2 - T1 - Data Security Intro and DB Access Controls

Lecture 1

Introduction to data and database security
- Database security threats
- Preventive and detective security measures

Access control and data security
- Access control in relational databases
- Granularity
- Integrity Principles

Data security standards in Database Management Systems (DBMS)
- User views
- System and object privileges
- Virtual private databases (VPD)

Auditing for data security
- Database audit trail
- Operating system audit trail
- Fine Grain Audit (FGA)

Tools and techniques for data security
- Encryption
- Masking
- Password Complexity

Why database security?
- Essential asset
- All systems ultimately connected
- Last line of defense
- Offering various features (e.g. encryption, RAC, backup, etc.)


Database security threats
- Excessive privileges
- Legitimate privilege abuse
- Database injection attacks
- Malware
- Storage media exposure
- Exploitation of vulnerable databases
- Unmanaged sensitive data
- The human factor

Cause of the data breach
Ref : https://www.ibm.com/security/data-breach

Annual number of data breaches and exposed records in US 2018
Ref : https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

Cyber attack trends 2017

Threat modeling

Terminology
- Assets
  - A resource of value; may be tangible or intangible. Usually referred to as an Object.

Threat modeling

Terminology
- Threats
  - An undesired act that may occur, causing compromise or damage of an asset.
- Threat Agent
  - Something/someone that makes the threat materialize. Usually referred to as a Subject.
- Vulnerability
  - A weakness that makes an attack possible.

Threat modeling

Terminology
- Attack
  - An act of a malicious threat agent. Also known as an Exploit.
- Safeguard (Countermeasures)
  - Addresses vulnerabilities (not threats directly).
  - For example: application design, writing secure code, deploying with least privilege.
- Probability
  - The potential chance of a threat being realized by an attack on an asset.
- Impact
  - The outcome of the materialized threat.

Threat modeling

Threat agents
- Accidental Discovery
  - An ordinary user stumbles across a functional mistake in an application and gains access to privileged information/functionality.
- Curious Attacker
  - An ordinary user who notices something wrong with the application and decides to explore further.
- Insider
  - An employee/contractor within the organization.

Threat modeling

How complex are your systems?
Ref : https://www.tripwire.com/state-of-security/security-data-protection/are-you-threatening-me-a-tutorial-on-threat-modeling/

Preventive techniques
- Grant least privileges to users.
- Enforce controls to restrict and prevent DB operations.
- Ensure that security breaches are minimised or not possible.
- Check every action to detect nonconformance with the policy.

Detective techniques
- Used to identify the attack, victims, damage and attackers.
- Used to identify the footprints of an attack before it happens.
- Detection systems need to properly maintain the logs (system logs, audit logs (audit trail), access logs (AD), network logs, etc.).


Security measures
- Access control
- Inference control
- Data encryption
- Authentication
- Integrity controls
- Backups
- Application security

These security controls are used to enhance the security of data in the databases.



Access control in relational databases
- The purpose of access controls
  - Ensure that a user is only permitted to perform operations on the database for which that user is authorized.

Access controls
- Discretionary access controls (DAC)
- Mandatory access controls (MAC), i.e. multilevel security
- Role based access control (RBAC)
- Rule based access control (RuBAC)

Access controls are based on authentication
- The authentication procedure helps the access control system correctly identify the user.

Access control in relational databases
Authentication

Claim identity and verify identity

Discussion : Identity and Identity verification methods.

Methods of authentication in databases

https://oracle-base.com/articles/misc/os-authentication

Access control in relational databases
DAC

- Allows each user to control access to their own data.
- Default access mechanism for most desktop operating systems. Ex?
- Access control lists (ACLs) are the basis of DAC.
  - A list of users and groups, the objects they are permitted to access, and the level of access.
  - Ex : User A may provide read-only access on one of her files to User B, read and write access on the same file to User C and full control to any user belonging to Group 1.
- Privileges: simple read/write operations on objects.

Access control in relational databases

MAC

- MAC was defined by, and is primarily used by, the government.
- It enforces a policy-based environment for access to all resource objects.
- All access to resource objects is strictly controlled by settings on the system (initially configured and controlled by the system administrator).
- It is based on data classification and security labels associated with each data item and each user.
- Ex :
  - Top secret (TS)
  - Secret (S)
  - Confidential (C)
  - Unclassified (U)

Access control in relational databases

MAC

Bell-LaPadula – Confidentiality policy

Access control in relational databases

MAC

Bell-LaPadula – Confidentiality policy
- Only considers confidentiality (not availability and integrity).
- Subjects carry a clearance level; objects carry a classification label.
- If the clearance label matches the classification label, information can flow.
- Rules
  - Simple Security Property : you cannot read objects of higher sensitivity (cannot read up).
  - Star Property : you cannot write objects of lower sensitivity (cannot write down).
  - Strong Star Policy : you cannot read/write objects of higher/lower sensitivity (cannot read/write up/down).

Access control in relational databases
MAC

Ex?
- Oracle row-level security (VPD and OLS)
- SELinux

Access control in relational databases
MAC

Biba - ensures data integrity
- Biba was designed to address three integrity issues:
  - Prevent modification of objects by unauthorized subjects.
  - Prevent unauthorized modification of objects by authorized subjects.
  - Protect internal and external object consistency.
- Rules
  - The Simple Integrity Property : a subject cannot read an object at a lower integrity level (no read-down).
  - The * (star) Integrity Property : a subject cannot modify an object at a higher integrity level (no write-up).
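The Bell-LaPadula and Biba rules above, written out as a small reference-monitor check (an added example, not code from the lecture slides). The confidentiality ladder is the slides' U < C < S < TS; the integrity ladder and the flow_table helper are assumptions made for this example.

```python
# Added example (not from the lecture slides): reference-monitor checks for the
# Bell-LaPadula confidentiality rules and the Biba integrity rules.
# Labels are ranked by position in an ordered list: confidentiality uses the
# slides' U < C < S < TS ladder; the integrity ladder is an assumed example.
CONFIDENTIALITY = ["U", "C", "S", "TS"]        # Unclassified < ... < Top secret
INTEGRITY = ["untrusted", "user", "system"]    # assumed integrity levels, low < high

def rank(ladder, label):
    """Position of a label in its ladder; unknown labels are rejected."""
    if label not in ladder:
        raise ValueError(f"unknown label {label!r}")
    return ladder.index(label)

def blp_allows(subject_clearance, object_label, op, strong_star=False):
    """Bell-LaPadula: no read up (simple security), no write down (star).
    With strong_star=True a subject may only read/write at its own level."""
    s, o = rank(CONFIDENTIALITY, subject_clearance), rank(CONFIDENTIALITY, object_label)
    if strong_star:
        return s == o
    if op == "read":
        return s >= o          # reading down or at level is fine, reading up is not
    if op == "write":
        return s <= o          # writing up or at level is fine, writing down is not
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject_level, object_level, op):
    """Biba: no read down (simple integrity), no write up (star integrity)."""
    s, o = rank(INTEGRITY, subject_level), rank(INTEGRITY, object_level)
    if op == "read":
        return s <= o          # only read objects at least as trustworthy as yourself
    if op == "write":
        return s >= o          # only write objects no more trustworthy than yourself
    raise ValueError(f"unknown operation {op!r}")

def flow_table(check, ladder):
    """For each subject level, the object levels it may read from and write to.
    Makes the information-flow direction each model enforces visible."""
    return {s: {"read": [o for o in ladder if check(s, o, "read")],
                "write": [o for o in ladder if check(s, o, "write")]}
            for s in ladder}

if __name__ == "__main__":
    # A Secret-cleared subject may read down (U, C) but not up (TS), and may
    # write to S and TS but never leak into C or U.
    print(flow_table(blp_allows, CONFIDENTIALITY)["S"])
    # A 'system'-level subject must not read 'untrusted' data (the dirty-air analogy).
    print(flow_table(biba_allows, INTEGRITY)["system"])
```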

Access control in relational databases
MAC

Biba
Note : Consider the Biba properties.
The second property of the Biba model is pretty straightforward: a subject cannot write to an object at a higher integrity level.
What about the first property? Why can't a subject read an object at a lower integrity level?
The answer takes a little thought. Think of integrity levels as being like the purity level of air. You would not want to pump air from the smoking section into the clean room environment.

Access control in relational databases
MAC

Clark-Wilson Model
- Allows modifications only through a set of programs.
- Subjects do not have direct access to objects.
- Uses a multi-factored approach to enforce data integrity.
- It rests on two principles: well-formed transactions and separation of duties.

Access control in relational databases
MAC

Clark-Wilson Model – defines the following items and procedures to ensure data integrity
- Constrained Data Item (CDI) – any data item whose integrity is protected by the security model.
- Unconstrained Data Item (UDI) – any data item that is not controlled by the security model.
- Integrity Verification Procedure (IVP) – a procedure that scans data items and confirms their integrity.
- Transformation Procedures (TPs) – the only procedures that are allowed to modify a CDI.

Through these mechanisms, the Clark-Wilson model ensures that data is protected from unauthorized changes by any user and enforces separation of duties.

Access control in relational databases
MAC

Brewer and Nash Model (Chinese Wall model)
- Provides access control using RBAC.
- Permissions change dynamically based on a user's previous activity.
- Defines a wall to segment data types and develops a set of rules to ensure no subject can access objects on the other side of the wall.

Access control in relational databases
MAC

There are other models
- Goguen-Meseguer Model
- Sutherland Model
- Graham-Denning Model, etc.
Ref : ISC2 official study guide for CISSP

Granularity

Access controls can be imposed at various degrees of granularity in a system:
- The entire database.
- Some collection of relations.
- One relation.
- Some columns of one relation.
- Some rows of one relation.
- Some columns of some rows of one relation.

Integrity Principles

What is integrity?
- Trustworthiness of data or resources.

How is integrity managed in databases?
- By controlling improper or unauthorized change of data.

There are three main goals
- Preventing unauthorized users from making modifications.
- Preventing authorized users from making improper modifications.
- Maintaining consistency.

Integrity Principles

Well-formed transactions
- Arbitrary data manipulation is not allowed.
- They define a restricted way of manipulating data.
- They ensure data consistency by encapsulating all modifications in a single transaction.
- Transaction – a sequence of one or more SQL statements that together perform a logical unit of work.
- Transaction – a transaction is a logical, atomic unit of work that contains one or more SQL statements (Oracle docs).

Integrity Principles

Well-formed transactions
 Ex :

Integrity Principles

Well-formed transactions
- ACID properties – all transactions must obey the basic properties of transactions.
  - A – Atomicity
    - All tasks of a transaction are performed or none of them are.
  - C – Consistency
    - The transaction takes the database from one consistent state to another consistent state.
  - I – Isolation
    - The effect of a transaction is not visible to other transactions until the transaction is committed.
  - D – Durability
    - Changes made by committed transactions are permanent. After a transaction completes, the database ensures through its recovery mechanisms that changes from the transaction are not lost.

Integrity Principles

Consistency integrity
- Correctness of a state is assured by enforcing consistency constraints on the data.

Entity integrity
- Stipulates that attributes in the primary key of a relation cannot have NULL values.

Referential integrity
- Concerned with references from one entity to another.
- A foreign key is a set of attributes in one relation whose values are required to match those of the primary key of some specific relation.

Least privileges
- Provide users the least privilege needed to accomplish their tasks.
- Control visibility of information using VIEWS or query modification.

Integrity Principles

Constraints
- NOT NULL constraint
- Unique constraint
- Primary key constraint
- Foreign key constraint
- Check constraint
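The constraints listed above and the well-formed, atomic transaction described under ACID, exercised together on an in-memory SQLite database (an added example, not from the lecture slides). The customer/account schema, the e-mail addresses and the account numbers are constructed for this example.

```python
# Added example (not from the lecture slides): the integrity constraints listed
# above and a well-formed, atomic transaction, run on an in-memory SQLite database.
# The customer/account schema, e-mail addresses and account numbers are constructed.
import sqlite3

def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite only enforces FKs when enabled
    conn.executescript("""
        CREATE TABLE customer (
            cust_id INTEGER PRIMARY KEY,        -- entity integrity: PK is unique, never NULL
            email   TEXT NOT NULL UNIQUE        -- NOT NULL and UNIQUE constraints
        );
        CREATE TABLE account (
            acct_no INTEGER PRIMARY KEY,
            cust_id INTEGER NOT NULL REFERENCES customer(cust_id),  -- referential integrity
            balance INTEGER NOT NULL CHECK (balance >= 0)           -- CHECK constraint
        );
        INSERT INTO customer VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
        INSERT INTO account  VALUES (100, 1, 500), (200, 2, 50);
    """)
    return conn

def transfer(conn, src, dst, amount):
    """Well-formed transaction: credit and debit both commit, or neither does."""
    try:
        with conn:   # one transaction: COMMIT on success, ROLLBACK on exception
            conn.execute("UPDATE account SET balance = balance + ? WHERE acct_no = ?",
                         (amount, dst))
            # If this debit overdraws, the CHECK constraint raises and the credit
            # above is rolled back with it: atomicity, never a half-applied transfer.
            conn.execute("UPDATE account SET balance = balance - ? WHERE acct_no = ?",
                         (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False

def balances(conn):
    """Current balances keyed by account number."""
    return dict(conn.execute("SELECT acct_no, balance FROM account ORDER BY acct_no"))

def rejected(conn, sql, params=()):
    """True if the DBMS rejects the statement because it violates a constraint."""
    try:
        with conn:
            conn.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True
```

Run transfer(conn, 200, 100, 1000) on the constructed data and both balances stay unchanged: the credit to account 100 is undone when the debit of account 200 violates the CHECK constraint.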

Q&A