Transcript Chap 6
Chap 6: Database and Data Mining Security
Integrity for databases: record integrity, data correctness, update integrity
Security for databases: access control, inference, and aggregation
Multilevel secure databases: partitioned, cryptographically sealed, and filtered
Security in data mining applications
SE571 Security in Computing
Dr. Ogara
2
Top 10 Database Security Threats (Shulman, CTO Imperva, Inc)
• Excessive privilege abuse
• Legitimate privilege abuse
• Privilege elevation
• Database platform vulnerabilities
• SQL injection
• Weak audit trail
• Denial of service (DoS)
• Database communication protocol vulnerabilities
• Weak authentication
• Backup data exposure
Major Database Security Threats (Sybase Users Group, 2010)
• Human error (56%)
• Malicious insiders abusing privileges (24%)
Database auditing and real-time protection report (Forrester Report, 2007)
• DBAs spend approx. 5% of their time on database security
• 80% of organizations do not have a database security plan that addresses critical threats
• 20% of enterprises employ advanced security measures
• Environmental complexity – cloud computing, grids, SOA, etc.
• 60% of enterprises are behind in database security patches, leaving databases highly vulnerable
• 75% of attacks are internal and often difficult to detect
Top Security Tips to Ensure Database Security (Application Security, Inc., 2007)
• Devise a database security plan
• Fix default, blank, and weak passwords
• Regularly patch databases
• Minimize the attack surface
• Review user privileges
• Locate sensitive information
• Encrypt sensitive data at rest and in motion
• Train and enforce corporate best practices
Database
• Collection of data and a set of rules that organize the data by specifying certain relationships among the data
Database administrator
• Person who defines the rules that organize the data
• Controls access to the data
Database Management System (DBMS)
• Program that allows users to interact with the database
Components of a database
• Records
• Fields
• Schema – logical structure of the database
• Queries – commands used in the DBMS to retrieve, modify, add or delete records in a database
Advantages of a database
• shared access
• minimal redundancy
• data consistency
• data integrity
• controlled access
Security of a database (requirements)
• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability
Integrity
• How?
  Field checks – appropriateness of values
  Access control – who has access to what
  Change log – what changes have been made
Auditability
• Establish an audit record of all access
Access control
• Establish who has access to which data
• Specify privileges to read, change, delete, or append records or fields
User authentication
• Supplement OS authentication, e.g. password plus a time-of-day check
Database integrity
• Concern – disk failure, corruption of the master database index
• Solution – OS integrity controls and recovery procedures
Element integrity
• Concern – is data changed or written by authorized users only?
• Solution – access control
Element accuracy
• Concern – are correct values written into elements of the database?
• Solution – constraint conditions (field checks) to detect incorrect values
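The field checks and change log mentioned under Integrity, and the constraint conditions for element accuracy, are things the DBMS itself can enforce. The following is an added example (not code from the lecture) that declares CHECK and NOT NULL constraints in SQLite so that inappropriate values are rejected at write time, and an AFTER UPDATE trigger that records every salary change in a change log. The table layout, column names, value ranges and department codes are all constructed for the illustration.

```python
import sqlite3

# Added example; the schema, names and limits below are constructed for
# illustration and are not taken from the lecture.
SCHEMA = """
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT    NOT NULL,
    dept    TEXT    NOT NULL CHECK (dept IN ('HR', 'ENG', 'OPS')),
    salary  INTEGER NOT NULL CHECK (salary BETWEEN 1 AND 1000000)
);
CREATE TABLE change_log (
    log_id      INTEGER PRIMARY KEY,
    emp_id      INTEGER NOT NULL,
    column_name TEXT    NOT NULL,
    old_value   TEXT,
    new_value   TEXT,
    changed_at  TEXT    NOT NULL DEFAULT (datetime('now'))
);
-- The DBMS writes the log entry itself, so an application that can
-- change a salary cannot do so without leaving a record behind.
CREATE TRIGGER log_salary_update AFTER UPDATE OF salary ON employee
BEGIN
    INSERT INTO change_log (emp_id, column_name, old_value, new_value)
    VALUES (OLD.emp_id, 'salary', OLD.salary, NEW.salary);
END;
"""


def open_db():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.executescript(SCHEMA)
    return conn


def insert_employee(conn, name, dept, salary):
    """Return the new emp_id, or None when a field check rejects the row."""
    try:
        cur = conn.execute(
            "INSERT INTO employee (name, dept, salary) VALUES (?, ?, ?)",
            (name, dept, salary),
        )
        return cur.lastrowid
    except sqlite3.IntegrityError:
        return None


def update_salary(conn, emp_id, new_salary):
    """Return True if the update passed the field checks, False otherwise."""
    try:
        cur = conn.execute(
            "UPDATE employee SET salary = ? WHERE emp_id = ?", (new_salary, emp_id)
        )
        return cur.rowcount == 1
    except sqlite3.IntegrityError:
        return False


def change_log(conn):
    """Every recorded change as (emp_id, column, old, new), oldest first."""
    return conn.execute(
        "SELECT emp_id, column_name, old_value, new_value "
        "FROM change_log ORDER BY log_id"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    ann = insert_employee(db, "Ann", "ENG", 50000)
    print("Ann ->", ann)
    print("unknown dept ->", insert_employee(db, "Bob", "XYZ", 50000))
    print("negative salary ->", insert_employee(db, "Cy", "HR", -5))
    print("raise ->", update_salary(db, ann, 60000))
    print("out of range ->", update_salary(db, ann, 10**9))
    print("log ->", change_log(db))
```

The rejected inserts and the out-of-range update never reach the table, and the one successful update leaves exactly one log entry with the old and new value; note that the log stores the values as text because of the column's TEXT affinity.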
Inherently sensitive
• Value reveals sensitivity, e.g. location of defensive missiles
From a sensitive source
• Source may suggest confidentiality, e.g. an informer's identity
Declared sensitive
• Database admin declares them sensitive
Part of a sensitive attribute or record
• An attribute may be sensitive, e.g. salary
In relation to previously disclosed information
• Sensitive in the presence of other data
Database admin determines who gets access to what
Access decisions are based on three factors
• Availability of data
  Block access during updates
• Acceptability of access
  Release sensitive info to authorized users only
• Assurance of authenticity
  Allow access only during certain times/working hours
Exact data
• Most serious disclosure
• User learns the exact sensitive value
Bounds
• Disclosing that a sensitive value lies between two values, L and H
Negative result
• Disclosing that a value is not 0, e.g. the number of felonies
Existence
• Knowing that certain data exists
Probable value
• Possibility of determining the probability that a certain element has a certain value
Ways of deriving sensitive data values from the database
• Direct attack – uses queries to seek values directly, e.g. List NAME where SEX=M ^ DRUGS=1
• Indirect attack – infers the final result from one or more statistical results
Suppress obviously sensitive information
• May be used to limit the queries accepted / the data provided
Track what the user knows
• May be used to limit the queries accepted / the data provided
• Costly: information about all users must be kept
Disguise the data
• Applicable to released data only
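The direct and indirect attacks, and the suppression control, can all be run against one small table. Below is an added example (not code from the lecture) with a constructed student table loosely following the NAME / SEX / DORM / AID / DRUGS layout of the direct-attack query above. `raw_query` is the unrestricted path on which the direct attack works; `stat_query` is a statistical interface that releases only COUNT and SUM and applies query-set-size control, suppressing any result whose query set has fewer than k rows or more than N - k rows. `tracker_attack` then shows why suppression alone is not enough: two individually acceptable sums, one over a set T and one over T minus the target, are subtracted to recover a single student's aid. The threshold k and every row value are assumptions made for the example.

```python
import sqlite3

# Added example. The table and every row are constructed for illustration,
# loosely following the lecture's NAME / SEX / DORM / AID / DRUGS layout.
STUDENTS = [
    ("Adams",   "M", "Holmes", 5000, 1),
    ("Bailey",  "M", "Grey",      0, 0),
    ("Chin",    "F", "West",   3000, 0),
    ("Dewitt",  "M", "Grey",   1000, 1),
    ("Earhart", "F", "Holmes", 2000, 0),   # the only female student in Holmes
    ("Fein",    "F", "West",   1000, 0),
    ("Groff",   "M", "Holmes", 4000, 1),
    ("Hill",    "F", "Grey",   5000, 0),
    ("Koch",    "F", "West",      0, 0),
    ("Liu",     "F", "Grey",      0, 0),
    ("Majors",  "M", "Grey",   2000, 1),
]
COLUMNS = {"name", "sex", "dorm", "aid", "drugs"}
OPERATORS = {"=", "!="}
K = 3  # query-set-size threshold; an assumed value for the example


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students "
                 "(name TEXT, sex TEXT, dorm TEXT, aid INTEGER, drugs INTEGER)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?, ?)", STUDENTS)
    return conn


def raw_query(conn, sql):
    """Unrestricted interface: answers whatever is asked (the direct-attack path)."""
    return conn.execute(sql).fetchall()


def _where(predicates):
    """Parameterised WHERE clause from whitelisted (column, op, value) triples."""
    clauses, params = [], []
    for col, op, val in predicates:
        if col not in COLUMNS or op not in OPERATORS:
            raise ValueError(f"predicate not allowed: {col} {op}")
        clauses.append(f"{col} {op} ?")
        params.append(val)
    return (" WHERE " + " AND ".join(clauses)) if clauses else "", params


def stat_query(conn, agg, predicates, k=K):
    """Statistical interface with query-set-size control.

    Only COUNT(*) and SUM(aid) are released, and the result is suppressed
    (None) when the query set has fewer than k rows or more than N - k rows.
    """
    if agg not in ("COUNT(*)", "SUM(aid)"):
        raise ValueError("only aggregates are released")
    where, params = _where(predicates)
    n_total = conn.execute("SELECT COUNT(*) FROM students").fetchone()[0]
    n = conn.execute("SELECT COUNT(*) FROM students" + where, params).fetchone()[0]
    if n < k or n > n_total - k:
        return None
    return conn.execute(f"SELECT {agg} FROM students" + where, params).fetchone()[0]


def direct_attack(conn):
    """The lecture's direct query: names of male students flagged for drugs."""
    rows = raw_query(conn, "SELECT name FROM students WHERE sex = 'M' AND drugs = 1")
    return [name for (name,) in rows]


def indirect_attack_unprotected(conn):
    """Two statistics on a query set of size 1 disclose one student's exact aid."""
    where = " WHERE sex = 'F' AND dorm = 'Holmes'"
    n = raw_query(conn, "SELECT COUNT(*) FROM students" + where)[0][0]
    total = raw_query(conn, "SELECT SUM(aid) FROM students" + where)[0][0]
    return n, total


def tracker_attack(conn):
    """Defeats size control alone: q(S) = q(T) - q(T minus S), both of legal size."""
    t = [("sex", "=", "F")]
    t_minus_s = [("sex", "=", "F"), ("dorm", "!=", "Holmes")]
    q_t = stat_query(conn, "SUM(aid)", t)
    q_rest = stat_query(conn, "SUM(aid)", t_minus_s)
    if q_t is None or q_rest is None:
        return None
    return q_t - q_rest


if __name__ == "__main__":
    db = make_db()
    print("direct:", direct_attack(db))
    print("indirect, no control:", indirect_attack_unprotected(db))
    print("same query, size control:",
          stat_query(db, "SUM(aid)", [("sex", "=", "F"), ("dorm", "=", "Holmes")]))
    print("tracker through size control:", tracker_attack(db))
```

The suppressed query returns None, yet the tracker recovers the same 2000 from two permitted sums. That is the argument for the second and third controls in the slide: tracking what a user has already learned (so the overlapping sets are refused) or disguising released statistics by rounding or perturbation, at the cost of keeping per-user history.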
The Case for Differentiated Security
• The security of a single element may be
different from the security of other elements of
the same record
• Two levels—sensitive and non-sensitive
• The security of an aggregate—a sum, a count, or
a group of values in a database—may differ from
the security of the individual elements
Granularity
• How do we associate a sensitivity level with each value of a database?
Access control policy – which users have access to what data?
Guarantee – an unauthorized person does not change data
Must provide both integrity and confidentiality
Separation can be implemented physically, logically, or cryptographically
Separation
• Partitioning – divide the database into separate databases, each with its own level of sensitivity
• Encryption – encrypt the data
• Integrity lock – to limit access; entrust the database manager with a trusted procedure
• Sensitivity lock – combination of a unique identifier (e.g. record number) and the sensitivity level
Integrity lock
• Actual data
• Sensitivity level – sensitivity of the data
• Error-detecting code – checksum
Trusted front end
• Serves as a one-way filter – removes results not needed by users
Commutative filters
• Filter reformats the query to allow the database manager to screen out unacceptable records
• Provides a second screening to select only data the user has access to
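The integrity lock and the trusted front end fit together: the lock is a checksum over the record's unique identifier, its sensitivity label and its data, and the front end checks it before it filters anything. The following is an added example (not code from the lecture) that uses an HMAC as the error-detecting code so that an untrusted DBMS, which does not hold the key, cannot recompute it. `front_end_query` verifies every lock, reports tampered records for audit, and releases only records at or below the user's clearance. Two tampering attempts are simulated: downgrading a secret record's label, and copying a valid lock from a low record onto a high one, which fails because the identifier is bound into the lock. The level names, key and records are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Added example; levels, key and records are constructed for illustration.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
FRONT_END_KEY = b"held only by the trusted front end"  # assumed secret


def make_lock(record_id, level, data, key=FRONT_END_KEY):
    """Checksum binding the unique id, the sensitivity label and the data."""
    msg = json.dumps([record_id, level, data], sort_keys=True,
                     separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(record_id, level, data):
    """What the trusted side stores: data, sensitivity level and integrity lock."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return {"id": record_id, "level": level, "data": data,
            "lock": make_lock(record_id, level, data)}


def lock_valid(rec, key=FRONT_END_KEY):
    expected = make_lock(rec["id"], rec["level"], rec["data"], key)
    return hmac.compare_digest(rec["lock"], expected)


def front_end_query(store, clearance, predicate=lambda data: True):
    """Trusted front end: a one-way filter between the untrusted store and the user.

    A record whose label or data no longer matches its lock is dropped and its
    id reported for audit, so a rewritten label can never release data.
    Surviving records are released only if at or below the user's clearance.
    """
    released, rejected = [], []
    for rec in store:
        if not lock_valid(rec):
            rejected.append(rec["id"])
            continue
        if LEVELS[rec["level"]] <= LEVELS[clearance] and predicate(rec["data"]):
            released.append(rec)
    return released, rejected


def build_store():
    return [
        seal(1, "unclassified", {"name": "depot A", "city": "Dover"}),
        seal(2, "confidential", {"name": "depot B", "city": "Bath"}),
        seal(3, "secret", {"name": "missile site", "grid": "NK 33 71"}),
    ]


def downgrade_label(store, record_id, new_level="unclassified"):
    """An untrusted DBMS (or attacker without the key) rewrites a label."""
    tampered = [dict(rec) for rec in store]
    for rec in tampered:
        if rec["id"] == record_id:
            rec["level"] = new_level
    return tampered


def swap_lock(store, victim_id, donor_id):
    """Copy a low record's label and valid lock onto a high record."""
    tampered = [dict(rec) for rec in store]
    donor = next(rec for rec in tampered if rec["id"] == donor_id)
    for rec in tampered:
        if rec["id"] == victim_id:
            rec["level"] = donor["level"]
            rec["lock"] = donor["lock"]
    return tampered


if __name__ == "__main__":
    store = build_store()
    for label, view in [("intact", store),
                        ("label downgraded", downgrade_label(store, 3)),
                        ("lock copied from 1", swap_lock(store, 3, 1))]:
        released, rejected = front_end_query(view, "unclassified")
        print(label, "->", [r["id"] for r in released], "rejected:", rejected)
```

In the intact store an unclassified user sees only record 1; in both tampered stores record 3 is rejected rather than released, and the rejected id is what the audit trail should carry.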
Distributed databases
• Trusted front end controls access to all low-sensitivity data and all high-sensitivity data
• If the user is cleared for high-sensitivity data, the front end submits queries to both the high- and low-sensitivity databases
• If the user is not cleared for high-sensitivity data, the front end submits a query to only the low-sensitivity database
Window/view
• DBMS creates a picture of the data reflecting only what the user needs to see (different users get different views)
• A window is a subset of a database, containing exactly the information that a user is entitled to access
• The subset guarantees that the user does not access values outside the permitted ones
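A view only guarantees the subset if the user cannot reach the base table another way. The following is an added example (not code from the lecture) in SQLite: a view exposes name and department for listed staff only, never the salary column, and the connection's authorizer then denies any read of the base table that does not originate from inside that view. SQLite consults the authorizer when a statement is compiled and passes, as the fifth argument, the name of the view or trigger on whose behalf the read happens (None for top-level SQL), which is what the check relies on. The table, rows and view name are constructed for the example.

```python
import sqlite3

# Added example; table, rows and view are constructed for illustration.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (
            emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT,
            salary INTEGER, listed INTEGER);
        INSERT INTO employees VALUES
            (1, 'Ann', 'ENG', 90000, 1),
            (2, 'Bob', 'ENG', 85000, 0),
            (3, 'Cy',  'HR',  70000, 1);
        -- The window: only listed staff, and never the salary column.
        CREATE VIEW staff_directory AS
            SELECT name, dept FROM employees WHERE listed = 1;
    """)
    return conn


def restrict_to_view(conn, view="staff_directory", table="employees"):
    """Make the view the only route to the base table on this connection.

    The authorizer runs at statement compile time; its last argument is the
    view (or trigger) responsible for the read, or None for top-level SQL,
    so base-table reads are allowed only from inside the view definition.
    """
    def authorizer(action, arg1, arg2, db_name, source):
        if action == sqlite3.SQLITE_READ and arg1 == table and source != view:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def read_directory(conn):
    """What the windowed user is entitled to: listed names and departments."""
    return conn.execute(
        "SELECT name, dept FROM staff_directory ORDER BY name").fetchall()


def try_base_table(conn, sql="SELECT name, salary FROM employees"):
    """Rows if the DBMS lets the user outside the window, else the refusal text."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    unrestricted = make_db()
    print("no window:", try_base_table(unrestricted))       # all three salaries
    windowed = make_db()
    restrict_to_view(windowed)
    print("through view:", read_directory(windowed))         # Ann and Cy, no salary
    print("around view:", try_base_table(windowed))          # refused: not authorized
```

The same SQL that returns three salaries on the unrestricted connection is refused on the windowed one, while the view still answers; in a server DBMS the equivalent is granting SELECT on the view and nothing on the base table.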
Data mining uses statistics, machine learning, mathematical models, pattern recognition, and other techniques to discover patterns and relations in large datasets
Confidentiality/Privacy and Sensitivity
• Difficult to maintain
• Inference across multiple databases is a threat to confidentiality
Data Correctness and Integrity
• Data owned and controlled by one party
• Mining of different databases from different users
• Correcting mistakes in data – have data in one place
• Using comparable data
• Eliminating false matches
Availability of Data
• Missing data may lead to incorrect data mining results