Database Security: SQL Injection, Authentication and Authorization

Added on 2023/06/16
1. Examples of confidential information are social security numbers, intellectual
property such as research activities, supplier contact lists, customer lists and the terms of
contracts.
2. SQL injection is an injection attack in which an attacker can execute malicious
SQL statements that control a web application's database server. It can therefore be
said that an SQL injection vulnerability could affect any website which
uses an SQL-based database (Acunetix 2016). This is one of the oldest
vulnerabilities of web-based applications.
3. A buffer overflow is a common software coding mistake which occurs when more
data is written into a fixed-length buffer than the buffer can hold. As a result
the adjoining memory is corrupted and overwritten. Because of a
buffer overflow the system may end up crashing, and an attacker may also be able to run
arbitrary code (DuPaul 2012).
4. It is important for information security professionals to know the laws that affect
them because they are not only expected to be skilful enough to manage the
various security implementation issues but also to ensure that the company is made aware of
those who are acting against the organization. Lastly, being aware of the laws
would also deter them from attempting any kind of malicious act against the
organization themselves.
5. Some other security models besides the CIA triad are capability-based security,
mandatory access control, protection rings, the Bell-LaPadula model and access control
lists.
6. The four components of security documentation are:
a) Enforcement, which states how the security documentation will be enforced and how
any kind of violation will be dealt with.
b) User access to computer resources, which also identifies the responsibilities of the
users who access the various computer resources.
c) A good security profile.
d) Backup and recovery, which is crucial in case of emergencies (Albright, 2002).
7. A security architect, as the name says, is accountable for the security countermeasures
of one or more systems, applications, components or data centres. He is required to check
and re-check the need for security and thereby formulate and build up the security
architecture of the various applications, servers and data centres. He is also
responsible for developing the security mechanisms used in software construction, guarantees
the integrity of the architectures with respect to security, and helps the
organization implement accepted strategies, actions, principles and procedures
(Queensland Government Chief Information Office, 2017).
8. In the context of systems and technology, authentication is a procedure that confirms
the identity of a user. Authentication starts once a user attempts to get
hold of information. It can therefore be defined as the identification of a person, based on
a user id and password, on entering a secured system.
Authorisation, on the other hand, is a defence method used to determine a user's or client's
rights or access levels to system resources. It can thus be described as a
procedure wherein the user is either permitted or denied access to a secured system of
an organization. Authorisation allows access only to those resources which are
appropriate to that particular user's identity.
In practice, authentication comes before authorisation, in order to identify
the user who is trying to access the resources. During
authorisation, the system checks what access the authenticated user has been
granted, and on that basis it grants or denies access to the resources (Laskov, 2005).
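The two-step sequence described above, as an added example that is not part of the assignment or its sources: a user id and password are first verified against a stored salted hash (authentication), and only then is the identity looked up in a permission table that maps users to the privileges they hold on each database object (authorisation). The user names, passwords, object names and privilege sets are constructed for the illustration.

```python
"""Added example: authenticate first, then authorise against a permission table."""
import hashlib
import hmac
import os

# Constructed credential store: (salt, pbkdf2 hash) per user, never the plaintext.
_USERS: dict = {}

# Constructed authorisation table: user -> object -> set of privileges held.
_PERMISSIONS = {
    "alice": {"customers": {"SELECT"}, "contracts": {"SELECT", "UPDATE"}},
    "bob": {"customers": {"SELECT"}},
}

_ITERATIONS = 100_000   # PBKDF2 work factor; a real deployment tunes this upward


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash for this user."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def authenticate(username: str, password: str) -> bool:
    """Step 1: is the caller who they claim to be?"""
    record = _USERS.get(username)
    if record is None:
        # Derive a dummy hash so an unknown user takes as long as a wrong password,
        # which keeps the response time from revealing which user ids exist.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison of the stored and freshly derived hashes.
    return hmac.compare_digest(stored, _hash_password(password, salt))


def authorize(username: str, obj: str, privilege: str) -> bool:
    """Step 2: does this identity hold the requested privilege on the object?
    Anything not explicitly granted is denied (default deny)."""
    return privilege in _PERMISSIONS.get(username, {}).get(obj, set())


def access(username: str, password: str, obj: str, privilege: str) -> str:
    """Run both steps in order and report which one, if any, refused the request."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, obj, privilege):
        return "denied: not authorized"
    return "granted"


# Constructed accounts used by the demonstration.
register("alice", "correct horse")
register("bob", "battery staple")


if __name__ == "__main__":
    print(access("alice", "correct horse", "contracts", "UPDATE"))   # granted
    print(access("bob", "battery staple", "contracts", "UPDATE"))    # denied: not authorized
    print(access("bob", "wrong password", "customers", "SELECT"))    # denied: authentication failed
```

Note that `bob` with the correct password is still refused `UPDATE` on `contracts`: proving identity says nothing about what that identity may do, which is exactly the distinction between the two steps. The permission table here plays the role that `GRANT`, `REVOKE` and `DENY` statements maintain inside a real database server.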
9. The three commands for administering database object permissions are:
a) Grant command: GRANT [privilege] ON [object] TO [user] [WITH GRANT OPTION]
b) Revoke command: REVOKE [GRANT OPTION FOR] [permission] ON [object] FROM [user] [CASCADE]
c) Deny command: DENY [permission] ON [object] TO [user] (Chapple, 2017)
10. The best-practice network architecture that should be used for databases that
provide data via a web server to the internet is a trusted zone of their own. They
should accept inbound connections from the web servers only, and this should
be enforced both at a firewall and on the systems themselves.
11. Encryption is not generally used in the core layer because this layer only takes care of
speed and ensures proper delivery of the packets. The main job of
encryption is to ensure that the data is sent without any loss.
12. The layers of the Cisco hierarchical internetworking model are:
a) Core layer: this is the backbone of the network and includes the high-end
switches and high-speed cabling such as fibre. This layer is mainly
concerned with speed and ensures proper delivery of the packets.
b) Distribution layer: this layer consists of LAN-based routers and layer 3
switches. It ensures that packets are securely sent between the subnets and
VLANs within the organization.
c) Access layer: this layer consists of hubs and switches. Its main job is to
ensure that the packets are delivered to the end users (Search Networking 2004).
13. The core layer consists of high-speed network equipment designed to
switch packets and thereby connect the various campus elements such
as the distribution modules, service modules and the WAN edge. In this layer
there is no storage or processing of data; it is concerned only with reliability and
transport across the network. Encryption, on the other hand, is a procedure which ensures that
confidential information is transmitted in an encoded form so that it cannot be
understood by any unauthorised person. Hence the need for encryption lies at the
distribution layer rather than the core layer.
14. An intranet is a website which enables people within the organization to stay
connected. In today's world an intranet is of utmost importance. It is used for better
interaction and collaboration by providing the staff with the tools they require
to become more productive, efficient and informed (Friesen, 2016). It helps
employees to carry out their tasks at any time, irrespective of where they are.
REFERENCES
Albright, J. G. (2002). The Basics of an IT Security Policy. Retrieved from
https://www.giac.org/paper/gsec/1863/basics-security-policy/103278
Acunetix. (2016). SQL Injection (SQLi). Retrieved from
https://www.acunetix.com/websitesecurity/sql-injection/
Chapple, M. (2017). Data Control Language (DCL). Retrieved from
https://www.thoughtco.com/data-control-language-dcl-1019477
Cisco Networking Academy. (2014). Cisco Networking Academy Connecting Networks
Companion Guide: Hierarchical Network Design. Retrieved from
http://www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4
DuPaul, N. (2012). What is a Buffer Overflow? Retrieved from
https://www.veracode.com/blog/2012/04/what-is-a-buffer-overflow-learn-about-buffer-overrun-vulnerabilities-exploits-attacks
Friesen, I. (2016). What is an Intranet? The Definitive Explanation. Retrieved from
https://www.thoughtfarmer.com/blog/what-is-an-intranet-definitive-explanation/
Laskov, P. (2005). Introduction to Computer Security. Retrieved from
http://www.ra.cs.uni-tuebingen.de/lehre/ss11/introsec/05-auth.pdf
Queensland Government Chief Information Office. (2017). Security Architect. Retrieved
from https://www.qgcio.qld.gov.au/products/ict-workforce-capability/careers-and-programs/ict-career-streams/security-architect
Search Networking. (2004). The Cisco three-layered hierarchical model. Retrieved
from http://searchnetworking.techtarget.com/tutorial/The-Cisco-three-layered-hierarchical-model