Database Security
CT069-3-3-DBS (VE1.0)
Topic 2
Operating System and Security Principles
Topic Learning Outcomes
At the end of this topic, you should be able to:
1. Explain the OS security concepts
2. Explain the steps and process in OS deployment planning
3. Explain the scope of OS security maintenance
Module Code & Module Title Slide Title SLIDE 2
Recap From Last Lesson
• What are vulnerability, threat and risk?
Recap - Definitions
• Vulnerability
– Weakness in the system that makes the data vulnerable to
• unauthorized access
• manipulation or destruction by authorized/unauthorized parties
• Threat
– Security attack that can happen at any time because of security
vulnerabilities
• Risk
– Damage that can happen if the threat attack happens
Recap - Vulnerability Access Points
Recap - DB Security Threats & Risks
Threats | Explanation | Risks
Unauthorized Access / Social Engineering Attack | Access by persons that should NOT have access to the system and data | Data Theft – data is stolen
Insider Threat / Privilege Abuse | Intentional unlawful activity performed by employees with legitimate access to the system and data | Data Leakage – data is intentionally exposed to other parties
Human Error | Unintentional mistakes or unlawful activity performed by employees with legitimate access to the system and data | Data Corruption – data becomes unusable (partially or fully)
Hardware failure | Failure of computing, network or storage devices | Data Corruption or Data Unavailable (temporary or permanent)
Recap - DB Security Threats & Risks
Threats | Explanation | Risks
Denial of Service Attack | Intentional activities that jam up the system to a level that it stops functioning | Data Unavailable (temporary)
SQL Injection | Illegitimate access or manipulation of data | Data Stolen or Data Corruption
Ransomware Attack | Computer malware that is used to hijack data ownership | Data Unavailable (temporary or permanent)
Operating System or Application bug | Software malfunction that results in accidental data corruption or deletion | Data Unavailable (permanent)
Computer virus | Computer malware that is used to corrupt the data | Data Unavailable (permanent)
This lecture - Contents & Structure
• CIA Triad – Confidentiality, Integrity and Availability
• OS security concepts and principles
• OS deployment planning and maintenance
• Application Security
• Windows Security
• Visualization security risk and issues.
CIA Triad
The CIA triad consists of three principles that form the core pillars of
information security and are essential for protecting data and systems.
CIA Triad
• The CIA triad serves as a framework for designing and
implementing security measures to safeguard information assets.
• It helps organizations assess risks, identify vulnerabilities, and
implement appropriate controls to protect the confidentiality,
integrity, and availability of their data and systems.
• The CIA triad provides a simple yet comprehensive high-level
checklist for the evaluation of your security procedures and tools. An
effective system satisfies all three components: confidentiality,
integrity, and availability.
Confidentiality, Integrity and Availability
Confidentiality:
• This principle ensures that data is
accessible only to authorized individuals or
systems.
• It involves measures such as encryption,
user authentication and access controls to
prevent unauthorized access to sensitive
information.
Confidentiality, Integrity and Availability
Integrity:
• Integrity ensures that data remains accurate, complete,
and unaltered.
• It involves protecting data from unauthorized
modifications, whether intentional or accidental,
throughout its lifecycle.
• Techniques such as built-in integrity controls, access
controls, hashing/checksums and audit trails help
maintain data integrity.
Confidentiality, Integrity and Availability
Availability:
• Availability ensures that data and systems are accessible and
usable by authorized users when needed.
• It involves measures to prevent and mitigate disruptions, such
as hardware failures, cyberattacks, or natural disasters,
ensuring that services remain operational.
• Techniques used are backups/restores of data, and securing and
controlling physical and remote access to the systems
(hardware, OS, DBMS, data).
C.I.A – Summary
What?
Confidentiality
• Data loss can cause huge monetary and image loss.
• Information is safe from accidental or intentional unauthorized disclosure.
• Keeping the identity of authorized parties involved in sharing and holding data private and anonymous.
Integrity
• Data only has value if it is accurate.
• Information is safe from accidental modification or intentional unauthorized modification.
• It is a requirement that information and programs are changed only in a specified and authorized manner.
Availability
• Data only has value if the right people can access it at the right time.
• Information is available to the authorized users when needed.
How?
Confidentiality
• Permission Control (Authentication & Authorization)
• Encryption
– Database, Column, Backup
– Symm, Asymm, Cert, Pwd
• Hashing
Integrity
• Good database design & implementation – constraints (entity, relationships, data type, data length, valid values, default values etc)
• Trigger (protection, auditing)
• Auditing (what happened or
Availability
• Backup – up-to-date backups in external location to protect against theft or destruction
• Access control – limit users & timing to ensure server is in optimal condition
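The integrity column of the summary names constraints, triggers and hashing/checksums as the "how". The following added example (not from the slides; the table, column and trigger names are assumptions, and the rows are constructed) puts all three on one SQLite table: a CHECK constraint rejects invalid values at write time, a SHA-256 checksum stored with each row lets a periodic verification detect changes that bypassed the application, and an AFTER UPDATE trigger writes an audit trail regardless of which path issued the change.

```python
"""Integrity controls from the C.I.A. summary applied to a small inventory table:
a CHECK constraint (built-in control), a per-row SHA-256 checksum so silent
tampering is detectable, and a trigger that writes an audit trail of every change.
Added example with constructed data; table, column and trigger names are assumptions."""
import hashlib
import sqlite3


def row_checksum(name: str, qty: int, price: str) -> str:
    """Checksum over a canonical string form of the row's business fields."""
    return hashlib.sha256(f"{name}|{qty}|{price}".encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE item (
            id       INTEGER PRIMARY KEY,
            name     TEXT    NOT NULL,
            qty      INTEGER NOT NULL CHECK (qty >= 0),  -- built-in integrity control
            price    TEXT    NOT NULL,
            checksum TEXT    NOT NULL                    -- hash of name|qty|price
        );
        CREATE TABLE item_audit (
            audit_id   INTEGER PRIMARY KEY,
            item_id    INTEGER,
            action     TEXT,
            old_qty    INTEGER,
            new_qty    INTEGER,
            changed_at TEXT DEFAULT CURRENT_TIMESTAMP
        );
        -- Auditing trigger: every UPDATE leaves a trace, whichever path issued it.
        CREATE TRIGGER item_update_audit AFTER UPDATE ON item
        BEGIN
            INSERT INTO item_audit (item_id, action, old_qty, new_qty)
            VALUES (OLD.id, 'UPDATE', OLD.qty, NEW.qty);
        END;
    """)
    return conn


def insert_item(conn: sqlite3.Connection, name: str, qty: int, price: str) -> None:
    conn.execute(
        "INSERT INTO item (name, qty, price, checksum) VALUES (?, ?, ?, ?)",
        (name, qty, price, row_checksum(name, qty, price)),
    )
    conn.commit()


def update_qty(conn: sqlite3.Connection, item_id: int, new_qty: int) -> None:
    """The sanctioned change path: data and checksum are updated together."""
    name, price = conn.execute(
        "SELECT name, price FROM item WHERE id = ?", (item_id,)
    ).fetchone()
    conn.execute(
        "UPDATE item SET qty = ?, checksum = ? WHERE id = ?",
        (new_qty, row_checksum(name, new_qty, price), item_id),
    )
    conn.commit()


def verify_all(conn: sqlite3.Connection) -> list:
    """Return ids of rows whose stored checksum no longer matches their contents."""
    bad = []
    for item_id, name, qty, price, stored in conn.execute(
        "SELECT id, name, qty, price, checksum FROM item"
    ):
        if row_checksum(name, qty, price) != stored:
            bad.append(item_id)
    return bad


def negative_qty_accepted(conn: sqlite3.Connection) -> bool:
    """Show that the CHECK constraint rejects an invalid quantity."""
    try:
        conn.execute(
            "INSERT INTO item (name, qty, price, checksum) VALUES ('bad', -1, '1.00', 'x')"
        )
        return True
    except sqlite3.IntegrityError:
        return False


def demo() -> tuple:
    conn = build_db()
    insert_item(conn, "widget", 10, "2.50")
    insert_item(conn, "gadget", 3, "19.99")
    update_qty(conn, 1, 8)  # proper update: fresh checksum plus an audit row
    # A change made outside the application path (e.g. an ad-hoc UPDATE by an
    # account that should not have it): the trigger still records it, and the
    # stale checksum lets the periodic verification flag the row.
    conn.execute("UPDATE item SET qty = 999 WHERE id = 2")
    conn.commit()
    audit_rows = conn.execute(
        "SELECT item_id, old_qty, new_qty FROM item_audit ORDER BY audit_id"
    ).fetchall()
    return verify_all(conn), audit_rows, negative_qty_accepted(conn)


if __name__ == "__main__":
    print(demo())
```

Running the demo returns the list of rows whose checksum failed (only the row changed outside the application), both changes in the audit trail, and False for the rejected negative quantity. The checksum covers business fields only, so it detects tampering with the data but not with the audit table itself; in practice the audit table is written to a separate, append-only store.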
Operating System Security Concepts
• The operating system is one of the most critical components in the
information system security landscape
• Almost all software and programs run on top of an OS, and that
includes the RDBMS
• Some software relies on the proper behavior of underlying hardware such
as the CPU, RAM and peripheral devices, over which the OS has ultimate
control
• Because of the complexity of a modern-day OS, securing it is not
an easy task.
• At a high conceptual level, the goals of securing an OS environment
are still bound to the C.I.A. principles.
What is an OS ?
• An operating system (OS) is system software that, after being
initially loaded into memory, manages the computer hardware
and networking resources and provides common services to
computer programs and users.
• The application programs make use of the operating system by
making requests for services through a defined application program
interface (API).
• In addition, users can interact directly with the operating system
through a user interface, such as a command-line interface (CLI) or
a graphical UI (GUI).
Operating System Layers
• OS Security Layers
Layers in an Operating System:
– User Applications and Utilities
– Operating System Kernel
– Physical Hardware
• Each layer needs to handle its respective security services
• Each layer is vulnerable to attack from below if the lower layers are not
secured appropriately
OS Hardening Measures
• OS hardening is one of the top security mitigation strategies
• Over 70% of targeted cyber intrusions can be prevented by the following
4 measures, according to the Australian Defence Signals
Directorate (DSD), 2010:
– white-list approved applications
– patch third-party applications and OS vulnerabilities
– restrict admin privileges to users who need them
– create a defense-in-depth*
* Strategy that leverages multiple security measures to secure an
information system environment
OS Security Principles
• OS Security
– The process of ensuring OS CIA: the operating system (OS) stays
protected from intruders (hackers) and malicious computer
software (viruses, worms, malware etc)
– This is to ensure confidentiality, integrity and availability (CIA) of
the hardware resources, software and data that reside in the
computer that is running the OS
• Principles
– Rules to follow
– Practice guidelines
OS Security Principles
• To address the vulnerabilities and better protect our data, we
need to adopt and apply IS and OS security principles
• In other words, a good security architecture implements a
good set of security principles
• Security principles provide guidelines on how we develop,
implement and operate IS components so that they are highly secure
Security Principles
• Economy of mechanism
– This basically means keep your system as simple as possible.
Simpler systems have fewer bugs and are easier to debug and
protect.
– Only install or enable software or services that are required
initially
– If additional packages are needed later, they can be installed
when they are required
Security Principles
• Integrity
– Assurance that the software and data that we have are accurate
(up-to-date, not illegally modified etc)
– All data are added and updated by authorised persons or
systems according to proper procedures
– Audit trail - We can trace all changes to data from the
time it was acquired to even after it was disposed of (timeline
subject to laws etc).
– Continuous monitoring to ensure there is no security breach
Security Principles
• Least privilege
– Give a user the minimum privileges required to perform their
work. The more privileges you give to a party, the greater the
danger that they will abuse those privileges or mistakenly cause
more damage.
Note: Not all users with access to a system will have the same access to all data
and resources on that system. Elevated privileges should be restricted to only
those users that require them only when they are needed to perform a task
Security Principles
• Confidentiality
– Permission control – authentication and authorization
– Encryption to protect the data on transit or at rest
– Data hiding (SQL Views)
Data Exposure Levels:
Three-Level Architecture to support the principles of
least privilege and confidentiality
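The external level of the three-level architecture is where data hiding with SQL views (listed under Confidentiality above) meets least privilege: each role is given exactly the views it needs and never the base table. The following added example (not from the slides; the table, view and role names are assumptions, and the customer rows are constructed) builds three views over one customer table: one that omits the card column entirely, one that masks it to the last four digits, and one that restricts rows to a region. SQLite has no GRANT statement, so a role-to-view allow-list in the application stands in for the privilege table a full DBMS would enforce with GRANT SELECT ON view TO role.

```python
"""Data hiding with SQL views (external level of the three-level architecture).
Added example with constructed data; table, view and role names are assumptions."""
import sqlite3

# Least privilege expressed as an allow-list: each role sees exactly the views it needs.
# A full DBMS would enforce this with GRANT SELECT ON <view> TO <role>; SQLite has no
# GRANT, so this map stands in for the engine's privilege table in the demo.
ROLE_VIEWS = {
    "support": {"v_support"},
    "billing": {"v_billing"},
    "analyst_north": {"v_north"},
}


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        -- Conceptual/internal level: the base table holds every column, including the
        -- card number that most roles must never see.
        CREATE TABLE customer (
            id INTEGER PRIMARY KEY, name TEXT, email TEXT, card_number TEXT, region TEXT);
        -- Constructed sample rows (card numbers are well-known test values, not real cards)
        INSERT INTO customer VALUES
            (1, 'Ana', 'ana@example.com', '4111111111111111', 'north'),
            (2, 'Ben', 'ben@example.com', '5500000000000004', 'south');
        -- External level 1: support sees contact data; the card column is simply absent.
        CREATE VIEW v_support AS SELECT id, name, email, region FROM customer;
        -- External level 2: billing gets a masked card, never the full value.
        CREATE VIEW v_billing AS
            SELECT id, name, '****' || substr(card_number, -4) AS card_last4 FROM customer;
        -- External level 3: a regional analyst sees only the rows for their region.
        CREATE VIEW v_north AS SELECT id, name, region FROM customer WHERE region = 'north';
    """)
    return conn


def can_read(role: str, view: str) -> bool:
    """Authorization decision: deny unless the role is explicitly mapped to the view."""
    return view in ROLE_VIEWS.get(role, set())


def query_as(conn: sqlite3.Connection, role: str, view: str) -> list:
    """Run SELECT * on a view on behalf of a role, returning rows as dicts."""
    if not can_read(role, view):
        raise PermissionError(f"role {role!r} may not read {view}")
    # The view name was validated against the allow-list above, so interpolating it is safe.
    cur = conn.execute(f"SELECT * FROM {view}")
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def demo() -> dict:
    conn = build_db()
    return {
        "support": query_as(conn, "support", "v_support"),
        "billing": query_as(conn, "billing", "v_billing"),
        "analyst_north": query_as(conn, "analyst_north", "v_north"),
    }


if __name__ == "__main__":
    for role, rows in demo().items():
        print(role, rows)
```

The point of routing every read through a view is that the hiding happens in the database, not in application code that can be bypassed: a support user who somehow obtains a query tool still cannot name card_number, because the only object their role can read does not contain it.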
Security Principles
• Fail-safe defaults
– Default to security, not insecurity. If policies can be set to
determine the behavior of a system, have the default for those
policies be stricter (more secure), not less.
• Separation of duty and privilege
– Require separate authentications to perform critical actions -
such as a user account to access email and an admin account to
manage the database
Security Principles
• Acceptability
– If your highly secured system is difficult to use, then it will be
abandoned or avoided, and you will not achieve your goal
• Complete mediation
– It means that each action that is taken or allowed to take place
must be checked against all the security policies every single time
the action is taken
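Fail-safe defaults and complete mediation are easiest to see side by side with their opposites. The following added example (not from the slides; the roles, actions and resource names are constructed) contrasts an "allowed unless denied" check with a "denied unless allowed" one, and a session that caches its authorization decision at login with one that re-evaluates the policy on every access. Revoking the privilege mid-session shows why the cached decision violates complete mediation.

```python
"""Fail-safe defaults and complete mediation on a toy authorization layer.
Added example, not from the slides; the roles, actions and resource names are constructed."""


class Authorizer:
    """Policy store with a fail-safe default: only explicit allow rules grant access."""

    def __init__(self) -> None:
        self._allows = set()  # (role, action, resource) triples that are permitted

    def grant(self, role: str, action: str, resource: str) -> None:
        self._allows.add((role, action, resource))

    def revoke(self, role: str, action: str, resource: str) -> None:
        self._allows.discard((role, action, resource))

    def is_allowed(self, role: str, action: str, resource: str) -> bool:
        return (role, action, resource) in self._allows


def fail_open_is_allowed(denies: set, role: str, action: str, resource: str) -> bool:
    """Counter-example of an insecure default: 'allowed unless explicitly denied'.
    A resource nobody remembered to put on the deny list is reachable by every role."""
    return (role, action, resource) not in denies


class CachedSession:
    """Anti-pattern: the check runs once at login and its answer is reused, so a
    privilege revoked later in the session is never noticed."""

    def __init__(self, authz: Authorizer, role: str) -> None:
        self.role = role
        self.can_read_salary = authz.is_allowed(role, "read", "salary")

    def read_salary(self, table: dict) -> int:
        if not self.can_read_salary:
            raise PermissionError(self.role)
        return table["salary"]


class MediatedSession:
    """Complete mediation: every access re-evaluates the policy at the time it happens."""

    def __init__(self, authz: Authorizer, role: str) -> None:
        self.authz = authz
        self.role = role

    def read_salary(self, table: dict) -> int:
        if not self.authz.is_allowed(self.role, "read", "salary"):
            raise PermissionError(self.role)
        return table["salary"]


def demo() -> dict:
    table = {"salary": 5000}  # constructed sample data
    authz = Authorizer()
    authz.grant("hr", "read", "salary")
    cached = CachedSession(authz, "hr")
    mediated = MediatedSession(authz, "hr")
    authz.revoke("hr", "read", "salary")  # privilege withdrawn mid-session

    results = {"cached_after_revoke": cached.read_salary(table)}  # stale decision: still 5000
    try:
        mediated.read_salary(table)
        results["mediated_after_revoke"] = "allowed"
    except PermissionError:
        results["mediated_after_revoke"] = "denied"

    # A role that was never configured at all:
    results["unlisted_fail_open"] = fail_open_is_allowed(set(), "intern", "read", "salary")
    results["unlisted_fail_safe"] = authz.is_allowed("intern", "read", "salary")
    return results


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to a DBMS: privileges are checked by the engine on each statement, not once per connection, which is why revoking a grant takes effect for statements issued after the REVOKE even on an open session.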
Security Principles
• Availability
– Access control – control how many users can access at a
certain time, when system can be accessed etc
– Ensuring system/data is available to authorized users anytime
they need it without any interruptions
• Password Policies
– A good password policy is the first line of defense against
unwanted access to an operating system.
– In most cases hackers utilize tools that use the dictionary
method to crack passwords. These tools use permutations of
words in the dictionary to guess the password.
Security Principles
• Proper and Continuous Validation Done
– All setups, configurations and changes in the environments must
be properly tested/validated
– Testing should include functionality and security aspects to
ensure no new loopholes are created
– If failed, changes must be properly and fully reversed, and the
environment must be retested to ensure no loopholes are left
behind
What Is a Password Policy?
• Set of guidelines:
– Enhances the robustness of a password
– Reduces the likelihood of password breaking
• Deals with:
– Complexity
– Change frequency
– Reuse
Importance of Password Policy
• First line of defense
• Most companies invest considerable resources to strengthen
authentication by adopting technological measures that protect their
assets
• Forces employees to abide by the guidelines set by the company
and raises employee awareness of password protection
• Helps ensure that a company does not fail audits and/or become an
easy target for hackers
Characteristics of Password Policy (Windows)
Characteristics of Password Policy (Windows) –
Account Lockout
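The three things a password policy deals with (complexity, change frequency, reuse) and the account lockout characteristic named on the Windows slides can all be expressed as checks against a stored account record. The following added example (not from the slides; the policy values, user name and sample passwords are constructed) keeps only salted PBKDF2 hashes of the current and previous passwords, rejects a new password that is too simple or matches any remembered hash, forces a change after a maximum age, and locks the account for a fixed window after repeated failed logins, refusing even the correct password while the lock is in effect.

```python
"""Password policy checks (complexity, change frequency, reuse) and account lockout
after repeated failures. Added example, not from the slides; the policy values,
user name and sample passwords are constructed."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

POLICY = {
    "min_length": 12,          # complexity: minimum length
    "require_classes": 3,      # complexity: lower/upper/digit/symbol classes required
    "max_age_days": 90,        # change frequency: force a change after this many days
    "history": 5,              # reuse: remember this many previous password hashes
    "lockout_threshold": 5,    # account lockout: failures before the account locks
    "lockout_minutes": 15,     # account lockout: how long the lock lasts
}
# Lowered so the demo runs quickly; tune much higher (or use a dedicated password
# hash such as Argon2) in production.
PBKDF2_ITERATIONS = 100_000


def complexity_ok(password: str, policy: dict = POLICY) -> bool:
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    return len(password) >= policy["min_length"] and classes >= policy["require_classes"]


class Account:
    def __init__(self, username: str, password: str, now: datetime, policy: dict = POLICY) -> None:
        self.username = username
        self.policy = policy
        self.history = []           # (salt, hash) pairs, newest last; plaintext is never stored
        self.last_changed = now
        self.failed_attempts = 0
        self.locked_until = None
        self._store(password)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, self._hash(password, salt)))
        self.history = self.history[-self.policy["history"]:]

    def _reused(self, password: str) -> bool:
        return any(hmac.compare_digest(self._hash(password, s), h) for s, h in self.history)

    def change_password(self, new_password: str, now: datetime) -> str:
        if not complexity_ok(new_password, self.policy):
            return "rejected: complexity"
        if self._reused(new_password):
            return "rejected: reuse"
        self._store(new_password)
        self.last_changed = now
        return "changed"

    def expired(self, now: datetime) -> bool:
        return now - self.last_changed > timedelta(days=self.policy["max_age_days"])

    def login(self, password: str, now: datetime) -> str:
        if self.locked_until is not None and now < self.locked_until:
            return "locked"          # no hash comparison while locked
        salt, stored = self.history[-1]
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.failed_attempts = 0
            return "expired" if self.expired(now) else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy["lockout_threshold"]:
            self.locked_until = now + timedelta(minutes=self.policy["lockout_minutes"])
            self.failed_attempts = 0
            return "locked"
        return "bad password"


def demo() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("dba_alice", "Correct-Horse-42", t0)
    out = {}
    out["weak_rejected"] = acct.change_password("password1", t0)
    out["reuse_rejected"] = acct.change_password("Correct-Horse-42", t0)
    out["good_change"] = acct.change_password("Battery-Staple-77!", t0)
    out["login_ok"] = acct.login("Battery-Staple-77!", t0)
    result = ""
    for _ in range(POLICY["lockout_threshold"]):
        result = acct.login("not-the-password", t0)
    out["after_failures"] = result
    out["right_password_while_locked"] = acct.login("Battery-Staple-77!", t0 + timedelta(minutes=1))
    out["after_lockout_window"] = acct.login("Battery-Staple-77!", t0 + timedelta(minutes=16))
    out["after_max_age"] = acct.login("Battery-Staple-77!", t0 + timedelta(days=91))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lockout counter is the defensive answer to the dictionary attack described under Password Policies: each guess costs the attacker a slow PBKDF2 computation on the server, and after the threshold no further guesses are evaluated for the lock window, so the number of permutations that can be tried against one account is bounded.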
Security Architecture
What is a Security Architecture?
A Security Architecture refers to an integrated set of tools, procedures,
principles and roles/user management which is developed and deployed to
protect the system from unauthorized access, modification or destruction.
Security Architecture
• People/Roles – players in the system
– Management
– DBA
– Users
– Customers
What are their roles and responsibilities? What can they do? What can they
not do? Who manages the users? etc.
• Procedures – how to do things in this system
– Must separate web and database servers
– Take backup every night
– Users must be authenticated using 2FA authentication
• Tools – what are the technologies that we can use to achieve high-level security? What
devices or software are allowed or prohibited from being used? etc.
– Use only the latest version of browser, OS, application
– Old versions not allowed and must be un-installed
– Cannot use thumb drive
DB Security Architecture
Steps to build and ensure database security
• Identification: Identify and investigate resources required and policies to be
adopted.
• Assessment: Analyze the system’s vulnerabilities, threats, and risks.
• Design: Design how security measures are implemented, which results in a
blueprint of the adopted security model that is used to enforce security.
• Implementation: Develop or purchase applications and tools to
implement the blueprint.
• Test and Evaluation: Evaluate the security implementation by testing the
system against typical software attacks, hardware failures, natural
disasters, and human errors.
• Auditing: Perform security audits periodically to ensure the security state of
the system is as expected.
Security Maintenance
• The process of maintaining security is continuous
• Security maintenance includes:
– Monitoring and analyzing logging information
– Performing regular backups
– Recovering from security compromises
– Regularly testing system security
– Using appropriate software maintenance processes to patch and update all critical
software, and to monitor and revise configuration as needed
Discussion
• What is the importance of security principles ?
• List 5 security principles
Summary / Recap of Main Points
• Importance of Operating System Security
• Security principles as guidelines
• Security principles : Economy of mechanism,
Integrity, Least privilege, Confidentiality, Fail-safe
defaults, Separation of duty and privilege,
Acceptability, Complete mediation, Availability,
Password Policies, Proper and Continuous Validation
Done
What To Expect Next Week
In Class:
• Data Obfuscation
Preparation for Class:
• Read about encryption, hashing, SQL view