Module 4 security dbms(merrin)

security in dbms

Uploaded by

rhattarde12

Module-4

Database Security
Database security includes a variety of measures used to secure database management systems
from malicious cyber-attacks and illegitimate use. Database security programs are designed to
protect not only the data within the database, but also the data management system itself, and
every application that accesses it, from misuse, damage, and intrusion.

Database security encompasses tools, processes, and methodologies which establish security
inside a database environment.

Database Security Threats

Many software vulnerabilities, misconfigurations, or patterns of misuse or carelessness could
result in breaches. Here are a number of the best-known causes and types of database security
cyber threats.

Data security is an imperative aspect of any database system. It is of particular importance in
distributed systems because of the large number of users, fragmented and replicated data,
multiple sites and distributed control.

Threats in a Database

● Availability loss − Availability loss refers to non-availability of database objects to
legitimate users.
● Integrity loss − Integrity loss occurs when unacceptable operations are performed upon
the database either accidentally or maliciously. This may happen while creating,
inserting, updating or deleting data. It results in corrupted data leading to incorrect
decisions.
● Confidentiality loss − Confidentiality loss occurs due to unauthorized or unintentional
disclosure of confidential information. It may result in illegal actions, security threats and
loss in public confidence.

Database Security
Database security refers to the process of protecting and safeguarding the database
from unauthorized access or cyber-attacks. There are different types of database security, such as
encryption, authentication, backup, application security and physical security, which should be
implemented in your business.

Types of Database Security


● Authentication
● Database Encryption
● Backup Database
● Physical Security
● Application Security
● Access Control
● Web Application Firewall
● Use Strong Password
● Database Auditing

1. Authentication

Database authentication is the type of database security that verifies the user's login credentials
against those stored in the database. If the credentials match, the user can access the database;
that is, the user is authenticated to log in to your database. An authenticated user who has a
privilege to access some data still cannot access other data that lies outside that privilege, and
no unauthorized or malicious user can log in to your database. So, database authentication plays
an important role in ensuring database security.

2. Database Encryption

Encryption is one of the most effective types of database security; it protects your database
from unauthorized access during storage and during transmission over the internet. There are different
types of encryption algorithms such as AES, MD5, and SHA 1 which are used to encrypt and
decrypt all types of sensitive data.

Typically, an encryption algorithm transforms the plaintext data into unreadable ciphertext
within the database. So, if hackers get access to your database, they cannot use your
data until it is decrypted. It is highly recommended that you encrypt your sensitive
data when storing it in a database, because this provides security and protection from cyber-attacks.

3. Backup Database
Backup is another type of database security which is used to restore data in case of data loss, data
corruption, hacking, or natural disasters. It means copying or archiving the database in real time to
secondary storage. If you configure the primary and secondary server in the same place and the
primary server is destroyed, there is a chance that the secondary server is destroyed too. Then you
cannot run your application, and your system will stay down until you recover.

That is why it is suggested that you always configure the secondary server in a physically separate
location in order to ensure database security. In that case, if the primary server is down, you
can recover the database from the secondary server. There are different types of database backup,
such as full backup, differential backup and incremental backup. You can set your backup plan as per
your business needs and time. However, you can consider the following strategy to back up the
database:

● Determine the backup schedule and backup types
● Make sure the database is backed up regularly
● Ensure your backup location is physically separate
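The backup strategy above is only as good as the restore you have actually tested. The following is an added example, not code from the notes, showing one full backup cycle on SQLite: take a consistent copy with the online backup API, store it in a second directory standing in for the physically separate location, record a digest, and then restore the copy into scratch storage and check it before trusting it. The database contents, file names and directories are constructed for the example.

```python
# Added example (not part of the notes): full backup of a SQLite database to a
# separate location, followed by a restore test. Paths and contents are constructed.
import hashlib
import os
import sqlite3
import tempfile


def create_sample_db(path):
    """Build a small constructed employee database that we will back up."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE employee(id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO employee(name) VALUES (?)",
                    [("alice",), ("bob",), ("carol",)])
    con.commit()
    con.close()


def sha256_of(path):
    """Digest recorded with the backup so a corrupted or altered copy is noticed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def full_backup(src_path, dst_path):
    """Consistent full backup through sqlite3's online backup API; returns the copy's digest."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    src.backup(dst)  # page-by-page copy that does not block other users of the live database
    dst.close()
    src.close()
    return sha256_of(dst_path)


def verify_restore(backup_path, expected_digest):
    """Restore the backup into a scratch database and prove it is usable.

    Returns the number of employee rows the restored copy contains."""
    if sha256_of(backup_path) != expected_digest:
        raise ValueError("backup digest mismatch: file corrupted or altered")
    restored = sqlite3.connect(":memory:")
    src = sqlite3.connect(backup_path)
    src.backup(restored)
    src.close()
    if restored.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
        raise ValueError("restored database failed integrity check")
    (count,) = restored.execute("SELECT COUNT(*) FROM employee").fetchone()
    restored.close()
    return count


def backup_drill():
    """End-to-end drill: create the live database, back it up into a second
    directory (standing in for the physically separate location), then verify."""
    with tempfile.TemporaryDirectory() as primary, \
            tempfile.TemporaryDirectory() as secondary:
        live = os.path.join(primary, "employees.db")
        copy = os.path.join(secondary, "employees-full.bak")
        create_sample_db(live)
        digest = full_backup(live, copy)
        return verify_restore(copy, digest)


if __name__ == "__main__":
    print("rows recovered from backup:", backup_drill())
```

The digest check and the `PRAGMA integrity_check` are the two cheap controls that catch a backup that was copied but is unusable; a restore drill like `backup_drill()` is what turns the schedule in the list above into evidence that recovery works.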

4. Physical Security

Physical database security is the protection of the database server room against
unauthorized access. The database server should be located in a secured and climate-controlled
environment in a building. Only the DBA (Database Administrator) and authorized IT (Information
Technology) officers can enter the server room. If your database server is in a cloud data
center, then your service provider will take the necessary action to secure your database.

5. Application security
You have to secure your application and database in order to protect them from web attacks such as
SQL injection. SQL injection is the most common web attack, where hackers control an
application's database to steal sensitive information or destroy the database. In this technique, the
attacker adds malicious code to an SQL query via web page input. It occurs when an
application fails to properly sanitize the input used to build SQL statements. So, attackers can add their own
malicious SQL statements to access your database for malicious purposes.

To protect against SQL injection attacks, you can secure the application by applying the following
prevention methods:

● Use prepared statements
● Use a Web Application Firewall
● Update your system
● Validate user input
● Limit privileges
● Use stored procedures

6. Access Control
To ensure database security you have to restrict access to the database by unauthorized users.
Only authorized users can access the database; unauthorized users cannot access the
database. The DBA creates user accounts for those who will access the database, sets a role and limits
what they can access in your database. So, access control is a type of database security which can
secure your database by restricting unauthorized users' access.

7. Web Application Firewall

A web application firewall, or WAF, is an application-based cyber security tool and a
database security best practice. A WAF is designed to protect applications by filtering, monitoring
and blocking malicious HTTP traffic. This database security measure controls who can access the
application and prevents intruders from reaching the application via the internet. To secure your
application from malicious users you should use a web application firewall, which will protect
your application's database.

8. Use Strong Password

These are simple but very important tips for ensuring database security. As a DBA or IT officer
you should use a strong password for database login and never share your password with others.
If you use easy passwords such as your mobile number, employee ID or date of birth, which are known to
hackers, they will try to log in using these passwords. As a result, you will lose control of your
database. So, create a strong password for database login using a combination of letters, numbers and
special characters (minimum 10 characters in total) and change the password regularly.
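The authentication section and the password tips above describe checking a login against credentials "stored in the database". The following is an added example, not from the notes, of how a defender stores and checks those credentials: the policy from the tips (letters, digits, special characters, at least 10 characters) is enforced at registration, the database keeps only a per-user random salt and a PBKDF2-SHA256 derived key rather than the password, and verification uses a constant-time comparison. Note that MD5 and SHA-1, named under encryption above, are one-way hash functions rather than reversible ciphers, which is why a hash-based derivation fits password storage. The user store, iteration count and sample passwords are constructed for the example.

```python
# Added example (not part of the notes): password policy check, salted
# password hashing and login verification against the stored hash.
import hashlib
import hmac
import os

MIN_LENGTH = 10          # policy stated in the notes: at least 10 characters in total
PBKDF2_ROUNDS = 100_000  # work factor; assumption, tune to the server's hardware


def password_meets_policy(password):
    """Letters, digits and special characters, minimum 10 characters."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def hash_password(password, salt=None):
    """Return (salt, derived key). A fresh random salt per user means two
    users with the same password still get different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, dk


# Constructed credential store: what the database holds instead of plaintext passwords.
USER_STORE = {}


def register(username, password):
    """Enforce the policy, then store only salt and derived key."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet policy")
    salt, dk = hash_password(password)
    USER_STORE[username] = (salt, dk)


def authenticate(username, password):
    """Verify login credentials against the stored salt and hash.

    compare_digest keeps the comparison constant-time, and an unknown user
    still pays for one key derivation so response time does not reveal
    which usernames exist."""
    record = USER_STORE.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    register("dba", "Corr3ct-Horse!")
    print("correct password accepted:", authenticate("dba", "Corr3ct-Horse!"))
    print("wrong password rejected:", not authenticate("dba", "wrong-Pass1!"))
```

With this layout a stolen copy of `USER_STORE` does not hand the attacker the passwords, and a failed login for an unknown account takes as long as a failed login for a real one.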

9. Database Auditing
Auditing is a very important type of database security control which can help to detect and
identify unauthorized access to your DBMS (Database Management System).

Database auditing regularly checks the log files for who accessed the database, when they
accessed it, how long they stayed and what they did in the database. You can easily find out if
there is unauthorized access to the database server. Database auditing is a type of database
protection which can provide overall monitoring of your organization's database security.
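The questions auditing answers above (who, when, how long, what) can be reconstructed from the log. The following is an added example, not from the notes, that parses a constructed audit log format (one line per login, query or logout), rebuilds each user's session with its duration and statements, and flags sessions that fall outside business hours or contain write statements; the log format, the business-hours window and the sample lines are assumptions made for the example.

```python
# Added example (not part of the notes): session reconstruction and review
# over a constructed audit log. Format and thresholds are assumptions.
import re
from datetime import datetime

# Constructed log lines: timestamp, event, user, optional source and statement.
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:59:12 LOGIN user=alice src=10.0.0.5
2024-03-04T09:03:40 QUERY user=alice stmt="SELECT * FROM employee WHERE id=42"
2024-03-04T09:10:02 LOGOUT user=alice
2024-03-04T23:14:55 LOGIN user=bob src=203.0.113.9
2024-03-04T23:15:30 QUERY user=bob stmt="SELECT * FROM employee"
2024-03-04T23:16:01 QUERY user=bob stmt="DELETE FROM employee WHERE id=7"
2024-03-04T23:20:00 LOGOUT user=bob
""".splitlines()

LINE = re.compile(r'^(\S+) (LOGIN|QUERY|LOGOUT) user=(\S+)'
                  r'(?: src=(\S+))?(?: stmt="([^"]*)")?$')
BUSINESS_HOURS = range(8, 18)            # assumption: 08:00-17:59 is normal
WRITE_VERBS = ("DELETE", "DROP", "UPDATE", "INSERT", "ALTER")


def parse_line(line):
    """Return (timestamp, event, user, src, stmt) or None for an unparseable line."""
    m = LINE.match(line)
    if not m:
        return None
    ts, event, user, src, stmt = m.groups()
    return datetime.fromisoformat(ts), event, user, src, stmt


def build_sessions(lines):
    """Group events into sessions: who logged in, from where, for how long, doing what."""
    open_sessions, sessions = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, user, src, stmt = rec
        if event == "LOGIN":
            open_sessions[user] = {"user": user, "src": src, "start": ts, "statements": []}
        elif event == "QUERY" and user in open_sessions:
            open_sessions[user]["statements"].append(stmt)
        elif event == "LOGOUT" and user in open_sessions:
            s = open_sessions.pop(user)
            s["end"] = ts
            s["duration_s"] = int((ts - s["start"]).total_seconds())
            sessions.append(s)
    return sessions


def review(sessions):
    """Return (user, reasons) for every session an auditor should look at."""
    findings = []
    for s in sessions:
        reasons = []
        if s["start"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        writes = [q for q in s["statements"] if q.split()[0].upper() in WRITE_VERBS]
        if writes:
            reasons.append(f"{len(writes)} write statement(s)")
        if reasons:
            findings.append((s["user"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in review(build_sessions(SAMPLE_AUDIT_LOG)):
        print(user, "->", ", ".join(reasons))
```

Running the review over the sample log singles out bob's late-night session with a DELETE, while alice's daytime read-only session is left alone; the same two functions work over a real export once `LINE` is adapted to the DBMS's audit format.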

Authentication and Authorisation

Authentication and authorization are two terms used in the security world. They might sound
similar but are completely different from each other. Authentication is used to verify
someone's identity, whereas authorization is a way to give someone permission to access a
particular resource. These are two basic security terms and hence need to be understood
thoroughly. In this topic, we will discuss what authentication and authorization are and how they
differ from each other.

Authentication
● Authentication is the process of establishing someone's identity by confirming that the person
is who they claim to be.
● It is used by both server and client. The server uses authentication when someone wants
to access information and the server needs to know who is accessing it.
The client uses it when it wants to know that the server is the one it claims to be.
● Authentication by the server is mostly done using a username and password.
Other ways of authentication by the server include cards, retina scans,
voice recognition, and fingerprints.
● Authentication does not determine what tasks a person can perform under a process or what files
they can view, read, or update. It mostly identifies who the person or system actually is.

Authentication Factors
As per the security levels and the type of application, there are different types of Authentication
factors:

● Single-Factor Authentication
Single-factor authentication is the simplest form of authentication. It needs only a
username and password to allow a user to access a system.
● Two-factor Authentication
As the name says, it is two-level security; hence it needs two-step verification to
authenticate a user. It requires not only a username and password but also
unique information that only the particular user knows, such as a first school name or a
favorite destination. Apart from this, it can also verify the user by sending an OTP or a
unique link to the user's registered number or email address.
● Multi-factor Authentication
This is the most secure and advanced level of authentication. It requires two or more
levels of security from different and independent categories. This type of
authentication is usually used in financial organizations, banks, and law enforcement
agencies. It helps eliminate data exposure to third parties or hackers.

Authentication techniques
1. Password-based authentication

It is the simplest way of authentication. It requires the password for the particular username. If
the password matches with the username and both details match the system's database, the user
will be successfully authenticated.

2. Passwordless authentication

In this technique, the user doesn't need any password; instead, he gets an OTP (one-time
password) or a link on his registered mobile number. It can also be called
OTP-based authentication.

3. 2FA/MFA

2FA/MFA, or two-factor authentication/multi-factor authentication, is a higher level of
authentication. It requires an additional PIN or security questions in order to authenticate the user.
4. Single Sign-on

Single Sign-on or SSO is a way to enable access to multiple applications with a single set of
credentials. It allows the user to sign-in once, and it will automatically be signed in to all other
web apps from the same centralized directory.

5. Social Authentication

Social authentication does not require additional security; instead, it verifies the user with the
existing credentials for the available social network.

Authorisation
● Authorization is the process of granting someone permission to do something. It is a way to
check whether the user has permission to use a resource or not.
● It defines what data and information a user can access. It is also called AuthZ.
● Authorization usually works together with authentication so that the system knows who
is accessing the information.
● Authorization is not always necessary to access information available over the internet.
Some data available over the internet can be accessed without any authorization.

Authorization Techniques

● Role-based access control
RBAC, or role-based access control, grants access to users according to their role or profile
in the organization. It can be implemented system-to-system or user-to-system.
● JSON web token
JSON web token, or JWT, is an open standard used to securely transmit data between
parties in the form of a JSON object. The users are verified and authorized using a
private/public key pair.
● SAML
SAML stands for Security Assertion Markup Language. It is an open standard that
provides authorization credentials to service providers. These credentials are exchanged
through digitally signed XML documents.
● OpenID authorization
It helps clients verify the identity of end users on the basis of authentication.
● OAuth
OAuth is an authorization protocol which enables an API to authenticate and access the
requested resources.

Requirements on DBMS Security

At this moment we have a basic image of information system security and we can take a look at
concrete aspects that should be covered with DBMS security mechanisms.

1. Protection from improper access- only authorized users should be granted access to
objects of DBMS. This control should be applied on smaller objects (record, attribute,
value).
2. Protection from inference - inference of confidential information from available data
should be avoided. This regards mainly statistical DBMSs.
3. Database integrity - partially is ensured with system controls of DBMS (atomic
transactions) and various back-up and recovery procedures and partially with security
procedures.
4. Operational data integrity - logical consistency of data during concurrent transactions
(concurrency manager), serializability and isolation of transactions (locking techniques).
5. Semantic data integrity - ensuring that attribute values are in allowed ranges. This is
ensured with integrity constraints.
6. Accountability and auditing - there should be a possibility to log all data accesses.
7. User authentication - there should be unambiguous identification of each DBMS user.
This is the basis for all authorization mechanisms.
8. Management and protection of sensitive data - access should be granted only to a
narrow circle of users.
9. Multilevel security - data may be classified according to their sensitivity. Access granting
should then depend on that classification.
10. Confinement (subject isolation) - there is a necessity to isolate subjects to avoid
uncontrolled data flow between programs (memory channels, covert channels).

At least five aspects from the previous list must be ensured with special techniques that do not
exist in unsecure DBMSs. There are three basic ways to do it:

● flow control - we control information flows within the DBMS
● inference control - control of dependencies among data
● access control - access to the information in the DBMS is restricted

1. Flow Control

Flow control regulates distribution (flow) of information among available objects. E.g. reading
of information from object X and its direct writing into object Y.

Flow control policies need a list of acceptable information flows and their constraints. Flow
constraints are often based on classification of system elements and definition of acceptable
flows between classification levels.
2. Inference Control

The aim of inference control is to avoid indirect disclosure of information (a set of data X that
can be read by the user can be used to determine a data set Y (Y=f(X))). Generally there
are three channels of unauthorized data disclosure:

1. correlated data - typical channel when visible data X are semantically related with
invisible data Y
2. missing data - result of query contains NULL values that mask sensitive data. Existence
of that data may be detected that way.
3. statistical inference - typical for databases that provide statistical information about
entities.

Statistical databases do not allow direct access to data; users can query only statistical
data. Attacks on these DBMSs can be countered with two different approaches:

1. data perturbation - concrete data are replaced with statistical results
2. query controls - more frequently used; mostly based on a minimal and maximal
number of items that may be concerned by a query. Results are satisfactory but this technique
is expensive and difficult to administer.

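The query-control approach above (a minimum and a maximum number of items per query) can be made concrete. The following is an added example, not from the notes, of a statistical query interface over a constructed staff table that only answers COUNT/SUM/AVG when the matched set has at least k records and at most N-k records. The lower bound stops a query that isolates one person; the upper bound stops the complementary trick of asking for "everyone" and "everyone except one person" and subtracting. The records and the value of k are constructed for the example.

```python
# Added example (not part of the notes): query-set-size control for a
# statistical database. Records and k are constructed.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Employee:
    name: str
    dept: str
    salary: int


# Constructed data: N = 8 records; "legal" has exactly one member.
STAFF: List[Employee] = [
    Employee("ann", "sales", 50000), Employee("ben", "sales", 52000),
    Employee("cara", "sales", 48000), Employee("dana", "legal", 90000),
    Employee("eli", "eng", 70000), Employee("fay", "eng", 72000),
    Employee("gus", "eng", 68000), Employee("hal", "hr", 55000),
]
K = 2  # minimum query-set size; queries must match between K and N-K records


def query_set_size_ok(matched: int, total: int, k: int = K) -> bool:
    """Both bounds: too few rows identifies someone, too many enables differencing."""
    return k <= matched <= total - k


def stat_query(records: List[Employee], predicate: Callable[[Employee], bool],
               stat: str, k: int = K) -> Optional[float]:
    """Answer a statistic over the rows matching predicate, or None if refused."""
    matched = [r for r in records if predicate(r)]
    if not query_set_size_ok(len(matched), len(records), k):
        return None  # refused: the answer would reveal individual values
    values = [r.salary for r in matched]
    if stat == "count":
        return len(values)
    if stat == "sum":
        return sum(values)
    if stat == "avg":
        return sum(values) / len(values)
    raise ValueError(f"unsupported statistic: {stat}")


def inference_demo():
    """Show which of the classic probes the control refuses.

    Without the control, sum(all) - sum(dept != legal) equals dana's salary."""
    return {
        "sales_sum": stat_query(STAFF, lambda r: r.dept == "sales", "sum"),
        "legal_sum": stat_query(STAFF, lambda r: r.dept == "legal", "sum"),
        "all_sum": stat_query(STAFF, lambda r: True, "sum"),
        "not_legal_sum": stat_query(STAFF, lambda r: r.dept != "legal", "sum"),
    }


if __name__ == "__main__":
    for name, result in inference_demo().items():
        print(f"{name}: {'refused' if result is None else result}")
```

With N = 8 and k = 2 the legitimate departmental totals are answered while the three probes that would together expose dana's salary are all refused; the control is simple, but as the notes say it is restrictive to administer, and it is still defeated by long chains of overlapping queries (trackers), which is why perturbation is the other option.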
3. Access Control
Access control is responsible for enforcing the rules determined by security policies for all direct
accesses to the system. Traditional control systems work with the notions of subject, object and
operation. For a better image look at the figure of secure DBMS.

Database access control is a method of allowing access to company’s sensitive data only to those
people (database users) who are allowed to access such data and to restrict access to
unauthorized persons. It includes two main components: authentication and authorization.

Authentication is a method of verifying the identity of a person who is accessing your database.
Note that authentication isn’t enough to protect data. An additional layer of security is required,
authorization, which determines whether a user should be allowed to access the data or make the
transaction he’s attempting. Without authentication and authorization, there is no data security.

Any company whose employees connect to the Internet, thus, every company today, needs some
level of access control implemented.

Types of Access Control

Obsolete access models include Discretionary Access Control (DAC) and Mandatory Access
Control (MAC). Role Based Access Control (RBAC) is the most common method today, and the
most recent model is Attribute Based Access Control (ABAC).
● Discretionary Access Control (DAC)

With DAC models, the data owner allows access. DAC is a means of assigning access rights
based on user-specified rules.

● Mandatory Access Control (MAC)

MAC was developed using a nondiscretionary model, in which people are granted access based
on an information clearance. MAC is a policy in which access rights are assigned based on
central authority regulations.

● Role Based Access Control (RBAC)

RBAC grants access based on a user’s role and implements key security principles such as “least
privilege” and “separation of privilege.” Thus, someone attempting to access information can
only access data necessary for their role.

● Attribute Based Access Control (ABAC)

In ABAC, each resource and user are assigned a series of attributes. In this dynamic method, a
comparative assessment of the user’s attributes, including time of day, position and location, are
used to make a decision on access to a resource.

Discretionary Access Control (DAC) –

DAC is a type of access control system that assigns access rights based on rules specified by
users. The principle behind DAC is that subjects can determine who has access to their objects.
The DAC model takes advantage of using access control lists (ACLs) and capability tables.
Capability tables contain rows with ‘subject’ and columns containing ‘object’. The security
kernel within the operating system checks the tables to determine if access is allowed.
Sometimes a subject/program may only have access to read a file; the security kernel makes sure
no unauthorized changes occur.

Implementation –

This popular model is utilized by some of the most popular operating systems, like Microsoft
Windows file systems.
Role-Based Access Control (RBAC) –

RBAC, also known as a non-discretionary access control, is used when system administrators
need to assign rights based on organizational roles instead of individual user accounts within an
organization. It presents an opportunity for the organization to address the principle of ‘least
privilege’. This gives an individual only the access needed to do their job, since access is
connected to their job.

Implementation-

Windows and Linux environments use something similar by creating ‘Groups’. Each group has
individual file permissions and each user is assigned to groups based on their work role. RBAC
assigns access based on roles. This is different from groups since users can belong to multiple
groups but should only be assigned to one role. Example roles are: accountants, developer,
among others. An accountant would only gain access to resources that an accountant would need
on the system. This requires the organization to constantly review the role definitions and have a
process to modify roles to segregate duties. If not, role creep can occur. Role creep is when an
individual is transferred to another job/group and their access from their previous job stays with
them.
Mandatory Access Control (MAC) –

Considered the strictest of all levels of access control systems. The design and implementation of
MAC is commonly used by the government. It uses a hierarchical approach to control access to
files/resources. Under a MAC environment, access to resource objects is controlled by the
settings defined by a system administrator. This means access to resource objects is controlled by
the operating system based on what the system administrator configured in the settings. It is not
possible for users to change access control of a resource. MAC uses “security labels” to assign
resource objects on a system. There are two pieces of information connected to these security
labels: classification (high, medium, low) and category (specific department or project – provides
“need to know”). Each user account is also assigned classification and category properties. This
system provides users access to an object if both properties match. If a user has high
classification but is not part of the category of the object, then the user cannot access the object.
MAC is the most secure access control but requires a considerable amount of planning and a
high level of system management due to the constant updating of object and account labels.
Implementation-

Other than the government’s implementation of MAC, Windows Vista-8 used a variant of MAC
with what they called, Mandatory Integrity Control (MIC). This type of MAC system added
integrity levels (IL) to processes/files running in the login session. The IL represented the level
of trust the object would have. Subjects were assigned an IL level, which was assigned to their
access token. IL levels in MIC were: low, medium, high, and system. Under this system, access
to an object was prohibited unless the user had the same level of trust, or higher than the object.
Windows limited the user to not being able to write or delete files with a higher IL. It first
compared IL levels, then moved on to checking the ACLs to make sure the correct permissions
are in place. This system took advantage of the Windows DAC system ACLs and combined it
with integrity levels to create a MAC environment.

Attribute-Based Access Control (ABAC)

Another alternative to role-based access control is attribute-based access control (ABAC). This
model grants rights by introducing special policies. These policies combine attributes for users,
resources, and objects.
The main difference of ABAC is that every situation is assessed not from the point of view of the role
and desired action, but on the basis of attributes assigned to that role and action. As a result, the
business rule here is a set of conditions in which different attributes must satisfy certain
requirements. ABAC uses Boolean logic with "IF, THEN" statements to decide whether the
user should be granted access or not (IF the user is an accountant, THEN allow him to access financial
data).
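The sections on flow control, RBAC, MAC and ABAC above each describe a decision rule. The following is an added example, not from the notes, that implements the four rules side by side on constructed data: RBAC as role-to-permission sets with one role per user, MAC with labels made of a classification (low/medium/high) and a category set where a subject may read an object only if its clearance dominates the object's label (at or above the classification and holding every category, which is the usual reading of the "both properties" rule above), flow control as the same dominance check applied to the destination of an information flow, and ABAC as IF-THEN predicates over user, resource and environment attributes. All names, roles, labels and policy rules are constructed assumptions.

```python
# Added example (not part of the notes): RBAC, MAC, flow-control and ABAC
# decisions over constructed subjects, objects and policies.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# ---- RBAC: a user holds one role; a role carries (object, operation) permissions.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "accountant": {("financial_data", "read")},
    "developer": {("source_code", "read"), ("source_code", "write")},
}
USER_ROLE: Dict[str, str] = {"alice": "accountant", "bob": "developer"}


def rbac_allows(user: str, obj: str, op: str) -> bool:
    """Least privilege: only what the user's single role needs."""
    role = USER_ROLE.get(user)
    return role is not None and (obj, op) in ROLE_PERMISSIONS.get(role, set())


# ---- MAC: labels are (classification, categories); the system, not the user, sets them.
LEVEL = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: FrozenSet[str]


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a holds all of b's categories."""
    return (LEVEL[a.classification] >= LEVEL[b.classification]
            and b.categories <= a.categories)


def mac_allows_read(subject: Label, obj: Label) -> bool:
    """High clearance alone is not enough; the category (need to know) must match too."""
    return dominates(subject, obj)


def flow_allowed(src: Label, dst: Label) -> bool:
    """Flow control: data may move from X to Y only if Y's label dominates X's,
    so information never flows down to a less restricted object."""
    return dominates(dst, src)


# ---- ABAC: policy = list of IF-THEN rules over attribute dictionaries.
def rule_accounting_hours(user: dict, resource: dict, env: dict) -> bool:
    """IF user is in accounting AND resource is financial AND it is office hours
    from the office THEN allow."""
    return (user.get("department") == "accounting"
            and resource.get("type") == "financial"
            and 9 <= env.get("hour", -1) < 18
            and env.get("location") == "office")


ABAC_POLICY = [rule_accounting_hours]


def abac_allows(user: dict, resource: dict, env: dict) -> bool:
    return any(rule(user, resource, env) for rule in ABAC_POLICY)


if __name__ == "__main__":
    print("RBAC alice reads financial_data:", rbac_allows("alice", "financial_data", "read"))
    high_fin = Label("high", frozenset({"finance"}))
    print("MAC high/finance reads medium/project_x:",
          mac_allows_read(high_fin, Label("medium", frozenset({"project_x"}))))
    print("ABAC accountant at 22:00:", abac_allows({"department": "accounting"},
          {"type": "financial"}, {"hour": 22, "location": "office"}))
```

The MAC and ABAC checks show why the models differ in practice: the same accountant who is always allowed under RBAC is refused under ABAC when the time-of-day attribute is wrong, and a "high" clearance is refused under MAC when the object's category is not part of the subject's need to know, exactly the case the MAC section describes.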
Intrusion Detection in DBMS
Data represents today a valuable asset for organizations and companies and must be protected.
Ensuring the security and privacy of data assets is a crucial and very difficult problem in our
modern networked world. Despite the necessity of protecting information stored in database
systems (DBS), existing security models are insufficient to prevent misuse, especially insider
abuse by legitimate users. One mechanism to safeguard the information in these databases is to
use an intrusion detection system (IDS). The purpose of intrusion detection in database systems
is to detect transactions that access data without permission.

An Intrusion Detection System (IDS) is a monitoring system that detects suspicious activities
and generates alerts when they are detected. Based upon these alerts, a security operations center
(SOC) analyst or incident responder can investigate the issue and take the appropriate actions to
remediate the threat.

Classification of Intrusion Detection Systems

Intrusion detection systems are designed to be deployed in different environments. And like
many cybersecurity solutions, an IDS can either be host-based or network-based.
● Host-Based IDS (HIDS): A host-based IDS is deployed on a particular endpoint and
designed to protect it against internal and external threats. Such an IDS may have the
ability to monitor network traffic to and from the machine, observe running processes,
and inspect the system’s logs. A host-based IDS’s visibility is limited to its host machine,
decreasing the available context for decision-making, but has deep visibility into the host
computer’s internals.
● Network-Based IDS (NIDS): A network-based IDS solution is designed to monitor an
entire protected network. It has visibility into all traffic flowing through the network and
makes determinations based upon packet metadata and contents. This wider viewpoint
provides more context and the ability to detect widespread threats; however, these
systems lack visibility into the internals of the endpoints that they protect.
● Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) comprises a system or agent that
consistently resides at the front end of a server, controlling and interpreting the protocol
between a user/device and the server. It tries to secure the web server by regularly
monitoring the HTTPS protocol stream and accepting the related HTTP protocol. Because the
HTTPS traffic is unencrypted only at the point just before it enters the web presentation layer,
the system needs to reside at that interface in order to inspect the HTTPS stream.
● Application Protocol-based Intrusion Detection System (APIDS):
Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that
generally resides within a group of servers. It identifies the intrusions by monitoring and
interpreting the communication on application-specific protocols. For example, this
would monitor the SQL protocol explicit to the middleware as it transacts with the
database in the web server.
● Hybrid Intrusion Detection System :
Hybrid intrusion detection system is made by the combination of two or more approaches
of the intrusion detection system. In the hybrid intrusion detection system, host agent or
system data is combined with network information to develop a complete view of the
network system. Hybrid intrusion detection systems are more effective in comparison to
the other intrusion detection systems. Prelude is an example of Hybrid IDS.

Due to the different levels of visibility, deploying a HIDS or NIDS in isolation provides
incomplete protection to an organization’s system. A unified threat management solution, which
integrates multiple technologies in one system, can provide more comprehensive security.
Detection Method of IDS Deployment
Beyond their deployment location, IDS solutions also differ in how they identify potential
intrusions:

● Signature Detection: Signature-based IDS solutions use fingerprints of known threats to
identify them. Once malware or other malicious content has been identified, a signature is
generated and added to the list used by the IDS solution to test incoming content. This
enables an IDS to achieve a high threat detection rate with no false positives because all
alerts are generated based upon detection of known-malicious content. However, a
signature-based IDS is limited to detecting known threats and is blind to zero-day
vulnerabilities.
● Anomaly Detection: Anomaly-based IDS solutions build a model of the “normal”
behavior of the protected system. All future behavior is compared to this model, and any
anomalies are labeled as potential threats and generate alerts. While this approach can
detect novel or zero-day threats, the difficulty of building an accurate model of “normal”
behavior means that these systems must balance false positives (incorrect alerts) with
false negatives (missed detections).
● Hybrid Detection: A hybrid IDS uses both signature-based and anomaly-based
detection. This enables it to detect more potential attacks with a lower error rate than
using either system in isolation.

SQL Injection
The SQL Injection is a code penetration technique that might cause loss to our database. It is one
of the most practiced web hacking techniques to place malicious code in SQL statements, via
webpage input. SQL injection can be used to manipulate the application's web server by
malicious users.

SQL injection generally occurs when we ask a user to input their username/user ID. Instead of a
name or ID, the user gives us an SQL statement that we will unknowingly run on our database.
For example, we create a SELECT statement by adding a variable "demoUserId" to a
string. The variable is fetched from user input (getRequestString).

Syntax:

demoUserId = getRequestString("UserId");

demoSQL = "SELECT * FROM users WHERE UserId = " + demoUserId;



Types of SQL injection attacks:

SQL injections can do more harm than bypassing login checks. Some SQL
injection attacks include:

● Updating, deleting, and inserting data: an attacker can modify cookies to poison a
web application's database query.
● Executing commands on the server, which can download and install malicious programs
such as Trojans.
● Exporting valuable data such as credit card details, emails, and passwords to the
attacker's remote server.
● Getting user login details: this is the simplest form of SQL injection. Web applications
typically accept user input through a form, and the front end passes the user input to the
back-end database for processing.

Example of SQL Injection

We have an application based on employee records. Any employee can view only their own
records by entering a unique and private employee ID. We have a field such as Employee ID,
and the employee enters the following in the input field:

236893238 or 1=1

It will translate to:

SELECT * from EMPLOYEE where EMPLOYEE_ID = 236893238 or 1=1

The SQL code above is valid and will return the EMPLOYEE_ID row from the EMPLOYEE
table. The 1=1 is true for every row, so all records are returned. All the employee data is
compromised; now the malicious user can similarly delete the employee records.

Example:

SELECT * from Employee where (Username = "" or 1=1) AND (Password = "" or 1=1)

Now the malicious user can use the '=' operator to retrieve private and secure user
information. So instead of the query mentioned above, the following query, when executed,
retrieves protected data not intended to be shown to users.

SELECT * from EMPLOYEE where (Employee_name = " " or 1=1) AND (Password = " " or 1=1)

SQL injection based on Batched SQL statements

Several databases support batched SQL statements. It is a group of two or more SQL statements
separated by semicolons.

The SQL statement given below will return all rows from the Employee table, then delete the
Employee_Add table.

SELECT * From Employee; DROP Table Employee_Add

How to detect SQL Injection attacks

Creating a SQL injection attack is not difficult, and even the best and well-intentioned
developers make mistakes. Detecting SQL injection is therefore an essential component
of reducing the risk of an SQL injection attack. A Web Application Firewall can detect and block
basic SQL injection attacks, but we should not depend on it as the sole preventive measure.

An Intrusion Detection System (IDS) can be both network-based and host-based, and it can be tuned
to detect SQL injection attacks. A network-based IDS can monitor all connections to our database
server and flag suspicious activities. A host-based IDS can monitor web server logs and alert when
something strange happens.
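The IDS detection methods described earlier (signature versus anomaly detection) and the paragraph above on tuning an IDS for SQL injection come together in the following added example, which is not code from the notes. It runs two detectors over a constructed database query log: a signature detector that matches the two patterns the notes themselves show (an `or 1=1` tautology and a batched `; DROP ...` statement), and an anomaly detector that learns a queries-per-minute baseline for an application account from a constructed normal period and alerts when a minute exceeds mean plus three standard deviations. The log format, the baseline figures and the three-sigma threshold are assumptions.

```python
# Added example (not part of the notes): signature and anomaly detection over
# a constructed database query log. Format, baseline and threshold are assumptions.
import re
import statistics
from collections import Counter

# Constructed log: HH:MM:SS, account, client address, statement text.
SAMPLE_QUERY_LOG = """\
10:00:01 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 105
10:00:02 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 106
10:00:03 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 105 or 1=1
10:00:04 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 1; DROP TABLE users
10:01:10 user=report src=10.0.1.30 stmt=SELECT COUNT(*) FROM orders
10:05:00 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 201
10:05:01 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 202
10:05:02 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 203
10:05:03 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 204
10:05:04 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 205
10:05:05 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 206
10:05:06 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 207
10:05:07 user=webapp src=10.0.1.20 stmt=SELECT * FROM users WHERE UserId = 208
""".splitlines()

LINE = re.compile(r"^(\d\d:\d\d):\d\d user=(\S+) src=(\S+) stmt=(.*)$")

# Signature detection: fingerprints of the two injection forms shown in the notes.
SIGNATURES = [
    ("tautology", re.compile(r"\bor\s+1\s*=\s*1\b", re.I)),
    ("batched statement", re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.I)),
]

# Anomaly detection baseline: constructed queries-per-minute for 'webapp'
# during a period known to be normal.
BASELINE_QPM = [3, 4, 2, 3, 4, 3, 2, 3, 4, 3]


def parse(line):
    """Return (minute, user, src, stmt) or None for lines in another format."""
    m = LINE.match(line)
    return m.groups() if m else None


def signature_alerts(lines):
    """Every (minute, user, signature) hit; known patterns, no model needed."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        minute, user, _src, stmt = rec
        for name, pattern in SIGNATURES:
            if pattern.search(stmt):
                alerts.append((minute, user, name))
    return alerts


def anomaly_threshold(samples, sigmas=3.0):
    """Mean plus `sigmas` population standard deviations of the baseline."""
    return statistics.mean(samples) + sigmas * statistics.pstdev(samples)


def anomaly_alerts(lines, user, threshold):
    """Minutes in which `user` issued more queries than the learned threshold."""
    per_minute = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec[1] == user:
            per_minute[rec[0]] += 1
    return [(minute, n) for minute, n in sorted(per_minute.items()) if n > threshold]


if __name__ == "__main__":
    print("signature:", signature_alerts(SAMPLE_QUERY_LOG))
    thr = anomaly_threshold(BASELINE_QPM)
    print(f"anomaly (threshold {thr:.1f}):", anomaly_alerts(SAMPLE_QUERY_LOG, "webapp", thr))
```

The two detectors catch different things in the same log: the signatures fire on the two crafted statements in the 10:00 minute (where the query count, 4, is still within baseline), while the anomaly detector fires on the 10:05 burst of eight perfectly well-formed queries that no signature would match; running both is the hybrid approach the notes describe.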

Impact of SQL Injection

The intruder can retrieve all the user-data present in the database, such as user details, credit card
information, and social security numbers, and can also gain access to protected areas like the
administrator portal. It is also possible to delete the user data from the tables. These days all the
online shopping applications, bank transactions use back-end database servers. If the intruder can
exploit SQL injection, the entire server is compromised.

How to prevent SQL Injection attack

● We should validate input from the user by pre-defining the length, input type, and
the input field.
● Restrict the access privileges of users and define the amount of data any outsider
can access from the database. Generally, a user should not be granted permission to access
everything in the database.
● We should not use system administrator accounts.
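The application security section, the employee-ID example, the batched-statement example and the prevention list above all revolve around the same two lines of code. The following is an added example, not from the notes, that reproduces the notes' vulnerable pattern (user input concatenated into the statement) on a constructed SQLite employee table and puts the fixes from the prevention list beside it: input validation plus a prepared statement with a bound parameter, and limiting privileges so that a batched `; DROP TABLE` cannot succeed even if it reaches the database. SQLite's authorizer callback is used as a stand-in for the read-only database account a server DBMS would provide; the table, IDs and names are constructed.

```python
# Added example (not part of the notes): the vulnerable lookup from the notes
# beside a parameterized one, and a least-privilege connection that refuses
# the batched DROP. Table contents are constructed.
import sqlite3


def make_db():
    """Constructed employee table; employee_id 236893238 is the ID used in the notes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee(employee_id INTEGER PRIMARY KEY, "
                "employee_name TEXT, password TEXT)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                    [(236893238, "alice", "pw-a"), (311001, "bob", "pw-b"),
                     (311002, "carol", "pw-c")])
    con.commit()
    return con


def lookup_vulnerable(con, user_input):
    """The pattern from the notes: input becomes part of the SQL text."""
    sql = ("SELECT employee_id, employee_name FROM employee "
           "WHERE employee_id = " + user_input)
    return con.execute(sql).fetchall()


def lookup_parameterized(con, user_input):
    """Prevention: validate the type, then bind the value with a prepared statement."""
    try:
        employee_id = int(user_input)   # an employee ID is an integer, nothing else
    except ValueError:
        return []                       # reject rather than interpret
    return con.execute("SELECT employee_id, employee_name FROM employee "
                       "WHERE employee_id = ?", (employee_id,)).fetchall()


def restrict_to_reads(con):
    """Limiting privileges: this connection may only read. SQLite's authorizer
    stands in for a read-only account on a server DBMS."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
               sqlite3.SQLITE_FUNCTION, sqlite3.SQLITE_TRANSACTION}

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    con.set_authorizer(authorizer)


def table_exists(con):
    row = con.execute("SELECT name FROM sqlite_master "
                      "WHERE type='table' AND name='employee'").fetchone()
    return row is not None


def batched_drop_survives(restricted):
    """Run the notes' batched statement ('...; DROP TABLE ...') through a
    multi-statement execute. Returns True if the employee table is still there."""
    con = make_db()
    if restricted:
        restrict_to_reads(con)
    try:
        con.executescript("SELECT * FROM employee WHERE employee_id = 1; "
                          "DROP TABLE employee")
    except sqlite3.DatabaseError:
        pass  # the authorizer refused the DROP
    return table_exists(con)


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, honest input :", lookup_vulnerable(con, "236893238"))
    print("vulnerable, 'or 1=1'     :", lookup_vulnerable(con, "236893238 or 1=1"))
    print("parameterized, 'or 1=1'  :", lookup_parameterized(con, "236893238 or 1=1"))
    print("table survives unrestricted:", batched_drop_survives(False))
    print("table survives read-only   :", batched_drop_survives(True))
```

The three rows returned by `lookup_vulnerable` for `236893238 or 1=1` are the "all the employee data is compromised" outcome from the example above, and `batched_drop_survives` shows why the prevention list has more than one entry: the prepared statement stops the injection at the application, and the restricted account limits the damage should any other code path still concatenate input.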
