Homework answers / question archive / Project 5: Database Security Assessment Modern health care systems incorporate databases for effective and efficient management of patient health care

Project 5: Database Security Assessment Modern health care systems incorporate databases for effective and efficient management of patient health care

Computer Science

Share With

Project 5: Database Security Assessment Modern health care systems incorporate databases for effective and efficient management of patient health care. Databases are vulnerable to cyberattacks and must be designed and built with security controls from the beginning of the life cycle. Although hardening the database early in the life cycle is better, security is often incorporated after deployment, forcing hospital and health care IT professionals to play catch-up. Database security requirements should be defined at the requirements stage of acquisition and procurement. System security engineers and other acquisition personnel can effectively assist vendors in building better health care database systems by specifying security requirements up front within the request for proposal (RFP). In this project, you will be developing an RFP for a new medical health care database management system. Parts of your deliverables will be developed through your learning lab. You will submit the following deliverables for this project: Deliverables • • An RFP, about 10 to 12 pages, in the form of a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations. There is no penalty for using additional pages. Include a minimum of six references. Include a reference list with the report. An MS-Excel spreadsheet with lab results. There are 11 steps in this project. You will begin with the workplace scenario and continue with Step 1: "Provide an Overview for Vendors." Step 1: Provide an Overview for Vendors As the contracting officer's technical representative (COTR), you are the liaison between your hospital and potential vendors. It is your duty to provide vendors with an overview of your organization. To do so, identify information about your hospital. Conduct independent research on hospital database management. Think about the hospital's different organizational needs. What departments or individuals will use the Security Concerns Common to All RDBMSs, and for what purposes? Provide an overview with the types of data that may be stored in the system and the importance of keeping these data secure. Include this information in the RFP. After the overview is complete, move to the next step to provide context for the vendors with an overview of needs. Step 2: Provide Context for the Work Now that you have provided vendors with an overview of your hospital's needs, you will provide the vendors with a context for the work needed. Since you are familiar with the application and implementation, give guidance to the vendors by explaining the attributes of the database and by describing the environment in which it will operate. Details are important in order for the vendors to provide optimal services. It is important to understand the vulnerability of a relational database management system (RDBMS). Read the following resources about RDBMSs. • • • • • • • error handling and information leakage insecure handling cross-site scripting (XSS/CSRF) flaws SQL injections insecure configuration management authentication (with a focus on broken authentication) access control (with a focus on broken access control) Describe the security concepts and concerns for databases. Identify at least three security assurance and security functional requirements for the database that contain information for medical personnel and emergency responders. Include this information in the RFP. In the next step, you will provide security standards for the vendors. Step 3: Provide Vendor Security Standards In the previous step, you added context for the needed work. Now, provide a set of internationally recognized standards that competing vendors will incorporate into the database. These standards will also serve as a checklist to measure security performance and security processes. Read the following resources to prepare: • • • • database models Common Criteria (CC) for information technology security evaluation evaluated assurance levels (EALs) continuity of service Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks. Include these security standards in the RFP. In the next step, you will describe defense models for the RFP. Step 4: Describe Defense Models Now that you have established security standards for the RFP, you will define the use of defense models. This information is important since the networking environment will have numerous users with different levels of access. Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles. To further your understanding, click the link and read about defensive principles. Read these resources on enclave computing environment: • • enclave/computing environment cyber operations in DoD policy and plans Explain how enclave computing relates to defensive principles. The network domains should be at different security levels, have different levels of access, and different read and write permissions. Define enclave computing boundary defense. Include enclave firewalls to separate databases and networks. Define the different environments you expect the databases to be working in and the security policies applicable. Provide this information in the RFP. In the next step, you will consider database defenses. Step 6: Provide a Requirement Statement for System Structure In the previous step, you identified defense requirements for the vendor. In this step of the RFP, you will focus on the structure of the system. Provide requirement statements for a web interface to: 1. Allow patients and other health care providers to view, modify, and update the database. 2. Allow integrated access across multiple systems. 3. Prevent data exfiltration through external media. State these requirements in the context of the medical database. Include this information in the RFP. In the next step, you will outline operating system security components. Step 7: Provide Operating System Security Components In the previous step, you composed requirement statements regarding the system setup. In this step, you will provide the operating system security components that will support the database and the security protection mechanisms. Read these resources on operating system security. Then: 1. Provide requirements for segmentation by operating system rings to ensure processes do not affect each other. 2. Provide one example of a process that could violate the segmentation mechanism. Ensure your requirement statements prevent such a violation from occurring. Specify requirement statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. In those specifications: 1. Describe the expected security gain from incorporating TPM. 2. Provide requirement statements that adhere to the trusted computing base (TCB) standard. 3. Provide examples of components to consider in the TCB. 4. Provide requirements of how to ensure protection of these components, such as authentication procedures and malware protection. Read the following resources to familiarize yourself with these concepts: • • trusted computing trusted computing base Include this information in the RFP. In the following step, you will write requirements for levels of security. Step 8: Write Requirements for Multiple Independent Levels of Security The previous step required you to identify operating system security components to support the database. For this step, you will focus on identification, authentication, and access. Access to the data is accomplished using security concepts and security models that ensure confidentiality and integrity of the data. Refer to access control and authentication to refresh your knowledge. The healthcare database should be able to incorporate multiple independent levels of security (MILS) because the organization plans to expand the number of users. Write requirement statements for MILS for your database in the RFP. 1. Include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, Bell-LaPadula Model, and the Chinese Wall Model. 2. Indicate any limitations for the application of these models. Read the following resources and note which cybersecurity models are most beneficial to your database: • • • multiple independent levels of security (MILS) cybersecurity models insecure handling Include requirement statements for addressing insecure handling of data. Include this information in your RFP. In the next step, you will consider access control. Step 9: Include Access Control Concepts, Capabilities In the previous step, you wrote requirements for multiple levels of security, including the topics of identification, authentication, and access. In this step, you will focus on access control. The vendor will need to demonstrate capabilities to enforce identification, authentication, access, and authorization to the database management systems. Include requirement statements in the RFP that the vendor must identify, the types of access control capabilities, and how they execute access control. Provide requirement statements for the vendor regarding access control concepts, authentication, and direct object access. Include the requirement statements in the RFP. In the next step, you will incorporate additional security requirements and request vendors to provide a test plan. Step 10: Include Test Plan Requirements In the previous step, you defined access control requirements. Here, you will define test plan requirements for vendors. Incorporate a short paragraph requiring the vendor to propose a test plan after reviewing these guidelines for a test and remediation results (TPRR) report. Provide requirements for the vendor to supply an approximate timeline for the delivery of technology. Step 11: Compile the RFP Document In this final step, you will compile the RFP for a secure health care database management system. Review the document to make sure nothing is missed before submission. Submit the following deliverables to your assignment folder. Deliverables • • An RFP, about 10 to 12 pages, in the form of a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations. There is no penalty for using additional pages. Include a minimum of six references. Include a reference list with the report. An MS-Excel spreadsheet with lab results. CST620 Project Checklist Student Name: Date: Project 1: Requires the Following THREE Pieces 1. Enterprise Key Management Plan (8 to 10 pages) 2. Enterprise Key Management Policy (2 to 3 pages, double-spaced) 3. Lab Experience Report with Screenshots Specific Details 1. Enterprise Key Management Plan (8-10 pages) Identify Components of Key Management Provide a high-level, top-layer network view (diagram) of the systems in Superior Health Care Identify data at rest, data in use, and data in motion. Identify where data are stored and how it’s accessed. Identify areas where insecure handling may be a concern for your organization. Identify Key Management Gaps, Risks, Solutions, and Challenges Incorporate and cite actual gaps in key management within your key management plan. Identify crypto attack and other risks to the cryptographic systems posed by these gaps. Propose solutions organizations may use to address these gaps and identify necessary components of these solutions. Identify challenges, including remedies, other organizations have faced in implementing a key management system Provide a summary table of the information within your key management plan. Provide Additional Considerations for the CISO Explain the uses of encryption and the benefits of securing communications by hash functions and other types of encryption. Evaluate and assess whether or not to incorporate file encryption full disc encryption, and partition encryption. Discuss the benefits of using DES, triple DES, or other encryption technologies. Describe the use and purpose of hashes and digital signatures in providing message authentication and integrity. Explain the use of cryptography and cryptanalysis in data confidentiality. Determine if it will be more effective to develop the SEs to perform these tasks, taking into consideration the need, cost, and benefits of adding cryptanalysts to the organization’s workforce. Discuss alternative ways for obtaining cryptanalysis if the organization chooses not to maintain this new skilled community in-house Explain the concepts and practices commonly used for data confidentiality: the private and public key protocol for authentication, public key infrastructure (PKI), the x.509 cryptography standard, and PKI security Analyze Cryptographic Systems Describe the cryptographic system, its effectiveness and efficiencies. Provide an analysis of the trade-offs of different cryptographic systems. Include information on Security index rating, Level of complexity, and Availability or utilization of system resources the possible complexity and expense of implementing and operating various cryptographic ciphers *****Enterprise key Management Plan Feedback***** 2. Enterprise key Management Policy (2-3 pages) Discuss Digital Certificates Discuss different scenarios and hypothetical situations the policy should address. Provide policy standards, guidance, and procedures that would be invoked by the enterprise key management policy using three scenarios *****Enterprise key Management Policy Feedback***** 3. Lab Experience Report with Screenshots Summarizes the Lab Experience and Findings Responds to the Questions Provides Screenshots of Key Results *****Lab Experience Report Feedback***** Areas to Improve CST620 Project Checklist Student Name: Date: Project 2: Requires the Following THREE Pieces 1. Malicious Network Activity Report (8 to 10 pages) 2. Joint Network Defense Bulletin (1 to 2 pages, double-spaced) 3. Lab Experience Report with Screenshots Specific Details 1. Malicious Network Activity Report (8 to 10 pages) Create a Network Architecture Overview Describe the various data transmission components including User Datagram Protocol (UDP) Transmission Control Protocol/Internet Protocol (TCP/IP) Internet packets IP Address Schemes WellKnown Ports and Applications Address the meaning and relevance of: The sender or source that transmits a message The encoder used to code messages The medium or channel that carries the message The decoding mechanisms used The receiver or destination of the messages Describe: Intrusion detection system (IDS), The intrusion prevention system (IPS) The firewalls that have been established The link between the operating systems, the software, and hardware components in the network, firewall, and IDS that make up the network defense implementation of the banks’ networks. Identify: How banks use firewalls. How banks use IDSs The difference between these technologies Include: The network infrastructure information The IP address schemes which will involve the IP addressing assignment model The public and private addressing and address allocations Identify potential risks in setting up the IP addressing scheme Identify: Any well-known ports and applications that are used The risks associated with those ports and applications being identified and possibly targeted Identify Network Attacks Provide techniques for monitoring the identified attacks Propose and describe a honeypot environment to lure hackers to the network and include the following in your proposal: Explain how a honeypot environment is set up. Explain the security and protection mechanisms a bank would need for a honeypot. Discuss some network traffic indicators that will tell you that your honeypot trap is working. Identify False Negatives and False Positives Identify what are false positives and false negatives Discuss how false positives and false negatives are determined? Discuss how false positives and false negatives tested? Which is riskier to the health of the network, a false positive or a false negative? Describe your analysis about testing for false negatives and false positives using tools such as IDSes and firewalls, Discuss the concept of performing statistical analysis of false positives and false negatives. Explain how banks can reduce these issues. *****1. Malicious Network Activity Report Feedback***** 2. Joint Network Defense Bulletin Create the Joint Network Defense Bulletin Compile the information you have gathered, taking care to eliminate any sensitive bank specific information Bulletin should be addressed to the FBI Chief and the FS-ISAC representative. *****2. Joint Network Defense Bulletin Feedback***** 3. Lab Experience Report Summarizes the Lab Experience and Findings Responds to the Questions Provides Screenshots of Key Results *****3. Lab Experience Report Feedback***** Areas to Improve CST620 Project Checklist Student Name: Date: Project 3: Requires the Following TWO Pieces 1. Threat Model Report: (8 to 10 pages) 2. Lab Experience Report with Screenshots Specific Details 1. Threat Model Report: (8 to 10 pages) Describe Your Mobile Application Architecture a) Describe device-specific features used by the application, wireless transmission protocols, data transmission media, interaction with hardware components, and other applications. b) Identify the needs and requirements for application security, computing security, and device management and security. c) Describe the operational environment and use cases. d) Identify the operating system security and enclave/computing environment security concerns, if there are any. Include an overview of topics such as mobile platform security, mobile protocols and security, mobile security vulnerabilities, and related technologies and their security, in your report. Include the Mobile Application considerations that are relevant to your mobile application What is the design of the architecture (network infrastructure, web services, trust boundaries, third-party APIs, etc.)? What are the common hardware components? What are the authentication specifics? What should or shouldn't the app do? Define the Requirements for Your Mobile Application What is the business function of the app? What data does the application store/process (provide data flow diagram)? The diagram outlines network, device file system, and application data flows How are data transmitted between third-party APIs and app(s)? Will there be remote access and connectivity? Read this resource about mobile VPN security, and include any of these security issues in your report. Are there different data-handling requirements between different mobile platforms? (iOS/Android/Blackberry/Windows/J2ME) Does the app use cloud storage APIs (e.g., Dropbox, Google Drive, iCloud, Lookout) for device data backups Is there specific business logic built into the app to process data? What does the data give you (or an attacker) access to? Think about data at rest and data in motion as they relate to your app. Do stored credentials provide authentication? Do stored keys allow attackers to break crypto functions (data integrity)? Are third-party data being stored and/or transmitted? What are the privacy requirements of user data? Consider, for example, a unique device identifier (UDID) or geolocation being transmitted to a third party. Are there user privacy-specific regulatory requirements to meet? How do other data on the device affect the app? Consider, for example, authentication credentials shared between apps. Compare between jailbroken (i.e., a device with hacked or bypassed digital rights software) and nonjailbroken devices. How do the differences affect app data? This can also relate to threat agent identification. Identify Threats and Threat Agents Identify possible threats to the mobile application and Threat agents Outline the process for defining what threats apply to your mobile application Does personal data intermingle with corporate data? Identify Methods of Attack Provide senior management an understanding of the possible methods of attack of your app. Controls What are the controls to prevent an attack? Conduct independent research, then define these controls by platform (e.g., Apple iOS, Android, Windows Mobile, BlackBerry). What are the controls to detect an attack? Define these controls by platform. What are the controls to mitigate/minimize impact of an attack? Define these controls by platform. What are the privacy controls (i.e., controls to protect users’ private information)? An example of this would be a security prompt for users to access an address book or geolocation. *******Threat Model Report Feedback******* 2. Lab Experience Report Summarizes the Lab Experience and Findings Responds to the Questions Provides Screenshots of Key Results *******Lab Experience Report Feedback****** Areas to Improve CST620 Project Checklist Student Name: Date: Project 4: Requires the Following ONE Piece 1. Life Cycle Management Report (10 to 15 pages) Specific Details 1. Life Cycle Management Report (10 to 15 pages) Initiating the Project and Defining Its Scope Choose a fictional or actual organization. Describe the mission of the organization and the business need to move to a cloud environment. Identify the scope of the security architecture and include a topology. Focus on issues the application security engineers can control. Examples of topology include Amazon Web services, Generic Hadoop, Map-r, Cloudera, or MS Azure. Combine security development lifecycle and software development lifecycle methodologies. Consider what model you are following such as Waterfall, Spiral, Agile, and Extreme Programming. Address confidentiality, integrity, and availability requirements for data at rest and data in transit. Where in the system are the data most vulnerable? Describe the concepts and products you chose and explain why these were chosen. Include possible software and hardware components as well as an operating system and the security protections needed for those components. Begin Functional Analysis and Design—Use SQUARE for Requirements Information Gathering Identify the SQUARE process and provide an overview of how to collect requirements for the security technology and/or techniques that are being proposed. Learning Different Ways to Secure Data in the Cloud Include a discussion about securing data in the cloud Provide Analysis and Planning forencryption, Evaluating Technologies Compare different technologies and techniques, including access control, and other techniques. Consider their efficiency, effectiveness, and other factors that may affect the security of the data in the cloud Conclude which is generally a better, stronger technique and why. Create System Design Specifications Conduct independent research on system design specifications and propose a set of design specifications that meet the design requirements. Explain the Software Development Plan Identify different design and development considerations for the system Provide a Plan for Testing and Integration Include testing for software functions as well as compatibility with other software that may exist on those devices. Include cloud data transactions as well as data transactions outside the cloud Provide research and justification for applying data confidentiality and data integrity protections Consider examples of technologies and/or techniques that can be used to protect the data in transit. Provide the expected results from implementing these technologies and/or techniques. Adapt and Deploy Software as a Service Provide a description of the SaaS adaptation and deployment strategy in the final report. Include a deployment strategy for the SaaS cloud infrastructure. Discuss cloud topology where these techniques are employed Various techniques used by various components Provide a Plan for Operations and Maintenance Prepare a plan for operations and maintenance of the system which includes: An auditing plan to assess the strength of the security controls for the data in transit. A process for continuous monitoring of the data in transit. Create a Disposal Plan Prepare a disposal plan for the system including tools and techniques used for disposal *******Life Cycle Management Report Feedback******* Areas to Improve CST620 Project Checklist Student Name: Date: Project 5: Requires the Following Two Pieces 1. An RFP (10 to 12 pages) 2. An MS-Excel spreadsheet with lab results Specific Details 1. An RFP (10 to 12 pages) Provide an Overview for Vendors Provide vendors with an overview of your organization Identify which departments or individuals will use the Security Concerns Common to All RDBMS, and for what purposes Include the types of data that may be stored in the system and the importance of keeping these data secure Provide Context for the Work Explain the attributes of the database and describe the environment in which it will operate Describe the security concepts and concerns for databases Identify at least three security assurance and security functional requirements for the database that contain information for medical personnel and emergency responders Vendor Standards Provide a set of internationallyProvide recognized standardsSecurity that competing vendors will incorporate into the database Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks Describe Defense Models Define the use of defense models Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles Explain the importance of understanding these principles Explainenclave how enclave computing relates to defensive Define computing boundary defense, includeprinciples. enclave firewalls to separate databases and networks. Define the different environments you expect the databases to be working in and the security policies applicable Explore Database Defensive Methods Include information about threats, risks, and possible recommendation strategies to these threats. Requirement for System Structure State requirement Provide statementsafor a web interfaceStatement to do the following, all in the context of the medical database a) Allow patients and other healthcare providers to view, modify, and update the database. b) Allow integrated access across multiple systems. c) Prevent data exfiltration through external media. Provide Operating System Security Components Provide requirements for segmentation by operating system rings to ensure processes do not affect each other Provide one example of a process that could violate the segmentation mechanism. Ensure your requirement statements prevent such a violation from occurring. Specify requirement statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. Include the specifications below Describe the expected security gain from incorporating TPM. Provide requirement statements that adhere to the trusted computing base (TCB) standard. Provide examples of components to consider in the TCB. Provide requirements of how to ensure protection of these components, such as authentication procedures and malware protection. Write Requirements for Multiple Independent Levels of Security Write requirement statements for MILS for your database in the RFP. Include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, BellLaPadula Model, and the Chinese Wall Model. Indicate any limitations for the application of these models. Include requirement statements for addressing insecure handling of data. Include Access Control Concepts, and Capabilities Include requirement statements in the RFP that the vendor must identify, the types of access control capabilities, and how they execute access control. Provide requirement statements for the vendor regarding access control concepts, authentication, and direct object access. Include Test Plan Requirements Incorporate a short paragraph requiring the vendor to propose a test plan Provide requirements for the vendor to supply an approximate timeline for the delivery of technology. *******RFP Feedback******* 2. An MS-Excel spreadsheet with lab results Summarizes the Lab Experience and Findings and respond to the questions Provides Screenshots of key results and attach your MS-Excel spreadsheet with lab results *******MS-Excel spreadsheet with lab results Feedback****** Areas to Improve Access Control 1 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Learning Topic Access Control Dover Castle Dover castle, built by King Henry II, was a way to control physical access. Author: Jake Keup. Source: Wikimedia Commons. License: CC BY 2.0. Access control is the process by which permissions are granted for given 4/24/2021, 8:45 PM Access Control 2 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... resources. Access control can be physical (e.g., locked doors accessed using various control methods) or logical (e.g., electronic keys or credentials). There are several access control models, to include: Role?based access control: Access is granted based on individual roles. Mandatory access control: Access is granted by comparing data sensitivity levels with user sensitivity access permissions. Attribute?based access control: Access is granted based on assigned attributes. Discretionary access control: Access is granted based on the identity and/or group membership of the user. The access control model used is determined based on the needs of the organization. To determine the best model, a risk assessment should be performed to determine what threats might be applicable. This information is then used to assess which model can best protect against the threats. 4/24/2021, 8:45 PM Access Control 3 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Resources Required Technological Safeguards (https://lti.umgc.edu /contentadaptor/topics/byid/4fb7de4e? 64e9?4084?83c8?152930d1d965) ID Management Issues and Requirements (https://lti.umgc.edu/contentadaptor/topics/byid/a8963bea? 7cba?47b9?8be1?ccffc7faecad) NIST 800?53v4 (https://lti.umgc.edu/contentadaptor/topics /byid/ead48b84?8dbd?4279?9093?1456c7a70e14) (Pages F?7 through F?36) An Introduction to Role?Based Access Control (https://lti.umgc.edu/contentadaptor/topics /byid/5aefed15?9929?458a?b849?26a1497b7c66) Attribute?Based Access Control (https://lti.umgc.edu /contentadaptor/topics/byid/ae4cebd4?4980?41b0?9a6b? 76dade047866) Database Security & Access Control Models: A Brief Overview (https://lti.umgc.edu/contentadaptor/topics /byid/ac02a03d?a4e6?4f74?8dec?48f61011c459) Access Control as a Service for the Cloud (https://lti.umgc.edu/contentadaptor/topics/byid/7fa422b2? f0af?405d?af24?5d2963508871) Security Information in Production and Operations: A Study on Audit Trails in Database Systems (https://lti.umgc.edu /contentadaptor/topics/byid/1ef6dbbc?fba8?4fbd? 8ad0?5178cdc34d5f) State?of?the?Art Authentication, Access Control, and Secure 4/24/2021, 8:45 PM Access Control 4 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Integration in Smart Grid (https://lti.umgc.edu /contentadaptor/topics/byid/9df7318a?edca?4067? bbde?7144f57ff592) RFID Privacy Risk Evaluation Based on Synthetic Method of Extended Attack Tree and Information Feature Entropy (https://lti.umgc.edu/contentadaptor/topics/byid/dd96b7d4? dae3?4d2c?8026?c1c547dd1cde) Broken Access Control (https://lti.umgc.edu/contentadaptor /topics/byid/357e6164?2ea5?4a79?b42e?cb65ff7aec79) Web Application Security (https://lti.umgc.edu/contentadaptor /topics/byid/53483274?77d9?47c8?9899?c71f56b14d52) Recommended Trust?Based Access Control Model From Sociological Approach in Dynamic Online Social Network Environment (https://lti.umgc.edu/contentadaptor/topics/byid/b435114b? 1415?43d9?89a4?2b9d2e9e46f4) Dynamic Access Control Model for Security Client Services in Smart Grid (https://lti.umgc.edu/contentadaptor/topics /byid/13f6ed4d?8d36?444b?a3e3?f9b76ced1719) RFID Security Issues (https://lti.umgc.edu/contentadaptor /topics/byid/f46e4e18?85d6?4e32?a2a2?6b8d641404fa) Assessment of Access Control Systems (https://lti.umgc.edu /contentadaptor/topics/byid/f9ac97c2?1d65?4c8a?955f? ac738a1305ce) A Survey of Access Control Models (https://lti.umgc.edu /contentadaptor/topics/byid/4f659aa4?0815?4030? ae69?3119e0814543) Cloud Multidomain Access Control Model Based on Role and Trust?Degree (https://lti.umgc.edu/contentadaptor/topics 4/24/2021, 8:45 PM Access Control 5 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... /byid/9af7f492?ac89?4c7a?992f?b4796cf3196e) Using Security Labels for Directory Access Control & Replication Control (https://lti.umgc.edu/contentadaptor /topics/byid/dd208227?cb08?4870?b88d?c32e37411458) OWASP Top 10 for .NET Developers Part 3: Broken Authentication and Session Management (https://lti.umgc.edu/contentadaptor/topics /byid/2bf14b05?806e?4eaf?b394?f4077306913e) 4/24/2021, 8:45 PM Access Control 6 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Check Your Knowledge Choose the best answer to each question: Question 1 When a user can dynamically (or selectively) assign privileges for other users of the system, this is called which of the following access control models? SoD MAC RBAC DAC Question 2 When a retail company places access control policies in place for its cashiers, it has implemented which of the following types of policies? role?based policy identity?based policy mandatory access policy separation of duties policy Question 3 4/24/2021, 8:45 PM Access Control 7 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... A sensitivity level attached to an object must contain which of the following in mandatory access control? the item's classification the item's classification and category set the item's category the item's need to know Question 4 When controlling access to an object by a subject, security professionals must set up access rules. The following are the three access control models that can be used to set up these rules. mandatory, discretionary, nondiscretionary role?based, identity?based, attribute?based MAC, DAC, RBAC none of the above Question 5 Rule?based access control (RuBAC) access is determined by rules that are in which of the following categories? discretionary access control (DAC) role?based access control (RBAC) 4/24/2021, 8:45 PM Access Control 8 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... nondiscretionary access control (NDAC) identity?based access control Question 6 Which of the following is the category with rules that are not established by user preferences and can only be changed administratively? nondiscretionary access control discretionary access control mandatory access control system?based access control Question 7 Which of the following is true of the mandatory access control environment? The system or security administrator will define the permissions for subjects. The administrator does not dictate the user's access. The administrator configures the proper level of access as dictated by the data. all of the above Question 8 4/24/2021, 8:45 PM Access Control 9 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Which of the following is defined as the dominance relationship of the MAC system? The security clearance of the subject is reviewed and compared with the object sensitivity level or classification level. The security clearance of the subject is not important because the system provides authorization. The security clearance of the subject is compared with the separation of duties policy, and access is provided. The security clearance of the subject has to be at the highest level of top secret. Question 9 Which of the following is not an access control technique? remote access controls discretionary access control mandatory access control role?based access control Question 10 In some access control models, the data owner or resource owner can specify access to resources based on identity. Which of the following access control models does this describe? 4/24/2021, 8:45 PM Access Control 10 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... discretionary access control mandatory access control identity?based access control rule?based access control Question 11 As the name implies, which of the following access control models is an example of DAC based on the characteristic of the user? role?based access control rule?based access control identity?based access control mandatory access control Licenses and Attributions Chapter Twelve: Western Europe and Byzantium circa 1000?1500 CE (https://open.umn.edu/opentextbooks/textbooks/world?history? cultures?states?and?societies?to?1500) from World History: Cultures, States, and Societies to 1500 by Berger et al. is available under a Creative Commons Attribution?ShareAlike 4.0 International (https://creativecommons.org/licenses/by?sa/4.0/) license. UMUC has modified this work and it is available under the original license. 4/24/2021, 8:45 PM Access Control 11 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... © 2021 University of Maryland Global Campus All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites. 4/24/2021, 8:45 PM Authentication 1 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Learning Topic Authentication Authentication is the process by which credentials are presented and validated to enable access. There are a number of different methods of authentication. Passwords are the most common type of authentication and are usually coupled with user identification (user IDs). Tokens and certificates are often used in place of passwords to provide a higher level of security. Tokens can contain unique identifiers (e.g., digital signatures or keys). Tokens can also store biometric data—for example, fingerprints. There are several different types of combinations of authentication. Higher levels of security are generally associated with more levels of authentication (multifactor). For example, two?factor authentication might include a token and a password. Kerberos is a protocol for authentication made up of two components: a ticket (distributed by a service) for user authentication and a key that is developed from the user's password. Another authentication scheme is the Challenge?Handshake Authentication Protocol (CHAP), which uses a representation (hash) of the user's password to authenticate. 4/24/2021, 8:44 PM Authentication 2 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Resources Required NIST Special Publication 800?57 Part 1 (https://doi.org/10.6028/NIST.SP.800?57pt1r5) How to Authenticate Users with API Keys (/content /umuc/tgs/cst/cst620/2212/learning?resource? list/how?to?authenticate?users?with?api? keys.html?ou=546459) Has the Time Come to Kill the Password? (/content /umuc/tgs/cst/cst620/2212/learning?resource? list/has?the?time?come?to?kill?the? password?.html?ou=546459) Key Management Cheat Sheet (/content/umuc/tgs /cst/cst620/2212/learning?resource?list/key? management?cheat?sheet.html?ou=546459) User Authentication with OAuth 2.0 (/content /umuc/tgs/cst/cst620/2212/learning?resource? list/user?authentication?with?oauth? 2?0.html?ou=546459) Centralized Authentication Using OpenLDAP (/content/umuc/tgs/cst/cst620/2212/learning? resource?list/centralized?authentication?using? openldap.html?ou=546459) Message Authentication Codes (/content /dam/course?content/tgs/cst/cst?620/document /MessageAuthenticationCodes.pdf?ou=546459) Recommended 4/24/2021, 8:44 PM Authentication 3 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Production Best Practices: Security (/content /umuc/tgs/cst/cst620/2212/learning?resource? list/production?best?practices?? security.html?ou=546459) Broken Authentication and Session Management (/content/umuc/tgs/cst/cst620/2212/learning? resource?list/broken?authentication?and?session? management.html?ou=546459) Message Authentication and Source Privacy in Wireless Networks (/content/dam/course?content /tgs/cst/cst?620/document /MessageAuthenticationandSourcePrivacyinWireles sNetworks.pdf?ou=546459) Biometrics (/content/umuc/tgs/cst/cst620 /2212/learning?resource? list/biometrics.html?ou=546459) Security How?To: WPA2?Enterprise on Your Home Network (/content/dam/course?content/tgs/cst /cst?620/document/SecurityHow?ToWPA2? EnterpriseonYourHomeNetwork.pdf?ou=546459) Protecting Your System: User Access Security (/content/dam/course?content/tgs/cst/cst?620 /document /ProtectingYourSystem_UserAccessSecurity.pdf?ou =546459) Authentication (/content/umuc/tgs/cst/cst620 /2212/learning?resource? list/authentication.html?ou=546459) Toward Secure and Dependable Message Authentication in WSN (/content/dam/course? content/tgs/cst/cst?620/document 4/24/2021, 8:44 PM Authentication 4 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... /TowardsSecureandDependableMessageAuthentica tioninWSN.pdf?ou=546459) OWASP Top 10 for .NET Developers Part 3: Broken Authentication and Session Management (/content /umuc/tgs/cst/cst620/2212/learning?resource? list/owasp?top?10?for??net?developers? part?3??broken?authentication?a.html?ou=546459) Activity: Message Authentication (https://lti.umgc.edu/contentadaptor/topics /byid/1a09f264?6674?48f6?ba08?52e0c55afc0c) Authentication Summary (https://lti.umgc.edu /contentadaptor/topics /byid/d05f43a3?3951?4be4?93a0?19f898aa2b41) Multifactor Authentication Overview (https://lti.umgc.edu/contentadaptor/topics /byid/1570b4eb?fc1e?4a09?baef?aa627f537e19) Authentication and Information Assurance (https://lti.umgc.edu/contentadaptor/topics /byid/80eae6bf?8f7b?4033?9004?aa5b9e08c62b) 4/24/2021, 8:44 PM Authentication 5 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Check Your Knowledge Choose the best answer to each question: Question 1 Which of the following is the least secure password that can be enhanced by the use of a token to supply better security? one?time password static password dynamic password passphrase password Question 2 When a message is encrypted, it provides for which of the following? confidentiality nonrepudiation authentication authorization Question 3 If you digitally sign a message, which of the following are 4/24/2021, 8:44 PM Authentication 6 of 11 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... covered? authentication nonrepudiation integrity all of the above Question 4 When employees access the company network via remote access, which of the following provides the most reliable authentication? virtual private networks synchronous token with a one?time password asynchronous token with a one?time password both synchronous tokens and asynchronous tokens with one?time passwords Question 5 Point?to?point authentication protocols include which of the following? EAP (Extensible Authentication Protocol) CHAP (Challenge Handshake Authentication Protocol) PAP (Password Authentication Protocol) 4/24/2021, 8:44 PM Cross-Site Scripting (XSS/CSRF) Flaws 1 of 2 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Learning Topic Cross?Site Scripting (XSS/CSRF) Flaws Cross?site scripting (XSS) refers to injection of malicious scripts on trusted websites. XSS enables attackers to inject client?side script into web pages viewed by other users. For example, imagine a victim is using a web application (e.g., email or an e?commerce site) and is currently logged in to the account. If malicious code is present while the victim is logged in, that code sends the session information to the attacker's email account. The attacker can then tap into the user's session and log in while the victim is still using the application. This is an example of session hijacking using XSS. Since XSS flaws are common in current web applications, the vulnerabilities are used by attackers to get unauthorized access to sensitive data. 4/24/2021, 8:43 PM Cross-Site Scripting (XSS/CSRF) Flaws 2 of 2 https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t... Resources Required You Know About XSS. How About XSRF/CSRF? (/content/umuc/tgs/cst/cst620/2212/learning? resource?list/you?know?about?xss??how?about?xsrf? csrf?.html?ou=546459) Threats, Controls, and Countermeasures (https://coursecontent.umgc.edu/umgc/shareable? content/tata/CSEC645/CSEC645_m08/index.html) © 2021 University of Maryland Global Campus All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites. 4/24/2021, 8:43 PM