Information Security

A database is the main component of most major web-based applications: it makes it possible to serve varied dynamic content. Because such a database can contain sensitive, important and secret information, database security deserves close attention. Everyone who works with a database must first connect to it, then send a request, process the answer and close the connection in order to read or store information. The Structured Query Language (SQL) is used for this very frequently. What can a hacker do with an SQL request? It is well known that PHP on its own cannot protect the database.
There is a simple rule: security should cover all possible breaches. The more places DB administrators protect, the less probable it is that a hacker will obtain the secret information stored in the database. All dangerous weaknesses can be closed if the structure of the database and its application is well designed. Let us examine two articles related to database security. The first article, "Database Security: Protecting Sensitive and Critical Information", provides readers with a definition of data security and the distinctions between network security and data security. Scott C. Newins considers that database security "does not supersede other security technologies, such as network layer firewalls, network monitoring, SSL-secured communications, operating system and application hardening. But data protection needs to be in place as the core element of a complete enterprise security infrastructure" (2003, para. 2).
He focuses attention on the potential risk associated with sensitive information held within databases (2003, para. 3).
At the same time, Scott C. Newins stresses that, while DB administrators plan their database security, it is very important to make sure that authorized persons are still able to obtain the information they need.
A bank stores all passwords and other secret information in special encrypted files, so access to the database must be organized in such a way that the information can be obtained at the appropriate time. The author recommends focusing on "proper access control, selective encryption of stored data, separation of duties and centralized independent audit functions" (2003, para. 3) to protect the database. Scott C. Newins notes that, although there may be network authorization, various access codes, roles, passwords and logins, some databases still remain unprotected. In such cases it is not enough to protect the perimeter: it is important to be able to use "out-of-the-box application transparent encryption" (2003, para. 17) and other technologies. Newins considers that DB administrators should know all the basic principles of databases and database security.
He specifies useful tips on DB protection and gives specific examples of what can be done about interference. Let us analyze database security and provide the user with definite recommendations following Newins. The basic idea is this: "You can't access what you can't see" (Blake Wiedman, 2005, para. 14). The first step in database security is, actually, the creation of the database, except in cases where the DB administrator uses a ready-made database. When creating a DB, a person determines its owner (admin).
The administrator can make any changes to objects inside the database and has to provide other users with access to the DB. He can create different DB users with differentiated access levels for every application that needs them. These rights should be defined carefully: if a hacker gains access through any one entry point, he can reach only that one part of the application. "Table access control is probably one of the most overlooked forms of database security because of the inherent difficulty in applying it" (Blake Wiedman, 2005, para. 22).
The administrator can use SSL to encrypt the client-server connection to his database and so raise the security level, and SSH to encrypt network connections between the DB server and the client.
In that way a hacker will find it hard to spy on information in network traffic. However, SSL/SSH protects the data only between client and server: SSL is an on-the-wire protocol, so it cannot protect the data kept in the database itself. When a hacker gains access to the DB, he can use the stored information unless the data is protected in the database by encryption. What are the best recommendations? The most practical way for the administrator is to create his own encryption package and use it in his PHP scripts. He can use Mcrypt and Mhash, which include many encryption and hashing algorithms.
The script encrypts the information and decrypts it on request. Many programmers consider SQL requests to be safe commands. However, hackers can create or alter SQL commands to gain access to hidden secret data with the help of Direct SQL Command Injection. A hacker can even create a superuser in a DB if its administrator does not check the data entered into the application. How can DB security be improved? The DB administrator should never trust input of any kind (especially information that reaches the application from the client side).
He should never connect to the database as superuser or owner.
To avoid this he can use specialized users with limited access only. It is important to check whether the input has the expected type of information. PHP has many functions that can check input, from the simple is_numeric() to ctype_digit().
If the application expects numeric input, the DB administrator can check the data with is_numeric() or convert its type with settype().
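The two recommendations above (never splice untrusted input into an SQL statement; check that input has the expected type before using it) can be shown side by side in a runnable form. The following is an added example, not code from the essay or from either cited article; it is written in Python with an in-memory SQLite table rather than the PHP the essay mentions, because the technique is the same in both. The `users` table, its rows and the probe string are constructed for the demonstration, and `parse_user_id()` plays the role the essay assigns to PHP's ctype_digit()/is_numeric() check.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: a small user table standing in for the
    # application's real database (not taken from the essay).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, name, secret) VALUES (?, ?, ?)",
        [(1, "alice", "alice-secret"), (2, "bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input is pasted into the statement text, so the client
    # controls the SQL itself (the flaw the essay calls Direct SQL Command
    # Injection). A value containing a quote changes the WHERE clause.
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Placeholder binding: the driver sends the value as data, so it is
    # compared literally and never parsed as SQL.
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def parse_user_id(raw: str) -> int:
    # Type check before use, the counterpart of ctype_digit()/is_numeric():
    # accept only an ASCII decimal string, then convert it to an integer.
    # (isascii() excludes Unicode digits that isdigit() alone would accept.)
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"user id must be digits only, got {raw!r}")
    return int(raw)


def lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> list:
    # Validate first, then still bind the value instead of formatting it in.
    return conn.execute(
        "SELECT name FROM users WHERE id = ?", (parse_user_id(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed input that is not a real user name
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_safe(db, probe))        # []
    print("by id:     ", lookup_by_id(db, "2"))
    try:
        lookup_by_id(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:  ", exc)
```

Running the script shows the difference directly: the same probe string returns both rows from `lookup_vulnerable()` and nothing from `lookup_safe()`, and the id lookup refuses anything that is not a plain number before the database ever sees it. The limited-privilege account the essay recommends is a separate, complementary control: even a bound query can only read what the connecting user is allowed to read.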
To prevent unauthorized access to the database, the administrator can also use a set of specific measures such as special tools; trusted IP addresses ("Every server should be configured to only allow trusted IP addresses", Blake Wiedman, 2005, para. 16); account disabling ("If you suspend the server ID after three password attempts, attackers are thwarted.
Without user ID suspension, an attacker can run a program that generates millions of passwords until it guesses the user ID and password combination", Blake Wiedman, 2005, para. 28); port access ("All Oracle applications are directed to listen at a specific port number on the server. Like any standard HTTP server, the Oracle Web Listener can be configured to restrict access", Blake Wiedman, 2005, para. 35); role-based security ("Object privileges can be grouped into roles, which can then be assigned to specific users", Blake Wiedman, 2005, para. 32), etc.
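Two of the measures just listed, the trusted-address filter and suspension after three failed password attempts, are simple enough to implement in a few lines, and seeing them together makes clear why the order of the checks matters. The following is an added example written for this page, not code from the essay or from the Wiedman article. Everything in it is assumed for the demonstration: the `LoginGate` class and its method names, the trusted network `10.0.0.0/8`, the user names and passwords, and the choice to store passwords as salted PBKDF2-HMAC-SHA256 hashes (the essay only says passwords are kept encrypted).

```python
import hashlib
import hmac
import ipaddress
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: bytes = None) -> tuple:
    # Store a salted PBKDF2 hash instead of the password itself, so a copy
    # of the credential table does not hand the attacker the passwords.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class LoginGate:
    """Trusted-address filter plus lockout after a fixed number of failures."""

    def __init__(self, trusted_networks, max_attempts: int = 3):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.max_attempts = max_attempts
        self.credentials = {}  # user -> (salt, digest)
        self.failures = {}     # user -> consecutive failed attempts
        self.locked = set()    # suspended user IDs

    def register(self, user: str, password: str) -> None:
        self.credentials[user] = hash_password(password)

    def attempt(self, user: str, source_ip: str, password: str) -> str:
        # 1. Address check first: an untrusted source never reaches the
        #    credential logic, so it cannot burn attempts or lock out users.
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in self.trusted):
            return "rejected: untrusted address"
        # 2. A suspended ID stays suspended even if the password is right.
        if user in self.locked:
            return "rejected: account locked"
        # 3. Credential check. Unknown users get the same answer as a wrong
        #    password so the response does not reveal which IDs exist.
        stored = self.credentials.get(user)
        if stored is not None:
            salt, digest = stored
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                self.failures[user] = 0
                return "ok"
        # 4. Count the failure; suspend once the limit is reached.
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "rejected: account locked"
        return "rejected: bad password"


if __name__ == "__main__":
    gate = LoginGate(["10.0.0.0/8"])
    gate.register("alice", "correct horse battery staple")
    print(gate.attempt("alice", "192.168.1.5", "correct horse battery staple"))
    for _ in range(3):
        print(gate.attempt("alice", "10.1.2.3", "guess"))
    print(gate.attempt("alice", "10.1.2.3", "correct horse battery staple"))
```

The address filter sits in front of everything else on purpose: if it came after the attempt counter, traffic from untrusted addresses could lock legitimate users out. Real deployments usually add an expiry to the lock and an alert on each suspension, so that a burst of lockouts is noticed rather than silently absorbed.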
Bibliography:

Newins, Scott C. (2003). Database Security: Protecting Sensitive and Critical Information. DM Direct Newsletter, January 31, 2003 issue. Retrieved February 11, 2005, from http://www.dmreview.com/article_sub.cfm?articleID=6310

Wiedman, Blake. (2005). Database Security (Common-sense Principles). Retrieved February 11, 2005, from http://www.governmentsecurity.org/articles/DatabaseSecurityCommon-sensePrinciples.php