Hello David,
For this assignment I have 2 discussion questions that need to be answered as well as two discussion responses that need to be responded to. The discussion questions do not need to be super long, no more than 2 paragraphs, and as long as the question is answered I am content. Each discussion question will need at least 2-3 references.
I will need this completed by Friday, October 30, 2015 no later than 11pm EST.
*Please respond anything related to the assignment in a Microsoft word document.*
I am very paranoid and try to minimize anyone being able to trace this back to me considering these questions are open to the public and are searchable on the internet.
*Thank you in advance*
Question 1:
How can you make your database more hacker-proof? How do you ensure the security of an organization's distributed databases?
Question 2:
What specific vulnerabilities affect Web enabled databases? What can be done to prevent them from happening?
*Responses can be "I agree…" (explanation why) or "I disagree…" (explanation why), or just your opinion on the response the student made, pertaining to a real-life experience you came across. You may reference any articles or sources you have used. Does not need to be long; a paragraph is fine.*
Response 1:
As with any network, it’s impossible to fully secure a database that is somehow connected to the Internet. Attackers, given enough time and resources, will compromise the database. In my mind, what’s critically important is finding a way to ensure data integrity in the event the database is breached. There are a number of initiatives pending that are attempting to improve database management and promote integrity. Ibrahim Kamel (2009) suggests watermarking the database table in main memory. While this doesn’t deter or prevent malicious activity, it will alert the database manager to a potential compromise.
Reducing the vulnerability of databases, especially distributed databases, is a challenge. One of the most important methods of securing a database is strengthening authentication procedures. As previously discussed in this course, using two-stage and multi-factor authentication to verify the identity of users would reduce the likelihood that attackers could steal a single credential and gain access. It's also critical that companies encrypt data in motion. Enforcing encryption not only while data transits between databases, but also while it traverses the company intranets, will help protect the data from compromise. Requiring widely-used protocols like Secure Sockets Layer (SSL) and IPsec will ensure data is encrypted and decrypted by authorized users. IPsec works by encrypting and authenticating each IP packet in a session, and includes protocols for exchanging keys among users (Bamrara, 2015).
While ensuring the security of databases is impossible, administrators should look at watermarking database tables to preserve integrity, and consider their authentication and encryption protocols among their systems. It is critical administrators work to reduce the attack surface (number of vulnerabilities) of their network.
Response 2:
One of the main vulnerabilities of a Web enabled database is being open to SQL injection. SQL injection is the insertion or “injection” of a SQL query through a data input from a client to an application ("SQL injection," 2014). SQL or Structured Query Language is a language used to interact with databases (Goodrich & Tamassia, 2011, p.373). An attacker can take advantage of improper coding in Web applications to “inject” SQL queries into data input fields or as part of the URL. These queries can delete, insert, or copy fields, records, and complete databases. This data can be anything from benign useless data to private medical information or credit card numbers. The main impacts of SQL attacks are loss of confidentiality, ease of authentication of an attacker, possibility of changing authorizations, and compromised integrity.
There are defenses against SQL injection. The first is parameterized queries. Parameterized queries require developers to define the SQL code and pass the parameters later, which helps the database distinguish between code and data ("SQL injection," 2014). Another defense is using stored procedures, where the developer builds SQL statements with parameters that are automatically parameterized ("SQL injection," 2014). Code for stored procedures is stored in the database itself. The result of stored procedures is similar to parameterized queries. Finally, a defense that is not quite as effective as the first two is escaping all user-supplied input ("SQL injection," 2014). Escaping all user input allows the DBMS to not confuse the input with code written by the SQL developer.
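As an added illustration of the defenses described in Response 2 (example code written for this page, not part of the student's post or the cited sources), the following Python script builds an in-memory SQLite database from constructed sample users and runs the same constructed injection payloads against three login implementations: string concatenation (vulnerable), a bound-parameter query, and quote-escaping. It also shows why escaping is the weaker defense: in a numeric `WHERE id = ...` context there is no quoted literal to escape, so the payload still executes as SQL. Stored procedures are omitted because SQLite has none. The table layout, usernames, passwords and payload strings are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data (assumption for this example, not from the original post).
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def build_db():
    """Create an in-memory SQLite database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so user input is parsed as SQL code.
    Returns the (username, role) row that 'authenticated', or None."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Parameterized query: the SQL text is fixed and the values are bound separately,
    so the engine never interprets user input as code."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def escape_sql_string(value):
    """Minimal escaping for a string literal: double every single quote.
    This only protects values that are placed inside quoted literals."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Same concatenation as login_vulnerable, but with quote-escaped inputs."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'"
        % (escape_sql_string(username), escape_sql_string(password))
    )
    return conn.execute(sql).fetchone()


def user_by_id_escaped(conn, id_text):
    """Numeric context: escaping quotes changes nothing because there is no quoted literal."""
    sql = "SELECT username FROM users WHERE id = %s ORDER BY id" % escape_sql_string(id_text)
    return [row[0] for row in conn.execute(sql).fetchall()]


def user_by_id_parameterized(conn, id_text):
    """Bound parameter: the whole input is compared as a single value, never run as SQL."""
    sql = "SELECT username FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (id_text,)).fetchall()]


# Constructed attacker inputs (assumptions for this example).
LOGIN_PAYLOAD = "' OR 1=1 --"  # closes the literal, adds an always-true clause, comments out the rest
ID_PAYLOAD = "1 OR 1=1"        # contains no quotes, so quote-escaping cannot neutralise it


def demo():
    """Run every variant against the payloads and return the results by name."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, LOGIN_PAYLOAD, "wrong"),
        "parameterized": login_parameterized(conn, LOGIN_PAYLOAD, "wrong"),
        "escaped": login_escaped(conn, LOGIN_PAYLOAD, "wrong"),
        "id_escaped": user_by_id_escaped(conn, ID_PAYLOAD),
        "id_parameterized": user_by_id_parameterized(conn, ID_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %r" % (name, result))
```

Running the script shows the concatenated login returning the admin row without a valid password, while both the parameterized and the escaped login return nothing. The `id` lookup is where the two defenses part ways: the escaped version returns every user because `1 OR 1=1` is spliced straight into the statement, whereas the bound parameter is compared to the `id` column as a single text value and matches no row. That asymmetry is why parameterized queries, not escaping, are the primary defense.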