Security has always been an important aspect of database management, but some of the ground rules for how a database management system needs to think about security have changed. In the not so distant past, companies locked most databases behind closed doors and allowed little access from outside the corporate walls; security practices addressed threats from internal users and accidental misuse. Most companies now have mission-critical databases that are exposed on the public Internet or on intranets. This exposure creates new sets of security vulnerabilities that DBAs were not considering in the past.

The greatest promise of today’s e-business is more timely information accessible to more people, at reduced cost of information access. Simultaneously, you must protect databases and the servers on which they reside; you must administer and protect the rights of internal database users; and you must guarantee the confidentiality of e-business customers and their data as they access your database.

 

Security Administrator, May 2002, Microsoft Plans SQL Server Security Guide, Brian Moran

 

But businesses are worried about the possibility of being “hacked”. Some 30,000 Web sites post hacker code that can be downloaded to break passwords, crash systems, and steal data. The overwhelming majority of potential intruders are not very clever; they just have access to tools and techniques provided by the sharpest 2%, and these tools and techniques are available on the Internet. Security administrators need to keep track of these sites for two reasons: 1) to determine whether your site is vulnerable to intrusion, and 2) to test your system’s defenses. A website with an unbelievable list of exploits and tools is “packetstorm.securify.com” (that is “securify”, not “security”).

Title: Virtual Defense.Source: Foreign Affairs, May/June2001, Vol. 80 Issue 3, p98, 15p   Author(s): Adams, James

Secure System Key Attributes

Businesses that need to cope with today’s level of database system risk and e-commerce complexity need to employ a security system which has the following key attributes:

  • Scalability, to handle far more users and transactions than non-Internet systems, that is, millions rather than thousands,
  • Manageability, to automate, reliably and securely, the administrative tasks such as assigning each user an account and password, and handling all associated information the user may supply or want organized, and
  • Interoperability, to communicate or even integrate with the proprietary systems of customers, suppliers, partners, and others, enabling outsourcing to acquire supplies and collaboration to provide services.

(Computer, August 2000; Encryption Advances to Meet Internet Challenges, David Clark)

In order for business and security systems to meet these requirements, database systems must be designed on widely accepted standards, such as Java, C, and XML. Only then can the security mechanisms deployed in e-business systems have the scalability, manageability and interoperability needed to work straightforwardly with multiple systems, thin clients, and multitier architectures.

As you apply security mechanisms to protect data, the cost to break those defenses increases. No single solution can provide total security for a system. You can begin to improve security by making one particular way of breaking in more expensive. You can then move on to making the next way much more expensive, for example by incorporating 128-bit cryptography, which is extremely difficult for hackers to break. Faced with this and other obstacles, potential hackers might try to bribe the CEO rather than try to break in and decrypt the data. Here is a rule of thumb: when the cost to break security is greater than the value of the data protected, you can quit making the system more secure.

(Spectrum, Volume 37 No. 5; Encryption Wars: Shifting Tactics, Michael A. Caoloyannides, Mitretek Systems)

 

Key Security Requirements

Trying to protect all the data with every possible defense will more than likely degrade performance. For this reason, you must identify exactly what data needs to be protected. You may want to apply security protection to certain classes of data, and not to others. Regional sales data, for example, may require protection, while promotional photographs may not. The seven major security needs of database systems within a Web environment are:

(Information Systems Management, Summer 2001 Forces of Change: Ten Trends That Will Impact The Internet Over The Next Five Years, Michael Erbschloe)

Confidentiality

Over the Internet, network owners often route portions of their traffic through insecure land lines, extremely vulnerable satellite links, or a number of intermediate servers. This situation leaves private data open to view by any interested party. Confidential data, such as credit card numbers, are therefore routinely encrypted, so that even if observed they cannot be read or used. In Local Area Network (LAN) environments within a building or campus, insiders with access can view data not intended for them, and sniffers can be set up to capture user names and passwords. Frequent password changes can lessen the risk of misuse, since a stolen password would only be usable until the next change.

However, many password issues are arising today. End users complain about the need for frequent password changes, the complexity and number of passwords, and the time taken from what they regard as more productive work. In one case known to this writer, end users must change passwords every three weeks and use seven-character mixed-case passwords for each application. With such frequency and complexity it is clear that managing passwords can consume significant amounts of time and put a burden and stress on employees. Automatic identification technologies, such as eye, face and fingerprint recognition, smart cards, and tokens, do currently exist but do not appear to have been widely employed so far.

Industry and Practice, IT Security Issues. Marvin D. Troutt, Kent State University, USA Journal of End User Computing April – June 2002.

Common Password Mistakes:

  • Users often select easily guessed passwords--such as a name, fictional character, or a word found in a dictionary. All of these passwords are vulnerable to attacks because the passwords can be unveiled through dictionary searches. 
  • Users also often choose to use the same password on all machines or Web sites, with the potential that a compromised password allows an impostor to use one password to access any of the systems. 
  • Users with complex passwords may write them down where an attacker can easily find them, or they may just forget them--requiring costly administration and support efforts.

Communications of the ACM, April 2000, Vol. 43. No. 4,Securing User Passwords, Anthony Fedanzo

All of these strategies compromise password secrecy. From the user's point of view, remembering multiple passwords is a hassle. From an administrator's viewpoint, maintaining multiple user accounts and passwords is time-consuming, and expensive. Password requests from legitimate users account for a high percentage of help-desk time. And user reactions to the complexity often compromise the intended security measures implemented.

Single Sign-on

Single sign-on (SSO) to Web-based database applications enables users to log on only once to access multiple databases and services. The user does not need to remember multiple passwords, because SSO handles all of that after the initial user log-in to each registered application or resource.

Single sign-on also saves time and improves security. More and more companies are deploying diverse Web-based e-business applications for use by employees, customers, and partners, and each application typically requires its own user or account ID and password. Single sign-on therefore benefits users while easing the burden of maintaining security in rapidly changing circumstances. For single sign-on to be successful, the single password needs to be a “good” one. To keep people from choosing passwords that are tried early in a password-cracking run, some companies require that passwords contain at least one digit or special character ($#@!*^, etc.). Most Unix systems also come with several unneeded accounts in /etc/passwd, among them:

          smtp      uucp      nuucp      listen      sundiag      sysdiag

Do not delete these accounts. Just make sure the password field in /etc/passwd holds an x and the corresponding entry in /etc/shadow holds NP, so that no password will ever match. Some organizations go overboard and insist on so many letters, so many numbers and so many special characters. Such rules can backfire by making passwords EASIER to guess once the pattern is known, because the attacker only has to try strings that fit the pattern.

World Oil, October 2000 “ Improving Security Systems”  by Will Morse
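The following is an added example written for this page; it is not code from any of the sources cited above. It checks a candidate password against the mistakes listed under Common Password Mistakes (dictionary words, reuse across systems, and the absence of a digit or special character) and then puts a number on the remark that rigid composition rules can make guessing easier: it compares how many candidates an attacker must try for a fixed “five letters, two digits, one symbol” pattern against a free-form eight-character password of the same length. The word list, the salt and the record of passwords “already in use” are constructed stand-ins, not real data.

```python
"""Password policy checks and a keyspace comparison (added example)."""
import hashlib
import math
import re

# Constructed stand-in for a cracking dictionary; real ones hold millions of words.
DICTIONARY = {"password", "elvis", "gandalf", "summer", "welcome", "manager"}

# Constructed salt and "already used elsewhere" store. A real store would keep
# bcrypt/scrypt/argon2 hashes; salted SHA-256 is used here only to keep the
# example dependency-free.
SALT = b"constructed-salt"

def pw_hash(pw: str) -> str:
    return hashlib.sha256(SALT + pw.encode()).hexdigest()

ALREADY_USED = {pw_hash("Welcome1!")}

# Undo the usual "leet" substitutions so that p@ssw0rd is still caught as "password".
_LEET = str.maketrans("@0$1!3", "aoslie")

def check_password(pw: str, reused_hashes=None, min_len: int = 8) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    reused = ALREADY_USED if reused_hashes is None else reused_hashes
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    base = pw.lower()
    # Strip trailing digits/symbols ("summer99" -> "summer") before the dictionary test.
    stripped = re.sub(r"[0-9!@#$%^&*]+$", "", base)
    if stripped in DICTIONARY or stripped.translate(_LEET) in DICTIONARY:
        problems.append("based on a dictionary word or name")
    if not re.search(r"[0-9]", pw) and not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("contains neither a digit nor a special character")
    if pw_hash(pw) in reused:
        problems.append("already used on another system")
    return problems

# Character-class sizes for the keyspace estimate: L = letter (upper or lower),
# D = digit, S = one of 32 printable symbols, A = any printable ASCII character.
_CLASS_SIZE = {"L": 52, "D": 10, "S": 32, "A": 94}

def keyspace_bits(pattern: str) -> float:
    """log2 of the number of strings that fit a positional composition pattern."""
    return sum(math.log2(_CLASS_SIZE[c]) for c in pattern)

def pattern_penalty(rigid: str, free: str) -> float:
    """How many times fewer candidates an attacker must try when the pattern is mandated."""
    return 2 ** (keyspace_bits(free) - keyspace_bits(rigid))

if __name__ == "__main__":
    for candidate in ("Summer99", "p@ssw0rd!", "Welcome1!", "vault-Perimeter-27"):
        print(candidate, check_password(candidate) or "ok")
    # A mandated "LLLLLDDS" layout versus eight freely chosen characters.
    print("rigid pattern shrinks the search space by a factor of about",
          round(pattern_penalty("LLLLLDDS", "AAAAAAAA")))
```

The dictionary test deliberately strips trailing digits and symbols first, because “summer99” and “Summer!” are what users actually type when a policy demands a digit or symbol; the keyspace figures show that once an attacker knows the exact layout a policy enforces, an eight-character password loses roughly twelve bits, several thousand times fewer guesses than a free-form one.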

 

 

Biometric Authentication

Another trend that companies are implementing to increase security is the use of biometrics. This method has also proven successful for organizations that want to eliminate the need for memorizing configured passwords.

With biometrics, all the user has to do is interface with the computer, and the computer validates who he or she is. Biometrics is recognized as the most promising technology for performing such validation. Within the international biometrics community, "there are over 150 different biometrics that are being developed." Emerging technologies include vein recognition, body odor, ear lobes, and lip movement. One particular problem in biometrics is enabling layered biometrics to interface and interoperate with multiple systems without bringing in middleware; this is why biometric technology is not common in the Linux and Unix environments of today.

Title: Beyond Passwords. Source: Armed Forces Journal International, Sep2001, Vol. 139 Issue 2, p24, 2p, 2c. Author(s): Kauchak, Marty

Ethical Hacking Trends

Authorization is also a defense against hackers who may try to corrupt your Web site. In searching for a way to approach the problem, organizations came to realize that one of the best emerging ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. These professionals are known as “tiger teams” or “ethical hackers”, and they come into an organization to evaluate its security systems. The teams employ the same tools and techniques as the intruders, but they neither damage the target systems nor steal information. Instead, they evaluate the target systems' security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them. How does one go about finding such individuals? The best ethical hacker candidates will have successfully published research papers or released popular open-source security software. One rule that IBM's ethical hacking effort had from the very beginning was that they would not hire ex-hackers. Some will argue that only a "real hacker" would have the skill to actually do the work; IBM felt that the requirement for absolute trust eliminated such candidates.

What do ethical hackers do?

An ethical hacker's evaluation of a system's security seeks answers to three basic questions:
  • What can an intruder see on the target systems?
  • What can an intruder do with that information?
  • Does anyone at the target notice the intruder's attempts?

While the first and second of these are important, the third is even more important: if the owners or operators of the target systems do not notice when someone is trying to break in, the intruders can, and will, spend weeks or months trying and will usually eventually succeed. Some clients are under the mistaken impression that their Web site would not be a target. Web administrators at UNICEF (United Nations Children's Fund) thought that no hacker would attack them; however, in January of 1998 their page was defaced, as shown in Figures 3 and 4. There are several kinds of testing. The following key testing areas are conducted by the tiger teams to determine weaknesses:

  • Remote network. This test simulates the intruder launching an attack across the Internet. The primary defenses that must be defeated here are border firewalls, filtering routers, and Web servers.
  • Remote dial-up network. This test simulates the intruder launching an attack against the client's modem pools. The primary defenses that must be defeated here are user authentication schemes.
  • Local network. This test simulates an employee or other authorized person who has a legal connection to the organization's network. The primary defenses that must be defeated here are intranet firewalls, internal Web servers, server security measures, and e-mail systems.
  • Stolen laptop computer. In this test, the laptop computer of a key employee, such as an upper-level manager, is stolen from the client without warning and given to the ethical hackers. Since many busy users store passwords on their machine, it is common for the ethical hackers to be able to use this laptop computer to dial into the corporate intranet with the owner's full privileges.
  • Social engineering. This test evaluates whether the target organization's staff would leak information to someone. A typical example would be an intruder calling the organization's computer help desk and asking for the external telephone numbers of the modem pool. Most people are basically helpful, so it seems harmless to tell someone who appears to be lost where the computer room is located, or to let someone into the building who "forgot" his or her badge.
Title: Ethical hacking. Source: IBM Systems Journal, 2001, Vol. 40 Issue 3,  Author: Palmer, C. C.

Authentication Security Methods

Authentication ensures that users are who they claim to be. Some authentication methods require the user to be known in advance, by name and password, but other methods remove this requirement by using unforgeable certificates. Authentication can be applied at various points of vulnerability to guard against unauthorized access, and authentication mechanisms vary for different environments. In database authentication, the database performs both identification and authentication of users. In external authentication, the operating system or a network service performs the authentication.

Communications of the ACM, Vol. 42, No. 9; The Trojan Horse Race, Bruce Schneier

Non-Repudiation Security Measures

The intent of non-repudiation is to preserve accountability and prevent misrepresentation. Non-repudiation means that when someone actually sends a message, the sender cannot later deny responsibility for sending it.

To guard against false claims, there must be a digital "signature," usable only by the true sender, that any recipient can verify. A digital signature also solves the parallel problem of someone else sending a message that falsely claims to be from a third party. Entities wanting to communicate in a secure manner must possess certain security credentials. This collection of security credentials is stored in a wallet. Security credentials consist of:

Public and private keys

This form of cryptography uses a secret private key and a mathematically related public key. Information encrypted with the public key can only be decrypted with the corresponding private key. Only the owner of the key pair knows the private key; the public key can be distributed widely and remains associated with its owner. The same pair is used for digital signatures with the roles reversed: the private key creates a signature that anyone holding the public key can verify, which prevents Internet impersonation and repudiation of valid messages.

Digital certificates

Certificates are digital identities, issued by trusted third parties, that identify users and machines. Certificates are issued when that third party receives trusted information proving to its satisfaction the validity of those identities. The certificates can then be securely stored in wallets or in directories and used to prove the claimed identity to anyone on the Internet who trusts that third party.

Certificate Authority (CA)

A CA is a third party that acts as a trusted, independent provider of digital certificates.

Oracle Security Handbook, August 2001, Marlene Theriault & Aaron Newman

Use of a cryptographic key pair to set up a secure, encrypted channel ensures the privacy of a message and can validate the authenticity of the sender of the message. Wide distribution of the public key on a server, or in a central directory, does not jeopardize security because the private key is never shared. The public key for an entity is published by a certificate authority in a user certificate.
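The following is an added example, written for this page rather than taken from the Oracle Security Handbook, to make the non-repudiation point above concrete. A message authentication code built on a shared secret proves to the receiver that the message is intact, but because the receiver holds the same secret it could have produced the tag itself, so it cannot prove authorship to anyone else. A digital signature made with the sender's private key can be checked by anyone holding the public key, and only the private-key holder could have produced it. The RSA key pair below is built from two fixed, deliberately tiny primes so that the example runs with only the Python standard library; it shows the mechanics, not a usable key size (real keys are 2048 bits or more and come from a proper library and a CA-issued certificate). The shared secret, the primes and the message are constructed.

```python
"""A MAC versus a digital signature: which one gives non-repudiation (added example)."""
import hashlib
import hmac

# --- Symmetric authentication: both sides hold the same (constructed) secret ----
SHARED_KEY = b"constructed-secret-known-to-sender-and-receiver"

def mac(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(mac(message, key), tag)

# --- Asymmetric signature: toy RSA over a SHA-256 digest -------------------------
P = 1000000007            # constructed, far-too-small primes: never use in practice
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

PUBLIC_KEY = (E, N)       # what the CA publishes in the sender's certificate
PRIVATE_KEY = (D, N)      # what stays in the sender's wallet

def _digest_int(message: bytes) -> int:
    # The 256-bit digest is reduced mod N only because N is tiny here; real
    # RSA signing pads the digest (PSS or PKCS#1 v1.5) instead of truncating it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    d, n = private_key
    return pow(_digest_int(message), d, n)

def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest_int(message)

def demo() -> dict:
    msg = b"Transfer 500 units to account 42"      # constructed message
    tag = mac(msg)
    sig = sign(msg)
    return {
        "mac_ok": mac_verify(msg, tag),
        "sig_ok": verify(msg, sig),
        # Changing one digit of the message invalidates the signature.
        "sig_rejects_tamper": verify(msg.replace(b"500", b"5000"), sig),
        # A signature is bound to its message; it cannot be moved to another one.
        "sig_reused_on_other_msg": verify(b"forged order", sig),
        # The receiver also holds SHARED_KEY, so it can mint a valid tag for a
        # message the sender never sent: a MAC proves nothing to a third party.
        "receiver_can_forge_mac": mac_verify(b"forged order", mac(b"forged order")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:25s} {result}")
```

The last two entries of demo() are the whole argument: the MAC check passes for a message the receiver made up itself, whereas without D nobody can produce a signature that verifies under (E, N), so a signed message is one the sender cannot later disown.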

The majority of all security operations in database servers depend on the twin processes of authentication and authorization. By default, the password your client sends to the server during the login handshake is not protected in transit; it is effectively clear text on the wire.

In order to protect the password during transmission, you must use one of three encryption methods: the Multiprotocol Net-Library, Secure Sockets Layer (SSL), or IP Security (IPSec) encryption. Of the three, only IPSec can be managed for the entire enterprise through domain policy. IPSec secures communications between end systems, meaning that routers, gateways, firewalls, and other network infrastructure components between the end systems don't participate in the secure communication and simply pass the packets on to their intended destinations.

Security Administrator ,  December 17, 2001  |  John Howie  |  Feature  |  InstantDoc #23446

The second encryption method, the Multiprotocol Net-Library, has two drawbacks: clients can choose not to use it if the server supports any other Net-Library, and it works only against the default instance. The third, the Secure Sockets Layer (SSL), is a protocol layered between the application and TCP that can be employed for certificate-based authentication.

The Secure Sockets Layer (SSL) protocol, developed by Netscape Corporation, is a widely accepted standard for network security. It provides authentication, data encryption, and data integrity, in a public-key infrastructure. SSL is widely employed over the Internet to give users established digital identities and to prevent eavesdropping, tampering with, or forging messages. SSL uses digital certificates, and a public/private key pair to authenticate users and systems.

Unlike password-based authentication, which authenticates client to server only, SSL can authenticate server to client as well as client to server. This feature is useful in a multitier system that is exposed to the Web, because users want the database server authenticated before providing sensitive information, such as credit card numbers. Figure 1-2 illustrates SSL-protected communication links to the Oracle server from a remote client through the Internet and an Oracle Application Server.

 

SSL does have a drawback as well: it requires a separate certificate for each server, which can increase management overhead and cost if you have multiple database servers. In making your security decisions, you might wonder whether to use IPSec or Kerberos for authentication and encryption. The main difference between them is that IPSec authenticates computer-to-computer communications and Kerberos authenticates user-to-service communications. IPSec doesn't control access to services running on a server; it controls whether one machine can connect to another at the IP layer, not the application layer.

SQL Server Magazine, “Guard Your Data with Kerberos”, July 2002, Morris Lewis

Fault Containment Security

If there is a security breach, how do you limit the damage it can cause?

Among the best ways to lessen security risk on the Internet for the database system is to provide multiple layers of security mechanisms. This concept is referred to as deep data protection. Deep data protection ensures well-formed, comprehensive security from client to application server to data server, as well as throughout the layers of an application. Another fault containment measure is to ensure that applications do not run with root privileges and that user-supplied input cannot be turned into script that runs in other users' browsers (cross-site scripting). The aim is that even a compromised application component cannot, for example, inject a script that sends the entire machine configuration to a third party.

 

Sudo/Superuser Access Programs

Sudo and other limited superuser access programs use rules that allow privileged users to perform only certain tasks that require root privilege. For example, a database administrator may need to switch user to an Oracle account for certain maintenance work. Rather than giving him the superuser password, just create a rule in the sudoers file like:

          joeuser    elvis = /bin/su - manager

The user can run sudo /bin/su - manager (but only on host elvis), and sudo will let this happen. The user (joeuser) has to enter his own password, not the superuser password, and the superuser password can be changed from time to time without this user needing to know it.

World Oil, October 2000 “ Improving Security Systems”  by Will Morse

How can you stay on top of all the security fixes coming from Microsoft and other vendors? Security bulletin services, available online from software vendors' sites, offer one way to stay abreast of security patches: they announce each fix and provide the downloadable files needed to apply it.

SQL Server Magazine, March 2002, Staying Ahead in the Security Game, Brian Moran

 

 

 

 

The Truth About Firewalls                               
Companies often spend considerable resources on expensive firewalls only to risk attack through dial-in modem pools or other insecure access points. According to the Computer Security Institute, 30 percent of Internet sites that reported security breaches had firewalls. So the first lesson is: a firewall is only one component of a comprehensive database security policy. Following are some guidelines for selecting and implementing a firewall, and for addressing any remaining problems.

Title: Firewalls: Not As Safe As You Thought. Source: Professional Safety, Jun99, Vol. 44 Issue 6, Author(s): Hansen, Mark D.
In general, the more secure the firewall, the less convenient it is for authorized users to pass through. To weigh these trade-offs, ask the question, "How much damage can be done if data is compromised or corrupted?" However, convenience cannot simply be dismissed as the lesser of two evils: compromising convenience in a business environment could determine the success or failure of e-commerce for an organization. If Internet access is difficult, users will find other online services.

At the low end of firewall security is packet screening (also known as a network-level firewall). This mechanism is usually handled at the router level. Consistent with TCP/IP, the router screens packet headers for source and destination addresses, and allows or denies entry based on rules that the firm develops to define allowable transmissions.

This type of firewall ranks low in security because it is vulnerable to a hacker who breaks in by IP spoofing. To do this, a hacker disguises incoming packets to look as if they come from a trusted host; a router that filters on addresses alone cannot distinguish between an authentic source address and a forged one. In other words, routers are insecure because they are essentially "dumb boxes" that are designed to enable the free flow of information, not to prevent data transmission.

Oracle Security Handbook, August 2001, Marlene Theriault & Aaron Newman                                     
   An application-level firewall goes a step further than network-level packet screening. It sits between the private network and the Internet and relays data between the two networks. Application programs (proxies) can perform sophisticated functions, such as logging or user authentication. Proxies can also enforce customized security options (e.g., allowing incoming FTP while blocking outgoing FTP).
Title: Firewalls: Not As Safe As You Thought.Source: Professional Safety, Jun99, Vol. 44 Issue 6, Author(s): Hansen, Mark D.

However, even an application-level firewall is vulnerable. FTP and other Internet protocols can leave the system without a security check, thus exposing it to attack from the inside. An application-level firewall may also allow Trojan-horse programs or macro files (rogue programs that hide inside authorized programs) to pass through. These programs execute as soon as they are opened or read. Besides causing direct damage to a system, embedded programs may look for a well-known host table and mail data and password lists to another address.

According to Kevin Kitagawa, Internet security product line manager for Sun's Internet Commerce Group, proxy servers present management headaches. "Proxy servers are wonderful for most common Internet protocols or services," he says. "The problem is, for every new protocol or service that comes out, you have to add another application to the proxy server." The proxy server cannot handle protocols that lack a specific proxy for them. Proxy architectures can degrade performance as well.

A dual-homed gateway represents the highest level of firewall security. A host system sits on both the private network and the Internet. TCP/IP forwarding is disabled, which fully isolates the two networks. A company supplies access by configuring application proxies or by granting user log-ins to the gateway host. A comprehensive report financed by the National Institute of Standards and Technology recommends that firewalls feature the following elements:

1)     Strong filtering techniques that support a "deny services except those specifically permitted" policy, based on attributes such as source and destination IP address, protocol type, source and destination ports and inbound/outbound interfaces.

2)     Easy configuration to support a basic security policy.

3)     Flexibility to accommodate new services and needs as the security
policy and organizational structure change.

4)     Proxy services to implement advanced authentication measures (e.g.,
digital signature certificates or public-key cryptography) and
centralize simple mail transfer protocol (SMTP) at a buffer zone between servers.

5)     Segregation of systems that do not require public access.

6)     Thorough logging and auditing tools for reporting suspicious activity.

7)     A secured version of the OS, in which all known security holes are plugged.

8)     An interface that is easy to use and maintain, including an architecture for patching new problems that might arise.                  
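The following is an added example, written for this page and not taken from the NIST report or the Professional Safety article. It implements the first element above, a filter whose policy is "deny everything except what a rule specifically permits", keyed on interface, source and destination address, protocol and destination port, and it adds the check that defeats the IP-spoofing attack described under packet screening: a packet arriving on the outside interface that claims an inside source address is dropped before any rule is consulted, because no legitimate inside host can be on the far side of the perimeter. The address ranges, rule table and packets are constructed sample data.

```python
"""Deny-by-default packet filter with an anti-spoofing ingress check (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed address plan: everything in 10/8 is "inside"; two DMZ hosts take
# public traffic, the database servers never do.
INSIDE = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")
ANY_PORT = range(0, 65536)

@dataclass
class Packet:
    iface: str     # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    sport: int
    dport: int

@dataclass
class Rule:
    iface: str
    src: IPv4Network
    dst: IPv4Network
    proto: str           # "tcp", "udp", "icmp" or "any"
    dport: range         # permitted destination ports
    action: str          # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.iface
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and self.proto in (pkt.proto, "any")
                and pkt.dport in self.dport)

# First matching rule wins. Nothing in this table reaches the internal database
# hosts from outside, so those packets fall through to the default deny.
RULES = [
    Rule("outside", ANY, ip_network("10.1.1.80/32"), "tcp", range(80, 81), "permit"),
    Rule("outside", ANY, ip_network("10.1.1.80/32"), "tcp", range(443, 444), "permit"),
    Rule("outside", ANY, ip_network("10.1.1.25/32"), "tcp", range(25, 26), "permit"),
    Rule("inside", INSIDE, ANY, "any", ANY_PORT, "permit"),
]

def decide(pkt: Packet, rules=RULES) -> str:
    """Return 'permit' or a 'deny (...)' string explaining why the packet was dropped."""
    # Ingress check before any rule lookup: an outside packet with an inside
    # source address is spoofed (or misrouted) and is dropped whatever the rules say.
    if pkt.iface == "outside" and ip_address(pkt.src) in INSIDE:
        return "deny (spoofed inside source on outside interface)"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny (no rule permits it)"

if __name__ == "__main__":
    samples = [
        Packet("outside", "203.0.113.9", "10.1.1.80", "tcp", 51515, 80),    # web, allowed
        Packet("outside", "203.0.113.9", "10.1.1.80", "tcp", 51516, 22),    # ssh, not allowed
        Packet("outside", "10.5.5.5", "10.1.1.80", "tcp", 1, 80),           # spoofed source
        Packet("outside", "203.0.113.9", "10.2.2.2", "tcp", 4000, 1521),    # straight at the DB
        Packet("inside", "10.7.7.7", "198.51.100.1", "udp", 5353, 53),      # outbound, allowed
    ]
    for p in samples:
        print(f"{p.iface:8s} {p.src:>14s} -> {p.dst}:{p.dport}/{p.proto:5s} {decide(p)}")
```

Note that the spoofing check is independent of the rule table: even a rule that permits "any source" to reach the web server does not rescue a packet whose source address could not legitimately have arrived on that interface. That is the distinction between matching on addresses and reasoning about where an address can come from, which a plain screening router does not make.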

Ultimately, firewalls are not impenetrable. The good news is that the firewall market is still maturing. Products now combine the best elements of past developments with encryption, user authentication, digital signatures and management software. The best software-driven devices are fully configurable with comprehensive, single-point management and reporting capabilities administered from a stand-alone terminal. Firewalls are increasingly used to buffer corporate intranets not only from the Internet, but from each other as well.
Firewalls: Not As Safe As You Thought. Professional Safety, Jun99, Vol. 44 Issue 6, Author(s): Hansen, Mark D.

Helpful Security Tips

Security Policies

Improving security is pointless if top management does not empower the security administrator to do the job and create and fund the security policies essential for success. If security management is just another difficult and obscure chore in a long list for an overworked systems administrator, it isn’t going to be done.

           

Unused Software Functions

Modern operating systems come with lots of bundled software- much of which you may not even be aware of, let alone use.  This software is a big risk because, since you don’t use it, you are not familiar with its vulnerabilities and won’t notice if it gets modified. Turning this software off by changing ownership, permissions and commenting lines in /etc/inetd.conf is a big win because it greatly reduces vulnerability with no pain to the users.

Appropriate Use Banners

Appropriate use banners put up a message when you log in (or better, before you log in) that says something like: “For business use by authorized persons only.” Talk to your legal department about exact wording. Some courts have found that if you don’t say no, you can’t sue or complain, or at least not as effectively. You also avoid giving potential intruders hints as to what operating system or version is in use.

Deactivating Accounts

Once a person has had an account on your system, NEVER delete that account. You have at least 65,000 user IDs available, so there is no reason to actually delete one. Instead, change the password field in /etc/shadow, or in your NIS shadow database, to “NP”. For a little extra safety, change the default shell (in /etc/passwd) to /bin/false or /bin/nologin. File ownership in Unix is kept by user ID, a number, not by the user name. If you delete a passwd entry, you may be left with files owned “by a number” and no idea who that number belonged to, and if you reuse the number, the new owner will suddenly own files he knows nothing about.
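The following is an added example, written for this page and not taken from the World Oil article, that shows the two procedures side by side: deactivating an account the recommended way (NP in the shadow password field, /bin/false as the shell, user ID kept) and deleting it outright, with the ownership problem that deletion and later UID reuse cause. It operates on constructed copies of passwd and shadow lines held in memory, never on the real files; the user names, UIDs, hashes and file list are made up.

```python
"""Deactivating versus deleting a Unix account (added example)."""
SHELL_NOLOGIN = "/bin/false"
LOCKED = "NP"        # the "no password" marker recommended above

# Constructed passwd/shadow contents (fields: name:pw:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
joeuser:x:1001:100:Joe User:/home/joeuser:/bin/ksh
manager:x:1002:100:Oracle manager:/home/manager:/bin/ksh
"""
SHADOW = """\
root:$1$abc$hashedroot:11900::::::
joeuser:$1$def$hashedjoe:11900::::::
manager:$1$ghi$hashedmgr:11900::::::
"""
# Constructed ownership table, (path, owner uid): the kernel stores only the number.
FILES = [("/home/joeuser/report.txt", 1001), ("/data/exports/q3.csv", 1001)]

def deactivate(passwd: str, shadow: str, user: str) -> tuple:
    """Lock `user`: NP as the shadow password, /bin/false as the shell, UID untouched."""
    new_passwd, new_shadow, found = [], [], False
    for line in passwd.splitlines():
        f = line.split(":")
        if f[0] == user:
            f[6] = SHELL_NOLOGIN
            found = True
        new_passwd.append(":".join(f))
    for line in shadow.splitlines():
        f = line.split(":")
        if f[0] == user:
            f[1] = LOCKED          # no hash can ever match "NP"
        new_shadow.append(":".join(f))
    if not found:
        raise KeyError(user)
    return "\n".join(new_passwd) + "\n", "\n".join(new_shadow) + "\n"

def delete(passwd: str, user: str) -> str:
    """What the text warns against: dropping the passwd entry and freeing the UID."""
    return "".join(l + "\n" for l in passwd.splitlines() if l.split(":")[0] != user)

def add_user(passwd: str, user: str, uid: int) -> str:
    """Create a new account; if `uid` was freed by delete(), it silently inherits old files."""
    return passwd + f"{user}:x:{uid}:100:{user}:/home/{user}:/bin/ksh\n"

def uid_to_name(passwd: str) -> dict:
    return {int(l.split(":")[2]): l.split(":")[0] for l in passwd.splitlines()}

def owners(passwd: str, files=FILES) -> dict:
    """Resolve owners the way ls -l does: by UID, falling back to the bare number."""
    names = uid_to_name(passwd)
    return {path: names.get(uid, str(uid)) for path, uid in files}

if __name__ == "__main__":
    locked_passwd, locked_shadow = deactivate(PASSWD, SHADOW, "joeuser")
    print("after deactivation:", owners(locked_passwd))
    orphaned = delete(PASSWD, "joeuser")
    print("after deletion:    ", owners(orphaned))
    reused = add_user(orphaned, "newhire", 1001)
    print("after UID reuse:   ", owners(reused))
```

After deactivation the files still show joeuser as owner and the account cannot be logged into; after deletion the same files are listed by the bare number 1001, and the moment that number is handed to a new account the new hire owns Joe's exports without anyone having decided so.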

World Oil, October 2000, Improving Systems Security, Will Morse

More Solutions

More advanced solutions are available and can add considerable security.  These solutions must be installed on every computer in your network, and the appropriate version of each solution must be installed for every OS in your network. 

Denial-of-service-checker

A denial-of-service attack makes a system unavailable to its legitimate users, typically by flooding it with more traffic or requests than it can handle. In a distributed denial-of-service attack, the attacker first breaks into many other machines and installs agent software on them, then uses those machines to flood the real target; trinoo, referred to in the page below, is one such agent. A compromised host may therefore be taking part in attacks without its owner knowing.

The FBI and PacketStorm have released software to determine if your system has been compromised for launching denial-of-service attacks. For information go to: http://ww.fbi.gov/nipc/trinoo.html

Online Help Resources

You can get e-mail security announcements from vendors and from CERT, the Computer Emergency Response Team. To subscribe to CERT advisories, send mail to

 cert-advisory-request@cert.org    SUBJECT: subscribe your-email-address

Daemons and dynamic libraries are particular vulnerabilities. Never have application files owned or executed by root, and do not require root to install the application. The single most critical success factor for a secure system is top management that takes responsibility by creating and supporting realistic security policies and then funds and supports the security function. Security is not something that you “turn on” and forget.

World Oil, October 2000 “Improving Security Systems” by Will Morse

Security Best Practices

1.      Analyze vulnerability notifications as they are released to determine whether they apply in your business environment;

2.      Test them for their effect on line-of-business applications in a test environment;

3.      Apply those patches to all appropriate systems in production; and

4.      Update your system documentation to include the patch in all future builds.

 

However, a frighteningly high percentage of  organizations  do not follow this practice.

The Public Manager, Fall 2001 Volume 30, Number 3 IT Pragmatics 2001, by Jeff Williams

 
