Lecture 2

Question 1

What are the 2 main steps to access data? (!!)

Answer 1

-Authentication: confirmation of identity to gain access

-Authorization: permissions given to users

Question 2

What are the 3 levels of authentication in a database environment? (!!)

Answer 2

-OS level
-Database level
-Network/Third party level

Question 3

What are 2 advantages to using OS Authentication?

Answer 3

-Convinience

-Centralized account administration

Question 4

What is a challenge when applying database-level authentication?

Answer 4

A single user must have different passwords for each system which may lead to weak passwords

Question 5

Name 2 types of Third-party authentication:

Answer 5

-Smart Card with PIN.

-Public key infrastructure (PKI): a framework that manages digital certificates and public-key encryption.

Question 6

Which 2 types of policies should be used for maximum effectiveness? (!!)

Answer 6

-Clear/written policies
-Server-defined policies

Question 7

What are 4 password policies/attributes that may be used in database servers? (!!)

Answer 7

-Complexity.

-Limited failed attempts.

-Expired passwords (regularly changing passwords).

-No password reuse.

Question 8

What are 3 common standards in equipment usage agreements?

Answer 8

-Password discretion (complexity)

-Password sharing

-Password storage

Question 9

What are the 3 tasks in user management?

Answer 9

-Adding users

-Removing users

-Assigning privileges to users

Question 10

What are default accounts, and how do you deal with them? (!!)

Answer 10

They are created accounts with predefined credentials and privileges.
Credentials must be changed immediately as they can be found online.

Question 11

What are 3 good practices in user management? (!!)

Answer 11

-Always change the default passwords of new users

-Enforcing strong password policies

-Save passwords in encrypted file

Question 12

What is a privilege and give 3 examples of them? (!!)

Answer 12

A privilege is the ability to access a specific resource or do a specific action.

Examples: Read, write, execute.

Question 13

What are 3 tasks in managing privileges? (!!)

Answer 13

-Granting privilege
-denying privilege
-revoking privilege

Question 14

What are “Roles”, and how do they help?

Answer 14

A combination of privileges that can be assigned to multiple users or objects.

Saves time and centralizes administration.

Question 15

What are the 3 types of roles?

Answer 15

-User-defined

-Application: defines what applications can do.

-Public: a way to assign privileges to all users.

Question 16

What is inference? (!!)

Answer 16

A method for unauthorized users to obtain sensitive information through assumptions based on the database’s responses.

Question 17

What are the 2 types of inference? (!!)

Answer 17

• logical inference: making assumptions based on the database responses.
• statistical inference: using statistical data to find unauthorized information.

Question 18

What are 4 techniques to limit inference? (list and explain) (!!)

Answer 18

• Polyinstantiation: having multiple fake instances of a record, but may confuse employees.
• Logging and monitoring: monitoring queries and logs for suspicious activity.
• Limit user requests: limits the users capability in making queries, like query size, frequency, functions, etc.
• Limit query responses: limit the information that is provided by the query response. Like returning ranges instead of exact numbers.