System security
Download as PPTX, PDF3 likes3,744 views
The document discusses database security, outlining its three main aspects: secrecy, integrity, and availability, which protect databases from unauthorized access and ensure accurate data handling. It highlights the importance of data security across various sectors, including banking and personal information, and emphasizes the need for secure authentication and authorization mechanisms within applications. Additionally, the document addresses potential vulnerabilities and the significance of human training in the security landscape.
System security
- 1. System Security -Bharat P. Patil -M. Sc. C.S. Part II -64 Database Security
- 3. ` What Is Database Security? Database: It is a collection of information stored in a computer. Security: It is being free from danger. Database Security: It is the mechanisms that protect the database against intentional or accidental threats. OR Protection from malicious attempts to steal (view) or modify data.
- 4. ` Three Main Aspects 1. Secrecy 2. Integrity 3. Availability
- 5. ` Secrecy • It is protecting the database from unauthorized users. • Ensures that users are allowed to do the things they are trying to do. • For example:- – The employees should not see the salaries of their managers.
- 6. ` Integrity • Protecting the database from authorized users. • Ensures that what users are trying to do is correct. • For examples, • An employee should be able to modify his or her own information.
- 7. ` Availability • Authorized users should be able to access data for Legal purposes as necessary. • For examples, – Payment orders regarding taxes should be made on time by the tax law.
- 8. ` Importance of Data • Bank/Demat accounts • Credit card, Salary, Income tax data • University admissions, marks/grades • Land records, licenses • Data = crown jewels for organizations
- 9. ` Importance of Data (contd…) • Recent headlines: – Personal information of millions of credit card users stolen • Laws on privacy in the US • Theft of US data in India – Criminal gangs get into identity theft – Earlier this year in Mumbai • Hackers steal credit card data using card reader and make fraudulent purchases • Hacker creates fake Web site to phish for credit card information – Auto-rickshaw license fraud in New Delhi
- 10. ` Overview • Levels of data security • Authorization in databases • Application Vulnerabilities • Summary
- 11. ` Levels of Data Security • Human level: Corrupt/careless User. • Network/User Interface. • Database application program. • Database system. • Operating System. • Physical level.
- 12. ` Physical/OS Security • Physical level – Traditional lock-and-key security. – Protection from floods, fire, etc. • E.g. WTC (9/11), fires in IITM, WWW conf website, etc. – Protection from administrator error • E.g. delete critical files. – Solution • Remote backup for disaster recovery. • Plus archival backup (e.g. DVDs/tapes). • Operating system level – Protection from virus/worm attacks critical.
- 13. ` Security at the Database/Application Program • Authentication and authorization mechanisms to allow specific users access only to required data • Authentication: who are you? Prove it! • Authorization: what you are allowed to do?
- 14. ` Database vs. Application • Application authenticates/authorizes users • Application itself authenticates itself to database – Database password DatabaseApplication Program
- 15. ` User Authentication • Password – Most users abuse passwords. For e.g. • Easy to guess password • Share passwords with others • Smartcards – Need smartcard – + a PIN or password Bill Gates
- 16. ` User Authentication • Central authentication systems allow users to be authenticated centrally – LDAP or MS Active Directory often used for central authentication and user management in organizations • Single sign-on: authenticate once, and access multiple applications without fresh authentication – Microsoft passport, Pub Cookie etc – Avoids plethora of passwords – Password only given to central site, not to applications.
- 17. ` Overview • Levels of data security • Authorization in databases • Application Vulnerabilities • Summary
- 18. ` Authorization • Different authorizations for different users – Accounts clerk vs. – Accounts manager vs. – End users
- 19. ` Database/Application Security • Ensure that only authenticated users can access the system. • And can access (read/update) only data/interfaces that they are authorized to access.
- 20. ` Limitations of SQL Authorization • SQL does not support authorization at a tuple level – E.g. we cannot restrict students to see only (the tuples storing) their own grades. • Web applications are dominant users of databases – Application end users don't have database user ids, they are all mapped to the same database user id. – Database access control provides only a very coarse application-level access control.
- 21. ` Access Control in Application Layer • Authorization in application layer vs. database layer – Benefits • fine grained authorizations, such as to individual tuples, can be implemented by the application. • authorizations based on business logic easier to code at application level – Drawback: • Authorization must be done in application code, and may be dispersed all over an application • Hard to check or modify authorizations • Checking for absence of authorization loopholes becomes very difficult since it requires reading large amounts of application code – Need a good via-media.
- 22. ` Privacy • Aggregate information about private information can be very valuable – E.g. identification of epidemics, mining for patterns (e.g. disease causes) etc. • Privacy preserving data release – E.g. in US, many organizations released “anonymized” medical data, with names removed, but zip code (= pin code), sex and date of birth retained • Turns out above (zip code, sex, date of birth) uniquely identify most people! –Correlate anonymized data with (say) electoral data with same information
- 23. ` Privacy (contd…) – Recent problems at America Online • Released search history, apparently anonymized, but users could be easily identified in several cases –Several top officials were fired – Earlier problems revealed medical history of Massachusetts state governor. • Not yet a criminal issue, but lawsuits have happened • Conflict with Right To Information Act – Many issues still to be resolved.
- 24. ` Overview • Levels of data security • Authorization in databases • Application Vulnerabilities • Summary
- 25. ` Application Security • Applications are often the biggest source of insecurity –Poor coding of application may allow unauthorized access. –Application code may be very big, easy to make mistakes and leave security holes. –Very large surface area. • Used in fewer places – Some security by obfuscation. – Lots of holes due to poor/hasty programming.
- 26. ` OWASP Top 10 Web Security Vulnerabilities 1. Invalidated input. 2. Broken access control. 3. Broken account/session management. 4. Cross-site scripting (XSS) flaws. 5. Buffer overflows. 6. (SQL) Injection flaws. 7. Improper error handling. 8. Insecure storage. 9. Denial-of-service. 10.Insecure configuration management.
- 27. ` Passwords in Scripts • E.g.: file1.jsp (or java or other source file) located in publicly accessible area of web server – Intruder looks for http://<urlpath>/file1.jsp~ • or .jsp. swp, etc – If jsp has database user id/password in clear text, big trouble • Happened at IITB • Morals – Never store scripts (java/jsp) in an area accessible to http – Never store passwords in scripts, keep them in config files – Never store config files in any web-accessible areas – Restrict database access to only trusted clients • At port level, or using database provided functionality
- 28. ` Overview • Levels of data security • Authorization in databases • Application Vulnerabilities • Summary
- 29. ` Summary • Data security is critical. • Requires security at different levels. • Several technical solutions . • But human training is essential.