Database security management to improve organization performance
An important requirement of any information management system is to protect data and resources within the computer against unauthorized disclosure (confidentiality) and unauthorized or improper modification (integrity), while at the same time ensuring their availability to legitimate users (no denial of service). Ensuring protection therefore requires that every access to a system and its resources be controlled, and that all and only authorized accesses can take place. In this article, we look at a protection system for a database using access control mechanisms, models, and policies.
Databases have a long history of storing important intellectual property and items that are considered valuable and proprietary to companies and institutions. Because of this, they usually live in an environment of mystery to all but the database and network administrators. The less anyone knows about the databases, the better. Users generally access the database through a client interface, and their actions are restricted to ensure the confidentiality, integrity, and availability of the data held within the database and the structure of the database itself.
The risk is increasing as companies and institutions rush to connect their networks to the internet, allow remote user access, and provide more and more access to external entities.
What is a database?
A database is a collection of data stored in a meaningful way that enables multiple users and applications to access, view, and modify data when needed. The database is managed by software that provides these capabilities. That software also enforces access control restrictions, provides data integrity and redundancy, and sets up different procedures for data manipulation. Such software is referred to as a database management system (DBMS) and is usually controlled by a database administrator.
Databases not only store data, but also process data and represent it in a more usable and logical form. The database is the mechanism that provides the structure for the data collected.
From the above, we ask ourselves: what are the benefits of these databases, and of what importance are they to organizations? The list below outlines the benefits of databases.
Benefits of databases
Reduced data redundancy
Reduced updating errors and increased consistency
Greater data integrity and independence from application programs
Improved data access for users through the use of host and query languages
Improved data security
Reduced data entry, storage, and retrieval costs
Facilitated development of new application programs
Having seen the importance of databases, it is imperative to protect them from every form of unauthorized disclosure and to ensure they are readily available when needed. It is also important that we protect data from every form of attack, be it a virus attack, a SQL attack, cross-site scripting, worms, or any other security issue affecting databases. This leads us to the various types of threats to database security.
Database Security Issues
Excessive privilege abuse
Legitimate privilege abuse
Privilege Elevation
Database Platform Vulnerabilities
SQL Injection
Weak Audit Trail
Denial of Service
Database Communication Protocol Vulnerabilities
Weak Authentication
Backup Data Exposure
Threat 1 - Excessive Privilege Abuse: When users (or applications) are granted database access privileges that exceed the requirements of their job function, these privileges may be abused for malicious purposes. For instance, a university administrator whose job requires only the ability to change student contact information may take advantage of excessive database update privileges to change grades. A given database user ends up with excessive privileges for the simple reason that database administrators do not have the time to define and update granular access privilege control mechanisms for each user. As a result, all users or large groups of users are granted generic default access privileges that far exceed specific job requirements.
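The university scenario above, as an added example (not code from the original article): SQLite has no GRANT statement, so Python's sqlite3 authorizer callback stands in for column-level update privileges. The role names, the students table and its columns are assumptions made for the illustration.

```python
import sqlite3

# Constructed policy: the columns each role may UPDATE in the students table.
# On a server DBMS this would be a column-level grant such as
# GRANT UPDATE (phone, email) ON students TO contact_admin.
UPDATE_GRANTS = {
    "contact_admin": {("students", "phone"), ("students", "email")},
    "grading_officer": {("students", "grade")},
}

def restrict(conn, role):
    """Limit this connection to the UPDATE rights granted to the role."""
    allowed = UPDATE_GRANTS.get(role, set())

    def authorizer(action, arg1, arg2, dbname, source):
        # For SQLITE_UPDATE, arg1 is the table name and arg2 the column name.
        if action == sqlite3.SQLITE_UPDATE and (arg1, arg2) not in allowed:
            return sqlite3.SQLITE_DENY
        if action in (sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)

def run_sample(role="contact_admin"):
    """Try a contact update and a grade update as the given role."""
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("CREATE TABLE students "
                 "(id INTEGER PRIMARY KEY, phone TEXT, email TEXT, grade TEXT)")
    conn.execute("INSERT INTO students VALUES (1, '555-0100', 'a@example.edu', 'C')")
    restrict(conn, role)  # schema setup happens before the restriction applies
    outcome = {}
    for label, sql in (
        ("phone", "UPDATE students SET phone = '555-0199' WHERE id = 1"),
        ("grade", "UPDATE students SET grade = 'A' WHERE id = 1"),
    ):
        try:
            conn.execute(sql)
            outcome[label] = "allowed"
        except sqlite3.DatabaseError:  # raised as "not authorized"
            outcome[label] = "denied"
    outcome["row"] = conn.execute("SELECT phone, grade FROM students").fetchone()
    return outcome
```

With the default role the contact change succeeds and the grade change is refused by the database itself, whatever client issued it.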
Threat 2 - Legitimate Privilege Abuse: Users may also abuse legitimate database privileges for unauthorized purposes. Consider a hypothetical rogue healthcare worker with privileges to view individual patient records via a custom web application. The structure of the web application normally limits users to viewing an individual patient's healthcare history. Multiple records cannot be viewed simultaneously, and electronic copies are not allowed. However, the rogue worker may circumvent these limitations by connecting to the database using an alternative client such as MS-Excel. Using MS-Excel and his legitimate login credentials, the worker may retrieve and save all patient records. It is unlikely that such personal copies of patient record databases comply with any healthcare organization's data protection policies. There are two risks to consider. The first is the rogue worker who is willing to trade patient records for money. The second (and perhaps more common) is the negligent employee who retrieves and stores large amounts of information on their client machine for legitimate work purposes. Once the data exists on an endpoint machine, it becomes vulnerable to Trojans, laptop theft, etc.
Threat 3 - Privilege Elevation: Attackers may take advantage of database platform software vulnerabilities to convert access privileges from those of an ordinary user to those of an administrator. Vulnerabilities may be found in stored procedures, built-in functions, protocol implementations, and even SQL statements. For example, a software developer at a financial institution might take advantage of a vulnerable function to gain database administrative privileges. The rogue developer may then turn off audit mechanisms, create bogus accounts, transfer funds, etc.
Threat 4 - Platform Vulnerabilities: Vulnerabilities in underlying operating systems (Windows 2000, UNIX, etc.) and additional services installed on a database server may lead to unauthorized access, data corruption, or denial of service. The Blaster Worm, for example, took advantage of a Windows 2000 vulnerability to create denial of service conditions.
Threat 5 - SQL Injection: In a SQL injection attack, a perpetrator typically inserts (or "injects") unauthorized database statements into a vulnerable SQL data channel. Typically targeted data channels include stored procedures and web application input parameters. The injected statements are then passed to the database, where they are executed. Using SQL injection, attackers may gain unrestricted access to an entire database.
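The vulnerable data channel described above, next to its corrected form, as an added example (not code from the original article). The accounts table, its rows and the crafted input are constructed for the illustration, and SQLite stands in for the production database.

```python
import sqlite3

def make_db():
    """Build a small in-memory table of constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "clerk"), ("bob", "clerk"), ("carol", "dba")],
    )
    return conn

def lookup_concatenated(conn, username):
    # Vulnerable pattern: the input becomes part of the SQL text, so quote
    # characters in it change the structure of the statement.
    sql = "SELECT username, role FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Corrected pattern: the statement text is fixed and the input is bound
    # as a value, so it is only ever compared against the column.
    sql = "SELECT username, role FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def injection_demo():
    """Return results for a normal lookup and for the same crafted input
    sent through the concatenated and the parameterized query."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # constructed web-form input
    return (
        lookup_concatenated(conn, "alice"),
        lookup_concatenated(conn, crafted),
        lookup_parameterized(conn, crafted),
    )
```

The concatenated query returns every row for the crafted input, while the parameterized query returns none because no account has that literal name.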
Threat 6 - Weak Audit Trail: Automated recording of all sensitive and/or unusual database transactions should be part of the foundation underlying any database deployment. A weak database audit policy represents a serious organizational risk on many levels.
Regulatory Risk - Organizations with weak (or sometimes non-existent) database audit mechanisms will increasingly find that they are at odds with government regulatory requirements. Sarbanes-Oxley (SOX) in the financial services sector and the Healthcare Information Portability and Accountability Act (HIPAA) in the healthcare sector are just two examples of government regulation with clear database audit requirements.
Deterrence - Like video cameras recording the faces of individuals entering a bank, database audit mechanisms serve to deter attackers who know that database audit tracking provides investigators with forensics linking intruders to a crime.
Detection and Recovery - Audit mechanisms represent the last line of database defense. If an attacker manages to circumvent other defenses, audit data can identify the existence of a violation after the fact. Audit data may then be used to link a violation to a particular user and/or repair the system. Database software platforms typically integrate basic audit capabilities, but they suffer from multiple weaknesses that limit or preclude deployment.
Lack of User Accountability - When users access the database via web applications (such as SAP, Oracle E-Business Suite, or PeopleSoft), native audit mechanisms have no awareness of specific user identities. In this case, all user activity is associated with the web application account name. Therefore, when native audit logs reveal fraudulent database transactions, there is no link to the responsible user.
Performance Degradation - Native database audit mechanisms are notorious for consuming CPU and disk resources. The performance decline experienced when audit features are enabled forces many organizations to scale back or altogether eliminate audits.
Separation of Duties - Users with administrative access to the database server can simply turn off auditing to hide fraudulent activity. Audit duties should ideally be separate from both database administrators and the database server platform.
Limited Granularity - Many native audit mechanisms do not record details necessary to support attack detection, forensics, and recovery. For example, database client applications, source IP addresses, query response attributes, and failed queries (an important attack reconnaissance indicator) are not recorded by many native mechanisms.
Proprietary - Audit mechanisms are unique to the database server platform: Oracle logs are different from MS-SQL logs, MS-SQL logs are different from Sybase logs, etc. In organizations with mixed database environments, this virtually eliminates the possibility of implementing uniform, scalable audit processes across the enterprise.
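An added example (not code from the original article or from any database product) of an application-side audit record that addresses the accountability, granularity and separation-of-duties gaps listed above: it logs the real end user behind a shared application account, the source IP, the client application and failed queries, and chains records with an HMAC. The class, field names, key and sample data are assumptions.

```python
import hashlib
import hmac
import json
import sqlite3

def chain_mac(key, prev_mac, record):
    body = json.dumps({k: v for k, v in record.items() if k != "mac"}, sort_keys=True)
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

class AuditedConnection:
    """Runs queries on the shared application account and logs the real end user."""
    def __init__(self, conn, log, key):
        self.conn, self.log, self.key = conn, log, key

    def execute(self, end_user, source_ip, client_app, sql, params=()):
        record = {"end_user": end_user, "source_ip": source_ip,
                  "client_app": client_app, "sql": sql, "status": "ok"}
        try:
            return self.conn.execute(sql, params).fetchall()
        except sqlite3.Error as exc:
            record["status"] = "failed: %s" % exc  # failed queries are recorded too
            raise
        finally:
            # Chain records with an HMAC whose key is held outside the DBAs'
            # control, so an edited record no longer verifies.
            prev = self.log[-1]["mac"] if self.log else ""
            record["mac"] = chain_mac(self.key, prev, record)
            self.log.append(record)

def verify_log(log, key):
    """Return False if any record was edited or the chain was broken."""
    prev = ""
    for record in log:
        if not hmac.compare_digest(chain_mac(key, prev, record), record["mac"]):
            return False
        prev = record["mac"]
    return True

def run_sample(key=b"constructed-demo-key"):
    conn = sqlite3.connect(":memory:")  # constructed sample database
    conn.execute("CREATE TABLE accounts (id INTEGER, balance INTEGER)")
    conn.execute("INSERT INTO accounts VALUES (1, 100)")
    db = AuditedConnection(conn, [], key)
    db.execute("alice", "192.0.2.10", "billing-web", "SELECT balance FROM accounts")
    try:
        db.execute("bob", "192.0.2.11", "billing-web", "SELECT * FROM acounts")
    except sqlite3.Error:
        pass
    return db.log
```

Bound parameter values are deliberately left out of the record, since they may themselves be sensitive data; in a deployment the log and its key would live on a system the database administrators do not control.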
Threat 7 - Denial of Service: Denial of service (DOS) is a general attack category in which access to network applications or data is denied to intended users. DOS conditions may be created via many techniques, many of which are related to previously mentioned vulnerabilities. For example, DOS may be achieved by taking advantage of a database platform vulnerability to crash a server. Other common DOS techniques include data corruption, network flooding, and server resource overload (memory, CPU, etc.). Resource overload is particularly common in database environments. The motivations behind DOS are similarly diverse. DOS attacks are often linked to extortion scams in which a remote attacker will repeatedly crash servers until the victim deposits funds to an international bank account. Alternatively, DOS may be traced to a worm infection. Whatever the source, DOS represents a serious threat to many organizations.
Threat 8 - Database Communication Protocol Vulnerabilities: A growing number of security vulnerabilities are being identified in the database communication protocols of all database vendors. Four out of security fixes in the two most recent IBM DB2 FixPacks address protocol vulnerabilities [1]. Similarly, 11 out of 23 database vulnerabilities fixed in the most recent Oracle quarterly patch relate to protocols. Fraudulent activity targeting these vulnerabilities can range from unauthorized data access to data corruption to denial of service. The SQL Slammer worm [2], for example, took advantage of a flaw in the Microsoft SQL Server protocol to force denial of service. To make matters worse, no record of these fraud vectors will exist in the native audit trail, since protocol operations are not covered by native database audit mechanisms.
Threat 9 - Weak Authentication: Weak authentication schemes allow attackers to assume the identity of legitimate database users by stealing or otherwise obtaining login credentials.
Brute Force - The attacker repeatedly enters username/password combinations until he finds one that works. The brute force process may involve simple guesswork or systematic enumeration of all possible username/password combinations. Often an attacker will use automated programs to accelerate the brute force process.
Social Engineering - A scheme in which the attacker takes advantage of the natural human tendency to trust in order to convince others to provide their login credentials. For example, an attacker may present himself via phone as an IT manager and request login credentials for "system maintenance" purposes.
Direct Credential Theft - An attacker may steal login credentials by copying post-it notes, password files, etc.
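On the detection side, the repeated and automated login attempts described under brute force show up as bursts of failures from one source. The following is an added example (not from the original article); the log format, the sample lines and the threshold are constructed assumptions, not the output of any particular DBMS.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp result user source" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL admin 203.0.113.7
2024-05-01T09:00:02 FAIL admin 203.0.113.7
2024-05-01T09:00:03 FAIL sa 203.0.113.7
2024-05-01T09:00:04 FAIL sa 203.0.113.7
2024-05-01T09:00:05 FAIL root 203.0.113.7
2024-05-01T09:00:06 FAIL root 203.0.113.7
2024-05-01T09:02:10 FAIL jsmith 198.51.100.4
2024-05-01T09:05:40 FAIL jsmith 198.51.100.4
2024-05-01T09:05:55 OK jsmith 198.51.100.4
"""

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source: sorted usernames tried} for every source with at
    least `threshold` failed logins inside one sliding `window`."""
    recent = defaultdict(deque)  # source -> (time, user) failures still in window
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        stamp, result, user, source = parts
        if result != "FAIL":
            continue
        when = datetime.fromisoformat(stamp)
        failures = recent[source]
        failures.append((when, user))
        # Drop failures that have aged out of the window.
        while when - failures[0][0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            flagged.setdefault(source, set()).update(u for _, u in failures)
    return {source: sorted(users) for source, users in flagged.items()}
```

On the sample lines only the source that tried several accounts within seconds is flagged; the user who mistyped a password twice, minutes apart, is not.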
Threat 10 - Backup Data Exposure: Backup data storage media is often completely unprotected from attack. As a result, several high-profile security breaches have involved the theft of database backup tapes and hard disks.
Although database information is vulnerable to a host of attacks, it is possible to dramatically reduce risk by focusing on the most critical threats. This write-up focuses mainly on access control policies, models, technologies, strategies, mechanisms, and monitoring tools that can be used to protect the database from unauthorized disclosure and modification, so that it can be available when needed.