5a - Database Securi..



  1. Security Architecture (1 of 2)
  2. Security Concerns: Viruses, Denial of Service, Information Theft, Unauthorized Access, Industrial Espionage, Hacktivism, Public Confidence, Privacy, Pornography, Internet
  3. Security Expectations
     • Users can perform only authorized tasks
     • Users can obtain only authorized information
     • Users cannot cause damage to the data, applications, or operating environment of a system
  4. Motivations for Security
  5. Network Security Weaknesses
     • Technology weaknesses
     • Configuration weaknesses
     • Security policy weaknesses
  6. Technology Weaknesses
     • All computer and network technologies have inherent security weaknesses or vulnerabilities.
     • Don’t overlook:
       • Hardware issues
       • OS issues
       • Network protocol issues (even TCP/IP)
       • Application vulnerabilities
  7. Configuration Weaknesses
     • Insecure default settings
       • If you left the defaults, you are dead.
     • Misconfigured network equipment
       • A little knowledge is a dangerous thing
     • Insecure user accounts/passwords
       • End-users can’t be trusted to use strong passwords
     • Misconfigured Internet services
       • HTTP, Java, CGI, unneeded services.
  8. Security Policy Weaknesses
     • Lack of a written security policy
     • Internal politics
     • Lack of business continuity
       • Turnover in staff/management can be devastating
     • Logical access controls to network equipment are not applied
     • Security administration is lax, including monitoring and auditing
     • Lack of awareness of having been attacked
     • Software and hardware installation and changes do not follow the policy
     • Security incident and disaster recovery procedures are not in place
  9. Categories of Network Threats
     • Unstructured
     • Structured
     • Internal
     • External
  10. Threats and Consequences
  11. Database Security
      • Degree to which data is fully protected from tampering or unauthorized acts
      • Comprises
        • Information system
        • Information security concepts
  12. Information Systems
      • Comprised of components working together to produce and generate accurate information
      • Wise decisions require:
        • Accurate and timely information
        • Information integrity
      • Categorized based on usage
  13. Information Systems Components
  14. Database Management
      • Essential to success of information system
      • DBMS functions:
        • Organize data
        • Store and retrieve data efficiently
        • Manipulate data (update and delete)
        • Enforce referential integrity and consistency
        • Enforce and implement data security policies and procedures
        • Back up, recover, and restore data
  15. Client Server Database systems
  16. Database Management
      • Data
      • Hardware
      • Software
      • Networks
      • Procedures
      • Database servers
  17. Information Security Architecture
      • Protects data and information produced from the data
      • Model for protecting logical and physical assets
      • Is the overall design of a company’s implementation of C.I.A. triangle
  18. Information Security Architecture
  19. Confidentiality
      • Addresses two aspects of security:
        • Prevention of unauthorized access
        • Information disclosure based on classification
      • Classify information into levels:
        • Each level has its own security measures
        • Usually based on degree of confidentiality necessary to protect information
  20. Eavesdropping – Packet Sniffing
  21. Confidentiality Classification
  22. Integrity
      • Consistent and valid data, processed correctly, yields accurate information
      • Information has integrity if:
        • It is accurate
        • It has not been tampered with
      • Read consistency
        • Each user sees only his changes and those committed by other users
  23. Degradation of Data Integrity
  24. Degradation of Data Integrity
  25. Availability
      • Systems must always be available to authorized users
      • The system determines what a user can do with the information
      • Reasons for a system to become unavailable:
        • External attacks and lack of system protection
        • System failure with no disaster recovery strategy
        • Overly stringent and obscure security policies
        • Bad implementation of authentication processes
  26. Fin…