Database Security & Control

S. Srinivasan, Ph.D.
Professor of CIS
University of Louisville
Outline
• Secure data handling
• Security assessments
• Security policies
• Security audit
• Security controls
• Privacy
• Legal aspects

Srini - ISACA - 11/2/2005 2


Recent Surveys
• Ernst & Young 2003 Global InfoSec
Survey:
– 1400 organizations responded
– InfoSec is of “high importance” for 90%
– “rarely or never calculate ROI” for InfoSec:
60%
– monetary reason for lack of security
investments: 56%



Recent Surveys
• AICPA 2003 survey:
– Information security – top technology issue
– Disaster recovery and Intrusion Detection are in the
top 10
• PricewaterhouseCoopers 2004 survey:
– 8000 senior executives surveyed
– 62 countries represented
– Major highlights:
• Develop strategies for:
– Information security 69%
– Security architecture 66%



Recent Surveys
• CSI/FBI 2005 survey:
– Insider attacks have dropped to 56% from
66% in 2004
– Wireless network abuses have increased to
18% from 17% in 2004
– Web incidents have increased to 95%,
significantly more than 2004



Secure data handling
• Access control
– not a stand-alone component
– coexists with other security services
– works closely with audit control: every granted and every denied access should leave a log record
– at the network layer, routers enforce Access Control Lists (ACLs); the DBMS enforces its own access rules on the data
• Access control types:
– Mandatory Access Control (MAC)
– Discretionary Access Control (DAC)
– Role-based Access Control (RBAC)
MAC
• Access decisions follow a system-wide policy: data carry classification labels, users carry clearances, and neither the data owner nor the user can override the result
• Gives a consistent view of operations: the same label yields the same decision for every user and application
• MAC defines the complete set of allowed accesses; individuals cannot grant anything outside it
• Typical data handled this way:
– Official reports
– Medical records
– Accounting records



DAC
• Provides flexibility in allowing database access: the owner of a table or view decides who may use it (SQL GRANT and REVOKE)
• Protects unstructured work in progress, for which fixed classification labels would be premature
• DAC is enforced using an ACL (or the DBMS grant tables) attached to each object
• Commercial products:
– Secure Sybase
– Trusted Oracle
– Trusted Informix
– SQL Server
• Every SQL DBMS supports DAC; the "Secure" and "Trusted" editions above were multilevel-secure products that added MAC labels on top of the ordinary grants
RBAC
• Ideal for databases used by multiple users for multiple applications
• RBAC is ideal when user access needs change often
• RBAC decouples users from permissions: permissions are granted to roles, and users are placed in roles
• DBAs create roles and assign permissions to roles
• DBAs and others can place users in appropriate roles



RBAC
• Roles can define:
– which individuals are allowed access
– the extent of access to resources for many individuals at once
• Roles can be mutually exclusive: a user may not hold both, which enforces separation of duties
• Permissions assigned to roles change less frequently than permissions assigned to users, so administration scales with the number of roles rather than the number of users
RBAC
• RBAC is policy-neutral: DAC-like or MAC-like policies can be expressed through the way roles are designed
• RBAC supports the following security principles:
– Least privilege
– Separation of duties
• Roles have been part of the SQL standard since SQL:1999 ("SQL3"); the NIST RBAC model became ANSI INCITS 359-2004
• Commercial products:
– Oracle
– SQL Server
• MySQL did not support roles at the time of this talk (2005); roles were added in MySQL 8.0
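The RBAC slides above describe roles, mutually exclusive roles and least privilege in words. The following is an added example, not code from the talk or from any of the products it lists: a small RBAC engine in Python in which permissions attach to roles, users attach to roles, and a declared pair of mutually exclusive roles is refused at assignment time (static separation of duty). The roles, permissions and user names are constructed for the example.

```python
"""Added example (not from the slides): a small RBAC engine with static
separation of duty.

Permissions attach to roles, users attach to roles, and every access check
goes through the roles, so a staffing change is a role assignment rather
than a permission edit.  Two roles can be declared mutually exclusive; a
user already holding one is refused the other.  Roles, permissions and
users below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


@dataclass
class RBAC:
    role_perms: Dict[str, Set[str]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    exclusive: Set[FrozenSet[str]] = field(default_factory=set)

    # --- administration (the DBA's job in the slides) -------------------
    def create_role(self, role: str, *perms: str) -> None:
        self.role_perms[role] = set(perms)

    def add_exclusion(self, role_a: str, role_b: str) -> None:
        """Static separation of duty: nobody may hold both roles."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user: str, role: str) -> bool:
        """Assign a role.  Refused (False) if the role is unknown or if it
        would give the user two mutually exclusive roles."""
        if role not in self.role_perms:
            return False
        held = self.user_roles.setdefault(user, set())
        if any(frozenset((r, role)) in self.exclusive for r in held):
            return False
        held.add(role)
        return True

    def revoke(self, user: str, role: str) -> bool:
        held = self.user_roles.get(user, set())
        if role not in held:
            return False
        held.discard(role)
        return True

    # --- enforcement ----------------------------------------------------
    def permissions_of(self, user: str) -> Set[str]:
        """Union of the permissions of the user's roles.  Least privilege
        comes from keeping roles narrow, not from per-user edits."""
        perms: Set[str] = set()
        for r in self.user_roles.get(user, ()):
            perms |= self.role_perms.get(r, set())
        return perms

    def check(self, user: str, perm: str) -> bool:
        return perm in self.permissions_of(user)


def build_example() -> RBAC:
    """Constructed accounts-payable roles: creating, approving and paying an
    invoice are separate roles, and approver/payer are mutually exclusive."""
    rbac = RBAC()
    rbac.create_role("clerk", "invoice:create", "invoice:read")
    rbac.create_role("approver", "invoice:read", "invoice:approve")
    rbac.create_role("payer", "invoice:read", "payment:issue")
    rbac.create_role("dba", "schema:alter", "audit:read")
    rbac.add_exclusion("approver", "payer")
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "approver")
    rbac.assign("carol", "payer")
    return rbac


if __name__ == "__main__":
    r = build_example()
    print("alice may create invoices:", r.check("alice", "invoice:create"))
    print("alice may approve invoices:", r.check("alice", "invoice:approve"))
    print("bob (approver) also given payer:", r.assign("bob", "payer"))
    print("bob's permissions:", sorted(r.permissions_of("bob")))
```

The separation-of-duty check runs when a role is assigned, not when a permission is used, which is what the slide means by roles being "mutually exclusive": the conflict is prevented structurally rather than caught in the audit log afterwards.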
Multilevel Security
• MLS involves the use of security levels
• User clearances could be at one of:
– Top secret
– Secret
– Confidential
– Unclassified
• Data views and updates are controlled by comparing the user's clearance with the data's classification: a user may read data at or below the clearance ("no read up") and may not write data down to a lower level ("no write down")
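The MAC and MLS slides describe labelled data and clearances abstractly. The following is an added example, not code from the talk or from any labelled DBMS product it names: an in-memory SQLite table whose rows carry a classification label, with the read filter ("no read up") and the write rule (strict "no write down": a subject writes only at its own level) applied inside the SQL statements, and a trigger that refuses any attempt to relabel a row, which is the point that separates MAC from owner-controlled DAC. The level lattice, table and rows are constructed for the example.

```python
"""Added example (not from the slides): multilevel security on a SQLite table.

Every row carries a classification label.  A user with clearance C may read
rows labelled <= C ("no read up") and may update only rows labelled exactly
C (strict "no write down", so a Secret user cannot copy data into an
Unclassified row).  Labels are set by policy: a trigger refuses relabelling
by ordinary users.  Levels, table and rows are constructed for the example.
"""
import sqlite3
from typing import List

# Clearance / classification lattice from the slides, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def build_db() -> sqlite3.Connection:
    """Create an in-memory labelled table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE report (id INTEGER PRIMARY KEY, title TEXT NOT NULL, "
        "label INTEGER NOT NULL CHECK (label BETWEEN 0 AND 3))"
    )
    # MAC: users never change labels.  Only a security-officer procedure
    # (not shown) would drop and recreate this trigger.
    conn.execute(
        "CREATE TRIGGER no_relabel BEFORE UPDATE OF label ON report "
        "BEGIN SELECT RAISE(ABORT, 'labels are assigned by policy'); END"
    )
    conn.executemany(
        "INSERT INTO report (id, title, label) VALUES (?, ?, ?)",
        [
            (1, "cafeteria menu", LEVELS["Unclassified"]),
            (2, "quarterly accounts", LEVELS["Confidential"]),
            (3, "merger plan", LEVELS["Secret"]),
            (4, "source identities", LEVELS["Top Secret"]),
        ],
    )
    conn.commit()
    return conn


def read_reports(conn: sqlite3.Connection, clearance: str) -> List[str]:
    """No read up: the filter is part of the query, so rows above the
    clearance never leave the engine."""
    rows = conn.execute(
        "SELECT title FROM report WHERE label <= ? ORDER BY id",
        (LEVELS[clearance],),
    ).fetchall()
    return [title for (title,) in rows]


def update_title(conn: sqlite3.Connection, clearance: str,
                 report_id: int, new_title: str) -> bool:
    """Strict no-write-down: the subject writes only at its own level.  The
    label predicate is part of the UPDATE, so a write to a row at any other
    level matches zero rows.  Returns True if a row was changed."""
    cur = conn.execute(
        "UPDATE report SET title = ? WHERE id = ? AND label = ?",
        (new_title, report_id, LEVELS[clearance]),
    )
    conn.commit()
    return cur.rowcount == 1


def try_relabel(conn: sqlite3.Connection, report_id: int,
                new_label: str) -> bool:
    """Attempt a discretionary relabel; under MAC the trigger refuses it.
    Returns True only if the relabel succeeded."""
    try:
        conn.execute("UPDATE report SET label = ? WHERE id = ?",
                     (LEVELS[new_label], report_id))
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        conn.rollback()
        return False


if __name__ == "__main__":
    db = build_db()
    for level in LEVELS:
        print(f"{level:13s} sees {read_reports(db, level)}")
    print("Secret user edits Secret row:", update_title(db, "Secret", 3, "merger plan v2"))
    print("Secret user edits Unclassified row:", update_title(db, "Secret", 1, "leak"))
    print("relabel Top Secret row down:", try_relabel(db, 4, "Unclassified"))
```

Real labelled DBMSs (and row-level security features in current products) do the same thing inside the engine; the reason the predicate must be part of the statement rather than applied in application code is that any path that fetches rows first and filters afterwards has already leaked them to the process.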
Security Assessments

[Figure: security assessment process] Source: Chris Buechler, Strothman & Co.



Security Assessments
• Vulnerability scanning
– Nessus (www.nessus.org)
• Intrusion detection
– Snort (www.snort.org), a network IDS rather than a scanner
• Security scanning and penetration testing
– Ethereal (www.ethereal.com), a packet analyser used to inspect the traffic these tests generate; the project continues as Wireshark
• Risk assessment
– NIST SP 800-30 (www.nist.gov)



Risk Assessment

[Figure: risk assessment process] Source: GAO, Accounting and Information Management Division, 1999



Security Assessments
• Security auditing
– ISO 17799 (since renumbered ISO/IEC 27002)
– ISACA
• Ethical hacking
– What can an intruder see on the target systems?
– What can an intruder do with that information?
– Does anyone at the target notice the intruder's attempts or successes?



Security Assessments
• Garfinkel and Spafford mention that ethical
hackers want to know:
– What are you trying to protect?
– What are you trying to protect against?
– How much time, effort, and money are you
willing to expend to obtain adequate
protection?



Security Assessments
• Posture assessment & security testing
– Involves management commitment
– All aspects of security
• Physical security
• Network security
• Database security
• Encryption



Current Status
• Global Security Consortium (GSC) formed
– Members include the big four accounting firms
and AIG International
• GSC is developing a concept called Risk
Preparedness Index (RPI)
• RPI aims to quantitatively measure and
rate a company’s cyber-risk preparedness



Security Policies
• Does everyone in the organization know the security policies?
• Most of the time the answer is NO
• Customer thinks: what is not explicitly prohibited is permitted (default allow)
• Organization thinks: what is not explicitly permitted is prohibited (default deny)
• Controls should implement the second reading: a request that matches no explicit rule is refused



Security Policies
• Access control
• Data backup and recovery
• Disaster recovery
• Contingency planning
• Business continuity



Security Audit
• Security logs
– Remote logging: ship events to a separate collector so a compromised host cannot erase its own trail
– Printer logging: an append-only paper record that cannot be rewritten after the fact
– Cryptographic technology: hash chains or signatures that make edits and deletions detectable
• Data reduction: filter and summarize so that the events that matter actually get reviewed
• Checklists

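The Security Audit slide lists "cryptographic technology" for logs without saying what it does. The following is an added example, not code from the talk: a tamper-evident audit trail built as a keyed hash chain in Python, where each entry's HMAC covers its sequence number, the previous entry's tag and its own record, so that editing, deleting or reordering any entry is detected from that point on. The collector key and the sample database audit events are constructed for the example.

```python
"""Added example (not from the slides): a tamper-evident audit trail built
from a keyed hash chain.

Each entry's tag is an HMAC over its sequence number, the previous entry's
tag and the entry's record, so editing, deleting, inserting or reordering
any entry breaks verification from that point on.  The key belongs to the
remote log collector, not to the database host that emits the events; an
attacker with root on the database server can stop new events but cannot
rewrite history undetected.  Key and sample events are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

COLLECTOR_KEY = b"constructed-example-key"  # in practice from the collector's HSM/KMS
GENESIS = "0" * 64                         # tag "before" the first entry


def _canonical(record: Dict) -> bytes:
    """Stable serialisation so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(seq: int, prev_tag: str, record: Dict) -> str:
    msg = f"{seq}|{prev_tag}|".encode() + _canonical(record)
    return hmac.new(COLLECTOR_KEY, msg, hashlib.sha256).hexdigest()


def append(chain: List[Dict], record: Dict) -> Dict:
    """Append a record, chaining it to the previous entry's tag."""
    seq = len(chain)
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": seq, "record": record, "tag": _tag(seq, prev, record)}
    chain.append(entry)
    return entry


def verify(chain: List[Dict]) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None
    if the whole chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(i, prev, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    return None


def build_sample_chain() -> List[Dict]:
    """Constructed database audit events of the kind a DBMS audit facility
    would ship to the collector."""
    chain: List[Dict] = []
    append(chain, {"user": "dba1", "action": "LOGIN", "host": "10.0.0.5"})
    append(chain, {"user": "dba1", "action": "GRANT",
                   "stmt": "GRANT SELECT ON payroll TO analyst"})
    append(chain, {"user": "app", "action": "SELECT", "table": "payroll", "rows": 1200})
    append(chain, {"user": "dba1", "action": "LOGOUT"})
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact chain, first bad entry:", verify(log))
    log[1]["record"]["stmt"] = "GRANT SELECT ON calendar TO analyst"  # cover the tracks
    print("after editing entry 1, first bad entry:", verify(log))
    log = build_sample_chain()
    del log[1]
    print("after deleting entry 1, first bad entry:", verify(log))
```

One limit worth knowing: chopping entries off the end of the chain is not detected by the chain alone, because the remaining prefix is still valid. That is why the collector should also keep its own count of entries received, or periodically anchor the latest tag somewhere the database host cannot reach.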


Security Controls
• Anti-virus software
• IDS/IPS
• Biometrics



Privacy
• Overlaying one database over another and
extracting information could violate privacy
laws
• Database marketing techniques could
violate people’s privacy
• Tradeoff between utility of a database and
privacy it affords based on stored data
• Direct marketing industry is worth $600 B
Privacy
• In Iceland and in U.S., laws support ‘opt
out’ feature for privacy
• In England and Estonia, laws support ‘opt
in’ feature for privacy
• ‘opt out’ feature disadvantages dead
people when it comes to privacy of
information



Privacy
• Canadian law permits storing DNA
information about citizens in a database
• Law enforcement in Canada has collected
DNA information for 7 years now
• DNA databanks are in use in United
States, Germany, Britain, Norway, Finland,
Belgium, and Denmark



Legal Aspects
• HIPAA
• Gramm-Leach-Bliley Act
• Sarbanes-Oxley Act
• USA PATRIOT Act
• Databases are considered compilations and as such are protected by copyright law



Legal Aspects
• U.S. standard for legal protection of a compilation is originality in the selection or arrangement of the data (Feist Publications v. Rural Telephone, 1991); the facts themselves are not protected
• "Sweat of the brow" argument rejected by the Supreme Court in the same case
• Recent British court ruling on the British Horse Racing industry supported the "sweat of the brow" argument for database ownership



References
• Ron Ben-Natan, "Implementing Database Security and Auditing," Elsevier, 2005, ISBN 1-55558-334-2
• Hassan Afyouni, "Database Security and Auditing," Course Technology, 2006, ISBN 0-619-21559-3
• B. Thuraisingham, "Database and Applications Security," Auerbach Publications, 2005, ISBN 0-8493-2224-3
References
• C. Andrews et al., "SQL Server Security," McGraw-Hill/Osborne, 2003, ISBN 0-07-222515-7
• Open Source Security Testing Methodology Manual (OSSTMM) 2.1.1, http://isecom.securenetltd.com/osstmm.en.2.1.1.pdf
• World Privacy Forum, http://www.worldprivacyforum.org/
• ISACA, http://www.isaca.org



References
• Privacy laws of all 50 states, http://www.epic.org/privacy/consumer/states.html
• Database of privacy policies, http://www.pandab.org/privacydbrelease.html
• R. S. Sandhu and P. Samarati, "Access Control: Principles and Practice," IEEE Communications Magazine, Vol. 32, Sept. 1994, pp. 40-48



References
• R. S. Sandhu et al., "Role-Based Access Control Models," IEEE Computer, Vol. 29, Feb. 1996, pp. 38-47
• Risk Assessment (GAO), http://www.gao.gov/special.pubs/ai00033.pdf
• S. Garfinkel and E. Spafford, "Practical UNIX & Internet Security," O'Reilly & Associates, 1996
