BM482E Introduction to Computer Security
Lecture 7: Database and Operating System Security
Mehmet Demirci

Summary of Lecture 6: User Authentication
- Passwords
- Password storage
- Password selection
- Token-based authentication
- Biometrics
- Biometric accuracy
- Attacks
- Remote user authentication
- Challenge-response protocol

Summary of Lecture 6: Access Control
- Authorization
- Object, subject, access right
- DAC, MAC, RBAC
- Access matrix, access control lists & capability lists, authorization table
- RBAC hierarchies & constraints

Today
- Database Security
- Operating System Security

Database Security is Hard
- Databases hold important data.
- DBMS are complex.
- SQL is complex.
- Most organizations lack security personnel.
- Most organizations use a mixture of different DB and OS platforms.
- Much of the DB is on the Cloud.

Database Security: Defense in Depth
Layers:
- Firewalls
- Authentication
- General access control
- DB access control
- Encryption

Database Access Control
- Access rights can be to the entire DB, individual tables, or certain rows or columns.
- Administration may be
  - centralized: Only some users (such as DBAs) may grant (give) and revoke (take back) access rights to other users.
  - ownership-based: Table owners may grant and revoke access rights.
  - decentralized: Table owners may grant and revoke administration rights, which allow other users to grant and revoke access rights.

Database Access Control
Role-based access control in databases
- Roles make it easier to manage privileges in databases.
- Roles improve security by ensuring that users receive only the privileges they need.
- DB admin, application owner, other user, etc.

Database Access Control using SQL
General syntax

    GRANT  { privileges | role }
    [ON    object]
    TO     { user | role | PUBLIC }
    [WITH  GRANT OPTION]

    REVOKE { privileges | role }
    [ON    object]
    FROM   { user | role | PUBLIC }

Database Access Control using SQL
Granting privileges to a user

    GRANT create table, create view
    TO    user1;

Granting privileges to a role and granting a role to a user

    CREATE ROLE engineer;
    GRANT  create table, create view
    TO     engineer;
    GRANT  engineer TO user1;

Database Access Control using SQL
Granting object privileges

    GRANT select, insert
    ON    employees
    TO    user1
    WITH  GRANT OPTION;

    GRANT update (department_name)
    ON    departments
    TO    manager;

Database Security Issue: Inference
- Deducing unauthorized information from authorized queries.
- This can be a problem when individual values are not sensitive, but their combination is sensitive.
- Example:

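An added example, not taken from the lecture slides: two views over a constructed employees table, each harmless on its own, are joined on their shared columns to list which name-to-salary pairings become inferable, and the same audit is repeated after narrowing the shared columns. The table, view names, function name and data are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; the sensitive fact is the (name, salary) pairing.
ROWS = [
    ("Andy",   "senior", "strip", 43000),
    ("Calvin", "junior", "strip", 35000),
    ("Cathy",  "senior", "panel", 48000),
    ("Dennis", "junior", "panel", 38000),
    ("Herman", "junior", "panel", 36000),
]

def inferable(pay_keys):
    """Return the (name, salary) pairs that are uniquely determined by
    joining the two authorized views on the columns in pay_keys."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (name, position, department, salary)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", ROWS)

    # View 1: who works where. No salary column.
    db.execute("CREATE VIEW roster AS "
               "SELECT name, position, department FROM employees")
    # View 2: salaries by job attributes. No name column.
    # pay_keys is a fixed tuple of column names chosen by the view designer.
    cols = ", ".join(pay_keys)
    db.execute(f"CREATE VIEW pay AS SELECT {cols}, salary FROM employees")

    # Audit: join the views on every column they share. A name that matches
    # exactly one distinct salary has had its salary disclosed by inference.
    on = " AND ".join(f"r.{c} = p.{c}" for c in pay_keys)
    rows = db.execute(
        f"SELECT r.name, MIN(p.salary) FROM roster r JOIN pay p ON {on} "
        "GROUP BY r.name HAVING COUNT(DISTINCT p.salary) = 1 "
        "ORDER BY r.name").fetchall()
    db.close()
    return rows

if __name__ == "__main__":
    # Sharing position AND department leaves some groups with one member.
    print("leaks:", inferable(("position", "department")))
    # Sharing only position: every name now maps to several salaries.
    print("leaks:", inferable(("position",)))
```

Running the same audit against real view definitions before granting access shows whether any combination of authorized views narrows a sensitive value down to a single individual.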
Today
- Database Security
- Operating System Security

Operating System Security
There are different layers in a system.
- Physical Hardware
- Operating System Kernel
- User Applications and Utilities
All of these must be secured.

Operating System Security
A 2009 report says that 70% of cyber intrusions can be prevented by taking the following four measures:
- Patch OS and applications using auto-update
- Patch third-party applications
- Restrict admin privileges to users who need them
- White-list approved applications

OS Security: Planning
It is hard and expensive to add security to a system later. So, security must be built into system design by determining the
- Purpose and security requirements of the system, applications and data
- Categories of users and their privileges
- Authentication mechanisms
- Administrative duties

OS Security: Basic Steps
- Install and patch
- Harden and configure
  - Remove unnecessary services and apps
  - Configure users, groups, permissions and resource controls
- Install and configure additional controls
  - Anti-virus, firewalls, IDS etc.
- Test

OS Security: Basic Steps
Installation and patching
- Be careful about the source of OS software and patches.
- Do not enable full Internet connection until patching is complete.
- Install the minimum necessary, add things later if needed.
- Secure the boot process.
- Verify the source and integrity of device drivers.

OS Security: Basic Steps
Hardening and configuration
- Minimize the number of services and applications.
- Tradeoff: Usability vs. Security
- Restrict privileges to users who require them.
- Configure password requirements.

OS Security: Basic Steps
Additional controls
- Anti-virus software
- Firewalls
- Intrusion detection / prevention systems
- White-list: Limit programs to an explicit list of allowed programs.

OS Security: Basic Steps
Testing
- Check for basic security requirements and vulnerabilities.
- Do after initial configuration and repeat periodically.

OS Security: Maintenance
- Monitor and analyze
- Perform backups
- Test regularly
- Patch and update all critical software
- Recover from compromises

Example: Windows Security
- Windows Update service for maintenance
- Users and groups have Security IDs (SID).
- Discretionary access control on objects using ACLs
- Integrity controls using Biba Integrity Model
- Support for encryption via EFS (default algorithm: AES)
- Most of the configuration is done through the Registry.
- Lots of additional controls are needed.

Summary
- Database Security
  - Challenges
  - Defense in Depth
  - Database Access Control
  - Inference
- Operating System Security
  - Challenges
  - Defense in Depth

Next Lecture
- Malware
- Software Security