Data Security - PowerPoint PPT Presentation

About This Presentation

Title: Data Security

Description: Merchant has access to product info, price, payment approval ... Even if your credit card information is transmitted securely, it may not be stored securely. ... (PowerPoint PPT presentation)

Slides: 80
Provided by: terr81

Transcript and Presenter's Notes

1
Data Security
  • CSE530A Database Management Systems
  • November 16, 2005
  • Stephanie McCarthy
  • Crystal Miller
  • Rebecca Miller-Webster

2
Outline
  • Overview
  • Threats
  • Countermeasures
  • Authorization
  • Access Controls
  • Views
  • Backup and Recovery
  • Integrity
  • Encryption
  • RAID
  • DBMS and Web Security
  • Proxy Servers
  • Firewalls
  • Message Digest Algorithms and Digital Signatures
  • Digital Certificates
  • DBMS and Web Security (contd)
  • Kerberos
  • Secure Sockets Layer and Secure HTTP
  • Secure Electronic Transactions and Secure
    Transaction Technology
  • Security in MS SQL Server
  • Case Study CreditCards.com
  • Security Issue Inference
  • HIPAA
  • Security Policies
  • Active Research Areas

3
Database Security
  • The mechanisms that protect the DB against
    intentional or accidental threats
  • Security situations to consider
  • theft and fraud
  • loss of confidentiality (secrecy)
  • loss of privacy
  • loss of integrity
  • loss of availability

4
Threats
  • Any situation or event, whether intentional or
    accidental, that may adversely affect a system
    and consequently the organization
  • Organizations should
  • identify threats
  • initiate plans and countermeasures
  • focus resources on threats that could have
    significant impact

5
Countermeasures Authentication
  • A mechanism which determines whether a user is
    who they claim to be
  • Goals
  • To authenticate subjects requesting access to a
    database's resources.

6
Countermeasures Authentication
  • Standard Implementation
  • Very similar to OS model of authentication
  • An administrator creates individual user
    accounts, with associated passwords
  • Each account is given a unique identifier by
    which the system can determine who they are
  • When a user attempts to log on, the system does a
    basic lookup to verify that the information
    provided is correct and that the account is
    enabled.

7
Countermeasures Access Controls
  • Developed to provide more fine-grained access
  • Beyond the basic all or nothing access to a
    system, users can be granted or restricted access
    to particular resources
  • e.g. relations, views, indices, certain utilities

8
Countermeasures Access Controls
  • Discretionary Access Control (DAC)
  • Part of the ISO SQL Standard
  • Provided by virtually all commercial DBMSs
  • Based upon GRANT/REVOKE commands
  • Example

      GRANT ALL PRIVILEGES
      ON Staff
      TO Manager WITH GRANT OPTION

  • Has some known flaws
  • An unauthorized user can trick an authorized user
    into disclosing restricted information (the
    classic Trojan-horse attack: the authorized user
    runs a program supplied by the attacker that
    copies rows from Staff into a table the attacker
    has been granted access to)

9
Countermeasures Access Controls
  • Mandatory Access Control (MAC)
  • Based on system-wide policies that cannot be
    changed by individual users.
  • Each database resource and user is assigned a
    security class and clearance
  • Biggest drawback is rigidity of these
    restrictions.

10
Countermeasures Views
  • View - a dynamic result of one or more
    relational operations operating on the base
    relations to produce another relation
  • Hide parts of database from certain users
  • The user is not aware of any attributes or rows
    that are missing from the view
  • More restrictive than giving users access to the
    base relations.

11
Countermeasures Backup Recovery
  • Backup copies
  • Taken periodically; the starting point for recovery
  • Log File/Journal
  • Records every update applied to the database
  • Lets changes made after the last backup be
    re-applied (rolled forward) during recovery

12
Countermeasures Integrity
  • Prevent information from becoming invalid
  • Avoid misleading/ incorrect results

13
Countermeasures Encryption
[Figure: encryption overview (source: CS 505A website); not reproduced in the transcript]
14
Countermeasures Encryption
  • Cryptosystem
  • Encryption key
  • Encryption algorithm
  • Plaintext to ciphertext with encryption key
  • Decryption key
  • Decryption algorithm
  • Ciphertext to plaintext with decryption key

15
Countermeasures Encryption
  • Techniques
  • Symmetric encryption
  • Encryption key = Decryption key (a shared secret)
  • Examples DES, AES
  • Asymmetric encryption
  • Encryption key ≠ Decryption key
  • Examples public-key cryptosystems such as RSA

16
Countermeasures Encryption
  • Database security characteristics
  • No person should be able to directly read, write,
    destroy, or modify data in unauthorized manner
  • Impossible to infer value of any data item by
    manipulating data
  • Flexible security mechanism
  • Accessibility of system not reduced
  • Encryption and decryption should be fast

17
Countermeasures Encryption
  • Database security characteristics (contd)
  • Stored data is not largely expanded
  • Reasonable security implementation cost
  • System secure or require extremely high work
    factor to break
  • Encipherment must be record oriented
  • Support Subschema
  • Prevent pattern matching
  • Prevent substitution of encrypted values

18
Countermeasures RAID
  • Redundant Array of Independent/Inexpensive Disks
  • Improve performance
  • use disk array to read/write data in parallel
    thus improving the speed
  • Improve fault tolerance
  • use disk array in which part of the storage
    capacity is used to store redundant information
    about the data stored in the remainder of the
    storage capacity

19
Countermeasures RAID
  • Raid 0 Striping (without parity)
  • Data striping (spreading out blocks of each file
    across multiple disks)
  • No redundancy
  • Drive Requirement 2

20
Countermeasures RAID
  • Advantages
  • Increased I/O performance
  • No capacity overhead
  • Simple design
  • Easy to implement
  • Disadvantages
  • Not fault tolerant
  • Any single drive failure results in lost data

21
Countermeasures RAID
  • Raid 1 Mirroring or Duplexing
  • Utilize 50% of the drive capacity to store a copy
    of the data
  • Drive requirement 2

22
Countermeasures RAID
  • Advantages
  • One write goes to both disks; reads can be served
    from either disk
  • Rebuild not required: a complete copy already
    exists
  • Disadvantages
  • High overhead (half the capacity holds copies)
  • Data is lost if both disks of a mirrored pair fail

23
Countermeasures RAID
  • Raid 0+1 (striped sets that are then mirrored)
  • Data striping + mirroring for redundancy
  • Drive requirement 4

24
Countermeasures RAID
  • Raid 2 - 5
  • Use parity/ error correcting code instead of
    mirroring
  • Saves storage cost
  • XOR parity: P = A xor B, so either data block can
    be rebuilt from the other block and the parity
  • A = B xor (A xor B)
  • B = A xor (A xor B)

Source MIM 505A
25
Countermeasures RAID
  • Raid 2 Bit level striping with Hamming code
  • Each bit of a data word is stored on a separate
    disk
  • Each word has its Hamming code ECC word on the ECC
    disks
  • Verify and correct on read
  • If an ECC disk and a data disk fail together, the
    array is lost
  • High ratio of ECC disk space to data disk space
    required

26
Countermeasures RAID
  • Advantages
  • Fast data correction
  • Disadvantages
  • Inefficient
  • high ratio of ECC disks to data disks with
    smaller word sizes

27
Countermeasures RAID
  • Raid 3 Bit level striping with dedicated parity
  • Disk Requirement 3

28
Countermeasures RAID
  • Advantages
  • Fast read/write of large sequential data
  • Little performance impact from a single disk
    failure
  • High efficiency (one parity disk for N data disks)
  • Disadvantages
  • Loses data if more than one disk (data or parity)
    fails at once

29
Countermeasures RAID
  • Raid 4 Block level striping with dedicated
    parity
  • Disk requirement 3 (two data disks plus one parity
    disk)

30
Countermeasures RAID
  • Raid 5 Block level striping with distributed
    parity
  • Disk requirement 3
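The XOR identity on the earlier slide is the whole of RAID 4/5 recovery, so here it is carried through on real bytes. This is an added example, not code from the slides: it stripes constructed sample data over four simulated disks with block-level parity rotated across disks (the RAID 5 layout; keeping the parity on one fixed disk would give RAID 4), drops one disk, and rebuilds it purely from the XOR of the survivors. Disk count, block size and the record are assumptions made for the demo.

```python
# Added example: block-level striping with rotated XOR parity (RAID 5 layout).
from typing import List, Optional

BLOCK = 4  # bytes per block; tiny so the layout is easy to inspect


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together: the parity operation itself."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def write_raid5(data: bytes, ndisks: int) -> List[List[bytes]]:
    """Stripe data over ndisks with one parity block per stripe.

    Stripe s holds ndisks-1 data blocks plus their XOR; the parity block sits on
    disk s % ndisks, which is the rotation that distinguishes RAID 5 from RAID 4
    (where it would always be the same disk). Returns disks[d][s].
    """
    ndata = ndisks - 1
    stripe_bytes = ndata * BLOCK
    padded = data + b"\0" * (-len(data) % stripe_bytes)
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        data_blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(ndata)]
        parity_disk = s % ndisks
        remaining = iter(data_blocks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(data_blocks) if d == parity_disk else next(remaining))
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Recover every block of the failed disk as the XOR of the survivors in its stripe.

    Works because P = A xor B xor ..., so any one member equals the XOR of the rest.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("single-parity RAID can rebuild exactly one failed disk")
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_raid5(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the data in order, skipping each stripe's parity block."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        out += b"".join(disks[d][s] for d in range(ndisks) if d != s % ndisks)
    return bytes(out[:length])


def demo() -> bytes:
    """Write a record, lose disk 1, rebuild it from the others, read the record back."""
    record = b"acct 4111-xxxx-xxxx-1111 balance 120.00"  # constructed sample data
    disks: List[Optional[List[bytes]]] = write_raid5(record, ndisks=4)
    before = list(disks[1])
    disks[1] = None                    # drive failure
    disks[1] = rebuild_disk(disks, 1)  # nothing but XOR of the three survivors
    assert disks[1] == before
    return read_raid5(disks, len(record))


if __name__ == "__main__":
    print(demo())
```

The ValueError in rebuild_disk is the RAID 6 motivation on the next slide: with a single parity block, a second concurrent failure leaves an equation with two unknowns.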

31
Countermeasures RAID
  • Raid 6 P+Q redundancy
  • Uses two independent parity blocks (P and Q, an
    error-correcting code) instead of a single parity
  • Protects against two simultaneous disk failures
  • Disk requirement N+2 (minimum 4)

32
Proxy Servers
  • Computer that sits between server and browser
  • Intercept requests to the server
  • Improve Performance and filter requests

33
Firewalls
  • System that prevents unauthorized access to and
    from a private network
  • Implemented in hardware, software, or both
  • Techniques
  • Packet Filter
  • Application Gateway
  • Circuit-Level Gateway
  • Proxy Server

34
Message Digest Algorithms
  • One way hash function
  • Takes an arbitrarily sized string and generates a
    fixed-length string (digest)
  • Infeasible to find another message that will
    generate the same digest
  • Digest reveals nothing about the message

35
Digital Signature
  • Computed from the data (a string of bits) and the
    private key of the individual signing it
  • Verifies that data is coming from a particular
    individual or organization
  • Authenticity can be verified by anyone holding the
    signer's public key
  • Cannot be forged without the private key
  • Function of the data that is signed
  • Signed data cannot be changed without invalidating
    the signature
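To make the two preceding slides concrete, here is a message digest and a digital signature over it in working code. This is an added example, not from the slides: the digest is SHA-256 from the standard library; the signature is textbook (unpadded) RSA with keys generated in-process by a small Miller-Rabin routine, enough to show that a signature is a function of both the data and the private key, that any change to the data invalidates it, and that another party's key cannot produce it. The key size, the seeding (for a reproducible demo only) and the sample message are assumptions; production code uses a vetted library with RSA-PSS or an elliptic-curve scheme.

```python
# Added example: SHA-256 digest plus schoolbook RSA sign/verify (illustration only).
import hashlib
import random
from typing import Optional, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def digest(message: bytes) -> bytes:
    """Fixed-length (32-byte) digest of an arbitrary-length message."""
    return hashlib.sha256(message).digest()


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand, rng):
            return cand


def keygen(bits: int = 512, seed: Optional[int] = None) -> Tuple[Key, Key]:
    """Return (public, private) keys. `seed` makes the demo reproducible; never seed real keys."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so gcd(e, phi) == 1 iff e does not divide phi
            break
    n, d = p * q, pow(e, -1, phi)
    return (n, e), (n, d)


def sign(private: Key, message: bytes) -> int:
    """Signature = digest^d mod n: depends on the data and on the private key."""
    n, d = private
    return pow(int.from_bytes(digest(message), "big"), d, n)


def verify(public: Key, message: bytes, signature: int) -> bool:
    """Recover the digest with the public key and compare with a fresh digest of the data."""
    n, e = public
    return pow(signature, e, n) == int.from_bytes(digest(message), "big")


if __name__ == "__main__":
    pub, priv = keygen(seed=1)
    msg = b"TRANSFER 100.00 FROM acct-1 TO acct-2"  # constructed sample message
    sig = sign(priv, msg)
    print(verify(pub, msg, sig), verify(pub, msg.replace(b"100", b"900"), sig))
```

The 32-byte digest is always smaller than the 512-bit modulus, which is what lets the unpadded demo work; real schemes pad the digest to the modulus size precisely because raw RSA on a short value is malleable.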

36
Digital Certificates
  • Attachment to an electronic message that binds a
    public key to the identity of its owner
  • Verifies that the user sending the message is who
    he/she claims to be
  • Provides the receiver with a key to encrypt a reply
  • User applies for a certificate from a Certificate
    Authority (CA)
  • CA issues the certificate, signed with the CA's own
    key, and makes it (with the public key it
    contains) available on the Internet
  • Receiver checks the CA's signature on the
    certificate, then uses the enclosed public key to
    verify the sender's signature and to encrypt a
    message back

37
Kerberos
  • Server providing secured user authentication and
    access information
  • Centralized security server (the Key Distribution
    Center) for all data and resources on a network,
    holding
  • Login/password info (each principal's secret key)
  • Database access privileges
  • Authorization control privileges
  • Issues time-limited tickets that clients present
    to services instead of re-sending passwords
  • Similar in function to a certificate server

38
Secure Sockets Layer
  • Cryptographic protocol which resides between the
    application-level protocols (e.g. HTTP) and
    transport-level protocols (e.g. TCP)
  • Designed to prevent eavesdropping, tampering, and
    message forgery
  • Creates secure connection between a client and a
    server, over which any amount of data can be sent
  • Can be used underneath application level
    protocols (HTTP, FTP, SMTP, NNTP) to make them
    more secure
  • Requires slight modification to application level
    protocols which use it, and transport layer
    interface
  • Basis for Transport Layer Security protocol

39
S-HTTP
  • Security-enhanced version of HTTP resides in
    application layer
  • Designed to transmit individual messages securely
  • Individual documents can be marked as private or
    signed
  • URLs begin with shttp:// (an https:// URL denotes
    ordinary HTTP carried over SSL, a different
    mechanism)
  • Is therefore complementary to SSL

40
SSL and S-HTTP
  • Heavily utilize cryptography and certificates
  • Allow clients and servers to authenticate each
    other
  • Permit site owners to control access to
    particular resources
  • Allow sensitive information to be shared securely
  • Ensure the integrity of data that is exchanged
    (accidental or deliberate modification in transit
    is detected)

41
Secure Electronic Transactions
  • Open, interoperable standard for processing
    credit card transactions over the Internet
  • Goal is simplicity and security matching that in
    retail stores
  • Merchant has access to product info, price,
    payment approval but not payment method
  • Card issuer has access to price but not product
    info
  • Heavy utilization of certificates for certifying
    cardholder and merchants relationship with
    financial institution
  • Application-level security

42
Secure Electronic Transactions
[Figure: SET transaction flow; Database Systems, Figure 19.11, p. 567; not reproduced in the transcript]
43
Secure Transaction Technology
  • Protocol to handle secure bank payments over the
    Internet
  • Uses DES to encrypt payment information
  • Uses RSA to encrypt bankcard info
  • Application-level security

44
Security in MS SQL Server
  • Login required to connect to each SQL Server
    instance
  • Windows authentication mode
  • vs. Mixed mode (Windows or SQL Server logins)
  • User accounts specific to each database; a login
    is mapped to a user in each database it may access

45
Security in MS SQL Server
  • Stored Procedures for security
  • sp_addlogin Creates a new login that allows
    users to connect to SQL Server using SQL Server
    authentication
  • sp_grantlogin Allows a Windows NT/2000 user
    account or group to connect to SQL Server using
    Windows authentication
  • sp_droplogin Drops a SQL Server login
  • sp_revokelogin Drops a Windows NT/2000
    login/group from SQL Server
  • sp_denylogin Prevents a Windows NT/2000
    login/group from connecting to SQL Server

46
Security in MS SQL Server
  • More Stored Procedures
  • sp_password Adds or changes the password for an
    SQL Server login
  • sp_helplogins Provides information about logins
    and their associated users in each database
  • sp_defaultdb Changes the default database for a
    login
  • sp_grantdbaccess Adds an associated user account
    in the current database for an SQL Server login
    or Windows NT/2000 login
  • sp_revokedbaccess Drops a user account from the
    current database
  • sp_helpuser Reports information about the
    Microsoft users and roles in the current database

47
Security in MS SQL Server
  • Helpful web resources
  • http://www.sql-server-performance.com/vk_sql_security.asp
  • www.SQLSecurity.com
  • http://www.windowsecurity.com/articles/Secure_SQL_Server.html
  • http://www.mssqlcity.com/Articles/Adm/SQL7SecMode/SQL70SecurityModes.htm

48
Case Study
49
Case Study CreditCards.com
  • An anonymous hacker using the pseudonym Maxus
    posted the following message on his Internet
    website: "Hello, my name is Maxus. I would like
    to present you a credit cards datapipe. If you
    press the button you will get a real credit card
    directly from the biggest online shop database.
    No kidding."
  • He wasn't kidding

50
How did this happen?
  • Even if your credit card information is
    transmitted securely, it may not be stored
    securely.

51
How did this happen? SQL Server
  • During the installation process, SQL Server
    prompts the user to create a system administrator
    (or "sa") account that grants full access to the
    database server.
  • Quickly installing older versions of SQL Server
    can result in creation of the system administrator
    account without any password at all!

52
How did this happen? SQL Server
  • In SQL Server 2000, you must acknowledge this
    security risk before allowing the creation of a
    password-free account.
  • BUT older versions of SQL Server still exist

53
How did this happen? Hacking SQL Server
  • Start the SQL Server client software on your own
    computer
  • Type in the address of the database server (often
    the same host as the web URL) and the login "sa"
  • If the sa account has no password, you
    immediately obtain full access to the database
    and can view, modify or delete information at
    will.

54
How to Prevent This
  • Use a strong password on the sa (administrator)
    account
  • Look at the services running on the machine with
    the database
  • Remove extraneous services to decrease complexity
    and the possibility of a vulnerability
  • Install a firewall on the server so the database
    port is reachable only from the application tier,
    not from the Internet

55
Elements of a Strong Password
  • Combine letters, numbers, words, special
    characters, upper case, and lower case
  • Do not use a single word in ANY dictionary
  • Replace certain letters with numbers or special
    characters
  • Even with replacements, do not use a single word
    in ANY dictionary
  • Use phrases

56
Elements of a Strong Password That you can
Remember
  • Vanity plates
  • Create a pattern for upper/lower case
    letter/number
  • Use the first letters of a favorite phrase or
    song lyric or a sentence you can remember
  • Lets Try It

57
Storing Data Securely
  • Hashing
  • Use for data whose value only needs to be
    compared, never read back
  • e.g. passwords
  • Add a per-user random salt so that identical
    passwords do not produce identical hashes and
    precomputed (rainbow-table) lookups are defeated
  • Use a slow, iterated hash so that guessing is
    expensive
  • Encryption
  • Use for data whose actual value needs to be used
    again
  • e.g. social security numbers, credit card
    numbers, etc.
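The hashing half of the slide above, in runnable form. This is an added example, not from the slides: it stores passwords as salted, iterated PBKDF2-HMAC-SHA256 records using only the standard library, checks a candidate in constant time, and shows beside it why a bare unsalted digest is not good enough (two users with the same password get the same hash). The iteration count, record format and the two constructed users are assumptions; the encryption half of the slide (card numbers, SSNs) needs AES from a crypto library and is not shown here.

```python
# Added example: salted, iterated password hashing versus a bare digest.
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000  # slows brute force; tune so one check costs ~100 ms on the target
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """What NOT to do: a bare digest is reversible by lookup table for common passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable string 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password(record: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare without leaking timing."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def demo() -> Dict[str, bool]:
    """Two constructed users who happened to choose the same password."""
    pw = "Winter2005!"
    alice, bob = make_record(pw), make_record(pw)
    return {
        "unsalted_identical": unsalted_hash(pw) == unsalted_hash(pw),  # leaks 'same password'
        "salted_identical": alice == bob,                               # False: salts differ
        "alice_ok": check_password(alice, pw),
        "bob_ok": check_password(bob, pw),
        "wrong_rejected": check_password(alice, "winter2005!"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

Storing the algorithm and iteration count inside the record is what lets you raise the cost later and re-hash users on their next successful login without a flag day.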

58
Security Issue Inference
  • Even if a user cannot view data with his or her
    security privilege, can they infer information of
    a higher security privilege from the data they
    are given?

59
Inference Example
  • Military Transportation Company
  • The following Cargo table (not reproduced in the
    transcript)

60
Inference Example
  • A private with no security clearance would see
    the following table (not reproduced in the
    transcript)

61
Inference Example
  • Assume there is a unique constraint on (Flight ID,
    Cargo Hold).
  • If the private tried to schedule a shipment for
    Flight 1254 in cargo hold C, the insert would be
    rejected
  • She infers that there is a top-secret shipment in
    cargo hold C
  • She may be able to cross-reference the table with
    another and find more information.

62
What can you do about Inference?
  • Polyinstantiation: include the classification
    column in the unique constraint, so a row at each
    classification level can coexist
  • BUT might end up double booking cargo hold C
  • Leave as-is
  • She would know a shipment was taking place but
    won't have access to the contents

63
HIPAA
64
HIPAA Introduction
  • HIPAA is the acronym for the Health Insurance
    Portability and Accountability Act of 1996.
  • The HIPAA Privacy Regulations became effective on
    April 14, 2003.
  • These regulations place limitations upon the use
    of protected health information (PHI).
  • Protected health information is information that
    is individually identifiable and that relates to
    an individual's past, present, or future medical
    condition or treatment.

65
HIPAA Introduction
  • The Privacy Regulations also create or formalize
    several rights patients or enrollees in a health
    plan have regarding their health information.
  • Finally, the regulations establish an individual,
    called a Privacy Officer or Privacy Official, to
    whom patients or enrollees may address their
    questions, complaints, or requests.

66
HIPAA and Databases
  • These regulations apply to health data however it
    is held, including electronic data in databases
  • There are two specific regulations database
    professionals must adhere to
  • HIPAA Privacy Rule
  • HIPAA Security Rule

67
HIPAA Privacy Rule
  • The Privacy Rule protects (PHI) maintained by the
    Covered Entity. It is not specific to electronic
    information and applies equally to written
    records, telephone conversations, etc. According
    to the Department of Health and Human Services,
    PHI includes data that relates to
  • the individuals past, present or future physical
    or mental health or condition or
  • the provision of health care to the individual or
  • the past, present, or future payment for the
    provision of health care to the individual

68
HIPAA Security Rule
  • The Security Rule covers the security of
    electronic protected health information (ePHI).
    It prescribes a number of required policies,
    procedures and reporting mechanisms that must be
    in place for all information systems that process
    ePHI.

69
HIPAA Security Rule
  • It also prescribes a number of required and
    addressable implementation specifications
    designed to protect the confidentiality,
    integrity and availability of ePHI within the
    enterprise. These specifications fall into five
    categories
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies and Procedures

70
HIPAA and DATABASES
  • All existing databases that contain PHI used for
    research purposes should be registered by the
    database custodian.
  • Databases created after April 14, 2003 should be
    registered before research use begins.
  • Databases used for a single study do not need to
    be registered
  • Database decision tool
  • Database registration form

71
HIPAA Forms
  • http://www.wisc.edu/hipaa/ResearchGuide/forms.html
  • Requirements

72
HIPAA Compliance Example
  • PMA
  • Each database can have a unique set of user names
    and passwords, up to 30 each.
  • The Patient Notes for each patient on each
    database can have a unique password.
  • Installing or updating database
  • Automatic shutdown of system
  • Activity log of users

73
Creating a Security Policy
  • Have a structured security hierarchy
  • Who ensures system administrators are following
    security guidelines?
  • How does an organization ensure all system
    administrators are applying the latest patches?
  • What organization ensures that the latest patches
    have been tested to ensure they do not cause
    additional system faults?
  • Who performs security audits on the corporation
    as a whole?

74
Creating a Security Policy: Database
Vulnerabilities
  • Server Security
  • Limit access to the database server itself
  • You can't access what you can't see
  • Trusted IP addresses
  • Database Connections
  • Don't allow immediate unauthenticated updates
  • Validate user input before it is placed in SQL
    (prevents SQL injection)
  • Every connection has its own user
  • Table Access Control

75
Creating a Security Policy: Restricting Database
Access
  • Typically, a hacker will first
  • Port scan
  • Ping the system

76
Creating a Security Policy: Restricting Database
Access
  • Disable ICMP echo replies
  • Prevent a ping from being answered
  • Trusted IP addresses
  • Server should only respond to connections (and
    pings) from trusted IPs
  • Server account disabling
  • Disable the user ID after X failed password
    attempts
  • Special tools
  • Database-specific tools
  • OS-specific tools
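Two of the controls on the slide above, the trusted-address list and account disabling after X failures, as a small working authenticator. This is an added example, not from the slides: the networks, the user store, the threshold and the attempt sequence are constructed for the demo, and the plain-text password store exists only to keep the lock-out logic visible (a real store holds salted hashes).

```python
# Added example: trusted-IP allow list and lock-out after X failed passwords.
import ipaddress
from typing import Dict, Iterable, List, Set

MAX_FAILURES = 5  # the slide's "X"; assumed value


class TrustedAddresses:
    """Only connections from these networks ever reach the authenticator."""

    def __init__(self, networks: Iterable[str]):
        self.nets = [ipaddress.ip_network(n, strict=False) for n in networks]

    def allows(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.nets)


class Authenticator:
    """Password check with per-account failure counting over a constructed user store."""

    def __init__(self, users: Dict[str, str], trusted: TrustedAddresses):
        self.users = dict(users)
        self.trusted = trusted
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def login(self, src: str, user: str, password: str) -> str:
        if not self.trusted.allows(src):
            return "dropped"  # no reply at all to untrusted networks: can't attack what you can't see
        if user in self.locked:
            return "locked"   # stays locked even when the password is now right
        if self.users.get(user) == password:  # demo only; real stores compare salted hashes
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            return "locked"
        return "denied"


def simulate() -> List[str]:
    """An Internet source is dropped; an inside host guesses sa's password until lock-out."""
    auth = Authenticator({"sa": "s3cr3t-Admin!"},
                         TrustedAddresses(["10.0.5.0/24", "192.168.1.10"]))
    attempts = [("203.0.113.7", "sa", "")]                                  # untrusted network
    attempts += [("10.0.5.21", "sa", f"guess{i}") for i in range(5)]       # five bad guesses
    attempts += [("10.0.5.21", "sa", "s3cr3t-Admin!")]                      # right password, too late
    return [auth.login(*a) for a in attempts]


if __name__ == "__main__":
    print(simulate())
```

Lock-out is a denial-of-service lever as well as a defence: an attacker who can reach the listener can lock every account he can name, which is one more reason the allow list sits in front of it.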

77
Active Research Areas
  • Secret Sharing Scheme
  • Intrusion Detection
  • Steganographic File System/DBMS
  • Secret-Sharing DBMS
  • Authenticating Query Results in Edge Computing

78
References
  • Database Systems, by Thomas Connolly and Carolyn
    Begg
  • A Database Encryption System with Subkeys, by
    George I. Davida, David L. Wells and John B. Kam
  • http://www.acnc.com/04_00.html
  • http://mathcircle.berkeley.edu/BMC3/rsa/node4.html
  • Internet Security: Firewalls and Beyond, by Rolf
    Oppliger
  • Database Security, by S. Castano, M. Fugini, G.
    Martella, and P. Samarati
  • http://databases.about.com/od/security/a/hipaa.htm
  • http://databases.about.com/od/security/a/aasecuritytest.htm
  • http://databases.about.com/od/security/l/aainsecurity1.htm
  • http://www.governmentsecurity.org/articles/DatabaseSecurityCommon-sensePrinciples.php

79
Questions?