EASTERN PROVINCE
RWAMAGANA DISTRICT
TVET SECOND TERM DISTRICT COMPREHENSIVE ASSESSMENT 2023-2024.
SECTOR: ICT and Multimedia
TRADE: Software Development
RQF LEVEL: V
MODULE CODE & TITLE: SFDDS501_DATABASE SECURITY
MARKS: /100
DURATION: 3 HOURS
INSTRUCTIONS TO CANDIDATES:
This Exam paper is composed of Three Sections (A, B, C). Follow the
instructions given below, and answer the indicated questions for a total of
100 marks
Section A: Seventeen (17) questions, all Compulsory 55 marks
Section B: Among the five (5) questions, attempt any three (3) 30 marks
Section C: Among the two (2) questions, attempt any one (1) 15 marks
Section A: Attempt all Questions (55 marks)
Qn1. Define the following in the context of database security. (3 marks)
A. Threat
Answer: A threat is any situation or event, whether incidental or otherwise,
that can cause damage and have an adverse effect on the database structure and,
consequently, the organization.
B. Cryptography
Answer: The science of encrypting and decrypting information is called
cryptography.
C. Data dictionary
Answer: This is a set of internal tables and views that help administer
Oracle Database more effectively.
Qn2. Outline at least 4 components covered under database security. (2 marks)
Answer:
Database security covers and enforces security on all aspects and components
of databases. This includes:
Data stored in database
Database server
Database management system (DBMS)
Other database workflow applications
Qn3. Discuss the differences and similarities between security policies and
security models. (3 marks)
Answer:
Security models are the formal description of security policies. Security
models are useful tools for evaluating and comparing security policies.
Security models allow us to test security policies for completeness and
consistency. They describe what mechanisms are necessary to implement a
security policy.
Qn4. Using technical terms, differentiate between encryption and
decryption. (2 marks)
Answer:
Encryption is the method by which information is converted into secret code
that hides the information's true meaning.
Decryption is the process by which, when the intended recipient accesses the
message, the information is translated back to its original form.
Qn5. Explain why confidentiality is essential in database security.
(2 marks)
Answer:
Confidentiality/secrecy: information is only disclosed to authorized users.
It is the protection of data from unauthorized disclosure. Confidentiality can
be defined as permitting approved users to access all sensitive as well as
protected information. Confidentiality can be made certain by the use of
role-based security techniques for ensuring a user's or viewer's authorization
as well as access controls on any particular data.
Qn6. Differentiate between the security terms identification, authentication
and authorization. (3 marks)
Answer:
Identification: For access control to be effective, it must provide some way
to identify an individual. The weakest identification capabilities will simply
identify someone as part of a vague, poorly defined group of users who
should have access to the system.
Authentication: This is the process of ensuring that the identity in use is
authentic -- that it's being used by the right person. It is the process of
verifying and validating the user's credentials to confirm who you are to the
system. Authentication involves validating a password linked to a username.
Other forms of authentication also exist, such as fingerprints.
Authorization: The set of actions allowed to a particular identity makes up
the meat of authorization. It describes what you are allowed to access.
Qn7. When implementing access control, explain how it can contribute to
database control methods. Give at least 4 points. (4 marks)
Answer:
Access control: The purpose of access control is to limit the actions or
operations that a legitimate user of a computer system can perform.
Access control is responsible for enforcing the rules determined by security
policies for all direct accesses to the system.
An access control system defines permissions for who can access
which data.
Access control constrains what a user can do directly, as well as what
programs executing on behalf of the users are allowed to do. In this way
access control seeks to prevent activity that could lead to a breach of
security.
Qn8. What is privilege abuse in the context of database security, and why is
it important to grant users only the necessary privileges?
(4 marks)
Answer:
Users may abuse legitimate data access privileges for unauthorized purposes.
Privilege abuse in database security refers to the misuse of elevated access
rights to perform unauthorized or damaging actions on a database.
Why it is important to grant users only the necessary privileges:
Security: Granting excessive privileges can pose significant security
risks. If a user with unnecessary privileges inadvertently or intentionally
accesses sensitive data or performs malicious actions, it can lead to data
breaches, data loss, or corruption.
Reduces attack surface: Less access for individuals minimizes the
potential points of entry for malicious actors, both internal and external.
Improves accountability: Clearer delineation of privileges makes it
easier to track user activity and identify suspicious behavior.
Limits damage: Even if a user's account gets compromised, the damage
they can inflict is minimized by restricting their access to specific tasks
and data.
Qn9. While describing database vulnerabilities, how can weak authentication
practices lead to it? (3 marks)
Answer:
Weak authentication schemes allow attackers to assume the identity of
legitimate database users by stealing or otherwise obtaining login credentials.
The weakest identification capabilities will simply identify someone as part of a
vague, poorly defined group of users who should have access to the system.
Qn10. With explanation, differentiate the three core elements of access
control. (3 marks)
Answer:
There are three core elements to access control.
1. Identification: For access control to be effective, it must provide some way
to identify an individual. The weakest identification capabilities will simply
identify someone as part of a vague, poorly defined group of users who
should have access to the system. Your TechRepublic username, or even
the key to the server closet provides some form of identification.
This establishes who is trying to access a system or resource. While broad
groups can be used, the more specific the identification, the better.
2. Authentication: This is the process of ensuring that the identity in use is
authentic -- that it's being used by the right person. In its most common form
in IT security, authentication involves validating a password linked to a
username. This verifies whether the identified individual is actually who they
claim to be. Passwords are common, but other methods like biometrics are
becoming increasingly popular. Other forms of authentication also exist, such
as fingerprints, smartcards, and encryption keys.
3. Authorization: The set of actions allowed to a particular identity makes up
the meat of authorization. This defines what the identified and authenticated
individual is allowed to do. Permissions like read, write, and execute control
their access level. On a computer, authorization typically takes the form of
read, write, and execution permissions tied to a username.
Qn11. Explain the concept of availability in the context of database security.
(3 marks)
Answer:
Availability ensures that data is both available and accessible to satisfy
business needs. Availability refers to the need for databases to be up and
available for use. Databases need to be dependable in order to be functional,
which requires that they be up and running whenever the organization is. This
means downtimes should be planned on weekends and servers kept up to date.
Qn12. Elaborate on the structural features that make Oracle
Database very popular. (4 marks)
Answer:
Qn13. Differentiate the terms plain text and cipher text as used in the
techniques for securing information transferred into the system.
(3 marks)
Answer:
Plain Text:
This is the original, unencrypted, and human-readable information
before any security measures are applied. It can be anything from text
messages and emails to documents and files. Anyone with access to the plain
text can easily understand its content and meaning. It is vulnerable to
interception and unauthorized access, making it unsuitable for transmitting
sensitive data.
Cipher Text:
This is the transformed, encrypted, and unreadable form of the plain
text. It is generated by applying a specific encryption algorithm and a key to the
original data. Only someone with the correct decryption key can decipher the
cipher text and access the original information. It is securely transmitted and
stored, making it resistant to unauthorized access even if intercepted.
Qn14. Describe the process of backup and recovery. Why is it needed in
database security? (4 marks)
Answer:
A backup is a copy of the information in a database, held in some physically
separate location from your database. If the database becomes unavailable,
perhaps because of damage to a disk drive, you can restore it from the backup.
Depending on the nature of the damage, it is often possible to restore from
backups all committed changes to the database up to the time it became
unavailable.
Recovery happens when the operating system or database server crashes, or the
database server does not shut down properly. The database server checks on
database startup whether the database was shut down cleanly at the end of the
previous session. If it was not, the server executes an automatic recovery process
to restore information. This mechanism recovers all changes up to the most
recently committed transaction.
In general, the purpose of a backup and recovery strategy is to protect the
database against data loss and reconstruct the database after data loss.
Qn15. It is essential to set up a strong password to improve the security
standard of the system. What are five (5) characteristics and tips for a strong
password as used on the system? (4 marks)
Answer:
A strong password is one that is more secure by virtue of being difficult for a
machine or a human to guess. Password strength can be achieved by
incorporating the following characteristics; the more characteristics you
incorporate into your password, the stronger it will be.
Characteristics of strong passwords
At least 8 characters—the more characters, the better
A mixture of both uppercase and lowercase letters
A mixture of letters and numbers
Inclusion of at least one special character, e.g., ! @ # ?
Note: do not use < or > in your password, as both can cause problems in Web
browsers
Tips for keeping your password secure
Change it regularly—once every three to six months.
Change it if you have the slightest suspicion that the password has become
known by a human or a machine.
Never use it for other websites.
Avoid typing it on computers that you do not trust; for example, in an
Internet café.
Never save it for a web form on a computer that you do not control or that is
used by more than one person.
Never tell it to anyone.
Never write it down.
Qn16. What is a profile and what is its purpose in database management? (4 marks)
Answer:
A profile is a set of resource limitations that can be assigned to a database user.
Each Oracle database allows definition of a limitless number of profiles. They
must be created and administered only if security policy requires that the use of
database resources is limited. To use profiles, first we have to create types of
similar user groups.
A user profile sets limits on database resources and passwords that the user
cannot exceed.
exceed. You can assign a profile to a newly created user. If you skip this clause,
Oracle will assign the DEFAULT profile to the user.
Qn17. What is a firewall? Explain the significance of using one for database
servers. (4 marks)
Answer:
A firewall is a security system that monitors and controls incoming and outgoing
network traffic based on a set of pre-defined rules. In the context of database
servers, it acts as a vital first line of defense against unauthorized access and
malicious activity.
Significance of Firewalls for Database Servers:
Reduced attack surface: By limiting inbound and outbound
traffic, firewalls significantly reduce the potential attack surface for hackers.
Protection against common threats: Firewalls effectively block
common attacks like SQL injection, denial-of-service (DoS), and unauthorized
access attempts.
Compliance with regulations: Many data privacy regulations require
implementing firewalls to protect sensitive data.
Enhanced security posture: Firewalls form an essential layer of defense
in a layered security approach, complementing other security measures like
access control and encryption.
Firewalls sit between your database server and the external
network, acting as a filter.
They analyze each incoming and outgoing data packet based on rules
and policies configured by the administrator.
SECTION B (attempt only three questions /30 marks)
Qn18. In the context of access control, answer the questions below.
A. Define the term access control. (2 marks)
B. Briefly explain and describe the elements and types
of access control. (8 marks)
Answer:
Access control is a set of policies and mechanisms that regulate who can
access specific resources and what actions they can perform within those
resources. It acts as a security barrier, ensuring only authorized individuals or
entities have access based on predefined permissions.
Essentially, it's the "who, what, where, when, and how" of accessing resources
like systems, networks, applications, and data.
Elements of access controls
The key to understanding access control security is to break it down. There are
three core elements to access control.
1. Identification: For access control to be effective, it must provide some way
to identify an individual. The weakest identification capabilities will simply
identify someone as part of a vague, poorly defined group of users who should
have access to the system. Your TechRepublic username, a PGP e-mail
signature, or even the key to the server closet provides some form of
identification.
2. Authentication: Identification requires authentication. This is the process
of ensuring that the identity in use is authentic -- that it's being used by the
right person. In its most common form in IT security, authentication involves
validating a password linked to a username. Other forms of authentication also
exist, such as fingerprints, smartcards, and encryption keys.
3. Authorization: The set of actions allowed to a particular identity makes up
the meat of authorization. On a computer, authorization typically takes the
form of read, write, and execution permissions tied to a username.
Types of Access Control
Administrative Access Control
Administrative access control sets the access control policies and procedures
for the whole organization, defines the implementation requirements of both
physical and technical access control, and what the consequences of
noncompliance will be. Some examples are: supervisory structure, staff and
contractor controls, information classification, training, auditing, and testing.
Physical Access Control
Physical access control is critical to an organization's security and applies to
the access or restriction of access to a place such as property, building or
room. Some examples are: fences, gates, doors, turnstiles, etc. using locks,
badges, biometrics (facial recognition, fingerprints), video surveillance cameras,
security guards, motion detectors, mantrap doors, etc. to allow access to
certain areas.
Technical or Logical Access Control
Technical or logical access control limits connections to computer networks,
system files, and data. It enforces restrictions on applications, protocols,
operating systems, encryption mechanisms, etc.
Qn19. A. What do you understand by the term system security?
B. With explanation, write a short note on the elements of
system security.
Answer:
System security is the protection of information and property from theft,
corruption and other types of damage, while allowing the information and
property to remain accessible and productive. System security includes the
development and implementation of security countermeasures.
System security encompasses a wide range of practices and technologies
designed to protect computer systems, networks, and data from unauthorized
access, use, disclosure, disruption, modification, or destruction.
Elements of system security
1. Availability: As the name suggests, availability specifies whether the data or
resource is available when it is required or requested by the client. The
information that has been requested will possess the actual value only when
legitimate users can take access to those resources at the right time. But
cybercriminals seize those data so that the request to access those resources
gets denied (leads to downtime of a working server), which is a conventional
attack.
2. Integrity: This refers to the techniques to ensure that all the data or
resources that can be accessed in real-time are legitimate, correct, and
protected from unlawful user (hackers) modification. Data integrity has become
a primary and essential component or element of information security because
users have to trust online information to use them. Non-trusted data
compromises the integrity and hence will violate one of the six elements. Data
integrity is verified through techniques like checksums, change in hash values,
and data comparison.
3. Confidentiality: can be defined as permitting approved users to access
all sensitive as well as protected information. Confidentiality takes care of
the fact that confidential information and other resources have to
be revealed to legitimate and authorized users only. Confidentiality can be made
certain by the use of role-based security techniques for ensuring a user's or
viewer's authorization as well as access controls on any particular data.
4. Authenticity: Authenticity is another essential element, and authentication
can be defined as the process of ensuring and confirming that the identity of
the user is genuine and legitimate. This process of authentication takes place
when the user tries to gain access to any data or information (commonly done
by login or biometric access). However, cybercriminals use more sophisticated
tools and techniques to gain such access with the use of social engineering,
password guessing, brute force techniques, or cracking ciphers.
5. Non-repudiation: can be defined as a way of assuring that a message
transmitted between two or more users via digital signature or through the use
of encryption is accurate, and that no one can deny the authenticity of the
digital signature on any document. Authentic data, as well as its origination,
can be acquired with the help of a data hash.
6. Utility: as the name suggests is used for any purpose or reason and is
accessed and then used by users. It is not entirely the type of element for
security, but if the utility of any resource becomes vague or useless, then it is
of no use. Cryptography is used to preserve the efficiency of any resource sent
over the internet. Various encryption mechanisms are used for securing the
message or data sent over the internet so that it is not altered during the
transmission; otherwise, the utility of that resource will not prevail.
Qn20. Explain the common Authentication types of database users used in
authentication method (10 marks)
Answer:
Authentication is the process of identifying users that request access to a
system, network, or device. Access control often determines user identity
according to credentials like username and password. Other authentication
technologies like biometrics and authentication apps are also used to
authenticate user identity.
5 Common Authentication Types
1. Password-based authentication
Passwords are the most common methods of authentication. Passwords can be
in the form of a string of letters, numbers, or special characters. To protect
yourself you need to create strong passwords that include a combination of all
possible options.
2. Multi-factor authentication
Multi-Factor Authentication (MFA) is an authentication method that requires two
or more independent ways to identify a user. Examples include codes generated
from the user’s smartphone, Captcha tests, fingerprints, or facial recognition.
3. Certificate-based authentication
Certificate-based authentication technologies identify users, machines or devices
by using digital certificates. A digital certificate is an electronic document based
on the idea of a driver’s license or a passport.
4. Biometric authentication
Biometric authentication is a security process that relies on the unique
biological characteristics of an individual. Here are key advantages of using
biometric authentication technologies:
Biological characteristics can be easily compared to authorized features saved
in a database.
Biometric authentication can control physical access when installed on gates
and doors.
You can add biometrics into your multi-factor authentication process.
5. Token-based authentication
Token-based authentication technologies enable users to enter their credentials
once and receive a unique encrypted string of random characters in exchange.
You can then use the token to access protected systems instead of entering your
credentials all over again. The digital token proves that you already have access
permission. Use cases of token-based authentication include RESTful APIs that
are used by multiple frameworks and clients.
Qn21. Elaborate on at least five database attacks in database security
principles. (10 marks)
Answer:
1. Cloud database configuration errors
Barely a week goes by without a new data breach caused by insecurely
configured cloud databases or storage services. Public Cloud service IP
addresses are not secret and are continually scanned for vulnerabilities by
malicious persons and security researchers.
2. SQL injection
SQL injection vulnerabilities occur when application code contains dynamic
database queries which directly include user supplied input.
3. Weak Authentication
Weak authentication schemes allow attackers to assume the identity of
legitimate database users by stealing or otherwise obtaining login credentials.
4. Privilege abuse
Users may abuse legitimate data access privileges for unauthorised purposes.
For example, a user in sales with privileges to view individual customer records
may abuse that privilege to retrieve all customer records to pass to a
competitor.
5. Excessive privileges
If users hold privileges that exceed the requirements of their job function, these
privileges may be abused by the individual, or an attacker who compromises
their account. When people move roles, they may be given the new privileges
they need without those they no longer require being removed.
6. Inadequate logging and weak auditing
Logging and auditing are key to deterring and detecting misuse and enabling
adequate investigation of suspected data compromise. In this context, logging
is the collection of data - and auditing is someone actually looking at it.
7. Denial of service
Network-level Denial of Service (DoS) attacks from the internet can overwhelm
your system regardless of the capacity of its internet connection. Cloud-based
DoS protection services are the usual defence against this and many offer a
free protection tier.
8. Exploiting unpatched services
While up-to-date patching won’t make you secure, operating vulnerable
unpatched services will significantly increase the likelihood of being
compromised.
9. Insecure system architecture
While controls against specific database threats are important, they must form
part of a design which is secure overall.
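The pattern described under item 2 (SQL injection), shown as an added Oracle PL/SQL example that is not part of the exam paper: the same lookup written with concatenated input and then with a bind variable. It goes slightly beyond the answer by also covering a dynamic table name and a review query; the customers table and all three function names are constructed for illustration.

```sql
-- Constructed table for the example.
CREATE TABLE customers (
  customer_id NUMBER PRIMARY KEY,
  name        VARCHAR2(100),
  region      VARCHAR2(30)
);

-- Vulnerable form: the caller's text is concatenated into the statement,
-- so the database parses user input as part of the SQL itself.
CREATE OR REPLACE FUNCTION count_by_region_unsafe(p_region IN VARCHAR2)
  RETURN NUMBER
IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM customers WHERE region = ''' || p_region || ''''
    INTO v_count;
  RETURN v_count;
END;
/

-- Hardened form: the statement text is fixed and the input is passed as a
-- bind variable, so it is only ever compared as a value.
CREATE OR REPLACE FUNCTION count_by_region_safe(p_region IN VARCHAR2)
  RETURN NUMBER
IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM customers WHERE region = :r'
    INTO v_count
    USING p_region;
  RETURN v_count;
END;
/

-- Identifiers (table or column names) cannot be bound. When one must come
-- from input, validate it first; DBMS_ASSERT.SIMPLE_SQL_NAME raises an error
-- unless the text is a plain SQL identifier.
CREATE OR REPLACE FUNCTION count_rows_checked(p_table IN VARCHAR2)
  RETURN NUMBER
IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO v_count;
  RETURN v_count;
END;
/

-- Review aid: list stored code that builds dynamic SQL, so each site can be
-- checked for concatenated input.
SELECT owner, name, type, line, text
FROM   dba_source
WHERE  UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
ORDER  BY owner, name, line;
```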
Qn22. With detailed explanation, elaborate on the types of
database security. (10 marks)
Answer:
Types of database security encompass various measures and techniques
implemented to protect data stored within a database from unauthorized
access, misuse, loss, or corruption.
1. Access Authorization:
Access authorization involves granting or denying users or entities permission
to access specific data or perform certain operations within the database. This
process typically involves authentication of users followed by authorization
based on their roles, privileges, or access rights.
2. Access Controls:
Access controls include mechanisms for enforcing access authorization
policies. This may involve implementing role-based access control (RBAC),
mandatory access control (MAC), discretionary access control (DAC), or
attribute-based access control (ABAC) to regulate who can access what data
and under what conditions.
3. Views: Secret Passages and Restricted Areas
Think of views as hidden passages within the castle, granting access to specific
information. These virtual tables provide users with only the data they need,
like a specific courtyard or library section, limiting their exposure to sensitive
information and reducing potential vulnerabilities.
4. RAID Technology
RAID technology, or Redundant Array of Independent Disks, functions like
multiple fortified walls and guard towers surrounding your castle. It replicates
data across multiple disks, ensuring that even if one disk fails, your data
remains safe and accessible, minimizing downtime and data loss. Different
RAID levels offer varying levels of performance and redundancy, allowing you to
choose the best fit for your needs.
5. Data Integrity
Imagine ensuring the accuracy and consistency of castle records like maps and
inventories. Data integrity ensures the same for your database. Checksums,
validation rules, and data audits act as diligent scribes, verifying the accuracy
and preventing unauthorized modifications, safeguarding the reliability of your
information.
6. Encryption of Data
Just as precious jewels were hidden in secret chests, encryption scrambles
your data into an unreadable code, like an unbreakable lock. This protects
data confidentiality even if intercepted, ensuring its secrecy even if stolen by
malicious actors. Both data at rest (stored) and in transit can be encrypted for
maximum protection.
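Items 1 to 3 above (access authorization, access controls, views), combined with the sales example from Qn21, as an added Oracle SQL example that is not part of the exam paper. The SALES_APP schema, the customers table, the view and the SALES_READ role are hypothetical names; johndoe is the account name the paper uses in Qn24, and the statements assume a DBA session.

```sql
-- Constructed table owned by the hypothetical application schema SALES_APP.
CREATE TABLE sales_app.customers (
  customer_id  NUMBER PRIMARY KEY,
  name         VARCHAR2(100),
  region       VARCHAR2(30),
  email        VARCHAR2(200),
  credit_limit NUMBER(12,2)
);

-- View: expose only the columns and rows this group of sales staff needs.
-- 'EAST' is a constructed sample value.
CREATE VIEW sales_app.customer_contacts AS
  SELECT customer_id, name, region
  FROM   sales_app.customers
  WHERE  region = 'EAST';

-- Role-based access control: the privilege is attached to the job function.
CREATE ROLE sales_read;
GRANT SELECT ON sales_app.customer_contacts TO sales_read;

-- Authorization for one user: permission to log in plus the role.
-- No privilege on the base table is granted.
GRANT CREATE SESSION TO johndoe;
GRANT sales_read TO johndoe;

-- Periodic review for excessive privileges: what the user and role hold.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee IN ('JOHNDOE', 'SALES_READ');

SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  grantee = 'JOHNDOE';

SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee IN ('JOHNDOE', 'SALES_READ');

-- When the user moves to another job function, remove what is no longer needed.
REVOKE sales_read FROM johndoe;
```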
SECTION C (attempt only ONE question /15 marks)
Qn23. Design the security triad of goals for implementing security practices for
information and the system overall.
Answer:
The security framework was designed based on the core facets of database
security mechanisms (CIA) to help address the issues of confidentiality,
integrity and authenticity as well as availability of data. ... While on the other
hand, the system rejects and denies unauthorized users access to the system
and data.
The security triad, often referred to as the CIA triad, represents the three
fundamental goals of information security: Confidentiality, Integrity, and
Availability. These goals act as guiding principles for implementing security
practices across all systems and information within your organization.
1. Confidentiality:
Goal: Ensure only authorized individuals can access and view sensitive
information.
Implementation:
Access controls like user authentication, role-based access control, and data
encryption. Secure communication protocols and data encryption in transit
and at rest. Limiting data sharing and restricting access to sensitive areas.
Benefits: Protects sensitive data from unauthorized
disclosure, leaks, and breaches, safeguarding privacy and preventing
competitive disadvantage.
2. Integrity:
Goal: Ensure information remains accurate, complete, and unaltered by
unauthorized individuals.
Implementation:
Data validation and verification procedures. Logging and auditing of data
access and changes. Data backups and recovery mechanisms to restore
corrupted or lost data. Security measures to prevent unauthorized
modifications and data tampering.
Benefits: Maintains the accuracy and reliability of information, crucial
for decision-making, financial transactions, and regulatory compliance.
3. Availability:
Goal: Ensure authorized users have timely and reliable access to
information and systems when needed.
Implementation:
System redundancy and disaster recovery plans to minimize downtime in case
of failures. Performance optimization and capacity planning to ensure smooth
operation under normal load. Security measures that balance protection with
user access needs.
Benefits: Minimizes business disruptions, ensures productivity, and
allows users to perform their tasks efficiently.
Importance of the CIA triad:
Provides a comprehensive framework for assessing and addressing
security risks across all aspects of your systems and information.
Helps prioritize security investments and allocate resources effectively.
Demonstrates commitment to information security and compliance with
regulations.
Qn24. Using the syntax for creating a user, create a user and assign a default
tablespace with its quota, a profile, password expiry and account status.
Answer:
The basic syntax of the CREATE USER statement is as follows:
CREATE USER username IDENTIFIED BY password
  [DEFAULT TABLESPACE tablespace]
  [QUOTA {size | UNLIMITED} ON tablespace]
  [PROFILE profile]
  [PASSWORD EXPIRE]
  [ACCOUNT {LOCK | UNLOCK}];

-- The password is written unquoted (or in double quotes), not as a
-- single-quoted string literal.
CREATE USER johndoe IDENTIFIED BY strong_password
  DEFAULT TABLESPACE users
  QUOTA 100M ON users
  PROFILE app_user
  PASSWORD EXPIRE
  ACCOUNT UNLOCK;
Explanation:
johndoe: Replace this with the desired username.
strong_password: Replace this with a strong and secure password.
users: Replace this with the name of the default tablespace.
100M: This specifies the quota limit for the user in the "users"
tablespace. You can adjust this value based on your needs.
app_user: Replace this with the name of the existing profile you want to
assign to the user.
PASSWORD EXPIRE: This forces the user to change their password
upon first login.
ACCOUNT UNLOCK: This leaves the account unlocked by default. You
can replace this with ACCOUNT LOCK if you want to initially lock the account.
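The statement above names an existing profile, and Qn16 describes profiles as resource and password limits; the following added Oracle SQL example, which is not part of the exam paper, creates such a profile and checks the result. The limit values are illustrative assumptions, and the statements assume a DBA session run before the CREATE USER statement.

```sql
-- Kernel resource limits in a profile (sessions, idle time, connect time)
-- are enforced only while RESOURCE_LIMIT is TRUE; password limits are
-- always enforced.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Profile referenced by CREATE USER ... PROFILE app_user.
-- All values below are illustrative.
CREATE PROFILE app_user LIMIT
  SESSIONS_PER_USER      2      -- concurrent sessions per account
  IDLE_TIME              15     -- minutes of inactivity before disconnect
  CONNECT_TIME           480    -- maximum minutes per session
  FAILED_LOGIN_ATTEMPTS  5      -- consecutive failures before the account locks
  PASSWORD_LOCK_TIME     1/24   -- days the account stays locked (one hour)
  PASSWORD_LIFE_TIME     90     -- days before the password must be changed
  PASSWORD_GRACE_TIME    7      -- days of warning after the lifetime ends
  PASSWORD_REUSE_TIME    365    -- days before an old password may return
  PASSWORD_REUSE_MAX     10;    -- and changes required before it may return

-- Confirm the limits stored for the profile.
SELECT resource_name, resource_type, limit
FROM   dba_profiles
WHERE  profile = 'APP_USER'
ORDER  BY resource_type, resource_name;

-- After the CREATE USER statement has run: confirm the profile, tablespace,
-- and account state. PASSWORD EXPIRE shows as EXPIRED in ACCOUNT_STATUS.
SELECT username, profile, default_tablespace, account_status, expiry_date
FROM   dba_users
WHERE  username = 'JOHNDOE';

-- Confirm the quota on the default tablespace (MAX_BYTES is -1 for UNLIMITED).
SELECT username, tablespace_name, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'JOHNDOE';
```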
END