ASSIGNMENT 2 LOGICAL DATABASE DESIGN (CPT307)

MAY 7, 2015

Faculty of Science

ASSIGNMENT 2 CPT307 LOGICAL DATABASE DESIGN

ASADHU SHUJAAU (000033475) WORD COUNT: 2487

Assignment 2

Table of Contents 1.0 Abstract ................................................................................................................................ 2 2.0 Introduction .......................................................................................................................... 3 3.0 Key issues on database security today ................................................................................. 4 3.1 Privilege Abuse ................................................................................................................ 4 3.2 SQL Injection ................................................................................................................... 4 3.3 Weak Authentication ....................................................................................................... 5 3.4 Platform Vulnerabilities ................................................................................................... 5 3.5 Malware ........................................................................................................................... 6 3.6 Weak Auditing ................................................................................................................. 6 3.7 Deployment Failure ......................................................................................................... 6 4.0 How to solve the key issues ................................................................................................. 7 5.0 Losses faced by database when it comes to security ........................................................... 9 6.0 My opinion ......................................................................................................................... 10 7.0 Conclusion ......................................................................................................................... 11 Bibliography ............................................................................................................................ 12

1

Assignment 2

1.0 Abstract This paper is about database security. It looks into the key database security issues that are faced by databases today. These include privilege abuse, weak authentication, platform vulnerabilities, SQL injection, malware, weak auditing and deployment failures. It goes further by looking into solutions for each aspect of security issue described here. Security measures that help overcome the issues are discussed for each security problem. Next, the losses faced by database when it comes to security are explained. These include loss of data manipulation of data and corporate losses etc. As the writer my own opinion is included before concluding this paper.

2

Assignment 2

2.0 Introduction In today’s world millions of data are shared, collected and retained every day. Privacy and security are great concerns as most of these data are stored and shared digitally. These content that users share and corporate companies collect are stored on databases located in different areas of the world. Main cause of data security issues are in the databases itself. This is evident by the growing number of reported events of loss, theft or exposure of sensitive information (Murray, 2010). Before moving on to the topic of database security issues and solutions, first it is necessary to understand what database security is about. In a journal (Murray, 2010) states that, database security should provide controlled and protected access to information stored within databases. Furthermore, it is stated that database should preserve the integrity and consistency along with the overall quality of the data that is stored. This writing will look into the key database security challenges that are common today. Before moving on to the solutions for these issues the next section will briefly explain each identified issue and why they are risky. After covering aforementioned areas, the losses faced by the database due to security issues will be highlighted next. My own opinion about the database security as the writer is included as well before concluding the writing with the overall findings and judgements about the concerned areas of database security.

3

Assignment 2

3.0 Key issues on database security today 3.1 Privilege Abuse Sometimes databases are created in such a way that users can access features of the database that they do not necessarily need all the time. These may lead to privilege abuse whereby a user may use his rights for illegal or dishonest purpose. (Stonecypher, 2010), has given a great example to explain this issue. He states that a database administrator in a financial business such as a bank can use his rights to create fake accounts and also transfer money from one account to another if he wished to. Above example is one where a user abuses the privilege intentionally. In his writing (Stonecypher, 2010), goes further by giving an example on how privilege can be abused unintentionally as well. In case of a company offering “work from home” option to its staff, an employee may take backup of sensitive while working from home, so that he or she could work easily without accessing the company network every time. This violates security policies of the company and will result in data security breach if the employee’s home system is compromised.

3.2 SQL Injection SQL Injection is a web attack method by hackers that target databases. This technique can be used to steal sensitive corporate data via online platforms. It can be said that this is one of the most common methods used to breach database security today. This attack becomes possible due to the improper coding of web applications that allows hackers to inject SQL commands through input fields on forms such as login form (acunetix, 2015). In 2014, (Goldman, 2014) has written about cyber-attacks by CyberVor, a Russian gang of fewer than a dozen hackers who stole billions of usernames and passwords. In it he has written that a research was conducted in order to identify the vulnerabilities of websites where by they found that “over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites' databases.” Furthermore to aid the severity of this issue, in another writing of (Goldman, 2014) he has stated that in 2013 alone two thirds of U.S. companies were breached by SQL Injection. This alone shows it is a major database security issue.

4

Assignment 2 3.3 Weak Authentication A lot of databases allow creation of users with short, weak passwords. This makes the application and database more prone to attacks. As said by (Shulman, 2006), weak authentication can help attackers to disguise as authentic users of the database by stealing and or obtaining login credentials of users with weak authentications. Different techniques are used by attackers to take advantage of weak authentication in systems used by companies. An attacker can use guesswork or enumeration of possible username and password combinations. This technique is called brute forcing which is done mostly by using a specialized application. Also an attacker may present themselves as company IT staff via a phone in order to gain credentials from employees of the company. This method is called social engineering which uses trust as a weapon. This method becomes possible because only few security matters are taken into consideration when authenticating users to use the database (Shulman, 2006). Think of the impact if a bank uses weak authentication for its online user. It might lead to losing their customers and customers losing their money deposited in their bank accounts. Hence, this issue can have a severe outcome if left unsolved.

3.4 Platform Vulnerabilities Databases can be affected due to the vulnerabilities in the operating system it is running on. For example, systems like UNIX, Linux or Windows. Due to bugs in the platform, services related to database may lead to unauthorized access (Stonecypher, 2010). For example (Shulman, 2006) mentions about the Blaster Worm, which took advantage of a Windows 2000 vulnerability to create denial of service conditions. Due to such reasons, platform vulnerability issues, lead to database security issues.

5

Assignment 2 3.5 Malware Above in the platform vulnerabilities an example was given about a malware which used platform vulnerabilities to create denial of service conditions. This is another serious issue that presents databases to cyber threats. Unlike other issues malware can be used to create automatic exploitation of the above mentioned points and few more. Attackers use these malicious software to steal information and or sabotage on damage the entire database system (Paganini, n.d.). In the writing, (Paganini, n.d.) mentions that, in November 2013, Symantec released a security alert about a malware that could damage corporate databases which wipes out the infected PCs hard disk. The malware was called W32.Narilam.

3.6 Weak Auditing As per (Shulman, 2006), recording of sensitive and unusual database transactions should be a part of database foundation before it is deployed. This is to ensure better auditing. The following are threats faced due to weak auditing as mentioned by (Shulman, 2006). 

Weak database audits are against government regulatory policies. This applies to many countries while it might not apply to all.



No way of forensic evidence of intruders in order to track them.



Better audits lead to better detection and recovery. It helps to pinpoint the origin of the attack and to know which account was used to access the database. This can help take actions accordingly. Without a good audit, this will not be possible.

3.7 Deployment Failure (Lane, 2013) explains that deployment failure as the most common database vulnerability. He mentions that as all databases are tested for what they should do functionally. Many fail to certify that it is not doing something it should not. Databases should be tested for all kinds of criteria before they are deployed. Database platforms are insecure after fresh installations. It would have problems like having default accounts with default passwords which everyone who uses databases know very well. it will remain same until these are manually configured and changed. If it is left as it is, these can be exploited by attackers for unauthorized access to database.

6

Assignment 2

4.0 How to solve the key issues This section will discuss the solutions for the problems mentioned in the previous section. This section will be divided to paragraph each relating to one of the issues mentioned above. Solutions are discussed in the order the issues are discussed in the previous section. First of all privilege abuse can be solved by implementing SecureSphere’s Dynamic Profiling technology. This application automatically creates a model of the context surrounding normal database interactions. It can tell time of day, IP address, volume of data retrieved, application client used to access the database. When users excess and retrieve too much information or they try unauthorized tasks, SecureSphere triggers an alert (Shulman, 2006). As (Osborne, 2013) says SQL injection can be prevented by protecting online databases with firewalls. However, (acunetix, 2015) says it is not enough just to use firewalls. In addition to firewall protection, while building web applications inputs should be cleaned off of SQL strings that can cause issues in the database. This is called sanitizing. In order to overcome weak authentication, strongest practical authentication should be used. Usage of Two-factor authentication are preferred where possible. Strong username/password can also be used to overcome this issue. Sometimes even these measures might not be enough. In such cases logging failed sign in attempts can help identify possible cyber-attacks (Shulman, 2006). Platform vulnerabilities can be solved by having the system updated regularly. This will help system have the latest patches for bug fixes and other security updates. Also having a secure password on the platform itself can help minimize the risk of platform vulnerabilities. Also encrypting the data stored in databases can help prevent further damage in case of platform breach. In case of malware, corporate companies and other database users’ needs to have a strong antivirus program which will help to identify and eliminate the malware. The mentioned anti-virus programs need to be up-to-date at all times in-order to identify and eliminate latest threats. Having database backups in a safer offline environment can help restore the database in case of malware take over (Paganini, n.d.). The following are ways to overcome weak auditing ad suggested by (Shulman, 2006). Quality network-based audit applications addresses flaws associated with inbuilt audit tools in database. Network-based audit tools help improve auditing along with improved database

7

Assignment 2 performance. These audit tools are separate from database hence it is invulnerable to privilege elevation attacks. Also they perform over different platforms. These help reduce server costs, load-balancing and administrative costs. While at the same time it delivers better security. By testing database software for different criteria can help overcome deployment failures. Existing default accounts should be removed or changed to have a different name and a strong password. Hiring experts for testing can help minimize the risks that come along with failure in database deployment.

8

Assignment 2

5.0 Losses faced by database when it comes to security This section will discuss different losses faced by database due to unhandled security issues that exists within the database. Different issues can cause different types of database losses related to three constructs of databases, the CIA, confidentiality, integrity and availability. Each will be discussed separately in this section. Sometimes as mentioned in previous section Denial of Service attacks take place due to improper security measures. This kind of attacks restrict access to network applications or data for actual users (Shulman, 2006). This can mean database facing unexpected downtimes. From a corporate firms point of view, if it is a firm serving thousands of customers every day. This can be a huge loss as it can lead to loss of customers and profits for the company and lot of time being wasted on resolving the issue. Another loss that database can face is loss of data itself. As previously mentioned. There are malwares that target systems to wipe clean its hard disks (Paganini, n.d.). Hard disks are mainly used to store everything that on a computer system. This means databases as well. If anti-virus are not used or other proper measures like backups are not in place. Then databases can lose huge amounts of data and in the worst case scenario they can be destroyed fully. For huge businesses this might mean losing sensitive information about customers, projects, employees, etc. In turn losing the database’s availability or identification and recovery from hardware and software applications (Murray, 2010). Database data leaks is another issue faced due to weak security measures. Data can be stolen through online attacks or by stealing backups which can be gained access through different means like, from an employee system of a “work from home” company. Moreover, it can be done by an employee within a company as well (Stonecypher, 2010). This effects the confidentiality or protection of data from unauthorized disclosure (Murray, 2010). Last but not the least, another loss faced by the databases when it comes to security can be unauthorized manipulation of data within a database. This can be done through SQL injection, Denial of Service attacks which will give time for attackers to perform other types of operations on the database. Also privilege abuse can lead to data manipulation. This effects the integrity of information present in the database making it untrustworthy.

9

Assignment 2

6.0 My opinion As the writer, in my opinion there are some issue of database security that can be solved easily. Like platform vulnerabilities can be solved by anyone by simply having the system on auto update. Also, almost everyone familiar with computers today are familiar with anti-virus programs. Hence issues like these can be resolved easily. However, some issues need specialists. For example SQL injections cannot be solved by people without programming knowledge and database configurations can be corrected by experts in the field. So in order to have the best security measures best expertise are also needed. Furthermore, it might not be always possible to prevent database from attacks in such cases having proper security measures will help bring database back on track in least amount of time. Other than the above mentioned, it is also worth mentioning that although the discussed are the issue of database security present today. Future might show new threats that arise with new technologies. When relational database model gets deprecated and object oriented databases takes over it is bound to bring security issues of its own along with it.

10

Assignment 2

7.0 Conclusion This paper looked into most common security issues that are present today in database security. With the help of identified security issues the suggested solutions can be implemented by companies to safeguard their content store on databases. The explanations given by different authors about different securities were understandable and examples presented were related or cases that have happened or are likely to happen. This helps to understand possible breaches due to different kinds of vulnerabilities in the database. Database security issues discussed here can be used while setting up databases so that it is ready in terms of security before going forward. As mentioned early technology is evolving rapidly. It might be a good idea to think about possible future security issues that come along with the changes that come to database management system. Although it may solve some problems it might also bring another.

11

Assignment 2

Bibliography Acunetix. (2015). SQL Injection: What is it? Retrieved from acunetix: https://www.acunetix.com/websitesecurity/sql-injection/ Goldman, J. (2014, August 6). CyberVor Breach Exposes 1.2 Billion User Names, Passwords. Retrieved from eSecurity Planet: http://www.esecurityplanet.com/hackers/cybervor-breach-exposes-1.2-billion-usernames-passwords.html Lane, A. (2013, June 23). 10 Most Common Security Vulnerabilities In Enterprise Databases. Retrieved from Dark Reading: http://www.darkreading.com/risk/10-most-commonsecurity-vulnerabilities-in-enterprise-databases/d/d-id/1139979? Murray, M. C. (2010). Database Security: What Students Need to Know. (A. Scime, Ed.) Journal of Information Technology Education: Innovations in Practice, 9, 62-77. Osborne, C. (2013, June 26). The top ten most common database security vulnerabilities. Retrieved from ZDNET: http://www.zdnet.com/article/the-top-ten-most-commondatabase-security-vulnerabilities/ Paganini, P. (n.d.). Databases - Vulnerabilities, Costs of Data Breaches and Countermeasures. Retrieved from Infosec Institute: http://resources.infosecinstitute.com/databases-vulnerabilities-costs-of-data-breachesand-countermeasures/ Shulman, A. (2006). Top Ten Database Security Threats. Retrieved from www.schell.com/Top_Ten_Database_Threats.pdf Stonecypher, L. (2010, January 14). Threats to Database Security. Retrieved from Bright Hub: http://www.brighthub.com/computing/smb-security/articles/61554.aspx

12