Introduction to Database Security


8/7/2019 Introduction to Database Security

http://slidepdf.com/reader/full/introduction-to-database-security 1/7

Introduction to Database Security

Database security entails allowing or disallowing user actions on the database and the objects within it. Oracle uses schemas and security domains to control access to data and to restrict the use of various database resources.

Oracle provides comprehensive discretionary access control. Discretionary access control regulates all user access to named objects through privileges. A privilege is permission to access a named object in a prescribed manner; for example, permission to query a table. Privileges are granted to users at the discretion of other users.

Database Users and Schemas

Each Oracle database has a list of user names. To access a database, a user must use a database application and attempt a connection with a valid user name of the database. Each user name has an associated password to prevent unauthorized use.

Security Domain

Each user has a security domain, a set of properties that determine such things as:

•  The actions (privileges and roles) available to the user
•  The tablespace quotas (available disk space) for the user
•  The system resource limits (for example, CPU processing time) for the user

Each property that contributes to a user's security domain is discussed in the following sections.

Privileges

A privilege is a right to run a particular type of SQL statement. Some examples of privileges include the right to:

•  Connect to the database (create a session)
•  Create a table in your schema
•  Select rows from someone else's table
•  Run someone else's stored procedure

See Also:

"Introduction to Privileges" 

Roles

Oracle provides for easy and controlled privilege management through roles. Roles are named groups of related privileges that you grant to users or other roles.

See Also:

"Introduction to Roles" for information about role properties

Storage Settings and Quotas

You can direct and limit the use of disk space allocated to the database for each user, including default and temporary tablespaces and tablespace quotas.

Default Tablespace

Each user is associated with a default tablespace. When a user creates a table, index, or cluster and no tablespace is specified to physically contain the schema object, the user's default tablespace is used if the user has the privilege to create the schema object and a quota in the specified default tablespace. The default tablespace provides Oracle with information to direct space use in situations where a schema object's location is not specified.

Temporary Tablespace

Each user has a temporary tablespace. When a user runs a SQL statement that requires the creation of temporary segments (such as the creation of an index), the user's temporary tablespace is used. By directing all users' temporary segments to a separate tablespace, the temporary tablespace can reduce I/O contention among temporary segments and other types of segments.

Tablespace Quotas

Oracle can limit the collective amount of disk space available to the objects in a schema. Quotas (space limits) can be set for each tablespace available to a user. This permits selective control over the amount of disk space that can be consumed by the objects of specific schemas.

Profiles and Resource Limits

Each user is assigned a profile that specifies limitations on several system resources available to the user, including the following:

•  Number of concurrent sessions the user can establish
•  CPU processing time available for the user's session and a single call to Oracle made by a SQL statement
•  Amount of logical I/O available for the user's session and a single call to Oracle made by a SQL statement
•  Amount of idle time available for the user's session
•  Amount of connect time available for the user's session
•  Password restrictions:
   o  Account locking after multiple unsuccessful login attempts
   o  Password expiration and grace period
   o  Password reuse and complexity restrictions
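The parts of a security domain described in the sections above (privileges granted through a role, default and temporary tablespaces, a quota, and a profile) can be written in Oracle SQL as follows. This is an added example, not part of the original document; the names jsmith, order_clerk, clerk_profile, app_data, app_temp, sales.orders and sales.close_order are hypothetical, and the tablespaces and SALES objects are assumed to exist.

```sql
-- Added example. Hypothetical names: clerk_profile, order_clerk, jsmith,
-- app_data, app_temp, sales.orders, sales.close_order.

-- Kernel resource limits in a profile are enforced only while RESOURCE_LIMIT
-- is TRUE; the password limits are enforced regardless.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Profile: sessions, CPU, logical I/O, idle/connect time, password limits.
-- CPU limits are in hundredths of a second, IDLE_TIME and CONNECT_TIME in
-- minutes, password times in days. Complexity checks are attached with
-- PASSWORD_VERIFY_FUNCTION, which needs a verification function installed
-- first, so it is left out here.
CREATE PROFILE clerk_profile LIMIT
  SESSIONS_PER_USER         2
  CPU_PER_SESSION           60000
  CPU_PER_CALL              3000
  LOGICAL_READS_PER_SESSION 1000000
  LOGICAL_READS_PER_CALL    100000
  IDLE_TIME                 30
  CONNECT_TIME              480
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1
  PASSWORD_LIFE_TIME        90
  PASSWORD_GRACE_TIME       7
  PASSWORD_REUSE_TIME       365
  PASSWORD_REUSE_MAX        10;

-- Role carrying the four kinds of privilege listed under "Privileges".
CREATE ROLE order_clerk;
GRANT CREATE SESSION TO order_clerk;
GRANT CREATE TABLE TO order_clerk;
GRANT SELECT ON sales.orders TO order_clerk;
GRANT EXECUTE ON sales.close_order TO order_clerk;

-- User with storage settings, a 50 MB quota and the profile above.
-- The password is a placeholder that must be changed at first login.
CREATE USER jsmith IDENTIFIED BY "Placeholder_Chang3_Me"
  DEFAULT TABLESPACE app_data
  TEMPORARY TABLESPACE app_temp
  QUOTA 50M ON app_data
  PROFILE clerk_profile
  PASSWORD EXPIRE;
GRANT order_clerk TO jsmith;

-- Review the resulting security domain from the data dictionary.
SELECT granted_role FROM dba_role_privs WHERE grantee = 'JSMITH';
SELECT privilege FROM dba_sys_privs WHERE grantee = 'ORDER_CLERK';
SELECT owner, table_name, privilege FROM dba_tab_privs
  WHERE grantee = 'ORDER_CLERK';
SELECT tablespace_name, max_bytes FROM dba_ts_quotas
  WHERE username = 'JSMITH';
SELECT resource_name, limit FROM dba_profiles
  WHERE profile = 'CLERK_PROFILE';
```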

Personal Computer Security Guide

Overview:

All computers and other electronic devices that connect to the campus network must comply with the established UW-Madison Security Policies. For a more complete discussion of computing security visit the DoIT Security web (http://www.cio.wisc.edu/security/).

This document is a quick reference to the primary security tools recommended for personal computers used by all UW-Madison faculty, staff and students when connecting to the campus network. At a minimum, all such computers must run the latest security-related patches and up-to-date antivirus software. See Policy on Electronic Devices (http://www.cio.wisc.edu/policies/devices.aspx) for more policy details, and Secure Your Computer (http://www.cio.wisc.edu/security/secure) for more security options. To maintain a secure computer, and do your part in keeping the UW computing environment safe, use the following security solutions available to you as a UW-Madison faculty, staff or student.

For assistance with Operating System updates, Symantec AntiVirus and other security software issues, contact the DoIT Help Desk 6am to 1am, 7 days per week, at (608) 264-HELP, [email protected], Online Help (http://helpdesk.doit.wisc.edu), or LiveChat (http://helpdesk.doit.wisc.edu).

NOTE: If you have departmental IT staff supporting your computer, consult with them before downloading or installing any of these products. Otherwise, your actions could create conflicts with protections already in place.

Operating System Updates (Windows and Mac):

Campus policy on electronic devices connected to the UW-Madison network states that you must keep all operating system software, device firmware, application software and other software current with the latest security-related patches from the vendor. Microsoft and Apple are continually checking for and discovering new vulnerabilities in their operating systems and releasing patches to keep their users secure. Either manual or auto update checking for new patches at least once a week will go a long way towards keeping your computer, and everyone else on campus, safe from attacks.

Windows operating system updates:

More details at DoIT Help Desk's Windows Update Document (http://helpdesk.doit.wisc.edu/page.php?id=2121).

Apple MacOS X operating system updates:

More details at DoIT Help Desk's Mac OS X Update Document (http://helpdesk.doit.wisc.edu/page.php?id=4551).

AntiVirus software (Windows and Mac):

Campus policy on electronic devices connected to the UW-Madison network states that you must run up-to-date antivirus software. We have a site license for Symantec AntiVirus software products. The most current versions include Symantec Endpoint Protection for Windows (SEP) and Symantec AntiVirus for Macintosh (SAV), both with free updates and virus definition updates for every UW-Madison student, faculty, and staff. Other Symantec AntiVirus products are also available on this site for older systems.

1. Download (http://www.cio.wisc.edu/security/antivirus.aspx) (high-speed Internet access highly recommended) these Symantec AntiVirus products, or pick up a free Security Starter Software CD at the DoIT Tech Store (http://techstore.doit.wisc.edu/parking.aspx?login=P).

2. Install Symantec AntiVirus following the on-screen instructions. More detailed instructions at DoIT Help Desk's SEP on Windows 7 and Windows Vista Installation Instructions (http://helpdesk.doit.wisc.edu/page.php?id=7157), SEP on Windows XP Installation Instructions (http://helpdesk.doit.wisc.edu/page.php?id=7168) or SAV on MacOSX Installation Instructions (http://helpdesk.doit.wisc.edu/page.php?id=7709).

3. For more assistance with Symantec AntiVirus, contact the DoIT Help Desk.

Firewall software options (Windows and Mac): 

Computers should be secured with software firewalls whenever possible to prevent unauthorized access from remote computers, as well as to help inhibit the spread of viruses.

1. For most typical campus network users, the Windows OS (7, Vista and XP) and MacOS X built-in firewalls are adequate. But if you don't use these operating systems or you would just like more configuration options and flexibility you may want to consider purchasing a firewall product. If you are not certain what's best for you, contact the Tech Store Showroom at (608) 265-7469 (5-SHOW) or [email protected].

2. For more assistance with configuring and troubleshooting Windows or MacOS X built-in firewalls, contact the DoIT Help Desk.

AntiSpyware software (Windows only): 

Many computer owners are unaware of another source of invasive software generally referred to as Spyware, Adware or Malware. Learn more at the DoIT Security web (http://www.cio.wisc.edu/security/secure/spyware.aspx). To protect your personal information and eliminate other adverse effects of spyware on your computer's performance, we recommend using Symantec Endpoint Protection for Windows (SEP), which includes spyware detection and remediation capabilities. If you are still experiencing spyware issues, we recommend you view our Virus and Spyware Removal Guide (http://helpdesk.doit.wisc.edu/page.php?id=6649) or contact the DoIT Help Desk.

WiscVPN software (Windows and Mac): 

WiscVPN is software that establishes an encrypted tunnel between your computer and the campus network to allow you to remotely access campus-restricted network resources when off campus. To learn more, visit the WiscVPN site (http://www.doit.wisc.edu/network/vpn/faq.asp).

1. Download (http://www.doit.wisc.edu/network/vpn/) and install WiscVPN software. For more detailed instructions, select the Directions for your operating system from the WiscVPN site (http://www.doit.wisc.edu/network/vpn/).

2. For more assistance with WiscVPN, contact the DoIT Help Desk.

Communication Security at the Application Layer 

Every layer of communication has its own unique security challenges. Application-layer communication is a very weak link in terms of security because the application layer supports many protocols, which provide many vulnerabilities and access points for attackers. All this variability makes application-layer attacks very hard to defend against. In addition, application-layer attacks are very attractive to a potential attacker because the information they seek ultimately resides within the application itself, so they can make an impact and reach their goals directly. The main categories of risks at the application level are as follows:

Web Security:

•  Balance between security and accessibility: A poorly configured Web server can punch a hole in the most carefully designed firewall system so that attackers can steal confidential information, modify systems and launch various attacks. On the other hand, a poorly configured firewall can make a Web site impossible to use.
•  Virus/Worm: To the end user, active content, such as ActiveX controls and Java applets, introduces the possibility that Web browsing will introduce viruses or other malicious software into the user's system. For network administrators, Web browsers with active content provide a pathway for malicious software to bypass the firewall system and enter the local area network.
•  Information privacy: Both end users and Web administrators need to worry about the confidentiality of the data transmitted across the Web.

EMAIL Security:

•  WebMail: If the connection to your WebMail server is "insecure" (i.e. the address is http:// and NOT https://), then all information, including your username and password, is not encrypted as it passes between the WebMail server and your computer.
•  SMTP: SMTP does not encrypt messages. Additionally, your username and password to "login" to the SMTP server are also in plain text. This information, available to all recipients, may be a privacy concern.
•  POP and IMAP: These protocols require that you send your username and password to log in, and these are not encrypted. So, your messages and credentials can be read by any eavesdropper listening to the flow of information between your personal computer and your email service provider's computer.
•  Virus/Worm: Emails are a very active carrier of viruses and worms.

Password Attack: A password attack is indicated by a series of failed logins within a short period of time. The most sophisticated password auditing tools include precomputed password tables containing trillions of password hashes that have been computed in advance of the password auditing and recovery process.
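One way to express "a series of failed logins within a short period of time" as a query, shown as an added example that is not part of the original document. The table login_events, its columns, its rows and the thresholds (5 failures in 10 minutes, 3 accounts from one host in an hour) are all constructed for illustration; Oracle SQL syntax is used.

```sql
-- Constructed sample: a hypothetical table standing in for a login audit log.
-- success: 1 = login accepted, 0 = login rejected.
CREATE TABLE login_events (
  username    VARCHAR2(30),
  client_host VARCHAR2(64),
  event_time  TIMESTAMP,
  success     NUMBER(1)
);

-- SCOTT from ws-17: six rejections inside two minutes.
INSERT INTO login_events VALUES ('SCOTT', 'ws-17', TIMESTAMP '2024-01-01 09:00:05', 0);
INSERT INTO login_events VALUES ('SCOTT', 'ws-17', TIMESTAMP '2024-01-01 09:00:20', 0);
INSERT INTO login_events VALUES ('SCOTT', 'ws-17', TIMESTAMP '2024-01-01 09:00:41', 0);
INSERT INTO login_events VALUES ('SCOTT', 'ws-17', TIMESTAMP '2024-01-01 09:01:02', 0);
INSERT INTO login_events VALUES ('SCOTT', 'ws-17', TIMESTAMP '2024-01-01 09:01:30', 0);
INSERT INTO login_events VALUES ('SCOTT', 'ws-17', TIMESTAMP '2024-01-01 09:01:55', 0);
-- HR from ws-22: two rejections hours apart, then a normal login.
INSERT INTO login_events VALUES ('HR', 'ws-22', TIMESTAMP '2024-01-01 08:15:00', 0);
INSERT INTO login_events VALUES ('HR', 'ws-22', TIMESTAMP '2024-01-01 13:40:00', 0);
INSERT INTO login_events VALUES ('HR', 'ws-22', TIMESTAMP '2024-01-01 13:40:30', 1);
-- kiosk-3: one rejection each against three different accounts.
INSERT INTO login_events VALUES ('SCOTT', 'kiosk-3', TIMESTAMP '2024-01-01 11:00:00', 0);
INSERT INTO login_events VALUES ('HR', 'kiosk-3', TIMESTAMP '2024-01-01 11:00:10', 0);
INSERT INTO login_events VALUES ('SYSTEM', 'kiosk-3', TIMESTAMP '2024-01-01 11:00:20', 0);
COMMIT;

-- Query 1: repeated guessing against one account. For every rejected login,
-- count the rejections for the same account and host in the preceding
-- 10 minutes, then report pairs that reached 5 or more.
SELECT username, client_host,
       MIN(event_time)         AS threshold_reached_at,
       MAX(failures_in_window) AS peak_failures
FROM (
  SELECT username, client_host, event_time,
         COUNT(*) OVER (
           PARTITION BY username, client_host
           ORDER BY event_time
           RANGE BETWEEN INTERVAL '10' MINUTE PRECEDING AND CURRENT ROW
         ) AS failures_in_window
  FROM login_events
  WHERE success = 0
)
WHERE failures_in_window >= 5
GROUP BY username, client_host;

-- Query 2: one host failing against many accounts in the same hour, which
-- per-account counting (and per-account lockout) does not surface.
SELECT client_host,
       TRUNC(CAST(event_time AS DATE), 'HH24') AS hour_bucket,
       COUNT(DISTINCT username)                AS accounts_tried
FROM login_events
WHERE success = 0
GROUP BY client_host, TRUNC(CAST(event_time AS DATE), 'HH24')
HAVING COUNT(DISTINCT username) >= 3;
```

With the constructed rows, the first query reports only SCOTT on ws-17 and the second only kiosk-3; the two widely spaced HR failures trigger neither.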

Information sniffing: Because most network applications distribute network packets in clear text, a packet sniffer can provide its user with meaningful and often sensitive information, such as user account names and passwords. A packet sniffer can provide an attacker with information that is queried from the database, as well as the user account names and passwords used to access the database. This causes serious information privacy problems and provides tools for crimes.

DNS Attack: Also called DNS spoofing or DNS cache poisoning, these attacks aim to redirect users to potentially malicious web servers by changing the records used to convert domain names to numerical addresses. Online fraudsters use this as another way to install aggressive advertising software, or adware, on victims' computers and to redirect people to pay-per-click Web sites. The domain name system protocol is inherently vulnerable to this style of attack due to the weakness of 16-bit transaction IDs.

Instant Message Security: The top 5 security risks for IM are: viruses and worms over IM, identity theft/authentication spoofing, firewall tunneling, data security leaks and spim (instant messaging spam).

SNMP Attack: Most network devices support the Simple Network Management Protocol (SNMP) for network monitoring purposes. Attackers can gain access to the MIBs of SNMP agents, which can result in the network being mapped, and traffic can be monitored and redirected. The best defense against this attack is upgrading to SNMPv3, which encrypts passwords and messages.

Operating System Risks: All operating systems are not secure, especially Windows OS and Unix systems. The subject requires additional articles (if not books) to address.

Other Applications (FTP and TELNET): Some old versions of network applications such as Passive FTP and TELNET are likely to have security holes. The newer versions of products should implement the latest security patches.

Like most network security problems, there is no silver-bullet solution that fixes these problems; however, many technologies and solutions are available to mitigate the above security problems and to monitor the network to reduce the damage if an attack happens. To mitigate application-layer security problems, many technologies have been developed at various levels of communication. The main technologies are as follows:

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a specification for securing electronic mail. S/MIME, which is based on the popular MIME standard, describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. These security services are authentication, nonrepudiation, message integrity, and message confidentiality.

Pretty Good Privacy (PGP) intentionally uses existing cryptographic algorithms (RSA, IDEA, MD5) rather than inventing new ones. PGP supports secrecy, digital signatures, key management, and data compression.

Secure HTTP (S-HTTP) is a superset of HTTP, which allows web traffic to be encapsulated in various ways. S-HTTP provides a wide variety of mechanisms for confidentiality, authentication, and integrity. Separation of policy from mechanism was an explicit goal. The S-HTTP based system is not tied to any particular cryptographic system, key infrastructure, or cryptographic format.

Public Key Infrastructure (PKI): PKI provides an integrated solution with digital certificates, public-key cryptography, and certificate authorities that enables enterprises to protect the security of their communications and business transactions on the Internet. A typical network PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrollment software; integration with corporate certificate directories; tools for managing, renewing, and revoking certificates; and related services and support.

Anti-virus systems: Many products operate at the client or the server level to capture and kill viruses from different sources, including HTTP (web) traffic, email and messenger services.

There are many lower-layer technologies that support application-layer security. The following are a few examples:

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols which provide secure communications on the Internet. TLS is the successor of SSL. TLS/SSL runs on layers beneath application protocols such as HTTP, SMTP and NNTP and above the TCP transport protocol. While TLS/SSL can add security to any protocol that uses TCP, it is most commonly used with HTTP to form HTTPS, which serves to secure World Wide Web pages for e-commerce.

IPsec: IPsec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services.

Firewall: Well-designed firewall products block unwanted visitors and malicious traffic.

The following are the top threats from the latest (March 2005) Symantec Internet Security threat report: