Assignment 1: Database Analysis

1. Least privilege: SQL accounts will have least privilege. Each SQL account can do a unique task. Some dummy accounts with no privileges will be created. So, if the system is compromised then the database is still protected. Only 2 accounts will have full access (What Is the Principle of Least Privilege (POLP)? A Best Practice for Information Security and Compliance).

Mandatory access control is a single user, normally the network admin, who is given access to the users’ rights and privileges. They control access policies and are also in control of choosing which objects and what systems each individual user has access to and what they do not have access to. The access is made in the form of different levels. Each system and all folders containing information are put into a specific classification. The user will be in a certain classification that will only allow them to access data

The organization has a security objective of protecting the database from being altered. Since the data is held in the system, there are regulations that have been set to the users, and there are also limits to the functions that each user performs. In this case, there are three categories of users each with clearly defined responsibilities. For instance, the administration team has been given full control of the application in that they can even alter codes and perform any variations to the database objects. The other groups of users are the executives; these have the ability to access all the information

If the finance department wanted to find the total compensation paid to each employee in the same month as the first query a slightly different query would be run to generate that information. The first code simply pulled the information and did not include and computation because the finance department only requested to be able to determine as in pull up the record for employee’s commission paid. The second code will include computation which will divide the yearly salary by twelve months then multiples the commission rate by the total amount of product sold and lastly add those two numbers together to get the total compensation for that month. Unfortunately the coding that I am using is not generating a proper result. However, it should look something like this:

The three main access control methods available are Mandatory Access Control (MAC), Discretionary Access Control (DAC) and Role-Based Access Control (RBAC). Each one of these control methods provides different layers or levels of technical controls that will limit an IT system or network user’s access to data based on security access controls. Mandatory Access Control is a security model where users are given permissions to resources (files, folders or documents) by an administrator (Windows OS) or root (LINUX or UNIX OS) user. The configuration changes to the file or resource permissions can only be modified by the authorized system administrator. Discretionary Access Control is a security model where users

Ensuring data security within your organization is crucial if you are to remain compliant against the increasing data security regulations, as well ensuring that you maintain a good relationship with your customers and prospects. Data security concerns the protection of data from accidental or intentional but unauthorized modification, destruction or disclosure through the use of physical security, administrative controls, logical controls, and other safeguards to limit accessibility. Protecting your customer information and ensuring full confidence in your data security measures will put you in good stead for protection against data loss and data security breaches. Data is the raw

SQL Injection is one of the main database attack mechanisms used by hackers to loot organization 's data from databases. Hacker target the application layer program and takes advantage of the improper coding methods to inject SQL command into a web form and then gain access to the database. SQL injection may adversely affect the integrity of the database and may reveal sensitive data of the organization. The intensity of the SQL injection attack vary depend on the capabilities of the backend database in use. With the help of SQL injection hacker can change existing queries, attach additional queries, read in or write to file or execute operating system command from the database. To protect organization data from SQL injection we need to apply security measures in the application layer and in the database layer. The purpose of this study is to analyze the database functionalities/security holes, mainly Oracle and MySQL, and propose the preventive measures database developers need to consider in the database layer while working with these databases to secure data from SQL injection.

This assignment will be on the Clifton Liquor Store located in Clifton, Colorado. This essay will explain the entire floor plan of the store. Moving forward we will discuss the threats and evaluate the risk of each threat. We will point out the times in which the store is most vulnerable for each threat as well as counter-measures for each threat. We will then discuss the security measures the liquor store has put into place. Lastly we will point out the plans in place in an emergency situation such as a fire or a bomb threat.

Any data system with a security policy will most likely have an array of countermeasures that have a range of threats. An organizations guideline, policies and coaching material that is virtually nonexistent and not really pressed upon

The most important thing about the database is to have it secure and safe. You want to make sure that the database is hosted on a secure network. For the best secure database, the system should remain and be installed on its own dedicated machine that is not directly connected to the network. It should not be accessible by just anyone, the super user should be the only one with access and the database should be installed behind its own firewall and perhaps a 7 layer security system. The passwords should be changed every month and include numbers and letters. There should also be no live production data because this can be copied and sent to a remote server. You can install and use host restrictions from server to server communications.

Another important aspect is to define who owns the information and what measures should be taken to protect the data.

12. What is a threat in the context of information security? How many categories of threats exist as presented in this chapter?

Access control allows specific users either privileges or restriction of access to objects in a database system. A Data Base Administrator (DBA) must take in specific consideration pertaining to which users can see what tables, and perform certain data actions among those specific tables. Access control can be defined in three ways: Mandatory Access Control (MAC), Discretionary

With advances in technology constantly happening, it can be hard to keep up with all of the latest trends. If organizations cannot keep up with the latest trends, it can lead to flaws in their security. Any flaws in security can have a detrimental effect on an organization’s database. Almost every organization has some sort of database, whether it is for maintaining customers, inventory, or vital information.

Access control has been in use before the growth of the technology world. It could involve a simple action as locking a door. A person locks a door to prevent entry to those who are not allowed or authorize to do so. The same can be said about the security involving databases and the controlling of who can have access and what can be accessed. As far as database security is concerned, there are various categories that are involved in access control. The four main categories of access control include: Discretionary, Mandatory, Role-based, and Rule-based access control.