Abstract
The privacy and confidentiality of information is a crucial factor for any organization dealing with large volumes of information. At the same time, developments in technology, the rise in cybercrime, and the web-security issues common to almost every online platform make database security a pressing concern for organizations that handle data. Currently, a DBMS is one of the best tools for ensuring the safety of data, and this paper reviews its use in database security. It gives an outline of how a company can use it, with a focus on its strengths and weaknesses, while also highlighting the role of the information manager in its implementation.
Database Security Features
Also referred to simply as ‘the database,’ a DBMS (Database Management System) is a computer application (software) that interacts with other applications in the network, the database, and the user to collect and analyze large volumes of data. A general-purpose DBMS allows the creation, definition, administration, update, and querying of the database. Examples of Database Management Systems include Microsoft SQL Server, MySQL, Sybase, SAP HANA, IBM DB2, and Oracle. In general, no database is portable across all types of Database Management Systems, but several DBMSs can use Open Database Connectivity, Structured Query Language, or Java Database Connectivity to interoperate and enable one application to work with different Database Management Systems. The standard classification of a DBMS is by the database model it supports. A significant percentage of systems support the Relational Model, which Structured Query Language represents.
Commercial off-the-Shelf: Database Security Features
Widely referred to as COTS, commercial off-the-shelf describes the purchase of standard manufactured goods rather than bespoke (customized) ones. COTS applications are ubiquitous in any company that uses them, meaning that only a comprehensive strategy will help the organization use them in the best way. For that reason, looking at a single COTS product adds little to the overall understanding of how to use COTS software. Improved security risk management requires comprehensive maintenance of the software, which contrasts with the use of in-house developed code. The following are the database security features offered by COTS.
One of the essential features of commercial off-the-shelf software is the Enterprise Resource Planning system. Just as the name reveals, it allows the organization to make initial plans on how to curb the security risks that might leave company data open to attack. With thorough preparations in place, fraudsters and other sources of security breaches will not find a chance to invade the data, especially if the organization stores and manages large volumes of it.
Another feature of COTS that makes it suitable for database security is the unification of its components. Commercial off-the-shelf systems connect with other custom components and other COTS products, in special cases and through process implementation. Evaluating these connections is crucial to learning how the shortfalls of one feature can impact the other elements, and how changes in one component can close or expose loopholes in others.
In most cases, the point of attack on any software, including commercial off-the-shelf systems, is the input process. For that reason, the interfaces between different features become natural entry points for malicious code that disables executable files, corrupts data, or alters the functionality of particular programs in the system.
Another significant feature is access control. In general, COTS systems control access in an appropriate way, and that enables them to resist security attacks of almost any kind. Access control means that COTS systems come with electronic systems for both firewalling and authentication. For example, the organization can use biometric means and tokens where appropriate to ensure that only ‘authorized’ parties access the data-storage departments. In addition, access control also encompasses human systems linked to appropriate divisions of authority and access, clearly delineated procedures and policies, and training. It also extends to regular reinforcement, audit, and monitoring.
Any significant COTS program package has at least one internet platform behind it. For that reason, the company finds it easy to seek help with design, usability, access, and installation. Most importantly, the online forums add to the security of the software, since the organization can seek additional help on ways of boosting database security when using any commercial off-the-shelf system.
Access control also binds the other features of a commercial off-the-shelf Database Management System together. For example, planning how to use the software will also involve planning how to control access to it, and ensuring that the other components of the system act together in controlling that access. The software will then recognize only authorized personnel and raise alarms if any attack on the database occurs. With access control, the company can monitor the uses of the COTS systems, ensuring that things work in line with the plans while also detecting any problem.
Database Management System
Selecting the best DBMS is a tall order, but a possible one. What makes it daunting is the fact that one has to consider several factors before settling on one of these must-have tools for any company that aims at expanding its ventures. Therefore, I would face the same difficulty if I were to advise the purchasing manager in my organization on one Database Management System. If my corporation is a large one and plans to run the DBMS on its mainframe, IBM DB2 is the best choice. While the organization can consider operating other Database Management Systems on a Linux partition, IBM should come first because it is the market leader there. For Linux and UNIX installations, I would advise the manager to go for either DB2 or Oracle. The latter is the ultimate fit for those platforms, but IBM also has a robust presence there. For Windows development, any of these three tools is a viable option that I would recommend my manager consider. However, it is a no-brainer to settle for Microsoft because it is the exceptional leader on its own operating system.
Since my manager needs the "most" security-rich DBMS available on the market that fits my organization's specific database security needs, I would advise him or her to select the DBMS that does exactly that. My choice is Oracle. For starters, it is the overall market-share leader, and one of the factors that make it top-notch is its ability to provide security for data. The emergence of a new version of the software (Oracle Database 12c) contributes to the widespread adoption of its Database Management System as well as to improved security capabilities. Another quality that contributes to my preference for Oracle is its support for a variety of operating systems. For example, it can run on several versions of UNIX, Windows, and Linux.
Given its extensive platform support and installed base, the availability of professional Oracle Database developers and technicians will not become a worry should my manager need any assistance after installing Oracle. For that reason, even if a fraudster tried to hack into the company’s system, a technician would help fix the problem. Moreover, there are many tools for Oracle database administration, application development, data management, and information movement. For that reason, my organization will find it easy to replace less capable tools with better ones. The same applies to the security tools of the Oracle Database Management System: should any of them fail or become prone to attack, my company will find a suitable replacement. Since my business aims at finding a market leader with excellent tooling and skills, Oracle is the perfect choice for the RDBMS needs of my company.
Regarding its performance, Oracle leads or is at par with the competition on almost all advanced and new features, such as support for JavaScript Object Notation, multi-tenancy, and temporal capabilities. With its new Database In-Memory option, Oracle can use columnar in-memory technology to help my organization improve the performance of its business analytics with ease and transparency.
Web-Security Issues
For many organizations, web security only becomes a concern when their information system becomes the subject of a breach. Many programmers and developers alike find the IT industry a complex world in which expertise alone does not suffice. A comprehensive approach to IT security must be defensive and proactive. The increase in cybercrime means that developers of enterprise web applications should be cognizant of certain web-security issues when creating programs for database security. The following are some of the factors that designers must consider when designing a DBMS.
Injection Flaws
These shortfalls emanate from the failure to filter untrusted input. They occur when one passes unfiltered data to the SQL server (SQL injection), to the browser (XSS), to the LDAP server (LDAP injection), or to any other output system. The issue is that the invader can direct commands to any of these entities, leading to loss of data as well as hijacking of the client’s browser.
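The SQL injection case above, shown as an added example that is not part of the paper: the same lookup written once by splicing untrusted input into the statement and once with a bound parameter, run against a constructed SQLite table so the difference in returned rows is visible.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (not from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2"), ("carol", "s3")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Unfiltered input is spliced into the statement text, so the input is parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the value travels separately from the statement and is never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> dict:
    conn = build_db()
    hostile = "x' OR '1'='1"  # textbook probe input, constructed for the demonstration
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),        # every row comes back
        "parameterized": lookup_parameterized(conn, hostile),  # no user literally has that name
        "normal": lookup_parameterized(conn, "bob"),
    }
```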
Broken Authentication
When authentication breaks, it comes with many problems. Since they do not emanate from the same source, they do not have a single mitigation measure. For example, if anyone wants to roll his or her own authentication code, he or she is likely to get it wrong and invite any of the following problems. For starters, the URL may contain the session id and leak it through the Referer header to another party. Passwords might be left unencrypted both in storage and in transit. In some cases, session ids might be easy to predict, making access trivial. At the same time, session fixation might also occur, which leaves the session open to hijacking, as might wrong implementation of timeouts or lack of SSL.
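An added illustration, not from the paper, of the countermeasures the problems above imply: unpredictable session ids, id rotation at login against fixation, a server-side idle timeout, salted password hashing, and a cookie that keeps the id out of the URL. The timeout value and the store layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

SESSION_IDLE_SECONDS = 900  # assumed idle timeout for the demonstration
PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> bytes:
    # Store only a salted PBKDF2 hash, never the clear-text password.
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def set_cookie_header(sid: str) -> str:
    # The id rides in a cookie, never in the URL, so it cannot leak through the Referer header;
    # Secure keeps it off plain HTTP and HttpOnly keeps it away from page scripts.
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


class SessionStore:
    """Server-side session table: id -> {"user": ..., "last_seen": ...}."""

    def __init__(self, clock=time.time):
        self.sessions = {}
        self.clock = clock  # injectable clock so timeouts can be tested

    def new_session(self) -> str:
        # 32 bytes from the OS CSPRNG: ids cannot be predicted from earlier ones.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, sid: str, user: str, password: str, stored: bytes) -> Optional[str]:
        if sid not in self.sessions or not verify_password(password, stored):
            return None
        # Rotate the id when privilege changes: an id planted beforehand (session fixation)
        # is discarded instead of being promoted to a logged-in session.
        del self.sessions[sid]
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def current_user(self, sid: str) -> Optional[str]:
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > SESSION_IDLE_SECONDS:
            del self.sessions[sid]  # idle timeout enforced on the server, not left to the client
            return None
        entry["last_seen"] = self.clock()
        return entry["user"]
```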
XSS (Cross Site Scripting)
Cross Site Scripting is one of the biggest failures of input sanitization (a special case of Injection Flaws). Here, the attacker gives the web application a JavaScript tag as input. The user’s browser then executes that input if the application returns it to the user unfiltered. Sometimes XSS is as simple as persuading a user to click a crafted link, but it can also turn out to be more sinister. For example, the script can run as the page loads and the browser can post the user’s cookies to the attacker.
Security Misconfiguration
Usually, web applications and servers with misconfigurations outnumber those with proper configuration. The following are some examples of misconfigured websites: running an application in production with debugging enabled, and having too many unnecessary services running on the machine. Other common cases of misconfiguration include using outdated software such as old phpMyAdmin and WordPress plugins, and running a server with directory listing enabled, which leaks confidential information. Failing to change default passwords and keys is another example of security misconfiguration. Many people fail to change their passwords, and that leaves their ‘accounts’ open to hacking. The same issue applies to default keys. Revealing error-handling information to the attacker is also a dangerous move.
Facilitating a Secure Web-based Application
According to this paper, the leading Database Management System is Oracle. One of its features that facilitates the development of a secure web-based application is Exadata, Oracle’s database appliance. This component combines hardware and software to provide a high-availability and high-performance platform for operating the Oracle Database. Its scale-out, state-of-the-art architecture with intelligent storage and industry-standard servers protects it against many breach attempts. For example, it has flash technology and InfiniBand (a high-speed internal fabric). With its flexible configurations, it tailors systems to specific database workloads rather than a one-size-fits-all setup. Examples include OLTP (Online Transaction Processing), mixed workloads, in-memory analytics, and data warehousing. The ultimate factor that makes Oracle suitable for the development of secure web-based applications is that it has all the components needed to run a Database Management System.
Security Guidelines
If I were the team manager, I would advise the members to consider the following security guidelines when developing a web-based application. For starters, I would direct them to design an application that filters all input data, especially data from untrusted sources. The best way to go about it is to add a ‘whitelist’ to it. The application only becomes secure if it can filter all the input. For example, a system that successfully filters 9,999 out of the 10,000 inputs it receives is not secure, as the remaining one can cause a breakdown of the entire system.
For the application to avoid cases of broken authentication, it must have a framework. For that reason, I would urge them to design one for the safety of the system. Another step to consider is to develop an application that blocks the rendering of HTML tags found in user input. For example, they should build it so that it converts special characters to HTML entities.
I would also advise the team to develop applications that authorize users properly and consistently, and whitelist their choices. In addition, they should have internal data stores to stop users from relying on the CGI parameters that pass information to the client. Therefore, they should also have session variables in their frameworks to assist users through this process.
Another security guideline that I would give my team when developing a secure web-based application is to incorporate an automated “build and implement” process so that tests of the system run before any change is applied.
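An added example, not from the paper, of the first guideline (whitelist filtering of input, all-or-nothing) together with the HTML-entity conversion advised above and under XSS. The field patterns are constructed assumptions; a real form would carry its own rules.

```python
import html
import re

# Allow-list: each field has one pattern describing the only acceptable shape of its value.
FIELD_RULES = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "quantity": re.compile(r"[1-9][0-9]{0,4}"),
    "country": re.compile(r"[A-Z]{2}"),
}


def validate(field: str, value: str) -> str:
    rule = FIELD_RULES.get(field)
    if rule is None:
        # A field with no rule is rejected: unknown input is untrusted, not passed through.
        raise ValueError(f"no whitelist rule for field {field!r}")
    if rule.fullmatch(value) is None:
        raise ValueError(f"{field} rejected: {value!r}")
    return value


def validate_form(form: dict) -> dict:
    # All-or-nothing: one bad field rejects the whole request (the 9,999-of-10,000 point).
    return {name: validate(name, value) for name, value in form.items()}


def is_valid_form(form: dict) -> bool:
    try:
        validate_form(form)
        return True
    except ValueError:
        return False


def render_comment(text: str) -> str:
    # Output encoding for free text that cannot be whitelisted: every HTML-significant
    # character becomes an entity, so tags in the input are displayed as text, not executed.
    return f"<p>{html.escape(text, quote=True)}</p>"
```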
Database Forensic and Auditing
The prerequisite of database forensics is database auditing. In a forensic investigation, specialists in this field use log files of various types and purposes to correlate the related evidence. Currently, courts and legal practitioners use a new framework that explores auditing features as well as DBMS-oriented, built-in utilities to lessen the workload of conducting database forensics.
Usually, courts of law only recognize the admissibility of evidence if it is forensically sound. While the database is a crucial element of database forensics, it is the computer file system that occupies the largest share of the field. From a general perspective, database forensics is a constituent of digital forensics, except that it has less literature, fewer tools, and less focus. One factor that contributes to its lack of intensive research is its inherent dynamism, which is a key feature of the dimensional outlook of databases from a forensic perspective. For that reason, vendors are likely to find it challenging to build automated forensic tools that also apply across different Database Management Systems.
One of the recent cases of database forensics is the January 2012 incident, in which a report claimed that over 10 million MasterCard and VISA cards were subjects of theft. As a result, several banks traced all the financial transactions of the compromised cards in search of common purchases. This incident highlighted the importance of databases in forensics. In fact, forensic experts believe that databases outperform files in many ways in this field.
While files support the metadata that links different sets of databases, the functions executed by the database combine both the raw information (data) and the metadata. Therefore, manipulating the metadata causes several changes to it even though the data remains unchanged. In addition, database systems make duplicates of confidential data, which may become available in audit logs, table storage, the data dictionary, and materialized views, all of which fall under forensics. Consequently, the use of databases allows investigators to carve out some data even when some of it has been deleted.
As the Senior Database Auditor, I would urge the Information Security Manager to consider the following software and tools for improving database auditing and forensics. The LogMiner utility is one of the tools that I would suggest. It is an Oracle utility that queries the archived or online redo log files through a Structured Query Language interface, driven by the DBMS_LOGMNR package. With the help of LogMiner, the company can prepare its audit plans in advance before executing them.
Another tool that I would suggest to the Information Security Manager is the mysqlbinlog utility. With it, the Manager can use the MySQL binary log to view changes in the database, such as the creation and alteration of tables. In addition, I would suggest that the manager use the MySQL .frm files, which hold the definition and format of the tables created with MySQL. Usually, the .frm files are kept in a secure location before the system uses them to create a clean baseline of a database, which helps in discovering any tampering with the data.
Another tool that can assist the company in database forensics and auditing is Oracle data blocks. They are small units of data in a database that Oracle uses to store the contents of the database’s data files. Data blocks also contain information from tables, including updated or deleted data that forensic experts find convenient to use. For example, the company can use the blocks to create a table of usernames and their corresponding passwords for authentication purposes. In this case, the data blocks will also trace any alteration to the data, in the same way as the log files. If the attacker erases some log entries, the data blocks will retain traces showing the tampering.
The SQLite Database Browser can also help the Manager meet the database forensics and auditing needs of the company. Unlike the other tools, it suits mobile databases, such as those of web browsers and Android. If an attacker tampers with the data store, the SQLite Database Browser scans and rebuilds it. This software has no forensic-specific configuration and cannot recover a deleted database. Usually, experts have to use the Cellebrite UFED kit, a mobile-device forensic tool, to recover lost data, as it can carve deleted data. After that, the Manager can use the SQLite Database Browser to view its contents.
Data Recovery
The process of recovering data in a DBMS is a procedural activity that involves many factors. An example is crash recovery, which uses a set of techniques and algorithms to recover lost data. During the recovery process, the DBMS checks all past transactions to ensure their atomicity, and checks whether each was completed or must be rolled back. In the case of log-based recovery, a stable storage medium keeps the log file, and the DBMS writes a log record when any transaction enters the system and begins execution.
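The log-based recovery described above, worked as an added example that is not the paper’s own code: a minimal undo/redo pass over a constructed write-ahead log in which one transaction committed without its write reaching disk and another reached disk without committing.

```python
from typing import Dict, List, Tuple

# Log records, written to stable storage before the data page is touched (write-ahead):
#   ("BEGIN", tid)   ("UPDATE", tid, key, before_image, after_image)   ("COMMIT", tid)
LogRecord = Tuple
State = Dict[str, int]


def recover(disk: State, log: List[LogRecord]) -> State:
    """Undo/redo crash recovery: rebuild a consistent state from disk contents plus the log."""
    # Pass 1, analysis: only transactions whose COMMIT record reached the log are winners.
    started = {rec[1] for rec in log if rec[0] == "BEGIN"}
    committed = {rec[1] for rec in log if rec[0] == "COMMIT"}
    losers = started - committed
    state = dict(disk)
    # Pass 2, redo (forward): replay every write of a committed transaction, so a commit
    # acknowledged before the crash survives even if its page never reached disk.
    for rec in log:
        if rec[0] == "UPDATE" and rec[1] in committed:
            _, _, key, _before, after = rec
            state[key] = after
    # Pass 3, undo (backward): restore the before-images of every loser transaction, newest
    # write first, so a partially written transaction leaves no trace (atomicity).
    for rec in reversed(log):
        if rec[0] == "UPDATE" and rec[1] in losers:
            _, _, key, before, _after = rec
            state[key] = before
    return state


# Constructed scenario. T1 committed, but its new value for B was still in the buffer cache;
# T2 wrote A twice, the second value reached disk, and the system crashed before T2's COMMIT.
SAMPLE_DISK: State = {"A": 999, "B": 50}
SAMPLE_LOG: List[LogRecord] = [
    ("BEGIN", "T1"),
    ("UPDATE", "T1", "B", 50, 60),
    ("BEGIN", "T2"),
    ("UPDATE", "T2", "A", 100, 200),
    ("COMMIT", "T1"),
    ("UPDATE", "T2", "A", 200, 999),
    # crash here: no COMMIT record for T2
]


def sample_crash() -> State:
    return recover(SAMPLE_DISK, SAMPLE_LOG)
```

Running recovery a second time over its own output gives the same state, which is what makes it safe to restart after a crash during recovery itself.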
Big Data
Despite its pros, Big Data also comes with the following security risks. A significant percentage of its computations have only a single level of protection, which makes it prone to several sources of attack. In addition, Big Data cannot meet the demands of non-relational databases as they evolve over time, and it fails to provide the extra security measures that automated transfer of data requires.
As the Chief Data Officer, I would highlight these pitfalls to advise my company against deploying Big Data. Instead, I would propose the adoption of Oracle, which handles all these security hitches. If the enterprise staff do not understand how to operate the software, I will organize a training session so that they learn how to interact with it. In this case, the best approach is one that involves a practical demonstration of how the Oracle DBMS works.