5.1.4: Databases and Security Issues


    Learning Objectives

    • Identify the importance of database security.
    • Apply an understanding of confidentiality, integrity, and accessibility to issues of database security.
    • Analyze a scenario to determine the type of database threat that is described.
    • Identify basic questions that need to be addressed when evaluating database security.
    • Identify steps an individual can take to secure information stored in personal databases or PII shared with businesses.

    Would it be possible to store all of the available data (in digital form) in a single database? Most likely not, since the volume of digital data doubles almost every year (Vishen, 2013). One recent estimate lists the total volume of digital data at 4.4 trillion gigabytes (Dartnell, 2014). That data is currently stored in many different databases, and claims of having the largest database by volume are contested. Recent reports agree that the current holder of that title is the World Data Center for Climate (WDCC) operated by the Max Planck Institute for Meteorology and German Climate Computing Center (Vishen, 2013). Also among the world’s largest databases (Vishen, 2013):

    • National Energy Research Scientific Computer Center (Lawrence Labs)
    • AT&T (calling records)
    • Google
    • Sprint (calling records)
    • LexisNexis (legal research)
    • YouTube
    • Amazon
    • the Central Intelligence Agency, and
    • Library of Congress

    NSA's surveillance database and PRISM data mining program could contend for the top spot if the number of data records were revealed.

    Why Data Security is Important

    It is the confidentiality, integrity, and availability (CIA) of the data in a database that need to be protected. Confidentiality can be lost if an unauthorized person gains entry or access to a database, or if a person who is authorized to view selected records in a database accesses other records he or she should not be able to view. If the data is altered by someone who is unauthorized to do so, the result is a loss of data integrity. And if those who need to have access to the database and its services are blocked from doing so, there is a resulting loss of availability. Security of any database is significantly impacted by any one or more of these basic components of CIA being violated (Nuramn, 2011).

    There are various reasons for spending money, time, and effort on data protection. The main reason is reducing financial loss, followed by compliance with regulatory requirements, maintaining high levels of productivity, and meeting customer expectations (Petrocelli, 2005).

    Both businesses and home computer users should be concerned about data security. The information stored in databases—client information, payment information, personal files, bank account details, and more—can be hard to replace, whether the loss results from

    • physical threats such as a fire or a significant power outage
    • human error that results in errors in the processing of information or unintended deletion of data, or from erroneous input
    • corporate espionage, theft, or malicious activity.

    Loss of this data is potentially dangerous if it falls into the wrong hands (Why Data Security, n.d.).

    It is in these three areas that a risk assessment of the database’s security and protection of the data should focus. Is there a backup procedure that would allow access to the data if the primary database is destroyed by a physical threat? That same backup procedure might be important in case the CIA of the database is inadvertently affected by human error. And what safeguards can/should be put in place to prevent incidents of espionage, theft, or other malicious activity? We will look again at risk assessments later on this page.

    Did I get this?

    You log on to the network and attempt to enter the database to do your assigned work for the day. But your valid ID and password are denied and you cannot get access to the records you need. This situation best reflects a problem with which of the following?

    A classmate contacts you to ask why you received an A on the project and she only received a C. The classmate tells you that she could see your grades posted in the class’s roster and not just her own. This situation best reflects a problem with which of the following?

    All of your educational records (classes taken, grades, financial information, etc.) were deleted from the school’s database by human error. This situation best reflects a problem with which of the following?

    How Common Are Database Breaches?

    Just how prevalent are the threats against databases? Is it worth the time, money, and personnel effort to ensure that the database is safeguarded? Remember the Target and Neiman Marcus problems that surfaced in late 2013? And the continuing saga of Edward Snowden and the NSA leaks? These may have been the most widely publicized data breaches of 2013. But they were definitely just two of many such database breaches. Database breaches are the exposure of database records containing personally identifiable information (PII) or other sensitive information to unauthorized viewers. Risk Based Security (RBS), a group of consultants and founders of the Open Security Foundation (OSF), report that 2013 saw a record number of data records exposed via data breaches. Over 822 million such records were made available to persons who had no authority to view these records (Risk Based Security, 2014). But remember, the number of reported database breaches does not reflect the total number of breaches that occurred. Some companies do not report breaches in order to protect their reputations or to prevent customers from abandoning the company. The following is a short list of what RBS discovered.

    • The business sector accounted for 53.4% of reported incidents, followed by government (19.3%), medical (11.5%), education (8.2%), and unknown (7.6%).
    • Hacking was the cause of 59.8% of reported incidents, accounting for 72.0% of exposed records.
    • Of the reported incidents, 4.8% were the result of web-related attacks, which amounted to 16.9% of exposed records.
    • Four incidents in 2013 alone secured a place on the Top 10 All-Time Breaches list:
      • Adobe—152 million records. Customer IDs, encrypted passwords, debit or credit card numbers, and other information relating to customer orders was compromised.
      • Unknown organizations—140 million records. North Korean hackers exposed e-mail addresses and identification numbers of South Korean individuals.
      • Target—110 million records. Information included customer names, addresses, phone numbers, e-mail addresses, credit/debit card numbers, PINs, and security codes.
      • Pinterest—70 million records. A flaw in the site’s application programming interface (API) exposed users' e-mail addresses.

    Even if you were not impacted by any of the above data breaches, if you have used a credit card, made an airline reservation, subscribed to a magazine, been a patient in a hospital, or shopped at a chain store (supermarket or department store), or if you are a member of an online social media site, your personally identifiable information (PII) is stored in a database. How vulnerable is your PII?

    Did I get this?

    True or false? All of the top database breaches in 2013 involved U.S. companies.

    True or false? Hacking accounts for more than 50 percent of all reported database breaches in 2013.

    True or false? The total number of database breaches is most likely far greater than the numbers reported by RBS in this section.

    What Are the Most Common Causes of Database Breaches?

    As evidenced by the NSA Snowden leaks and the Target breach, no database and no government agency, company, or business is as secure as the owners of that database think. It is difficult for database administrators and security managers to keep pace with the new threats and vulnerabilities that continually emerge. And to compound the issues, every company/business/government has different security issues, making it a particularly hard challenge to standardize any one solution that fits all. However, there are some common threats and vulnerabilities that seem to occur repeatedly.

    Threats

    Unauthorized Access by Insiders

    The malicious insider with approved access to the system is one of the greatest threats to database security.

    People attack computers because that's where the information is, and in our hyper-competitive, hi-tech business and international environment, information increasingly has great value. Some alienated individuals also gain a sense of power, control, and self-importance through successful penetration of computer systems to steal or destroy information or disrupt an organization's activities. (Threats to Computer Systems, n.d.)

    Another scenario might involve employees affected by a workforce reduction who take customer account lists, financial data, or strategic plans with them when they leave. Proprietary information could end up in the hands of competitors or be widely disseminated online (Data Loss Prevention, n.d.).

    Insiders may also be a threat to database security if they are granted database access privileges that go beyond the requirements of their job function, abuse legitimate database privileges for unauthorized purposes, or convert access privileges from those of an ordinary user to those of an administrator.

    Accidental Breaches Resulting from Incorrect—but Not Malicious—Usage

    The data breach is not always the result of a deliberate attempt to subvert data security; sometimes it is an unintended consequence. For example, employees might export data from the parent database system at work and send it, typically unencrypted, to personal e-mail addresses so they can work from home. The data then might be subsequently compromised on someone’s home computer. Or a data mining application might contain flaws that allow a user without the correct access credentials to stumble upon database records inadvertently. (Note: If the user deliberately continues to access the data without permission, this situation becomes a malicious insider threat.)

    Unprotected Personal Hardware Collection

    It is becoming increasingly common for data to be transferred to other personal mobile devices—USB flash drives, smartphones, tablets, and the like. It is rare now to find an employee who never uses a mobile device—personal or company-supplied—for business purposes. However, mobile devices continue to be a significant source of data breaches, stemming from a range of circumstances, including loss or theft of the devices, failure to install antimalware tools on the devices, or failing to password-protect a device being used for business purposes. Data is at risk if an employee stores any proprietary information on such a device or if that device is used to access a company's network and/or database (Bruemmer, 2014).

    Stolen Laptops

    Forgetful or careless laptop owners whose equipment is taken expose data on that laptop to persons not authorized to have access to the data. This can also happen if a laptop is replaced and the hard drive on the original machine is not properly erased or destroyed.

    Weak Authentication

    A legitimate database user typically is required to submit an ID and password in order to gain access to a protected database. Authentication is the process (internal to the database program itself) by which the credentials of the user are verified and access may be granted. If the process of authentication is weak, an attacker can assume the identity of a legitimate user by stealing or obtaining login credentials. Credentials may be illegitimately obtained by various means:

    • Credential theft. The attacker accesses password files or finds a paper on which the legitimate user has written down the ID and password.
    • Social engineering. The attacker deceives someone into providing the login ID and password by posing as a supervisor, IT maintenance personnel, or other authority.
    • Brute-force attacks. Have you ever been locked out of an account after attempting to log in more than three times with an incorrect password? If so, this is the simplest (and perhaps least effective) means of blocking a brute-force attack, whether it is an attempt to access files on your machine or to access a database. However, not all password-protected systems, databases, or files block you from access after three attempts. For example, if you have put a lock on a file on your computer, you most likely have not set a limit on the number of attempts on that file. A brute-force attack is a password-guessing approach in which the attacker attempts to discover a password by systematically testing every combination of letters, numbers, and symbols until the correct combination is found. Depending upon the password's length and complexity, this can be a very difficult task to complete. However, there are widely available tools that hackers can use to find the password, and it can be difficult to block all the means by which a hacker will try to find the password (Blocking Brute Force Attacks, 2007).
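
    The lockout described above, as an added example that is not part of the original text: a per-account throttle that locks after three consecutive failed logins, plus an estimate of how password length and alphabet size change the time an exhaustive search would need under that policy. The 15-minute lock duration and all class and function names are assumptions made for illustration.

```python
import math

# Assumed policy values (hypothetical; "three attempts" mirrors the text above).
MAX_FAILURES = 3          # consecutive failed logins before the account locks
LOCK_SECONDS = 15 * 60    # assumed lock duration: 15 minutes


class LoginThrottle:
    """Tracks consecutive failed logins per account and enforces a timed lock."""

    def __init__(self, max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear the lock and the failure counter.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password_ok, now):
        """Record one login attempt; return 'ok', 'denied' or 'locked'."""
        if self.is_locked(account, now):
            # While locked, even the correct password is refused. This is the
            # availability cost of lockout: the legitimate user is blocked too.
            return "locked"
        if password_ok:
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
        return "denied"


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def worst_case_days(alphabet_size, length,
                    max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS):
    """Days needed to try every candidate against one account when each
    lock window admits only `max_failures` guesses."""
    windows = math.ceil(keyspace(alphabet_size, length) / max_failures)
    return windows * lock_seconds / 86400


def demo():
    """Constructed login sequence: three wrong guesses, a correct password
    during the lock, then a correct password once the lock has expired."""
    throttle = LoginThrottle()
    sequence = [
        (0, False),
        (10, False),
        (20, False),                # third failure triggers the lock
        (30, True),                 # correct password, but account is locked
        (20 + LOCK_SECONDS, True),  # lock expired, login succeeds
    ]
    return [throttle.attempt("alice", ok, now) for now, ok in sequence]


if __name__ == "__main__":
    print(demo())
    # Length and complexity: a 4-digit PIN versus 8 printable ASCII characters.
    print(f"4-digit PIN: {keyspace(10, 4):,} candidates, "
          f"{worst_case_days(10, 4):.1f} days under lockout")
    print(f"8 printable chars: {keyspace(94, 8):,} candidates, "
          f"{worst_case_days(94, 8):.3e} days under lockout")
```

    The lock applies per account, so it does nothing for a locked file or a stolen password file, where no attempt counter is enforced; there only the password's length and complexity stand in the way.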

    Exploiting Weaknesses in an Operating System or Network

    Worms, viruses, or Trojan horses could be introduced into an unprotected or poorly protected operating system or computer network that supports the database, leading to potential unauthorized database access (loss of confidentiality), data corruption (loss of integrity), or denial of service (DOS), a loss of access for legitimate users. A DOS may be achieved by causing a server to stop functioning, or “crash,” flooding a network with message traffic, or overloading resources on the computer, forcing it to stop handling additional tasks or processing.

    Theft of Database Backup Tapes or Hard Drives

    Database backups typically do not have the same security measures in place that the primary database employs. These backups may not be encrypted, and the media on which backups are stored are also unprotected. Theft of the backup media may allow the attacker full access to the data stored within the backup (Schulman, 2007).

    learn by doing

    A savvy hacker targets a local university as a potential source of access to social security numbers, which he can sell on the black market. He obtained the credentials of a previous university employee by hacking that employee's personal computer, on which the employee had stored his ID and password to the university’s database. The hacker then used the ID and password to access the personnel files at the university. Which threat best describes this database breach?

    As a result of an upcoming merger, a long-time employee of Company QRS finds out that she is slated to be laid off in the process of combining workforces. As part of her current job, she has access to a database that holds a great deal of research in which Company QRS is currently involved. She starts downloading this sensitive information and stores the files on a removable flash drive, which she takes home. Which threat best describes this database breach?

    The regional marketing manager for a large pizza chain is on a business trip to a national marketing meeting. Before leaving for the meeting, he downloads all of the financial information related to his region to the iPad he uses for work. While putting his shoes back on after going through TSA security checks at the airport, he inadvertently leaves his iPad on the bench. He discovers his iPad is missing and returns to the screening area, but the equipment is nowhere to be found. The next day it is discovered that data from the database has been downloaded by someone who does not have authorization to access that data. Which threat best describes this database breach?

    A busy lawyer has not had time to update his computer’s operating system with the latest security patches. A hacker takes advantage of this known vulnerability and gains access to the firm’s files related to all clients facing criminal charges. Which threat best describes this database breach?

    Vulnerabilities

    There are other means by which databases are exposed to security breaches, and these are considered vulnerabilities that may subject a database to a security breach. These are more passive, but they can do as much harm as direct threats:

    • Data at rest (unencrypted information) that is passively residing in storage within the boundaries of company computers, perhaps waiting to be moved to a secure database. Data at rest typically is not as well protected as data that has been entered into the database and enjoys the database security measures.
    • Data in motion is information that is being electronically transmitted outside the company’s protected network via e-mail or other communication mediums. For example, the data might be transferred to a backup facility that is not part of the internal storage media used for daily work. Or if the company uses the cloud for data storage backups, the transfer might take place outside of the company’s protected network. This can lead to a loss of sensitive data if there is a malicious attack via malware during the transfer process or during execution of a flawed business process that allows unauthorized persons to view or obtain the data. (This is not the same as the accidental breach resulting from incorrect but not malicious usage noted above, where the home computer to which the data has been transferred is attacked or breached. That accidental breach occurred without any intention of harm by the employee.)
    • Poor architecture, in which security was not adequately factored into the design and development of the database structure. This vulnerability may not be discovered until there is an attempted or successful data breach.
    • Vendor bugs, particularly programming flaws that allow actions to take place within the database and with the data that were not intended or planned. Much like poor application architecture, this vulnerability may not be uncovered until there is an attempted or successful data breach.
    • An unlocked database is one that has no security measures in place to control access or auditing. This seems counterintuitive, but many home users employing a database for personal needs, or even for working on company data while at home, may be working with an unlocked database (Nichols, n.d.; Data Loss Prevention, n.d.).

    Did I get this?

    Henrietta copies some personnel files to her flash drive so that she can complete annual performance reviews while at home. At the time of the transfer, she does not realize that her home computer is infected with a virus that makes the computer vulnerable to being taken over by a malicious hacker. This is a potential ____ to the confidentiality of the data in the files.

    Company LUV has created a custom-designed database for you. After you install it and enter a great deal of highly sensitive data, LUV sends you an emergency patch (a correction to the database program) to correct a small loophole in security of certain types of reports. This loophole would be considered a potential database ____.

    Your company uses cloud storage for the database which contains sensitive inventory information, enabling staff to access the database when they need to. Updates to the inventory information are gathered during the day in files stored on your computer and you upload that data to the database (cloud) in the evenings after 9pm. This would be considered a potential database ____.

    Risk Assessments

    In the business environment, it is critical that a thorough risk assessment take place and be periodically reviewed. The assessment should address:

    • who has access to what data
    • the circumstances under which access to the database may need to change
    • who maintains the passwords needed to access the database
    • who uses the company's computers for access to the internet, e-mail programs, etc., and how employees access those resources
    • what type of firewalls and antimalware solutions to put in place
    • the training of the staff
    • who has responsibility for enforcement procedures related to data security (Why Data Security, n.d.)

    There are identified solutions for each of the threats and vulnerabilities discussed here, including well-defined and enforced access policies, use of strong data encryption, vulnerability assessments, policies related to strong passwords, and installation of firewalls. There are companies that specialize in designing plans, procedures, and software to prevent data loss or data leakage. With data loss the data is lost forever, either by deletion, theft, or data corruption. Data leakage allows unauthorized people to get access to the data, either by intentional action or by mistake. So data loss and data leakage can be intentional or unintentional, and both can be malicious or just human errors (VJ, 2013).

    Did I get this?

    True or false? Risk assessment related to database security revolves primarily around technical support such as firewalls, secure operating systems and networks, antivirus protection, etc.

    True or false? In terms of database access, risk assessments address only those who have legitimate credentials for viewing, entering, updating, or removing data from the database.

    True or false? All of the questions listed for risk assessment can be applied to any databases you have on your personal computer or databases that exist for your personal use only.

    A faculty member accidentally sends to a student in the class a spreadsheet containing all assignment grades for all the students in the class instead of a single row in the spreadsheet intended for that particular student. Which of the following best describes the data issue?

    Candace works in the payroll department and is authorized to work on payroll records in the database. She downloads company financial records to her unencrypted USB stick so she can work on some analysis over the weekend on her home computer. She then decides to use these records as examples in a computer class she teaches at the community center on the weekend. Which of the following best describes this data issue?

    Henry is unhappy with his job and deletes a set of personnel records that cannot be restored because there is no database backup procedure in place. Which of the following best describes this data issue?

    How Can You Protect Your PII?

    Protecting databases and the data contained within can be a costly and all-consuming activity. But what does this mean for you, the individual who uses that credit card, makes airline reservations, files taxes online, subscribes to a magazine, has been a patient in a hospital, shops at a chain store, or is a member of an online social media site? Your PII is out there, stored in multiple databases. Obviously, you cannot implement security measures for the company, business, or government agency that holds your PII. But are there many measures you can take to better protect yourself? Here are a few rules of thumb that you can implement:

    Keep your passwords to yourself.

    Do not leave a slip with a list of passwords under your computer, or anywhere where it can be viewed or taken by someone. Just giving your password to a friend is not a good idea, either.

    Use different passwords for different accounts.

    Remembering multiple passwords can be a challenge, and it’s often convenient to use the same password for multiple accounts, ranging from Facebook and your bank account to your Twitter page. The danger here is that a compromise of any one of these accounts could also result in the compromise of others if the same password is used for multiple accounts.

    Use strong passwords.

    Many of your user IDs must have strong passwords to gain entry into one or more systems. In those instances when you can choose any password configuration, pick a strong password to protect your information.

    Check your credit reports annually.

    Sometimes people don’t learn that they’re victims of identity theft until their credit rating and identity are destroyed. It’s proactive to get copies of your credit reports from the credit bureaus and carefully review them for any errors. Be sure to follow up with the credit bureaus to make any corrections to your reports, if needed. By law, you can get one free credit report from each of the three credit bureaus every year.

    Google yourself.

    Enter your own name in Google, Yahoo, or another search engine and see what data comes up. Investigate any postings about yourself in the information that you find. Look for any suggestions that your PII may be compromised.

    Remember that people can be a very weak link in security.

    No matter how secure you make your passwords and how careful you are with your technology, there is always a human element to protecting your information.

    Control physical access to your devices.

    It’s important not to leave laptops and other mobile devices unattended in public locations, like a coffee shop or other location with free WiFi. An unattended machine is at risk, for both theft and other security threats. When you aren't controlling physical access to your machine, you shouldn’t let it out of your sight.

    Remember to log out of a website when you are finished using it.

    Whether it’s your email, bank account, retail store shopping account or library account, always remember to log out when you leave the website.

    Remember to lock your computer with a password when you are finished using it.

    By requiring a password to access your computer (or other electronic device) you are protecting your information. You are also making your computer useless to a thief who cannot break password locks.

    learn by doing

    True or false? Your internet connection at the house is not working due to a recent storm. But you need to complete some bill paying online, so you go to the local coffee shop, where Wi-Fi is available. You successfully complete the bill paying and decide to get a cup of coffee. Before walking up to the counter, you log out of the banking site. You have successfully safeguarded your PII.

    You are going to be traveling outside of the United States and leave your Visa credit card number, security code, online ID, and password with your best friend. This is a ____ practice.

    True or false? Your bank offers you access to free copies of your credit report. You are not having any credit problems at this time. You should take advantage of this offer anyway.

    True or false? It is just too challenging to have different passwords for every device you use and every online site that requires an ID and password. It would be OK to use the same very strong password for all those places where one is required.

    True or false? Your computer “times out” after 10 minutes of non-use and goes into a hibernation state (blank screen). It should require a password to reactivate.

    References

    1. Blocking Brute Force Attacks. (2007). Retrieved March 17, 2014, from System Administration Database UVA Computer Science: http://www.cs.virginia.edu/~csadmin/...rute_force.php.
    2. Bruemmer, M. (2014, January 21). How Mobile Devices Can Imperil Your Organization's Cyber Security. Retrieved March 17, 2014, from Experian Information Solutions.com: http://www.experian.com/blogs/data-b...yber-security/.
    3. Dartnell, J. (2014, April 20). EMC: Digital universe data to grow tenfold by 2020. Retrieved from cnme: computer news middle east: http://www.cnmeonline.com/news/emc-d...nfold-by-2020/.
    4. Data Loss Prevention: Keeping sensitive data out of the wrong hands. (n.d.). Retrieved March 17, 2014, from Price Waterhouse Cooper Advisory Services/security: http://www.pwc.com/en_US/us/increasi...prevention.pdf.
    5. Nichols, E. (n.d.). Eleven specific solutions to today's most common database security threats and vulnerabilities. Retrieved March 16, 2014, from University of Oregon: http://aimdegree.com/research/ebrief...eb-nichols.php.
    6. Nuramn, A. (2011, August 10). Database Security. (L. Stonecypher, Editor) Retrieved April 29, 2014, from Bright Hub: http://www.brighthub.com/computing/s...les/61400.aspx.
    7. Risk Based Security. (2014, February 18). Data Breach QuickView. Retrieved from Risk Based Security: https://www.riskbasedsecurity.com/re...hQuickView.pdf.
    8. Threats to Computer Systems. (n.d.). Retrieved March 16, 2014, from USDA.gov: http://www.dm.usda.gov/ocpm/Security...ut/Threats.htm.
    9. Vishen, N. (2013, April 20). Largest Databases of the World. Retrieved from Neeraj0dba.blogspot: http://neeraj-dba.blogspot.com/2013/...-of-world.html.
    10. VJ (2013, April 2). Is There a Difference Between Data LOSS and Data LEAKAGE Prevention?. Retrieved March 28, 2014, from Rational Survivability: http://www.rationalsurvivability.com...ge-prevention/.
    11. Why Data Security is of Paramount Importance. (n.d.). Retrieved March 21, 2014, from SpamLaws.com: http://www.spamlaws.com/data-security-importance.html.
    12. Petrocelli, T. (2005). "The Changing Face of Data Protection." InformIT. Retrieved May 1, 2019, from http://www.informit.com/articles/art...22303&seqNum=3.

    5.1.4: Databases and Security Issues is shared under a CC BY-NC-SA license and was authored, remixed, and/or curated by LibreTexts.