Database Attacks Transcription

Welcome to our Database Attacks and Countermeasures module. Aggregation is a security concern in which a user who has no access to a sensitive piece of data is nonetheless able to figure it out from the information that is available to them. A screen scraper is one way of collecting information from a database.

Inference is the ability of someone to figure out or derive information based on the facts they have learned about the system. The countermeasures that can be used to combat aggregation and inference are cell suppression, where you hide or do not display specific cells containing information that could be used in an inference attack; polyinstantiation, where you plant misleading information in a table; and partitioning, where you divide the database into different parts.

Polyinstantiation is where you have multiple instances of data. You create another copy of an object with different values for its variables in order to reduce the ability of someone to infer data; in effect you publish a cover story to mislead someone with a lower classification so they cannot infer data at a higher classification.

You display a different value based on the individual's clearance level. For example, the table at the bottom of the slide shows two records for the same shipment, Q22175. If the person requesting the information is unclassified, they will see that this shipment contains food and is destined for Africa.

But if they have top secret clearance, they will see the true information about the shipment: that it contains weapons and is destined for Ukraine. Database tables are isolated for security. We do not allow users to access the tables directly; we force them to use a trusted front end.

This provides multi-level security for your database and puts a control in place between the subjects and the objects, because the user cannot interact with the database directly. There are multiple rings of isolation between the user and the data, and the user's access is restricted to the form or view they are presented with, which is chosen based on their clearance.
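As an added example that is not part of the module, here is the polyinstantiated shipment table from the slide with a trusted front end that exposes only a per-clearance view, written in Python with SQLite. The clearance level names, the view naming and the sample rows are assumptions constructed for the example.

```python
import sqlite3

# Clearance levels, lowest to highest (these names are an assumption for this example).
LEVELS = {"unclassified": 0, "secret": 1, "top secret": 2}

def view_for(clearance):
    """Map a clearance to the name of the view it may query. The identifier is
    validated against LEVELS, so it is safe to place in SQL text."""
    if clearance not in LEVELS:
        raise ValueError(f"unknown clearance: {clearance}")
    return "shipment_" + clearance.replace(" ", "_")

def build_db():
    """Constructed sample data reproducing the module's example: two instances of
    shipment Q22175, a cover story and the true record, at different levels."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE shipment (id TEXT, level INTEGER, cargo TEXT, dest TEXT)")
    db.executemany("INSERT INTO shipment VALUES (?, ?, ?, ?)", [
        ("Q22175", LEVELS["unclassified"], "food", "Africa"),    # cover story
        ("Q22175", LEVELS["top secret"], "weapons", "Ukraine"),  # true record
        ("Q22176", LEVELS["unclassified"], "textiles", "Brazil"),
    ])
    # One view per clearance: the only objects the trusted front end exposes.
    # Each view returns exactly one instance per shipment, the most highly
    # classified one that level may see, so row counts never hint at hidden rows.
    for clearance, level in LEVELS.items():
        db.execute(
            f"CREATE VIEW {view_for(clearance)} AS "
            "SELECT s.id, s.cargo, s.dest FROM shipment s "
            "WHERE s.level = (SELECT MAX(t.level) FROM shipment t "
            f"WHERE t.id = s.id AND t.level <= {int(level)})"
        )
    return db

def list_shipments(db, clearance):
    """Trusted front end: callers never touch the base table, only their view."""
    sql = f"SELECT id, cargo, dest FROM {view_for(clearance)} ORDER BY id"
    return db.execute(sql).fetchall()

def lookup(db, shipment_id, clearance):
    """Return the single instance of a shipment visible at this clearance, or None."""
    sql = f"SELECT cargo, dest FROM {view_for(clearance)} WHERE id = ?"
    row = db.execute(sql, (shipment_id,)).fetchone()
    return None if row is None else {"cargo": row[0], "dest": row[1]}

if __name__ == "__main__":
    db = build_db()
    for level in LEVELS:
        print(level, list_shipments(db, level))
```

Note that an unclassified caller sees the same number of rows as a top secret caller, so neither a count nor a missing record hints that a higher-classified instance exists.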

It is important to maintain the confidentiality of your database if it contains sensitive information. Transparent Data Encryption (TDE) is a technology offered by Microsoft and Oracle to encrypt database files. TDE protects data at rest: it encrypts the database on disk and also on the backup media.

Enterprises typically employ TDE in order to comply with standards such as PCI DSS, the Payment Card Industry Data Security Standard, which requires credit card data to be stored in encrypted form. Remote journaling, or log shipping, is a technique for backing up not an entire database but just the transactions or changes that have occurred to it, sending them to another location; if the database is damaged in some way, you can roll back or restore it using that remote journal.

You should remember remote journaling and log shipping for the CISSP examination: it is a way of backing up not the whole database but just the changes that are occurring. There are several ways to control database access. A view is a user access control mechanism that restricts users so that they can only pull up certain information from the database.

Content-dependent controls are based on the sensitivity of the data and allow you to have a static access control list stating which users are permitted to access that data. Here you control access based on what is in the object itself: the query results depend on the values in the table and on who is authorized to view that data.

Context-dependent database access is based on a sequence of rules that let the computer decide whether or not to allow access based on the context of the request. For example, a user may be permitted to access several documents independently, but if the user begins accessing those documents in quick succession, the system can disable that user's further access to sensitive information, because it can assume that the user is trying to steal that information or reach information they should not have access to.

This has a history mechanism built in that keeps track of what information has been accessed by which user and in what sequence. No matter how you decide to control access to your database, it is critical to audit the activities of your users, both successful accesses to data and failed attempts to access it.
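As an added example, not from the module, here is a small trusted front end in Python that combines a static content-dependent ACL with a context-dependent rule backed by a per-user access history, and that audits every request, successful or not. The class name, the lockout threshold and window, and the scripted requests are all assumptions constructed for the example.

```python
from collections import deque
import time

class ContextDependentGuard:
    """Hypothetical front end. Content rule: a static ACL per document.
    Context rule: a user who pulls more than `max_hits` sensitive documents
    within `window` seconds is locked out, because rapid sequential access
    looks like an attempt to collect information in bulk."""

    def __init__(self, acl, max_hits=3, window=60.0):
        self.acl = acl              # {document: set of users permitted to read it}
        self.max_hits = max_hits
        self.window = window
        self.history = {}           # user -> deque of recent access timestamps
        self.locked = set()         # users whose further access has been disabled
        self.audit = []             # (timestamp, user, document, outcome) for every request

    def request(self, user, document, now=None):
        """Decide one access request and record it; returns the outcome string."""
        now = time.time() if now is None else now
        if user in self.locked:
            return self._log(now, user, document, "denied: locked out")
        if user not in self.acl.get(document, set()):
            return self._log(now, user, document, "denied: not on ACL")
        hist = self.history.setdefault(user, deque())
        while hist and now - hist[0] > self.window:   # forget accesses outside the window
            hist.popleft()
        if len(hist) >= self.max_hits:
            self.locked.add(user)
            return self._log(now, user, document, "denied: rate anomaly, user locked")
        hist.append(now)
        return self._log(now, user, document, "granted")

    def _log(self, now, user, document, outcome):
        self.audit.append((now, user, document, outcome))
        return outcome

def simulate(acl, requests, **kw):
    """Run a scripted list of (user, document, time) requests; return the outcomes."""
    guard = ContextDependentGuard(acl, **kw)
    return [guard.request(u, d, now=t) for u, d, t in requests]
```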

For the CISSP exam, remember that a view is a way of controlling user access to data and that we can put either content-dependent or context-dependent controls in place. This concludes our Database Attacks and Countermeasures module. Thank you for watching.
