SYSTEM VULNERABILITY
AND ABUSE
Database Security
zaldy.adrianto@unpad.ac.id
When large amounts of data are stored in
electronic form they are vulnerable to many
more kinds of threats
Why systems are vulnerable
In a multi-tier client/server computing environment,
vulnerabilities exist at each layer and in
communications between the layers
Intruders who launch denial of service attacks or
malicious software
Unauthorized access
System malfunction because hardware breaks
down or is damaged by improper use or a criminal act
Database Security
Database Security: Protection of the data
against accidental or intentional loss,
destruction, or misuse
Increased difficulty due to Internet access and
client/server technologies
Possible locations of data
security threats
Threats to Data Security
Accidental losses attributable to:
Human error
Software failure
Hardware failure
Theft and fraud
Loss of privacy or confidentiality
Loss of data integrity
Loss of availability (through, e.g. sabotage)
Security Policies and
Procedures
Personnel controls
Hiring practices, employee monitoring, security training
Physical access controls
Equipment locking, check-out procedures, screen placement
Maintenance controls
Maintenance agreements, access to source code, quality and
availability standards
Data privacy controls
Adherence to privacy legislation, access rules
Database Recovery
Mechanism for restoring a database quickly and
accurately after loss or damage
Recovery facilities:
Backup Facilities
Journalizing Facilities
Checkpoint Facility
Recovery Manager
Backup Facilities
Automatic dump facility that produces backup copy
of the entire database
Periodic backup (e.g. nightly, weekly)
Cold backup: database is shut down during backup
Hot backup: selected portion is shut down and
backed up at a given time
Backups stored in secure, off-site location
Journalizing Facilities
Audit trail of transactions and database updates
Transaction log: record of essential data for
each transaction processed against the database
Database change log: images of updated data
Before-image: copy before modification
After-image: copy after modification
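Added example (not part of the original slides): a minimal journal that records a before-image and an after-image for every update, then uses them to undo an interrupted transaction and to rebuild the database from a backup copy. It goes beyond the slides by showing both recovery directions; the journal layout, function names and account data are assumptions made for illustration.

```python
# Added illustration: journal layout, names and data are assumptions.
from copy import deepcopy

def apply_update(db, journal, txn, key, value):
    """Change one record, journalizing its before- and after-image first."""
    journal.append({"txn": txn, "key": key,
                    "before": deepcopy(db.get(key)),  # None = no record yet
                    "after": deepcopy(value)})
    db[key] = value

def commit(journal, txn):
    """Transaction log entry marking the transaction as complete."""
    journal.append({"txn": txn, "commit": True})

def committed(journal):
    return {e["txn"] for e in journal if e.get("commit")}

def roll_back(db, journal):
    """Undo changes of uncommitted transactions using before-images, newest first."""
    done = committed(journal)
    for e in reversed(journal):
        if "key" in e and e["txn"] not in done:
            if e["before"] is None:
                db.pop(e["key"], None)
            else:
                db[e["key"]] = deepcopy(e["before"])
    return db

def roll_forward(backup, journal):
    """Rebuild from a backup copy by reapplying after-images of committed transactions."""
    db, done = deepcopy(backup), committed(journal)
    for e in journal:
        if "key" in e and e["txn"] in done:
            db[e["key"]] = deepcopy(e["after"])
    return db

def demo():
    """Constructed scenario: T1 commits, T2 is interrupted before it can commit."""
    backup = {"acct:1": 100, "acct:2": 50}
    db, journal = deepcopy(backup), []
    apply_update(db, journal, "T1", "acct:1", 70)
    apply_update(db, journal, "T1", "acct:2", 80)
    commit(journal, "T1")
    apply_update(db, journal, "T2", "acct:1", 0)
    apply_update(db, journal, "T2", "acct:3", 70)
    undone = roll_back(deepcopy(db), journal)
    rebuilt = roll_forward(backup, journal)
    return undone, rebuilt
```

Both recovery paths arrive at the same state: the committed transfer is kept and the interrupted one leaves no trace.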
Security and challenges of
vulnerabilities
Internal threats: Employee
Largest financial threats to business institutions
come from insiders
Users' lack of knowledge is the single greatest
cause of network security breaches
Management Framework for
Security and Control
COBIT FRAMEWORK
Also known as the Control Objectives for
Information and Related Technology framework.
Developed by the Information Systems Audit and
Control Foundation (ISACF).
A framework of generally applicable information
systems security and control practices for IT
control.
The framework addresses the issue of control from three
vantage points or dimensions:
Business Objectives: To satisfy business objectives,
information must conform to certain criteria referred to
as business requirements for information.
IT resources: people, application systems,
technology, facilities, and data
IT processes: planning and organization, acquisition
and implementation, delivery and support, and
monitoring
Types of Information
Systems Control
General controls govern the design, security, and
use of computer programs and the security of
data files in general throughout the
organization's information infrastructure.
General control
General control includes software controls,
physical hardware controls, computer
operations controls, control over implementation
process and administrative controls.
Picture example of Physical
hardware control
Ensuring business continuity
Computer failures, interruptions and downtime
translate into disgruntled customers
Downtime: period of time in which a system is
not operational.
Fault-tolerant computer systems: hardware,
software and power supply components that
provide continuous, uninterrupted service.
Parts of these computers can be removed and
repaired without disruption to the computer system.
High-availability computing: systems that help
firms recover quickly from a crash.
Requires tools and technologies to ensure
maximum performance of computer systems and
networks, including redundant servers, load
balancing, clustering, high-capacity storage,
and good recovery.
Load balancing: distributes large numbers of
access requests across multiple servers.
Mirroring: backup server that duplicates all the
processes and transactions of the primary server.
Data Center
TELKOM SIGMA Data Center in Serpong and Sentul
Facebook data center
Disaster recovery plan and
business continuity planning
Disaster recovery plan: plans for restoration of
computing and communications services after
they have been disrupted by a disaster
Business continuity planning: focuses on how the
company can restore business operations after
a disaster strikes.
Technology and tools for
security and control
Firewalls: gatekeeper that examines each user's
credentials before access is granted
Intrusion Detection System: full-time monitoring
tools placed at the most vulnerable points.
Sarbanes Oxley and
databases
The Sarbanes-Oxley Act was designed to ensure
the integrity of public companies' financial
statements
The key component is ensuring sufficient control
and security over the financial system and IT
infrastructure in use.
Key focus of SOX audit
IT Change Management
Logical Access to data
IT operations
IT Change Management
Refers to the process by which changes to
operational systems and databases are
authorised
Top deficiency found by SOX auditors:
Inadequate segregation of duties between
people who have access to the database in three
environments: Development, Test and
Production
Logical Access to data
Logical Access to data is essentially about
the security procedures in place to prevent
unauthorised access to data.
Two types of security policy and procedure:
Personnel Control
Physical Access Control.
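Added example (not part of the original slides): a check for the segregation-of-duties deficiency described for the Development, Test and Production environments, run over an export of database access grants. The CSV layout, the account names and the choice to compare account names case-insensitively are assumptions made for illustration.

```python
# Added illustration: export format and accounts are constructed sample data.
import csv
import io

ENVIRONMENTS = ("Development", "Test", "Production")

SAMPLE_EXPORT = """environment,account,privilege
Development,alice,DDL
Test,alice,SELECT
Production,ALICE,UPDATE
Development,bob,DDL
Test,carol,SELECT
Production,dave,UPDATE
Production,dave,SELECT
"""

def segregation_conflicts(export_text):
    """Return {account: [environments]} for accounts present in more than one environment."""
    access = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        env = row["environment"].strip()
        if env not in ENVIRONMENTS:
            # Fail loudly so a mislabeled environment is not silently skipped.
            raise ValueError(f"unknown environment: {env!r}")
        # Assumption: the same login may be exported with different casing.
        account = row["account"].strip().lower()
        access.setdefault(account, set()).add(env)
    return {
        account: [e for e in ENVIRONMENTS if e in envs]
        for account, envs in sorted(access.items())
        if len(envs) > 1
    }
```

On the sample export only alice is reported, because several privileges inside one environment (dave) do not cross an environment boundary.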
IT Operations
IT Operations refers to the policies and
procedures in place related to day-to-day
management of the infrastructure, applications,
and databases in the organisation
Key areas:
database backup and recovery
data availability