Login Signup
Verified Document

Cyber Vulnerabilities Of Itrust Database Application Research Paper

Related Topics:
Flooding Natural Disasters Security Breach Electronic Health Records
Open Document Cite Document

Cyber Threats and Vulnerabilities of Database Application In the contemporary business environment, private and public organizations are increasing using database applications to store employee and customer records. Similar to private organizations that produce goods and services, increasing number of healthcare organizations are also taking the advantages of the associated benefits of the database to store employee and patient's records. (Goodrich, & Tamassia, 2011). While there are different types of database applications tailored to serve different industries, the iTrust database has been developed for a healthcare industry. The iTrust is a cloud-based healthcare database application that assists medical providers storing and managing medical records of patients and health providers.

Similar to a traditional database that contains a number of tables to store medical records, iTrust also has tables to store medical records, the iTrust also serves as the patient-centric application used to maintain an EHR (electronic health record) that combines medical information from different sources assisting in presenting the history of patients records. Despite the benefits that iTrust provides to healthcare organizations, the iTrust faces different security risks from web spoofing, insider threats, and coding errors leading to SQL injections. (Anderson, 2008).

The objective of this document is to analyze and assess the security vulnerabilities and threats of the iTrust database application. The paper identifies the Cross-Site Scripting, SQL injection, Session Hijacking, Response Splitting, and natural disasters as the threats facing the iTrust database application.

1. Analysis and Assessment of iTrust Security Threats and Vulnerabilities

Response Spitting

A response spitting is an HTTP header injection vulnerabilities, which can be used to create Cross-Site Scripting for iTrust database attack. In other words, the response spitting is the type of iTrust database vulnerability that allows an attacker injecting the custom strings on the web HTTP header. The attacker can use the combination of response spitting and other attack vectors to steal session data and cookies as well as other sensitive information. The response spitting can also be used to intercept a web server and cause persistence defacement of the browser. (Sfetcu, 2014).

Cross-Site Scripting (XSS)

The XSS (Cross-Site Scripting) is a type of iTrust database vulnerability that enables attackers injecting client-side scripts into a web application. The XSS allows an attacker injecting codes that look trustworthy and trick the user into clicking the code to perform operations or obtain the copy of the cookie. The motive of XSS vulnerabilities is to bypass the access control letting attackers penetrating into the database applications. In the United States, the XSS accounts for approximately 84% of iTrust database vulnerabilities, and the effects can range from petty security risks to large security risks depending on the sensitivity of data. The following example reveals the strategies an attacker can employ to get access to the Patient ID, pid using the XSS:

Patient ID:

The above code can cause a problem in the system because it can be presented as a malicious URL, then use the social engineering tricks to lure victims into clicking the malicious URL.

Session Hijacking: Use strong random numbers for session IDs

The session hijacking is an example of iTrust vulnerabilities that involves cookie hijacking to exploit a valid computer session. Typically, the attacker uses a session hijacking to gain unauthorized access to services or sensitive information in the database systems. Particularly, an attacker can use the session hijacking to authenticate a remote server to access saved cookies. A session fixation is one of the methods of session hijacking where an attacker sends an email link containing a particular session ID and wait for the user to log in to collect information. The attacker can also use the session side-jacking using packet sniffing to penetrate into network traffic between two or more parties to steal sensitive information. The strategy allows an attacker to intercept data submitted in the server. An attacker can also use malware to penetrate into the iTrust database to steal the cookies files without the knowledge of users.

SQL Injection

"A SQL injection attack is performed when a user exploits a lack of input validation to force unintended system behavior by altering the logical structure of a SQL statement with special characters." (Smith, Shin, & Williams, 2008 p 51). The SQL injection vulnerabilities occur when there is no input validation to prevent SQL injection. Typically, the SQL injection can destroy the iTrust database because the attacker can inject SQL commands via web page input to alter the SQL statements to compromise the security protocols of the database. A smart input in the iTrust database that can lead to SQL injection is as follows:

Patient Id:

108 or 1=1

Server Result

SELECT * FROM Patients WHERE PatientId = 108 or 1=1

The SQL is the same as the...

getParameter ("patientName");
try {

Data data = connection.createData ( ... );

ResultSet results = data.executeQuery ( query );

Natural Disasters

Natural disasters such as flooding, landslide, tornados, hurricanes, and volcanic eruption can cause immense damages to database systems consequently, lead to a loss of data. If an organization stores their entire data in the central database without implementing an appropriate backup technique, a disaster can lead to a loss of entire data making the business operations becoming standstill. The issues can lead to loss of customer, loss of reputation, and financial loss.

Recovery

When natural disasters have led to a security breach, an organization is required to implement a recovery planning to recover the lost data. However, the time and costs for recovery can be challenging for an organization if the planning is not planned before the disaster. In the process of recovery, the affected organization may not recover all data because the recovery planning is not integrated into the iTrust database management.

Offsite Data Recovery (Cold, Warm, Hot)

After the natural disaster, an organization is required to recover data from cold, warm, and hot sites. The example of hot sites are servers as well as live site running in case of disaster. All these sites are the critical sites for an organization business operation. However, a warm site is a site that allows a pre-installation of hardware and pre-configuration of bandwidth that to restore data for business operations. An example of cold sites is network connectivity center and data center. However, an organization business operations can be in standstill if cold, warm, and hot sites are located in the same locations with the location of the iTrust database during a natural disaster.

Insider Threats

A disgruntled employee and other malicious employees can cause a damage to the iTrust database application. Moreover, an employee within the organization may steal sensitive information from the database for monetary gains.

2. Identification of Security Measures to address Threats and Vulnerabilities.

Context-sensitive Encoding

A strategy to address the threats from response splitting is to perform a context-sensitive encoding. The benefit of context encoding is to improve bug reporting. A bug is an error in the system development, and an attacker can take the advantages of bugs to penetrate the database and steal sensitive information. Thus, a context encoding assists in detecting the bugs and improving bug reporting. A context-sensitive encoding is also very important in program optimization. (Bidgoli, 2006).

Use of Parameterized SQL statement

The primary defense against the SQL injection is to use the parameterized SQL queries. The parameterized SQL queries prevent an attacker to change the intent of the queries in the database. Moreover, a developer can blacklist characters or words that can be used for SQL input to prevent SQL injection attacks. The primary benefit of parameterized statements is to protect the iTrust database from SQL injections.

Example of parameterized SQL statement is as follows:

INSERT INTO PATIENT (name, cost) VALUES (?, ?)

The above statement is immune against the SQL injection.

Another example of parameterized SQL statement is as follows:

txtPatientId = getRequestString ("PatientId");

txtSQL = "SELECT * FROM Patients WHERE PatientId = @0";

db.Execute (txtSQL, txtPatientId);

In the above code, @ marker serves as parameter to protect SQL from SQL injection.

Stored Procedure

The stored procedure using no dynamic SQL is another strategy to prevent SQL injection. One of the benefits of using stored procedure is to prevent the database against SQL injection. Stored procedure consists of a logical set of SQL queries used to perform specific tasks. Typically, the stored statements are considered secured because they handle the SQL more correctly than ordinary SQL statements that may provoke the SQL injections.

The following SQL statements are the example of secured SQL statements.

Secure Usage

1 -- Execute Immediate - named parameter

2 sqlStmt: = 'SELECT cus_id FROM customers WHERE cus_email =: email';

3 EXECUTE IMMEDIATE cus_email;

Recovery

The backup method storing data offsite is the strategy to guide against the natural disaster that can lead to a loss of data. An organization should back up all their data and store them offsite should in the case of natural disaster, the organization will turn to backup data and…

Continue Reading...
Sources used in this document:
Reference

Anderson, R. (2008). Security engineering -- A guide to building dependable distributed systems (2nd ed.). New York, NY: John Wiley & Sons Publishing, Inc. Chapter 26, "System Evaluation and Assurance"

Bidgoli, H. (2006).Handbook of information security, volume 2. New York, NY: John Wiley & Sons, Inc.

Goodrich, M., and Tamassia, R. (2011). Introduction to Computer Security. Chapter 9, Security Models and Practice, pp. 460-474 sections: 9.3, 9.4 and 9.5.

Sfetcu, N. (2014). Web Design & Development. Opciones de descarga.
Cite this Document:
Copy Bibliography Citation

Related Documents

Essay
Database Security
Words: 2424 Length: 9 Document Type: Term Paper

Database Security The focus of this study is that of database security. Databases and database technology are such that play critical roles in the use of computers whether it be in business, electronic commerce, engineering, medicine, genetics, law, education or other such entities requiring the use of computer technology. A database is quite simply a collection of data that is related such as a database containing customer information, supplier information, employee

Read More
Essay
Database Security Plan and Requirements Definition for
Words: 2108 Length: 8 Document Type: Research Paper

Database Security Plan and Requirements Definition for a University Department The database security plan and requirements definition were developed. The plan included, at the outset, the inclusion of major stakeholder at the University and described their roles in initiating, implementing, and maintaining the plan. Individuals responsible for daily and other periodic tasks were developed. A major consideration in planning the security was the policy that governs granting of access. The need-to-know,

Read More
Essay
Database Security Design of an
Words: 2976 Length: 11 Document Type: Term Paper

With optimistic concurrency control, the database checks resources to determine if any conflicts have occurred only when attempting to change data. If a conflict occurs, the application must read the data and attempt the change again. Pessimistic concurrency, on the other hand, control locks resources as they are required, for the duration of a transaction. Unless deadlocks occur, a transaction is assured of successful completion 5.5 Audit Tracking Although auditing does

Read More
Essay
Database Security and SQL Injection
Words: 364 Length: 1 Document Type: Research Proposal

Database designers and administrators can work concomitantly with it professionals and researchers to implement the security measures necessary to mitigate risks to data. I have been a database user at my company for a number of years. As such, I am allowed access from only a limited number of locations; one static connection at home, one at work, and one laptop connection that I carry with me when traveling. Each

Read More
Essay
Database Security Over the Last
Words: 904 Length: 2 Document Type: Article Review

Strengths vs. Weaknesses The article 2007 Survey on Database Security; highlights the most pressing issues that could be facing an organization (someone from within who could have access to the data). Where, this strength points out a situation that many it managers are overlooking. However, the weakness of the article is that it points out the problem, while at the same time saying there is no effective solution. In many ways

Read More
Essay
Case Study of Database Security
Words: 1297 Length: 4 Document Type: Case Study

Database Security Case Study Database Security: Case Study The objective of this study is to answer specific questions following have read the case study which is the focus of this work in writing including naming the concepts which are illustrated in the case study and why a customer database is useful for companies related in the case study under review. This work will additionally answer as to what would occur if the

Read More

Sign Up for Unlimited Study Help

Our semester plans gives you unlimited, unrestricted access to our entire library of resources —writing tools, guides, example essays, tutorials, class notes, and more.

Get Started Now