Security Flashcards

1
Q

Why is data a concern?

A

Data is a valuable resource; it should be controlled and managed. Most data includes customer info, product info, and analytics.

Security is used to protect against intentional and accidental threats.

Breaches may affect other components like hardware, software, and people.

2
Q

What are the different types of threats?

A

Theft and fraud
Loss of confidentiality
Loss of privacy
Loss of integrity
Loss of availability

Security aims to minimize the losses caused by anticipated events in a cost-effective manner without constraining the users.

3
Q

What are threats?

A

Any situation, intentional or accidental, that may adversely affect a system and consequently an organisation.

TANGIBLE:
Hardware, software, data

INTANGIBLE:
Reputation, client confidence

To mitigate against threats we identify weaknesses, test system security, and monitor access.

4
Q

Write a summary about threats

A

HARDWARE:
Fire bombs
Data corruption due to power surge
Theft of equipment

DBMS and app software:
Program alteration
Failure of security mechanism

DATABASE:
Theft of data
Data corruption due to power surge

COMMUNICATION NETWORKS:
Wire tapping
Electronic radiation

PROGRAMMERS:
Creating trap doors
Program alteration

USERS:
Using another person's access
Blackmail
Introduction of viruses

5
Q

What are countermeasures (computer-based controls)?

A

Can include physical controls and administrative procedures.

Despite these, security can only be as good as the OS.
There are six measures.

6
Q

What is authorization and authentication?

A

1. AUTHORIZATION:
Granting of rights which enables a subject to legitimately have access to a system or its objects (DB, view).

AUTHENTICATION:
A mechanism that determines whether a user is who they claim to be. Examples: password protection, 2-factor authentication.

7
Q

What is access control?

A

1. ACCESS CONTROL:
Provides access controls for a DB system based on granting and revoking privileges.

PRIVILEGES allow users to create/access (read/write/modify) database objects or run some DBMS utilities.
They are often granted to a user so they can do their work.

DISCRETIONARY ACCESS CONTROL (DAC):
Users use the GRANT and REVOKE commands to manage privileges.

MANDATORY ACCESS CONTROL (MAC):
System-wide policies that cannot be changed by users.
Each object has a security class and each user has a clearance.

8
Q

What are views?

A

3. VIEWS
A virtual relation that doesn't exist in the DB but is produced upon request by a user, at the time of the request.

It can hide parts of the DB from certain users.

Can be defined over several relations, with users being granted the privilege to use it.

Users only query and modify data they can see.

9
Q

What is backup and journaling?

A

4. BACKUP
Process of periodically taking a copy of the DB, log file and possibly programs to offline storage media.

JOURNALING
Process of keeping and maintaining a log file of all changes made to the DB to enable effective recovery in the event of a failure.

10
Q

What is a replica?

A

Replica: each node that stores a copy of a DB.

Given multiple replicas, how can we be sure data ends up on all replicas?
Solution: leader-based replication.

11
Q

What is synchronous and asynchronous replication?

A

SYNCHRONOUS:
Ensures the leader is forced to wait until followers are complete before continuing to process writes.
Advantage:
Followers are guaranteed an up-to-date copy of the data.
Disadvantage:
If followers are not responding, writes can't be processed by the leader.

ASYNCHRONOUS:
Allows the leader to proceed with processing queries without confirmation from followers.
Advantage:
The leader does not wait for followers to complete replication.
Disadvantage:
If the leader fails, there is no guarantee of a node with the most up-to-date copy of the data.

12
Q

What is semi-synchronous replication?

A

If a DB enables sync replication, it means a single follower is sync while the others are async.

If the sync follower becomes unavailable, one of the async followers is made sync.

13
Q

How to set up a new follower?

A

Copying data from one node to another is insufficient.

Data is always in flux, so a standard copy would read different parts at different times.

Done as follows:
1. Take a consistent snapshot of the leader DB at some point in time.
2. Copy the snapshot to the follower node.
3. The follower connects to the leader and requests all data changes since the snapshot.
4. When the follower has processed the backlog, it is said to be caught up.

14
Q

How to handle node outages?

A

Any node can fail. The goal is to keep the system running despite nodes failing.

FOLLOWER FAILURE (catch-up recovery):

A follower's local disk keeps a log of data changes from the leader. If a follower node fails, it can recover by querying the leader for subsequent changes.

15
Q

What is leader failure (failover)?

A

One follower needs to be promoted as the new leader, clients need to be reconfigured to send writes to the new leader, and the other followers need to start consuming changes from the new leader.

Following steps:
1. Determining if the leader has failed: if a node doesn't respond it is assumed dead.
2. Choosing a new leader: by an election process, or a new leader is appointed by an election controller. The best candidate usually has the most up-to-date changes.
3. Reconfiguring the system: clients now send their write requests to the new leader. If the old leader comes back it may still believe it is the leader.

16
Q

Problems with failover

A

Async replication: the new leader may not have received all writes from the old leader. The old leader may have conflicting writes if it rejoins, so usually this data is discarded.

Discarding writes can be dangerous if the system encodes important shared info.

Multi leader replication: Sometimes two nodes think they are the leader, and both accept writes.

17
Q

What is encryption?

A

1. ENCRYPTION:
Encoding of data by a special algorithm that renders the data unreadable by any program without the decryption key.

CAESAR CIPHER: One of the easiest and most famous examples.
Take the alphabet and shift the offset of each letter up by some set amount.
While encrypting the message, use this alphabet shift to replace each letter in the message.
A colleague can decipher the message with a known shift of letters.

18
Q

What is RAID?

A

RAID
REDUNDANT ARRAY OF INDEPENDENT DISKS
Hardware for DBMSs should be fault-tolerant (the DBMS should continue to operate even if one of the hardware components fails).

Redundant components can be added into a working system to withstand one or more component failures.

Main components:
1. Disk drive
2. Disk controller
3. CPU
4. Power supplies and cooling fans

19
Q

Write a note on RAID performance

A

Solutions to disk failure include RAID technology.

A large disk array comprising an arrangement of several independent disks organized to improve reliability and increase performance.

Performance is increased through striping, as several I/O commands can be serviced at one time.

Reliability is improved by storing redundant info across disks using a PARITY SCHEME: each byte has a parity bit associated with it that records whether the number of bits in the byte that are set to 1 is odd or even. Even if only one bit is corrupted, the parity will not match.

20
Q

What are the levels of RAID configurations?

A

RAID 0: NON-REDUNDANT
Uses no redundant data and has the best write performance.
Data striping is performed at the level of blocks.

RAID 1: MIRRORED
Two identical copies of data across different disks.
Maintains consistency during disk failure; writes may not be simultaneous.

21
Q

What is the association of DBMS and web security?

A

Internet communication relies on TCP/IP and HTTP as the underlying protocols.

These were not designed with security in mind (traffic can be read using packet-sniffing software).

While transmitting and receiving info over the internet, ensure:
It is inaccessible to anyone but the sender and receiver
It has not changed during transmission
Receiver is sure it came from the sender
Sender is sure the receiver is genuine

22
Q

What are the measures taken for web security?

A

PROXY SERVER:
Sits between the web browser and the server.
Improves performance by serving requests on the proxy if the info is still in cache.
Filters requests such that selected websites can't be used.

FIREWALLS:
Prevents unauthorized access to/from a private network.
It examines messages entering/leaving a network and blocks those that don't meet the criteria.

DIGITAL CERTIFICATES:
An attachment to an electronic message used for security. Verifies that a user sending a message is who they claim to be.

Provides the receiver with the key to encode a reply.
An individual wishing to send an encoded message applies to a Certificate Authority (CA).
The CA provides an encrypted digital certificate containing the applicant's public key.
Vouches for the authenticity of sender and receiver and provides them with keys.

23
Q

State a case study

A

Chaos Monkey: A tool to randomly disable production instances to ensure they can survive this common failure.
* Running this program in the middle of the day in a busy environment with standby engineers, they can learn lessons about weaknesses in the system, so failures during down-time are less noticeable.
* Other examples include Latency, Conformity, and Doctor Monkey.
This is a tool designed by Netflix, where individual components fail without affecting the entire system.

24
Q

What is a security policy and a contingency plan?

A

SECURITY POLICY:
How an organization is to maintain a secure system:
Agreed encryption methods
Digital certificates
Authentication

Should include:
Area of business it covers
Responsibility of employees
Disciplinary action in case of breaches
Procedures

CONTINGENCY PLAN:
How an organization will react and continue to operate in emergency

Should include:
Establish response necessary to deal with unusual events
Key personnel and how to contact
Who decides if contingency exists
Technical requirement of transferring operations to other site
Important external contacts
Insurance

25
Q

What are legal personnel controls and securing positioning?

A

LEGAL PERSONNEL CONTROLS:
Threats include internal staff
Adequate control mechanisms to minimize risk of all staff accessing protected data.

SECURING POSITIONING AND STORAGE:
Using LOCKED ROOMS
Restricted access to hardware
Alarms

26
Q

What are escrow agreements?

A

ESCROW AGREEMENTS
Legal contracts concerning software between developer and client
Third party holds source code for client application
Client can acquire source code if developer goes out of business.

27
Q

What are the main stages of risk analysis?

A

Establish SECURITY TEAM
Scope of analysis and obtain system details
Identify existing COUNTER MEASURES
Identify all system assets and all THREATS AND RISKS
Select countermeasures and undertake a cost/benefit analysis
TEST security systems

28
Q

What is privacy and privacy law?

A

PRIVACY:
Right of an individual not to have personal info collected, stored or disclosed willfully or not.

DATA PROTECTION:
Protection of data from unlawful acquisition and storage, and provision of safeguards to avoid the destruction of legitimate data.

PRIVACY LAW:
Concerns personal data rights of individuals with respect to their data.
Legislation attempts to protect individuals from abuse.

29
Q

What are the important legal acts to protect data?

A

EU Data Protection Directive - 1995

US Patriot Act - 2001

General Data Protection Regulation (GDPR) - 2018