Question
Company X has decided to let its employees use smart phones and tablets to access their databases. The company keeps databases with different types of information in their own servers accessed through their web site, and in a public cloud, accessed through its portal server. The company web site and the cloud portal server receive requests from the employees to perform services that use information from their databases. The employees can also use their phones for their social activities. Smart phones use access points to connect to a wireless network. This network in turn connects to the Internet to reach other users through email and access the company web server and the cloud portal.
b. Indicate how to separate in each phone interactions with the company databases from social interactions.
c. How can we have secure interactions with the company data in the cloud? Indicate the necessary security functions and where, e.g. Authentication in point A of the block diagram
d. Analyze the possible insider threats for both types of databases. Which database is more exposed to insider threats? Any help on this would be appreciated as I feel kind of stuck.
I've already completed part A and was wondering about some input for the other questions as I feel kind of stuck.
Explanation / Answer
b) In this case, all phone interactions must be carried out with only certain privileges, so as to give permission to 'view' only, without giving other integrity constraints such as update, modify, or delete options. The security constraint applied should not merge the database with the employee's social interaction data.
The database administrator would have full access to all tables in the database. They can abuse this privilege to extract sensitive data such as credit card numbers, Social Security numbers and product plans to sell on the black market.
To avoid alerting network security monitoring tools when downloading large amounts of sensitive data, a knowledgeable database administrator would download this information in small pieces over several days.
c) The functions that can be applied basically depend on the requirements mentioned below:
Requirements:
Cryptography provides:
Secure Systems require:
Types of Security Functions
Password Storage and Transmission
On some systems the actual user password is not stored on the system. The host may store a one way function (Hash) of the users' passwords rather than the actual password. Sometimes the system will add additional random characters (salt) to the password and perform the hash function on the salt value with the password. The salt value is also stored on the system. When the host receives the transmitted user password, it will run the one way hash function on it (with the salt value if appropriate) and if the results match, the user is authenticated. The password should be sent using some type of encryption so eavesdroppers cannot read the password.
d) Possible insider threats we may face :
1. Excessive and Unused Privileges
When someone is granted database privileges that exceed the requirements of their job function, these privileges can be abused.
2. Privilege Abuse
Users may abuse legitimate database privileges for unauthorized purposes. Consider an internal healthcare application used to view individual patient records via a custom web interface. The web application normally limits users to viewing an individual patient’s healthcare history – multiple patient records cannot be viewed simultaneously and electronic copies are not allowed. However, a rogue user might be able to circumvent these restrictions by connecting to the database using an alternative client such as MS-Excel. Using Excel and their legitimate login credentials, the user could retrieve and save all patient records to their laptop. Once patient records reach a client machine, the data then becomes susceptible to a wide variety of possible breach scenarios.
3. Input Injection (Formerly SQL Injection)
There are two major types of database injection attacks:
a) SQL Injection that targets traditional database systems and
b) NoSQL Injection that targets Big Data platforms.
SQL Injection attacks usually involve inserting (or “injecting”) unauthorized or malicious statements into the input fields of web applications. On the other hand, NoSQL injection attacks involve inserting malicious statements into Big Data components (e.g., Hive or MapReduce).
In both types, a successful Input Injection attack can give an attacker unrestricted access to an entire database.
4. Malware
Cybercriminals, state-sponsored hackers, and spies use advanced attacks that blend multiple tactics – such as spear phishing emails and malware – to penetrate organizations and steal sensitive data. Unaware that malware has infected their device, legitimate users become a conduit for these groups to access your networks and sensitive data.
5. Weak Audit Trail
Automated recording of database transactions involving sensitive data should be part of any database deployment. Failure to collect detailed audit records of database activity represents a serious organizational risk on many levels.
6. Storage Media Exposure
Backup storage media is often completely unprotected from attack. As a result, numerous security breaches may involve the theft of database backup disks and tapes. Furthermore, failure to audit and monitor the activities of administrators who have low-level access to sensitive information can put your data at risk.
Cryptography provides:
- Confidentiality - Being sure the message cannot be read and understood by intruders. Requires a cypher algorithm.
- Authentication - The receiver of the message should be able to be sure of the origin of the message. Requires a digital signature (One way hash, public key algorithm, and symmetric algorithm) or a public key algorithm.
- Integrity - The receiver of the message should be able to tell the message was not modified. Requires key exchange.
- Nonrepudiation - There is proof that the sender sent the message. Digital signatures may be used for nonrepudiation.
Secure Systems require:
- Authentication - In order to authenticate a user, most of the time a password is used. Several methods may be used to store and transmit the password depending on the security algorithm and system being used.
- Key exchange/management
- Cypher algorithms (Public key and symmetric)
Types of Security Functions
- One way hash - A fixed length output string is generated from a variable length input. The reverse of the function is almost impossible to perform. A one way hash is also called a message digest, cryptographic checksum, message integrity check (MIC), and manipulation detection code (MDC).
- Message Authentication Code (MAC) - One way hash with addition of a secret key. Only a person with the key can verify the hash.
- A digital signature is when a private key is used to encrypt a message. If the receiver can decrypt it with that person's public key, the signature is authentic. Signatures are done on a one way hash of the message. If a person performs a one way hash on a message and encrypts it with their public key, when the receiver gets the message, they can perform a one way hash on it and compare it to the decrypted one way hash sent to tell if it is authentic. The document cannot be changed without detection after being signed. (Cannot be repudiated). The hash of the document is usually signed.
- Key Certification Authority - Also called a key distribution center. It is a third party who signs distributed public keys with their own private key.
- Interlock Protocol - Used to foil the man in the middle attack
- Key exchange
  - With symmetric cryptography.
  - With Public-key cryptography.
  - With Digital Signatures.
- Salting - The act of combining a user password with a random value as a countermeasure to a dictionary password attack. The combined values are encrypted and stored on the system along with the salt value.
- Secret sharing systems are algorithms that do not allow a single person or a certain number of persons to violate the secret.
- Time stamping services
- Blind signatures - Are similar to a notary who validates the fact that a document was signed without caring about the contents of the document.
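The "Password Storage and Transmission" paragraph in the answer above describes storing a salted one-way hash instead of the password. The following is an added example, not part of the original answer; it uses PBKDF2-HMAC-SHA256 as the salted one-way function, and the iteration count, record layout and sample password are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def unsalted_hash(password: str) -> str:
    """Plain one-way hash: identical passwords give identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def enroll(password: str) -> dict:
    """Build the record the host stores: salt, work factor and hash (no password)."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-run the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice, bob = enroll("Summer2024!"), enroll("Summer2024!")
    print("unsalted equal:", unsalted_hash("Summer2024!") == unsalted_hash("Summer2024!"))
    print("salted equal:  ", alice["hash"] == bob["hash"])
    print("login ok:      ", verify("Summer2024!", alice))
    print("wrong password:", verify("summer2024!", alice))
```

Because each record carries its own salt, one precomputed dictionary cannot be matched against every stored hash at once.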
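The answer above notes that a privileged insider may pull data in small pieces over several days, and lists a weak audit trail as a risk. As an added example (not part of the original answer), this sketch shows why detailed audit records matter: a per-day volume check misses the slow pattern, while a cumulative check over a trailing window flags it. The log format, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: timestamp, account, table, rows returned.
AUDIT_LOG = """\
2024-03-01T02:10:00 user=dba1 table=cards rows=400
2024-03-02T02:12:00 user=dba1 table=cards rows=400
2024-03-03T02:09:00 user=dba1 table=cards rows=400
2024-03-03T10:30:00 user=app_svc table=cards rows=1200
2024-03-04T02:11:00 user=dba1 table=cards rows=400
2024-03-04T11:00:00 user=clerk7 table=cards rows=30
2024-03-05T02:10:00 user=dba1 table=cards rows=400
2024-03-06T02:13:00 user=dba1 table=cards rows=400
"""
DAILY_LIMIT = 1000           # assumed per-day row threshold
WINDOW_LIMIT = 2000          # assumed cumulative threshold
WINDOW = timedelta(days=7)   # assumed look-back period

def parse(log):
    """Turn 'ts key=value ...' lines into (time, user, table, rows) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["user"], kv["table"], int(kv["rows"])))
    return sorted(events)

def daily_alerts(events):
    """Flag (user, table) pairs that exceed DAILY_LIMIT on any single day."""
    per_day = defaultdict(int)
    for ts, user, table, rows in events:
        per_day[(user, table, ts.date())] += rows
    return sorted({(u, t) for (u, t, _), n in per_day.items() if n > DAILY_LIMIT})

def window_alerts(events):
    """Flag pairs whose rows summed over the trailing WINDOW exceed WINDOW_LIMIT."""
    history, flagged = defaultdict(list), set()
    for ts, user, table, rows in events:
        seen = history[(user, table)]
        seen.append((ts, rows))
        if sum(r for t, r in seen if ts - t <= WINDOW) > WINDOW_LIMIT:
            flagged.add((user, table))
    return sorted(flagged)

if __name__ == "__main__":
    events = parse(AUDIT_LOG)
    print("daily: ", daily_alerts(events))
    print("window:", window_alerts(events))
```

On the constructed log, only the single large read trips the daily check, and only the account reading 400 rows a night trips the windowed check.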