Introduction To Database Security and Operating System Security-Hasan Afyouni


PART ONE

CHAPTER 1

Security Architecture

LEARNING OBJECTIVES:
Upon completion of this material, you should be able to:

• Define security
• Describe an information system and its components
• Define database management system functionalities
• Outline the concept of information security
• Identify the major components of information security architecture
• Define database security
• List types of information assets and their values
• Describe security methods

Introduction
A quick look at security statistics reveals that security violations and attacks are increasing globally at an annual average rate of 20%. Statistics show that virus alerts, e-mail spamming, identity theft, data theft, and other types of security breaches are also on the rise. Rising at a faster rate are the related costs for preventive and protective measures. In response to this situation, organizations are focusing more heavily on the security of their information. This book places you in the role of a database administrator who is responding to this increasing focus on security by strengthening the security of your organization's database. The first part of this book deals with topics that enable you to implement security measures on your database to protect your data from a variety of violations. To prepare for the technical discussions in the chapters to follow, this chapter presents an introduction to concepts such as general security, information systems, database management systems, and information security, all of which act as the basis for database security.

To gain an understanding of the issues you would face as a database administrator trying to implement increased security, consider the following scenarios. They give you a feeling for the types of security topics covered by the first half of this book.

• A prominent institution hires you to manage a team of skillful database developers, architects, and administrators. Your first challenge on the job is to design and implement a new database security policy to secure data and prevent data integrity violations.
• You are a database administrator for a small startup company. Your company just won a contract from a large, reputable organization to implement a new database application. One of the requirements is to enforce a stringent security policy, which was never before a priority for your company.
• You are a database developer assigned to a new project, which involves the latest technology. As you read the functional specification of the module you are to build, you discover that the data to be stored must be encrypted.

These are a few of the many scenarios you're likely to encounter as you progress through the world of work. This chapter covers both security principles and implementation, in general, and database security, more specifically.

Not long ago, most companies protected their data simply by preventing physical access to the servers where the data resided. This practice was sufficient until several incidents occurred in which data was jeopardized, compromised, and hijacked. Corporations quickly moved to enforcing security measures via operating systems, which prevented data violations by requiring the authentication of the identity of computer users. This approach was successful until new vulnerabilities and new threats brought different types of risks to database systems and applications.

Database management systems that depend on operating systems cannot survive without the implementation of security models that enforce strict security measures. Most database management systems did not have a secure mechanism for authentication and encryption until recently, when serious research and development was initiated to add security components that enable database administrators to implement security policies.

Yesterday's DBA was equipped with all sorts of technical skills that empowered him or her to manage a database efficiently. Today's DBA is required to have an additional skill: that of implementing security policies that protect one of the most valuable assets of a company, its data.

Regardless of your job title, as a team member of a corporation that employs database
applications, you must be prepared to protect your company from a variety of security
threats. This chapter is designed to increase your expertise and knowledge so that you will be
prepared for your database security responsibilities. The chapter presents an overview of sev-
eral fundamental concepts essential to implementing the security of a database environment.

Security
You have just arrived at your office after a restful vacation. The minute you open the
office door, you are shocked to see that all the locked drawers are open, your work files
are missing, and your computer has disappeared. You immediately start to list in your
head the most sensitive confidential files that are missing. You begin to panic as you con-
sider what would happen if the information within these files were leaked to the public.
You remind yourself that the new project you have spent months developing is gone and
someone could be selling it to other vendors. Your anxiety rises when you consider what
could have happened to you personally if the incident had happened while you were
working late in your office. A few minutes later, your manager steps into your office to tell
you that the company had been forced to conduct an unexpected audit, and that all the
sensitive information in your office had been temporarily moved to an area where the
auditors were working. This scenario involves the sense of personal security, which is best
described as the level and degree of being free of danger and threats.
The subject of this book is database security. As you begin this book, it is important to know just what that is. Database security is the degree to which all data is fully protected from tampering or unauthorized acts. However, this definition is not entirely complete. To fully understand the definition, you need to take a quick tour of various information systems and information security concepts. The following sections dip into these topics to build a foundation for defining and understanding database security.

Information Systems
In today's global market, corporations all over the world are competing to gain a portion
of market share. In some cases, corporations are striving to dominate a sector of the mar-
ket, and in other cases they are just trying to stay afloat and survive. Regardless of the
goals of these businesses, their success is usually attributed to the wise decisions of the
CEOs. Wise decisions are not made without accurate and timely information. At the
same time, the integrity of that information depends on the integrity of its source data
and the reliable processing of that data. Data is processed or transformed by a collection
of components working together to produce and generate accurate information. These
components are known as an information system.
An information system can be the backbone of the day-to-day operations of a company as well as the beacon of long-term strategies and vision. Information systems can be categorized based on usage. Figure 1-1 illustrates the typical management pyramid showing the category of information system used in each level of management. For example, lower-level management uses information systems that assist management and employees with operational tasks, such as inventory systems or point-of-sale (POS) systems.

Middle-level management uses systems that deal with midterm goals, such as forecasting systems that project sales for the following quarter. Upper-level management works with systems that assist with long-term goals, such as business model simulation and reasoning.

Figure 1-1: Typical use of system applications at various management levels. (Top level, long-term goals, strategic: expert systems (ESs). Middle-level management: decision support systems (DSSs) and management information systems (MISs). Lower-level management, short-term goals, operational: transaction-processing systems (TPSs).)

As illustrated in Figure 1-1, information systems are classified mainly into three distinct categories: transaction-processing systems, decision support systems, and expert systems. Table 1-1 describes the characteristics and typical applications for each type of system.

Table 1-1: Characteristics of information system categories

| Category | Acronym | Characteristics | Typical Application System |
|---|---|---|---|
| Transaction-processing system | TPS | Also known as online transaction processing (OLTP); used for operational tasks; provides solutions for structured problems; includes business transactions; logical component of TPS applications (derived from business procedures, business rules, and policies) | Order tracking; customer service; payroll; accounting; student registration; car sales |
| Decision support system | DSS | Deals with nonstructured problems and provides recommendations or answers to solve these problems; is capable of performing "What-if?" analysis; contains a collection of business models; is used for tactical management tasks | Risk management; fraud detection; sales forecasting; case resolution |
| Expert system | ES | Captures reasoning of human experts; executive expert systems (ESSs) are a type of expert system used by top-level management for strategic management goals; a branch of artificial intelligence within the field of computer science studies; software consists of a knowledge base, an inference engine, and rules; people consist of domain experts, knowledge engineers, and power users | Virtual university simulation; financial enterprise; statistical trading; loan expert; market analysis |

Regardless of the type of information system and purpose, an information system consists of the following components (see Figure 1-2 for an illustration of a typical information system):

• Data: Collected data and facts used as input for system processing, and data stored in the database for future reference or processing
• Procedures: Includes manual procedures, guidelines, business rules, and policies implemented in the system or used as part of the system
• Hardware: Computer systems and devices such as disks, chips, faxes, scanners, and printers
• Software: Application code, languages used to develop code, database management system, operating system used, and any other utilities or tools
• Network: A communication infrastructure to connect client processes to the system
• People: Users, managers, business analysts, programmers, system analysts, database administrators, and system administrators

Figure 1-2: Information system components

Figure 1-2 shows that data is entered into the system to be processed immediately or to be stored in a database to be processed later when needed. The database is a core component in today's most commonly used system architecture, which is a form of the client/server architecture that was introduced in the mid-1990s. The success of client/server architecture is due to the flexibility and scalability that it offers to system architects.

The concept behind a client/server application is based on the business model of a customer ordering a service or product and the representative of a business granting that request. In the client/server environment, you can think of the client as the customer and the server as the representative of a business granting the client's request. The client/server architecture can be implemented as one-tier, two-tier, and n-tier designs. A tier is a logical or physical platform. From a physical point of view, single-tier architecture is characterized by the client and server components residing on the same hardware platform. From a logical perspective, single-tier architecture is characterized by the client and the server coexisting as one component. A component is a logical (software) module such as a function, process, or a program. Figure 1-3 illustrates one-tier, two-tier, and three-tier client/server architecture. For example, a two-tier architecture can be composed of a front-end module used to validate data and to submit requests to the database server that processes and responds to the client-submitted requests.

Figure 1-3: Examples of different client/server tier designs

The client/server architecture is composed of three layers: the first is the user interface, which is typically the client; the second is the network layer, which is the backbone of the application architecture; and the third is the core of the client/server architecture, the database server layer, which responds to all requests submitted by the client. In other words, all applications use some sort of a database server. The database is managed by a collection of programs whose main purpose is to allow users to store, manipulate, and retrieve data efficiently. The collection of programs that manage the database is known as a database management system (DBMS). The next section presents an overview of the architecture and functions of database management systems.

Database Management Systems

As the database is an integral part of an information system, the need for reliable and efficient programs to manage the database becomes essential to the success of the information system. Although many corporations develop DBMSs in which each DBMS has a distinct implementation and architecture, they all have the following basic common functionalities:

• Allow developers and administrators to organize data in an orderly fashion.
• Allow users to store and retrieve data efficiently.
• Allow users to manipulate data (update and delete).
• Enable developers and administrators to enforce data referential integrity and consistency. Data is considered to have referential integrity when a relationship between two tables is always maintained (never broken).
• Allow administrators to enforce and implement data security policies and procedures on all database levels.
• Allow administrators to back up data in case of a failure and provide a mechanism to recover and restore data.

Here is a brief example of how data can lose its integrity and consistency. An employee, Tom, who is in the Employee table, is assigned to the Engineering department in the Department table (Employee and Department tables from a data modeling point of view are related 1 to 1. This means that one employee is assigned to only one department). If the Engineering department record is deleted, Tom's record loses reference to the department. This means you do not know Tom's department, and the data for Tom has lost its integrity. Now examine the concept of data consistency. When different addresses for the same employee exist in different places in the database, you do not know which is correct, and therefore the data has lost its consistency.
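The Tom/Engineering example above, worked in code. This is an added example, not code from the book: it uses Python's built-in sqlite3 module (an assumption; the chapter names no particular DBMS) to show how a foreign-key constraint stops the department deletion that would orphan Tom, what happens when the DBMS does not enforce the constraint, and how a query can locate the "different addresses for the same employee" consistency problem in a constructed, un-normalized Shipment table.

```python
import sqlite3

# Constructed schema for the book's example: Tom (Employee) refers to the
# Engineering department (Department) through a foreign key.
SCHEMA = """
CREATE TABLE Department (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL
);
CREATE TABLE Employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES Department(dept_id) ON DELETE RESTRICT
);
INSERT INTO Department VALUES (10, 'Engineering');
INSERT INTO Employee   VALUES (1, 'Tom', 10);
"""

# Constructed un-normalized table: the employee's address is copied into every
# shipment row, so the same fact is stored in several places.
SHIPMENTS = """
CREATE TABLE Shipment (
    ship_id INTEGER PRIMARY KEY,
    emp_id  INTEGER NOT NULL,
    address TEXT NOT NULL
);
INSERT INTO Shipment VALUES (1, 1, '12 Oak St');
INSERT INTO Shipment VALUES (2, 1, '12 Oak St');
INSERT INTO Shipment VALUES (3, 1, '90 Elm Ave');   -- conflicting copy for Tom
INSERT INTO Shipment VALUES (4, 2, '5 Pine Rd');
"""


def delete_engineering(enforce_fk):
    """Try to delete the Engineering department with referential integrity
    enforced (True) or not (False). Returns (deleted, orphaned_employee_rows)."""
    conn = sqlite3.connect(":memory:")
    # SQLite only honours REFERENCES clauses when this pragma is switched on.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    try:
        conn.execute("DELETE FROM Department WHERE name = 'Engineering'")
        conn.commit()
        deleted = True
    except sqlite3.IntegrityError:
        # Tom still points at dept 10, so the DBMS refuses to break the relationship.
        conn.rollback()
        deleted = False
    # Employees whose dept_id no longer matches any department row.
    orphans = conn.execute(
        "SELECT COUNT(*) FROM Employee e "
        "LEFT JOIN Department d ON d.dept_id = e.dept_id "
        "WHERE d.dept_id IS NULL").fetchone()[0]
    conn.close()
    return deleted, orphans


def inconsistent_addresses():
    """Return the emp_ids whose redundant address copies disagree, i.e. the
    rows for which you cannot tell which address is correct."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SHIPMENTS)
    rows = conn.execute(
        "SELECT emp_id FROM Shipment GROUP BY emp_id "
        "HAVING COUNT(DISTINCT address) > 1 ORDER BY emp_id").fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("FK enforced:", delete_engineering(True))      # (False, 0)
    print("FK ignored: ", delete_engineering(False))     # (True, 1)
    print("Employees with conflicting addresses:", inconsistent_addresses())  # [1]
```

With the constraint enforced the DELETE is rejected and no employee is orphaned; with it off the department disappears and Tom's row silently loses its reference. The GROUP BY/HAVING query is the kind of periodic check a DBA can run against tables that were never normalized.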
Of course, a DBMS can offer more advanced functions such as distributed transactions, replication, and parallel processing. Figure 1-4 provides a view of the database and DBMS environment that illustrates the similarity between those environments and information systems. Both consist of the same components: data, hardware, software, networks, procedures, and database servers.

Figure 1-4: Database and DBMS environment (users, system architect/developer, database administrators)

By this point, the chapter has presented a quick overview of security, information
systems, and database management systems. Now that you have some understanding
of those topics, it is time to tie the topics together.

Information Security
Security, as defined earlier, is the sense of feeling safe or protected from deliberate or accidental threats. So what about information security? Information is one of an organization's most valuable assets, and many companies have an Information Security department that protects the information and assures employees and managers that the information is safe. Information is safe if it is protected from access by unauthorized users. At the same time, to be useful, information must be accessible at all times to authorized users. Information security consists of the procedures and measures taken to protect each component of the information systems involved in producing information. This means protecting data, hardware, software, networks, procedures, and people, all the components of the information system.

According to the National Security Telecommunications and Information Systems Security Committee (NSTISSC), the concept of information security is based on the C.I.A. triangle, in which "C" stands for Confidentiality, "I" for Integrity, and "A" for Availability. The C.I.A. triangle is a framework for protecting information. The C.I.A. triangle should guide your efforts to enforce information integrity and shield data from being tampered with by unauthorized persons, being modified accidentally by employees, or losing consistency because of the incorrect coding of business requirements and rules. Ensuring that the information system is available when it is needed and at the same time protected from downtime caused by external or internal attacks or threats can be a difficult balancing act. To achieve this balance, you must establish security policies that are not so stringent as to make data inaccessible. Finally, you should not lose sight of confidentiality. Sensitive data and information should be kept secret and only divulged based on data and classification. Figure 1-5 illustrates the C.I.A. triangle.

Figure 1-5: Information security C.I.A. triangle. The figure annotates the three principles as follows. Availability: the system is available at all times; the system is protected from being shut down due to external or internal threats or attacks. Confidentiality: data and information is only for authorized and authenticated persons, and is classified into different levels of confidentiality to ensure that only authorized users access the information. Integrity: data and information is accurate and protected from tampering by unauthorized persons; data and information is consistent and validated.

Confidentiality
As indicated in the previous section, confidentiality is one of the three principles of the C.I.A. triangle. Confidentiality addresses two aspects of security that have subtle differences. The first aspect is the prevention of unauthorized individuals from knowing or accessing secret information. The second aspect is the process of safeguarding confidential information and disclosing secret information only to authorized individuals by means of classifying information. If either of these two factors is violated, the confidentiality principle of the C.I.A. triangle is breached and information security is at risk.

From this discussion, you may conclude that this balancing act is hard to achieve, if not impossible. It is difficult to implement but not impossible if you properly classify your information and design a process to implement and enforce confidentiality. You should classify your company's information into different levels, each level having its own security measures. To devise an effective classification system, you need to understand that classification schemes vary with different companies, government agencies, and other institutions. What determines classification is the type of business and its policies and procedures. However, companies usually classify information based on the degree of confidentiality necessary to protect that information. Figure 1-6 presents a model that can be adapted to implement controls for each level.

Figure 1-6: Confidentiality classification

Integrity
Integrity is the second principle of the C.I.A. triangle. For information integrity to exist, the data upon which it is based must be consistent and accurate throughout the system. You've probably heard the old expression "Garbage in, garbage out." For security, this means that consistent and valid data, if processed correctly, yields accurate information. The integrity aspect of information security is vital, because it focuses your attention on the most valuable asset, data, which in turn becomes information. Data is considered to have integrity if it is accurate and has not been tampered with intentionally or accidentally. Data must be protected at all levels to achieve full integrity.

Consider the following example. Employee A learns that his adversarial coworker in the next cubicle is earning a higher salary than he is. Somehow, employee A accesses an application program used by the Accounting department and manipulates the vacation hours and overtime hours of his colleague. Two security violations have occurred. First, sensitive data (salary), which is supposed to be confidential, was disclosed or obtained inappropriately. This is a violation of the confidentiality principle. Second, the disgruntled employee gained access to an application that allowed him to modify data. This is a violation of data integrity. These violations are connected and also interconnected with the third C.I.A. principle, availability. A security failure occurs when the application fails to detect this malicious act through an audit mechanism or other data controls that should be in place. An example of such a control in this case would be an application that cross-checks overtime hours against actual time cards, computes vacation hours, and verifies entered values. If the computed and entered values are different, the application should require an approval override from another person.
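The data control described in the paragraph above, written out as an added example (not code from the book): entered overtime and vacation hours are recomputed from the employee's time cards, any mismatch blocks the entry until a second person approves it, and every decision is written to an audit trail. The 40-hour week, the vacation accrual rate and the time-card values are constructed assumptions for the example.

```python
from dataclasses import dataclass

STANDARD_WEEK_HOURS = 40.0
# Constructed accrual rule for the example: 1 vacation hour per 20 hours worked.
VACATION_ACCRUAL_RATE = 1 / 20
TOLERANCE = 0.01   # rounding slack when comparing entered and computed hours


@dataclass
class PayrollEntry:
    employee_id: str
    submitted_by: str       # account that keyed the values into the accounting application
    overtime_hours: float
    vacation_hours: float


def expected_hours(timecard_hours):
    """Recompute overtime and vacation accrual from the employee's own time cards."""
    total = sum(timecard_hours)
    overtime = max(0.0, total - STANDARD_WEEK_HOURS)
    vacation = round(total * VACATION_ACCRUAL_RATE, 2)
    return overtime, vacation


def find_discrepancies(entry, timecard_hours):
    """Map each field whose entered value differs from the computed value to (entered, expected)."""
    exp_ot, exp_vac = expected_hours(timecard_hours)
    found = {}
    if abs(entry.overtime_hours - exp_ot) > TOLERANCE:
        found["overtime_hours"] = (entry.overtime_hours, exp_ot)
    if abs(entry.vacation_hours - exp_vac) > TOLERANCE:
        found["vacation_hours"] = (entry.vacation_hours, exp_vac)
    return found


def process_entry(entry, timecard_hours, approver=None, audit_log=None):
    """Accept an entry that matches the time cards; otherwise require an override
    approved by a second person. Returns 'accepted', 'override_required' or
    'rejected', and appends one audit record per decision."""
    audit_log = [] if audit_log is None else audit_log
    discrepancies = find_discrepancies(entry, timecard_hours)
    if not discrepancies:
        decision = "accepted"
    elif approver is None:
        decision = "override_required"
    elif approver == entry.submitted_by:
        # Separation of duties: the person who entered the values may not approve them.
        decision = "rejected"
    else:
        decision = "accepted"
    audit_log.append({"employee": entry.employee_id, "submitted_by": entry.submitted_by,
                      "approver": approver, "decision": decision,
                      "discrepancies": discrepancies})
    return decision


if __name__ == "__main__":
    timecards = [8, 8, 8, 8, 10]                      # constructed: 42 hours this week
    honest = PayrollEntry("E42", "clerk1", 2.0, 2.1)
    inflated = PayrollEntry("E42", "clerk1", 12.0, 2.1)
    log = []
    print(process_entry(honest, timecards, audit_log=log))                     # accepted
    print(process_entry(inflated, timecards, audit_log=log))                   # override_required
    print(process_entry(inflated, timecards, approver="clerk1", audit_log=log))  # rejected
    print(process_entry(inflated, timecards, approver="mgr7", audit_log=log))    # accepted
    print(len(log), "audit records")
```

The audit records, not the return value, are what an investigator would read afterwards: they show who entered the inflated figure, which field disagreed with the time cards, and who signed off on it.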
The integrity of the information system is measured by the integrity of its data. For
the integrity of the data to be considered valid, it must avoid the pitfalls summarized in
Table 1-2. One of the pitfalls is losing read consistency. When working with data that has
read consistency, each user sees only his own changes and those that have been commit-
ted by other users.

Table 1-2: Degradation of data integrity

| Type of Data Degradation | Description | Reasons for Data Losing Integrity |
|---|---|---|
| Invalid data | Indicates that not all the entered and stored data is valid without exception; checks and validation processes (known as database constraints) that prevent invalid data are missing. | User enters invalid data mistakenly or intentionally. Application code does not validate inputted data. |
| Redundant data | Occurs when the same data is recorded and stored in several places; this can lead to data inconsistency and data anomalies. | Faulty data design that does not conform to the data normalization process. (Normalization is a database design process used to reduce and prevent data anomalies and inconsistencies.) |
| Inconsistent data | Occurs when redundant data, which resides in several places, is not identical. | Faulty database design that does not conform to the data normalization process. |
| Data anomalies | Exists when there is redundant data caused by unnormalized data design; in this case, data anomalies occur when one occurrence of the repeated data is changed and the other occurrences are not. | Faulty data design that does not conform to the data normalization process. |
| Data read inconsistency | Indicates that a user does not always read the last committed data, and data changes that are made by the user are visible to others before changes are committed. | DBMS does not support or has weak implementation of the read consistency feature. |
| Data nonconcurrency | Means that multiple users can access and read data at the same time but they lose read consistency. | DBMS does not support or has weak implementation of the read consistency feature. |
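Read consistency, as defined before Table 1-2 and in its last two rows, can be observed directly with two database sessions. The following is an added example, not part of the book: it uses Python's sqlite3 module against a constructed throwaway database file (both assumptions; the chapter names no DBMS). A writer session changes a salary inside an open transaction, and a second session reads the same row before and after the COMMIT. A DBMS with working read consistency returns the last committed value to the reader until the writer commits, while the writer sees its own uncommitted change.

```python
import os
import shutil
import sqlite3
import tempfile


def read_consistency_demo():
    """Run a writer and a reader session against one database.
    Returns (writer_sees, reader_before_commit, reader_after_commit)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "payroll.db")   # constructed throwaway database
    setup = sqlite3.connect(path)
    setup.execute("CREATE TABLE Salary (emp_id INTEGER PRIMARY KEY, amount INTEGER)")
    setup.execute("INSERT INTO Salary VALUES (1, 5000)")
    setup.commit()
    setup.close()

    # isolation_level=None puts the driver in autocommit mode, so the only
    # transaction is the one we open and close explicitly below.
    writer = sqlite3.connect(path, isolation_level=None)
    reader = sqlite3.connect(path, isolation_level=None)
    query = "SELECT amount FROM Salary WHERE emp_id = 1"
    try:
        writer.execute("BEGIN")
        writer.execute("UPDATE Salary SET amount = 9000 WHERE emp_id = 1")
        # The writer sees its own uncommitted change ...
        writer_sees = writer.execute(query).fetchall()[0][0]
        # ... but another session still reads the last committed value.
        reader_before = reader.execute(query).fetchall()[0][0]
        writer.execute("COMMIT")
        # Only after COMMIT does the change become visible to others.
        reader_after = reader.execute(query).fetchall()[0][0]
    finally:
        writer.close()
        reader.close()
        shutil.rmtree(tmpdir, ignore_errors=True)
    return writer_sees, reader_before, reader_after


if __name__ == "__main__":
    print(read_consistency_demo())   # (9000, 5000, 9000)
```

A DBMS that let the reader return 9000 before the COMMIT would exhibit the "data read inconsistency" row of Table 1-2: a half-finished change would be visible to others, and a rollback by the writer would leave the reader holding a value that never existed.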

Availability
Suppose you are asked to write a prescription for a corporation's success. You will probably prescribe three treatments: technology innovation and implementation, high-quality products, and excellent customer care and service. When a corporation skips any of these treatments, it probably loses the competitive edge and thus loses market share.

You may be asking yourself, "How is availability related to security?" To answer that question, consider this scenario. A prominent dot-com company sells a variety of products over the Web. You want to purchase a product, but when you try to visit the Web site, you receive an error message saying the site is unavailable. You call the company's customer service number to get more information about the product, but to your surprise, the customer service representative informs you that their system is not available and that you should call back.

If incidents such as these occur frequently, customers lose confidence in a company, the company loses customers, and eventually loses market share as well. Regardless of the reasons that led to system unavailability, the result is unsatisfied customers. Now, put system design and implementation aside and explore why a system becomes unavailable from a security point of view. An organization's information system can become unavailable because of the following security issues:

• External attacks and lack of system protection
• Occurrence of system failure with no disaster recovery strategy
• Overly stringent and obscure security procedures and policies
• Faulty implementation of authentication processes, which causes failure to authenticate customers properly

The availability principle with respect to information security means that the system should be available (accessible) to individuals who are authorized to access the information, and the system should determine what an individual can do with that information.

Information Security Architecture

An information system, as defined earlier, is a collection of components working together to solve a problem. Because data is processed into viable information by the information system, security becomes an important aspect of the system. This means that the information system must protect data and the information produced from the data from having its confidentiality, integrity, and availability violated on any layer. This section expands on the concept of information security by describing other aspects that make up the infrastructure required to build security procedures and policies.

Figure 1-7 shows that information security architecture is a model for protecting logical and physical assets. Information security architecture is the overall design of a company's implementation of the C.I.A. triangle. The architecture's components range from physical equipment to logical security tools and utilities. You can see in Figure 1-7 that if any of the principles of the C.I.A. triangle is violated, the information security model will fail to protect the company's logical or physical assets.

Figure 1-7: Information security architecture. The figure groups the following concerns under Confidentiality, Integrity, and Availability and shows them feeding into an information security architecture that protects logical and physical assets: privacy laws, confidential classification, policies and procedures, cryptography technology, authorization methodology, access rights, customer concerns, authentication technology, social and cultural issues, security technology, security model, DBMS technology, database and data design, application technology, threats and attacks, system vulnerabilities, network interfaces, and disaster and recovery strategy.

The following list outlines the components of information security architecture:

• Policies and procedures: Documented procedures and company policies that elaborate on how security is to be carried out
• Security personnel and administrators: People who enforce and keep security in order
• Detection equipment: Devices that authenticate employees and detect equipment that is prohibited by the company
• Security programs: Tools that protect computer systems' servers from malicious code such as viruses
• Monitoring equipment: Devices that monitor physical properties, employees, and other important assets
• Monitoring applications: Utilities and applications used to monitor network traffic and Internet activities, downloads, uploads, and other network activities
• Auditing procedures and tools: Checks and controls put in place to ensure that security measures are working

Database Security
Business corporations and government institutions depend more and more on information technology as the sole tool for processing and storing data. This increased reliance on information technology in general, and on information systems specifically, allows organizations to become more productive and efficient. At the same time, use of information systems offers a competitive edge over companies that lag behind in technology. Reliance on information systems does not come without a cost. In fact, technology has not only introduced societal issues and problems, it has also created a vast range of security threats that could result in devastating situations.

Information is the foundation of knowledge, and information is not accurate if its source, data, does not have consistency and integrity. For this specific reason, most corporations employ sophisticated information systems that have a database component.

One of the functions of database management systems is to empower the database administrator to implement and enforce security at all levels of the database. In order for you as a database administrator to protect valuable data stored in the database, you must know the various security access points that can make your database vulnerable. A security access point is a place where database security must be protected and applied, in other words implemented, enforced, and audited. This section presents a list of security access points that apply to most databases.

Figure 1-8 presents all the major access points within a database environment where security measures must be applied, enforced, and audited. Figure 1-8 represents all the components of the database environment: people, applications, networks, operating system, database management system, data files, and data. Data is the most valuable asset of the database environment. Having said that, data requires the highest levels of protection, and therefore its data access point must be the smallest of all the components shown in Figure 1-8.

Figure 1-8: Database security access points (nested layers: people, applications, network, operating system, DBMS, data files, data)

The security access points illustrated in Figure 1-8 are:

• People: Individuals who have been granted privileges and permissions to access
applications, networks, workstations, servers, databases, data files, and data. People
therefore represent a risk of database security violations, and database security must
include all measures necessary to protect the data in the database against violations
caused by people.
• Applications: Application design and implementation, including the privileges and
permissions that the application grants to people. If these permissions are too loose,
individuals can access and violate data; if they are too restrictive, users cannot perform
their responsibilities. Grant security privileges to applications with extreme caution.
• Network: One of the most sensitive security access points. Protect the network with
your best efforts and provide network access only to the applications, operating
systems, and databases that require it.
• Operating system: The operating system access point is authentication to the
system, the gateway to the data. For example, to access data residing on a system you
must log on, and your security credentials must be verified. Weak security measures
at this access point are the cause of many security violations.
• DBMS: The logical structure of the database, which includes memory, executables,
and other binaries.
• Data files: Access to the data files in which the data resides. Use file permissions and
encryption to protect the data files belonging to the database from being accessed by
unauthorized individuals.
• Data: This access point deals with the data design needed to enforce data integrity,
the application implementation needed to ensure data validity, and the privileges
necessary to access data.

Examining the access points in more detail, you can see each access point as a compo-
nent of the entire system. The people component is the largest area because there is
often a huge community of individuals who access data, including users, managers, visi-
tors, outsiders, developers, and administrators. All of these people increase the possibility
of endangering the security of data. Therefore, security efforts and measures should be
directed at decreasing the risks at the people access point, thus decreasing threats
from people.
In Figure 1-8, the data file access point is smaller than any of the points above it,
which means that the security risk at the data files is not as high as at the DBMS access
point. Restricting the DBMS access point therefore makes the data file access point even
less accessible. Another point you may have noticed in Figure 1-8 is that the proximity of
an access point to database security indicates how close you are to a database security
violation, and the area of the access point indicates the size of the security risk. Figure 1-8
therefore indicates that you must start securing the database at the people access point,
followed by applications, and so on.
To see the other side of the coin, examine Figure 1-9, which shows that when the area
of the people access point is reduced, the only access to data is through all the access
points (layers or levels) above it. Reducing the size of an access point reduces security
risk, which in turn increases database security.
As defined earlier, a security access point is a point at which security measures are
needed to prevent access that can involve unauthorized actions. It is worth noting that
security access points should not be confused with security gaps or vulnerabilities.
Security gaps are points at which security is missing and thus the system is vulnerable.
Vulnerabilities are kinks in the system that must be watched because they can become
threats. In the world of information security, a threat is defined as a security risk that has
a high possibility of becoming a system breach. The breach can be caused by either inten-
tional or unintentional actions. Figure 1-10 shows the process by which a security gap
eventually results in a security breach. To complete this picture you need to know the
formal definition of each security access point of the database environment, as defined
earlier in this section and illustrated in Figure 1-8.
[Figure 1-9: Database security enforcement (layers from outermost to innermost: Database security, Operating system, DBMS, Data files, Data)]

[Figure 1-10: Data integrity violation process (security access points are unprotected -> data integrity violation)]

Database Security Levels


As you know, a relational database is a collection of related data files; a data file is a col-
lection of related tables; a table is a collection of related rows (records); and a row is a
collection of related columns (fields), as shown in Figure 1-11. As you have noticed, the
structure of the database is organized in levels, and each level can be protected by a dif-
ferent security mechanism. For instance, a column can be protected by using a VIEW
database object. A VIEW database object is a stored query that returns selected columns
and rows from the underlying tables. The data provided by the view object is protected by
the database system functionality that allows schema owners to grant or revoke privileges
on it. The data files in which the data resides are protected by the database, and that pro-
tection is enforced by operating system file permissions. Finally, the database is secured by
the database management system through the use of user accounts and password mecha-
nisms, as well as by the privileges and permissions required for the main database
functions: database shutdown, creating user accounts, and database backup and recovery,
to name a few.

[Figure 1-11: Levels of database security (DBMS; operating system; data files; tables; grants; views)]
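The levels just described, as an added SQL example that is not part of the book: a base table owned by schema hr, a view that restricts both the columns and the rows a caller sees, and privileges granted on the view rather than on the table. The schema, table, column, and role names (hr, employee, manager_dept, dept_managers) are assumed, as is that the schema and role already exist; CURRENT_USER and the GRANT/REVOKE syntax follow PostgreSQL, and other DBMSs differ in detail.

```sql
-- Added example, not from the book: the security levels of Figure 1-11 in SQL.
-- Assumed: schema hr and role dept_managers exist; PostgreSQL-style syntax.

-- Level: table. The base table, owned by hr, holds the sensitive columns.
CREATE TABLE hr.employee (
    emp_id    INTEGER       PRIMARY KEY,
    full_name VARCHAR(100)  NOT NULL,
    dept_id   INTEGER       NOT NULL,
    salary    NUMERIC(10,2) NOT NULL,
    ssn       CHAR(11)      NOT NULL UNIQUE
);

-- Assumed mapping of manager login names to the departments they manage.
CREATE TABLE hr.manager_dept (
    manager_login VARCHAR(63) NOT NULL,
    dept_id       INTEGER     NOT NULL,
    PRIMARY KEY (manager_login, dept_id)
);

-- Level: view. The view exposes only the non-sensitive columns (no salary, no
-- ssn) and only the rows of departments the calling user manages. CURRENT_USER
-- is evaluated for the user running the query, so one view serves every manager.
CREATE VIEW hr.employee_directory AS
SELECT e.emp_id, e.full_name, e.dept_id
FROM   hr.employee e
WHERE  e.dept_id IN (SELECT m.dept_id
                     FROM   hr.manager_dept m
                     WHERE  m.manager_login = CAST(CURRENT_USER AS VARCHAR));

-- Level: privileges. Grant on the view only; the base table stays private to
-- its owner. The view runs with the owner's rights on hr.employee, so the
-- grantee needs no privilege on the table itself.
REVOKE ALL    ON hr.employee           FROM PUBLIC;
GRANT  USAGE  ON SCHEMA hr             TO dept_managers;
GRANT  SELECT ON hr.employee_directory TO dept_managers;

-- Check, connected as a member of dept_managers:
SELECT emp_id, full_name FROM hr.employee_directory;  -- allowed, own departments only
SELECT ssn, salary FROM hr.employee;                   -- rejected: permission denied
```

The point of the last two statements is that the column and row restriction is enforced by the DBMS, not by the application: a manager who connects with any client, not just the approved one, still cannot read ssn or salary.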

Menaces to Databases
The following sections describe the kinds of menaces to database security that are
commonly faced by today's organizations: database vulnerabilities, threats, and risks.
Although these terms have been used previously in this chapter, before proceeding with
those descriptions it is important that you understand the differences among the three
terms, subtle as they may be:

• Security vulnerability: A weakness in any of the information system components
that can be exploited to violate the integrity, confidentiality, or accessibility of
the system
• Security threat: A security violation or attack that can happen at any time because of a
security vulnerability
• Security risk: A known security gap that a company intentionally leaves open

Types of Vulnerabilities
According to www.dictionary.com, vulnerability means "susceptible to attack." Why is this
word important in security? The answer is simple-intruders, attackers, and assailers
exploit vulnerabilities in your environment to prepare and start their attacks. From an
information security perspective, hackers usually explore the weak points (design or code
flaws) of a system until they gain entry through a gap in protection. Once an intrusion
point is discovered, hackers unleash their array of attacks on the system, which could be
viruses, worms, malicious code (code that could corrupt or adversely alter the state of your
computer system), or other types of unlawful violations. To protect your system from
these attacks, you must understand the types of vulnerabilities that may be found in your
information security architecture. To conduct a review and examination of the different
types of database security vulnerabilities, you need to understand how vulnerabilities are
categorized. Vulnerability categorization is illustrated in Figure 1-12. A description of each
category is presented in Table 1-3 with examples.

[Figure 1-12: Categories of database security vulnerabilities: installation and configuration, user mistakes, software, design and implementation]


Table 1-3  Types of vulnerabilities with definitions and examples

Installation and configuration
  Description: This type of vulnerability results from using a default installation and configuration that is publicly known and usually does not enforce any security measures. Improper configuration or installation may also result in security risks.
  Examples:
  • Incorrect application configuration that may result in application malfunction
  • Failure to change default passwords
  • Failure to change default permissions and privileges
  • Using the default application configuration, which leads to security vulnerability because most applications do not enforce high-security measures for the default setup

User mistakes
  Description: Although all security vulnerabilities are tied to humans, vulnerabilities listed in this category are mainly related to carelessness in implementing procedures, failure to follow through, or accidental errors.
  Examples:
  • Lack of auditing controls
  • Untested disaster recovery plan
  • Lack of activity monitoring
  • Lack of protection against malicious code
  • Failure to apply patches as they are released
  • Bad authentication process or implementation
  • Social engineering (pretending to be a representative of a legitimate organization to trick an individual into providing sensitive information)
  • A user's lack of technical knowledge, which leaves the user susceptible to various hacker intrusions and fraud schemes
  • Susceptibility to scams

Software
  Description: This category relates to vulnerabilities found in commercial software for all types of programs (applications, operating systems, database management systems, and other programs).
  Examples:
  • Software patches are not applied
  • Software contains bugs
  • System administrators do not keep track of patches

Design and implementation
  Description: Vulnerabilities in this category are related to improper software analysis and design as well as coding problems and deficiencies.
  Examples:
  • System design errors
  • Exceptional conditions (special cases in which code fails to execute) and errors are not handled in program development
  • Input data is not validated

Types of Threats
Earlier in the chapter, you were shown that in the data integrity violation process, vulner-
abilities can escalate into threats. As database administrator, database manager, or infor-
mation security administrator, you need to be aware of these vulnerabilities and threats
to protect your organization and its assets. As with the categorization of vulnerabilities,
threats are categorized to ensure that everything that contributes to security risks is cov-
ered. Figure 1-13 presents threat categories.

[Figure 1-13: Categories of database security threats: people, malicious code, technological disasters, natural disasters]

As shown in Figure 1-13, four types of threats contribute to security risks.


According to www.dictionary.com, a threat is defined as "An indication of impending
danger or harm."
Table 1-4 defines and offers examples of each type of threat category shown in
Figure 1-13.
Table 1-4  Threat types, definitions, and examples

People
  Definition: People intentionally or unintentionally inflict damage, violation, or destruction on any or all of the database environment components (people, applications, networks, operating systems, database management systems, data files, or data).
  Examples: employees; government authorities or persons in charge; contractors; consultants; visitors; hackers; organized criminals; spies; terrorists; social engineers

Malicious code
  Definition: Software code that in most cases is intentionally written to damage or violate one or more of the database environment components (applications, networks, operating systems, database management systems, data files, or data).
  Examples: viruses; boot sector viruses; worms; Trojan horses; spoofing code; denial-of-service floods; rootkits; bots; bugs; e-mail spamming; macro code; back doors

Natural disasters
  Definition: Calamities caused by nature, which can destroy any or all of the database environment components.
  Examples: hurricanes; tornadoes; earthquakes; lightning; floods; fire

Technological disasters
  Definition: Usually caused by some sort of malfunction in equipment or hardware; technological disasters can inflict damage on networks, operating systems, database management systems, data files, or data.
  Examples: power failure; media failure; hardware failure; network failure

Terms used in the table:

• Virus: self-replicating code that attaches itself to other programs or files and compromises the integrity and state of a system
• Boot sector virus: a virus that infects the segment of the hard disk containing the program used to start the computer, so that it runs before the operating system loads
• Worm: self-replicating code that spreads from system to system across a network without needing a host program and disrupts the operation of the systems it reaches
• Back door: an intentional design element of some software that allows the developers of a system to gain access to the application for maintenance or technical problems, bypassing normal authentication
• Trojan horse: malicious code that penetrates a computer system or network by pretending to be legitimate code
• Spoofing code: malicious code that impersonates legitimate code, a legitimate user, or a legitimate host
• Denial-of-service flood: flooding a Web site or network system with so many requests that the system is overloaded and forced to deny service to legitimate requests
• Rootkit: malicious software that conceals an intruder's presence and preserves privileged access on a compromised system
• Bot: software that places a compromised system under an attacker's remote control, typically to automate tasks such as collecting information from the system or launching further attacks
• Bugs: software code that is faulty because of bad design, logic, or both
• E-mail spamming: e-mail that is sent to many recipients without their permission

A threat can result in a security risk that requires you to employ and execute security
measures to prevent or foil security breaches or damage. In the next section you look at
the security risks that can emerge from threats.

Types of Risks
Risks are simply a part of doing business. Managers at all levels are constantly working to
assess and mitigate risks to ensure the continuity of departmental operations. As part of
this game, you need not only to understand your system weaknesses and threats, but to
walk the extra mile to diminish the probability of these threats actually occurring. So what
are the risks to the security of the database environment? Simply put, the reliability of a
database at all levels is at risk, and most importantly the integrity of the data. Figure 1-14
illustrates the categories of database security risks, and Table 1-5 defines those categories.

[Figure 1-14: Categories of database security risks: People, Hardware, Data, Confidence]

Table 1-5  Definition and examples of risk types

People
  Definition: The loss of people who are vital components of the database environment and know critical information about the environment can create risks.
  Examples:
  • Loss of key persons (resignation, migration, health problems)
  • Key-person downtime due to sickness, personal or family problems, or burnout

Hardware
  Definition: A risk that mainly results in hardware unavailability or inoperability.
  Examples:
  • Downtime due to hardware failure, malfunction, or inflicted damage
  • Failure due to unreliable or poor-quality equipment

Data
  Definition: Data loss and data integrity loss are major concerns of database administrators and management.
  Examples:
  • Data loss
  • Data corruption
  • Data privacy loss

Confidence
  Definition: The loss of public confidence in the data produced by the company causes a loss of public confidence in the company itself.
  Examples:
  • Loss of procedural and policy documents
  • Database performance degradation
  • Fraud
  • Confusion and uncertainty about database information

If you were to rate vulnerabilities, threats, and risks according to the most com-
mon and important factors, you would list three factors: people, software, and data.
The remaining factors act as amplifiers or supporters. Figure 1-15 represents this inte-
gration: database security involves the protection of the three main components, people,
software, and data, from vulnerabilities, which can become threats to the integrity of
the system and consequently become risks to the business operation.

[Figure 1-15: Integration of security vulnerabilities, threats, and risks in a database environment]

Asset Types and Their Value


People always tend to protect assets regardless of what they are. For example, you may
keep a memorable picture of your parents in a safe place. However, the degree of protec-
tion you provide is directly based on how much you value the assets. If you highly value
the picture of your great-grandparents, you might take an extra measure of precaution by
copying it and placing it in a fireproof safe where it is guarded from most natural disas-
ters and from theft, or you may just put it in a frame because you have many similar pic-
tures or because you can reproduce it.
Corporations treat their assets in the same way. Assets are the infrastructure of the
company operation. Depending on the type of asset and how much the company values
it, the company builds security policies and procedures and executes actions to protect
these assets. In this section you explore the types of assets that business entities own in
order to relate these concepts to database security. There are four main types of assets:
• Physical assets: Also known as tangible assets, these include buildings, cars, hard-
ware, and so on
• Logical assets: Logical aspects of an information system, such as business applica-
tions, in-house programs, purchased software, operating systems, databases, and data
• Intangible assets: Business reputation, quality, and public confidence
• Human assets: Human skills, knowledge, and expertise

Security measures are implemented based on the value of each asset. For instance, if
a company employs a scientist working on an important invention, the company may
take extra measures to avoid losing the intellectual asset she represents. Similarly, every
component in the database environment is protected according to its value. Continuing

with the same example, the company may use no security measures to protect test-gener-
ated data that developers and quality assurance engineers use as part of the database
application development phases. However, if the information is part of production data,
the company probably executes specific security procedures and policies to protect that
production data from all types of violations.

Security Methods
Security technology comprises a variety of methods that protect specific aspects of secu-
rity architecture. In this section you explore the most common methods used to secure
the database environment. Only methods that are data related are discussed in this book.
Table 1-6 outlines the security methods that are used to protect the different components
of a database environment.

Table 1-6  Security methods used to protect database environment components

People
  • Physical limits on access to hardware and documents
  • Identification and authentication, using devices such as ID cards, eye scans, and passwords, to make certain that the individual is who he or she claims to be
  • Training courses on the importance of security and how to guard assets
  • Establishment of security policies and procedures

Applications
  • Authentication of users who access applications
  • Business rules
  • Single sign-on (a method for signing on once for different applications and Web sites)

Network
  • Firewalls to block network intruders
  • Virtual private network (VPN) (a remote computer securely connected to a corporate network)
  • Authentication

Operating system
  • Authentication
  • Intrusion detection
  • Password policy
  • User accounts

Database management system
  • Authentication
  • Audit mechanism
  • Database resource limits
  • Password policy

Data files
  • File permissions
  • Access monitoring

Data
  • Data validation
  • Data constraints
  • Data encryption
  • Data access

A business rule is the implementation of a business procedure or policy through code written
in an application.
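The Data row of Table 1-6, as an added example that is not part of the book: data validation and data constraints declared in the DBMS, and data access limited to a narrowly privileged application role. The table, column, and role names (department, account, teller_app) are assumed; the regular-expression CHECK uses PostgreSQL's ~ operator, which other DBMSs spell differently, and data encryption is left out because its syntax is vendor-specific.

```sql
-- Added example, not from the book: the "Data" methods of Table 1-6 (validation,
-- constraints, access) declared in the DBMS rather than in application code.
-- Table, column, and role names are assumed; ~ is PostgreSQL's regex match.

CREATE TABLE department (
    dept_id   INTEGER     PRIMARY KEY,
    dept_name VARCHAR(60) NOT NULL UNIQUE
);

CREATE TABLE account (
    acct_no  CHAR(10)      PRIMARY KEY,
    dept_id  INTEGER       NOT NULL REFERENCES department (dept_id),  -- referential integrity
    owner    VARCHAR(100)  NOT NULL,
    balance  NUMERIC(14,2) NOT NULL DEFAULT 0,
    status   VARCHAR(8)    NOT NULL DEFAULT 'OPEN',
    -- Data validation lives with the data, so every application and every
    -- ad hoc session is held to the same rules.
    CONSTRAINT ck_acct_no CHECK (acct_no ~ '^[0-9]{10}$'),
    CONSTRAINT ck_status  CHECK (status IN ('OPEN', 'FROZEN', 'CLOSED')),
    CONSTRAINT ck_balance CHECK (balance >= 0)
);

INSERT INTO department VALUES (1, 'Retail');
INSERT INTO account (acct_no, dept_id, owner) VALUES ('0000000001', 1, 'A. Smith');  -- accepted

-- Each of these is rejected by the DBMS itself, whatever client sent it:
INSERT INTO account (acct_no, dept_id, owner) VALUES ('12345', 1, 'B. Jones');        -- ck_acct_no
INSERT INTO account (acct_no, dept_id, owner) VALUES ('0000000002', 99, 'B. Jones');  -- no department 99
UPDATE account SET status = 'DELETED' WHERE acct_no = '0000000001';                   -- ck_status
UPDATE account SET balance = -50      WHERE acct_no = '0000000001';                   -- ck_balance

-- Data access: the application connects as a role that can read accounts and
-- post changes to a few columns, but can neither delete accounts nor move an
-- account to another department, and can only read the department list.
CREATE ROLE teller_app;
GRANT SELECT, INSERT ON account TO teller_app;
GRANT UPDATE (owner, status, balance) ON account TO teller_app;  -- column-level grant: dept_id stays fixed
GRANT SELECT ON department TO teller_app;
```

Declaring the rules as constraints rather than only in application validation matters because the application access point is not the only way into the data: a DBA session, a batch load, or an attacker who has reached the DBMS directly is still stopped by ck_acct_no and the foreign key.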

Database Security Methodology


By this point in this chapter, you have an overview of most of the essential aspects of
security architecture. It is time to put the pieces of the database security jigsaw puzzle
together to compose a process that will assist you in building your database security. This
section presents an implementation process that can be used as a framework or method-
ology to outline the security tasks required for each stage. As shown in Figure 1-16, this
process consists of phases similar to those of most software engineering methodologies,
except the focus in each phase is security.

[Figure 1-16: Database security methodology. Software development life cycle: Planning -> Design -> Coding -> Testing -> Maintenance. Database security implementation methodology, phase by phase alongside it: Identification -> Assessment -> Design -> Implementation -> Evaluation -> Auditing]

Figure 1-16 presents database security methodology side by side with the software
development life cycle (SDLC) methodology. Notice that phases in the database secu-
rity methodology correspond to those of the SDLC. For example, suppose your com-
pany is carrying out a new inventory system project. Typically, your first phase in the
SDLC is to plan for resources and devise a high-level project plan outlining major
milestones. As a security architect or administrator, at the planning phase you are exe-
cuting tasks in the identification phase. One of the tasks in this phase is identifying the
security policy that will be adopted for this project. The following list presents the def-
inition of each phase of the database security methodology.
• Identification: This phase entails the identification and investigation of the resources
required and the policies to be adopted.
• Assessment: This phase includes analysis of vulnerabilities, threats, and risks for
both aspects of database security: physical (data files and data) and logical (memory
and code). You analyze system specifications and requirements to devise a security
policy and procedures for all database modules and application data.
• Design: This phase results in a blueprint of the adopted security model that is used
to enforce security. The blueprint shows how security measures are implemented to
enforce data integrity and accessibility.
• Implementation: Code is developed or tools are purchased to implement the blue-
print outlined in the previous phase.
• Evaluation: In this phase you evaluate the security implementation by testing your
system against typical software attacks, hardware failures, natural disasters, and
human errors. The result of this phase is a determination of the system's degree of
security.
• Auditing: After the system goes into production, security audits should be per-
formed periodically to ensure the security state of the system.

Database Security Definition Revisited


At the start of this chapter database security was defined as the degree to which all data is
fully protected from tampering or unauthorized acts. You were warned, however, that you
needed the chapter's quick tour of various information systems and information security
concepts before confronting a complete definition. Now that you've had that tour, the
definition can be expanded as follows: Database security is a collection of security poli-
cies and procedures, data constraints, security methods, and security tools blended
together to implement all necessary measures to secure the integrity, accessibility, and
confidentiality of every component of the database environment. These components
include people, applications, networks, operating systems, database management systems,
data files, and data.

Chapter Summary
• Security is defined as the level and degree of being free from danger and threats.
• Database security can be briefly defined as the degree to which data is fully protected from unauthorized tampering.
• Information systems are the backbone of day-to-day company operations as well as the guide for long-term strategies.
• A typical information system consists of data, procedures, hardware, software, networks, and people.
• A client/server application is based on the business relationship in which the customer requests an order or service and the server responds to the request.
• A tier is a logical or physical platform in client/server architecture.
• DBMSs from different vendors vary in implementation and architecture, but they have close to the same functionality.
• The basic function of a DBMS is to enable developers and administrators to organize data; store, manipulate, and retrieve data efficiently; enforce data referential integrity; and provide a security mechanism to protect the data.
• Most companies employ an Information Security department to protect data and information.
• The concept of information security is based on the C.I.A. triangle, in which "C" stands for confidentiality, "I" stands for integrity, and "A" stands for availability.
• There are two components to confidentiality: preventing unauthorized individuals from knowing or accessing secret information, and keeping confidential information secret by not disclosing it to unauthorized individuals.
• Data is considered to have integrity if it is accurate and has not been intentionally or unintentionally tampered with.
• System availability is measured by how accessible the system is to individuals who are authorized to access information and how free those individuals are to manipulate data.
• Database environment components are people, applications, networks, operating systems, database management systems, data files, and finally data.
• Data is the most valuable asset of the database environment.
• An access point is a gateway that requires measures to limit database security violations.
• A security access point is a point where security measures are needed to prevent unauthorized actions.
• Vulnerability is defined as being susceptible to attack.
• A threat is defined as an indication of impending danger or harm.
• A security risk is a result of a threat, which is a result of a vulnerability.
• Information security architecture is a model for protecting logical and physical assets.
• Information security architecture is the overall design of a company's implementation of the C.I.A. triangle.
• Components of information security architecture include policies and procedures, security personnel and administrators, detection equipment, security programs, monitoring equipment, monitoring applications, and auditing procedures and tools.
• Database management systems empower the database administrator to implement and enforce security at all levels of the database.
• The security access points are people, applications, networks, operating systems, DBMS, data files, and data.

Review Questions
1. Security is best described as being totally free from danger. True or false?
2. Data is processed or transformed to become facts. True or false?
3. Data anomalies exist when there is redundant data caused by unnormalized data design. True or false?
4. Human error vulnerabilities are most often related to carelessness in implementing or following through on procedures. True or false?
5. Malicious code is software code written by hobbyists to test their capabilities. True or false?
6. A power failure is a type of natural disaster threat. True or false?
7. A system can become unavailable because of bad implementation of an authentication process. True or false?
8. Which one of the following is not a component of an information system?
a. programmer
b. report
c. business procedure
d. physical asset
9. Which one of the following is not a functionality of database management systems?
a. allows users to validate data as it is entered
b. allows developers and administrators to organize data
c. enables developers and administrators to enforce data referential integrity and consistency
d. allows administrators to enforce and implement data security
10. Which one of the following administrator functions is enabled by a database management system?
a. Automatically back up data in case of a failure.
b. Back up data in case of theft.
c. Back up data in case of an intrusion.
d. Back up data for auditing purposes.
11. Which one of the following is part of the information security triangle?
a. intrusion
b. integrity
c. integral
d. internal
12. Which one of the following is not part of a typical information security architecture?
a. policies and procedures
b. business rules
c. detection equipment
d. auditing procedures and tools
13. Data risk results in which of the following?
a. data performance
b. data access
c. data privileges
d. data corruption
14. Which of the following is not a logical asset?
a. information system
b. business application
c. in-house programs
d. purchased software
15. Outline the three components of the information security triangle and list one violation example for each.
16. Provide an example of how you can prevent physical access to an application database server.
17. Name three methods to enforce data integrity and provide an example for each method.
18. Provide three examples of people threats.
19. Explain how system vulnerabilities impact business.
20. Name three key measures that your business may adopt to protect data.

Hands-on Projects

Hands-on Project 1-1
Using the Web as a resource, conduct a survey to compile a list of the top ten security vulnerabilities.

Hands-on Project 1-2
Why is the C.I.A. triangle important?

Hands-on Project 1-3
You are a security officer working for a medium-sized research company. You have been assigned to guard a back entrance checkpoint. One day, a well-known manager walks out with a box of papers. A day later you are summoned to the security office by your manager and the security director for questioning about the manager, who had been terminated the day before. The manager had walked out with highly confidential information.
1. Outline briefly what types of security measures were violated and how to avoid those violations.
2. Describe how this incident may result in security violations.

Hands-on Project 1-4
You are an employee of a company responsible for the administration of ten production databases. Lately, you have noticed that your manager is asking you frequent questions about the data used by one of the top researchers of the Engineering department. For two days, while conducting routine database tasks, you notice your manager exporting data from the database the top researchers are using.
1. What type of security threat is the exportation of data? How can you prevent it?
2. To what type of security risk could exporting data lead?
3. Explain briefly how you would react to this incident.

Hands-on Project 1-5
You were just informed by your manager that you are assigned to a new project that deals with financial data. Because you are the system analyst, your manager asked you to conduct a survey of users regarding what they require from the new project. After collecting all necessary data, you determine that this project requires high security measures. Outline the steps you should take to move forward.

Hands-on Project 1-6
For each type of malicious code listed in Table 1-4, provide two examples of real-life code.

Hands-on Project 1-7
Describe a situation that illustrates each type of human threat listed in Table 1-4.

Case Project
You are a database administrator working for a national bank institution. One day, a lead devel-
oper sends you an e-mail requesting that you perform a data change. In the e-mail, he stresses the
urgency and importance of this task. A minute later, you receive another e-mail, but this one is from the
lead developer's manager to confirm the data change. This is the first time you have ever received
this type of request. Usually, all requests go through the change management process.
1. List the security issues involved in this incident.
2. Describe the type of risks involved if you comply with the request and the types of risk
involved if you do not.
3. Explain briefly how you would react to this incident, outlining your reasoning and whether
you would comply or not.
CHAPTER 2
Operating System Security Fundamentals

LEARNING OBJECTIVES:
On completion of this material, you should be able to:

• Explain the functions of an operating system
• Describe the operating system security environment from a database perspective
• List the components of an operating system security environment
• Explain the differences between authentication methods
• Outline useful user administration best practices
• List the criteria of strong password policies
• Describe operating system vulnerabilities
• Describe security risks posed by e-mail services

Introduction

As you already know, the operating system is the essence of a computer system-without
it the computer hardware is not operable. The operating system is a collection of programs
that manage the computer and allow programs and users to use its resources. No applica-
tion, regardless of how simple and small, or complex and large, can be used without the
operating system.
The operating system is one of the main access points to the database management
system. Whether you connect locally or remotely, you are normally authenticated by the
operating system (or by a directory service it trusts) before the DBMS applies its own
checks. Once authenticated, you can operate on or access only the resources for which you
have authorization, based on the set of privileges granted to you. Because the database
resides on a machine controlled by the operating system, the operating system is the first
line of defense against database security violations and infringements.
This chapter presents, from a database perspective, an overview of operating system
security issues that help you gain an understanding of how security violations occur and
where to focus your efforts to protect a database.
This chapter is not intended to provide technical details on configuring or running
the operating system from an operational or security point of view. In addition, the
information presented in the chapter is not tied to any specific operating system. In fact,
the content of the chapter is applicable to any operating system. However, there are some
instances in which technical details are presented. In these cases, UNIX and Windows
2000 or Windows XP are the operating systems referenced.

Operating System Overview


This section presents a quick overview of the operating system and its functions. If you
are familiar with this topic, you can skip this section and move on to the discussion of the
operating system security environment in the next section. Computer hardware consists
of digital resources used to solve various computing problems at very high speed and
with considerable accuracy. To take advantage of this technology, you would have to communicate
with the computer hardware in 0s and 1s, which is almost impossible for you to do.
Several computer companies realized the need for a middleman between the user and the
computer hardware to enable the user to operate the computer hardware. That was the
birth of the operating system. An operating system is a collection of programs that allows
the user to operate the computer hardware. But this is not the only thing that the operating
system does. In fact, the operating system performs many tasks that vary from managing
resources to scheduling jobs.
The following describes the three layers of a computer system, as shown in Figure 2-1:

• The inner layer represents the computer hardware, which is managed and controlled
by the middle layer.
• The middle layer is the operating system.
• The outer layer represents all the different software used by users to solve a problem
or perform a specific task.
Figure 2-1 Three layers of a computer system

An operating system has a number of key functions and capabilities, as outlined in
the following list:

• Performs multitasking, that is, runs multiple jobs (tasks) at the same time
• Performs multisharing, that is, allows multiple users to use the computer hardware at
the same time
• Manages computer resources such as CPU (central processing unit), memory, input
and output devices, and disk storage
• Controls the flow of activities
• Provides a user interface to operate the computer
• Administers user actions and accounts
• Runs software utilities and programs
• Provides functionality to enforce security measures
• Schedules jobs and tasks to be run
• Provides tools to configure the operating system and hardware
There are many different vendors of operating systems, including Windows by
Microsoft; UNIX variants from companies such as Sun Microsystems, HP, and IBM; Linux
distributions from vendors such as Red Hat; and Mac OS from Apple.
This quick tour of operating system basics is designed to prepare you for the next
section, in which you learn about the operating system security environment to gain an
understanding of the security risks posed by operating system security access points.

The Operating System Security Environment


Figure 2-2 illustrates the components of the database environment, as explained in
Chapter 1. If it is exposed, the operating system component of the database environment
can open the door to unlawful individuals who contravene rules imposed to protect the
database and its data. The door of the room that contains the computer that runs the
operating system must be protected as securely as an organization can manage through
padlocks, chain locks, guards, peep holes, security cameras, and other detection and
authentication measures.

Figure 2-2 Database security environment (users, system architect/developer, network, database administrators, and the database management system (DBMS), with threats shown at each access point)

When thinking of how to guard an operating system, it may help you to think of
the physical building of a bank (the operating system), a safe (the database), and
money (the data). To rob the bank, thieves must get inside the bank property and then
break into the safe. Over the years, bank administrators have learned from a history of
robberies how to protect their institutions. An increasing number of security measures
are installed and enforced, including the architectural structure of the building,
mechanical equipment, and electronic and digital devices. All of these measures are
costly, but banks invest the necessary money and resources for two main reasons: to
protect their clients' money and to maintain their clients' confidence. If you are the
system administrator protecting the access door to the database where data resides,
you must work tirelessly to secure that door. In this section you explore the operating
system security environment components that can be exploited and thus lead to data
violations.

The Components of an Operating System Security Environment


The components that make up the operating system security environment are used as access
points to the database. These access points are weak and insecure links to data within the data-
base. The three components (layers) of the operating system are represented in Figure 2-3:
memory, services, and files. As shown in the illustration, the services layer is an entry point
and a gateway to the operating system as well as to the other components-memory and files.
The services component comprises such operating system features and functions as network
services, file management, and Web services.

Figure 2-3 Operating system security environment

The memory component is the hardware memory available on the system, whereas
the files component consists of the files stored on the disk. Why are these
components important? Improper protection of these components can jeopardize the
security of the database system. The following sections explore each component of the
operating system from a database security perspective.

Services
The main component of the operating system security environment is services. The services
component consists of functionality that the operating system offers as part of its core
utilities. Users employ these utilities to gain access to the operating system and to all the
features the users are authorized to use. If not secured and configured properly, each service
becomes a vulnerability and access point and can lead to a security threat. These services
vary a good deal and include the following: fundamental functionality such as authentication
of the identity of users; core features such as remote copy (a program that allows you to
copy a file from or to a remote computer system); and common practices such as user
administration tasks and password policies.

Files
Here is an incident in which data was compromised. A system engineer was hired as a
contractor by a small telecommunication company to upgrade the operating system and
the main application to a higher software version. One of this engineer's tasks was to set
up UNIX scripts to monitor the database. After long hours of implementation and testing,
the system went into production. A few months later while the system administrator was
browsing through the system logs, he noticed some unusual activities that shocked him.
The system had been violated! There had been an intrusion from one specific IP address,
and for the last three months it had been causing a huge amount of traffic every night at
different hours.
The system administrators and other engineers in the company spent hours analyzing
all logs and finally, with the help of the database administrator, they pinpointed what hap-
pened. A hacker broke into the system and somehow got the password to a database
account and transferred customer data from two tables in the database, as determined
through a trace of spool files that were left behind by the hacker. It was not enough for the
operations manager to find out what happened. How did the hacker get the password?
Another audit was performed on the machine looking at every single file, examining file
permission, date and time stamp, contents, and so forth. The audit was in its sixth straight
day when one of the system operators located a file that contained the account name and
password for the database. It was a file that the system engineer had created for monitoring
the scripts that he had installed. The scripts used this file to look up the user name and
password. Not only was the file in plaintext (not encrypted), but also the file permission
was set to -rw-r--r--, which meant that everyone was able to read the file.
File permissions and file sharing are common threats to system security when not handled
properly. Files must be protected from being read by unauthorized individuals and kept
safe from being written or modified. Data resides in files; therefore, improper permissions
on a file can lead to catastrophic loss of data or a breach of privacy. Most operating
systems provide an elaborate mechanism for implementing whatever file permission scheme
is desired. File sharing is a separate concern: individuals install various kinds of
peer-to-peer software, which can pose a high security risk.

File Permissions
Every operating system has a method of implementing file permission to grant read,write,
or execute privileges to different users. In the sections that follow, first you look at the
Windows 2000 implementation of file permission, followed by UNIX implementation.

Windows 2000
In Windows 2000 you change file permissions by right-clicking the file, choosing Properties,
and clicking the Security tab, as shown in Figure 2-4. The Security tab lists the permissions
assigned to each user or group. In this screen you may grant and revoke privileges. Note that
Allow grants a permission and clearing the Allow box revokes it; Deny is an explicit denial
that takes precedence over any Allow the user receives directly or through group membership,
so use it sparingly.
Figure 2-4 File Properties dialog box showing the Security tab

UNIX
In UNIX, file permissions work differently than in Windows. For each file there are three per-
mission settings: one for the owner of the file, one for the group to which the owner belongs,
and finally one for all other users. Each setting consists of rwx as illustrated in Figure 2-5, in
which r stands for read permission, w stands for write permission, and x stands for execute
permission. In Figure 2-5, the initSAM.ora file permissions indicate the following: read
and write permission for the owner of the file (oracle), read permission for the oinstall
group to which the file owner belongs, and finally read permission for all other users.

-rw-r--r-- 1 oracle oinstall 4568 Mar 27 11:20 initSAM.ora
Figure 2-5 UNIX file permissions (owner rwx, group rwx, other rwx)

You can use the chmod command to change file permissions. Each permission has an octal
value (read = 4, write = 2, execute = 1), and the value for a setting is the sum of the
permissions it grants:

• Execute only (1)
• Write only (2)
• Execute and write (3)
• Read only (4)
• Execute and read (5)
• Read and write (6)
• Read, write, and execute (7)

To change the permissions of the file mail_list to -rw-rw-r-- (owner 6, group 6, other 4),
you issue the following command:

$ chmod 664 mail_list

Consult your UNIX operating system documentation for more information on the
chmod command.
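The following is an added example, not code from the book, that automates the check the incident above called for: it flags any file whose mode lets the group or other users read it, and tightens a credential file to owner-only access. The file dbmon.conf and its contents are constructed for the demonstration, and the script assumes a Linux system with GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example: audit credential files for group/other read access and lock
# them down to the owner. Assumes GNU stat (Linux); the file and contents in
# demo() are constructed for the demonstration.

# Return 0 (exposed) if group or other has the read bit, 1 if owner-only.
is_exposed() {
    mode=$(stat -c '%a' "$1") || return 2     # e.g. 644, or 4755 with setuid
    mode=$(printf '%04d' "$mode")             # pad: special, owner, group, other
    grp=$(printf '%s' "$mode" | cut -c3)
    oth=$(printf '%s' "$mode" | cut -c4)
    # the read bit is 4, so any digit of 4..7 means that class can read the file
    [ "$grp" -ge 4 ] || [ "$oth" -ge 4 ]
}

# Remove all group and other access, leaving the owner read/write.
lock_down() {
    chmod 600 "$1"
}

# Report every regular file directly under a directory that others can read;
# the return value is the number of exposed files (0 means nothing to fix).
audit_dir() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_exposed "$f"; then
            echo "EXPOSED $(stat -c '%A %U:%G' "$f") $f"
            n=$((n + 1))
        fi
    done
    return $n
}

# Demonstration: the monitoring script's password file from the incident,
# created world-readable by a permissive umask, then fixed.
demo() {
    tmp=$(mktemp -d)
    printf 'DB_USER=monitor\nDB_PASS=constructed-secret\n' > "$tmp/dbmon.conf"
    chmod 644 "$tmp/dbmon.conf"
    audit_dir "$tmp" || echo "$? file(s) need attention"
    lock_down "$tmp/dbmon.conf"
    audit_dir "$tmp" && echo "after chmod 600: nothing exposed"
    rm -rf "$tmp"
}
demo
```

Run it as-is to see the before/after report; in practice you would point audit_dir at the directory holding monitoring and batch scripts, and follow up any EXPOSED line with lock_down. Note that 640 is still reported, because every member of the group can read the file, not just the script's owner.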

File Transfer
Steve is a production Oracle DBA for a regional chain of retail stores. He is responsible for
administering over 20 database applications. He is part of a team of three database admin-
istrators and a database manager. One of his weekly tasks is to refresh the QA (quality
assurance) database. Because the database is not large, Steve uses the Oracle export and
import utilities. The process goes like this. On Sunday a scheduled job performs a full
export of the database. The generated file from the export utility is transferred to the host
machine where the QA database resides, and then it is imported.
One day Steve was summoned to an urgent meeting held by the chief technology
officer (CTO). To Steve's surprise, the only people attending the meeting were his manager,
the system manager, and the security director. Steve's anxiety and curiosity about the
meeting made him uncomfortable. The CTO opened the meeting by talking about the
refresh process that takes place every week and explained that it was necessary to change
it because a violation was detected and fortunately prevented. One of the developers who
had access to the machine and to the file was able to copy the file and transfer it to his
home computer. The developer's intention was to be able to work from home, not to
compromise the privacy of the company data.
This sort of "innocent" security breach happens all too frequently in organizations of
all sizes and types. Who is responsible for protecting this process? Everyone is responsible.
What could have happened if this violation had not been detected? The confidentiality of
the data could have been compromised, which is a major security violation. How can you
protect this process from being violated again? This section presents best practices that you
can adopt to secure file-transfer tasks.
First, you must know the following facts about FTP (File Transfer Protocol). FTP is
an Internet service that allows transferring files from one machine to another.

• File transfer is a tool to send files from one computer to another.
• FTP clients and servers transmit user names and passwords in plaintext (not
encrypted). Anyone who can sniff the network traffic can obtain the logon
information quite easily.
• Logon information is not the only data transmitted in plaintext. The files themselves
are also transmitted unencrypted.
• Most FTP servers refuse logins from the root account (UNIX ftpd consults a deny list
such as /etc/ftpusers), and root should never be used to transfer files in any case.
• Anonymous FTP is the ability to log on to the FTP server without being authenticated.
This method is usually used to provide access to files in the public domain.

Here are some best practices for transferring files:

• Never use the plain FTP utility. Use SFTP (file transfer over SSH) or FTPS (FTP over TLS),
so that both credentials and file contents are encrypted in transit.
• Make two directories: one for file uploads with write permission only, and
another for file downloads with read permission only.
• Use specific accounts for file transfer that have no access to any files or directories
outside the UPLOAD and DOWNLOAD directories.
• Turn on logging, and scan the transfer logs for unusual activity on a regular basis.
• Allow only authorized operators to have file-transfer privileges.

Sharing Files
No matter what the circumstances, sharing files naturally leads to security risks and
threats. The peer-to-peer technology phenomenon is on the rise. Peer-to-peer programs
allow users to share files with other users over the Internet. These types of programs
introduce a whole new can of worms, in this case literal worms and viruses that can infect
your system. If you were to survey users of peer-to-peer programs, you would most likely
find that the majority of their machines are infected with some sort of virus, spyware,
or worm.
Most companies prohibit the use of such programs, and rightfully so, and they should
discipline users who do not adhere to this policy. The main reasons for blocking these
programs are:

• Malicious code-Peer-to-peer programs are notorious for malicious code, and most
of the files that are being shared are infected with code that could harm your com-
puter. Malicious code is a program, macro, or script that deliberately damages files
or disrupts computer operations. There are several types of malicious code, such as
viruses, worms, Trojan horses, and time bombs.
• Adware and spyware-Similar to malicious code, these types of programs are used to
generate pop-up advertisements as well as capture key strokes, Web sites visited, clicks
on pages, and more. Peer-to-peer programs are sponsored by Web sites and individuals.
• Privacy and confidentiality-If peer-to-peer programs are configured improperly,
users can see and obtain all sorts of private and confidential data residing on the
computer system.
• Pornography-A huge community of individuals uses peer-to-peer programs to
exchange pornographic images or clips that may be offensive or inappropriate to
other users.
• Copyright issues-Peer-to-peer programs make sharing music files, video clips,
software applications, gaming software, or electronic books very easy. This medium
encourages individuals to infringe on other people's intellectual property and promotes
piracy as an acceptable action.

Now that you are aware of the risks of peer-to-peer programs, you should monitor
all network activities to determine who is using this type of program. Employees who are
caught using these programs should be disciplined to educate them about the possible
risks that peer-to-peer programs bring to the company.

Memory
The last component of the operating system to be discussed in this chapter is memory.
You may wonder how memory can be an access point for security violations. Data that is
encrypted or access-controlled on disk (passwords, keys, query results) is held in the clear
in memory while a program works on it, so anything that can read or corrupt another
process's memory can reach that data. There are many badly written programs and utilities
that can corrupt the contents of memory. Although these programs do not perform deliberate
destructive acts, you need to be aware of them. In most cases, when you use a program that
violates the integrity of your data, you have two options: either stop using it or apply a
patch (service pack) to fix it. On the other hand, programs that intentionally damage or scan
data in memory not only can harm data integrity, but may also extract data for illegal use.

Authentication Methods
Authentication is a fundamental service of the operating system. It is a process that verifies
the identity of the user to permit access to the operating system. A weak authentication
method exposes the system to security risks and threats. Most security administrators
implement two types of authentication methods, physical and digital.
The physical authentication method allows physical entrance to the company prop-
erty. Most companies use magnetic cards and card readers to control entry to a building,
office, laboratory, or data center. For mission-critical or sensitive operations, personnel
are physically authenticated using biometric technologies. Examples of these technologies
are retina scans, fingerprint scans, handprint scans, voice recognition, signature
recognition, thermal sensing, and others.
The digital authentication method is the process of verifying the identity of the user by
means of a digital mechanism or software. The following sections list digital authentication
mechanisms used by many operating systems and implemented by many organizations.

Digital Certificate
A digital certificate is a type of authentication that is widely used in e-commerce (conducting
business over the Internet). A digital certificate is a digital passport that identifies
and verifies the holder of the certificate. The holder can be a person, a computer, a Web
site, or a network system. The certificate is an electronic file that binds the holder's
identity to a public key and is signed by a trusted party (known as a certificate authority).
The signature means that any tampering is detectable and that forging a certificate would
require the authority's private key.

Digital Token (Security Token)

A digital token is a small electronic device that users keep with them to be used for
authentication to a computer or network system. Usually, this device displays a number
unique to the token holder, which is combined with the user's PIN (personal identification
number) to form the password. The token generates a new number at fixed intervals (typically
every 30 or 60 seconds), so each time a user is authenticated a different password is used,
making it very hard for hackers to pass authentication. Many companies use this method. One
note worth mentioning: if a user loses the token, it should be reported immediately, and
the user account should be locked until the situation is rectified.

Digital Card
A digital card is also known as a security card or smart card. This card is similar to a
credit card in dimensions, but instead of a magnetic strip it has an embedded chip that
stores user identification information such as a name, ID, a password or cryptographic key,
and other related data. The card is used to authenticate the holder to a computer system by
having a card reader device read the card, usually in combination with a PIN.

Kerberos
Kerberos was developed at the Massachusetts Institute of Technology (MIT) to let two
parties authenticate each other over an open network through a trusted third party, the
Key Distribution Center (KDC). A user proves identity to the KDC once and receives a ticket,
an encrypted credential that is presented to each service; a session key issued along with
the ticket is used to encrypt the messages exchanged with that service.

Lightweight Directory Access Protocol (LDAP)

LDAP, developed at the University of Michigan, is a protocol for accessing a centralized
directory that stores information about people, offices, and machines in a hierarchical
manner. An application authenticates a user by binding to the directory with the user's
distinguished name and password; if the bind succeeds, the user is authenticated. An LDAP
directory can easily be replicated to many network servers. You can use LDAP to store
information about:

• Users (user name and user ID)
• Passwords (stored as hashes)
• Internal telephone directory
• Security keys

LDAP servers are efficient for reading information from the directory but are not suited
for data that changes frequently. Many operating systems and applications use this
method of authentication because it is simple to implement. Use LDAP for these reasons:

• LDAP can be used across all platforms (operating system independent).
• It is easy to maintain.
• It can be employed for multiple purposes.

LDAP architecture is client/server based, in which the client requests information
from the directory and the LDAP server supplies a response. Because a simple bind sends
the password over the wire, the connection should be protected with TLS (LDAPS or StartTLS).
NTLM
NT LAN Manager, developed and used by Microsoft, employs a challenge/response
authentication protocol: the server sends a random challenge and the client returns a
value computed from the challenge and a hash of the user's password, so the password
itself never crosses the network. Kerberos replaced NTLM as the default in Windows 2000
Active Directory domains, but NTLM remains supported for backward compatibility; the older
NTLMv1 and LAN Manager variants are cryptographically weak and should be disabled where
possible.

Public Key Infrastructure (PKI)

PKI is the infrastructure (certificate authorities, certificates, and key-management
practices) that lets public-key cryptography be used for authentication. Each user holds a
private key, and the corresponding public key is published in a certificate issued by a
certificate authority. A user proves identity by signing a challenge with the private key;
anyone holding the certificate can verify the signature with the public key. The private
key is usually stored alongside the certificate on the user's system or on a smart card,
and must never be disclosed.

RADIUS
Remote Authentication Dial-In User Service (RADIUS) is an authentication method
commonly used by network devices to provide a centralized authentication mechanism.
RADIUS is client/server based: a network access server such as a dial-up server, a virtual
private network (VPN) gateway, or a wireless access point acts as the RADIUS client and
forwards the user's credentials to the RADIUS server, which returns an accept or reject
decision.

Secure Sockets Layer

Secure Sockets Layer (SSL), now succeeded by Transport Layer Security (TLS), is a protocol
in which authentication information is transmitted over the network in encrypted form.
This method is commonly used by Web sites to secure client communications. SSL was
developed by Netscape Communications to provide secure communication between client
and server.

Secure Remote Password (SRP)

SRP was developed at Stanford University. It is a password-authenticated key exchange in
which the server stores a salted verifier rather than the password itself, and neither the
password nor any password-equivalent value is sent over the network. An eavesdropper who
captures the exchange learns nothing that allows an offline brute-force or dictionary
attack on the password; online guessing remains possible and must still be rate-limited.
Both client and server must implement the protocol.

Authorization
Authentication is the process of proving that users really are who they claim to be.
Authorization, on the other hand, is a process that decides whether users are permitted to
perform the functions they request. Authorization is not performed until the user is
authenticated. Authorization deals with privileges and rights that have been granted to the
user. For example, suppose you have created a user account to perform file transferring
only. This user is provided with a user name and password to allow the user to be authenti-
cated. You may provide this user read permission on the DOWNLOAD directory and write
permission to the UPLOAD directory. This means that this user is only authorized to read
and write on these two directories and is not permitted to perform other tasks.
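The file-transfer best practices earlier in this chapter and the authorization example just above describe the same setup: a dedicated transfer account confined to a write-only UPLOAD directory and a read-only DOWNLOAD directory. Here is an added example, not code from the book, that builds that layout for OpenSSH's built-in SFTP server: it creates the directory tree, checks that the chroot root is not group- or world-writable (sshd refuses to chroot into a directory that is), and prints the sshd_config fragment that confines the account to SFTP only. The account name xferuser, the group sftponly and the path /srv/sftp are placeholders; the chown steps need root and are only printed.

```shell
#!/bin/sh
# Added example: chrooted SFTP layout with a write-only upload directory and a
# read-only download directory. Assumes OpenSSH sshd with internal-sftp;
# xferuser, sftponly and /srv/sftp are placeholder names.

# Create the directory tree under the chroot root $1. Ownership changes need
# root and are left to the caller (see layout_ownership_hints).
layout() {
    root=$1
    mkdir -p "$root/upload" "$root/download"
    chmod 755 "$root"            # root-owned, writable by nobody else (sshd requirement)
    chmod 300 "$root/upload"     # the transfer account can create files but not list or read them
    chmod 755 "$root/download"   # root places files here; the account can only read
}

# Print the chown commands root must run for the layout to work.
layout_ownership_hints() {
    root=$1; user=$2
    echo "chown root:root $root $root/download"
    echo "chown $user:$user $root/upload"
}

# Return 0 if the chroot root is safe: a directory with no group/other write bit.
chroot_ok() {
    [ -d "$1" ] || return 1
    # find prints the path only when group or other has write permission
    [ -z "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# sshd_config fragment: members of sftponly are locked into their chroot,
# may run only the SFTP subsystem (logged at INFO), and cannot tunnel traffic.
sshd_match_block() {
    cat <<'EOF'
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication no
EOF
}

# Demonstration in a temporary directory (no root required).
demo() {
    tmp=$(mktemp -d)
    layout "$tmp/xferuser"
    chroot_ok "$tmp/xferuser" && echo "chroot root permissions OK"
    layout_ownership_hints "$tmp/xferuser" xferuser
    sshd_match_block
    chmod -R u+rwX "$tmp"        # restore read on upload/ so cleanup can traverse it
    rm -rf "$tmp"
}
demo
```

Two design points: mode 300 on upload gives the owning account write and search but no read, so one operator cannot browse what others have dropped off, and PasswordAuthentication is turned off in the Match block so the transfer account works only with an SSH key, which also removes the plaintext-password problem FTP had.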

User Administration
Authentication and authorization are essential services that every operating system provides
in order to secure access to the computer's logical and physical resources. Another related
service is user administration. Administrators use this functionality to create user accounts,
set password policies, and grant privileges to users. Although hackers do not often attack
user administration directly, improper use of this feature can lead to security risks and
threats. The following is a compilation of best practices for user administration, in no
specific order.

• Use a consistent naming convention, such as a combination of first name and
last name for the user account.
• Always provide a password for an account and force the user to change it at the
first logon.
• Make sure that all passwords are stored only as hashes in a well-protected file that
ordinary users cannot read (for example, /etc/shadow on UNIX).
• Do not use default passwords for any account.
• If a machine is compromised or you suspect it is compromised, change all passwords
for all existing accounts.
• Use different accounts for different applications and users.
• Create a specific file system for users, separate from applications and data.
• Educate users on how to select a password.
• Lock a user account when a user's employment is terminated or ended.
• Lock accounts that have not been used for a specific period of time.
• If possible, grant privileges on a per-host basis.
• Do not grant privileges on all machines; grant them only to those users who
absolutely need them, on the machines where they need them.
• If connected remotely, use Secure Shell (ssh), Secure Copy (scp), and SFTP in place
of telnet, rcp, and FTP, respectively.
• When a computer system is compromised, isolate the system from other systems to
prevent further intrusion.
• When a system is compromised, work with management and the security office to
determine the cause of the infringement.
• Perform random auditing procedures on a regular basis.

Password Policies
A good password policy is the first line of defense against unwanted access to an
operating system. Usually, hackers try to access the system through the front door, using an
account and password. If this method fails, they try other methods. In fact, most hackers
utilize tools that use the dictionary method to crack passwords. These tools try words from
a dictionary and permutations of them to guess the password. As the system administrator,
you should work with the security manager to establish a password policy that makes it
difficult for hackers to enter your system.
There are many different practices and policies that you can adopt for your company.
However, the best password policy is the one that matches your company's mission and is
enforced at all levels of the organization. The following password practices, all or a
combination of them, can be employed to devise a policy plan that suits your company.
• Password aging-Tells the system how many days a password can be in effect before
it must be changed. Most companies practice a three-month policy, but you should
determine the number of days based on your business and security requirements.
46 CHAPTER 2

• Password reuse-This practice can be interpreted and applied in three different ways:
../ • Tells the system how many times you can reuse a password
• Indicates the number of days that must pass before you can reuse a password
• Determines whether the system allows passwords to be reused
• Password history-This practice is related to password reuse, and it tells the system
how many passwords it should maintain for an account. The password history can
be used to determine if a password can be reused or not.
• Password encryption-A method that encrypts (scrambles) the password and stores
-/ it in a,way that it cannot be read directly.
• Password storage-The place where the password is stored and kept hidden from
./ the public.
• Password complexity—This is one of the most important password practices that
should be implemented for any password policy. Complex passwords are those that
are made up of a combination of upper- and lowercase letters, digits, and symbols.
Having a password complexity requirement forces users to choose a password that is
not easily cracked. The following is a list of standards that can be used when creating
complex passwords:
• The password must contain digits, symbols, and alphabetic characters (a-z, A-Z,
0-9, !@#$%^&*()_+{}:"<>?).
• The password must have a minimum length, which is usually six characters, but
eight characters are recommended.
• The alphabetical characters must use mixed letter cases (uppercase and lowercase).
• The password must not contain any part of your account, first name, last name,
birthday, telephone number, license number, registration number, employee num-
ber, spouse's name, child's name, parent's name, sibling's name, city you live in, or
country in which you reside.
• Logon retries-A good practice is to allow a user to unsuccessfully try to log on up to
three times before the account is locked and an administrator is contacted.
• Password protection-Although this practice is very hard to enforce, you, the man-
ager, system administrator, security manager, or human resources manager, must
train your employees and make them aware of the danger of concealing a password
in a place from which it can be retrieved in case it is forgotten. It is bad practice to
record a password on paper even if the paper is stored in a locked place. If you must
record a password, use an encrypted file that can be accessed only by you.
• Single sign-on—Single sign-on allows you to sign on once to a server (host machine)
and then not have to sign on again if you go to another server where you have an
account. Although a single sign-on provides great convenience, it should not be
practiced for mission-critical operations, financial institutions, government agencies,
or other similar organizations.
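The following is an added example, not code from the book, showing how the practices listed above (aging, reuse and history, encrypted storage, complexity, and logon retries) fit together in one small policy enforcer. The policy values (90 days, a history of five, eight characters minimum, three logon retries) and the sample account data are assumptions chosen to match the recommendations in the text; a real system would take them from its configuration. Passwords are never kept in plaintext; only a salted PBKDF2 hash is stored, and reuse is detected by re-hashing the candidate against each stored salt.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Policy parameters: assumed values chosen to match the practices in the text.
MAX_AGE_DAYS = 90        # password aging (roughly a three-month policy)
HISTORY_SIZE = 5         # password history kept per account
MIN_LENGTH = 8           # eight characters are recommended
MAX_LOGON_RETRIES = 3    # lock the account after three failed logons
SYMBOLS = set('!@#$%^&*()_+{}:"<>?')
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    personal_info: List[str]            # names, birthday, city, ... that must not appear
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    password_set_on: Optional[date] = None
    failed_logons: int = 0
    locked: bool = False


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Password encryption/storage practice: keep only a salted, slow hash
    (PBKDF2-HMAC-SHA256), never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, entry: Tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of a candidate against one stored (salt, digest) pair."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def complexity_violations(password: str, account: Account) -> List[str]:
    """Return the names of the complexity rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    # Each personal-information item is checked as given (case-insensitive substring).
    for item in [account.username, *account.personal_info]:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append("contains personal information")
            break
    return problems


def set_password(account: Account, password: str, today: date) -> None:
    """Apply the complexity, history and reuse rules, then store the new salted hash."""
    problems = complexity_violations(password, account)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    if any(matches(password, entry) for entry in account.history):
        raise ValueError("password rejected: reuse of one of the last %d passwords" % HISTORY_SIZE)
    account.history.append(hash_password(password))
    del account.history[:-HISTORY_SIZE]      # keep only the most recent HISTORY_SIZE entries
    account.password_set_on = today
    account.failed_logons = 0
    account.locked = False


def password_expired(account: Account, today: date) -> bool:
    """Password aging: True once the password is older than MAX_AGE_DAYS."""
    if account.password_set_on is None:
        return True
    return (today - account.password_set_on).days > MAX_AGE_DAYS


def logon(account: Account, password: str, today: date) -> str:
    """Logon retries: returns 'ok', 'expired', 'bad password' or 'locked'."""
    if account.locked:
        return "locked"
    if not account.history or not matches(password, account.history[-1]):
        account.failed_logons += 1
        if account.failed_logons >= MAX_LOGON_RETRIES:
            account.locked = True        # an administrator must unlock the account
            return "locked"
        return "bad password"
    account.failed_logons = 0
    return "expired" if password_expired(account, today) else "ok"
```

Only the most recent hash is used to authenticate; the older entries exist solely so that `set_password` can refuse a password the user has recently had, which is the "password history" practice working in support of "password reuse".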

Vulnerabilities of Operating Systems

In this section you are presented with a list of the top ten vulnerabilities of Windows and
UNIX. The list identifies the tools that hackers use as a gateway to break into the system,
and in most cases these intrusions lead to loss of service, loss of data, invasion of privacy,
data corruption, or a combination of all these. This list was released by the U.S. Depart-
ment of Homeland Security, along with its Canadian and British counterparts and the
SANS Institute, on October 28, 2003.¹
The top vulnerabilities to Windows systems are:

• Internet Information Services (IIS)
• Microsoft SQL Server (MSSQL)
• Windows Authentication
• Internet Explorer (IE)
• Windows Remote Access Services
• Microsoft Data Access Components (MDAC)
• Windows Scripting Host (WSH)
• Microsoft Outlook and Outlook Express
• Windows Peer-to-Peer File Sharing (P2P)
• Simple Network Management Protocol (SNMP)
The top vulnerabilities to UNIX systems are:

• BIND Domain Name System
• Remote Procedure Calls (RPC)
• Apache Web Server
• General UNIX authentication accounts with no passwords or weak passwords
• Clear text services
• Sendmail
• Simple Network Management Protocol (SNMP)
• Secure Shell (SSH)
• Misconfiguration of Enterprise Services NIS/NFS
• Open Secure Sockets Layer (SSL)

E-mail Security

E-mail may be the tool most frequently used by hackers to exploit viruses, worms, and
other computer system invaders. This is true no doubt because e-mail is the tool most
widely used by public and private organizations as a means of communication. If you
were to research the number of incidents that have occurred in the last five years, you
would find that e-mail was the medium used in many of the most famous worm and
virus attacks; for example, the Love Bug worm, the ILOVEYOU worm, the Mydoom
worm, and the Melissa virus were all spread through e-mail.
More worrisome and threatening is that e-mail is not only used to send viruses and
worms, but to send spam e-mail, private and confidential data, as well as offensive mes-
sages. Here is another incident that actually occurred.
An Oracle database developer was hired to work on back office modules for a well-
known department store. This developer was responsible for writing PL/SQL code to
implement business rules and other processing logic. Several weeks later, the application
went into production without any issues or hiccups. A few months after that, this devel-
oper was laid off because of the downturn of the economy. Although the developer had
left the scene, his presence would be felt for months to come.
Before long, the department store started to get complaints from customers about
credit card charges that were incurred without their knowledge. The fraud office of the
department store investigated these complaints and soon verified that the customers'
complaints were valid. A memo was issued to all employees in every department to be on
the watch for any suspicious activity. In addition, a special meeting was held by the
information technology group to talk about ways to monitor and audit all database activities.
The meeting resulted in the creation of an internal audit group made up of three data-
base engineers.
After a thorough investigation, the group came across a module within a PL/SQL
package that sent e-mail to an ambiguous address. This module created and sent a report
listing all customer and credit data for 20 customers. Also, the module was scheduled to
run every week via the Oracle job scheduler, DBMS_JOB.
This did happen, and it could happen to other companies that do not follow strin-
gent security procedures to secure data. In the case above, system operations failed to
monitor the activities of the e-mail server where the database resided. In addition, the
database administration team failed to examine the PL/SQL code to get an idea of what
the code was doing. The developer team failed to review the code submitted by the data-
base developer. The whole system development process failed because it did not have
security checks and controls to catch this mishap before it occurred.
E-mail is used by many employees to communicate with clients, colleagues, and
friends, and some of these employees may violate the security policies of the company by
sending confidential data. Many reports and research studies claim that e-mail is being
used more frequently by unhappy and disgruntled employees to expose sensitive and
confidential data inside and outside the company. What does this mean to you? Regard-
less of your position, you should have the integrity to comply with and adhere to the company
policies and respect others' privacy and confidentiality. For those individuals who do not
understand what this means, you need to install auditing and monitoring controls to
detect any suspicious activities and report them immediately to management.
To prevent incidents similar to the scenario just described, do not configure the e-mail
server on a machine in which sensitive data resides, and do not disclose technical details
about the e-mail server without a formal written request from the technology group man-
ager explaining the reasons the e-mail server information is needed.
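The incident above was caught only after a manual hunt through PL/SQL packages. The following added example (not code from the book) shows the kind of auditing control the text calls for: a scan of PL/SQL source for program units that reference Oracle's e-mail packages (UTL_SMTP and UTL_MAIL), correlated with the job queue to find units that are scheduled to run unattended, which is exactly the pattern of the weekly DBMS_JOB report in the story. The package body and the job rows are constructed samples; on a real database a DBA would feed in the TEXT column of DBA_SOURCE and the JOB, WHAT and INTERVAL columns of DBA_JOBS instead.

```python
import re
from typing import Dict, List, Tuple

# Oracle packages that can send e-mail from inside the database.
MAIL_APIS = ("UTL_SMTP", "UTL_MAIL")
MAIL_REF = re.compile("|".join(MAIL_APIS), re.IGNORECASE)
# Start of a program unit: package body, procedure or function header.
UNIT_HEADER = re.compile(r"\b(?:PACKAGE BODY|PROCEDURE|FUNCTION)\s+(\w+)", re.IGNORECASE)

# Constructed PL/SQL package body resembling what the audit group in the text found:
# one harmless unit and one that mails a report out of the database.
SAMPLE_PACKAGE_BODY = """\
CREATE OR REPLACE PACKAGE BODY pkg_orders AS
  PROCEDURE apply_discounts(p_order_id NUMBER) IS
  BEGIN
    UPDATE orders SET total = total * 0.9 WHERE order_id = p_order_id;
  END apply_discounts;
  -- constructed: a report mailed to an outside address, scheduled weekly
  PROCEDURE weekly_report IS
    l_conn UTL_SMTP.connection;
  BEGIN
    l_conn := UTL_SMTP.open_connection('smtp.example.invalid', 25);
    UTL_SMTP.data(l_conn, 'constructed placeholder for the report body');
    UTL_SMTP.quit(l_conn);
  END weekly_report;
END pkg_orders;
"""

# Constructed rows in the shape of DBA_JOBS (JOB, WHAT, INTERVAL).
SAMPLE_JOBS = [
    {"JOB": 41, "WHAT": "pkg_orders.apply_discounts(NULL);", "INTERVAL": "SYSDATE + 1"},
    {"JOB": 42, "WHAT": "pkg_orders.weekly_report;", "INTERVAL": "SYSDATE + 7"},
    {"JOB": 43, "WHAT": "BEGIN UTL_MAIL.send(sender => 'a', recipients => 'b', message => 'x'); END;",
     "INTERVAL": "SYSDATE + 1/24"},
]


def find_mail_senders(source: str) -> Dict[str, List[int]]:
    """Map each program unit to the source lines on which it references an e-mail API.
    Text after '--' is ignored so commented-out code does not raise an alert
    (a heuristic: '--' inside a string literal would also be cut)."""
    senders: Dict[str, List[int]] = {}
    unit = "<unknown>"
    for lineno, line in enumerate(source.splitlines(), start=1):
        header = UNIT_HEADER.search(line)
        if header:
            unit = header.group(1).upper()
            continue
        code = line.split("--", 1)[0]
        if MAIL_REF.search(code):
            senders.setdefault(unit, []).append(lineno)
    return senders


def correlate_jobs(jobs: List[dict], senders: Dict[str, List[int]]) -> List[str]:
    """Flag scheduled jobs whose WHAT text runs an e-mail-sending unit, or calls a
    mail API directly: code that will send data out repeatedly with nobody watching."""
    alerts = []
    for job in jobs:
        what = job["WHAT"].upper()
        for unit, lines in senders.items():
            if re.search(r"\b%s\b" % re.escape(unit), what):
                alerts.append("job %s (%s) runs %s, which references an e-mail API on lines %s"
                              % (job["JOB"], job["INTERVAL"], unit, lines))
        if MAIL_REF.search(what):
            alerts.append("job %s calls an e-mail API directly: %s" % (job["JOB"], job["WHAT"]))
    return alerts


def audit(source: str, jobs: List[dict]) -> Tuple[Dict[str, List[int]], List[str]]:
    """Run both checks and return (mail-sending units, scheduled-job alerts)."""
    senders = find_mail_senders(source)
    return senders, correlate_jobs(jobs, senders)


if __name__ == "__main__":
    units, findings = audit(SAMPLE_PACKAGE_BODY, SAMPLE_JOBS)
    for name, lines in units.items():
        print("unit %s references an e-mail API on lines %s" % (name, lines))
    for finding in findings:
        print("ALERT:", finding)
```

A hit from this scan is not proof of wrongdoing; some applications legitimately mail reports. It is the prompt for the code review and the sign-off the text says were missing, and running it on a schedule of its own turns that review into a standing control.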

Chapter Summary
• An operating system is a collection of programs that allows the user to interact with the computer
hardware.
• An operating system is one of the main access points to the database management system.
• If the operating system component of the database security environment is exposed, it can open
the door for unlawful individuals to contravene all rules imposed to protect the database.
• Authentication is a process that validates the identity of the user in order to permit access to the
operating system.
• Physical authentication methods allow physical entrance to the company property.
• Digital authentication methods are the processes of verifying the identity of the user by means of a
digital mechanism or software.
• A digital certificate is a digital passport that identifies and verifies the holder of the certificate.
• A digital token is a small electronic device that users keep with them to be used for authentication
to a computer or network system.
• A digital card is similar to a credit card; it holds user identification information such as name, ID,
and password.
• Kerberos enables two parties to exchange information over an open network by assigning a unique
key to each user.
• LDAP is an authentication method that uses a centralized directory database to store information
about people, offices, and machines in a hierarchical manner.
• PKI is an authentication method whereby a user keeps a private key and the authentication firm
holds a public key.
• Remote Authentication Dial-In User Services (RADIUS) is an authentication method commonly used
by network devices to provide a centralized authentication mechanism.
• Secure Sockets Layer is a method whereby authentication information is transmitted over the net-
work in an encrypted form.
• SRP is a protocol in which the password is not stored locally in either encrypted or plaintext form.
• Authorization is a process that determines whether the user is permitted to perform the function
he or she requests.
• Authorization is not performed until the user is authenticated.
• Authorization deals with privileges and rights that have been granted to the user.
• A good password policy is the first line of defense for protecting access to an operating system.
• The best password policy is the one that matches your company's mission and is enforced at all
levels of the organization.
• When set improperly, file permission and file sharing are common threats to system security.
• Sharing files naturally leads to security risks and threats.
• E-mail may be the tool most frequently used by hackers to exploit viruses, worms, and other com-
puter system invaders.

Review Questions
1. The graphical user interface program found on the desktop of most machines is called an operating
system. True or false?
2. Authorization is a process that validates the identity of the user in order to permit access to the
operating system. True or false?
3. Digital authentication is a digital passport that identifies and verifies the holder of the certificate.
True or false?
4. FTP clients and servers encrypt all transmitted data. True or false?
5. It is acceptable to use peer-to-peer programs to download files as long as these files are public
domain and your system is protected by an antivirus program. True or false?
6. LDAP can be used to store information not related to authentication. True or false?
7. Which of the following is not a valid authentication method?
a. Lightweight Directory Access Protocol
b. NLM
c. Kerberos
d. RADIUS
8. Which of the following is a malicious code?
a. bug
b. patch
c. service pack
d. time bomb
9. Which of the following is not true about operating system security environment?
a. An operating system is a collection of programs that allows the user to operate the computer
hardware.
b. The operating system component of the database environment can be used as a gateway to
violate database integrity.
c. The components that make up the operating system security environment are used as access
points to the database and can be weak or insecure links to connect to data within the database.
d. Files, services, and memory are the three components of the operating system security
environment.
10. Why is it important to protect the operating system?
11. Name three methods of protecting your operating system.
12. What is the difference between authentication and authorization? Provide an example.
13. Name two best practices for user administration, and provide an example of how each practice
enhances operating system security.
14. Name three sources of detailed information about viruses.
15. What should you do if a developer needs one of the files that you own?

Hands-on Projects

Hands-on Project 2-1
Find owner, group, and others file permissions for the Oracle file called orapwSID_NAME found in:
• ORACLE_HOME/dbs (UNIX)
• ORACLE_HOME/database (WINDOWS)
If the permissions for this file were accessible to all, explain what the implications would be.
Hands-on Project 2-2
Suppose your system were attacked by a worm. Use information found on the Web to outline steps
to rid your system of the worm.

Hands-on Project 2-3
Compile a list of five system administration best practices for any two operating systems.

Hands-on Project 2-4
Using the Internet as a source, compile a list of three known vulnerabilities for Windows 2000. What
would you do to protect your system if your operating system were Windows 2000?

Hands-on Project 2-5
Suppose you were hired as a system administrator for a small company. On your first day of work, you
were asked by a developer to configure an e-mail server on one of the systems because the e-mail
server was needed as part of the new system being developed. Outline the steps that you would take
in response to this request.

Case Project
Suppose you are the security manager for a small high-tech company. Outline security measures
that you would implement to protect the operating system containing code for a new product
innovation.

Endnotes
¹ This list is adapted from www.sans.org/top20.
² For a full list and details of viruses and worms, visit http://securityresponse.symantec.com/avcenter/vinfodb.html.
