Computer Security - Oracle and MySQL Server - Assignment Example

Student’s name Professor’s name Class name 20 October 2012 Question 1: Security evaluation Evaluation of a software system is a fundamental aspect in ensuring that the system meets the user requirements specified in its system requirements specification document. To achieve this, analysis of the whole functionalities contained in a system is done. In addition, evaluation of the security details contained in the system should also be analyzed (Biffl et. al 102). Functionalities are the unique actions that a system allows users to execute and produce an output or lead to performance of an operation. Security in a system engrosses the integrated functionalities on a system that that ensure data and operations contained in it cannot be interfered by an attacker (Beizer, 45). Comparison between oracle and MySQL server Oracle and MySQL are the most widely used database management systems. A database management system is software running usually in a mainframe computer costs or any other server computer holding all information that belongs to an individual, company, or organization. Databases hold a lot of vital information ranging from a company’s sales, inventory control and all changes implemented on a system. It is thereby vital that whenever one uses a database, he selects a database system that has high security implementation details. A database with much vulnerability can lead a company to great losses. Oracle provides the following key features that form the basis of its functionalities. These are the oracle management server, change server, and administrative alerts. The oracle management server provides a central administration mechanism that allows monitoring and tuning of a number of database resources. This ensures smooth flow of data between a user’s application and the system database. The change manager allows the administrator to make changes to a database and confirm all changes implemented in a system. It also allows an administrator to have a general control for all changes implemented on a system. Furthermore, oracle provides specialized alerts whenever a change is to be implemented. This is usually through e-mail alerts of pager alerts whenever an error an unauthorized access appears in a system (Haubrich, 6). Oracle applies use of only one lock functionality on which millions and millions system resources get control from it. This is vital insuring that security enhanced. That is, whenever a third wants to access information contained in a resource authentication is always from the central lock. Having a central lock ensures that management of access authorization is well organized. However, a when lock authentication is distributed, it becomes easier for a third party to break into a specific lock without the others knowing that an unauthorized access is happening in a system. MySQL is a less cost database that is common in databases that are driven by web sites. That is, MySQL is usually for non-mission critical applications. Major features in MySQL include that has little overhead. It holds very little data stored in a system database. Stored procedures are the major ways of analyzing the data contained in a database. It employs use of triggers to as alert for data accessed or changed (Haubrich, 7). However, since MySQL has limited storage space, managing a million database changes becomes very complex to send security updates. This database system uses data structures located in the MySQL memory for locking data contained in the specified resources. It means, in MySQL, when the overhead data is stored increases, it directly increases the number of locks used to control data access in a system. For example, a company that stores more than one million rows of data tables, respectively the numbers of locks used are around one million (Haubrich, 8). Clearly, managing more than a million locks becomes very complex for a system. It makes it slower to process its operations. Generally, it is clear that oracle provides better functionalities compared to MySQL. It makes transaction processing faster, easier to manage and controlling user access levels. It also ensures that high-level data security compared to MySQL that has an inferior data security. When data processed becomes huge MySQL, processing is slower thus making it inferior compared to oracle. Analysis of Linux Operating system Linux is one of the major operating systems used in most big companies that prefer data operations to be done in a safely and organized manner. Linux operating system provides a logical user interface where users with adequate knowledge in the operating system can to do operations with it. Files are stored in well-organized disk files and user access to the resources is mainly under well-strategized authentication controls (Information Technology, 10). In terms of functionality, Linux has a mechanism where programs co-ordinate with other programs within the operating to enhance smooth flow of data. It provides freely distributable code that is compatible with several computer platforms. In addition, Linux provides its own set of customizable programs. These programs are essential in ensuring that programs that contain bugs can easily be prevented from affecting the system’s operations. Actually, the Linux operating system does not allow any unauthenticated third party programs from being installed into the system. However, the major worry in Linux is that it is very hard to install. It is also complex to learn or even putting it into proper use. The operating system is divided into three major sections; the memory management section, file management section and the process management section. Memory management section provides the functionalities to store and retrieved data from a computer’s hard disk. The file management section in Linux plays an essential role in ensuring that there is completely no vulnerability in the data stored in files. It controls operations on files stored in the system and creation of new files. Furthermore, it provides directory maintenance where an administrator has a clearly set out mechanism to see which files were created or deleted. In a multiuser environment, this mechanism allows configuration on access level to every user on a list of files. This guarantees that whenever unauthorized access comes in, it becomes impossible to access data files thus making Linux one of the best operating system in terms of security. Process management section provides the major functionalities involved in performing transactions and operations in the operating system. Linux has an in built mechanism called kernel that ensures smooth data and program communication. This functionality ascertains that incase of multiple use of programs, the operating system does not hang. Immediately when a program begins execution, the system controls it as a process (Information Technology, 15). A single program can then be executed at two different locations at the same time and controlled as a single process with same attributes. This ensures that no user interferes with another user’s operations. Therefore, more than one program can execute simultaneously without imposing any significant slowness in the system. Furthermore, the kernel manages all the processes in all their operational aspects. Kernel creates a program, suspends it, or even terminates a program. It acts as the central control point for a system thus allowing an administrator to have significant controls on the operations. It is vital acknowledge that Linux is a fantastic operating system both in terms of functionality and that no unauthorized access can easily be implemented on it. Through the authentication interfaces between the kernel and the basic input and output system it further ensures that the whole operating system is safe from third party access (Information Technology, 17). Review of PayPal online management system PayPal is one of the most common online payment systems that are being used in the world today. This system has aided a large group of businesspersons in conducting their transactions. A businessperson wanting to buy something from an online shop does not have to reach the physical shop. Transactions are conducted online and he or she waits for delivery of his products. PayPal has some great features that make its functionalities highly recognizable to its users and those who evaluate its ability to meet the expected functional requirements. That is, it provides quality properties of an excellent online payment system. It employs use of an online digital wallet card that contains details of each user of the digital account. In addition, PayPal provides an electronic credit card that users all over the world can use to access their account information online (PayPal Standard Integration guide, 38). It provides a well-implemented set of security mechanisms that ensure a person’s data cannot be accessed by another unless he gives out the account login details at his own need. Through an online user authentication, the system ensures that only registered users can access valuable information placed on the PayPal website. Furthermore, the system has a built in authentication mechanism that communicates with the main servers of the system. Generally, it contains a secured user connection buttons that users interact with in performance of an online transaction (PayPal Standard Integration guide, 15). Lastly yet importantly, the website for PayPal is always well configured with security mechanism that enhances safety of its performance. It does not provide ownership information that makes it hard for hackers to access details of the site. Encryption ensures that only users with the decryption information can access the data stored in the system. Thus, it is vital to note that PayPal online payment system meets the qualities of a first class online payment system. Question 2 Smart phones have become the major communication mechanisms particularly in performing business transactions for a company. Clients and employees in most companies use smart phones to record details of their daily business operations. Due to their ability to perform transactions, involving cash transfer and recording of valuable information, smart phones have become the target of most hackers. Advancement in the smart phone technology is growing speedily and so are the hackers’ sophistications (Khardem, 102). The attack tree below is aimed to analyze the security threats that Smartphone users are always prone to in their daily operations. Particular emphasis has been laid on the company employees who have been allowed to make use of their smart phones in doing online sales transactions. The scope of this attack tree is limited to a state whereby a company performs online sales of goods. When transactions are conducted, an employee can enter the details through an online system integrated with the android operating system. The attacker goal here is to obtain an employee’s password to the system and then make changes to the data contained, transfer details to his own storage location and possibly lead to malfunctions in the system. Basic security practices applied by the employees are that whenever one logs into the system, he conducts sales transactions, and when through ensures he is logged out. When left the system is logged into and left hanging, it simplifies a hacker’s intent of using that moment to change details contained. Attack tree Table Analysis The attack tree begins at the root (OR) node where the attacker’s main goal is initiated. The idea here is to obtain the employee’s login password to the company’s sales management system. This node is followed by the node where the attacker initiates attacks on the connection used by the employee to access the servers storing the database information for all sales transactions conducted. The node is an AND node, it is directly connected to two major ways to be implemented by the attacker. First, he uses the distributed denial of service attack at the router gateway used by the employee’s smart phone to access the servers. This is at the leaf node, distributed denial of service (DDos) at the gateway. Assumption here is that the attacker has knowledge of the network configuration in the company. He sends an infinite number of packets to the gateway so that the gateway becomes unable to manage. When successful in stopping connection to the gateway it redirects the packets sent by the employees to his specific destination and checks for the relevant information he needs. It unsuccessful, he can perform packet sniffing to at the node (OR) where he uses tools specialized tools to capture the packets sent through the company’s website. At this node, the attacker can take one of two moves or both. Website spoofing node, where he creates an exact copy of the company’s for sales management. He ensures that the website allows any user to login. When accidentally an employee logs into this fake one, he immediately uses the details to compromise the original site. The second option is domain name service (DNS) spoofing through the (DNS spoofing), leaf node. Here, the attacker alters the hostname-to-Internet Protocol address in the server such that whenever a user asks for data, he is directed to the server of the attacker. This greatly aids him in capturing essential company data. From the root node, an attacker can go direct to the node of obtaining data as it is entered. At this (OR) node, an attacker can use either software base keyloggers or visual observation as the leaf nodes. The assumption at the software based key loggers is that the keylogger was successfully installed at the user’s smart phone. This aids him in capturing every digit keyed in and thus aiding him in determining login details. In visual observation, assumption is that a bugger has been put into the smart phone’s operating system thus allowing the attacker to view exactly the information put into by the employee. An attacker can also employ a move direct from the root node to the node of convincing an employee (OR node). At this node, he connects to the leaf node, Social engineering. Here, he can send an e-mail that resembles that of a manager in a company convincing an employee to click the link for more details coming from the Head office. Through the link, an attacker can capture relevant information about the system thus make alterations. Finally, yet importantly, the attacker can move direct from root node to the leaf node (Online password guessing). Here, he uses his knowledge of people’s cognitive ability to set passwords. If successful in guessing the password, the attacker can create great changes to the sales system and thus much loss to the company. Works Cited “Information Technology”, Operating System Case Study: Linux “PayPal Standard Integration guide”, The PayPal System, Retrieved from https://cms.paypal.com/cms_content/US/en_US/files/developer/PP_WebsitePaymentsStandard_IntegrationGuide.pdf Beizer, Boris. Software System Testing and Quality Assurance. New York, New York: Van Nostrand Reinhold, 1983. Print. Biffl, Stefan, Dietmar Winkler, and Johannes Bergsmann. Software Quality: 4th International Conference, Swqd 2012, Vienna, Austria, January 17-19, 2012. Berlin: Springer, 2012. Print. Haubrich, J. A comparison of oracle and MySQL Retrieved from http://www.bus.iastate.edu/mennecke/533/s04/MySQLOracle.ppt Khardem, S. 2010. Security Issues in Smartphones and their effects on the Telecom Networks, p. 1-43. Retrieved from http://publications.lib.chalmers.se/records/fulltext/128680.pdf Retrieved from http://www.eie.polyu.edu.hk/~enpklun/ENG224/Linux.ppt Read More