SECURITY PROCEDURE

INTRODUCTION:

Security procedure concerns the use of a broad range of information security controls to
protect databases (potentially including the data, the database applications or stored functions,
the database systems, the database servers and the associated network links) against
compromises of their confidentiality, integrity and availability. It involves various types or
categories of controls, such as technical, procedural/administrative and physical. Database
security is a specialist topic within the broader realms of computer security, information security
and risk management.

Security risks to database systems include, for example:

Overloads, performance constraints and capacity issues resulting in the inability of

authorized users to use databases as intended;

Physical damage to database servers caused by computer room fires or floods,

overheating, lightning, accidental liquid spills, static discharge, electronic
breakdowns/equipment failures and obsolescence;

Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in
database or system administration processes, sabotage/criminal damage etc.

DATABASE SECURED:

Databases have been largely secured against hackers through network security measures
such as firewalls, and network-based intrusion detection systems. While network security
controls remain valuable in this regard, securing the database systems themselves, and the
programs/functions and data within them, has arguably become more critical as networks are
increasingly opened to wider access, in particular access from the Internet. Furthermore, system,
program, function and data access controls, along with the associated user identification,

1
authentication and rights management functions, have always been important to limit and in
some cases log the activities of authorized users and administrators. In other words, these are
complementary approaches to database security, working from both the outside-in and the inside-
out as it were.

BASELINE SECURITY STANDARDS:

Many organizations develop their own "baseline" security standards and designs detailing
basic security control measures for their database systems. These may reflect general information
security requirements or obligations imposed by corporate information security policies and
applicable laws and regulations (e.g. concerning privacy, financial management and reporting
systems), along with generally accepted good database security practices (such as appropriate
hardening of the underlying systems) and perhaps security recommendations from the relevant
database system and software vendors.

PRIVILEGES:

Two types of privileges are important relating to database security within the database
environment: system privileges and object privileges.

System Privileges:

System privileges allow a user to perform administrative actions in a database. These

include privileges (as found in SQL Server) such as: create database, create procedure, create
view, backup database, create table, create trigger, and execute. [2]

Object Privileges:

Object privileges allow for the use of certain operations on database objects as authorized
by another user. Examples include: usage, select, insert, update, and references. [3]

VULNERABILITY ASSESSMENTS AND COMPLIANCE:

2
 One technique for evaluating database security involves performing vulnerability
assessments or penetration tests against the database. Testers attempt to find security
vulnerabilities that could be used to defeat or bypass security controls, break into the database,
compromise the system etc. Database administrators or information security administrators may
for example use automated vulnerability scans to search out misconfiguration of controls within
the layers mentioned above along with known vulnerabilities within the database software. The
results of such scans are used to harden the database (improve security) and close off the specific
vulnerabilities identified, but other vulnerabilities often remain unrecognized and unaddressed.

PROCESS AND PROCEDURES:

A good database security program includes the regular review of privileges granted to
user accounts and accounts used by automated processes. For individual accounts a two-factor
authentication system improves security but adds complexity and cost. Accounts used by
automated processes require appropriate controls around password storage such as sufficient
encryption and access controls to reduce the risk of compromise. In conjunction with a sound
database security program, an appropriate disaster recovery program can ensure that service is
not interrupted during a security incident, or any incident that results in an outage of the primary
database environment. An example is that of replication for the primary databases to sites located
in different geographical regions.

LOSS PREVENTION:

Loss prevention focuses on what your critical assets are and how you are going to protect
them. A key component to loss prevention is assessing the potential threats to the successful
achievement of the goal. This must include the potential opportunities that further the object
(why take the risk unless there's an upside?) Balance probability and impact determine and
implement measures to minimize or eliminate those threats.

SECURITY RISK MANAGEMENT:

Management of security risks applies the principles of risk management to the

management of security threats. It consists of identifying threats (or risk causes), assessing the

3
effectiveness of existing controls to face those threats, determining the risks' consequence(s),
prioritizing the risks by rating the likelihood and impact, classifying the type of risk and selecting
and appropriate risk option or risk response.

TYPES OF SECURITY THREATS:

External:

Strategic: like competition and customer demand...

Operational: Regulation, suppliers, contracts

Financial: FX, credit

Hazard: Natural disaster, cyber, external criminal act

Compliance: new regulatory or legal requirements are introduced, or existing ones are
changed, exposing the organisation to a non-compliance risk if measures are not taken to
ensure compliance

Internal:

Strategic: R&D

Operational: Systems and process (H&R, Payroll)

Financial: Liquidity, cash flow

Hazard: Safety and security; employees and equipment

Compliance: Actual or potential changes in the organisation's systems, processes,

suppliers, etc. may create exposure to a legal or regulatory non-compliance.

RISK OPTIONS:

4
Risk avoidance:
The first choice to be considered. The possibility of eliminating the existence of criminal
opportunity or avoiding the creation of such an opportunity is always the best solution, when
additional considerations or factors are not created as a result of this action that would create a
greater risk. As an example, removing all the cash from a retail outlet would eliminate the
opportunity for stealing the cashbut it would also eliminate the ability to conduct business.

Risk reduction:
When avoiding or eliminating the criminal opportunity conflicts with the ability to
conduct business, the next step is the reduction of the opportunity and potential loss to the lowest
level consistent with the function of the business. In the example above, the application of risk
reduction might result in the business keeping only enough cash on hand for one days operation.

Risk spreading:
Assets that remain exposed after the application of reduction and avoidance are the
subjects of risk spreading. This is the concept that limits loss or potential losses by exposing the
perpetrator to the probability of detection and apprehension prior to the consummation of the
crime through the application of perimeter lighting, barred windows and intrusion detection
systems. The idea here is to reduce the time available to steal assets and escape without
apprehension.

Risk transfer:
Transferring risks to other alternatives when those risks have not been reduced to
acceptable levels. The two primary methods of accomplishing risk transfer are to insure the
assets or raise prices to cover the loss in the event of a criminal act. Generally speaking, when
the first three steps have been properly applied, the cost of transferring risks is much lower.

Risk acceptance:
All remaining risks must simply be assumed by the business as a risk of doing business.
Included with these accepted losses are deductibles which have been made as part of the
insurance coverage.

COMPUTER SECURITY:
5
 Computer security, also known as cybersecurity or IT security, is security applied to
computing devices such as computers and smartphones, as well as computer networks such as
private and public networks, including the whole Internet. The field includes all five
components: hardware, software, data, people, and procedures by which digital equipment,
information and services are protected from unintended or unauthorized access, change or
destruction, and is of growing importance due to the increasing reliance of computer systems in
most societies. It includes physical security to prevent theft of equipment and information
security to protect the data on that equipment. Those terms generally do not refer to physical
security, but a common belief among computer security experts is that a physical security breach
is one of the worst kinds of security breaches as it generally allows full access to both data and
equipment.

NETWORK SECURITY CONCEPTS:

Network security starts with authenticating, commonly with a username and a password.
Since this requires just one detail authenticating the user name i.e., the password this is
sometimes termed one-factor authentication. With two-factor authentication, something the user
'has' is also used (e.g., a security token or 'dongle', an ATM card, or a mobile phone); and with
three-factor authentication, something the user 'is' is also used (e.g., a fingerprint or retinal scan).

TYPES OF ATTACKS:

Networks are subject to attacks from malicious sources. Attacks can be from two
categories: "Passive" when a network intruder intercepts data traveling through the network, and
"Active" in which an intruder initiates commands to disrupt the network's normal operation.

Types of attacks include:

Passive

o Network

Wiretapping

6
 Port scanner

Idle scan

Active

o Denial-of-service attack

o DNS spoofing

o Spoofing

o Man in the middle

o Phishing

o Cross-site scripting

o CSRF

o Cyber-attack

o SQL injection

CONCLUSION:

Application level authentication and authorization mechanisms may be effective means

of providing abstraction from the database layer. The primary benefit of abstraction is that of a
single sign-on capability across multiple databases and platforms. A single sign-on system stores
the database user's credentials and authenticates to the database on behalf of the user. Security
management for networks is different for all kinds of situations. A home or small office may only
require basic security while large businesses may require high-maintenance and advanced
software and hardware to prevent malicious attacks from hacking and spamming.

REFERENCE:
7
www.lse.ac.uk/intranet/LSEServices/IMT/about/policies/home.aspx
www.archives.gov Research Our Records Notices

www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public

https://policy.unimelb.edu.au/MPF1118

www.luther.edu Safety and Security