Secure Databases
The injected condition, 'or '1'='1, appended to a quoted string comparison, always evaluates to ____.
True
____ statements give an intruder a way to append a query of their own to an existing legitimate statement; because the two result sets are combined, the appended query must return the same number of compatible columns.
UNION
Appropriate ____ control is essential to ensure the confidentiality, integrity, and availability of the DBMS.
access
The process by which permissions are applied to an authenticated user is known as ____.
authorization
____ are responsible for the theft and destruction that affect our systems.
black hats
A ____ is a piece of information that is used to verify identity, such as a person's username and password, an application's secure ID, or a host's network name and address.
credential
A(n) ____ SQL statement is a SQL statement that is generated on the fly by an application (such as a Web application), using a string of characters derived from a user's input parameters into a form within the application itself.
dynamic
Placing ____ processes between the user input and the dynamically created statement, so that limits are enforced on what a user may enter, reduces the number of successful SQL injection attacks, although parameterized statements remain the primary defense.
filtering
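As an added example (not part of the original study set) of the dynamic statement, the 'or '1'='1 tautology and an input filter in front of it: a constructed SQLite login table queried first by a vulnerable concatenated statement and then by a parameterized one. The table, the account and the filter token list are invented for the demonstration; passwords are kept in plaintext only so the injected SQL stays readable.

```python
import sqlite3

TAUTOLOGY = "' or '1'='1"   # the injected condition from the study set


def make_db():
    """Constructed in-memory users table for the demonstration (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext only so the injected SQL is easy to read; real systems store a hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_dynamic_login(username, password):
    """Dynamic SQL: the statement text is assembled from user input at run time."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_dynamic(conn, username, password):
    """Vulnerable: with password = TAUTOLOGY the WHERE clause becomes
    (username = '...' AND password = '') OR '1'='1', which is always true."""
    return conn.execute(build_dynamic_login(username, password)).fetchone()[0] > 0


def login_static(conn, username, password):
    """Hardened: the statement text is fixed; input is bound as data, so the
    tautology is compared as a literal password and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def passes_filter(value):
    """Input filter placed in front of the dynamic statement. It blocks the
    obvious payloads but is a secondary control: encodings and dialect-specific
    tricks can slip past string checks, so use it alongside login_static."""
    banned = ("'", '"', ";", "--", "/*")
    return not any(token in value for token in banned)


if __name__ == "__main__":
    db = make_db()
    print(build_dynamic_login("nobody", TAUTOLOGY))
    print("dynamic, injected:", login_dynamic(db, "nobody", TAUTOLOGY))   # True
    print("static, injected: ", login_static(db, "nobody", TAUTOLOGY))    # False
    print("filter:", passes_filter(TAUTOLOGY))                            # False
```

Running it prints the assembled statement so the precedence problem is visible: AND binds tighter than OR, so the trailing '1'='1 makes the whole predicate true for any username.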
The term ____ refers to those who have mastered the firmware and software of modern computer systems, and enjoy the exploration and analysis of network security with no intent to intrude or cause harm.
hacker
On most database management systems, user passwords are stored as a nonreversible ____ in a system table that requires elevated privileges to read.
hash
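An added example (not from the original study set) of what "nonreversible hash" means for a password table: the stored row holds a random salt and a PBKDF2-HMAC-SHA256 digest, and a login is checked by recomputing the digest rather than decrypting anything. The in-memory dictionary stands in for the privileged password table; the iteration count and account names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: raise until one hash takes roughly 100 ms on your hardware
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). PBKDF2-HMAC-SHA256 is one-way: the digest cannot be
    turned back into the password; it can only be recomputed and compared."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def store_user(table, username, password):
    """Write a row the way a DBMS system table would: salt and digest, never the password."""
    salt, digest = hash_password(password)
    table[username] = {"salt": salt.hex(), "hash": digest.hex()}


def check_login(table, username, password):
    """Recompute with the stored salt and compare in constant time, so the check
    does not leak how many leading bytes of the digest matched."""
    row = table.get(username)
    if row is None:
        return False
    _, candidate = hash_password(password, bytes.fromhex(row["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(row["hash"]))


if __name__ == "__main__":
    users = {}                       # stands in for the privileged password table
    store_user(users, "alice", "correct horse")
    print(users["alice"])            # only salt and hash are stored
    print(check_login(users, "alice", "correct horse"))   # True
    print(check_login(users, "alice", "wrong"))           # False
```

The per-user salt is why two accounts with the same password get different digests, and the iteration count is what keeps trial-and-error guessing expensive even if the table is read by someone with the privileges the card mentions.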
It can be beneficial, if the resources are available, to create a ____ environment to mislead intruders.
honeypot
Malicious code that does not activate until predetermined conditions are met (a date, a record count, the absence of a user) is known as a ____ bomb.
logic
Through ____ and monitors, an experienced security professional can identify a potential attack.
logs
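An added example (not from the original study set) of identifying a potential attack through logs: a constructed Apache-style access log is URL-decoded and scanned for SQL injection signatures, and sources with repeated hits are flagged. The log lines, client addresses, signature list and threshold are invented for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache-style, shortened); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&pw=secret HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /login?user=admin&pw=%27+or+%271%27%3D%271 HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=shoes%27+UNION+SELECT+name%2CNULL+FROM+sqlite_master-- HTTP/1.1" 500 88
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=running+shoes HTTP/1.1" 200 2048
"""

REQUEST_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')

# Signatures are matched against the URL-decoded request target.
SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("union query", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sql comment", re.compile(r"(--|/\*)")),
    ("stacked statement", re.compile(r";\s*(drop|delete|insert|update)\b", re.I)),
]


def scan_log(text):
    """Return [(client_ip, decoded_target, [matched rule names])] for suspicious lines."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        ip, target = m.group(1), unquote_plus(m.group(2))   # decode %27, '+' etc. before matching
        rules = [name for name, pattern in SIGNATURES if pattern.search(target)]
        if rules:
            findings.append((ip, target, rules))
    return findings


def suspicious_sources(findings, threshold=2):
    """Correlate by source: addresses with at least `threshold` suspicious requests."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, target, rules in hits:
        print(ip, rules, target)
    print("repeat offenders:", suspicious_sources(hits))   # ['10.0.0.9']
```

Decoding before matching matters: the payloads in the sample arrive as %27 and + sequences and would not match the raw line. The signatures are deliberately narrow; a real monitor would also look at response codes (the 500 on the UNION line) and at POST bodies, which an access log does not record.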
A(n) ____ attack involves the intruder using one avenue, such as with Web applications, to initiate the injection and a different one to obtain the results.
multichannel
Preparing for a database security audit requires the auditor to gather as much information about the database environment as possible to define the specific ____.
perimeter
The first step in preparation for an audit is the ____ stage.
planning and preparation
A DNS server can be fed forged resolution records so that clients are directed to attacker-controlled addresses, an attack called DNS ____.
poisoning
A security audit tests to ensure that the proper ____ and procedures are in place to handle a potential vulnerability.
policies
The auditor or auditing committee's recommendations are typically followed by a specific set of ____ actions.
remediation
The auditing process generally includes three steps: prepare, audit, and ____.
report
A virus that installs itself or takes residence directly in the main system memory of a computer is known as a ____ virus.
resident
The database ____ is the overall logical structure of the objects within the database.
schema
The audit ____ is the area or system on which the security audit will focus.
scope
In a ____ attack, an intruder uses only one channel both to execute the SQL injection and to obtain the returned results.
single-channel
A ____ Uniform Resource Locator (URL) is used to fool a user into believing that the site is a legitimate or well-known site, such as Yahoo! or Google.
spoofed
A(n) ____ SQL statement is one whose full text is fixed by the developer and known at compile time; any user input is bound as a parameter rather than spliced into the text.
static
Filters will often use ____ comparisons to identify dangerous code being input or displayed as output.
string
A SQL injection executed without an error returned from the database is known as a(n) ____ injection.
successful
Once a list of accessible databases is discovered, the next step for an intruder is to extract the ____ within the target database.
tables
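An added example (not from the original study set) that ties the UNION card to the table-extraction step: a constructed SQLite product search with a concatenated LIKE clause is given a UNION payload that reads table names from the catalog, then a second payload that dumps the table just discovered, beside the parameterized version that defeats both. Schema, data and payload text are invented for the demonstration; sqlite_master is SQLite's catalog, and the equivalent on MySQL or SQL Server is information_schema.tables and on Oracle all_tables.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema for the demonstration (not a real application)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'running shoes', 59.99), (2, 'socks', 4.99);
        INSERT INTO users VALUES (1, 'alice', 'deadbeef');
    """)
    return conn


def search_products(conn, term):
    """Vulnerable: the search term is spliced into the statement text."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, term):
    """Hardened: the term is bound as a parameter and can only ever be a pattern."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# The appended SELECT must return the same number of columns as the original (2 here);
# NULL pads the second column. The trailing comment swallows the application's closing %'.
UNION_TABLES = "' UNION SELECT name, NULL FROM sqlite_master WHERE type='table' --"
UNION_DUMP_USERS = "' UNION SELECT username, pw_hash FROM users --"


def list_tables_via_union(conn):
    """Intruder step 1: learn the table names from the catalog."""
    rows = search_products(conn, UNION_TABLES)
    return sorted(name for name, price in rows if price is None)


def dump_users_via_union(conn):
    """Intruder step 2: read the table just discovered; genuine product rows are dropped."""
    rows = search_products(conn, UNION_DUMP_USERS)
    return [(u, h) for u, h in rows if isinstance(h, str)]


if __name__ == "__main__":
    db = make_db()
    print(list_tables_via_union(db))                # ['products', 'users']
    print(dump_users_via_union(db))                 # [('alice', 'deadbeef')]
    print(search_products_safe(db, UNION_TABLES))   # []
```

Because the injected rows come back mixed with legitimate product rows, the intruder separates them by the padding column (NULL price, or a string where a number is expected); that is also why the column count and types of the appended query have to line up with the original.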
____ is the process of confirming the identity of those individuals or applications that request access to a secure environment.
Authentication
____ attacks involve obtaining passwords or other secrets through iterative trial and error.
Brute force
____ refers to the efforts taken through policy, procedure, and design in order to create and maintain the privacy and discretion of information and systems.
Confidentiality
____ predicts the possible run-time behavior of a program by examining its source code without executing it.
Data flow analysis
____ responses, if present, can provide the most reliable means by which to identify the database.
Database
____ utilization and sensitive data storage are two considerations that must be included in any database security audit.
Encryption
____ audits can be requested by governing bodies or financial institutions out of concern for noncompliance or corrupt undertakings.
External
The injected condition, 'or '1'='2, appended to a quoted string comparison, always evaluates to ____.
False
____ audits utilize an external group of individuals who are hired or employed by the government or other standard-setting groups for the purpose of conducting an audit.
Formal
For MySQL, the ____ command is used to give a user a privilege (REVOKE takes it away).
GRANT
____ testing conducted on error messages offers administrators and security professionals great insight into their own systems.
Inferential
____ refers to the efforts taken through policy, procedure, and design in order to create and maintain reliable, consistent, and complete information and systems.
Integrity
____ applications are designed to monitor external requests that are sent to obtain access to the database, and the database environment's responses to these requests.
Middleware
Server-side Java (JSP, servlets) in a Web application has traditionally been taken as a strong hint that the back-end database is ____; client-side JavaScript reveals nothing about the database, and even the Java hint is a heuristic, not certainty.
Oracle
The ____ role is a special SQL Server database role of which every database user is a member; it cannot be dropped and users cannot be removed from it.
PUBLIC
____ is the attempt to obtain PII from people through the use of spoofed e-mail addresses and URLs.
Phishing
____ is a strategy that allows a database to hold multiple instances of a record under the same primary-key value, each carrying and displaying different values to users of different security classifications.
Polyinstantiation
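An added example (not from the original study set) of polyinstantiation on a constructed SQLite table: the classification level is made part of the primary key, so one flight number can carry one row per level, each user sees the highest instance at or below their clearance, and a low-level write never collides with a higher-level row. The level labels, table and data are assumptions for the demonstration.

```python
import sqlite3

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}   # assumed labels


def make_db():
    """Constructed polyinstantiated table: the classification is part of the key,
    so one logical flight number can have one row per level."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE flights (
            flight_no   TEXT    NOT NULL,
            level       INTEGER NOT NULL,
            destination TEXT    NOT NULL,
            PRIMARY KEY (flight_no, level)
        );
        INSERT INTO flights VALUES ('F-101', 0, 'Training range');
        INSERT INTO flights VALUES ('F-101', 2, 'Forward base');
        INSERT INTO flights VALUES ('F-202', 0, 'Home base');
    """)
    return conn


def visible_flights(conn, clearance):
    """What a user at `clearance` sees: for each flight, the highest instance at or
    below their level. Lower-cleared users never learn that a higher row exists."""
    sql = """
        SELECT flight_no, destination FROM flights AS f
        WHERE level = (SELECT MAX(level) FROM flights
                       WHERE flight_no = f.flight_no AND level <= ?)
        ORDER BY flight_no
    """
    return conn.execute(sql, (LEVELS[clearance],)).fetchall()


def write_flight(conn, clearance, flight_no, destination):
    """Write at the user's own level. With a plain PRIMARY KEY (flight_no) an
    unclassified insert of 'F-101' would fail and thereby reveal the secret row;
    here it succeeds and only replaces the instance at the writer's level."""
    conn.execute("INSERT OR REPLACE INTO flights VALUES (?, ?, ?)",
                 (flight_no, LEVELS[clearance], destination))
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    print(visible_flights(db, "UNCLASSIFIED"))   # [('F-101', 'Training range'), ('F-202', 'Home base')]
    print(visible_flights(db, "SECRET"))         # [('F-101', 'Forward base'), ('F-202', 'Home base')]
```

The key-uniqueness failure that polyinstantiation avoids is itself a covert channel: if the unclassified insert of F-101 were rejected, the unclassified user would infer that a classified F-101 exists.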
____ is the built-in system administrator login in SQL Server; it belongs to the sysadmin role and has full control of the instance.
SA
____ is the default general-purpose database administrator account for Oracle databases (SYS is the other built-in administrative account).
SYSTEM
____ use human interaction to manipulate people into granting access to systems, restricted areas, and confidential information.
Social Engineers
____ queries are used to analyze the data in a database for auditing users and finding trends.
Statistical