SlideShare a Scribd company logo

Security Issues Surrounding Data Manipulation in a Relational Database

David Murphy
David Murphy
1 of 5
Download to read offline
1 Security Issues Surrounding Data Manipulation in a Relational Database David Murphy 5th November 2015 Abstract - It is no secret that we are quite dependent on big data. Over two-thirds of organisations owe their success to technology, and information ease of access. It still remains that database security is an important issue considering the alarming number of incidents involving unauthorised data exposure, especially with the volume of sensitive data that is becoming increasingly available. With that being said, it is becoming hard to feel safe with the confidentiality of database managements system handling heterogeneous data. Numerous security mechanisms have been implemented to protect against unwarranted data exposure and modification. Even so, there have still been cases of data exposure. This paper will investigate the security issues involved in database management systems. Keywords - RDBMS, access control policies, data exposure, SQL. Database management system, manipulation, access control policies, privileges, security threats, authorization, injection, vulnerabilities. 1. INTRODUCTION With the conspicuous exponential growth of heterogeneous data and the significant role it plays in the technological world we live in, it’s easy to notice the value of database management systems. There have been several real-world cases of database breaching, in particular with some of the biggest multi-national companies and conglomerates. It is because of this very reason that the security of information (data) will always be under some degree of risk. Unauthorised persons will seek out an opportunity to expose and alter database content for numerous reasons, many of which are illegal. In 2011 alone, 5 worldwide organisations databases were compromised including RSA security, ESTsoft and Sony’s Playstation Network (PSN) where millions of records had been exposed and sold that included sensitive information like credit card details. Naturally, this has caused a sense of discomfort as people begin to believe that their data is not secure. The remainder of this paper is as follows: Section 2 will introduce the relational database management system and the access control policies that have established as a medium of security for the database. Sections 3 and 4 will discuss the issues involving data manipulation in relational databases. 2. RELATIONAL DATABASE MANAGEMENT SYTEMS A relational database management system (RDBMS) is a tool that allows a user to create, modify, and administer a relational database that contains ever- growing volumes of information. A secure database will comprise of three principal requirements, Confidentiality, Integrity, and Availability (CIA): - Confidentiality refers to the level of data exposure i.e. only those with appropriate authorisation can access the data. Those who do not have authorisation do not have access to the data. Integrity refers to the trustworthiness of information i.e. assurance that the information was not modified by an unauthorised source. Availability refers to the availability of data i.e. the prevention of attack techniques that make data inaccessible such as Denial Of Service (DoS) attacks [1]. Access control policies were implemented to enforce the security of database information. When a subject (user)
2 attempts to access information of a DBMS, the access control mechanism compares the subject’s access privileges to a predetermined set of authorisation rules in terms of data confidentiality. These “rules” detail a list of access policies surrounding the object (database). For example, which roles have sufficient authorisation. There are three main access control policies that are implemented on relational databases. 2.1 Mandatory Access Control Mandatory Access Control (MAC) is a built-in mechanism that constrains a user’s ability to access or modify data, and cannot be revised by system users. It requires all subject’s to abide by rules that were established by the Database Administrator (DBA). It is enforced by comparing attributes of a subject (user) and an object (information) to control access to the object. It restricts access to objects based on the sensitivity of the information[2]. The enforcement of two principles :- No Read-Up + No Write down, protects sensitive information from being accessed or altered by subjects with deficient privileges. The Department of Defence (DoD) have adapted the mandatory access control mechanism[3]. 2.2 Discretionary Access Control The Discretionary Access Control (DAC) policy includes mechanisms for granting (and revoking) access permissions to subjects (users) based on the subjects identity and authorizations. These authorizations or guidelines specify access modes, for each subject and each object in the system [2]. Once this mechanism implemented, the ability to grant/revoke subject privileges lies with the DBA. This policy is called “Authorisation Administration”. There are two types of such administration: - Centralized administration, whereby some privileged subjects can grant or revoke authorizations, and Ownership administration, where only the database creator can grant or revoke subjects some or all privileges on objects to users. 2.2.1 System R Authorisation Model One model that adapted the discretionary access control policy is the System R authorisation model. Here, objects are tables of n rows and n columns of formatted information. The access modes that subjects can exercise on tables correspond to operations that can be executed on tables in a process called data manipulation [4]. 2.3 Role-Based Access Control The Role-Based Access Control (RBAC) policy was established to directly represent access control mechanisms for organisations. RBAC policies govern a user’s “role” in an organisation, whereby a role encapsulates access privileges detailing a set of authorised functions available to the user. If the user belongs to a role that does not have sufficient access privileges, then they are denied access. If the user wishes to gain access to the information, they have to be granted privileges by a user that has the ability to perform the operation, such as the database administrator. Of course, the DBA can also revoke privileges from users. 2.3.1 NIST Reference Model The National Institute of Standards and Technology (NIST) RBAC reference model takes the access decision for an individual user based on the roles the user has in the organisation. The access rights are grouped by role name, and the access to a resource is granted or revoked according to the users authorisation status [2]. The NIST reference model is illustrated in Figure 1 below
3 Fig. 1: The NIST RBAC reference model 3. DATA MANIPULATION IN A RDBMS Data manipulation is the process of modifying data stored in a database i.e. creating new data or modifying pre-existing data. Data manipulation language (DML) exists in relational database management systems in the form of Structured Query Language (SQL). As mentioned in the discretionary access control policy, SQL gives the user privileges to perform operations on database content. They can access the data for reading operations and writing operations, depending on what privileges they are granted. The primary threat to SQL as a data manipulation language is SQL injection, where an unauthorised user executes illicit queries on a database to gain information needed to access the database content. However, SQL injection is not the only threat regarding data manipulation. There is forms of privilege abuse issues, as well as authentication validation vulnerabilities, that I will discuss in the next section. 4. SECURITY ISSUES SURROUNDING DATA MANIPULATION IN A RELATIONAL DBMS The main issues surrounding security in a relational database system are its vulnerabilities to attack. Taking into account the occurrences of database breaches in the last 5 years alone, there has evident flaws being exploited in database security. TalkTalk, one of the biggest telecommunications companies in the UK, had it’s database content exposed by an unauthorised hacker group. The hacker’s had gained access unlawfully to millions of customer records including sensitive information e.g. credit card details. It is believed that the company’s database had a weak authentication policy, as changed passwords were stored in plaintext rather than encrypted with a “salt". The unauthorised users invoked SQL injection to access the data [5]. 4.1 SQL Injection One of the biggest security issues is an attack called SQL injection (SQLIA). Here, a perpetrator typically “injects” unauthorised database statements into a vulnerable SQL data channel. Typically targeted data channels include stored procedures and Web application input parameters. These injected statements are then passed to the database where they are executed [6]. This form of attack attempts to enable the unauthorised user to access the database information. There are five methods of SQIA that are available to an attacker. Damaging with additional injected query is a simple injection attack method. This involves interaction with the authentication service on the database’s web application. By submitting illegal SQL statements, an attacker gathers sufficient information about the database management system to gain access to the information. This is called database fingerprinting. In order to avoid this type of incident, web applications should enforce user input validation to eliminate the injection of harmful SQL queries [7]. Another type of attack is injection with the UNION SQL query. Here, the attacker gets data from a table, which is different from one that was intended by developer. There are other techniques available to protect against SQLIA. The introduction of an Intrusion Prevention System (IPS) could discover vulnerable stored procedures, or the injection of unlawful SQL queries. Working with query-level access control violation can help identify an attack [6].
4 4.2 Privilege Abuse Another issue with security in relation database management systems is privilege abuse. When users (subjects) have sufficient access privileges to manipulate a database outside of their job requirements, these privileges can be exploited for improper use. This issue is evident more so in relational DBMS that incorporates a discretionary access control policy or a role-based access control policy. Take, for example, an organisation where a low-level employee has been granted the same database access privileges as a manager. This employee has the ability to harmfully manipulate the information where they should not. This is an example of legitimate privilege abuse. In order to avoid the occurrence of this issue, an acceptable standard of privilege delegation should be implemented. Only those with appropriate permissions can assign users to roles, where privileges are granted/revoked depending on the nature of the role. There should also be an access control policy that applies to all contextual information about database access by enforcing policy for user applications, time of day, etc. [6]. 4.3 Denial Of Service Of course there is also the potential occurrence of a Denial of Service (DoS) attack where the attackers will make all database information inaccessible for authorised users. DoS is the process of “flooding” a database system with a volume of requests that the server cannot handle, causing the database server to crash. Methods of avoiding DoS attacks involve dynamic profiling and connection controls, which can be used to identify illegal SQL queries. Any query that does not match previously established user or application patterns are immediately identified and rejected [6]. 4.4 Weak Authentication According to Basharat, Azam, and Muzaffar, A weak authentication strategy renders the databases more vulnerable to attackers. The identity of database users are stolen or the login credentials are obtained through some source which then helps in modification of data or obtaining sensitive information and if authentication is not properly implemented and is weak, it helps the attacker to steal data[8]. The most effective way to combat this potential threat is to sanitise user input on web applications. By doing so, any attacker that attempts to insert illicit SQL statements into the web application will be detected and rejected. 5. CONCLUSION It is conspicuous that the need for database security increases proportional to the exponential growth of big data in the technological world we inherit today. From 2013 to 2020, the digital universe will grow by a factor of 10 – from 4.4 trillion gigabytes to 44 trillion. It more than doubles every two years[9]. In this paper, I have identified and discussed the issues involved with data manipulating operations performed on relational database management systems that enforce different access control policies as a means of database confidentiality, integrity, and availability. I have also outlined the various techniques available to avoid the occurrence of these potential issues. 6. REFLECTION Having completed this research paper, I have learned a substancial amount about database security and the implementation of different access policies that constitute a protected database mangement system. I have also learned about the various threats to database security, and techniques available to defend against such threats. Taking into consideration the different real-world examples of database secuirty breaches I have mentioned in this paper, my point has been further expressed. Of course I would not have been able to complete this paper to an acceptable standard without the aim of good resources that I have cited throughtout.
5 REFERENCES [1] - University of Miami, Miller School of Medicine. 2006. confidentiality, integrity, availability (CIA). [ONLINE] Available at: http://privacy.med.miami.edu/glossary/xd_confidentiality_int egrity_availability.htm. [Accessed 04 November 15]. [2] - Patil, Meshram, A.P, B.B.M, 2012. Database Access Control Policies. / International Journal of Engineering Research and Applications (IJERA), [Online]. 2/3, 3151-3153. Available at:http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.416. 4856&rep=rep1&type=pdf [Accessed 03 November 2015]. [3] - National Institute of Standards and Technology. 1983. DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA. [ONLINE] Available at:http://csrc.nist.gov/publications/history/dod85.pdf. [Accessed 04 November 15]. [4] - Bertino, Sandhu, E.B, R.S, 2005. Database Security—Concepts, Approaches, and Challenges. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, [Online]. 2,1, 5. Available at:http://www.profsandhu.com/journals/ieee-depend- dbsec-05.pdf [Accessed 03 November 2015]. [5] - Engadget/Matt Brian. 2015. TalkTalk hack: what you need to know. [ONLINE] Available at:http://www.engadget.com/2015/10/23/talktalk-hack- explainer/. [Accessed 05 November 15]. [6] - Shulman, A.S, 2006. Top Ten Database Security Threats . How to Mitigate the Most Significant Database Vulnerabilities , [Online]. 1/1, 6. Available at: http://www.schell.com/Top_Ten_Database_Threats.pdf[Acce ssed 03 November 2015]. [7] - Kulkarni, Urolagin, S.K, S.U, 2012. Review of Attacks on Databases and Database Security Techniques.International Journal of Emerging Technology and Advanced Engineering, [Online]. 2/11, 255. Available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.414 .1729&rep=rep1&type=pdf [Accessed 04 November 2015]. [8]- Basharat, Azam, Wahab Muzaffar , I.B, F.A, A.W.M., 2012. Database Security and Encryption: A Survey Study. International Journal of Computer Applications (0975 – 888), [Online]. 47/12, 30. Available at:http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258. 8172&rep=rep1&type=pdf [Accessed 05 November 2015]. [9]- EMC. 2014. Data Growth, Business Opportunities, and the IT Imperatives. [ONLINE] Available at:http://www.emc.com/leadership/digital- universe/2014iview/executive-summary.htm. [Accessed 05 November 15].

Recommended

Database modeling and security
Database modeling and securityDatabase modeling and security
Database modeling and securityNeeharika Nidadavolu
 
Distributed database security with discretionary access control
Distributed database security with discretionary access controlDistributed database security with discretionary access control
Distributed database security with discretionary access controlJyotishkar Dey
 
Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Prosanta Ghosh
 
Database security
Database securityDatabase security
Database securitykeerthusandeepreddy
 
Database security copy
Database security copyDatabase security copy
Database security copyfika sweety
 
01 database security ent-db
01 database security ent-db01 database security ent-db
01 database security ent-dbuncleRhyme
 
Database Security
Database SecurityDatabase Security
Database SecurityShingalaKrupa
 
DB security
DB security DB security
DB securityERSHUBHAM TIWARI
 

Recommended

Database modeling and security
Database modeling and securityDatabase modeling and security
Database modeling and securityNeeharika Nidadavolu
 
Distributed database security with discretionary access control
Distributed database security with discretionary access controlDistributed database security with discretionary access control
Distributed database security with discretionary access controlJyotishkar Dey
 
Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Prosanta Ghosh
 
Database security
Database securityDatabase security
Database securitykeerthusandeepreddy
 
Database security copy
Database security copyDatabase security copy
Database security copyfika sweety
 
01 database security ent-db
01 database security ent-db01 database security ent-db
01 database security ent-dbuncleRhyme
 
Database Security
Database SecurityDatabase Security
Database SecurityShingalaKrupa
 
DB security
DB security DB security
DB securityERSHUBHAM TIWARI
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networksG Prachi
 
Database security
Database securityDatabase security
Database securityBirju Tank
 
Iaetsd database intrusion detection using
Iaetsd database intrusion detection usingIaetsd database intrusion detection using
Iaetsd database intrusion detection usingIaetsd Iaetsd
 
A DATABASE SYSTEM SECURITY FRAMEWORK
A DATABASE SYSTEM SECURITY FRAMEWORKA DATABASE SYSTEM SECURITY FRAMEWORK
A DATABASE SYSTEM SECURITY FRAMEWORKijcsit
 
The Constrained Method of Accessibility and Privacy Preserving Of Relational ...
The Constrained Method of Accessibility and Privacy Preserving Of Relational ...The Constrained Method of Accessibility and Privacy Preserving Of Relational ...
The Constrained Method of Accessibility and Privacy Preserving Of Relational ...IJERA Editor
 
CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...
CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...
CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...IJNSA Journal
 
Data Stream Controller for Enterprise Cloud Application
Data Stream Controller for Enterprise Cloud ApplicationData Stream Controller for Enterprise Cloud Application
Data Stream Controller for Enterprise Cloud ApplicationIJSRD
 
Database security issues
Database security issuesDatabase security issues
Database security issuesn|u - The Open Security Community
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and complianceActian Corporation
 
Presentation security measure
Presentation security measurePresentation security measure
Presentation security measuremukarram522
 
Enforcing secure and privacy preserving information brokering in distributed ...
Enforcing secure and privacy preserving information brokering in distributed ...Enforcing secure and privacy preserving information brokering in distributed ...
Enforcing secure and privacy preserving information brokering in distributed ...JPINFOTECH JAYAPRAKASH
 
Analysis of Various Attributes to Have a Secure Database
Analysis of Various Attributes to Have a Secure DatabaseAnalysis of Various Attributes to Have a Secure Database
Analysis of Various Attributes to Have a Secure DatabaseIOSR Journals
 
A03302001006
A03302001006A03302001006
A03302001006theijes
 
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...journal ijrtem
 
Privacy preserving and obscure delicate data with collaborative tagging
Privacy preserving and obscure delicate data with collaborative taggingPrivacy preserving and obscure delicate data with collaborative tagging
Privacy preserving and obscure delicate data with collaborative taggingeSAT Publishing House
 
1639(pm proofreading)(tracked)
1639(pm proofreading)(tracked)1639(pm proofreading)(tracked)
1639(pm proofreading)(tracked)Aida Harun
 
Dr. ritu soni
Dr. ritu soniDr. ritu soni
Dr. ritu soniijcite
 
Application security models
Application security modelsApplication security models
Application security modelsERSHUBHAM TIWARI
 
Database Security - IG
Database Security - IGDatabase Security - IG
Database Security - IGAnne Lee
 
res r1
res r1res r1
res r1Uthay Kumar
 
La sostenibilidad y la revolución energética
La sostenibilidad y la revolución energéticaLa sostenibilidad y la revolución energética
La sostenibilidad y la revolución energéticaNoelia del Valle Nebiolo
 
La ley de la cadena
La ley de la cadenaLa ley de la cadena
La ley de la cadenarigoberto arturo zapata sánchez
 

More Related Content

What's hot

Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networksG Prachi
 
Database security
Database securityDatabase security
Database securityBirju Tank
 
Iaetsd database intrusion detection using
Iaetsd database intrusion detection usingIaetsd database intrusion detection using
Iaetsd database intrusion detection usingIaetsd Iaetsd
 
A DATABASE SYSTEM SECURITY FRAMEWORK
A DATABASE SYSTEM SECURITY FRAMEWORKA DATABASE SYSTEM SECURITY FRAMEWORK
A DATABASE SYSTEM SECURITY FRAMEWORKijcsit
 
The Constrained Method of Accessibility and Privacy Preserving Of Relational ...
The Constrained Method of Accessibility and Privacy Preserving Of Relational ...The Constrained Method of Accessibility and Privacy Preserving Of Relational ...
The Constrained Method of Accessibility and Privacy Preserving Of Relational ...IJERA Editor
 
CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...
CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...
CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...IJNSA Journal
 
Data Stream Controller for Enterprise Cloud Application
Data Stream Controller for Enterprise Cloud ApplicationData Stream Controller for Enterprise Cloud Application
Data Stream Controller for Enterprise Cloud ApplicationIJSRD
 
Presentation security measure
Presentation security measurePresentation security measure
Presentation security measuremukarram522
 
Enforcing secure and privacy preserving information brokering in distributed ...
Enforcing secure and privacy preserving information brokering in distributed ...Enforcing secure and privacy preserving information brokering in distributed ...
Enforcing secure and privacy preserving information brokering in distributed ...JPINFOTECH JAYAPRAKASH
 
Analysis of Various Attributes to Have a Secure Database
Analysis of Various Attributes to Have a Secure DatabaseAnalysis of Various Attributes to Have a Secure Database
Analysis of Various Attributes to Have a Secure DatabaseIOSR Journals
 
A03302001006
A03302001006A03302001006
A03302001006theijes
 
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...journal ijrtem
 
Privacy preserving and obscure delicate data with collaborative tagging
Privacy preserving and obscure delicate data with collaborative taggingPrivacy preserving and obscure delicate data with collaborative tagging
Privacy preserving and obscure delicate data with collaborative taggingeSAT Publishing House
 
1639(pm proofreading)(tracked)
1639(pm proofreading)(tracked)1639(pm proofreading)(tracked)
1639(pm proofreading)(tracked)Aida Harun
 
Dr. ritu soni
Dr. ritu soniDr. ritu soni
Dr. ritu soniijcite
 
Application security models
Application security modelsApplication security models
Application security modelsERSHUBHAM TIWARI
 
Database Security - IG
Database Security - IGDatabase Security - IG
Database Security - IGAnne Lee
 

What's hot (19)

Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Database security
Database securityDatabase security
Database security
 
Iaetsd database intrusion detection using
Iaetsd database intrusion detection usingIaetsd database intrusion detection using
Iaetsd database intrusion detection using
 
A DATABASE SYSTEM SECURITY FRAMEWORK
A DATABASE SYSTEM SECURITY FRAMEWORKA DATABASE SYSTEM SECURITY FRAMEWORK
A DATABASE SYSTEM SECURITY FRAMEWORK
 
The Constrained Method of Accessibility and Privacy Preserving Of Relational ...
The Constrained Method of Accessibility and Privacy Preserving Of Relational ...The Constrained Method of Accessibility and Privacy Preserving Of Relational ...
The Constrained Method of Accessibility and Privacy Preserving Of Relational ...
 
CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...
CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...
CREDENTIAL BASED MEDIATOR ARCHITECTURE FOR ACCESS CONTROL AND DATA INTEGRATIO...
 
Data Stream Controller for Enterprise Cloud Application
Data Stream Controller for Enterprise Cloud ApplicationData Stream Controller for Enterprise Cloud Application
Data Stream Controller for Enterprise Cloud Application
 
Database security issues
Database security issuesDatabase security issues
Database security issues
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
 
Presentation security measure
Presentation security measurePresentation security measure
Presentation security measure
 
Enforcing secure and privacy preserving information brokering in distributed ...
Enforcing secure and privacy preserving information brokering in distributed ...Enforcing secure and privacy preserving information brokering in distributed ...
Enforcing secure and privacy preserving information brokering in distributed ...
 
Analysis of Various Attributes to Have a Secure Database
Analysis of Various Attributes to Have a Secure DatabaseAnalysis of Various Attributes to Have a Secure Database
Analysis of Various Attributes to Have a Secure Database
 
A03302001006
A03302001006A03302001006
A03302001006
 
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
 
Privacy preserving and obscure delicate data with collaborative tagging
Privacy preserving and obscure delicate data with collaborative taggingPrivacy preserving and obscure delicate data with collaborative tagging
Privacy preserving and obscure delicate data with collaborative tagging
 
1639(pm proofreading)(tracked)
1639(pm proofreading)(tracked)1639(pm proofreading)(tracked)
1639(pm proofreading)(tracked)
 
Dr. ritu soni
Dr. ritu soniDr. ritu soni
Dr. ritu soni
 
Application security models
Application security modelsApplication security models
Application security models
 
Database Security - IG
Database Security - IGDatabase Security - IG
Database Security - IG
 

Viewers also liked

La sostenibilidad y la revolución energética
La sostenibilidad y la revolución energéticaLa sostenibilidad y la revolución energética
La sostenibilidad y la revolución energéticaNoelia del Valle Nebiolo
 
Cuento♥♥
Cuento♥♥Cuento♥♥
Cuento♥♥WenVeflo
 
BURHAN TALENT MANAGEMENT
BURHAN TALENT MANAGEMENTBURHAN TALENT MANAGEMENT
BURHAN TALENT MANAGEMENTOmar Rosli
 
AHT-Media newsletter uptodate
AHT-Media newsletter uptodateAHT-Media newsletter uptodate
AHT-Media newsletter uptodateFelix Ihah
 
Objetivos de la comunicación. Publicidad 2 Parcial
Objetivos de la comunicación. Publicidad 2 ParcialObjetivos de la comunicación. Publicidad 2 Parcial
Objetivos de la comunicación. Publicidad 2 ParcialStephanie Pinzón
 
Epistemología. Dra. lorna cruz
Epistemología. Dra. lorna cruzEpistemología. Dra. lorna cruz
Epistemología. Dra. lorna cruzug-dipa
 
How to make a Line Follower Robot
How to make a Line Follower RobotHow to make a Line Follower Robot
How to make a Line Follower RobotroboVITics club
 
Obstacle avoidance robot
Obstacle avoidance robotObstacle avoidance robot
Obstacle avoidance robotRahuldey1991
 

Viewers also liked (16)

res r1
res r1res r1
res r1
 
La sostenibilidad y la revolución energética
La sostenibilidad y la revolución energéticaLa sostenibilidad y la revolución energética
La sostenibilidad y la revolución energética
 
La ley de la cadena
La ley de la cadenaLa ley de la cadena
La ley de la cadena
 
Cuento♥♥
Cuento♥♥Cuento♥♥
Cuento♥♥
 
BURHAN TALENT MANAGEMENT
BURHAN TALENT MANAGEMENTBURHAN TALENT MANAGEMENT
BURHAN TALENT MANAGEMENT
 
Papel machê
Papel machêPapel machê
Papel machê
 
AHT-Media newsletter uptodate
AHT-Media newsletter uptodateAHT-Media newsletter uptodate
AHT-Media newsletter uptodate
 
Objetivos de la comunicación. Publicidad 2 Parcial
Objetivos de la comunicación. Publicidad 2 ParcialObjetivos de la comunicación. Publicidad 2 Parcial
Objetivos de la comunicación. Publicidad 2 Parcial
 
Epistemología. Dra. lorna cruz
Epistemología. Dra. lorna cruzEpistemología. Dra. lorna cruz
Epistemología. Dra. lorna cruz
 
Trayectorias
TrayectoriasTrayectorias
Trayectorias
 
Line Follower Final Report
Line Follower Final ReportLine Follower Final Report
Line Follower Final Report
 
Abastecimiento de agua
Abastecimiento de aguaAbastecimiento de agua
Abastecimiento de agua
 
How to make a Line Follower Robot
How to make a Line Follower RobotHow to make a Line Follower Robot
How to make a Line Follower Robot
 
Obstacle avoidance robot
Obstacle avoidance robotObstacle avoidance robot
Obstacle avoidance robot
 
Ppem
PpemPpem
Ppem
 
Kabinet djuanda
Kabinet djuandaKabinet djuanda
Kabinet djuanda
 

Similar to Security Issues Surrounding Data Manipulation in a Relational Database

A Review Report on Security Threats on Database
A Review Report on Security Threats on DatabaseA Review Report on Security Threats on Database
A Review Report on Security Threats on DatabaseShivnandan Singh
 
DATABASE SECURITY - ATTACKS AND CONTROL METHODS
DATABASE SECURITY - ATTACKS AND CONTROL METHODSDATABASE SECURITY - ATTACKS AND CONTROL METHODS
DATABASE SECURITY - ATTACKS AND CONTROL METHODSijistjournal
 
database-security-access-control-models-a-brief-overview-IJERTV2IS50406.pdf
database-security-access-control-models-a-brief-overview-IJERTV2IS50406.pdfdatabase-security-access-control-models-a-brief-overview-IJERTV2IS50406.pdf
database-security-access-control-models-a-brief-overview-IJERTV2IS50406.pdfDr Amit Phadikar
 
A Database System Security Framework
A Database System Security FrameworkA Database System Security Framework
A Database System Security FrameworkMaria Perkins
 
Database Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisaDatabase Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisaOllieShoresna
 
Security and Integrity violations, Authorisation and views, Integrity Constant
Security and Integrity violations, Authorisation and views, Integrity ConstantSecurity and Integrity violations, Authorisation and views, Integrity Constant
Security and Integrity violations, Authorisation and views, Integrity ConstantPrakash Kumar
 
A provenance policy based access
A provenance policy based accessA provenance policy based access
A provenance policy based accessijsptm
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management ActMichelle Singh
 
Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946Editor IJARCET
 
Comprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security ChallengesComprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security Challengessidraasif9090
 
DYNAMIC CLASSIFICATION OF SENSITIVITY LEVELS OF DATAWAREHOUSE BASED ON USER P...
DYNAMIC CLASSIFICATION OF SENSITIVITY LEVELS OF DATAWAREHOUSE BASED ON USER P...DYNAMIC CLASSIFICATION OF SENSITIVITY LEVELS OF DATAWAREHOUSE BASED ON USER P...
DYNAMIC CLASSIFICATION OF SENSITIVITY LEVELS OF DATAWAREHOUSE BASED ON USER P...ijdms
 
Data base security and injection
Data base security and injectionData base security and injection
Data base security and injectionA. Shamel
 
Application Of A New Database Management System
Application Of A New Database Management SystemApplication Of A New Database Management System
Application Of A New Database Management SystemPamela Wright
 
Data base security
Data base securityData base security
Data base securitySara Nazir
 

Similar to Security Issues Surrounding Data Manipulation in a Relational Database (20)

A Review Report on Security Threats on Database
A Review Report on Security Threats on DatabaseA Review Report on Security Threats on Database
A Review Report on Security Threats on Database
 
Data base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access methodData base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access method
 
A1802030104
A1802030104A1802030104
A1802030104
 
DATABASE SECURITY - ATTACKS AND CONTROL METHODS
DATABASE SECURITY - ATTACKS AND CONTROL METHODSDATABASE SECURITY - ATTACKS AND CONTROL METHODS
DATABASE SECURITY - ATTACKS AND CONTROL METHODS
 
database-security-access-control-models-a-brief-overview-IJERTV2IS50406.pdf
database-security-access-control-models-a-brief-overview-IJERTV2IS50406.pdfdatabase-security-access-control-models-a-brief-overview-IJERTV2IS50406.pdf
database-security-access-control-models-a-brief-overview-IJERTV2IS50406.pdf
 
A Database System Security Framework
A Database System Security FrameworkA Database System Security Framework
A Database System Security Framework
 
Database Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisaDatabase Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisa
 
Security and Integrity violations, Authorisation and views, Integrity Constant
Security and Integrity violations, Authorisation and views, Integrity ConstantSecurity and Integrity violations, Authorisation and views, Integrity Constant
Security and Integrity violations, Authorisation and views, Integrity Constant
 
A provenance policy based access
A provenance policy based accessA provenance policy based access
A provenance policy based access
 
Database Security - IK
Database Security - IKDatabase Security - IK
Database Security - IK
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946
 
Comprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security ChallengesComprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security Challenges
 
Database security
Database securityDatabase security
Database security
 
DYNAMIC CLASSIFICATION OF SENSITIVITY LEVELS OF DATAWAREHOUSE BASED ON USER P...
DYNAMIC CLASSIFICATION OF SENSITIVITY LEVELS OF DATAWAREHOUSE BASED ON USER P...DYNAMIC CLASSIFICATION OF SENSITIVITY LEVELS OF DATAWAREHOUSE BASED ON USER P...
DYNAMIC CLASSIFICATION OF SENSITIVITY LEVELS OF DATAWAREHOUSE BASED ON USER P...
 
Database security
Database securityDatabase security
Database security
 
Data base security and injection
Data base security and injectionData base security and injection
Data base security and injection
 
Application Of A New Database Management System
Application Of A New Database Management SystemApplication Of A New Database Management System
Application Of A New Database Management System
 
Data base security
Data base securityData base security
Data base security
 
Unit iii dbms
Unit iii dbmsUnit iii dbms
Unit iii dbms
 

Security Issues Surrounding Data Manipulation in a Relational Database

  • 1. 1 Security Issues Surrounding Data Manipulation in a Relational Database David Murphy 5th November 2015 Abstract - It is no secret that we are quite dependent on big data. Over two-thirds of organisations owe their success to technology, and information ease of access. It still remains that database security is an important issue considering the alarming number of incidents involving unauthorised data exposure, especially with the volume of sensitive data that is becoming increasingly available. With that being said, it is becoming hard to feel safe with the confidentiality of database managements system handling heterogeneous data. Numerous security mechanisms have been implemented to protect against unwarranted data exposure and modification. Even so, there have still been cases of data exposure. This paper will investigate the security issues involved in database management systems. Keywords - RDBMS, access control policies, data exposure, SQL. Database management system, manipulation, access control policies, privileges, security threats, authorization, injection, vulnerabilities. 1. INTRODUCTION With the conspicuous exponential growth of heterogeneous data and the significant role it plays in the technological world we live in, it’s easy to notice the value of database management systems. There have been several real-world cases of database breaching, in particular with some of the biggest multi-national companies and conglomerates. It is because of this very reason that the security of information (data) will always be under some degree of risk. Unauthorised persons will seek out an opportunity to expose and alter database content for numerous reasons, many of which are illegal. In 2011 alone, 5 worldwide organisations databases were compromised including RSA security, ESTsoft and Sony’s Playstation Network (PSN) where millions of records had been exposed and sold that included sensitive information like credit card details. Naturally, this has caused a sense of discomfort as people begin to believe that their data is not secure. The remainder of this paper is as follows: Section 2 will introduce the relational database management system and the access control policies that have established as a medium of security for the database. Sections 3 and 4 will discuss the issues involving data manipulation in relational databases. 2. RELATIONAL DATABASE MANAGEMENT SYTEMS A relational database management system (RDBMS) is a tool that allows a user to create, modify, and administer a relational database that contains ever- growing volumes of information. A secure database will comprise of three principal requirements, Confidentiality, Integrity, and Availability (CIA): - Confidentiality refers to the level of data exposure i.e. only those with appropriate authorisation can access the data. Those who do not have authorisation do not have access to the data. Integrity refers to the trustworthiness of information i.e. assurance that the information was not modified by an unauthorised source. Availability refers to the availability of data i.e. the prevention of attack techniques that make data inaccessible such as Denial Of Service (DoS) attacks [1]. Access control policies were implemented to enforce the security of database information. When a subject (user)
  • 2. 2 attempts to access information of a DBMS, the access control mechanism compares the subject’s access privileges to a predetermined set of authorisation rules in terms of data confidentiality. These “rules” detail a list of access policies surrounding the object (database). For example, which roles have sufficient authorisation. There are three main access control policies that are implemented on relational databases. 2.1 Mandatory Access Control Mandatory Access Control (MAC) is a built-in mechanism that constrains a user’s ability to access or modify data, and cannot be revised by system users. It requires all subject’s to abide by rules that were established by the Database Administrator (DBA). It is enforced by comparing attributes of a subject (user) and an object (information) to control access to the object. It restricts access to objects based on the sensitivity of the information[2]. The enforcement of two principles :- No Read-Up + No Write down, protects sensitive information from being accessed or altered by subjects with deficient privileges. The Department of Defence (DoD) have adapted the mandatory access control mechanism[3]. 2.2 Discretionary Access Control The Discretionary Access Control (DAC) policy includes mechanisms for granting (and revoking) access permissions to subjects (users) based on the subjects identity and authorizations. These authorizations or guidelines specify access modes, for each subject and each object in the system [2]. Once this mechanism implemented, the ability to grant/revoke subject privileges lies with the DBA. This policy is called “Authorisation Administration”. There are two types of such administration: - Centralized administration, whereby some privileged subjects can grant or revoke authorizations, and Ownership administration, where only the database creator can grant or revoke subjects some or all privileges on objects to users. 2.2.1 System R Authorisation Model One model that adapted the discretionary access control policy is the System R authorisation model. Here, objects are tables of n rows and n columns of formatted information. The access modes that subjects can exercise on tables correspond to operations that can be executed on tables in a process called data manipulation [4]. 2.3 Role-Based Access Control The Role-Based Access Control (RBAC) policy was established to directly represent access control mechanisms for organisations. RBAC policies govern a user’s “role” in an organisation, whereby a role encapsulates access privileges detailing a set of authorised functions available to the user. If the user belongs to a role that does not have sufficient access privileges, then they are denied access. If the user wishes to gain access to the information, they have to be granted privileges by a user that has the ability to perform the operation, such as the database administrator. Of course, the DBA can also revoke privileges from users. 2.3.1 NIST Reference Model The National Institute of Standards and Technology (NIST) RBAC reference model takes the access decision for an individual user based on the roles the user has in the organisation. The access rights are grouped by role name, and the access to a resource is granted or revoked according to the users authorisation status [2]. The NIST reference model is illustrated in Figure 1 below
  • 3. 3 Fig. 1: The NIST RBAC reference model 3. DATA MANIPULATION IN A RDBMS Data manipulation is the process of modifying data stored in a database i.e. creating new data or modifying pre-existing data. Data manipulation language (DML) exists in relational database management systems in the form of Structured Query Language (SQL). As mentioned in the discretionary access control policy, SQL gives the user privileges to perform operations on database content. They can access the data for reading operations and writing operations, depending on what privileges they are granted. The primary threat to SQL as a data manipulation language is SQL injection, where an unauthorised user executes illicit queries on a database to gain information needed to access the database content. However, SQL injection is not the only threat regarding data manipulation. There is forms of privilege abuse issues, as well as authentication validation vulnerabilities, that I will discuss in the next section. 4. SECURITY ISSUES SURROUNDING DATA MANIPULATION IN A RELATIONAL DBMS The main issues surrounding security in a relational database system are its vulnerabilities to attack. Taking into account the occurrences of database breaches in the last 5 years alone, there has evident flaws being exploited in database security. TalkTalk, one of the biggest telecommunications companies in the UK, had it’s database content exposed by an unauthorised hacker group. The hacker’s had gained access unlawfully to millions of customer records including sensitive information e.g. credit card details. It is believed that the company’s database had a weak authentication policy, as changed passwords were stored in plaintext rather than encrypted with a “salt". The unauthorised users invoked SQL injection to access the data [5]. 4.1 SQL Injection One of the biggest security issues is an attack called SQL injection (SQLIA). Here, a perpetrator typically “injects” unauthorised database statements into a vulnerable SQL data channel. Typically targeted data channels include stored procedures and Web application input parameters. These injected statements are then passed to the database where they are executed [6]. This form of attack attempts to enable the unauthorised user to access the database information. There are five methods of SQIA that are available to an attacker. Damaging with additional injected query is a simple injection attack method. This involves interaction with the authentication service on the database’s web application. By submitting illegal SQL statements, an attacker gathers sufficient information about the database management system to gain access to the information. This is called database fingerprinting. In order to avoid this type of incident, web applications should enforce user input validation to eliminate the injection of harmful SQL queries [7]. Another type of attack is injection with the UNION SQL query. Here, the attacker gets data from a table, which is different from one that was intended by developer. There are other techniques available to protect against SQLIA. The introduction of an Intrusion Prevention System (IPS) could discover vulnerable stored procedures, or the injection of unlawful SQL queries. Working with query-level access control violation can help identify an attack [6].
  • 4. 4 4.2 Privilege Abuse Another issue with security in relation database management systems is privilege abuse. When users (subjects) have sufficient access privileges to manipulate a database outside of their job requirements, these privileges can be exploited for improper use. This issue is evident more so in relational DBMS that incorporates a discretionary access control policy or a role-based access control policy. Take, for example, an organisation where a low-level employee has been granted the same database access privileges as a manager. This employee has the ability to harmfully manipulate the information where they should not. This is an example of legitimate privilege abuse. In order to avoid the occurrence of this issue, an acceptable standard of privilege delegation should be implemented. Only those with appropriate permissions can assign users to roles, where privileges are granted/revoked depending on the nature of the role. There should also be an access control policy that applies to all contextual information about database access by enforcing policy for user applications, time of day, etc. [6]. 4.3 Denial Of Service Of course there is also the potential occurrence of a Denial of Service (DoS) attack where the attackers will make all database information inaccessible for authorised users. DoS is the process of “flooding” a database system with a volume of requests that the server cannot handle, causing the database server to crash. Methods of avoiding DoS attacks involve dynamic profiling and connection controls, which can be used to identify illegal SQL queries. Any query that does not match previously established user or application patterns are immediately identified and rejected [6]. 4.4 Weak Authentication According to Basharat, Azam, and Muzaffar, A weak authentication strategy renders the databases more vulnerable to attackers. The identity of database users are stolen or the login credentials are obtained through some source which then helps in modification of data or obtaining sensitive information and if authentication is not properly implemented and is weak, it helps the attacker to steal data[8]. The most effective way to combat this potential threat is to sanitise user input on web applications. By doing so, any attacker that attempts to insert illicit SQL statements into the web application will be detected and rejected. 5. CONCLUSION It is conspicuous that the need for database security increases proportional to the exponential growth of big data in the technological world we inherit today. From 2013 to 2020, the digital universe will grow by a factor of 10 – from 4.4 trillion gigabytes to 44 trillion. It more than doubles every two years[9]. In this paper, I have identified and discussed the issues involved with data manipulating operations performed on relational database management systems that enforce different access control policies as a means of database confidentiality, integrity, and availability. I have also outlined the various techniques available to avoid the occurrence of these potential issues. 6. REFLECTION Having completed this research paper, I have learned a substancial amount about database security and the implementation of different access policies that constitute a protected database mangement system. I have also learned about the various threats to database security, and techniques available to defend against such threats. Taking into consideration the different real-world examples of database secuirty breaches I have mentioned in this paper, my point has been further expressed. Of course I would not have been able to complete this paper to an acceptable standard without the aim of good resources that I have cited throughtout.
  • 5. 5 REFERENCES [1] - University of Miami, Miller School of Medicine. 2006. confidentiality, integrity, availability (CIA). [ONLINE] Available at: http://privacy.med.miami.edu/glossary/xd_confidentiality_int egrity_availability.htm. [Accessed 04 November 15]. [2] - Patil, Meshram, A.P, B.B.M, 2012. Database Access Control Policies. / International Journal of Engineering Research and Applications (IJERA), [Online]. 2/3, 3151-3153. Available at:http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.416. 4856&rep=rep1&type=pdf [Accessed 03 November 2015]. [3] - National Institute of Standards and Technology. 1983. DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA. [ONLINE] Available at:http://csrc.nist.gov/publications/history/dod85.pdf. [Accessed 04 November 15]. [4] - Bertino, Sandhu, E.B, R.S, 2005. Database Security—Concepts, Approaches, and Challenges. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, [Online]. 2,1, 5. Available at:http://www.profsandhu.com/journals/ieee-depend- dbsec-05.pdf [Accessed 03 November 2015]. [5] - Engadget/Matt Brian. 2015. TalkTalk hack: what you need to know. [ONLINE] Available at:http://www.engadget.com/2015/10/23/talktalk-hack- explainer/. [Accessed 05 November 15]. [6] - Shulman, A.S, 2006. Top Ten Database Security Threats . How to Mitigate the Most Significant Database Vulnerabilities , [Online]. 1/1, 6. Available at: http://www.schell.com/Top_Ten_Database_Threats.pdf[Acce ssed 03 November 2015]. [7] - Kulkarni, Urolagin, S.K, S.U, 2012. Review of Attacks on Databases and Database Security Techniques.International Journal of Emerging Technology and Advanced Engineering, [Online]. 2/11, 255. Available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.414 .1729&rep=rep1&type=pdf [Accessed 04 November 2015]. [8]- Basharat, Azam, Wahab Muzaffar , I.B, F.A, A.W.M., 2012. Database Security and Encryption: A Survey Study. International Journal of Computer Applications (0975 – 888), [Online]. 47/12, 30. Available at:http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258. 8172&rep=rep1&type=pdf [Accessed 05 November 2015]. [9]- EMC. 2014. Data Growth, Business Opportunities, and the IT Imperatives. [ONLINE] Available at:http://www.emc.com/leadership/digital- universe/2014iview/executive-summary.htm. [Accessed 05 November 15].