Reply To: OCU ISSO Week 4 Lesson 14 Discussion
IST3100 Information Systems Security Officer
WK4 Database Security Discussion
This is a wide scope to discuss, as database security includes a variety of measures used to secure database management systems from malicious cyber-attacks and illegitimate use (Imperva, 2023). I have learned this week that database security programs are designed to protect not only the data within the database, but also the data management system itself, and every application that accesses it, from misuse, damage, and intrusion (Imperva, 2023). I felt that this is an extremely important point to fully comprehend as a Security Officer (SO).
Database security encompasses tools, processes, and methodologies which establish security inside a database environment (Imperva, 2023). Okay, so what are we fighting against or potentially defending against? THREATS! Even insider threats. For example, an insider threat is a security risk from one of the following three sources, each of which has privileged means of entry to the database:
A malicious insider with ill-intent (Imperva, 2023).
A negligent person within the organization who exposes the database to attack through careless actions (Imperva, 2023).
An outsider who obtains credentials through social engineering or other methods, or gains access to the database’s credentials (Imperva, 2023).
An insider threat is one of the most typical causes of database security breaches and it often occurs because a lot of employees have been granted privileged user access (Imperva, 2023).
Another attack type worth discussing is a database-specific threat involving the use of arbitrary non-SQL and SQL attack strings in database queries (Imperva, 2023). Typically, these are queries created as an extension of web application forms or received via HTTP requests (Imperva, 2023). This may seem like super power hacker stuff, but it is not really that complicated. In fact, nearly all database systems are vulnerable to these attacks if developers do not adhere to secure coding practices and if the organization does not carry out regular vulnerability testing (Imperva, 2023).
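As an added illustration (my own example, not from Imperva or the course material), here is the difference between a query that splices a web-form value into SQL text and the same lookup written with a bound parameter. The table, the user rows and the test inputs are all constructed for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Defective pattern: the form value becomes part of the SQL text, so any
    # quote characters inside it change the structure of the query itself.
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: the value travels as a bound parameter and is only
    # ever compared as data, never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo() -> dict:
    conn = make_db()
    normal = "alice"
    # Constructed test value: no such user exists, and the string contains
    # SQL syntax, so a correct lookup must return nothing for it.
    crafted = "' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "safe_normal": lookup_safe(conn, normal),
        "unsafe_crafted": lookup_unsafe(conn, crafted),   # leaks every row
        "safe_crafted": lookup_safe(conn, crafted),       # returns []
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The assertion that the crafted input returns no rows is exactly the kind of check that belongs in the regular vulnerability testing the post mentions, so a regression back to string-built queries is caught before release.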
The defense starts with understanding the enemy.
That’s all I’ve got.