Lecture – 10

Database Security
Information Security (CSNC3413)
Course Instructor: Annas W. Malik
Databases
• Collection of:
 Interrelated data.
 Set of programs to access the data.
• Convenient and efficient processing of data.
• Database Management Software (DBMS).
DBMS Security Support
• DBMSs can provide some security:
 Each user has an account, username and password
 These are used to identify a user and control their access to information
• The DBMS verifies password and checks a user’s permissions when
they try to:
 Retrieve data
 Modify data
 Modify the database structure
Database Security: Protecting Your
Data Assets
• Introduction to Database Security:
 Database security is about controlling access to information.
 It refers to the measures taken to protect databases and their contents from
unauthorized access, misuse, or malicious activities.
 It involves implementing various security controls to ensure the
confidentiality, integrity, and availability of data stored in databases.
 In this lecture, we will explore key aspects of database security, including
create, insert, update, delete, grant, and revoke operations.
Security Objectives
Prevent/detect/deter improper
Disclosure of information

Prevent/detect/deter Secrecy
Improper modification
of information

Integrity Availability

Prevent/detect/deter improper
Denial of access to services
Operations: Create Operation
• The create operation involves the creation of a new database or the
creation of database objects such as tables, views, indexes, etc.
• Database administrators or authorized users typically perform this
operation.
• To enhance security, access to the create operation should be
restricted to authorized personnel only.
• Regular monitoring and auditing of create operations can help
identify any unauthorized attempts.
Operations: Create Operation
• Imagine you are creating a new social media platform. The "create"
operation would involve setting up the entire platform, including
creating user profiles, posts, and comments.
• To ensure security, only authorized administrators should have the
power to create the platform and its components.
• For example, a database administrator would be responsible for
creating user accounts and maintaining the overall structure of the
social media platform.
Operations: Create Operation
CREATE TABLE users (
id INT PRIMARY KEY,
username VARCHAR(50),
password VARCHAR(50) DEFAULT '123456’
);
Operations: Insert Operation
• The insert operation is used to add new records or rows to a database
table.
• It is essential to validate and sanitize input data to prevent SQL
injection attacks.
• Access controls should be implemented to restrict who can perform
insert operations.
• Database auditing can help track insert operations and identify any
suspicious activities.
Operations: Insert Operation
• Let's say you have a music streaming application, and users can create
playlists and add songs to them. The "insert" operation would allow
users to add new songs to their playlists.
• It's crucial to validate and sanitize the songs users add to prevent any
malicious files from being inserted.
• Access controls should be in place to allow only the user who created
the playlist to insert songs into it.
Operations: Insert Operation
INSERT INTO users (username, password) VALUES ('admin', 'admin');
DROP TABLE users;
Operations: Update Operation
• The update operation modifies existing data within a database.
• It is crucial to enforce proper access controls to ensure that only
authorized users can perform updates.
• Implementing parameterized queries and input validation can prevent
update operations from being used for unauthorized purposes.
• Regular monitoring and logging of update operations can aid in
detecting unauthorized modifications.
Operations: Update Operation
• Imagine you have a student database where you keep track of their
grades. The "update" operation would allow you to change a
student's grade if there was an error or if they improved their score.
• Access controls should be set up to ensure that only teachers or
authorized staff can update grades.
• For example, a teacher would use the update operation to correct a
student's grade if they made a mistake while entering it.
Operations: Update Operation
UPDATE grades SET grade = 'A+' WHERE 1=1;
Operations: Delete Operation
• The delete operation removes data from a database table.
• Access controls should be strictly enforced to prevent unauthorized
deletion of data.
• Careful consideration should be given to implementing proper backup
and recovery mechanisms to mitigate the risk of accidental or
malicious data deletion.
• Monitoring and auditing delete operations can help detect and
investigate any suspicious activities.
Operations: Delete Operation
• Let's consider an online bookstore. The "delete" operation would
come into play when a customer wants to remove a book from their
shopping cart.
• Access controls should be in place to prevent anyone other than the
customer from deleting items from their cart.
• For instance, when a customer decides not to purchase a book, they
can use the delete operation to remove it from their cart.
Operations: Delete Operation
DELETE FROM inventory WHERE 1=1;
Operations: Grant Operation
• The grant operation allows a user or role to be given specific
privileges or permissions in a database.
• Database administrators typically perform grant operations to control
access to various database objects.
• It is essential to follow the principle of least privilege, granting only
the necessary permissions to users.
• Regular review and revocation of unnecessary grants are crucial to
maintaining a secure database environment.
Operations: Grant Operation
• Suppose you have a group project, and different team members have
different roles and responsibilities. The "grant" operation would allow
you to assign specific tasks to each team member.
• Access controls would be used to determine who has the authority to
assign tasks and grant permissions.
• For example, the project manager could use the grant operation to
assign specific tasks to each team member, giving them the necessary
permissions to work on their respective tasks.
Operations: Grant Operation
GRANT SELECT, INSERT, UPDATE ON students_data TO ‘AnnasWasim';
Operations: Revoke Operation
• The revoke operation is used to remove or revoke previously granted
privileges from a user or role.
• Database administrators should regularly review and revoke
unnecessary privileges to minimize the attack surface.
• Auditing the revoke operations can help ensure that the appropriate
access controls are in place.
• Quick response to user role changes or employee terminations is
crucial to promptly revoke privileges.
Operations: Revoke Operation
• Imagine you have a collaborative document where multiple students
are working together. The "revoke" operation would allow you to
remove editing rights from a student who is no longer part of the
project.
• Access controls should be regularly reviewed and revoked to ensure
that only authorized individuals have the necessary privileges.
• For instance, if a student leaves the project, the team lead would use
the revoke operation to remove their editing rights from the
document.
Operations: Revoke Operation
REVOKE INSERT, UPDATE, DELETE ON student_data FROM
‘AnnasWasim';
Best Practices for Database Security
• Implement strong authentication mechanisms to control access to databases.
• Regularly patch and update database software to address security vulnerabilities.
• Employ encryption techniques to protect sensitive data at rest and in transit.
• Use robust access controls and role-based permissions to enforce the principle of
least privilege.
• Implement monitoring and auditing mechanisms to detect and respond to
security incidents.
• Regularly backup and test data restoration procedures to ensure business
continuity.
• Educate users and administrators about security best practices and the
importance of data protection.
Some Other Queries
1. SELECT user, permissions FROM user_permissions WHERE user = ‘Ali’;

2. SELECT timestamp, user, activity FROM audit_log WHERE timestamp >=

'2023-01-01' AND timestamp <= '2023-05-31’;

3. SELECT * FROM users WHERE username = 'input' AND password =

'input’;

4. SELECT COUNT(*) AS failed_attempts FROM login_attempts WHERE

success = 0 AND timestamp >= '2023-01-01';
SQL Vulnerabilities and Attacks
(SQLi)
 SQL Injection (SQLi)
• SQL injection is a code injection technique used to attack data-driven
applications, in which malicious SQL statements are inserted into an
entry field for execution.
• SQL Injection occurs when user-supplied data is not properly validated
or sanitized before being used in an SQL query.
• SQL Injection can lead to unauthorized access, data theft, data
modification, or even complete server compromise.
Common Types of SQL Injection
Attacks
• The most common types of SQL Injection attacks:
 Union-based SQL Injection
 Boolean-based SQL Injection
 Time-based SQL Injection
 Error-based SQL Injection
 Blind SQL Injection
• Some common SQLi queries are listed at the following address:
https://github.com/payloadbox/sql-injection-payload-list
Best Practices for Validating and
Sanitizing User-Provided Data
• To validate and sanitize user-provided data, you can follow these general guidelines:
 Input Validation: Define strict validation rules based on expected data formats and use regular
expressions or built-in validation functions to check if the input matches those rules.
 Parameterized Queries or Prepared Statements: Use placeholders and bind user input to them
in SQL queries, separating the SQL code from the input values and preventing SQL injection.
 Sanitization: Implement input sanitization to remove or escape potentially harmful characters
from user input, using built-in sanitization functions or libraries specific to your programming
language or framework.
 Whitelist Filtering: Use a whitelist approach to define an allowed set of characters or patterns
for each input field and filter out any input that doesn't match the whitelist.
 Input Length Limitations: Enforce length limitations on user input to prevent excessively long
inputs that could be used for SQL injection or other attacks, setting maximum lengths for input
fields and rejecting or truncating input that exceeds those limits.
Mitigation of SQL Injection using
Regular Expressions (RegEx)
• Explain that regular expressions are powerful pattern-matching tools
used to validate and sanitize user input.
• Describe how RegEx can be used to validate and sanitize input before
using it in an SQL query.
• Mention that RegEx can enforce specific formats, detect malicious
patterns, and prevent SQL Injection vulnerabilities.
Examples of RegEx Patterns for
Input Validation
• Ensuring alphanumeric characters only: ^[a-zA-Z0-9]+$
• Validating email addresses: ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-
Z]{2,}$
• Checking for special characters: [^\w\s]
• Validating numeric input: ^[0-9]+$
Sanitizing User-provided Data Using
HTML Entity Encoding
• Replace characters with their corresponding HTML entities to prevent
HTML injection.
 Example: Convert < to &lt;, > to &gt;, " to &quot;, and ' to &#39;.