Database and Data Mining Security

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Database and Data Mining Security"

Transcription

1 Database and Data Mining Security 1 Threats/Protections to the System 1. External procedures security clearance of personnel password protection controlling application programs Audit 2. Physical environment secure areas for DB/hardware radiation shielding 3. Data storage encryption duplication copies 2 4. Processor software - user authentication - access control - threat monitoring - audit trail 5. Processor hardware - memory protection - state of privilege - reliability 6. Communication line : -data encryption, implemented with cost consideration DB holds essential data that reflects the organization s core competencies Protecting data is at the heart of secure system Users rely on DBMS to manage protection DB organization and contents are valuable corporate assets that must be carefully protected 3 4 Two major security issues in DB context Integrity Secrecy Two major problems Inference Multilevel Introduction to DB DB = organized collection of data and a set of rules that organize the data by specifying certain relationship among the data Data Mining = the process of extracting hidden patterns from DB by using stat, math-inference DB administrator = the person who defines the rules to organize and control the usage of DB DBMS = software providing front end or interface for users to interact with DB 6

2 DBMS functions: create manage protect provide access Advantages of DB Shared access Minimal redundancy Data consistency Data integrity Controlled access Security Requirements of DB DB system may be attacked at many levels Attackers usually be end users rather than programmers Violation are reading, modifying or destroying info. by unauthorized people Basic problems access control, exclusion of spurious data, Requirements for DB Security 1. Physical DB integrity : DB must be immune to physical problems such as power failure, hardware malfunction,.. DB can be reconstructed if it is destroyed 2. Logical DB integrity : structure of DB must be preserve, eg., modification of one field does not effect other fields authentication of user, reliability Element integrity:data contained in each element must be correct or accurate. Can be provided by field check : test for appropriate value, access control : concurrency access control change log: list every change made to DB, we can track for all previous actions or when error occurs we can undo, roll back, Auditability : Possible to track who or what has accessed the elements in DB pass-through problem access which has no transfer of data to user, eg., when using select, thus difficult to audit log may be overstate or understate 12

3 5. Access control : user is allowed to access only authorized data. Different users can be restricted to different modes of access 6. User authentication : every user is positively identified, both for auditing and access permission 7. Availability : data must be available for the right person and at the right time Reliability & Integrity Reliable software = software that run for very long time without failing DB reliability and integrity can be viewed from 3 dimensions: DB integrity : DB as a whole is protected against damage, as from HW/SW failure Element integrity : the value of data elements is changed only by authorized user Element accuracy : only correct values are written into the elements of a DB 14 Protection Features for Reliability DB can be monitored and controlled by many methods as follows: Field checks is a check for validity of values in DB fields. Usually applied at data entry Change logs whenever changing on DB, there must be a log file to keep both old and new values in order that DBA can examine, verify or make correction if error occurs 15 Access control procedures to keep eyes on all users who access DB so that we can know DB status and access of every user before system crash or conflict User authentication to check and allow only authorized user to get DB access Integrity checks info. should be checked for integrity, accuracy and completeness 16 Audits performed by internal or external party to make sure that the system perform as designed Monitors can check for the structural integrity of DB eg., value being entered is consistence with other parts of DB or not Range comparisons verify new value whether it is in the acceptable range 17 State constraints to check whether DB values violate the entire DB constraints Transition constraints to check the conditions necessary before changes can be applied to a DB eg., before new employee can be added, there must be a vacant position Boundary checks to check for sensitive values whether they are fallen in the lower and upper bound without revealing actual values eg., checking salary which is sensitive against it boundary values 18

4 Two-phase update : secure method for updating intent phase: prepare data to be used for updating, eg., gather data, create dummy record, open file, lock rec., compute final answers (if fail, we can repeat) committing phase : making the permanent change by writing a commit flag, if fail, must perform recovery, eg., undo (roll back)/redo (roll forward) 19 Redundancy/internal consistency error detection/correction shadow fields : create 2 nd copy of field/ record in order that the 1 st copy is failed or error occurs when updating Data recovery roll back/roll forward compensating transaction backup/restore Concurrency/consistency control Serializability, data locking Sensitive Data Sensitive data =data that should not be made public otherwise it causes damage to individual Security concerns not only the data element but their context and meaning (Table 6-6) We should also take into account different degrees of sensitivity Access control problem : how to limit access so that sensitive data are not to be released to unauthorized people Factors that can make data sensitive inherently sensitive, eg., location of defensive missile data from a sensitive source, eg., info. from informer whose identity may be compromised if the information were disclosed declared sensitive, eg., classified military data 23 part of a sensitive attribute/record, eg., salary of personnel DB, record of secret space mission program sensitive in relation to previously disclose information, eg., longitude coordinate of secret gold mine when appearing with latitude can pinpoint the location 24

5 Access Decision access decision must be based on access policy factors effect to the decision availability of data : whether the access makes a permanent blocking or very long time data locking resulting denial of service acceptability of access : whether the access can release sensitive info. even user does not ask for but it come out with non-sensitive data assurance of authenticity : whether the access are made from authorized people, unauthorized people can reveal sensitive data Types of Disclosures exact data : the most serious disclosure bounds: useful way to present sensitive data negative results : data that are separated into 2 groups, not appearing in one group determines that they are in another group existence : reveal the existence of data regardless of its actual value is sometimes sensitive probable value : combination of nonsensitive query may result in disclosure of sensitive data (in probability) by combining several less sensitive queries Security vs Precision Security goal : protect data as secure as possible Precision goal: reveal data as much as possible situation is complicated by a desired to share non-sensitive and protect sensitive data ideal combination of security and precision : maintain for perfect security with maximum precision Inference - inference is the way to infer, derive, deduct info. from non-sensitive data - usually deduct to find sensitive info. from most extreme value of available info. - to protect inference, it can be done by creation of rule-based semantic layer between logical DB design and physical implementation which will be criteria to examine query 29 Methods of Inference Direct Attack attacker uses query trying to put some conditions so little output or a single data item is come out Ex student data containing sensitive field of drug with values; 0, 1, 2, 3 List NAME where SEX=M and DRUG=1 (obvious query) (less obvious query) List NAME where (SEX=M and DRUG=1) or (SEX = M and SEX = F) or (DORM=AYRES) 30

6 Indirect Attack indirect attack usually be done outside DB by using anonymous statistics to infer individual normally statistical info. from DB must eliminate anything used to identify individual, eg., name address, tel,.. present only neutral statistics, eg., count, sum, mean,.. without extreme values However, indirect attack may take these for inference, eg., sum, count, mean, median, tracker attack linear system vulnerability By combination of Table 6.8 and Table 6.9 we can infer who they are (for yellow) 35 36

7 37 38 Tracker Attack Fool DB manager into locating the desired data by using additional query The tracker adds additional records to be retrieved for two different queries The two records cancel each other out, leaving only the data required (given n and n-1 we can easily compute single element) Linear system vulnerability : -single c can be solved from 5 queries 41 Control for statistical inference attacks Query controls are effective primarily against direct attack Precision checks is set to determine whether a given query discloses sensitive data Suppression : query will be rejected and terminated without any response or indication when query sensitive data Concealing : presents info. that is not exact but close to actual data by slightly modifying data values with random no. 42

8 Limit response suppression Combined Results random sample results are computed from data randomly selected from the whole data random data perturbation : slightly modify statistics before presenting to the requester, eg, put some noise (error) into output data which has no effect to statistics Ex. Average salary may be multiplied by a small number and each record may be added/subtracted by small random number 45 query analysis Used to analyze query whether it can infer sensitive data Technique applied is to consider query history and query context More complicate Difficult to do 46 Inference conclusion No perfect solution Three approaches 1. Suppress obvious sensitive information 2. Track what the user knows 3. Disguise the data Aggregation This attack builds sensitive result from less sensitive data Several less sensitive data can be tracked to sensitive data Rather complicate and difficult to do Presently, advance in data mining can be applied to perform this type of attack 47 48

Database security. André Zúquete Security 1. Advantages of using databases. Shared access Many users use one common, centralized data set

Database security. André Zúquete Security 1. Advantages of using databases. Shared access Many users use one common, centralized data set Database security André Zúquete Security 1 Advantages of using databases Shared access Many users use one common, centralized data set Minimal redundancy Individual users do not have to collect and maintain

More information

Computer Security (EDA263 / DIT 641)

Computer Security (EDA263 / DIT 641) Computer Security (EDA263 / DIT 641) Lecture 12: Database Security Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology Sweden Outline Introduction to databases

More information

Computer Security (EDA263 / DIT 641)

Computer Security (EDA263 / DIT 641) Computer Security (EDA263 / DIT 641) Lecture in EDA263: Database Security Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology Sweden Outline Introduction to

More information

Database Security. Database Security Requirements

Database Security. Database Security Requirements Database Security Laurie Williams williams@csc.ncsu.edu John Slankas John_Slankas@ncsu.edu Physical database integrity Logical database integrity Element integrity Auditability Access Control User Authentication

More information

DATABASE SECURITY - ATTACKS AND CONTROL METHODS

DATABASE SECURITY - ATTACKS AND CONTROL METHODS DATABASE SECURITY - ATTACKS AND CONTROL METHODS Emil BURTESCU 1 PhD, Associate Professor, Department of Accounting and Management Informatics, University of Pitesti, Pitesti, Romania E-mail: emil.burtescu@yahoo.com,

More information

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E) SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E) 2 LECTURE OUTLINE Threats and countermeasures Access control mechanisms SQL s grant and revoke Role of views 3 THREATS What are the threats? Loss of integrity

More information

COSC344 Database Theory and Applications. Lecture 23 Security and Auditing. COSC344 Lecture 23 1

COSC344 Database Theory and Applications. Lecture 23 Security and Auditing. COSC344 Lecture 23 1 COSC344 Database Theory and Applications Lecture 23 Security and Auditing COSC344 Lecture 23 1 Overview Last Lecture Indexing This Lecture Database Security and Auditing Security Mandatory access control

More information

Database Security. Sarajane Marques Peres, Ph.D. University of São Paulo www.each.usp.br/sarajane

Database Security. Sarajane Marques Peres, Ph.D. University of São Paulo www.each.usp.br/sarajane Database Security Sarajane Marques Peres, Ph.D. University of São Paulo www.each.usp.br/sarajane Based on Elsmari x Navathe / Silberschatz, Korth, Sudarshan s books Types of security Legal and ethical

More information

B.Sc (Computer Science) Database Management Systems UNIT-V

B.Sc (Computer Science) Database Management Systems UNIT-V 1 B.Sc (Computer Science) Database Management Systems UNIT-V Business Intelligence? Business intelligence is a term used to describe a comprehensive cohesive and integrated set of tools and process used

More information

Chapter 23. Database Security. Security Issues. Database Security

Chapter 23. Database Security. Security Issues. Database Security Chapter 23 Database Security Security Issues Legal and ethical issues Policy issues System-related issues The need to identify multiple security levels 2 Database Security A DBMS typically includes a database

More information

Overview of Information Security. Murat Kantarcioglu

Overview of Information Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Information Security Murat Kantarcioglu Pag. 1 Purdue University Outline Information Security: basic concepts Privacy: basic

More information

Concepts of Database Management Seventh Edition. Chapter 7 DBMS Functions

Concepts of Database Management Seventh Edition. Chapter 7 DBMS Functions Concepts of Database Management Seventh Edition Chapter 7 DBMS Functions Objectives Introduce the functions, or services, provided by a DBMS Describe how a DBMS handles updating and retrieving data Examine

More information

DATABASE SECURITY, INTEGRITY AND RECOVERY

DATABASE SECURITY, INTEGRITY AND RECOVERY DATABASE SECURITY, INTEGRITY AND RECOVERY DATABASE SECURITY, INTEGRITY AND RECOVERY Database Security and Integrity Definitions Threats to security and integrity Resolution of problems DEFINITIONS SECURITY:

More information

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University CS377: Database Systems Data Security and Privacy Li Xiong Department of Mathematics and Computer Science Emory University 1 Principles of Data Security CIA Confidentiality Triad Prevent the disclosure

More information

ICTN 4040. Enterprise Database Security Issues and Solutions

ICTN 4040. Enterprise Database Security Issues and Solutions Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of

More information

Chapter 8 A secure virtual web database environment

Chapter 8 A secure virtual web database environment Chapter 8 Information security with special reference to database interconnectivity Page 146 8.1 Introduction The previous three chapters investigated current state-of-the-art database security services

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 5 Database Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Database Security 1 Relational Databases constructed

More information

12 FAM 650 ACQUISITION SECURITY REQUIREMENTS FOR OPERATING SYSTEMS AND SUBSYSTEM COMPONENTS

12 FAM 650 ACQUISITION SECURITY REQUIREMENTS FOR OPERATING SYSTEMS AND SUBSYSTEM COMPONENTS 12 FAM 650 ACQUISITION SECURITY REQUIREMENTS FOR OPERATING SYSTEMS AND SUBSYSTEM COMPONENTS 12 FAM 651 GENERAL (CT:DS-180; 06-20-2012) (Office of Origin: DS/SI/CS) a. Acquisition authorities must follow

More information

CS346: Advanced Databases

CS346: Advanced Databases CS346: Advanced Databases Alexandra I. Cristea A.I.Cristea@warwick.ac.uk Data Security and Privacy Outline Chapter: Database Security in Elmasri and Navathe (chapter 24, 6 th Edition) Brief overview of

More information

Chapter 23. Database Security. Security Issues. Database Security

Chapter 23. Database Security. Security Issues. Database Security Chapter 23 Database Security Security Issues Legal and ethical issues Policy issues System-related issues The need to identify multiple security levels 2 Database Security A DBMS typically includes a database

More information

ITM661 Database Systems. Database Security and Administration

ITM661 Database Systems. Database Security and Administration ITM661 Database Systems Database Security and Administration Outline Introduction to Database Security Issues Types of Security Threats to databases Database Security and DBA Access Protection, User Accounts,

More information

CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security omputer Science S 45 Introduction to omputer Security Topic 6.: Database Inference ontrol Outline Inference attacks Direct attacks (no inference needed) Indirect attacks via aggregations Tracker attacks

More information

Main Reference : Hall, James A. 2011. Information Technology Auditing and Assurance, 3 rd Edition, Florida, USA : Auerbach Publications

Main Reference : Hall, James A. 2011. Information Technology Auditing and Assurance, 3 rd Edition, Florida, USA : Auerbach Publications Main Reference : Hall, James A. 2011. Information Technology Auditing and Assurance, 3 rd Edition, Florida, USA : Auerbach Publications Suggested Reference : Senft, Sandra; Gallegos, Frederick., 2009.

More information

4-06-55 Controlling Data Resources in Distributed Environments Barbara Grant

4-06-55 Controlling Data Resources in Distributed Environments Barbara Grant 4-06-55 Controlling Data Resources in Distributed Environments Barbara Grant Payoff As the role of data in an organization expands and data becomes increasingly related to profitability, the impact of

More information

Database Management. Chapter Objectives

Database Management. Chapter Objectives 3 Database Management Chapter Objectives When actually using a database, administrative processes maintaining data integrity and security, recovery from failures, etc. are required. A database management

More information

BM482E Introduction to Computer Security

BM482E Introduction to Computer Security BM482E Introduction to Computer Security Lecture 7 Database and Operating System Security Mehmet Demirci 1 Summary of Lecture 6 User Authentication Passwords Password storage Password selection Token-based

More information

Cryptography and Network Security Sixth Edition by William Stallings

Cryptography and Network Security Sixth Edition by William Stallings Cryptography and Network Security Sixth Edition by William Stallings Chapter 1 Overview The combination of space, time, and strength that must be considered as the basic elements of this theory of defense

More information

VALLIAMMAI ENGNIEERING COLLEGE SRM Nagar, Kattankulathur 603203.

VALLIAMMAI ENGNIEERING COLLEGE SRM Nagar, Kattankulathur 603203. VALLIAMMAI ENGNIEERING COLLEGE SRM Nagar, Kattankulathur 603203. DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING Year & Semester : II / III Section : CSE - 1 & 2 Subject Code : CS 6302 Subject Name : Database

More information

Security Implications of Distributed Database Management System Models

Security Implications of Distributed Database Management System Models Security Implications of Distributed Database Management System Models 1 * Dr.C.Sunil Kumar, 2 J.Seetha, 3 S.R.Vinotha 1,2,3 Anna University, Chennai, India E-mail: 1 Sunil1977.dce@gmail.com, 2 seetha.venkat80@gmail.com,

More information

DATA MINING - 1DL360

DATA MINING - 1DL360 DATA MINING - 1DL360 Fall 2013" An introductory class in data mining http://www.it.uu.se/edu/course/homepage/infoutv/per1ht13 Kjell Orsborn Uppsala Database Laboratory Department of Information Technology,

More information

4-06-60 DBMS Recovery Procedures Frederick Gallegos Daniel Manson

4-06-60 DBMS Recovery Procedures Frederick Gallegos Daniel Manson 4-06-60 DBMS Recovery Procedures Frederick Gallegos Daniel Manson Payoff When a DBMS crashes, all or a portion of the data can become unusable, Appropriate procedures must be followed to restore, validate,

More information

Database Security. Chapter 21

Database Security. Chapter 21 Database Security Chapter 21 Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. E.g., A student can t see other students grades. Integrity: Users should

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Introduction to Information Security

Introduction to Information Security Introduction to Information Security Chapter 1 Information Security Basics Winter 2015/2016 Stefan Mangard, www.iaik.tugraz.at What is Information Security? 2 Security vs. Safety The German word Sicherheit

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

SECURITY MODELS FOR OBJECT-ORIENTED DATA BASES

SECURITY MODELS FOR OBJECT-ORIENTED DATA BASES 82-10-44 DATA SECURITY MANAGEMENT SECURITY MODELS FOR OBJECT-ORIENTED DATA BASES James Cannady INSIDE: BASICS OF DATA BASE SECURITY; Discretionary vs. Mandatory Access Control Policies; Securing a RDBMS

More information

Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21

Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21 Security and Authorization Chapter 21 Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 1 Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed

More information

87-01-90 Establishing Security Controls in a Distributed Data Base Sooun Lee Mohamed Nour Soong H. Chung Payoff

87-01-90 Establishing Security Controls in a Distributed Data Base Sooun Lee Mohamed Nour Soong H. Chung Payoff 87-01-90 Establishing Security Controls in a Distributed Data Base Sooun Lee Mohamed Nour Soong H. Chung Payoff Distributed computing systems can provide benefits not available with centralized computing

More information

Computer and Network Security

Computer and Network Security Computer and Network Security R. E. Newman Computer & Information Sciences & Engineering University Of Florida Gainesville, Florida 32611-6120 nemo@cise.ufl.edu Introduction to Computer and Network Security

More information

Database Security. The Need for Database Security

Database Security. The Need for Database Security Database Security Public domain NASA image L-1957-00989 of people working with an IBM type 704 electronic data processing machine. 1 The Need for Database Security Because databases play such an important

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

INFORMATION TECHNOLOGY GRADES 10-12

INFORMATION TECHNOLOGY GRADES 10-12 GRADE 12 Grade 12: Term 1-10 weeks/40 hours Data and Information Management: Database design and concepts (±1 week/4 hours) - Relational database overview o Normalisation (overview and purpose) to reduce

More information

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS 11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78

More information

SECTION 15 INFORMATION TECHNOLOGY

SECTION 15 INFORMATION TECHNOLOGY SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP) 15.1 PURPOSE The Navajo County

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Reference Guide for Security in Networks

Reference Guide for Security in Networks Reference Guide for Security in Networks This reference guide is provided to aid in understanding security concepts and their application in various network architectures. It should not be used as a template

More information

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶 Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik Common Criteria Protection Profile Cryptographic Modules, Security Level Enhanced BSI-CC-PP-0045 Endorsed by the Foreword This Protection Profile - Cryptographic Modules, Security Level Enhanced - is issued

More information

Database Security. Soon M. Chung Department of Computer Science and Engineering Wright State University schung@cs.wright.

Database Security. Soon M. Chung Department of Computer Science and Engineering Wright State University schung@cs.wright. Database Security Soon M. Chung Department of Computer Science and Engineering Wright State University schung@cs.wright.edu 937-775-5119 Goals of DB Security Integrity: Only authorized users should be

More information

Welcome to Information Systems Security (503009)

Welcome to Information Systems Security (503009) Welcome to (503009) Nguyen Thi Ai Thao Faculty of Computer Science & Engineering HCMC University of Technology thaonguyen@cse.hcmut.edu.vn Course Outline Week Lectures 1 Information systems security: basic

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

INFO/CS 330: Applied Database Systems

INFO/CS 330: Applied Database Systems INFO/CS 330: Applied Database Systems Introduction to Database Security Johannes Gehrke johannes@cs.cornell.edu http://www.cs.cornell.edu/johannes Introduction to DB Security Secrecy:Users should not be

More information

DATABASE MANAGEMENT SYSTEM

DATABASE MANAGEMENT SYSTEM REVIEW ARTICLE DATABASE MANAGEMENT SYSTEM Sweta Singh Assistant Professor, Faculty of Management Studies, BHU, Varanasi, India E-mail: sweta.v.singh27@gmail.com ABSTRACT Today, more than at any previous

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

Oracle Database Security. Nathan Aaron ICTN 4040 Spring 2006

Oracle Database Security. Nathan Aaron ICTN 4040 Spring 2006 Oracle Database Security Nathan Aaron ICTN 4040 Spring 2006 Introduction It is important to understand the concepts of a database before one can grasp database security. A generic database definition is

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

1 File Processing Systems

1 File Processing Systems COMP 378 Database Systems Notes for Chapter 1 of Database System Concepts Introduction A database management system (DBMS) is a collection of data and an integrated set of programs that access that data.

More information

Top Ten Security and Privacy Challenges for Big Data and Smartgrids. Arnab Roy Fujitsu Laboratories of America

Top Ten Security and Privacy Challenges for Big Data and Smartgrids. Arnab Roy Fujitsu Laboratories of America 1 Top Ten Security and Privacy Challenges for Big Data and Smartgrids Arnab Roy Fujitsu Laboratories of America 2 User Roles and Security Concerns [SKCP11] Users and Security Concerns [SKCP10] Utilities:

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

INFORMATION TECHNOLOGY CONTROLS

INFORMATION TECHNOLOGY CONTROLS CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,

More information

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services 1. Computer Security: An Introduction Definitions Security threats and analysis Types of security controls Security services Mar 2012 ICS413 network security 1 1.1 Definitions A computer security system

More information

Application Intrusion Detection

Application Intrusion Detection Application Intrusion Detection Drew Miller Black Hat Consulting Application Intrusion Detection Introduction Mitigating Exposures Monitoring Exposures Response Times Proactive Risk Analysis Summary Introduction

More information

DATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS

DATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS DATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS Manying Qiu, Virginia State University, mqiu@vsu.edu Steve Davis, Clemson University, davis@clemson.edu ABSTRACT People considering improvements in database

More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

SP 800-130 A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter

SP 800-130 A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter SP 800-130 A Framework for Designing Cryptographic Key Management Systems 5/25/2012 Lunch and Learn Scott Shorter Topics Follows the Sections of SP 800-130 draft 2: Introduction Framework Basics Goals

More information

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Privacy Impact Assessment for the Volunteer/Contractor Information System

Privacy Impact Assessment for the Volunteer/Contractor Information System Federal Bureau of Prisons Privacy Impact Assessment for the Volunteer/Contractor Information System Issued by: Sonya D. Thompson Deputy Assistant Director/CIO Reviewed by: Approved by: Vance E. Hitch,

More information

The Classical Architecture. Storage 1 / 36

The Classical Architecture. Storage 1 / 36 1 / 36 The Problem Application Data? Filesystem Logical Drive Physical Drive 2 / 36 Requirements There are different classes of requirements: Data Independence application is shielded from physical storage

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Software Requirements Specification. Schlumberger Scheduling Assistant. for. Version 0.2. Prepared by Design Team A. Rice University COMP410/539

Software Requirements Specification. Schlumberger Scheduling Assistant. for. Version 0.2. Prepared by Design Team A. Rice University COMP410/539 Software Requirements Specification for Schlumberger Scheduling Assistant Page 1 Software Requirements Specification for Schlumberger Scheduling Assistant Version 0.2 Prepared by Design Team A Rice University

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Third Edition by William Stallings Lecture slides by Shinu Mathew John http://shinu.info/ Chapter 1 Introduction http://shinu.info/ 2 Background Information Security requirements

More information

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING 6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information

More information

General IT Controls Audit Program

General IT Controls Audit Program Contributed February 5, 2002 by Paul P Shotter General IT Controls Audit Program Purpose / Scope Perform a General Controls review of Information Technology (IT). The reviews

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT Chandramohan Muniraman, University of Houston-Victoria, chandram@houston.rr.com Meledath Damodaran, University of Houston-Victoria, damodaranm@uhv.edu

More information

Library Systems Security: On Premises & Off Premises

Library Systems Security: On Premises & Off Premises Library Systems Security: On Premises & Off Premises Guoying (Grace) Liu University of Windsor Leddy Library Huoxin (Michael) Zheng Castlebreck Inc. CLA 2015 Annual Conference, Ottawa, June 5, 2015 Information

More information

MULTILATERAL SECURITY. Based on chapter 9 of Security Engineering by Ross Anderson

MULTILATERAL SECURITY. Based on chapter 9 of Security Engineering by Ross Anderson MULTILATERAL SECURITY Based on chapter 9 of Security Engineering by Ross Anderson עומר פפרו Paparo Presenter: Omer Outline Introduction Motivation Data flow models Compartmentation and the lattice model

More information

Risk Assessment Guide

Risk Assessment Guide KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment

More information

Building Scalable Applications Using Microsoft Technologies

Building Scalable Applications Using Microsoft Technologies Building Scalable Applications Using Microsoft Technologies Padma Krishnan Senior Manager Introduction CIOs lay great emphasis on application scalability and performance and rightly so. As business grows,

More information

Methods to increase search performance for encrypted databases

Methods to increase search performance for encrypted databases Available online at www.sciencedirect.com Procedia Economics and Finance 3 ( 2012 ) 1063 1068 Emerging Markets Queries in Finance and Business Methods to increase search performance for encrypted databases

More information

IY2760/CS3760: Part 6. IY2760: Part 6

IY2760/CS3760: Part 6. IY2760: Part 6 IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of

More information

Network Security: From Firewalls to Internet Critters Some Issues for Discussion

Network Security: From Firewalls to Internet Critters Some Issues for Discussion Network Security: From Firewalls to Internet Critters Some Issues for Discussion Slide 1 Presentation Contents!Firewalls!Viruses!Worms and Trojan Horses!Securing Information Servers Slide 2 Section 1:

More information

Wireless Security and Health Care Information Systems

Wireless Security and Health Care Information Systems Wireless Security and Health Care Information Systems Vladimir Oleshchuk Faculty of Engineering and Science Agder University College Grimstad, Norway WIM meeting Vilnius 12-13 December 2003 1 Outline Wireless

More information

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 1 September 2, 2015 CPSC 467, Lecture 1 1/13 Protecting Information Information security Security principles Crypto as a security

More information

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft) 1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

IOM Data Privacy and Accuracy Policy

IOM Data Privacy and Accuracy Policy IOM Data Privacy and Accuracy Policy 1 Overview 2 Collection of information 2.1 Anonymous browsing 2.2 Candidate profile and application to vacancies 2.3 Accuracy of information 3 Use of information collected

More information

Database security issues PETRA BILIĆ ALEXANDER SPARBER

Database security issues PETRA BILIĆ ALEXANDER SPARBER Database security issues PETRA BILIĆ ALEXANDER SPARBER Introduction Database security is one aspect of computer security It uses different information security controls to protect databases Information

More information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc. Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim

More information

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know Whitepaper Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know Phone (0) 161 914 7798 www.distology.com info@distology.com detecting the unknown Integrity

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information