Database Security Threats And

Countermeasures Computer Science Essay

PRINT REFERENCE THIS
Published: 23rd March, 2015

Disclaimer: This essay has been submitted by a student. This is not

an example of the work written by our professional essay writers.
You can view samples of our professional work here.

Any opinions, findings, conclusions or recommendations expressed

in this material are those of the authors and do not necessarily
reflect the views of UK Essays.

Information is very critical asset. Organizations create so much

information and they use database systems to handle the
information within them to automate various functions. Due to
information importance, information protection is a critical
component of the database management system. Information
security is the goal of a database management system (DBMS), also
called database security. This paper discusses about database
security, the various security issues in databases, importance of
database security, database security threats and countermeasure,
and finally, the database security in web application.

To be able to manage a huge amount of data effectively and fast, a

well organized system is needed to build. It will also need to store
and retrieve data easily. Generally, a database system is designed
to be used by many users simultaneously for the specific collections
of data. Databases are classified based on their types of collections,
such as images, numeric, bibliographic or full-text. Digitized
databases are created by using management system to make,
store, maintain or search the data. Oracle, MS SQL and Sybase
servers are mostly used in companies, agencies and institutions for
their different purposes of the assets.

On the one hand, internetworking technology provides the assets

efficiently and effectively among cooperation but it also gives
opportunities to hackers or lawbreakers to make profits. So,
database security becomes the most important issue and all related
agencies have to focus on the availability of their data to the
authorized users only. The protection of data from unauthorized
disclosure, alteration or destruction is the main purpose of the
database security process.

Database security is the system, processes, and procedures that

protect database from unintended activity that can be categorized
as authenticated misuse, malicious attacks made by authorized
individuals or processes. Databases have been protected from
external connections by firewalls or routers on the network
perimeter with the database environment. Database security can
begin with the process of creation and publishing of appropriate
security standards for the database environment. (C.J.Date, 2000)

Particularly database systems in E-commerce, can access the

database for exchange and retrieval of information from web
applications. As many layers consisted for web application access, it
is needed to make sure the security of each layer.

In this paper, we are making an attempt to present about database

security- threats, countermeasures and how to make secure
database in each layer of database system of ecommerce in details.

2. Importance of Database Security

In this information technology age, it is compulsory for all types of
institutions or companies to make avail their information assets
online always through databases. However, they must have a policy
to divide the levels of users with to which extent they can asset the
information. It is vital not to give opportunities to mischievous
intruders. Databases are used to provide personnel information,
customer information, credit card numbers, financial data and
business transactions, etc. The information is very sensitive and
highly confidential and must be prevented from disclosure by other
competitors and unauthorized persons.

The security of data is crucial not only in business but also in even
home computers as personal files, details of bank accounts are
difficult to replace and potentially unsafe if they will be in wrong
hands. Data destroyed by hazards like floods or fire is just lost but
handing it in unethical person will have severe consequences.Other
threats will be included human errors and espionage. Therefore, the
data security starts with strategies of identifying the area of
exposure which will be affected. It is important to define who can
access what data, who is allowed and who is restricted, whether
passwords are used and how to maintain it, what sort of firewalls
and anti-malware solutions to use, how to train the staff and to
enforce data security. Furthermore, the backup continuity plan
should be laid out so that even though the systems fail, the business
can be carried out without delay.

While constructing the infrastructure security of a company,

database security should be well considered. Database is very
crucial to most enterprises at present days; the damage of database
will have tragic impact on it. Unsecured systems will make hurt both
the company itself and itsclients.

Based on the research done by American National Infrastructure

Protection Centre (NIPC) in 2000, the continuous attacks on U.S. e-
commerce system are increasing. Themost interrupted system is
Microsoft Windows NT systems, butUNIX based operating systems
have also been maltreated. The hackers are utilizingat least three
identified system weaknesses to be able to achieveillegal access
and download information. Even though these vulnerabilities are not
freshly innovated and the mischievous activities of hackers had
been in progress for quite long before the sufferer became noticed
of the intrusion.

The insecurity of the database can affect not only the database
itself, but also the other running systems which have the
relationship with that database.The process of an intruder can be
first to get access to the poorlysafe database, then use strongbuilt-
in database characters to get admission to the local operating
system. In this way, other trusted systems connecting with that
database will be easily attacked by the intruder.

3. Database Security Threats:

Database security begins with physical security for the systems that
host the database management system (DBMS). Database
Management system is not safe from intrusion, corruption, or
destruction by people who have physical access to the computers.
Once physical security has been established, database must be
protected from unauthorized access by authorized users as well as
unauthorized users. There are three main objects when designing a
secure database system, and anything prevents from a database
management system to achieve these goals would be consider a
threat to database security. There are many internal and external
threats to database systems. Some of threats are as follows:

3.1 Integrity:
Database integrity refers that information be protected from
improper modification. Modification includes creation, insertion,
modification, changing the status of data, and deletion. Integrity is
lost if unauthorized changes are made intentionally or through
accidental acts. For example, Students cannot be allowed to modify
their grades.

3.2 Availability:
Authorized user or program should not be denied access. For
example, an instructor who wishes to change a student grade
should be allowed to do so.

3.3 Secrecy:
Data should not be disclosed to unauthorized users. For example, a
student should not be allowed to see and change other student
grades.

3.4 Denial of service attack:

This attack makes a database server greatly slower or even not
available to user at all. DoS attack does not result in the disclosure
or loss of the database information; it can cost the victims much
time and money.

3.5 Sniff attack:

To accommodate the e-commerce and advantage of distributed
systems, database is designed in a client-server mode. Attackers
can use sniffer software to monitor data streams, and acquire some
confidential information. For example, the credit card number of a
customer.

3.6 Spoofing attack:

Attackers forge a legal web application to access the database, and
then retrieve data from the database and use it for bad transactions.
The most common spoofing attacks are TCP used to get the IP
addresses and DNS spoofing used to get the mapping between IP
address and DNS name.

3.7 Trojan Horse:

It is a malicious program that embeds into the system. It can modify
the database and reside in operating system.

To achieve these objectives, a clear and consistent security policy

should be developed to define what security measure must be
enforced. We must determine what part of data is to be protected
and which users get access to which part of the information. The
security mechanisms of the underlying database management
system, as well as external mechanism, such as securing access to
buildings, must be utilized to enforce the policy.

4. Database Security Countermeasures:

To protect the database system from the above mentioned threats.
Here are some countermeasures which are as follows:

4.1 Access Control:

A database for an organization contains a great deal of information
and usually has several users. Most of them need to access only a
small part of the database. A policy defines the requirements that
are to be implemented within hardware and software and those that
are external to the system, including physical, personal, and
procedural controls.

4.2 Flow Control:

Flow control provides the flow of information among accessible
objects. Flow controls check that information contained in objects
does not flow explicitly or implicitly into less protected objects.

4.3 Encryption:
An encryption algorithm should be applied to the data, using a user-
specified encryption key. The output of the algorithm is the
encrypted version. There is also a decryption algorithm, which takes
the encrypted data and a decryption key as input and then returns
the original data.

4.4 RAID:
Redundant Array of Independent Disks which protect against data
loss due to disk failure.

4.5 Authentication:
Access to the database is a matter of authentication. It provides the
guidelines how the database is accessed. Every access should be
monitored.

4.6 Backup:
At every instant, backup should be done. In case of any disaster,
Organizations can retrieve their data.

5. Database Security in E-commerce database

Database system cannot stand alone and it needs to depend on
many othersystems. Hence, database security is a combination of
many other associated and correlated systems are included as well.
The following figure is a normal schema of E-commerce Company. In
figure 1, the four basic layers are existed in order to defend a
database system. These systems are the functioningsystem on
which the database system runs. Firewall is a commonly applied
mechanism to obstruct the interruption from the external network.
Web server and web application offernumerousservices to the end
user by accessing the database. Network layer is the medium in
which the data is transmitted.
Figure 1. E-enterprise Architecture

5.1 Operating system layer

Operating system security is a very important characteristic in
database administration.Some dominant features of database
systems will possibly be a crack for the underlying operating
system. Thus, the responsible person should very thoroughly scan
the relations between a feature of database and it is operating
system.

According to Gollmann, there are five layers in Information

Technology system. These layers are application, services,
operating system, os kernel and hardware. Each layer is constructed
on top of other fundamental ones. As the database system is at the
service and application layer, it is existed in above the operating
system layer. If the weaknesses of the operating system platforms
are identified, then those weaknesses may lead toillegal database
access or manipulation. Database configuration files and scripts are
at server level resources and they should be shelteredseverely to
ensure the reliability of the database environment. In many
database environments, membership in Operating system group is
authorized full power of controlling over the database. To keep away
frommistreatment and exploitationof the membership, those users'
membership and access to the database should be
warrantedfrequently.

One of the responsibilities of Administrator is toorganizethe settings

of the operating system or to adjust the size of the buffer andthe
timeout period, so as to avoid the rejection of service attack stated
previously. Most operating system vendors supply system patches
generously and fast if any vulnerability has been detected on the
system. Another weakness which is often ignored by the
administrator is to bring up to date the operating system with the
latest patches to abolish thenewestrevealed holes of the system.

5.2 Network layer

Data has to be transmitted through the network including local LAN
and Internet when web applications communicate with database or
other distributed components. The two major network transmissions
are from user to web server, and from the web application to web
database server. All these communications must be completely
protected. Although the administrator can secured the network in
local domain, the global internet is unmanageable.

Encryption is another influential technology. It is set aside not only

the invader cannot interrupt but also theencrypted data is
unreadable and tremendously hard to presume or decrypt. The
matching key can only be todecrypt the cipher text. The two
meansto apply encryption in database system are of the one way to
use the encryption options provided by database products and
another way to obtain encryption products form trusted vendors.In
addition, one more approach for a safety connection is practicing
the secured protocols above TCP/IP, for example, the technology of
Ipsec and VPN (Virtual Private Network).

The personal traffic in the course of the public internet by means of

encryption technology can be provided by VPN. In generally,SSL
(secure sockets layer)can be used as another way for cryptography
on top of TCP/IP. Safe and sound web sessions can be obtained by
Netscape. SSL has newly developed into Transport Layer Security
(TLS) that make certain no other invasion may snoop or interfere
with any communication. Utilization of SSL can help to validate and
protect web sessions, but thecomputer itself cannot be safe.

5.3 Web servers

There are dissimilarities in functions of Web programs and common
programs in area of safety. The major reason is safety for Web
application program as the flaw isnot easy to perceive. Web server
that keepsthe external disturbances is located in the middle of the
application server and firewall. It can beapplied as intermediary to
get the data that we approved to be available.

For the time being, the software commonly used in web applications
is CGI (Common Gateway Interface). The web server can do a
different function in easier way as it is uncomplicated. It is user-
friendly as a web page counter. Moreover, for example as reading
the input from the remote user, it can be used as multifarious to
access the input as uncertainty to a local database. CGI precedes
the outcome to the userafter retrieving the database. On the other
hand, it is also risky since CGI scripts permit software applications to
be carried out inside the web server. The well-known language for
CGI scripts is Perl since it is simple to build applications and parse
the input from the user. Nevertheless, Perl can be exploited by
wicked users as it grants some forceful system commands.

The invader can simply demolish the system if CGI was weakly
executed by web server. This may be a huge hazard to the system
as someone can easily eliminate the classified files from Web server
as effortless to contact. To get rid of the intimidations, there are
several ways to prevent these. The CGIscripts should be prohibited
by abuser to write, and the arrangement should be done to CGI
program that can be performedas a single way of directory. It should
also be cautious in writing the CGI script. No more longer usage of
CGI applications such as sample applications should be disposed as
theseare approachabletoWeb server and major intentions for
invaders since older CGI samples havesafetygaps.

Without comprehensive handlings, default settings of Web

application server can be a huge imperfection of the system if the
database system networks with CGI. There need to make sure the
system for which extent of operation is unapproved to the clients
when a use logs into the database. Web serve with verification
methods built in CGI is the most valuable way which means to
prepare a CGI script with login name and password to prevent the
files. By doing this, the files are protected to the web server apart
from readable only. The safety gaps should be checked firmly and
regularly to all the scripts even though these are obtained by self-
developed, downloaded or bought from vendors.

5.4 Firewalls
The major significant layer to slab the external interruption of the
system is Firewalls. Packet filter and proxy server are the twotypes
of firewall mechanism. Theconnected data between the application
and database are divided into packets which consist of much
information in its headers, for examples, sources, destination
address and protocol being used. A number of them are cleanedas
with whichsource addresses are unbelievable to access to the
databases.
The arrangement of firewall should be done to access only one or
few protocolswhich is helpful for application queriessuch as TCP
whereas the other packets are choked-up firmly. Accordingly, the
smallest amountof risks are maintained for the vulnerable system.
Moreover, the ping of fatalloss will be kept systematically if the
firewall is constructed to abandon the approached ICMP demand.

The potential invaders should be marked out by reserving log files at

the firewall. There are two connections inProxy server. The first one
is the connection between cooperation's database and proxy server.
Another one is the connection between proxy servers also provided
the log and audit files.On the other hand, there are very hard to
build up strong firewalls, and also too huge and tough to
investigatethe audit tracks.

5.5 Database server

Database servers are the fundamentals and essentials of greatest
values in each and every sector of Education, Health, Military,
Manpower, Economics, Modern Arts and Sciences, Information
Technology, Electronic Businesses, Financial Institutions, Enterprise
Resource Planning (ERP) System, and even universallycomprised of
sensitive information forbusiness firms, customers, marketers and
all stakeholders.

The functions and purposes of Database servers are highly

depended on the users of their particular intentions for applying the
services provided by the operating systems.Some good safety
practices for Database serversare to:

.
use multiple passwords to access multi-functions of a server such as
using one password to access thesingle system for administration;

apply a different password for another operation;

be audited for each and every transaction of the database;

utilize application specific user name and password and should

never use a default user name or password;
back up the system thoroughly for late recovery in case of
accidentally break down

Allowing knowing the end-user for the name and location of

database is very worthless. In addition, exposing physical location
and name of every database can also be a huge danger to the
system. To cover up these issues, we should better practice the
service names and pseudonyms. The several copies should be done
for the important fileswhich control the accessibility to the database
services. Each and every copy should be also connected to a
meticulous user group. Moreover, themembers of each group should
be allowed to access only the relevant documents concerning them.

6. Conclusion
The institutions, organizations and business firms mainly storedtheir
important information and valuable assets as digital formats in
online related excellent databases. The safety and security issues of
Databasesbecomestrongly an essential role in the modern world for
enterprises.To save from harm of database is to prevent the
companies’untouchableinformation resources and digital
belongings. Database is the multifarious system and very
complicated to handle and difficult to prevent from invaders.

Last, but not the least, database protection is also to be

takensignificantly to the confidentiality, availability and integrity of
the organizations likeother measures of the safety systems. It can
be guarded as diverse natures to cover up. Although auditing is
critical, but analysis is also very tough whilepotential analytical tools
will be an enormous contribution to protect the online rationality of
database system. There should be reinforced to the corporate safety
and security issues.Means of verification and encryption will play the
essential role in modern database precaution and safety system