CST620 Project: Database Security Assessment - Group Project


Project: Database Security Assessment - Group Project Case Study

You are a contracting officer's technical representative and a security system engineer (SSE) at a military hospital. Your department's leaders are adopting a new medical health care database management system, and they've tasked you with putting together a team to create a request for proposal on which different vendors will compete to build and provide the system to the hospital.

A request for proposal, or RFP, is a document an organization sends out to request estimates for performing a function, delivering a technology, providing a service, or augmenting staff. RFPs are tailored to each endeavor but have common components and are important in the world of IT contracting and for procurement and acquisitions.

To complete the RFP, you must determine the technical and security specifications for the system. You'll write the requirements for the overall system and also provide evaluation standards that will be used in rating the vendor's performance. Your learning will help you determine your system's requirements. As you discover methods of attack, you'll write prevention and remediation requirements for the vendor to perform. Additionally, you'll produce a report detailing a test plan and remediation results. This document will accompany the RFP and will include security guidelines for vendors. You must identify the different vulnerabilities the database should be hardened against. You have a good relationship with the vendors in determining these requirements for the procurement. You'll work in partnership in your teams to define the test protocol for the database management system and to devise remediation. These results will be incorporated into the test plan and remediation results and will also be part of the RFP. Work in partnership teams to test and validate the remediation and attacks and to create the RFP.

Team Formation and Division of Work

As described in the scenario, you will be working in a small team (usually five members). Your instructor has provided an area for your group discussions, collaboration, and file sharing. Take some time to learn about your teammates (introductions, LinkedIn profiles and bios) to understand the experience and expertise of the team members.

Studies on teamwork outline the typical team stages of forming, storming, norming, and performing (see Tuckman, Bruce W. (1965), "Developmental sequence in small groups," Psychological Bulletin, 63, 384-399.) This guidance on teamwork may be helpful.

In order to do well, you and your team members must start communicating or "forming" immediately and discuss how you will divide the work. Review the project and if you have portions of the work that play well to your strengths, make this known to your team members. Then develop a project plan and schedule to get the work done.

Finally, agree on a communications plan, which allows your team members to know where the project stands. During this stage, you may have disagreements or differences of opinion about roles and division of work. This is a normal aspect of "storming."

Once you start agreeing on roles and tasks, you are well on your way to "norming." You should settle on a collaboration space and share drafts of your work in your classroom team locker so your team members and the instructor can see the work progression. All team members must contribute, but the deliverables need to be cohesive. Therefore, each of you will need to review each other's work and help each other.

While you may have to use collaborative tools outside the classroom, maintain the key documents in the respective team project locker in the classroom. Your team will use this area to establish ground rules for communication and collaboration. Team members will gain an overview of the entire project, establish roles, agree on the division of work, and complete and sign the Team Project Charter.

If you decide to use Google Docs for your collaborative work, you could also choose a Google drive with appropriate sharing with your team members and your instructor, and provide information on this in your team locker. Part of teamwork is looking at each other's work and providing constructive feedback and improvements.

If you sense problems during your team communications sessions, discuss risk management and project adjustments your team may need to make. If you sense trouble, contact your instructor and request intervention as soon as you recognize issues.

After the plan is completed, elect one person to attach or link the final document to the team project locker. This step should have been completed early in the term between Weeks 2 and 4.

Setting up the team roles and expectations is an important part of this project and completing the charter is critical to the project's success. When you have completed this important step, move to the next step.

The Team Project

Today's health care systems incorporate databases for more effective and efficient management of patient health care. The databases are prone to cyberattack and must be designed and built with security controls from the beginning of the life cycle. Though much can be accomplished hardening the database earliest in the life cycle, much of the security is added after the fact, forcing hospital and healthcare IT professionals to try to catch up to the threats. It is becoming more critical that database security requirements are defined at the requirements stage of acquisition and procurement. Through specific security requirements and testing and sharing of test and remediation data, system security engineers and other acquisition personnel can collaborate more effectively with vendors wishing to fulfill and build health care database systems.

Parts of your final deliverable will be developed through your learning in the lab. Your team will submit the following deliverables for this project:

  • An RFP of about 12-15 pages, as a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables or citations. There is no penalty for using additional pages. Include a minimum of three references. Include a reference list with the report.
  • A set of about 5-10 PowerPoint slides as an executive overview briefing that reflects the key elements of your team report.
  • An MS-Excel lab template of results.

Your RFP should also detail a test plan and remediation results (TPRR). Most steps of this project should take no more than two hours to complete, and the project as a whole should take no more than three weeks to complete.

There are 11 steps that will lead you through this project, beginning with the workplace scenario, and then continuing with Step 1: "Provide an Overview for Vendors."

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

Step 1: Provide an Overview for Vendors

As the liaison between your hospital and potential vendors, it is your duty to provide vendors with an overview of your organization. Work with your teammates to establish information about your hospital. Conduct independent research on hospital database management. Think about the hospital's different organizational needs. What groups or individuals will use the database, and for what purposes?

To be completed by a designated team member:

Discuss the types of data that may be stored in the system, and discuss the importance of keeping this data secure. Include this information in the RFP.

After the overview is complete, move to the next step, where the team will provide context for the vendors with an overview of needs.

Step 2: View Access Log and Provide Context for the Work

Now that the team has provided vendors with an overview of your hospital's needs, you will provide the vendors with a context for the work that is needed.

To be completed by a designated team member:

Provide the context of the work that is being asked for. You are closest to the application and implementation, and you are giving guidance to the vendors by determining the attributes of the database and describing the environment in which it would be operable.

It is important to understand the vulnerability of a relational database management system (RDBMS). To that end, read about security concerns common to all RDBMSs. Then, provide the security concepts and concerns for databases. As a standard, the database with the information for medical personnel and emergency responders needs to identify at least three, no more than five, security assurance and security functional requirements of the database. Include this in the RFP.

In the next step, the team will provide security standards for the vendors.

Step 3: Provide Vendor Security Standards

In the previous step, the team provided context for tasks in the RFP. In this step, the team will provide a set of internationally recognized standards for the competing vendors to incorporate into the manufacturing of the database and security mechanisms.

These standards will serve additionally as metrics of security performance to measure the security processes incorporated in the product. To prepare, read the following resources:

  • Database Models
  • Common Criteria (CC) for information technology security evaluation
  • evaluated assurance levels (EALs)
  • Continuity of service

To be completed by a designated team member:

Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks. Include this in the RFP.

In the next step, the team will describe defense models for the RFP.

Step 4: Describe Defense Models

Now that team members have established security standards for the RFP, they will now focus on defense models. As the contracting officer's technical representative (COTR), you can provide an approximate timeline for delivery since the networking environment will have numerous users and classes of access to be granted.

To be completed by a designated team member:

Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles. To further your understanding, read about defensive principles.

Then, explain how the enclave computing environment relates to the defensive principles. The network domains should be at different security levels and have different accesses, as well as different read and write permissions using non-members of the enclave to taint access to resources and information in the enclave, or vice versa. Read these resources on enclave computing:

  • enclave/computing environment
  • cyber operations in DoD policy and plans

In the enclave computing environment, define enclave boundary defense and include enclave firewalls separating databases and networks. This can be fictional or modeled after an existing model, using your IEEE standard citation format. Define the different environments you expect the databases to be working in and the security policies applicable. Provide this information in the RFP.

In the next step, the team will consider database defenses.

Step 5: Explore Database Defensive Methods

You have identified ways of protecting databases. Now, explore how these may be done on a MySQL database. Review any of the previous resources as you perform a Workspace lab. The lab will give you an opportunity to see some of the threats and risks to databases. Then, it will allow you to try some of the protective techniques and preventive measures discussed.

Each team member will do the lab and collaborate on defensive methods that should be used in protecting databases. Also include information about the threats and risks that need to be dealt with, and possible recommendations for addressing these threats.

You will include this in your submission of the RFP.

In the next step, the team will provide a requirement statement.

Step 6: Provide a Requirement Statement for System Structure

To be completed by a designated team member:

In the previous step, you identified defense requirements for the vendor. The next part of the RFP will focus on the structure of the system.

The database will have a web input interface that the patient and other health care providers will use to see the data, glean information from the data, and modify and update the data in the database. Provide requirement statements that direct the vendors to demonstrate that the section of the system is part of a larger system or that memory is part of a larger memory block, and that the access and restrictions are integrated across the components or integrated with external media. State these requirements in the context of the medical database, and include it all in the RFP.

In the next step, the team will outline security components.

Step 7: Provide Operating System Security Components

In the previous step, you composed a requirement statement regarding the system setup. In this step, you will provide the operating system security components that will support the database and the security protection mechanisms. Begin by first reading these resources on operating system security.

To be completed by a designated team member:

Then, provide requirements for the segmentation by operating system rings to ensure that processes do not affect each other. Provide an example of such a process in your requirement that could violate the segmentation mechanism and make sure the requirement statement you provide prevents that from occurring.

Specify requirements statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. Describe the expected security gain from incorporating this TPM. In addition, provide requirements statements that ensure the trusted computing base (TCB). Give examples of components to consider in the TCB and provide requirements of how to ensure protection of these components, such as authentication procedures and antimalware protection. To familiarize yourself with these concepts, review the following resources:

  • trusted computing
  • trusted computing base

You will include this in the RFP.

In the following step, the team will write requirements for levels of security.

Step 8: Write Requirements for Multiple Independent Levels of Security

The previous step required you to identify operating system security components to support the database. For this step, you will focus on identification, authentication, and access. Since you are determining and incorporating the requirements into the RFP, in your role as SSE, you are also devising prototyping test plans and executing tests against sample databases to determine the requirements for access, access control, identification and authentication, and the security models that define read and write access. Access to the data is accomplished using security concepts and security models that ensure confidentiality and integrity of the data. Refer to access control and authentication to refresh your knowledge.

The health care database should have capabilities for multiple independent levels of security (MILS). Your organization plans on expanding the user base of the database, and the web interface and the database read, write, and access controls should be built incorporating security models.

To be completed by a designated team member:

Write requirement statements for MILS in your database. Include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, the Bell-LaPadula model and the Chinese Wall model. Indicate any limitations for the application of these models. Review the content of the following resources. As you're reading, note which cybersecurity models are most beneficial to your database.

  • multiple independent levels of security (MILS)
  • cybersecurity models
  • insecure handling

Include requirement statements regarding the vendor's insecure handling solutions. They are to be accounted for in whatever security model the vendor chooses to incorporate, based on the definitions of the security model that you included with the requirements statement. Include this in the RFP.

In the next step, you will consider access control.

Guideline for Creating a Test Plan and Remediation Results (TPRR) Report

Your Test Plan and Remediation Results report should consist of the following sections. Each section should be a minimum of two pages, but no more than three. The final product should be 12-15 pages in length.

1. Define the cybersecurity models used (Bell-LaPadula, Biba, Chinese Wall) and the read/write permissions associated with each.
   A. The error and error handling and information leakage in each case and the insecure handling in each case and identify the test conditions to test each security model.
   B. Identify the remediation for these security violations and include in the TPRR.

2. Define cross-site scripting (XSS/CSRF) flaws.
   A. Identify the test conditions to test cross-site scripting error including the possible script and code.
   B. Identify remediation for these security violations. For the "white listing" option, test for the valid input and include in the TPRR.

3. Define the issues associated with SQL injections through the web input, as the database's users would provide input.
   A. Identify the test conditions to test malicious SQL injections and include possible scenario and conditions.
   B. Identify remediation for this security violation. For the "blacklisting" option, test for the valid and invalid input and include in the TPRR.

4. Identify remediation for these security violations and include possible mechanisms to prevent memory leakage. Define the issues associated with insecure configuration management.
   A. Identify the test conditions to test insecure configurations. Include: lack of patching, lack of interoperability of components, lack of encryption key management.
   B. Identify remediation of this security violation.

5. Define the errors associated with broken authentication and broken access.
   A. Identify the test conditions to test broken access and broken authentication. Include violations of role based access controls, mandatory access controls, discretionary access controls.
   B. Identify the remediation for these security violations and possible examples to remedy broken access controls and broken authentication mechanisms.

Step 9: Include Access Control Concepts, Capabilities

In the previous step, you wrote requirements for multiple levels of security, including the topics of identification, authentication, and access. In this step, you will focus on access control. The vendor will need to demonstrate capabilities to enforce identification, authentication, access, and authorization to the database management systems. Include requirement statements in the RFP that the vendor must identify the types of access control capabilities and how they execute access control.

To be completed by a designated team member:

Provide requirements statements for the vendor regarding access control concepts, authentication, and direct object access. Include the requirement statement in the RFP.

In the next step, you will create a test plan and review your remediation efforts, as well as come up with a report for vendors.

Step 10: Create a Test Plan and Review Remediation Results; Create Report for Vendors

In this step, you will define the test protocol for vendors. You are aware of several possible vulnerabilities to database asset security, and for each one you will create the procedure for testing that vulnerability and providing remediation of it for the test plan and remediation results report (TPRR). The TPRR will be included in the RFP for the vendors to use to demonstrate hardening against those vulnerabilities.

Read these resources in preparation for creating a test plan and remediation:

  • error handling and information leakage
  • insecure handling
  • cross-site scripting (XSS/CSRF) flaws
  • SQL injections
  • memory leakage
  • insecure configuration management
  • authentication (with a focus on broken authentication)
  • access control (with a focus on broken access control)

To be completed in collaboration with all team members:

As a group, review these TPRR guidelines: Guideline for Creating a Test Plan and Remediation Results (TPRR) Report. Then, divide the TPRR components among team members. Each team member should complete a portion of the TPRR. The team will compile each part of the TPRR into one document. Then, add this document into the RFP.

Step 11: Compile RFP document

To be completed in collaboration with all team members:

In this final step, the team members will compile the requirement statements and TPRR into one written report as the request for proposal for a secure health care database management system document. Team members will review the document to make sure nothing was missed before submission.

You will need to submit the following as a team:

  • An RFP of about 12-15 pages, as a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables or citations. There is no penalty for using additional pages. Include a minimum of three references. Include a reference list with the report.
  • A set of about 5-10 PowerPoint slides as an executive overview briefing that reflects the key elements of your team report.
  • An MS-Excel lab template of results.

Need sections 6 and 8 completed; follow the instructions from the beginning.
