1. Password-Based Authentication:
• Users provide a username and password combination to gain access.
• It's a widely used method but can be vulnerable to password guessing,
social engineering, and password reuse.
2. Multi-Factor Authentication (MFA):
• Requires users to provide multiple pieces of evidence to verify their
identity.
• Common factors include something the user knows (password), something
they have (one-time codes, smart cards), and something they are
(biometric data like fingerprints or facial recognition).
3. Biometric Authentication:
• Relies on unique biological traits like fingerprints, retina/iris scans, facial
recognition, or voice recognition.
• Offers strong security, but implementation challenges can include accuracy
and privacy concerns.
4. Smart Cards and Tokens:
• Users possess physical devices like smart cards or hardware tokens that
generate one-time passwords (OTP).
• Increases security by requiring both something the user knows (PIN) and
something they have (physical token).
5. Public Key Infrastructure (PKI) Authentication:
• Utilizes digital certificates to authenticate users and devices.
• Involves asymmetric cryptography with a public key for encryption and a
private key for decryption and signing.
6. Certificate-Based Authentication:
• Similar to PKI, users present digital certificates as proof of identity.
• Commonly used for secure email, VPN access, and web authentication.
7. One-Time Passwords (OTP):
• Generates unique passwords for each login session.
• Enhances security by making stolen passwords less useful to attackers.
8. Knowledge-Based Authentication (KBA):
• Requires users to answer personal questions that only they should know.
• Can be susceptible to social engineering if attackers gather information
about the user.
9. Time-Based One-Time Password (TOTP):
• Similar to OTP, but the password changes after a predefined time interval.
• Often used in combination with mobile apps like Google Authenticator.
1. Strong Passwords: Use strong, unique passwords for your email account and
update them regularly to prevent unauthorized access.
2. Two-Factor Authentication (2FA): Enable 2FA to add an extra layer of security
by requiring a second form of verification in addition to your password.
3. Phishing Awareness: Be cautious of phishing emails, verify sender addresses,
and avoid clicking on suspicious links or sharing personal information.
4. Regular Updates: Keep your email client and operating system updated to patch
security vulnerabilities and minimize the risk of exploitation.
What is the difference between authentication and authorization? Provide an
example.
Authentication                                  | Authorization
It is done before the authorization process.    | This process is done after the authentication process.
It usually needs the user's login details.      | It needs the user's privilege or security levels.
1. Process Management:
• Creation, scheduling, and termination of processes.
• Process synchronization and communication.
• Management of process states and resources.
2. Memory Management:
• Allocation and deallocation of memory for processes.
• Virtual memory management and paging.
• Memory protection and access control.
3. File System Management:
• Creation, organization, and deletion of files and directories.
• File access and permissions.
• File storage, retrieval, and manipulation.
4. Device Management:
• Management of input and output devices.
• Device drivers for hardware communication.
• Handling device interrupts and interactions.
Define security access points. List out those that apply to most
databases.
Security Access Points refer to specific locations or mechanisms within a system or database
where access control measures are implemented to ensure that only authorized users can
interact with resources or data. These access points help protect sensitive information and
maintain the overall security of the system. In the context of databases, the following security
access points commonly apply:
1. Data Storage and Retrieval: Efficiently store and organize data, making it
accessible for users' queries and needs.
2. Data Manipulation: Modify and maintain data accurately by inserting, updating,
and deleting records while enforcing integrity rules.
3. Data Definition and Schema Management: Define the database structure,
including tables, fields, and relationships, and adapt it to changing requirements.
4. Query Language and Reporting: Enable users to retrieve specific data using a
query language like SQL, and generate reports for analysis and decision-making.
The purpose of an Information System (IS) is to effectively gather, process, store, and distribute
information to support decision-making, streamline operations, enhance communication, and
enable strategic planning within an organization. IS serves to:
1. Enable Decision-Making: Information systems offer accurate and timely data for
informed choices by individuals and management.
2. Improve Efficiency: They automate processes, reducing manual effort and
enhancing operational speed.
3. Enhance Communication: Information systems enable seamless data sharing,
fostering collaboration among teams and departments.
4. Support Strategic Planning: By providing insights and trends, they aid in
aligning goals, resources, and actions for long-term success.
Q. Name two best practices for user administration and illustrate how each example
enhances operating system security. (4 marks)
Q. List the best practices to adopt for secure file transfer
1. Encryption: Protect data while it's being transferred by encoding it, ensuring
only authorized recipients can decipher it.
2. Authentication: Verify the identity of users before allowing them to access or
transfer files, preventing unauthorized access.
3. Secure Protocols: Use protocols like SFTP (secure file transfer protocol) and
HTTPS (secure web protocol) to ensure data integrity and confidentiality.
4. Regular Updates: Keep file transfer tools and systems up-to-date with the latest
security patches to counteract potential vulnerabilities.
Q. Discuss the different client/server tier designs
1. Two-Tier Design:
• Client directly communicates with the server, leading to potential coupling
between user interface and data handling.
• Suitable for simpler applications where separation of concerns is less
critical.
2. Three-Tier Design:
• Middleware layer acts as an intermediary, reducing direct communication
between client and server.
• Offers better maintenance and scalability, making it suitable for
applications requiring modularity.
3. Multi-Tier (N-Tier) Design:
• Each additional tier adds complexity and communication overhead,
requiring careful architecture planning.
• Enables fine-grained scalability and flexibility, advantageous for large-scale
applications.
Virtual Private Database (VPD) architecture and its implementation in Oracle?
Virtual Private Database (VPD) is a security feature introduced in Oracle Database
Enterprise Edition. It is used when object privileges and database roles are inadequate
to meet the security requirements. The number and complexity of the policies grow with
the security requirements they have to enforce. VPD is associated with the "application
context" feature; contexts are used to manage the data during the execution of SQL
statements. A complex VPD example might read an application context set by a logon
trigger, and a simple VPD example might restrict access to data to business hours.
Advantages of VPD:
• Higher Accessibility: Users can easily access the data from anywhere.
• Flexibility: It can be easily modified without breaking the control flow.
• Higher Recovery Rate: The data can be retrieved very easily.
• Dynamically Secured: No need to maintain complex roles.
• No back doors: The security policy is attached to the data, so it cannot be bypassed.
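A simple VPD policy of the kind described above, driven by an application context, as an added example that is not part of the original notes. It assumes hr.employees (with a manager_id column), a security-administrator schema sec_admin, and a logon trigger (not shown) that calls sec_admin.hr_ctx_pkg.set_ctx for each session after identifying the user.

```sql
-- Added example, not from the original notes: a simple VPD policy of the kind described
-- above, driven by an application context. Assumed objects: hr.employees (manager_id column),
-- a security-administrator schema sec_admin, and a logon trigger (not shown) that calls
-- sec_admin.hr_ctx_pkg.set_ctx for each session after identifying the user.

-- 1. Application context, writable only through the named package.
CREATE CONTEXT hr_ctx USING sec_admin.hr_ctx_pkg;

CREATE OR REPLACE PACKAGE sec_admin.hr_ctx_pkg AS
    PROCEDURE set_ctx(p_employee_id IN NUMBER, p_is_hr_staff IN VARCHAR2);
END;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.hr_ctx_pkg AS
    PROCEDURE set_ctx(p_employee_id IN NUMBER, p_is_hr_staff IN VARCHAR2) IS
    BEGIN
        DBMS_SESSION.SET_CONTEXT('hr_ctx', 'employee_id', TO_CHAR(p_employee_id));
        DBMS_SESSION.SET_CONTEXT('hr_ctx', 'is_hr_staff', p_is_hr_staff);
    END;
END;
/

-- 2. Policy function: receives (schema, object) and returns a predicate string that
--    Oracle appends to the WHERE clause of every statement the policy covers.
CREATE OR REPLACE FUNCTION sec_admin.emp_rows_for_manager (
    p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
AS
BEGIN
    IF SYS_CONTEXT('hr_ctx', 'is_hr_staff') = 'Y' THEN
        RETURN '1=1';                                -- HR staff: unrestricted
    END IF;
    -- Others see only rows they manage. With the context unset, SYS_CONTEXT yields
    -- NULL and the predicate matches no rows: fail closed rather than open.
    RETURN 'manager_id = TO_NUMBER(SYS_CONTEXT(''hr_ctx'', ''employee_id''))';
END;
/

-- 3. Attach the policy. The predicate is added transparently to every covered
--    statement, so no client or tool can read the table without it.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'EMPLOYEES',
        policy_name     => 'EMP_MANAGER_ONLY',
        function_schema => 'SEC_ADMIN',
        policy_function => 'EMP_ROWS_FOR_MANAGER',
        statement_types => 'SELECT,UPDATE,DELETE',
        update_check    => TRUE);   -- also reject updates that move a row out of view
END;
/
```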
Disadvantages of VPD:
Designing and implementing password policies in SQL Server is essential for enhancing
security and ensuring that user accounts have strong and secure passwords. SQL Server
provides several features and options for configuring password policies. Here are the
steps to design and implement password policies in SQL Server:
Column-level privileges are permissions within a database that grant or deny access to specific
columns (fields) in database tables. They enable fine-grained control over who can perform
actions (e.g., SELECT, INSERT, UPDATE, DELETE) on individual columns, providing enhanced data
security and privacy. Implementing them involves specifying the column name, the privilege,
and the user or role, with syntax varying by database system. They are crucial for safeguarding
sensitive data and ensuring regulatory compliance in scenarios where not all users should have
access to all data within a table.
1. Syntax: The syntax for defining column-level privileges varies depending on the
database management system. Generally, it involves specifying the column name,
the privilege (e.g., SELECT, INSERT, UPDATE, DELETE), and the user or role to
which the privilege is granted or denied.
2. Example: In SQL Server, the GRANT and DENY statements control column-level
permissions, for instance:
    GRANT SELECT (ColumnName) ON TableName TO UserName;
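Column-level GRANT and DENY in SQL Server, worked through on a sample table and verified by impersonation, as an added example that is not from the original notes. The table dbo.Employees and the user payroll_clerk are assumed names created in the block.

```sql
-- Added example, not from the original notes: column-level GRANT/DENY in SQL Server.
-- Assumed objects: table dbo.Employees and database user payroll_clerk (both created here).
CREATE TABLE dbo.Employees (
    EmployeeId INT           PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    Department NVARCHAR(50)  NOT NULL,
    Salary     DECIMAL(10,2) NOT NULL,
    NationalId CHAR(11)      NOT NULL      -- sensitive identifier
);
INSERT INTO dbo.Employees VALUES                    -- constructed sample rows
    (1, N'A. Example', N'Finance', 52000.00, '000-00-0001'),
    (2, N'B. Example', N'IT',      61000.00, '000-00-0002');

-- A database user without a login is enough to test permissions locally.
CREATE USER payroll_clerk WITHOUT LOGIN;

-- Grant SELECT on the non-sensitive columns only (column list in parentheses).
GRANT SELECT (EmployeeId, FullName, Department) ON dbo.Employees TO payroll_clerk;
-- Allow this user to change salaries but nothing else in the row.
GRANT UPDATE (Salary) ON dbo.Employees TO payroll_clerk;
-- A column-level DENY overrides a table-level GRANT the user may later inherit
-- through a role, so NationalId stays hidden even if the role is over-granted.
DENY SELECT (NationalId) ON dbo.Employees TO payroll_clerk;

-- Verify by impersonating the user.
EXECUTE AS USER = 'payroll_clerk';
SELECT EmployeeId, FullName, Department FROM dbo.Employees;   -- succeeds
SELECT * FROM dbo.Employees;                                   -- fails: SELECT denied on Salary and NationalId
REVERT;

-- Review which columns each principal may touch (minor_id = column_id for column grants).
SELECT pr.name AS principal, dp.permission_name, dp.state_desc, c.name AS column_name
FROM sys.database_permissions dp
JOIN sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
LEFT JOIN sys.columns c ON c.object_id = dp.major_id AND c.column_id = dp.minor_id
WHERE dp.major_id = OBJECT_ID('dbo.Employees')
ORDER BY pr.name, c.name;
```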
How to Create SQL Server Logins
1. Access SQL Server Management Studio (SSMS): Start by launching SQL Server
Management Studio, the primary tool for administering SQL Server.
2. Connect to the SQL Server Instance: In SSMS, connect to the specific SQL
Server instance where you want to create the login. You must have administrative
privileges or belong to a role with the necessary permissions.
3. Navigate to the "Logins" Folder:
• In the Object Explorer panel, locate and expand the "Security" node to
reveal the "Logins" folder. This is where you manage all SQL Server logins.
4. Create a New Login:
• Right-click on the "Logins" folder and select "New Login" from the context
menu.
• In the "Login - New" dialog box that appears, you can define the login by
specifying:
• Login Name: This can be a Windows user or group (Windows
Authentication) or a SQL Server login (SQL Server Authentication).
For SQL Server Authentication, you'll need to provide a unique login
name and password.
• Default Database: Choose the default database that the login will
connect to by default.
• Server Roles (Optional): Assign server roles like sysadmin,
serveradmin, or securityadmin if necessary.
• User Mapping: If you want this login to have access to specific
databases, go to the "User Mapping" tab. Select the databases and
assign roles and permissions within each database.
• Review the settings to ensure they are accurate.
• Finally, click the "OK" button to create the login.
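The T-SQL equivalent of the SSMS "New Login" steps above, with the SQL Server password policy options from the earlier section enforced, as an added example that is not from the original notes. The login app_reader, the database SalesDb and the placeholder login legacy_app are assumed names; db_datareader is a built-in database role.

```sql
-- Added example, not from the original notes: the T-SQL equivalent of the SSMS "New Login"
-- steps above, with SQL Server's password policy options enforced. Assumed names: login
-- app_reader and database SalesDb (db_datareader is a built-in database role).

-- CHECK_POLICY applies the host's Windows password complexity and lockout policy;
-- CHECK_EXPIRATION applies its maximum password age; MUST_CHANGE forces a reset at first use.
CREATE LOGIN app_reader
    WITH PASSWORD = 'ChangeMe!Now-2024' MUST_CHANGE,    -- constructed initial value
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = SalesDb;

-- The "User Mapping" tab: create the database user for the login and put it in a
-- role, rather than granting object permissions to the login directly.
USE SalesDb;
CREATE USER app_reader FOR LOGIN app_reader;
ALTER ROLE db_datareader ADD MEMBER app_reader;

-- Review step: SQL-authenticated logins whose policy is not enforced, or whose password
-- is expired or locked out. These are the accounts to fix first.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(name, 'IsExpired')           AS is_expired,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
   OR LOGINPROPERTY(name, 'IsLocked') = 1
   OR LOGINPROPERTY(name, 'IsExpired') = 1;

-- Remediate a finding without needing the account's password
-- (legacy_app is a placeholder name):
ALTER LOGIN legacy_app WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```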
What are the Oracle default users and SQL Server default users?
Oracle and SQL Server have default users with specific roles and purposes. The Oracle
default users are:
1. SYSTEM: The SYSTEM user is the database administrator with full privileges. It is
used for database maintenance and management tasks.
2. SYS: The SYS user is the superuser and has the highest level of database
privileges. It is used for database administration tasks and should be used
sparingly.
3. HR: The HR user is used for the Human Resources (HR) schema, which provides
sample data for tutorials and demonstrations.
4. SCOTT: The SCOTT user is used for the SCOTT schema, another sample schema
with tables and data for educational purposes.
List the system tables you would use to view all users in an Oracle database.
To view more details about all users in an Oracle database, you can extend your query to include
additional columns from the DBA_USERS view. Here's an example query that provides more
information about the users:
In this query:
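An account review built on the DBA_USERS view named above, as an added example that is not from the original notes. It joins DBA_ROLE_PRIVS to show which accounts hold the DBA role and flags open sample schemas; it assumes a privileged session (the DBA role or SELECT ANY DICTIONARY).

```sql
-- Added example, not from the original notes: an account review using the DBA_USERS view
-- named above, joined with DBA_ROLE_PRIVS to show which accounts hold the DBA role.
-- Requires a privileged session (e.g. the DBA role or SELECT ANY DICTIONARY).
SELECT u.username,
       u.account_status,        -- OPEN, LOCKED, EXPIRED, EXPIRED & LOCKED, ...
       u.profile,               -- password/resource profile governing the account
       u.authentication_type,   -- PASSWORD, EXTERNAL, GLOBAL or NONE
       u.created,
       CASE WHEN r.grantee IS NOT NULL THEN 'YES' ELSE 'NO' END AS has_dba_role
FROM   dba_users u
LEFT JOIN dba_role_privs r
       ON  r.grantee      = u.username
       AND r.granted_role = 'DBA'
ORDER BY has_dba_role DESC, u.username;

-- Sample schemas such as HR and SCOTT (listed above) should not stay open outside a lab.
SELECT username, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  username IN ('HR', 'SCOTT', 'OE', 'SH')   -- OE and SH are further Oracle sample schemas
AND    account_status = 'OPEN';

-- Remediation for a finding from the query above:
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
```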
1. Data Classification:
• Define data classification levels to categorize data based on its sensitivity
(e.g., public, confidential, restricted).
• Determine appropriate security controls for each classification.
2. Access Control:
• Implement Role-Based Access Control (RBAC) to manage and restrict user
access based on roles.
• Enforce the principle of least privilege, ensuring users have only the
necessary access rights.
3. Fine-Grained Access Control:
• Apply access controls at the table and column levels to restrict data
exposure.
• Utilize views, stored procedures, and triggers for more granular control.
4. Authentication and Authorization:
• Enforce strong user authentication methods, such as username/password,
multi-factor authentication (MFA), or integration with identity providers.
• Specify authorization policies that determine which users or roles can
access specific tables and data.
5. Data Encryption:
• Encrypt data in transit and at rest to protect against eavesdropping and
unauthorized access.
• Utilize Transparent Data Encryption (TDE) or application-level encryption
as needed.
1. Symmetric Encryption
2. Asymmetric Encryption
Implementing row and column-level security in SQL Server involves controlling access to
specific rows and columns of data based on user privileges. Here's a concise four-mark
answer:
These measures collectively enable row and column-level security in SQL Server,
safeguarding data by controlling access at the finest levels of granularity.
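Row-level security in SQL Server with a predicate function and a security policy, as an added example that is not from the original notes (column-level control was shown earlier with GRANT/DENY). The table dbo.Orders, its SalesRep column holding the owning database user name, and the users rep_a and rep_b are assumed names created in the block.

```sql
-- Added example, not from the original notes: row-level security in SQL Server with a
-- predicate function and a security policy. Assumed objects (created here): dbo.Orders,
-- whose SalesRep column holds the database user name owning each row, and users rep_a, rep_b.
CREATE TABLE dbo.Orders (
    OrderId  INT           PRIMARY KEY,
    SalesRep SYSNAME       NOT NULL,
    Amount   DECIMAL(10,2) NOT NULL
);
INSERT INTO dbo.Orders VALUES (1, 'rep_a', 100.00), (2, 'rep_b', 250.00), (3, 'rep_a', 75.00); -- constructed
CREATE USER rep_a WITHOUT LOGIN;
CREATE USER rep_b WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.Orders TO rep_a, rep_b;
GO
-- Keep the predicate in its own schema so the users it filters cannot alter it.
-- It returns a row (i.e. allows access) when the caller owns the row or is db_owner.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_OrdersPredicate (@SalesRep AS SYSNAME)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @SalesRep = USER_NAME()
              OR IS_MEMBER('db_owner') = 1;
GO
-- FILTER silently hides other reps' rows from SELECT/UPDATE/DELETE;
-- BLOCK ... AFTER INSERT rejects rows a rep tries to attribute to someone else.
CREATE SECURITY POLICY Security.OrdersPolicy
    ADD FILTER PREDICATE Security.fn_OrdersPredicate(SalesRep) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_OrdersPredicate(SalesRep) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- Verify: each rep sees only its own rows and cannot insert rows as the other rep.
EXECUTE AS USER = 'rep_a';
SELECT OrderId, Amount FROM dbo.Orders;             -- returns orders 1 and 3 only
INSERT INTO dbo.Orders VALUES (4, 'rep_b', 10.00);  -- fails: blocked by the security policy
REVERT;
```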
What is the need for auditing a database? In what ways can it be audited?
Auditing a database is a crucial process for ensuring the integrity, security, and accountability of
the data and operations within a database management system. There are several reasons for
auditing databases:
This four-point summary highlights the key reasons for auditing databases.
Triggers are used to enforce data integrity, automate actions, and capture and respond
to database events. There are two main types of triggers in Oracle:
1. Trigger Types: Oracle triggers come in two main types: row-level triggers
(before and after) and statement-level triggers (before and after). Row-level
triggers operate on each affected row, while statement-level triggers work on a
group of rows.
2. Event Association: Triggers can be associated with various database events,
including DML events (e.g., INSERT, UPDATE, DELETE), DDL events (e.g., CREATE,
ALTER, DROP), and database events (e.g., logon/logoff events).
3. Purpose: Triggers are used for automating actions, enforcing data integrity
constraints, logging changes, and implementing business rules. They can respond
to specific events or conditions in the database.
4. Example: For instance, a row-level trigger can be defined to execute custom
logic before an INSERT operation on an 'employees' table, validating data or
modifying it as needed. These triggers can help maintain data quality and
consistency.
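An Oracle row-level trigger on the employees table mentioned above that validates salary changes and writes an audit row, as an added example that is not from the original notes; it illustrates both the auditing passage and the trigger passage. It assumes a connection to the HR sample schema (employees with employee_id and salary columns); the audit table is created in the block.

```sql
-- Added example, not from the original notes: an Oracle row-level trigger on the
-- employees table mentioned above that validates salary changes and writes an audit row,
-- illustrating both the auditing and the trigger passages. Assumes a connection to the
-- HR sample schema (employees with employee_id and salary); the audit table is created here.
CREATE TABLE emp_salary_audit (
    audit_id    NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    employee_id NUMBER        NOT NULL,
    old_salary  NUMBER(8,2),
    new_salary  NUMBER(8,2),
    changed_by  VARCHAR2(128) NOT NULL,  -- database session user
    os_user     VARCHAR2(128),           -- client OS account, for accountability
    changed_at  TIMESTAMP     NOT NULL,
    operation   VARCHAR2(6)   NOT NULL   -- INSERT or UPDATE
);

CREATE OR REPLACE TRIGGER trg_emp_salary_audit
    BEFORE INSERT OR UPDATE OF salary ON employees
    FOR EACH ROW                         -- row-level: fires once per affected row
DECLARE
    v_operation  VARCHAR2(6) := 'INSERT';
    v_old_salary NUMBER(8,2);
BEGIN
    IF UPDATING THEN
        v_operation  := 'UPDATE';
        v_old_salary := :OLD.salary;
    END IF;
    -- Validation: the error aborts the triggering statement, so no bad row is stored.
    IF :NEW.salary < 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Salary cannot be negative');
    ELSIF UPDATING AND :NEW.salary < :OLD.salary * 0.5 THEN
        RAISE_APPLICATION_ERROR(-20002, 'Salary cut exceeds 50%; manual approval required');
    END IF;
    -- Audit: who changed what, from where, and when.
    INSERT INTO emp_salary_audit
        (employee_id, old_salary, new_salary, changed_by, os_user, changed_at, operation)
    VALUES
        (:NEW.employee_id, v_old_salary, :NEW.salary,
         SYS_CONTEXT('USERENV', 'SESSION_USER'),
         SYS_CONTEXT('USERENV', 'OS_USER'),
         SYSTIMESTAMP, v_operation);
END;
/

-- Exercise it: the first update is logged, the second is rejected with ORA-20001.
UPDATE employees SET salary = salary * 1.05 WHERE employee_id = 100;
UPDATE employees SET salary = -1 WHERE employee_id = 100;
SELECT employee_id, old_salary, new_salary, changed_by, operation FROM emp_salary_audit;
```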
How are data mining techniques used to preserve privacy in a database? (12 marks)