5.3 Database Security Countermeasures P2

Question 1

What is SQL injection?

Answer 1

Lethal code can be directly placed into the user input field

Question 2

How is SQL injection done?

Answer 2

1. Types in URL to company’s website
2. Prompted to provide a username & password
3. 1 Syntax in username field (‘or’1’=’1-)
4. 2 Returns 1st entry in given table (username & then password table)

Question 3

How to avoid SQL injection as a threat?

Answer 3

Ensure application validates data being received before sending to database

Question 4

What does SET stand for?

Answer 4

Secure Electronic Transactions

Question 5

What does SET mean (definition)?

Answer 5

Protocol designed to handle secure bank payments over the internet

Question 6

What is SET used for?

Answer 6

DES encryption

RSA encryption

Question 7

Why is the SET transaction split

Answer 7

So the merchant has access to information about:
What is being purchased
How much it costs
Whether payment is approved

Question 8

What information does the merchant NOT have access to?

Answer 8

What payment method the customer is using

Question 9

What is involved in non-computer controls?

Answer 9

Policies agreements, and administrative controls:
Security policy & contingency plan
Personnel controls
Secure positioning of equipment
Maintenance agreements
Physical access controls

Question 10

Why is it important to test security?

Answer 10

To ensure security measures are adequate
Testing is an ongoing process and carried out regularly (threats don’t disappear - may evolve again at anytime)
Database security is a huge area requiring knowledge - not just of databases but also of the environment within which they operate