Preventing Unauthorized Access to Data Sets
Question
A web-based front end for a business intelligence application uses pass-through authentication to authenticate users.
The application then uses a service account to perform queries and look up data in a database.
A security analyst discovers employees are accessing data sets they have not been authorized to use.
Which of the following will fix the cause of the issue?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.A.
The issue in this scenario is that employees are accessing data sets they are not authorized to use. The reason for this is that the application is using a service account to perform queries and look up data in the database. This means that all users who authenticate using pass-through authentication have the same level of access to the database, regardless of their individual permissions.
To fix this issue, option A suggests changing the security model to force users to access the database as themselves. This would mean that the application would no longer use a service account to perform queries and look up data in the database. Instead, each user would be required to authenticate with their own credentials, and their level of access would be determined based on their individual permissions. This option would address the issue by ensuring that users can only access data sets they are authorized to use.
Option B suggests parameterizing queries to prevent unauthorized SQL queries against the database. This would involve modifying the code of the application to ensure that all user input is sanitized and validated before being used to construct SQL queries. By doing this, any attempts by users to execute unauthorized SQL queries would be blocked, reducing the risk of unauthorized access.
Option C suggests configuring database security logging using syslog or a SIEM. This would involve configuring the database to log all security-related events and forwarding those logs to a centralized log management system, such as a syslog or SIEM. By doing this, any unauthorized access attempts could be detected and investigated, helping to prevent future incidents.
Option D suggests enforcing unique session IDs so users do not get a reused session ID. This would involve modifying the application code to ensure that each user is assigned a unique session ID when they log in. By doing this, it would be more difficult for users to gain unauthorized access to data sets, as they would not be able to reuse a session ID assigned to another user.
Overall, option A is the best solution to fix the cause of the issue, as it addresses the root cause of the problem by ensuring that users can only access data sets they are authorized to use. Option B, C, and D are also useful measures to improve the security of the application, but they are not as effective at preventing unauthorized access as option A.
