ‘role’, [@password =] ‘password’
exec sp_addapprole ‘clerk’, ‘Clerk@ccess’
Creating Application Roles using the command line
✓ To create an application role in the Query Analyzer, use the SP_ADDPROFILE
system-stored procedure
Where :
@rolename – The name of the application role ( The value must be a valid
identifier and cannot already exist in the database)
@password – The password required to activate the role. (SQL Server stores
the password as an encrypted hash)
Example :
To create the application role of clerk for your Pharmacy database , use this command

Creating Application Roles using SQL
Server Enterprise Manager
Follow the steps
2. Expand the Role container for your
Pharmacy database. Right click in the
right pane, the select New Database
Role
3. Type the name db_accessadmin in the
name box
4. Select Application Role under
Database role type
5. Enter password db@ccess in the text
box
6. Click OK to create the role.

sp_dropapprole [@rolename = ] ‘role’
Dropping application Roles using Command line
✓ To drop an application role , using the Query Analyzer ,use the
SP_DROPAPPROLE system-stored procedure
Where
@rolename – The Application role to drop.
Dropping application Roles using Enterprising Manager
✓ Follow the steps
2. Expand the roles container of the database from which you are dropping
the role
3. Select and Delete the desired role

APP_ROLE_NAME
APP_ROLE_DESCRIPTION
APP_ROLE_PRIVILEGE
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_ROLE_ID
Security Model based on Application Roles
✓ Depends on the application authenticate the application users.
✓ Authentication is accomplished by maintaining all end users in a table with their
encrypted passwords.
✓ Each end user is assigned an application role to read / write specific modules of
the applications.
✓ The following table contains the description of tables used for this model.
APPLICATION_USERS
APPLICATION USERS
APP_ROLE_ID (FK)
APP_USERNAME
APP_ENC_PASSWORD
FIRST_NAME
LAST_NAME
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_USER_ID

Authorization table
authorization table
Architecture of Security Model based on Application Roles
Application
End User
Schema Owner

Security Model based on Application Roles
✓ When considering this security model , keeps this point in mind
▪ This model is primitive and does not allow the flexibility required to make
changes necessary for security
▪ Privileges are limited to any combination like read, add, read / update /
admin and so on
✓ The following list presents characteristics of this security model
▪ Isolating the application security from the database
▪ Only one role is assigned to an application user
▪ This lowers the risk of database violations
▪ Passwords must be securely encrypted
▪ The application must use a real database user to log on and connect to the
application database

APP_FUNCTION_PRIVILEGE_OPERATION
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_FUNCTION_PRIVILEGE_ID
Security Model based on Application Functions
✓ Based on application functions depends on the application to authenticate the
application users
✓ Application divided into functions
✓ The following figure represents a data model for this type of application
APPLICATION_USERS APPLICATION_USERS_FUNCTIONS APPLICATION_FUNCTIONS
APPLICATION_FUNCTION_PRIVILEGE
APP_FUNCTION_NAME
APP_FUNCTION_DESCRIPTION
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_FUNCTION_ID
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_USER_ID (FK)
APP_FUNCTION_ID (FK)
APP_FUNCTION_PRIVILEGE_ID (FK)
APP_ROLE_ID (FK)
APP_USERNAME
APP_ENC_PASSWORD
FIRST_NAME
LAST_NAME
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_USER_ID

Application
End User
Schema Owner
Authorization
tables owned
by application
owner
authorization table
Architecture of Security Model based on Application Functions
Schema Owner

The following list presenting the characteristics of this security model
▪ Isolating the application security from the database
▪ Only one role is assigned to an application user
▪ This lowers the risk of database violations
▪ Passwords must be securely encrypted
▪ The application must use a real database user to log on and connect to the
application database
▪ The application must be designed in a granular module.

Security model based on Application Roles and Functions
✓ It is a combination of both the role and function security model
✓ Depends on the application to authenticate the application users
✓ The application authenticates users by maintaining all end users in a table with
their encrypted passwords
✓ Applications are divided into functions and roles are assigned to functions that
are in turn assigned to users.
✓ This model is highly flexible in implementing application security.

APP_USERNAME
APP_ENC_PASSWORD
FIRST_NAME
LAST_NAME
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_USER_ID
CTL_INS_DTIM
CTL_UPD_DTIM
CTL_USER_USER
CTL_USER_STAT
APP_USER-ID (FK)
APP_ROLE_ID (FK)
✓ The following figure represents a data model for Security Model Based
on Application showing the ER Diagram
APPLICATION_USERS
APPLICATION_FUNCTIONS
APPLICATION USERS ROLES
APPLICATION_ ROLE_FUNCTIONS
APPLICATION _ROLES
APPLICATION_FUNCTION_PRIVILEGE
APP_FUNCTION_PRIVILEGE_DESCRIPTION
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_FUNCTION_PRIVILEGE_ID
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_FUNCTION_ID (FK)
APP_ROLE_PRIVILEGE (FK)
APP_ROLE-ID (FK)
APP_FUNCTION_NAME
APP_FUNCTION_DESCRIPTION
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_FUNCTION_ID
APP_ROLE-ID
APP_ROLE_NAME
APP_ROLE_DESCRIPTION
APP_ROLE_PRIVILEGE
CTL_INS_DTIM
CTL_UPD_DTIM
CTL_USER_USER
CTL_USER_STAT

Contains columns for
Username, password , role
function and privilege
authorization table
✓ Architecture of a Security data model based on application roles and
function
Application
Schema Owner
Schema Owner
Authorization
table

✓ The following list presents the characteristics of security model based
on application roles and functions
▪ Provides utmost flexibility for implementing application security
▪ Isolate the application security from the database
▪ Maintenance of the application security does not require specific database
privileges
▪ Lowers the risk of database violations
▪ Password must be surely encrypted
▪ The application must be designed in a very granular fashion

APP_TABLE_PRIVILEGE_DESCRIPTION
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_TABLE_PREVILIGES_ID
Security Model Based on Application Tables
✓ Depends on application to authenticate users by maintaining all end users in a
table with their encrypted passwords
✓ All application provides privileges to the user based on tables
✓ User is assigned access privilege to each table owned by the application owner
✓ The following figure represents a data model for this security model
APPLICATION_USERS APPLICATION_USER_TABLES APPLICATION_TABLES
APPLICATION_TABLE_PRIVILEGES
APP_TABLE_NAME
APP_TABLE_DESCRIPTION
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_TABLE_ID
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_USER_ID (FK)
APP_TABLE_ID (FK)
APP_TABLE_PRIVILEGE_ID (FK)
APP_USERNAME
APP_ENC_PASSWORD
FIRST_NAME
LAST_NAME
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
APP_USER_ID

Schema Owner
authorization table
Authorization
table
Authorization table has four columns
Username, password , table and
accesss (0,1,2,3,4,5)
Application
Schema Owner
Architecture of a Security Model Based on Application Tables

✓ The following list presents the characteristics of security model based on
application tables
▪ Isolate the application security from the database
▪ Maintenance of the application security does not require specific database
privileges
▪ Lowers the risk of database violations
▪ Security is implemented easily by using table access privileges

Characteristics of Security Model
Security Model Database
Role
based
Application
Role based
Application
Function
Based
Applicatio
n Role and
Function
Based
Application
Table Based
Characteristics
Is flexible in implementing
application security No No No Yes No
Isolates application security
from the DB Yes Yes Yes Yes Yes
Maintenance of application
security does not require
specific DB privileges
No No No Yes No
Password must be securely
encrypted Yes Yes Yes Yes Yes
Uses real DB user to log on No Yes Yes Yes Yes
Is business-function specific
No No Yes Yes No

Data Encryption
✓ Encryption is a security method in which information is encoded in
such a way that only authorized user can read it.
✓ It uses encryption algorithm to generate ciphertext that can only be read
if decrypted.
✓ Types of Encryption
✓ There are two types of encryptions schemes as listed below:
▪ Symmetric Key encryption
▪ Public Key encryption

Data Encryption
✓ Symmetric key encryption algorithm uses same cryptographic keys for both
encryption and decryption of cipher text.
✓ Public key encryption algorithm uses pair of keys, one of which is a secret key and
one of which is public. These two keys are mathematically linked with each other.

✓ VPD (Virtual Private Database) is shared database schema containing data
that belongs to many users , and each user can view or manipulate
the data the user owns
User can only see and
modify data of deptno 20
Schema Owner
User can only see and
modify data of deptno 10

✓ Not every database system offers a mechanism to implement VPD with
out VIEW objects.
✓ ORACLE offered VPD in several versions before the release of 10G
✓ ORACLE uses two other names to refer VPDs
▪ Row Level Security (RLS)
▪ Fine Grain Access (FGA)

DBMS_RLS
Package
Submits
SELECT * FROM PRODUCTS
Architecture of Virtual Private Database
VPD policy automatically adds a
WHERE clause predicate Deptid = 20 Schema Owner
-----
------
-----
EMP Table
Query is rewritten to become
SELECT * FROM PRODUCTS
WHERE DEPTID = 20
Policy
Function

✓ Setup Test Environment
✓ Create an Application Context
✓ Create Login Trigger
✓ Create Security Policies
✓ Apply Security Policies to Tables
✓ Test VPD

Setup Test Environment
✓ First we must create a user to act as the schema owner for this example. Obviously,
you will perform the following tasks using your current schema owner.
CONNECT sys/password@service AS SYSDBA;
CREATE USER schemaowner IDENTIFIED BY schemaowner DEFAULT TABLESPACE
users TEMPORARY TABLESPACE temp;
GRANT connect, resource TO schemaowner;
CREATE USER user1 IDENTIFIED BY user1 DEFAULT TABLESPACE users TEMPORARY
TABLESPACE temp;
GRANT connect, resource TO user1;
CREATE USER user2 IDENTIFIED BY user2 DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp;
GRANT connect, resource TO user2; GRANT EXECUTE ON DBMS_RLS TO PUBLIC;

CONN schemaowner/schemaowner@service
CREATE TABLE users (id NUMBER(10) NOT NULL, ouser VARCHAR2(30) NOT
NULL, first_name VARCHAR2(50) NOT NULL, last_name VARCHAR2(50) NOT
NULL);
CREATE TABLE user_data (column1 VARCHAR2(50) NOT NULL, user_id
NUMBER(10) NOT NULL);
INSERT INTO users VALUES (1,'USER1','User','One');
INSERT INTO users VALUES (2,'USER2','User','Two');
COMMIT;
GRANT SELECT, INSERT ON user_data TO user1, user2;

Create an Application Context
✓ Grant CREATE ANY CONTEXT to the schema owner then create the context and
context package.
GRANT create any context, create public synonym TO schemaowner;
CONNECT schemaowner/schemaowner@service;
CREATE CONTEXT SCHEMAOWNER USING SCHEMAOWNER.context_package;
CREATE OR REPLACE PACKAGE context_package AS PROCEDURE
set_context;
END;
/

✓ Next we create the context_package body which will actually set the user context.
CREATE OR REPLACE PACKAGE BODY context_package IS
PROCEDURE set_context IS v_ouser VARCHAR2(30); v_id NUMBER;
BEGIN
DBMS_SESSION.set_context('SCHEMAOWNER','SETUP','TRUE');
v_ouser := SYS_CONTEXT('USERENV','SESSION_USER');
BEGIN
SELECT id INTO v_id FROM users WHERE ouser = v_ouser;
DBMS_SESSION.set_context('SCHEMAOWNER','USER_ID', v_id);
EXCEPTION WHEN NO_DATA_FOUND THEN
DBMS_SESSION.set_context('SCHEMAOWNER','USER_ID', 0);
END;
DBMS_SESSION.set_context('SCHEMAOWNER','SETUP','FALSE');
END set_context;
END context_package;

✓ Next we make sure that all users have access to the Context_Package.
GRANT EXECUTE ON SCHEMAOWNER.context_package TO PUBLIC;
CREATE PUBLIC SYNONYM context_package FOR SCHEMAOWNER.context_package;
Create Login Trigger
✓ Next we must create a trigger to fire after the user logs onto the database.
CREATE OR REPLACE TRIGGER SCHEMAOWNER.set_security_context
AFTER LOGON ON DATABASE
BEGIN
SCHEMAOWNER.context_package.set_context;
END;

Create Security Policies
✓ In order for the context package to have any effect on the users interaction with
the database, we need to define a security_package for use with the security
policy. This package will tell the database how to treat any interactions with the
specified table.
CONNECT schemaowner/schemaowner@service;
CREATE OR REPLACE PACKAGE security_package AS
FUNCTION user_data_insert_security(owner VARCHAR2, objname VARCHAR2)
RETURN VARCHAR2;
FUNCTION user_data_select_security(owner VARCHAR2, objname VARCHAR2)
RETURN VARCHAR2;
END security_package;

✓ Next we create the security_package body.
CREATE OR REPLACE PACKAGE BODY Security_Package IS
FUNCTION user_data_select_security(owner VARCHAR2, objname VARCHAR2) RETURN VARCHAR2 IS
predicate VARCHAR2(2000);
BEGIN
predicate := '1=2';
IF (SYS_CONTEXT('USERENV','SESSION_USER') = 'SCHEMAOWNER') THEN
predicate := NULL;
ELSE
predicate := 'USER_ID = SYS_CONTEXT(''SCHEMAOWNER'',''USER_ID'')';
END IF;
RETURN predicate;
END user_data_select_security;
FUNCTION user_data_insert_security(owner VARCHAR2, objname VARCHAR2) RETURN VARCHAR2 IS
predicate VARCHAR2(2000);
BEGIN
predicate := '1=2';
IF (SYS_CONTEXT('USERENV','SESSION_USER') = 'SCHEMAOWNER') THEN
predicate := NULL;
ELSE
predicate := 'USER_ID = SYS_CONTEXT(''SCHEMAOWNER'',''USER_ID'')';
END IF;
RETURN Predicate;
END user_data_insert_security;
END security_package;

✓ Next we make sure that all users have access to the Security_Package.
GRANT EXECUTE ON SCHEMAOWNER.security_package TO PUBLIC;
CREATE PUBLIC SYNONYM security_package FOR SCHEMAOWNER.security_package;
Apply Security Policies to Tables
✓ The DBMS_RlS package is used to apply the security policay, implemented by
security_package, to the relevant tables.
BEGIN
DBMS_RLS.add_policy('SCHEMAOWNER', 'USER_DATA',
'USER_DATA_INSERT_POLICY',
'SCHEMAOWNER', 'SECURITY_PACKAGE.USER_DATA_INSERT_SECURITY',
'INSERT', TRUE);
DBMS_RLS.add_policy('SCHEMAOWNER', 'USER_DATA',
'USER_DATA_SELECT_POLICY',
'SCHEMAOWNER', 'SECURITY_PACKAGE.USER_DATA_SELECT_SECURITY',
'SELECT');
END;

Test VPD
✓ Finally, test that the VPD is working correctly.
CONNECT user1/user1@service;
INSERT INTO schemaowner.user_data (column1, user_id) VALUES ('User 1', 1);
COMMIT;
CONNECT user2/user2@service
COMMIT;
CONNECT schemaowner/schemaowner@service
SELECT * FROM schemaowner.user_data;
CONNECT user1/user1@Service;
CONNECT user2/user2@Service

Column level Security with SQL Server
✓ Column level permissions provide a more granular level of security for data in
your database. You do not need to execute a separate GRANT or DENY
statements for each column; just name them all in a query:
GRANT SELECT ON data1.table (column1, column2) TO user1;
GO
DENY SELECT ON data1.table (column3) TO user1;
GO
✓ If you execute a DENY statement at table level to a column for a user, and after
that you execute a GRANT statement on the same column, the DENY permission
is removed and the user can have access to that column. Similarly, if you execute
GRANT and then DENY, the DENY permission will be in force.

UNIT IV-AUDITING DATABASE ACTIVITIES
✓ Introduction
✓ Using Oracle Database Activities
✓ Creating DLL Triggers with Oracle
✓ Auditing Database Activities with Oracle Auditing
✓ Server Activity with SQL Server 2000
✓ Security and Auditing Project Case Study

Introduction
✓ Security is the buzzword of this decade
✓ It’s on everyone’s mind
✓ Today , crime brings to a mind a whole new set of risks to privacy and
confidentiality
✓ Security requires action
✓ Many private and public Institutions / Organizations are taking
serious action against security risks
✓ These actions encompass not only the establishment and enforcement
of new security measure, but also the reinforcement of those measures
through tough audit controls

Introduction
Auditing is the responsibility of developers,
DBA, and Business Managers
The auditing mechanism would enable
users to trace changes to sensitive data
As DBA , you might be summoned to yours
manager’s incident that left the DB is
unavailable for hours.
SECURITY
AUDITING

Auditing Overview
Definitions
✓ In general, an audit examines the documentation that reflects the action, practices
and conduct of business or individual.
✓ Database auditing follows this general definitions
✓ The list that follows contains general auditing and database auditing definitions.
▪ Audit / Auditing - The process of examining and validating documents, data,
processes, systems, or other activities to ensure that the
audited entity complies with its objective
▪ Audit log – A document that contains all activities that are being audited
ordered in a chronological manner.
▪ Audit objectives – A set of business rules, system controls, government
regulations or security policies against which the audited
entity is measured to determine compliance

Auditing Overview
Definitions …
▪ Auditor – A person with proper qualifications and ethics, who is authorized to examine, verify,
and validate documents, data, processes, systems, or activities and to produce an
audit report
▪ Audit procedure – A step-by-step instructions for performing auditing process
▪ Audit report – A document that contains the audit findings and is generated by an
individual(s) conducting the audit
▪ Audit trail – A chronological record of document changes, data changes, system activities, or
operational events
▪ Data audit – A chronological record of data changes stored in a log file or a database table
object
▪ Database auditing - A chronological record of database activities , such as shutdown, startup,
logons, and data structure changes of database objects
▪ Internal auditing – Auditing activities conducted by the staff members of the organization.
▪ External auditing - Auditing activities conducted by the staff members outside of the
organization.

Auditing Activities
✓ Auditing activities are performed as a part of an audit, audit process or audit plan
✓ The following list presents the auditing activities
(Note : Activities are not listed in any specific order)
▪ Evaluate and apprise the effectiveness and adequacy of the audited entity
according to the auditing objectives and procedures
▪ Ascertain and review the reliability and integrity of the audited entity
▪ Ensures the organization being audited is in compliance with the policies,
procedures, regulations, laws, and standards of the government and the
industry.
▪ Establish plans , policies, and procedures for conducting audits.
▪ Keep abreast of all changes to the audited entity.
▪ Keep abreast of updates and new audit regulations, laws, standards, and
policies set by industry, government, or the company itself.
▪ Provide all audit details to all company employee involved in the audit. These
details include : resources requirements, audit plans, and audit schedules.

Auditing Activities…
▪ Publish audit guidelines and procedures to the company itself and its partners
and clients when appropriate.
▪ Act as liaison between the company and the external audit team.
▪ Act as a consultant to architects, developers and business analysts to ensure
that the company being audited is structured in accordance with the audited
objectives
▪ Organize and conduct internal audits
▪ Ensure all the contractual items are met by the organization being audited.
▪ Identify the audit types that will be used
▪ Work jointly with the Security Department to identify security issues that
must be addressed
▪ Provide consultation to the Legal Department to identify regulations and laws
with the company must comply

Auditing Environment
Components of Auditing Environment
✓ Objectives
▪ An audit without objectives is useless
▪ To conduct audit you must know what the audit you must know what the audited entity is
to be measured
▪ Usually , the objectives are set by the organization , industry standards, or government
regulations and laws
✓ Procedures
▪ To conduct an audit, step-by-step instructions and tasks must be documented ahead of
time.
▪ In the case of government conducted audit, all instructions are available public
▪ In the case of organizational audit, specialized personal document the procedure to be
used not only for the business itself, but also for the audit
✓ People
▪ Every auditing environment must have an auditor , even in the case of automatic audit
▪ Other people involved in the audit are employees, manager, and anyone being audited
✓ Audited entities
▪ This includes people, documents, processes, systems, activities or any operation that are
being audited

AUDITING
EINVIRONMENT
Auditing Environment …
✓ The following figure shows the four major components of the auditing
environment

Database
AUDITING
EINVIRONMENT
Database Auditing Environment …
✓ The following figure shows the five major components of the auditing
environment

Auditing Process
✓ Database applications widely used by major corporate companies, mostly large
financial and online trading companies.
✓ The Quality Assurance (QA) team retested every database application function
and try to find bugs.
✓ This type of auditing resembles QA or even performance monitoring
✓ The purpose of QA process in software engineering to make sure that the system
is bug free and that the system is functioning according to its specification.
✓ The auditing process ensures that the system is working and complies with the
policies, standards, regulations or laws set forth by organization, industry or
government.

Auditing Process …
✓ Another way to distinguish between QA and Auditing Process is by examining
the timing of each
✓ QA – during development phase, before the implementation of the system.
✓ Auditing Process – After the system is implemented and in production.
✓ Auditing is also not the same as performance monitoring
✓ Auditing objectives are totally different
✓ Performance Monitoring is to observe the degradation in performance
✓ Auditing validates compliance to policy not performance

✓ Differences in QA , Auditing and Performance Monitoring processes
PROCESS ACTIVE TIMING OBJECTIVES
QA During development and
before the product
commissioned into
production
Test the product to make sure it is
not working properly and is not
defective
Auditing After the product
commissioned into
production
Verify that the product or system is
working and complies with the
policies, standards, regulations or
laws
Performance
Monitoring
After the product
commissioned into
production
Monitor Performance in terms of
Response time,

Planning, Analysis,
Design, Development,
Testing, and
Implementation
PRODUCTION
UNDERSTAND
OBJECTIVE
REPORT &
DOCUMENT
REVIEW, VERIFY &
VALIDATE
✓ The below figure illustrates the auditing process flow
Make sure all
objectives are
well defined
Ensures that
auditing
objectives are
met according
to business
policies and
specifications
Identify the
changes and
provide
feedback to the
system
development
phase
System Development Life Cycle
Policies , Laws ,
Regulations and
Industry standards
must be
incorporated as the
part of System
requirements and
Specification

Auditing Objectives
✓ Auditing objectives are established as a part of the development process of the entity to
be audited
✓ For example , when a software application is being coded, the developers include in their
software development design objectives the capability to audit the application
✓ Auditing objectives are established and documented for the following reasons:
▪ Complying – Identify all company policies , government regulations, laws and the
industry standards with which your company comply.
▪ Informing – All policies, regulations, laws and standards must be published and
communicated to all parties involved in the development and operation
of the audited entity.
▪ Planning – Knowing all the objectives enables the author to plan and document
procedures to asses the audited entity.
▪ Executing – Without auditing objectives, the person conducting the audit
cannot evaluate, verify, or review the audited entity and cannot
determine if the auditing objectives have been met

Auditing Objectives
✓ The top ten database auditing objectives
▪ Data Integrity – Ensure that data is valid and in full referential integrity
▪ Applications Users and roles – Ensures that users are assigned roles that correspond
to their responsibilities and duties
▪ Data Confidentiality – Identify who can read data and what data can be read
▪ Access Control – Ensures that the application records times and duration when a
user logs onto the database or application
▪ Data changes – Create an audit trail of all data changes
▪ Data Structure Changes – Ensures that the database logs all data structure changes
▪ Database or application availability – Record the number of occurrences and
duration of application or database shutdowns all the startup times . Also, record all
reason for any unavailability.
▪ Change Control – Ensure that a change control mechanism is incorporated to track
necessary and planned changes to the database or application.
▪ Physical Access – Record the physical access to the application or the database where
the software and hardware resides.
▪ Auditing Reports – Ensure that reports are generated on demand or automatically ,
showing all auditable activities

Auditing Classification and Types
Audit Classifications
✓ Every industry and business sector uses different classifications of audits.
✓ Definition of each classification can differ from business to business.
✓ Will discuss most generic definition of audit classifications.
Internal Audit
✓ An internal audit is an audit that is conducted by a staff member of the company
being audited
✓ The purpose and intention of an internal audit is to :
▪ Verify that all auditing objectives are met by conducting a well-planned and
scheduled audit
▪ Investigate a situation that was promoted by an internal event or incident.
This audit is random , not planned or scheduled.

Auditing Classification and Types …
External Audit
✓ An external audit is conducted by a party outside the company that is being
audited.
✓ The purpose and intention of an External audit is to :
▪ Investigate the financial or operational state of the company . This audit is
initiated at will by the government or promoted by suspicious activities or
accusations.
▪ The person conducting this audit is usually employed and appointed by the
government.
▪ Verify that all objectives are met. This audit is typically planned and
scheduled.
▪ Ensure objectivity and accuracy.
▪ This audit is typically performed to certify that the company is complying
with standards and regulations.

✓ Automatic Audit
▪ An automatic audit is promoted and performed automatically.
▪ Automatic audits are mainly for systems and DB systems.
▪ Some systems that employ this type of audit to generate reports and logs.
✓ Manual Audit
▪ Completely performed by humans
▪ The team uses various methods to collect audit data, including interviews, document
reviews and observation.
▪ The auditors may even perform the operational task of the audited entity.
✓ Hybrid Audit
▪ Combination of Automatic and Manual Audits

Audit Types
Financial Audit – Ensures that all financial transactions are accounted for an
comply with law.
Ex : Companies save all trading transactions for a period of time
to comply with government regulations
Security Audit – Evaluates if the system is as secure as it should be.
The audit identifies security gaps and vulnerabilities
Ex: Company might ask a hacker to break the company’s
network system to determine how secure or vulnerable the
network is.
Compliance Audit – Verifies that the system complies with industry standards,
government regulations, or partner and client policies
Ex: All pharmaceutical companies must keep paper trails of all
research activities to comply with industry standards as well
government regulations

Operational Audit –Verifies if an operation is working according to the policies of the
company
Ex: When a new hire starts work, the HR department provides ID
Card, Sign disclosure , Confidentiality papers, tax forms , etc.,
Investigative Audit – Performed in response to an event, request, threat, or incident to
verify the integrity of the system.
Ex: Employee might have committed a fraudulent activity
Product Audit – Performed to ensure that the product complies with industry
standards. This audit sometimes confused with testing, but it
should not be.
A product audit does not include auditing of its functionality but
entails how it was produced and who worked on its development.
Preventive Audit – Performed to identify problems before they occur.
Ex: Company should conduct both random and routine audits to
verify that the business operations are being performed
according to specifications.

Benefits and Side Effects of Auditing
✓ Benefits
▪ Enforces company policies, government regulations and laws
▪ Lowers the incidence of security violations
▪ Identifies the security gaps and vulnerabilities
▪ Provides an audit trail of activities
▪ Provides another means to observe and evaluate operations of the audited entity
▪ Provides the sense or state of security and confidence in the audited entity
▪ Identifies or removes doubts
▪ Makes the organisation being audited more accountable
▪ Develops controls that can be used for purposes other than auditing

Benefits and Side Effects of Auditing
✓ Side Effects
▪ Performance problems due to preoccupation with the audit instead of the
normal work activities
▪ Generation of many reports and documents that may not be easily or quickly
disseminated
▪ Disruption to the operations of the audited entity
▪ Consumption of resources, and added costs from downtime
▪ Friction between operators and auditor
▪ From a DB perspective
• Could degrade the performance of the system
• Also generate a massive number of logs, reports, and that require a system
purge

Yes
Yes
Yes
Auditing Models
✓ Before auditing models, it is more
important that , understand how
audit is processed for data and DB
activities
✓ The flowchart presents data auditing
✓ The flowchart shows what happens
when a user perform an action to a
DB object
✓ Specific checks occur to verify if the
action , the user or the object are
registered in auditing repository
✓ If they are registered the followings
are recorded
▪ State the object before the
action was taken along with the
time of action
▪ Description of the action that
was performed
▪ Name of the user or userid who
performed the action
Action
Start
Check if
user is
registered
in audit
repository?
No
No
Action
Completed
Is action
registered
for
current
user?
Is action
registered
for
current
user?
Get Previous value and record it in
the database
Get Username and Credentials
No
Continue with action

Auditing Models …
APP_AUDIT _DATA
AUDIT_DATE_ID
ENTITY_ID (FK)
ACTION_TYPE_ID (FK)
AUDIT_START_DATE
AUDIT_EXPIRE_DATE
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
AUDIT_ACTION_ID
ACTION_TYPE_DESC
CTL_REC_STAT
ACTION_TYPE_ID
ENTITY_NAME
ENTITY_TYPE
CTL_REC_STAT
ENTITY_ID
Simple Auditing Model 1
✓ The first auditing model is The given figure illustrates this SIMPLE MODEL 1
called ‘SIMPLE” because it is
easy to understand and
develop.
✓ This model registers audited
entities in the audit model
repository to
chronologically track
activities performed on or
by these entities.
✓ An entity can be a user,
table, column, and an
activity can be a DML
transaction and logon and
logoff times.
APP_ENTITY
APP_AUDIT _ACTION
APP_ACTION _TYPE
AUDIT_ACTION_ID (FK)
AUDIT_DATA
AUD_INS_DTTM
AUD_UPD_DTTM
AUD_UPD_USER
AUD_REC_STAT

TABLE_ID (FK)
AUDIT_DATA
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
AUDIT_DATA_ID
Auditing Models …
Simple Auditing Model 2
✓ In this model , only column
value changes are stored for
audit purposes.
✓ The audit data table
APP_AUDIT_DATA contains
chronological data on all
changes on column that are
registered in
APP_AUDIT_TABLE.
✓ There is a purging and archiving
mechanism is used to help
reduce the amount of data
stored in DB.
The given figure illustrates this Simple auditing
model 2
APP_AUDIT_TABLE
APP_AUDIT_DATA
TABLE_NAME
TABLE_DESCRIPTION
AUDIT
ARCHIVE
ARCHIVE_COUNT
PURGE
PURGE_COUNT
COLUMNS
COLUMNS_COUNTSR
START_DATE
END_DATE
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
TABLE_ID

Auditing Models …
Advanced Auditing Model
✓ This Model is called “advanced” because of its flexibility
✓ More flexible than simple models
✓ Used as an auditing application with a user interface
✓ Of course the repository for tis model is more complex than previous models
✓ It contains data stores to register all entities that can be audited

6
View
Audit
Data
Objects
Auditing Models …
The following figure presents the flow of the user interface
Table
Data
Table
Name
Table
Name
Table
Name
Populate
Request Table
Data
User
Name
Table
Name
Column
Name
2
Perform
Audit
Table
Name
Audit
Data
Table
Name
Audit
Data Audit
Data
Table
Name
Name Table
User
Data
Audit Data
Columns
Audit Table
4
Perform
audit
check
7
Build
Audit
View
1
Populate
tables
Table
3
Set
tables
for
audit
5
Set
Users
for
Audit
Data
Audit Table Audit User
Audit User
Interface

Auditing Models …
ENTITY_ID (FK)
ENTITY_TYPE
ACTION_TYPE_ID (FK)
AUDIT_START_DATE
AUDIT_EXPIRE_DATE
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
AUDIT_ACTION_ID
ACTION_TYPE_DESC
CTL_REC_STAT
ACTION_TYPE_ID
✓ Data model of the repository for an Advanced Auditing Model
APP_COLUMNS
APP_TABLES APP_USERS
APP_AUDIT_ACTION
APP_AUDIT_DATA
APP_ACTION_TYPE
TABLE_NAME
CTL_REC_STAT
ENTITY_ID
TABLE_ID
TABLE_NAME
CTL_REC_STAT
ENTITY_ID
USER_ID
COLUMN_NAME
TABLE_ID (FK)
CTL_REC_STAT
ENTITY_ID
AUDIT_ACTION_ID
(FK)
AUDIT_DATA
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STA
AUDIT_DATA_ID

Auditing Models …
APP_DATA_TABLE
APP_DATA_TABLE _HISTORY
DATA_COLUMN_01
DATA_COLUMN_02
…………………………….
…………………………….
…………………………….
DATA_COLUMN_n
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
PRIMARY_KEY_COLUMN
PRIMARY_KEY_COLUMN
DATA_COLUMN_01
DATA_COLUMN_02
…………………………….
…………………………….
…………………………….
DATA_COLUMN_n
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
Historical Data Model
✓ This model is used for applications that require a record of the whole row
when a DML transaction is performed on the table
✓ Typically used in most financial applications
✓ With this model , the whole row is stored in the HISTORY table, before it is
changed or deleted
✓ The following figures illustrates this model

Auditing Models …
Auditing Application Actions Model
✓ There may be a requirement for an application to audit specific operations or
actions
✓ The following figure represents a Data Model of a repository for auditing
application actions
APP_AUDIT_ACTIONS APP_AUDIT_TRAIL APP_DATA_DICTIONARY
ACTION_DESC
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
ACTION_ID
OBJECT_ID
CLASS_ID (FK)
ACTION_ID (FK)
REASON
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
ACTION_TRAIL_ID
ACTION_DESC
CTL_INS_DTTM
CTL_UPD_DTTM
CTL_UPD_USER
CTL_REC_STAT
ACTION_ID

Auditing Models …
C2 Security
✓ C2 security is a type of security rating that evaluates the security framework for
computer products used in government and military organizations and institutes.
✓ The standard was conceived by the U.S. National Computer Security Center (NCSC)
to create a minimum security benchmark for all computing products and
applications that process confidential government and military information.
✓ The National Security Administration has given a C2 security rating to Microsoft SQL
Server 2000.
✓ This means that the server passes requirements set by the Department of Defence
and is typically implemented in military and government applications
✓ When configured as C2 system, SQL Server utilizes DACLs (Discretionary Access
Control to manage security and audit activity

Auditing Models …
✓ Requirements for enabling C2 auditing in SQL Server include the following :
▪ The Microsoft Windows Server must be configured as C2 system
▪ Windows Integrated Authentication is supported, but SQL native security
is not supported
▪ Only transactional replication is supported
▪ The following SQL Server services are not included in a C2 evaluation
• SQL Mail
• Full Test Search
• English Query
• DTC
• Meta Data Services
• Analysis Services (OLAP)

Oracle Triggers
✓ Trigger is an event driven program
✓ Executed automatically based on event occurs
✓ It is a PL/SQL procedure
✓ ORACLE has six DML events also known as trigger timings
✓ Trigger mainly used for the following purposes
✓ Performing audits (Primary use)
✓ Preventing invalid data from being inserted into the tables
✓ Implementing business rules ( Not highly recommended if the business rule is
complex)
✓ Generating values for columns

Oracle Triggers …
BEFORE INSERT
TRIGGER
PL/SQL Code
BEFORE DELETE
TRIGGER
PL/SQL Code
Application
User
INSERT
Statement
UPDATE
Statement
DELETE
Statement
BEFORE UPDATE
TRIGGER
PL/SQL Code
TABLE ROW
✓ ORACLE trigger timings or events for DML events
BEFORE DELETE
TRIGGER
PL/SQL Code
BEFORE UPDATE
TRIGGER
PL/SQL Code
BEFORE INSERT
TRIGGER
PL/SQL Code

Trigger Timing
Row Level
Oracle Triggers …
Trigger Syntax
CREATE [ OR REPLACE ] TRIGGER <trigger_name>
[BEFORE | AFTER | INSTEAD OF ]
[INSERT | UPDATE | DELETE .....]
ON<name of underlying object>
[FOR EACH ROW]
Trigger Event
[WHEN<condition for trigger to get execute> ]
DECLARE <Declaration part>
BEGIN <Execution part>
EXCEPTION <Exception handling part>
END;
Conditional Clause
Error Handling Mechanism

Oracle Triggers …
The given syntax shows the different optional statements that are present in trigger
creation.
✓ BEFORE/ AFTER will specify the event timings.
✓ INSERT/UPDATE/LOGON/CREATE/etc. will specify the event for which the
trigger needs to be fired.
✓ ON clause will specify on which object the above-mentioned event is valid. For
example, this will be the table name on which the DML event may occur in the
case of DML Trigger.
✓ Command "FOR EACH ROW" will specify the ROW level trigger.
✓ WHEN clause will specify the additional condition in which the trigger needs to
fire.
✓ The declaration part, execution part, exception handling part is same as that of
the other PL/SQL blocks. Declaration part and exception handling part are
optional.

Oracle Triggers …
ORACLE Trigger Execution
✓ A trigger can be in either of two distinct modes:
✓ Enabled - An enabled trigger executes its trigger action if a triggering statement is
issued and the trigger restriction (if any) evaluates to TRUE.
✓ Disabled - A disabled trigger does not execute its trigger action, even if a triggering
statement is issued and the trigger restriction (if any) would evaluate to
TRUE.
✓ For enabled triggers, Oracle automatically
▪ executes triggers of each type in a planned firing sequence when more than one
trigger is fired by a single SQL statement
▪ performs integrity constraint checking at a set point in time with respect to the
different types of triggers and guarantees that triggers cannot compromise integrity
constraints
▪ provides read-consistent views for queries and constraints
▪ manages the dependencies among triggers and objects referenced in the code of the
trigger action
▪ uses two-phase commit if a trigger updates remote tables in a distributed database
▪ if more than one trigger of the same type for a given statement exists, Oracle fires
each of those triggers in an unspecified order

ROW
3 BEFORE Trigger
4 AFTER Trigger
Row
level
Oracle Triggers …
✓ The following figure gives the Order of trigger execution
Statement
level
1 BEFORE Trigger
2 AFTER Trigger
TABLE

Oracle Triggers …
Example : Row level Trigger
CREATE OR REPLACE TRIGGER customers_update_credit_trg
BEFORE UPDATE OF credit_limit
ON customers
FOR EACH ROW
WHEN (NEW.credit_limit > 0)
BEGIN
-- check the credit limit
IF :NEW.credit_limit >= 2 * :OLD.credit_limit THEN
raise_application_error(-20101,'The new credit ' || :NEW.credit_limit ||
' cannot increase to more than double, the current credit ' || :OLD.credit_limit);
END IF;
END;

Oracle Triggers …
Example : Statement level Trigger
CREATE OR REPLACE TRIGGER customers_credit_trg
BEFORE UPDATE OF credit_limit
ON customers
DECLARE
l_day_of_month NUMBER;
BEGIN
-- determine the transaction type
l_day_of_month := EXTRACT(DAY FROM sysdate);
IF l_day_of_month BETWEEN 28 AND 31 THEN
raise_application_error(-20100,'Cannot update customer credit from 28th to 31st');
END IF;
END;

Oracle Triggers …
✓ User can view all triggers created on a table by using USER_TRIGGERS data
dictionary view.
✓ The structure of USER_TRIGGERS view is as follows
SQL > DESC USER_TRIGGERS
Name Null? Type
TRIGGER_NAME VARCHAR2(30)
TRIGGER_TYPE VARCHAR2(16)
TRIGGERING_EVENT VARCHAR2(227)
TABLE_OWNER VARCHAR2(30)
BASE_OBJECT_TYPE VARCHAR2(16)
TABLE_NAME VARCHAR2(30)
COLUMN_NAME VARCHAR2(4000)
REFERENCING_NAMES VARCHAR2(128)
WHEN_CLAUSE VARCHAR2(4000)
STATUS VARCHAR2(8)
DESCRIPTION VARCHAR2(4000)
ACTION_TYPE VARCHAR2(11)
TRIGGER_BODY LONG

SQL Server Triggers
CREATE TRIGGER trigger_name
ON table_name
AFTER {[INSERT],[UPDATE],[DELETE]}
[NOT FOR REPLICATION]
AS
{sql_statements}
SQL Server Triggers
✓ Similar to ORACLE, SQL Server provides a trigger mechanism that fires
automatically when a DML statement occurs
✓ The CREATE TRIGGER statement allows you to create a new trigger that is
fired automatically whenever an event such as INSERT, DELETE,
or UPDATE occurs against a table.
✓ The following illustrates the syntax of the CREATE TRIGGER statement:

SQL Server Triggers…
In this syntax:
✓ The schema_name is the name of the schema to which the new trigger belongs.
The schema name is optional.
✓ The trigger_name is the user-defined name for the new trigger.
✓ The table_name is the table to which the trigger applies.
✓ The event is listed in the AFTER clause. The event could be INSERT, UPDATE,
or DELETE. A single trigger can fire in response to one or more actions against
the table.
✓ The NOT FOR REPLICATION option instructs SQL Server not to fire the trigger
when data modification is made as part of a replication process.
✓ The sql_statements is one or more Transact-SQL used to carry out actions once
an event occurs.

Auditing Database Activities with ORACLE
✓ ORACLE provides the mechanism for auditing everything:
▪ From tracking who is creating and modifying the structure
▪ Who is granting privileges to whom
✓ The activities are divided into two types based on the type of SQL command
statement used :
▪ Activities defined by DDL (Data Definition Language)
▪ Activities defined by DCL (Data Control Language)

Auditing Database Activities with ORACLE
Auditing DDL Activities
✓ ORACLE uses a SQL-based audit command
✓ The following figure presents the audit syntax diagram ( ORACLE 10g)

Auditing Database Activities with ORACLE …
Where :
Statement option – Tells ORACLE to audit the specified
DDL or DCL statement
DDL – CREATE, ALTER, DROP and TRUNCATE
DCL – GRANT , REVOKE
System privilege – Tell ORACLE to audit the specified
privilege such as SELECT, CREATE ANY, or ALTER ANY
Object_option – Specifies the type of privileges for the
specified object to be audited
BY SESSION – Tells ORACLE to record audit data once
per session even if the audited statement issued multiple
times in session
BY ACCESS - Tells ORACLE to record audit data every
time audited statement is issued.
WHENEVER SUCCESSFUL – Tells ORACLE to capture
audit data only when the audited command is successful
WHENEVER NOT SUCCESSFUL- Tells ORACLE to
capture audit data only when the audited command fails
Audit command syntax
AUDIT
{
{ { statement_option | ALL }
[,{statement_option | ALL }] ……
|,{syetem_privilege | ALL
PRIVILEGES }
}
[BY { proxy [,proxy]…..
| user [,user]…..
]
|
{Object_option [, object_option ] …… |
ALL }
ON { [ schema. ] object
|DIRECTORY directory_name
|DEFAULT
}
}
[ BY {SESSION | ACCESS } }
[WHENEVER [NOT] SUCESSFUL ] ;

SQL> CREATE TABLE CUSTOMER
2
3
4
5
6
(
ID
NAME
NUMBER ,
VARCHAR2 (20),
CR_LIMIT NUMBER
);
Table created
DDL activities Example :
✓ Suppose you want to audit a table named CUSTOMER every time it is altered or
every time a record from a table deleted.
✓ The following steps show you how to do this.
✓ Before perform , drop are disable all triggers associated with CUSTOMER table.
Step 1 : Use any user other than SYS or SYSTEM to create the CUSTOMER

SQL > INSERT INTO CUSTOMER VALUES (2, ‘BMNANTHA’, 200);
1 row created
SQL > INSERT INTO CUSTOMER VALUES (3, ‘MURUGAN’, 300);
1 row created
SQL > INSERT INTO CUSTOMER VALUES (1, ‘GANESH’, 100);
1 row created
SQL > COMMIT;
Commit complete
Step 2 : Add three rows into the CUSTOMER table and commit changes

SQL > CONNECT SYSTEM @ SEC
Enter password : ******
Connected.
SQL > AUDIT ALTER ON DBSEC.CUSTOMER BY ACCESS WHENEVER
2 SUCCESSFUL;
Audit succeeded.
SQL > AUDIT DELETE ON DBSEC.CUSTOMER BY ACCESS
WHENEVER
2 SUCCESSFUL;
Audit succeeded.
Step 3 : Log on as SYS or SYSTEM to enable auditing , as specified in this example
the first statement for ALTER and the next is for DELETE

SQL > CONNECT DBSEC@ SEC
Connected.
SQL > DELETE FROM CUSTOMER WHERE ID = 3;
1 row deleted.
SQL > ALTER TABLE CUSTOMER MODIFY NAME VARCHAR2(30);
Table altered
Step 4 : Login as the owner of CUSTOMER table, DBSEC delete a row and modify
the structure of the table, as specified in the following code

In this step you will see the audit records stored in the auditing tables caused by the DELETE
and ALTER statements issued in step 4.
Step 5 : Login in as SYSTEM and view the DBA_AUDIT_TRAIL
Two records will be available as shown in the figure below

SQL > NOAUDIT ALTER ON DBSEC.CUSTOMER;
Noaudit succeeded.
SQL > NOAUDIT DELETE ON DBSEC.CUSTOMER;
Noaudit succeeded.
✓ When audit process got over of a specific object or command, you may turn it
off by using the NO AUDIT statement.
✓ The following step turns off auditing on the two statements issued in step 3.

SQL> CONN SYSTEM
Connected
SQL> DELETE SYS.AUD$;
1 row deleted.
SQL> COMMIT;
Commit complete.
SQL> AUDIT GRANT ON DBSEC.TEMP;
Audit succeeded
DCL Activities Example:
✓ You are auditing the GRANT privilege issued on a TEMP table owned by DBSEC.
✓ The following steps shows how to audit the DCL statements audited.
✓ The same steps to be followed for all DCL Commands.
Step 1 : Log on as SYSTEM or SYS and issue an AUDIT statement as follows

SQL> SELECT USERNAME, TIMESTAMP, OWNER, OBJ_NAME FROM
2 DBA_AUDIT_TRAIL;
SQL> CONN DBSEC
Enter password : *****
Connected.
SQL> GRANT SELECT ON TEMP TO SYSTEM;
Grant succeeded.
SQL> GRANT UPDATE ON TEMP TO SYSTEM
Grant succeeded.
Step 2: Log on as DBSEC and grant SELECT and UPDATE privileges to SYSTEM on
TEMP table
Step 3: Log on as SYSTEM and display the contents of DBA_AUDIT_TRAIL.
USERNAME TIMESTAMP OWNER OBJ_NAME
DBSEC 20-Jan-20 DBSEC TEMP
DBSEC 20-Jan-20 DBSEC TEMP
2 rows selected

Auditing Server Activity with SQL Server 2000
✓ Microsoft SQL Server 2000 provides auditing as a way to track and log activity for
each SQL Server occurrence
✓ User must be a member of the sysadmin fixed server role to enable or modify
auditing
✓ Every modification of an audit is an auditable event
✓ There are two types of auditing in SQL Server 2000
▪ Auditing
▪ C2Auditing
✓ Auditing can have significant impact on performance
✓ The audit trail analysis can also be costly in terms of system
✓ It is recommended that SQL profiler be run on a server separate from the
production server

Auditing Server Activity with SQL Server
2000 …
Implementing SQL Profiler
✓ One of the tools that accompanies SQL Server 2000 is SQL Profiler
✓ This tool provides the user interface for auditing events.
✓ You can audit several types of events using SQL Profiler
EVENT DESCRIPTION For each event, you can
audit
End user events All SQL commands, LOGIN/LOGOUT,
enabling
✓ Date and time of the
event
✓ User who caused the
event to occur
✓ Type of Event
✓ Success or failure of
the event
✓ Origin of the request
✓ Name of the object
accessed
✓ Text of the SQL
statement (Passwords
replace with *****)
DBA events DDL (other than security events),
Configuration (DB or Server)
Security events GRANT/REVOKE/DENY/ LOGIN USER
ROLE/ADD/REMOVE/CONFIGURE
Utility events BACKUP/RESTORE/BULK INSERT/ BCP/
DBCC Commands
Server events SHUTDOWN , PAUSE, START
Audit events ADD AUDIT, MODIFY AUDIT, STOP AUDIT

2000 …
✓ Security audit should be enable first
✓ This is done by setting the security auditing level under the SQL server
properties in Enterprise Manager
✓ Security events can be audited on success, failure or both
✓ Follow these steps
1. Open the Enterprise Manager
2. Expand the appropriate SQL Server group
3. Right click on the desired server
4. Click properties
5. On the security tab, select the desired security level as shown in the
figure in slide no 61

2000 …
✓ SQL Server configuration

2000 …
✓ After the audit level is set, you can then use SQL Profiler to monitor security
events.
✓ The following events can be audited
▪ ADD DB USER
▪ ADD LOGIN TO SERVER ROLE
▪ ADD MEMBER TO DB ROLE
▪ ADD ROLE
▪ APP ROLE CHANGE PASSWORD
▪ BACKUP / RESTORE
▪ CHANGE AUDIT
▪ DBCC
▪ LOGIN
▪ LOGOUT
▪ LOGIN CHANGE PASSWORD
▪ LOGIN CHANGE PROPERTY
▪ LOGIN FAILED
▪ Login GDR ( GRANT, DENT, REVOKE )
▪ Object Derived Permissions
▪ Object GDR
▪ Object Permissions
▪ Server Start and Stop
▪ Statement GDR
▪ Statement Permission

2000 …
✓ You can start SQL Profiler by selecting it from the program group on the Start
menu or from the tools menu in Enterprise.
✓ To start a new Audit Trace from the file menu, Click New , then Trace
✓ It is shown in the below figure

2000 …
The new trace dialog box appears,
as shown in the figure
On the general tab, you provide:
▪ A name for the trace
▪ The server you want to audit
▪ The base template to start with
▪ Where to save the audit data, either to
a file or to a DB
▪ A stop time, if you don’t want the trace
to run indefinitely

2000 …
✓ On the events tab, you specify
events to be audited and in which
category they belong
✓ As shown in the figure

2000 …
Dr.B.Muruganantham
AP / CSE /SRMIST
12-11-2021 66
Add the Login Change Password
security event to the trace by
performing following steps
✓ Expand the Security Audit node
under Available event classes
✓ Click Audit Login Change
Password Event
✓ Click the Add button
Audit Login Change Password Event
should now appear under security
Audit in Selected event classes, as
shown in the figure

2000 …
Dr.B.Muruganantham
AP / CSE /SRMIST
12-11-2021 67
Data Definition Auditing
✓ To audit DDL statements, on the
Events tab of your trace, you select
Object:Created and Object:Deleted
under the objects Category
✓ These two events audit all CREATE
and DROP statements.
✓ It is shown in the figure

2000 …
Database Auditing with SQL Server
✓ To audit operations to the database
files, select events under the Database
category as shown in the figure

2000 …
Database errors auditing with SQL
Server
✓ To audit errors that occur within
the database, select the events
under the Errors and Warnings
category on the Events tab of your
trace, as shown in the figure

Security and Auditing Project Case Study
Introduction
✓ A DB developer is assigned to new database application project and is asked to
develop an auditing scheme to comply with the industry standards
✓ Developers often face this problem
✓ DBA are often asked to provide an effective data security and auditing design
✓ The case studies follow require you to use these concepts, methods, and
techniques to solve data accessibility
✓ This cases can be implemented in either ORACLE or SQL Server

CASE 1 : Developing an Online Database
✓ A new dot-com has decided to launch an affiliated Web site, specifically
for individuals interested in database issues.
✓ The main mission of the Web site is to provide a forum for database
technical tips, issues, and scripts.
✓ The CIO and his technical team held a meeting to draft the requirements
for the new web site and decided that it would include the following.
▪ Technical documents
▪ A forum where members can exchange ideas and share experiences
▪ Online access
▪ A tips section
▪ Technical support for error messages

✓ Immediately after the meeting, the newly appointed project manager asks you to
implement security for the site.
✓ The manager mentions that the security of a public database is so important that
the CIO himself / herself has outlined the security requirements, as follows
✓ The online DB will have 10 public host database accounts that allow multiple
sessions
✓ The password of a public host account must be reset to its original setting whenever
disconnects or logoffs occur
✓ The maximum duration for a session is 45 minutes
✓ Allocations will be set on memory and CPU

✓ Storage for each public host account must be limited to 1 MB
✓ The public host accounts will have privileges to create the most common
database objects
✓ All newly created database objects must be removed before logoff
✓ The database must have the default human resources user account enabled.
✓ When number of logs onto the database, all session information, such as IP
address, terminal , user session information must be recorded for future
analysis.
Note : You may add other security auditing features, as long as you do not
overlook any of the requirements in this list

Case 2 : Taking Care of Payroll
✓ Acme Payroll Systems is a small payroll services company that has been in
business for two years and has had only one major customer
✓ Suddenly, it lands a contract with another large corporation
✓ If the company hired you as Database consultant to design and implement a
virtual private database for the existing payroll application.
✓ The main objective of the virtual private database feature is allow each client to
administer his own payroll data without violating the privacy of other clients.

COMPANY_ID (FK)
FIRST_NAME
LAST_NAME
SYSTEM_USERNAME
CA_ID
PP_ID (FK)
CONTACT_NAME
STREET_NAME
CITY
STATE
ZIPCODE
PHONE
FAX
EMAIL
URL
STATUS
COMPANY_ID
TS_ID (FK )
WORK_DAY
WORK_HOURS
SICK_HOURS
DWH_ID
EMPLOYEE_ID (FK)
START_DATE
END_DATE
WORK_HOURS
SICK_HOURS
TS_ID
The given figure represents the payroll application model for case 2
EMPLOYEE COMPANY PAYROLL_PERIOD
COMPANY_ADMINISTRATORS
TIMESHEET
DAILY_WORK_HOURS
PP_DESCRIPTION
PP_ID
COMPANY_ID (FK)
TAX_ID
FIRST_NAME
LAST_NAME
HOURLY_SALARY
FED_CODE
STATE_CODE
MEDICAL_ELECTION
FOUR01_ELECTION
MEDICAL_DEDUCTION
OTHER_DEDUCTION
SICK_DAYS
VACATION_DAYS
EMPLOYEE_ID

Case 3 : Tracking Town Contracts
✓ A small town has hired you as a database specialist on contract
✓ Your job is to develop a new database application to keep track of the jobs
awarded to different contractors
✓ All town hall employees will use the application
✓ After several interviews with clerks and managers , you found out that a prior
attempt at application development by a consulting company resulted in a
draft of an entity – relationship ( ER ) diagram
✓ The ER diagram depicts all the required information about the contractors
and the awarded jobs.

The given figure presents Contractor job data model for case 3
CONTRACTOR
CONTRACTOR
JOB
JOB_TYPE
JOB_TYPE_DESCRIPTION
JOB_TYPE_ID
CONTRACTOR_TYPE_DESCRIPTION
CONTRACTOR_TYPE_ID
CONTRACTOR_ID ( FK )
JOB_TYPE_ID ( FK )
JOB_DESRIPTION
JOB_CLASSIFICATION
JOB_RATE
START_DATE
COMPLETION_DATE
DAILY_PENALTY
PAYMENT_AGREEMENT
JOB_ID
TAX_ID
CONTRACTOR_TYPE_ID ( FK )
CONTRACTOR_NAME
STREET_ADDRESS_01
STREET_ADDRESS_02
CITY
STATE
ZIPCODE
CONTACT_NAME
PHONE
FAX
MOBILE_PHONE
EMAIL
URL
CONTRACTOR_STATUS
CONTRACTOR_ID

✓ During your meeting with the project manager for this application , you are
asked to design an application with the following capabilities
▪ Track all changes made to the application data
▪ Obtain the approval of project manager before accepting any contract job
for more than $10,000
▪ Alert the project manager whenever an awarded job is modified to a value
greater than $10,000
▪ Implement three levels of security
▪ The DEPARTMENT CLERK level allows clerks to add and update records
▪ The DEPARTMENT MANAGER level allows clerks to add, update, delete
and approve records
▪ The EXTERNAL CLERK level allows employees outside the department
only to view data.

Case 4 : Tracking Database Changes
✓ A friend recommended you to the company he/she works for
✓ The need your help to solve a series of database and application violations
✓ When you meet with the hiring manager, he/she explains that there has been
a series of inexplicable, suspicious activities on the applications and
production databases
✓ The company wants to know
▪ Who accessed these databases?
▪ Who modified data?
▪ Who changed the data structure?

✓ Also the company want to have an audit trail for all these activities but that
company was not interested in historical changes trail
✓ As a consultant, your job is to design an audit model to meet these
requirements
✓ The following is the summary of the project requirements
▪ Audit of database connections
▪ Audit trail of users that are performing DML operations
▪ Audit trail of users that are modifying structures of the application schema
tables

Sample data model for case 4
✓ You may use two tables illustrated in the given figure as sample of application
schema tables.
PHYSICIAN ALERT_SCHEDULE
PHYSICIAN_ID ( FK )
ALERT_TIMESTAMP
ALERT_STATUS
ALERT_COUNT
RESPONSE
ALERT_ID
FIRST_NAME
LAST_NAME
MOBILE_NUMBER
PAGER_NUMBER
PHYSICIAN_ID

Case 5 : Developing a Secured Authorization Repository
✓ A small retail company has asked you to provide them with database security
services
✓ The main requirement of this project is to create a security data model that
will be used for by the central authorization module
✓ This model should include an auditing repository
✓ This model will store
▪ Application users
▪ Roles
▪ Applications
▪ Application Modules

✓ Your mission is to create an authorization data model with a relevant auditing repository
✓ The following is a summary of the project security requirements
▪ There must be one database user account for the application schema owner
▪ Database – assigned roles are not followed
▪ There must be application roles only
▪ Each application use is assigned to application modules
▪ Each application user is assigned a security level that indicates the type of operations the
user can perform within the application.
▪ Operations are READ,WRITE, DELETE and ADMINISTER
▪ Passwords must be stored within the designed security module
▪ Each user has a logon identification number to the application
▪ The security model should have the flexibility to logically lock, disable and remove
accounts
▪ Application accounts must have an activation date and expiry date

✓ The security module must be coupled with an auditing module that meets these
auditing requirements
▪ It must have an audit trail of the date and time a user connects and disconnects
from application
▪ It must have an audit trail of application operations that includes the date and
time operations were performed by the application user
▪ It must have an audit trail of all activities and operations performed on the
security module
▪ The auditing module must be coupled with the security module
Note : You are provide only a design solution , not an implementation

References :
1) Hassan A. Afyouni, “Database Security and Auditing”, Third Edition,
Cengage Learning, 2009
3) Ron Ben Natan, ”Implementing Database Security and Auditing”,
Elsevier Digital Press, 2005.
5) http://charuaggarwal.net/toc.pdf
6) http://adrem.ua.ac.be/sites/adrem.ua.ac.be/files/securitybook.pdf

UNIT V - PRIVACY PRESERVING DATA MINING
TECHNIQUES
✓ Introduction
✓ Privacy Preserving Data Mining Algorithms
✓ General Survey
✓ Randomization Methods
✓ Group Based Anonymization
✓ Distributed Privacy Preserving Data Mining
✓ Curse of Dimensionality
✓ Application of Privacy Preserving Data Mining

Introduction - privacy-preserving data mining
✓ The problem of privacy-preserving data mining has become more important in
recent years because of the increasing ability to store personal data about users,
and the increasing sophistication of data mining algorithms to leverage this
information.
✓ The problem has been discussed in multiple communities such as the
database community, the statistical disclosure control community and the
cryptography community.
✓ This tutorial will try to explore different topics from the perspective of different
communities and give a fused idea of the work in different communities.

Privacy Preserving Data Mining Algorithms
✓ A number of techniques such as randomization and k-anonymity have been
suggested in recent years in order to perform privacy-preserving data mining.
✓ Furthermore, the problem has been discussed in multiple communities such as the
database community, the statistical disclosure control community and the
cryptography community.
✓ The key directions in the field of privacy-preserving data mining are as follows:
▪ Privacy-Preserving Data Publishing
▪ Changing the results of Data Mining Applications to preserve privacy
▪ Query Auditing
▪ Cryptographic Methods for Distributed Privacy
▪ Theoretical Challenges in High Dimensionality

Privacy Preserving Data Mining Algorithms …
Privacy-Preserving Data Publishing:
✓ These techniques tend to study
✓ different transformation methods associated with privacy
✓ These techniques include methods such as randomization ,
k-anonymity ,and l-diversity .
✓ Another related issue is how the perturbed data can be used in
conjunction with classical data mining methods such as association rule
mining
✓ Other related problems include that of determining privacy-preserving
methods to keep the underlying data useful (utility-based methods), or
the problem of studying the different definitions of privacy, and how
they compare in terms of effectiveness in different scenarios.

Changing the results of Data Mining Applications to
preserve privacy :
✓ In many cases, the results of data mining applications such as
association rule or classification rule mining can compromise the
privacy of the data.
✓ This has spawned a field of privacy in which the results of data mining
algorithms such as association rule mining are modified in order to
preserve the privacy of the data.
✓ A classic example of such techniques are association rule hiding
methods, in which some of the association rules are suppressed in order
to preserve privacy.

Query Auditing:
✓ Such methods are akin to the previous case of modifying the results of
data mining algorithms
✓ Here, we are either modifying or restricting the results of queries.
Cryptographic Methods for Distributed Privacy:
✓ In many cases, the data may be distributed across multiple sites, and the
owners of the data across these different sites may wish to compute a
common function.
✓ In such cases, a variety of cryptographic protocols may be used in order
to communicate among the different sites, so that secure function
computation is possible without revealing sensitive information.

Theoretical Challenges in High Dimensionality:
✓ Real data sets are usually extremely high dimensional, and this
makes the process of privacy-preservation extremely difficult both
from a computational and effectiveness point of view.
✓ It has been shown that optimal k-anonymization is NP-hard.
Furthermore, the technique is not even effective with increasing
dimensionality, since the data can typically be combined with
either public or background information to reveal the identity of
the underlying record owners.

General Survey:
✓ There is a broad survey of privacy preserving data-mining methods.
✓ It provides an overview of the different techniques and how they relate
to one another.
✓ The idea is to provide an overview of the field for a new reader from the
perspective of the data mining community.
✓ However, more detailed discussions are deferred to future chapters
which contain descriptions of different data mining algorithms.

Privacy Preserving Data Mining Algorithms –
A General Survey
12-11-2021 11
✓ Statistical Methods for Disclosure Control
✓ Measures of Anonymity
✓ The k-anonymity Method
✓ The Randomization Method
✓ Quantification of Privacy
✓ Utility Based Privacy-Preserving Data Mining
✓ Mining Association Rules under Privacy Constraints
✓ Cryptographic Methods for Information Sharing and Privacy
✓ Privacy Attacks
✓ Query Auditing and Inference Control
✓ Privacy and the Dimensionality Curse
✓ Personalized Privacy Preservation
✓ Privacy-Preservation of Data Streams
✓ Conclusions and Summary

A General Survey
Statistical Methods for Disclosure Control
✓ The topic of privacy-preserving data mining has often been studied
extensively by the data mining community without sufficient attention to
the work done by the conventional work done by the statistical disclosure
control community.
✓ Detailed methods for statistical disclosure control have been presented
along with some of the relationships to the parallel work done in the
database and data mining community.
✓ This includes methods such as k-anonymity, swapping, randomization,
micro-aggregation and synthetic data generation.
✓ The idea is to give the readers an overview of the common themes in
privacy-preserving data mining by different communities.

A General Survey
Measures of Anonymity
✓ There are a very large number of definitions of anonymity in the
privacy-preserving data mining field.
✓ This is partially because of the varying goals of different privacy-
preserving data mining algorithms.
✓ For example, methods such as k-anonymity, l-diversity and t-closeness
are all designed to prevent identification, though the final goal is to
preserve the underlying sensitive information.
✓ Each of these methods is designed to prevent disclosure of sensitive
information in a different way.

A General Survey
The k-anonymity Method
✓ An important method for privacy de-identification is the method of k-
anonymity.
✓ The motivating factor behind the k-anonymity technique is that many
attributes in the data can often be considered pseudo-identifiers which can
be used in conjunction with public records in order to uniquely identify
the records.
✓ For example, if the identifications from the records are removed, attributes
such as the birth date and zip-code an be used in order to uniquely identify
the identities of the underlying records.
✓ For example, if the identifications from the records are removed, attributes
such as the birth date and zip-code an be used in order to uniquely identify
the identities of the underlying records.

A General Survey
The Randomization Method
✓ The randomization technique uses data distortion methods in order to
create private representations of the records
✓ In most cases, the individual records cannot be recovered, but only
aggregate distributions can be recovered.
✓ These aggregate distributions can be used for data mining purposes. Two
kinds of perturbation are possible with the randomization method:
✓ Additive Perturbation:
✓ In this case, randomized noise is added to the data records. The overall
data distributions can be recovered from the randomized records.
✓ Data mining and management algorithms re designed to work with
these data distributions.
✓ Multiplicative Perturbation:
✓ In this case, the random projection or random rotation techniques are
used in order to perturb the records.

A General Survey
Quantification of Privacy
✓ A key issue in measuring the security of different privacy-preservation
methods is the way in which the underlying privacy is quantified.
✓ The idea in privacy quantification is to measure the risk of disclosure
for a given level of perturbation.

A General Survey
Utility Based Privacy-Preserving Data Mining
✓ Most privacy-preserving data mining methods apply a transformation
which reduces the effectiveness of the underlying data when it is
applied to data mining methods or algorithms.
✓ There is a natural trade-off between privacy and accuracy, though this
trade-off is affected by the particular algorithm which is used for
privacy preservation.
✓ A key issue is to maintain maximum utility of the data without
compromising the underlying privacy constraints.

A General Survey
Mining Association Rules under Privacy Constraints
✓ Since association rule mining is one of the important problems in data
mining
✓ There are two aspects to the privacy preserving association rule mining
problem
1. When the input to the data is perturbed, it is a challenging problem to
accurately determine the association rules on the perturbed data.
2. A different issue is that of output association rule privacy.
In this case, to ensure that none of the association rules in the
output result in leakage of sensitive data.
This problem is referred to as association rule hiding by the
database community, and that of contingency table privacy-
preservation by the statistical community.

A General Survey
Cryptographic Methods for Information Sharing and Privacy
✓ In many cases, multiple parties may wish to share aggregate private data,
without leaking any sensitive information at their end
✓ For example, different superstores with sensitive sales data may wish to
coordinate among themselves in knowing aggregate trends without
leaking the trends of their individual stores.
✓ This requires secure and cryptographic protocols for sharing the
information across the different parties. The data may be distributed in
two ways across different sites:
✓ Horizontal Partitioning: In this case, the different sites may have different
sets of records containing the same attributes.
✓ Vertical Partitioning: In this case, the different sites may have different
attributes of the same sets of records.

A General Survey
Privacy Attacks
✓ It is useful to examine the different ways in which one can make
adversarial attacks on privacy-transformed data.
✓ This helps in designing more effective privacy-transformation methods.
✓ Some examples of methods which can be used in order to attack the
privacy of the underlying data include SVD-based methods, spectral
filtering methods and background knowledge attacks.

A General Survey
Query Auditing and Inference Control
✓ Many private databases are open to querying. This can compromise the
security of the results, when the adversary can use different kinds of
queries in order to undermine the security of the data.
✓ For example, a combination of range queries can be used in order to
narrow down the possibilities for that record. Therefore, the results over
multiple queries can be combined in order to uniquely identify a record,
or at least reduce the uncertainty in identifying it.
✓ There are two primary methods for preventing this kind of attack:
✓ Query Output Perturbation: In this case, we add noise to the output of the
query result in order to preserve privacy.
✓ Query Auditing: In this case, we choose to deny a subset of the queries, so
that the particular combination of queries cannot be used in order to violate
the privacy

A General Survey
Privacy and the Dimensionality Curse
✓ In recent years, it has been observed that many privacy-preservation
methods such as k-anonymity and randomization are not very effective
in the high dimensional case
Personalized Privacy Preservation
✓ In many applications, different subjects have different requirements for
privacy.
✓ For example, a brokerage customer with a very large account would
likely have a much higher level of privacy-protection than a customer
with a lower level of privacy protection.
✓ In such case, it is necessary to personalize the privacy-protection
algorithm.

A General Survey
Privacy-Preservation of Data Streams
• A new topic in the area of privacy preserving data mining is that of
data streams, in which data grows rapidly at an unlimited rate.
• In such cases, the problem of privacy-preservation is quite challenging
since the data is being released incrementally.
• In addition, the fast nature of data streams obviates the possibility of
using the past history of the data.

A General Survey
Conclusions and Summary
✓ The broad areas of privacy are as follows:
Privacy-preserving data publishing:
This corresponds to sanitizing the data, so that its privacy remains preserved.
Privacy-Preserving Applications:
This corresponds to designing data management and mining algorithms in such a way that
the privacy remains preserved. Some examples include association rule mining,
classification, and query processing.
Utility Issues:
Since the perturbed data may often be used for mining and management purposes,
its utility needs to be preserved. Therefore, the data mining and privacy transformation
techniques need to be designed effectively, so to preserve the utility of the results.
Distributed Privacy, cryptography and adversarial collaboration:
This corresponds to secure communication protocols between trusted parties, so that
information can be shared effectively without revealing sensitive information about
particular parties.

Randomization Method
✓ The randomization method is a technique for privacy-preserving data
mining in which noise is added to the data in order to mask the attribute
values of records.
✓ The noise added is sufficiently large so that individual record values
cannot be recovered.
✓ Therefore, techniques are designed to derive aggregate distributions
from the perturbed records.
✓ Subsequently, data mining techniques can be developed in order to work
with these aggregate distributions.

Randomization Method …
The method of randomization can be described as follows.
✓ Consider a set of data records denoted by X = {x1 . . .xN}
✓ For record xi ∈X
✓ we add a noise component which is drawn from the
probability distribution fY (y).
✓ These noise components are drawn independently, and are denoted y1 . . . yN.
✓ Thus, the new set of distorted records are denoted by
x1 +y1 . . .xN +yN.
✓ We denote this new set of records by
z1 . . . zN.
✓ In general, it is assumed that the variance of the added noise is large enough, so that
the original record values cannot be easily guessed from the distorted data.
✓ Thus, the original records cannot be recovered, but the distribution of the original
records can be recovered.

✓ Thus, if X be the random variable denoting the data distribution
for the original record
✓ Y be the random variable describing the noise distribution
✓ Z be the random variable denoting the final record
We have:
Z = X + Y
X = Z − Y
✓ Now, we note that N instantiations of the probability distribution Z
are known, whereas the distribution Y is known publicly.
✓ For a large enough number of values of N, the distribution Z can be
approximated closely by using a variety of methods such as kernel
density estimation.
✓ By subtracting Y from the approximated distribution of Z, it is
possible to approximate the original probability distribution X

✓ One key advantage of the randomization method is that it is relatively
simple, and does not require knowledge of the distribution of other
records in the data.
✓ This is not true of other methods such as k-anonymity which require the
knowledge of other records in the data.
✓ Therefore, the randomization method can be implemented at data
collection time, and does not require the use of a trusted server
containing all the original records in order to perform the
anonymization process.
✓ While this is a strength of the randomization method, it also leads to
some weaknesses, since it treats all records equally irrespective of their
local density.

Privacy Quantification
✓ The quantity used to measure privacy should indicate how closely the
original value of an attribute can be estimated.
✓ A measure that defines privacy as follows:
If the original value can be estimated with c% confidence to
lie in the interval [α1, α2], then the interval width (α2 − α1)
defines the amount of privacy at c% confidence level.
✓ For example,
If the perturbing additive is uniformly distributed in an interval
of width 2α, then α is he amount of privacy at confidence level 50%
and 2α is the amount of privacy at confidence level 100%.
✓ However, this simple method of determining privacy an be subtly
incomplete in some situations.

Randomization Methods for Data Streams
✓ The randomization approach is particularly well suited to privacy-
preserving data mining of streams, since the noise added to a given
record is independent of the rest of the data.
✓ However, streams provide a particularly vulnerable target for
adversarial attacks with the use of PCA (Principle Component
Analysis) based techniques because of the large volume of the data
available for analysis.

Multiplicative Perturbations
✓ The most common method of randomization is that of additive
perturbations.
✓ However, multiplicative perturbations can also be used to good effect
for privacy-preserving data mining.
✓ Many of these techniques derive their roots in the work of which
shows how to use multi-dimensional projections in order to reduce the
dimensionality of the data.
✓ This technique preserves the inter record distances approximately, and
therefore the transformed records can be used in conjunction with a
variety of data mining applications.

✓ As in the case of additive perturbations, multiplicative perturbations are not
entirely safe from adversarial attacks.
✓ In general, if the attacker has no prior knowledge of the data, then it is
relatively difficult to attack the privacy of the transformation.
✓ However, with some prior knowledge, two kinds of attacks are possible
✓ Known Input-Output Attack:
✓ In this case, the attacker knows some linearly independent collection of
records, and their corresponding perturbed version. In such cases, linear
algebra techniques can be used to reverse-engineer the nature of the privacy
preserving transformation.
✓ Known Sample Attack:
✓ In this case, the attacker has a collection of independent data samples from
the same distribution from which the original data was drawn. In such cases,
principal component analysis techniques can be used in order to reconstruct
the behavior of the original data.

Data Swapping
✓ Noise addition or multiplication is not the only technique which can be used to
perturb the data.
✓ A related method is that of data swapping, in which the values across different records
are swapped in order to perform the privacy-preservation
✓ One advantage of this technique is that the lower order marginal totals of the data are
completely preserved and are not perturbed at all.
▪ Therefore certain kinds of aggregate computations can be exactly performed
without violating the privacy of the data.
✓ This technique does not follow the general principle in randomization which allows
the value of a record to be perturbed independent;y of the other records.
▪ Therefore, this technique can be used in combination with other frameworks
such as k-anonymity, as long as the swapping process is designed to preserve the
definitions of privacy for that model.

Group Based Anonymization
✓ The randomization method is a simple technique which can be easily
implemented at data collection time, because the noise added to a given record
is independent of the behavior of other data records.
✓ This is also a weakness because outlier records can often be difficult to mask.
✓ Clearly, in cases in which the privacy-preservation does not need to be
performed at data-collection time, it is desirable to have a technique in which
the level of inaccuracy depends upon the behavior of the locality of that given
record.
✓ Another key weakness of the randomization framework is that it does not
consider the possibility that publicly available records can be used to identify the
identity of the owners of that record.
✓ Therefore, a broad approach to many privacy transformations is to construct
groups of anonymous records which are transformed in a group-specific way.

Group Based Anonymization …
The k-Anonymity Framework
✓ In many applications, the data records are made available by simply
removing key identifiers such as the name and social- security
numbers from personal records.
✓ However, other kinds of attributes (known as pseudo-identifiers) can
be used in order to accurately identify the records.
▪ For example, attributes such as age, zip-code and sex are available
in public records such as census rolls.
▪ When these attributes are also available in a given data set, they can
be used to infer the identity of the corresponding individual.
▪ A combination of these attributes can be very powerful, since they
can be used to narrow down the possibilities to a small number of
individuals.

✓ In k-anonymity techniques, it reduce the granularity of representation of
these pseudo-identifiers with the use of techniques such as generalization and
suppression.
✓ In the method of generalization, the attribute values are generalized to a range
in order to reduce the granularity of representation.
▪ For example, the date of birth could be generalized to a range such as year
of birth, so as to reduce the risk of identification.
✓ In the method of suppression, the value of the attribute is removed
completely.
✓ It is clear that such methods reduce the risk of identification with the use of
public records, while reducing the accuracy of applications on the transformed
data.
✓ In order to reduce the risk of identification, the k-anonymity approach
requires that every tuple in the table be indistinguishability related to no fewer
than k respondents.

✓ k-anonymity approach can be formalized as follows:
▪ Each release of the data must be such that every combination of
values of quasi-identifiers ( are pieces of information that are not of
themselves unique identifiers) can be indistinguishably matched to
at least k respondents.
✓ The first algorithm for k-anonymity approach uses domain
generalization hierarchies of the quasi-identifiers in order to build
k-anonymous tables.
✓ The concept of k-minimal generalization has been proposed in order to
limit the level of generalization for maintaining as much data precision
as possible for a given level of anonymity.
✓ Subsequently, the topic of k-anonymity has been widely researched.

✓ It was note that the problem of optimal anonymization is inherently a difficult
one.
✓ It has been shown that the problem of optimal k-anonymization is NP-hard.
Nevertheless, the problem can be solved quite effectively by the use of a number of
heuristic methods.
✓ A method proposed by Bayardo and Agrawal is the k-Optimize algorithm which
can often obtain effective solutions.
✓ The approach assumes an ordering among the quasi-identifier attributes.
✓ The values of the attributes are discretized into intervals quantitative attributes) or
grouped into different sets of values (categorical attributes). Each such grouping is
an item.
✓ For a given attribute, the corresponding items are also ordered. An index is
created using these attribute-interval pairs (or items) and a set enumeration tree is
constructed on these attribute-interval pairs.
✓ k-Optimize algorithm can use a number of pruning strategies to good effect.

✓ A branch and bound technique can be used to successively improve the
quality of the solution during the traversal process.
✓ Incognito method has been proposed for computing a k-minimal
generalization with the use of bottom-up aggregation along domain
generalization hierarchies.
✓ The Incognito method uses a bottom-up breadth-first search of the
domain generalization hierarchy, in which it generates all the possible
minimal k-anonymous tables for a given private table.

✓ First, it checks k-anonymity for each single attribute, and removes all
those generalizations which do not satisfy k-anonymity. Then, it
computes generalizations in pairs, again pruning those pairs which do
not satisfy the k-anonymity constraints.
✓ Incognito algorithm computes (i + 1)-dimensional generalization
candidates from the i-dimensional generalizations, and removes all
those generalizations which do not satisfy the k-anonymity constraint.
✓ This approach is continued until, no further candidates can be
constructed, or all possible dimensions have been exhausted.

Personalized Privacy-Preservation
Not all individuals or entities are equally concerned about their privacy.
• For example, a corporation may have very different constraints on the
privacy of its records as compared to an individual.
• This leads to the natural problem that we may wish to treat the records in
a given data set very differently for anonymization purposes.
• From a technical point of view, this means that the value of k for
anonymization is not fixed but may vary with the record.
• A condensation based approach has been proposed for privacy-preserving
data mining in the presence of variable constraints on the privacy of the
data records.

Personalized Privacy-Preservation…
✓ This technique constructs groups of non-homogeneous size from the data,
such that it is guaranteed that each record lies in a group whose size is at
least equal to its anonymity level
✓ Subsequently, pseudo-data is generated from each group so as to create a
synthetic data set with the same aggregate distribution as the original data.
✓ Another interesting model of personalized anonymity is discussed in which
a person can specify the level of privacy for his or her sensitive values.
✓ This technique assumes that an individual can specify a node of the domain
generalization hierarchy in order to decide the level of anonymity that he
can work with.
✓ This approach has the advantage that it allows for direct protection
✓ of the sensitive values of individuals than a vanilla k-anonymity method
which is susceptible to different kinds of attacks.

Utility Based Privacy Preservation
✓ The process of privacy-preservation leads to loss of information for data mining
purposes.
✓ This loss of information can also be considered a loss of utility for data mining
purposes.
✓ Since some negative results on the curse of dimensionality suggest that a lot of
attributes may need to be suppressed in order to preserve anonymity, it is
extremely important to do this carefully in order to preserve utility.
✓ We note that many anonymization methods use cost measures in order to
measure the information loss from the anonymization process.
✓ Examples of such utility measures include
▪ Generalization height
▪ Size of anonymized group
▪ Discernability measures of attribute values
▪ Privacy information loss ratio

Utility Based Privacy Preservation…
✓ A method for utility-based data mining using local recoding was
proposed, The approach is based on the fact that different attributes
have different utility from an application point of view.
✓ Most anonymization methods are global, in which a particular tuple
value is mapped to the same generalized value globally.
✓ In local recoding, the data space is partitioned into a number of
regions, and the mapping of the tuple to the generalizes value is local
to that region.
✓ This kind of approach has greater flexibility, since it can tailor the
generalization process to a particular region of the data set.

Utility Based Privacy Preservation…
✓ Another indirect approach to utility based anonymization is to make the privacy-
preservation algorithms more aware of the workload.
✓ Typically, data recipients may request only a subset of the data in many cases, and
the union of these different requested parts of the data set is referred to as the
workload.
✓ A workload in which some records are used more frequently than others tends to
suggest a different anonymization than one which is based on the entire data set.
✓ Another direction for utility based privacy-preserving data mining is to
anonymize the data in such a way that it remains useful for particular kinds of
data mining or database applications.
✓ In such cases, the utility measure is often affected by the underlying application at
hand.
✓ There is a method has been proposed for k-anonymization using an information-
loss metric as the utility measure.

Sequential Releases
✓ Privacy-preserving data mining poses unique problems for dynamic applications
such as data streams because in such cases, the data is released sequentially.
✓ In other cases, different views of the table may be released sequentially.
✓ Once a data block is released, it is no longer possible to go back and increase the
level of generalization.
✓ On the other hand, new releases may sharpen an attacker’s view of the data and may
make the overall data set more susceptible to attack.
✓ A technique discussed in relies on lossy joins in order to cripple an attack based on
global quasi identifiers.
✓ The intuition behind this approach is that if the join is lossy enough, it will reduce
the confidence of the attacker in relating the release from previous views to the
current release.
✓ A new generalization principle called m-invariance is proposed, which effectively
limits the risk of privacy-disclosure in re-publication.
✓ The broad idea in this approach is to progressively and consistently increase the
generalization granularity, so that the released data satisfies the k-anonymity
requirement both with respect to the current table, as well as with respect to the
previous releases

The l -diversity Method
✓ The k-anonymity is an attractive technique because of the simplicity of the
definition and the numerous algorithms available to perform the anonymization.
✓ The k-anonymity is an attractive technique because of the simplicity of the
definition and the numerous algorithms available to perform the anonymization.
✓ Nevertheless the technique is susceptible to many kinds of attacks especially
when background knowledge is available to the attacker
✓ Some kinds of such attacks are as follows:
▪ Homogeneity Attack:
✓ In this attack, all the values for a sensitive attribute within a group of k
records are the same. Therefore, even though the data is k-anonymized,
the value of the sensitive attribute for that group of k records can be
predicted exactly.
▪ Background Knowledge Attack:
✓ In this attack, the adversary can use an association between one or more
quasi-identifier attributes with the sensitive attribute in order to narrow
down possible values of the sensitive field further

The l -diversity Method
✓ While k-anonymity is effective in preventing identification of a record, it may
not always be effective in preventing inference of the sensitive values of the
attributes of that record.
✓ Therefore, the technique of l-diversity was proposed which not only
maintains the minimum group size of k, but also focuses on maintaining the
diversity of the sensitive attributes.
✓ Therefore, the l-diversity model for privacy is defined as follows:
▪ Let a q∗-block be a set of tuples such that its non-sensitive values
generalize to q∗.
▪ A q∗-block is l-diverse
• if it contains l “well represented” values for the sensitive attribute S.
• A table is l-diverse, if every q∗-block in it is l-diverse.
✓ when there are multiple sensitive attributes, then the l-diversity problem
becomes especially challenging because of the curse of dimensionality.

The t-closeness Model
• The t-closeness model is a further enhancement on the concept of l-
diversity.
• One characteristic of the l-diversity model is that it treats all values of
a given attribute in a similar way irrespective of its distribution in the
data.
• A t-closeness model was proposed which uses the property that the
distance between the distribution of the sensitive attribute within an
anonymized group should not be different from the global distribution
by more than a threshold t.

Distributed Privacy-Preserving Data Mining
✓ The key goal in most distributed methods for privacy-preserving data mining is
to allow computation of useful aggregate statistics over the entire data set
without compromising the privacy of the individual data sets within the
different participant.
✓ Thus, the participants may wish to collaborate in obtaining aggregate results,
but may not fully trust each other in terms of the distribution of their own data
sets.
✓ For this purpose, the data sets may either be horizontally partitioned or be
vertically partitioned.
✓ In horizontally partitioned data sets, the individual records are spread out
across multiple entities, each of which have the same set of attributes.
✓ In vertical partitioning, the individual entities may have different attributes (or
views) of the same set of records.
✓ Both kinds of partitioning pose different challenges to the problem of
distributed privacy preserving data mining.

Distributed Privacy-Preserving Data Mining …
✓ The problem of distributed privacy-preserving data mining overlaps closely with a
field in cryptography for determining secure multi-party computations.
✓ The broad approach to cryptographic methods tends to compute functions over
inputs provided by multiple recipients without actually sharing the inputs with
one another.
✓ For example, in a 2-party setting, Alice and Bob may have two inputs x and y
respectively, and may wish to both compute the function f(x, y) without revealing
x or y to each other.
✓ This problem can also be generalized across k parties by designing the k argument
function h(x1 . . . xk). Many data mining algorithms may be viewed in the context
of repetitive computations of many such primitive functions such as the scalar dot
product, secure sum etc.
✓ In order to compute the function f(x, y) or h(x1 . . . , xk), a protocol will have to
designed for exchanging information in such a way that the function is computed
without compromising privacy.

Distributed Privacy-Preserving Data Mining …
✓ That the robustness of the protocol depends upon the level of trust one is
willing to place on the two participants Alice and Bob.
✓ This is because the protocol may be subjected to various kinds of adversarial
behavior:
▪ Semi-honest Adversaries:
✓ In this case, the participants Alice and Bob are curious and attempt to
learn from the information received by them during the protocol, but
do not deviate from the protocol themselves. In many situations, this
may be considered a realistic model of adversarial behavior.
▪ Malicious Adversaries:
✓ In this case, Alice and Bob may vary from the protocol, and may send
sophisticated inputs to one another to learn from the information
received from each other.

The Curse of Dimensionality
✓ Many privacy-preserving data-mining methods are inherently limited by the
curse of dimensionality in the presence of public information.
✓ For example, the technique in analyzes the k-anonymity method in the
presence of increasing dimensionality.
✓ The curse of dimensionality becomes especially important when adversaries
may have considerable background information, as a result of which the
boundary between pseudo-identifiers and sensitive attributes may become
blurred.
✓ This is generally true, since adversaries may be familiar with the subject of
interest and may have greater information about them than what is publicly
available.
✓ This is also the motivation for techniques such as l-diversity in which
background knowledge can be used to make further privacy attacks.

Applications of Privacy-Preserving Data Mining
✓ The problem of privacy-preserving data mining has numerous
applications in homeland security, medical database mining, and
customer transaction analysis.
✓ Some of these applications such as those involving bio-terrorism and
medical database mining may intersect in scope.
✓ Number of different applications of privacy-preserving data mining
methods.
▪ Medical Databases: The Scrub and Datafly Systems
▪ Bioterrorism Applications
▪ Homeland Security Applications
▪ Genomic Privacy

Applications of Privacy-Preserving Data Mining …
Medical Databases: The Scrub and Datafly Systems
Scrub :
✓ The scrub system was designed for de-identification of clinical notes and letters which
typically occurs in the form of textual data.
✓ Clinical notes and letters are typically in the form of text which contain references to
patients, family members, addresses, phone numbers or providers.
✓ Traditional techniques simply use a global search and replace procedure in order to
provide privacy.
✓ However clinical notes often contain cryptic references in the form of abbreviations
which may only be understood either by other providers or members of the same
institution.
✓ Therefore traditional methods can identify no more than 30-60% of the identifying
information in the data
✓ The Scrub System uses local knowledge sources which compete with one another based
on the certainty of their findings.
✓ Such a system is able to remove more than 99% of the identifying information from the
data.

Datafly Systems:
✓ The Datafly System was one of the earliest practical applications of
privacy-preserving transformations.
✓ This system was designed to prevent identification of the subjects of
medical records which may be stored in multidimensional format.
✓ The multi-dimensional information may include directly identifying
information such as the social security number, or indirectly identifying
information such as age, sex or zip-code.
✓ The system was designed in response to the concern that the process of
removing only directly identifying attributes such as social security
numbers was not sufficient to guarantee privacy.

✓ Typically, the user of Datafly will set the anonymity level depending
upon the profile of the data recipient in question.
✓ The overall anonymity level is defined between 0 and 1, which defines
the minimum bin size for each field.
✓ An anonymity level of 0 results in Datafly providing the original data,
whereas an anonymity level of 1 results in the maximum level of
generalization of the underlying data.
✓ The Datafly system is one of the earliest systems for anonymization,
and is quite simple in its approach to anonymization.

Bioterrorism Applications
✓ Often a biological agent such as anthrax produces symptoms which are
similar to other common respiratory diseases such as the cough, cold and
the flu.
✓ In the absence of prior knowledge of such an attack, health care providers
may diagnose a patient affected by an anthrax attack of have symptoms
from one of the more common respiratory diseases.
✓ In order to identify such attacks it is necessary to track incidences of these
common diseases as well.
✓ Therefore, the corresponding data would need to be reported to public
health agencies. However, the common respiratory diseases are not
reportable diseases by law.

✓ Homeland Security Applications
▪ A number of applications for homeland security are inherently
intrusive because of the very nature of surveillance.
▪ Some examples of such applications are as follows:
✓Credential Validation Problem:
• Trying to match the subject of the credential to the person
presenting the credential.
• For example, the theft of social security numbers presents a
serious threat to homeland security.
✓Identity Theft:
• A related technology is to use a more active approach to
avoid identity theft.
• The identity angel system , crawls through cyberspace, and
determines people who are at risk from identity theft.
• This information can be used to notify appropriate parties.

Web Camera Surveillance:
✓ One possible method for surveillance is with the use of publicly
available webcams which can be used to detect unusual activity.
✓ this is a much more invasive approach than the previously discussed
techniques because of person specific information being captured in
the webcams.
✓ The approach can be made more privacy-sensitive by extracting only
facial count information from the images and using these in order to
detect unusual activity.

Video-Surveillance:
✓ In the context of sharing video-surveillance data, a major threat is the use
of facial recognition software, which can match the facial images in
videos to the facial images in a driver license database.
✓ While a straightforward solution is to completely black out each face, the
result is of limited new, since all facial information has been wiped out.
✓ A more balanced approach is to use selective downgrading of the facial
information, so that it scientifically limits the ability of facial recognition
software to reliably identify faces, while maintaining facial details in
images.
✓ The algorithm is referred to as k-Same, and the key is to identify faces
which are somewhat similar, and then construct new faces which
construct combinations of features from these similar faces.

The Watch List Problem:
✓ The motivation behind this problem is that the government typically has
a list of known terrorists or suspected entities which it wishes to track
from the population.
✓ The aim is to view transactional data such as store purchases, hospital
admissions, airplane manifests, hotel registrations or school attendance
records in order to identify or track these entities.
✓ This is a difficult problem because the transactional data is private, and
the privacy of subjects who do not appear in the watch list need to be
protected.
✓ Therefore, the transactional behavior of non-suspicious subjects may
not be identified or revealed.
✓ The watch list problem is currently an open problem.

Genomic Privacy
• Recent years have seen tremendous advances in the science of DNA
sequencing and forensic analysis with the use of DNA.
• As result, the databases of collected DNA are growing very fast in the both the
medical and law enforcement communities.
• DNA data is considered extremely sensitive, since it contains almost uniquely
identifying information about an individual.
• As in the case of multi-dimensional data, simple removal of directly
identifying data such as social security number is not sufficient to prevent re-
identification.
• It has been shown that a software called CleanGene can determine the
identifiability of DNA entries independent of any other demographic or other
identifiable information.
• The software relies on publicly available medical data and knowledge of
particular diseases in order to assign identifications to DNA entries.
• Another method for compromising the privacy of genomic data is that of trail
re-identification, in which the uniqueness of patient visit patterns is exploited
in order to make identifications.

Database security 12.pdf

More Related Content

What's hot (20)

Similar to Database security 12.pdf (20)

Recently uploaded (20)

Database security 12.pdf