DATABASE Security

Lillian Nasharitah
Free Powerpoint Templates
Page 1
What is Database?
A structured set of data held in a computer, esp. one that is
accessible in various ways.

Page 2
What is inside Database?

Page 3
Database Schema
A database schema of a database system is its structure
described in a formal language supported by the database
management system (DBMS) and refers to the organization
of data to create a blueprint of how a database will be
constructed (divided into database tables).

Page 4
Concepts of Database Security

Page 5
Confidentiality
Confidentiality can be enforced by encrypting the data
stored in the database.

Encryption is a technique or process by which data is
encoded in such a way that only authorized users are able to
read the data.

In other words, encryption means rendering sensitive data
unreadable to unauthorized users.

Page 6
Integrity
Integrity can be enforced by setting User Access Controls
(UAC) that define which users are to be given which
permissions in the database.

For example, data related to employee information is
stored in a database.

An employee may have permission to view the records
and alter only part of the information, such as his contact
details, whereas a person in the human resources department
will have more privileges.

Page 7
How to ensure integrity of the database?
Once the database is installed, the password has to be
changed. Similarly, periodic checks have to be conducted to
ensure the password has not been compromised.

User accounts that are not in use have to be locked. If one
is sure that these user accounts will never be used again,
then the best step is to remove such user accounts.

Policies to set strong passwords have to be enforced. A
good idea is to have a policy of changing the passwords
once a month.

Page 8
How to ensure integrity of the database?
Check the roles each user has and set the rules
accordingly. You must ensure that users are given
permissions only for what they are allowed to do. I know this is
a time-consuming job when the database is huge, but once
the permissions are set the right way, it is easy to detect
unauthorized entry or access.

Does your company have multiple database
administrators? If yes, segregate the duties among these
database administrators.

Page 9
Availability
To ensure availability, the following steps have to be taken:

Restrict the amount of storage space given to each user in
the database.

Limit the number of concurrent sessions made available to
each database user.

Back up the data at periodic intervals to ensure data
recovery in case of application issues.
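The three availability steps on this slide, worked through as an added example that is not part of the slides: a backup taken with SQLite's online backup API and verified before it is trusted, a restore after a simulated application bug, and an application-side quota object that caps storage and concurrent sessions per user. The table, the rows and the quota limits are constructed for the demonstration; only Python's standard library is used.

```python
# Added example: periodic backup with verification, plus per-user quota checks.
# Not from the slides; uses only Python's sqlite3 module, on in-memory databases.
import sqlite3
from typing import Dict, Tuple

# --- Availability step 3: back up the data and prove the copy is usable ----------

def make_source_db() -> sqlite3.Connection:
    """Constructed production database with a handful of rows."""
    src = sqlite3.connect(":memory:")
    src.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    src.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                    [("alice", 100), ("bob", 250), ("carol", 40)])
    src.commit()
    return src


def backup_and_verify(src: sqlite3.Connection) -> Tuple[sqlite3.Connection, bool]:
    """Copy src with SQLite's online backup API and check the copy is consistent.

    A backup that is never tested is not a backup: we run PRAGMA integrity_check
    on the copy and compare row counts before calling it good.
    """
    dest = sqlite3.connect(":memory:")
    src.backup(dest)                       # consistent snapshot, even while src is in use
    status = dest.execute("PRAGMA integrity_check").fetchone()[0]
    src_rows = src.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
    dest_rows = dest.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
    return dest, (status == "ok" and src_rows == dest_rows)


def restore_after_data_loss(src: sqlite3.Connection, backup: sqlite3.Connection) -> int:
    """Simulate an application bug that wipes the table, then restore from the backup."""
    src.execute("DELETE FROM accounts")
    src.commit()
    backup.backup(src)                     # copy the verified backup back over src
    return src.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]


# --- Availability steps 1 and 2: per-user quotas the application enforces ---------

class UserQuota:
    """Track storage bytes and open sessions per user against fixed limits (assumed)."""

    def __init__(self, max_bytes: int, max_sessions: int) -> None:
        self.max_bytes = max_bytes
        self.max_sessions = max_sessions
        self.used_bytes: Dict[str, int] = {}
        self.sessions: Dict[str, int] = {}

    def open_session(self, user: str) -> bool:
        """Admit a new session only while the user is under the concurrency limit."""
        if self.sessions.get(user, 0) >= self.max_sessions:
            return False
        self.sessions[user] = self.sessions.get(user, 0) + 1
        return True

    def close_session(self, user: str) -> None:
        self.sessions[user] = max(0, self.sessions.get(user, 0) - 1)

    def reserve_storage(self, user: str, nbytes: int) -> bool:
        """Refuse a write that would push the user past their storage allowance."""
        if self.used_bytes.get(user, 0) + nbytes > self.max_bytes:
            return False
        self.used_bytes[user] = self.used_bytes.get(user, 0) + nbytes
        return True


if __name__ == "__main__":
    db = make_source_db()
    copy, healthy = backup_and_verify(db)
    print("backup verified:", healthy)
    print("rows after restore:", restore_after_data_loss(db, copy))
```

In a real deployment the storage and session limits are usually set in the DBMS itself (per-user quotas and connection limits) rather than in application code; the class above shows the policy the slide describes in a form that can be run and tested offline.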

Page 10
Availability
Databases should be secured against security
vulnerabilities.

Page 11
Threats to Database Security?

Page 12
Threats to Database Security
1. Privilege abuse
When database users are provided with privileges that exceed their day-to-day
job requirements, these privileges may be abused intentionally or unintentionally.
Take, for instance, a database administrator in a financial institution. What will
happen if he turns off audit trails or creates bogus accounts? He will be able to
transfer money from one account to another, thereby abusing the excessive
privilege intentionally.
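Both the advice on slide 9 (check the roles each user has, segregate duties among administrators) and the privilege-abuse threat above come down to one check: compare what is actually granted with what each role needs. The following is an added example, not code from the slides, that runs that check over a constructed snapshot of grants. The role names, the privilege notation ("ACTION:object") and the segregation-of-duties rule are assumptions made for the demonstration.

```python
# Added example: audit actual database grants against a per-role baseline.
# Not code from the slides; the roles, privilege names and grants are constructed.
from typing import Dict, List, Set, Tuple

# Baseline: the privileges each job role needs for its day-to-day work (assumed).
# Privilege strings are "ACTION:object"; "*" stands for every table.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "employee":  {"SELECT:employees", "UPDATE:employees.contact"},
    "hr":        {"SELECT:employees", "UPDATE:employees", "INSERT:employees"},
    "dba_data":  {"SELECT:*", "UPDATE:*", "INSERT:*", "DELETE:*"},
    "dba_audit": {"SELECT:audit_log", "ALTER:audit_log"},
}

# Role pairs one person must never hold together (segregation of duties, assumed).
SEPARATION_OF_DUTIES: List[Tuple[str, str]] = [
    ("dba_data", "dba_audit"),  # whoever changes data must not control the audit trail
]

# Constructed snapshot of what is actually granted: (user, role, privilege).
GRANTS: List[Tuple[str, str, str]] = [
    ("alice", "employee",  "SELECT:employees"),
    ("alice", "employee",  "UPDATE:employees.contact"),
    ("bob",   "employee",  "SELECT:employees"),
    ("bob",   "employee",  "DELETE:*"),          # far beyond what an employee needs
    ("carol", "hr",        "UPDATE:employees"),
    ("dave",  "dba_data",  "DELETE:*"),
    ("dave",  "dba_audit", "ALTER:audit_log"),   # same DBA also owns the audit log
]


def find_excess_privileges(grants: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each user to the privileges that their role's baseline does not cover.

    A role unknown to the baseline is treated as needing nothing, so every
    privilege granted under it is reported.
    """
    excess: Dict[str, List[str]] = {}
    for user, role, privilege in grants:
        if privilege not in ROLE_BASELINE.get(role, set()):
            excess.setdefault(user, []).append(privilege)
    return {user: sorted(privs) for user, privs in excess.items()}


def find_sod_conflicts(grants: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every user holding a conflicting role pair."""
    roles_by_user: Dict[str, Set[str]] = {}
    for user, role, _ in grants:
        roles_by_user.setdefault(user, set()).add(role)
    conflicts = []
    for user, roles in sorted(roles_by_user.items()):
        for role_a, role_b in SEPARATION_OF_DUTIES:
            if role_a in roles and role_b in roles:
                conflicts.append((user, role_a, role_b))
    return conflicts


if __name__ == "__main__":
    for user, privs in find_excess_privileges(GRANTS).items():
        print(f"excess privilege: {user} -> {', '.join(privs)}")
    for user, a, b in find_sod_conflicts(GRANTS):
        print(f"segregation-of-duties conflict: {user} holds both {a} and {b}")
```

In practice the GRANTS list would be filled from the DBMS's own catalogue (for example the privilege views most databases expose) and the check run on a schedule, so that a grant that drifts beyond its role baseline is noticed before it is abused.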

2. Operating System Vulnerabilities
Vulnerabilities in underlying operating systems like Windows, UNIX, Linux, etc.,
and the services that are related to the databases could lead to unauthorized
access. This may lead to a Denial of Service (DoS) attack. This could be
prevented by applying operating system security patches as and when
they become available.

Page 13
Threats to Database Security
3. Database Rootkits
A database rootkit is a program or a procedure that is hidden inside the database
and that provides administrator-level privileges to gain access to the data in the
database. These rootkits may even turn off alerts triggered by Intrusion Prevention
Systems (IPS).

4. Weak Authentication
Weak authentication models allow attackers to employ strategies such as social
engineering and brute force to obtain database login credentials and assume the
identity of legitimate database users.

Page 14
Threats to Database Security
5. Weak Audit Trails
A weak audit logging mechanism in a database server represents a critical risk to
an organization especially in retail, financial, healthcare, and other industries with
stringent regulatory compliance. Regulations such as PCI, SOX, and HIPAA
demand extensive logging of actions to reproduce an event at a later point of time
in case of an incident. Logging of sensitive or unusual transactions happening in a
database must be done in an automated manner for resolving incidents. Audit
trails act as the last line of database defense. Audit trails can detect the existence
of a violation that could help trace back the violation to a particular point of time
and a particular user.
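An audit trail of the kind this slide describes, as an added example that is not part of the slides: database triggers append every balance change and deletion to an audit table together with the acting user, and a query pulls out the unusual transactions so an incident can be traced back to a point in time and a user. Because SQLite has no session variables, the acting user is recorded in a one-row helper table before each change; that convention, the schema and the sample transactions are all constructed for the demonstration.

```python
# Added example: an audit trail maintained by database triggers, plus a query
# that pulls out the unusual transactions. Not from the slides; SQLite in-memory.
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);

-- Append-only log of who changed which balance, when, from what to what.
CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY,
    at          TEXT    NOT NULL DEFAULT (datetime('now')),
    actor       TEXT    NOT NULL,
    action      TEXT    NOT NULL,
    account_id  INTEGER NOT NULL,
    old_balance INTEGER,
    new_balance INTEGER
);

-- SQLite has no session variables, so the application records the acting
-- user in a one-row table before it changes anything (constructed convention).
CREATE TABLE session_ctx (actor TEXT NOT NULL);

CREATE TRIGGER audit_balance_update AFTER UPDATE OF balance ON accounts
BEGIN
    INSERT INTO audit_log (actor, action, account_id, old_balance, new_balance)
    VALUES ((SELECT actor FROM session_ctx), 'UPDATE', OLD.id, OLD.balance, NEW.balance);
END;

CREATE TRIGGER audit_account_delete AFTER DELETE ON accounts
BEGIN
    INSERT INTO audit_log (actor, action, account_id, old_balance, new_balance)
    VALUES ((SELECT actor FROM session_ctx), 'DELETE', OLD.id, OLD.balance, NULL);
END;
"""


def open_audited_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 1000), ("bob", 1000)])
    conn.commit()
    return conn


def set_actor(conn: sqlite3.Connection, actor: str) -> None:
    conn.execute("DELETE FROM session_ctx")
    conn.execute("INSERT INTO session_ctx (actor) VALUES (?)", (actor,))


def transfer(conn: sqlite3.Connection, actor: str, src_id: int, dst_id: int, amount: int) -> None:
    """Move money between accounts; both balance updates are logged by the trigger."""
    with conn:   # one transaction: either both updates and their log rows land, or none
        set_actor(conn, actor)
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src_id))
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst_id))


def audit_rows(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]


def unusual_transactions(conn: sqlite3.Connection, threshold: int) -> List[Tuple]:
    """Deletions and balance changes larger than threshold, each attributed to an actor."""
    return conn.execute("""
        SELECT actor, action, account_id, old_balance, new_balance
        FROM audit_log
        WHERE action = 'DELETE' OR abs(new_balance - old_balance) > ?
        ORDER BY id""", (threshold,)).fetchall()


def change_without_actor_is_rejected(conn: sqlite3.Connection) -> bool:
    """With no actor recorded, the NOT NULL actor column makes the trigger refuse the change."""
    conn.execute("DELETE FROM session_ctx")
    try:
        conn.execute("UPDATE accounts SET balance = 0 WHERE id = 1")
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.commit()
    return False


if __name__ == "__main__":
    db = open_audited_db()
    transfer(db, "dave", 1, 2, 500)
    transfer(db, "alice", 1, 2, 5)
    for row in unusual_transactions(db, threshold=100):
        print("unusual:", row)
```

The NOT NULL constraint on the actor column is deliberate: a change made without an attributed user is refused rather than logged anonymously, which is exactly the gap a weak audit trail leaves open. In production the audit table should also be protected from the accounts that write to the audited tables, since an administrator who can edit the log can erase the trail.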

Page 15
Example of Database
MySQL
Oracle
PostgreSQL
Microsoft Visual Foxpro
MariaDB

Page 16
What is SQL Injection?

Page 17
What is SQL Injection?

Page 18
SQL Injection Steps

Page 19
What Should You Look For?

Page 20
What Should You Look For?

Page 21
What Should You Look For?

Page 22
SQL Injection Techniques

Page 23
How to test for SQL Injection Vulnerability?

Page 24
How does it work?

Page 25
BadLogin.aspx.cs

Page 26
Getting Output of SQL Query

Page 27
Getting Data from Database Using
ODBC Error Message

Page 28
Hacking Tools
AutoMagic SQL
Absinthe Automated SQL

Page 29
Automated SQL Injection Tool

Page 30
Absinthe Automated SQL Injection Tool

Page 31
SQL Injection in Oracle

Page 32
SQL Injection in MySQL

Page 33
SQL Injection in MySQL

Page 34
SQL Injection in MySQL

Page 35
SQL Injection Countermeasures

Page 36
SQL Injection Countermeasures

Page 37
SQL Injection Countermeasures

Page 38
SQL Injection Attack Prevention
Minimize the privileges of database connections
Disable verbose error messages
Protect the system account “sa”
Audit source codes
• Escape single quotes
• Input validation
• Reject known bad input
• Input bound checking

Page 39
SQL Injection Attack Prevention
Never trust user input
• Validate all textbox entries using validation controls,
regular expressions and code
Never use dynamic SQL
• Use parameterized SQL or stored procedures
Never connect to a database using an admin-level account
• Use a limited access account to connect to the database

Page 40
SQL Injection Attack Prevention
Do not store secrets in plain text
• Encrypt or hash passwords and other sensitive data; you
should also encrypt connection strings.
Exceptions should divulge minimal information
• Do not reveal too much information in error messages;
use custom error messages
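The prevention rules on slides 39 to 41 (never trust user input, never use dynamic SQL, do not store secrets in plain text, divulge minimal information in exceptions), worked through as an added example that is not part of the slides and is not the BadLogin.aspx.cs code shown earlier. A login built from dynamic SQL is placed next to a hardened one that validates the username, binds it as a parameter, compares a salted PBKDF2 hash in code and reports only a generic message to the caller. The users table, the accounts and the password-hash format are constructed; the plaintext password column exists only so the bad login can be run and compared.

```python
# Added example: the dynamic-SQL login the slides warn about next to a hardened
# version. Not from the slides or from BadLogin.aspx.cs; table and users constructed.
import hashlib
import hmac
import os
import re
import sqlite3
from typing import Callable, Optional

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.'-]{1,32}$")   # whitelist of what a username may look like
PBKDF2_ITERATIONS = 200_000                            # assumed work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                 PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


def make_db() -> sqlite3.Connection:
    """Constructed users table. password_plain exists only so the bad login can run;
    a real table would hold password_hash alone."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password_plain TEXT, password_hash TEXT)")
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, pw, hash_password(pw)))
    conn.commit()
    return conn


def bad_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Dynamic SQL: whatever the user typed becomes part of the statement text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password_plain = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Validate input, bind it as a parameter, and compare a salted hash in code."""
    if not USERNAME_RE.match(username):
        return False                      # reject known-bad input before touching the DB
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


def login_message(conn: sqlite3.Connection, login: Callable[..., bool],
                  username: str, password: str) -> str:
    """Callers only ever see a generic message; database errors are logged, not returned."""
    try:
        ok = login(conn, username, password)
    except sqlite3.Error as exc:
        print("server-side log:", type(exc).__name__)   # detail stays on the server
        ok = False
    return "Welcome" if ok else "Login failed"


if __name__ == "__main__":
    db = make_db()
    print("bad_login with tautology  :", bad_login(db, "alice", "' OR '1'='1"))   # True: bypassed
    print("safe_login with tautology :", safe_login(db, "alice", "' OR '1'='1"))  # False
    print("bad_login with O'Brien    :", login_message(db, bad_login, "O'Brien", "x"))
    print("safe_login with O'Brien   :", login_message(db, safe_login, "O'Brien", "x"))
```

Two things the comparison shows that the bullet points alone do not: the dynamic version fails on an ordinary name containing an apostrophe (O'Brien) as well as on a crafted one, whereas the parameterized query handles both without any escaping code; and the hardened login never compares a password inside SQL at all, so even a leaked users table yields only salted hashes.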

Page 41
SQL Injection Blocking Tool

Page 42
Acunetix Web Vulnerability Scanner

Page 43
What happened next?

Page 44
Thank You

Page 45
