1 | Page
University College Cork
IS6156 Databases for Management Information Systems
Analysing the breaches in database security at YONS Ltd and evaluating the security options available
Submitted by: Brendan Mc Sweeney, Senior Database Administrator
Student Number: 114223513
Submitted to: Dr. Ciara Heavin
Submission Date: 2/2/15
Table of Contents
1. Introduction ... 3
2. Reasons for breaches in database security ... 4
3. Data Security Solutions ... 7
3.1 Basic Data Security Measures ... 7
3.1.1 FIA Software ... 7
3.1.2 Data Handling Policy ... 7
3.1.3 Data Encryption ... 8
3.2 Intermediate Data Security Measures ... 8
3.2.1 Thin/Lean Clients ... 8
3.2.2 Data Loss Prevention (DLP) Software ... 9
3.3 Advanced Data Security Measures ... 9
3.3.1 Activism ... 9
4. Recommendations ... 10
5. References ... 12
1. Introduction
With the increasing value of data at YONS Ltd, we have been subject to unauthorised attacks on our data over the last 18 months; as a result, this report was commissioned to analyse the recent breaches in our database security. It has emerged that confidential staff data concerning salary details has been disclosed internally to staff and shareholders, and that vital customer data relating to bank details has also been obtained externally by our rivals. Database security is our last line of defence, and once it is penetrated we are left vulnerable to further attacks, so it is of the utmost importance that we implement measures to secure our vital data. The overall aim of this report is to analyse the reasons behind the breaches in our databases, suggest measures to prevent database breaches and ultimately propose an effective database security strategy for potential implementation.
In order to sustain our growth and success, especially in online gaming, it is important to ensure that we are more attentive to database security. In recent times both internal and external attacks on data have been difficult to detect due to the sophisticated nature of the attacks; however, following the commission of this report, I hope that our overall database security is given a higher priority in order to prevent breaches and loss of data, which could consequently result in a loss of our competitive advantage in the future.
2. Reasons for breaches in database security
Database security is implemented in many organisations to ensure that all company data is protected (Spam Laws, 2015). The database at YONS Ltd was compromised on many occasions over the last 18 months for a variety of reasons, which may include the following.
YONS Ltd may be implementing a very basic database security policy which only uses detective controls such as auditing and monitoring; 20% of organisations implement similar database security policies (Forrester, 2012).
Companies tend to devote 8-10% of their IT budget to security, which incidentally focuses more on application- and network-level security than on database security (Forrester, 2012). This may highlight the low priority that database security is given at YONS Ltd.
In many cases database security solutions are implemented in isolation; as a result, the database security may comprise products from many vendors, and the lack of integration by a single vendor leaves significant gaps in security which may leave YONS Ltd vulnerable to attacks on its database (Forrester, 2012).
YONS Ltd may have a lack of internal controls such as training and education, which may lead to breaches in database security. Based on a study conducted by Imperva (2014), 75% of organisations experienced staff-related breaches in their database because the security policy was not fully understood by all members of staff; furthermore, 54% of small businesses did not have a training policy in place to inform staff about data security risks.
YONS Ltd may also be subject to input/SQL injection attacks, which target traditional database systems by inserting malicious or unauthorised statements (Imperva, 2014).
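The following is an added illustration, not part of the original report, of how an unauthorised statement gets inserted when user input is concatenated into a query, and how a parameterised query stops it. The staff table, its rows and the lookup functions are constructed for the example.

```python
# Added example (not from the report): the same salary lookup written two ways.
# The staff table and its rows are constructed sample data.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)",
                     [("alice", 52000), ("bob", 47000), ("carol", 61000)])
    return conn

def salary_lookup_vulnerable(conn, username: str) -> list:
    # Vulnerable: the input becomes part of the SQL text, so a quote character
    # in it changes the statement's structure instead of being compared as data.
    sql = "SELECT username, salary FROM staff WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def salary_lookup_safe(conn, username: str) -> list:
    # Hardened: the driver binds the value separately from the statement, so
    # whatever the input contains is only ever compared against the column.
    sql = "SELECT username, salary FROM staff WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo() -> dict:
    conn = make_db()
    normal = "alice"
    # Text that, once concatenated, turns the WHERE clause into one that is
    # always true, so every salary row is disclosed (the breach type described).
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(salary_lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(salary_lookup_vulnerable(conn, crafted)),
        "safe_normal": len(salary_lookup_safe(conn, normal)),
        "safe_crafted": len(salary_lookup_safe(conn, crafted)),
    }

if __name__ == "__main__":
    # {'vulnerable_normal': 1, 'vulnerable_crafted': 3, 'safe_normal': 1, 'safe_crafted': 0}
    print(demo())
```

A database firewall (section 4) inspects statements for the structural change the vulnerable variant allows; the parameterised form removes the problem at its source.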
At YONS Ltd, members of staff may be abusing their database privileges; additionally, former members of staff may still have access rights to the database, which may result in a rival company obtaining vital data (Imperva, 2014).
An unpatched, misconfigured database may leave YONS Ltd vulnerable to attacks which attackers can easily exploit. This is a common problem for Oracle users: 28% of users never apply a critical patch update or are unaware whether they have done so, while another 10% take a year or longer to apply patch updates (Imperva, 2014).
(Figure 1)
Hacking is another cause of data security breaches and a regular occurrence in many organisations. Hackers generally obtain unauthorised access to a computer network by installing malicious software, or malware, on the network to obtain vital company information such as credit card numbers; furthermore, hackers can gain unauthorised access to a network by manipulating an organisation's security software. According to figure 1, 51% of data security attacks were due to hacking (Clifton, 2009). It is highly likely that YONS Ltd has been subject to hacking over the last 18 months, as hacking generally goes on for months, if not years.
Social engineering is a non-technical cause of data security breaches to which YONS Ltd may also have been exposed. According to figure 1, 17% of attacks were completed through fraud or social engineering. This tactic relies heavily on human interaction: social engineers typically convince authorised personnel of an organisation to break data security procedures and provide them with information, which is generally obtained through phishing e-mails and by creating a fake business to convince the organisation that they are legitimate (Clifton, 2009). Phishing e-mails are prevalent in obtaining sensitive information and may be another highly possible reason for the breaches in data security at YONS Ltd; this was particularly rampant in the United States in 2003, with 255,000 cases of identity theft attributed to phishing e-mails (Spam Laws, 2015).
Based on these reasons, Clifton (2009) goes on to highlight the possible suspects in figure 2 below: 81% of attacks were carried out by malicious outsiders, 17% by malicious insiders who deliberately attacked an organisation's database, and 2% by unintentional insiders who accidentally caused a database security breach. YONS Ltd can easily rectify unintentional attacks on its database through training and education of staff; the other attacks can potentially be resolved using the methods in the following section.
(Figure 2)
3. Data Security Solutions
According to Clifton (2009) there are three levels of data security measures, listed in figure 3, which could potentially be implemented by YONS Ltd.
(Figure 3)
3.1 Basic Data Security Measures
Due to their ease of use and affordability, these data security measures could be easily implemented by YONS Ltd. The potential options available are outlined in figure 3.
3.1.1 FIA Software
A firewall, intrusion detection and regular patch updates, in combination with FIA anti-virus software, can provide suitable network security against hackers and other unauthorised users (Clifton, 2009).
3.1.2 Data Handling Policy
The aim of a data handling policy is to provide regulations about all aspects of personal data. The organisation subsequently relays this information to its employees through training, which further enlightens employees about data handling rules, the value of data to the company, the data security measures in place and the social engineering methods used by unauthorised users or hackers (Clifton, 2009).
3.1.3 Data Encryption
This security option uses mathematical algorithms to render a network message unreadable to
unauthorised users (Spam Laws, 2015). Authorised users can decrypt these messages through
a username and password (Clifton, 2009).
The two categories of data encryption are symmetric and asymmetric (Spam Laws, 2015).
Symmetric Data Encryption
This category uses a private key shared between sender and recipient to encrypt or decrypt a message (Diaa Salama, 2010). The most common symmetric data encryption algorithm is DEA (Data Encryption Algorithm), which complies with DES (Data Encryption Standard); it is recommended to use this algorithm for large volumes of data (Spam Laws, 2015).
Asymmetric Data Encryption
Asymmetric data encryption, such as Diffie-Hellman, uses both a private key and a public key (Spam Laws, 2015). The public key is used for the encryption of a message while the private key is used to decrypt it (Diaa Salama, 2010). The public key can essentially be used by anyone to encrypt a message, while decrypting a message can only be done by the owner of the private key (Spam Laws, 2015).
3.2 Intermediate Data Security Measures
With the rather negligent data security measures currently in place at YONS Ltd, data security and the protection of personal data should become a high priority. Implementing both the basic and the intermediate data security measures outlined in figure 3 above should ensure that personal data at YONS Ltd is not compromised in the future.
3.2.1 Thin/Lean Clients
Thin or lean clients run in web browsers or on remote desktop software in a client-server network architecture. A central server processes both inputs and outputs, so the thin client keeps only the personal data that is needed, while the remaining personal data is stored on the central server or in a data centre (Clifton, 2009).
3.2.2 Data Loss Prevention (DLP) Software
This software detects and prevents malicious insiders from copying and sending personal data without authorisation. The functions of DLP software are carried out in both an online mode and an offline mode (Clifton, 2009).
Offline Mode
This mode uses three techniques to determine who the regular users of a document are: manual marking of documents, keyword-based automated search of documents, and automated search for edited documents which contain the authorised signatures of the original document (Clifton, 2009).
Online Mode
Users of DLP software must ensure that they abide by the data handling policy when sharing and using personal data; when there is a violation, the DLP software automatically blocks the use and sharing of the personal data (Clifton, 2009).
3.3 Advanced Data Security Measures
This data security measure comes into play once the lower data security measures explained above and illustrated in figure 3 are satisfied. At an advanced level, web pages can be hacked and personal data can ultimately be compromised (Clifton, 2009).
3.3.1 Activism
In order to prevent web page hacking, YONS Ltd can enlist a community of internet vigilantes, free of charge, to help avert it (Clifton, 2009).
4. Recommendations
Based on the options I outlined in the previous section, I believe YONS Ltd should implement each level of data security illustrated in figure 3, from bottom to top, to ultimately form a comprehensive database security strategy. The comprehensive database security strategy should use a single vendor for all database security systems to ensure cost effectiveness and integration throughout the organisation (Forrester, 2012). YONS Ltd must ensure that it implements each database security level to a satisfactory standard in order to protect itself from unauthorised users.
A comprehensive database security strategy should proactively protect data from both internal and external attacks by securing all databases. In order to implement such a strategy successfully, YONS Ltd should follow the three key pillars approach identified by Forrester (2012) and illustrated in figure 4 below.
Foundation | Detection | Prevention
Discovery and Classification | Auditing | Encryption
Authentication, authorization and access control | Monitoring | Data Masking
Patch Management | Vulnerability Assessment | Database Firewall
(Figure 4)
Foundation Pillar
This pillar identifies which databases YONS Ltd should focus on and puts authentication, authorisation and access control measures in place to ensure that only authorised users gain access to a database. Additionally, YONS Ltd should apply patch updates regularly to ensure that it does not leave itself vulnerable to attacks by unauthorised users.
Detection Pillar
Auditing can be used by YONS Ltd to detect any data inconsistencies as well as to track the access rights of users. Database security monitoring provides real-time intrusion protection to ensure that the database is protected from unauthorised users. Additionally, a vulnerability assessment report can be produced to provide information on database weaknesses such as weak passwords and excessive access rights.
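As an added example (not part of the report), the check below does the access-rights tracking this pillar describes and also catches the section 2 problem of former staff keeping their database accounts. The HR roster, the grants table and the role-to-privilege policy are all constructed for the example; a real review would read the DBMS's own privilege catalogue and the HR system.

```python
# Added example (not from the report): reconcile database grants against the
# HR roster and an assumed least-privilege policy. All data is constructed.
import sqlite3

# Assumed policy: the most each job role should hold on the customer data.
ALLOWED = {
    "payroll": {"SELECT", "UPDATE"},
    "support": {"SELECT"},
    "dba": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
}

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hr_staff (username TEXT, role TEXT, status TEXT)")
    conn.execute("CREATE TABLE db_grants (username TEXT, privilege TEXT)")
    conn.executemany("INSERT INTO hr_staff VALUES (?, ?, ?)", [
        ("alice", "payroll", "active"),
        ("bob", "support", "left"),      # former employee, account still present
        ("carol", "dba", "active"),
        ("dave", "support", "active"),
    ])
    conn.executemany("INSERT INTO db_grants VALUES (?, ?)", [
        ("alice", "SELECT"), ("alice", "UPDATE"),
        ("bob", "SELECT"),
        ("carol", "SELECT"), ("carol", "GRANT"),
        ("dave", "SELECT"), ("dave", "DELETE"),  # beyond the support role
        ("mallory", "SELECT"),                   # no HR record at all
    ])
    return conn

def audit_access(conn) -> dict:
    """Return findings a reviewer would act on, keyed by category."""
    rows = conn.execute("""
        SELECT g.username, g.privilege, s.role, s.status
        FROM db_grants g LEFT JOIN hr_staff s ON s.username = g.username
        ORDER BY g.username, g.privilege""").fetchall()
    findings = {"former_staff": set(), "unknown_account": set(), "excessive": set()}
    for user, priv, role, status in rows:
        if role is None:                      # account with no owner in HR
            findings["unknown_account"].add(user)
        elif status != "active":              # leaver whose access was not revoked
            findings["former_staff"].add(user)
        elif priv not in ALLOWED[role]:       # privilege the role does not need
            findings["excessive"].add((user, priv))
    return findings

if __name__ == "__main__":
    for category, items in audit_access(make_db()).items():
        print(category, sorted(items))
```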
Prevention Pillar
The main aim of this pillar is to prevent unauthorised access to, and exposure of, private company data. The preventative measures include data encryption, which protects the data stored in an organisation's production database; data masking, which protects an organisation's non-production databases; and a database firewall, which provides real-time protection from SQL injection attacks and ensures that unauthorised access to a database is blocked in real time.
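An added example (not from the report) of the data masking step: a staff table is copied into a non-production table so that the fields breached at YONS Ltd (salary details and bank details) are no longer sensitive while test code still sees realistic values. The rows, the masking rules and the key name are constructed for the example.

```python
# Added example (not from the report): produce a masked non-production copy.
# All rows are constructed; the key is a placeholder for one held in a secrets store.
import hashlib
import hmac
import sqlite3

MASK_KEY = b"constructed-demo-key"  # assumption: never kept in source in practice

def pseudonym(value: str) -> str:
    # Keyed hash: the same name always maps to the same token (joins between
    # masked tables still work), but without the key it cannot be reversed or
    # confirmed by hashing a guessed name, unlike a plain SHA-256 of the name.
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def mask_account(iban: str) -> str:
    # Keep only the last four characters so format and length checks still pass.
    return "*" * (len(iban) - 4) + iban[-4:]

def salary_band(salary: int) -> str:
    # Replace the exact figure with a 10,000-wide band.
    low = (salary // 10000) * 10000
    return f"{low}-{low + 9999}"

def build_masked_copy(conn: sqlite3.Connection) -> list:
    """Create staff_masked from staff and return its rows."""
    conn.execute("CREATE TABLE staff_masked (staff_ref TEXT, iban TEXT, salary_band TEXT)")
    rows = conn.execute("SELECT name, iban, salary FROM staff").fetchall()
    for name, iban, salary in rows:
        conn.execute("INSERT INTO staff_masked VALUES (?, ?, ?)",
                     (pseudonym(name), mask_account(iban), salary_band(salary)))
    return conn.execute("SELECT * FROM staff_masked ORDER BY staff_ref").fetchall()

def demo() -> list:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, iban TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", [
        ("Alice Example", "IE29AIBK93115212345678", 52000),  # constructed values
        ("Bob Example", "IE64IRCE92050112345678", 47500),    # constructed values
    ])
    return build_masked_copy(conn)

if __name__ == "__main__":
    for row in demo():
        print(row)
```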
5. References
Clifton, P. (2009). Protecting organisations from personal data breaches. Computer Fraud & Security, pp. 13-18. Amsterdam, Holland: Elsevier.
Diaa Salama, A. E. (2010). Evaluating the Performance of Symmetric Encryption Algorithms. International Journal of Network Security, 213-219.
Forrester, C. (2012). Formulate a database security strategy to ensure investments will actually prevent data breaches and satisfy regulatory requirements. Cambridge, USA: Forrester Research Inc.
Imperva. (2014). Top Ten Database Threats.
Spam Laws. (2015). Retrieved January 23, 2015, from Spam Laws: http://www.spamlaws.com/