BM482E Introduction to Computer Security




Lecture 7: Database and Operating System Security
Mehmet Demirci

Summary of Lecture 6: User Authentication
- Passwords
- Password storage
- Password selection
- Token-based authentication
- Biometrics
- Biometric accuracy
- Attacks
- Remote user authentication
- Challenge-response protocol

Summary of Lecture 6: Access Control
- Authorization
- Object, subject, access right
- DAC, MAC, RBAC
- Access matrix, access control lists & capability lists, authorization table
- RBAC hierarchies & constraints

Today
- Database Security
- Operating System Security

Database Security is Hard
- Databases hold important data.
- DBMSs are complex.
- SQL is complex.
- Most organizations lack security personnel.
- Most organizations use a mixture of different DB and OS platforms.
- Much of the DB is on the Cloud.

Database Security: Defense in Depth
Layers:
- Firewalls
- Authentication
- General access control
- DB access control
- Encryption

Database Access Control
- Access rights can be to the entire DB, individual tables, or certain rows or columns.
- Administration may be:
  - centralized: only some users (such as DBAs) may grant (give) and revoke (take back) access rights to other users.
  - ownership-based: table owners may grant and revoke access rights.
  - decentralized: table owners may grant and revoke administration rights, which allow other users to grant and revoke access rights.

Database Access Control: Role-based access control in databases
- Roles make it easier to manage privileges in databases.
- Roles improve security by ensuring that users receive only the privileges they need.
- Typical roles: DB admin, application owner, other user, etc.

Database Access Control using SQL
General syntax:

    GRANT { privileges | role }
        [ON object]
        TO { user | role | PUBLIC }
        [WITH GRANT OPTION]

    REVOKE { privileges | role }
        [ON object]
        FROM { user | role | PUBLIC }

Database Access Control using SQL
Granting privileges to a user:

    GRANT create table, create view TO user1;

Granting privileges to a role and granting a role to a user:

    CREATE ROLE engineer;
    GRANT create table, create view TO engineer;
    GRANT engineer TO user1;

Database Access Control using SQL
Granting object privileges:

    GRANT select, insert ON employees TO user1 WITH GRANT OPTION;
    GRANT update (department_name) ON departments TO manager;

Database Security Issue: Inference
- Deducing unauthorized information from authorized queries.
- This can be a problem when individual values are not sensitive, but their combination is sensitive.
- Example:
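An added illustration, not part of the lecture slides: a constructed employee table on which two authorized aggregate queries, neither of which names anyone, combine to reveal one person's salary, beside a query-set-size control (assumed threshold k = 2, the classic k <= |query set| <= n - k rule) that refuses the narrow query the inference depends on.

```python
# Added example (not from the lecture): inference through authorized aggregate
# queries, and a query-set-size control that blocks it.
from typing import Callable, List, Tuple

Row = Tuple[str, str, int]            # (name, department, salary)
Predicate = Callable[[Row], bool]

# Constructed sample table; individual salaries are the sensitive values.
EMPLOYEES: List[Row] = [
    ("alice", "eng", 120_000),
    ("bob", "eng", 95_000),
    ("carol", "eng", 105_000),
    ("dave", "ops", 80_000),
    ("erin", "ops", 70_000),
    ("frank", "legal", 150_000),      # the only employee in "legal"
]

MIN_QUERY_SET = 2   # assumed threshold k: a statistic needs >= k rows


class InferenceControlError(Exception):
    """Raised when a query would narrow the statistic to too few individuals."""


def unguarded_sum(where: Predicate) -> int:
    """SUM(salary) WHERE ... with no inference control at all."""
    return sum(row[2] for row in EMPLOYEES if where(row))


def guarded_sum(where: Predicate) -> int:
    """Same statistic, but enforce k <= |query set| <= n - k.
    The complement check matters: total minus a large subset isolates the rest.
    Note that this strict form also refuses the whole-table total."""
    selected = [row for row in EMPLOYEES if where(row)]
    k, n = len(selected), len(EMPLOYEES)
    if k < MIN_QUERY_SET or n - k < MIN_QUERY_SET:
        raise InferenceControlError(f"{k} of {n} rows violates the threshold")
    return sum(row[2] for row in selected)


def is_released(where: Predicate) -> bool:
    """True if the guarded query answers, False if the control blocks it."""
    try:
        guarded_sum(where)
        return True
    except InferenceControlError:
        return False


def inference_without_control() -> int:
    """Total payroll minus payroll of everyone outside 'legal' equals frank's
    salary, although neither query mentions frank or any single row."""
    total = unguarded_sum(lambda row: True)
    others = unguarded_sum(lambda row: row[1] != "legal")
    return total - others
```

Under the control, the per-department sum for "eng" (3 rows, complement 3) is still released, while the "everyone except legal" query (5 rows, complement 1) is refused, so the subtraction above can no longer be carried out.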

Today
- Database Security
- Operating System Security

Operating System Security
- There are different layers in a system:
  - Physical hardware
  - Operating system kernel
  - User applications and utilities
- All of these must be secured.

Operating System Security
- A 2009 report says that 70% of cyber intrusions can be prevented by taking the following four measures:
  1. Patch OS and applications using auto-update
  2. Patch third-party applications
  3. Restrict admin privileges to users who need them
  4. White-list approved applications

OS Security: Planning
- It is hard and expensive to add security to a system later.
- So, security must be built into the system design by determining:
  - the purpose and security requirements of the system, applications and data
  - categories of users and their privileges
  - authentication mechanisms
  - administrative duties

OS Security: Basic Steps
1. Install and patch
2. Harden and configure
   - Remove unnecessary services and apps
   - Configure users, groups, permissions and resource controls
3. Install and configure additional controls (anti-virus, firewalls, IDS, etc.)
4. Test

OS Security: Basic Steps (Installation and patching)
- Be careful about the source of OS software and patches.
- Do not enable full Internet connection until patching is complete.
- Install the minimum necessary; add things later if needed.
- Secure the boot process.
- Verify the source and integrity of device drivers.

OS Security: Basic Steps (Hardening and configuration)
- Minimize the number of services and applications.
  - Tradeoff: usability vs. security
- Restrict privileges to users who require them.
- Configure password requirements.

OS Security: Basic Steps (Additional controls)
- Anti-virus software
- Firewalls
- Intrusion detection / prevention systems
- White-list: limit programs to an explicit list of allowed programs.

OS Security: Basic Steps (Testing)
- Check for basic security requirements and vulnerabilities.
- Do this after initial configuration and repeat periodically.

OS Security: Maintenance
- Monitor and analyze
- Perform backups
- Test regularly
- Patch and update all critical software
- Recover from compromises

Example: Windows Security
- Windows Update service for maintenance
- Users and groups have Security IDs (SIDs).
- Discretionary access control on objects using ACLs
- Integrity controls using the Biba Integrity Model
- Support for encryption via EFS (default algorithm: AES)
- Most of the configuration is done through the Registry.
- Lots of additional controls are needed.

Summary
- Database Security
  - Challenges
  - Defense in Depth
  - Database Access Control
  - Inference
- Operating System Security
  - Challenges
  - Defense in Depth

Next Lecture
- Malware
- Software Security