Database Security and Auditing: Protecting Data

Confidentiality, Integrity, and Accessibility

Chapter 6(2)
Auditing Database Systems
Introduction
 Security violations and attacks are increasing globally at an
annual average rate of 20%.
 Database Administrator (DBA) has the following responsibilities:
Often work with developers to design and implement new
security policies to protect the data (assets).
Enforce a stringent security policy.
manage databases (maintaining, securing, operating, ensures
the data is correctly stored and retrieved), and

3
Introduction: Cont’d

 Security measures (How to protect our data security?)

Prevent physical access to the servers where the data resides.
Operating systems require authentication of the identity of
computer users.
Implement security models that enforce security measures.

4
 6.1 Security
 Security mostly refers to protection from hostile forces.
What is Database System?
 A database system is a collection of integrated software components that
allow us:
to store
to retrieve
 to update, and
to delete data in a computer system.
 This data is managed by a database management system (DBMS),
which efficiently processes and queries the data.

5
Security: Cont’d

What is database security?

 A degree to which data is fully protected from tampering or
unauthorized acts
 Comprises (includes):
Information system, and
Information security concepts

6
6.2 Information Systems
 It is a set of procedures that collect (or retrieve), Process, Store and
disseminate information to support decisions making and control.
 It needs the following work together to transform raw data into useful
information:
 hardware
 Software
 people and processes
 Information systems contain information about:
 People
 place and
 things within the organization or environment surrounding them.

7
Information Systems: Cont’d
What should the information be to make a wise decision?
 Wise decisions require:
Accurate, timely, and integrity information
 Categorized based on usage: low-level, mid-level and high-level

8
6.2.1 Types of Information Systems
 Some of the most common types (Categories) of information
systems:
1. Transaction processing systems
2. Management information systems
3. Decision-support systems, and
4. Executive (Expert) support systems.

9
Type of Information Systems, TPS, Cont’d
1. Transaction processing systems
 It is an organized collection of people, procedures, software, databases,
and devices used to perform and record business transactions.
 Used to record the day to day transactions of a business. Example, Point
of sale (POS) system.
 Transaction is any business-related exchange such as:
 payments to employees
sales to customers
payments to suppliers or
cash withdrawn from a ATM
10
Type of Information Systems, TPS, Cont’d
 Critical to the organization as they gather all the input necessary for other types
of systems and provide the basic input to the company’s database.
 Serves the organization’s operational level (lower-level management) i.e.
employees
 TPS is responsible for collecting, storing, modifying, & retrieving data and
generating reports.
For example:
 Payroll systems (working time x rate per hour =Total salary)
 Airlines online Transaction Processing Reservation Systems (choose destination
and flight dates, then, compare costs, then, book seats, then, Generate
electronic tickets
11
Type of Information Systems, TPS, Cont’d
Types of TPS
Batch Processing Real-time Processing
 Processing of transactions takes  Transaction is processed with
place over batches immediate effect
 Follows FIFO method  There is no time delay
 There is a time delay  Accessed remotely
Example: Example:
 The batches of employee salaries  Useful in hotel reservations
is processed over a span of two wherein the customer needs an
weeks of payroll in a bi-weekly instant verification of the request.
manner.
10/28/2024
12
Type of Information Systems, TPS, Cont’d
Table 6.2.1.1: Characteristics of Information System Categories (TPS)

13
Type of Information Systems, MIS, Cont’d
2. Management Information System (MIS)
 It is system approach or an organized collection of people, procedures, software,
databases, and devices that provides routine information to managers and
decision makers.
 The use of information technology, people, and business processes to record,
store and process data to produce information that decision makers can use to
make day to day decisions.
 Computerized database of information organized and programmed in such a
way that it produces regular reports on operations for every level of
management in a company.

14
Type of Information Systems, MIS, Cont’d
 It serves the organization’s tactical level (form lower-level to upper-level
management) or it is Management oriented.
 Collects or provides reports generated with data and information from
the TPS to help middle management optimize planning and decision-
making.
For example
 MIS provides reports on annual sales data, performance data, or
historical records (MIS provides past, present and future data).

15
Type of Information Systems, MIS, Cont’d
Figure 6.2.1.1: Level of management

16
Type of Information Systems, MIS, Cont’d

Importance or Benefits of MIS in Business

 It provides information that is essential to operations, management,
and decision making.
For example:
University's student management information systems (Registration status
of students to make eligible to take final examination decision.
 Improved the following benefits:

17
Type of Information Systems, MIS, Cont’d
Figure 6.2.1.2: Benefits of MIS in Business

18
Type of Information Systems, MIS, Cont’d

Figure 6.2.1.3: Role of MIS in Business

19
Type of Information Systems, DSS, Cont’d
3. Decision-support systems (DSS)
 It is an organization collection of people, procedures, software,
databases, and devices that support problem-specific decision
making.
 It serves the organization’s strategic management level (middle-
level management) to make decisions.
 Helps companies to identify and solve problems.
 Output from TPS, MIS and External systems (such as current
market forces, competition, etc.) is used as input to the DSS

20
Type of Information Systems, DSS, Cont’d
Example:
Bank loan management systems used to verify the credit of the loan
applicant and predict the likelihood of the loan being recovered.
MIS DSS
 Helps an organization
 Helps a manager

DO THINGS RIGHT DO THE RIGHT THING

10/28/2024
21
Type of Information Systems, DSS, Cont’d
Table 6.2.1.2: Characteristics of Information System Categories (DSS)

22
Type of Information Systems, ESS, Cont’d
4. Executive (Expert) support systems.
 It uses the same approach to DSS for managers, but more focused to
support executives (upper-level management) in making decisions.
 System that allows top managers to quickly retrieve, analyze, and
disseminate data and information.
 Transforms the data quickly from all departments including accounting,
HR and operation in the form of reports.

23
Type of Information Systems, ESS, Cont’d
Table 6.2.1.3: Characteristics of Information System Categories (ES)

24
Type of Information Systems, Summary, Cont’d

Figure 6.2.1.4: Typical use of system applications at various management levels

25
6.2.2 Components of Information Systems
 Information system components include: Data, Procedures,
Hardware, Software, Network, People

Figure 6.2.2.1: Information System Components

26
 6.3 Database Management Systems (DBMS)
What is DBMS?
 Are software systems used to store, retrieve, and run queries on data.
 Serves as an interface between an end-user and a database, allowing users to
create, read, update, and delete data in the database.
 On the other hand, functionalities of DBMS:
 Organize data
 Store and retrieve data efficiently
 Manipulate data (update and delete)
 Enforce referential integrity and consistency
 Enforce and implement data security policies and procedures
 Back up, recover, and restore data
27
Database Management Systems (DBMS): Cont’d

Figure 6.3.1: Database and DBMS Environment

28
6.3.1 Components of Database Management Systems (DBMS)

 DBMS can be classified into six main components include:

1. Data 4. Networks
2. Hardware 5. Procedures
3. Software 6. Database servers

29
6.4 Information Security
 Information is one of an organization’s most valuable assets
 Information security:
Procedures and measures taken to Protects sensitive
information from unauthorized activities, including inspection,
modification, recording, and any disruption or destruction.
Goal
 to ensure the safety and privacy of critical data such as customer
account details, financial data or intellectual property.

30
6.4.1 Principles (Model) of Information Security
How to protect our information?
 Based on the following three main components:
CIA(Confidentiality, Integrity, Availability) is called information
security model (triangle)

Figure 6.4.1.1: Information Security CIA Triangle 31

Principles (Model) of Information Security, confidentiality,
Cont’d
1. Confidentiality
How do we protect the confidentiality of data and information?
 Addresses two aspects of security:
 Prevention of unauthorized access
 Information disclosure based on classification.
 Classify company information into levels:
 Each level has its own security measures
 Usually based on degree of confidentiality necessary to protect information
 In confidence a classification that identifies information that, if disclosed, may
result in damage to a party’s commercial interests, intellectual property or trade
secrets.
32
Principles (Model) of Information Security, Integrity, Cont’d

2. Integrity

 Information has integrity if:

It is accurate
It has not been tampered with unauthorized persons

33
Principles (Model) of Information Security, Integrity, Cont’d

Integrity-Example
 Employee A learns that his adversarial coworker is earning higher salary than he
is. A accesses an application program by accounting dept and manipulates the
vacation hours and overtime hours of his colleague.
What securities are violated from this example?
 Two security violations:
 Confidential data is disclosed inappropriately
 An application to modify data was accessed inappropriately.

How to avoid or control these violation?

 There should be a control to cross-check overtime hours against actual time
cards, computed vacation hours, and verified entered values. If they are
different, the app requires override from another person (data validation) 34
Principles (Model) of Information Security, Integrity, Cont’d

Table 6.4.1.1: Degradation of data Integrity

35
Principles (Model) of Information Security, Integrity, Cont’d

Table 6.4.1.1 : Degradation of data Integrity

36
Principles (Model) of Information Security, Integrity, Cont’d

Table 6.4.1.1: Degradation of data Integrity

37
Principles (Model) of Information Security, Availability, Cont’d

3. Availability
 Systems must be always available to authorized users
 Systems determines what a user can do with the information
What are the reasons for a system to become unavailable?
1. External attacks and lack of system protection
2. System failure with no disaster recovery strategy
3. Overly stringent and obscure (unclear) security policies
4. Bad implementation of authentication processes

38
6.5 Database Security
 Is the processes, tools, and controls that secure and protect databases
against accidental and intentional threats. Thus,
 Enforce security at all database levels
 Security access point: place where database security must be protected
and applied
 Data requires highest level of protection; data access point must be small
Objective
 To secure sensitive data and maintain the confidentiality, availability,
and integrity of the database.

39
Database Security: Cont’d

 The 3 pillars or components (CIA) of database security are:

1. Confidentiality
2. Integrity, and
3. Availability

40
Database Security: Cont’d
Need to consider in Database Security
 Reducing access point size reduces security risks
 Security gaps: points at which security is missing
 Vulnerabilities: kinks in the system that can become threats
 Threat: security risk that can become a system breach
 People: individuals who have been granted privileges and permissions
to access applications, networks, servers, databases, data files and data.
 Applications: application design and implementation, which includes
privileges and permissions granted to people.

41
Database Security: Cont’d
 Network: is the most sensitive security access point. Use best
effort to protect the network.
 Operating system: the authentication to the system and the
gateway to the data.
 DBMS: logical structure of the database, include memory,
executables, and other binaries.
 Data files: to be protected through the use of permissions and
encryption.
 Data: need to enforce data integrity, and necessary privileges.

42
6.6 Data Integrity violation Process

Figure 6.6.1: Data Integrity violation Process

43
6.7 Menaces/Dangers to Databases
 Security vulnerability: a weakness in any information system
component.

Figure 6.7.1: Categories of database security vulnerabilities

44
Menaces to Databases: Cont’d
 Security threat: a security violation or attack that can happen any
time because of a security vulnerability.
 security vulnerability leads to security violation or attach or
security threat.

Figure 6.7.2: Categories of database security threats

45
Menaces to Databases: Cont’d
 Security risk: a known as security gap left open.

Figure 6.7.3: Categories of database security risks

46
6.8 Asset Types and Their Value
 Security measures are based on the value of each asset.
 Types of assets include:
Physical: tangible assets including buildings, cars, hardware etc.
Logical: such as business applications, in-house programs,
purchased software, databases etc.
Intangible: business reputation, public confidence etc.
Human: human skills, knowledge, expertise etc.

47
 Summary
 Security is level and degree of being free from danger and threats
 Database security is degree to which data is fully protected from
unauthorized tampering
 Information systems is backbone of day-to-day company operations
 DBMS is programs to manage a database
 C.I.A triangle (Confidentiality, Integrity and Availability).
 Secure access points
 Security vulnerabilities, threats and risks
 Enforce security at all levels of the database

48
 Exercises

1. Data is processed or transformed by a collection of components working together

to produce and generate accurate information. These components are known as a(n)
_____________.
A. Information system
B. Database
C. DBA
D. operating system
2. The concept behind a(n) __________________ application is based on the
business model of a customer ordering a service or product and the representative
of a business granting that request.
E. information system
F. C.I.A. triangle
G. DBMS
H. client/server

49
Exercises: Cont’d

3. A ____________________ is a place where database security must be protected

and applied.
A. Security gap
B. Security access point
C. Security threat
D. Security vulnerability
4. A ____________________ is a security violation or attack that can happen any
time because of a security vulnerability.
E. Security risk
F. Security privilege
G. Security policy
H. Security threat

50
 Cases
Q 1. You are a security officer working for a medium-sized research company. You
have been assigned to guard a back entrance checkpoint. One day, a well-
known manager walks out with a box of papers. A day after you are summoned
to the security office by your manager and the security director for questioning
about the manager who had been terminated the day before. The manager had
walked out with highly confidential information.
A. Outline briefly what types of security measures were violated and how to avoid
those violations.
B. Describe how this incident may result in security violations.

51
Cases: Cont’d
Q 2. You are an employee of a company responsible for the administration of
ten production databases. Lately, you have noticed that your manager is
asking you frequent questions about the data used by one of the top
researchers of the Engineering department. For two days, while
conducting routine database tasks, you notice your manager exporting
data from the database the top researchers are using.
A. What type of security threat is the exportation of data? How can your
prevent it?
B. To what type of security risk could exporting data lead?
C. Explain briefly how you would react to this incident.

52
 End of chapter 6(2)

10/28/2024
53