Card Set Information

2015-04-29 13:46:08

  1. Client/server architecture:
    • The third layer of a typical three-tier architecture is the database layer
    • Can be implemented as 1-tier, 2-tier or n-tier.
  2. How do you protect against an inference attack?
    Use random data elements to hide logical patterns.
  3. True/False:
    Data and information are classified into different levels of confidentiality to ensure that only authorized users access the information.
  4. Elements of Database Security:
    • Data is the most important and valuable asset of the DB environment.
    • The operating system access point is defined as authentication to the system.
    • Reducing access point size reduces security risks, which increases DB security.
  5. Which are true related to security threats?
    • A DoS flood is an attempt to overload the system with numerous requests
    • Spoofing code is malicious code that appears to be legitimate code.
  6. True/False:
    A birthday attack is slower than a brute-force attack
  7. Some things that are true about encryption:
    • Weak keys are secret keys that exhibit a poor level of encryption
    • The process of creating mathematical attacks on cryptographic systems is called cryptanalysis.
  8. Data integrity:
    • If a database is not correctly normalized it may result in inconsistent and redundant data.
    • Users may enter invalid data mistakenly or intentionally.
  9. Hardening an Oracle database:
    • The Database STIG focuses on relational databases and has an Oracle-specific section
    • It is recommended that you use a vulnerability assessment to show what changes should be made
    • Vulnerability scans should be made at the database level and the operating system level.
  10. Measures used to offset security threats:
    • Availability is the property of a system or system resource that is accessible by an authorized system entity
    • A business is responsible for protecting the privacy of its data
    • Data confidentiality refers to the process of protecting confidential information.
  11. Making logical connections between seemingly unrelated data elements to extract sensitive information is called:
    Inference attack
  12. Database security methodology used to protect the database.
    • Design phase of DB security methodology results in a blueprint of the adopted security model that is used to enforce security.
    • Comparable to the software development life cycle
    • After the DB goes into production, security audits should be performed periodically.
  13. True/False:
    Presenting a fake driver's license illegally to buy alcohol is an example of spoofing.
  14. True/False:
    The data files in which the data resides are protected by the DB management system, and that protection is enforced by operating system file permissions
  15. True/False:
    Social engineering vulnerability is an example of "Installation and configuration error"
  16. True/False:
    DB security can also be defined as a collection of security policies and procedures, data constraints, security methods and security tools blended together to implement all necessary measures to secure the integrity, accessibility and confidentiality of every component of the DB environment.
  17. Information Security Architecture:
    • Security personnel and admin enforce and keep security in order.
    • Policies and procedures are documented instructions on how security is supposed to be carried out.
    • Security programs are tools that protect computer system servers from malicious attacks and viruses.
  18. Various malware:
    • Trojan horse is code that penetrates a computer system or network disguised as legitimate code.
    • Worms don't infect other programs, but can run without the execution of an infected application.
  19. True/False:
    Smurf is a denial of service attack
  20. True/False:
    Availability of a database is defined as being accessible and usable by authorized users.
  21. What are some best practices for securing a database?
    • Remove or lock all predefined accounts that are no longer needed or used
    • DBA should implement the principle of least privilege
    • Apply the latest OS and RDBMS patches.
  22. Database links:
    • Connection from one DB to another DB
    • enables a user to perform DML statements or other valid SQL statements while logged onto a different DB.
  23. Which of the following are not best practices:
    Use default passwords when creating new user accounts.
  24. Best practices for administering users in a DBMS:
    • Direct access to DB tables should be blocked
    • Always change default passwords and never write them down
    • Give access permissions to users only as required.
    • Implement a strong password policy.
  25. Password policies and procedures:
    • Complex passwords are those that are made up of a combo of upper and lowercase letters, digits and symbols.
    • Password encryption is a method that encrypts the password and stores it in a way that it cannot be read directly.
  26. When an Oracle user is created, the new user cannot log into the account until the DBA grants the _____ system privilege to allow the account to connect to the DB
  27. Select the statements that are true of user authentication and admin in Oracle.
    • 3 types of DB authentication - BY PASSWORD, EXTERNALLY, GLOBALLY
    • The IDENTIFIED BY clause of the CREATE USER statement tells Oracle how to authenticate a user.
    • Default profile has no resource limitations or Password restrictions.
  28. Authentication methods:
    • Physical allows physical entrance to the company property.
    • Kerberos enables 2 parties to exchange info over an open network by assigning a unique key to each user.
    • Private key from a PKI system is usually kept as a digital certificate of the user's system.
  29. True/False:
    In Oracle you can view all users by querying the DBA_USERS data dictionary view.
  30. The ____ clause of the CREATE USER statement tells Oracle how to authenticate a user account.
  31. True/False:
    The PASSWORD AGING clause tells Oracle to expire the password and prompts the user to enter a new password.
  32. Which of the following is not a valid authentication method?
  33. Unix file permissions:
    • -rw-r--r-- means that everyone can read the file
    • each file has 3 permission settings (owner, group, others)
    • r - read, w - write, x - execute
  34. True/False:
    When creating an Oracle user using external authentication, you must set the Windows registry string OSAUTH_PREFIX_DOMAIN to FALSE.
  35. What is not true about the OS security environment?
    Using OS services to access data directly in the DB files is the fastest and most secure method to get access to info in the DB.
  36. How an operating system relates to the DB management system:
    • To access a DB locally, a user can be authenticated by the OS.
    • The OS acts as the first line of defense against security violations.
  37. An encrypted password can be retrieved in Oracle from the PASSWORD column in the _____ data dictionary view.
  38. True of the components of an OS:
    • are used as the access point to the DB
    • services layer is an entry point and gateway to the OS.
    • The main component of the OS security environment is services.
  39. The ____ clause specifies the default storage for the user.
    Default Tablespace
  40. True statements about the OS:
    • An OS controls the flow of activities and enforces security measures
    • Authentication is a process that validates the ID of the user in order to permit access to the OS
    • The OS is in charge of scheduling jobs and tasks to be run on a computer system
    • No app can be run without the OS
  41. You can view all users by querying:
  42. True/False:
    Authorization is a process that verifies the ID of the user to permit access to the OS
    • False.
    • This is authentication.
  43. True of privileges and permissions:
    • SELECT is an example of object privileges
    • remove privileges from users using the REVOKE statement.
  44. True about database application security:
    • The access matrix model uses a matrix to represent the 2 main entities that can be used for any security implementation.
    • When a user has access to level 3, they also have access to the levels below it.
    • Security policies should be created for each user of the DB.
  45. True of DB roles:
    • set of privileges that allows a user to perform certain functions in the DB
    • User can manually set a role within a session with the SET ROLE command
    • Roles should not be assigned to other roles.
  46. True of profiles and resource limits:
    • Limiting resources helps to deter DoS attacks.
    • With a profile you can limit the amount of time for a user session
    • if a user reaches the defined number of failed login attempts, the account will lock.
  47. True of password security:
    • generally the stronger the password the longer it takes to break.
    • User authentication depends on a password to ensure the user account's ID.
    • The majority of hacks today are due to poor password policies.
  48. True/False:  A role is like a user, it can own objects:
  49. True/False:  Profiles, passwords, privileges and roles are the 4 aspects of user administration and security.
  50. The default user profile in Oracle is _____
  51. To view all profiles created in the DB, query the data dictionary view ____
  52. To view dynamic statistics in Oracle, use the _____ data dictionary view.
  53. True of system object privileges:
    • An object owner can grant object privs to another user
    • an example of a system privilege is CREATE SESSION
    • example of an object privilege is a table owner granting a user SELECT on that table.
  54. True of managing privileges:
    • Many system ANY privileges can be used to attain more privileges
    • Using the GRANT OPTION with object privs allows the grantee to propagate the privilege on.
    • Roles can be used to group privs and admin privs to users.
  55. In Oracle, the ____ view contains all roles that are in the DB.
  56. The purpose of password _____ is to decrease the chances of a hacker guessing or breaking a password.
  57. True of authentication:
    • Kerberos requires a trusted 3rd resource to generate the secure key.
    • In NTLM and Kerberos, the user's password is never actually sent across the network.
  58. True of DCL (Data Control Language):
    • you can grant a privilege by using the GRANT statement.
    • The CASCADE option revokes the permission from the user and from any user to whom that user granted the permission.
  59. True/False:  Using SQL*Plus you can issue an ALTER USER statement to modify an attribute of a user.
  60. True of profiles:
    • created using CREATE PROFILE
    • modified using ALTER PROFILE
    • to view all profiles, query DBA_PROFILES.
  61. True of VPDs:
    • security framework that implements fine-grained access control for tables, views and synonyms.
    • ensure that sensitive data is not read or written by adding conditions to a where clause.
    • each user can only update the data they are entitled to
    • implements filtering using query rewriting.
  62. True/False:  Implementation of row-level security is better organized and simpler with the Oracle VPD feature.
  63. Valid definitions of predefined user-environment attributes specific to Oracle:
    • OS_USER attribute contains the OS system username for the current connected session.
    • SESSIONID contains the auditing session identifier for the current connected session.
    • you can set a specific application context using the DBMS_SESSION package.
  64. True of row-level security:
    • after the application detects the security level, a predicate is used to filter the rows that can be seen by the user.
    • better organized and simpler with Oracle VPD.
    • RLS consists of 3 main components - Policy, Policy function, and Predicate.
  65. You can get most of the session information from the dynamic performance view _____
  66. A ____ is a shared database schema containing data that belongs to many different users, where each user can view or update only the data they own.
  67. True/False:  Oracle has the capability to restrict updates or inserts at the column level
  68. When implementing a VPD using a view, you can use ____ on insert to populate the user name automatically into a control column.
  69. True about an Oracle DB:
    • SYS_CONTEXT function is used to get values for all predefined attributes
    • any user with the CREATE ANY CONTEXT and EXECUTE privileges on DBMS_SESSION can create and set a context.
    • data dictionary views enable an admin to see everything created and stored in the DB.
  70. True/False:  You cannot implement row-level security using a combo of view objects, triggers and application contexts
  71. True/False:  If a query references a security-relevant column, then the default behavior of column-level VPD restricts the number of rows returned.
  72. True about VPD:
    • can be implemented with views and triggers
    • application context allows DB application variables to be retrieved by DB sessions
    • SET_CONTEXT allows you to define your own app context
  73. True/False:  you can construct a view that hides columns or rows from users
  74. True of column-level security:
    • Oracle can restrict updates or inserts at the column level
    • you can construct a view that hides columns or rows from users
    • SEC_RELEVANT_COLS contains all columns that have values that are hidden from the user.
  75. True about VPDs:
    • uses DBMS_RLS package to implement a VPD
    • Row-level security and fine grained access are used to refer to VPD
    • allows functionality that extends the application security to any level
    • you can use column data masking for select statement.
  76. True about views and VPDs:
    • view limits what users can see and accomplish with the data
    • VPD can be created without views
    • view can hide columns or rows from users
  77. True of viewing VPD policies and app contexts:
    • USER_POLICIES contains all policies owned by the current user
    • ADD_POLICY_CONTEXT adds an application context to a policy
  78. True/False:  SET_CONTEXT is one of the procedures that you can use in Oracle to define your own app context
  79. True about Oracle VPDs:
    • A policy group is a set of policies that are managed through an application context
    • by default all users with SYSDBA privs are exempt from VPD policies.
  80. True/False:  you cannot use a package for a policy function.
  81. True of Triggers and trigger auditing:
    • Triggers must be created and defined for every object
    • trigger auditing is programmed
    • trigger auditing provides transparency
  82. True about DB auditing activities:
    • With AUDIT SESSION, an audit record is created for each connection to the instance
    • you can audit views as well as base tables
    • With privilege auditing you can qualify an audit statement by user.
  83. True/False:  A major advantage of FGA is column sensitivity
  84. True of standard DB auditing:
    • AUDIT_TRAIL enables database auditing
    • DBA can disable auditing
    • standard auditing can be used when a statement fails.
  85. True/False:  an error is recorded to the Alert Log when a background process fails.
  86. True/False:  The programmatic nature of app auditing is a drawback
  87. True of various types of auditing:
    • Schema auditing records the usage of statements on specific objects
    • statement auditing can track ddl statements
  88. True of audit trail:
    • Can alert you to suspicious DB activity
    • OS value for AUDIT_TRAIL indicates that the trail will be stored in a file
    • Oracle provides an alert log for auditing DB activities.
  89. True/False:  AUDIT_CONDITION parameter for ADD_POLICY contains the name of columns that you would like to audit.
  90. True of fine grained auditing:
    • allows the admin to setup an alert when a certain event occurs
    • requires definitions of policies
    • gives granular control of what to audit
  91. True of auditing with Oracle:
    • AUDIT ALL command audits all statements
    • can audit statements by access or by session.
  92. Unfortunately it is not possible to capture and audit SQL queries such as "update payroll by 10% for username=scott".
  93. ____ auditing is also known as FGA
    Column level
  94. ____ is simply an internal mechanism that allows the DBA to set up auditing policies on tables
  95. True about FGA:
    • policies are created using DBMS_FGA.ADD_POLICY
    • gives granular control over auditing
    • records can be stored in the DB or the OS
    • When an FGA policy is added the database does not require a restart.
  96. True about an alert log:
    • records all modified initialization parameters
    • error is recorded to an alert log when a background process fails
    • records the date and time of each occurrence
    • any change to the physical structure is recorded in the alert log.
  97. True/False:  DML stands for data manipulation language
  98. True/False:  The OF clause for the CREATE TRIGGER statement specifies the table the trigger affects
    • False
    • On specifies it.
  99. True of triggers:
    • different types of triggers are always executed in a specific order.
    • a table can have multiple triggers.
    • if you update a table with a trigger the audit record will still be written even if the transaction is rolled back
  100. True/False:  One major weakness of trigger auditing is that it is tightly coupled with the corresponding DB application
  101. To view dynamic stats in Oracle, use the ______ data dictionary view
  102. True/False:  
    Languages like Java and C++ support parameterized queries that allow the app to invoke prepared statements in the DB.  Software written in these languages is safe from SQL injection attacks
  103. True/False:  
    USER_CATALOG is simply a catalog of the tables, views, synonyms and sequences owned by the current user
  104. True of DBMS_CRYPTO:
    • can be used to encrypt data
    • can be used to decrypt data
    • not all users can use it; SYSDBA needs to grant permissions.
  105. True/False:  
    It is not possible to delete entire tables using SQL injection
  106. DB stored procedures are to SQL injections as they can use dynamic SQL statements.
  107. Encrypted data is not at risk due to SQL injections
  108. True about compliance:
    • DB compliance focuses on DB security complying with specific regulations
    • Most regulations focus on access to sensitive data
    • some regulations restrict the access of the DBA
    • Regulations are focused on 2 main areas: governance and sensitive data.
  109. True about using the data dictionary to view table info:
    • ALL_TABLES view returns info about all tables accessible to the current user.
    • to view the PK of a table, query the ALL_CONS_COLUMNS view using the CONSTRAINT_NAME.
  110. True about data dictionary views:
    • There are four groups - USER, ALL, DBA, V$
    • V$ are dynamic
    • DBA provides info about the entire DB.
  111. True/False:  
    Since SQL injection is related to inadequate input validation, strong input validation helps prevent such attacks
  112. True about the data dictionary:
    • contains all privs, roles that each user has
    • data dictionary views are not updateable.
  113. True about DB activity monitoring:
    • technology used for monitoring and analyzing DB activity
    • most important function is being able to show SQL that has been executed.
    • has the ability to send alerts.
  114. True about data dictionary views and user roles:
    • USER_USERS shows the current user's basic account info
    • ROLE_TABS_PRIVS shows privileges granted to roles
    • USER_OBJECTS shows info about all the objects owned by that user.
  115. True of SQL injection attacks:
    • made through input fields in an application
    • an example is bypassing normal login
    • can involve the attacker inserting data.
  116. True about protecting against SQL injection:
    • Never use string concatenation to create dynamic queries
    • In Java, use bind variables
    • Test with an SQL injection detection tool.
  117. In Oracle there are three major groups of dictionary views: USER, ANY and DBA.
    • False
    • also V$
  118. System privs are privs that allow you to do certain things within the database as a whole. These privs are specific to objects or sets of objects.
  119. To find the PK for a table in Oracle you can use the _____ view
  120. True about detecting misuse and intrusions:
    • DB activity monitoring has the ability to detect misuse and intrusion.
    • use as a baseline along with error detection
    • regularly monitor DB, OS and firewall logs for intrusions.