
SYSTEM VULNERABILITY AND ABUSE

Database Security
zaldy.adrianto@unpad.ac.id

Why systems are vulnerable

When large amounts of data are stored in electronic form, they are vulnerable to many more kinds of threats
In a multi-tier client/server computing environment, vulnerabilities exist at each layer and in communications between the layers
Intruders who launch denial of service attacks or malicious software
Unauthorized access
System malfunction because hardware breaks down or is damaged by improper use or criminal act

Database Security

Database Security: Protection of the data against accidental or intentional loss, destruction, or misuse
Increased difficulty due to Internet access and client/server technologies

Possible locations of data security threats

Threats to Data Security


Accidental losses attributable to:

Human error
Software failure
Hardware failure
Theft and fraud
Loss of privacy or confidentiality
Loss of data integrity
Loss of availability (through, e.g. sabotage)

Security Policies and Procedures

Personnel controls: hiring practices, employee monitoring, security training
Physical access controls: equipment locking, check-out procedures, screen placement
Maintenance controls: maintenance agreements, access to source code, quality and availability standards
Data privacy controls: adherence to privacy legislation, access rules

Database Recovery

Mechanism for restoring a database quickly and accurately after loss or damage
Recovery facilities:
Backup Facilities
Journalizing Facilities
Checkpoint Facility
Recovery Manager

Backup Facilities

Automatic dump facility that produces a backup copy of the entire database
Periodic backup (e.g. nightly, weekly)
Cold backup: database is shut down during backup
Hot backup: selected portion is shut down and backed up at a given time
Backups stored in secure, off-site location

Journalizing Facilities

Audit trail of transactions and database updates
Transaction log: record of essential data for each transaction processed against the database
Database change log: images of updated data
Before-image: copy before modification
After-image: copy after modification
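
The journalizing facilities above keep a before-image and an after-image of every updated record. The sketch below is an added example, not part of the original slides, and it goes one step beyond them by showing how a recovery manager can use those images: before-images to back out an aborted transaction, and after-images to roll a backup copy forward. The names ChangeLog, update, rollback, rollforward and the account data are hypothetical.

```python
# Added illustration: toy in-memory "database" plus a change log that
# stores a before-image and an after-image for every update.
# All names (ChangeLog, update, rollback, rollforward) are hypothetical.
import copy

class ChangeLog:
    def __init__(self):
        self.entries = []  # (txn_id, key, before_image, after_image)

    def update(self, db, txn_id, key, new_value):
        """Apply an update and journal both images of the changed record."""
        before = copy.deepcopy(db.get(key))      # None means the row did not exist
        db[key] = new_value
        self.entries.append((txn_id, key, before, copy.deepcopy(new_value)))

    def rollback(self, db, txn_id):
        """Backward recovery: undo one transaction by re-applying its
        before-images in reverse log order."""
        for t, key, before, _after in reversed(self.entries):
            if t != txn_id:
                continue
            if before is None:
                db.pop(key, None)                # the update had inserted the row
            else:
                db[key] = copy.deepcopy(before)

    def rollforward(self, backup, committed):
        """Forward recovery: start from a backup copy and re-apply the
        after-images of committed transactions in log order."""
        db = copy.deepcopy(backup)
        for t, key, _before, after in self.entries:
            if t in committed:
                db[key] = copy.deepcopy(after)
        return db

def demo():
    # Constructed sample data: account balances keyed by account id.
    db = {"acct-1": {"balance": 100}, "acct-2": {"balance": 50}}
    backup = copy.deepcopy(db)                   # periodic backup copy
    log = ChangeLog()
    log.update(db, "T1", "acct-1", {"balance": 70})   # T1 commits
    log.update(db, "T1", "acct-2", {"balance": 80})
    log.update(db, "T2", "acct-1", {"balance": 0})    # T2 is aborted
    log.update(db, "T2", "acct-3", {"balance": 70})
    log.rollback(db, "T2")                       # live database after undoing T2
    restored = log.rollforward(backup, committed={"T1"})
    return db, restored

if __name__ == "__main__":
    print(demo())
```

Both recovery paths end in the same state: the live database after backing out T2 matches the backup rolled forward with T1's after-images.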

Security and challenges of vulnerabilities

Internal threats: Employee
Largest financial threats to business institutions come from insiders
Users' lack of knowledge is the single greatest cause of network security breaches

Management Framework for Security and Control

COBIT FRAMEWORK

Also known as the Control Objectives for Information and Related Technology framework.
Developed by the Information Systems Audit and Control Foundation (ISACF).
A framework of generally applicable information systems security and control practices for IT control.

COBIT FRAMEWORK

The framework addresses the issue of control from three vantage points or dimensions:
Business Objectives: To satisfy business objectives, information must conform to certain criteria referred to as business requirements for information.
IT resources: people, application systems, technology, facilities, and data
IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring

Types of Information Systems Control

General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information infrastructure.

General control

General control includes software controls, physical hardware controls, computer operations controls, control over implementation process and administrative controls.

Picture: example of physical hardware control

Ensuring business continuity

Computer failures, interruptions and downtime translate into disgruntled customers
Downtime: period of time in which a system is not operational.
Fault-tolerant computer systems: hardware, software and power supply components that provide continuous, uninterrupted service. Parts of these computers can be removed and repaired without disruption to the computer system.
High-availability computing: systems that help firms recover quickly from a crash. Requires tools and technologies to ensure maximum performance of computer systems and networks, including redundant servers, load balancing, clustering, high capacity storage, and good recovery.
Load balancing: distributes large numbers of access requests across multiple servers.
Mirroring: backup server that duplicates all the processes and transactions of the primary server.

Data Center

Picture: TELKOM SIGMA Data Center in Serpong and Sentul
Picture: Facebook data center

Disaster recovery plan and business continuity planning

Disaster recovery plan: plans for restoration of computing and communications services after they are disrupted by a disaster
Business continuity planning: focuses on how the company can restore business operations after a disaster strikes.

Technology and tools for security and control

Firewalls: gatekeeper that examines each user's credentials before access is granted
Intrusion Detection System: full-time monitoring tools placed at the most vulnerable points.

Sarbanes Oxley and databases

Sarbanes Oxley was designed to ensure the integrity of public companies' financial statements
The key component is ensuring sufficient control and security over the financial system and IT infrastructure in use.

Key focus of SOX audit

IT Change Management
Logical Access to data
IT Operations

IT Change Management

Refers to the process by which changes to operational systems and databases are authorised
Top deficiency found by SOX auditors: inadequate segregation of duties between people who have access to databases in three environments: Development, Test and Production

Logical Access to data

Logical access to data is essentially about security procedures in place to prevent unauthorised access to data.
Two types of security policy and procedure:
Personnel Control
Physical Access Control

IT Operations

IT Operations refers to the policies and procedures in place related to day-to-day management of the infrastructure, applications, and databases in the organisation
Key areas:
database backup and recovery
data availability
