University College Cork
IS6156 Databases for Management Information Systems
Analysing the breaches in Database security at YONS Ltd and evaluating the security options
available
Submitted by: Brendan Mc Sweeney, Senior Database Administrator
Student Number: 114223513
Submitted to: Dr. Ciara Heavin
Submission Date: 2/2/15
Table of Contents
1. Introduction
2. Reasons for breaches in database security
3. Data Security Solutions
3.1 Basic Data Security Measures
3.1.1 FIA Software
3.1.2 Data Handling Policy
3.1.3 Data Encryption
3.2 Intermediate Data Security Measures
3.2.1 Thin/lean Clients
3.2.2 Data Loss Prevention (DLP) Software
3.3 Advanced Data Security Measures
3.3.1 Activism
4. Recommendations
5. References
1. Introduction
With the increasing value of the data held at YONS Ltd, our data has been the target of
unauthorised attacks over the last 18 months, and this report was commissioned to analyse the
recent breaches in our database security. It has emerged that confidential staff data
concerning salary details has been disclosed internally to staff and shareholders, and that
vital customer data relating to bank details has also been obtained externally by our rivals.
Database security is our last line of defence; once it is penetrated we are left open to
further attacks, so it is of the utmost importance that we implement measures to secure our
vital data. The overall aim of this report is to analyse the reasons behind the breaches in
our databases, suggest measures to prevent further database breaches and ultimately propose
an effective database security strategy for potential implementation.
In order to sustain our growth and success, especially in online gaming, it is important that
we become more attentive to database security. In recent times both internal and external
attacks on our data have been difficult to detect because of the sophisticated nature of the
attacks. Following the commission of this report, I hope that our overall database security is
given a higher priority in order to prevent breaches and loss of data, which could otherwise
result in a loss of competitive advantage in the future.
2. Reasons for breaches in database security
Database security is implemented in many organisations to ensure that all company data is
protected (Spam Laws, 2015). The database at YONS Ltd was compromised on many occasions over
the last 18 months, for a variety of possible reasons which may include the following.
YONS Ltd may be implementing a very basic database security policy that relies only on
detective controls such as auditing and monitoring; 20% of organisations implement database
security policies of this kind (Forrester, 2012).
Companies tend to spend 8-10% of their IT budget on security, and that spending tends to
focus on application and network level security rather than on database security (Forrester,
2012). This may reflect the low priority that database security is given at YONS Ltd.
In many cases database security solutions are implemented in isolation, so that database
security ends up comprising products from many vendors. The lack of integration between these
products leaves significant gaps in coverage, which may leave YONS Ltd vulnerable to attacks on
its database (Forrester, 2012).
YONS Ltd may lack internal controls such as training and education, which can itself lead to
breaches in database security. A study by Imperva (2014) found that 75% of organisations
experienced staff related breaches of their database because the security policy was not fully
understood by all members of staff, and that 54% of small businesses had no training policy in
place to inform staff about data security risks.
YONS Ltd may also be subject to input or SQL injection attacks, which target traditional
database systems by smuggling malicious or unauthorised SQL statements into the database through
application input that is pasted into queries (Imperva, 2014). The standard defence is never to
build a query by concatenating user input, and instead to pass the input as a bound parameter so
that the database can only ever treat it as data.
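The mechanics of the injection described above, as an added example that is not part of the original report: a lookup of customer bank details written the vulnerable way (string concatenation) beside the same lookup using a bound parameter. The table, its two rows and the tautology payload are constructed for the example, an in-memory SQLite database stands in for the production system, and the example assumes the attacker controls the username field of a web form.

```python
import sqlite3

# Constructed sample data for the example; not real YONS Ltd records.
SAMPLE_ROWS = [
    ("alice", "IE29AIBK93115212345678"),
    ("bob", "IE64IRCE92050112345678"),
]

# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
INJECTION = "x' OR '1'='1"


def make_db():
    """In-memory SQLite database standing in for the production customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, iban TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by concatenation, so the input becomes part of the SQL grammar.
    A username of x' OR '1'='1 turns the WHERE clause into a tautology and returns every row."""
    sql = "SELECT username, iban FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Bound parameter: the driver passes the value separately from the statement text,
    so whatever the input contains, it can only ever be compared as a string."""
    sql = "SELECT username, iban FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))  # both customers' IBANs
    print("safe:      ", lookup_safe(db, INJECTION))        # no rows
```

The parameterised query removes the injection; it does not limit what a missed query elsewhere in the application could do, so the account the application connects with should hold only the privileges its queries need. A database firewall (see the prevention pillar in section 4) is the layer that would flag a tautology like this one arriving from the application.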
At YONS Ltd, members of staff may be abusing their database privileges. Former members of
staff may also still hold access rights to the database, which could allow a rival company to
obtain vital data (Imperva, 2014). Both problems point to the same missing control: a regular
review of every database account against the current staff list and against the privileges
each role actually needs.
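The account review just described, as an added example that is not part of the original report: it compares an export of database accounts against the HR list of current staff and flags accounts of leavers, accounts holding privileges no ordinary user should have, and accounts nobody has used for 90 days. The account export, the staff list and the privilege names (Oracle-style, since the report discusses Oracle users) are all constructed assumptions for the example.

```python
from datetime import date

# Constructed export of database accounts, as a privilege audit script would list them.
# Not real YONS Ltd data. "owner" is the staff member responsible for the account.
ACCOUNTS = [
    {"user": "jsmith", "owner": "jsmith", "privs": {"SELECT ON hr.salary"},
     "last_login": date(2015, 1, 20)},
    {"user": "mbrown", "owner": "mbrown", "privs": {"SELECT ON hr.salary", "DBA"},
     "last_login": date(2015, 1, 28)},
    {"user": "pwalsh", "owner": "pwalsh", "privs": {"SELECT ON crm.customer"},
     "last_login": date(2014, 6, 3)},
    {"user": "app_gaming", "owner": "jsmith",
     "privs": {"SELECT ON crm.customer", "SELECT ANY TABLE"},
     "last_login": date(2015, 1, 29)},
]

# Constructed current staff list from HR: the source of truth for who should still have access.
ACTIVE_STAFF = {"jsmith", "mbrown"}

# Privileges that no ordinary user or application account should hold
# (Oracle-style names; an assumption for the example).
HIGH_PRIVS = {"DBA", "SYSDBA", "SELECT ANY TABLE", "GRANT ANY PRIVILEGE"}
DORMANT_DAYS = 90
REVIEW_DATE = date(2015, 2, 2)


def review_accounts(accounts, active_staff, today=REVIEW_DATE, high_privs=HIGH_PRIVS):
    """Return (account, reason) findings for leavers, excessive privileges and dormant accounts."""
    findings = []
    for acct in accounts:
        if acct["owner"] not in active_staff:
            findings.append((acct["user"], "owner no longer on staff"))
        excessive = acct["privs"] & high_privs
        if excessive:
            findings.append((acct["user"], "high privilege: " + ", ".join(sorted(excessive))))
        if (today - acct["last_login"]).days > DORMANT_DAYS:
            findings.append((acct["user"], "dormant account"))
    return findings


def accounts_to_lock(findings):
    """Accounts whose owner has left are locked outright; the rest go back to the owner for review."""
    return sorted({user for user, reason in findings if reason == "owner no longer on staff"})


if __name__ == "__main__":
    found = review_accounts(ACCOUNTS, ACTIVE_STAFF)
    for user, reason in found:
        print(f"{user:12} {reason}")
    print("lock now:", accounts_to_lock(found))
```

Run against the sample export, the review locks the leaver's account, sends the two high-privilege accounts back to their owners for justification (the application account holding SELECT ANY TABLE is exactly the kind of grant that turns a single injection into a full data dump), and leaves the ordinary account alone.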
An unpatched or misconfigured database leaves YONS Ltd exposed to attacks that are easy to
exploit. This is a common problem among Oracle users: 28% never apply a critical patch update
or are unaware of whether they have done so, and another 10% take a year or longer to apply
patch updates (Imperva, 2014).
(Figure 1)
Hacking is another cause of data security breaches and is a regular occurrence in many
organisations. Hackers generally obtain unauthorised access to a computer network by installing
malicious software (malware) on it and use that access to obtain vital company information
such as credit card numbers; they can also gain unauthorised access by manipulating an
organisation's security software. According to figure 1, 51% of data security attacks were due
to hacking (Clifton, 2009). It is highly likely that YONS Ltd has been subject to hacking over
the last 18 months, as an intrusion of this kind typically persists for months if not years
before it is detected.
Social engineering is a non-technical cause of data security breaches to which YONS Ltd may
also have been exposed. According to figure 1, 17% of attacks were carried out through fraud or
social engineering. This tactic relies heavily on human interaction: social engineers typically
convince authorised personnel of an organisation to break data security procedures and hand
over information, usually by means of phishing e-mails or by creating a fake business to
convince the organisation that they are legitimate (Clifton, 2009). Phishing e-mails are a
prevalent means of obtaining sensitive information and may be another highly plausible reason
for the breaches in data security at YONS Ltd; phishing was particularly rampant in the United
States in 2003, with 255,000 cases of identity theft attributed to phishing e-mails (Spam Laws,
2015).
Based on these reasons, Clifton (2009) goes on to identify the likely suspects in figure 2
below: 81% of attacks were carried out by malicious outsiders, 17% by malicious insiders who
deliberately attacked an organisation's database, and 2% by unintentional insiders who
accidentally caused a database security breach. YONS Ltd can readily address unintentional
attacks on its database through training and education of staff; the other attacks can
potentially be addressed using the methods in the following section.
(Figure 2)
3. Data Security Solutions
According to Clifton (2009) there are three levels of data security measure, listed in figure
3, which could potentially be implemented by YONS Ltd.
(Figure 3)
3.1 Basic Data Security Measures
Because of their ease of use and affordability, these data security measures could easily be
implemented by YONS Ltd. The potential options available are outlined in figure 3.
3.1.1 FIA Software
Firewall, intrusion detection and anti-virus (FIA) software, kept current with regular patch
updates, can provide suitable network security against hackers and other unauthorised users
(Clifton, 2009). These controls protect the network perimeter and the hosts; on their own they
do not stop an attack that arrives as legitimate-looking SQL from an authorised application,
which is why the database-level controls in section 4 are still needed.
3.1.2 Data Handling Policy
The aim of a data handling policy is to set out rules for every aspect of personal data. The
organisation then relays these rules to its employees through training, which also informs
employees about the value of data to the company, the data security measures in place and the
social engineering methods used by unauthorised users or hackers (Clifton, 2009).
3.1.3 Data Encryption
This security option uses mathematical algorithms to render a message (or a stored record)
unreadable to anyone who does not hold the decryption key (Spam Laws, 2015). Authorised users
decrypt the data with that key, which is typically released to them only after they have
authenticated, for example with a username and password (Clifton, 2009). Encryption therefore
only helps if the key is managed separately from the data: a key stored alongside the encrypted
database protects nothing once the database host is compromised.
The two categories of data encryption are symmetric and asymmetric (Spam Laws, 2015).
Symmetric Data Encryption
This category uses a single secret key shared between sender and recipient to both encrypt and
decrypt a message (Diaa Salama, 2010). Spam Laws (2015) names DEA (the Data Encryption
Algorithm specified by the DES standard) as the most common symmetric algorithm and recommends
symmetric encryption for large volumes of data. The recommendation for large volumes holds, but
DES itself uses a 56-bit key and has been breakable by brute force since the late 1990s; a
deployment at YONS Ltd should use AES, which has replaced DES as the standard, and treat any
DES option offered by a product as a legacy setting to be disabled.
Asymmetric Data Encryption
Asymmetric (public key) cryptography, such as RSA, uses a pair of keys, one private and one
public (Spam Laws, 2015). The public key is used to encrypt a message and the private key to
decrypt it (Diaa Salama, 2010), so anyone can encrypt a message but only the owner of the
private key can decrypt it (Spam Laws, 2015). Diffie-Hellman, which Spam Laws (2015) gives as
its example, belongs to the same public key family but is a key agreement protocol rather than
an encryption algorithm: two parties use it to establish a shared symmetric key over an
untrusted network, after which the bulk data is protected with symmetric encryption.
Asymmetric operations are far slower than symmetric ones, which is why they are used to
exchange or protect keys rather than to encrypt large volumes of data directly.
3.2 Intermediate Data Security Measures
Given the rather negligent data security measures currently in place at YONS Ltd, data
security and the protection of personal data should become a high priority. Implementing both
the basic and the intermediate data security measures outlined in figure 3 should ensure that
personal data at YONS Ltd is not compromised in the future.
3.2.1 Thin/lean Clients
Thin or lean clients run in a web browser or through remote desktop software in a
client-server architecture. A central server processes both inputs and outputs, so the thin
client holds only the personal data needed for the task in hand and the remaining personal data
stays in the central server or data centre (Clifton, 2009). The security benefit is that a
lost, stolen or compromised endpoint carries little data of value, and the server side can
apply one consistent set of controls.
3.2.2 Data Loss Prevention (DLP) Software
This software detects and prevents malicious insiders from copying and sending personal data
without authorisation. DLP software works in two modes, offline and online (Clifton, 2009).
Offline Mode
This mode uses three techniques to identify the documents that contain personal data and who
their regular users are: manual marking of documents, automated keyword-based search of
documents, and automated search for edited documents that still carry the signatures
(fingerprints) of the original document (Clifton, 2009).
Online Mode
Users must abide by the data handling policy when sharing and using personal data; when a
violation is detected, the DLP software automatically blocks the use or sharing of the personal
data concerned (Clifton, 2009).
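The two DLP modes above, as an added example that is not part of the original report or of any DLP product: the offline scan classifies a document by manual marking, by keyword search, and by comparing hashed four-word runs (a simple fingerprint) against a marked original, so that an edited copy with the marker stripped out is still recognised; the online check then blocks a classified document addressed outside the company. The marker string, the keyword list, the internal mail domain and all three documents are constructed for the example.

```python
import hashlib
import re

MARKER = "[CONFIDENTIAL]"                      # manual marking staff add to sensitive documents
KEYWORDS = {"salary", "iban", "bank account"}  # keyword list for the automated search
SHINGLE_WORDS = 4                              # words per fingerprint shingle
MATCH_THRESHOLD = 0.5                          # share of an original's shingles that marks a derivative
INTERNAL_DOMAINS = {"yons.example"}            # assumed internal mail domain for the example

# Constructed original document that was manually marked; the offline scan fingerprints it.
ORIGINAL = ("[CONFIDENTIAL] Salary review 2015. Each employee's salary band and bonus are listed "
            "in the attached table, together with the IBAN used for payroll.")

# Constructed edited copy: marker removed, text trimmed and extended, but most of the body intact.
EDITED_COPY = ("Draft: Each employee's salary band and bonus are listed in the attached table, "
               "together with the IBAN used for payroll. Please do not forward.")


def shingles(text, n=SHINGLE_WORDS):
    """Hash every run of n consecutive words; an edited copy keeps most of the original's runs."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
            for i in range(len(words) - n + 1)}


FINGERPRINTS = {"salary_review_2015": shingles(ORIGINAL)}   # built by the offline scan


def classify(text, fingerprints=FINGERPRINTS, threshold=MATCH_THRESHOLD):
    """Offline mode: return the reasons a document counts as personal data (empty list if none)."""
    reasons = []
    if MARKER in text:
        reasons.append("manual marking")
    hits = sorted(k for k in KEYWORDS if k in text.lower())
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    doc_shingles = shingles(text)
    for name, fingerprint in fingerprints.items():
        if doc_shingles and fingerprint:
            overlap = len(doc_shingles & fingerprint) / len(fingerprint)
            if overlap >= threshold:
                reasons.append(f"derived from marked original {name} ({overlap:.0%} match)")
    return reasons


def check_transfer(text, recipient):
    """Online mode: block personal data leaving the company; internal sharing is allowed."""
    reasons = classify(text)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if reasons and domain not in INTERNAL_DOMAINS:
        return "BLOCK", reasons
    return "ALLOW", reasons


if __name__ == "__main__":
    print(check_transfer(EDITED_COPY, "rival@competitor.example"))
    print(check_transfer(EDITED_COPY, "hr@yons.example"))
```

The fingerprint is what catches the case the keyword list misses: an insider who rewrites the sensitive words still carries most of the original's word runs, and the threshold decides how much editing is tolerated before the copy is no longer recognised. Real products use more robust fingerprinting than this, but the decision structure is the same.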
3.3 Advanced Data Security Measures
This level of data security measure comes into play once the lower levels explained above and
illustrated in figure 3 are in place. At the advanced level the concern is that web pages
themselves can be hacked and personal data compromised through them (Clifton, 2009).
3.3.1 Activism
To help prevent web page hacking, YONS Ltd can draw on a community of internet vigilantes, at
no cost, to help avert web page hacking (Clifton, 2009). Any such arrangement needs an agreed
scope and written authorisation, because testing carried out without them is indistinguishable
from an attack and would have to be treated as one by our own monitoring.
4. Recommendations
Based on the options outlined in the previous section, I believe YONS Ltd should implement
each level of data security illustrated in figure 3, from bottom to top, to form a
comprehensive database security strategy. That strategy should use a single vendor for all
database security systems to ensure cost effectiveness and integration throughout the
organisation (Forrester, 2012). YONS Ltd must ensure that each database security level is
implemented to a satisfactory standard in order to protect itself from unauthorised users.
A comprehensive database security strategy should proactively protect data from both internal
and external attacks by securing all databases. To implement such a strategy successfully,
YONS Ltd should follow the three pillar approach identified by Forrester (2012) and
illustrated in figure 4 below.
Foundation                                Detection                  Prevention
----------------------------------------  -------------------------  -----------------
Discovery and Classification              Auditing                   Encryption
Authentication, authorization and         Monitoring                 Data Masking
access control
Patch Management                          Vulnerability Assessment   Database Firewall
(Figure 4)
Foundation Pillar
This pillar starts with discovery and classification, which establishes which databases exist
and which of them hold the data YONS Ltd should focus on. Authentication, authorisation and
access control measures then ensure that only authorised users gain access to each database.
Additionally YONS Ltd should apply patch updates promptly so that it does not leave itself
vulnerable to attacks by unauthorised users.
Detection Pillar
Auditing can be used by YONS Ltd to detect data inconsistencies and to track the access rights
of users and how they are exercised. Database security monitoring provides real time detection
of suspicious activity, so that an intrusion is noticed while it is under way rather than
months later. Additionally a vulnerability assessment can be carried out to report on database
weaknesses such as weak passwords and excessive access rights.
Prevention Pillar
The main aim of this pillar is to prevent unauthorised access to, and exposure of, private
company data. The preventative measures are data encryption, which protects the data stored in
an organisation's production database; data masking, which protects the copies of that data
used in non-production databases (development, testing and reporting) by replacing sensitive
values with realistic but fictitious ones; and a database firewall, which provides real time
protection against SQL injection attacks and blocks unauthorised access to the database in
real time.
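Data masking for a non-production copy, as an added example that is not part of the original report or of any vendor's product: staff identifiers and names are replaced by keyed-hash tokens (so rows still join across tables but the originals cannot be recovered without the key), IBANs keep only their country code and last four digits, and exact salaries become bands. A final check scans the masked copy for any surviving production value, which is the test a DBA should run before handing a copy to developers. The masking key, the production rows and the table layout are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Assumption for the example: the masking key lives in a secrets store and is never copied
# to the non-production environment. Constructed value; rotate it in any real deployment.
MASKING_KEY = b"constructed-demo-masking-key"

# Constructed production rows (staff_id, name, iban, salary). Not real YONS Ltd data.
PRODUCTION_ROWS = [
    ("S1001", "Alice Murphy", "IE29AIBK93115212345678", 47250),
    ("S1002", "Brian Kelly", "IE64IRCE92050112345678", 61000),
]


def pseudonym(value, key=MASKING_KEY, prefix="tok_"):
    """Keyed hash: the same input always maps to the same token (joins still work),
    but the original cannot be recovered without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return prefix + digest[:12]


def mask_iban(iban):
    """Keep the country code and check digits and the last four digits; blank the rest."""
    iban = iban.replace(" ", "")
    return iban[:4] + "*" * (len(iban) - 8) + iban[-4:]


def mask_salary(salary, band=10000):
    """Replace the exact figure with its band: enough for testing, useless for gossip."""
    low = (salary // band) * band
    return f"{low}-{low + band - 1}"


def build_masked_copy(rows):
    """Produce the non-production copy of the staff table with every sensitive column masked."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (staff_id TEXT, name TEXT, iban TEXT, salary_band TEXT)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?, ?)",
        [(pseudonym(sid), pseudonym(name), mask_iban(iban), mask_salary(sal))
         for sid, name, iban, sal in rows],
    )
    return conn


def leak_check(conn, rows):
    """Return every production identifier, name, IBAN or exact salary still present in the copy."""
    copied = conn.execute("SELECT staff_id, name, iban, salary_band FROM staff").fetchall()
    blob = "\n".join(" ".join(r) for r in copied)
    secrets = [v for sid, name, iban, sal in rows for v in (sid, name, iban, str(sal))]
    return [s for s in secrets if s in blob]


if __name__ == "__main__":
    copy = build_masked_copy(PRODUCTION_ROWS)
    for row in copy.execute("SELECT * FROM staff"):
        print(row)
    print("leaked values:", leak_check(copy, PRODUCTION_ROWS))
```

Masking is the right tool for copies that developers and testers work with; it is not a substitute for encrypting the production database, because the masked copy is by design not reversible and the production system still needs the real values.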
5. References
Clifton, P. (2009). Protecting organisations from personal data breaches. Computer Fraud &
Security, 13-18. Amsterdam: Elsevier.
Diaa Salama, A. E. (2010). Evaluating the performance of symmetric encryption algorithms.
International Journal of Network Security, 213-219.
Forrester, C. (2012). Formulate a database security strategy to ensure investments will
actually prevent data breaches and satisfy regulatory requirements. Cambridge, USA: Forrester
Research Inc.
Imperva. (2014). Top Ten Database Threats. Imperva.
Spam Laws. (2015). Retrieved January 23, 2015, from http://www.spamlaws.com/

More Related Content

What's hot

Dit yvol5iss41
Dit yvol5iss41Dit yvol5iss41
Dit yvol5iss41
Rick Lemieux
 
C044031823
C044031823C044031823
C044031823
IJERA Editor
 
Neural Network Web-Based Human Resource Management System Model (NNWBHRMSM)
Neural Network Web-Based Human Resource Management System Model (NNWBHRMSM)Neural Network Web-Based Human Resource Management System Model (NNWBHRMSM)
Neural Network Web-Based Human Resource Management System Model (NNWBHRMSM)
ijcncs
 
Employee Engagement within the IT Industry
Employee Engagement within the IT Industry Employee Engagement within the IT Industry
Employee Engagement within the IT Industry
Momo Scott
 
Architecture Framework for Resolution of System Complexity in an Enterprise
Architecture Framework for Resolution of System Complexity in an EnterpriseArchitecture Framework for Resolution of System Complexity in an Enterprise
Architecture Framework for Resolution of System Complexity in an Enterprise
IOSR Journals
 
A Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management SystemA Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management System
CSCJournals
 
The 2018 Enterprise Cloud Trends Report
The 2018 Enterprise Cloud Trends ReportThe 2018 Enterprise Cloud Trends Report
The 2018 Enterprise Cloud Trends Report
ibossCyber
 
IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT Alignement
Rick Lemieux
 
112337801 Lit Review
112337801 Lit Review112337801 Lit Review
112337801 Lit Review
Tim Kelly
 
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
IJNSA Journal
 
Completed IT Sourcing and Projects
Completed IT Sourcing and ProjectsCompleted IT Sourcing and Projects
Completed IT Sourcing and Projects
Del Kirwan
 
IJIS Institute_Critical Decision Criteria for Data Sharing (Jul 2013)
IJIS Institute_Critical Decision Criteria for Data Sharing (Jul 2013)IJIS Institute_Critical Decision Criteria for Data Sharing (Jul 2013)
IJIS Institute_Critical Decision Criteria for Data Sharing (Jul 2013)
Becky Ward
 
Data Protection Governance IT
Data Protection Governance ITData Protection Governance IT
Data Protection Governance IT
Cristina Villavicencio
 
Types of Information Technology Capabilities and Their Role in Competitive Ad...
Types of Information Technology Capabilities and Their Role in Competitive Ad...Types of Information Technology Capabilities and Their Role in Competitive Ad...
Types of Information Technology Capabilities and Their Role in Competitive Ad...
Yung-Chun Chang
 
From IT service management to IT service governance: An ontological approach ...
From IT service management to IT service governance: An ontological approach ...From IT service management to IT service governance: An ontological approach ...
From IT service management to IT service governance: An ontological approach ...
IJECEIAES
 
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEM
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEMA DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEM
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEM
IAEME Publication
 
IRJET- Social Network Message Credibility: An Agent-based Approach
IRJET- Social Network Message Credibility: An Agent-based ApproachIRJET- Social Network Message Credibility: An Agent-based Approach
IRJET- Social Network Message Credibility: An Agent-based Approach
IRJET Journal
 
A PROPOSED EXPERT SYSTEM FOR EVALUATING THE PARTNERSHIP IN BANKS
A PROPOSED EXPERT SYSTEM FOR EVALUATING THE PARTNERSHIP IN BANKSA PROPOSED EXPERT SYSTEM FOR EVALUATING THE PARTNERSHIP IN BANKS
A PROPOSED EXPERT SYSTEM FOR EVALUATING THE PARTNERSHIP IN BANKS
jares jares
 
eCollaboration: Evaluation of a File Sharing Platform for SME
eCollaboration: Evaluation of a File Sharing Platform for SMEeCollaboration: Evaluation of a File Sharing Platform for SME
eCollaboration: Evaluation of a File Sharing Platform for SME
Stefan Martens
 

What's hot (19)

Dit yvol5iss41
Dit yvol5iss41Dit yvol5iss41
Dit yvol5iss41
 
C044031823
C044031823C044031823
C044031823
 
Neural Network Web-Based Human Resource Management System Model (NNWBHRMSM)
Neural Network Web-Based Human Resource Management System Model (NNWBHRMSM)Neural Network Web-Based Human Resource Management System Model (NNWBHRMSM)
Neural Network Web-Based Human Resource Management System Model (NNWBHRMSM)
 
Employee Engagement within the IT Industry
Employee Engagement within the IT Industry Employee Engagement within the IT Industry
Employee Engagement within the IT Industry
 
Architecture Framework for Resolution of System Complexity in an Enterprise
Architecture Framework for Resolution of System Complexity in an EnterpriseArchitecture Framework for Resolution of System Complexity in an Enterprise
Architecture Framework for Resolution of System Complexity in an Enterprise
 
A Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management SystemA Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management System
 
The 2018 Enterprise Cloud Trends Report
The 2018 Enterprise Cloud Trends ReportThe 2018 Enterprise Cloud Trends Report
The 2018 Enterprise Cloud Trends Report
 
IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT Alignement
 
112337801 Lit Review
112337801 Lit Review112337801 Lit Review
112337801 Lit Review
 
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
 
Completed IT Sourcing and Projects
Completed IT Sourcing and ProjectsCompleted IT Sourcing and Projects
Completed IT Sourcing and Projects
 
IJIS Institute_Critical Decision Criteria for Data Sharing (Jul 2013)
IJIS Institute_Critical Decision Criteria for Data Sharing (Jul 2013)IJIS Institute_Critical Decision Criteria for Data Sharing (Jul 2013)
IJIS Institute_Critical Decision Criteria for Data Sharing (Jul 2013)
 
Data Protection Governance IT
Data Protection Governance ITData Protection Governance IT
Data Protection Governance IT
 
Types of Information Technology Capabilities and Their Role in Competitive Ad...
Types of Information Technology Capabilities and Their Role in Competitive Ad...Types of Information Technology Capabilities and Their Role in Competitive Ad...
Types of Information Technology Capabilities and Their Role in Competitive Ad...
 
From IT service management to IT service governance: An ontological approach ...
From IT service management to IT service governance: An ontological approach ...From IT service management to IT service governance: An ontological approach ...
From IT service management to IT service governance: An ontological approach ...
 
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEM
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEMA DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEM
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEM
 
IRJET- Social Network Message Credibility: An Agent-based Approach
IRJET- Social Network Message Credibility: An Agent-based ApproachIRJET- Social Network Message Credibility: An Agent-based Approach
IRJET- Social Network Message Credibility: An Agent-based Approach
 
A PROPOSED EXPERT SYSTEM FOR EVALUATING THE PARTNERSHIP IN BANKS
A PROPOSED EXPERT SYSTEM FOR EVALUATING THE PARTNERSHIP IN BANKSA PROPOSED EXPERT SYSTEM FOR EVALUATING THE PARTNERSHIP IN BANKS
A PROPOSED EXPERT SYSTEM FOR EVALUATING THE PARTNERSHIP IN BANKS
 
eCollaboration: Evaluation of a File Sharing Platform for SME
eCollaboration: Evaluation of a File Sharing Platform for SMEeCollaboration: Evaluation of a File Sharing Platform for SME
eCollaboration: Evaluation of a File Sharing Platform for SME
 

Similar to Database Security Analysis

OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrate
Kashif Ali
 
An Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationAn Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an Organization
IJERA Editor
 
McNair_Paper_Hill
McNair_Paper_HillMcNair_Paper_Hill
McNair_Paper_Hill
Dennis Hill
 
APA Writing Sample Extortion on the JobValorie J. King, PhDApril .docx
APA Writing Sample Extortion on the JobValorie J. King, PhDApril .docxAPA Writing Sample Extortion on the JobValorie J. King, PhDApril .docx
APA Writing Sample Extortion on the JobValorie J. King, PhDApril .docx
justine1simpson78276
 
How to Mitigate the Cyber security Risk Posed.pptx
How to Mitigate the Cyber security Risk Posed.pptxHow to Mitigate the Cyber security Risk Posed.pptx
How to Mitigate the Cyber security Risk Posed.pptx
Single Point of Contact
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness              .docxRunning Head SECURITY AWARENESSSecurity Awareness              .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
toltonkendal
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data Security
Imperva
 
Implementing IT Security Controls
Implementing IT Security ControlsImplementing IT Security Controls
Implementing IT Security Controls
Thomas Jones
 
ISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_Intindolo
John Intindolo
 
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESAN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
ijcsit
 
Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network Analysis
IJERD Editor
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
Mike McMillan
 
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...
IJNSA Journal
 
The Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent ThemThe Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent Them
Enterprise Technology Management (ETM)
 
AgendaIntroduction Administrative Controls Physical Contro.docx
AgendaIntroduction Administrative Controls Physical Contro.docxAgendaIntroduction Administrative Controls Physical Contro.docx
AgendaIntroduction Administrative Controls Physical Contro.docx
daniahendric
 
E04 05 2841
E04 05 2841E04 05 2841
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSESE-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
IJNSA Journal
 
Strategic HRM Plan Grading GuideHRM498 Version 42.docx
Strategic HRM Plan Grading GuideHRM498 Version 42.docxStrategic HRM Plan Grading GuideHRM498 Version 42.docx
Strategic HRM Plan Grading GuideHRM498 Version 42.docx
florriezhamphrey3065
 
The literature and write report on information system security part 1 of 5 p...
The literature and write report on information system security  part 1 of 5 p...The literature and write report on information system security  part 1 of 5 p...
The literature and write report on information system security part 1 of 5 p...
raufik tajuddin
 

Similar to Database Security Analysis (20)

OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrate
 
An Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationAn Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an Organization
 
McNair_Paper_Hill
McNair_Paper_HillMcNair_Paper_Hill
McNair_Paper_Hill
 
APA Writing Sample Extortion on the JobValorie J. King, PhDApril .docx
APA Writing Sample Extortion on the JobValorie J. King, PhDApril .docxAPA Writing Sample Extortion on the JobValorie J. King, PhDApril .docx
APA Writing Sample Extortion on the JobValorie J. King, PhDApril .docx
 
How to Mitigate the Cyber security Risk Posed.pptx
How to Mitigate the Cyber security Risk Posed.pptxHow to Mitigate the Cyber security Risk Posed.pptx
How to Mitigate the Cyber security Risk Posed.pptx
 
Running Head SECURITY AWARENESSSecurity Awareness .docx

Database Security Analysis

University College Cork
IS6156 Databases for Management Information Systems
Analysing the breaches in Database security at YONS Ltd and evaluating the security options available
Submitted by: Brendan Mc Sweeney, Senior Database Administrator
Student Number: 114223513
Submitted to: Dr. Ciara Heavin
Submission Date: 2/2/15

Table of Contents
1. Introduction ..... 3
2. Reasons for breaches in database security ..... 4
3. Data Security Solutions ..... 7
3.1 Basic Data Security Measures ..... 7
3.1.1 FIA Software ..... 7
3.1.2 Data Handling Policy ..... 7
3.1.3 Data Encryption ..... 8
3.2 Intermediate Data Security Measures ..... 8
3.2.1 Thin/lean Clients ..... 8
3.2.2 Data Loss Prevention (DLP) Software ..... 9
3.3 Advanced Data Security Measures ..... 9
3.3.1 Activism ..... 9
4. Recommendations ..... 10
5. References ..... 12
1. Introduction

With the increasing value of data at YONS Ltd, we have been subject to unauthorised attacks on our data over the last 18 months; as a result, this report was commissioned to analyse the recent breaches in our database security. It has emerged that confidential staff data concerning salary details has been disclosed internally to staff and shareholders, and that vital customer data relating to bank details has also been obtained externally by our rivals. Database security is our last line of defence; once it is penetrated we are left vulnerable to further attacks, so it is of the utmost importance that we implement measures to secure our vital data. The overall aim of this report is to analyse the reasons behind the breaches in our databases, suggest measures to prevent database breaches and ultimately propose an effective database security strategy for potential implementation. In order to sustain our growth and success, especially in online gaming, it is important that we become more attentive to database security. In recent times both internal and external attacks on data have been difficult to detect due to the sophisticated nature of the attacks; following the commission of this report, I hope that our overall database security is given a higher priority in order to prevent breaches and loss of data, which could otherwise result in a loss of competitive advantage in the future.
2. Reasons for breaches in database security

Database security is implemented in many organisations to ensure all company data is protected (Spam Laws, 2015). The database at YONS Ltd was compromised on many occasions over the last 18 months, for a variety of reasons which may include the following.

YONS Ltd may be implementing a very basic database security policy which only uses detective controls such as auditing and monitoring; 20% of organisations implement similar database security policies (Forrester, 2012). Companies tend to allocate 8-10% of their IT budget to security, which incidentally focuses more on application and network level security than on database security (Forrester, 2012). This may highlight the low priority that database security is given at YONS Ltd.

In many cases database security solutions are implemented in isolation, so the database security may consist of products from many vendors; the lack of integration by a single vendor leaves significant gaps in security which may leave YONS Ltd vulnerable to attacks on its database (Forrester, 2012).

YONS Ltd may have a lack of internal controls such as training and education, which may lead to breaches in database security. Based on a study conducted by Imperva (2014), 75% of organisations experienced staff related breaches in their database because the security policy was not fully understood by all members of staff; furthermore, it was identified that 54% of small businesses did not have a training policy in place to inform staff about data security risks.

YONS Ltd may also be subject to input/SQL injection attacks, which target traditional database systems by inserting malicious or unauthorised statements (Imperva, 2014).

At YONS Ltd members of staff may be abusing their database privileges; additionally, former members of staff may still have access rights to the database, which may result in a rival company obtaining vital data (Imperva, 2014). An unpatched or misconfigured database may leave YONS Ltd vulnerable to attacks which attackers can easily exploit. This is a common problem for Oracle users: 28% of users never apply a critical patch update or are unaware whether they have done so, while another 10% take a year or longer to apply patch updates (Imperva, 2014).
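The input/SQL injection attack named above, and the fix a DBA would apply, shown as an added example (this is not code from the report or from any YONS Ltd system): a customer lookup built by string concatenation beside the same lookup using a bound parameter, both run against a constructed in-memory SQLite table with hypothetical rows. The concatenated form lets the textbook `' OR '1'='1` value rewrite the statement and return every row; the parameterised form treats the same value as plain data and returns nothing.

```python
import sqlite3


def build_sample_db():
    """Constructed sample table standing in for a customer table (hypothetical rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, iban TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, iban) VALUES (?, ?)",
        [("alice", "IE00TEST0000000000000001"),
         ("bob", "IE00TEST0000000000000002"),
         ("carol", "IE00TEST0000000000000003")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by concatenation: whatever the caller supplies becomes SQL."""
    sql = "SELECT username, iban FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Binds the value as a parameter: the input can never change the statement's shape."""
    sql = "SELECT username, iban FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Row counts returned by each lookup for a normal and a hostile input."""
    conn = build_sample_db()
    normal = "alice"
    # The classic textbook input: not a username, but a fragment the vulnerable
    # lookup splices into its WHERE clause.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),     # 1 row
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),   # every row leaks
        "safe_normal": len(lookup_parameterised(conn, normal)),  # 1 row
        "safe_hostile": len(lookup_parameterised(conn, hostile)),  # 0 rows
    }


if __name__ == "__main__":
    print(demo())
```

The database firewall mentioned in the recommendations can block a statement whose shape differs from what the application normally issues, but parameterised queries remove the defect at its source and should be the first fix.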
(Figure 1)

Hacking is another data security breach which is a regular occurrence in many organisations. Hackers generally obtain unauthorised access to a computer network by installing malicious software, or malware, on the network to obtain vital company information such as credit card numbers; furthermore, hackers can gain unauthorised access to a computer network through manipulation of an organisation's security software. According to figure 1, 51% of data security attacks were due to hacking (Clifton, 2009). It is highly likely that YONS Ltd has been subject to hacking over the last 18 months, as hacking generally continues for months if not years.

Social engineering is a non-technical cause of a data security breach which YONS Ltd may also have been exposed to. According to figure 1, 17% of attacks were completed through fraud or social engineering. This tactic relies heavily on human interaction: social engineers typically convince authorised personnel of an organisation to break data security procedures and provide them with information, which is generally obtained through phishing e-mails and by creating a fake business to convince the organisation that they are legitimate (Clifton, 2009). Phishing e-mails are prevalent in obtaining sensitive information and may be another highly possible reason for the breaches in data security at YONS Ltd; this was particularly rampant in the United States in 2003, with 255,000 cases of identity theft attributed to phishing e-mails (Spam Laws, 2015).
Based on these reasons, Clifton (2009) goes on to identify the possible suspects in figure 2 below: 81% of attacks were completed by malicious outsiders, 17% by malicious insiders who deliberately attacked an organisation's database, and 2% by unintentional insiders who accidentally caused a database security breach. YONS Ltd can easily rectify unintentional attacks on its database through training and education of staff; the other attacks can potentially be addressed using the methods in the following section.

(Figure 2)
3. Data Security Solutions

According to Clifton (2009) there are three levels of data security measures, listed in figure 3, which could potentially be implemented by YONS Ltd.

(Figure 3)

3.1 Basic Data Security Measures

Due to its ease of use and affordability this level of data security measures could be easily implemented by YONS Ltd. The potential options available are outlined in figure 3.

3.1.1 FIA Software

A firewall, intrusion detection and regular patch updates, in combination with FIA anti-virus software, can provide suitable network security against hackers and other unauthorised users (Clifton, 2009).

3.1.2 Data Handling Policy

The aim of a data handling policy is to provide rules about all aspects of personal data. The organisation subsequently relays this information to its employees through training, which further educates employees about data handling rules, the value of data to the company, the data security measures in place and the social engineering methods used by unauthorised users or hackers (Clifton, 2009).
3.1.3 Data Encryption

This security option uses mathematical algorithms to render a network message unreadable to unauthorised users (Spam Laws, 2015). Authorised users can decrypt these messages through a username and password (Clifton, 2009). The two categories of data encryption are symmetric and asymmetric (Spam Laws, 2015).

Symmetric Data Encryption

This category uses a private key shared between sender and recipient to encrypt and decrypt a message (Diaa Salama, 2010). The most common symmetric data encryption algorithm is DEA (Data Encryption Algorithm), which complies with DES (Data Encryption Standard); it is recommended to use this algorithm for large volumes of data (Spam Laws, 2015).

Asymmetric Data Encryption

Asymmetric data encryption schemes such as Diffie-Hellman use both a private key and a public key (Spam Laws, 2015). The public key is used for the encryption of a message while the private key is used to decrypt it (Diaa Salama, 2010). The public key can be used by anyone to encrypt a message, while decrypting it can only be done by the owner of the private key (Spam Laws, 2015).

3.2 Intermediate Data Security Measures

Given the rather negligent data security measures currently in place at YONS Ltd, data security and the protection of personal data should become a high priority. Implementing both the basic and the intermediate data security measures outlined in figure 3 above should ensure that personal data at YONS Ltd is not compromised in the future.

3.2.1 Thin/lean Clients

Thin or lean clients run in web browsers or on remote desktop software within a client-server network architecture. A central server processes both inputs and outputs, so the thin client keeps only the personal data that it needs and the remaining personal data can be stored on the central server or in the data centre (Clifton, 2009).
3.2.2 Data Loss Prevention (DLP) Software

This software detects and prevents malicious insiders from copying and sending personal data without authorisation. The functions of DLP software are carried out in both an online mode and an offline mode (Clifton, 2009).

Offline Mode

This mode uses three techniques to determine who the regular users of a document are: manual marking of documents, keyword-based automated search of documents, and automated search for edited documents which contain the authorised signatures of the original document (Clifton, 2009).

Online Mode

Users of DLP software must ensure that they abide by the data handling policy when sharing and using personal data; when there is a violation, the DLP software automatically blocks the use and sharing of the personal data (Clifton, 2009).

3.3 Advanced Data Security Measures

This level of data security measures comes into play once the lower levels explained above and illustrated in figure 3 are satisfied. At an advanced level, web pages can be hacked and personal data can ultimately be compromised (Clifton, 2009).

3.3.1 Activism

In order to prevent web page hacking, YONS Ltd can enlist a community of internet vigilantes, at no cost, to help avert web page hacking (Clifton, 2009).
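The three offline-mode techniques of section 3.2.2 and the online-mode block, as an added example that is not code from the report or from any DLP product: a manual classification marking, a keyword and pattern search, and a word-shingle "signature" that still recognises an edited copy of a marked document after its marking line has been removed. All documents, the internal mail domain `yons.example`, the keyword list and the 0.3 similarity threshold are constructed for the example.

```python
import re

# Constructed sample documents (hypothetical content, not from the report).
SALARY_ORIGINAL = (
    "CLASSIFICATION: CONFIDENTIAL\n"
    "Payroll summary Q4. Staff salary bands were reviewed by HR. "
    "Senior DBA salary 68000 EUR. Bonus pool 120000 EUR."
)
EDITED_COPY = (  # marking line stripped, one figure changed, a sentence added
    "Payroll summary Q4 (draft). Staff salary bands were reviewed by HR. "
    "Senior DBA salary 68000 EUR. Bonus pool 125000 EUR. Added note."
)
CUSTOMER_EXPORT = ("Customer bank details export: "
                   "IE12TEST0000000000000099, IE34TEST0000000000000100")
NEWSLETTER = ("Monthly newsletter: the canteen menu has changed "
              "and the car park is being resurfaced.")

# Technique 1: a marking placed in the document by its owner.
MANUAL_MARK = re.compile(r"^CLASSIFICATION:\s*(CONFIDENTIAL|RESTRICTED)", re.M)
# Technique 2: keyword- and pattern-based search (constructed lists).
KEYWORDS = ("salary", "payroll", "bank details")
IBAN_LIKE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def shingles(text, k=5):
    """Overlapping k-word windows: the document's signature for technique 3."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def similarity(a, b):
    """Jaccard overlap of two signatures (0.0 unrelated, 1.0 identical)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 0.0


def classify(doc, marked_originals, derived_threshold=0.3):
    """Offline mode: the reasons a document counts as personal/confidential data."""
    reasons = []
    if MANUAL_MARK.search(doc):
        reasons.append("manual marking")
    low = doc.lower()
    if any(k in low for k in KEYWORDS) or IBAN_LIKE.search(doc):
        reasons.append("keyword/pattern match")
    # Technique 3: an edited copy still carries most of the original's signature.
    for name, original in marked_originals.items():
        if similarity(doc, original) >= derived_threshold:
            reasons.append(f"derived from marked document '{name}'")
    return reasons


def may_share(doc, recipient, marked_originals, internal_domain="yons.example"):
    """Online mode: block classified content addressed outside the internal domain."""
    reasons = classify(doc, marked_originals)
    external = not recipient.lower().endswith("@" + internal_domain)
    return (not (reasons and external)), reasons


if __name__ == "__main__":
    marked = {"payroll_q4": SALARY_ORIGINAL}
    for doc in (SALARY_ORIGINAL, EDITED_COPY, CUSTOMER_EXPORT, NEWSLETTER):
        print(may_share(doc, "someone@competitor.example", marked))
```

The shingle check is what catches the edited copy: it shares 10 of 25 five-word windows with the marked original (similarity 0.4), so it is blocked from leaving the domain even though its marking line is gone, while the newsletter passes.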
4. Recommendations

Based on the options I outlined in the previous section, I believe YONS Ltd should implement each level of data security illustrated in figure 3, from bottom to top, to ultimately form a comprehensive database security strategy. The strategy should use a single vendor for all database security systems to ensure cost effectiveness and integration throughout the organisation (Forrester, 2012). YONS Ltd must ensure that it implements each database security level to a satisfactory standard in order to protect itself from unauthorised users. A comprehensive database security strategy should proactively protect data from both internal and external attacks by securing all databases. In order to successfully implement such a strategy, YONS Ltd should follow the three key pillars approach identified by Forrester (2012) and illustrated in figure 4 below.

Foundation                                        Detection                 Prevention
Discovery and Classification                      Auditing                  Encryption
Authentication, authorization and access control  Monitoring                Data Masking
Patch Management                                  Vulnerability Assessment  Database Firewall

(Figure 4)

Foundation Pillar

This pillar identifies which databases YONS Ltd should focus on, and enables authentication, authorisation and access control measures to ensure only authorised users gain access to a database. Additionally, YONS Ltd should regularly apply patch updates to ensure that it does not leave itself vulnerable to attacks by unauthorised users.

Detection Pillar

Auditing can be used by YONS Ltd to detect any data inconsistencies as well as to track the access rights of users. Database security monitoring provides real-time intrusion protection to ensure that the database is protected from unauthorised users. Additionally, a vulnerability assessment report can be produced to provide information on database weaknesses such as weak passwords and excessive access rights.
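The detection pillar in practice, as an added example that is not code from the report or from any vendor product; it also covers the privilege abuse and former-staff access rights discussed in section 2. It runs three checks over constructed data: an access review of a hypothetical account inventory (excessive roles, disabled accounts that still hold rights), a monitoring pass over a constructed audit-log extract (activity by disabled accounts, bulk reads of sensitive tables, especially out of hours), and a basic password policy check of the kind a vulnerability scanner applies. The log format, role names, table names and the `COMMON_PASSWORDS` list are all assumptions made for the example.

```python
from datetime import datetime

# Constructed account inventory (hypothetical users and roles, not YONS Ltd data).
ACCOUNTS = {
    "dba_admin": {"job": "Senior DBA", "roles": {"DBA", "SELECT_ANY"}, "active": True},
    "hr_clerk":  {"job": "HR Clerk", "roles": {"READ_HR", "SELECT_ANY"}, "active": True},
    "j_former":  {"job": "Sales", "roles": {"READ_CUSTOMERS"}, "active": False},
    "web_app":   {"job": "Application", "roles": {"READ_CUSTOMERS", "WRITE_ORDERS"}, "active": True},
}
# Roles that only DBA staff are meant to hold (assumption for the example).
PRIVILEGED_ROLES = {"DBA", "SELECT_ANY"}

# Constructed audit-log extract in a simple key=value format (hypothetical events).
AUDIT_LOG = """\
2015-01-20T09:12:03 user=hr_clerk action=SELECT table=hr.salaries rows=12
2015-01-20T23:41:10 user=j_former action=LOGIN result=success
2015-01-20T23:42:55 user=j_former action=SELECT table=customers.bank_details rows=48000
2015-01-21T10:05:00 user=web_app action=SELECT table=customers rows=1
2015-01-21T02:15:30 user=hr_clerk action=SELECT table=customers.bank_details rows=9500
"""


def parse_audit(text):
    """Turn each log line into a dict; purely numeric fields become ints."""
    events = []
    for line in text.splitlines():
        stamp, *fields = line.split()
        event = {"time": datetime.fromisoformat(stamp)}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = int(value) if value.isdigit() else value
        events.append(event)
    return events


def review_privileges(accounts):
    """Access review: excessive rights held by non-DBA staff, and stale accounts."""
    findings = []
    for user, acct in accounts.items():
        excess = acct["roles"] & PRIVILEGED_ROLES
        if excess and "DBA" not in acct["job"]:
            findings.append((user, "excessive privileges", sorted(excess)))
        if not acct["active"] and acct["roles"]:
            findings.append((user, "former staff still holds rights", sorted(acct["roles"])))
    return findings


def detect_suspicious_access(events, accounts, bulk_rows=1000):
    """Monitoring: disabled accounts in use, and bulk reads of sensitive tables."""
    alerts = []
    for ev in events:
        acct = accounts.get(ev["user"])
        if acct is None or not acct["active"]:
            alerts.append((ev["user"], "activity by disabled or unknown account", ev["action"]))
            continue
        if ev["action"] == "SELECT" and ev.get("rows", 0) >= bulk_rows:
            off_hours = ev["time"].hour < 7 or ev["time"].hour >= 20
            if off_hours or "bank_details" in ev.get("table", ""):
                alerts.append((ev["user"], "bulk read of sensitive data", ev["table"]))
    return alerts


# Constructed list of passwords a scanner would treat as known-weak.
COMMON_PASSWORDS = {"password", "welcome1", "yons2015", "oracle", "admin123"}


def weak_password(password, username):
    """Vulnerability assessment: the reasons a candidate password fails basic policy."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    if username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    print(review_privileges(ACCOUNTS))
    print(detect_suspicious_access(parse_audit(AUDIT_LOG), ACCOUNTS))
    print(weak_password("Welcome1", "hr_clerk"))
```

Against the sample data the access review flags the HR clerk's SELECT_ANY role and the disabled sales account that still has rights, and the monitoring pass raises three alerts: two for the disabled account logging in and reading bank details, and one for an out-of-hours bulk read by the HR clerk. The first finding and the last alert describe the same control gap from two pillars, which is why the report recommends implementing them together.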
Prevention Pillar

The main aim of this pillar is to prevent unauthorised access to, and exposure of, private company data. The preventative measures include data encryption to protect the data stored in an organisation's production database, data masking to protect an organisation's non-production databases, and a database firewall, which provides real-time protection from SQL injection attacks and blocks unauthorised access to a database in real time.
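The data masking measure of the prevention pillar, as an added example that is not code from the report or from any masking product: a constructed staff table (the salary and bank-detail fields the report says were breached) is copied for a non-production environment with names replaced by a keyed, deterministic pseudonym, IBANs reduced to country code and last four characters, and salaries replaced by a band. The HMAC key, the `STAFF-` token prefix, the band width and the rows are all assumptions for the example; keeping the pseudonym deterministic means joins between masked tables still line up.

```python
import hashlib
import hmac

# Constructed production rows (hypothetical staff records, not data from the report).
PRODUCTION_ROWS = [
    {"staff_id": 1001, "name": "Alice Murphy", "iban": "IE29TEST93115212345678", "salary": 52000},
    {"staff_id": 1002, "name": "Bob O'Neill", "iban": "IE64TEST93115287654321", "salary": 71000},
    {"staff_id": 1001, "name": "Alice Murphy", "iban": "IE29TEST93115212345678", "salary": 52000},
]

# Hypothetical masking key: in practice generated per environment and kept out of
# the non-production copy, so the tokens cannot be reversed there.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(value, key):
    """Keyed, deterministic token: same input and key give the same token,
    so referential integrity survives masking, but the name cannot be recovered
    from the token without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "STAFF-" + digest[:10].upper()


def mask_iban(iban):
    """Keep the country code and the last four characters, blank the rest."""
    return iban[:2] + "*" * (len(iban) - 6) + iban[-4:]


def salary_band(salary, width=10000):
    """Replace an exact figure with its band, which is enough for most test scenarios."""
    low = (salary // width) * width
    return f"{low}-{low + width - 1}"


def mask_rows(rows, key):
    """Produce the non-production copy of a row set."""
    return [{
        "staff_id": row["staff_id"],
        "name": pseudonym(row["name"], key),
        "iban": mask_iban(row["iban"]),
        "salary": salary_band(row["salary"]),
    } for row in rows]


def leaks_original(masked, originals):
    """Gate before a copy leaves production: no original sensitive value may survive."""
    sensitive = set()
    for row in originals:
        sensitive |= {row["name"], row["iban"], str(row["salary"])}
    return any(str(v) in sensitive for row in masked for v in row.values())


if __name__ == "__main__":
    copy = mask_rows(PRODUCTION_ROWS, DEMO_KEY)
    for row in copy:
        print(row)
    print("leaks original values:", leaks_original(copy, PRODUCTION_ROWS))
```

Masking is for copies that leave the production boundary; the production database itself is the encryption measure's job, and the two should not be confused, since a masked copy is not meant to be reversible at all.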
5. References

Clifton, P. (2009). Protecting organisations from personal data breaches. Computer Fraud & Security, 13-18. Amsterdam: Elsevier.

Diaa Salama, A. E. (2010). Evaluating the Performance of Symmetric Encryption Algorithms. International Journal of Network Security, 213-219.

Forrester, C. (2012). Formulate a database security strategy to ensure investments will actually prevent data breaches and satisfy regulatory requirements. Cambridge, USA: Forrester Research Inc.

Imperva. (2014). Top Ten Database Threats.

Spam Laws. (2015). Retrieved January 23, 2015, from Spam Laws: http://www.spamlaws.com/