ASSIGNMENT 2
CPT307 LOGICAL DATABASE DESIGN
ASADHU SHUJAAU (000033475)
WORD COUNT: 2487
MAY 7, 2015
Faculty of Science
Table of Contents
1.0 Abstract
2.0 Introduction
3.0 Key issues on database security today
  3.1 Privilege Abuse
  3.2 SQL Injection
  3.3 Weak Authentication
  3.4 Platform Vulnerabilities
  3.5 Malware
  3.6 Weak Auditing
  3.7 Deployment Failure
4.0 How to solve the key issues
5.0 Losses faced by database when it comes to security
6.0 My opinion
7.0 Conclusion
Bibliography
1.0 Abstract
This paper is about database security. It looks into the key security issues that databases face today. These include privilege abuse, weak authentication, platform vulnerabilities, SQL injection, malware, weak auditing and deployment failures. It then looks into solutions for each of the security issues described, discussing the security measures that help overcome each one. Next, the losses faced by databases when it comes to security are explained. These include loss of data, manipulation of data and corporate losses. As the writer, my own opinion is included before concluding this paper.
2.0 Introduction
In today’s world, millions of pieces of data are shared, collected and retained every day. Privacy and security are great concerns, as most of this data is stored and shared digitally. The content that users share and companies collect is stored in databases located in different areas of the world.
The main cause of data security issues lies in the databases themselves. This is evident from the growing number of reported events of loss, theft or exposure of sensitive information (Murray, 2010). Before moving on to the topic of database security issues and solutions, it is first necessary to understand what database security is about.
In a journal article, Murray (2010) states that database security should provide controlled and protected access to information stored within databases. Furthermore, it is stated that a database should preserve the integrity and consistency, along with the overall quality, of the data that is stored.
This paper will look into the key database security challenges that are common today. Before moving on to the solutions for these issues, the next section will briefly explain each identified issue and why it is risky. After that, the losses faced by databases due to security issues will be highlighted. My own opinion about database security, as the writer, is included as well before concluding with the overall findings and judgements about the areas of database security concerned.
3.0 Key issues on database security today
3.1 Privilege Abuse
Sometimes databases are set up in such a way that users can access features of the database that they do not necessarily need all the time. This may lead to privilege abuse, whereby a user uses his or her rights for illegal or dishonest purposes.
Stonecypher (2010) gives a great example to explain this issue. He states that a database administrator in a financial business such as a bank can use his rights to create fake accounts and also transfer money from one account to another if he wishes to.
The above example is one where a user abuses the privilege intentionally. Stonecypher (2010) goes further by giving an example of how privilege can be abused unintentionally as well. In the case of a company offering a “work from home” option to its staff, an employee may take a backup of sensitive data while working from home, so that he or she can work easily without accessing the company network every time. This violates the security policies of the company and will result in a data security breach if the employee’s home system is compromised.
3.2 SQL Injection
SQL injection is a web attack method used by hackers to target databases. This technique can be used to steal sensitive corporate data via online platforms. It can be said that this is one of the most common methods used to breach database security today. The attack becomes possible due to improper coding of web applications, which allows hackers to inject SQL commands through input fields on forms such as a login form (acunetix, 2015).
Goldman (2014) has written about cyber-attacks by CyberVor, a Russian gang of fewer than a dozen hackers who stole billions of usernames and passwords. He writes that research was conducted in order to identify the vulnerabilities of websites, whereby they found that “over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites' databases.”
Furthermore, to underline the severity of this issue, in another article Goldman (2014) states that in 2013 alone two thirds of U.S. companies were breached by SQL injection. This alone shows that it is a major database security issue.
3.3 Weak Authentication
A lot of databases allow the creation of users with short, weak passwords. This makes the application and database more prone to attacks. As Shulman (2006) says, weak authentication can help attackers disguise themselves as authentic users of the database by stealing or otherwise obtaining the login credentials of users with weak authentication. Attackers use different techniques to take advantage of weak authentication in systems used by companies.
An attacker can use guesswork or enumeration of possible username and password combinations. This technique is called brute forcing, and it is done mostly by using a specialized application. An attacker may also present themselves as company IT staff over the phone in order to gain credentials from employees of the company. This method is called social engineering, which uses trust as a weapon. It becomes possible because only a few security matters are taken into consideration when authenticating users of the database (Shulman, 2006).
Think of the impact if a bank uses weak authentication for its online users. It might lead to the bank losing its customers and customers losing the money deposited in their bank accounts. Hence, this issue can have a severe outcome if left unsolved.
3.4 Platform Vulnerabilities
Databases can be affected by vulnerabilities in the operating system they run on, for example UNIX, Linux or Windows. Due to bugs in the platform, services related to the database may allow unauthorized access (Stonecypher, 2010).
For example, Shulman (2006) mentions the Blaster Worm, which took advantage of a Windows 2000 vulnerability to create denial of service conditions. For such reasons, platform vulnerabilities lead to database security issues.
3.5 Malware
The platform vulnerabilities section above gave an example of malware that used a platform vulnerability to create denial of service conditions. Malware is another serious issue that exposes databases to cyber threats. Unlike the other issues, malware can be used to automate exploitation of the points mentioned above and a few more. Attackers use such malicious software to steal information and/or sabotage or damage the entire database system (Paganini, n.d.).
Paganini (n.d.) mentions that, in November 2013, Symantec released a security alert about malware that could damage corporate databases and that wipes out the infected PC’s hard disk. The malware was called W32.Narilam.
3.6 Weak Auditing
According to Shulman (2006), recording of sensitive and unusual database transactions should be part of the database's foundation before it is deployed. This is to ensure better auditing. The following are threats faced due to weak auditing, as mentioned by Shulman (2006).
- Weak database audits are against government regulatory policies. This applies to many countries, although it might not apply to all.
- There is no forensic evidence with which to track intruders.
- Better audits lead to better detection and recovery. They help to pinpoint the origin of the attack and to know which account was used to access the database, so that action can be taken accordingly. Without a good audit, this will not be possible.
3.7 Deployment Failure
Lane (2013) describes deployment failure as the most common database vulnerability. He mentions that all databases are tested for what they should do functionally, but many fail to verify that the database is not doing something it should not. Databases should be tested against all kinds of criteria before they are deployed. Database platforms are insecure after a fresh installation. They have problems such as default accounts with default passwords, which everyone who uses databases knows very well. These remain the same until they are manually configured and changed. If left as they are, they can be exploited by attackers for unauthorized access to the database.
4.0 How to solve the key issues
This section discusses solutions for the problems described in the previous section. It is divided into paragraphs, each relating to one of the issues above. Solutions are discussed in the same order as the issues.
First of all, privilege abuse can be addressed by implementing SecureSphere’s Dynamic Profiling technology. This application automatically creates a model of the context surrounding normal database interactions. It can tell the time of day, the IP address, the volume of data retrieved and the application client used to access the database. When users access and retrieve too much information, or attempt unauthorized tasks, SecureSphere triggers an alert (Shulman, 2006).
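The idea of profiling normal interactions and alerting on deviations can be sketched as follows. This is an added example, not SecureSphere's algorithm or code from the cited sources; the session history, the account name `teller1` and the three-sigma volume limit are assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed history of normal sessions:
# (user, hour of day, source IP, client application, rows retrieved)
HISTORY = [
    ("teller1", 9,  "10.0.1.20", "branch-app", 40),
    ("teller1", 10, "10.0.1.20", "branch-app", 55),
    ("teller1", 14, "10.0.1.20", "branch-app", 35),
    ("teller1", 16, "10.0.1.20", "branch-app", 60),
    ("teller1", 11, "10.0.1.20", "branch-app", 50),
]

def build_profiles(history):
    """Learn, per user, the hours, addresses, clients and volumes seen so far."""
    profiles = {}
    for user, hour, ip, client, rows in history:
        p = profiles.setdefault(
            user, {"hours": set(), "ips": set(), "clients": set(), "rows": []})
        p["hours"].add(hour)
        p["ips"].add(ip)
        p["clients"].add(client)
        p["rows"].append(rows)
    return profiles

def check(profiles, event, sigma=3):
    """Return the reasons an event deviates from the user's profile ([] if none)."""
    user, hour, ip, client, rows = event
    p = profiles.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if not min(p["hours"]) <= hour <= max(p["hours"]):
        reasons.append("unusual hour")
    if ip not in p["ips"]:
        reasons.append("new source address")
    if client not in p["clients"]:
        reasons.append("new client application")
    # Volume limit: mean plus `sigma` standard deviations (assumed rule);
    # the floor of 1.0 avoids a zero-width band when all volumes are equal.
    limit = mean(p["rows"]) + sigma * max(pstdev(p["rows"]), 1.0)
    if rows > limit:
        reasons.append("volume above baseline")
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print(check(profiles, ("teller1", 13, "10.0.1.20", "branch-app", 52)))
    print(check(profiles, ("teller1", 2, "192.0.2.44", "sql-console", 5000)))
```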
As Osborne (2013) says, SQL injection can be prevented by protecting online databases with firewalls. However, acunetix (2015) says it is not enough just to use firewalls. In addition to firewall protection, when building web applications, inputs should be cleaned of SQL strings that can cause issues in the database. This is called sanitizing.
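The example below, added here and not taken from the cited sources, contrasts the improper coding described in section 3.2 with parameter binding. Parameter binding is a different technique from stripping SQL strings out of input: it keeps input as data, so legitimate values such as a name containing an apostrophe are not mangled. The table, account and inputs are constructed, and SQLite stands in for the production database.

```python
import sqlite3

def make_db():
    """In-memory database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Constructed row; a real system would store a salted password hash.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret-pass"))
    return conn

def login_concatenated(conn, username, password):
    """Improper coding: form input becomes part of the SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Input is bound as data and can never alter the statement."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def attempt(login, conn, username, password):
    """Run one login; report True, False, or 'error' if the SQL itself broke."""
    try:
        return login(conn, username, password)
    except sqlite3.OperationalError:
        return "error"

def demo():
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed input typed into the password field
    results = {}
    for name, login in (("concatenated", login_concatenated),
                        ("parameterized", login_parameterized)):
        results[name] = {
            "valid": attempt(login, conn, "alice", "s3cret-pass"),
            "wrong": attempt(login, conn, "alice", "guess"),
            "crafted": attempt(login, conn, "alice", crafted),
            "apostrophe": attempt(login, conn, "o'brien", "guess"),
        }
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With concatenation the crafted password is accepted and the apostrophe in a harmless name breaks the statement; with binding both are simply rejected as wrong credentials.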
In order to overcome weak authentication, the strongest practical authentication should be used. Two-factor authentication is preferred where possible. Strong usernames and passwords can also be used to overcome this issue. Sometimes even these measures might not be enough. In such cases, logging failed sign-in attempts can help identify possible cyber-attacks (Shulman, 2006).
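How logged sign-in failures can be turned into alerts is shown in this added example, which is not from the cited sources. The log format, the sample lines and the threshold of five failures in one minute are assumptions; failures are counted both per account and per source address, so that guessing against one account and enumeration across many accounts are both caught.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp user source-ip result"
SAMPLE_LOG = """\
2015-05-07T09:00:00 bob 10.0.0.5 FAIL
2015-05-07T09:00:20 bob 10.0.0.5 FAIL
2015-05-07T09:00:41 bob 10.0.0.5 OK
2015-05-07T09:05:00 alice 203.0.113.9 FAIL
2015-05-07T09:05:03 alice 203.0.113.9 FAIL
2015-05-07T09:05:06 alice 203.0.113.9 FAIL
2015-05-07T09:05:09 alice 203.0.113.9 FAIL
2015-05-07T09:05:12 alice 203.0.113.9 FAIL
2015-05-07T09:10:00 carol 198.51.100.7 FAIL
2015-05-07T09:10:05 dave 198.51.100.7 FAIL
2015-05-07T09:10:10 erin 198.51.100.7 FAIL
2015-05-07T09:10:15 frank 198.51.100.7 FAIL
2015-05-07T09:10:20 grace 198.51.100.7 FAIL
"""

def parse(line):
    """Split one log line into (datetime, user, source IP, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result

def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert once per account or source that reaches `threshold` failures
    inside a sliding `window`. Returns (time, kind, value, count) tuples."""
    recent = defaultdict(deque)   # (kind, value) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = parse(line)
        if result != "FAIL":
            continue
        for key in (("user", user), ("source", ip)):
            failures = recent[key]
            failures.append(ts)
            # Drop failures that have fallen out of the window.
            while ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((ts.isoformat(), key[0], key[1], len(failures)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two mistyped passwords from `bob` raise no alert, while the spread of single failures from `198.51.100.7` is caught only by the per-source count.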
Platform vulnerabilities can be addressed by keeping the system updated regularly. This ensures the system has the latest patches for bug fixes and other security updates. Having a secure password on the platform itself can also help minimize the risk of platform vulnerabilities. In addition, encrypting the data stored in databases can help prevent further damage in case of a platform breach.
In the case of malware, companies and other database users need to have a strong anti-virus program that will help to identify and eliminate the malware. These anti-virus programs need to be up to date at all times in order to identify and eliminate the latest threats. Keeping database backups in a safer offline environment can help restore the database in case of a malware takeover (Paganini, n.d.).
The following are ways to overcome weak auditing, as suggested by Shulman (2006). Quality network-based audit applications address flaws associated with the audit tools built into the database. Network-based audit tools help improve auditing along with improved database performance. These audit tools are separate from the database, hence they are invulnerable to privilege elevation attacks. They also work across different platforms. This helps reduce server costs, load-balancing and administrative costs, while at the same time delivering better security.
Testing database software against different criteria can help overcome deployment failures. Existing default accounts should be removed or changed to have a different name and a strong password. Hiring experts for testing can help minimize the risks that come with failure in database deployment.
5.0 Losses faced by database when it comes to security
This section discusses the different losses faced by databases due to unhandled security issues that exist within the database. Different issues can cause different types of database losses related to the three constructs of databases, the CIA: confidentiality, integrity and availability. Each is discussed separately in this section.
Sometimes, as mentioned in the previous section, Denial of Service attacks take place due to improper security measures. This kind of attack restricts access to network applications or data for actual users (Shulman, 2006). This can mean the database facing unexpected downtime. From the point of view of a corporate firm serving thousands of customers every day, this can be a huge loss, as it can lead to loss of customers and profits for the company and a lot of time being wasted on resolving the issue.
Another loss that a database can face is loss of the data itself. As previously mentioned, there is malware that targets systems to wipe their hard disks clean (Paganini, n.d.). Hard disks are mainly used to store everything that is on a computer system, and this includes databases. If anti-virus programs are not used, or other proper measures like backups are not in place, databases can lose huge amounts of data, and in the worst case scenario they can be destroyed fully. For huge businesses this might mean losing sensitive information about customers, projects, employees, etc. This in turn means losing the database’s availability, or identification and recovery from hardware and software applications (Murray, 2010).
Database data leaks are another issue faced due to weak security measures. Data can be stolen through online attacks or by stealing backups, access to which can be gained by different means, for example from an employee's system at a “work from home” company. Moreover, it can be done by an employee within the company as well (Stonecypher, 2010). This affects the confidentiality, or protection of data from unauthorized disclosure (Murray, 2010).
Last but not least, another loss faced by databases when it comes to security is unauthorized manipulation of data within a database. This can be done through SQL injection, or through Denial of Service attacks, which give attackers time to perform other types of operations on the database. Privilege abuse can also lead to data manipulation. This affects the integrity of the information present in the database, making it untrustworthy.
6.0 My opinion
As the writer, in my opinion there are some issues of database security that can be solved easily. For example, platform vulnerabilities can be solved by anyone by simply having the system on auto update. Also, almost everyone familiar with computers today is familiar with anti-virus programs. Hence issues like these can be resolved easily. However, some issues need specialists. For example, SQL injections cannot be solved by people without programming knowledge, and database configurations can be corrected by experts in the field. So in order to have the best security measures, the best expertise is also needed.
Furthermore, it might not always be possible to protect a database from attacks; in such cases, having proper security measures will help bring the database back on track in the least amount of time.
Other than the above, it is also worth mentioning that although the issues discussed are the database security issues present today, the future might show new threats that arise with new technologies. When the relational database model gets deprecated and object-oriented databases take over, it is bound to bring security issues of its own along with it.
7.0 Conclusion
This paper looked into the most common security issues present today in database security. With the help of the identified security issues, the suggested solutions can be implemented by companies to safeguard their content stored on databases.
The explanations given by different authors about different security issues were understandable, and the examples presented were related to cases that have happened or are likely to happen. This helps in understanding possible breaches due to different kinds of vulnerabilities in the database. The database security issues discussed here can be used while setting up databases so that they are ready in terms of security before going forward.
As mentioned earlier, technology is evolving rapidly. It might be a good idea to think about possible future security issues that come along with changes to database management systems. Although such changes may solve some problems, they might also bring others.
Bibliography
Acunetix. (2015). SQL Injection: What is it? Retrieved from acunetix: https://www.acunetix.com/websitesecurity/sql-injection/
Goldman, J. (2014, August 6). CyberVor Breach Exposes 1.2 Billion User Names, Passwords. Retrieved from eSecurity Planet: http://www.esecurityplanet.com/hackers/cybervor-breach-exposes-1.2-billion-user-names-passwords.html
Lane, A. (2013, June 23). 10 Most Common Security Vulnerabilities In Enterprise Databases. Retrieved from Dark Reading: http://www.darkreading.com/risk/10-most-common-security-vulnerabilities-in-enterprise-databases/d/d-id/1139979?
Murray, M. C. (2010). Database Security: What Students Need to Know. (A. Scime, Ed.) Journal of Information Technology Education: Innovations in Practice, 9, 62-77.
Osborne, C. (2013, June 26). The top ten most common database security vulnerabilities. Retrieved from ZDNET: http://www.zdnet.com/article/the-top-ten-most-common-database-security-vulnerabilities/
Paganini, P. (n.d.). Databases - Vulnerabilities, Costs of Data Breaches and Countermeasures. Retrieved from Infosec Institute: http://resources.infosecinstitute.com/databases-vulnerabilities-costs-of-data-breaches-and-countermeasures/
Shulman, A. (2006). Top Ten Database Security Threats. Retrieved from www.schell.com/Top_Ten_Database_Threats.pdf
Stonecypher, L. (2010, January 14). Threats to Database Security. Retrieved from Bright Hub: http://www.brighthub.com/computing/smb-security/articles/61554.aspx