
Chapter 6 Database Security

Chapter 6 discusses database security concepts, including the definition, scope, and threats to databases such as unauthorized access and SQL injection. It emphasizes the importance of controls, access control, encryption, and data masking to protect data. Additionally, it covers backup and recovery strategies, including best practices for secure backups and disaster recovery planning.

Uploaded by awaisfatima677

Chapter 6: Database Security

PART 1: DATABASE SECURITY CONCEPTS

1. Database Security – What is it?

Definition:

Database security means the use of techniques, controls, and processes that ensure the
database:

• Is safe from unauthorized access
• Maintains data integrity
• Does not leak confidential information
• Is protected from attacks and misuse

This security is a combination of hardware, software, network, and human controls.

Scope of Database Security:

• Authentication & Authorization
• Auditing
• Data Encryption
• Network Protection
• Malware Defense
• Backup & Recovery
• Physical Protection

Real-Life Example:

Imagine a hospital database that stores patients' medical records. Without proper
security:

• A hacker can delete records
• Ransomware can lock the entire database
• An insider can steal the data and sell it

Database security keeps all of these risks under control.

2. Threats to Databases – Full List with Explanation

(1) Unauthorized Access

• A hacker gets into the database through weak passwords or improper access controls

(2) Insider Threats

• Employees or contractors who are authorized but have malicious intent

(3) SQL Injection Attacks

• Accessing or changing data through malicious SQL queries

(4) Malware / Ransomware

• Encrypting the database files and demanding a ransom
• Corrupting the data

(5) Backup Tampering

• If backups are not secured, an attacker can modify or delete them as well

(6) Insecure APIs

• Applications that access the database through insecure APIs
• Attackers can misuse those APIs to steal data

(7) Lack of Audit Trails

• If unusual activity happens and no logs are being kept, the issue is never detected

3. SQL Injection – Full Explanation

Definition:

SQL Injection (SQLi) is an attack technique in which the attacker injects malicious SQL
statements through input fields, and the application executes them blindly.

Attack Example:

Input: ' OR '1'='1

If this input is entered in a login form, the query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1';

That is, the attacker gets access to every user's data.

Impact of SQLi:

• Unauthorized access to the entire database
• Data can be deleted or modified
• Login bypass
• Sensitive information leaks (credit cards, passwords)

Prevention Techniques:

• Parameterized queries (Prepared Statements)
• Input validation and sanitization
• Use of ORM (Object Relational Mapping) tools
• Least privilege access
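
As an added example (not code from the chapter), the user lookup from the attack example above is written two ways in Python with the standard sqlite3 module: concatenated, as a vulnerable application builds it, and parameterized, as the prevention list recommends. The users table and the names in it are constructed for the demonstration.

```python
import sqlite3


def make_users_db():
    """Constructed in-memory users table for the demonstration (no real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Builds the WHERE clause by string concatenation: the input becomes SQL code."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Parameterized query: the driver passes the input as a value, never as SQL text."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# The page's login-form input. With concatenation the clause becomes
# username = '' OR '1'='1', which is true for every row in the table.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_users_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),  # every user is returned
        "safe": find_user_safe(conn, PAYLOAD),              # no user has that literal name
    }


if __name__ == "__main__":
    print(demo())
```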

PART 2: DATABASE SECURITY CONTROLS

1. Controls – What are they and why are they needed?

Definition:

Controls are the techniques and policies that protect data from unauthorized access,
damage, or misuse.

Controls can be preventive, detective, or corrective.

3 Types of Controls:

1. Preventive – Stop the attack before it happens (e.g., password policy)
2. Detective – Detect the attack (e.g., log monitoring)
3. Corrective – Fix the damage after it has occurred (e.g., restore from backup)

2. Access Control, Encryption at Rest, Data Masking – Full Detail

Access Control:

• Each user gets only the access they need for their work
• Role-Based Access Control (RBAC) is commonly used
• Example: the HR role can’t access the finance DB

Encryption at Rest:

• Data is encrypted while it is stored on disk (in the rest state)
• The AES-256 standard is commonly used
• Even if the physical drive is stolen, the data remains unreadable

Data Masking:

• Sensitive data is masked by hiding it or replacing it with substitute data
• Useful in development & testing environments
• Example:
o Actual CNIC: 35202-1234567-9
o Masked CNIC: 35202-XXXXXXX-9
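
Added example (not from the chapter): the CNIC masking shown above, applied while copying a production table into a dev/test copy, in Python with sqlite3. The customers table, the names and the second CNIC are constructed; a value that does not match the CNIC layout is rejected rather than copied unmasked.

```python
import re
import sqlite3

# CNIC layout as on the page: 5-digit area code, 7-digit serial, 1 check digit.
CNIC_RE = re.compile(r"^(\d{5})-(\d{7})-(\d)$")


def mask_cnic(cnic):
    """Keep the area code and check digit, replace the 7-digit serial with X."""
    match = CNIC_RE.match(cnic)
    if match is None:
        # Refuse rather than let an unrecognised value through unmasked.
        raise ValueError("unexpected CNIC format: %r" % cnic)
    area, _serial, check = match.groups()
    return "%s-%s-%s" % (area, "X" * 7, check)


def make_production_db():
    """Constructed sample production table (fictional customers and CNICs)."""
    prod = sqlite3.connect(":memory:")
    prod.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, cnic TEXT)")
    prod.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Ayesha", "35202-1234567-9"), (2, "Bilal", "61101-7654321-3")])
    prod.commit()
    return prod


def copy_customers_masked(prod, test):
    """Populate a dev/test database with the production rows, CNICs masked."""
    test.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, cnic TEXT)")
    rows = prod.execute("SELECT id, name, cnic FROM customers").fetchall()
    test.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(cid, name, mask_cnic(cnic)) for cid, name, cnic in rows])
    test.commit()
    return len(rows)


def build_masked_test_db():
    """Create the masked dev/test copy; returns (test connection, rows copied)."""
    prod = make_production_db()
    test = sqlite3.connect(":memory:")
    return test, copy_customers_masked(prod, test)


def masked_cnics(test):
    return [row[0] for row in test.execute("SELECT cnic FROM customers ORDER BY id")]
```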

3. Database Activity Monitoring (DAM) – Deep Explanation

Definition:

DAM is a tool or piece of software that monitors, analyzes, and alerts on every activity
that takes place on the database, in real time.

Features of DAM:

• Query logging
• Suspicious activity alert
• Access pattern analysis
• Compliance reporting (HIPAA, GDPR, etc.)

Use-Case Example:

If a user suddenly exports 50,000 records at 3 AM, the DAM tool can raise an alert:
"Unusual Data Access Detected"

Popular Tools:

• IBM Guardium
• Oracle Audit Vault
• Imperva SecureSphere
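
Added example (not taken from any of the DAM products named above): the use-case above written as detection logic in Python and run over a constructed audit log. Business hours of 08:00 to 19:59 and a bulk threshold of 10,000 rows are assumed policy values, not figures from the chapter.

```python
import re
from datetime import datetime

# Constructed sample audit log (not output of any real DAM product); one event per line.
AUDIT_LOG = """\
2024-05-10 09:15:02 user=ayesha action=SELECT table=patients rows=12
2024-05-10 14:40:51 user=bilal action=UPDATE table=patients rows=1
2024-05-10 03:02:17 user=junaid action=EXPORT table=patients rows=50000
2024-05-10 11:05:33 user=ayesha action=EXPORT table=reports rows=300
2024-05-10 02:45:09 user=bilal action=SELECT table=patients rows=5
"""

LINE_RE = re.compile(r"^(\S+ \S+) user=(\w+) action=(\w+) table=(\w+) rows=(\d+)$")
BUSINESS_HOURS = range(8, 20)  # 08:00-19:59 is normal working time (assumed policy)
BULK_THRESHOLD = 10000         # rows in one export that count as bulk (assumed policy)


def parse_events(log_text):
    """Turn log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            continue
        ts, user, action, table, rows = match.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "action": action, "table": table, "rows": int(rows)})
    return events


def detect_unusual_access(events):
    """Alert on bulk exports at any hour and on any export outside business hours."""
    alerts = []
    for event in events:
        reasons = []
        if event["action"] == "EXPORT" and event["rows"] >= BULK_THRESHOLD:
            reasons.append("bulk_export")
        if event["action"] == "EXPORT" and event["time"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours_export")
        if reasons:
            alerts.append({"message": "Unusual Data Access Detected", "user": event["user"],
                           "table": event["table"], "rows": event["rows"],
                           "time": event["time"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_unusual_access(parse_events(AUDIT_LOG)):
        print(alert)
```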

PART 3: BACKUP & RECOVERY

1. Backup & Recovery – What is it?

Backup:

Backup means preparing a duplicate copy of the database that can be restored in the event
of an incident (such as a crash, ransomware, or human error).

Recovery:

Recovery means bringing the system back to its previous working condition from the backup
if data is lost or damaged.

Purpose:

• Business continuity
• Disaster recovery
• Ransomware protection
• Human error correction

2. Secure Backups – Best Practices

1. Encrypt Backups:
o Use AES encryption so the data stays safe even if it is stolen
2. Offsite Storage:
o Store backups in a separate location (e.g. cloud or a physical drive)
3. Regular Testing:
o Taking a backup alone is not enough; it must also be tested
4. Access Control:
o Only authorized admins should have access to the backup files
5. Immutable Backups:
o Keep them in write-once-read-many (WORM) format
o Restore remains possible even after a ransomware attack
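
Added example (not code from the chapter) for practice 3, regular testing, in Python with sqlite3: take a backup with SQLite's online backup API, record its SHA-256, then restore it into a scratch database and check integrity and row count. The patients table is constructed, and a tampered backup is simulated by overwriting the backup file; encryption and offsite storage are not covered by this snippet.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

def make_production_db(path):
    """Constructed sample database (fictional patient names), created at path."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO patients (name) VALUES (?)", [("Ayesha",), ("Bilal",), ("Sana",)])
    conn.commit()
    return conn

def sha256_of_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def take_backup(src, backup_path):
    dst = sqlite3.connect(backup_path)
    src.backup(dst)  # SQLite online backup API: a consistent copy even while src is in use
    dst.close()
    return sha256_of_file(backup_path)  # record the digest at backup time

def verify_backup(backup_path, expected_digest, expected_rows):
    """Restore test: digest unchanged, integrity_check passes, expected rows present."""
    if sha256_of_file(backup_path) != expected_digest:
        return False, "digest mismatch (backup tampered with or corrupted)"
    source, restored = sqlite3.connect(backup_path), sqlite3.connect(":memory:")
    source.backup(restored)  # restore into a scratch database, never over production
    source.close()
    status = restored.execute("PRAGMA integrity_check").fetchone()[0]
    rows = restored.execute("SELECT COUNT(*) FROM patients").fetchone()[0]
    restored.close()
    if status != "ok":
        return False, "integrity_check failed: " + status
    if rows != expected_rows:
        return False, "row count %d != expected %d" % (rows, expected_rows)
    return True, "restore test passed"

def run_restore_test(tamper=False):
    """Create the database, back it up, optionally corrupt the backup, then verify it."""
    with tempfile.TemporaryDirectory() as workdir:
        prod = make_production_db(Path(workdir) / "prod.db")
        backup_path = Path(workdir) / "prod.bak"
        digest = take_backup(prod, backup_path)
        prod.close()
        if tamper:
            backup_path.write_bytes(b"JUNK")  # replace the file contents, as tampering would
        return verify_backup(backup_path, digest, expected_rows=3)
```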

3. Disaster Recovery Planning (DRP) – Complete Guide

Definition:

Disaster Recovery Planning is a documented strategy that defines:

• What is to happen if data is destroyed or a system goes down
• How the systems are to be restored in the minimum possible time

Key DRP Components:

1. Recovery Point Objective (RPO):
o How much data loss is acceptable? (e.g. 15 mins, 1 hour)
2. Recovery Time Objective (RTO):
o Within how much time must the service be back? (e.g. within 2 hours)
3. Redundant Systems:
o Failover servers, mirrored databases
4. Documentation & Roles:
o Each team member's role must be defined
5. DR Drills:
o Practiced from time to time by simulating a real disaster
