SE571 Security in Computing Chap 6: Database and Data Mining Security

Upload: samuel-pearson

Post on 23-Dec-2015


Page 1: Chap 6: Database and Data Mining Security.  Integrity for databases: record integrity, data correctness, update integrity  Security for databases: access

SE571 Security in Computing

Chap 6: Database and Data Mining Security


SE571 Security in Computing, Dr. Ogara

This Chapter Examines…
• Integrity for databases: record integrity, data correctness, update integrity
• Security for databases: access control, inference, and aggregation
• Multilevel secure databases: partitioned, cryptographically sealed, and filtered
• Security in data mining applications


Research…
Top 10 Database Security Threats (Shulman, CTO Imperva, Inc)
• Excessive privilege abuse
• Legitimate privilege abuse
• Privilege elevation
• Database platform vulnerabilities
• SQL injection
• Weak audit trail
• Denial of service (DoS)
• Database communication protocol vulnerabilities
• Weak authentication
• Backup data exposure


Research…
Major Database Security Threats (Sybase Users Group, 2010)
• Human error (56%)
• Malicious insiders abusing privileges (24%)


Research…
Database auditing and real time protection report (Forrester Report, 2007)
• DBAs spending approx. 5% of their time on database security
• 80% of organizations do not have a database security plan that addresses critical threats
• 20% of enterprises employ advanced security measures
• Environmental complexity – cloud computing, grids, SOA, etc.
• 60% of enterprises are behind in database security patches, making databases highly vulnerable
• 75% of attacks are internal, often difficult to detect


Research…
Top Security Tips to Ensure Database Security (Application Security, Inc., 2007)
• Devise a database security plan
• Fix default, blank, and weak passwords
• Regularly patch databases
• Minimize attack surface
• Review user privileges
• Locate sensitive information
• Encrypt sensitive data at rest or in motion
• Train and enforce corporate best practices


Three Pillars of Database Security (Forrester Research, Inc., 2010)


Database and Data Mining Security
Database
• Collection of data and a set of rules that organize the data by specifying certain relationships among the data
Database administrator
• Person who defines the rules that organize the data
• Controls access to data
Database Management System (DBMS)
• Program that allows user to interact with database


Database and Data Mining Security

Components of a database
• Records
• Fields
• Schema – logical structure of database
• Queries – commands used in DBMS to retrieve, modify, add or delete records in a database


Database and Data Mining Security

Advantages of a database
• shared access
• minimal redundancy
• data consistency
• data integrity
• controlled access


Database and Data Mining Security

Security of a database (Requirements)
• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability


Database Security Requirements
Integrity
• How?
    • Field checks – appropriateness of values
    • Access control – who has access to what
    • Change log – what changes have been made
Auditability
• Establish audit record of all access
Access control
• Establish who has access to which data
• Specify privileges to read, change, delete, or append records or fields
User authentication
• Supplement OS authentication, e.g. password and time-of-day check


Database Reliability and Integrity
Database integrity
• Concern – disk failure, corruption of master database index
• Solution – OS integrity controls and recovery procedures
Element integrity
• Concern – Is data changed or written by authorized users only?
• Solution – access control


Database Reliability and Integrity

Element accuracy
• Concern – are correct values written into elements of the database?
• Solution – constraint conditions to detect incorrect values
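An added example, not part of the original slides: field checks (constraint conditions) and a change log, as named under the integrity requirements and element accuracy, expressed with SQLite through Python's `sqlite3` module. The `employee` table, its columns, the allowed ranges and the sample row are constructed for illustration.

```python
import sqlite3

def build_db():
    """Constructed payroll table with field checks and a change log."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employee (
            id     INTEGER PRIMARY KEY,
            name   TEXT NOT NULL,
            grade  TEXT NOT NULL CHECK (grade IN ('A', 'B', 'C')),
            salary INTEGER NOT NULL CHECK (salary BETWEEN 0 AND 500000)
        );
        CREATE TABLE change_log (
            seq        INTEGER PRIMARY KEY AUTOINCREMENT,
            emp_id     INTEGER NOT NULL,
            old_salary INTEGER,
            new_salary INTEGER,
            changed_at TEXT DEFAULT CURRENT_TIMESTAMP
        );
        -- Change log: every salary update leaves an old/new record
        CREATE TRIGGER log_salary AFTER UPDATE OF salary ON employee
        BEGIN
            INSERT INTO change_log (emp_id, old_salary, new_salary)
            VALUES (OLD.id, OLD.salary, NEW.salary);
        END;
        INSERT INTO employee VALUES (1, 'Adams', 'B', 52000);
    """)
    return db

def set_salary(db, emp_id, salary):
    """Apply an update; return False if a field check rejects the value."""
    try:
        with db:  # commit on success, roll back on error
            db.execute("UPDATE employee SET salary = ? WHERE id = ?",
                       (salary, emp_id))
        return True
    except sqlite3.IntegrityError:
        return False

def salary_history(db, emp_id):
    """Return the (old, new) salary pairs recorded for one employee."""
    rows = db.execute("SELECT old_salary, new_salary FROM change_log "
                      "WHERE emp_id = ? ORDER BY seq", (emp_id,))
    return rows.fetchall()
```

A rejected value never reaches the table or the log, so the change log records only updates that passed the field checks.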


Sensitive Data
Inherently sensitive
• Value reveals sensitivity, e.g. location of defensive missiles
From a sensitive source
• Source may suggest confidentiality, e.g. an informer's identity
Declared sensitive
• Database admin declares them sensitive
Part of a sensitive attribute or record
• An attribute may be sensitive, e.g. salary
In relation to previously disclosed information
• Sensitive in the presence of other data


Access Decisions
Database admin determines who gets access to what
Access decisions are based on three factors
• Availability of data
    • Block access during updates
• Acceptability of access
    • Release sensitive info to authorized users only
• Assurance of authenticity
    • Allow access during certain times/working hours


Types of Disclosures
Exact data
• Most serious disclosure
• User becomes aware of the sensitive data
Bounds
• Disclosing that sensitive data lies between two values, L and H
Negative result
• Disclosing that a value is not 0, e.g. # of felonies


Types of Disclosures
Existence
• Knowing that certain data exists
Probable value
• Possibility of determining the probability that a certain element has a certain value


Inference
Ways of deriving sensitive data values from the database
• Direct attack – uses queries to seek values directly, e.g. List NAME where SEX=M ^ DRUGS=1
• Indirect attack – infers the final result from one or more statistical results


Controlling Inference
Suppress obviously sensitive information
• May be used to limit queries accepted / data provided
Track what the user knows
• May be used to limit queries accepted / data provided
• Costly; information of all users must be obtained
Disguise the data
• Applicable to released data only
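An added example, not part of the original slides: a statistics-only front end that applies the first two controls, suppressing answers over very small query sets and tracking what each user has already been told. The `StatGate` class, the threshold `K` and the sample records are constructed; the NAME, SEX and DRUGS fields follow the slide's sample query.

```python
import sqlite3

K = 2  # assumed policy: no answer may isolate fewer than K individuals

# Constructed records; NAME, SEX and DRUGS follow the slide's sample query.
ROWS = [("Adams", "M", 1), ("Bailey", "M", 0), ("Chin", "F", 0),
        ("Dewitt", "M", 0), ("Earhart", "F", 1), ("Fein", "F", 1),
        ("Groff", "M", 3), ("Hill", "F", 0)]

class StatGate:
    """Hypothetical front end that answers COUNT queries only, never names."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE student (name TEXT, sex TEXT, drugs INTEGER)")
        self.db.executemany("INSERT INTO student VALUES (?, ?, ?)", ROWS)
        self.answered = {}  # user -> query sets already released to that user

    def _query_set(self, sex, drugs):
        sql, args = "SELECT rowid FROM student WHERE 1=1", []
        if sex is not None:
            sql, args = sql + " AND sex = ?", args + [sex]
        if drugs is not None:
            sql, args = sql + " AND drugs = ?", args + [drugs]
        return frozenset(r[0] for r in self.db.execute(sql, args))

    def count(self, user, sex=None, drugs=None):
        """Return the count, or None when the answer is suppressed."""
        qs = self._query_set(sex, drugs)
        if len(qs) < K:            # direct: too few records described
            return None
        for prev in self.answered.get(user, []):
            diff = qs ^ prev       # records told apart by comparing answers
            if 0 < len(diff) < K:  # indirect: difference isolates someone
                return None
        self.answered.setdefault(user, []).append(qs)
        return len(qs)
```

The history is kept per user, so a second user asking the complementary query is still answered; this is the cost the slide notes, since the control only holds if what all users know is tracked.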


Multilevel Databases
The Case for Differentiated Security
• The security of a single element may be different from the security of other elements of the same record
• Two levels—sensitive and non-sensitive
• The security of an aggregate—a sum, a count, or a group of values in a database—may differ from the security of the individual elements


Multilevel Databases


Multilevel Databases
Granularity
• How do we associate a sensitivity level with each value of a database?
    • Access control policy – which users have access to what data?
    • Guarantee – an unauthorized person does not change data


Multilevel Secure Databases

Must provide both Integrity and Confidentiality

Separation can be implemented physically, logically, or cryptographically


Proposal for Multilevel Security

Separation
• Partitioning – divide database into separate databases with their own level of sensitivity
• Encryption – encrypt data
• Integrity lock – to limit access
    • Entrust database manager with trusted procedure
• Sensitivity lock – combination of unique identifier (e.g. record number) and sensitivity level


Five Approaches to Confidentiality Multilevel Database Security

Integrity lock
• Actual data
• Sensitivity level – sensitivity of data
• Error detecting code – checksum
Trusted front end
• Serves as one-way filter – removes results not needed by users
Cumulative filters
• Filter reformats query to allow database manager to screen out unacceptable records
• Provides second screening to select data to which user has access
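An added example, not part of the original slides: an integrity lock built from the three parts listed above (data, sensitivity level, checksum), with the record number and field name bound into the checksum as in the sensitivity lock. Using HMAC-SHA-256 as the checksum is an assumption of this sketch, as are the key, the level names and the function names.

```python
import hashlib
import hmac

# Constructed demo key; a trusted front end would hold it outside the DBMS.
KEY = b"constructed-demo-key"

LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # assumed ordering

def _mac(record_id, field, value, level, key):
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (str(record_id).encode(), field.encode(),
             value.encode(), level.encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(record_id, field, value, level, key=KEY):
    """Return the stored element: data, sensitivity level and checksum."""
    return {"value": value, "level": level,
            "checksum": _mac(record_id, field, value, level, key)}

def verify(record_id, field, element, key=KEY):
    """True only if value, level and position are the ones that were sealed."""
    expected = _mac(record_id, field, element["value"], element["level"], key)
    return hmac.compare_digest(expected, element["checksum"])

def read(record_id, field, element, clearance):
    """Trusted-procedure read: check the lock first, then apply the level."""
    if not verify(record_id, field, element):
        raise ValueError("integrity lock check failed")
    if LEVELS[clearance] < LEVELS[element["level"]]:
        return None  # caller is not cleared for this element
    return element["value"]
```

Because the record number and field name are part of the checksum, an element copied to another record or relabelled with a lower level fails verification even though its data is unchanged.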


Design for Secure Multilevel Security

Distributed databases
• Trusted front end controls access to all low-sensitivity data and all high-sensitivity data
• If user is cleared for high-sensitivity data, the front end submits queries to both the high- and low-sensitivity databases
• If user is not cleared for high-sensitivity data, the front end submits a query to only the low-sensitivity database
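An added example, not part of the original slides: the distributed-database design above, with a front end that routes one query to the partitions a user is cleared for and merges the results. The two in-memory databases, the `asset` table, the user names and the clearance list are constructed for illustration.

```python
import sqlite3

def _make(rows):
    """Build one partition holding data of a single sensitivity level."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE asset (name TEXT, location TEXT)")
    db.executemany("INSERT INTO asset VALUES (?, ?)", rows)
    return db

# Constructed partitions, one database per sensitivity level.
LOW_DB = _make([("warehouse", "Dock 4"), ("office", "Main St")])
HIGH_DB = _make([("key vault", "Room 12")])

CLEARED_FOR_HIGH = {"alice"}  # hypothetical clearance list held by the front end

def front_end_query(user, name_prefix):
    """Return (rows, partitions contacted) for one user's query."""
    sql = "SELECT name, location FROM asset WHERE name LIKE ? ORDER BY name"
    arg = (name_prefix + "%",)
    targets = [("low", LOW_DB)]
    if user in CLEARED_FOR_HIGH:
        # Only a cleared user's query is ever submitted to the high partition.
        targets.append(("high", HIGH_DB))
    rows = []
    for level, db in targets:
        rows += [(level, name, loc) for name, loc in db.execute(sql, arg)]
    return rows, [level for level, _ in targets]
```

The second return value shows the property that matters: for an uncleared user the high-sensitivity database is never queried, rather than being queried and filtered afterwards.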


Design for Secure Multilevel Security

Window/view
• DBMS creates picture of the data reflecting only what the user needs to see/different views

• A window is a subset of a database, containing exactly the information that a user is entitled to access

• Subset guarantees that the user does not access values outside the permitted ones


Data Mining
Data mining uses statistics, machine learning, mathematical models, pattern recognition, and other techniques to discover patterns and relations on large datasets


Security Problems with Data Mining

Confidentiality/Privacy and Sensitivity
• Difficult to maintain
• Inference across multiple databases is a threat to confidentiality
Data Correctness and Integrity
• Data owned and controlled by one party
• Mining of different databases from different users
• Correcting Mistakes in Data – have data in one place
• Using Comparable Data
• Eliminating False Matches
Availability of Data
• Missing data may lead to incorrect data mining results