Bella Capelli Academy Mobile Application Threat Modeling Project - Programming
Project 3 is 8 pages. Project 5 is 10 pages. Details are attached below.
project_3_instructions.docx
umgc_cst_620_project_5.docx
Project 3: Mobile Application Threat Modeling
Threat Model Report: An eight- to 10-page double-spaced Word document with citations
in APA format. The report should include your findings and any recommendations for
mitigating the threats found. The page count does not include figures, diagrams, tables, or
citations.
Threat modeling begins with a clear understanding of the system in question. There are
several areas to consider when trying to understand threats to an application. The areas of
concern include the mobile application structure, the data, identifying threat agents and
methods of attack, and controls to prevent attacks. The threat model should be created with an
outline or checklist of items that need to be documented, reviewed, and discussed when
developing a mobile application.
In this project, you will create a threat model. There are seven steps that will lead you through
this project, beginning with the scenario as it might occur in the workplace, and continuing
with Step 1: “Describe Your Mobile Application Architecture.” Most steps in this project
should take no more than two hours to complete, and the project as a whole should take no
more than two weeks to complete.
The following are the deliverables for this project:
Step 1: Describe Your Mobile Application Architecture
In your role as a cyber threat analyst, senior management has entrusted you to identify how a
particular mobile application of your choosing conforms to mobile architecture standards.
You are asked to:
1. Describe device-specific features used by the application, wireless transmission
protocols, data transmission media, interaction with hardware components, and other
applications.
2. Identify the needs and requirements for application security, computing security, and
device management and security.
3. Describe the operational environment and use cases.
4. Identify the operating system security and enclave/computing environment security
concerns, if there are any.
This can be fictional or modeled after a real-world application. This will be part of your final
report. Click the following links and review the topics and their resources. These resources
will guide you in completing this task:
• network security threats
• threat modeling
• mobile architectures
• application security
• operating system security
• enclave/computing environment
Begin by first reviewing the OWASP Mobile Security Project Testing Guide.
Architecture Considerations
Although mobile applications vary in function, they can be described in general as follows:
• wireless interfaces
• transmission type
• hardware interaction
• interaction with on-device applications/services
• interaction with off-device applications/services
• encryption protocols
• platforms
In Section 1 of your research report, you will focus your discussion on the security threats,
vulnerabilities, and mitigations of the above considerations.
The following resources will continue to educate your management about mobile devices and
mobile application security: mobile platform security, mobile protocols and security, mobile
security vulnerabilities, and related technologies and their security. Related technologies can
include the hardware and software needed to interoperate with mobile devices and mobile
applications.
Include an overview of these topics in your report.
Use Mobile Application and Architecture Considerations to review the architectural
considerations for mobile applications and architecture. Then, include those that are relevant
to your mobile application in your report to senior management. Address the following
questions:
1. What is the design of the architecture (network infrastructure, web services, trust
boundaries, third-party APIs, etc.)?
2. What are the common hardware components?
3. What are the authentication specifics?
4. What should or shouldn't the app do?
You will include this information in your report.
When you have completed the work for Section 1, describing the architecture for your app,
move on to the next step, where you will define the requirements for the app.
Step 2: Define the Requirements for Your Mobile Application
In the previous step, you described your app’s architecture. In Step 2, you will define what
purpose the mobile app serves from a business perspective and what data the app will store,
transmit, and receive. Include a data flow diagram showing exactly how data are handled
and managed by the application. You can use fictional information or model it after a real-world application. Here are some questions to consider as you define your requirements:
1. What is the business function of the app?
2. What data does the application store/process? (provide data flow diagram)
a. This diagram should outline network, device file system, and application data
flows
b. How are data transmitted between third-party APIs and app(s)?
c. Will there be remote access and connectivity? Read this resource about mobile
VPN security, and include any of these security issues in your report.
d. Are there different data-handling requirements between different mobile
platforms? (iOS/Android/Windows/J2ME)
e. Does the app use cloud storage APIs (e.g., Dropbox, Google Drive, iCloud,
Lookout) for device data backups?
f. Does personal data intermingle with corporate data?
g. Is there specific business logic built into the app to process data?
3. What does the data give you (or an attacker) access to? Think about data at
rest and data in motion as they relate to your app.
a. Do stored credentials provide authentication?
b. Do stored keys allow attackers to break crypto functions (data integrity)?
4. Are third-party data being stored and/or transmitted?
a. What are the privacy requirements of user data? Consider, for example, a
unique device identifier (UDID) or geolocation being transmitted to a third
party.
b. Are there user privacy-specific regulatory requirements to meet?
5. How do other data on the device affect the app? Consider, for example, authentication
credentials shared between apps.
6. Compare between jailbroken (i.e., a device with hacked or bypassed digital rights
software) and nonjailbroken devices.
a. How do the differences affect app data? This can also relate to threat agent
identification.
In this step, you defined the app’s requirements. Move to the next step, where you will
identify any threats to the app’s operation.
Step 3: Identify Threats and Threat Agents
Now that you have identified the mobile app’s requirements, you will define its threats.
In Section 3 of the report, you will:
1. Identify possible threats to the mobile application
a. Identify the threat agents
2. Outline the process for defining what threats apply to your mobile application
Review this threat agent identification example resource.
Review this list of threat agents.
After you have identified threats and threat agents, move to the next step, where you will
consider the ways an attacker might reach your app’s data.
Step 4: Identify Methods of Attack
In the previous step, you identified threat agents. In this step and in Section 4 of the report,
you will identify different methods an attacker can use to reach the data. These data can be
sensitive information to the device or something sensitive to the app itself.
Read these resources on cyberattacks.
Provide senior management an understanding of the possible methods of attack of your app.
When you have identified the attack methods, move to the next step, where you will analyze
threats to your app.
Step 5: Consider Controls
You have identified the methods of attack, and now you will discuss the controls to prevent
attacks. Consider the following questions:
Note: Not all of the following may apply. You will address only the areas that apply to the
application you have chosen.
• What are the controls to prevent an attack? Conduct independent research and then
define these controls by platform (e.g., Apple iOS, Android, Windows Mobile).
• What are the controls to detect an attack? Define these controls by platform.
• What are the controls to mitigate/minimize impact of an attack? Define these controls
by platform.
• What are the privacy controls (i.e., controls to protect users’ private information)? An
example of this would be a security prompt for users to access an address book or
geolocation.
• Create a mapping of controls to each specific method of attack (defined in the previous
step).
    o Create a level of assurance framework based on controls implemented. This
    would be subjective to a certain point, but it would be useful in guiding
    organizations that want to achieve a certain level of risk management based on
    the threats and vulnerabilities.
UMGC CST 620
Project 5: Database Security Assessment
Modern health care systems incorporate databases for effective and efficient management of
patient health care. Databases are vulnerable to cyberattacks and must be designed and built
with security controls from the beginning of the life cycle.
Although hardening the database early in the life cycle is better, security is often incorporated
after deployment, forcing hospital and health care IT professionals to play catch-up. Database
security requirements should be defined at the requirements stage of acquisition and
procurement.
System security engineers and other acquisition personnel can effectively assist vendors in
building better health care database systems by specifying security requirements up front
within the request for proposal (RFP). In this project, you will be developing an RFP for a
new medical health care database management system.
Parts of your deliverables will be developed through your learning lab. You will submit the
following deliverables for this project:
Deliverables
• An RFP, about 10 to 12 pages, in the form of a double-spaced Word document with
citations in APA format. The page count does not include figures, diagrams, tables, or
citations. There is no penalty for using additional pages. Include a minimum of six
references. Include a reference list with the report.
Step 1: Provide an Overview for Vendors
As the contracting officer's technical representative (COTR), you are the liaison between your
hospital and potential vendors. It is your duty to provide vendors with an overview of your
organization. To do so, identify information about your hospital. Conduct independent
research on hospital database management. Think about the hospital's different organizational
needs. What departments or individuals will use the database, and for what purposes? (See
also Security Concerns Common to All RDBMSs.)
Provide an overview with the types of data that may be stored in the system and the
importance of keeping these data secure. Include this information in the RFP.
After the overview is complete, move to the next step to provide context for the vendors with
an overview of needs.
Step 2: Provide Context for the Work
Now that you have provided vendors with an overview of your hospital's needs, you will
provide the vendors with a context for the work needed.
Since you are familiar with the application and implementation, give guidance to the vendors
by explaining the attributes of the database and by describing the environment in which it will
operate. Details are important in order for the vendors to provide optimal services.
It is important to understand the vulnerability of a relational database management system
(RDBMS). Read the following resources about RDBMSs.
• error handling and information leakage
• insecure handling
• cross-site scripting (XSS/CSRF) flaws
• SQL injections
• insecure configuration management
• authentication (with a focus on broken authentication)
• access control (with a focus on broken access control)
Describe the security concepts and concerns for databases.
Identify at least three security assurance and security functional requirements for the database
that contain information for medical personnel and emergency responders.
Include this information in the RFP.
In the next step, you will provide security standards for the vendors.
Step 3: Provide Vendor Security Standards
In the previous step, you added context for the needed work. Now, provide a set of
internationally recognized standards that competing vendors will incorporate into the
database. These standards will also serve as a checklist to measure security performance and
security processes.
Read the following resources to prepare:
• database models
• Common Criteria (CC) for information technology security evaluation
• evaluated assurance levels (EALs)
• continuity of service
Address the concepts and issues with respect to disasters and disaster recovery, mission
continuity, threats, and cyberattacks.
Include these security standards in the RFP.
In the next step, you will describe defense models for the RFP.
Step 4: Describe Defense Models
Now that you have established security standards for the RFP, you will define the use of
defense models. This information is important since the networking environment will have
numerous users with different levels of access.
Provide requirements in the RFP for the vendor to state its overall strategy for defensive
principles. Explain the importance of understanding these principles. To further your
understanding, click the link and read about defensive principles.
Read these resources on enclave computing environment:
• enclave/computing environment
• cyber operations in DoD policy and plans
Explain how enclave computing relates to defensive principles. The network domains should
be at different security levels, have different levels of access, and different read and write
permissions.
Define enclave computing boundary defense.
Include enclave firewalls to separate databases and networks.
Define the different environments you expect the databases to be working in and the security
policies applicable.
Provide this information in the RFP.
In the next step, you will consider database defenses.
Step 5: Provide a Requirement Statement for System Structure
In the previous step, you identified defense requirements for the vendor. In this step of the
RFP, you will focus on the structure of the system.
Provide requirement statements for a web interface to:
1. Allow patients and other health care providers to view, modify, and update the
database.
2. Allow integrated access across multiple systems.
3. Prevent data exfiltration through external media.
State these requirements in the context of the medical database. Include this information in the
RFP.
In the next step, you will outline operating system security components.
Step 6: Provide Operating System Security Components
In the previous step, you composed requirement statements regarding the system setup. In this
step, you will provide the operating system security components that will support the database
and the security protection mechanisms.
Read these resources on operating system security. Then:
1. Provide requirements for segmentation by operating system rings to ensure processes
do not affect each other.
2. Provide one example of a process that could violate the segmentation mechanism.
Ensure your requirement statements prevent such a violation from occurring.
Specify requirement statements that include a trusted platform module (TPM), in which a
cryptographic key is supplied at the chip level. In those specifications:
1. Describe the expected security gain from incorporating TPM.
2. Provide requirement statements that adhere to the trusted computing base (TCB)
standard.
3. Provide examples of components to consider in the TCB.
4. Provide requirements of how to ensure protection of these components, such as
authentication procedures and malware protection.
Read the following resources to familiarize yourself with these concepts:
• trusted computing
• trusted computing base
Include this information in the RFP.
In the following step, you will write requirements for levels of security.
Step 7: Write Requirements for Multiple Independent Levels of Security
The previous step required you to identify operating system security components to support
the database. For this step, you will focus on identification, authentication, and access. Access
to the data is accomplished using security concepts and security models that ensure
confidentiality and integrity of the data. Refer to access control and authentication to refresh
your knowledge.
The healthcare database should be able to incorporate multiple independent levels of security
(MILS) because the organization plans to expand the number of users.
Write requirement statements for MILS for your database in the RFP.
1. Include the definitions and stipulations for cybersecurity models, including the Biba
Integrity Model, Bell-LaPadula Model, and the Chinese Wall Model.
2. Indicate any limitations for the application of these models.
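The following is an added worked example, not part of the course materials or the assignment, that shows how the three models named above behave as reference-monitor checks for the medical database. The confidentiality levels, integrity levels, dataset names and conflict-of-interest classes are constructed for illustration and are assumptions, not values from the course. It also demonstrates one of the limitations Step 7 asks you to indicate: Bell-LaPadula on its own permits a low-clearance subject to write "blind" into a higher-classified record, which is why the check combines it with Biba.

```python
"""Mandatory access checks for Bell-LaPadula, Biba and the Chinese Wall model.

Added illustration for the Step 7 requirement statements; all labels,
levels and dataset names below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed lattices: higher number = more sensitive / more trustworthy.
CONFIDENTIALITY = {"public": 0, "internal": 1, "phi": 2, "restricted": 3}
INTEGRITY = {"unverified": 0, "staff": 1, "validated": 2}


@dataclass(frozen=True)
class Label:
    """A subject or object carries one confidentiality and one integrity level."""
    confidentiality: str
    integrity: str


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : simple security property, no read up   (subject >= object)
    write: *-property,               no write down (subject <= object)
    """
    s, o = CONFIDENTIALITY[subject.confidentiality], CONFIDENTIALITY[obj.confidentiality]
    return s >= o if op == "read" else s <= o


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity), the dual of BLP.
    read : simple integrity property, no read down (subject <= object)
    write: integrity *-property,      no write up  (subject >= object)
    """
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    return s <= o if op == "read" else s >= o


def mandatory_allows(subject: Label, obj: Label, op: str) -> bool:
    """Both lattices must permit the operation; this closes BLP's blind-write gap
    for validated clinical data, because Biba forbids the write up."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


@dataclass
class ChineseWall:
    """Brewer-Nash: once a subject has touched one dataset in a conflict-of-interest
    class, it may not touch any other dataset in that same class. Access is
    history-dependent, so the monitor must keep per-subject state."""
    conflict_class: dict                       # dataset -> conflict-of-interest class
    history: dict = field(default_factory=lambda: defaultdict(set))

    def may_access(self, subject: str, dataset: str) -> bool:
        coi = self.conflict_class[dataset]
        return all(seen == dataset or self.conflict_class[seen] != coi
                   for seen in self.history[subject])

    def access(self, subject: str, dataset: str) -> bool:
        """Grant and record the access, or deny without changing history."""
        if not self.may_access(subject, dataset):
            return False
        self.history[subject].add(dataset)
        return True


if __name__ == "__main__":
    nurse = Label("phi", "staff")              # constructed subject labels
    clerk = Label("internal", "staff")
    record = Label("phi", "validated")         # a validated clinical record
    print("nurse read record :", mandatory_allows(nurse, record, "read"))    # True
    print("nurse write record:", mandatory_allows(nurse, record, "write"))   # False (Biba)
    print("clerk write record (BLP only):", blp_allows(clerk, record, "write"))  # True: blind write
    wall = ChineseWall({"insurer_a": "insurers", "insurer_b": "insurers", "lab_x": "labs"})
    print(wall.access("analyst", "insurer_a"), wall.access("analyst", "insurer_b"))  # True False
```

The limitation the last two prints expose is worth stating in the RFP: BLP alone permits the billing clerk's write into the PHI record (no information flows down, so it is "secure"), yet the record's integrity is now uncontrolled; requiring the Biba check as well, or a validated-data integrity level the vendor must enforce, is the kind of stipulation Step 7 asks for.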
Read the following resources and note which cybersecurity models are most beneficial to your
database:
• multiple independent levels of security (MILS)
• cybersecurity models
• insecure handling
Include requirement statements for addressing insecure handling of data.
Include this information in your RFP.
In the next step, you will consider access control.
Step 8: Include Access Control Concepts, Capabilities
In the previous step, you wrote requirements for multiple levels of security, including the
topics of identification, authentication, and access. In this step, you will focus on access
control. The vendor will need to demonstrate capabilities to enforce identification,
authentication, access, and authorization to the database management systems.
Include requirement statements in the RFP that the vendor must identify, the types of access
control capabilities, and how they execute access control.
Provide requirement statements for the vendor regarding access
control concepts, authentication, and direct object access.
Include the requirement statements in the RFP.
In the next step, you will incorporate additional security requirements and request vendors to
provide a test plan.
Step 9: Include Test Plan Requirements
In the previous step, you defined access control requirements. Here, you will define test plan
requirements for vendors.
Incorporate a short paragraph requiring the vendor to propose a test plan after reviewing
these guidelines for a test and remediation results (TPRR) report.
Provide requirements for the vendor to supply an approximate timeline for the delivery of
technology.
Step 10: Compile the RFP Document
In this final step, you will compile the RFP for a secure health care database management
system. Review the document to make sure nothing is missed before submission. Submit the
following deliverables to your assignment folder.