Transcript Chap 6

Chap 6: Database and Data Mining Security
 Integrity for databases: record integrity, data correctness, update integrity
 Security for databases: access control, inference, and aggregation
 Multilevel secure databases: partitioned, cryptographically sealed, and filtered
 Security in data mining applications
SE571 Security in Computing
Dr. Ogara
 Top 10 Database Security Threats (Shulman, CTO, Imperva, Inc.)
• Excessive privilege abuse
• Legitimate privilege abuse
• Privilege elevation
• Database platform vulnerabilities
• SQL injection
• Weak audit trail
• Denial of service (DoS)
• Database communication protocol vulnerabilities
• Weak authentication
• Backup data exposure
 Major Database Security Threats (Sybase Users Group, 2010)
• Human error (56%)
• Malicious insiders abusing privileges (24%)
 Database auditing and real-time protection report (Forrester Report, 2007)
• DBAs spend approx. 5% of their time on database security
• 80% of organizations do not have a database security plan that addresses critical threats
• 20% of enterprises employ advanced security measures
• Environmental complexity – cloud computing, grids, SOA, etc.
• 60% of enterprises are behind in database security patches, making databases highly vulnerable
• 75% of attacks are internal, and often difficult to detect
 Top Security Tips to Ensure Database Security (Application Security, Inc., 2007)
• Devise a database security plan
• Fix default, blank, and weak passwords
• Regularly patch databases
• Minimize the attack surface
• Review user privileges
• Locate sensitive information
• Encrypt sensitive data at rest and in motion
• Train and enforce corporate best practices
 Database
• Collection of data and a set of rules that organize the data by specifying certain relationships among the data
 Database administrator
• Person who defines the rules that organize the data
• Controls access to data
 Database Management System (DBMS)
• Program that allows the user to interact with the database
 Components of a database
• Records
• Fields
• Schema – logical structure of the database
• Queries – commands used in the DBMS to retrieve, modify, add or delete records in a database
 Advantages of a database
• Shared access
• Minimal redundancy
• Data consistency
• Data integrity
• Controlled access
 Security of a database (Requirements)
• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability
 Integrity
• How?
 Field checks – appropriateness of values
 Access control – who has access to what
 Change log – what changes have been made
 Auditability
• Establish an audit record of all access
 Access control
• Establish who has access to which data
• Specify privileges to read, change, delete, or append records or fields
 User authentication
• Supplement OS authentication, e.g. password and time-of-day check
 Database integrity
• Concern – disk failure, corruption of the master database index
• Solution – OS integrity controls and recovery procedures
 Element integrity
• Concern – is data changed or written by authorized users only?
• Solution – access control
 Element accuracy
• Concern – are correct values written into the elements of the database?
• Solution – constraint conditions (field checks) to detect incorrect values
 Inherently sensitive
• Value reveals sensitivity, e.g. location of defensive missiles
 From a sensitive source
• Source may suggest confidentiality, e.g. an informer's identity
 Declared sensitive
• Database admin declares them sensitive
 Part of a sensitive attribute or record
• An attribute may be sensitive, e.g. salary
 In relation to previously disclosed information
• Sensitive in the presence of other data
 Database admin determines who gets access to what
 Access decisions are based on three factors
• Availability of data
 e.g. block access during updates
• Acceptability of access
 Release sensitive info to authorized users only
• Assurance of authenticity
 e.g. allow access only during certain times/working hours
 Exact data
• Most serious disclosure
• User obtains the sensitive value itself
 Bounds
• Disclose that a sensitive value lies between two values, L and H
 Negative result
• Disclosing that a value is not 0, e.g. number of felonies
 Existence
• Knowing that certain data exists
 Probable value
• Being able to determine the probability that a certain element has a certain value
 Ways of deriving sensitive data values from the database
• Direct attack – uses queries that seek the values directly, e.g. List NAME where SEX=M ^ DRUGS=1
• Indirect attack – infers the sensitive value from one or more statistical results (counts, sums, means) that are each releasable on their own
 Suppress obviously sensitive information
• May be used to limit the queries accepted / the data provided
 Track what the user knows
• May be used to limit the queries accepted / the data provided
• Costly: information on what every user already knows must be kept
 Disguise the data
• Applicable to released data only
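The direct attack, the indirect (statistical) attack and the first control above, as an added example that is not part of the original slides. It uses a constructed five-row personnel table (the names, departments and DRUGS values are made up) and a hypothetical statistical interface `stat` that only answers COUNT and SUM queries; with `n_min` set it suppresses any query whose result set, or its complement, is smaller than `n_min` rows. The tracker at the end shows why that query-size control alone is not enough.

```python
import sqlite3

# Constructed sample data for this example (not taken from the slides): a
# small personnel table whose DRUGS column (1 = positive test) is sensitive.
ROWS = [
    # name,    sex, dept,   drugs, salary
    ("Adams", "M", "Art",  0, 50000),
    ("Baker", "F", "Art",  0, 52000),
    ("Chen",  "M", "Math", 1, 61000),
    ("Davis", "F", "Math", 0, 58000),
    ("Evans", "M", "Art",  1, 49000),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff(name TEXT, sex TEXT, dept TEXT, drugs INT, salary INT)")
    con.executemany("INSERT INTO staff VALUES (?, ?, ?, ?, ?)", ROWS)
    return con


def direct_attack(con):
    """Direct attack: ask for the sensitive rows outright; this is the slide's
    'List NAME where SEX=M ^ DRUGS=1' written in SQL."""
    rows = con.execute("SELECT name FROM staff WHERE sex = 'M' AND drugs = 1")
    return [name for (name,) in rows]


def stat(con, agg, sex=None, dept=None, n_min=0):
    """Hypothetical statistical interface: it accepts only COUNT(*) and
    SUM(drugs) over an optional sex/dept filter, never individual rows.
    With n_min > 0 it applies the n-item (query-size) control: a filtered
    query is suppressed (returns None) unless the query and its complement
    each cover at least n_min rows."""
    conds, params = [], []
    if sex is not None:
        conds.append("sex = ?")
        params.append(sex)
    if dept is not None:
        conds.append("dept = ?")
        params.append(dept)
    where = (" WHERE " + " AND ".join(conds)) if conds else ""
    total = con.execute("SELECT COUNT(*) FROM staff").fetchone()[0]
    n = con.execute("SELECT COUNT(*) FROM staff" + where, params).fetchone()[0]
    if conds and (n < n_min or total - n < n_min):
        return None  # suppressed: the result would describe too few people
    agg_sql = {"count": "COUNT(*)", "sum_drugs": "SUM(drugs)"}[agg]  # whitelist
    return con.execute("SELECT " + agg_sql + " FROM staff" + where, params).fetchone()[0]


def indirect_attack(con, n_min=0):
    """Indirect attack: Chen is the only male in Math, so a SUM over that
    filter is Chen's own DRUGS value.  The n-item control (n_min=2) blocks it."""
    return stat(con, "sum_drugs", sex="M", dept="Math", n_min=n_min)


def tracker_attack(con, n_min=2):
    """A tracker gets past the n-item control: both queries below cover at
    least n_min rows, yet their difference is again Chen's value."""
    all_men = stat(con, "sum_drugs", sex="M", n_min=n_min)
    art_men = stat(con, "sum_drugs", sex="M", dept="Art", n_min=n_min)
    if all_men is None or art_men is None:
        return None
    return all_men - art_men


if __name__ == "__main__":
    con = make_db()
    print("direct attack:", direct_attack(con))                 # ['Chen', 'Evans']
    print("indirect, no control:", indirect_attack(con))        # 1
    print("indirect, n_min=2:", indirect_attack(con, n_min=2))  # None (suppressed)
    print("tracker, n_min=2:", tracker_attack(con, n_min=2))    # 1
```

Suppressing small result sets stops the single isolating query but not the tracker, which is why the slide's second and third controls (tracking what a user has already learned, and perturbing or rounding released statistics) exist.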
 The Case for Differentiated Security
• The security of a single element may be
different from the security of other elements of
the same record
• Two levels—sensitive and non-sensitive
• The security of an aggregate—a sum, a count, or
a group of values in a database—may differ from
the security of the individual elements
 Granularity
• How do we associate a sensitivity level with each
value of a database?
 Access control policy - which users have access to
what data?
 Guarantee – an unauthorized person does not change
data
 Must provide both integrity and confidentiality
 Separation can be implemented physically, logically, or cryptographically
 Separation
• Partitioning – divide the database into separate databases, each with its own level of sensitivity
• Encryption – encrypt the data
• Integrity lock – to limit access
 Entrust the database manager with a trusted procedure
• Sensitivity lock – combination of a unique identifier (e.g. record number) and the sensitivity level
 Integrity lock – each stored item carries three parts
• Actual data
• Sensitivity level – sensitivity of the data
• Error-detecting code – a checksum over the data and its sensitivity level
 Trusted front end
• Serves as a one-way filter – removes results the user is not entitled to see
 Cumulative filters
• Filter reformats the query so the database manager can screen out unacceptable records
• Provides a second screening to select only the data the user has access to
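The integrity lock (sensitivity lock plus checksum) and the trusted front end's retrieval check, as an added example in Python; it is not code from the original slides. The key, record identifiers, field names and values are all made up for the example. A plain checksum can be recomputed by whoever alters the item, so the lock here is a keyed HMAC held by the trusted front end, and it binds the record identifier and the sensitivity label as well as the value.

```python
import hashlib
import hmac
import json

# Hypothetical key, known only to the trusted front end / database manager.
# Any process that can read the key can forge locks, so in practice it lives
# in the trusted component, not in the untrusted DBMS.
KEY = b"trusted-front-end-example-key"

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


def make_lock(key, record_id, field, level, value):
    """The 'spray paint': a keyed checksum over the record identifier, the
    field name, the sensitivity level and the value.  Binding the identifier
    stops a lock from being copied onto another record; binding the level
    stops the label from being downgraded.  A plain CRC would not do: an
    attacker could recompute it after tampering."""
    msg = json.dumps([record_id, field, level, value], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(key, record_id, field, level, value):
    """Build the stored item: data, sensitivity label and lock."""
    return {"id": record_id, "field": field, "level": level, "value": value,
            "lock": make_lock(key, record_id, field, level, value)}


def verify(key, item):
    expected = make_lock(key, item["id"], item["field"], item["level"], item["value"])
    return hmac.compare_digest(expected, item["lock"])


def read(key, item, clearance):
    """Trusted front end on the retrieval path: first check the lock, then
    apply the sensitivity check.  Returns None when the item is filtered out."""
    if not verify(key, item):
        raise ValueError("integrity lock mismatch: item %r was altered" % item["id"])
    if LEVELS[item["level"]] > LEVELS[clearance]:
        return None
    return item["value"]


def downgrade_attack(key, item):
    """Attacker with write access to the untrusted store relabels a secret
    item as unclassified, hoping the front end will release it.  Returns
    True only if the forged item passes verification."""
    forged = dict(item, level="unclassified")
    return verify(key, forged)


def lock_transplant_attack(key, victim, donor):
    """Attacker copies the label and lock of an unclassified item holding the
    same value onto the secret item.  Fails because the record id is bound."""
    forged = dict(victim, level=donor["level"], lock=donor["lock"])
    return verify(key, forged)


if __name__ == "__main__":
    secret = seal(KEY, 17, "salary", "secret", 61000)
    public = seal(KEY, 18, "salary", "unclassified", 61000)
    print(read(KEY, secret, "secret"))                  # 61000
    print(read(KEY, secret, "unclassified"))            # None (filtered)
    print(downgrade_attack(KEY, secret))                # False
    print(lock_transplant_attack(KEY, secret, public))  # False
```

The lock protects integrity of the label and value, not confidentiality: the value is still stored in the clear, which is why the slides list encryption as a separate separation mechanism.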
 Distributed databases
• Trusted front end controls access to all low-sensitivity data and all high-sensitivity data
• If the user is cleared for high-sensitivity data, the front end submits queries to both the high- and low-sensitivity databases
• If the user is not cleared for high-sensitivity data, the front end submits a query only to the low-sensitivity database
 Window/view
• DBMS creates a picture of the data reflecting only what the user needs to see; different users get different views
• A window is a subset of a database, containing exactly the information that a user is entitled to access
• The subset guarantees that the user does not access values outside the permitted ones
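The partitioned (distributed) database with a trusted front end, and a view as the window an uncleared user sees, as an added example that is not from the original slides. The two partitions are constructed in-memory SQLite databases, `TrustedFrontEnd` is a hypothetical component written for this example, and the names and values in the tables are made up. Only the front end holds a connection to the high partition; the low partition is reached through a view that leaves out the internal-extension column altogether, so that column cannot be named in any query.

```python
import sqlite3

# Constructed sample data (not from the slides).  Two physical partitions:
# the low partition holds the non-sensitive fields, the high partition holds
# the sensitive fields for the same people.
LOW_ROWS = [("Adams", "Art", "x4401"), ("Chen", "Math", "x4402")]
HIGH_ROWS = [("Adams", 50000, 0), ("Chen", 61000, 1)]
CLEARANCE = {"low": 0, "high": 1}


def make_partitions():
    low = sqlite3.connect(":memory:")
    low.execute("CREATE TABLE staff(name TEXT PRIMARY KEY, dept TEXT, extension TEXT)")
    low.executemany("INSERT INTO staff VALUES (?, ?, ?)", LOW_ROWS)
    # The window/view: the only object an uncleared user may query.  It omits
    # the extension column, so that value can never be selected through it.
    low.execute("CREATE VIEW staff_directory AS SELECT name, dept FROM staff")
    high = sqlite3.connect(":memory:")
    high.execute("CREATE TABLE staff_secret(name TEXT PRIMARY KEY, salary INT, drugs INT)")
    high.executemany("INSERT INTO staff_secret VALUES (?, ?, ?)", HIGH_ROWS)
    return low, high


class TrustedFrontEnd:
    """Hypothetical trusted front end: the one component holding connections
    to both partitions.  It decides from the user's clearance which partitions
    a request may reach and merges the answers."""

    def __init__(self, low, high):
        self.low = low
        self.high = high

    def lookup(self, clearance, name):
        # Every user's query goes to the low partition, through the view.
        row = self.low.execute(
            "SELECT name, dept FROM staff_directory WHERE name = ?", (name,)).fetchone()
        if row is None:
            return None
        result = {"name": row[0], "dept": row[1]}
        # Only a cleared user's query is also submitted to the high partition.
        if CLEARANCE[clearance] >= CLEARANCE["high"]:
            sec = self.high.execute(
                "SELECT salary, drugs FROM staff_secret WHERE name = ?", (name,)).fetchone()
            if sec is not None:
                result["salary"], result["drugs"] = sec
        return result


def view_hides_column(con, column):
    """True if the view rejects a query naming `column` (the column is not
    part of the window at all, so no predicate or projection can reach it)."""
    try:
        con.execute("SELECT " + column + " FROM staff_directory")
        return False
    except sqlite3.OperationalError:  # sqlite: "no such column"
        return True


if __name__ == "__main__":
    low, high = make_partitions()
    fe = TrustedFrontEnd(low, high)
    print(fe.lookup("low", "Chen"))               # {'name': 'Chen', 'dept': 'Math'}
    print(fe.lookup("high", "Chen"))              # adds 'salary': 61000, 'drugs': 1
    print(view_hides_column(low, "extension"))    # True
```

Routing by clearance and restricting the low partition to a view are independent controls: the first keeps high-sensitivity data off the path for uncleared users entirely, the second narrows what even a low-partition query can ask for.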
 Data mining uses statistics, machine learning, mathematical models, pattern recognition, and other techniques to discover patterns and relations in large datasets
 Confidentiality/Privacy and Sensitivity
• Difficult to maintain
• Inference across multiple databases is a threat to confidentiality
 Data Correctness and Integrity
• Data owned and controlled by one party
• Mining of different databases from different users
• Correcting mistakes in data – have the data in one place
• Using comparable data
• Eliminating false matches
 Availability of Data
• Missing data may lead to incorrect data mining results