CIA Triad
1) Confidentiality
1) Data-in-transit:
This refers to data moving across a network, for example sensitive data sent between
network layers or over the Internet. An attacker can obtain such data by eavesdropping on the
connection, which compromises its confidentiality. Encrypting data-in-transit prevents such
compromises.
2) Data-at-rest:
An attacker who gains access to the storage can read the data stored in the database.
Encrypting data-at-rest prevents such data leakage.
2) Integrity
Integrity can be enforced by setting user access controls (UAC) that define which permissions
each user is given in the database. For example, suppose employee information is stored in a
database. An employee may have permission to view the records and to alter only part of the
information, such as his own contact details, whereas a person in the human resources
department will have more privileges.
What steps have to be taken to ensure the integrity of the database?
1) Once the database is installed, the password has to be changed. Periodic checks also
have to be conducted to ensure the password has not been compromised.
2) User accounts that are not in use have to be locked. If it is certain that these
accounts will never be used again, the best step is to remove them.
3) Availability
Databases must not have unplanned downtime. To ensure this, the following steps have to be
taken:
1. Restrict the amount of storage space given to each user in the database.
2. Limit the number of concurrent sessions made available to each database user.
3. Back up the data at periodic intervals so that it can be recovered.
1) Privilege abuse:
When database users are given privileges that exceed their day-to-day job
requirements, these privileges may be abused intentionally or unintentionally.
Having seen how privilege can be abused intentionally, let us see how it can be
abused unintentionally. A company provides a “work from home” option to its
employees, and an employee takes a backup of sensitive data home to work on.
This not only violates the security policies of the organization but may also result in a
data security breach if the system at home is compromised.
3) Database rootkits:
4) Weak authentication:
1) Brute Force - The attacker repeatedly enters username/password
combinations until one works. The brute force process may involve
simple guesswork or systematic enumeration of all possible username/password
combinations. Often an attacker will use automated programs to accelerate the
brute force process.
2) Social Engineering - A scheme in which the attacker takes advantage of the
natural human tendency to trust in order to convince others to provide their
login credentials. For example, an attacker may present himself by phone as an
IT manager and request login credentials for “system maintenance” purposes.
3) Direct Credential Theft - An attacker may steal login credentials by
copying post-it notes, password files, etc.
7) SQL Injection:
In a SQL injection attack, a perpetrator typically inserts (or “injects”)
unauthorized database statements into a vulnerable SQL data channel. Typically targeted
data channels include stored procedures and Web application input parameters. These
injected statements are then passed to the database where they are executed. Using SQL
injection, attackers may gain unrestricted access to an entire database.
Created by Sameer Chandrakant Chimote DBMS (IT-I) Unit IV
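The following is an added example, not part of the original notes: a login query built from a Web application input parameter (the "SQL data channel" above) beside the parameterized form, run against a constructed in-memory SQLite table. The vulnerable version returns every user when the password field carries an injected condition; the parameterized version treats the same input as data and returns nothing.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the employee data in the notes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "hr"), ("bob", "hunter2", "employee")])
    return conn


def login_vulnerable(conn, username, password):
    # The statement is assembled from raw input, so input can become SQL syntax.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    # Bound placeholders keep the input as a literal value; it never alters the query.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    conn = make_db()
    injected = "' OR '1'='1"  # constructed input that closes the quote and adds a tautology
    return {
        "normal_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "injected_vulnerable": login_vulnerable(conn, "x", injected),
        "normal_parameterized": login_parameterized(conn, "bob", "hunter2"),
        "injected_parameterized": login_parameterized(conn, "x", injected),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```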
8) Denial of Service:
Denial of Service (DoS) is a general attack category in which access to network
applications or data is denied to their intended users. DoS conditions may
be created by many techniques, many of which are related to the previously mentioned
vulnerabilities. For example, DoS may be achieved by taking advantage of a database
platform vulnerability to crash a server. Other common DoS techniques include data
corruption, network flooding, and server resource overload (memory, CPU, etc.).
Resource overload is particularly common in database environments.
Cryptography:
The conversion of data into a secret code for transmission over a public
network. The original text, or "plaintext," is converted into a coded equivalent called
"ciphertext" via an encryption algorithm. The ciphertext is decoded (decrypted) at the
receiving end and turned back into plaintext.
Branches of cryptography
1. Cryptographic engineering
2. Multivariate cryptography
3. Quantum cryptography
4. Steganography
5. Visual cryptography
1) Asymmetric Cryptography
Symmetric-key cryptography
1) Block Ciphers
Block ciphers are cryptographic algorithms which operate on 64-bit blocks of
plaintext. The encryption procedure usually consists of multiple complex rounds of
bit shifts, XORs, permutations and substitutions of plaintext and key bits. Decryption is
similar to encryption except that some operations may be performed in the reverse order.
Some algorithms use fixed-length keys; for others the key length may vary.
1) DES
2) RC2
RC2 was invented by Ron Rivest for RSA Data Security, Inc. Its details
have not been published. RC2 is a variable-key-length cipher. However, when
using the Microsoft Base Cryptographic Provider, the key length is hard-coded to
40 bits.
3) Triple DES
The idea behind Triple DES is to improve the security of DES by applying
DES encryption three times using three different keys. This way the effective key
length becomes 56 x 3 = 168 bits, which makes brute-force attacks virtually
impossible. Triple DES is implemented by the Microsoft Enhanced Cryptographic
Provider.
In the two-key variation, DES encryption is still applied three times but using only
two keys: key 1 is applied first, then key 2, and then key 1 again. The effective key
length is 56 x 2 = 112 bits. Triple DES with two keys is implemented by the
Microsoft Enhanced Cryptographic Provider.
2) Stream Ciphers
Stream ciphers encrypt plaintext one bit (or sometimes one byte) at a time. The stream
of plaintext bits is XORed with the output of a keystream generator, which produces a
stream of bits based on a seed value. This seed value is the key of the stream cipher.
The decryption process is identical: the ciphertext bits are XORed with the same
keystream (which is a function of the key).
1) RC4
RC4 was developed by Ron Rivest in 1987. It is a variable-key-size
stream cipher. The details of the algorithm have not been officially published.
However, the algorithm's internals have been posted on the Internet, and the book
Applied Cryptography contains its detailed description. The algorithm is
extremely easy to describe and program.
Just like RC2, 40-bit RC4 is supported by the Microsoft Base
Cryptographic Provider, and the Enhanced Provider allows keys in the range of 40
to 128 bits in 8-bit increments.
Digital Signature
A digital signature or digital signature scheme is a mathematical scheme for
demonstrating the authenticity of a digital message or document. A valid digital signature
gives a recipient reason to believe that the message was created by a known sender, and
that it was not altered in transit. Digital signatures are commonly used for software
distribution, financial transactions, and in other cases where it is important to detect
forgery and tampering.
A digital signature scheme consists of three algorithms:
1) A key generation algorithm that selects a private key uniformly at random from a set of
possible private keys. The algorithm outputs the private key and a corresponding public
key.
2) A signing algorithm which, given a message and a private key, produces a signature.
3) A signature verifying algorithm which, given a message, a public key and a signature,
either accepts or rejects the message's claim to authenticity.
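The three algorithms above, as an added example that is not from the original notes, implemented as a Lamport one-time signature using only Python's standard library: the private key is a set of uniformly random values, the public key is their hashes, signing reveals one value per bit of the message digest, and verification checks the revealed values against the public key so that a tampered message is rejected. A Lamport private key must sign only one message, since each signature exposes half of it; the message and account values are constructed samples.

```python
import hashlib
import secrets

H = hashlib.sha256
N = 256  # one private-key pair per bit of the SHA-256 message digest


def keygen():
    # Private key: 2*N values drawn uniformly at random; public key: their hashes.
    private = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(N)]
    public = [[H(v).digest() for v in pair] for pair in private]
    return private, public


def message_bits(message: bytes):
    # The digest bits decide which half of each key pair is revealed.
    digest = int.from_bytes(H(message).digest(), "big")
    return [(digest >> (N - 1 - k)) & 1 for k in range(N)]


def sign(private, message: bytes):
    # Reveal, for each digest bit, the private value that bit selects.
    return [private[k][bit] for k, bit in enumerate(message_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    # Accept only if every revealed value hashes to the published value for its bit;
    # any change to the message flips digest bits whose values were never revealed.
    if len(signature) != N:
        return False
    return all(H(sig).digest() == public[k][bit]
               for k, (sig, bit) in enumerate(zip(signature, message_bits(message))))


def demo():
    private, public = keygen()
    message = b"transfer 100 to account 42"  # constructed sample message
    signature = sign(private, message)
    genuine = verify(public, message, signature)
    tampered = verify(public, b"transfer 900 to account 42", signature)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```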
Service Providers
1) Healthcare
2) Life Sciences
3) Government
4) Engineering
5) Human Resources
6) Insurance
Privileges
A privilege is a right to execute an SQL statement or to access another user's
object. In Oracle, there are two types of privileges: system privileges and object
privileges. A privilege can be assigned to a user or to a role.
1) System privileges
There are quite a few system privileges: in Oracle 9.2, we count 157 of them, and
10g has 173. They can be displayed with:
select name from system_privilege_map
Executing this statement, we find privileges such as create session, drop user and alter
database.
System privileges can be audited.
Arguably, the most important system privileges are:
2) Object privileges
Object privileges can be assigned to the following types of database objects:
1) Tables
select, insert, update, delete, alter, debug, flashback, on commit refresh,
query rewrite, references, all
2) Views
select, insert, update, delete, under, references, flashback, debug
3) Sequence
alter, select
4) Packages, Procedures, Functions (Java classes, sources...)
execute, debug
5) Materialized Views
delete, flashback, insert, select, update
6) Directories
read, write
7) Libraries
execute
8) User defined types
execute, debug, under
9) Operators
execute
10) Indextypes
execute
For a user to be able to access an object in another user's schema, he needs the
corresponding object privilege.
Object privileges can be displayed using all_tab_privs_made or user_tab_privs_made.
1) Grant
The SQL command grant is used to assign system privileges and object
privileges to users and roles.
2) Revoke
The SQL command revoke is used to take away system privileges and
object privileges from users and roles.