Sunday, February 2, 2014

New York's Worry About Database Security

In February 2013, New York started a database project with a non-profit technology organization, inBloom, to create a statewide database system that stores student information in the cloud. The project is expected to go live by March 2014. The mission of the system is to improve education technology. Features of the system include the ability to track student progress, personalized instruction, and easy parental access. For example, by using this database, parents will have greater and easier interaction with their children’s academic careers, and schools will be able to identify students who are in danger of not graduating. However, this innovative effort faces dissatisfied parents, who refuse to use the system due to concerns about information security and privacy.

Before addressing the public concerns, we should understand the reason for using a database system. Database systems offer high flexibility in an environment of growing data; they also allow users to manipulate data and run the queries they need while operating at a lower cost than traditional systems. In short, users are able to perform data analysis on massive data sets in an efficient and less expensive way. In this case, the database will serve educational purposes: the portal “offers educators, students and their families the ability – for the first time – to view and verify information and data,” said Ken Wagner, associate state education commissioner (New York Parents Furious at Program, InBloom, That Compiles Private Student Information for Companies That Contract with It to Create Teaching Tools).

Although a database system sounds like the “way to go,” it has its downsides, such as vulnerable information security. Since a database contains a large quantity of data, it becomes a key target for cybercriminals looking to attack and plunder data. A related article (The Top Ten Most Common Database Security Vulnerabilities – Charlie Osborne) addresses the common issues of database security. From the article, we can analyze the details of a database and gain insight into the security concerns. The top ten vulnerabilities include:

1. Deployment Failures
A common problem with databases is a lack of care at deployment time. Many databases are tested for proper function, but few are tested for things they should not do.

2. Broken Database
The SQL Slammer worm of 2003 was able to infect thousands of vulnerable database systems within minutes. The worm took advantage of a bug that was found in Microsoft’s SQL database software. Few businesses installed a fix for the bug. As a result, the worm damaged 90 percent of the databases. However, due to a lack of time or resources, many businesses today still do not regularly patch their systems.

3. Data Leak
Many businesses consider the database to be back-end software that is secure from Internet threats, and therefore do not encrypt or secure the system. However, a database contains a networking interface, through which hackers are able to make their attempts.

4. Stolen Database Backups
Although external factors are a major threat to businesses, internal factors such as theft are also a common cause of information leaks.

5. The Abuse of Database Features
Research shows that over the past three years, every database exploit has been based on the misuse of a standard database feature. For example, a hacker can gain access through legitimate credentials before forcing the service to run arbitrary code.

6. A Lack of Segregation
By separating administrator and user powers, as well as duties, internal fraud or theft becomes more difficult.

7. Hopscotch
Rather than gaining complete access to a database in the first stage, cybercriminals often play a game of Hopscotch – finding a weakness inside the infrastructure that can be used as leverage for more serious attacks until reaching the back-end database system.

8. SQL Injections
Applications are attacked through the injection of unclean variables and malicious code, which are inserted into strings and passed to an instance of SQL Server for parsing and execution.

9. Sub-standard Key Management
Research found many encryption keys are stored on company disk drives. Leaving these important keys in an unprotected state can leave systems vulnerable to attack.

10. Data Inconsistencies
Inconsistencies are a common thread that brings all vulnerabilities together. This is an administrative problem rather than a database technology problem.
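
To illustrate item 8, here is an added example (not part of the original post or the cited article) that shows a query built by string concatenation beside the same lookup using a bound parameter. The table, the records and the function names are constructed for illustration, and Python's built-in sqlite3 stands in for a production database server.

```python
import sqlite3


def make_db():
    """Build an in-memory table of constructed (fictional) student records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, guardian TEXT, grade TEXT)"
    )
    db.executemany(
        "INSERT INTO students (name, guardian, grade) VALUES (?, ?, ?)",
        [("Ana", "parent_a", "B+"), ("Ben", "o'neil", "A"), ("Cy", "parent_c", "C")],
    )
    return db


def grades_unsafe(db, guardian):
    # Vulnerable: the input is pasted into the SQL string, so the parser
    # treats quote characters inside it as part of the statement.
    sql = "SELECT name, grade FROM students WHERE guardian = '" + guardian + "'"
    return db.execute(sql).fetchall()


def grades_safe(db, guardian):
    # Hardened: the ? placeholder passes the value separately from the SQL
    # text, so it is only ever compared as data.
    sql = "SELECT name, grade FROM students WHERE guardian = ?"
    return db.execute(sql, (guardian,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that alters the WHERE clause
    print("unsafe, normal input: ", grades_unsafe(db, "parent_a"))
    print("unsafe, crafted input:", grades_unsafe(db, crafted))
    print("safe, crafted input:  ", grades_safe(db, crafted))
    # A legitimate value containing an apostrophe also breaks the unsafe query.
    try:
        grades_unsafe(db, "o'neil")
    except sqlite3.OperationalError as exc:
        print("unsafe, apostrophe:   error:", exc)
    print("safe, apostrophe:     ", grades_safe(db, "o'neil"))
```

With the concatenated query, one guardian's lookup returns every student's record; with the bound parameter the same input matches nothing, and a legitimate name containing an apostrophe works instead of raising a syntax error.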

These are the ten most common database vulnerabilities. However, I believe there are actions that can prevent these problems. Businesses can develop a consistent practice to look after database systems for vulnerabilities and threats. Actions such as documentation and automation tracking can improve and ensure the security of the information contained within the system. In addition, applying limitation, distribution, and segregation of powers to both internal administrations and external users will also prevent threats. Although the process may be costly, the outcome is also rewarding. If enterprises can commit to resolving these database issues, I believe we can see more success in the New York and inBloom project.

On the other hand, information privacy may be another crucial factor standing in the way of the project’s success. Which businesses will be granted access to the student information, and for what purpose? How much of each individual’s information will they be granted? These are questions we can expect to learn more about in the future; they are currently being addressed by the parents and their lawyers.



Works Cited
Chapman, Ben, and Corrine Lestch. "New York Parents Furious at Program, InBloom, That Compiles Private Student Information for Companies That Contract with It to Create Teaching Tools." NY Daily News. New York Daily News, 13 Mar. 2013. Web. 01 Feb. 2014. <http://www.nydailynews.com/new-york/student-data-compiling-system-outrages-article-1.1287990>.
Lane, Adrian. "What Is Big Data?" Dark Reading. Dark Reading, 07 Dec. 2012. Web. 01 Feb. 2014. <http://www.darkreading.com/views/what-is-big-data/240144074>.
Osborne, Charlie. "The Top Ten Most Common Database Security Vulnerabilities." ZDNet. Zero Day, 26 June 2013. Web. 01 Feb. 2014. <http://www.zdnet.com/the-top-ten-most-common-database-security-vulnerabilities-7000017320/>.
Walsh, George M. "NY Parents, Districts Worry about Database Privacy." The Wall Street Journal. Dow Jones & Company, 15 Dec. 2013. Web. 01 Feb. 2014. <http://online.wsj.com/article/AP13ee0bb213b542be859cec885b1ab857.html?KEYWORDS=database>.

