database security project_17sep2014 final edits

Stratford University
Securing Multi-Agency Database (MAD5)

Submitted by Project Managers: Derick B. Peterson, Joyce Perry, Melissa Walker, and Angel Eleazer
On behalf of the entire class
Database Security (SOF 620)
Professor Rasoul Ahari
Stratford University, Falls Church, Virginia
September 25, 2014


Table of Contents

Abstract
Security Requirements
  SEE0001 Accessibility
  SEE0002 Document View
  SEE0003 Elasticity
  SEE0004 User Access
  SEE0005 Access Limits
  SEE0006 Compliance-Audit Planning
  SEE0007 Audit Tools Access
  SEE0008 Audit Logging/Intrusion Detection
  SEE0009 Protection of Audit Information
  SEE0010 Audit Record Retention
  SEE0011 Content of Audit Records
  SEE0012 Response to Audit Failures
  SEE0013 System Monitoring
  SEE0014 Account Review
  SEE0015 Audit Content Changes
  SEE0016 Audit Storage Capacity
  SEE0017 Real-time Correlation and Attack Identification
  SEE0018 Vulnerability Scanning
  SEE0019 Time Stamps
  SEE0020 Security Assessments
  SEE0021 Continuous Monitoring
  SEE0022 Single Sign-On Authentication
  SEE0023 Web Application Fields
  SEI0024 Protecting Data-At-Rest On Workstations
  SEI0025 Secure Printing
  SEI0026 Print Queue
  SEI0027 MySQL "root" Account
  SEI0028 Remote Access
  SEI0029 Securing Data in Motion
  SEI0030 Password Security
  SEI0031 MySQL Test Database
  SEI0032 MySQL Anonymous Accounts
  SEI0033 Object Level Security
  SEI0034 Web Interface Security
  SEI0035 User's Access Control
  SEI0036 MySQL Authentication Plug-in
  SEE0037 Password Expirations
  SEE0038 GFE Data Security
Elasticity Requirement
  ELE0001 Hosting
  ELE0002 Location Access
  ELE0003 Server Locations
  ELE0004 OS
  ELI0006 Response Time
  ELI0007 MySQL Thread Pool
High Availability Requirements
  HAE0001 Web-Based Application
  HAE0002 Web Accessibility
  HAE0003 Elasticity
  HAI0005 User Credentials
  HAI0006 Response Time
  HAI0007 Recovery Time
  HAI0008 Availability Level
  HAI0009 Oracle VM Template for MySQL
Attachments
References
Appendixes


Abstract

The purpose of this project is to build the guidelines for securing a government multi-agency database. The data is classified as Secure Sensitive Information (SSI) and all agencies are cleared to that level. Five government agencies will need access to this data: FBI, DHS, DSS, CIA and DIA. Each agency will only have access to its own data, in other words "for their eyes only". For example, FBI personnel will not be able to access data meant for DSS, and so on. All agencies will access this data via a web interface over HTTPS (IE v9 or higher, Chrome v35 and above, Firefox v24 and above). There is a mix of operating systems (OS) within each agency, consisting of Windows 7 and 8 only. Agencies will be able to print and archive reports from this application. The database will consist of over 20,000 records per agency and will continue to grow.

Introduction:

Database security is an important part of a well-rounded security infrastructure: the data must be protected from unauthorized use, disclosure, modification or destruction. Ensuring that users have the proper authority to see the data, load new data, or update existing data is an important aspect of database development. Databases are a core component of many computing systems, and without proper security, data may not be properly retained and shared electronically, or could be lost and end up in the wrong hands.


As part of the SOF620 Database Security Team's mission, five government agencies contracted this class, SOF620 Database Security, Quarter 4, to provide detailed security recommendations for securing a joint-agency shared database classified at Secure Sensitive Information (SSI). The five agencies that will use this database are the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), the Defense Security Service (DSS), the Central Intelligence Agency (CIA) and the Defense Intelligence Agency (DIA). This paper describes the requirements and recommendations that should be addressed to achieve a defense-in-depth infrastructure for database security. It outlines the security measures for the implementation of two virtual server environments, one located at FBI Headquarters in Washington, D.C. and the other at the DHS facility in Northern Virginia. The agencies would like to use MySQL Cluster Carrier Grade Edition software in a virtualized cloud configuration. The servers will be load balanced and each location will have its own database administrators. Each of the security requirements addresses the objectives of confidentiality, integrity and availability while keeping the security posture as high as possible. Each agency has agreed to follow the recommendations identified in this paper and will continue to reassess its security architecture as its requirements grow. As more vulnerabilities are identified, the agencies will continue continuous monitoring and re-examination of their network and system topologies.

The SOF620 Database Security Project Team worked together effectively and efficiently to provide the most secure recommendations for this joint-agency database environment and conveyed the importance of security within the requirements provided by the five agencies. These requirements allowed the team to research and provide the most up-to-date security configurations for database security. The team strongly recommends that database security be an integral part of all system life-cycle phases, and that it be reviewed whenever changes occur to missions, information systems, security requirements, or threats, and whenever there are significant adverse changes to system vulnerabilities.


Security Requirements

SEE0001 Accessibility
Description: Users can access the application through only one browser at a time.

Recommendation: This requirement is the first listed under Security Requirements and is labeled as an Accessibility threat with a high-level, explicit priority. It specifies that even though the web-based application is accessible through multiple browsers (IE v9 or higher, Chrome v35 or higher, and Firefox v24 and higher), a user may have it open in only one browser at a time: an authenticated user holds a single session. If the application is open in IE, logging in from Chrome or Firefox automatically logs out the IE session. The check belongs on the server, in the session store, rather than in browser-side script: the server keeps one active session token per user and revokes the previous token whenever that user logs in again, which also evicts anyone holding a stolen session cookie as soon as the legitimate user signs in.
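The single-session behaviour described above can be implemented in the server-side session store. The following Python is an added example, not code from the project; the token format, the 900-second idle timeout and the demo() scenario are assumptions chosen for illustration.

```python
"""One active session per user (added example for SEE0001).

Assumptions (not from the paper): sessions are opaque random tokens kept in a
server-side store and presented by the browser in a cookie; the idle timeout
of 900 seconds is an illustrative value.
"""
import secrets
import time


class SessionStore:
    """Server-side session store that allows exactly one live session per user."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}   # token -> {"user", "agency", "expires"}
        self._active = {}     # user -> the one token currently allowed

    def login(self, user, agency, now=None):
        """Issue a new token and revoke whatever session the user already had.

        A login from a second browser therefore logs the first browser out,
        which is the behaviour SEE0001 requires. It also evicts an attacker
        who is holding a stolen token as soon as the real user signs in.
        """
        now = time.time() if now is None else now
        old = self._active.get(user)
        if old is not None:
            self._sessions.pop(old, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "agency": agency,
                                 "expires": now + self.ttl}
        self._active[user] = token
        return token

    def lookup(self, token, now=None):
        """Return the session record for a live token, else None."""
        now = time.time() if now is None else now
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if now >= rec["expires"]:
            self.logout(token)
            return None
        if self._active.get(rec["user"]) != token:
            # Belt and braces: a token that is not the user's current one
            # must never be honoured, even if it somehow survived revocation.
            self._sessions.pop(token, None)
            return None
        rec["expires"] = now + self.ttl   # sliding idle timeout
        return rec

    def logout(self, token):
        rec = self._sessions.pop(token, None)
        if rec is not None and self._active.get(rec["user"]) == token:
            del self._active[rec["user"]]


def demo():
    """Walk through the SEE0001 scenario with a fixed clock."""
    store = SessionStore(ttl_seconds=900)
    t_ie = store.login("jdoe", "DHS", now=1000)          # first browser (IE)
    assert store.lookup(t_ie, now=1005)["user"] == "jdoe"
    t_chrome = store.login("jdoe", "DHS", now=1010)      # second browser
    ie_logged_out = store.lookup(t_ie, now=1020) is None
    chrome_ok = store.lookup(t_chrome, now=1020) is not None
    expired = store.lookup(t_chrome, now=1020 + 900) is None   # idle timeout
    return ie_logged_out, chrome_ok, expired
```

The store is keyed by user as well as by token, so the revocation on re-login costs one dictionary lookup and does not require scanning all sessions; in a load-balanced deployment such as the two-site configuration described in the introduction, the store must be shared between the web servers (or replicated) or the rule cannot be enforced across sites.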

SEE0002 Document View
Description: Users should only be able to view documents from their respective agencies.

Recommendation: This requirement is the second listed under Security Requirements and is labeled as a Security threat with a high-level, explicit priority. It specifies that even though multiple agencies host data on this site, users may access only information belonging to their own agency: only a DHS agent can locate and open DHS data. The agency that scopes a query must come from the authenticated session, never from a parameter the browser supplies, and the same restriction must apply when a single record is opened by its identifier, not only when lists are displayed.
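Server-side agency scoping as described above, shown as an added example that is not the project's code. An in-memory SQLite table stands in for the MySQL cluster; the table schema, the sample rows, the session dictionaries and the AuthorizationError type are all constructed for this illustration. The insecure variant is included to show the pattern that SEE0002 forbids.

```python
"""Agency-scoped document access (added example for SEE0002).

SQLite in memory stands in for the MySQL cluster; the schema, rows and the
session representation are constructed for this example.
"""
import sqlite3

AGENCIES = {"FBI", "DHS", "DSS", "CIA", "DIA"}


class AuthorizationError(Exception):
    """Raised when a request reaches outside the caller's agency."""


def build_db():
    """Create the sample table; ids are assigned 1..4 in insertion order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents ("
                 "id INTEGER PRIMARY KEY, agency TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO documents (agency, title) VALUES (?, ?)", [
        ("FBI", "Field office report"),            # id 1
        ("DHS", "Port inspection summary"),         # id 2
        ("DHS", "Border crossing statistics"),      # id 3
        ("CIA", "Station cable"),                   # id 4
    ])
    return conn


def list_documents_insecure(conn, requested_agency):
    """Vulnerable pattern: the agency filter is taken from the request, so any
    authenticated user can simply ask for another agency's records."""
    rows = conn.execute("SELECT title FROM documents WHERE agency = ?",
                        (requested_agency,))
    return [r[0] for r in rows]


def list_documents(conn, session):
    """Hardened pattern: the agency comes from the authenticated session and
    every query is constrained by it; the browser never supplies it."""
    agency = session["agency"]
    if agency not in AGENCIES:
        raise AuthorizationError("unknown agency %r" % agency)
    rows = conn.execute("SELECT title FROM documents WHERE agency = ?", (agency,))
    return [r[0] for r in rows]


def open_document(conn, session, doc_id):
    """Object-level check for single-record access: a record id belonging to
    another agency is treated as nonexistent, not returned."""
    row = conn.execute(
        "SELECT title FROM documents WHERE id = ? AND agency = ?",
        (doc_id, session["agency"])).fetchone()
    if row is None:
        raise AuthorizationError("document %r not available to %s"
                                 % (doc_id, session["agency"]))
    return row[0]
```

With MySQL the same boundary can additionally be enforced inside the database by giving each agency's application account privileges on a view filtered to that agency rather than on the base table, so that a bug in the web tier cannot widen access; the application-level check above remains necessary for per-record requests.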

SEE0003 Elasticity
Description: The web-based application must be compatible with Windows 7 and Windows 8, the only client operating systems in use at the agencies.

Recommendation: This requirement is labeled as an Elasticity threat with a high-level, explicit priority. It specifies that the web-based application need only be compatible with Windows 7 and Windows 8. Both followed Windows Vista and were designed as sleeker operating systems with faster performance and fewer compatibility issues; Windows 7 also introduced features such as multi-touch support for touch-screen interfaces, a simple home networking system called "HomeGroup", and an improved Windows Search. Earlier Windows versions are out of scope.

SEE0004 User Access
Description: Users accessing their department's information must see "For your eyes only" on their data records.

Recommendation: This is the fourth requirement listed under Security Requirements and is labeled as a Security warning with a high-level, explicit priority. It specifies that the text "For your eyes only" must appear on all data displayed to its intended users, in a prominent and perceptible manner: in red, in bold, at the top of each document. This is an explicit requirement to inform all users that data accessed from the application is not to be shared, distributed, copied or otherwise altered without clearance/permission. The text "For your eyes only" must remain unalterable and always visible, whether the record is read in the browser or printed. The banner is a handling marking, not an access control; the access restriction itself is enforced by SEE0002 and SEE0005.

SEE0005 Access Limits
Description: Only users from FBI, DHS, DSS, CIA and DIA will be able to access the web-based application.

Recommendation: This is the fifth requirement listed under Security Requirements and is labeled as a Security threat with a high-level, explicit priority. Access to the application is limited to authenticated users belonging to one of the five named agencies. Every account is issued for exactly one agency, and that agency membership is what the document-view restriction in SEE0002 is enforced against.

SEE0006 Compliance-Audit Planning
Description: Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders.

Recommendation: Compliance auditing allows the agencies to monitor the environment and identify potential attacks. Proactive monitoring of all components within an IT environment is always a best practice: system performance and availability depend on timely detection and resolution of potential issues before they affect users. From a database security perspective, monitoring is critical to identifying exploits in real time and so reducing the impact of any breach. Compliance solutions must also honor separation of duties and need-to-know when granting access to sensitive audit information, and access to that information must itself be audited. Ultimately, reports must be produced to demonstrate to auditors that the mandates are in effect.

The five agencies must work together to create a joint policy that encourages proper database administration and secure access over the network, while limiting direct server access to an only-when-necessary basis. A policy requiring database administration staff to use network-based tools increases visibility of database activity, because local access to the database servers then happens only when necessary, for example for patching and routine maintenance. Each case of direct database access should be tied to a change ticket, which creates an audit trail for the activity. Requiring staff to use network-based tools may also remove the need, cost and maintenance of database agents: SQL activity can be monitored by an appliance using network traces without relying on a host agent. Note that network-based monitoring cannot see local connections or the contents of encrypted sessions, so the database's own audit log is still needed for those paths. Once auditing is enabled, centralize the audit data and create reports so the audit records can be reviewed. Create a business process and standard operating procedures (SOPs) that include reviewing the audit trails on a daily/regular basis.

The following database activity logging/planning should be included in the SOPs:

- User account additions, modifications, suspensions, and deletions
- User account changes to rights (the authorization rights of an account)
- Escalation of privileges
- Object ownership changes
- Login and logout, and failed login attempts, of the administrator account(s) (account assignment for database administration), application credentials, and credentials used for direct database access
- Password changes
- Database security policy / configuration changes
  o Authentication modes
  o Password controls
  o Remote access enabled or disabled
- Native auditing enabled or disabled
- Audit system configuration changes and attempts to purge, modify, or erase audit trails or database logs
- Sensitive transactions, as required and defined by the data owner
- Allowed access to sensitive resources, as required and defined by the data owner
- Failed access to sensitive resources, as required and defined by the data owner
- Failed SQL attempts to data (object does not exist, insufficient privileges)
- Changes to the database schema (DDL (Data Definition Language) commands)
- Database backup and restore operations
- Database startup and shutdown operations
- Attempts to access OS functionality via the database (execute commands, read / modify files and settings)

There should be sufficient information in the log record to establish what events occurred and who (or what) caused them:
  o Type of event
  o When the event occurred
  o User credential associated with the event
  o Program or command used to initiate the event (exact SQL)
  o Names of database tables accessed, if applicable
  o Source host name or IP address of the user connection
  o Status (success or failure) of the attempt

Monitoring should be active for the following logging events:
  o User account additions and changes should be reconciled against an account request and approval log
  o Significant instances of failed password attempts, and failed attempts against multiple accounts within a short time frame, which may indicate hacking attempts
  o Significant instances of failed access attempts to database objects not authorized to the account ID
  o Attempts to SELECT the list of users and passwords
  o All direct access to the database from accounts which should be limited to access through an application
  o Use of nonstandard tools (e.g. Excel, Access) to directly access the DBMS
  o Use of any "utility programs" (e.g. Toad) to directly access the DBMS
  o Use of the Application ID (ApplID) from a source other than the defined owner application location (based on host name or IP address)
  o Log failures, manual logging shutdown and attempts to purge
  o Attempts to access OS functionality via the database
  o Known attack profiles, such as buffer overflow, denial of service, SQL injection
  o Database usage outside normal operating hours

The controls above need assessment and confirmation by the assigned database custodian and the agency's information security manager. Each of these controls falls under NIST SP 800-53, the regulatory guidance for federal agencies. Where the database cannot meet the above requirements, the information systems security staff will perform a risk assessment and document the control deficiencies. The agency security staff will present this report to the Senior Information Assurance Manager, and the authorizing official will sign a risk acceptance form based on that assessment. Audit review should be conducted daily, and an extensive audit/compliance program must be conducted annually. The annual audit should be conducted by a third-party agency or directorate so that the personnel performing it have no conflict of interest. All activities listed under this requirement ID should be outlined in the agency's policies and further explained in its SOPs. Again, this should be a joint effort so there are no discrepancies in compliance and auditing.

SEE0007 Audit Tools Access
Description: Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.

Recommendation: Audit tools that reside on the agencies' networks must have the network access needed to monitor all assets on the network. The required TCP/IP ports must be opened only to the designated auditing systems approved for the agencies' networks, not to the network at large. The following information gathering and service enumeration must be performed to establish that access, and the results reported to the network configuration manager (for access) and to the information assurance staff (for network configuration approvals, diagram updates and reports).

- Ping sweep
  o Network segment where the database server resides
- Service enumeration / port scan
  o Identify other services running
  o Oracle: TCP 1521
  o SQL Server: TCP 1433; UDP 1434
  o DB2: TCP 50000
  o MySQL: TCP 3306
- Vulnerability test access
  o OS probes for known vulnerabilities
  o Identify vulnerable TCP/IP services
  o Database probes for known weaknesses and vulnerabilities
  o Specifically test for default accounts and weak passwords
- Tools for access
  o Nessus (www.nessus.org)
  o AppDetective (www.appsecinc.com)
  o NGSSquirrel (www.ngssoftware.com)
  o Sourcefire (www.sourcefire.com)
  o Host-Based Security System (HBSS) (www.disa.mil/services/cybersecurity/HBSS)
  o Snort (IDS) (www.snort.org)
  o Nmap (insecure.org)
  o DB2 audit programs (www.auditnet.org/docs)
  o SQL Server audit tools (www.sqlsecurity.com)
  o Imperva SecureSphere (www.imperva.com)
  o ArcSight SIEM (www8.hp.com)
  o Windows Event Viewer (www.microsoft.com)

All tools listed above have specific port requirements, and the network/system administrator should refer to the documentation for each product. Other ports required for auditing access can be found in SQL security documentation and checklists such as the DISA STIGs (iase.disa.mil/stigs), SQL Server Security (msdn.microsoft.com), IBM DB2 Security (www.net-security.org/dl/articles/Securing_IBM_DB2.pdf), and the Center for Internet Security Benchmarks (cisecurity.org: Oracle, SQL Server, MySQL). Since the agencies have chosen MySQL Cluster, the MySQL entries (TCP 3306 and the CIS MySQL benchmark) are the ones that apply directly; the other products are listed for completeness. MySQL Cluster also uses the management node port (1186 by default) and the data-node ports, which should be reachable only from cluster members and the designated auditing systems.

SEE0008 Audit Logging/Intrusion Detection
Description: Audit logs recording privileged user access activities, authorized and unauthorized access attempts, user session tracking, system exceptions, and information security events shall be retained in compliance with applicable policies and regulations. Audit logs shall be reviewed at least daily, and file integrity (host) and network intrusion detection (IDS) tools shall be implemented to facilitate timely detection, investigation by root cause analysis, and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.

Recommendation: The audit logs should be robust enough to identify users, statements and responses. During the SDLC (Software Development Life Cycle), agencies should identify sensitive data, transactions and privileged accounts. Audit trails may be the last line of defense if an attacker circumvents other security controls: although they record events after the fact and do not prevent attacks, they are critical to any forensic investigation of a breach. Audit logs also have operational benefits when application issues require intensive debugging, and can help identify difficult problems. By creating audit logs, changes to database configuration and data are captured for each entity accessing the database, providing a record for compliance and security analysis. Auditing can also detect attempts to access unauthorized data. The agencies' information assurance staff or computer emergency response team must review these logs daily to look for anomalies in the system/database. Audit logs should be able to do the following:

- Track changes to database configuration. Any time a database configuration is changed, the action should be recorded in an audit log, including the change action, the identity of the user and a timestamp.
- Track changes to data. It should be possible to configure the audit log to capture every query or write operation to the database, and these records must be reviewed daily. Care, however, should be exercised when configuring this rule for applications: if an application inserts tens of thousands of records per second, writing each operation to the audit log imposes a performance overhead on the database. It is the responsibility of the project team to determine the trade-offs between performance and security.

Furthermore, the following items should be captured, logged or covered by the audit:

- Identify database administrators
- Identify database environments and versions
- Arrange database access
  o SELECT access to system tables/views
- Run initial SQL queries to obtain database security information
- OS accounts and related password controls
- Privileged OS accounts
- Group membership
  o Unix groups
  o Windows 2000 Administrators group
  o Owner / service accounts for database management system software
- Program and file protection
  o OS directory and file permissions
- Secure configuration (hardening)
- Security patch management
- SQL Server logins
- Server roles
- SQL Server databases
  o Database roles
  o Statement and object permissions
- Use of generic and shared user accounts
- Use of OS authentication
- Application connections to database
- Default / weak passwords
- Hard-coded passwords in application code and scripts
- Lack of password controls
- Control over administrative users
  o dba (technical and application support)
  o developers
- System privileges and authorities
- Object privileges required for production environment
- Public access to production schemas
- Default access provided to PUBLIC
- Security events
- System access
  o Logins - success / fail
  o Account / role / permissions changes
  o Data access: SELECT - success / fail
  o Data change: INSERT, UPDATE, DELETE
  o Schema / object changes: CREATE, ALTER, DROP
  o Privileged user activity
- Monitoring, analysis and follow-up processes
  o OS application event log - logins
  o SQL error log - logins
  o Profiler - events based on selected criteria
  o C2 audit mechanism

An intrusion detection system such as Snort IDS or Sourcefire IDS should be deployed to monitor network or system activities for malicious activity or policy violations and to produce reports to a management station. IDS come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways; both products can look for specific attacks, which must be forwarded to the CERT for further investigation. An intrusion prevention system (IPS) such as Sourcefire IPS and the Host-Based Security System (HBSS) should also be deployed to identify, monitor and inspect client applications for both security and compliance initiatives. IDS/IPS also monitor network behavior and user identity, assess and respond to attacks, and maintain defenses.

Security Information and Event Management (SIEM) products such as ArcSight provide real-time monitoring, threat intelligence, behavior profiling and application monitoring. A SIEM can collect, correlate and report on security events enterprise-wide so the agencies can detect unusual or unauthorized activity as it occurs. There are various products that perform these functions and those listed are only examples. Whichever is chosen, it must be configured correctly and its reports reviewed daily to maintain a secure enterprise network across the five agencies.
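The daily audit review called for in SEE0006 and SEE0008 can be automated against records that carry the fields SEE0011 requires. The following Python is an added example covering those three requirements; it is not the paper's code nor any vendor's. The JSON-lines record format, the sample audit lines, the application-host allow-list, the business-hours window and the thresholds are all constructed for this illustration and would be replaced by the agencies' own values.

```python
"""Daily review of database audit records (added example covering SEE0006,
SEE0008 and SEE0011; not the paper's code or any vendor's).

Each record is one JSON object per line carrying the fields SEE0011 requires
(when, what, who, source, outcome, plus the exact SQL where applicable). The
sample lines, the application-host allow-list, the business-hours window and
the thresholds are all constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

APP_ACCOUNT = "mad5_app"                      # assumed application credential
APP_HOSTS = {"10.1.1.20", "10.2.1.20"}         # assumed web front-end addresses
BUSINESS_HOURS = range(6, 20)                  # 06:00-19:59 UTC, assumed
FAILED_LOGIN_THRESHOLD = 5                     # assumed
FAILED_LOGIN_WINDOW_SEC = 60                   # assumed
FAILED_LOGIN_MIN_ACCOUNTS = 3                  # assumed

# Constructed sample audit trail for one day.
SAMPLE_LOG = """\
{"ts": "2014-09-17T13:00:01Z", "event": "login", "user": "jdoe", "src": "10.1.5.7", "status": "success"}
{"ts": "2014-09-17T13:00:05Z", "event": "login", "user": "admin", "src": "203.0.113.9", "status": "failure"}
{"ts": "2014-09-17T13:00:06Z", "event": "login", "user": "root", "src": "203.0.113.9", "status": "failure"}
{"ts": "2014-09-17T13:00:07Z", "event": "login", "user": "dba", "src": "203.0.113.9", "status": "failure"}
{"ts": "2014-09-17T13:00:08Z", "event": "login", "user": "jdoe", "src": "203.0.113.9", "status": "failure"}
{"ts": "2014-09-17T13:00:09Z", "event": "login", "user": "mwalker", "src": "203.0.113.9", "status": "failure"}
{"ts": "2014-09-17T13:05:00Z", "event": "query", "user": "mad5_app", "src": "10.1.1.20", "status": "success", "sql": "SELECT title FROM documents WHERE agency = 'DHS'"}
{"ts": "2014-09-17T13:06:00Z", "event": "query", "user": "mad5_app", "src": "10.1.9.44", "status": "success", "sql": "SELECT * FROM documents"}
{"ts": "2014-09-17T13:07:00Z", "event": "query", "user": "jperry", "src": "10.1.5.8", "status": "failure", "sql": "SELECT User, authentication_string FROM mysql.user"}
{"ts": "2014-09-17T02:30:00Z", "event": "query", "user": "dba", "src": "10.1.5.9", "status": "success", "sql": "DELETE FROM documents WHERE id = 4"}
{"ts": "2014-09-17T13:08:00Z", "event": "audit_config", "user": "dba", "src": "10.1.5.9", "status": "success", "sql": "SET GLOBAL audit_log_policy = 'NONE'"}
"""


def parse(text):
    """Parse JSON-lines audit records; 'ts' becomes an aware UTC datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def review(records):
    """Apply the SEE0006 monitoring rules; return a list of (rule, detail)."""
    findings = []

    # Rule 1: a burst of failed logins against several accounts from one
    # source within a short window (password spraying / brute force).
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r["status"] == "failure":
            failures[r["src"]].append(r)
    for src, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            window = [x for x in recs[i:]
                      if (x["ts"] - first["ts"]).total_seconds() <= FAILED_LOGIN_WINDOW_SEC]
            accounts = {x["user"] for x in window}
            if len(window) >= FAILED_LOGIN_THRESHOLD and len(accounts) >= FAILED_LOGIN_MIN_ACCOUNTS:
                findings.append(("failed-login-burst",
                                 "%s: %d failures against %d accounts" % (src, len(window), len(accounts))))
                break

    for r in records:
        sql = r.get("sql", "")
        low = sql.lower()
        # Rule 2: attempts to SELECT the list of users and passwords.
        if "mysql.user" in low:
            findings.append(("credential-table-read", "%s from %s (%s)" % (r["user"], r["src"], r["status"])))
        # Rule 3: the application credential used from somewhere other than
        # the application servers (direct access that should go via the app).
        if r["user"] == APP_ACCOUNT and r["src"] not in APP_HOSTS:
            findings.append(("app-credential-misuse", "%s used from %s" % (APP_ACCOUNT, r["src"])))
        # Rule 4: successful data or schema changes outside normal hours.
        if (r["event"] == "query" and r["status"] == "success"
                and r["ts"].hour not in BUSINESS_HOURS
                and low.startswith(("insert", "update", "delete", "drop", "alter"))):
            findings.append(("after-hours-change", "%s at %s: %s" % (r["user"], r["ts"].isoformat(), sql)))
        # Rule 5: audit configuration changes or attempts to silence logging.
        if r["event"] == "audit_config":
            findings.append(("audit-config-change", "%s: %s" % (r["user"], sql)))
    return findings


def review_text(text):
    return review(parse(text))
```

Running review_text(SAMPLE_LOG) yields one finding per rule for the sample day. Each finding should be raised as a ticket for the CERT or information assurance staff to work through, and the rules themselves belong in the SOPs so that the thresholds are agreed across the five agencies rather than chosen by whoever reads the logs.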

SEE0009 Protection of Audit Information
Description: The system protects audit information and audit tools from unauthorized access, modification, and deletion. Auditing roles will be established on all devices that can be audited.

Recommendation: Audit information includes all information (e.g. audit records, audit settings, and audit reports) needed to successfully audit database and system activity. Ensure that the system backs up audit records at least once every twenty-four hours to a system or media different from the system being audited, so that an attacker who gains control of the database server cannot also erase the record of how it happened. The agencies should grant access to the management of audit functionality only to a limited subset of privileged users, and that subset should not be the same people whose activity the audit trail is meant to record (the separation of duties called for in SEE0006).
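Protecting audit records from modification and deletion can be made verifiable rather than merely restricted: each record can carry an HMAC over its content and the previous record's tag, so that editing, reordering or removing a record breaks the chain at that point. The following Python is an added example, not the paper's code; the key, the sample records and the append/verify API are constructed for illustration, and in practice the key would be held on the separate audit host, not on the database server being audited.

```python
"""Tamper-evident audit trail (added example for SEE0009; not the paper's code).

Each entry stores an HMAC-SHA256 tag over its own record and the previous
entry's tag. The key, sample records and API are constructed for this
example; the key belongs on the audit host, not on the audited server.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # tag "before" the first entry


def _tag(key, prev_tag, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append(chain, key, record):
    """Append a record, chaining it to the tag of the last entry."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": _tag(key, prev, record)})
    return chain


def verify(chain, key):
    """Return (True, None) if the chain is intact, else (False, index of the
    first entry whose tag does not match)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return False, i
        prev = entry["tag"]
    return True, None


def build_sample_chain(key):
    """Three constructed audit records in the SEE0011 field layout."""
    chain = []
    for rec in [
        {"seq": 1, "ts": "2014-09-17T13:00:01Z", "event": "login",
         "user": "jdoe", "src": "10.1.5.7", "status": "success"},
        {"seq": 2, "ts": "2014-09-17T13:05:00Z", "event": "query",
         "user": "dba", "src": "10.1.5.9", "status": "success",
         "sql": "SELECT * FROM documents"},
        {"seq": 3, "ts": "2014-09-17T13:08:00Z", "event": "audit_config",
         "user": "dba", "src": "10.1.5.9", "status": "success"},
    ]:
        append(chain, key, rec)
    return chain


def demo(key=b"example-key-kept-on-audit-host"):
    """Show that editing or deleting an entry is detected at that entry."""
    chain = build_sample_chain(key)
    intact = verify(chain, key)

    tampered = copy.deepcopy(chain)
    tampered[1]["record"]["user"] = "jdoe"          # blame shift: dba -> jdoe
    edited = verify(tampered, key)

    shortened = chain[:1] + chain[2:]               # entry 2 silently removed
    deleted = verify(shortened, key)
    return intact, edited, deleted
```

One limitation to note: dropping the most recent entries (truncating the tail) leaves a chain that still verifies, because nothing follows the cut. That gap is closed by the daily off-host backup SEE0009 already requires, which records the last tag seen; comparing it with the current chain detects truncation.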

SEE0010 Audit Record Retention
Description: The organization retains audit records for one year to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Recommendation: The one-year period in the description is a minimum. Audit/review/compilation working papers should be held for 7 years, and audit/review/compilation statements and reports should be retained permanently.

SEE0011 Content of Audit Records

Description: The system produces audit records that contain sufficient information to establish, at a minimum, what type of event occurred, when (date and time) it occurred, where it occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user or subject associated with it. An ICS usually has front-end server(s), workstation(s) and possibly laptops that produce audit logs in great detail. Other ICS components are limited in what events can be audited; enabling auditing on controllers/PLCs can create a self-inflicted denial of service because their CPU and memory are limited. Generate reports for compliance and forensics.

Recommendation: It is recommended that the agencies centrally manage the content of the audit records generated by all information systems, to the maximum extent possible, including:

a. Anti-Malware Software
b. Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS)
c. Remote Access Software
d. Web Proxies
e. Vulnerability Management Software
f. Authentication Servers
g. Routers
h. Firewalls
i. Network Quarantine Servers
j. Operating Systems

SEE0012 Response to Audit Failures

Description: The system enforces configurable traffic volume thresholds representing auditing capacity for network traffic, failed logins, and database errors.

SQL Server permits auditing of both login successes and failures, depending on the need. This auditing feature is turned on in SQL Server Management Studio: the administrator connects to the SQL Server in Object Explorer, right-clicks the server and chooses Properties from the pop-up menu, which opens the server properties shown in Exhibit 1. The administrator then opens the Security page to set the login auditing level, as in Exhibit 2.

There are four options available:

None - Neither successful nor failed logins will be audited.
Failed logins only - Failed logins will be audited, but successful logins will be ignored.
Successful logins only - Successful logins will be audited, but failed logins will be ignored.
Both failed and successful logins - Logins will be audited regardless of success or failure.
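The Security page sets the same server-wide login audit level that can be scripted, and scripting it with SQL Server Audit objects also lets the administrator state what happens when the audit itself fails, which is the point of this requirement. The following T-SQL is an added example and is not part of the original project; the audit names, the file path and the size and retention figures are assumptions chosen for the example, and the instance must be an edition that supports SQL Server Audit.

```sql
-- Added example (T-SQL), not from the original project.
-- Audit both failed and successful logins on the instance, and stop the
-- instance if the audit can no longer write (the response to audit failure).
-- MAD5_LoginAudit, MAD5_LoginAuditSpec and D:\SQLAudit\ are placeholders.
USE master;
GO

-- 1. Audit target: a file destination with bounded size and rollover.
--    ON_FAILURE = SHUTDOWN means that if events cannot be written the
--    instance shuts down rather than continue unaudited. CONTINUE (or, from
--    SQL Server 2012, FAIL_OPERATION) are the less drastic alternatives.
CREATE SERVER AUDIT MAD5_LoginAudit
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 30)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO

-- 2. What to capture: the two server-level login action groups. This is the
--    "Both failed and successful logins" option from the Security page.
CREATE SERVER AUDIT SPECIFICATION MAD5_LoginAuditSpec
    FOR SERVER AUDIT MAD5_LoginAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP)
    WITH (STATE = ON);
GO

-- 3. Audits are created disabled; switch it on.
ALTER SERVER AUDIT MAD5_LoginAudit WITH (STATE = ON);
GO

-- 4. Confirm it is running (status_desc should read STARTED).
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status;

-- 5. Daily review query: failed logins in the last 24 hours.
--    action_id 'LGIF' = login failed, 'LGIS' = login succeeded.
SELECT event_time, server_principal_name, succeeded, file_name
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= DATEADD(hour, -24, SYSUTCDATETIME())
ORDER BY event_time DESC;
```

Because ON_FAILURE = SHUTDOWN halts the instance the moment the audit file cannot be written, the audit path must sit on a volume whose free space is monitored, and the rollover limits must be sized to the one-year retention in SEE0010 (older files are copied off the host before they roll, per SEE0009). The login that creates the audit needs SHUTDOWN permission for this option to be accepted.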

SEE0013 System Monitoring

Description: Audit database usage outside normal operating hours.

Because the operating system is Microsoft Windows Server, the System Monitor graphical tool will be used to measure the performance of SQL Server. It will be used to view SQL Server objects, performance counters, and the behavior of other objects such as processors, memory, cache, threads, and processes. Each object has an associated set of counters that measure device usage, queue lengths, delays, and other indicators of throughput and internal congestion.

System Monitor Performance

When the administrator monitors SQL Server and the Microsoft Windows operating system to investigate performance-related issues, they will concentrate their initial efforts in three main areas:

Disk activity
Processor utilization
Memory usage


Monitoring a computer on which System Monitor is running can affect that computer's performance slightly. Therefore, the administrator will either log the System Monitor data to another disk (or computer) to reduce the effect on the computer being monitored, or run System Monitor from a remote computer. The administrator will monitor only the counters of interest: monitoring too many counters adds resource overhead to the monitoring process and affects the performance of the computer being monitored. The system will be monitored on a continuous basis, seven days a week including holidays, and system performance will also be monitored during any unforeseen circumstances that cause the government agencies to shut down during normal operating hours.

SEE0014 Account Review

Description: Accounts are reviewed every 90 days; explicit re-approval is required or access to the resource is automatically revoked. User rights to data are limited on a need-to-know basis.

Recommendation: This requirement concerns the management and review of computer accounts in order to maintain access control on all systems. For example, these standards can apply to anyone who has a campus computer account, such as faculty, staff, students, parents, alumni, vendors, volunteers, affiliates, and members of the public. They ensure that access to computer systems is appropriately requested, approved, granted, terminated, and reviewed on a regular basis. Management of computer accounts is critical to protecting sensitive data and minimizing risk. The scope includes, but is not limited to, access granted through system accounts, application accounts, or database accounts. The target audience is anyone who has responsibility for requesting, approving, terminating, using, and reviewing computer accounts.

SEE0015 Audit Content Changes

Description: Changes to code and sensitive data must be audited and logged.

Recommendation: This concerns the protection of sensitive information from unauthorized disclosure. Controls need to be implemented according to the sensitivity of the data, since that determines how stringent the controls over its access should be. It is very important to preserve the organization's ability to keep information confidential, as compromises of confidentiality could lead to significant harm to public reputation, particularly where the information relates to sensitive client data.
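The following MySQL example is added here and is not part of the original project. It shows one way to meet SEE0011 (what, when, where, source, identity), SEE0013 (usage outside normal hours) and SEE0015 (changes to sensitive data are logged) on the MAD5 database itself: a trigger-based audit trail on a sensitive table. The schema, table and account names, and the 07:00-18:00 working hours in the review query, are assumptions for the example.

```sql
-- Added example (MySQL 5.6), not from the original project: a trigger-based
-- audit trail for a sensitive table. mad5, case_files, audit_log and
-- 'mad5app'@'10.0.5.20' are placeholders.

-- Every record answers: what happened, when, where, from whom and by which
-- account (SEE0011). Timestamps are taken in UTC so records from different
-- agencies can be ordered against each other.
CREATE TABLE mad5.audit_log (
    audit_id     BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    event_time   DATETIME     NOT NULL,                 -- when (UTC)
    event_type   ENUM('UPDATE','DELETE') NOT NULL,      -- what
    table_name   VARCHAR(64)  NOT NULL,                 -- where
    row_id       INT          NOT NULL,
    db_account   VARCHAR(93)  NOT NULL,  -- account whose privileges were used
    client_login VARCHAR(93)  NOT NULL,  -- user@host the client connected as (source)
    connection   INT UNSIGNED NOT NULL,
    old_value    TEXT,
    new_value    TEXT
) ENGINE=InnoDB;

-- The sensitive table being watched.
CREATE TABLE mad5.case_files (
    file_id        INT PRIMARY KEY,
    agency         CHAR(3)     NOT NULL,
    classification VARCHAR(16) NOT NULL,
    body           TEXT
) ENGINE=InnoDB;

DELIMITER $$
CREATE TRIGGER mad5.case_files_au AFTER UPDATE ON mad5.case_files
FOR EACH ROW
BEGIN
    INSERT INTO mad5.audit_log
        (event_time, event_type, table_name, row_id, db_account, client_login,
         connection, old_value, new_value)
    VALUES
        (UTC_TIMESTAMP(), 'UPDATE', 'case_files', OLD.file_id,
         CURRENT_USER(), USER(), CONNECTION_ID(),
         CONCAT(OLD.classification, '|', IFNULL(OLD.body, '')),
         CONCAT(NEW.classification, '|', IFNULL(NEW.body, '')));
END$$

CREATE TRIGGER mad5.case_files_ad AFTER DELETE ON mad5.case_files
FOR EACH ROW
BEGIN
    INSERT INTO mad5.audit_log
        (event_time, event_type, table_name, row_id, db_account, client_login,
         connection, old_value, new_value)
    VALUES
        (UTC_TIMESTAMP(), 'DELETE', 'case_files', OLD.file_id,
         CURRENT_USER(), USER(), CONNECTION_ID(),
         CONCAT(OLD.classification, '|', IFNULL(OLD.body, '')), NULL);
END$$
DELIMITER ;

-- The application account gets privileges on the watched table only. Trigger
-- bodies run with the privileges of their DEFINER (the administrator who
-- created them), so the application account cannot read, alter or delete the
-- audit trail itself (SEE0009, SEE0015).
GRANT SELECT, UPDATE, DELETE ON mad5.case_files TO 'mad5app'@'10.0.5.20';

-- Review query for SEE0013: changes outside 07:00-18:00 UTC or at weekends
-- (the hours are an assumption for the example; DAYOFWEEK 1 = Sunday, 7 = Saturday).
SELECT event_time, event_type, row_id, db_account, client_login
  FROM mad5.audit_log
 WHERE HOUR(event_time) NOT BETWEEN 7 AND 18
    OR DAYOFWEEK(event_time) IN (1, 7)
 ORDER BY event_time;
```

A trigger only fires for a statement that succeeded, so the "outcome" field of SEE0011 is always success here; denied or failed statements must be captured by a server-side log (MySQL Enterprise Audit or the general query log), and the audit_log table itself should be included in the daily off-host backup required by SEE0009.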

SEE0016 Audit Storage Capacity

Description: The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity, and rejects or delays network traffic above those thresholds.

Recommendation: The main objective here is to ensure that the computer systems will continue to provide a satisfactory level of performance in the longer term. This will involve IT operations staff making estimates of future CPU requirements, disk storage capacity and network load capacity. It is further concerned with the amount of internal storage, and the amount and type of offline storage, needed to meet the security and privacy requirements of the program.

SEE0017 Real-time Correlation and Attack Identification

Description: Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert is seconds or less).

Recommendation: Real-time correlation software transforms raw security event data into actionable information for the responsible personnel within fractions of a second, so the right threats can be tackled at the right time. Ensuring that all five organizations (FBI, DHS, DSS, CIA and DIA) have an accurate, comprehensive, real-time understanding of security risk is essential for keeping the enterprise secure and compliant. However, most event correlation technologies capture and correlate security event data from security devices only, leaving important data from other core applications and databases overlooked.

SEE0018 Vulnerability Scanning

Description: Vulnerability scanning must be done to identify security holes and weaknesses within the application. It also verifies that security patches have been applied.

Recommendation: The FBI, DHS, DSS, CIA and DIA should follow continuous vulnerability monitoring, which identifies both server- and client-side vulnerabilities and verifies that security patches have been applied to operating systems. Vulnerability scanning typically refers to scanning systems that are connected to the Internet, but can also refer to audits of systems on internal networks that are not connected to the Internet, in order to assess the threat.

SEE0019 Time Stamps

Description: The system compares its internal clocks with, and synchronizes them to, the authoritative time source.

Recommendation: E-Security is a turnkey, network-attached appliance that keeps accurate time and creates secure time stamps to record creation time, filing time, or the timing of other events associated with electronic records and applications. By deploying a highly accurate and tamper-resistant electronic time stamping solution, the agencies can verify the accuracy of time stamps used for digital records and improve the integrity and auditability of a broad range of critical processes. The clock synchronization itself is done with NTP against the authoritative time source. Microsoft Authenticode, the code-signing standard for Windows platforms, is a separate mechanism: it lets signed code carry a trusted timestamp, but it does not synchronize system clocks.


SEE0020 Security Assessments

Description: Assessments of database security controls determine the extent to which the controls are implemented correctly. The results should be compared to a baseline configuration. Comprehensive security assessment reports document the results of the assessment and include remediation instructions if controls are not implemented correctly. The report should be automatically sent to designated officials.

Recommendations: An effective security risk assessment can prevent breaches, reduce the impact of breaches that do occur, and keep an agency's name out of the spotlight for the wrong reasons. Regular IT security risk assessments also enable organizations to build up historical data that can be used to gauge and communicate the monetary impact of risks and, hopefully, convince upper management to take decisive action to reduce the organization's threat surface.

There are basically three risk management components:

Evaluation and assessment, to identify assets and evaluate their properties and characteristics.
Risk assessment, to discover threats and vulnerabilities that pose risk to assets.
Risk mitigation, to address risk by transferring, eliminating or accepting it.

SEE0021 Continuous Monitoring

Description: Ongoing security status monitoring of agency-defined metrics in accordance with the agency's continuous monitoring strategy.

Recommendations: Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of an agency’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status.

SEE0022 Single Sign-On Authentication

Description: The system will provide authentication sign-on via a web interface before access to data is granted.

Recommendation: The single sign-on authentication services integrated within each agency's network environment will enable end users to connect to the MAD5 application using a common authentication mechanism. These services store and transmit encrypted user credentials across local and network boundaries. The single sign-on services request and verify the user's credentials when the user logs into the agency's network, so that the MAD5 system can use those credentials to determine the actions the user may perform based on the user's rights.

With single sign-on authentication implemented, users from the various agencies can log into their accounts and grant access to their data from inside the MAD5 application. The application then contacts the data center with the login data and requests access to a specified service. After authentication, the roles associated with the user are used to access protected resources in the MAD5 application. Once access is authorized, the MAD5 application can reach the service data, allowing the user to create, read, update, or delete it as needed through the application interface.

SEE0023 Web Application Fields

Description: The web application must present fields for user credentials such as username and password before a user can proceed.

Recommendation: This requirement is listed under the Accessibility tab and categorized as high, implicit priority. It specifies that the web application must request login information from users by presenting empty form fields for them to fill in. The application then authenticates the user against the system before the user can proceed to the next step. If the login information is not valid, the user is denied access and asked for the login information again.

SEI0024 Protecting Data-At-Rest On Workstations

Description: The file system on the user's workstation should be encrypted to provide data-at-rest protection for all data downloaded to workstations and for archived reports stored there.

Recommendations: User data on workstations and the MySQL multi-agency database for the MAD5 system will be protected by securing agency data at rest and in motion in the context of cloud computing. To protect data at rest on agency users' workstations, the workstation file systems should be encrypted for all data downloaded and stored there. There are many technologies available for encrypting data stored on end-user devices: full disk encryption, volume and virtual disk encryption, and file/folder encryption (Karen Scarfone, et al., 2007). Full disk encryption (FDE) is the solution most commonly used on desktop and laptop computers. With hardware-based FDE (self-encrypting drives), encryption and decryption are performed by the drive itself with no OS participation, so there is typically very little performance impact (Karen Scarfone, et al., 2007). McAfee's data protection solutions, as key components of the McAfee protection suites, can also be used for extensible, customized protection that fits the security needs of users' workstations. To protect the MySQL multi-agency database from unauthorized third parties gaining access to the hard disks or backups on which the database is stored, database encryption via a Transparent Data Encryption (TDE) mechanism can be used. MySQL 5.6 has no built-in TDE, so this is provided by an external layer: the Gazzang ezNcrypt solution protects data at rest by performing real-time I/O encryption and decryption of the MySQL database's files (Gilad Parann-Nissany, 2012).

SEI0025 Secure Printing

Description: Any files sent to a "Secure Print" networked printer will expire after 12 hours if not retrieved during that time.

Recommendation: To counter the risks associated with access to MAD5 sensitive data, agencies will need to integrate printing security into their IT security strategy so that users within each agency's facilities can print and archive reports from the web application. To protect SSI data while printing to network devices (Frank Topinka & Amy Jaffe, 2013):

Authenticate users and protect data before it prints, using PIN codes, LDAP authentication or smart cards.
Encrypt print jobs to protect data, using the device's embedded security (IPsec) to protect information traveling to or from devices.
Have the user assign a PIN code to the print job before sending it; the job is held in the job list until the user releases it at the printer.
Remove data by using the device's built-in capability to overwrite stored data.
Monitor and manage printing.

A number of vendors, such as HP and Xerox, provide an imaging and printing security framework to safeguard data and documents at each stage of printing. For example, Xerox Secure Print lets the user control the print timing of sensitive documents, so that any file sent to a network printer expires after a predefined number of hours if not retrieved during that time.

SEI0026 Print Queue

Description: The print queue for MySQL reports should be password protected by using the Secure Print feature on the user's workstation.

Recommendation: See Requirement SEI0025

SEI0027 MySQL "root" Account

Description: The MySQL "root" account will be disabled and a new MySQL account with administrative rights and a strong password will be created during the post-installation process.

Recommendation: Securing MySQL is an essential part of the MySQL installation and post-installation processes. Although the default installation is reasonably secure by itself, some additional steps have to be performed (MySQL 5.7 Reference Manual, 2014).


To make the MySQL installation more secure against attack or misuse, the following post-installation steps will be required:

The password of the "root" account is blank by default after installation. To address this vulnerability, a strong password will be set for the "root" user, and the "root" account will then be either removed or renamed.
MySQL stores passwords for user accounts in the mysql.user table. Access to this table should never be granted to any non-administrative account.
The MAD5 web application will connect to the database with a user name different from the one used for administrative or installation purposes.
The MySQL service should not run as the operating-system "root" user.
Anonymous accounts should be given passwords or removed, to prevent clients from connecting as anonymous users without a password.
By default anyone, including anonymous users, can access the test database; for the MAD5 production environment the test database will be deleted during the post-installation steps.
Remote access should be disabled; only access from the local machine should be allowed. To stop MySQL from opening a network socket, the skip-networking parameter should be added to the my.cnf or my.ini configuration file.
Where the web server must communicate with the MySQL server over the network, the following restrictive grant syntax should be considered as the alternative to disabling network access entirely, so that only the named account from the named host can connect:
GRANT SELECT, INSERT ON mydb.* TO 'someuser'@'hostname'
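The steps above, as statements. This is an added example and not the project's own script; it covers SEI0027 together with the requirements that refer back to it (SEI0028 remote access, SEI0031 test database, SEI0032 anonymous accounts). The database name mad5, the accounts mad5admin and mad5app, and the web server address 10.0.5.20 are assumptions; the passphrases are placeholders. The syntax is MySQL 5.6 (the Password column in mysql.user became authentication_string in 5.7).

```sql
-- Added example (MySQL 5.6 syntax), not from the original project: the
-- post-installation steps as statements, run once as the installing
-- administrator. mad5, mad5admin, mad5app and 10.0.5.20 (the web server's
-- address) are placeholders; replace the passphrases.

-- 1. root has a blank password after a default install. Set a strong one,
--    then rename the account so the well-known name no longer exists.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<strong passphrase>');
RENAME USER 'root'@'localhost' TO 'mad5admin'@'localhost';

-- 2. Remove any remaining root accounts that are reachable from other hosts,
--    and every anonymous account (User = '').
DELETE FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DELETE FROM mysql.user WHERE User = '';

-- 3. Drop the test database and the wide-open grants that refer to it
--    (the default mysql.db rows give everyone full access to test and test_%).
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';

-- 4. The web application gets its own account, usable only from the web
--    server's address and only with the privileges it needs. This is the
--    restrictive-grant alternative to skip-networking for a separate web tier.
CREATE USER 'mad5app'@'10.0.5.20' IDENTIFIED BY '<different strong passphrase>';
GRANT SELECT, INSERT, UPDATE ON mad5.* TO 'mad5app'@'10.0.5.20';

-- 5. Direct edits to the grant tables take effect only after a reload.
FLUSH PRIVILEGES;

-- 6. Verify: no blank passwords, no anonymous users, no remote root, and the
--    application account has nothing on the mysql schema.
SELECT User, Host, (Password = '') AS blank_password
  FROM mysql.user
 ORDER BY User, Host;
SHOW GRANTS FOR 'mad5app'@'10.0.5.20';

-- Not SQL, but part of the same checklist, in my.cnf / my.ini:
--   [mysqld]
--   user = mysql          # never run mysqld as the OS root user
--   skip-networking       # only when the web server is on the same host
```

The mysql_secure_installation script that ships with MySQL performs steps 1 to 3 interactively; the statements are shown here so that the result can be verified and repeated on each of the agency servers.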

SEI0028 Remote Access

Description: Remote access to the MySQL database will be disabled by using restrictive grant syntax.

Recommendation: See Requirement SEI0027

SEI0029 Securing Data in Motion

Description: SSL will be used to secure the connection between the application server and web-based client applications, providing encryption of data in transmission.

Recommendation: By default, MySQL uses unencrypted connections between the client and server, which exposes data to eavesdropping and tampering while it is in transit. To mitigate this threat, encrypted channels of communication must be implemented. According to the MySQL 5.6 Reference Manual, MySQL supports secure (encrypted) connections between MySQL clients and the server using the Secure Sockets Layer (SSL) protocol, and enables encryption on a per-connection basis. Secure connections can be based either on the OpenSSL API or on MySQL's built-in yaSSL (Chris Conlon, 2011). To make secure connections easier to use, MySQL is bundled with yaSSL:

yaSSL provides secure client/server communication.
It can be built on almost any OS that supports TCP/IP.


The MAD5 multi-agency database will implement an SSL tunnel to encrypt data in motion.

SEI0030 Password Security

Description: All passwords shall be transmitted and stored in encrypted form.

Recommendation: The MAD5 authentication systems will prevent passwords and other credentials from unauthorized disclosure. Storing and transmitting passwords in plaintext puts them at risk of exposure to hackers, eavesdroppers, and malware. To prevent such exposure, strong authentication systems use multiple mechanisms to reduce the likelihood that unencrypted credentials will be exposed, and to ensure that any authentication data that does get stored and transmitted will be of limited use to an attacker.

One of the fundamental techniques used by authentication systems is the use of cryptographic hash functions to protect credentials in storage and transmission. The server computes the hash of the password submitted by the client (or accepts the hash from the client directly) and compares it with the stored hash for the account making the request; if they match, the client is authenticated. Note that a scheme in which the client sends the hash itself makes the stored hash a password-equivalent: anyone who can read the table can authenticate with it, which is one more reason access to the credential store must be tightly restricted.

MySQL stores passwords for user accounts in the mysql.user table. Access to this table should never be granted to any non-administrative account. MySQL supports stronger hashing for user account passwords through an authentication plugin named sha256_password, which implements SHA-256 password hashing as specified in FIPS 180-4.

MySQL uses passwords in two phases of client/server communication:

When a client attempts to connect to the server, there is an initial authentication step in which the client must present a password whose hash value matches the hash value stored in the user table for the account the client wants to use.
After the client connects, it can (if it has sufficient privileges) set or change the password hash for accounts listed in the user table.
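The two requirements SEI0029 (data in motion) and SEI0030 (password storage) meet in one account definition, shown below as an added example that is not part of the original project. The account mad5analyst, the schema mad5, the client range 10.0.5.% and the certificate file names are assumptions for the example; the statements are MySQL 5.6 syntax.

```sql
-- Added example (MySQL 5.6), not from the original project: an interactive
-- analyst account whose password is stored as a SHA-256 hash and whose
-- connections must be encrypted. mad5analyst, mad5, 10.0.5.% and the
-- certificate paths are placeholders.

-- 0. Server side (my.cnf), before anything else:
--      [mysqld]
--      ssl-ca   = /etc/mysql/ca.pem
--      ssl-cert = /etc/mysql/server-cert.pem
--      ssl-key  = /etc/mysql/server-key.pem
--    Then confirm the running server has SSL support and it is enabled:
SHOW VARIABLES LIKE 'have_%ssl';        -- have_openssl = YES, have_ssl = YES

-- 1. Storage: create the account with the sha256_password plugin (5.6.6+)
--    instead of mysql_native_password, whose hash is an unsalted
--    SHA1(SHA1(password)). In 5.6 the password is set in a second step
--    with old_passwords = 2 (5.7 accepts IDENTIFIED WITH ... BY directly).
CREATE USER 'mad5analyst'@'10.0.5.%' IDENTIFIED WITH sha256_password;
SET old_passwords = 2;
SET PASSWORD FOR 'mad5analyst'@'10.0.5.%' = PASSWORD('<strong passphrase>');

-- 2. Transport: refuse any connection from this account that is not
--    encrypted. REQUIRE X509 would additionally demand a client certificate.
GRANT SELECT ON mad5.* TO 'mad5analyst'@'10.0.5.%' REQUIRE SSL;

-- 3. Verify storage: plugin = sha256_password, ssl_type = ANY, and the hash
--    lives in authentication_string (the legacy Password column stays empty).
SELECT User, Host, plugin, ssl_type, Password,
       LEFT(authentication_string, 12) AS hash_prefix
  FROM mysql.user
 WHERE User = 'mad5analyst';

-- 4. Verify transport, from a session logged in as mad5analyst:
--    Ssl_cipher is empty on a cleartext connection and names the cipher
--    suite (e.g. DHE-RSA-AES256-SHA) on an encrypted one.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

The two settings depend on each other: a sha256_password account receives the actual password from the client, not a challenge-response digest, so the server accepts it only over an SSL connection or, on an OpenSSL-built server, RSA-encrypted with the server's public key. REQUIRE SSL makes the encrypted path mandatory for the account, and a yaSSL-built server (the bundled library mentioned above) offers only that path.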

SEI0031 MySQL Test Database

Description: The MySQL test database will be removed from the production environment during the post-installation process.

Recommendation: See Requirement SEI0027

SEI0032 MySQL Anonymous Accounts

Description: MySQL anonymous accounts will be removed during the post-installation process.

Recommendation: See Requirement SEI0027


SEI0033 Object Level Security

Description: User authentication with object-level security based on groups, and column-level security to restrict access to documents based on user access privileges, shall be used.

Recommendation: Database security entails allowing or disallowing user actions on the database and the objects within it. The use of a user and group structure, together with schemas and security domains, lets the MAD5 application control access to data and restrict the use of MySQL database resources. Discretionary access control regulates all user access to named objects through privileges. Each user within each agency has a security domain, a set of properties that determine such things as:

The actions (privileges and roles) available to the user
The system resource limits for the user

Defining the appropriate users and groups in the MAD5 deployment defines security on two levels: what a user can do and what a user can see. This security model provides easy administration of user accounts so that security can be locked down as tightly as possible for MAD5 functionality and content. The main goal of the security model is to restrict users from performing actions or accessing data not required for their function, while still allowing them to see and do what is made available to them.
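The "what a user can do" and "what a user can see" levels map onto MySQL privileges and views. The following is an added example, not the project's own schema: a document table, a reader group that sees only its agency's rows and only the non-sensitive columns, and an editor group that may change two columns. The table, view and account names, the agency code DHS and the client range 10.2.% are assumptions for the example (MySQL 5.6 has no roles, so a "group" is simply the set of accounts given the same grants).

```sql
-- Added example (MySQL 5.6), not from the original project: "what a user can
-- see" by row and column, "what a user can do" by privilege. mad5,
-- case_documents, dhs_reader, dhs_editor and 10.2.% are placeholders.

CREATE TABLE mad5.case_documents (
    doc_id         INT PRIMARY KEY,
    agency         CHAR(3)      NOT NULL,   -- owning agency: FBI, DHS, DSS, CIA or DIA
    classification VARCHAR(16)  NOT NULL,
    title          VARCHAR(200) NOT NULL,
    body           TEXT,
    analyst_notes  TEXT                     -- the sensitive column
) ENGINE=InnoDB;

-- Row and column restriction for readers: a view that exposes only DHS rows
-- and only the non-sensitive columns. Grants go on the view, never on the
-- base table, so the filter cannot be bypassed.
CREATE SQL SECURITY DEFINER VIEW mad5.v_dhs_documents AS
    SELECT doc_id, agency, classification, title, body
      FROM mad5.case_documents
     WHERE agency = 'DHS';

CREATE USER 'dhs_reader'@'10.2.%' IDENTIFIED BY '<passphrase>';
GRANT SELECT ON mad5.v_dhs_documents TO 'dhs_reader'@'10.2.%';

-- Editors: an updatable view over the same rows. WITH CHECK OPTION stops an
-- UPDATE from moving a row out of the view, and the column list in the GRANT
-- limits which columns may be changed.
CREATE SQL SECURITY DEFINER VIEW mad5.v_dhs_editable AS
    SELECT doc_id, agency, classification, title
      FROM mad5.case_documents
     WHERE agency = 'DHS'
    WITH CHECK OPTION;

CREATE USER 'dhs_editor'@'10.2.%' IDENTIFIED BY '<passphrase>';
GRANT SELECT ON mad5.v_dhs_documents TO 'dhs_editor'@'10.2.%';
GRANT SELECT, UPDATE (classification, title) ON mad5.v_dhs_editable
   TO 'dhs_editor'@'10.2.%';

-- What each account holds:
SHOW GRANTS FOR 'dhs_reader'@'10.2.%';
SHOW GRANTS FOR 'dhs_editor'@'10.2.%';

-- Behaviour seen from a dhs_editor session (results in comments):
UPDATE mad5.v_dhs_editable SET classification = 'SSI' WHERE doc_id = 7;
--   OK for a DHS row; "0 rows affected" for another agency's row, which
--   the view does not contain.
UPDATE mad5.v_dhs_editable SET agency = 'FBI' WHERE doc_id = 7;
--   ERROR 1143: UPDATE command denied ... for column 'agency'
SELECT analyst_notes FROM mad5.v_dhs_documents;
--   ERROR 1054: Unknown column 'analyst_notes'
SELECT * FROM mad5.case_documents;
--   ERROR 1142: SELECT command denied ... for table 'case_documents'
```

One view pair per agency keeps the SEI0035 rule (each user belongs to exactly one agency) enforceable by the database rather than by the application: an account is granted the views of one agency and nothing else, and SHOW GRANTS gives the reviewer in SEE0014 the complete picture for that account.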

SEI0034 Web Interface Security

Description: All users in all agencies will access data via a web interface using IE v9 or higher, Chrome v35 and above, or Firefox v24 and above.

Recommendation: Web browsers such as Internet Explorer, Mozilla Firefox and Chrome will be installed on MAD5 users' workstations, and it is vital to configure them securely. Often the web browser is not set up in a secure default configuration, which can quickly lead to a variety of problems, from spyware being installed without the user's knowledge to intruders taking control of the computer. There is an increasing threat from software attacks that take advantage of vulnerable web browsers. The problem is made worse by a number of factors, including the following:

Web page addresses can be disguised or take the user to an unexpected site.
Many web browsers are configured to provide increased functionality at the cost of decreased security.
New security vulnerabilities may have been discovered since the software was configured and packaged by the manufacturer.
Computer systems and software packages may be bundled with additional software, which increases the number of vulnerabilities that may be attacked.
Many users do not know how to configure their web browsers securely.
Many users are unwilling to enable or disable functionality as required to secure their web browser.

As a result, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems. Out-of-date web browsers are less stable and much more vulnerable to viruses, spyware, malware, and other security issues. Therefore all MAD5 users in all agencies will access data via a web interface using IE v9 or higher, Chrome v35 and above, or Firefox v24 and above.

SEI0035 User's Access Control

Description: User access control shall be agency-based, which means that access to resources will be granted based on a user's association with an agency. Each user can belong to one agency only.

Recommendation: The agency facilities must establish a process to authorize and document access privileges for MAD5 users based on a legitimate and demonstrated need for system access. Access privilege documentation must be maintained in a manner that makes it easily retrievable by individual user account.

Prior to initial account distribution, positive identification of individuals receiving accounts must be conducted. Positive physical identification can be done by anyone the system administrator can trust to perform this task. During the first instance of access with a new account, the initial password must be changed by the individual responsible for the account, in compliance with the password controls defined in this policy.

When system users are no longer part of an organization, or their duties change, their account access must be appropriately modified or terminated. Requests to change access privileges must be signed and forwarded to the appropriate designated individual by the responsible manager.

The Agency facilities must control access to resources based on the following access criteria, as appropriate:

Identity (user ID). The identity must be unique in order to support individual accountability.

Roles. Access to information must also be controlled by the job assignment or function (i.e., the role) of the user who is seeking access.

Location. Access to particular system resources will be based upon physical or logical location.

Access would be denied for a sixth user, even if the user were otherwise authorized to use the application.

Access Modes. The Agency facilities will consider the types of access, or access modes. Common access modes, which can be used in both operating and application systems, include read, write, execute, and delete.

SEI0036 MySQL Authentication Plug-in

Description: The MySQL pluggable authentication interface shall be used to authenticate MySQL client connections against an external resource such as LDAP or Windows Active Directory, enabling user authentication against LDAP with single sign-on (SSO) as an alternative to username and password credentials.

Recommendation: As of MySQL 5.5.16, commercial distributions of MySQL include an authentication plugin that enables MySQL Server to use PAM (Pluggable Authentication Modules) to authenticate MySQL users. PAM enables a system to use a standard interface to access various kinds of authentication methods, such as Unix passwords or an LDAP directory.

The PAM plugin uses the information passed to it by MySQL Server (such as user name, host name, password, and authentication string), plus whatever method is available for PAM lookup. The plugin checks the user credentials against PAM and returns 'Authentication succeeded, Username is user_name' or 'Authentication failed'.

The PAM authentication plugin provides these capabilities:

External authentication: The plugin enables MySQL Server to accept connections from users defined outside the MySQL grant tables.
Proxy user support: The plugin can return to MySQL a user name different from the login user, based on the groups the external user is in and the authentication string provided. This means that the plugin can return the MySQL user that defines the privileges the external PAM-authenticated user should have.
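The proxy-user mapping described above, as an added example rather than the project's own configuration. It assumes MySQL 5.6 Enterprise Edition (the PAM plugin is not in Community builds), a PAM service named mysql whose /etc/pam.d/mysql stack consults the agency's LDAP or Active Directory, external groups named analysts and dbadmins, and MySQL accounts mad5_analyst and mad5_dba; all of these are assumptions.

```sql
-- Added example (MySQL 5.6 Enterprise Edition), not from the original
-- project: map external (PAM/LDAP) groups to MySQL accounts through the
-- PAM plugin's proxy-user support. Group names, account names and the PAM
-- service name "mysql" are placeholders.

-- 1. Load the server-side plugin once (the library ships with Enterprise).
INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';

-- 2. The MySQL accounts that actually hold privileges. Nobody logs in as
--    these directly; they are the "proxied" users. Their passwords are never
--    used, so make them long and random.
CREATE USER 'mad5_analyst'@'localhost' IDENTIFIED BY '<unused, long, random>';
GRANT SELECT ON mad5.* TO 'mad5_analyst'@'localhost';
CREATE USER 'mad5_dba'@'localhost' IDENTIFIED BY '<unused, long, random>';
GRANT ALL PRIVILEGES ON mad5.* TO 'mad5_dba'@'localhost';

-- 3. The catch-all proxy account: any user name, from any host, is handed
--    to PAM service "mysql" (/etc/pam.d/mysql, which in turn consults LDAP
--    or AD). The authentication string maps PAM groups to the accounts
--    above; a user in no listed group is refused.
CREATE USER ''@'' IDENTIFIED WITH authentication_pam
  AS 'mysql, analysts=mad5_analyst, dbadmins=mad5_dba';
GRANT PROXY ON 'mad5_analyst'@'localhost' TO ''@'';
GRANT PROXY ON 'mad5_dba'@'localhost'     TO ''@'';

-- 4. Check, from a session opened by an LDAP user "jsmith" who is in the
--    "analysts" group (mysql --user=jsmith --enable-cleartext-plugin ...):
SELECT USER(), CURRENT_USER(), @@proxy_user;
--   USER()         -> jsmith@<client host>    the external identity that authenticated
--   CURRENT_USER() -> mad5_analyst@localhost  the account whose privileges apply
--   @@proxy_user   -> ''@''                   the proxy account that did the mapping
```

Two caveats follow from this design. The PAM plugin needs the real password, so the client uses the mysql_clear_password plugin and the password crosses the network in the clear unless the connection is encrypted; the REQUIRE SSL rule from SEI0029 therefore applies to the proxy account as well. And ''@'' is deliberately an anonymous account authenticated by the plugin: the SEI0032 clean-up of anonymous accounts must exclude it, and it should hold no privileges of its own beyond PROXY.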

SEE0037 Password Expirations

Description: Passwords must expire every 60 days for all users. The system must force users to reset their password on the 61st day.

Recommendation:

Never share a computer account.
Never use the same password for more than one account.
Never tell a password to anyone, including people who claim to be from customer service or security.
Never write down a password.
Never communicate a password by telephone, e-mail or instant messaging.
Be careful to log off before leaving a computer unattended.
Change passwords whenever there is suspicion they may have been compromised.
Operating system passwords and application passwords must be different.
Passwords should be alphanumeric.
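On the database side the 60-day rule can be enforced by the server rather than left to the user. The following is an added example, not the project's own configuration: MySQL 5.6.6 can only mark a password as expired, while MySQL 5.7.4 adds a lifetime policy that does the expiry automatically. The account names are the same placeholders used elsewhere in this section.

```sql
-- Added example, not from the original project: password expiration in
-- MySQL. mad5app and mad5analyst are placeholders.

-- MySQL 5.7.4+: expire every password 60 days after it was last set,
-- server-wide. On day 61 the login succeeds but the session is restricted
-- to changing the password (put default_password_lifetime=60 under [mysqld]
-- in my.cnf so the setting survives a restart).
SET GLOBAL default_password_lifetime = 60;

-- MySQL 5.7.4+: per-account override. The web application's service account
-- is rotated by the deployment process, not by the interactive-user policy.
ALTER USER 'mad5app'@'10.0.5.20' PASSWORD EXPIRE NEVER;

-- MySQL 5.6.6+: force an immediate change, e.g. after a suspected
-- compromise. The next login is allowed only to run SET PASSWORD.
ALTER USER 'mad5analyst'@'10.0.5.%' PASSWORD EXPIRE;

-- Review query (5.7.4+ columns): who is expired, which policy applies, and
-- when each password was last changed, oldest first.
SELECT User, Host, password_expired, password_lifetime, password_last_changed
  FROM mysql.user
 ORDER BY password_last_changed;
```

A NULL password_lifetime means the global default applies and 0 means never; the review query is the evidence the SEE0014 account review needs that no interactive account has outlived the 60-day window.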


SEE0038 GFE Data Security

Description: All users should use Government Furnished Equipment (GFE) to access the application. The GFE must be equipped with high-security software (e.g., Symantec Endpoint Encryption) and a secure VPN (Virtual Private Network) client.

Recommendation: Use of strong encryption technology is essential to ensure that the agencies information systems and data are protected against unauthorized access, fraud and theft.

Agencies users must use approved encryption as required by Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules.

The security policy for GFE user devices is designed to protect the confidentiality, integrity and availability of federal agency information and information systems, and is to be adopted by all users so that SSI data is securely stored, transported and transferred across the network.

User data on workstations will be encrypted by means of full disk encryption using Symantec Endpoint Encryption or the McAfee protection suites.

To ensure that agency users connect to the MAD5 application residing in the cloud, and that data is transmitted securely over the network, a virtual private network (VPN) solution will be employed and a VPN client will be installed on user workstations. The VPN channel between the workstation and the remote network resources is the method for securing and encrypting the agency's communications: it protects the user's Internet connection so that all of the data users send and receive is encrypted.


Elasticity Requirement

ELE0001 Hosting

Description: The web-based app must be able to host 100% of personnel at any time.

Recommendation: The number of users who access the database through the web app should not be limited, and the app must be able to host 100% of personnel at any time. Bandwidth: measure bandwidth usage to determine peak and idle times, and use this information to project how much bandwidth will be needed in the future. This makes it possible to plan for peak bandwidth and avoid the problems associated with inadequate bandwidth. To enhance the availability of the web app, identify the services that must be available, then identify the points at which those services can fail. Increasing availability also means reducing the probability of failure. System availability depends directly on the hardware and software and on the effectiveness of operating procedures.

ELE0002 Location Access
Description: Authenticated users must be able to access the web app from any location or time zone from certified devices.

Recommendation: For security purposes, data available through the web application has to be protected. This includes processes for authentication, authorization, asset handling, input handling, and logging and auditing. Once an end user is authenticated, the application checks the specific permissions for that user, the user's location, and the device's certification. Because the client runs in any web browser, the user should be able to access it from secure devices running any platform, at any time and from any location, with consistent access to the database. The web application should provide the same functionality on every platform and so gain the benefit of working across multiple platforms.

ELE0003 Server Locations
Description: There must be a minimum of 2 virtual servers located at separate locations, one each at the FBI and DHS locations.

Recommendation: This is the third requirement in the Elasticity thread, with a high-level, explicit priority. It specifies that there must be a minimum of 2 virtual servers located at separate locations. There will be two servers, one at the FBI facility and the other at the DHS facility.

ELE0004 OS
Description: The web-based application must only be compatible with Windows 7 and Windows 8.

Recommendation: This requirement is in the Elasticity thread, with a high-level, explicit priority. It specifies that the web-based application must only be compatible with Windows 7 and Windows 8. These operating systems followed Windows Vista and were designed to be sleeker than their predecessor, with faster performance and fewer compatibility issues. Windows 7 also includes several new features, such as multi-touch support for touch-screen interfaces, a simple home networking system called "HomeGroup," and an improved Windows Search feature.

ELI0005 Scale-Out Solution
Description: A clustering and virtualization solution in a cloud environment, combined with MySQL replication, will be used to provide scale-out capability and geographically distributed load balancing.

Recommendation: To implement, support and maintain virtual servers located at separate locations (one each at the FBI and DHS locations), MySQL Cluster running on virtualized cloud infrastructure, combined with MySQL replication, will be used. The architecture of MySQL Cluster is designed to scale reads and writes automatically within and across geographically dispersed data centers, and to scale queries, with the following capabilities:

Auto-sharding for write scalability
In-memory, real-time responsiveness
Active/active geographic replication
Online scaling and schema upgrades
SQL and NoSQL interfaces

To service growing agency demand, the scale-out architecture can be implemented by using MySQL Replication to power the agencies' mission-critical website, underlying systems infrastructure, and business-support tools (Guide to Scaling Web Databases with MySQL Cluster, 2013).

ELI0006 Response Time
Description: Response time should not exceed 30 seconds for Internet-connected clients for all concurrent users.

Recommendation: Best practice is to keep the response time of the web application under 500 ms; this frees the application to serve more requests and delivers a high-quality user experience. A request must be processed by the application and a response delivered back to the router within 30 seconds to avoid the timeout. When a timeout is detected, the router returns a customizable error page and the timeout is recorded in the application logs. Although the router has already returned a response to the client, the application does not know that the request it is processing has timed out and will continue to work on it. To avoid this situation, set a timeout within the application itself and keep the value well under 30 seconds, such as 10 or 15 seconds. Unlike the routing timeout, these timers begin when the application starts processing the request.

MySQL Cluster's real-time design delivers predictable, millisecond response times with the ability to service millions of operations per second. Support for in-memory and disk-based data, automatic data partitioning (sharding) with load balancing, and the ability to add nodes to a running cluster with zero downtime allow linear database scalability to handle the most unpredictable workloads (MySQL Strategy Whitepaper, 2014).

Greater concurrency of query execution requires significantly more server memory. In the extreme case where the memory needed by all active connections exceeds the server's memory, the MySQL server may resort to swapping between memory and disk, which greatly degrades user response times.

ELI0007 MySQL Thread Pool
Description: The MySQL Thread Pool should be configured and utilized to accommodate an increasing number of total and concurrent users, sustaining performance and scalability as concurrent user loads, the number of records in the database and query execution continue to grow.

Recommendation: By default the MySQL Database provides a complex thread-handling model that gives excellent throughput and performance for online and web-based applications. To meet the challenges of the most demanding users and workloads, MySQL Enterprise Edition provides the MySQL Thread Pool. The Thread Pool is a user-configurable option that provides an efficient, alternative thread-handling model designed to sustain performance and scalability as concurrent user loads continue to grow. In these use cases the Thread Pool addresses the limitations to scalability by (MySQL Enterprise Edition Product Guide, 2013):

Managing and controlling query execution until the MySQL server has the resources to execute it.

Splitting threads into managed Thread Groups. Inbound connections are assigned to a group via a round-robin algorithm, and the number of concurrent connections/threads per group is limited based on queue prioritization and the nature of the queries awaiting execution. Transactional queries are given a higher priority in the queue than non-transactional ones, but queue prioritization can be overridden at the user level as needed.

Avoiding deadlocks when queries are stalled or executing for long periods of time.


High Availability Requirements

HAE0001 Web-Based Application
Description: The user must be able to access the database through an Internet-based GUI.

Recommendation: The MySQL GUI Tools package is a combination of several tools that help you manage your MySQL databases. You can install this application pack on your local computer and use it to administer your databases remotely. The MySQL GUI Tools tutorial covers the following topics: how to use MySQL Administrator to back up databases, how to use MySQL Administrator to restore a database, and how to use MySQL Query Browser to access a database and execute queries on it. You can download the MySQL GUI Tools package from the official MySQL website. If your database is big (over 50 MB) you may have difficulty exporting and importing it via the PHP Admin tool in the control panel; in such cases the MySQL GUI Tools are a good solution. Before you can connect to your MySQL database you have to allow your host to access the server (see the tutorial on adding MySQL access hosts). Enter the login details for the MySQL connection: the Server Host should be your domain name, and you can use your control panel login details to access all databases in your account. Alternatively, you can use the MySQL username you created through the MySQL Databases tool in your control panel to connect to the database it has access to.

HAE0002 Web Accessibility
Description: The app must be accessible through the latest versions of Internet Explorer, Chrome, and Firefox (i.e. IE v9 or higher, Chrome v35 and above, Firefox v24 and above).

Recommendation: The app must be accessible through the latest versions of Internet Explorer, Chrome, and Firefox. Users can use the Docs editors if cookies and JavaScript are enabled in the browser. They must also have one of the two most recent versions of the following browsers: Chrome version 35 and later, Firefox version 24 and later, Safari on Mac systems, and Internet Explorer version 9 and later.

HAE0003 Elasticity
Description: The database must be able to host a minimum of 20,000 records, which must continue to grow over time.

Recommendation: This requirement ensures that the database is able to host a minimum of 20,000 records, a number that will continue to grow over time.

HAI0005 User Credentials
Description: The web app must show fields to enter user credentials such as usernames and passwords before a user can proceed.


Recommendation: This requirement ensures that the web page presents editable fields for entering user credentials, such as username and password, before the user can proceed further on the website.

HAI0006 Response Time
Description: Response time for users accessing documents must not be greater than fifteen (15) seconds for at least ninety percent (90%) of the records, and response time must not be greater than thirty (30) seconds for at least ninety-nine percent (99%) of the records.

Recommendation: Quantifying end-user response time goals can be thought of in terms of the following activities:

Determine application functionality and usage.
Verbalize and capture performance requirements and goals.
Quantify performance requirements and goals.
Record performance requirements and goals.

Before we can effectively determine the desired performance characteristics of an application, we need to identify the scenarios for which we want to characterize performance. When identifying the business scenarios that have a critical need for performance requirements and goals, it may be useful to think in terms of the following four categories:

Frequently used scenarios
Performance-intensive scenarios
Business-critical scenarios
Scenarios of special interest (possibly due to contractual obligations or stakeholder visibility)
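Once response-time goals are quantified they have to be checked against measurements; the following is an added example for this document (not the project's own code) that evaluates constructed retrieval timings against the two-tier HAI0006 target using a nearest-rank percentile.

```python
"""Checking measured response times against HAI0006: 90 % of document
retrievals within 15 s and 99 % within 30 s.

Added example for this document, not MAD5 project code. The measurements
below are constructed; in practice they would come from the application's
own request timing logs.
"""
import math

# (fraction of requests, maximum seconds) pairs from the requirement text.
HAI0006_TARGETS = ((0.90, 15.0), (0.99, 30.0))


def percentile(samples, fraction):
    """Nearest-rank percentile: the smallest observed value that at least
    `fraction` of the samples do not exceed."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    # round() guards against float noise such as 0.29 * 100 = 28.999999...
    rank = math.ceil(round(fraction * len(ordered), 9))
    return ordered[max(rank, 1) - 1]


def check_response_times(samples, targets=HAI0006_TARGETS):
    """Return {fraction: (observed seconds at that percentile, within limit)}."""
    results = {}
    for fraction, limit in targets:
        observed = percentile(samples, fraction)
        results[fraction] = (observed, observed <= limit)
    return results


def meets_hai0006(samples):
    """True only when every tier of the requirement is satisfied."""
    return all(ok for _, ok in check_response_times(samples).values())


# Constructed samples: 100 retrieval times each, in seconds.
SAMPLE_OK = [2.0] * 90 + [20.0] * 9 + [29.0]                # both tiers pass
SAMPLE_TAIL_BREACH = [2.0] * 90 + [20.0] * 8 + [45.0] * 2   # 99 % tier fails
SAMPLE_BULK_BREACH = [2.0] * 85 + [20.0] * 15               # 90 % tier fails

if __name__ == "__main__":
    for name, data in (("ok", SAMPLE_OK),
                       ("tail", SAMPLE_TAIL_BREACH),
                       ("bulk", SAMPLE_BULK_BREACH)):
        print(name, check_response_times(data), "meets HAI0006:", meets_hai0006(data))
```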

HAI0007 Recovery Time
Description: Recovery time following a failure will be no more than 15 minutes.

Recommendation: It is important to set expectations with agency users. While avoiding any form of downtime is always highly desirable, it is largely impractical. Higher levels of availability are typically achieved by deploying systems with increasing levels of redundancy and fault tolerance. However, greater redundancy also increases the total cost and complexity of the system, because it requires more hardware and software as well as a larger investment in IT staff, processes, and services (MySQL Strategy Whitepaper, 2014).

MAD5 will use a Geographically-Replicated Clusters with MySQL Database Replication architecture, certified and supported by Oracle, to achieve highly available database services.


The MAD5 web-based application will use MySQL's new replication features, designed to enable next-generation web, cloud, and mobile services with self-healing replication topologies and high-performance masters and slaves. New key features allow the transactional integrity of replication to be tracked through a master/slave topology, providing a foundation for self-healing recovery within the required 15-minute time frame in case of system failure.

Moreover, the recommended use of the Oracle VM Template for MySQL to provision virtualized, highly available MySQL databases also provides failure detection and automatically restarts instances within the server pool after failures of physical server hardware, VM instances or MySQL.

HAI0008 Availability Level
Description: The system should provide an availability level of "three nines", supporting its intended function 99.9 percent of the time, i.e. equivalent to an annual downtime of 8.76

Recommendation: The downtime values are given based on a requirement of 24/7 availability. If a system is only required to be available for part of that time, for example Monday to Friday from 9 a.m. to 5 p.m., then the calculation should be based on that time span. A system that is required to be available 40 hours a week needs an annual downtime of less than 2 minutes to achieve five-nines availability, but since maintenance and other planned outages can be scheduled outside working hours, this goal is easier to achieve.

Overall availability is calculated from the total downtime of the system over a period of time (5.3 minutes over a year equals 99.999% availability), but it can also be expressed using an alternative calculation that takes into account the time required to recover from a failure. In the formula below, MTTF (Mean Time To Failure) is the average time between system failures and MTTR (Mean Time To Recover) is the average time to recover from these failures:

$$\text{Availability} = \frac{\text{MTTF}}{\text{MTTF} + \text{MTTR}}$$

This is not a major change to the perception of availability: recovery time was always included in the time that the system was unavailable, but it does serve to clearly indicate the importance of rapid recovery in increasing availability. A system that is up for a year before a failure, but then takes three days to recover from that failure, is not as available as a system that fails ten times in that same year but recovers within 10 minutes each time. Clients do not differentiate between hardware and software failures. They do not care whether the hard disk crashed or the data integrity rules failed; they simply measure the time that the system was unusable. In the industry, hardware failure accounts for less than 20 percent of all system outages; it is therefore imperative that a "High Availability" system treats people and process failure at least as thoroughly as, and perhaps more so than, hardware failure.
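The availability arithmetic behind HAI0007 and HAI0008, carried through with the document's own MTTF/MTTR formula, as an added example for this document (not the project's own code); it reproduces the 8.76 hours per year that three nines allows on a 24/7 basis, the 5.3 minutes for five nines, and the two-system comparison above.

```python
"""Availability arithmetic behind HAI0007 (15-minute recovery) and HAI0008
(three nines), using the document's own formula
    Availability = MTTF / (MTTF + MTTR).

Added example for this document, not MAD5 project code. The 24/7 and
40-hour-week bases are the ones the text discusses.
"""
HOURS_PER_YEAR = 365 * 24        # 8760 h, the 24/7 basis
HOURS_PER_WORK_YEAR = 40 * 52    # 2080 h, Monday to Friday, 9 a.m. to 5 p.m.


def availability(mttf, mttr):
    """Fraction of time the system is up; mttf and mttr must share a unit."""
    if mttf <= 0 or mttr < 0:
        raise ValueError("mttf must be positive and mttr non-negative")
    return mttf / (mttf + mttr)


def annual_downtime_hours(target, hours_required=HOURS_PER_YEAR):
    """Downtime allowed per year at a target availability, over the hours
    the service actually has to be up."""
    return (1.0 - target) * hours_required


def failures_allowed_per_year(target, mttr_hours, hours_required=HOURS_PER_YEAR):
    """How many outages of a given recovery time fit inside the downtime budget."""
    return annual_downtime_hours(target, hours_required) / mttr_hours


def nines(target):
    """Count leading nines of an availability figure: 0.999 -> 3, 0.99999 -> 5."""
    count, remaining = 0, 1.0 - target
    while count < 9 and remaining < 10 ** -(count + 1) + 1e-12:
        count += 1
    return count


# The two systems compared in the text, both measured in days.
SYSTEM_A = availability(mttf=365.0, mttr=3.0)                  # one 3-day outage a year
SYSTEM_B = availability(mttf=365.0 / 10, mttr=10 / (24 * 60))  # ten 10-minute outages

if __name__ == "__main__":
    print(f"three nines, 24/7: {annual_downtime_hours(0.999):.2f} h/year")
    print(f"five nines, 24/7: {annual_downtime_hours(0.99999) * 60:.1f} min/year")
    print(f"five nines, 40 h week: "
          f"{annual_downtime_hours(0.99999, HOURS_PER_WORK_YEAR) * 60:.2f} min/year")
    print(f"15-minute recoveries that fit three nines: "
          f"{failures_allowed_per_year(0.999, 0.25):.1f} per year")
    print(f"system A {SYSTEM_A:.5f} ({nines(SYSTEM_A)} nines) vs "
          f"system B {SYSTEM_B:.5f} ({nines(SYSTEM_B)} nines)")
```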

HAI0009 Oracle VM Template for MySQL
Description: The Oracle VM Template should be used to provision virtualized and highly available MySQL databases to deliver a high availability solution.

Recommendation: The Oracle VM Template for MySQL Enterprise Edition ensures rapid deployment and helps eliminate configuration effort and risk by providing a pre-installed and preconfigured virtualized software image, taking advantage of Oracle VM's mechanisms to deliver high availability (MySQL Enterprise Edition Product Guide, 2013). The Oracle VM Template protects MySQL against planned and unplanned downtime. By using the high-availability features of the Oracle VM Template for MySQL, agencies can meet SLA demands:

Automatic recovery from failures: Oracle VM automatically restarts failed MySQL instances on available servers in the server pool after outages of the physical server, VM or MySQL database.

Live Migration: enables operations staff to move running instances of MySQL to alternative hosts within a server pool when they need to perform maintenance operations.


Attachments

Stratford University Securing Multi-Agency Database (MAD5): Analysis Sheet

Work Request Number: Task Order 101
Priority (High, Med, Low): High

Request Information
Requested Date: 8/28/2014
Requester Name: RA
Request Office: Stratford
Change Request: Analyze RTM for securing a government multi-agency database MAD5.

Analysis Start Date: 8/28/2014
Analyst Assigned: Alek Samedov
Analysis Completed Date: 9/4/2014
Analysis QA Date: 9/4/2014
Analysis QAed By: Nataliia Kakhidze, Shamsu Uddin
Approver Name: RA
Approved By:
Lead Walkthrough Analyst: Sanju Singh
Participant in Walkthrough:

Project Implementation

Project Overview
Secure MAD5 to meet the database security requirements of the following 5 agencies:
1. FBI
2. DHS
3. DSS
4. CIA
5. DIA

Strategy
We build our RTM and, based on it, provide security solutions according to the agencies' requirements at the SSI level. The RTM provides configured auditing storage capacity and auditing failure response.

Constraints and Limitations
Auditing responses, network volume and auditing capacity. This solution only applies to the 5 agencies mentioned above, is applicable to the cloud environment only, and covers the SSI level only.

Environment

1. IE 9 or higher
2. Firefox 24 and above
3. Chrome 35 and above

Impacted Modules, Tables and Fields

Module / Code | Module Name | Type of Change   | Description of Change
ST01          | MAD5_DB     | Spec/Module      | Initially prepare an analysis sheet.
NT01          | NT_01       | Network/capacity | Preparation for the required configured limitations


History of Document Changes

Date     | Initials | Description
9/3/2014 | MJ       | SEE0008 was added: "Log unauthorized access attempts by IP identification, user ID, date and time."
9/3/2014 | MJ       | SEE0037 was added: "Enforce password policies for length, character requirements, and updates and provide the ability to disable log-on capabilities if unsuccessful password entry is attempted after five (5) unsuccessful attempts and automatically notify security administration staff upon disabling log-on capabilities."

Additional Analysis Information

1. Modified Security 6210 to include the FBI security requirement.
2. Modified Security 6210 to include the SSO security requirement.
3. Network capacities are to be improved.
4. Storage volume has to be increased.
5. Configuration of thresholds to be done on a requirement basis.

Application Release Notes
After clarification of SEE0008 and SEE0037, the login authorization and security requirements were enhanced.
1. 38 or more security requirements.
2. Modifying the existing security base for the MAD5 database.
3. Five agencies.
4. Added ATF requirements.
5. Improving on network requirements.

Test and Additional Notes
1. "Log file review should be conducted on a regular basis to validate that log entries have IP identification, user ID, date and time stamps."
2. "Run password policy test to validate that user account will be disabled after 5 unsuccessful attempts to login and notification sent to administrator."
3. Negative tests (e.g. FBI only allows people to use VPN or a certain token type)

White/Clear-Box Testing Internally Within the Database
4. Scaffolding code (e.g. triggers or updateable views) which supports refactoring
5. Existence tests for database schema elements (tables, procedures, ...)
6. Typical unit tests for your stored procedures, functions, and triggers
7. View definitions
8. Referential integrity (RI) rules
9. Default values for a column
10. Data invariants for a single column

Black-Box Testing at the Interface
11. O/R mappings (including the metadata)
12. Incoming data values
13. Outgoing data values (from queries, stored functions, views ...)
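An automated form of tests 1 and 2 above (audit entries carry IP, user ID and timestamp; an account is disabled and the administrator notified after five failed logins), written here as an added example for this document rather than MAD5 project code; the log line format and the sample entries are constructed, since the page does not specify the audit plugin's format.

```python
"""Tests 1 and 2 from the analysis sheet: audit-entry field checks and
account lockout after five failed logins.

Added example for this document, not code from the MAD5 project. The
log line format and the sample entries below are constructed; a real
deployment would parse the format of its own audit plugin.
"""
import re
from collections import defaultdict

# Constructed format: "<ISO-8601 UTC timestamp> <source IP> <user id> <event>"
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3}) "
    r"(?P<user>[A-Za-z0-9_.@-]+) "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL|ACCESS_DENIED)$"
)

LOCKOUT_THRESHOLD = 5  # "after five (5) unsuccessful attempts", SEE0037 as quoted above


def parse_entries(lines):
    """Test 1: split lines into entries carrying IP, user ID and timestamp,
    and lines that are missing any of those fields."""
    valid, malformed = [], []
    for line in lines:
        match = ENTRY.match(line.strip())
        if match:
            valid.append(match.groupdict())
        else:
            malformed.append(line)
    return valid, malformed


def lockout_decisions(entries, threshold=LOCKOUT_THRESHOLD):
    """Test 2: replay entries in order. A successful login resets the failure
    count; the Nth consecutive failure disables the account and produces an
    administrator notification. Returns ({user: index of disabling entry},
    [notification strings])."""
    failures = defaultdict(int)
    disabled, notices = {}, []
    for index, entry in enumerate(entries):
        user = entry["user"]
        if user in disabled:
            continue  # already disabled; later events for this account are not counted
        if entry["event"] == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] >= threshold:
                disabled[user] = index
                notices.append(
                    f"{entry['ts']} account {user} disabled after "
                    f"{threshold} failed logins, last from {entry['ip']}"
                )
        elif entry["event"] == "LOGIN_OK":
            failures[user] = 0
    return disabled, notices


# Constructed sample log: asmith fails five times; bwu fails four times,
# succeeds, then fails once (counter was reset); the last line lacks an IP.
SAMPLE_LOG = (
    ["2014-09-04T09:00:01Z 10.1.2.3 jdoe LOGIN_OK"]
    + [f"2014-09-04T09:05:0{i}Z 10.1.2.9 asmith LOGIN_FAIL" for i in range(5)]
    + ["2014-09-04T09:06:00Z 10.1.2.9 asmith LOGIN_OK"]
    + [f"2014-09-04T09:10:0{i}Z 10.1.2.7 bwu LOGIN_FAIL" for i in range(4)]
    + ["2014-09-04T09:11:00Z 10.1.2.7 bwu LOGIN_OK",
       "2014-09-04T09:12:00Z 10.1.2.7 bwu LOGIN_FAIL",
       "2014-09-04T09:13:00Z jdoe ACCESS_DENIED"]
)

if __name__ == "__main__":
    entries, bad = parse_entries(SAMPLE_LOG)
    print(f"{len(entries)} well-formed entries, {len(bad)} malformed: {bad}")
    for note in lockout_decisions(entries)[1]:
        print(note)
```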


Link to RTM document: https://docs.google.com/spreadsheets/d/1kmBn9ebRV8BgO3Yw3l3k8WjH0QjFALGUV4Zz-dBhmdA/edit?usp=sharing


References

Adam Hansen (2011). Securing Data in the Cloud & Hosted Environments. Retrieved from http://www.rackspace.com/blog/securing-data-in-the-cloud-hosted-environments/

Chris Conlon (2011). YaSSL - Securing MySQL. Retrieved from http://www.yassl.com/files/yassl_securing_mysql.pdf

Data Security Company to Support Transparent Data Encryption (2014). Retrieved from http://www.porticor.com/2014/08/data-security-company-support-transparent-data-encryption/

Gilad Parann-Nissany (2012). MySQL in the Cloud. MySQL Journal. Retrieved from http://mysql.ulitzer.com/node/2267908

Gilad Parann-Nissany (2012). Transparent Data Encryption in the Cloud. MySQL Journal. Retrieved from http://mysql.ulitzer.com/node/2216221

Gilad Parann-Nissany (2014). Encrypted Data in the Cloud? MySQL Journal. Retrieved from http://mysql.ulitzer.com/node/3174272

FIPS 140-2 (2001). Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules. May 2001.

FIPS 200 (2006). Minimum Security Requirements for Federal Information and Information Systems. March 2006.

Frank Topinka & Amy Jaffe (2013). Data Security. Retrieved from http://www.enxmag.com/2013_months/march2013/article_HowSecureIsYourDocument_32013.htm

Karen Scarfone, Murugiah Souppaya, Matt Sexton (2007). Guide to Storage Encryption Technologies for End User Devices. National Institute of Standards and Technology.

Kristy Westphal (2010). Secure MySQL Database Design. Retrieved from http://www.symantec.com/connect/articles/secure-mysql-database-design

MySQL 5.7 Reference Manual (2014). Security in MySQL. Retrieved from http://dev.mysql.com/doc/connectors/en/index.html

MySQL White Paper (2013). Guide to Scaling Web Databases with MySQL Cluster. Oracle Corporation.

MySQL White Paper (2013). MySQL Enterprise Edition Product Guide. Oracle Corporation.

MySQL Strategy Whitepaper (2014). A Guide to High Availability. Oracle Corporation.

NIST SP 800-53, Revision 3 (2009). Recommended Security Controls for Federal Information Systems and Organizations. August 2009.


NIST SP 800-111 (2007). Guide to Storage Encryption Technologies for End User Devices. November 2007.

http://wikibon.org/wiki/v/Technology_Risk_Management_for_Virtualized_Sourcing_Strategies


Appendixes

Exhibit 1


Exhibit 2
