1. Running head: DATABASE SYSTEMS, ATTACKS, & SECURITIES 1
Database Systems, Attacks, & Securities
John Intindolo
October 18, 2014
ISSC431- Database Systems Security
Professor Christopher Weppler
American Public University
3. DATABASE SYSTEMS, ATTACKS, & SECURITIES 3
Abstract
A database is an assemblage of data which is stored on a computer using a database management
system. They are the most valued resources within an organization. Databases hold the most important
and secretive information of an organization within them, and without the proper security measures the
entire organization’s existence is at stake. There are different database models that exist ranging from a
flat model, hierarchical model, a network model, or a relational model. These models determine how the
database is designed and how its information can be accessed and handled. The type of information
housed within the database varies base upon which type of database is being used, either an online
transaction processing (OLTP) database or a online analytical processing (OLAP) or decision support
system (DSS). The most common database management systems are Relational Database Management
Systems (RDBMSs) with the three most prominent being Oracle, MySQL, and Microsoft SQL. Each
of them have their own requirements, instructions for installation, and security considerations, but the
two things that they each share are read consistency and query management. There are several different
types of database attacks which are used to harm or alter the database management system and include
the following: Inference, Passive Attacks, Active Attacks, and SQL-Injection Attacks (SQLIA). There
are ways to securing a database against these attacks however, and in doing so could be the difference
between an organization thriving or faltering.
4. DATABASE SYSTEMS, ATTACKS, & SECURITIES 4
Introduction
The most important information housed on a computer is data. Whether that be from a person’s
own personal computer at their home or if it is sitting on a server at a large mutli-billion dollar
corporation. The point is that with the advancements made in technology since the Internet has become
a part of daily living, it has become more important than ever to safeguard this data. The database is
where all of this vital information is stored and includes identities and other confidential data. Through
the use of a database model, database type, and a specific database system an organization must ensure
that their information remains secure. Three of the most prominent database management systems
existing today will be discussed including their system requirments, instructions on how to install them,
and security considerations. Those three database management systems are: Oracle, MySQL, and
Microsoft SQL. There are several different ways to attack a database and knowing some of the more
common attacks will go a long way to putting the best practices into place to secure against them.
Database Systems
A database is the gathering of data located on a computer through an application known as a
database management system. The database management system allows a user to search for data that is
stored in the database so that finding specific information is much easier. It is a tiered and structured
manner of storing information that can be used for retrieval at a later time, modification, management,
among other purposes (Oriyano & Gregg, 2011, p. 225). An example of this is the APUS library where
the student places key words in the search engine to find an article or book relevant to the key words
used. With that said, the way the data is stored is dependent upon the type of database used which will
be discussed later. Before getting to the different types of databases however, the first matter is to
describe the different structure components that make up every database management application.
5. DATABASE SYSTEMS, ATTACKS, & SECURITIES 5
Components
Understanding the structure components of a database will make accessing a database much
easier for the user. While it is true that there are many different database management systems available,
the one thing that is common amongst them all is the components they share which are used to store and
organize the data within. These common components referred to are tables, keys, and queries.
Tables
A table in a database system is a very basic unit of storage within a database, and is typically
used to signify distinctive and precise information entities. In other words, a table is used to categorize
and record very specific information. A table consists of rows and columns that hold the specific data
and may be sorted so that the information needed is accessed easier. The rows are the data that can be
read horizontally, while the columns are shown vertically. For instance, a table can be used to identify an
NFL team’s record. In this type of example the columns would consist of the team name, win/lose
record, and win/loss percentage. The rows would consist of the win/loss record and win/loss
percentage of each of the thirty-two teams in their respective column. Anyone who has experience with
Microsoft Excel spreadsheets is familiar with tables. Sorting is done by clicking on the appropriate field
in the column, such as clicking on win/lose record to sort by the best or worst record.
Keys
Keys are one of the other main components within the structure of a database, and they come in
several different types. The keys located within a table are the numbers or words that fall under the
different categories of the table. So using the example of the NFL teams record used earlier, the keys
would be the team names, win/lose records, and win/lose percentages that fall under their respective
categories. A primary key is one that has a unique label used to identify a row within the table. It should
6. DATABASE SYSTEMS, ATTACKS, & SECURITIES 6
be one that is different than any other record key in that table. In order to make this possible an
employee or student ID number may be used. No two employees’ or students may have the same
number, thus using that number is good. A foreign key is when a field within the table is used to build a
relationship between two tables (Basta & Zgola, 2012, p.46).
In other words a foreign key in one table points to a primary key in another. If there were two
tables, one with a list of defensive players names on the Philadelphia Eagles and another with their stats
it would consist of the following: the first table would have the players name, number, height, weight, and
position. The second table would consist of the players’ name, total tackles, solo tackles, sacks, forced
fumbles, fumble recoveries, interceptions, and touchdowns. In this example the foreign key would be the
player’s name because it can be used in both tables as an identification in both tables. There are several
other keys that can also be used and include the following: secondary key, candidate key, composite
key, control key, and alternate key. A secondary key is a field with several common pieces of data used
to refer to more than one record at once. A candidate key is one that meets the features of a primary
key, while a composite key clusters two or more fields together so that their values can be joined to
make up a primary key. A control key is one that is used for an arrangement of data, while an alternate
key is a field that has values that do not represent the primary key, but can alternately be used when the
primary key is unavailable.
Queries
A query is a request for information from a database. This can be done in one of three ways.
The first method of posing a query is to choose a parameter. In this method the database system will
give the user a list of parameters to choose from on how to conduct the search. Query by example is the
second method and unlike the parameter method does not automatically give the user a list of choices to
7. DATABASE SYSTEMS, ATTACKS, & SECURITIES 7
make. Instead the user specifies the fields themselves and values that express the query. The third
method of query is query language. A query is any request for data from a database and is used by
everything such as search engines and timetables, with the most often used type being Structured Query
Language or SQL (“Query,” 2003, p. 172).
Database Models
How a database is assembled also determines how to gain access to and handle it. This is
determined by the way the information is stored within the database otherwise known as the database
model. There are four main database models and they are as follows: flat model, hierarchical model,
network model, and relational model.
Flat Model
Flat database models typically consist of the least amount of structure in comparison to the
other models. It usually consists of one large table with the first row representing the list of variables and
the remaining rows containing data. This type of database model is simplistic in its structure and has the
advantage of being includes in most software for free, but also boasts a couple disadvantages. Two key
disadvantages that users of flat database models are burdened with are that they waste computer
storage by requiring illogical data on items that are unavailable, and they are not favorable to complex
search queries that divide the database further (Alemi, 2008). Furthermore, keeping a hefty amount of
meager data full of missing information can cause searching through the data a long time in large
databases, and complicated search queries that call for multiple passes through data would be very time
consuming.
Hierarchical Model
8. DATABASE SYSTEMS, ATTACKS, & SECURITIES 8
A heretical database model is a treelike storage arrangement that exemplifies records and
relationships by using tiers of parent-to-child relationships. This is much like a family tree in that it offers
a layered approach to illustrate the relationship of the data. The term hierarchy refers to an arrangement
of nodes that are connected by branches. In this type of model the highest node is the root node, and
each query passes through the root node on their way down the hierarchy (“The hierarchical database,”
2014). The root node is at the top of the tree, therefore every node below it is connected to only one
parent node which is directly above the child node. Just like in a family tree where a child only has one
mom or dad, but the mom and dad can have several children. An example of this type of model would
be the file directory on a computer.
Network Model
The network model is similar to a hierarchical model but rather than using a single-parent tree
hierarchy, it instead “uses set theory to provide a tree-like hierarchy” in a way that allows child tables to
have more than one parent (“Introduction to databases,” n.d.). This form of database model resolves
the issue of data redundancy found in hierarchical databases, by signifying the relationships in sets
instead of through hierarchy. Simply put the network database model consists of several trees that share
the same branches.
Relational Model
A relational database model does not use link fields to relate records in different files, but
instead uses a more theoretical observation of the database where associated information is located
when it is needed from the logical relationships among the items found in the files (“Lesson 1:
Relational,” n.d.). Relational databases use tables to store information, and allow for information to be
compared much quicker due to the fact that the data is arranged in columns. Due to the flexibility and
9. DATABASE SYSTEMS, ATTACKS, & SECURITIES 9
abstract ability relational database models present, they have become the most commonly used
database model in the world. Structured query language or SQL is the special computer language that is
used in relational database models and has become the standard for database systems to work together.
Database Types
Databases serve many purposes, but which type used is dependent upon the data that will be
contained within it. There are two different database types that may be used. The first is one that is
designed for real-time storage and manipulation of data within an organization known as an online
transaction processing OLTP database, while the second is a database that stores large volumes of
historical data for generating reports and analyzing data referred to as an online analytical processing
(OLAP) or decision support system (DSS) (Basta & Zgola, 2012, p. 54). The first type of database is
used for storing great amounts of small transactions such as cash register sales from a pizzeria, while the
latter is used to store large amounts of data that can be analyzed with the intention of improving
efficiency for instance. OLAP/DSS databases are not used for real-time transactions, but work rather
well in a warehouse environment.
Database Management Systems
Database management systems or DBMSs are a assemblage of programs that give the user the
capability to amass, alter, and remove information from a database. There are many different types of
DBMSs and nearly all of them are designed to be used with the relational database model, but the ones
featured here will be three of the most well-known and used on the market. Those three are Oracle,
MySQL, and Microsoft SQL. Each has their own requirements, methods of installation, and
advantages. While each database system may be different the common bond that all share is the
accuracy and reliability of the data, and the necessities of a database management application required
10. DATABASE SYSTEMS, ATTACKS, & SECURITIES 10
to process a user query. These things are known as read consistency and query management
respectively.
Oracle
Oracle is the most popular database system available, gives user’s complete data management
abilities, is portable, can run on nearly any operating system, and is a distributed database that
implements distributed processing function. There are some necessary hardware requirements on a
computer prior to installing oracle and they are as follows: 256mb minimum of RAM, double the amount
of RAM for virtual memory, 2.04 GB free disk space for basic installation, 256 colors for the video
adapter, and 550 MHz minimum processor (“Oracle database,” n.d.).
Oracle uses Procedural Language/SQL is an intricate and considerably strong form of SQL that
can assemble procedures together into bundles. While using Oracle, all database objects are grouped
by a subset assemblage of database objects, and all the database objects are shared between all
subsets and users. Some other advantages of the Oracle database system including the following: the
introduction of a shared SQL and multi-thread server architecture, provides role-based security
management which enhances security, it has support for multimedia data, has good portability, has a
wide-range of supported programming languages compared to MySQL and Microsoft SQL, and
makes reading and writing data within the database a simple task (Xiao-Ming, 2014, p. 3157).
Security should always be at the forefront of any database system installation and the same
holds true with Oracle. One thing that is extremely valuable is the fact that Oracle has a number of
applications that support security of the database. Some of these best measures include real-time access
control and encryption. Other security measures that may be taken to ensure the security of the
11. DATABASE SYSTEMS, ATTACKS, & SECURITIES 11
database is to close unused ports, harden the operating system, apply the latest security patches, and
the use of firewalls whenever possible to provide an additional level of security.
MySQL
MySQL is the most popular open-source database application used, and offers many different
customizations that can accommodate nearly any professional or personal setting. Due to the nature of
open-source applications MySQL can be installed in a number of different ways. The two different
formats that MySQL can be installed are through source code or binary code installation. The difference
between the two is that installing through source code is for more experienced users and allows for
greater customization. Since binary installations are already executable files customization is not
possible, but they are both easier and quicker to install.
Some advantages of using MySQL include the following: scalability and flexibility, high
performance, strong data protection, high availability, and the freedom associated with open-source
applications (“Top reasons to,” n.d.). After installing MySQL it is important to change the root
password because all accounts at the outset are set up without passwords. This can become a huge
vulnerability and must be addressed. Other security measures that can be taken to secure the MySQL
database include using the principal of least privileges, disabling of remote access whenever possible,
base access on specified IP addresses, and encrypt the connection to the server using SSH or SSL.
Microsoft SQL
Microsoft SQL is a growing database solution for many organizations and continues to improve
in order to compete with other prominent database systems such as Oracle and MySQL. In fact
12. DATABASE SYSTEMS, ATTACKS, & SECURITIES 12
Microsoft’s latest update SQL Server 2014 enables users to build high-performance, mission critical
applications that assists employees in making smarter decisions in a quicker manner, and allows said
solutions to be deployed on location, in the cloud, or even in a hybrid environment (“Sql server,” 2014).
Installing the Microsoft SQL Server 2014 has some hardware requirements that are necessary
in order to install the database system. A minimum of 6 GB of available hard disk space, a DVD drive,
a Super-VGA monitor with at least a 800 x 600 resolution, 1 GB memory (Express Editions), and the
following requirements for processor types: x86 Processor speed of 1.0 GHz and x86 Processor speed
of 1.4 GHz, but with a recommendation of 2.0 GHz or faster (“Hardware and software,” 2014). Since
Microsoft is such a well-known commodity and its software is so wide-spread amongst computers
around the globe, it also makes their software a huge target amongst hackers and crackers. That is why
it is important to take the proper security precautions so that the database remains safeguarded from an
attack. There are measures that can be taken before, during, and after installation. Some best practices
before installation includes using multiple firewalls (both internally and externally) and encrypting the
connection to the server using SSH or SSL, during the installation includes transparent data encryption
and the use of complex password policies, and following installation includes disabling of all Windows
guest accounts and the use of principle of least privilege for database accounts.
Database Attacks
There are many ways that an attacker can penetrate a database, but while there are many
methods used to perform an attack they can be broken up into the following categories: inference
attacks, passive attacks, active attacks and SQL injection attacks. An inference attack is a data-mining
technique used that allows an attacker to acquire more delicate information from inconsequential
information. A way to counter this type of attack is to have protocols installed into databases that
13. DATABASE SYSTEMS, ATTACKS, & SECURITIES 13
prevent them from occurring. Passive attacks allow the attacker to eavesdrop on the communication
and can be mitigated by disabling all services that are not required and installing anti-virus and anti-
spyware software.
Active attacks are as the name would suggest the opposite of passive attacks, and rather than
simply eavesdropping on the communication occurring within the database the attacker breaches the
database and alters the database values. Ensuring all security patches are constantly installed when
available and continuous review of audit logs will help to prevent these types of attacks. Finally is a
SQL-injection attack or SQLIA. In this type of attack an attacker will inject a series of SQL statements
into a query to alter the SQL statement and compromise the security of the database (Jane & Chaudari,
n.d., p. 56). Applying the principal of least privileges to user accounts is a good countermeasure for
SQLIAs.
Future of Database Security
Technology is constantly changing and evolving, so if an organization is staying still they are
essentially going backwards. In other words if one is not moving forward in this day and age, then they
are falling behind. The same holds true for the future of database systems. In the future things such as
disk storage, RAM storage, and processors are going to continue to change to where more can be
gotten for less. Disk storage is becoming cheaper and larger each year as is RAM storage.
Improvements in the Internet bandwidth allow database systems to deliver their software as needed to
its customers. One concern that fall within the future of database systems is the future of database
security. One such area is a focus on providing products that provide continuous monitoring at the
database tier to accurately identify database attacks through a complex behavioral analysis technology
14. DATABASE SYSTEMS, ATTACKS, & SECURITIES 14
provided by DB Networks (“Db networks,” 2014). This will mitigate the issue of a lack of visibility into
the SQL exchanges at the database tier.
Conclusion
In today’s world where technology and computer systems are relied upon for storing vital
company data, the importance of database security is more important than ever before. Generally
speaking, databases fall into four main database models: flat model, hierarchical model, network model,
and relational model. Relational Database Management Systems are the most commonly used types
with three of the most prominent being Oracle, MySQL, and Microsoft SQL. Each has their own
requirements and methods of installation, but the two things all three have in common are the assurance
of read consistency and query management. There are many different types of attacks which include:
inference, passive attacks, active attacks, and SQLIA attacks. Securing against these types of attacks
will help to keep the database safeguarded, but there are also methods of mitigation that may be used to
secure the database following an incident occurring. While there may not be one specific manner to
protect the database completely, following the security measures previously outlined will go a long way
to keeping that data safe and secure.
15. DATABASE SYSTEMS, ATTACKS, & SECURITIES 15
References
Alemi, F. (2008, August 30). Introduction to evolution of databases. Retrieved from
http://gunston.gmu.edu/healthscience/709/EvolutionDatabases.asp
Basta, A. and Zgola, M. (2012). Database Security, 1st
Edition. Florence, KY. Delmar Cengage
Learning. ISBN-10/13: 1435453905/9781435453906
Hardware and software requirements for installing sql server 2014. (2014). Retrieved from
http://msdn.microsoft.com/en-us/library/ms143506.aspx
Introduction to databases for web developers. (n.d.). Retrieved from
http://www.extropia.com/tutorials/sql/network_databases.html
Jane, P., & Chaudari, M. S. (n.d.). Sqlia: Detection and prevention techniques. IOSR Journal of
Computer Engineering, 56-60.
JIANG Xiao-Ming1, j. (2014). Design and Implementation of Computer Equipment Management
System Based on Oracle Database. Applied Mechanics & Materials, (644-650), 3157-3159.
Lesson 1: Relational databases. (n.d.). Retrieved from
http://cs.furman.edu/digitaldomain/more/sql/lesson1/ec225-mod1-less1.htm
Oracle database installation guide. (n.d.). Retrieved from
http://docs.oracle.com/cd/B19306_01/install.102/b14316/reqs.htm
16. DATABASE SYSTEMS, ATTACKS, & SECURITIES 16
References cont’d.
Oriyano, S., & Gregg, M. (2011). Hacker techniques, tools, and incident handling. Jones & Bartlett
Learning, LLC Publications. Retrieved from http://ebooks.apus.edu.ezproxy2.apus.edu
Query. (2003). Essential Internet, 172.
Sql server. (2014). Retrieved from http://www.microsoft.com/en-us/server-cloud/products/sql-server/
The hierarchical database model. (2014). Retrieved from http://www.dba-
oracle.com/t_object_hierarchical_database.htm
Top reasons to use mysql. (n.d.). Retrieved from https://www.mysql.com/why-mysql/topreasons.html
