How does privacy differ from security?
Privacy involves the ability of individuals to control the terms under which their sensitive data (personal information) is acquired and used.
In contrast:
Security is a required building block for privacy, and includes:
• Preventing storage of sensitive data
• Ensuring appropriate/authorized use of sensitive data
What are the forms of sensitive data?
Why is there typically a trade-off between accessibility and security?
Ensuring data is kept safe from corruption and that access is suitably controlled can mean reduced accessibility (and the inverse).
Threats to database security include the loss of:
(Acronym to remember: CIA)
Confidentiality
– Unauthorized disclosure of confidential information
Integrity
– Improper modification of information
Availability
– Legitimate user cannot access data objects
Database control measures include:
(acronym to remember: AIFE)
Access control
– Handled by creating user accounts and passwords
Inference control
– Must ensure information about individuals cannot be accessed
Flow control
– Prevents information from flowing to unauthorized users
Encryption of Data
– Used to protect sensitive transmitted data
The 3 Access control measures include:
Discretionary Access Control
– Used to grant privileges to users
Mandatory Access Control
– Classify data and users into various security classes
– Implement security policy
Role-based Access Control
What is the most common threat to a database system? Describe it.
SQL injection, where:
An attacker injects a string input through the (often web) application, which changes or manipulates the SQL statement to the attacker’s advantage
Threats to database security include:
The 3 main SQL injection methods include:
SQL manipulation
– Changes an SQL command in the application
– Example: adding conditions to the WHERE clause
– Typical manipulation attack occurs during database login
Code injection
– Add additional SQL statements or commands that are then processed
Function call injection
– Database or operating system function call inserted into vulnerable SQL statement to manipulate data or make a privileged system call
Risks Associated with SQL Injection are:
Three Protection Techniques for SQL injection are:
Bind variables (using parameterized statements)
– Protects against injection attacks
– Improves performance
Filtering input (input validation)
– Remove escape characters from input strings
– Escape characters can be used to inject manipulation attacks
Function security
– Standard and custom functions should be restricted