Notes of Unit - 5 (DBMS)

DBMS notes

Uploaded by

28julykarnsoumya
Unit - 5 (DBMS)

What is Authentication?
● Authentication is the process of verifying that a person or system really is
who it claims to be.
● It is used by both server and client. A server authenticates a client when
someone wants to access information and the server needs to know who is
asking. A client authenticates a server when it wants to be sure it is talking
to the server it claims to be (for example, by checking the server's TLS
certificate).
● Authentication by a server is done mostly with a username and password.
Other ways include smart cards, hardware tokens, retina scans, voice
recognition, and fingerprints.
● Authentication does not decide what tasks a person may perform, or which
files he can view, read, or update; that is authorization. Authentication only
establishes who the person or system actually is.
Authentication Factors

Factors fall into three independent categories: something you know (password,
PIN), something you have (phone, hardware token, smart card), and something
you are (fingerprint, retina, voice). Depending on the security level and the type
of application, a system can require one or more of them:
● Single-Factor Authentication
Single-factor authentication is the simplest form. It needs only one factor,
usually a username and password, to allow a user to access a system.
● Two-factor Authentication
As the name says, it requires two-step verification using factors from two
different categories. Besides the username and password it also requires a
second factor, typically a one-time password (OTP) or a unique link sent to
the user's registered phone number or email address, or a code from an
authenticator app. Note that security questions such as a first school name
or a favourite destination are also "something you know", so a password plus
a security question is still single-factor, even though it takes two steps.
● Multi-factor Authentication
This is the most secure form of authentication. It requires two or more
factors from different and independent categories (two-factor authentication
is the most common case). It is widely used in financial organizations, banks,
and law enforcement agencies. It does not eliminate every data exposure, but
a stolen password alone is no longer enough for a third party or an attacker to
log in.

Authentication techniques
1. Password-based authentication
It is the simplest technique. The user supplies a username and a password. The
system looks up the stored password record for that username and, if the
password matches, the user is authenticated. The password should be stored
only as a salted hash, never in plain text, and compared in constant time.
2. Passwordless authentication
In this technique the user does not need a password; instead he receives an OTP
(one-time password) or a login link on his registered mobile number or email
address. It is also called OTP-based authentication.
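The two techniques above combined into one two-factor login, as an added example (not code from the notes): the knowledge factor is checked against a salted PBKDF2 hash in constant time, and the possession factor is an RFC 6238 TOTP code such as an authenticator app or SMS gateway would produce. The user table, the password and the TOTP secret are constructed demo values (the secret is the RFC 6238 test-vector key, chosen so the codes can be checked against the RFC's table).

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# OWASP's current minimum iteration count for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random 16-byte salt is drawn if none is given,
    so two users with the same password get different stored hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(stored: tuple, candidate: str) -> bool:
    salt, expected = stored
    _, actual = hash_password(candidate, salt)
    # Constant-time comparison so response time does not leak how many bytes matched.
    return hmac.compare_digest(expected, actual)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter floor(at / step)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate small clock skew."""
    return any(hmac.compare_digest(totp(secret, at + k * 30).encode(), code.encode())
               for k in range(-window, window + 1))


# Constructed in-memory user store; the secrets are demo values, not real credentials.
USERS = {
    "alice": {
        "password": hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",   # the RFC 6238 test-vector key
    }
}


def authenticate(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Two-factor login: knowledge factor (password) then possession factor (TOTP)."""
    now = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        # Burn a hash anyway so an unknown username takes as long as a wrong password
        # (otherwise the response time reveals which usernames exist).
        hash_password(password)
        return False
    if not verify_password(user["password"], password):
        return False
    return verify_totp(user["totp_secret"], code, now)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)
    print(authenticate("alice", "correct horse battery staple", code, now))   # True
    print(authenticate("alice", "wrong password", code, now))                 # False
```

The password check deliberately fails closed before the OTP is even looked at, and the OTP window is one step either side, which is the usual trade-off between clock drift and replay exposure.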

What is Authorization?

● Authorization is the process of deciding whether an authenticated user (or
system) is permitted to perform an action on a resource.
● It defines what data and information a user can access. It is also written
AuthZ (and authentication as AuthN).
● Authorization usually follows authentication, so that the system knows who
is asking before it decides what they may do.
● Authorization is not always necessary to access information available over
the internet. Some data, such as public web pages, can be read by anyone
without any authorization.

Authorization Techniques

● Role-based access control
RBAC (role-based access control) grants permissions to users according to
their role or profile in the organization rather than individually. It can be
applied system-to-system or user-to-system.
● JSON web token
A JSON web token (JWT, RFC 7519) is an open standard for transmitting claims
between parties as a signed JSON object. The issuer signs the token either
with a shared secret (HMAC) or with a private key whose public key the
verifier holds; the receiving service verifies the signature and expiry and then
reads claims such as the user's roles to make its authorization decision.
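How the two techniques fit together, as an added example that is not from the notes: a service issues an HS256-signed JWT carrying a `roles` claim, verifies it on every request, and only then applies an RBAC permission table. The signing key, the role-to-permission table and the action names are constructed for the example; a real service would load the key from a secret store.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side signing key for the example; load from a secret store in practice.
SECRET = b"demo-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject: str, roles: list, now: int, ttl: int = 900) -> str:
    """Sign a JWT with HS256: HMAC-SHA256 over base64url(header).base64url(payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is well-formed, signed with our key and unexpired."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:                # wrong part count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side: the token must never choose it
    # (this is what blocks "alg": "none" and key-confusion tricks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(_b64url_decode(p))   # signature is valid, so this is what we issued
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


# RBAC policy: role -> set of permitted actions (constructed for the example).
ROLE_PERMISSIONS = {
    "reader": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "user:manage"},
}


def authorize(token: str, action: str, now: int) -> bool:
    """Authentication (verify the token) followed by authorization (RBAC on its claims)."""
    claims = verify_jwt(token, now)
    if claims is None:
        return False
    return any(action in ROLE_PERMISSIONS.get(role, set())
               for role in claims.get("roles", []))
```

Changing the `roles` claim in a captured token without re-signing it fails the HMAC check, and a token whose header says `"alg": "none"` is rejected before the signature is even looked at; both are the checks that real JWT libraries have historically got wrong.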

What is access control?

Access control determines who can access a resource and when. For a building it
can be as simple as a door with a lock or as complex as a video intercom,
biometric scanners, and a metal detector; for a database or file system it is the
permission system that decides which users may read or change which data.

What are access control models?

Access control models differ in who sets the permissions and how those
permissions are expressed. Some models are stricter than others: the strict ones
suit organizations handling highly sensitive data, the more flexible ones suit
environments with many users and frequent changes.
The same model names (DAC, MAC, RBAC) are used both for physical access to
buildings and for software permissions on digital files and databases. The
underlying ideas are the same, but the two kinds of implementation have very
little to do with each other; the rest of this unit uses the models in the
software sense.

The main access control models are:

1. Discretionary access control (DAC)

2. Mandatory access control (MAC)

3. Role-based access control (RBAC)

What is mandatory access control (MAC)?

Mandatory access control uses a centrally managed model to provide a very high
level of security. It is non-discretionary: MAC reserves control over access
policies to a central security administration, and resource owners cannot
change them.
MAC works by applying security labels to resources and to users. A security
label has two elements:
● Classification and clearance — MAC relies on a classification system
(restricted, secret, top-secret, etc.) that describes a resource's sensitivity.
A user's security clearance determines which classifications they may
access.
● Compartment — A resource's compartments describe the groups (department,
project team, etc.) whose members may access it. A user's compartments
are the groups they participate in.
A user may read a resource only if their label dominates the resource's label:
their clearance is at least the resource's classification and their compartments
include every compartment of the resource.
MAC originated in the military and intelligence community. Beyond the national
security world, MAC implementations protect some companies' most sensitive
resources. Banks and insurers, for example, may use MAC to control access to
customer account data.

Advantages of MAC
● Enforceability — MAC administrators set organization-wide policies that
users cannot override, making enforcement easier.
● Compartmentalization — Security labels limit the exposure of each resource
to a subset of the user base.

Disadvantages of MAC
● Collaboration — MAC achieves security by constraining communication.
Highly collaborative organizations may need a less restrictive approach.
● Management burden — A dedicated organizational structure must manage
the creation and maintenance of security labels.

What is discretionary access control (DAC)?

Discretionary access control decentralizes security decisions to resource owners.
The owner could be a document's creator or a department's system administrator.
DAC systems use access control lists (ACLs) to decide who can access a
resource. An ACL is a table that pairs user and group identifiers with their
access rights.
The sharing option in most operating systems is a form of DAC. For each file
you own, you can set read/write rights for individual users and groups in an
ACL, and only you (or an administrator) can change that list. System
administrators use the same technique to secure access to network shares.

Advantages of DAC
● Conceptual simplicity — ACLs pair a user with their access privileges. As
long as the user is in the table and has the appropriate privileges, they may
access the resource.
● Responsiveness to business needs — Since policy change requests do not
need to go through a security administration, decision-making is more nimble
and aligned with business needs.

Disadvantages of DAC
● Over/underprivileged users — A user can be a member of multiple, nested
workgroups. Conflicting permissions may over- or under privilege the user.
● Limited control — Security administrators cannot easily see how resources
are shared within the organization. And although viewing a resource’s ACL is
straightforward, seeing one user’s privileges requires searching every ACL.
● Compromised security — By giving users discretion over access policies,
the resulting inconsistencies and missing oversight could undermine the
organization’s security posture.

What is role-based access control (RBAC)?

Role-based access control grants access privileges based on the work that
individual users do. A popular way of implementing "least privilege" policies,
RBAC limits access to just the resources users need to do their jobs.
Implementing RBAC requires defining the different roles within the organization and
determining whether and to what degree those roles should have access to each
resource.
Accounts payable administrators and their supervisor, for example, can both
access the company's payment system. The administrators' role lets them
create payments but not approve them. Supervisors, on the other hand, can
approve payments but may not create them. Splitting the two rights across
roles is a separation-of-duties control: no single person can both create and
approve a payment.

Advantages of RBAC
● Flexibility — Administrators can optimize an RBAC system by assigning
users to multiple roles, creating hierarchies to account for levels of
responsibility, constraining privileges to reflect business rules, and defining
relationships between roles.
● Ease of maintenance — With well-defined roles, the day-to-day
management is the routine on-boarding, off-boarding, and cross-boarding of
users’ roles.
● Centralized, non-discretionary policies — Security professionals can set
consistent RBAC policies across the organization.
● Lower risk exposure — Under RBAC, users only have access to the
resources their roles justify, greatly limiting potential threat vectors.

Disadvantages of RBAC
● Complex deployment — The web of responsibilities and relationships in
larger enterprises makes defining roles so challenging that it spawned its own
subfield: role engineering.
● Balancing security with simplicity — More roles and more granular roles
provide greater security, but administering a system where users have dozens
of overlapping roles becomes more difficult.
● Layered roles and permissions — Assigning too many roles to users also
increases the risk of over-privileging users.
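The three models side by side, as an added example rather than code from the notes: a MAC label check (clearance must dominate classification, compartments must be a superset), a DAC resource whose ACL only its owner may edit, and the accounts-payable RBAC scenario described above with the create/approve separation enforced. Level names, user names and role names are constructed for the example.

```python
from dataclasses import dataclass, field

# ---- MAC: labels carry a classification level and a set of compartments ----------
LEVELS = {"unclassified": 0, "restricted": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def mac_allows_read(subject: Label, resource: Label) -> bool:
    """Subject label must dominate the resource label: level >= and compartments superset.
    The user cannot change either label; only the security administration can."""
    return (LEVELS[subject.level] >= LEVELS[resource.level]
            and subject.compartments >= resource.compartments)


# ---- DAC: an owner-managed access control list per resource ----------------------
@dataclass
class Resource:
    owner: str
    acl: dict = field(default_factory=dict)     # principal (user or group) -> set of rights


def dac_grant(resource: Resource, requester: str, principal: str, rights: set) -> bool:
    """Only the owner may edit the ACL; that discretion is what makes it DAC."""
    if requester != resource.owner:
        return False
    resource.acl.setdefault(principal, set()).update(rights)
    return True


def dac_allows(resource: Resource, principal: str, groups: set, right: str) -> bool:
    """A user gets a right if it is granted to them directly or to any group they are in."""
    return any(right in resource.acl.get(s, set()) for s in {principal} | groups)


# ---- RBAC: the accounts-payable example from the notes ---------------------------
ROLE_PERMS = {
    "ap-admin": {"payment:create"},
    "ap-supervisor": {"payment:approve"},
}
USER_ROLES = {"dana": {"ap-admin"}, "sam": {"ap-supervisor"}}   # constructed users


def rbac_allows(user: str, action: str) -> bool:
    return any(action in ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, set()))


def approve_payment(creator: str, approver: str) -> bool:
    """Separation of duties: the approver must hold the approve role and must not be
    the person who created the payment, even if they happen to hold both roles."""
    return (rbac_allows(creator, "payment:create")
            and rbac_allows(approver, "payment:approve")
            and creator != approver)
```

The DAC disadvantage described above shows up directly in this model: answering "what can bob read?" means scanning every `Resource.acl`, whereas under RBAC the answer is one lookup in `USER_ROLES`.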

What is an Intrusion Detection System?

An intrusion detection system (IDS) observes network traffic or host activity for
malicious actions or policy violations and raises an alert as soon as it sees one.
It is software (sometimes paired with a dedicated appliance) that monitors a
network or a system; each suspicious activity or violation is recorded, typically
in a central SIEM, or reported to an administrator. An IDS only detects and
alerts; it does not itself block the traffic (a system that also blocks is an
intrusion prevention system, IPS). It watches for unauthorized access by
outsiders and possibly by insiders. Seen as a machine-learning task, intrusion
detection is building a classifier that distinguishes "bad connections"
(intrusions/attacks) from "good" (normal) connections.

Working of Intrusion Detection System(IDS)

● An IDS monitors the traffic on a computer network (network IDS) or the
activity on a single host (host IDS) to detect suspicious activity.
● It analyzes the data flowing through the network to look for patterns
and signs of abnormal behavior.
● The IDS compares the activity to a set of predefined rules or signatures
(signature-based detection), or to a baseline of normal behavior
(anomaly-based detection), to identify anything that might indicate an
attack or intrusion.
● If the IDS detects something that matches a rule or deviates from the
baseline, it sends an alert to the system administrator (or to the SIEM).
● The administrator then investigates the alert and takes action to prevent
damage or further intrusion.
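The detection step in miniature, as an added example (not code from the notes): a small host-based detector that parses web-server access-log lines, applies signature rules for SQL injection and path traversal to the URL-decoded request, and applies a threshold rule that flags repeated failed logins from one address. The log lines and the rule set are constructed for the example; real signatures are far larger and are tuned against false positives.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature rules: (name, pattern applied to the URL-decoded request path).
# Decoding first matters: attackers percent-encode to slip past naive matching.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*'?", re.I)),
    ("sqli-union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


def parse(line: str):
    """Return a dict of fields for one log line, or None if it is not a CLF line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote(rec["path"])
    return rec


def detect(lines, fail_threshold: int = 5) -> list:
    """Return (rule, ip, detail) alerts: signature hits plus a failed-login threshold rule."""
    alerts = []
    failed_logins = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(rec["decoded"]):
                alerts.append((name, rec["ip"], rec["decoded"]))
        # Threshold rule: fire once when an address reaches N failed logins.
        if rec["path"].startswith("/login") and rec["status"] == 401:
            failed_logins[rec["ip"]] += 1
            if failed_logins[rec["ip"]] == fail_threshold:
                alerts.append(("login-bruteforce", rec["ip"],
                               f"{fail_threshold} failed logins"))
    return alerts


def sample_lines() -> list:
    """Constructed Common Log Format lines (made up for this example, not real traffic)."""
    lines = [
        '10.0.0.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
        '203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] '
        '"GET /login?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 300',
        '203.0.113.9 - - [10/Mar/2024:12:00:03 +0000] '
        '"GET /search?q=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 500 120',
        '10.0.0.8 - - [10/Mar/2024:12:00:04 +0000] '
        '"GET /files?name=../../etc/passwd HTTP/1.1" 403 64',
    ]
    for i in range(7):   # seven failed logins from one address in quick succession
        lines.append(f'198.51.100.4 - - [10/Mar/2024:12:00:{10 + i:02d} +0000] '
                     '"POST /login HTTP/1.1" 401 80')
    lines.append('10.0.0.7 - - [10/Mar/2024:12:00:20 +0000] "GET /static/app.js HTTP/1.1" 200 9000')
    return lines


if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

Note that the path-traversal hit is raised even though the server already answered 403: an IDS reports the attempt, it does not decide the outcome. The threshold rule here counts over the whole input; a production rule would count within a sliding time window so that an address is not flagged for five failures spread over a month.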

What Is SQL Injection?

SQL injection is a vulnerability in application code that builds SQL queries by
concatenating untrusted input, so that an attacker's input is interpreted as part
of the query. It allows an attacker to read sensitive data from the database,
bypass the application's security checks such as login, and use injected SQL to
modify, add, update, or delete records. A successful SQL injection attack can
badly affect websites or web applications using relational databases such as
MySQL, Oracle, or SQL Server. In recent years, many security breaches have
resulted from SQL injection attacks. The standard defence is parameterised
(prepared) queries, where input is bound as data rather than spliced into the
SQL text.

With this basic understanding of what SQL injection is, look now at the
different types of SQL injection.
Types of SQL Injection

In-band SQLi - The attacker uses the same communication channel to launch the
attack and collect the results (the data comes back in the normal HTTP
response).

The two common types of in-band SQL injection are error-based SQL injection
and union-based SQL injection.

1. Error-based SQL injection - Here, the attacker deliberately causes the
database to generate error messages that the application shows to the user.
From the error text the attacker can learn which database product and version
is in use and, with further probes, table and column names and even data.
2. Union-based SQL injection - Here, the UNION SQL operator is used to combine
the results of two or more SELECT statements into a single result set, so the
rows of the attacker's injected SELECT are returned in the same HTTP response
as the application's own query. The payload can be placed in a URL parameter
or an input field; the injected SELECT must return the same number of
columns as the original query.

Blind SQLi - Here, the application does not return the query's data in its
response, so the attacker cannot see the result of the attack in-band and
instead infers it one yes/no answer at a time.

1. Boolean-based SQL injection - Here, the attacker sends a query that makes
the application return a visibly different response depending on whether an
injected condition is true or false.
2. Time-based SQL injection - In this attack, the attacker sends a query that
makes the database wait for a particular amount of time (for example with
SLEEP or WAITFOR DELAY) before returning. The response time tells the
attacker whether the injected condition is true or false.

Out-of-band SQL injection - Out-of-band injection is less common, because it
depends on features of the database server (such as the ability to make DNS or
HTTP requests) being enabled for the web application's database account. It
typically becomes possible through a misconfiguration by the database
administrator; the data is then exfiltrated over that separate channel instead
of the HTTP response.
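The in-band and blind variants above run against a real (in-memory SQLite) database, as an added example that is not from the notes: a login built by string concatenation falls to a tautology and to a comment, a product search falls to a UNION that pulls the users table into the same result, and a search page that only reveals found/not-found is used as a boolean oracle to recover a password one character at a time. The parameterised versions beside them are the fix. The schema, users and passwords are constructed demo data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo schema with made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INT);
        INSERT INTO users VALUES (1, 'alice', 'Alice$ecret1', 1);
        INSERT INTO users VALUES (2, 'bob', 'hunter2', 0);
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
    """)
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Query built by concatenation: user input becomes SQL syntax (deliberately vulnerable)."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the driver binds the values as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def product_search_vulnerable(conn, name: str) -> list:
    """Same concatenation bug on a two-column query, which is what UNION payloads need."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return list(conn.execute(sql))


def product_search_safe(conn, name: str) -> list:
    return list(conn.execute("SELECT name, price FROM products WHERE name = ?", (name,)))


def product_exists_vulnerable(conn, name: str) -> bool:
    """A page that only shows 'found' or 'not found': no data comes back, so this is
    the oracle used by boolean-based blind injection."""
    return len(product_search_vulnerable(conn, name)) > 0


def blind_extract_password(conn, username: str, max_len: int = 20) -> str:
    """Boolean-based blind extraction: one yes/no question per candidate character.
    The injected condition compares substr(password, pos, 1) with each guess; SQLite's
    '--' comments out the application's trailing quote."""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$!_"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = (f"Widget' AND (SELECT substr(password,{pos},1) FROM users "
                     f"WHERE username='{username}')='{ch}' -- ")
            if product_exists_vulnerable(conn, probe):
                recovered += ch
                break
        else:
            break   # no character matched: end of the string
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "x' OR '1'='1"))      # ['alice', 'bob']
    print(login_safe(db, "alice", "x' OR '1'='1"))            # []
    print(product_search_vulnerable(db, "x' UNION SELECT username, password FROM users -- "))
    print(blind_extract_password(db, "alice"))                # Alice$ecret1
```

The blind extraction needs about 65 requests per character, which is why boolean- and time-based attacks are noisy in access logs and why a rate-limit or IDS rule on repeated near-identical requests catches them; it is also why a login form that reveals nothing but "success" or "failure" is still fully exploitable when the query is concatenated.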
