Database Threats - Information System Security
Download as PPTX, PDF2 likes532 views
The document outlines various database threats and their implications for information system security, including sensitive data exposure, security misconfiguration, SQL injection, insecure direct object references, cross-site scripting, and denial of service attacks. Additionally, it provides prevention techniques for each threat, such as using proper data escaping methods, access control measures, contextual encoding, and employing firewalls and monitoring tools. Overall, the content emphasizes the importance of safeguarding sensitive information and maintaining robust security protocols.
Database Threats - Information System Security
- 1. Database Threats Information System Security Presented by: Abdul Majeed Al-Kattan Rabee Al-Rass Rahaf Aamer Rimon Koroni Sandra Sukarieh
- 2. The Content • Sensitive Data Exposure. • Security Misconfiguration. • SQL Injection (Blind) • Insecure Direct Object Reference • Cross Site Scripting • Denial of Service Information System Security 2
- 3. Sensitive Data Exposure Information System Security 3
- 4. Security Misconfiguration Information System Security 4
- 5. SQL Injection • Can be achieved when sending unreliable data to the interpreter as a part of a command or a query. • Malicious data of the attacker can fool the interpreter to: 1. Execute banned orders. 2. Access data without authority . 3. Harm the content of the database. Information System Security 5
- 6. SQL Injection Information System Security 6
- 7. SQL Injection Prevention • Escape String : 1. mysqli_real_escape_string() 2. Addslashes() • Example: x’ or ‘x’=‘x’ – When mysqli_real_escape_string is applied x’ or ’x’=’x’ -- Information System Security 7
- 8. Insecure Direct Object Reference • The insecure gap of direct object reference comes up when the programmer expose the references to internal components such as files, folders, or database keys. • Without access control tools and other methods of protection, the hacker can manipulate these references to reach the data without proper authority. Information System Security 8
- 9. Insecure Direct Object Reference Information System Security 9
- 10. Insecure Direct Object Reference Prevention • Never expose application or database internal details to public. • Hide system objects with ambiguous names and do encryption to values. • Use sessions instead of cookies alone. Information System Security 10
- 11. Cross Site Scripting • Programming gaps appear across the site when the application receives non reliable data and sends it to the browser without checking or overcoming (escaping). • Programming gaps across the site allow the attacker to implement “scripts” in the browser of the victim, which may lead to: 1. The theft of the user’s session. 2. Distortion of the website. 3. Redirect the user to other malicious sites. Information System Security 11
- 12. Cross Site Scripting Information System Security 12
- 13. Cross Site Scripting Prevention • Contextual Encoding: 1. HTML Encoding. 2. JavaScript Encoding. 3. CSS Encoding. Information System Security 13
- 14. Denial Of Service • One of the methods used to inundate the special service of the database or the application with a stream of requests, leading to deprive the real users from the service. • This attack can be achieved with the tool slowhttptest. Information System Security 14
- 15. Denial Of Service Information System Security 15
- 16. Denial of Service Prevention • Firewall. • Cloud Mitigation Provider DDoS attack Detection and Monitoring. • Flow-Based Monitoring (PLXfbm) . • service monitors netflow on your router. Information System Security 16
- 17. Thank You.