Project 5 Resources:
Deliverables
· A Request for Proposal (RFP), about 10 to 12 pages, in the form of a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations. There is no penalty for using additional pages. Include a minimum of six references. Include a reference list with the report.
· I will provide the lab document.
Database Security Assessment
You are a contracting officer's technical representative, a security system engineer, at a military hospital. Your department's leaders are adopting a new medical health care database management system. And they've tasked you to create a request for proposal for which different vendors will compete to build and provide to the hospital.
A request for proposal, or RFP, is when an organization sends out a request for estimates on performing a function, delivering a technology, or providing a service or augmenting staff. RFPs are tailored to each endeavor but have common components and are important in the world of IT contracting and for procurement and acquisitions.
To complete the RFP, you must determine the technical and security specifications for the system. You'll write the requirements for the overall system and provide evaluation standards that will be used in rating the vendor's performance. Your learning will help you determine your system's requirements.
As you discover methods of attack, you'll write prevention and remediation requirements for the vendor to perform. You must identify the different vulnerabilities the database should be hardened against.
Modern health care systems incorporate databases for effective and efficient management of patient health care. Databases are vulnerable to cyberattacks and must be designed and built with security controls from the beginning of the life cycle.
Although hardening the database early in the life cycle is better, security is often incorporated after deployment, forcing hospital and health care IT professionals to play catch-up. Database security requirements should be defined at the requirements stage of acquisition and procurement.
System security engineers and other acquisition personnel can effectively assist vendors in building better health care database systems by specifying security requirements up front within the request for proposal (RFP). In this project, you will be developing an RFP for a new medical health care database management system.
Parts of your deliverables will be developed through your learning lab. You will submit the following deliverables for this project:
Step 1: Provide an Overview for Vendors
As the contracting officer's technical representative (COTR), you are the liaison between your hospital and potential vendors. It is your duty to provide vendors with an overview of your organization. To do so, identify information about your hospital. Conduct independent research on hospital database management. Think about the hospital's different organizational needs. What departments or individuals will use the Security Concerns Common to All RDBMSs, and for what purposes?
Security Concerns Common to All RDBMSs
A relational database management system (RDBMS) is used to organize and manage data tables by using keys in a way that all the data can be accessed without reorganization. The keys represent attributes and uniquely identify rows in a table.
According to Trivedi, Zavarsky, and Butakov, although “many prominent relational database management systems provide inbuilt security controls and mechanisms, the information resided in the data-store are at great risk” (2016). Several features, including authentication, roles and access management, ownership and user schema management, authorization and permission on objects and encryption, are implemented to mitigate security concerns and reduce the chances of unauthorized access.
References
Trivedi, D., Zavarsky, P., & Butakov, S. (2016). Enhancing relational database security by metadata segregation. ScienceDirect, 94. http://ac.els-cdn.com/S1877050916318208/1-s2.0-S1877050916318208-main.pdf?_tid=480c35ae-a161-11e6-a664-00000aab0f01&acdnat=1478135167_7bd287eb942d2056a92b63c754097bcf
Provide an overview of the types of data that may be stored in the system and the importance of keeping this data secure. Include this information in the RFP.
After the overview is complete, move to the next step to provide context for the vendors with an overview of their needs.
Step 2: Provide Context for the Work
Now that you have provided vendors with an overview of your hospital's needs, you will provide the vendors with a context for the work needed.
Since you are familiar with the application and implementation, give guidance to the vendors by explaining the attributes of the database and by describing the environment in which it will operate. Details are important for the vendors to provide optimal services.
It is important to understand the vulnerability of a relational database management system (RDBMS). Read the following resources about RDBMSs.
Error Handling and Information Leakage
Applications must handle errors properly to avoid leakage of sensitive information that can expose them to attack. According to the Open Web Application Security Project (OWASP):
Motivated attackers like to see error messages as they might leak information that leads to further attacks, or may leak privacy-related information. Web application error handling is rarely robust enough to survive a penetration test.
Applications should always fail-safe. If an application fails to an unknown state, it is likely that an attacker may be able to exploit this indeterminate state to access unauthorized functionality, or worse create, modify or destroy data.
Error-handling applications must ensure that they fail safe, debug errors, handle exceptions, and check function return errors (OWASP, 2015).
References
Open Web Application Security Project (OWASP). (2015). Error handling, auditing, and logging. https://www.owasp.org/index.php/Error_Handling,_Auditing_and_Logging#Error_Handling
Insecure Handling
Insecure handling of data can harm its quality, confidentiality, and integrity or even cause complete destruction. The potential issues include insecure indexing of web content and external threats, such as malware. According to the Web Application Security Consortium (2010):
Insecure Indexing is a threat to the data confidentiality of the web-site. Indexing web-site contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, which can later be retrieved (albeit not trivially) by a determined attacker, typically through a series of queries to the search engine. The attacker does not thwart the security model of the search engine. As such, this attack is subtle and very hard to detect and to foil—it's not easy to distinguish the attacker's queries from a legitimate user's queries. (p. 151)
Malicious code or malware is a program code that intends to access and compromise secure data. Guidelines from the National Institute of Standards and Technology (Souppaya & Scarfone, 2013) discuss how several organizations implement systems to ensure secure handling of data by monitoring access requests:
The security checking is often done through network access control software by placing on each host an agent that monitors various characteristics of the host, such as OS patches and antivirus updates. When the host attempts to connect to the network, a network device such as a router requests information from the host's agent. If the host does not respond to the request or the response indicates that the host is insecure, the network device causes the host to be placed onto a separate VLAN. (p. 28)
References
Souppaya, M., & Scarfone, K. (2013). Guide to malware incident prevention and handling for desktops and laptops: Special Publication 800-83, Revision 1. National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf
Web Application Security Consortium. (2010). WASC threat classification. http://projects.webappsec.org/f/WASC-TC-v2_0.pdf
Cross-Site Scripting (XSS/CSRF) Flaws
Cross-site scripting (XSS) refers to injection of malicious scripts on trusted websites. XSS enables attackers to inject client-side script into web pages viewed by other users. For example, imagine a victim is using a web application (e.g., email or an e-commerce site) and is currently logged in to the account. If a malicious code is present while the victim is logged in, that code sends the session information to the attacker's email account. The attacker can then tap into the user's session and log in while the victim is still using the application. This is an example of session hijacking using XSS.
Since XSS flaws are common in current web applications, the vulnerabilities are used by attackers to get unauthorized access to sensitive data.
SQL Injections
SQL injection attacks are a type of injection attack, in which SQL commands are injected into data input forms in order to impact the execution of predefined SQL commands (OWASP, 2022). As a common attack vector, it refers to attacks implemented using malicious SQL code by virtue of a code injection technique with the aim of obtaining unauthorized access to sensitive data in a database. In other words, the injection attack can make it possible to execute malicious SQL statements, which control a database server behind a web application. Unfortunately, it is the most common web hacking technique employed by attackers, as a result of vulnerabilities in the SQL statements.As a web security vulnerability, it enables an attacker to interfere with the queries that an application makes to a database. According to OWASP, the main consequences of SQL injection are its effects on confidentiality, authentication, authorization, and integrity. For example, in a situation where the SQL injection attack is successful, it can lead to unauthorized access to sensitive data such as personally identifiable information, passwords, credit card details, and many others. A typical example includes retrieving hidden data or subverting application logic. The risks of SQL injections can be mitigated or minimized by implementing defense mechanisms and controls such as input validation, stored procedures, the principle of least privilege, and adopting application development best practices.
References
OWASP (2022). SQL Injection. Retrieved from https://owasp.org/www-community/attacks/SQL_Injection
Insecure Configuration Management
Insecure configuration management refers to security problems that arise due to improper configuration of servers, which provide content and invoke applications.
According to the Open Web Application Security Project (OWASP), examples of server configuration issues include unpatched security flaws in the server software; server software flaws or misconfigurations; unnecessary default, backup, or sample files; improper file and directory permissions; unnecessary services enabled; default accounts with their default passwords; administrative or debugging functions that are enabled or accessible; overly informative error messages; misconfigured SSL (Secure Sockets Layer) certificates and encryption settings; use of self-signed certificates to achieve authentication and man-in-the-middle protection; use of default certificates; and improper authentication with external systems (OWASP, 2015).
References
Open Web Application Security Project (OWASP). (2015). Insecure configuration management. https://www.owasp.org/index.php/Insecure_Configuration_Management
Authentication (with a focus on broken authentication)
Authentication is the process by which credentials are presented and validated to enable access. There are a number of different methods of authentication. Passwords are the most common type of authentication and are usually coupled with user identification (user IDs). Tokens and certificates are often used in place of passwords to provide a higher level of security. Tokens can contain unique identifiers (e.g., digital signatures or keys). Tokens can also store biometric data—for example, fingerprints.
There are several different types of combinations of authentication. Higher levels of security are generally associated with more levels of authentication (multifactor). For example, two-factor authentication might include a token and a password. Kerberos is a protocol for authentication made up of two components: a ticket (distributed by a service) for user authentication and a key that is developed from the user's password. Another authentication scheme is the Challenge-Handshake Authentication Protocol (CHAP), which uses a representation (hash) of the user's password to authenticate.
Access Control
Access control is the process by which permissions are granted for given resources. Access control can be physical (e.g., locked doors accessed using various control methods) or logical (e.g., electronic keys or credentials). There are several access control models, to include:
· Role-based access control: Access is granted based on individual roles.
· Mandatory access control: Access is granted by comparing data sensitivity levels with user sensitivity access permissions.
· Attribute-based access control: Access is granted based on assigned attributes.
· Discretionary access control: Access is granted based on the identity and/or group membership of the user.
The access control model used is determined based on the needs of the organization. To determine the best model, a risk assessment should be performed to determine what threats might be applicable. This information is then used to assess which model can best protect against the threats.
Describe the security concepts and concerns for databases.
Identify at least three security assurance and security functional requirements for the database that contain information for medical personnel and emergency responders.
Include this information in the RFP.
In the next step, you will provide security standards for the vendors.
Step 3: Provide Vendor Security Standards
In the previous step, you added context for the needed work. Now, provide a set of internationally recognized standards that competing vendors will incorporate into the database. These standards will also serve as a checklist to measure security performance and security processes.
Read the following resources to prepare:
Hierarchical Model
The hierarchical database model defines data in a hierarchically arranged order. This model can be pictured as a relationship based on a binary tree, where a single table acts as the “root” of the database from which other tables “branch” out.Relationships in this type of a system are thought of in terms of parent and children nodes, such that a child may only have one parent, but a parent can have multiple children. This concept is referred to as having a one-to-many relationship.Pointers link parent and children nodes. A parent will have a list of pointers, so it knows where each of its children is located. The main issue with the hierarchical model is that the user must have a prior knowledge of how the database is structured in order to understand where components map.The hierarchical model is more efficient than the flat-file model because it eliminates some redundant data.The hierarchical database model suffers from two primary drawbacks:
1. A record cannot be added to a child table until it has already been incorporated into the parent table.
2. Redundancy still occurs because hierarchical databases handle one-to-many relationships well, but do not handle many-to-many relationships well because a child may only have one parent. In many cases, the child should be related to more than one parent.
Network Model
Network databases were created to remediate some of the inefficiencies in the hierarchical model. Network databases are based on mathematical concepts introduced by set theory to create the database structure, allowing for many-to-many relationships to exist, where children can have multiple parents and parents can have multiple children.
A relational database comprises a collection of tables, each of which holds data in tuples and fields. In the relational database model, tables are related to one another by using “keys.” Each table has a primary key, which uniquely identifies each record, so that no record can be recorded twice under the same primary ID value, eliminating data record duplication. When two tables are related to one another, they share a field called a foreign key. The values in each of the tables will be the same. There are some instances where a primary key can be the foreign key. This interlinking of data provides for a more efficient way to store and retrieve data.
Object-Oriented Model
Object-oriented databases or object database management systems store information as objects rather than data such as integers, strings, or real numbers. Objects contain both executable code and data.
In object-oriented programming, classes are used to define the data and methods the object will contain. The class is like a template to the object and is used to create instances of the object. The class does not itself contain data or methods but defines the data and methods contained in the object.
Reference: The Computer Technology Documentation Project. (n.d.). Object Oriented Databases. Retrieved from http://www.comptechdoc.org/independent/database/basicdb/dataobject.html
In-Memory Model
In-memory databases can provide a significant performance advantage over disk-oriented databases since they avoid disk Input Output, and since their storage managers are built and optimized for complete memory residency. These systems rely on main memory as a storage mechanism. This optimizes search capabilities by eliminating “seek time” when retrieving, querying, and getting datasets. Many of these systems use NoSQL, a language similar to SQL, but NoSQL does not rely on tabular models in traditional relational database systems. These methods are emerging, but include columnar, document, key-value, graph, and multi-model databases.In-memory databases and NoSQL can be combined to create powerful database systems, scaling to large size and clustering over multi-nodes. Large web-based services such as Google Search, Facebook, and Amazon use NoSQL for massive processing.References: Belzer, J., Holzman, A. G. & Kent, A. (1980). Encyclopedia of computer science and technology: Volume 14 – very large data base systems to zero-memory and Markov information source. New York, NY: Marcel Dekker.IEEE Journal bulletin: Data engineering, special issue on main-memory database systems (2013, June). Retrieved from http://sites.computer.org/debull/A13june/issue1.htmLahiri, T., Neimat, M-A., & Folkman, S. (2013). Oracle times ten: An in-memory database for enterprise applications. Retrieved from http://sites.computer.org/debull/A13june/p6.pdfStrauch, C. (2012). NoSQL databases. Retrieved from http://www.christof-strauch.de/nosqldbs.pdf
Common Criteria (CC) for Information Technology Security Evaluation
The Common Criteria for Information Technology Security Evaluation is a framework or set of standards to evaluate the security of computer systems. According to the United States Computer Emergency Readiness Team, the Common Criteria were developed by the United States, Canada, France, Germany, the Netherlands, and the United Kingdom (US-CERT, 2013):
This effort built on earlier standards, including Europe's Information Technology Security Evaluation Criteria (ITSEC), the United States' Trusted Computer System Evaluation Criteria (TCSEC), and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) (Caplan, 1999). The CC is an international standard (ISO/IEC 15408) for computer security. A Common Criteria evaluation allows an objective evaluation to validate that a particular product satisfies a defined set of security requirements.
Though CC focuses on evaluation of systems, it is also useful for the development of security requirements. Seven Common Criteria evaluation assurance levels (EALs) have been defined to indicate the different levels of security functional requirements.
References
Caplan, K., & Sanders, J. (1999). Building an international security standard. IT Professional, 1(2), 29–34. doi:10.1109/6294.774938
United States Computer Emergency Readiness Team (US-CERT). (2013). The common criteria. The United States Computer Emergency Readiness Team. https://www.us-cert.gov/bsi/articles/best-practices/requirements-engineering/the-common-criteria
Evaluated Assurance Levels (EALs)
Evaluated assurance levels (EALs) refer to levels of functional and assurance security requirements defined under the Common Criteria. According to the United States Computer Emergency Readiness Team (US-CERT), the seven EALs are (Mead, 2013):
· EAL1: functionally tested
· EAL2: structurally tested
· EAL3: methodically tested and checked
· EAL4: methodically designed, tested, and reviewed
· EAL5: semiformally designed and tested
· EAL6: semiformally verified designed and tested
· EAL7: formally verified designed and tested
As the names suggest, the higher-level EALs are more robust and used for high risk and high value assets.
References
Mead, N. (2013). The Common Criteria. https://www.us-cert.gov/bsi/articles/best-practices/requirements-engineering/the-common-criteria.
Continuity of Service
Continuity of service is an important part of businesses so that they can mitigate disruptions and disasters. The Ready Business Campaign, created by the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA), emphasizes the importance of plans for continuity of service (Ready Business Campaign, n.d.):
When business is disrupted, it can cost money. Lost revenues, plus extra expenses, means reduced profits. Insurance does not cover all costs and cannot replace customers that defect to the competition. A business continuity plan to continue business is essential.
The campaign also outlines four key steps for business continuity:
1. conduct a business impact analysis to identify critical functions and processes
2. identify and document resources to recover critical business functions and processes
3. organize a business continuity team and compile a business continuity plan
4. conduct training and testing for the business continuity team
References
Ready Business Campaign. (n.d). Business continuity plan. https://www.ready.gov/business/implementation/continuity.
Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks.
Threats
Mobile devices and their users face many threats. In a number of cases the device itself is compromised with malware before the end user even purchases it. Threats to mobile devices are extensive and cover all aspects, from the user to the application software, hardware, and operating system.
The device itself can become compromised through malware delivered via application installations that are often downloaded for “free.” These applications may send SMS (short message service or text) messages that charge the user's service provider for messages the user did not intend to send. Mobile application malware may also attempt to steal bank account credentials.
Network attacks are also common where “evil twin” or rogue wireless access points are positioned to trick the device or the end user into connecting, often unknowingly, to a network that is not secure.
Malware has been found that may take control of a user's mobile device microphone or camera, causing a breach in user privacy. GPS and location services on a mobile device are also often leveraged to invade a user's privacy or deliver malicious attacks.
References
Ayers, R., Brothers, S., & Jansen, W. (2014). Guidelines on mobile device forensics (Special Publication 800-101, Revision 1). National Institute of Standards and Technology. US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf
Kirk, J. (2014, March 5). New Android devices infected with pre-installed malware. http://www.tripwire.com/state-of-security/latest-security-news/new-android-devices-infected-pre-installed-malware/
Include these security standards in the RFP.
In the next step, you will describe defense models for the RFP.
Step 4: Describe Defense Models
Now that you have established security standards for the RFP, you will define the use of defense models. This information is important since the networking environment will have numerous users with different levels of access.
Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles. To further your understanding, click the link and read about defensive principles
Defensive Principles
Defensive principles refer to the principles/policies implemented for security design. According to Cisco, the key principles are defense-in-depth, compartmentalization, least privilege, weakest link, separation and rotation of duties, hierarchically trusted components and protection, mediated access, accountability, and traceability (Cisco, n.d.).
The most commonly used principle is defense-in-depth, where several security features are layered over each other in order to protect a system. This helps to “manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense will hopefully prevent a full breach” (McGaw, 2013).
References
Cisco. (n.d.). Principles of secure network design. http://www.learncisco.net/courses/iins/common-security-threats/security-architecture-design-guidelines.html.
McGaw, G. (2013). Thirteen principles to ensure enterprise system security. TechTarget. http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security.
Read these resources on enclave computing environment:
Enclave/Computing Environment
Enclave refers to a part of the network which is divided from the network, so that there is restricted access and sharing of confidential data. According to Mikkelsen and Jacobsen (2016):
The main principle relies upon the concept of a protected memory container, also referred to as an enclave. The enclave can be created through application code, where sensitive data are explicitly marked. When the application is executed, a sensitive part of the application's memory space is encapsulated within an enclave. (p. 218)
Enclaves do not interact with the other parts of the network, so the enclave computing environment promotes security and integrity of data and reduces threats.
References
Mikkelsen, S. A., & Jacobsen, R. H. (2016). Securing the home energy management platform. http://cdn.intechopen.com/pdfs-wm/50458.pdf
Cyber Operations in DoD Policy and Plans
The Department of Defense (DoD), in conjunction with other government agencies, creates policies and plans for operating in cyberspace and “focuses on building capabilities for effective cybersecurity and cyber operations to defend DoD networks, systems, and information; defend the nation against cyberattacks of significant consequence; and support operational and contingency plans” (DoD, 2015).
Consequently, DoD has set five strategic goals for cyberspace missions (DoD, 2015):
1. Build and maintain ready forces and capabilities to conduct cyberspace operations
2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions
3. Be prepared to defend the US homeland and US vital interests from disruptive or destructive cyberattacks of significant consequence
4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages
5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability
References
Department of Defense (DoD). (2015). The DoD cyber strategy. http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf
Explain how enclave computing relates to defensive principles. The network domains should be at different security levels, have different levels of access, and different read and write permissions.
Define enclave computing boundary defense.
Include enclave firewalls to separate databases and networks.
Define the different environments you expect the databases to be working in and the security policies applicable.
Provide this information in the RFP.
In the next step, you will consider database defenses.
Step 5: Explore Database Defensive Methods (Lab I will provide)
You have identified ways of protecting databases, and you are encouraged to use that knowledge and your expertise to explore how a database system can be secured. You can also review any of the previous resources as you perform your lab. This lab will give you an opportunity to evaluate some of the threats and risks associated with databases and help you provide recommendations to leadership. Now, try some of the protective techniques and preventive measures discussed, and explore how these can be done on a MySQL database server.
Perform the lab activity.
Explore defensive methods that should be used in protecting databases.
Include information about threats, risks, and possible recommendation strategies to these threats.
Include this information in your RFP.
In the next step, you will provide a requirement statement for system structure
Step 6: Provide a Requirement Statement for System Structure
In the previous step, you identified defense requirements for the vendor. In this step of the RFP, you will focus on the structure of the system.
Provide requirement statements for a web interface to:
1. Allow patients and other health care providers to view, modify, and update the database.
2. Allow integrated access across multiple systems.
3. Prevent data exfiltration through external media.
State these requirements in the context of the medical database. Include this information in the RFP.
In the next step, you will outline operating system security components.
Step 7: Provide Operating System Security Components
In the previous step, you composed requirement statements regarding the system setup. In this step, you will provide the operating system security components that will support the database and the security protection mechanisms.
Read these resources on operating system security. Then:
Operating System Security
Operating systems (OSs) are prone to several threats, including viruses, malware, snooping, spoofing, and denial of service. The three main aspects of OS security are confidentiality or prevention of theft, integrity or prevention of damage, and availability or prevention of service denial (Heiser, 2008).
It is worth noting that users pose one of the biggest threats to security:
The weakest point within any system is often the end user. It comes as no surprise, therefore, that a large percentage of security breaches over the last decade have come from the inside of an organization, often unknowingly by the user… Whether through careless actions or by deliberate intent, this is something that should be considered first and foremost in securing an OS. (Carnaghan, n.d.)
References
Heiser, G. (2008). Security: An advanced introduction. University of New South Wales (UNSW). http://www.cse.unsw.edu.au/~cs9242/08/lectures/06-security.pdf
Carnaghan, I. (n.d.). Operating systems security: Protection measures analysis. https://www.carnaghan.com/2015/10/operating-systems-security-protection-measures-analysis/
1. Provide requirements for segmentation by operating system rings to ensure processes do not affect each other.
2. Provide one example of a process that could violate the segmentation mechanism. Ensure your requirement statements prevent such a violation from occurring.
Specify requirement statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. In those specifications:
1. Describe the expected security gain from incorporating TPM.
2. Provide requirement statements that adhere to the trusted computing base (TCB) standard.
3. Provide examples of components to consider in the TCB.
4. Provide requirements of how to ensure protection of these components, such as authentication procedures and malware protection.
Read the following resources to familiarize yourself with these concepts:
Trusted Computing
Trusted computing is the standard developed by Trusted Computing Group (TCG), and according to the National Institute of Standards and Technology (NIST), it “is defined as the use of a computer when there is confidence that the computer will behave as expected” (Kittleson, n.d.).
References
Kittleson, N. (n.d.). Trusted computing overview. National Institute of Standards and Technology. US Department of Commerce. https://scap.nist.gov/events/2012/itsac/presentations/day2/4oct_11am_kittleson.pdf
Trusted Computing Base
The National Institute of Standards and Technology (NIST) defines trusted computing base (TCB) as “the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy” (Nieles et al., 2017). The TCB is enforced as a unified security policy for systems and products, and TCB's effectiveness depends on its correct implementation by the administrators.
References
Nieles, M., Dempsey, K., & Yan Pillitteri, V. (2017). An introduction to information security (Special Publication 800-12, Revision 1). National Institute of Standards and Technology, US Department of Commerce. https://doi.org/10.6028/NIST.SP.800-12r1
Include this information in the RFP.
In the following step, you will write requirements for levels of security.
Step 8: Write Requirements for Multiple Independent Levels of Security
The previous step required you to identify operating system security components to support the database. For this step, you will focus on identification, authentication, and access. Access to the data is accomplished using security concepts and security models that ensure confidentiality and integrity of the data. Refer to access control and authentication to refresh your knowledge.
Access control is the process by which permissions are granted for given resources. Access control can be physical (e.g., locked doors accessed using various control methods) or logical (e.g., electronic keys or credentials). There are several access control models, to include:
· Role-based access control: Access is granted based on individual roles.
· Mandatory access control: Access is granted by comparing data sensitivity levels with user sensitivity access permissions.
· Attribute-based access control: Access is granted based on assigned attributes.
· Discretionary access control: Access is granted based on the identity and/or group membership of the user.
Access Control
The access control model used is determined based on the needs of the organization. To determine the best model, a risk assessment should be performed to determine what threats might be applicable. This information is then used to assess which model can best protect against the threats.
Authentication
Authentication is the process by which credentials are presented and validated to enable access. There are a number of different methods of authentication. Passwords are the most common type of authentication and are usually coupled with user identification (user IDs). Tokens and certificates are often used in place of passwords to provide a higher level of security. Tokens can contain unique identifiers (e.g., digital signatures or keys). Tokens can also store biometric data—for example, fingerprints.
There are several different types of combinations of authentication. Higher levels of security are generally associated with more levels of authentication (multifactor). For example, two-factor authentication might include a token and a password. Kerberos is a protocol for authentication made up of two components: a ticket (distributed by a service) for user authentication and a key that is developed from the user's password. Another authentication scheme is the Challenge-Handshake Authentication Protocol (CHAP), which uses a representation (hash) of the user's password to authenticate.
The healthcare database should be able to incorporate multiple independent levels of security (MILS) because the organization plans to expand the number of users.
Write requirement statements for MILS for your database in the RFP.
1. Include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, Bell-LaPadula Model, and the Chinese Wall Model.
2. Indicate any limitations for the application of these models.
Read the following resources and note which cybersecurity models are most beneficial to your database:
Multiple Independent Levels of Security (MILS)
Multiple Independent Levels of Security (MILS) is a security architecture based on separation of functionality and control of information flow. According to Harrison et al. (2005):
Multiple Independent Levels of Security and Safety (MILS) is a joint research effort between academia, industry, and government to develop and implement a high-assurance, real-time architecture for embedded systems. The goal of the MILS architecture is to ensure that all system security policies are nonbypassable, evaluatable, always invoked, and tamper-proof. Using these formally proven security policies guarantees information flow control, data isolation, predictable process control, damage limitation, and resource availability.
MILS is implemented using mechanisms built in the kernels and middleware components to create authorized communication paths (Harrison et al., 2005).
References
Harrison, S. W., Hanebutte, N., Oman, P. W., & Alves-Foss, J. (2005, October). The MILS architecture for a secure global information grid. Journal of Software Engineering. http://static1.1.sqspcdn.com/static/f/702523/9277782/1288928922607/200510-Harrison.pdf?token=F%2B8Wfg1xFsXYDlE8inVd55i5Ml0%3D
Cybersecurity Models
The evolution of computer security has spurred the development of models that reflect the current understanding of the field, the state of information technology, or the requirements of a specific industry. These models have aided in the maturation of computer security concepts as well as in the development of computer security policies and solutions consistent with emerging threats and vulnerabilities. The models provide frameworks for the development of security solutions that are underpinned with scholarly concepts, research, and rigorous testing.
Insecure Handling
Insecure handling of data can harm its quality, confidentiality, and integrity or even cause complete destruction. The potential issues include insecure indexing of web content and external threats, such as malware. According to the Web Application Security Consortium (2010):
Insecure Indexing is a threat to the data confidentiality of the web-site. Indexing web-site contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, which can later be retrieved (albeit not trivially) by a determined attacker, typically through a series of queries to the search engine. The attacker does not thwart the security model of the search engine. As such, this attack is subtle and very hard to detect and to foil—it's not easy to distinguish the attacker's queries from a legitimate user's queries. (p. 151)
Malicious code or malware is a program code that intends to access and compromise secure data. Guidelines from the National Institute of Standards and Technology (Souppaya & Scarfone, 2013) discuss how several organizations implement systems to ensure secure handling of data by monitoring access requests:
The security checking is often done through network access control software by placing on each host an agent that monitors various characteristics of the host, such as OS patches and antivirus updates. When the host attempts to connect to the network, a network device such as a router requests information from the host's agent. If the host does not respond to the request or the response indicates that the host is insecure, the network device causes the host to be placed onto a separate VLAN. (p. 28)
References
Souppaya, M., & Scarfone, K. (2013). Guide to malware incident prevention and handling for desktops and laptops: Special Publication 800-83, Revision 1. National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf
Web Application Security Consortium. (2010). WASC threat classification. http://projects.webappsec.org/f/WASC-TC-v2_0.pdf
Include requirement statements for addressing insecure handling of data.
Include this information in your RFP.
In the next step, you will consider access control.
Step 9: Include Access Control Concepts, Capabilities
In the previous step, you wrote requirements for multiple levels of security, including the topics of identification, authentication, and access. In this step, you will focus on access control. The vendor will need to demonstrate capabilities to enforce identification, authentication, access, and authorization to the database management systems.
Include requirement statements in the RFP that the vendor must identify, the types of access control capabilities, and how they execute access control.
Provide requirement statements for the vendor regarding access control concepts, authentication, and direct object access.
Access Control
Access control is the process by which permissions are granted for given resources. Access control can be physical (e.g., locked doors accessed using various control methods) or logical (e.g., electronic keys or credentials). There are several access control models, to include:
· Role-based access control: Access is granted based on individual roles.
· Mandatory access control: Access is granted by comparing data sensitivity levels with user sensitivity access permissions.
· Attribute-based access control: Access is granted based on assigned attributes.
· Discretionary access control: Access is granted based on the identity and/or group membership of the user.
The access control model used is determined based on the needs of the organization. To determine the best model, a risk assessment should be performed to determine what threats might be applicable. This information is then used to assess which model can best protect against the threats.
Authentication
Authentication is the process by which credentials are presented and validated to enable access. There are a number of different methods of authentication. Passwords are the most common type of authentication and are usually coupled with user identification (user IDs). Tokens and certificates are often used in place of passwords to provide a higher level of security. Tokens can contain unique identifiers (e.g., digital signatures or keys). Tokens can also store biometric data—for example, fingerprints.
There are several different types of combinations of authentication. Higher levels of security are generally associated with more levels of authentication (multifactor). For example, two-factor authentication might include a token and a password. Kerberos is a protocol for authentication made up of two components: a ticket (distributed by a service) for user authentication and a key that is developed from the user's password. Another authentication scheme is the Challenge-Handshake Authentication Protocol (CHAP), which uses a representation (hash) of the user's password to authenticate.
Direct Object Access
Direct object access or reference occurs “when an application provides direct access to objects based on user-supplied input” (OWASP, 2014). This may expose resources, create vulnerability, and lead to unauthorized access of sensitive data.
According to the Open Web Application Security Project (OWASP):
Insecure direct object references allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.
References
Open Web Application Security Project (OWASP). (2014). Testing for insecure direct object references. https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)
Include the requirement statements in the RFP.
In the next step, you will incorporate additional security requirements and request vendors to provide a test plan.
Step 10: Include Test Plan Requirements
In the previous step, you defined access control requirements. Here, you will define test plan requirements for vendors.
Incorporate a short paragraph requiring the vendor to propose a test plan after reviewing these guidelines for a test and remediation results (TPRR) report.
Guideline for Creating a Test Plan and Remediation
Results (TPRR) Report
Your Test Plan and Remediation Results report should consist of the following sections.
Each section should be a minimum of two pages, but no more than three. The final
product should be 12–15 pages in length.
1. Define the cybersecurity models used (Bell-LaPadula, Biba, Chinese Wall, and
the read/write permissions associated with each.)
A. The error and error handling and information leakage in each case and the
insecure handling in each case and identify the test conditions to test each
security model.
B. Identify the remediation for these security violations and include in the
TPRR.
2. Define cross-site scripting (XSS/CSRF) flaws.
A. Identify the test conditions to test cross-site scripting error including the
possible script and code.
B. Identify remediation for these security violations. For the “white listing”
option, test for the valid input and include in the TPRR.
3. Define the issues associated with SQL injections through the web input, as the
database’s users would provide input.
A. Identify the test conditions to test malicious SQL injections and include
possible scenario and conditions.
B. Identify remediation for this security violation. For the “blacklisting” option,
test for the valid and invalid input and include in the TPRR.
4. Identify remediation for these security violations and include possible
mechanisms to prevent memory leakage. Define the issues associated with
insecure configuration management.
A. Identify the test conditions to test insecure configurations. Include: lack of
patching, lack of interoperability of components, lack of encryption key
management.
B. Identify remediation of this security violation.
6. Define the errors associated with broken authentication and broken access.
A. Identify the test conditions to test broken access and broken
authentication. Include violations of role based access controls, mandatory
access controls, discretionary access controls.
B. Identify the remediation for these security violations and possible
examples to remedy broken access controls and broken authentication
mechanisms.
Provide requirements for the vendor to supply an approximate timeline for the delivery of technology.
Step 11: Compile the RFP Document
In this final step, you will compile the RFP for a secure health care database management system. Review the document to make sure nothing is missed before submission. Submit the following deliverables to your assignment folder by following the instructions below.
Deliverables
· An RFP, about 10 to 12 pages, in the form of a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations. There is no penalty for using additional pages. Include a minimum of six references. Include a reference list with the report.