IT Application Security and Control

CONTENTS

1. Part 1
1.1 Weekly assignment: Steganography exercise
1.2 Weekly assignment: Digital Watermarking exercise
1.3 Churchill secondary school data protection report
1.4 Final Report

2. Part 2
2.1 Lab: Database Authentication
2.2 Lab: Database Authorization: Privileges and role based security
2.3 Lab: Database Authorization and data integrity (Views, Constraints)
2.4 Lab: Implementing Virtual private database
2.5 Churchill secondary school database security policy
2.5.1 Database Security Policy
2.5.2 Database Security policy implementation
2.5.3 Final Report

References

PARTI

1.1 Weekly Assignment: steganography exercise

To,

Mr. Wickchad Managing Director Wickchad Motors

Subject: - Advise on the use of steganography for inter-branch email conmiunication

Dear Mr.Wickchad,

I have analysed the proposed method for the use of steganography for inter-branch email conmiunication. I am including the details of my analysis below in detail.

The proposed pictare consists of 8m pixels.

So 8m pixels = 8000000 pixels

Picture uses 2 bytes to define colour of each pixel. So it is 16 bit grayscale image.

Sampling factor = 0.5 Expected result:

Can hide 400 pages of A4 text 1 word = 5 characters (Including Space).

A4 page = 50 lines.

1 line =10 words.

After the detailed analysis of the proposed method, I saw that the expected result does not match the actual results. Below I am including the actual results with calculation and explanation.

Calculation of size of the digital picture:

1 MB = 1024KB

1 KB = 1024 bytes

1 byte = 8 bits

Bit Depth = 8 * 2 = 16 bit

Colour Depth = 2¹⁶ = 65536 colours

Size = Number of Pixels * Number of bits used to store a pixel File Size = 8000000 * 2 bytes = 16000000 bytes = 15.25 MB Variation of colour in each pixel Each pixel consists of 2 bytes. So 2 bytes =16 bit.

For 16 bit colour depth is 2¹⁶ = 65536 colours.

Therefore each pixel can be defined to have 65536 colour variations. Number of characters of data that can be hidden in picture

Abbildung in dieser Leseprobe nicht enthalten

Actual Result

We can hide 100 pages of A4 text.

50000 Words 5000 lines

Conclusion: There is a miscalculation in the proposed method of DataSec pic as shown above the expected results does not meet the actual results.

The correct figure of number of A4 pages of text can be hidden is 100.

Advantages of the proposed method by DataSec pic

The proposed method of DataSec pic has advantages such as we can hide 100 pages of A4 text which is beneficial for shorter communications.

Disadvantages of the proposed method by DataSec pic

The proposed method can be intercepted easily and it is less secure.

Suggestions: I suggest for keeping email communication among inter-branches more secure, we should use the 32 bit or higher bit depth which provides 2³² colours variation in each pixel and that makes it difficult to intercept the communication. This provides the secure communication among inter-branches and we can even increase the hiding capability which suites longer conversations.

Regards

-Dileep

Security Consultant WickChad motors.

1.2 Weekly Assignment: Digital watermarking exercise

4m pixels = 4000000 pixels Two bytes to define colour of each pixel,

a) Each character is stored in 1 byte.

Phrase = thisphotoisthecopyrightofphotographerdavidchadwick = 50 characters.

To hide this 50 characters phrase we need 400 bits.

i.e. For 8 bits 1 character can be hidden

? 50 character to be hidden

50 * 8 = 400 bits.

b) 20 identical phrases as a) are to be stored in the photograph as watermark.

So 20 * 50 = 1000 characters.

To store 1000 characters we need 8000 bits.

As for every 8 bit 1 character is hidden, bit depth is 16 bit as it uses 2 bytes to store colour. Therefore sampling factor can be calculated as numbers of bits/total bits in picture.

Total bits in picture = 16 * 4000000.

Number of bits including 20 phrases = 800 bits Sampling factor = 8000/64000000 = 0.000125

Higher the sampling factor weaker the approach. So the sampling factor for this approach is small. This approach is good and is stronger.

Approach is stronger as there is a large of amount space to hide the 20 phrases and it is difficult to know the digits altered.

c) Pic Scout Image tracker protects the images of the image owner by licensing it. Pic Scout Image Tracker can be used to license the images on web for the creative professional with image information. It allows to select the finest quality images and to improve the satisfaction of the clients.

It also allows the image owners to distribute the picture safely on web by licensing it. The image licensors can track where the images reside in web and are being used.

d) The program should be designed in such a way that it searches all the pixel bits with the lower case alphabets ASCII code. The pixel bit which matches the lower case alphabets ASCII code can be detected. And then the default value values of RGB colours which are not matched in each pixel might contain the watemiarking. By detecting these areas we can further proceed to detect where the watemiark is hidden. By editing these areas by the default value of RGB colour we can remove the watemiarking.

We can remove the hidden watemiarks by clone tool by selecting the bits to copy to the image. However for this first we need to first detect the bits where the watemiark is hidden. And then the missing bit must be filled with the appropriate colour bits.

Now a days we can remove the visible watemiark by using the spot healing tool provided by the softwares such as Photoshop, creativity suite and others.

1.3 Churchill secondary school Data protection report

School

Data protection report for Churchill school is as follows:

1) Data must be held for specifically for the specified and lawful purpose and not processed in anyway incompatible with those purposes.
2) Data must be obtained and processed, fairly and lawfully.
3) Data must not be kept no longer than necessary for stated purpose.
4) Data must be accurate and up-to-date.
5) Data must be processed with respect to the rights of datasubjects.
6) Appropriate technical/ Organizational measures to be taken against loss/unauthorized disclosure/ corruption of data.

Head and vice head teacher:

Head and vice head teacher have full access to the data. As Head and vice head teacher are the authorized personnels, the data must be encrypted by using encryption techniques such as symmetric encryption and digital signatures.

In education the student personal details must be kept for a limited time and the infomiation must be synchronized to the UK data controller.

The following data protection act applies to Head and vice head teacher of the Churchill secondary school for the usage of data:

1) Must be held only for educational purpose only and not processed in any way incompatible with this purpose.
The student details must be held for the educational purpose only. The details must not be provided to any other purposes such as marketing etc.
2) Must be processed with respect to the rights of data subjects.
Data must be accessed only when it is necessary to access it and upon the request only.
3) Must be obtained and processed, fairly and lawfully.
Details of the staffs must be obtained, processed fairly and as per the UK government educational institution laws.
4) Must be accurate, relevant, and not excessive for purpose.
Staff such as teachers must be provided limited access such as limiting to view the student details of his/her engaging class only.
Teaching assistants must only have read-only access to teaching materials to which teacher they are allocated.
In the same way for other staffs.
5) Must be accurate and up-to-date.
The staff and students data such as personal details, qualifications, marks obtained must be accurate and up-to-date. Head and vice head teacher must not provide false information about the staff for the UK government.
6) Should not be transferred to a country or territory outside the European economic area.
The student details and staff details must not be transferred to other countries. At some case upon the request from the authorized personnel for the verification of the student or by the employer the details of the student or staff can be provided for the further education or for the employment purpose only, however personal details must not be provided without the without authorization for any other purpose.
7) Appropriate school measures to be taken against the loss/ unauthorized disclosure/ corruption of data.
If any of the staff discloses the data or losses the data or corrupts the data appropriate measures must be taken such as compensating for the damage, or handing the staff to police.

Teachers:

Teachers must have full access to all teaching materials and pupil’s profile for the class which they are managing or handling.

The following data protection act applies to the teachers of the Churchill secondary school for the usage of data:

1) Must be obtained and processed, fairly and lawfully.
Teachers must obtain the data of the students only when it is necessary and/or upon request from parents or students only or to review the perfomiance of the students or to improve the performance only,
2) Must be processed with respect to the rights of data subjects.
Teachers must only use the teaching materials for educational purpose in school only.
3) Must be kept no longer than necessary for the educational purpose.
When they are not handling a class they must not use the same details for any other purpose.
4) Must not be transferred to a country or territory outside the European economic area.
Personal details of the students must not be disclosed to anyone, except to student’s parents upon specific authorization.

Teaching assistant:

Teaching assistant must only have read only access to teaching materials from the teacher they are assigned to.

The following data protection act applies for the Teaching assistants in Churchill secondary school.

1) Must be obtained and processed, fairly and lawfully.
Teaching assistants must only view the teaching materials allocated to them only for the teaching purpose.
2) Must be processed with respect to the rights of data subjects

Educational psychologist:

Educational psychologist must have full access to pupil’s personal profiles such as their marks obtained, age and the like.

The following data protection acts is applicable for educational psychologists in Churchill secondary school:

1) Must be processed with respect to the rights of data subjects.
Educational psychologists must only use the data to obtain the information about the students for advising them to improve their performance.
2) Must be held only for specified and lawful purposes and not processed in any way incompatible with those purposes.
Educational psychologist must only use the infomiation of the students to advise the students to improve the problems by knowing the cause of the problem.

Administration staff:

Administrative staff must have read only access to the financial and administrative data only.

The following data protection act applies to Members of administration in Churchill secondary school:

1) Must be processed with respect to the rights of data subjects.
Members of administration only deal with finance and administrative data, anything beyond that must not be collected with the students or the relatives of the students.
2) Must be accurate and up-to-date.
Members of administration must update the finance and administrative data correctly without any mistake.
3) Must be obtained and processed, fairly and lawfully.
If student pays the fees then it must be obtained, processed fairly and lawfully by providing the receipt of it.

1.4 Final Report (Conclusion)

IT Application security plays an important role in maintaining the security of the data or Information in all kinds of organization. Confidentiality, Authenticity, and Integrity of the data is important in all the organization.

In this Parti Coursework, we leamt how to make the communication of the organization more secure with their inter-branches by using steganography. We analysed and evaluated the proposed approach whether the expected result matches the actual calculation results. Unfortunately, it didn’t match the actual results so advise has been made to make the approach better to the managing director of Wickchad motors by writing a letter.

Next, we also leamt about digital watemiarking. Hiding the watemiark in the image, tool used to make it and to detect the image on web where it resides.

Finally, Data protection policy has been created for the Churchill secondary school and for the staffs of the school by taking the legal laws into consideration.

PART 2

2.1 LAB; Database Authentication

2.1.1 Overview

In this laboratory project we explored the different aspects of the database authentication as well as the use of the user accounts and password controls.

By this lab, we will be able to

Use the data dictionary to find information about users and security information

Create new user accounts

Detemiine password limits for database users

Create and assign profiles

Lab 2.1.2: Exploring data dictionary

a) Open SQL*Plus window and connect using your yoda account, that was tested last week.

We can connect to the yoda database by using the command: connect username/password@databasename;

Ex: connect kdl05/kdl05@yoda;

It must say connected once the command is entered if the username, password and database name is correct.

b) Find out how many objects in the data dictionary hold information about users; write downs the number.

To find how many objects in the data dictionary hold the infomiation about users, you can use the following SQL command:

select * from dictionary where table_name like '%USERS%';

Questioni: How many objects in the data dictionary hold information about users?

There are six Objects in the data dictionary which holds Information about users as given below.

USER USERS

Abbildung in dieser Leseprobe nicht enthalten

c) Investigate what information can you get from the table USERUSERS about each user?

The information can be got by using: desc USER USERS;

Question 2: What information about each user can you derive from the table USER USERS?

We can derive the information like Username, User id, Account Status, Lock date, Expiry date, Default Tablespace, Temporary Tablespace, Created, Initial resource consumer group of the each user and datatypes.

d) Find out all details of your account from the USER USERS.

The details of the account can be found out by using the command: select * from USERUSERS where username= ’KD105’;

e) Question 3: Can you see password in USER USERS table? Explain.

No, we cannot see the password in the USER_USERS table because the passwords are stored encrypted in the data dictionary which cannot be decrypted other than the oracle database engine.

Lab 2.1.3: Creating a new user

1) You need to create a new user in yoda database.

CREATE USER kdl05_a IDENTIFIED BY connect!;

a) Create a new user with following information Username=xxxx_A (Where xxxx is your yoda username), Password=connectl (password is case sensitive)

The new user can be created by using the command:

CREATE USER kd!05_a IDENTIFIED BY connect!;

b) Connect to SQL*Plus as a new user

To connect to the new user following command is used: Connect kdl 05 _a/connectl @yoda;

c) Question 4: What is the result? Write down the error and explain.

The error is “ORA-01045: User kdl05_a lacks the CREATE SESSION privilege; login denied”.

We created the user successfully but we did not grant the session for the new user. Until and unless the session is granted the user cannot login.

[...]