APRIL 15, 2020

DSM ASSIGNMENT
Submitted To :Prof. Amna Lodhi

Submitted By:
Gohar Riaz (26)
MSC IT (4TH)PRE
Database Security Management…. Assignment 1

Principles and Practices for

Database Security Management

Page 1
Database Security Management…. Assignment 1

Article. July 2015

Jorge Domínguez Chávez
Universidad Politécnica Territorial del Estado Aragua

Basic Principles of Database Security

I. INTRODUCTION
A common problem of security for all computer systems is to prevent unauthorized
persons from gaining access to the system, either for information, making malicious
changes to all or a portion or entire database. The Cybercrime is defined as any type of
illegal activity on the Internet, a private or public network or computer system used.
Many forms of this type of crime revolve around obtaining sensitive information for
unauthorized purposes, including invasion of privacy of the largest possible number of
computer users. The Cybercrime encompasses any criminal act that use computers and
communication networks. It also includes traditional crimes conducted over the
Internet, such as hate crimes, the telemarketing1 and Internet fraud, identity theft and
stolen credit card accounts. The Databases not protected are the dream of cyber-
criminal. Those databases contain valuable data of the organization could be easy target
of an attack and are conveniently organized. It is not surprising that the databases are
the main target of sophisticated cyber-attacks crackers2 and, increasingly, users working
in the organization and have privileges. However, there are many steps you take to
protect databases in your organization and at the same time, his reputation.

The security of the databases is a broad area covering many

topics, including:
Ethical and legal issues concerning the right of access to certain information.

Policy issues to governmental, institutional or corporate level, related to the type

of information that should not be available to the public.
Issues related to the system and system levels that manage various security
features.

Security mechanisms can be oriented access control policies based on user identity,
known as discretionary safety or policies that restrict access to information classified as
confidential to authorized personnel , called Mandatory Safety.

Page 2
Database Security Management…. Assignment 1

Today, we speak about two types of security mechanisms in

databases:
Discretionary security mechanisms to grant privileges to users, including access
to files, records or specific data fields in a certain way.
The mandatory security mechanisms for equal multilevel sorting data and users
into several classes (or levels ) and then implementing appropriate security policy
of the organization.

II. THE SECURITY MECHANISM

The security mechanism of a SGBD3 should include ways to restrict access to the
system as a whole. This is called access control and put into practice by creating user
accounts and passwords for it DBMS controls the logon process.

Another security technique is data encryption, used to protect sensitive data

transmitted via satellite or some other type of communications network. Encryption
provides additional sections of a confidential database protection. The data is encoded
by some algorithm on purpose. An unauthorized user who has access to encrypted data
will struggle to decipher, but an authorized user will have algorithms (or key) encryption
or decryption for that purpose.

A. The administrator of the database

Is the central authority that controls a system of this type. The DBA4 has a privileged
account in the DBMS, sometimes called system account, which gives extraordinary
abilities not available to ordinary users accounts and database.
The DBA performs the following types of actions:
Account creation.
Granting privileges.
Revocation of privileges.
Assigning security levels.
It is responsible for the overall security of the system database.
A habit (bad habit) that have many administrators or users is to use the access root1
(super-user or administrator) for all database, install a site using the WordPress CMS,
and as data access to database (WP for use MariaDB server and use its DB) will put the
user management server MariaDB2: root5.

Page 3
Database Security Management…. Assignment 1

Also, if they install any other web application (chat, paste, forum, etc.) they do the
same, always use the root user of MariaDB6.
Proposal: MariaDB create separate users for each application that uses this GSBD
(either web application or desktop).
A lot of users and customers rely on MariaDB as technological solution to their
database needs, which is why many websites, blogs, ecommerce sites and webapps
provided with the database. The following five security practices help your database is
more "robust", be optimized and ready for any possible attack both internally and
externally:
1. Make sure you have "shielded" the chances that external users can inject code to
its database through public forms or text fields to your website.
2. Change the root user, which is the default, and assigned a different username.
3. Make sure the root password MariaDB is established.
4. Remove the test account and test database created during the initial installation
of MariaDB.
5. Periodically review the users and databases MariaDB account to ensure that the
permits granted in that time, remain exactly as you left them the last time.
The forms of malicious access are:
Unauthorized reading of data ( data theft )
Unauthorized modification of data
Unauthorized destruction of data security databases refers to protection against
malicious access.
To protect the database must adopt security measures at
various levels:
Database systems.
Operative System.
Network.
Phisycal.
Human.
To maintain security at all these levels should strengthen the security of the database.
The weakness of the low levels of security (physical or human) can circumvent the strict
security measures at higher levels (database). Security within the operating system is
applied at various levels, ranging from passwords to access the system until the isolation

Page 4
Database Security Management…. Assignment 1

of concurrent processes running on it. The file system also provides some level of
protection.

III. THE USERS

They should have various types of authorization for different parts of the
database. highlights include:
Read authorization for reading the data, but not modification.
The push authorization for insertion of new data, but not modification of
existing ones.
Update authorization for the modification of the data, but no deletion.
Erase authorization for erasing data.

IV. THE VIEW CONCEPT

A view is a PHP script that basically consists of elements of the UI (user interface - UI).
It can contain PHP expressions, but it is recommended that these statements do not
modify the data model and remain relatively simple . To maintain the separation of logic
and presentation is recommended that much of the logic is in the model and not at the
hearing.
A view:
It is a virtual relationship.
It is constructed to operate as the relational algebra from the base relations of
the database . Direct relationships form the basis of the database, which are
stored physically.
They provide powerful security mechanism , hiding parts of the database to
certain users. The user will not know that there are those attributes that are
omitted to define a view.
V. Encryption
The concept of encryption is simple: given a message clear, that is, recognizable
message, to which you apply an encryption algorithm is generated as a result an
encrypted message can only be deciphered by those who know the algorithm used and
the key that has been used.
A security technique is the data encryption used to protect confidential data
transmitted via satellite or some type of communications network. Encryption can also
provide additional confidential sections of a database protection.

Page 5
Database Security Management…. Assignment 1

The data is encoded by an encoding algorithm. An unauthorized user will have trouble
deciphering the encoded data, but an authorized user will have algorithms to decipher.
There are currently two types of encryption:
Symmetrical: The key used to encrypt the message so as to decipher is
common, so the chance of getting the key is greater because its spread can be
intercepted by unwanted people.
Asymmetric: There are two keys, one to encrypt the message and another
to decrypt it, usually the first is public, that is, only knows the sender, while the
second is called Private and only has to whom they are directed messages sent
between those with the public key, therefore, only the holder of the private key
can read the messages (decrypt).

Symmetric cryptography is more vulnerable than the asymmetric because of using a

single key, on the other hand in symmetric encryption is faster than asymmetrical since
this favors the decryption time is quite important.
The encryption and decryption functions provide an additional layer of
security:

GnuPG supports symmetric and asymmetric algorithms for encryption. Only files
and folders on the user's computer.

Another option is to sks - ecc for GNU / Linux -just running sudo apt- get install
sks - ecc from the console or GSKs , programmed in Bash. Zeniy invoked to
create simple interactive dialogues . Of course, it must be installed ' zenity '. -
The versatile , simple and effective portable software pocket SKS Cryptography
implements an excellent default AES192 symmetric encryption through its -c and
-C options that encrypt a given file in a conventional manner with a key
generated from the password provided by the user, It is capitalized -C option to
compress before encrypting if desired. The program requires two parameters:
the input file and output; the password is required for command line echo output
to ensure maximum privacy. It is always used to decrypt the -d option.

MD5. It is a 128-bit hash function . As all these functions , making certain size at
the entrance , and come out with a fixed length (128 bits) . To check the integrity
of a downloaded file an MD5 Internet tool is used to compare the MD5 sum of
the file with a file with the MD5 MD5SUM summary of the first file. It is also used
to verify that the emails have not been tampered with using public and private
keys . The PHP language has implemented MD5 ("" ) among others. On UNIX

Page 6
Database Security Management…. Assignment 1

and Linux systems, the MD5 algorithm is used to calculate the hash key users.
Current systems use Linux more secure hash functions , SHA -2 or SHA -3.

SHA -1. It is similar to MD5, but has a block of 160 bits instead of 128 bits.

SHA (Secure Hash Algorithm) is a family of cryptographic hash functions published by

the National Institute of Standards and Technology (NIST). The first version of the
algorithm was created in 1993 with the name of SHA, although it is known as SHA -0 to
avoid confusion with later versions. The second version of the system, published under
the name of SHA -1,
A. AES encryption and RSA Encryption (encryption)
The standard of encryption (encryption) advanced AES, Advanced Encryption Standard
(AES), is one of the most secure algorithms used today - available for public use. It is
classified by the National Security Agency, National Security Agency (NSA) of the
United States to the highest security of classified information "Top Secret". The
algorithm called "Rijndael" was introduced as the new encryption standard AES in 2001
and became effective in 2002. The standard algorithm is based on several substitutions,
permutations, and linear transformations, performed in data blocks of 16 bytes - so it is
called blockcipher. These operations are repeated several times, called "rounds". In each
round, a single "roundkey" is calculated as the encryption key, and is incorporated in the
calculations. Based on this block structure AES, the change of a single bit, whether the
key, or blocks of text simple and clear, resulting in ciphertext block / encrypted
completely different - a distinct advantage over ciphers Traditional flow. The difference
between AES-128, AES-192 and AES-256 is the key length: 128, 192 or 256 bits - all
improved compared to the 56-bit DES key. Crack a 128-bit key AES standard with a
super computer at the time, it would take longer than the presumed age of the universe.
Therefore, it remains the standard AES encryption preferred by governments, banks and
high security systems worldwide.

VI. ACCESS TO DATABASE

Now a BD of an organization contains large amounts of data and usually has several
groups, most of them require access to only a small part of the data. To this end, a
DBMS has two main approaches to this:

A. Discretionary Access Control Discretionary

Access is a way to restrict access to information based on privileges. Two levels of
assigning privileges : Account level : At this level, the administrator specifies the special

Page 7
Database Security Management…. Assignment 1

privileges that each user, independent of the database tables (CREATE TABLE, CREATE
VIEW, ALTER, MODIFY, SELECT).
Level of relationship: At this level privileges to access every relationship or single view
are controlled. Each database table
is assigned an account owner, who has all privileges on that table and is responsible for
granting them to other accounts.

B. Mandatory Access Control

The duties of the DBA is granting privileges and classify users and data in accordance
with the policy of the organization. DBA privileged commands include the following
types of actions:
1. Creating accounts.
2. Granting privileges.
3. Withdrawal of privileges.
4. Assign security levels.
Action 1 list controls access to DBMS in general, while the 2 and the 3 control
discretionary authorizations and 4 controls the authorization requirement.
The mandatory security mechanisms impose multilevel security and classifying
data users in several adhoc levels and then implementing appropriate security
policy of the organization.
Classification consists of both your subjects and objects in the system 'access
classes' that determine the characteristics of confidentiality.
An 'access class' is an element of a set of 'classes' partially ordered. Access classes
are defined as a set of two components, a 'security level' and 'set of categories'.
Each "level of security" is an element of a set, hierarchical and tidy, as 'top secret'
(TS), 'secret' (S) 'confidential' (C) and 'not rated' (U), where TS > S> C> U.
The whole category is a subset of an unordered set where elements reflect
different functional areas or competencies as 'finance', 'administration', 'sales' and
'shopping' for commercial systems.

Subject to authorization: USERS • User groups • PROCESS ROLES

Authorization privileges: READ, WRITE, EXECUTE, SELECT, INSERT, UPDATE,
REFERENCES, INDEX.
The access control policies are classified into two groups:
Closed: Only authorized accesses are explicitly allowed.
Open: the access not forbiden are allow.

Page 8
Database Security Management…. Assignment 1

VII. Safety Practices

We complement the following five safety practices previously filed with the seven
recommendations on safety in the design and implementation in their databases, own
servers installed in your organization.
A. Identify your sensitivity
You can not secure what is not known. Draw up a good catalogue of tables or their
bodies sensitive database data. Also automates the identification process, as this data
and corresponding location may be changing due to new applications or changes
resulting from mergers and acquisitions. Develop or acquire identification tools,
ensuring these malware placed in your database the result of SQL injection attacks;
because apart from exposing confidential information
due to vulnerabilities such as SQL injection, attackers also facilitates incorporate other
attacks inside the database.

B. Assessment of vulnerability and configuration

Evaluate the configuration database to ensure that no security holes. This includes the
verification of the way in which the database and operating system installed (checking
privileges groups file -reading, writing and execution- database and transaction logs).
Also, with settings files and executable programs. It is also necessary to verify that it is
not running database versions including known vulnerabilities ; and prevent SQL queries
from applications or users layer. To this can be considered (as administrator) : Limit
access to certain users procedures. Delimit the data access to specific users, procedures
and / or data. Decline matching between users that match schedules.

C. Hardening
As a result of an assessment of vulnerability they are often given a series of specific
recommendations. This is the first step in tightening the database. Other elements of
hardening involve removing all functions and options are not used. Apply a strict policy
that can and that can not be done, but be sure to disable it does not need.

D. Audit
After creating the settings and tightening controls , perform self-assessments and
monitoring audit recommendations to verify non-diversion of its goal (security).
Automate configuration control register so that any change in the same and implement
alerts about changes in it. Each time a change is made, it could affect the security of the
database.

Page 9
Database Security Management…. Assignment 1

E. Monitoring
Real-time monitoring of database activity is key to limiting your exposure, apply or
acquire intelligent agents monitoring, intrusion detection and misuse. For example, alerts
on unusual access patterns that could indicate the presence of a SQL injection attack,
unauthorized changes to data, change account privileges and configuration changes by
running a SQL script. Remember monitoring privileged users, it is required for data
governance and regulatory compliance such as SOX and privacy regulations. It also helps
detect intrusions, as many of the most common attacks are made with user privileges
senior.
Dynamic monitoring is also an essential element of vulnerability assessment, allows you
to go beyond static or forensic evaluations. A classic example see it when multiple users
share privileged credentials or an excessive number of logins database.

F. Audit
Trails Apply generate audit trails and traceability of activities that affect data integrity or
viewing sensitive data. Remember it is an audit requirement, and is also important for
forensic investigations. Most organizations today use some form of manual auditing of
transactions or native applications of management systems databases. However, these
applications are often deactivated due to: • complexity • high operating costs •
performance problems • the lack of segregation of duties and • the need for more
storage. Fortunately, solutions have been developed with minimal impact on
performance and low operating cost, based on intelligent agent technologies.

G. Authentication, access control and rights management

Not all data and not all users are created equal. You must authenticate users, ensure the
accountability per user, and manage privileges to limit access to data. Implement and
periodically review reports on user rights, as part of a formal audit process. Use
encryption to illegible confidential data, complicate the work of the attackers, this
includes encrypting data in transit, so that an attacker can not listen on the network
layer and access to the data when it is sent to client database.

References:
1. ISO/IEC 27001:2005 - Information technology -- Security techniques [en]
http://www.iso.org/iso/catalogue_detail? Csnumber=42103

Page 10
Database Security Management…. Assignment 1

2. ISO/IEC 17799:2005 - Information technology -- Security techniques [en]

http://www.iso.org/iso/catalogue_detail csnumber=39 612

3. Malware - Ataque a la Base de Datos [en] http://ataquebd.blogspot.mx/

4. Inyección de código SQL - MSDN – Microsoft [en
http://msdn.microsoft.com/eses/library/ms161953.aspx

5. Escolano F. “Inteligencia Artificial”, Editorial Paraninfo, 2003

6. Aguilera L “Seguridad Informática” 2010, Madrid, Editorial Editex, S.A.

7. El Reporte X-Force de IBM revela que el phishing y las amenazas relacionadas a

documentos se incrementan [en] http://www.lawebdelprogramador.com/noticias/mostr
ar.php?id=2460

8. http://sox.sourceforge.net/

9. Daniel Camargo Montero, Sistema de selección de personal inspirado en agentes

inteligentes, [en] http://catarina.udlap.mx/u_dl_a/tales/documentos/lis/ camargo_m_d/

10. El Reporte X-Force de IBM revela que el phishing y las amenazas relacionadas a
documentos se incrementan [en] http://www.lawebdelprogramador.com/noticias/mostr
ar.php?id=2460
About the Author:
Jorge Dominguez Chavez. Degree in Physics, Doctor in Sciences, Software
Development mention the UNAM. Computer security specialist from the University of
Washington. Territorial Assistant Professor in the Polytechnic University of Aragua
state. Appointed Tutor at the National Autonomous University of Mexico. Visiting
Professor University Federal do Rio Grande do Sul, (BRAZIL). Author of several books
and articles on database software development, operating systems, computer security.
Dr. Domínguez is recognized lecturer.

Article Link:
See discussions, stats, and author profiles for this publication at:
https://www.researchgate.net/publication/279996570

Page 11
Database Security Management…. Assignment 1

NEXT STEPS
Database security and compliance best practices dictate that organizations regularly scan
for vulnerabilities and highly privileged user accounts and then monitor for anomalous
activity. A pragmatic database security program requires that organizations implement
an automated process for identifying critical vulnerabilities and privileged accounts,
remediating issues where possible and then monitoring privileged activity whether it's
associated with authorized, recognized privileged accounts or other accounts with
excessive privileges. Organizations need to make sure administrators and/or security
personnel have suf cient, actionable data to make informed decisions and are not
distracted by excessive alerts, false-positives and false-negatives.
Also make sure that you're monitoring known but unpatched vulnerabilities. Commonly
referred to as a compensating control, real-time activity monitoring can protect
databases during the gap between discovery of a vulnerability and mitigation of that
vulnerability. Responsible organizations should proactively deploy activity
monitoring, informed by vulnerability and rights review scan results, to ensure the
highest, most ef cient level of database security

7 Gold Standard Database Security Best

Practices
Database security requires extensive experience
handling sensitive data and current knowledge of
new cyber threats. Your business database
contains information that cyber-criminals target to
steal identities, credentials, and financial
information. Below are 7 database security best
practices to help keep your company database safe.

Page 12
Database Security Management…. Assignment 1

1. Keep security controls of database server on maximum

Always ensure you’re running the most up-to-date version of your database software to
remove vulnerabilities. Turn on all security protocols and controls of your database and
website server — unless there is a specific and necessary reason that one should be
turned off. In addition, be sure to delete or disable any features or services you are not
using and do not need. Finally, remember to change all default passwords to prevent
unauthorized users from logging in.

2. Separate servers and web servers

Separate your database server from your website server to enhance database security.
Keeping your servers separate will increase the cyber security of your database server
and website so that even if a hacker cracks your web server admin account, they won’t
be able to access your database.
It’s always best practice to keep unnecessary programs and servers separate from
servers that don’t require them to operate. While these servers may need to
communicate at times, ensure that their permissions are confined to the lowest level of
privilege needed in order for them to operate successfully. This will limit the scope of
damage an attacker can implement.

3. Encrypt all files and backups

No matter how solid your defenses, there is always a chance a hacker could infiltrate
your system. But, cyber criminals aren’t the only threat to your database security. Your
employees could also be a significant risk to your business. There is always the chance
that an employee will access a file they don’t have permission to.
Encrypting your data makes it unreadable to both hackers, and employees without an
encryption key, therefore making it a final line of defense against unwanted intrusions.
Encrypt all important documents, files, and backups to keep your critical data unreadable
to unauthorized users.

4. Put a database firewall and web application

firewall in place
Firewalls enhance database security by denying traffic by default to minimize the
entrance of threats. When set up properly, they should only allow traffic from specific
applications and web servers that need to access the data, and should also prevent your
database from initiating outbound connections (aside from those that are necessary).
In addition, putting a web application firewall in place helps protect your web servers
and increases database security. Without one, web application attacks could be used to
delete or collect data from your database. This keeps your database behind a firewall
and away from prying cybercriminals.

Page 13
Database Security Management…. Assignment 1

5. Regularly update patches

If your database or website uses widgets, plugins and other third-party apps, cyber
criminals will often target these in order to bypass your database security, especially if
they haven’t been patched or updated on a regular basis. Even if your internal defenses
are strong, these third-party additions can create weaknesses if you don’t stay on top of
them.
Be sure to run updates as soon as they become available to keep all of your defenses
strong, and keep intruders from getting in.

6. Hack/audit your database to check your

security
If you’re hosting highly valuable information, like consumer credit card data, you could
find yourself as the target for hackers. Therefore, once you feel like you’ve implemented
all of the proper security defenses and have covered all of your bases, put your work to
the test by trying to hack in yourself.

Hacking or auditing your own database is a great way to check your own database
security — before someone else attempts to “test” your security measures for you.
Searching for ways to hack your own database will put you into the mindset of a hacker
and may help you spot vulnerabilities you would have otherwise missed. If you succeed
in hacking your database, you’ll know there is more work needed to be done.

7. Keep an encrypted copy of your database on

backup
Even with all of these security measures properly implemented, there’s always the
chance that something will go wrong. Perhaps your database suffers physical damage, a
hackers breaks in, or an employee deletes an important file — you need to be prepared
for any and all of these data loss scenarios. Luckily, this is easy to do with cloud backup.
Cloud backup allows you to recover any deleted or accidentally changed file to the
version you require. Backup all pertinent databases using a reliable, cloud backup
company focused on security. This will mean you always have a copy of all important
customer and company information stored away in case of an unforeseen problem and
can retrieve the information upon request. Look into cloud backup companies that
offer unlimited previous file versions (critical if a ransomware virus strikes) and military-
grade security. These companies will offer the most thorough backup and recovery
solutions and will keep your data safe no matter what.

Page 14