3. What Is Database Security?
Database
It is a collection of information stored in a computer.
Security
It is being free from danger.
Database Security
It is the mechanisms that protect the database
against intentional or accidental threats.
5. Secrecy
It is protecting the database from unauthorized users.
Ensures that users are allowed to do the things they are
trying to do.
For examples,
The employees should not
see the salaries of their managers.
6. Only authorized users should be allowed to modify
data.
Ensures that what users are trying to do is correct.
For examples,
An employee should be able to modify his or her
own information.
Integrity
7. Authorized users should be able to access data at any
time they need for Legal purposes as necessary
For examples,
Payment orders regarding taxes should be made on
time by the tax law.
Availability
8. Threat
Threat is any intentional or accidental event that may adversely
affect the system.
Examples of threats:
- Using another person’s log-in name to access data.
- Unauthorized copying data.
- Program/Data alteration.
- Illegal entry by hacker
- Viruses
9. Kinds of Threat
1. Non-fraudulent Threat
Natural or accidental disasters.
Errors or bugs in hardware or software.
Human errors.
2. fraudulent Threat
Exploitation of Vulnerable .
Input Injection (Formerly SQL Injection) .
10. Input Injection (Formerly SQL Injection)
SQL injection is a technique where malicious users can inject SQL commands into
an SQL statement, via web page input.
Injected SQL commands can alter SQL statement and compromise the security of a
web application.
11. There are two major types of database injection attacks :
1) SQL Injection that targets traditional database systems .
2) NoSQL (stands for not only SQL( Injection that targets Big Data platforms.
SQL Injection attacks usually involve inserting (or “injecting”) unauthorized or
malicious statements into the input fields of web applications. On the other hand,
NoSQL injection attacks involve inserting malicious statements into Big Data
components .
In both types, a successful Input Injection attack can give an attacker unrestricted
access to an entire database.
13. How the Injection (Statements ) work?
the web application is literally asking the database server:
((do we have a user with the username 'Ahmed' and the password
'AAAA' registered in the system? ))
14. the Sql Syntax is broken and an error occurs.
This plays a key role in Sql injection
15. if an attacker is able to "smuggle " special character (which is
not filtered by web application)
It is possible to modify the Sql queries, their logic and hence
the application's behavior.
16. checking the web design if it pass special character to
database queries
17. What happen if we pass this command throw
the web application
18. What in fact happen inside the Database
The statement which always true 1=1
19. The attacker is successfully authenticated as the first
user from the top of the list (the first row) for ex:
21. Authorization
The granting of a privilege that enable a user to have legitimate access
to a system.
Authenticating
A system administrator is responsible for allowing users to have access
to the system by creating individual user accounts.
Backup & Recovery
Is the process of periodically taking a copy of the database and log file
onto offline storage media.
22. View
hiding parts of the database from certain users that provides a
powerful and flexible security mechanism.
Redundant Array of Independent Disks (RAID)
The hardware that the DBMS is running on must be fault-tolerant,
meaning that the DBMS should continue to operate even if one of the
hardware components fails.
Hinweis der Redaktion
التهديد هو اي حدث حصل متعمداً أو عرضا التي قد تؤثر سلبا على النظام.
- استبدال برنامج / البيانات
- الدخول غير المشروع من قبل القراصنة
- الفيروسات
نوعين من التهديدات
الغير مقصوده او غير المزوره((بصوره طبيعية او عن طريق حادث ,الفشل في هاردوير او سوفت وير , واخطاء بشريه))
والتهديدات المقصوده المزوره ((استغلال الثغرات ونقاط الضعف , او بواسطة الحقن )
الاول يستهدف الداتتا بيس نفسها
الثاني يستهدف البيانات التي ع الداتا بيس
اذا كان المخترق قادر ان يهرب بعض الرموز الخاصة
التي لم تحجب من تصميم الصفه اي ان تعبر خلال الويب دزاين ال
sql quires
Compiler of Sql appear in the attacker web browser
منح امتياز التي تمكن المستخدم من الوصول الشرعي للنظام.
إخفاء أجزاء من قاعدة البيانات من بعض المستخدمين أن يوفر آلية أمنية قوية ومرنة.
يجب أن يكون الجهاز الذي نظم إدارة قواعد البيانات يعمل على قبول نسبة الخطىء ، وهذا يعني أن نظم إدارة قواعد البيانات ينبغي أن تستمر في العمل حتى لو فشل أحد مكونات الأجهزة.