Journal of Information Technology Education:
Innovations in Practice
Volume 9, 2010
Database Security: What Students Need to Know
Meg Coffin Murray
Kennesaw State University, Kennesaw, GA, USA, mcmurray@kennesaw.edu

Executive Summary
Database security is a growing concern evidenced by an increase in the number of reported incidents of loss of or unauthorized exposure to sensitive data. As the amount of data collected, retained and shared electronically expands, so does the need to understand database security. The Defense Information Systems Agency of the US Department of Defense (2004), in its Database Security Technical Implementation Guide, states that database security should provide controlled, protected access to the
The Security Module, presented in this paper, allows students to explore such areas as access control, SQL injections, database inference, database auditing, and security matrices.
The courseware was developed as part of a National Science Foundation grant and has been made freely available at http://adbc.kennesaw.edu.
Keywords: database security, data integrity, database courseware, database vulnerability, access control.

Introduction
Database technologies are a core component of many computing systems. They allow data to be retained and shared electronically, and the amount of data contained in these systems continues to grow at an exponential rate. So does the need to ensure the integrity of the data and secure the data from unintended access. The Privacy Rights Clearing House (2010) reports that more than 345 million customer records have been lost or stolen since 2005, when they began tracking data breach incidents, and the Ponemon Institute reports the average cost of a data breach has risen to $202 per customer record (Ponemon, 2009). In August 2009, criminal indictments were handed down in the United States to three perpetrators accused of carrying out the single largest data security breach recorded to date. These hackers allegedly stole over 130 million credit and debit card numbers by exploiting a well-known database vulnerability, a SQL injection (Phifer, 2010).
The Verizon Business Risk Team, who have been reporting data breach
A direct cyberattack in 2014 on JPMorgan Chase compromised accounts affecting a total of 76 million households and seven million small businesses. We are clearly in times when consumer confidence in the digital operations of corporate America is on shaky ground. Indirectly, banking is taking the brunt of the fallout, but major stores also have breaches, which of course are directly related to their financial data. Stores like Target, Home Depot and a number of other retailers have experienced major data breaches. 40 million cardholders and 70 million others were compromised at Target alone in 2013, and an attack at Home Depot in September 2013 affected 56 million cardholders.
During the dates of November 27 through December 2013, the department store Target experienced a data breach in which approximately 40 million customers' credit and debit cards were exposed. During this breach, customers' personal information may have also been exposed for possible fraudulent use. In January 2014, Target
On average, at least one data breach occurs in Australia every week. In these attacks, an estimated 19,000 records are lost, costing $2.16 million to the organisation involved.
Statistics show that most security breaches are direct results of insider misconduct rather than of being hacked. According to the most recent Verizon Data Breach Investigations Report, about "285 million records were compromised in 2008." Seventy-four percent of the incidents were from inside sources. Users are more likely to be victims of computer virus infections, inquisitive students/co-workers, and hardware failures than to be victims of an Internet security attack.
This case study, written in 2009, is not the only case where a major data breach has occurred within organizations. In late 2011 Sony's PlayStation Network (PSN) was breached, impacting up to 77 million users' accounts, including data on names, addresses and possibly credit card details. In late 2013 Target had a cyber-attack that compromised a large quantity of its data, with 110 million accounts compromised. Finally, in September 2014, Apple had their iCloud server breached by hacking that compromised all the users of the online server. These occurrences still have some unanswered questions, and several experts have yet to decipher the actual reason why the security breach occurred.
The Aim Higher college has recently had some issues with sensitive information being stolen from students when registering for classes. I believe that the web application the student information system is using has a problem known as SQL injection. A SQL injection attack is an attack where the attacker can run malicious SQL queries against a web application's database server, and it can be a danger for the users who access the web page because the hacker will look for their personal information records, then delete them or modify the information gained. This type of attack is no joke; we have to take action and create a plan to resolve this vulnerability in our database, so the students will register for their courses with our security on their side.
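The mechanism behind the SQL injection described above, and the standard fix, can be seen in a few lines of Python. This is an added example, not code from the page or from the student information system it discusses; the table name, columns and sample rows are constructed for the demonstration. It uses an in-memory SQLite database so it runs offline. The unsafe lookup splices the username into the SQL text, so the database parser treats the input as part of the statement; even an ordinary name with an apostrophe breaks it. The safe lookup keeps the statement text fixed and passes the value as a bound parameter, so the input can only ever be compared as data.

```python
"""Added example: string-built SQL beside a parameterized query (SQLite, stdlib only).
Not part of the original page; table, columns and rows are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a small student table for a registration system.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, username TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (username, ssn_last4) VALUES (?, ?)",
        [("alice", "1234"), ("o'brien", "5678"), ("carol", "9012")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: user input is spliced into the SQL text, so whatever the
    # input contains is parsed by the database as part of the statement.
    sql = f"SELECT username, ssn_last4 FROM students WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the statement text never changes; the driver binds the
    # value separately, so it is compared as data and cannot alter the query.
    sql = "SELECT username, ssn_last4 FROM students WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on the same inputs and report what each one does."""
    conn = make_db()
    results = {}
    # A plain name works either way.
    results["unsafe_plain"] = lookup_unsafe(conn, "alice")
    results["safe_plain"] = lookup_safe(conn, "alice")
    # A name containing an apostrophe shows the difference: the unsafe version
    # fails because the quote is parsed as SQL, the safe version returns the row.
    try:
        results["unsafe_quote"] = lookup_unsafe(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        results["unsafe_quote"] = f"error: {exc}"
    results["safe_quote"] = lookup_safe(conn, "o'brien")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical rule this illustrates is that the fix is structural, not a matter of filtering characters: once every query in the registration application binds its parameters, the input can no longer change what the statement does, whatever it contains.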
Aside from the PlayStation outage, there have been larger and more nefarious data breaches in history that exploited weaknesses in internet, server, and network security. One such breach is when Heartland Payment Systems had what was called the most massive credit card security breach in history, with hackers embedding deep within Heartland's security and recording card data. According to Bloomberg Business, it was estimated that "as many as 100 million cards issued by more than 650 financial services companies may have been compromised". The attack, which was orchestrated by a man named Albert Gonzalez, who was also the cause of several other data breaches, each costing from thousands to millions of dollars, cost Heartland $12.6 million. Another such attack was when Russian and Ukrainian computer hackers assaulted NASDAQ stock exchange servers, stealing "more than 160 million credit and debit card numbers, target more than 800,000 bank accounts" (NY Daily News). The separate hacking operation spanned over seven years, attacking NASDAQ but also affecting "chains like 7-Eleven". All the operations, over the period of time and the global scale they spanned, resulted "in at least $300 million in losses to companies and individuals". In one of the latest, and possibly the largest, data breaches of 2015, Anthem, the second largest health insurer in the US, was hacked, compromising millions of accounts and personal data, as well as social security information. When Anthem discovered that they had been
In January 2007 a press release was issued, according to the CPA Journal article "Analyzing the TJ Maxx Data Security Fiasco", stating that the computer systems of TJX Companies, Inc., the parent company of retail stores like TJ Maxx, Marshalls, HomeGoods, and A.J. Wright, had been breached and that customers' information had been stolen (Berg, G. 2008, August). This data breach became the largest of its kind because during the investigation it was reported that approximately 94 million Visa and MasterCard accounts had been compromised (Berg, G. 2008, August).
Data breaches happen daily, in too many places at once to keep count. But there is a difference between a huge breach and a small one, and we will take some examples from the biggest or most significant breaches of the 21st century to show how much risk or damage the breach caused for companies, insurers and users or account holders.
Databases allow us to easily store and retrieve data in a purely digital format. The strength of this is that large amounts of data can be stored and retrieved with minimal effort on the part of the user. As opposed to manually flipping through files, one can quickly pull up the requested data through a computer program. Many systems that were conventionally paper and file based have been converted to a digital format and are now stored in one or more databases.
The potential for violations can come from numerous sources (Lawrence & Weber, 2011) (Consumer Information). Recently Equifax had a data breach of their customers' personal information. The hackers accessed the names, social security numbers, birthdates, and addresses of 142 million American consumers (Consumer Information). This is frightening and happens more often than we think. According to a PricewaterhouseCoopers executive, "Cybercrime has emerged as a formidable threat. Over the years millions have fallen victim to these attacks. In a survey of 583 U.S. companies, 90 percent said that hackers breached their company's computers over the last twelve months" (Lawrence & Weber, 2011). Cyber crimes occur when hackers attempt to damage or destroy a computer network or a company's data system. Criminals will use one of the most harmful systems around. This system is called a zombie. A zombie is
With advances in technology constantly happening, it can be hard to keep up with all of the latest trends. If organizations cannot keep up with the latest trends, it can lead to flaws in their security. Any flaws in security can have a detrimental effect on an organization’s database. Almost every organization has some sort of database, whether it is for maintaining customers, inventory, or vital information.
Data has always been analyzed within companies and used to help benefit the future of businesses. However, the way data is stored, combined, analyzed and used to predict the patterns and tendencies of consumers has evolved as technology has seen numerous advancements throughout the past century. In the 1900s databases began as "computer hard disks" and in 1965, after many other discoveries including voice recognition, "the US Government plans the world's first data center to store 742 million tax returns and 175 million sets of fingerprints on magnetic tape." The evolution of data and how it evolved into forming large databases continues in 1991, when the internet began to pop up and "digital storage became more cost effective than paper." With the constant increase of the data supplied digitally, Hadoop was created in 2005, and from that point forward "14.7 Exabytes of new information are produced this year", a number that is rapidly increasing with the many mobile devices the people in our society have today (Marr). The evolution of the internet and then the expansion of the number of mobile devices society has access to today led data to evolve, and companies now need large central database management systems in order to run an efficient and successful business.
The first and most important task for any database is to adopt the best security guidelines and compliance objectives as part of the data warehouse or data center design, and to ensure a team of people is involved to maintain the security protocols and the type of data, whether it is inbound or outbound. All designed security controls should be customized for each module of data so that the data type and the security of the data are maintained all over the data center—united by a common policy environment.