Abstract be more adept and interested in learning


The basic knowledge on
database security that people in the field of technology should know nowadays
is very simple. Students can avoid mistakes that compromise their security on
their network, and thus not falling victim to hacker, by following
uncomplicated methods.  There is a vast
amount of information out there, which I have put together, so I can share this
knowledge with people that are interested in learning something new for their
own benefit. Database security is an essential component of many computing
systems. It allows data to be viewed and accessed electronically by the public,
and the amount of data confined in these systems continues to grow at an exponential
rate. We can use databases to learn about an infinite amount of facts, no
matter how small; such as how much people spent on a Black Friday or Christmas,
 even if we need more details what race
spent more money. Also, databases can be used to hack valuable information such
as credit card numbers, files or anything valuable for the user. Hackers and
malware are often enabled by errors committed by the victim or database owner,
for which reason they are the ones who should be more adept and interested in
learning how to secure their database.


Any given company’s
integrity is crucial when it comes to their customer relations, productivity
and overall performance. All this is jeopardized by the security issues that
companies face when it comes to their database systems that are used by many of
these companies. There have been many new developments in the field of
information technology, which offer more opportunities for business operations
to improve their efficiency and effectiveness. Unfortunately, these
developments that have improved customer relations, sales, human resources, and
production, have also negatively impacted their security and leave them
vulnerable to cybercrimes. Cybercrimes are criminal activities involving a
computer system or technology for identity theft, phishing, and blackmailing.
In this paper, several issues with database security will be discussed, as well
as goals of security measures necessary to fight against cybercrimes, and
maintain database security. Database security is extremely important when
maintaining a successful operation. Database security is the “deliberate effort
to protect an organization’s data against threats such as accidental or
intentional loss destruction or misuse” (Almutairi, 2). These threats and
cybercrimes have been increasing in the last decade as a result of electronic
commerce instead of conventional trade when it comes to materials. Due to the
amount of powerful information that can be leaked or used for ransom or
blackmailing, companies have prioritized the security of their databases.

The main issue that puts
strain on the database security of a company is the company’s way of product
distribution and client/server architecture. One of the different threats to
database systems is “Loss of availability”, which means that data or systems
cannot be accessed by any user. This is often a result of sabotaged hardware,
applications or networks from cyber criminals looking to use this lost
information as ransom. Since this would cause a company to halt its daily
activities and lose a lot of money, they usually give into the criminals’
demands (Singh, 2009). An example of this is a bank loosing account numbers and
privileged client information to cyber criminals, or hackers; they will lose all
the clients that could possibly be robbed, and will have to reimburse those
clients for their loss.

Another method of
compromising the security of a company’s database is by giving “excessive
privilege” to a user who can abuse it and use or share the private information
with malicious intent, which can damage a company’s reputation and credibility
(Singh, 2010). Another type of threat is having a weak audit trail, which is
when an “organization exposes itself to risk of various types due to weaknesses
in its internal system” (Almutairi, 3). A weak system and procedures for
authentication are a huge problem when it comes to database security as well,
because it opens the door for hackers to steal or change credentials. If
hackers get their hands on important data, they can deny service or access to
users, which they use as a means to extort money from the interested parties.
This type of data corruption is very common and unfortunately often works for

Most of these
cybercrimes, as mostly any type of crimes, are for theft or fraud purposes.
This happens when employees go into protected areas where the databases are,
and interfere with the systems. In order to avoid such threats, companies
should have more control over these protected areas and install a reliable
firewall to prevent people from having unauthorized access to their database
systems. Another serious form of cybercrime is identity theft, which has
increased a lot over the last decade, because it has become easier for hackers
to obtain people’s personal information from banks and other sources that
usually hold information such as social security numbers of individuals. This
is a huge issue, because an individual can be driven to declare bankruptcy
after being the victim of identity theft, because the violator usually spends
large sums of credit card money in the name of the victim.

The livelihood of
individuals are at risk when hackers are able to access databases and steal
private information. In August 2009, three cyber criminals were accused for
carrying out the “single largest data breach recorded to date”; they stole over
“130 million credit and debit card numbers by exploiting a well known database
vulnerability, a SQL injection”, but there were 285 million records that had
been compromised  (Murray, IIP-62). This case was studied very well in
order to record statistics of such crimes, and to be able to predict how these
hackers work. It was found that most data breaches come from external sources,
with 75% of the incidents coming from outside a company, while 20% come from
the inside. It was also found that 91% of the compromised records were breached
because malware facilitated by errors committed by the victim. Therefore, in
order to avoid large amounts of hacking, it is crucial for companies to limit
access, and have more information technology professionals working in their
database security.

Due to the many dangers
and threats enabled by a weak database system, or loosely secured access to
unreliable personnel, there are several goals that need to be seriously worked
on, so that companies can win against cyber criminals. These goals include;
confidentiality, maintaining integrity, and securing data. Below are some
methods as presented by Meg Murray, that can be used to achieve these goals,
and to designing network behavior pattern that lets companies know of intrusive
or improper use of the network, as well as track those patterns.

a.      Access Control-

The best method of protection against cybercrimes is access
control, which limits the access to the data by using three mechanisms;
authentication, authorization, and access control. Access control is defined in
three ways; Mandatory Access Control (MAC), Discretionary Access Control (DAC),
and Role Based Access Control (RBAC). MAC and DAC give privileges to specific
users or groups to which users are assigned, authentication provide with
usernames and passwords, and authorization give privilege to specifics
resources. For instance, a student will have student access, which is very
limited, or when we give access to the data to people on Facebook that they can
see what we want them to see. With access control it is easy to limit the
access to users. The same thing in SQL the user will be able to update, insert,
delete tables and sub-users just will be able to read the tables. Once a role
has been created, the format for implementing RBAC follows the pattern below:

GRANT privilege_name




    b. Row level Security  

The Row level security grants privilege to objects that control
access to database tables and columns. For example, a student will be able to
modify data that corresponds to him or her. In order to see these, we have to
use SQL. Row level security plays an important role in the database security.
Despite the difficulty of implementation, it allows restriction of access to
data in the table related to a specific category.  Because it would be
waste of time storing each person to the database, and giving full access to
all user’s full access to the table. To avoid this one, when the user is on a
general row, the user will be redirected to an Oracle’s Virtual Private
Database where everyone will have their own access according their privilege on
the database.



FROM Table_Name

WHERE AttributeName = ‘USER’;


    c. Application Access

Most cannot access to the data just by login into the database,
they access by using a program. There is a program called Security Matrix known
as CRUD which identifies the permission required by the program. This program
shows you a visual depiction of the operation of authorization for objects,
outputs and inputs. The columns with letters CRUD identify the access required
by any program that require access to the data, the column that has all four
letters this cell will have full access to the table. The CRUD letters mean;

C = Create or insert a
Record row

R = Read Query or Select
a row

U = Update or modify

D = Delete

Another advantage of using
this Security Matrix is the visualization because this way, the person in
charge has a better and faster way to identify the applications that are making
changes to the database table. In other words, the Security matrix is a simple
and effective tool to identify security access to the database.


 Database Vulnerability

The data protection of network database is the protection of “data
security, integrity and concurrency of data” (Sabareesan, 1748). However, data
protection is becoming more difficult to protect since there are many
vulnerabilities and breaches database systems face. Because more of the
database is made on the web-bas or internet, the risk of security will increase
because any hacker will be able to access the database if they want to hack it,
that was not the case when the database was on a corporation isolated from
malicious people without the internet, this theft had to brake in physically
into the company to steal information about these companies. Now with the
internet this job is easier for hackers that are stealing in a virtual mode.
Perhaps the vulnerability of this problem is the injection to the SQL. This
injection is no more that simple inputs to the SQL that tricks the database
executing unintended commands that allows these hackers to have access to the
data. For example, on a webpage that have username and password the hacker can
access a malicious text that create a SQL statement in which the SQL will gain
access to data following the string, OR 1 = 1 — entered on the username text
the hacker will get a dynamic access where he can get the real username and
password. For example, in a model SQL code:

SELECT Count *

FROM user table

WHERE username = ‘OR 1 =
1 — ‘AND password = ‘ ‘;


     d. Database

An inference occurs when we get unknown information based on
retrieved information, which is a very subtle vulnerability. This is a problem
because there is not a good solution to this problem, the most recommended
solution is to suppress or conceal. It is very important that people understand
the risk of inferences and how this occurs. To illustrate; there are two
workers Mike and Frank. Mike is trying to find out the Frank’s salary, but
salaries are private data in a company. Mike can gather some data with this
data and he can manipulate the query by summarizing the salary data and
averaging it to see how much money the co-worker makes by only possessing few
details of information about Frank. Here is the SQL sample:


SELECT AVG (salary)

FROM employees

WHERE Gender = ‘M’ AND
department = 10.


The system will not tell
Mike how much money Frank makes per hour but he will figure out how to do it.
Mike can have access to some data but his supervisor has more access in detail.
The ADbC interference sub-module includes three animations that effectively
show how users might be able to put together information when data is available
to users with higher security access, or when they are only given access to
aggregate data. Inference becomes a problem when someone who is not authorized,
say a hacker, wants to generate or view this data to steal individual data

 e. Auditing

This method is used to track user’s activity and to identify who
accesses the database query, actions perform, and data change. Auditing will not
prevent security breaches, but it will show how the data was managed. The
categories that auditing uses are; database access attempts, Data Control
Language (DCL) activities, Data Definition Language (DDL) activities, and Data
Manipulation Language (DML) activities. The monitoring access control, controls
the login and logout attempts. DLC record the user privileges, updates to the
database. DDL change attributes data type, and table structure.  DML
records changes to the data and all these changes are monetarized via log files
and audit tables. The challenge of auditing databases is deciding what and how
much data to retain and how long to keep it. There is an auditing submodule
that can help with these decisions, the ADbC sub-module, which “provides step-by-step
examples  for creating audits of user sessions, changes to database
structure, and modifications to data” (Murray, IIP-74).


f. ADbC Courseware Use
and Evaluation

This ADbc was created to provide support in classrooms. This
software helps students with school materials, where they can practice the
sub-modules to reinforce courses presented in class. The majority of students
said that they agreed or strongly agreed that the sub-modules enhanced their
learning. Even teachers reported that their teaching was enhanced by the
courseware, because it mapped the concepts very well and provided reinforcement
for student learning. Courses like the ADbC are extremely encouraged to the
public because the more people know how to secure themselves against cyber
criminals, the less they will be victims to hackers.


Cryptography and Genetic
Algorithm Methods

Encryption and Decryption

There are other proposed systems that involve cryptography and
genetic algorithm, to battle against the many threats to Database security. By
implementing cryptographic techniques and genetic algorithms to databases,
securing them from hackers who can easily access them will be plausible.
Cryptography is a method used to protect data in two ways; over the network or
in any standalone device. It has two methods; encryption and decryption.
Encryption is the “process of converting plaintext to ciphertext and Decryption
is the reverse process” and both are done by private keys, which are highly
confidential (Sabareesan, 1748).


b. Genetic Algorithms

    Algorithms are part of
the family of the computer. Algorithms are used more in the field of
optimization, but it also is very expensive, and it need a lot of time. Thanks
to the SQL injection attacks is rising, such as hacking credit cards, account
numbers, bank information and much more. this companies have to be prepare
against SQL injections.

First, the alphanumeric data invulnerability is a cryptographic
algorithm, with this technique works on octal encoding and can encrypt and
decrypt encoding scheme, crossover with lesser time than the encryption part.
Even though the encryption part runs autonomy, it is hard to used it.

Second, the cryptography based on chaos is used on cryptography.
This cryptography generates random equations on point. where the cryptography
based on chaos can be used on hardware without using digital or analogue
conversion. Even though, this cryptography chaos detects spectral peaks, this
system is insecure when we want to encrypt long messages.

Third, Cryptography in database security relies on different
technique, such as, access control, information flow control, operating system
and network security, inference, and other protocols. all these mechanisms
together defend any attack to the database, but at the same time consumes a lot
time and is not user friendly.

Four, The challenges in teaching database security. by creating
users accounts managing privileges, different clients and user’s architecture,
application servers, and networks create the need of secure the database. All
these knowledge and people are not interested because there is a lot
complicated material to learn. (Sabareesan M , 1748)

Most people are unaware of the
importance of having a secured computer, or think that their company is not big
enough to have the need to secure their network. Computer Network security
involves the authorization of access in the network control by the administrator.
It is important to have our computers secured in order to avoid theft by
hacking bank accounts, credit card or personal information using these programs
such as   Trojan, malware, spywares programs. These programs can spy
into your computer and get valuable information. If we maintain our PC updated,
and enrolled with known programs that help with network safety, such as
antiviruses, anti-malware, and other firewalls, we will be on our way to
keeping our networks safe from hackers. The importance of having a secure database
Network in the 21th century is huge and brings great advantage to companies,
Startups, small businesses, and the average person. By increasing network
security, your chances of piracy are minimal as well as your chances of being a
victim from hacker attacks. Everything from torrent files can make a breach in
your network by way of malicious viruses, malware, ransom-ware, etc., which
exposes your network to hackers, and can harm your computer, as well as
give easy access to your private information.



    With the fast and
growing developments of network database, it faces many difficulties and risks
of being accessed by unauthorized users, such as hackers and cyber criminals.
This puts in danger the livelihood of individuals, the integrity and
productivity of companies, and the relationship between consumer and producer.
As more data is being made available electronically to the general public, the
more threats and risks are put on the data. The main goals of database security
are to prevent unauthorized access to data, prevent unauthorized tampering or
modification of data, and to ensure that data remains available when it is
needed. So to overcome these risks and tackle many of the vulnerabilities
database security faces, there are several methods and courses of actions
companies can take to secure themselves and their clients. The methods
discussed in this paper were Access Control, Row Level Security, Application
Access Assessment, Database Interfering, Auditing, ADbC Courseware, Cryptography
and Genetic Algorithm. Although the explanation of these methods was basic, it
is my hope that the readers have realized that knowing how to secure their
databases is extremely important, and they will seek out a more detailed
explanation to each method, or enroll in a course that can teach them.