System Security
-Bharat P. Patil
-M. Sc. C.S. Part II
-64
Database Security
Introduction
• Database Security
What Is Database Security?
Database: a collection of information stored in a computer.
Security: being free from danger.
Database Security: the set of mechanisms that protect the database against intentional or accidental threats.
OR
Protection from malicious attempts to steal (view) or modify data.
Three Main Aspects
1. Secrecy
2. Integrity
3. Availability
Secrecy
• Protecting the database from unauthorized users.
• Ensures that users are allowed to do what they are trying to do.
• For example:
– Employees should not be able to see the salaries of their managers.
Integrity
• Protecting the database from incorrect actions by authorized users.
• Ensures that what users are trying to do is correct.
• For example:
– An employee should be able to modify his or her own information.
Availability
• Authorized users should be able to access data for legal purposes as necessary.
• For example:
– Payment orders regarding taxes must be made on time, as required by tax law.
Importance of Data
• Bank/Demat accounts
• Credit card, Salary, Income tax data
• University admissions, marks/grades
• Land records, licenses
• Data = crown jewels for organizations
Importance of Data (contd…)
• Recent headlines:
– Personal information of millions of credit card users stolen
• Laws on privacy in the US
• Theft of US data in India
– Criminal gangs get into identity theft
– Earlier this year in Mumbai
• Hackers steal credit card data using a card reader and make fraudulent purchases
• Hacker creates a fake Web site to phish for credit card information
– Auto-rickshaw license fraud in New Delhi
Overview
• Levels of data security
• Authorization in databases
• Application Vulnerabilities
• Summary
Levels of Data Security
• Human level: corrupt or careless users.
• Network/user interface.
• Database application program.
• Database system.
• Operating system.
• Physical level.
Physical/OS Security
• Physical level
– Traditional lock-and-key security.
– Protection from floods, fire, etc.
• E.g. WTC (9/11), fires in IITM, WWW conf website, etc.
– Protection from administrator error
• E.g. deleting critical files.
– Solution
• Remote backup for disaster recovery.
• Plus archival backup (e.g. DVDs/tapes).
• Operating system level
– Protection from virus/worm attacks is critical.
Security at the Database/Application Program
• Authentication and authorization mechanisms to allow specific users access only to the data they require
• Authentication: who are you? Prove it!
• Authorization: what are you allowed to do?
Database vs. Application
• The application authenticates/authorizes its users
• The application itself authenticates to the database
– Database password
[Diagram: Application Program ↔ Database]
User Authentication
• Password
– Most users abuse passwords. For example:
• Easy-to-guess passwords
• Sharing passwords with others
• Smartcards
– Need the smartcard
– plus a PIN or password
[Photo: Bill Gates]
User Authentication
• Central authentication systems allow users to be authenticated centrally
– LDAP or MS Active Directory are often used for central authentication and user management in organizations
• Single sign-on: authenticate once, and access multiple applications without fresh authentication
– Microsoft Passport, Pubcookie, etc.
– Avoids a plethora of passwords
– The password is given only to the central site, not to the applications.
Overview
• Levels of data security
• Authorization in databases
• Application Vulnerabilities
• Summary
Authorization
• Different authorizations for different users
– Accounts clerk vs.
– Accounts manager vs.
– End users
Database/Application Security
• Ensure that only authenticated users can access the system.
• And that they can access (read/update) only the data/interfaces they are authorized to access.
Limitations of SQL Authorization
• SQL does not support authorization at the tuple (row) level
– E.g. we cannot restrict students to seeing only (the tuples storing) their own grades.
• Web applications are the dominant users of databases
– Application end users don't have database user ids; they are all mapped to the same database user id.
– Database access control therefore provides only a very coarse application-level access control.
Access Control in Application Layer
• Authorization in the application layer vs. the database layer
– Benefits
• Fine-grained authorizations, such as to individual tuples, can be implemented by the application.
• Authorizations based on business logic are easier to code at the application level.
– Drawbacks
• Authorization must be done in application code, and may be dispersed all over an application.
• Hard to check or modify authorizations.
• Checking for the absence of authorization loopholes becomes very difficult, since it requires reading large amounts of application code.
– Need a good via media (middle ground).
Privacy
• Aggregate information about private information can be very valuable
– E.g. identification of epidemics, mining for patterns (e.g. disease causes), etc.
• Privacy-preserving data release
– E.g. in the US, many organizations released “anonymized” medical data, with names removed but zip code (= pin code), sex and date of birth retained
• It turns out that the above (zip code, sex, date of birth) uniquely identify most people!
– Correlate the anonymized data with (say) electoral data containing the same information
Privacy (contd…)
– Recent problems at America Online
• Released search history, apparently anonymized, but users could be easily identified in several cases
– Several top officials were fired
– Earlier problems revealed the medical history of the Massachusetts state governor.
• Not yet a criminal issue, but lawsuits have happened
• Conflict with the Right To Information Act
– Many issues still to be resolved.
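The zip code / sex / date of birth re-identification risk described on the previous slide can be measured before a release goes out. The following added example (not from the slides) computes the k-anonymity of a constructed sample release over those three quasi-identifiers, then generalizes them (zip to a 3-digit prefix, date of birth to year) and shows the uniqueness disappearing; the records and the k threshold are constructed for the illustration.

```python
"""k-anonymity check over the quasi-identifiers (zip, sex, dob).

Constructed example: names are gone, but each record still carries zip code,
sex and date of birth. If that triple is unique within the release it is
also likely unique in public registers (electoral rolls), so the record can
be re-identified. We measure that, then generalize and re-measure.
"""
from __future__ import annotations

from collections import Counter

QUASI_IDS = ("zip", "sex", "dob")

# Constructed sample release; no real people.
RELEASE = [
    {"zip": "400076", "sex": "F", "dob": "1985-03-12", "diagnosis": "flu"},
    {"zip": "400076", "sex": "F", "dob": "1985-03-12", "diagnosis": "asthma"},
    {"zip": "400077", "sex": "M", "dob": "1990-07-01", "diagnosis": "flu"},
    {"zip": "400078", "sex": "M", "dob": "1990-11-20", "diagnosis": "diabetes"},
    {"zip": "400001", "sex": "F", "dob": "1972-01-05", "diagnosis": "flu"},
    {"zip": "400002", "sex": "F", "dob": "1972-09-30", "diagnosis": "flu"},
]


def equivalence_classes(rows, keys=QUASI_IDS) -> Counter:
    """Group records by their quasi-identifier tuple; value = class size."""
    return Counter(tuple(r[k] for k in keys) for r in rows)


def k_anonymity(rows, keys=QUASI_IDS) -> int:
    """Smallest class size: every record is hidden among at least k records."""
    return min(equivalence_classes(rows, keys).values())


def unique_fraction(rows, keys=QUASI_IDS) -> float:
    """Share of records whose quasi-identifier tuple appears exactly once."""
    classes = equivalence_classes(rows, keys)
    singletons = sum(size for size in classes.values() if size == 1)
    return singletons / len(rows)


def generalize(row, zip_prefix=3, dob_to_year=True) -> dict:
    """Coarsen the quasi-identifiers; the sensitive column is left untouched."""
    g = dict(row)
    z = row["zip"]
    g["zip"] = z[:zip_prefix] + "*" * (len(z) - zip_prefix)
    if dob_to_year:
        g["dob"] = row["dob"][:4]
    return g


def release_if_safe(rows, k_min: int, keys=QUASI_IDS):
    """Return rows (generalized if needed) once they satisfy k >= k_min, else None."""
    if k_anonymity(rows, keys) >= k_min:
        return list(rows)
    coarse = [generalize(r) for r in rows]
    return coarse if k_anonymity(coarse, keys) >= k_min else None


if __name__ == "__main__":
    print("raw:  k =", k_anonymity(RELEASE), "unique =", unique_fraction(RELEASE))
    coarse = [generalize(r) for r in RELEASE]
    print("gen.: k =", k_anonymity(coarse), "unique =", unique_fraction(coarse))
```

On the sample, four of six raw records are singletons (k = 1); after generalization every record shares its quasi-identifiers with one other (k = 2), so a matching electoral record no longer points at a single person.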
Overview
• Levels of data security
• Authorization in databases
• Application Vulnerabilities
• Summary
Application Security
• Applications are often the biggest source of insecurity
– Poor coding of an application may allow unauthorized access.
– Application code may be very large, so it is easy to make mistakes and leave security holes.
– Very large attack surface.
• Used in fewer places
– Some security by obfuscation.
– Lots of holes due to poor/hasty programming.
OWASP Top 10 Web Security Vulnerabilities
1. Unvalidated input.
2. Broken access control.
3. Broken account/session management.
4. Cross-site scripting (XSS) flaws.
5. Buffer overflows.
6. (SQL) Injection flaws.
7. Improper error handling.
8. Insecure storage.
9. Denial-of-service.
10. Insecure configuration management.
Passwords in Scripts
• E.g.: file1.jsp (or a .java or other source file) located in a publicly accessible area of the web server
– Intruder looks for http://<urlpath>/file1.jsp~
• or .jsp.swp, etc.
– If the jsp has the database user id/password in clear text, big trouble
• Happened at IITB
• Morals
– Never store scripts (java/jsp) in an area accessible over http
– Never store passwords in scripts; keep them in config files
– Never store config files in any web-accessible area
– Restrict database access to only trusted clients
• At port level, or using database-provided functionality
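Two deployment checks that follow from the morals above, as an added example (not from the slides): credentials are read from a config file that is refused if it lies under the web root, and the web root is scanned for editor backup/swap copies and stray config files that a web server would hand out as plain text. The directory layout, file names and PLACEHOLDER password are constructed for the illustration.

```python
"""Deployment checks for the "passwords in scripts" problem.

Constructed example. Check 1: database credentials come from a config file
that must live OUTSIDE the web-accessible document root. Check 2: the
document root contains no editor backup or swap copies (file1.jsp~,
.file1.jsp.swp) and no config files, since a web server serves those as
plain text instead of executing them.
"""
from __future__ import annotations

import configparser
import tempfile
from pathlib import Path

# Suffixes that mark a stray copy, or a config the server would serve raw.
BACKUP_SUFFIXES = ("~", ".swp", ".bak", ".orig")
CONFIG_SUFFIXES = (".ini", ".properties", ".conf")


def is_under(path: Path, root: Path) -> bool:
    """True if path lies inside root after resolving symlinks and '..'."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def load_db_credentials(config_path: Path, web_root: Path) -> dict[str, str]:
    """Read [database] user/password, refusing any config inside the web root."""
    if is_under(config_path, web_root):
        raise PermissionError(
            f"{config_path} is web-accessible; move it outside {web_root}"
        )
    cfg = configparser.ConfigParser()
    if not cfg.read(config_path):
        raise FileNotFoundError(config_path)
    return {"user": cfg["database"]["user"],
            "password": cfg["database"]["password"]}


def find_exposed_files(web_root: Path) -> list[str]:
    """Relative paths under web_root that would leak source or secrets."""
    hits = []
    for p in web_root.rglob("*"):
        if p.is_file() and p.name.endswith(BACKUP_SUFFIXES + CONFIG_SUFFIXES):
            hits.append(p.relative_to(web_root).as_posix())
    return sorted(hits)


def build_sample_site() -> tuple[Path, Path]:
    """Constructed layout in a temp dir: returns (web_root, config outside it)."""
    base = Path(tempfile.mkdtemp())
    app = base / "htdocs" / "app"
    app.mkdir(parents=True)
    (app / "file1.jsp").write_text("<html>ok</html>\n")
    # Stray editor artefacts a careless deploy leaves behind (constructed):
    (app / "file1.jsp~").write_text('<% String pw = "PLACEHOLDER"; %>\n')
    (app / ".file1.jsp.swp").write_bytes(b"vim swap file")
    ini = "[database]\nuser = app\npassword = PLACEHOLDER\n"
    (base / "htdocs" / "db.ini").write_text(ini)   # wrong place: web-accessible
    good = base / "etc" / "db.ini"                 # right place: outside htdocs
    good.parent.mkdir()
    good.write_text(ini)
    return base / "htdocs", good


if __name__ == "__main__":
    web_root, cfg = build_sample_site()
    print("exposed:", find_exposed_files(web_root))
    print("user:", load_db_credentials(cfg, web_root)["user"])
```

Running find_exposed_files as a post-deploy step catches the file1.jsp~ case from the slide before an outsider does; the config check fails closed rather than silently reading a web-served file.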
Overview
• Levels of data security
• Authorization in databases
• Application Vulnerabilities
• Summary
Summary
• Data security is critical.
• It requires security at different levels.
• Several technical solutions exist.
• But human training is essential.

More Related Content

What's hot

Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)Sam Bowne
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Twitter sentiment-analysis Jiit2013-14
Twitter sentiment-analysis Jiit2013-14Twitter sentiment-analysis Jiit2013-14
Twitter sentiment-analysis Jiit2013-14Rachit Goel
 
Sentiment Analysis in Twitter
Sentiment Analysis in TwitterSentiment Analysis in Twitter
Sentiment Analysis in TwitterAyushi Dalmia
 
Unit 5 testing -software quality assurance
Unit 5  testing -software quality assuranceUnit 5  testing -software quality assurance
Unit 5 testing -software quality assurancegopal10scs185
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Sentiment Analysis of Twitter Data
Sentiment Analysis of Twitter DataSentiment Analysis of Twitter Data
Sentiment Analysis of Twitter DataSumit Raj
 
Password strength svm
Password strength svmPassword strength svm
Password strength svmSunil Rm
 
Cryptography & network security atul kahate free download
Cryptography & network security atul kahate free downloadCryptography & network security atul kahate free download
Cryptography & network security atul kahate free downloadNaveen Gouda
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9koolkampus
 

What's hot (20)

Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Twitter sentiment-analysis Jiit2013-14
Twitter sentiment-analysis Jiit2013-14Twitter sentiment-analysis Jiit2013-14
Twitter sentiment-analysis Jiit2013-14
 
Database security
Database securityDatabase security
Database security
 
loaders and linkers
 loaders and linkers loaders and linkers
loaders and linkers
 
Timestamp protocols
Timestamp protocolsTimestamp protocols
Timestamp protocols
 
Sentiment Analysis in Twitter
Sentiment Analysis in TwitterSentiment Analysis in Twitter
Sentiment Analysis in Twitter
 
Security testing
Security testingSecurity testing
Security testing
 
Unit 5 testing -software quality assurance
Unit 5  testing -software quality assuranceUnit 5  testing -software quality assurance
Unit 5 testing -software quality assurance
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
Sentiment Analysis of Twitter Data
Sentiment Analysis of Twitter DataSentiment Analysis of Twitter Data
Sentiment Analysis of Twitter Data
 
Cs8791 cloud computing introduction new
Cs8791  cloud computing introduction newCs8791  cloud computing introduction new
Cs8791 cloud computing introduction new
 
Password strength svm
Password strength svmPassword strength svm
Password strength svm
 
Sql injection
Sql injectionSql injection
Sql injection
 
Database security
Database securityDatabase security
Database security
 
Cryptography & network security atul kahate free download
Cryptography & network security atul kahate free downloadCryptography & network security atul kahate free download
Cryptography & network security atul kahate free download
 
Deadlock dbms
Deadlock dbmsDeadlock dbms
Deadlock dbms
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
 

Viewers also liked

Operating system security
Operating system securityOperating system security
Operating system securitySarmad Makhdoom
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating systemAbou Bakr Ashraf
 
Operating system security
Operating system securityOperating system security
Operating system securityRachel Jeewa
 
System protection in Operating System
System protection in Operating SystemSystem protection in Operating System
System protection in Operating Systemsohaildanish
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 
Privacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposurePrivacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposureredpel dot com
 
COMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMCOMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMfaraz hussain
 
Operating System Security
Operating System SecurityOperating System Security
Operating System SecurityRamesh Upadhaya
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security PresentationAllan Pratt MBA
 
Security System Design for an Intelligent Building
Security System Design for an Intelligent BuildingSecurity System Design for an Intelligent Building
Security System Design for an Intelligent BuildingKyle Zheng
 
System Analysis Desing: Innovation
System Analysis Desing: Innovation System Analysis Desing: Innovation
System Analysis Desing: Innovation Subhrapratim Bairagi
 
Analysis & Design of Business System - 6
Analysis & Design of Business System - 6Analysis & Design of Business System - 6
Analysis & Design of Business System - 6Jitendra Tomar
 

Viewers also liked (20)

System security
System securitySystem security
System security
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating system
 
Operating system security
Operating system securityOperating system security
Operating system security
 
System protection in Operating System
System protection in Operating SystemSystem protection in Operating System
System protection in Operating System
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Network security
Network securityNetwork security
Network security
 
Chapter 14 - Protection
Chapter 14 - ProtectionChapter 14 - Protection
Chapter 14 - Protection
 
PPT FOR SECURITY
PPT FOR SECURITYPPT FOR SECURITY
PPT FOR SECURITY
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
Privacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposurePrivacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposure
 
COMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMCOMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEM
 
Operating System Security
Operating System SecurityOperating System Security
Operating System Security
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security Presentation
 
Web Security
Web SecurityWeb Security
Web Security
 
Security System Design for an Intelligent Building
Security System Design for an Intelligent BuildingSecurity System Design for an Intelligent Building
Security System Design for an Intelligent Building
 
System Analysis Desing: Innovation
System Analysis Desing: Innovation System Analysis Desing: Innovation
System Analysis Desing: Innovation
 
Analysis & Design of Business System - 6
Analysis & Design of Business System - 6Analysis & Design of Business System - 6
Analysis & Design of Business System - 6
 
P2 Project
P2 ProjectP2 Project
P2 Project
 

Similar to System security

INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYNishant Pawar
 
Threats of Database in ECommerce
Threats of Database in ECommerceThreats of Database in ECommerce
Threats of Database in ECommerceMentalist Akram
 
Week-09-10-11-12 Fundamentals of Cybersecurity.pptx
Week-09-10-11-12 Fundamentals of Cybersecurity.pptxWeek-09-10-11-12 Fundamentals of Cybersecurity.pptx
Week-09-10-11-12 Fundamentals of Cybersecurity.pptxyasirkhokhar7
 
MobileDBSecurity.pptx
MobileDBSecurity.pptxMobileDBSecurity.pptx
MobileDBSecurity.pptxmissionsk81
 
Database Security And Authentication
Database Security And AuthenticationDatabase Security And Authentication
Database Security And AuthenticationSudeb Das
 
Unit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxUnit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxSakshiGawde6
 
Database Security, Threats & Countermeasures.pptx
Database Security, Threats & Countermeasures.pptxDatabase Security, Threats & Countermeasures.pptx
Database Security, Threats & Countermeasures.pptxSaqibAhmedKhan4
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
Database security in database management.pptx
Database security in database management.pptxDatabase security in database management.pptx
Database security in database management.pptxFarhanaMariyam1
 
Data security and Integrity
Data security and IntegrityData security and Integrity
Data security and IntegrityZaid Shabbir
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxsiti829412
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securityNicholas Davis
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
PACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and TechniquesPACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and TechniquesPace IT at Edmonds Community College
 

Similar to System security (20)

INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITY
 
Threats
ThreatsThreats
Threats
 
Threats of Database in ECommerce
Threats of Database in ECommerceThreats of Database in ECommerce
Threats of Database in ECommerce
 
Week-09-10-11-12 Fundamentals of Cybersecurity.pptx
Week-09-10-11-12 Fundamentals of Cybersecurity.pptxWeek-09-10-11-12 Fundamentals of Cybersecurity.pptx
Week-09-10-11-12 Fundamentals of Cybersecurity.pptx
 
MobileDBSecurity.pptx
MobileDBSecurity.pptxMobileDBSecurity.pptx
MobileDBSecurity.pptx
 
Database Security And Authentication
Database Security And AuthenticationDatabase Security And Authentication
Database Security And Authentication
 
Unit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxUnit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptx
 
Database Security, Threats & Countermeasures.pptx
Database Security, Threats & Countermeasures.pptxDatabase Security, Threats & Countermeasures.pptx
Database Security, Threats & Countermeasures.pptx
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Security Design Principles.ppt
 Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
 
Database security in database management.pptx
Database security in database management.pptxDatabase security in database management.pptx
Database security in database management.pptx
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Data security and Integrity
Data security and IntegrityData security and Integrity
Data security and Integrity
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
203135 Muhammad Usama.pptx
203135 Muhammad Usama.pptx203135 Muhammad Usama.pptx
203135 Muhammad Usama.pptx
 
Database security
Database securityDatabase security
Database security
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical security
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
PACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and TechniquesPACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and Techniques
 

More from ReachLocal Services India (12)

Excel ppt
Excel pptExcel ppt
Excel ppt
 
Virtual reality
Virtual realityVirtual reality
Virtual reality
 
Digital signatures
Digital signaturesDigital signatures
Digital signatures
 
Artificial intelligence
Artificial intelligenceArtificial intelligence
Artificial intelligence
 
Distributed database
Distributed databaseDistributed database
Distributed database
 
Loop invariant computation
Loop invariant computationLoop invariant computation
Loop invariant computation
 
Distributed dbms
Distributed dbmsDistributed dbms
Distributed dbms
 
Sexual harresment on women
Sexual harresment on womenSexual harresment on women
Sexual harresment on women
 
Digital signal processing
Digital signal processingDigital signal processing
Digital signal processing
 
Mobile network layer (mobile comm.)
Mobile network layer (mobile comm.)Mobile network layer (mobile comm.)
Mobile network layer (mobile comm.)
 
Regular expression (compiler)
Regular expression (compiler)Regular expression (compiler)
Regular expression (compiler)
 
Temporal data mining
Temporal data miningTemporal data mining
Temporal data mining
 

Recently uploaded

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxPooja Bhuva
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsKarakKing
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfDr Vijay Vishwakarma
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 

Recently uploaded (20)

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Application orientated numerical on hev.ppt
Levels of Data Security
• Human level: corrupt or careless users.
• Network/user interface.
• Database application program.
• Database system.
• Operating system.
• Physical level.

Physical/OS Security
• Physical level
– Traditional lock-and-key security.
– Protection from floods, fire, etc.
• E.g. WTC (9/11), fires in IITM, the WWW conference website, etc.
– Protection from administrator error
• E.g. deleting critical files.
– Solution
• Remote backup for disaster recovery.
• Plus archival backup (e.g. DVDs/tapes): an offline copy survives a mistake or an attacker that reaches the live system and its online backups.
• Operating system level
– Protection from virus/worm attacks is critical.

Security at the Database/Application Program
• Authentication and authorization mechanisms allow specific users access only to the data they require.
• Authentication: who are you? Prove it!
• Authorization: what are you allowed to do?

Database vs. Application
• The application authenticates/authorizes its end users.
• The application itself authenticates to the database
– using a database password.
(Figure: Application Program connected to Database.)

User Authentication
• Password
– Most users abuse passwords, for example:
• Easy-to-guess passwords
• Sharing passwords with others
• Smartcards
– Need the smartcard
– plus a PIN or password (two factors: something you have and something you know)

User Authentication (contd…)
• Central authentication systems allow users to be authenticated centrally
– LDAP or MS Active Directory are often used for central authentication and user management in organizations
• Single sign-on: authenticate once, and access multiple applications without fresh authentication
– Microsoft Passport, Pubcookie, etc.
– Avoids a plethora of passwords
– The password is only given to the central site, never to the individual applications.
Authorization
• Different authorizations for different users
– Accounts clerk vs.
– Accounts manager vs.
– End users

Database/Application Security
• Ensure that only authenticated users can access the system.
• And that they can access (read/update) only the data/interfaces they are authorized to access.

Limitations of SQL Authorization
• Standard SQL GRANT works at the level of tables and columns, not individual tuples
– E.g. we cannot restrict students to seeing only (the tuples storing) their own grades.
– Workarounds exist: a view whose WHERE clause refers to the current database user, or DBMS-specific row-level security (e.g. PostgreSQL row-level security policies, Oracle Virtual Private Database); neither is portable, and both need the end user to be a database user.
• Web applications are the dominant users of databases
– Application end users don't have database user ids; they are all mapped to the same database user id.
– Database access control therefore provides only very coarse application-level access control.

Access Control in the Application Layer
• Authorization in the application layer vs. the database layer
– Benefits
• Fine-grained authorizations, such as to individual tuples, can be implemented by the application.
• Authorizations based on business logic are easier to code at the application level.
– Drawbacks
• Authorization must be done in application code, and may be dispersed all over the application.
• Hard to check or modify authorizations.
• Checking for the absence of authorization loopholes becomes very difficult, since it requires reading large amounts of application code.
– Need a good via media (middle path): e.g. route every query through one data-access layer that applies the caller's scope, so the checks live in one place and can be reviewed.
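The following is an added example, not code from the slides: it shows the "via media" just described for the grades case. The application holds one shared database login (so the DBMS sees a single principal), and a single data-access function injects the authenticated user's scope into every query; the table, rows, role names and function names are all constructed for the illustration.

```python
"""Added example (not from the slides): application-layer, per-tuple
authorization on top of a single shared database login.

The web application connects to the database as ONE database user, so the
DBMS cannot tell students apart.  All reads of the grades table go through
fetch_grades(), which derives the row scope from the authenticated identity
rather than from anything the request supplies.  Table and rows are
constructed; role names are assumptions.
"""
import sqlite3

# One connection for the whole application: the DBMS sees one principal.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE grades (student_id TEXT, course TEXT, grade TEXT)")
_db.executemany(
    "INSERT INTO grades VALUES (?, ?, ?)",
    [("s1", "DB", "A"), ("s1", "OS", "B"), ("s2", "DB", "C")],  # constructed rows
)

# Application-level roles (hypothetical names).
ROLE_STUDENT = "student"
ROLE_CLERK = "accounts_clerk"


class AuthorizationError(PermissionError):
    """Raised when a caller asks for tuples outside its scope."""


def fetch_grades(user_id, role, student_id=None):
    """The only path to the grades table.

    - A student may read only their own tuples.  Asking for another
      student's rows is an authorization failure (raised, so it can be
      logged), not silently an empty result.
    - A clerk may read one student's tuples, or all of them.
    The scope always ends up as a bound parameter, never as SQL text.
    """
    if role == ROLE_STUDENT:
        if student_id not in (None, user_id):
            raise AuthorizationError(f"{user_id} may not read grades of {student_id}")
        scope = user_id
    elif role == ROLE_CLERK:
        scope = student_id
    else:
        raise AuthorizationError(f"unknown role {role!r}")

    base = "SELECT student_id, course, grade FROM grades"
    if scope is None:
        rows = _db.execute(base + " ORDER BY student_id, course")
    else:
        rows = _db.execute(
            base + " WHERE student_id = ? ORDER BY student_id, course", (scope,)
        )
    return rows.fetchall()


if __name__ == "__main__":
    print(fetch_grades("s1", ROLE_STUDENT))          # only s1's rows
    print(fetch_grades("clerk7", ROLE_CLERK))         # every row
    try:
        fetch_grades("s1", ROLE_STUDENT, student_id="s2")
    except AuthorizationError as exc:
        print("denied:", exc)
```

Because every caller must go through `fetch_grades`, auditing the tuple-level policy means reading this one function rather than every page in the application, which is exactly the drawback the slide warns about.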
Privacy
• Aggregate information derived from private data can be very valuable
– E.g. identification of epidemics, mining for patterns (e.g. disease causes), etc.
• Privacy-preserving data release
– E.g. in the US, many organizations released "anonymized" medical data with names removed, but ZIP code (= PIN code), sex and date of birth retained.
• It turns out that (ZIP code, sex, date of birth) together uniquely identify most people!
– Correlate the anonymized data with (say) electoral rolls that carry the same three fields, and the names come back.

Privacy (contd…)
• Recent problems at America Online
– Released search histories, apparently anonymized, but users could be easily identified in several cases.
– Several top officials were fired.
• An earlier release revealed the medical history of the Massachusetts state governor.
– Not yet a criminal issue, but lawsuits have happened.
• Conflict with the Right To Information Act.
– Many issues are still to be resolved.
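The linkage attack the two privacy slides describe, as an added example that is not part of the slides: a "de-identified" medical table is joined with a public voter list on the three quasi-identifiers (ZIP, sex, date of birth), and a k-anonymity measure shows why generalizing those fields before release helps. Both tables, all names and all diagnoses are constructed for the illustration.

```python
"""Added example (not from the slides): re-identification by linking on
quasi-identifiers, plus the k-anonymity check a releasing organization
should run first.  All records below are constructed.
"""
from collections import defaultdict

QUASI_IDS = ("zip", "sex", "dob")

# "Anonymized" release: names removed, quasi-identifiers kept.
medical = [
    {"zip": "02138", "sex": "M", "dob": "1945-07-31", "diagnosis": "hypertension"},
    {"zip": "02138", "sex": "F", "dob": "1960-03-12", "diagnosis": "asthma"},
    {"zip": "02139", "sex": "F", "dob": "1960-03-12", "diagnosis": "diabetes"},
    {"zip": "02140", "sex": "M", "dob": "1945-01-15", "diagnosis": "flu"},
]

# Public voter list: names present, same quasi-identifiers.  D and E share
# all three fields, so that one record cannot be pinned to a single voter.
voters = [
    {"name": "A. Example", "zip": "02138", "sex": "M", "dob": "1945-07-31"},
    {"name": "B. Example", "zip": "02138", "sex": "F", "dob": "1960-03-12"},
    {"name": "C. Example", "zip": "02139", "sex": "F", "dob": "1960-03-12"},
    {"name": "D. Example", "zip": "02140", "sex": "M", "dob": "1945-01-15"},
    {"name": "E. Example", "zip": "02140", "sex": "M", "dob": "1945-01-15"},
]


def key(rec):
    """The join key: the tuple of quasi-identifier values."""
    return tuple(rec[f] for f in QUASI_IDS)


def reidentify(released, public):
    """Join released records to public ones on the quasi-identifiers.

    Returns a list of (diagnosis, [matching names]).  A record is
    re-identified when exactly one public name matches.
    """
    index = defaultdict(list)
    for v in public:
        index[key(v)].append(v["name"])
    return [(rec["diagnosis"], index.get(key(rec), [])) for rec in released]


def k_anonymity(released):
    """Size of the smallest group sharing one quasi-identifier tuple.

    k == 1 means at least one record is unique on those fields and is
    exposed to exactly the linkage above.
    """
    counts = defaultdict(int)
    for rec in released:
        counts[key(rec)] += 1
    return min(counts.values())


def generalize(released, zip_digits=3, dob_digits=4):
    """Coarsen the quasi-identifiers (ZIP prefix, year of birth only).

    This is the standard remedy: trade precision for larger groups, i.e.
    a larger k, before the data leaves the organization.
    """
    out = []
    for rec in released:
        g = dict(rec)
        g["zip"] = rec["zip"][:zip_digits]
        g["dob"] = rec["dob"][:dob_digits]
        out.append(g)
    return out


if __name__ == "__main__":
    for diagnosis, names in reidentify(medical, voters):
        print(f"{diagnosis:13s} -> {names}")
    print("k before generalization:", k_anonymity(medical))
    print("k after  generalization:", k_anonymity(generalize(medical)))
```

With the constructed data three of the four "anonymous" records map to exactly one voter; only the record whose quasi-identifiers are shared by two voters survives. Generalizing ZIP to its first three digits and the date of birth to a year raises k from 1 to 2, at the cost of coarser statistics.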
Application Security
• Applications are often the biggest source of insecurity
– Poor coding of the application may allow unauthorized access.
– Application code may be very big; it is easy to make mistakes and leave security holes.
– Very large attack surface.
• A custom application is used in fewer places than a DBMS or an operating system
– Some "security by obscurity", since attackers have not studied the code; this is not a defense.
– Lots of holes due to poor/hasty programming.

OWASP Top 10 Web Security Vulnerabilities (2004 edition)
1. Unvalidated input.
2. Broken access control.
3. Broken account/session management.
4. Cross-site scripting (XSS) flaws.
5. Buffer overflows.
6. (SQL) Injection flaws.
7. Improper error handling.
8. Insecure storage.
9. Denial of service.
10. Insecure configuration management.
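Item 6 of the list above, SQL injection, as an added example that is not code from the slides: the same user lookup written with string concatenation and with a bound parameter, run against a constructed users table. The two attacker inputs are the classic tautology and a UNION that pulls the password hashes out through the same query; the table, column names and hash values are all constructed.

```python
"""Added example (not from the slides): SQL injection, vulnerable query
beside its parameterized form.  Users table and hashes are constructed.
"""
import sqlite3

_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
_db.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [("alice", "h1", 1), ("bob", "h2", 0)],  # constructed rows
)


def find_user_vulnerable(username):
    """String concatenation: the input becomes part of the SQL grammar.

    A quote in the input closes the literal and the rest of the input is
    executed as SQL.  Validating the input (item 1 of the list) narrows
    the problem but does not remove it.
    """
    sql = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return _db.execute(sql).fetchall()


def find_user_safe(username):
    """Bound parameter: the input is always data, never SQL.

    The driver sends the statement and the value separately, so a quote
    in the value is just a character to compare against.
    """
    return _db.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"
# Column count must match the original SELECT (two columns here).
UNION_ATTACK = "x' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    print("safe, normal:", find_user_safe("alice"))
    print("vuln, tautology:", find_user_vulnerable(TAUTOLOGY))   # every user
    print("vuln, union:", find_user_vulnerable(UNION_ATTACK))    # hashes leak
    print("safe, tautology:", find_user_safe(TAUTOLOGY))         # no rows
    print("safe, union:", find_user_safe(UNION_ATTACK))          # no rows
```

The UNION variant is the point practitioners most often miss: injection is not only an authentication bypass, it turns any query into a read of any table the application's database user can see, which on the shared-login model described earlier means the whole schema. The fix is parameterization everywhere, with input validation as a second layer, not a substitute.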
Passwords in Scripts
• E.g.: file1.jsp (or .java or another source file) located in a publicly accessible area of the web server
– The intruder looks for http://<urlpath>/file1.jsp~
• or a .jsp.swp editor swap file, etc., which the server returns as plain text instead of executing
– If the jsp has the database user id/password in clear text, big trouble
• Happened at IITB
• Morals
– Never store scripts (java/jsp) in an area accessible over HTTP
– Never store passwords in scripts; keep them in config files
– Never store config files in any web-accessible area
– Restrict database access to only trusted clients
• At the port level (firewall rules), or using database-provided functionality (e.g. host-based access rules)
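A check for the leak just described, added here as an example and not part of the slides: it walks a web root looking for editor backup and swap copies of source files (file1.jsp~, .file1.jsp.swp, .bak, .orig) that a web server would hand out as text, and for clear-text credential assignments in anything under that root. The suffix list, the credential pattern and the sample tree it builds are all constructed assumptions; real swap files are binary, but the grep still finds literal strings inside them.

```python
"""Added example (not from the slides): scan a web root for editor backup
copies of source files and for clear-text credentials.  Suffix list,
regex and the sample tree are constructed for the illustration.
"""
import os
import re
import tempfile

# Common editor leftovers (assumption: extend for your editors).
BACKUP_SUFFIXES = ("~", ".swp", ".swo", ".bak", ".orig", ".old")
# Source types a web server executes rather than serves as text.
SOURCE_EXTS = (".jsp", ".java", ".php", ".py", ".asp", ".aspx")
# Rough clear-text credential assignment: password/passwd/pwd = "literal".
CRED_RE = re.compile(r"""(?i)(password|passwd|pwd)\s*[=:]\s*["'][^"']+["']""")


def is_backup_copy(name):
    """True for file1.jsp~, .file1.jsp.swp, file1.jsp.bak and the like.

    Strips vim's leading dot and one backup suffix, then asks whether what
    remains is a source file the server would otherwise execute.
    """
    stripped = name.lstrip(".")
    for suffix in BACKUP_SUFFIXES:
        if stripped.endswith(suffix):
            original = stripped[: -len(suffix)]
            return original.endswith(SOURCE_EXTS)
    return False


def scan_web_root(root):
    """Return a sorted list of (path relative to root, finding)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if is_backup_copy(name):
                findings.append((rel, "editor backup/swap copy of source, served as text"))
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if CRED_RE.search(text):
                findings.append((rel, "clear-text credential in web-accessible file"))
    return sorted(findings)


def build_sample_tree():
    """Constructed web root reproducing the slide's scenario."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "app"))
    files = {
        # The live page reads its secret from config (hypothetical helper).
        "app/file1.jsp": '<%@ page %>\n<% String p = getConfig("db.password"); %>',
        # Leftover editor backup from before that fix, with the literal.
        "app/file1.jsp~": '<% String dbPassword = "s3cret"; %>',
        # Swap file with the same literal.
        "app/.file1.jsp.swp": "password = 's3cret'",
        "index.html": "<html>hello</html>",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, finding in scan_web_root(build_sample_tree()):
        print(f"{rel}: {finding}")
```

Run it against the real document root of each web server as part of deployment, and treat any hit as a credential rotation, not just a file deletion: the copy may already have been fetched.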
Summary
• Data security is critical.
• It requires security at different levels.
• Several technical solutions exist.
• But human training is essential.