Introduction
It is only natural that people value the confidentiality of their personal lives. They care about who knows what about them, and they do not want their private information to be accessible to anyone at any time. Database security has therefore never been more vital, given the number of data breaches now reported. It is of the utmost importance to sectors such as banking, finance, information technology and e-commerce. Every transaction relies on the security of the database, which holds sensitive details such as secret codes, passwords and customer information. Users worldwide expect their privacy to be taken seriously, and every institution must reflect this expectation. Any company must therefore treat database security as a major priority.
Generally, an organization that collects customer information must store it in a database somewhere. That information may be sensitive and subject to strict privacy agreements. For instance, a client may provide an email address and contact details when purchasing something from your store. If this information is accessed without authorization, compromised, misused or sold to third parties, the customer may take legal action against you.
Essentially, a database is an organized collection of data stored on a computer system. The information is usually structured to support processes that require the storage and retrieval of information (Malik & Patel, 2016). Users and applications interact with a database through a database management system (DBMS): software that mediates between authorized users and the stored data, enforcing access rules and providing query facilities. A DBMS also organizes data for better performance and faster retrieval.
Database Security
Database security is any form of protection applied to databases to guard against compromise. It involves a wide variety of tools to protect large data stores from external attacks (Sisense, n.d.). Areas of database security include data-level security, the physical servers, the applications used to capture and store data, and system-level security. Every company uses databases to some extent, from simple tasks such as tracking employee details to complex systems such as customer relationship management (CRM) databases. Examples of how stored data can be protected from compromise include:
- Technical controls: software that prevents people from gaining unauthorized access to the database, for example through hacking.
- Physical controls: for example, continuous monitoring of the database servers so that security personnel can identify potential threats or weaknesses.
- Administrative controls: the use of passwords and the restriction of access for some of the organization's personnel.
Database Privacy
The two major concerns with database privacy are the security of the database itself and the legal implications of what should be kept in it. Furthermore, security personnel have an inherent ethical duty to secure a database system (Bertino, Byun, & Li).
Leakage of Database Information
Structured Query Language (SQL) injection attacks involve sending unexpected data to a server, which then passes it into a query against the database. Typically, attackers test for injection vulnerabilities by submitting malformed data to a website in order to provoke an invalid SQL query. If the server returns the raw error message, it discloses information about the structure of the database (table and column names, the number of columns in a query, the database product in use), which the attacker can use to stage further attacks (ComputerWeekly.com, n.d.). The root cause is application code that builds queries from untrusted input. To prevent this, applications should fail safely: a database error should be logged on the server and reported to the user only as a generic failure. Debug error handlers and verbose error pages shipped with frameworks or vendor code should be removed or disabled in production.
Preventing SQL attacks
SQL injection is a hacking technique that still proves devastatingly effective today. It is used to compromise personal data and in high-profile attacks against companies. A successful attack on the database gives the attacker a broad range of options, from modifying the content of the website to capturing private and sensitive information such as customer credentials or internal business data.
The first stage in preventing SQL injection is establishing whether an application is vulnerable. You can do this by launching your own attacks against it (only against systems you are authorized to test) and seeing whether they succeed. However, SQL is a complex language, so it is not easy to craft input by hand that, once injected into a query, compromises the database (OWASP, 2018). The good news is that automated injection tools can do the work for you. An example is Havij, a tool created by Iranian security researchers. Pointing Havij at a target makes it probe the site to determine the type of database in use (Rubens, 2018). The tool then crafts queries to probe the features of that database and, on a vulnerable site, can extract full tables and data dumps from the target.
Fortunately, there are many remedies available to website owners to prevent SQL injection. Although no foolproof security exists in networked systems, substantial obstacles can be placed in the way of injection attempts. The following steps significantly lower the risk of falling victim to SQL injection:
- Do not trust anyone. Validate all user input according to its context. For instance, an email address field should accept only the characters that are permitted in an email address.
- Avoid constructing queries from user input. Input validation can be faulty, so use parameterized queries (prepared statements) wherever possible: a bound parameter is always treated as data, never as SQL. Remember, though, that parameters only protect values; they cannot be used for identifiers such as table or column names or for ORDER BY clauses, and they do nothing against other attack classes, so do not rely on them alone for database security. A patch management system is also a worthwhile investment.
- Firewalls. A web application firewall (WAF) helps to filter out malicious requests. A WAF is therefore useful in providing some protection against a newly disclosed vulnerability before a patch is available. A common example is ModSecurity, which offers a sophisticated and continually updated rule set for filtering potentially dangerous website requests.
- Reduce the attack surface. Remove or disable any database functionality that is not essential, so an attacker cannot take advantage of it (Rubens, 2018). For instance, the xp_cmdshell stored procedure in Microsoft SQL Server spawns a Windows command shell and executes a supplied string, which is certainly useful to an attacker. Additionally, hash stored passwords and encrypt other private information, including connection strings; merely encoding them offers no protection.
- Use appropriate privileges. Do not connect with an account that has administrator-level privileges unless it is strictly necessary. A limited-access account is safer because it constrains what an attacker can do if the application is compromised. For instance, the database account used by the code behind a login page should be restricted to reading only the credential records it needs.
- Data inference. A less obvious leak occurs when confidential information can be inferred from the answers to legitimate queries. For instance, a customer's date of birth and place of residence provide useful information for a marketing campaign, but could also enable a sales clerk to re-associate a client with his or her purchase records.
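The following Python example is added here to illustrate both the error-based probing described in the section on leakage of database information and the first two prevention steps above (context-specific input validation and parameterized queries, including the identifier case that parameters cannot cover). It is not code from the original essay or from any of the cited sources. It uses an in-memory SQLite database with constructed sample rows; the table layout, the field names and the fake password hashes are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_CUSTOMERS = [
    ("Alice", "alice@example.com", "hash-alice-0001", "2022-01-05"),
    ("Bob", "bob@example.com", "hash-bob-0002", "2022-03-19"),
]

# Context-specific validation for an e-mail field: only characters that can
# appear in an address are accepted, so quotes, spaces, semicolons and
# comment sequences are rejected before they reach any query.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Identifiers such as column names cannot be bound as parameters, so a
# caller-chosen sort column is checked against a fixed allowlist instead.
ALLOWED_SORT_COLUMNS = {"name", "created_at"}


def setup_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
        "password_hash TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email, password_hash, created_at) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    conn.commit()
    return conn


def find_customer_vulnerable(conn, email):
    """Deliberately unsafe: the query is built by string concatenation and
    the raw driver error is returned to the caller, so a malformed input
    both alters the query and discloses structural details."""
    sql = "SELECT name, email FROM customers WHERE email = '" + email + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "DB error: " + str(exc)


def validate_email(email):
    """Return True only for strings that look like a plain e-mail address."""
    return EMAIL_RE.fullmatch(email) is not None


def find_customer_safe(conn, email):
    """Hardened: the value is bound as a parameter, so it is only ever data,
    and any database error is reported generically rather than echoed."""
    try:
        return conn.execute(
            "SELECT name, email FROM customers WHERE email = ?", (email,)
        ).fetchall()
    except sqlite3.Error:
        # In a real deployment the details would go to a server-side log
        # (assumption); the client sees only a generic failure.
        return "lookup failed"


def list_customers_sorted(conn, sort_col):
    """Sorting by a caller-chosen column: a parameter cannot stand in for an
    identifier, so the column name is taken from the allowlist."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    rows = conn.execute(
        f"SELECT name FROM customers ORDER BY {sort_col}"
    ).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = setup_db()
    # Column-count probe: the leaked error reveals how the query is shaped.
    print(find_customer_vulnerable(db, "x' UNION SELECT 1 --"))
    # Once the shape is known, a UNION pulls out the credential column.
    print(find_customer_vulnerable(
        db, "x' UNION SELECT email, password_hash FROM customers --"))
    # The same payloads are inert against the parameterized version.
    print(find_customer_safe(db, "x' OR '1'='1"))
    print(validate_email("x' OR '1'='1"), validate_email("alice@example.com"))
    print(list_customers_sorted(db, "name"))
```

Run it as a script to see the contrast: the vulnerable lookup answers the probe with the driver's complaint about mismatched UNION columns and then hands over every e-mail and password hash, while the parameterized lookup treats the same strings as a literal address and returns nothing. The allowlist in list_customers_sorted is the part that parameters alone cannot give you.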
Database Legal Protection
Indeed, databases have become very valuable assets. As such, people ask whether the law applies to databases and how it protects the different aspects of a database. The Copyright Act of 1978 sets out the works eligible for copyright as far as databases are concerned (Michalsons, 2018). Databases are usually protected as compilations under copyright law. An example of a database protected as a compilation is a set of carefully chosen quotations from the presidents of the United States. The individual quotations themselves may not be subject to legal protection; what is protected is the selection of the quotations, which reflects originality and creativity. Consequently, a database of quotations is protected as a compilation even though the quotations themselves are not protected by copyright.
A database of facts can also receive copyright protection. An example is a database of Internet locations for specific legal articles. Each location is purely factual information, since a particular article can be found only at a specific URL, so no copyright exists in any individual location (U.S. Copyright Office, 1997). The creative and original expression that is protected is the choice of locations included in the database. If the sites were additionally organized by subject matter within the database, that arrangement would also be protected.
Although databases are protected as compilations under American copyright law, the underlying information is not automatically granted protection. In particular, the Copyright Act states that the copyright in a compilation extends only to the compilation itself and not to the underlying data (USPTO, 2009). For that reason, a compilation copyright cannot be used to cover facts that are otherwise unprotectable; a database of unprotectable facts is protected only as a compilation. Since the underlying information is not protected, United States copyright law does not prevent the extraction of unprotected facts from an otherwise protectable compilation.
Licensing and Preemption
In Feist Publications, the United States Supreme Court ruled that a database must show a minimum level of creativity to be granted protection under the Copyright Act. From the ruling, it is clear that not all databases are protected as compilations under copyright law. To be protected, the selection, coordination or arrangement of the data must be original. A simple alphabetical arrangement is not considered original enough for copyright protection unless there is some creativity and originality in the coordination of the data. Feist also makes clear that even where a database is protected by copyright as an original work, this protection does not prevent anyone from extracting the factual information it contains.
The partial protection afforded to databases makes it important that database owners and developers also protect their records through contract law. Through a legal agreement, typically in the form of a license to use the database, the end user can be barred from mining data from the database for uses other than those intended by the database owner. For example, a contract could bar the end user from supplying data mined from the database to a third party or from including the extracted information in a new compilation. Because such agreements are enforced under state law, some courts have declined to enforce contracts that provide copyright-like protection to derivative databases, on the ground that they are preempted by the Copyright Act. Nonetheless, the majority of court rulings have held that such contracts are not preempted and can be enforced.
Infringement
Violation of copyright can be direct or indirect. An individual directly infringes the copyright of another when they exercise, without consent, a right that is exclusive to the copyright owner (Gupta). In this case, the author is the first owner of the copyright: the person who first creates the work by applying skill and intellect. Generally, the creator of the database is its author and the first owner of the copyright in it. Where the creator is an employee, however, the employer is considered the owner of the copyright in the work. Additionally, the author can also assign rights to another person w...
Database Security Paper Example. (2022, Nov 07). Retrieved from https://proessays.net/essays/database-security-paper-example