SlideShare a Scribd company logo

Database security issues

n|u - The Open Security Community
n|u - The Open Security Community

null Mumbai Chapter - June 2013 Meet

EducationTechnology
1 of 21
Download to read offline
Ravi Kant Rai Database Security Issues
Major Security Vulnerabilities  Bugs in database software components (e.g. buffer overflows) left un-patched  Lack of network isolation (external and internal)  Improper security configuration  Use of default user accounts and passwords  Use of null passwords  Excessive privileges
Major Threats  ApplicationVulnerability  Internal Employees
Mitigating Risk ApplicationVulnerabilities
Default username Password  While Default Installation of Database there are default username/password created Vendor username Password Oracle HR HR My sql ROOT Ms sql-server SA SA
Exploitation
Exploitation
Audit  Oracle Database 11g now offers a way to quickly identify users with default passwords, implemented in the rather ludicrously simple way of checking a single data dictionary view  DBA_USERS_WITH_DEFPWD
Solution Lock all Default username and passwords Password Policy must be in place for all users Lockout policies Password life time must be configured
Least Privilege  Least Privilege account should be allocated to all application user.  It will Mitigate risk of data loss.
Privileges
Public Privileges ORACLE FUNCTIONS Oracle supplies over 1,000 functions in about 175 standard database packages that potentially can be exploited in a SQL injection attack. SELECTTRANSLATE('' || UTL_HTTP.REQUEST('http://192.168.1.1/') || '', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789') FROM dual;
Auditing  For Oracle’s built-in auditing functionality, you must not only determine the rationale behind the turning on of auditing, but also the level of auditing and its impact on system resources. Oracle auditing gets turned on as soon as you set theAUDIT_TRAIL we can audit the following:  Statement Auditing: Audits on the type of SQL statement used, such as any SQL statement on a table.  Privilege Auditing: Audits use of a particular system privilege, such as CREATETABLE  Object: Audits specific statements on specific objects such as ALTER PROFILE on the DEFAULT profile.
Architecture Review (Oracle)
Secure Network Architecture
Application Security Solution
Major Threat  SQL Injection  A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application  A successful SQL injection exploit can read sensitive data from the database, modify database  SQL Injection attacks occur when the data entered in the application is from an untrusted source and that same data is used to dynamically construct a SQL Query.
SQL Injection
Error
Solution  Error BasedTrigger could be a solution for SQL Injection.  The most powerful protection against SQL injection attacks is the use of bind variables.  Every passed string parameter should be validated.  The PL/SQL Gateway can be configured to display varying levels of error messages.
Thanks

Recommended

Database security
Database securityDatabase security
Database securityBirju Tank
 
Database security
Database securityDatabase security
Database securityMaryamAsghar9
 
Database security
Database securityDatabase security
Database securitySoftware Engineering
 
Transaction management DBMS
Transaction management DBMSTransaction management DBMS
Transaction management DBMSMegha Patel
 
1 - Introduction to PL/SQL
1 - Introduction to PL/SQL1 - Introduction to PL/SQL
1 - Introduction to PL/SQLrehaniltifat
 
Database security
Database securityDatabase security
Database securityCAS
 
Security of the database
Security of the databaseSecurity of the database
Security of the databasePratik Tamgadge
 
Database security
Database securityDatabase security
Database securityMurchana Borah
 

Recommended

Database security
Database securityDatabase security
Database securityBirju Tank
 
Database security
Database securityDatabase security
Database securityMaryamAsghar9
 
Database security
Database securityDatabase security
Database securitySoftware Engineering
 
Transaction management DBMS
Transaction management DBMSTransaction management DBMS
Transaction management DBMSMegha Patel
 
1 - Introduction to PL/SQL
1 - Introduction to PL/SQL1 - Introduction to PL/SQL
1 - Introduction to PL/SQLrehaniltifat
 
Database security
Database securityDatabase security
Database securityCAS
 
Security of the database
Security of the databaseSecurity of the database
Security of the databasePratik Tamgadge
 
Database security
Database securityDatabase security
Database securityMurchana Borah
 
Database security
Database securityDatabase security
Database securityArpana shree
 
DB security
DB security DB security
DB securityERSHUBHAM TIWARI
 
Database Security
Database SecurityDatabase Security
Database SecurityShingalaKrupa
 
Security in distributed systems
Security in distributed systems Security in distributed systems
Security in distributed systems Haitham Ahmed
 
Database Security
Database SecurityDatabase Security
Database Securityalraee
 
Database security
Database securityDatabase security
Database securityafzaalkhalid1
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql databasegourav kottawar
 
Types of attacks
Types of attacksTypes of attacks
Types of attacksVivek Gandhi
 
11. Storage and File Structure in DBMS
11. Storage and File Structure in DBMS11. Storage and File Structure in DBMS
11. Storage and File Structure in DBMSkoolkampus
 
Dbms relational model
Dbms relational modelDbms relational model
Dbms relational modelChirag vasava
 
2. Entity Relationship Model in DBMS
2. Entity Relationship Model in DBMS2. Entity Relationship Model in DBMS
2. Entity Relationship Model in DBMSkoolkampus
 
1. Introduction to DBMS
1. Introduction to DBMS1. Introduction to DBMS
1. Introduction to DBMSkoolkampus
 
Rdbms
RdbmsRdbms
RdbmsMuhammad Adeel Rajput
 
Software security
Software securitySoftware security
Software securityRoman Oliynykov
 
Object Oriented Database Management System
Object Oriented Database Management SystemObject Oriented Database Management System
Object Oriented Database Management SystemAjay Jha
 
Database backup & recovery
Database backup & recoveryDatabase backup & recovery
Database backup & recoveryMustafa Khan
 
Security Attacks.ppt
Security Attacks.pptSecurity Attacks.ppt
Security Attacks.pptZaheer720515
 
Database administrator
Database administratorDatabase administrator
Database administratorTech_MX
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network SecurityJohn Ely Masculino
 
Cost estimation for Query Optimization
Cost estimation for Query OptimizationCost estimation for Query Optimization
Cost estimation for Query OptimizationRavinder Kamboj
 
Database Security
Database SecurityDatabase Security
Database SecurityFerdous Pathan
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Securityamiable_indian
 

More Related Content

What's hot

Security in distributed systems
Security in distributed systems Security in distributed systems
Security in distributed systems Haitham Ahmed
 
Database Security
Database SecurityDatabase Security
Database Securityalraee
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql databasegourav kottawar
 
11. Storage and File Structure in DBMS
11. Storage and File Structure in DBMS11. Storage and File Structure in DBMS
11. Storage and File Structure in DBMSkoolkampus
 
Dbms relational model
Dbms relational modelDbms relational model
Dbms relational modelChirag vasava
 
2. Entity Relationship Model in DBMS
2. Entity Relationship Model in DBMS2. Entity Relationship Model in DBMS
2. Entity Relationship Model in DBMSkoolkampus
 
1. Introduction to DBMS
1. Introduction to DBMS1. Introduction to DBMS
1. Introduction to DBMSkoolkampus
 
Object Oriented Database Management System
Object Oriented Database Management SystemObject Oriented Database Management System
Object Oriented Database Management SystemAjay Jha
 
Database backup & recovery
Database backup & recoveryDatabase backup & recovery
Database backup & recoveryMustafa Khan
 
Security Attacks.ppt
Security Attacks.pptSecurity Attacks.ppt
Security Attacks.pptZaheer720515
 
Database administrator
Database administratorDatabase administrator
Database administratorTech_MX
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network SecurityJohn Ely Masculino
 
Cost estimation for Query Optimization
Cost estimation for Query OptimizationCost estimation for Query Optimization
Cost estimation for Query OptimizationRavinder Kamboj
 

What's hot (20)

Database security
Database securityDatabase security
Database security
 
DB security
DB security DB security
DB security
 
Database Security
Database SecurityDatabase Security
Database Security
 
Security in distributed systems
Security in distributed systems Security in distributed systems
Security in distributed systems
 
Database Security
Database SecurityDatabase Security
Database Security
 
Database security
Database securityDatabase security
Database security
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql database
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
 
11. Storage and File Structure in DBMS
11. Storage and File Structure in DBMS11. Storage and File Structure in DBMS
11. Storage and File Structure in DBMS
 
Dbms relational model
Dbms relational modelDbms relational model
Dbms relational model
 
2. Entity Relationship Model in DBMS
2. Entity Relationship Model in DBMS2. Entity Relationship Model in DBMS
2. Entity Relationship Model in DBMS
 
1. Introduction to DBMS
1. Introduction to DBMS1. Introduction to DBMS
1. Introduction to DBMS
 
Rdbms
RdbmsRdbms
Rdbms
 
Software security
Software securitySoftware security
Software security
 
Object Oriented Database Management System
Object Oriented Database Management SystemObject Oriented Database Management System
Object Oriented Database Management System
 
Database backup & recovery
Database backup & recoveryDatabase backup & recovery
Database backup & recovery
 
Security Attacks.ppt
Security Attacks.pptSecurity Attacks.ppt
Security Attacks.ppt
 
Database administrator
Database administratorDatabase administrator
Database administrator
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
 
Cost estimation for Query Optimization
Cost estimation for Query OptimizationCost estimation for Query Optimization
Cost estimation for Query Optimization
 

Viewers also liked

Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Securityamiable_indian
 
The Challenges & Pitfalls of Database Continuous Delivery
The Challenges & Pitfalls of Database Continuous DeliveryThe Challenges & Pitfalls of Database Continuous Delivery
The Challenges & Pitfalls of Database Continuous DeliveryPerforce
 
Database administration and security
Database administration and securityDatabase administration and security
Database administration and securityDhani Ahmad
 
Database Design Slide 1
Database Design Slide 1Database Design Slide 1
Database Design Slide 1ahfiki
 
Database Management Systems (DBMS)
Database Management Systems (DBMS)Database Management Systems (DBMS)
Database Management Systems (DBMS)Dimara Hakim
 
Database administration and security
Database administration and securityDatabase administration and security
Database administration and securityMohd Arif
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)Craig Mullins
 
The technology of the Human Protein Reference Database (draft, 2003)
The technology of the Human Protein Reference Database (draft, 2003)The technology of the Human Protein Reference Database (draft, 2003)
The technology of the Human Protein Reference Database (draft, 2003)Kiran Jonnalagadda
 
An Overview of Security in Distributed Database Management System
An Overview of Security in Distributed Database Management SystemAn Overview of Security in Distributed Database Management System
An Overview of Security in Distributed Database Management SystemIJSRD
 
141118 Thales contributions and benefits
141118 Thales contributions and benefits141118 Thales contributions and benefits
141118 Thales contributions and benefitsSINTAS
 
Data base testing
Data base testingData base testing
Data base testingBugRaptors
 
Anchor data type,cursor data type,array data type
Anchor data type,cursor data type,array data typeAnchor data type,cursor data type,array data type
Anchor data type,cursor data type,array data typedhruv patel
 
33rd degree talk: open and automatic coding conventions with walkmod
33rd degree talk: open and automatic coding conventions with walkmod33rd degree talk: open and automatic coding conventions with walkmod
33rd degree talk: open and automatic coding conventions with walkmodwalkmod
 

Viewers also liked (15)

Database Security
Database SecurityDatabase Security
Database Security
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Security
 
Active database system
Active database systemActive database system
Active database system
 
The Challenges & Pitfalls of Database Continuous Delivery
The Challenges & Pitfalls of Database Continuous DeliveryThe Challenges & Pitfalls of Database Continuous Delivery
The Challenges & Pitfalls of Database Continuous Delivery
 
Database administration and security
Database administration and securityDatabase administration and security
Database administration and security
 
Database Design Slide 1
Database Design Slide 1Database Design Slide 1
Database Design Slide 1
 
Database Management Systems (DBMS)
Database Management Systems (DBMS)Database Management Systems (DBMS)
Database Management Systems (DBMS)
 
Database administration and security
Database administration and securityDatabase administration and security
Database administration and security
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)
 
The technology of the Human Protein Reference Database (draft, 2003)
The technology of the Human Protein Reference Database (draft, 2003)The technology of the Human Protein Reference Database (draft, 2003)
The technology of the Human Protein Reference Database (draft, 2003)
 
An Overview of Security in Distributed Database Management System
An Overview of Security in Distributed Database Management SystemAn Overview of Security in Distributed Database Management System
An Overview of Security in Distributed Database Management System
 
141118 Thales contributions and benefits
141118 Thales contributions and benefits141118 Thales contributions and benefits
141118 Thales contributions and benefits
 
Data base testing
Data base testingData base testing
Data base testing
 
Anchor data type,cursor data type,array data type
Anchor data type,cursor data type,array data typeAnchor data type,cursor data type,array data type
Anchor data type,cursor data type,array data type
 
33rd degree talk: open and automatic coding conventions with walkmod
33rd degree talk: open and automatic coding conventions with walkmod33rd degree talk: open and automatic coding conventions with walkmod
33rd degree talk: open and automatic coding conventions with walkmod
 

Similar to Database security issues

Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackIJRESJOURNAL
 
SQLCLR For DBAs and Developers
SQLCLR For DBAs and DevelopersSQLCLR For DBAs and Developers
SQLCLR For DBAs and Developerswebhostingguy
 
Dr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. HydeDr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. Hydewebhostingguy
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseModern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseWinWire Technologies Inc
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure worldGianluca Sartori
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 
Sql server 2008 r2 security overviewfor admins
Sql server 2008 r2 security overviewfor adminsSql server 2008 r2 security overviewfor admins
Sql server 2008 r2 security overviewfor adminsKlaudiia Jacome
 
Ppt dbsec-oow2013-avdf
Ppt dbsec-oow2013-avdfPpt dbsec-oow2013-avdf
Ppt dbsec-oow2013-avdfMelody Liu
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptCNSHacking
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptLokeshK66
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting startedNamgu Jeong
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Securityijsrd.com
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sqlKaustav Sengupta
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 

Similar to Database security issues (20)

SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - Newsletter
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
 
SQLCLR For DBAs and Developers
SQLCLR For DBAs and DevelopersSQLCLR For DBAs and Developers
SQLCLR For DBAs and Developers
 
Dr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. HydeDr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. Hyde
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseModern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure world
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0beta
 
Sql server 2008 r2 security overviewfor admins
Sql server 2008 r2 security overviewfor adminsSql server 2008 r2 security overviewfor admins
Sql server 2008 r2 security overviewfor admins
 
Ppt dbsec-oow2013-avdf
Ppt dbsec-oow2013-avdfPpt dbsec-oow2013-avdf
Ppt dbsec-oow2013-avdf
 
Sql security
Sql securitySql security
Sql security
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting started
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Security
 
Greensql2007
Greensql2007Greensql2007
Greensql2007
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sql
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Day2
Day2Day2
Day2
 
E017131924
E017131924E017131924
E017131924
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 

Recently uploaded (20)

Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 

Database security issues

  • 1. Ravi Kant Rai Database Security Issues
  • 2. Major Security Vulnerabilities  Bugs in database software components (e.g. buffer overflows) left un-patched  Lack of network isolation (external and internal)  Improper security configuration  Use of default user accounts and passwords  Use of null passwords  Excessive privileges
  • 5. Default username Password  While Default Installation of Database there are default username/password created Vendor username Password Oracle HR HR My sql ROOT Ms sql-server SA SA
  • 8. Audit  Oracle Database 11g now offers a way to quickly identify users with default passwords, implemented in the rather ludicrously simple way of checking a single data dictionary view  DBA_USERS_WITH_DEFPWD
  • 9. Solution Lock all Default username and passwords Password Policy must be in place for all users Lockout policies Password life time must be configured
  • 10. Least Privilege  Least Privilege account should be allocated to all application user.  It will Mitigate risk of data loss.
  • 12. Public Privileges ORACLE FUNCTIONS Oracle supplies over 1,000 functions in about 175 standard database packages that potentially can be exploited in a SQL injection attack. SELECTTRANSLATE('' || UTL_HTTP.REQUEST('http://192.168.1.1/') || '', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789') FROM dual;
  • 13. Auditing  For Oracle’s built-in auditing functionality, you must not only determine the rationale behind the turning on of auditing, but also the level of auditing and its impact on system resources. Oracle auditing gets turned on as soon as you set theAUDIT_TRAIL we can audit the following:  Statement Auditing: Audits on the type of SQL statement used, such as any SQL statement on a table.  Privilege Auditing: Audits use of a particular system privilege, such as CREATETABLE  Object: Audits specific statements on specific objects such as ALTER PROFILE on the DEFAULT profile.
  • 17. Major Threat  SQL Injection  A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application  A successful SQL injection exploit can read sensitive data from the database, modify database  SQL Injection attacks occur when the data entered in the application is from an untrusted source and that same data is used to dynamically construct a SQL Query.
  • 19. Error
  • 20. Solution  Error BasedTrigger could be a solution for SQL Injection.  The most powerful protection against SQL injection attacks is the use of bind variables.  Every passed string parameter should be validated.  The PL/SQL Gateway can be configured to display varying levels of error messages.