From the course: CISSP Cert Prep (2021): 3 Security Architecture and Engineering

Server and database security


- [Instructor] Server and database administrators must be aware of security issues particular to the environments that they manage. All servers are affected by data flow control, while database servers must also be protected against aggregation, inference, and other database-specific attacks.

Data flow control manages the transfer of information to and from your servers. As you prepare for the exam, you should familiarize yourself with two different data flow control concepts. First, administrators must take steps to ensure that data flow doesn't become high enough in volume that it overwhelms the available bandwidth of either the server or the network. Data flow control technology is built into network devices and server operating systems. These components should be configured to limit inbound and outbound data transmissions to a rate that both the server and the network can support. Failure to enforce data flow control in this manner can lead to a denial of service attack. Second, system architects carefully map out and understand how data flows within their systems, paying particular attention to sensitive information. Cybersecurity professionals must apply rigorous security controls to environments that handle that sensitive information. By mapping out these data flows, they can apply controls with the confidence that they are impacting all the systems that store sensitive information.

One of the most common types of server is the database server. Database servers store information for later retrieval and are an important component of almost every enterprise system. Data mining and analytics programs are very important business trends, and they depend upon very large data warehouses. These warehouses store massive amounts of data, and as such are lucrative targets of attackers. There are two specific types of attack that database administrators should pay careful attention to: aggregation and inference.

Aggregation occurs when an individual with a low-level security clearance is able to put together facts available at that low level to determine a very sensitive piece of information that they should not have access to. Let's look at an example. Imagine that a company is planning to open a new manufacturing facility but hasn't yet disclosed that information to the public. They'd like to keep it a closely guarded secret for as long as possible, and only a few key employees within the company know about the facility. Well, a travel agent certainly wouldn't be among those cleared individuals, but that travel agent might have access to travel records that show that the vice-president for manufacturing traveled six times to Texas in the past three months. Also, they might be able to see that a key group of manufacturing leaders is traveling to Texas in June using one-way tickets and that the CEO booked a private jet to travel to Texas on July 1st. By aggregating together these pieces of information, the travel agent might figure out that a new facility will be in Texas and it's likely opening on July 1st.

Inference occurs when an individual can figure out sensitive information from the facts available to them. For example, a financial analyst may not be permitted to know individual employees' salaries but may have access to financial reports that show the total amount the company spent on payroll each month. Let's say that amount was $2,350,000 in June, and then it went up to two and a half million dollars in July. If the analyst also knows that a new engineer was hired on July 1st, that no employee has left the company in June or July, and that salary increases for existing employees only occur in January, then the analyst can infer that the new engineer's salary is $150,000. That's inference.
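
The payroll inference described above works because two published totals cover populations that differ by a single person. As an added example (not part of the course material), this Python check gates the release of each total on that difference; the ledger entries, the threshold `K` and the function names are constructed assumptions, with totals chosen to match the figures in the transcript.

```python
"""Differencing check for aggregate payroll reports (added example, constructed data)."""

# Constructed ledger: amount attributed to each employee in a reporting period.
# Totals match the transcript: 2,350,000 for June and 2,500,000 for July.
JUNE = {"e01": 600_000, "e02": 550_000, "e03": 500_000, "e04": 400_000, "e05": 300_000}
JULY = {**JUNE, "e06": 150_000}  # one new hire, nobody left, no raises

K = 3  # assumed policy: no released figure may isolate fewer than K people


def differencing_risk(cohort, released, k=K):
    """Return the ids exposed if this cohort's total is published next to an
    already released total, or an empty set when the release is safe.
    Assumes per-person amounts are unchanged between periods (no raises)."""
    if len(cohort) < k:                     # minimum query-set-size rule
        return set(cohort)
    for prior in released:
        delta = set(cohort) ^ set(prior)    # people counted in only one total
        if 0 < len(delta) < k:              # subtracting the totals isolates them
            return delta
    return set()


def publish(periods, k=K):
    """Walk periods in order; release a total only if it passes the check."""
    released, report = [], {}
    for name, cohort in periods:
        exposed = differencing_risk(cohort, released, k)
        if exposed:
            report[name] = ("WITHHELD", sorted(exposed))
        else:
            report[name] = ("RELEASED", sum(cohort.values()))
            released.append(cohort)
    return report


if __name__ == "__main__":
    for period, outcome in publish([("June", JUNE), ("July", JULY)]).items():
        print(period, outcome)
```

With `K = 3`, the June total is released and the July total is withheld, because publishing both would let a reader subtract them and recover the single new hire's figure.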
