Académique Documents
Professionnel Documents
Culture Documents
Data breach:
Organization asset:
Forensic analysis:
Security regulations:
Regulatory compliance:
Data encryption:
Threat:
Regulatory compliance
HIPAA
GLBA
SOX
Passed by the U.S. Senate and the U.S. House of
Representatives with large majorities and signed into law on July
30, 2002.
Audit committee issues.
Audit committee expertise.
Enhanced review of periodic disclosures.
New oversight board for corporate governance.
Certification of financial statements.
Improper influence of conduct of audits.
Forfeiture of bonuses and profits (in some cases).
Off-balance sheet transactions.
Pro-forma financial information.
Dealings with securities analysts.
SB 1386
PCI
ISS
LFPDPPP
Como aplica?
Dnde empieza?
Que incluye el aviso de privacidad?
Como se cumple con la Ley?
Existe alguna solucin tecnolgica?
Database Components
Network Components
Core Switch
Switches
Routers
Access Points
Application Structure
Language Programming
Visual Basic
PSP
Etc.
SQL elements
Database
Tables
Store Procedures
Etc.
Database Elements
Tables
Primary Key
Foreign Key
Indexes
Unique
Multiple
Synonyms
Views
Etc.
Data Model
Entities
Associations
1-1
1-M
M-M
Normalization
Primary Key
A primary key is a column or group of (non-superfluous) columns that
insures the uniqueness of rows within a table. A primary key that
consists of more than one column is a composite primary key.
Primary keys do not imply either sequence or access path.
Primary keys are indicated by the letters PK under the appropriate
column heading (s)
Assuming that EMPLOYEE.NUMBERs are always unique:
EMPLOYEE
NUMBER
PK
EMPLOYEE
NAME
HIRE
DATE
BIRTH
DATE
SALARY
AMOUNT
Primary Key ..
Assuming that the combination
PART.NUMBER is always unique:
of
ORDER.NUMBER
and
ORDER PART
ORDER
NUMBER
PART
NUMBER
PK
ORDERED
QUANTITY
SHIPPED
QUANTITY
Primary Key ..
Primary key columns may not contain duplicate values (PK implies
ND).
By definition
Foreign Key
A foreign key is a column or group of columns that is not the whole
primary key of a table, but is based upon the same domain(s) as the
primary key of the same or; some other, table. A foreign key that
consists of more than one column is a composite foreign key.
EMPLOYEE.DEPT.CODE is a foreign key since it is not the primary
key of the EMPLOYEE table, but is based upon the same domain as
the primary key of the DEPT table.
DEPT
DEPT
CODE
PK
EMPLOYEE
DEPT
NAME
EMPLOYEE
NUMBER
PK
EMPLOYEE
NAME
DEPT
CODE
FK
Foreign Key ..
ORDER.CUSTOMER.NUMBER is a foreign key since it is not the
primary key of the ORDER table, but is based upon the same domain
as the primary key of the CUSTOMER table.
CUSTOMER
ORDER
CUSTOMER
NUMBER
CUSTOMER
NAME
PK
ORDER
NUMBER
CUSTOMER
NUMBER
PK
FK
BUILDING
NAME
DEPT
NUMBER
PK
PK
BUILDING
NUMBER
PK
MANAGER
MANAGER
NUMBER
DEPT
NAME
PROJECT
MANAGER
NAME
PROJECT
NUMBER
PK
PROJECT
NAME
MANAGER
NUMBER
Reading
tables
Given these two tables,
EMPLOYEE
DEPT
DEPT
CODE
DEPT
NAME
EMPLOYEE
NUMBER
EMPLOYEE
NAME
DEPT
CODE
PK
NN,ND
PK
NN
FK
The system is concerned with departments and employees (from the table
names).
Each department must have a department code (PK implies NN)
Each department code is unique (PK implies ND).
Department codes are not subject to change (PK implies no changes).
Every department has a department name (NN).
Every department has only one department name (each department code
appears on only one row).
No two departments have the same name (ND).
Each department may have zero, one or more employees (FK)
All employees have employee numbers (PK implies NN).
Each employee number is unique (PK implies ND).
Employee numbers cannot be modified (PK).
And so forth...
Data Model
A data model is a collection of constructs, operators and integrity rules
which together support a dynamic representation of real-world objects
and events
Constructs
Constructs are the basic building blocks of a data model.
Relational data models use a single type of construct, tables.
Operators
Operators are the means whereby the data in a data model is
maintained and retrieved. Typical relational operators are add,
change, delete, select, project, join, group, and so forth.
Integrity Rules
Integrity rules serve to maintain order and consistency in a data
model. No null, no duplicate, primary key and foreign key
constraints are examples of integrity rules
Entities
An entity is a person, place or thing, of inters to the user community,
about which the system is to maintain, correlate, and display
information
Entities are nouns
Entities are within the scope of the system.
Entities have existence in, and of, themselves and are therefore not
dependent upon, or subordinate to, something else.
Entities may be tangible (such as buildings or employees), intangible
(like departments or accounts), or semi-tangible (orders, perhaps or,
invoices).
Characteristics of entities (such as an employee's name), and other
information about entities (the total number of customers, or the average
number of orders placed in May) are not considered entities.
Associations
An association is a relationship between two or more entities (or other
associations), of interest to the user community, about which the
system is to maintain, correlate an display information.
Associations occur in three forms: one-to-one(1:1), one-to-many(1:M),
and many-to-many(M:M).
Associations typically occur between one entity and another (customers
and orders, for example, or orders and parts), but can involve any
number of entities and interrelationships (see the topic "Complex
Associations" in Section Four for a further discussion of this matter).
Associations are within the scope of the system.
Associations occur in three different forms (discussed in the following
topics).
Entity
B
B
KEY
A
KEY
PK
PK
FK, ND
A1
B1
A1
A2
B2
A3
A3
B3
A5
A4
A5
Since one
one--to
to--one associations are symmetrical,
symmetrical, either key may be
placed in the other table.
Foreign keys that model one-to-one associations should be placed to
minimize or eliminate null values.
Entity A
Entity B
B
KEY
A
KEY
PK
PK
FK
A1
B1
A1
A2
B2
A3
A3
B3
A1
B4
A1
B5
A3
Since one
one--to
to--many associations are not symmetrical,
symmetrical the A key must
be placed in the B table, and not vice versa.
Note that 1:M associations in tabular form look exactly like 1:1
associations, with the exception of the "ND" integrity constraint.
Entity A
Entity B
B
KEY
PK
BI
B2
A_B
A
KEY
PK
FK
A1
A1
A2
B
KEY
+
FK
BI
B2
B1
Atributes
An attribute is a characteristic or quality of an entity or an association,
of interest to the user community, about which the system is to
maintain, correlate and display information.
Attributes may be related to either entities (the name of a customer, for
example), or associations (say, the quantity of a particular part on a
particular order).
All columns of a table are technically attributes of that table, and
therefore are also attributes of the entity of association modeled by that
table. But it is useful to distinguish between three different "roles" that
attributes can play in table.
Attributes ..
Database Security
Concerns the use of a broad range of information security controls to
protect databases (potentially including the data, the database applications
or stored functions, the database systems, the database servers and the
associated network links) against compromises of their confidentiality,
integrity and availability.
It involves various types or categories of controls, such as technical,
procedural/administrative and physical.
Database security is a specialist topic within the broader realms of
computer security, information security and risk management.
Database Security ..
Security risks to database systems include, for example:
Unauthorized or unintended activity or misuse by authorized database users,
database administrators, or network/systems managers, or by unauthorized
users or hackers (e.g. inappropriate access to sensitive data, metadata or
functions within databases, or inappropriate changes to the database
programs, structures or security configurations);
Malware infections causing incidents such as unauthorized access, leakage
or disclosure of personal or proprietary data, deletion of or damage to the data
or programs, interruption or denial of authorized access to the database,
attacks on other systems and the unanticipated failure of database services;
Overloads, performance constraints and capacity issues resulting in the
inability of authorized users to use databases as intended;
Database Security ..
Security risks ........
Physical damage to database servers caused by computer room fires or
floods, overheating, lightning, accidental liquid spills, static discharge,
electronic breakdowns/equipment failures and obsolescence;
Design flaws and programming bugs in databases and the associated
programs and systems, creating various security vulnerabilities (e.g.
unauthorized privilege escalation), data loss/corruption, performance
degradation etc.;
Data corruption and/or loss caused by the entry of invalid data or commands,
mistakes in database or system administration processes, sabotage/criminal
damage etc.
Database Security ..
Many layers and types of information security control are appropriate to
databases, including:
Access control
Auditing
Authentication
Encryption
Integrity controls
Backups
Application security
Database architecture
Access control
Access control is the selective restriction of access to a place or other
resource. The act of accessing may mean consuming, entering, or using.
Permission to access a resource is called authorization.
Locks and login credentials are two analogous mechanisms of access control.
Auditing
Database auditing involves observing a database so as to be aware of the
actions of database users. Database administrators and consultants often set
up auditing for security purposes, for example, to ensure that those without the
permission to access information do not access it.
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or
entity. This might involve confirming the identity of a person or software
program, tracing the origins of an artifact, or ensuring that a product is what its
packaging and labeling claims to be.
Encryption
Encryption is the process of encoding messages (or information) in such a way
that eavesdroppers or hackers cannot read it, but that authorized parties can.
Integrity controls
Integrity refers to maintaining and assuring the accuracy and consistency of
data over its entire life-cycle and is an important feature of a database or
RDBMS system.
Data warehousing and business intelligence in general demand the accuracy,
validity and correctness of data despite hardware failures, software bugs or
human error.
Data that has integrity is identically maintained during any operation, such as
transfer, storage or retrieval.
All characteristics of data, including business rules, rules for how pieces of
data relate, dates, definitions and lineage must be correct for its data integrity
to be complete.
When functions operate on the data, the functions must ensure integrity.
Examples include transforming the data, storing history and storing metadata.
The most popular types of Integrity are: Entity Integrity, Referential Integrity
and Domain Integrity.
Backups
A backup, or the process of backing up, refers to the copying and archiving of
computer data so it may be used to restore the original after a data loss event.
Backups have two distinct purposes. The primary purpose is to recover data
after its loss, be it by data deletion or corruption. Data loss can be a common
experience of computer users. A 2008 survey found that 66% of respondents
had lost files on their home PC.
The secondary purpose of backups is to recover data from an earlier time,
according to a user-defined data retention policy, typically configured within a
backup application for how long copies of data are required. Though backups
popularly represent a simple form of disaster recovery, and should be part of a
disaster recovery plan, by themselves, backups should not alone be
considered disaster recovery.
One reason for this is that not all backup systems or backup applications are
able to reconstitute a computer system or other complex configurations such
as a computer cluster, active directory servers, or a database server, by
restoring only data from a backup.
Application security
Database architecture
Hierarchical architecture
Network architecture
Relational architecture
Object Oriented architecture
Chapter 5: Administracin de la
Seguridad de la Informacin
Seguridad de la Informacin
Tipos de Ataques
Prdidas en 2006
5 Pilares de la Seguridad
Autentificacin.Verificar la autenticidad de usuarios.
Identificacin.Identificar usuarios para otorgar acceso.
Privacidad.Proteger la informacin.
Integridad.Mantener la informacin en su forma original.
No repudiacin.Que nadie pueda negar que una transaccin ocurri.
Desarroll:
Estela Alvarado Daz de Len
SQL injections
When your database platform fails to sanitize inputs, attackers are able to
execute SQL injections similar to the way they do in Web-based attacks,
eventually allowing them to elevate privileges and gain access to a wide
spectrum of functionality. A lot of vendors have released fixes to prevent these
problems, but it won't do much good if your DBMS remains unpatched.
SQL Injection
Juan Carlos Torres Prez
Matricula: 1063002
Caractersticas y funciones de
base de datos innecesariamente
habilitadas
Por: Yazmany Jahaziel Guerrero Ceja.
Buffer overflows
Another hacker favorite, buffer overflow vulnerabilities, are exploited by
flooding input sources with far more characters than an application was
expecting--say, by adding 100 characters into an input box asking for a SSN.
Database vendors have worked hard to fix the glitches that allow these attacks
to occur. This is yet another reason why patching is so critical.
Privilege escalation
Similarly, databases frequently sport common vulnerabilities that allow
attackers to escalate privileges within a little known and low privilege account
and gain access to administrator rights. For example, an attacker might
misuse a function that runs under a sysdba, Rothacker explains. As these
vulnerabilities are uncovered, administrators need to reign them in with timely
updates and patching.
Denial-of-service attack
SQL Slammer provided a very illuminating illustration of how attackers can use
DBMS vulnerabilities to take down database servers through a flood of traffic.
Even more illuminating is the fact that when Slammer went down in 2003, a
patch already was out there that addressed the vulnerability it attacked. Even
seven years later, SQL Slammer is still around and picking on unpatched
servers.
Unpatched databases
This could be repetitive, but it bears repeating. So many database
administrators don't patch in a timely fashion because they're afraid a patch
will break their databases. But the risk of getting hacked today is way higher
than the risk of applying a patch that will go haywire, Rothacker says. That
might not have been true five years ago, but vendors have become much
more rigorous with their testing.