INFORMATION is one of the most valuable assets in any organization.
Definition
Database security: the mechanisms that protect the database against intentional or accidental threats.
In practical terms, database security is about preventing the confidential data which is
Organizations that function well demand confidentiality for their databases. They do not allow illegitimate users to access their data or information, and they also require assurance that their data
Various security layers exist in a database:
• database administrator
• system administrator
• security officer
• developers
Security can be violated at any of these layers by an attacker.
Attackers can be classified into 3 types:
A. INTRUDER
An unauthorized user who gains access to the computer system and its data.
B. INSIDER
An authorized user who abuses the privileges legitimately granted to them.
C. ADMINISTRATOR
An authorized user who has permission to administer a computer system, but uses his/her administration privileges illegally, in violation of the organization's security policy.
Direct attacks
Directly hitting the target data is
Indirect attacks
As the name implies, indirect attacks are not executed directly on the target; instead, data from or about the target is collected through other intermediate objects. In order to deceive the security system, some of the
Passive attacks
The attacker only inspects the data present in the database and does not perform any
Active attacks
Actual database values are modified, which can mislead a user.
• Interruption:
– stopping a process that is currently running.
– Example, performing denial of service: taking the database away from the Web application, so that service is denied to other users.
• Interception:
– intercepting a process that is currently running.
– Example, determining the database schema: extracting data from the database in order to learn schema information, such as table names, column names and column data types.
• Modification:
– changing data without permission from the responsible authority.
– Example, adding or modifying data: adding to or altering the information in the database.
• Fabrication:
– fundamental damage to the core system.
– Example, injection through user input: the attacker injects SQL commands by supplying deliberately crafted user input.
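To make the Interception and Fabrication items above concrete, here is an added example (it is not part of the original slides) in Python using the standard-library sqlite3 module. It builds a constructed two-table database, shows how a lookup assembled by string concatenation lets crafted user input extract the schema from sqlite_master (Interception) and then read a table the lookup was never meant to touch, and shows the same lookup with a bound parameter, where the identical input is treated purely as a value. The table names, rows and payloads are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database: a users table the application is meant to
    query, and an api_keys table it is not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT);
        INSERT INTO users (username, email)
            VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com');
        INSERT INTO api_keys (owner, secret) VALUES ('alice', 'sk-constructed-0001');
    """)
    return conn


def lookup_user_vulnerable(conn, username):
    """Fabrication through user input: the value is spliced into the SQL text,
    so quotes and keywords inside it change the statement the engine compiles."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Same query with a bound parameter: the statement text is fixed and the
    input is only ever a value, never SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Crafted inputs (constructed). The UNION keeps the column count at two so the
# attacker's rows ride along with the (empty) legitimate result set; the trailing
# comment swallows the closing quote the application appends.
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master WHERE type = 'table' --"
SECRET_PAYLOAD = "x' UNION SELECT owner, secret FROM api_keys --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"   # WHERE clause becomes always true: dumps every user


def demo():
    conn = make_db()
    # Interception: learn the table names and their CREATE statements.
    schema_rows = lookup_user_vulnerable(conn, SCHEMA_PAYLOAD)
    # Then pull the contents of a table the lookup was never meant to expose.
    secret_rows = lookup_user_vulnerable(conn, SECRET_PAYLOAD)
    everyone = lookup_user_vulnerable(conn, TAUTOLOGY_PAYLOAD)
    # The parameterized lookup returns nothing for the same inputs: no user is
    # literally named "x' UNION SELECT ...".
    blocked = lookup_user_safe(conn, SCHEMA_PAYLOAD) + lookup_user_safe(conn, TAUTOLOGY_PAYLOAD)
    return {
        "tables": sorted(row[0] for row in schema_rows),
        "secrets": secret_rows,
        "dumped_users": len(everyone),
        "blocked": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A stacked-statement payload such as `'; DELETE FROM users --` (the Modification case) is not shown because Python's sqlite3 module refuses more than one statement per execute() call; drivers for several other engines do accept them, and the defence is the same: bind parameters rather than build SQL text from input.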
BUSINESS REQUIREMENT: COMPLIANCE
• DATA INTEGRITY
Regulations designed to prevent fraud and ensure that data changes are appropriately managed.
• DATA CONFIDENTIALITY
Regulations designed to protect
Government and industry regulations require organizations to protect regulated data from unauthorized access and changes.
REGULATION NAME | SECURITY REQUIREMENT
Payment Card Industry Data Security Standard (PCI DSS) | Requires that merchants track and monitor all access to cardholder data; secure audit trails so they cannot be altered; remove or disable inactive user accounts at least every 90 days.
EU Privacy Directive | Protects personal data that is processed or transferred.
DATABASE SECURITY REQUIREMENT
ORGANIZATIONS MUST IMPLEMENT A COMPREHENSIVE
• DISCOVERY & CLASSIFICATION OF SENSITIVE DATA
• USER RIGHTS MANAGEMENT
• DATABASE & APPLICATION ATTACK PREVENTION
To protect database data, an organization should identify, and optionally block,
• an intelligent Web application firewall
Security Levels On Relational Databases
• Relation
The user is allowed or not allowed to access a relation directly.
• Read Authorization
The user is allowed to read the data, but cannot modify it.
• Insert Authorization
The user is allowed to insert new data, but cannot modify existing data.
• Update Authorization
The user is allowed to modify the data, but cannot delete it.
• Delete Authorization
The user is allowed to delete data.
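The four authorization levels above correspond to the relation-level actions a database engine checks when it compiles a statement. As an added example (not from the original slides), the Python code below models a hypothetical privilege matrix for an employees relation and enforces it with the sqlite3 module's set_authorizer hook, which SQLite consults for every table read, insert, update and delete it is about to compile. The user names, the relation, the rows and the privilege assignments are constructed for the example; a server RDBMS would express the same matrix with GRANT SELECT / INSERT / UPDATE / DELETE ON employees TO the respective user.

```python
import os
import sqlite3
import tempfile

# Hypothetical privilege matrix (constructed): for each user, the set of
# privileges held on each relation. "read" alone is Read Authorization,
# read+insert adds Insert Authorization, and so on up to Delete Authorization.
PRIVILEGES = {
    "auditor": {"employees": {"read"}},
    "clerk":   {"employees": {"read", "insert"}},
    "manager": {"employees": {"read", "insert", "update"}},
    "dba":     {"employees": {"read", "insert", "update", "delete"}},
}

# SQLite reports the relation-scoped action it is about to compile; map those
# action codes onto the four authorization levels.
ACTION_TO_PRIVILEGE = {
    sqlite3.SQLITE_READ:   "read",
    sqlite3.SQLITE_INSERT: "insert",
    sqlite3.SQLITE_UPDATE: "update",
    sqlite3.SQLITE_DELETE: "delete",
}

# One representative statement per authorization level (constructed).
OPERATIONS = {
    "read":   ("SELECT name, salary FROM employees WHERE id = ?", (1,)),
    "insert": ("INSERT INTO employees (name, salary) VALUES (?, ?)", ("carol", 3900)),
    "update": ("UPDATE employees SET salary = ? WHERE name = ?", (5500, "alice")),
    "delete": ("DELETE FROM employees WHERE name = ?", ("bob",)),
}


def make_authorizer(user):
    grants = PRIVILEGES.get(user, {})

    def authorize(action, table, column, db_name, trigger_or_view):
        privilege = ACTION_TO_PRIVILEGE.get(action)
        if privilege is None:
            # BEGIN/COMMIT, the SELECT wrapper, function calls: not relation-scoped here
            return sqlite3.SQLITE_OK
        if privilege in grants.get(table, set()):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY   # the statement fails to compile at all

    return authorize


def attempt(conn, sql, params):
    """Run one statement and report whether the authorizer let it through."""
    try:
        conn.execute(sql, params).fetchall()
        conn.commit()
        return "ok"
    except sqlite3.DatabaseError:    # SQLITE_DENY surfaces as "not authorized"
        return "denied"


def run_matrix():
    """Try every user against every operation; returns {(user, op): status}."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        owner = sqlite3.connect(path)     # schema owner: no authorizer installed
        owner.executescript("""
            CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
            INSERT INTO employees (name, salary) VALUES ('alice', 5000), ('bob', 4200);
        """)
        owner.close()

        results = {}
        for user in PRIVILEGES:
            # A fresh connection per user: the authorizer runs when a statement is
            # prepared, and each connection caches its prepared statements, so
            # reusing one connection across users could skip the check.
            conn = sqlite3.connect(path)
            conn.set_authorizer(make_authorizer(user))
            for op, (sql, params) in OPERATIONS.items():
                results[(user, op)] = attempt(conn, sql, params)
            conn.close()
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    for (user, op), status in run_matrix().items():
        print(f"{user:8} {op:7} {status}")
```

Because the check happens when the statement is compiled rather than when rows are touched, a denied UPDATE or DELETE never reaches the data at all; the same property is what makes the statement-cache caveat in the comment matter in real deployments.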