IST 210: Organization of Data Security - PowerPoint PPT Presentation

1
IST 210: Organization of Data Security
  • James Z. Wang
  • School of Information Sciences and Technology
  • http://wang.ist.psu.edu

2
Outline
  • Why security is important
  • Security framework
  • Models of security
  • Security policies

3
Specific Questions
  • Why does cryptology not help?
  • What security policies are available for DB?
  • What can these policies do?
  • What are their limitations and leakages?
  • How can they be applied to DB?
  • What security features must a DB have?

4
Why Important?
  • We all shop online using our credit cards
  • Most shops store credit cards as an unprotected
    attribute
  • Every day, some credit card databases are hacked
    and compromised
  • Security lock at the bottom of your browser
    window?
      • Encryption and decryption over network
      • Not database security

5
(searched with keywords "hacked credit cards" on google.com)

Vast online credit card theft revealed
Hacker hid data on 485,000 cards on U.S. agency's Web site
March 17, 2001

6
Egghead scrambles to gauge damage
December 22, 2000, ZDNet News

An intruder potentially poached the online retailer's database of 3.7 million customers, including credit cards. The FBI and security experts are now on the case.

Robertson said that Egghead.com is using Microsoft's Internet Information Server, a common e-business server, as the platform for its online service. IIS is known to have had many security flaws.

http://news.excite.com/news/zd/001222/15/egghead-scrambles-to

7
Hackers Get Bill Gates' Credit Card
http://dgl.com/itinfo/2000/it000326.html
March 26, 2000

Raphael Gray may style himself the white-hatted "Saint of E-Commerce," but he's got a lot of explaining to do after he and another 18-year-old friend were arrested for holding the credit card account number of Microsoft's Bill Gates, the world's richest man.

Gray, 18, and a friend hacked into 9 e-commerce sites and stole credit card information related to 26,000 people in the United States, Canada, Thailand, Japan, and Britain. Gates' information was emailed to NBCi, a subsidiary of the National Broadcasting Company.

They were caught by a joint investigation of the Federal Bureau of Investigation, Welsh police, the Royal Canadian Mounted Police and Internet security consultants. Significant assistance was provided by the international banking and credit card industry. The total losses attributable to Gray's online pranks could exceed $3 million, according to the FBI.

8
Why Should a DB Designer Care?
  • Loss of reputation, money, time, data, ...
  • Why should a consumer shop at egghead.com if they
    cannot even secure a credit card number?
  • One day of downtime at places like Yahoo!, eBay,
    amazon.com could mean loss of millions of
  • A system break-in took down the server of IST210
    for two days. 180 students were waiting. The
    professor spent 20 hours.

9
Security Framework
  • Secrecy
      • Information must be protected from unauthorized
        disclosure
      • Including direct retrieval and logical inference
  • Integrity
      • Information must be protected from unauthorized
        modification
      • Including the insertion of false data and the
        deletion of data
  • Availability
      • Information must be available when the users need
        it

10
Security Mechanisms
  • Identification, authorization
      • OS level, DBMS (e.g., login and password, secure
        transmission via encryption)
  • Authorization, access controls
      • DBMS, security module (e.g., GRANT, REVOKE)
  • Integrity, consistency
      • DBMS, data checks, transaction processing
  • Auditing, backup
      • OS level, DBMS (e.g., logs, tapes)

11
Models of Security
  • A security model is an abstraction used to
    represent a security policy of an organization
  • Security object: passive entity that contains or
    receives information
  • (E.g., DB, relation, view, tuple, a memory
    segment, a paycheck printer, ...)
  • Security subject: active entity, often in the
    form of a person (user) or process (e.g., ASP
    code) operating on behalf of a user
  • Responsible for the DB security

12
Model 1: DAC
  • Discretionary Access Control (DAC)
  • Security objects, security subjects, and access
    privileges
  • Basic primitives
  • Users can protect the data they own
  • The owner may GRANT access to others
  • The owner may define the type of access (read,
    write, execute, ...) given to others
  • Granting and revoking of access permission is
    at the discretion of the users themselves
  • Advantages: well-studied, supported by DBMS
  • Disadvantages: not always in line with the real world

13
Model 2: Military Security
  • Security objects and security subjects are
    assigned security labels
  • A subject can access an object if the clearance
    level is at least as high as the classification
    of the object

[Figure: security labels arranged by level, toward "High Security": Top Secret, Secret, Classified, Confidential; Company Confidential, Public Information]

14
Model 3: Need-to-Know Principle
  • Each security object is associated with one or
    more projects, called compartments.
  • A security subject is allowed to access an object
    if the subject has a need to know the content of
    the object
  • Common practice in medicine and manufacturing
  • Example: a regular physician should not need to
    know if a VIP patient has HIV or not
  • Example: at Boeing, a tail engineer has a need to
    know the design of the tail. (But he can release
    the length of the antenna, which is classified
    information. Length → frequency!)

15
Model 4: Personal Knowledge
  • The world is seen as a set of persons
  • Data encapsulation: A person is an object and has
    permanent knowledge about itself
  • Friendship: Persons are acquainted with other
    persons
  • Functions/Methods: Persons are assigned to roles
    that have certain authorities
  • Messages: If a person wants to know something
    about another person, send a message. The
    receiver reacts based on roles and authorities.
  • OBJECT-ORIENTED approach

16
Model 5: Check-at-the-Door
  • Example: at a supermarket, you take whatever you
    want. You pay when you check out.
  • A subject can access the level of objects he/she
    is entitled to
  • BUT, before an object is viewed or taken out, the
    content of the object is checked
  • Example: if the keyword "HIV" appears in the
    patient record, a normal physician may not be
    able to read it
  • Example: if the keyword "antenna" appears in the
    document, a normal plane tail engineer may not be
    able to read or copy it
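
Added example (not part of the original slides): one access check that combines Model 2 (labels), Model 3 (compartments) and Model 5 (content check at the door), denying unless all three agree. The label ordering, the shared-compartment rule for need-to-know, the per-subject keyword deny-list and all names and records are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed label ordering (low -> high); the slides do not fix one.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    compartments: frozenset = frozenset()
    blocked_keywords: frozenset = frozenset()  # Model 5 deny-list (assumption)

@dataclass(frozen=True)
class SecurityObject:
    name: str
    classification: str
    compartments: frozenset
    content: str

def check_access(subject, obj):
    """Return (allowed, reason). Deny unless every model allows the access."""
    # Model 2: clearance must be at least as high as the classification.
    have = LEVELS.get(subject.clearance, -1)            # unknown label: lowest
    need = LEVELS.get(obj.classification, len(LEVELS))  # unknown label: above all
    if have < need:
        return False, "clearance below classification"
    # Model 3: need-to-know, modelled here as sharing at least one compartment.
    if not (subject.compartments & obj.compartments):
        return False, "no need to know"
    # Model 5: inspect the content itself before it is released.
    text = obj.content.lower()
    for kw in sorted(subject.blocked_keywords):
        if kw.lower() in text:
            return False, f"content check: keyword {kw!r}"
    return True, "ok"

# Constructed sample data, modelled on the slides' hospital example.
ward = frozenset({"ward-3"})
physician = Subject("regular_physician", "confidential", ward, frozenset({"HIV"}))
specialist = Subject("hiv_specialist", "confidential", ward)
billing = Subject("billing_clerk", "confidential", frozenset({"billing"}))
record_a = SecurityObject("patient-17", "confidential", ward,
                          "Admitted with fracture; HIV test positive.")
record_b = SecurityObject("patient-18", "confidential", ward, "Admitted with fracture.")
record_c = SecurityObject("patient-19", "secret", ward, "VIP admission.")
```

The keyword test is a plain substring match, as on the slide; it misses synonyms and paraphrases, which is one of the leakages the label-based models share with it.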

17
Many Other Models
  • Bell and LaPadula Model
  • Biba Model
  • Clark and Wilson Model
  • Others ...
  • You need to choose and implement a model for
    your application requirements
  • May need to combine models
  • SQL cannot solve all security problems
  • Often you need to write programs

18
Security Tips
  • Install all security patches
      • Hackers often hack through known security holes
  • Backup
      • Frequent backup of data on tapes and disks
      • Backup to remote sites to protect against fire,
        earthquake, etc.
  • Secure development environments
      • Don't keep sensitive data in R&D databases
        unguarded
  • Be aware of default user and application accounts
      • Many systems are shipped with the same default
        root/admin account password

19
(cont.)
  • Use auditing effectively
      • Mine the auditing logs generated by the DBMS
      • (in reality) most administrators turn off
        auditing to save disk space
  • Passwords
      • Do not use dictionary words in passwords
      • Do not use the same password for many accounts
      • Changes: mandatory, simple procedure
  • Isolate your production DB
      • Don't run everything on one machine

20
Bottom Lines
  • Don't assume a computer is secure as long as
    it is connected with a network cable.
  • Don't assume a database is secure as long as
    it runs sensitive data.
  • DB Manager is a job with high salary and
    extremely high responsibilities.