SE571 Security in Computing
Chap 6: Database and Data Mining Security
SE571 Security in Computing, Dr. Ogara
This Chapter Examines…
• Integrity for databases: record integrity, data correctness, update integrity
• Security for databases: access control, inference, and aggregation
• Multilevel secure databases: partitioned, cryptographically sealed, and filtered
• Security in data mining applications
Research… Top 10 Database Security Threats (Shulman, CTO Imperva, Inc.)
• Excessive privilege abuse
• Legitimate privilege abuse
• Privilege elevation
• Database platform vulnerabilities
• SQL injection
• Weak audit trail
• Denial of service (DoS)
• Database communication protocol vulnerabilities
• Weak authentication
• Backup data exposure
Research… Major Database Security Threats (Sybase Users Group, 2010)
• Human error (56%)
• Malicious insiders abusing privileges (24%)
Research… Database Auditing and Real-Time Protection Report (Forrester Report, 2007)
• DBAs spend approx. 5% of their time on database security
• 80% of organizations do not have a database security plan that addresses critical threats
• 20% of enterprises employ advanced security measures
• Environmental complexity: cloud computing, grids, SOA, etc.
• 60% of enterprises are behind in database security patches, making databases highly vulnerable
• 75% of attacks are internal and often difficult to detect
Research… Top Security Tips to Ensure Database Security (Application Security, Inc., 2007)
• Devise a database security plan
• Fix default, blank, and weak passwords
• Regularly patch databases
• Minimize the attack surface
• Review user privileges
• Locate sensitive information
• Encrypt sensitive data at rest or in motion
• Train on and enforce corporate best practices
Three Pillars of Database Security (Forrester Research, Inc., 2010)
Database and Data Mining Security
Database
• Collection of data and a set of rules that organize the data by specifying certain relationships among the data
Database administrator
• Person who defines the rules that organize the data
• Controls access to data
Database Management System (DBMS)
• Program that allows users to interact with the database
Database and Data Mining Security
Components of a database
• Records
• Fields
• Schema: logical structure of the database
• Queries: commands used in the DBMS to retrieve, modify, add, or delete records in a database
Database and Data Mining Security
Advantages of a database
• Shared access
• Minimal redundancy
• Data consistency
• Data integrity
• Controlled access
Database and Data Mining Security
Security requirements of a database
• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability
Database Security Requirements
Integrity
• How? Field checks (appropriateness of values), access control (who has access to what), change log (what changes have been made)
Auditability
• Establish an audit record of all access
Access control
• Establish who has access to which data
• Specify privileges to read, change, delete, or append records or fields
User authentication
• Supplement OS authentication, e.g. password and time-of-day check
Database Reliability and Integrity
Database integrity
• Concern: disk failure, corruption of the master database index
• Solution: OS integrity controls and recovery procedures
Element integrity
• Concern: is data changed or written by authorized users only?
• Solution: access control
Database Reliability and Integrity
Element accuracy
• Concern: are correct values written into elements of the database?
• Solution: constraint conditions to detect incorrect values
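The field checks and change log from the Integrity slide, and the constraint conditions for element accuracy above, as one added example (not from the lecture): a constructed SQLite schema whose CHECK constraints reject out-of-range values and whose trigger records every accepted salary change. Table, column and threshold values are assumptions for illustration.

```python
import sqlite3
# Constructed schema for this example (not from the lecture): CHECK constraints
# are the field checks that reject inappropriate values, and a trigger writes
# the change log so that no caller can bypass it.
SCHEMA = """
CREATE TABLE employee (
    id     INTEGER PRIMARY KEY,
    name   TEXT    NOT NULL,
    dept   TEXT    NOT NULL CHECK (dept IN ('ENG', 'HR', 'FIN')),
    salary INTEGER NOT NULL CHECK (salary > 0 AND salary <= 500000)
);
CREATE TABLE change_log (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    emp_id INTEGER, old_salary INTEGER, new_salary INTEGER,
    changed_at TEXT DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER log_salary AFTER UPDATE OF salary ON employee
BEGIN
    INSERT INTO change_log (emp_id, old_salary, new_salary)
    VALUES (OLD.id, OLD.salary, NEW.salary);
END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _run(conn, sql, params):
    """Run one statement; True if accepted, False if a constraint rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def insert_employee(conn, emp_id, name, dept, salary):
    return _run(conn, "INSERT INTO employee VALUES (?, ?, ?, ?)",
                (emp_id, name, dept, salary))

def update_salary(conn, emp_id, new_salary):
    # A value outside the constraint is refused, so the trigger never logs it.
    return _run(conn, "UPDATE employee SET salary = ? WHERE id = ?",
                (new_salary, emp_id))

def change_log(conn):
    """Audit trail of accepted salary changes as (emp_id, old, new) tuples."""
    return conn.execute("SELECT emp_id, old_salary, new_salary "
                        "FROM change_log ORDER BY seq").fetchall()
```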
Sensitive Data
Inherently sensitive
• The value itself reveals sensitivity, e.g. location of defensive missiles
From a sensitive source
• The source may suggest confidentiality, e.g. an informer's identity
Declared sensitive
• The database administrator declares them sensitive
Part of a sensitive attribute or record
• An attribute may be sensitive, e.g. salary
In relation to previously disclosed information
• Sensitive in the presence of other data
Access Decisions
The database administrator determines who gets access to what. Access decisions are based on three factors:
• Availability of data: block access during updates
• Acceptability of access: release sensitive information to authorized users only
• Assurance of authenticity: allow access during certain times/working hours
Types of Disclosures
Exact data
• Most serious disclosure
• User is aware of the sensitive data
Bounds
• Disclose that a sensitive value lies between two values, L and H
Negative result
• Disclosing that a value is not 0, e.g. number of felonies
Types of Disclosures
Existence
• Knowing that certain data exists
Probable value
• Possibility of determining the probability that a certain element has a certain value
Inference
Ways of deriving sensitive data values from the database
• Direct attack: uses queries to seek values directly, e.g. List NAME where SEX=M ^ DRUGS=1
• Indirect attack: infer the final result from one or more statistical results
Controlling Inference
Suppress obviously sensitive information
• May be used to limit queries accepted / data provided
Track what the user knows
• May be used to limit queries accepted / data provided
• Costly: information on all users must be obtained
Disguise the data
• Applicable to released data only
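The indirect attack from the Inference slide and the "limit queries accepted" control above, as one added example (not from the lecture): a constructed statistical database of salaries, an unrestricted SUM interface that lets two aggregates be subtracted to isolate one person, and a query-set-size control that suppresses both the too-small and the too-large query sets. Record values and the threshold k are assumptions.

```python
# Constructed statistical database for this example (not from the lecture):
# individual salaries are sensitive; only aggregates are meant to be released.
RECORDS = [
    {"name": "A", "dept": "ENG", "salary": 90_000},
    {"name": "B", "dept": "ENG", "salary": 95_000},
    {"name": "C", "dept": "ENG", "salary": 85_000},
    {"name": "D", "dept": "HR",  "salary": 60_000},
    {"name": "E", "dept": "HR",  "salary": 65_000},
    {"name": "F", "dept": "FIN", "salary": 120_000},
]

def unrestricted_sum(records, predicate):
    """Statistical interface with no inference control."""
    return sum(r["salary"] for r in records if predicate(r))

def restricted_sum(records, predicate, k=2):
    """Query-set-size control: suppress any result whose query set is smaller
    than k or larger than N - k. The upper bound is needed because the
    complement of a large set is a small set: SUM(all) - SUM(all but one)
    would otherwise reveal the excluded individual exactly."""
    matched = [r for r in records if predicate(r)]
    if len(matched) < k or len(matched) > len(records) - k:
        return None  # suppressed
    return sum(r["salary"] for r in matched)

def infer_single_salary(query, name="F"):
    """The indirect attack from the slide: combine two legitimate-looking
    aggregates to isolate one record. Returns the inferred salary, or None
    when the interface suppressed one of the two results."""
    total = query(RECORDS, lambda r: True)
    rest = query(RECORDS, lambda r: r["name"] != name)
    if total is None or rest is None:
        return None
    return total - rest
```

Query-set-size control on its own is known to be defeatable by tracker queries built from several individually allowed aggregates, which is why the slide also lists tracking what the user knows as a (costly) control.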
Multilevel Databases
The Case for Differentiated Security
• The security of a single element may be different from the security of other elements of the same record
• Two levels: sensitive and non-sensitive
• The security of an aggregate (a sum, a count, or a group of values in a database) may differ from the security of the individual elements
Multilevel Databases
Multilevel Databases
Granularity
• How do we associate a sensitivity level with each value of a database?
• Access control policy: which users have access to what data?
• Guarantee: an unauthorized person does not change data
Multilevel Secure Databases
• Must provide both integrity and confidentiality
• Separation can be implemented physically, logically, or cryptographically
Proposal for Multilevel Security
Separation
• Partitioning: divide the database into separate databases, each with its own level of sensitivity
• Encryption: encrypt the data
• Integrity lock: to limit access
Entrust the database manager with a trusted procedure
• Sensitivity lock: combination of a unique identifier (e.g. record number) and a sensitivity level
Five Approaches to Confidentiality in Multilevel Database Security
Integrity lock
• Actual data
• Sensitivity level: sensitivity of the data
• Error-detecting code: checksum
Trusted front end
• Serves as a one-way filter: removes results not needed by users
Cumulative filters
• Filter reformats the query to allow the database manager to screen out unacceptable records
• Provides a second screening to select the data to which the user has access
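The sensitivity lock from the previous slide and the integrity lock above (data + sensitivity level + error-detecting code), as one added example (not from the lecture): the checksum is computed over record identifier, field, value and label together, so altering the value, relabelling the element or moving it to another record is detected before a trusted front end releases anything. HMAC-SHA256 is my stand-in for the lecture's unspecified checksum; the key, level names and record values are constructed.

```python
import hashlib
import hmac
import json

# Assumed for this example: a key held only by the trusted front end /
# database manager (constructed value; not from the lecture).
LOCK_KEY = b"example-integrity-lock-key"
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

def _checksum(record_id, field, value, level):
    # The error-detecting code covers the record identifier (the sensitivity
    # lock's unique id), field name, value AND sensitivity label, so a locked
    # element cannot be moved, altered or relabelled to a lower level undetected.
    # HMAC-SHA256 stands in for the lecture's unspecified checksum: an unkeyed
    # checksum could simply be recomputed by whoever can write the database.
    msg = json.dumps([record_id, field, value, level], separators=(",", ":"))
    return hmac.new(LOCK_KEY, msg.encode(), hashlib.sha256).hexdigest()

def make_lock(record_id, field, value, level):
    """Integrity lock as stored in the untrusted DBMS: data, label, checksum."""
    return {"value": value, "level": level,
            "check": _checksum(record_id, field, value, level)}

def verify_lock(record_id, field, locked):
    expected = _checksum(record_id, field, locked["value"], locked["level"])
    return hmac.compare_digest(expected, locked["check"])

def read_element(record_id, field, locked, clearance):
    """Trusted front end: release the value only if the lock verifies and the
    user's clearance dominates the element's sensitivity level."""
    if not verify_lock(record_id, field, locked):
        return None  # value, label or checksum was altered
    if LEVELS[clearance] < LEVELS[locked["level"]]:
        return None  # user not cleared for this element
    return locked["value"]
```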
Design for Secure Multilevel Security
Distributed databases
• Trusted front end controls access to all low-sensitivity data and all high-sensitivity data
• If the user is cleared for high-sensitivity data, the front end submits queries to both the high- and low-sensitivity databases
• If the user is not cleared for high-sensitivity data, the front end submits a query to only the low-sensitivity database
Design for Secure Multilevel Security
Window/view
• The DBMS creates a picture of the data reflecting only what the user needs to see (different views)
• A window is a subset of a database, containing exactly the information that a user is entitled to access
• The subset guarantees that the user does not access values outside the permitted ones
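The distributed-database routing from the previous slide and the window/view above, as one added example (not from the lecture): two physically separate SQLite partitions, a trusted front end that sends the query to the high-sensitivity partition only for cleared users, and a view that is the window for users without a need to see salary. Partition contents, the clearance values and the role names are constructed.

```python
import sqlite3

def make_partition(rows):
    """One physically separate database per sensitivity level (constructed
    data for this example, not from the lecture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personnel (id INTEGER, name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO personnel VALUES (?, ?, ?, ?)", rows)
    # The window: a view holding exactly the columns a non-payroll user may see.
    conn.execute("CREATE VIEW personnel_window AS SELECT id, name, dept FROM personnel")
    return conn

LOW = make_partition([(1, "Alice", "ENG", 90000), (2, "Bob", "HR", 60000)])
HIGH = make_partition([(3, "Carol", "OPS", 150000)])

def front_end_query(dept, clearance, role="staff"):
    """Trusted front end. The partition set depends on clearance and the
    relation on role; the user supplies neither, so an uncleared user's query
    never reaches the high partition and a non-payroll user cannot name salary."""
    relation = "personnel" if role == "payroll" else "personnel_window"
    partitions = [LOW] + ([HIGH] if clearance == "high" else [])
    # relation is one of two fixed names chosen above, never user input
    sql = f"SELECT * FROM {relation} WHERE dept = ? ORDER BY id"
    rows = []
    for db in partitions:
        rows.extend(db.execute(sql, (dept,)).fetchall())
    return rows
```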
Data Mining
Data mining uses statistics, machine learning, mathematical models, pattern recognition, and other techniques to discover patterns and relations in large datasets
Security Problems with Data Mining
Confidentiality/Privacy and Sensitivity
• Difficult to maintain
• Inference across multiple databases is a threat to confidentiality
Data Correctness and Integrity
• Data owned and controlled by one party
• Mining of different databases from different users
• Correcting mistakes in data: have data in one place
• Using comparable data
• Eliminating false matches
Availability of Data
• Missing data may lead to incorrect data mining results