Database Security

(1)

(2)

Information is one of the most valuable assets in any organization.

(3)

Definition

Database security: the mechanisms that protect the database against intentional or accidental threats.


(4)

In actual terms, database security is to prevent the confidential data which is


(5)

Well-functioning organizations demand confidentiality for their databases. They do not allow illegitimate users to access their data/information. They also expect assurance that their data


(6)

Various security layers exist in a database:

• database administrator
• system admin
• security officer
• developers


(7)

Security can be violated at any of these layers by an


(8)

Attackers can be classified into 3 categories:

A. INTRUDER
B. INSIDER
C. ADMINISTRATOR


(9)

INTRUDER

An unauthorized user who improperly accesses a computer system and tries to fetch beneficial information is called an intruder.


(10)

INSIDER

A person who is one of the trusted users but abuses his/her authority and tries to get information beyond his own


(11)

ADMINISTRATOR

An authorized user who has permission to administer a computer system, but uses his/her administration privileges in violation of the organization's security policy.


(12)

(13)

Direct attacks

Directly hitting the target data is known as a direct attack. These attacks are feasible and successful only if the database does not have any protection system.


(14)

Indirect attacks

As its name implies, indirect attacks are not executed directly on the target; instead, data from or about the target is collected through other intermediate objects. To defeat the security system, combinations of different queries are used.


(15)

Passive attacks

In this, the attacker only inspects data present in the database and does not perform any


(16)

Active attack

Actual database values are modified, which can misguide a user.

Splicing: in this, a ciphertext value is replaced by a different ciphertext value.


(17)

Interruption: stopping a process that is running.

– Performing denial of service: shutting the database off from the Web application, thereby denying service to other users.

Interception: intercepting a process that is running.

– Determining the database schema: extracting data from the database to learn schema information, such as table names, column names, and column data types.


(18)

Modification: changing data without permission from the authority.

– Adding or modifying data: adding or changing information in the database.

Fabrication: fundamental damage to the main system.

– Injection through user input: the attacker injects SQL commands by supplying deliberately crafted user input.
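The "injection through user input" case above, as an added example that is not part of the original slides: the constructed `users` table and the `lookup_vulnerable` / `lookup_parameterized` functions are assumptions made for this demonstration. The vulnerable version splices the input into the SQL text, so a crafted value changes the WHERE clause and the query returns every row; the hardened version binds the input as a parameter, so the same value can only ever be compared against a name.

```python
import sqlite3

# Constructed sample data, not from the slides.
SAMPLE_ROWS = [
    (1, "alice", "alice-secret"),
    (2, "bob", "bob-secret"),
    (3, "carol", "carol-secret"),
]


def open_demo_db() -> sqlite3.Connection:
    """In-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user input becomes part of the SQL text, so it can
    change the statement's structure (the slide's injection through user input)."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the statement is fixed and the input is bound as a value,
    so whatever it contains is only ever compared against the name column."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign name and with a crafted input."""
    conn = open_demo_db()
    # Constructed input that tries to make the WHERE clause always true.
    crafted = "nobody' OR '1'='1"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "bob"),
        "benign_parameterized": lookup_parameterized(conn, "bob"),
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),      # every row leaks
        "crafted_parameterized": lookup_parameterized(conn, crafted),  # no such name: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The difference to look for is that the parameterized lookup treats the whole crafted string as one name value and finds nothing, whereas the concatenated query has been rewritten by the input. Parameter binding is the first-line fix; it is not a substitute for least-privilege database accounts, which limit what an injected statement could do if one slipped through.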


(19)

BUSINESS REQUIREMENT: COMPLIANCE

• DATA INTEGRITY: regulations designed to prevent fraud and ensure that data changes are appropriately managed.

• DATA CONFIDENTIALITY: regulations designed to protect personal, medical, and financial data from theft and exposure.


(20)

Government & industry regulations require organizations to protect regulated data from unauthorized access & changes.

REGULATION NAME | SECURITY REQUIREMENT
Payment Card Industry Data Security Standard (PCI DSS) | Requires that merchants track and monitor all access to cardholder data; secure audit trails so they can't be altered; remove/disable inactive user accounts at least every 90 days.
EU Privacy Directive | Protects personal data that is processed or transferred.
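An added example (not from the slides) of two of the PCI DSS requirements in the table above: an access log that cannot be altered without detection, built as a hash chain where every record carries the hash of its predecessor, and a check for accounts that have been inactive for more than 90 days. The table name `cardholder_data`, the actors, timestamps and login dates are all constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional

GENESIS = "0" * 64                                   # link value for the first record
FIELDS = ("actor", "action", "table", "row_id", "at")  # the logged content of a record


def link_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous link and the entry's canonical JSON form."""
    canonical = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditTrail:
    """Append-only access log; each record stores the hash of the one before it,
    so editing or dropping any record breaks every later link."""

    def __init__(self):
        self.records: List[dict] = []

    def append(self, actor: str, action: str, table: str, row_id: int, at: str) -> str:
        entry = dict(zip(FIELDS, (actor, action, table, row_id, at)))
        prev = self.records[-1]["hash"] if self.records else GENESIS
        entry["prev"] = prev
        entry["hash"] = link_hash(prev, entry)
        self.records.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Index of the first record whose link does not check out, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != link_hash(prev, rec):
                return i
            prev = rec["hash"]
        return None


def stale_accounts(last_login: dict, now: datetime, max_days: int = 90) -> list:
    """User names whose last login is older than max_days (the slide's 90-day rule)."""
    cutoff = now - timedelta(days=max_days)
    return sorted(user for user, seen in last_login.items() if seen < cutoff)


def demo() -> dict:
    trail = AuditTrail()
    trail.append("app_svc", "SELECT", "cardholder_data", 42, "2024-05-30T10:00:00Z")
    trail.append("dba1", "UPDATE", "cardholder_data", 42, "2024-05-30T10:05:00Z")
    trail.append("app_svc", "SELECT", "cardholder_data", 7, "2024-05-30T10:06:00Z")
    intact = trail.verify()
    # Constructed tampering: record 1 is rewritten to hide who changed row 42.
    trail.records[1]["actor"] = "app_svc"
    tampered_at = trail.verify()

    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    last_login = {  # constructed last-login dates
        "alice": datetime(2024, 5, 20, tzinfo=timezone.utc),
        "bob": datetime(2024, 1, 15, tzinfo=timezone.utc),
        "svc_batch": datetime(2024, 2, 28, tzinfo=timezone.utc),
    }
    return {"intact": intact, "tampered_at": tampered_at,
            "to_disable": stale_accounts(last_login, now)}


if __name__ == "__main__":
    print(demo())
```

The chain only proves anything if the latest hash is kept where the people being audited cannot rewrite it (for example, shipped to a separate log store as each record is written); an administrator who can edit the table and recompute every later link would otherwise leave no trace. The inactive-account check is meant to run on a schedule and feed a disable or removal step, not to decide anything by itself.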


(21)

DATABASE SECURITY REQUIREMENT

ORGANIZATIONS MUST IMPLEMENT A COMPREHENSIVE DATABASE SECURITY STRATEGY


(22)

DISCOVER & CLASSIFY SENSITIVE DATA

IDENTIFYING ALL SENSITIVE DATA WILL HELP ORGANIZATIONS PRIORITIZE RISK
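An added example (not from the slides) of the discovery step above: walk every table and column in a database, sample the stored values, and label a column as sensitive when most of its values look like an e-mail address or a Luhn-valid payment card number. The `customers` and `orders` tables and their rows are constructed for the demonstration; 4111111111111111 and 5500000000000004 are well-known test numbers, not real cards. Classification is by content, not by column name, so a column called `pay_ref` is still found.

```python
import re
import sqlite3
from typing import Dict, Optional, Tuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PAN_RE = re.compile(r"^\d{13,19}$")

# Constructed sample tables (not from the slides).
CUSTOMERS = [
    ("alice@example.com", "4111 1111 1111 1111", "Springfield"),
    ("bob@example.com", "5500000000000004", "Shelbyville"),
    ("carol@example.com", None, "Ogdenville"),
]
ORDERS = [("A-1001", "shipped", 12.5), ("A-1002", "pending", 7.0)]


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value) -> Optional[str]:
    """Return 'email', 'pan' or None for a single stored value."""
    if not isinstance(value, str):
        return None
    if EMAIL_RE.match(value):
        return "email"
    compact = value.replace(" ", "").replace("-", "")   # tolerate common PAN formatting
    if PAN_RE.match(compact) and luhn_ok(compact):
        return "pan"
    return None


def discover(conn: sqlite3.Connection, sample_size: int = 100) -> Dict[Tuple[str, str], str]:
    """Label (table, column) pairs where more than half of the sampled
    non-null values fall into one sensitive class."""
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # Identifiers come from the catalogue; they are quoted, not parameterized.
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            values = [r[0] for r in conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT {int(sample_size)}')]
            if not values:
                continue
            labels = [classify_value(v) for v in values]
            for label in ("pan", "email"):
                if labels.count(label) * 2 > len(values):
                    findings[(table, col)] = label
    return findings


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, pay_ref TEXT, city TEXT)")
    conn.execute("CREATE TABLE orders (order_no TEXT, status TEXT, amount REAL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def demo() -> Dict[Tuple[str, str], str]:
    return discover(open_demo_db())


if __name__ == "__main__":
    for (table, col), label in sorted(demo().items()):
        print(f"{table}.{col}: {label}")
```

The output is the inventory the slide asks for: which relations hold regulated data, so that access controls, auditing and encryption effort can be prioritized there first. Sampling a bounded number of rows per column keeps the scan cheap on large tables; a production scanner would add more detectors (national IDs, medical codes) and record where each hit was found.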


(23)

USER RIGHTS MANAGEMENT

Organizations should limit user rights to data to ‘business need-to-know’. This helps reduce and better control the risk of a data breach.


(24)

Database & Application Attack

Prevention

To protect database data, organizations should identify, and optionally block,

an intelligent Web application firewall to provide the first line of defense against


(25)

Security Levels On Relational Databases

Relation

The user is allowed or not allowed to access a relation directly.

Read Authorization

The user is allowed to read the data, but cannot modify it.

Insert Authorization

The user is allowed to add new data, but cannot modify existing data.


(26)

Security Levels On Relational Databases

Update Authorization

The user is allowed to modify the data, but cannot delete it.

Delete Authorization
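An added example (not from the slides) of enforcing the read, insert, update and delete levels above on a single relation. SQLite has no GRANT statement, so the authorizer hook of Python's standard sqlite3 module stands in for what a server RDBMS does with GRANT SELECT/INSERT/UPDATE/DELETE ON a table TO a user: SQLite calls the hook once for each table or column access while a statement is compiled, and the hook answers allow or deny. The `accounts` table, the user names and the `POLICY` grants are constructed for the demonstration; anything the policy does not explicitly grant, including schema changes, is denied.

```python
import sqlite3

# Constructed policy: which of the four levels each user holds on 'accounts'.
POLICY = {
    "auditor": {"read"},
    "clerk": {"read", "insert"},
    "teller": {"read", "update"},
    "dba": {"read", "insert", "update", "delete"},
}

# Statement-level actions every session may perform; they touch no data by themselves.
ALWAYS_OK = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_SAVEPOINT}

# SQLite's per-access actions mapped onto the slide's four authorization levels.
LEVEL_FOR_ACTION = {
    sqlite3.SQLITE_READ: "read",      # a column is read (SELECT, or a WHERE / SET expression)
    sqlite3.SQLITE_INSERT: "insert",
    sqlite3.SQLITE_UPDATE: "update",  # one call per column being set
    sqlite3.SQLITE_DELETE: "delete",
}


def make_authorizer(user: str):
    grants = POLICY.get(user, set())

    def authorize(action, table, column, dbname, trigger):
        if action in ALWAYS_OK:
            return sqlite3.SQLITE_OK
        level = LEVEL_FOR_ACTION.get(action)
        if level is not None and table == "accounts" and level in grants:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY   # deny by default, which also covers all DDL
    return authorize


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [(1, "alice", 100), (2, "bob", 50)])
    conn.commit()
    return conn


def attempt(conn: sqlite3.Connection, user: str, sql: str) -> str:
    """Run sql as user and report whether the authorizer let it through."""
    conn.set_authorizer(make_authorizer(user))
    try:
        conn.execute(sql).fetchall()
        conn.commit()
        return "allowed"
    except sqlite3.DatabaseError:   # "not authorized" is raised while the statement compiles
        conn.rollback()
        return "denied"


def demo() -> dict:
    conn = open_db()
    checks = [
        ("auditor", "select", "SELECT id, owner, balance FROM accounts"),
        ("auditor", "insert", "INSERT INTO accounts (owner, balance) VALUES ('carol', 0)"),
        ("clerk", "insert", "INSERT INTO accounts (owner, balance) VALUES ('carol', 0)"),
        ("clerk", "update", "UPDATE accounts SET balance = balance + 10 WHERE id = 1"),
        ("teller", "update", "UPDATE accounts SET balance = balance + 10 WHERE id = 1"),
        ("teller", "delete", "DELETE FROM accounts WHERE id = 2"),
        ("dba", "delete", "DELETE FROM accounts WHERE id = 2"),
        ("dba", "drop", "DROP TABLE accounts"),   # not one of the four levels: denied
    ]
    return {(user, op): attempt(conn, user, sql) for user, op, sql in checks}


if __name__ == "__main__":
    for (user, op), result in demo().items():
        print(f"{user:8} {op:7} {result}")
```

Two points worth noticing: update authorization on its own is not enough to run a realistic UPDATE, because the WHERE clause and the SET expression read columns, so the teller also holds read; and the dba, who holds all four levels, is still refused DROP TABLE, because the policy grants data access, not schema ownership. That is the business need-to-know limit from the earlier slide expressed as an enforceable rule rather than a guideline.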

