2 Responses

ruthvik
ResponsesWork.docx

Sachin Work:

Legitimate privilege abuse and how to prevent it:

Privileges are a crucial native security control in any system. As the name implies, privileges grant required permissions for accounts based on the roles or groups they are in to perform certain operations within the system. For example, in a database: read, write, debugging, impersonation, etc. A security expert or someone like a DBA who understands privileges and how attackers may harm them can increase their monitoring and attack surface reduction abilities. This discussion post will discuss privileges and share some recommendations for detecting and preventing their abuse. Additionally, it will talk about key concepts a defender needs to understand to protect privileges, and about legitimate privilege abuse and how to prevent it.

When users are granted default database rights that exceed the specifications of their job duties, these privileges can be abused. For example, a front-end developer whose job requires only the ability to make UI changes may take advantage of excessive database privileges and insert or delete some tables in the database, or run a query which can do some damage to the database. Moreover, some businesses fail to document or update access privileges for users who change positions within the company or switch jobs. Employees may abuse legitimate database privileges for unauthorized missions. Excessive privileges, legitimate privilege abuse, database injection attacks, exploitation of vulnerable databases, unmanaged sensitive data, and human error are some of the threats to a database. "Authorisation in much discussion on computer abuse implies that the role, and hence privileges, of an individual in an enterprise has been pre-assigned and known to the individual, not whether the role is consequential to the identity and authentication of the human." (Blatchford, 1989)

Now let's look at some of the ways to keep database security tight and prevent privilege abuse.

Ensure physical database security: This means keeping database instances in a secure, locked environment with access restrictions in place to keep unauthorized users out. But it also means having the database on a separate physical machine, separated from the devices running application or web servers. A web server is more likely to be attacked since it is publicly accessible. So, if a web server is compromised and the database server is running on the same machine, the database server is put at risk, and the attacker would also get root access to the database. Avoiding insider attacks is a difficult task. "While it is necessary to provide privileges to employees so they can perform their jobs efficiently, providing too many privileges may backfire when users accidentally or intentionally abuse their privileges." (Baracaldo & Joshi, 2013). Hence, finding a middle ground where the necessary privileges are provided and malicious practice is avoided is essential.

Manage database access tightly: It would help if you aimed for the smallest number of people to have access to the database. Administrators should have just the bare minimum privileges they need to do their work, and only during the times when they need access. This may not be practical for smaller organizations, but at the very least, permissions should be managed using groups or roles rather than given directly. "Misuse incidents frequently present as being a result of privilege abuse" (Walker-Roberts et al., 2020).

References:

Blatchford, C. (1989). Hacking: An abuse of privilege. Computer Audit Update, 1990(1), 21-24. https://doi.org/10.1016/S0960-2593(89)80020-5

Baracaldo, N., & Joshi, J. (2013). An adaptive risk management and access control framework to mitigate insider threats. Computers & Security, 39, 237-254. https://doi.org/10.1016/j.cose.2013.08.001

Walker-Roberts, S., Hammoudeh, M., Aldabbas, O., Aydin, M., & Dehghantanha, A. (2020). Threats on the horizon: Understanding security threats in the era of cyber-physical systems. The Journal of Supercomputing, 76(4), 2643-2664. https://doi.org/10.1007/s11227-019-03028-9
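As an added example (not part of Sachin's post), here is how the direct versus role-based grants and the time-limited administrator access described above look in PostgreSQL SQL, followed by queries a DBA can run to find excess privileges. The role and table names are hypothetical, the built-in pg_read_all_data role needs PostgreSQL 14 or later, and the audit queries assume they are run as a superuser so that every grant is visible.

```sql
-- Constructed tables for the example (assumed names, not a real schema).
CREATE TABLE IF NOT EXISTS public.ui_settings (id int PRIMARY KEY, value text);
CREATE TABLE IF NOT EXISTS public.feature_flags (name text PRIMARY KEY, enabled bool);

-- Weak pattern: a direct, excessive grant to an individual account.
-- A front-end developer can now insert into or delete from every table.
CREATE ROLE alice LOGIN PASSWORD 'replace-me';
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO alice;

-- Corrected pattern: privileges live on a role that names the job,
-- and the person is only a member of that role.
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM alice;
CREATE ROLE ui_reader NOLOGIN;
GRANT USAGE ON SCHEMA public TO ui_reader;
GRANT SELECT ON public.ui_settings, public.feature_flags TO ui_reader;
GRANT ui_reader TO alice;

-- Time-bounded administrative access: VALID UNTIL expires the password,
-- so a login created for one maintenance window stops working afterwards.
CREATE ROLE dba_oncall LOGIN PASSWORD 'replace-me'
    VALID UNTIL '2024-01-02 00:00+00';
GRANT pg_read_all_data TO dba_oncall;

-- Audit 1: who holds superuser, which bypasses every grant?
SELECT rolname FROM pg_roles WHERE rolsuper AND rolname <> 'postgres';

-- Audit 2: login accounts that hold write privileges directly on tables
-- (not through a role). Each row is a candidate for the role-based fix.
SELECT g.grantee, g.table_schema, g.table_name,
       string_agg(g.privilege_type, ', ' ORDER BY g.privilege_type) AS privs
FROM information_schema.role_table_grants g
JOIN pg_roles r ON r.rolname = g.grantee
WHERE r.rolcanlogin
  AND g.table_schema NOT IN ('pg_catalog', 'information_schema')
  AND g.privilege_type IN ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE')
GROUP BY g.grantee, g.table_schema, g.table_name
ORDER BY g.grantee, g.table_name;

-- Audit 3: role memberships, to compare against the current org chart
-- whenever someone changes position or leaves.
SELECT r.rolname AS role_name, m.rolname AS member
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
ORDER BY r.rolname, m.rolname;
```

Note that GRANT ... ON ALL TABLES IN SCHEMA only covers tables that exist at that moment, so the audits are worth scheduling rather than running once.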

Dushyanth Work:

New Database in the Manufacturing Industry

Manufacturing technology has significantly changed over the recent past to align with the digitalization in the market. “Today's increasingly automated and software driven industries have reduced human intervention to pressing only a few buttons in some cases” (Robinson, 2015). Therefore, the management has been able to invest in nanotechnology, cloud computing, and the Internet of Things (IoT). The advancements not only lead to cost saving, but also increase the speed, precision, and efficiency of the organizations (Robinson, 2015). However, the management should understand that these technologies increase the amount of data collected.

It can adopt data structure manipulation to streamline the database management processes. The reason being, database engineering requires technologies to address the complex mapping challenges. The authors stated that, “We can mention the normalization theory, which laid the basis for data- and constraint-preserving schema transformations, but also the now standard 3-schema data modeling architecture which clearly complied, more than 25 years ago, to what the SE community currently calls Model-Driven Engineering (MDE)” (Hainaut, 2005). Thus, the management should first understand the kind of data they deal with to ensure it uses the best models.

It should also consider the best database design methodologies that suit their organizational operations. For instance, they can choose between the conceptual schema, the logical schema, the physical schema and the DDL code (Hainaut, 2005). The employees should understand the database structure chosen to assist in the preservation of data. Given that the organization utilizes the logical relational schema, they should ensure the rewrite rules and the configuration do not affect columns and keys. Therefore, “If the rules are carefully selected, the relational schema has the same information contents as its conceptual origin” (Hainaut, 2005). The strategy ensures there is preservation of data integrity and facilitates the data retrieval process.

Lungariello (2017) discovered that, “Whether it’s kept on the premises or off site, locally managed or handled by a third-party, businesses need a reliable, searchable and adaptable database to handle the constant influx of information.” Therefore, an organization can have both on-premises and cloud databases provided they are secure. The author recommended ten database software systems that have been developed to improve data security. One of the systems is Oracle, which is powerful but very complicated to operate (Lungariello, 2017). Second, the organizations can implement Microsoft SQL Server, where they can choose between Server 2008, 2012, 2014, and 2016.

The system chosen should facilitate the archival and retrieval of data on raw materials, products, and components. Moreover, the management should understand that, “Usually there are many databases in the manufacturing process in which they would become integrated with one another” (Angelo, 2017). Therefore, the systems depend on whether they are to be installed in Supply Chain, Production Item, or Inventories Databases. They should also assist the management in investing in emerging technologies. The investment into Collaborative Robots, Smart Manufacturing, or Additive Manufacturing requires databases that can handle large data sizes (Devereaux, 2019). The manufacturers should be able to get data in real time as they produce their commodities.

References

Angelo, N. (2017, March 3). Databases in Manufacturing. MIS Class Blog.

Devereaux, D. (2019, February 7). 5 Manufacturing Technology Trends to Watch in 2019. The US. The National Institute of Science and Technology.

Hainaut J. (2005). The Transformational Approach to Database Engineering. In: Lämmel R., Saraiva J., Visser J. (eds) Generative and Transformational Techniques in Software Engineering. GTTSE 2005. Lecture Notes in Computer Science, vol 4143. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11877028_4

Lungariello, R. (2017, April 10). The 10 Best Database Software Systems For Business Professionals. My Tech Decisions.

Murphy, C. (n.d.). 10 Transformational Database Technologies. The Oracle Databases.

Robinson, A. (2015). 5 Sweeping Technologies Rapidly Changing Paradigms & Execution of Manufacturing Processes. Cerasis Team.