
Databases need to have security in order to protect the database against both harmful and accidental threats.

A threat is any type of situation that will badly affect the database system.

THREATS TO A DATABASE SYSTEM are:


1. Privilege Elevation
2. Database Platform Vulnerabilities
3. SQL Injection
4. Weak Audit Trail
5. Denial of Service
6. Database Communication Protocol Vulnerabilities
7. Weak Authentication
8. Backup Data Exposure
9. Privilege Abuse
10. Excessive Privileges

Privilege elevation:
Attackers may take advantage of database platform software vulnerabilities to convert access privileges from those of an ordinary user to those of an administrator. Vulnerabilities may be found in stored procedures, built-in functions, protocol implementations, and even SQL statements. For example, a software developer at a financial institution can take advantage of a vulnerable function to obtain database administrative privileges.

Preventing privilege elevation:


Privilege elevation exploits can be prevented with a combination of query-level access control and an intrusion prevention system (IPS). An IPS inspects database traffic to recognize patterns that correspond to known vulnerabilities. For example, if a given database function is known to be vulnerable, then an IPS can either block all access to the vulnerable procedure, or block only those procedure calls that carry embedded attacks.

Database Platform Vulnerabilities:


Vulnerabilities in operating systems (Windows 2000, UNIX, etc.) and in additional services installed on a database server may lead to unauthorized access, data corruption, or denial of service.

Preventing platform attacks:


Protecting database assets from platform attacks requires a combination of regular software updates (patches) and Intrusion Prevention Systems (IPS). Compatibility problems sometimes prevent software updates altogether. To overcome these problems, IPS should be implemented. An IPS inspects database traffic and identifies attacks targeting known vulnerabilities.

SQL injection:
In a SQL injection attack, a perpetrator typically inserts (or injects) unauthorized database statements into a vulnerable SQL data channel. The targeted data channels include stored procedures and web application input parameters. These injected statements are then passed to the database, where they are executed. Using SQL injection, attackers can gain unrestricted access to the whole database system.

Preventing SQL injection:


Several techniques can be combined to effectively combat SQL injection: intrusion prevention (IPS), query-level access control, and event correlation. IPS can identify vulnerable stored procedures or SQL injection strings. However, IPS alone is not reliable, since SQL injection signatures are prone to false positives: security managers who depend on IPS alone would be bombarded with possible SQL injection alerts. By correlating a SQL injection signature with another violation, such as a query-level access control violation, a real attack can be identified with very high accuracy.
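The correlation described above, as an added Python sketch that is not part of the original document: a query is escalated only when a signature match and a query-level access control violation occur together. The signatures, the per-account profile, the account names and the sample queries are all constructed for illustration.

```python
import re

# Constructed IPS-style signatures; a real rule set is far larger.
SIGNATURES = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),
    re.compile(r"\bor\b\s+'?\d+'?\s*=\s*'?\d+'?", re.I),
]

# Constructed query-level access profile: the (operation, table) pairs each
# account normally needs. Anything outside it is an access control violation.
PROFILE = {
    "webapp": {("SELECT", "students"), ("UPDATE", "students")},
    "report": {("SELECT", "students"), ("SELECT", "grades")},
}

def op_and_tables(sql):
    """Rough extraction of the statement type and the tables it references."""
    words = sql.split()
    op = words[0].upper() if words else ""
    found = re.findall(r"\b(?:from|join|update|into)\s+([a-z_]+)", sql, re.I)
    return op, {t.lower() for t in found}

def classify(user, sql):
    """Correlate the two detectors into one verdict per query."""
    signature = any(p.search(sql) for p in SIGNATURES)
    op, tables = op_and_tables(sql)
    allowed = PROFILE.get(user, set())
    violation = any((op, t) not in allowed for t in tables)
    if signature and violation:
        return "attack"            # both fire: high-confidence alert
    if signature:
        return "signature_only"    # likely false positive, log at low priority
    return "policy_only" if violation else "ok"

# Constructed sample traffic: (database account, SQL text).
EVENTS = [
    ("webapp", "SELECT name FROM students WHERE id = 7"),
    ("report", "SELECT name FROM students WHERE club = 'Trade Union Select Committee'"),
    ("webapp", "SELECT name FROM students WHERE id = 7 UNION SELECT password FROM users"),
    ("webapp", "DELETE FROM students WHERE id = 7"),
]

def triage(events):
    return [classify(user, sql) for user, sql in events]

if __name__ == "__main__":
    for (user, sql), verdict in zip(EVENTS, triage(EVENTS)):
        print(f"{verdict:15} {user:7} {sql}")
```

The second sample query trips the signature on ordinary text but stays inside the account's profile, so it is not escalated; only the third query fires both detectors.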

Weak Audit Trail:


A weak audit logging mechanism in a database server represents a critical risk to an organization, especially in retail, healthcare, and other industries with strict regulatory compliance requirements. Logging of sensitive or unusual transactions happening in a database should be done in an automated manner to help resolve interruptions and crises. Audit trails act as the last line of database protection. Audit trails can detect the existence of a violation and help trace the violation back to a particular point in time and a particular user. A weak database audit policy represents a serious organizational risk on multiple levels.

Denial of Service:
Denial of Service (DOS) is a general attack category in which access to network applications or data is denied to intended users. DOS conditions may be generated through several techniques, some of which rely on vulnerabilities. For example, DOS may be achieved by taking advantage of a database platform weakness to crash a server. Other common DOS techniques include data corruption, network flaws, and server resource overload (memory, CPU, etc.). Resource overload is especially common in database environments.

Preventing denial of service:


DOS prevention requires protections at multiple levels: network, application, and database level security. This document focuses on database-specific protections. In this database-specific context, deployment of connection rate control, IPS, query access control, and response timing control is recommended.

Database Communication Protocol Vulnerabilities:


A growing number of security vulnerabilities are being identified in the database communication protocols of all database vendors.

Preventing Database Communication Protocol Attacks:


Database communication protocol attacks can be defeated with technology commonly referred to as protocol validation. Protocol validation technology essentially parses (disassembles) database traffic and compares it to expectations. In the event that live traffic does not match expectations, alerts or blocking actions may be taken.

Weak Authentication:
Weak authentication schemes allow attackers to assume the identity of rightful database users by stealing or otherwise obtaining login credentials. An attacker can apply any number of strategies:

Brute Force - The attacker repeatedly enters username/password combinations until he finds one that works. The brute force process may involve simple guesswork or systematic enumeration of all combinations. Usually an attacker uses automated programs to accelerate the brute force process.

Social Engineering - A scheme in which the attacker takes advantage of the natural human tendency to trust in order to convince others to provide their login credentials. For example, an attacker may present himself over the phone as an IT manager and request login credentials for system maintenance purposes.

Preventing weak authentication:


Implementation of passwords or two-factor authentication is essential. For scalability and ease of use, authentication mechanisms should be integrated with enterprise directory/user management infrastructures. A strong user name and password policy must be implemented.

Backup Data Exposure:


A backup data exposure attack involves the theft of database backup tapes and hard disks. Backup database storage media is often completely unprotected from attack.

Preventing Backup Data Exposure:


All backups should be encrypted. Some vendors have suggested that future DBMS products may not support the creation of unencrypted backups. Encryption of on-line production database information is often suggested, but performance and cryptographic key management drawbacks often make this impractical, and it is generally acknowledged to be a poor substitute for granular privilege controls.

Privilege Abuse:
Users may abuse legitimate data access privileges for unauthorized purposes. For example, a user with privileges to view individual student records via a custom student application client may abuse that privilege to retrieve all student records through an MS-Excel client.

Preventing privilege abuse:


The solution to privilege abuse is access control policies that apply not only to what data is accessible, but also to how data is accessed. By applying policies for time of day, location, application client, and volume of data retrieved, it is possible to identify users who are abusing access privileges.
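An added Python sketch (not part of the original document) of such a context-aware policy, evaluating each access against the four dimensions named above: application client, location, time of day, and volume of data retrieved. The account name, client names, network range, hours and row limit are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    clients: set      # application clients the account may connect with
    networks: list    # source networks the account may connect from
    start: time       # beginning of the permitted working window
    end: time         # end of the permitted working window
    max_rows: int     # largest result set a single query should return

@dataclass
class Access:
    user: str
    client: str
    source_ip: str
    at: time
    rows: int

# Constructed policy for a hypothetical "registrar" account.
POLICIES = {
    "registrar": Policy({"student-app"}, [ip_network("10.20.0.0/16")],
                        time(8, 0), time(18, 0), 50),
}

def violations(a):
    """Return the list of policy dimensions this access breaks."""
    p = POLICIES.get(a.user)
    if p is None:
        return ["no_policy"]          # unknown accounts are never implicitly allowed
    out = []
    if a.client not in p.clients:
        out.append("client")
    if not any(ip_address(a.source_ip) in net for net in p.networks):
        out.append("location")
    if not (p.start <= a.at <= p.end):
        out.append("time")
    if a.rows > p.max_rows:
        out.append("volume")
    return out

# Constructed sample accesses, including the spreadsheet bulk export case.
SAMPLES = [
    Access("registrar", "student-app", "10.20.3.4", time(10, 15), 1),
    Access("registrar", "excel", "10.20.3.4", time(10, 20), 12000),
    Access("registrar", "student-app", "192.0.2.10", time(23, 30), 1),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.user, s.client, s.source_ip, s.at, s.rows, "->", violations(s) or "ok")
```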

Excessive privileges:
When users (or applications) are granted database access privileges that exceed the requirements of their job function, these privileges may be abused for harmful purposes. For example, a college administrator whose job requires only the ability to change student information can take advantage of excessive database update privileges to change the grades and marks of students.

Preventing Excessive Privilege Abuse - Query-Level Access Control:


The solution to this problem (besides good hiring policies) is query-level access control. Query-level access control restricts privileges to minimum-required operations and data. Most native database security platforms offer some of these capabilities (triggers, RLS, and so on), but the manual design of these tools makes them impractical.

Conclusion:
Although database information is vulnerable to a host of attacks, the risk can be reduced by focusing on the most critical threats.
