Project 5 Resources:
Deliverables
· A Request for Proposal (RFP), about 10 to 12 pages, in the form of a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations. There is no penalty for using additional pages. Include a minimum of six references. Include a reference list with the report.
· I will provide the lab document.
Database Security Assessment
You are a contracting officer’s technical representative, a security system engineer, at a military hospital. Your department’s leaders are adopting a new medical health care database management system, and they’ve tasked you with creating a request for proposal (RFP) on which different vendors will compete to build the system and provide it to the hospital.
A request for proposal, or RFP, is when an organization sends out a request for estimates on performing a function, delivering a technology, or providing a service or augmenting staff. RFPs are tailored to each endeavor but have common components and are important in the world of IT contracting and for procurement and acquisitions.
To complete the RFP, you must determine the technical and security specifications for the system. You’ll write the requirements for the overall system and provide evaluation standards that will be used in rating the vendor’s performance. Your learning will help you determine your system’s requirements.
As you discover methods of attack, you’ll write prevention and remediation requirements for the vendor to perform. You must identify the different vulnerabilities the database should be hardened against.
Modern health care systems incorporate databases for effective and efficient management of patient health care. Databases are vulnerable to cyberattacks and must be designed and built with security controls from the beginning of the life cycle.
Although hardening the database early in the life cycle is better, security is often incorporated after deployment, forcing hospital and health care IT professionals to play catch-up. Database security requirements should be defined at the requirements stage of acquisition and procurement.
System security engineers and other acquisition personnel can effectively assist vendors in building better health care database systems by specifying security requirements up front within the request for proposal (RFP). In this project, you will be developing an RFP for a new medical health care database management system.
Parts of your deliverables will be developed through your learning lab. You will submit the following deliverables for this project:
Step 1: Provide an Overview for Vendors
As the contracting officer’s technical representative (COTR), you are the liaison between your hospital and potential vendors. It is your duty to provide vendors with an overview of your organization. To do so, identify information about your hospital. Conduct independent research on hospital database management. Think about the hospital’s different organizational needs. What departments or individuals will use the Security Concerns Common to All RDBMSs, and for what purposes?
Security Concerns Common to All RDBMSs
A relational database management system (RDBMS) is used to organize and manage data tables by using keys in a way that all the data can be accessed without reorganization. The keys represent attributes and uniquely identify rows in a table.
According to Trivedi, Zavarsky, and Butakov, although “many prominent relational database management systems provide inbuilt security controls and mechanisms, the information resided in the data-store are at great risk” (2016). Several features, including authentication, roles and access management, ownership and user schema management, authorization and permission on objects and encryption, are implemented to mitigate security concerns and reduce the chances of unauthorized access.
References
Trivedi, D., Zavarsky, P., & Butakov, S. (2016). Enhancing relational database security by metadata segregation. ScienceDirect, 94.
Provide an overview of the types of data that may be stored in the system and the importance of keeping this data secure. Include this information in the RFP.
After the overview is complete, move to the next step to provide context for the vendors with an overview of their needs.
Step 2: Provide Context for the Work
Now that you have provided vendors with an overview of your hospital’s needs, you will provide the vendors with a context for the work needed.
Since you are familiar with the application and implementation, give guidance to the vendors by explaining the attributes of the database and by describing the environment in which it will operate. Details are important for the vendors to provide optimal services.
It is important to understand the vulnerability of a relational database management system (RDBMS). Read the following resources about RDBMSs.
Error Handling and Information Leakage
Applications must handle errors properly to avoid leakage of sensitive information that can expose them to attack. According to the Open Web Application Security Project (OWASP):
Motivated attackers like to see error messages as they might leak information that leads to further attacks, or may leak privacy-related information. Web application error handling is rarely robust enough to survive a penetration test.
Applications should always fail-safe. If an application fails to an unknown state, it is likely that an attacker may be able to exploit this indeterminate state to access unauthorized functionality, or worse create, modify or destroy data.
Error-handling applications must ensure that they fail safe, debug errors, handle exceptions, and check function return errors (OWASP, 2015).
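An added example (not from OWASP or the course material) of a database call that fails safe: on a backend fault it returns no data and a generic message, and keeps the detail in a server-side log. The table, the function `fetch_allergies`, and the logger name are assumptions made for illustration.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("ehr.db")          # server-side log, not shown to users
GENERIC_ERROR = "The request could not be completed."

def fetch_allergies(conn, patient_id):
    """Return (ok, payload). On any database fault: no data and no internals."""
    try:
        rows = conn.execute(
            "SELECT allergy FROM allergies WHERE patient_id = ?", (patient_id,)
        ).fetchall()
    except sqlite3.Error as exc:
        # Detail stays in the log under a reference the help desk can look up;
        # the caller sees neither the SQL text nor schema names.
        ref = uuid.uuid4().hex[:8]
        log.error("db failure ref=%s type=%s detail=%s", ref, type(exc).__name__, exc)
        return False, {"error": GENERIC_ERROR, "ref": ref}
    return True, {"allergies": [r[0] for r in rows]}

def demo():
    """Run one healthy call and one call against a simulated backend fault."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allergies (patient_id INTEGER, allergy TEXT)")
    conn.execute("INSERT INTO allergies VALUES (1, 'penicillin')")   # constructed row
    healthy = fetch_allergies(conn, 1)
    conn.execute("DROP TABLE allergies")                             # simulate the fault
    faulted = fetch_allergies(conn, 1)
    return healthy, faulted

if __name__ == "__main__":
    print(demo())
```

An RFP requirement can be phrased against this behavior: user-facing errors carry only a generic message and a reference, while the full exception is retained in audit logs.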
References
Open Web Application Security Project (OWASP). (2015). Error handling, auditing, and logging.
Insecure Handling
Insecure handling of data can harm its quality, confidentiality, and integrity or even cause complete destruction. The potential issues include insecure indexing of web content and external threats, such as malware. According to the Web Application Security Consortium (2010):
Insecure Indexing is a threat to the data confidentiality of the web-site. Indexing web-site contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, which can later be retrieved (albeit not trivially) by a determined attacker, typically through a series of queries to the search engine. The attacker does not thwart the security model of the search engine. As such, this attack is subtle and very hard to detect and to foil—it’s not easy to distinguish the attacker’s queries from a legitimate user’s queries. (p. 151)
Malicious code, or malware, is program code intended to access and compromise secure data. Guidelines from the National Institute of Standards and Technology (Souppaya & Scarfone, 2013) discuss how several organizations implement systems to ensure secure handling of data by monitoring access requests:
The security checking is often done through network access control software by placing on each host an agent that monitors various characteristics of the host, such as OS patches and antivirus updates. When the host attempts to connect to the network, a network device such as a router requests information from the host’s agent. If the host does not respond to the request or the response indicates that the host is insecure, the network device causes the host to be placed onto a separate VLAN. (p. 28)
References
Souppaya, M., & Scarfone, K. (2013). Guide to malware incident prevention and handling for desktops and laptops: Special Publication 800-83, Revision 1. National Institute of Standards and Technology.
Web Application Security Consortium. (2010). WASC threat classification.
Cross-Site Scripting (XSS/CSRF) Flaws
Cross-site scripting (XSS) refers to the injection of malicious scripts into trusted websites. XSS enables attackers to inject client-side script into web pages viewed by other users. For example, imagine a victim is using a web application (e.g., email or an e-commerce site) and is currently logged in to the account. If malicious code is present while the victim is logged in, that code sends the session information to the attacker’s email account. The attacker can then tap into the user’s session and log in while the victim is still using the application. This is an example of session hijacking using XSS.
Since XSS flaws are common in current web applications, the vulnerabilities are used by attackers to get unauthorized access to sensitive data.
SQL Injections
SQL injection attacks are a type of injection attack in which SQL commands are injected into data input forms in order to affect the execution of predefined SQL commands (OWASP, 2022). The attacker uses malicious SQL code, by way of a code injection technique, to obtain unauthorized access to sensitive data in a database. In other words, the injection attack can make it possible to execute malicious SQL statements that control a database server behind a web application. Unfortunately, it is the most common web hacking technique employed by attackers, as a result of vulnerabilities in the SQL statements. As a web security vulnerability, it enables an attacker to interfere with the queries that an application makes to a database.
According to OWASP, the main consequences of SQL injection are its effects on confidentiality, authentication, authorization, and integrity. For example, a successful SQL injection attack can lead to unauthorized access to sensitive data such as personally identifiable information, passwords, credit card details, and many others. Typical examples include retrieving hidden data or subverting application logic. The risks of SQL injection can be mitigated or minimized by implementing defense mechanisms and controls such as input validation, stored procedures, the principle of least privilege, and adopting application development best practices.
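The difference between a query built by string concatenation and one that binds its input, shown as an added example that is not part of the course material. Bound parameters are used here as one instance of the development best practices mentioned above; the `patients` table, the `MRN-` record-number format, and the function names are assumptions, and all rows are constructed.

```python
import re
import sqlite3

MRN_RE = re.compile(r"MRN-[0-9]{4}")   # assumed record-number format

def make_db():
    """In-memory database with three constructed patient rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [("MRN-1001", "Patient A", "asthma"),
         ("MRN-1002", "Patient B", "diabetes"),
         ("MRN-1003", "Patient C", "fracture")],
    )
    return conn

def lookup_vulnerable(conn, mrn):
    # The input is spliced into the SQL text, so it can rewrite the WHERE clause.
    sql = "SELECT name, diagnosis FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, mrn):
    # The driver binds mrn as a value; it is never parsed as SQL.
    sql = "SELECT name, diagnosis FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()

def lookup_validated(conn, mrn):
    # Input validation as a second layer in front of the bound query.
    if not MRN_RE.fullmatch(mrn):
        raise ValueError("malformed record number")
    return lookup_parameterized(conn, mrn)

# Constructed hostile form input: a quote followed by an always-true condition.
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(len(lookup_vulnerable(db, HOSTILE)))     # every row comes back
    print(lookup_parameterized(db, HOSTILE))       # no row has that literal MRN
    print(lookup_validated(db, "MRN-1002"))
```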
References
OWASP. (2022). SQL injection.
Insecure Configuration Management
Insecure configuration management refers to security problems that arise due to improper configuration of servers, which provide content and invoke applications.
According to the Open Web Application Security Project (OWASP), examples of server configuration issues include unpatched security flaws in the server software; server software flaws or misconfigurations; unnecessary default, backup, or sample files; improper file and directory permissions; unnecessary services enabled; default accounts with their default passwords; administrative or debugging functions that are enabled or accessible; overly informative error messages; misconfigured SSL (Secure Sockets Layer) certificates and encryption settings; use of self-signed certificates to achieve authentication and man-in-the-middle protection; use of default certificates; and improper authentication with external systems (OWASP, 2015).
References
Open Web Application Security Project (OWASP). (2015). Insecure configuration management.
Authentication (with a focus on broken authentication)
Authentication is the process by which credentials are presented and validated to enable access. There are a number of different methods of authentication. Passwords are the most common type of authentication and are usually coupled with user identification (user IDs). Tokens and certificates are often used in place of passwords to provide a higher level of security. Tokens can contain unique identifiers (e.g., digital signatures or keys). Tokens can also store biometric data—for example, fingerprints.
There are several different types of combinations of authentication. Higher levels of security are generally associated with more levels of authentication (multifactor). For example, two-factor authentication might include a token and a password. Kerberos is a protocol for authentication made up of two components: a ticket (distributed by a service) for user authentication and a key that is developed from the user’s password. Another authentication scheme is the Challenge-Handshake Authentication Protocol (CHAP), which uses a representation (hash) of the user’s password to authenticate.
Access Control
Access control is the process by which permissions are granted for given resources. Access control can be physical (e.g., locked doors accessed using various control methods) or logical (e.g., electronic keys or credentials). There are several access control models, including:
· Role-based access control: Access is granted based on individual roles.
· Mandatory access control: Access is granted by comparing data sensitivity levels with user sensitivity access permissions.
· Attribute-based access control: Access is granted based on assigned attributes.
· Discretionary access control: Access is granted based on the identity and/or group membership of the user.
The access control model used is determined based on the needs of the organization. To determine the best model, a risk assessment should be performed to determine what threats might be applicable. This information is then used to assess which model can best protect against the threats.
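An added example (not from the course material) of how two of the models above can be combined in a single deny-by-default decision: a role-based permission check followed by a mandatory check that compares the user's clearance with the data's sensitivity label. The roles, record sections, and labels are constructed for a hospital setting, and the mandatory check models only "clearance must be at least the label".

```python
from dataclasses import dataclass

# Constructed sensitivity ladder (mandatory labels), lowest to highest.
LEVELS = {"routine": 0, "clinical": 1, "restricted": 2}

# Constructed role matrix: role -> set of (action, record section).
ROLE_PERMS = {
    "emergency_responder": {("read", "allergies"), ("read", "medications")},
    "nurse": {("read", "allergies"), ("read", "medications"), ("read", "notes")},
    "physician": {("read", "allergies"), ("read", "medications"),
                  ("read", "notes"), ("write", "notes")},
}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    clearance: str

@dataclass(frozen=True)
class Record:
    section: str
    label: str

def is_allowed(user, action, record):
    """Deny by default; the role check and the label check must both pass."""
    perms = ROLE_PERMS.get(user.role, set())       # unknown role: no permissions
    if (action, record.section) not in perms:
        return False
    if user.clearance not in LEVELS or record.label not in LEVELS:
        return False                               # unlabelled data is not released
    return LEVELS[user.clearance] >= LEVELS[record.label]

if __name__ == "__main__":
    responder = User("responder-1", "emergency_responder", "clinical")
    nurse = User("nurse-1", "nurse", "clinical")
    print(is_allowed(responder, "read", Record("allergies", "clinical")))
    print(is_allowed(responder, "read", Record("notes", "restricted")))
    print(is_allowed(nurse, "read", Record("notes", "restricted")))
```

The nurse case is the one worth noting: the role permits reading notes, but the label on this record exceeds the nurse's clearance, so the request is denied.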
Describe the security concepts and concerns for databases.
Identify at least three security assurance and security functional requirements for the database that contain information for medical personnel and emergency responders.
Include this information in the RFP.
In the next step, you will provide security standards for the vendors.
Step 3: Provide Vendor Security Standards
In the previous step, you added context for the needed work. Now, provide a set of internationally recognized standards that competing vendors will incorporate into the database. These standards will also serve as a checklist to measure security performance and security processes.
Read the following resources to prepare: