1. Stratford University Securing Multi-Agency Database
(MAD5)
Submitted By Project Managers:
Derick B. Peterson, Joyce Perry, Melissa Walker, and Angel Eleazer
On behalf of
The entire class
Database Security (SOF 620)
Professor Rasoul Ahari
Stratford University Falls Church, Virginia
September 25, 2014

2. Table of Contents
Table of Contents............................................................................................................................2
Abstract..........................................................................................................................................3
Security Requirements....................................................................................................................6
Elasticity Requirement .................................................................................................................26
High Availability Requirements.....................................................................................................29
Attachments.................................................................................................................................33
References....................................................................................................................................36
Appendixes...................................................................................................................................38
~ 2 ~

3. Abstract
For the purpose of this project is to build the guidelines for securing a government multi-
agency database. The data is classified at Secure Sensitive Information (SSI) and all
agencies are clear to that security level. Five different government agencies will need
access to this data and the five are: FBI, DHS, DSS, CIA and DIA. Each agency will only
have access to their own data in other words "for their eyes only”. For example, FBI
personnel will not be able to access data meant for DSS and so on. All agencies will be
accessing this data via a web interface https: (i.e. IE v9 or higher, Chrome v35 and above,
Firefox v24 and above.). There are mixes of Operating Systems (OS) within each agency
consisting of Windows 7 and 8 only. Agencies will be able to print and archive reports
from this application. This database will consist of over 20,000 records per agency and
will continue to grow.
Introduction:
Database Security is an important part of a well-rounded security infrastructure and it is
important to protect the data from unauthorized use, disclosure, modification or
destruction. Ensuring that users have the proper authority to see the data, load new data,
or update existing data is an important aspect of database development. Databases are a
core component of many computing systems and without the proper security, data may
not be properly retained and shared electronically or could be lost and may end up in the
wrong hands.
~ 3 ~

4. As part of the SOF620 Database Security Team’s mission, five different government
agencies contracted this class, SOF620 Database Security, Quarter 4 to provide detailed
security recommendations for the purposes of securing a joint-agency shared database
classified at Secure Sensitive Information (SSI). The five agencies that will be utilizing
this database are the Federal Bureau of Investigations (FBI), the Department of
Homeland Security (DHS), the Defense Security Service (DSS), the Central Intelligence
Agency (CIA) and the Defense Intelligence Agency (DIA). This paper describes the
requirements and recommendations that should be addressed in order to achieve a
defense in depth infrastructure when it comes to database security. This paper is
designed to outline the security measures for the implementation of two virtual server
environments, one located at the FBI Headquarters in Washington, D.C. and the other
located at the DHS facility in Northern Virginia. These agencies would like to use
MySQL Cluster Carrier Grade Edition software in a cloud configuration with
virtualization. The servers will be load balanced and each location will have their own
database administrators. Each one of these security requirements addresses the security
objectives of confidentiality, integrity and availability while ensuring the security posture
is at it’s utmost high. Each agency has agreed to follow the recommendations identified
in this paper and will continue to reassess their security architecture as their requirements
continue to increase. As more and more vulnerabilities are identified, the agencies will
continue to conduct continuous monitoring and a re-examination of their network and
system topologies.
The SOF620 Database Security Project Team worked together effectively and efficiently
to provide the most secure recommendations for this joint-agency database environment
~ 4 ~

5. and conveyed the importance of security with the requirements provided by the five
agencies. These types of requirements allowed the team to research and provide the most
up-to-date security configurations when it comes to database security. The team highly
recommends that database security be an integral part of all system life-cycle phases and
that database security be reviewed whenever changes occur to missions, information
systems, security requirements, or threat, and whenever there are significant adverse
changes to system vulnerabilities.
~ 5 ~

6. Security Requirements
SEE0001 Accessibility
Description: Users can only access the app through only one browser at a time.
Recommendation: This requirement is the first listed under Security Requirements and
labeled as an Accessibility threat with a high-level, explicit priority. This requirement is
written to specify that even though the web-based application is accessible through
multiple browsers IE v9 or higher, Chrome v35 or higher, and Firefox v24 and higher, the
web-based application can only open on one browser at a time. This means that an
authenticated user can use a single browser at a single time to login to the application.
Therefore, if the application is open in IE, it will not open in Chrome or Firefox. If the
user tries to login in a new browser, the application will automatically log out in the IE
window.
SEE0002 Document View
Description: Users should only be able to view documents from their respective
agencies.
Recommendation: This requirement is the second listed requirement from the Securities
tab and is labeled as a Security threat with a high-level, explicit priority. This requirement
is written to specify that even though there will be multiple agencies hosting data on this
site, only users from their respective agency will be able to gain access to information
pertaining to their agency. This means that only the agent from DHS will be able to
locate and open data pertaining to the DHS agency.
SEE0003 Elasticity
Description: This is the requirement which is labeled as Elasticity thread with a high-
level, explicit priority.
Recommendation: This requirement is written to specify that the web-based application
must only be compatible with Windows 7 and Windows 8. These Operating systems
followed Windows Vista and is designed to be a sleeker operating system than its
predecessor, with faster performance and fewer compatibility issues. Windows 7 also
include several new features, such as multi-touch support for touch screen interfaces, a
simple home networking system called "Home Group," and an improved Windows
Search feature.
SEE0004 User Access
~ 6 ~

7. Description: Users accessing their department's information must see "For your eyes
only" on their data records
Recommendation: This is the fourth requirement first listed under Security
Requirements and labeled as a Security warning with a high-level, explicit priority. The
requirement specifies a required text stating “For your eyes only” must be written on all
data displayed for their intended users. The text “For your eyes only” must be displayed
in a prominent and perceptible manner- in the color red, at the top of each document, and
in bold writing. This is an explicit requirement to inform all users that data accessed from
the application is not to be shared, distributed, copied or otherwise altered without
clearance/permission. As such the text “For your eyes only” remains unalterable and is
always visible whether it is read as a web-file or printed for any services.
SEE0005 Access Limits
Description: Users from only FBI, DHS, DSS, CIA and DIA will be able to access the
web-based application
Recommendation: This is the fourth requirement first listed under Security
Requirements and labeled as a Security warning with a high-level, explicit priority. The
requirement specifies a required text stating “For your eyes only” must be written on all
data displayed for their intended users. The text “For your eyes only” must be displayed
in a prominent and perceptible manner- in the color red, at the top of each document, and
in bold writing. This is an explicit requirement to inform all users that data accessed from
the application is not to be shared, distributed, copied or otherwise altered without
clearance/permission. As such the text “For your eyes only” remains unalterable and is
always visible whether it is read as a web-file or printed for any services.
SEE0006 Compliance-Audit Planning
Description: Audit plans, activities and operational action items focusing on data
duplication, access, and data boundary limitations shall be designed to minimize the risk
of business process disruption. Audit activities must be planned and agreed upon in
advance by stakeholders.
Recommendation: Compliance-Auditing allows agencies to monitor the environment
and identify potential attacks. Proactive monitoring of all components within an IT
environment is always a best practice. System performance and availability depend on
the timely detection and resolution of potential issues before they present problems to
users. From a database security perspective, monitoring is critical to identifying potential
exploits in real time, thereby reducing the impact of any breach. Compliance solutions
must also consider Separation of Duties and need-to-know when allowing access to
sensitive audit information and access to said information itself must also be audited.
Ultimately, reports need to be rendered to demonstrate to auditors that the mandates are
in effect.
The five agencies must work together to create a joint policy that will encourage proper
database administration and secure access over the network, while limiting direct server
access to an only-when-necessary situation. Having a policy in place recommending
~ 7 ~

8. database administration staff use network-based tools will help increase visibility of
database activity because local access of the SQL Servers will only happen when
necessary. Cases requiring direct server access would be patching and routine
maintenance. The situations requiring direct database access would be associated with a
change ticket creating an audit trail for the activity. Forcing staff to use network-based
tools may remove the need and added cost and maintenance of database agents. This will
help ensure the monitoring of SQL activity by an appliance using network traces, without
having to rely on a host agent to monitor access. Once auditing it enabled, it is important
to centralize the audit data and create reports so you can review the audit records. Create
a business process and standard operating procedures (SOPs) that includes reviewing the
audit trails on a daily/regular basis.
The following database activity logging/planning that should included in the SOPs are:
• User Account Additions, Modifications, Suspensions, and Deletions
• User Account changes to Rights (the authorization rights of an account)
• Escalation of privileges
• Object ownership changes
• Login and logout, and failed login attempts of the Administrator Account(s)
(account assignment for database administration), Application credentials, and
credentials used for direct database access
• Password changes
• Database security policy / configuration changes
o Authentication modes
o Password controls
o Remote access enabled or disabled
• Native auditing enabled or disabled
• Audit system configuration changes and attempts to purge, modify, or erase audit
trails or database logs
• Sensitive transactions, as required and defined by the data owner
• Allowed access to sensitive resources, as required and defined by the data owner
• Failed access to sensitive resources, as required and defined by the data owner
• Failed SQL attempts to data (object does not exist, insufficient privileges)
• Changes to the database schema (DDL (Data Definition Language) commands)
• Database backup and restore operations
• Database startup and shutdown operation
• Attempts to access OS functionality via the database (execute commands, read /
modify files and settings)
• There should be sufficient information in the log record to establish what events
occurred and who (or what) caused them:
o Type of Event
o When the Event Occurred
o User credential associated with the Event
o Program or Command Used to Initiate the Event (exact SQL)
o Names of database tables accessed, if applicable
~ 8 ~

9. o Source host name or IP address of the user connection
o Status (success or failure) of the attempt
• Monitoring should be active for the following logging events:
o User account additions and changes should be reconciled against an
account request and approval log
o Significant instances of failed password attempts and against multiple
accounts within a short time frame which may indicate hacking attempts
o Significant instances of failed access attempts to the database not
authorized to the account ID
o Attempts to SELECT the list of users and passwords
o All direct access to the database from accounts which should be limited to
access through an application
o Use of nonstandard tools (E.g. Excel, Access) to directly access DBMS
o Use of any “utility programs” (E.g. Toad) to directly access DBMS
o Use of the Application ID (ApplID) from a source other than the defined
owner Application location (based on host name or IP address)
o Log failures, manual logging shut down and attempts to purge
o Attempts to access OS functionality via the database
o Known attack profiles, such as Buffer overflow, Denial of Service, SQL
injection
o Audit database usage outside normal operating hours
The controls above need assessment and confirmation by the assigned database custodian
and the agency’s information security manager. Each one of this controls fall under NIST
SP 800-53, which is the regulatory guidance for federal agencies. In cases where the
database cannot meet the above requirements, the information systems security staff will
perform a risk assessment and document the control deficiencies. The agency security
staff will present this report to the Senior Information Assurance Manager, and the
authorizing official will sign a risk acceptance form based on the risk assessment
performed by the agency’s security staff. Auditing should be conducted on a daily basis
and an extensive auditing/compliancy program must be conducted on an annual basis.
This annual audit should be conducted by a third party agency or directorate so there will
not be a conflict of interest of the personnel performing the duties. All the activities
listed in this requirement ID should be outlined in the agency’s policies and further
explained in the agency’s SOPs. Again, recommend this be a joint-effort so there will
not be any discrepancies when it comes to compliancy and auditing.
SEE0007 Audit Tools Access
Description: Access to, and use of, audit tools that interact with the organizations
information systems shall be appropriately segmented and restricted to prevent
compromise and misuse of log data.
Recommendation: audit tools that reside on the agencies networks must have the proper
access to be able to monitor all assets on the network. The proper TCP/IP ports must be
enabled to allow access only the designated auditing systems approved for the agencies
~ 9 ~

10. networks. The following gathering of information and service enumeration must be
perform for proper access and reported to the network configuration manager for access,
and the information assurance staff for network configuration approvals, diagram updates
and reports.
• Ping sweep
o Network segment where database server resides
• Service enumeration / port scan
o Identify other services running
• Oracle
o TCP 1521
• SQL Server
o TCP 1433; UDP 1434
• DB2
o TCP 50000
• MySQL
o TCP 3306
• Vulnerability Test Access
o OS probes for known vulnerabilities
o Identify vulnerable TCP/IP services
o Database probes for known weaknesses and vulnerabilities
o Specifically test for default accounts and weak passwords
• Tools for Access
o Nessus (www.nessus.org)
o AppDetective (www.appsecinc.com)
o NGSSquirrel (www.ngssoftware.com)
o SoureFire (www.sourcefire.com)
o Host-Based Security System (HBSS)
(www.disa.mil/services/cybersecurity/HBSS)
o Snort (IDS) (www.snort.org)
o NMAP(insecure.org)
o DB2 Audit Programs (www.auditnet.org/docs)
o SQL Server Audit Tools (www.sqlsecurity.com)
o Imperva SecureSphere (www.imperva.com)
o ArcSight SIEM (www8.hp.com)
o Windows Event Viewer (www.microsoft.com)
All tools listed above have specific port requirements and the network/system
administrator should refer to the proper documentation for each device. Other required
ports for auditing access can be found in SQL security documentation and checklists such
as DISA STIGS (iase.disa.mil/stigs), SQL Server Security (msdn.microsoft.com), IBM
DB2 Security (www.net-security.org/dl/articles/Securing_IBM_DB2.pdf), Center for
Internet Security Benchmarks (Cisecurity.org (Oracle, SQL Server, MySQL))
~ 10 ~

11. SEE0008 Audit Logging/Intrusion Detection
Description: Audit logs recording privileged user access activities, authorized and
unauthorized access attempts, user session tracking, system exceptions, and information
security events shall be retained, complying with applicable policies and regulations.
Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion
detection (IDS) tools implemented to help facilitate timely detection, investigation by
root cause analysis and response to incidents. Physical and logical user access to audit
logs shall be restricted to authorized personnel.
Recommendation: The audit logs should be robust enough to identify users, statements
and responses. During the SDLC (Software Development Life Cycle), agencies should
identify sensitive data, transactions and privileged accounts. Audit trails may be the last
line of defense if an attacker can circumvent other security controls. Although audit trails
are after an attack and do not prevent attacks, they are critical to any forensic
investigation due to a breach. Additionally, audit logs have operational benefits when
there are application issues requiring a more intensive debugging effort. Audit logs can
help identify difficult problems. By creating audit logs, changes to database configuration
and data can be captured for each entity accessing the database, providing a log for
compliance and security analysis. Auditing can also detect attempts to access
unauthorized data. The agencies information assurance staff or computer emergency
response team must review these logs on a daily basis to look for anomalies in the
system/database. Audit logs should be able to do the following.
- Track Changes to Database Configuration. Any time a database configuration is
changed, the action should be recorded in an audit log, which should include the change
action, the identity of the user and a timestamp.
- Track Changes to Data. It should be possible to configure the audit log to capture every
query or write operation to the database, must be reviewed on a daily basis. Care,
however, should be exercised when configuring this rule for applications. For example, if
the application is inserting tens of thousands of records per second, writing each
operation to the audit log can impose a performance overhead to the database. It is the
responsibility of the project team to determine any trade-offs between performance and
security. Furthermore, the following audits should be captured and logged.
• Identify Database Administrators
• Identify Database environments and versions
• Arrange database access
o Select access to system tables/views
• Run initial SQL queries to obtain database security information
• OS Accounts & Related Password Controls
• Privileged OS Accounts
• Group Membership
o Unix groups
o Windows 2000 Administrators Group
o Owner / Service Accounts for Database Management System software
• Program & File Protection
~ 11 ~

12. o OS Directory and File Permissions
• Secure Configuration (Hardening)
• Security Patch Management
• SQL Server Logins
• Server Roles
• SQL Server Databases
o Database Roles
o Statement & Object Permissions
• Use of Generic & Shared User Accounts
• Use of OS Authentication
• Application Connections to Database
• Default / weak passwords
• Hard-coded passwords in application code and scripts
• Lack of Password Controls
• Control over Administrative Users
o dba (technical and application support)
o developers
• System Privileges and Authorities
• Object Privileges required for Production environment
• Public Access to Production Schemas
• Default access provided to PUBLIC
• Security Events
• System Access
 Logins – Success / Fail
 Account / Role / Permissions Changes
o Data Access
 SELECT – Success / Fail
o Data Change
 INSERT, UPDATE, DELETE
o Schema / Object Changes
 CREATE, ALTER, DROP
o Privileged User Activity
• Monitoring, Analysis and Follow-up Processes
• OS Application Event Log - Logins
• SQL Error Log - Logins
• Profiler – Events based on selected criteria
• C2 Audit mechanism
An Intrusion Detection system such as Snort IDS or SourceFire (IDS) should be deployed
to monitor network or system activities for malicious activities or policy violations and
produces reports to a management station. IDS come in a variety of “flavors” and
~ 12 ~

13. approach the goal of detecting suspicious traffic in different ways. Both can look for
specific attacks that must be forwarded to the CERT for further investigation. An
Intrusion Prevention System (IPS) such as SourceFire (IPS) and Host-Based Security
System (HBSS) should also be deployed to identify, monitor and inspect client
application for both security and compliance initiatives. IDS/IPS also monitors network
behavior, user identity, assessing and responding to attacks and maintaining defenses.
Security Information &Event Management (SIEM) like ArcSight provides real-time
monitoring, threat intelligence, behavior profiling and application monitoring. It can
collect, correlate and report on security events enterprise-wide so the agencies can detect
unusual or unauthorized activities as they occur. There are varies products that can
perform these actions and the ones listed are just to name a few. No matter what is
chosen, all will have to be configured correctly and reports reviewed daily to maximize a
secure enterprise network across the five agencies.
SEE0009 Protection of Audit Information
Description: The system protects audit information and audit tools from unauthorized
access, modification, and deletion. Auditing roles will be established on all devices that
can be audited.
Recommendation: Audit information includes all information (e.g., audit records, audit
settings, and audit reports) needed to successfully audit the database and system activity.
Ensure that the system backs up audit records at least once every twenty-four hours to a
different system or media than the system being audited. The Agencies should only
authorize access to management of audit functionality to only a limited subset of
privileged users.
SEE0010 Audit Record Retention
DESCRIPTION: The organization retains audit records for one year to provide support
for after-the-fact investigations of security incidents and to meet regulatory and
organizational information retention requirements.
RECOMMENDATION: Audit/Review/Compilation working papers should be held for
7 years. Audit/Review/Compilation Statements and Reports should be retained
permanently.
SEE0011 Content of Audit Records
Description: The system produces audit records that contain sufficient information to, at
a minimum, establish what type of event occurred, when (date and time) the event
occurred, where the event occurred, the source of the event, the outcome (success or
failure) of the event, and the identity of any user/subject associated with the event. An
ICS system usually has a front-end server(s), workstation(s) and possibly laptops that
produce audit logs in great detail. Other ICS components are limited in what events can
be audited; enabling auditing on controllers/PLCs can create a self-denial of service
because the CPU and memory are limited. Generate reports for compliance and forensics.
~ 13 ~

14. RECOMMENDATION: It is recommended that the agencies centrally manage the
content of the content of the audit record generated by (all information systems to the
maximum extent possible) by:
a. Ant-Malware Software
b. Intrusion Detection Systems/Intrusion Protection Systems (IDS/IPS)
c. Remote Access Software
d. Web Proxies
e. Vulnerability Management Software
f. Authentication Servers
g. Routers
h. Firewalls
i. Network Quarantine Servers
j. Operating Systems
SEE0012 Response to Audit Failures
Description: The system enforces configurable traffic volume thresholds representing
auditing capacity for network traffic, failed logins, and database errors.
SQL Server permits the auditing of both login successes and failures, depending on the
need. This auditing feature is turned on by using SQL Server Management Studio. The
Administrator must connect to the SQL Server in Object Explorer and then right-click on
the SQL Server and choose the Properties option from the pop-up menu. You should see
the server properties like in Exhibit 1. The Administrator would then click on the
Security page to set the login auditing like in Exhibit 2.
There will be four options available:
• None - Neither successful nor failed logins will be audited.
• Failed logins only - Failed logins will be audited, but successful logins will be
ignored.
• Successful logins only - Successful logins will be audited, but failed logins will
be ignored.
• Both failed and successful logins - Login will be audited regardless of success
and failure.
SEE0013 System Monitoring
Description: Audit database usage outside normal operating hours.
Because Microsoft Windows server is the operating system, the System Monitor
graphical tool will be used to measure the performance of SQL Server. This will be used
to view SQL Server objects, performance counters, and the behavior of other objects,
such as processors, memory, cache, threads, and processes. Each object has an associated
set of counters that measure device usage, queue lengths, delays, and other indicators of
throughput and internal congestion.
~ 14 ~

15. System Monitor Performance
When the administrator monitors SQL Server and the Microsoft Windows operating
system to investigate performance-related issues, they will concentrate their initial efforts
in three main areas:
Disk activity
Processor utilization
Memory usage
Monitoring a computer on which System Monitor is running can affect computer
performance slightly. Therefore, the administrator will either log the System Monitor
data to another disk (or computer) to reduce the effect on the computer being monitored,
or run System Monitor from a remote computer. The administrator will monitor only the
counters of interested. If the administrator monitors too many counters, resource usage
overhead will be added to the monitoring process and affect the performance of the
computer that is being monitored.
The system will be monitored on continuous basics seven days a week to include
holidays. The system performance will also be monitored during any unforeseen
circumstances that may cause the government agencies to shut down during normal
operating hours.
SEE0014 Account Review
Description: Accounts are reviewed every 90 days explicit re-approval is required or
access to the resource is automatically revoke. Limit user rights to Data based on need to
know.
Recommendation: This focus on management and review of computer accounts to
maintain access control on all systems. For example these standards can apply to anyone
who has a campus computer account such as faculty, staff, students, parents, alumni,
vendors, volunteers, affiliates, and members of the public. This will ensure that access to
computer systems is appropriately requested, approved, granted, terminated, and
reviewed on a regular basis. Management of computer accounts is critical in protecting
sensitive data and minimizing risks. However, this will is not limited to, access granted
by system accounts, application accounts, or database accounts. The target audience is
anyone who has responsibility for requesting, approving, terminating, using, and
reviewing computer accounts.
SEE0015 Audit Content Changes
Description: Changes to code and sensitive data must be audited and logged.
Recommendation: This concerns the protection of sensitive information from
unauthorized disclosure. Controls needs to be implement based on the level of sensitivity
to the data, as this will determine how stringent controls over its access should be. It is
very important to assure the organization’s ability to maintain information confidential,
as compromises in confidentiality could lead to significant public reputation harm,
particularly where the information relates to sensitive client data.
~ 15 ~

16. SEE0016 Audit Storage Capacity
Description: The information system enforces configurable network communications
traffic volume thresholds reflecting limits on auditing capacity and network traffic above
thresholds.
Recommendation: The main objective under this is to ensure that the computer systems
will continue to provide a satisfactory level of performance in the longer term. This will
involve IT operation staff having to make estimates of future CPU requirements, disk
storage capacity and network loads capacity. Further, this is focused on the amount of
internal storage and the amount and type of offline storage the security and privacy
requirements of the program.
SEE0017 Real-time Correlation and Attack Identification
Description: Alerts provide organizations with urgent messages. Real-time alerts provide
these messages at information technology speed (i.e., the time from event detection to
alert occurs in seconds or less).
Recommendation: Real-time correlation software transforms raw security event data
into actionable information to the respective persons in fraction of seconds, so you can
tackle the right threats at the right time. Ensuring that all five organizations i.e. FBI,
DHS, DSS, CIA and DIA has an accurate, comprehensive, and real-time understanding of
security risk is essential for keeping your business secure and compliant.
However, most event correlation technologies capture and correlate security event data
from security devices only, leaving important data from other core applications and
databases overlooked.
SEE0018 Vulnerability Scanning
Description: Vulnerability Scanning must be done to identify security holes and
weaknesses within the application. This will also verify patch verification when security
patches have been applied.
Recommendation: FBI, DHS, DSS, CIA and DIA organizations should follow
continuous vulnerability monitor, which identifies server- and client-side vulnerabilities.
Vulnerability Scanning must be done to identify security holes and weaknesses within the
application. This will also verify patch verification when security patches have been
applied on operating systems. Vulnerability scanning typically refers to the scanning of
systems that are connected to the Internet but can also refer to system audits on internal
networks that are not connected to the Internet in order to assess the threat.
SEE0019 Time Stamps
Description: Compares the internal information systems clocks and synchronizes the
internal system clocks to the authoritative time source.
Recommendation: E-Security is a turnkey, network-attached appliance that keeps
accurate time and creates secure time stamps to record creation time, filing time, or the
timing of other events associated with electronic records and applications. By deploying a
~ 16 ~

17. highly accurate and tamper-resistant electronic time stamping solution, organizations can
verify the accuracy of time stamps used for digital records and improve the integrity and
audit ability of a broad range of critical processes. We can achieve this using its kind of
Microsoft Authenticode, the code-signing standard for Windows platforms.
SEE0020 Security Assessments
Description: Assessments of database security controls to determine the extent to which
the controls are implemented correctly. The results should be compared to a baseline
configuration. Comprehensive security assessment reports document the results of the
assessment and include remediation instructions if controls aren’t implemented correctly.
The report should be automatically sent to designated officials.
Recommendations: An effective security risk assessment can prevent breaches, reduce
the impact of realized breaches, and keep your company's name from appearing in the
spotlight for all the wrong reasons. Regular IT security risk assessments also enable
organizations to build up a cache of historical data that can be used to effectively gauge
and communicate monetary impact related to risks -- and, hopefully, convince upper
management to take decisive action to reduce the organization's threat surface.
There are basically three risk management components:
• Evaluation and assessment, to identify assets and evaluate their properties and
characteristics.
• Risk assessment, to discover threats and vulnerabilities that pose risk to assets.
• Risk mitigation, to address risk by transferring, eliminating or accepting it.
SEE0021 Continuous Monitoring
Description: Ongoing security status monitoring of Agency defined metrics in
accordance to their continuous monitoring strategy.
Recommendations: Continuous monitoring is a risk management approach to
cybersecurity that maintains an accurate picture of an agency’s security risk posture,
provides visibility into assets, and leverages use of automated data feeds to quantify risk,
ensure effectiveness of security controls, and implement prioritized remedies. A well-
designed and well-managed continuous monitoring program can effectively transform an
otherwise static security control assessment and risk determination process into a
dynamic process that provides essential, near real-time security status.
SEE0022 Single Sign-On Authentication
Description: The system will provide authentication sign-on via web-interface before
obtaining access to data
~ 17 ~

18. Recommendation: The Authentication Single Sign-On integrated services within each of
the agencies network environment will enable end user to connect to MAD5 application
that uses a common authentication mechanism. These services store and transmit
encrypted user credentials across local and network boundaries. The Authentication
Single Sign-On services will request and verify user's credentials after user log into the
agency's network, so that MAD5 system will use user's credentials to determine the
actions that user can perform based on user rights.
With single sign-on authentication implemented, users from various agencies can log into
their account and grant access to their data from inside the MAD5 application. The
application then contacts data center with the login data and requests access to a specified
service. After authentication, the roles associated with user are used for access a
protected resources in MAD5 application. Once authorized access, MAD5 application
can access the service data, allowing the user to create, read, update, or delete service
data as needed using your application interface.
SEE0023 Web Application Fields
Description: The web app must show fields to enter in user credentials such as
usernames and passwords before a user can proceed.
Recommendation: This requirement is listed under Accessibility tab and categorized as
high and implicit priority. This is written to specify that the web application must request
login information from users by showing empty forms for them to enter. The application
will then authenticate the user in the system before user can proceed to the next step. If
the login information is not valid, user will be denied access and asked for login
information again.
SEI0024 Protecting Data-At-Rest On Workstations
Description: The file system on user's workstation should be encrypted to provide data
at rest protection for all data downloaded to workstations and to store archived reports
Recommendations: User's data on workstations and MySQL multi-agency database for
MAD5 system will be protected by securing agencies data at-rest and data in motion in
the context of cloud computing.
In order to protect data-at-rest on agencies user's workstation the file systems on
workstations should be encrypted for all data downloaded and stored to workstations.
There are many technologies available for encrypting data stored on end user devices:
full disk encryption, volume and virtual disk encryption, and file/folder encryption
(Karen Scarfone, et al., 2007). To protect data-at-rest on user's workstation full disk
encryption (FDE) can be considered as a solution that is most commonly used on desktop
and laptop computers.
Because the decryption and encryption is performed by the hard drive itself, with no OS
participation, typically there is very little performance impact (Karen Scarfone, et al.,
2007).
McAfee industry-leading data protection solutions as key components in McAfee
~ 18 ~

19. protection suites can also be used for extensible, customized protection that fits security
needs of user's workstations.
To protect MySQL multi-agency database from unauthorized third parties gaining access
to the hard disks or backups on which the database is stored, the database encryption via
Transparent Data Encryption (TDE) mechanism can be used. TDE will protect data-at-
rest by performing real-time I/O encryption and decryption of a MySQL database’s data
by using Gazzang ezNcrypt solution (Gilad Parann-Nissany, 2012).
SEI0025 Secure Printing
Description: Any files sent to “Secure Print” networked printer will expire after 12
hours if not retrieved during that time. .
Recommendation: To counter the risks associated with access of MAD5 sensitive data,
agencies will need to integrate printing security into their IT security strategy so that
users within each agency facilities will be able to print and archive reports from web
application.
To protect SSI data on while printing to network devices (Frank Topinka & Amy Jaffe,
2013):
• Authenticate users and protect data before the data prints by using pin codes, LDAP
authentication, smart cards
• Encrypt print jobs to protect data. Use the device’s embedded security (IPSec) to protect
information traveling to or from devices
• The PIN code should be assigned to the print job by agencies users before sending the job
to be printed. The job is held in the job list until user release it on printer device
• Remove data by using the device’s built-in capability to overwrite stored data
• Monitor and manage printing
There is a number of vendors such as HP, Xerox, etc that provide an imaging and printing
security framework in order to safeguard data and documents at each stage of printing.
For example, by utilizing Xerox Secure Print will allow user to control the print timing of
sensitive documents so that any files sent to network printer will expire after predefined
number of hours if not retrieved during that time.
SEI0026 Print Queue
Description: Print queue for MySQL reports should be password protected by
utilizing Secure Print feature on user's workstation
Recommendation: See Requirement SEI0025
SEI0027 MySQL "root" Account
Description: MySQL "root" account will be disabled and new MySQL account with
~ 19 ~

20. administrative rights will be created with strong password during post-installation process
Recommendation: Securing MySQL is an essential part of the MySQL installation and
post-installation processes. Despite the default installation is pretty secure by itself
already, some additional steps have to be performed (MySQL 5.7 Reference Manual,
2014).
To make MySQL installation more secure against attack or misuse the following post-
installation steps will be required:
• Password of the "root" account is blank by default during installation. To address this
vulnerability, a strong password for the "root" user will be used, and "root" account
will be either removed or renamed
• MySQL stores passwords for user accounts in the mysql.user table. Access to this
table should never be granted to any non-administrative accounts
• The MAD5 web application will connect to the database using a user name different
from the one used for administrative or installation purposes
• MySQL services should not be run as "root" user
• Assign anonymous accounts passwords or remove them to prevent clients from
connecting as anonymous users without a password
• By default, anyone can access test databases including anonymous users, therefore for
the MAD5 production environment the test database will be deleted during post-
installation steps
• Remote access should be disabled, only access from local machine should be allowed
• To restrict MySQL from opening a network socket, the skip-networking parameter
should be added in my.cnf and my.ini configuration files
The following restrictive grant syntax should be considered as an alternative to disable
network access to database server in order to allow web server to communicate with
MySQL database server over network:
GRANT SELECT, INSERT ON mydb.* TO 'someuser'@'hostname'
SEI0028 Remote Access
Description: Remote access to MySQL database will be disabled by utilizing restrictive
grant syntax
Recommendation: See Requirement IDSEI0027
SEI0029 Securing Data in Motion
Description: SSL will be used as a means of securing the encrypted connection between
the applications server and web-based client applications to provide encryption of data in
transmission
Recommendation: By default, MySQL uses unencrypted connections between the client
and server. This can cause data tampering while it is in transit between client and server.
To mitigate this threat, it is necessary to implement encrypted channels of
~ 20 ~

21. communication. According to MySQL 5.6 Reference Manual the MySQL supports
secure (encrypted) connections between MySQL clients and the server using the Secure
Sockets Layer (SSL) protocol. MySQL enables encryption on a per-connection basis.
Secure connections can be based either on the OpenSSL API or MySQL’s built-in yaSSL
(Chris Conlon, 2011). To make it easier to use secure connections, MySQL is bundled
with yaSSL:
• YaSSL provides secure client/server communication
• Can be implemented on almost any OS that support TCP/IP
MySQL multi-agency database will implement secure SSL tunnel to provide encryption
for data in motion.
SEI0030 Password Security
Description: All passwords shall be transmitted and stored in encrypted form
Recommendation: The MAD5 authentication systems will prevent passwords and other
credentials from unauthorized disclosure. Storing and transmitting passwords in plaintext
puts them at risk of exposure to hackers, eavesdroppers, and malware. To prevent such
exposure, strong authentication systems use multiple mechanisms to reduce the
likelihood that unencrypted credentials will be exposed, and to ensure that any
authentication data that does get stored and transmitted will be of limited use to an
attacker.
One of the fundamental security techniques used by authentication systems is the use of
cryptographic hash functions to encode credentials for storage and transmission. The
server computes the hash value of the submitted password from a client computer (or
accepts the hash from the client directly) and compares it to its own stored hash for the
account making the request. If they match, the client is authenticated.
MySQL stores passwords for user accounts in the mysql.user table. Access to this table
should never be granted to any non-administrative accounts. MySQL supports stronger
encryption for user account passwords, available through an authentication plugin named
sha256_password that implements SHA-256 password hashing which is FIPS 180-4
compliant.
MySQL uses passwords in two phases of client/server communication:
• When a client attempts to connect to the server, there is an initial authentication step
in which the client must present a password that has a hash value matching the hash
value stored in the user table for the account the client wants to use.
• After the client connects, it can (if it has sufficient privileges) set or change the
password hash for accounts listed in the user table.
SEI0031 MySQL Test Database
Description: MySQL test database will be removed from production environment
~ 21 ~

22. during post-installation process
Recommendation: See Requirement IDSEI0027
SEI0032 MySQL Anonymous Accounts
Description: MySQL anonymous accounts will be removed during post-installation
process
Recommendation: See Requirement IDSEI0027
SEI0033 Object Level Security
Description: User Authentication with object level security based on groups and column
level security to restrict access to documents based on user access privileges shall be used
Recommendation: Database security entails allowing or disallowing user actions on the
database and the objects within it. The use of user and group structure along with
schemas and security domains in MAD5 application allows to control access to data and
to restrict the use of various MySQL database resources.
Discretionary access control regulates all user access to named objects through privileges.
Each user within each agency has a security domain—a set of properties that determine
such things as:
• The actions (privileges and roles) available to the user
• The system resource limits for the user
Defining the appropriate user and groups in MAD5 deployment defines security on two
levels: what user can do and what user can see. This security model provides an easy
administration of user accounts in order to lock down security as tightly as possible for
MAD5 functionality and content. The main goal of security model is to restrict users
from performing actions or accessing data not required for their function, while at the
same time allowing them to see and do what is made available to them.
SEI0034 Web Interface Security
Description: All users in all agencies will be accessing data via a web interface by using
IE v9 or higher, Chrome v35 and above, Firefox v24 and above.
Recommendation: Web browsers such as Internet Explorer, Mozilla Firefox, and
Chrome, will be installed on MAD5 user's workstation and it is vital to configure them
securely. Often, the web browser is not set up in a secure default configuration which can
lead quickly to a variety of computer problems caused by anything from spyware being
installed without user's knowledge to intruders taking control of computer.
There is an increasing threat from software attacks that take advantage of vulnerable web
browsers. This problem is made worse by a number of factors, including the following:
• Web page addresses can be disguised or take user to an unexpected site.
• Many web browsers are configured to provide increased functionality at the cost
~ 22 ~

23. of decreased security.
• New security vulnerabilities may have been discovered since the software was
configured and packaged by the manufacturer.
• Computer systems and software packages may be bundled with additional
software, which increases the number of vulnerabilities that may be attacked.
• Many users do not know how to configure their web browsers securely.
• Many users are unwilling to enable or disable functionality as required to secure
their web browser.
As a result, exploiting vulnerabilities in web browsers has become a popular way
for attackers to compromise computer systems. Out of date web browsers are less
stable, and much more vulnerable to viruses, spyware, malware, and other
security issues. Therefore All MAD5 users in all agencies will be accessing data
via a web interface by using IE v9 or higher, Chrome v35 and above, Firefox v24
and above.
SEI0035 User’s Access Control
Description: User's access control shall be agency-based which means that access to
resources will be granted based on a user’s association with the agency. Each user can
belong to one agency only.
Recommendation: The Agency facilities must establish a process to authorize and
document access privileges based on a legitimate and demonstrated need to have system
access to MAD5 users. Access privilege documentation must be maintained in a manner
that makes it easily retrievable by individual user account.
Prior to initial account distribution, positive identification of individuals receiving
accounts must be conducted. Positive physical identification can be done by anyone the
system administrator can trust to perform this task. During the first instance of access
with a new account, the initial password must be changed by the individual responsible
for the account, in compliance with the password controls defined in this policy.
When system users are no longer part of an organization, or their duties change, their
account access must be appropriately modified or terminated. Requests to change access
privileges must be signed and forwarded to the appropriate designated individual by the
responsible manager.
The Agency facilities must control access to resources based on the following access
criteria, as appropriate:
• Identity (user ID). The identity must be unique in order to support individual
accountability.
• Roles. Access to information must also be controlled by the job assignment or
function (i.e., the role) of the user who is seeking access.
~ 23 ~

24. • Location. Access to particular system resources will be based upon physical or
logical location.
• Access would be denied for a sixth user, even if the user were otherwise
authorized to use the application.
• Access Modes. The Agency facilities will consider the types of access, or access
modes. Common access modes, which can be used in both operating and
application systems, include read, write, execute, and delete.
SEI0036 MySQL Authentication Plug-in
Description: MySQL pluggable authentication interface shall be used to authenticate
MySQL client connections against external resource such as LDAP, Windows Active
Directory to enable user authentication against LDAP with single-sign-on (SSO) as
alternative to username and password credentials
Recommendation: As of MySQL 5.5.16, commercial distributions of MySQL include
an authentication plugin that enables MySQL Server to use PAM (Pluggable
Authentication Modules) to authenticate MySQL users. PAM enables a system to use a
standard interface to access various kinds of authentication methods, such as Unix
passwords or an LDAP directory.
The PAM plugin uses the information passed to it by MySQL Server (such as user name,
host name, password, and authentication string), plus whatever method is available for
PAM lookup. The plugin checks the user credentials against PAM and returns
'Authentication succeeded, Username is user_name' or 'Authentication failed'.
The PAM authentication plugin provides these capabilities:
• External authentication: The plugin enables MySQL Server to accept connections
from users defined outside the MySQL grant tables.
• Proxy user support: The plugin can return to MySQL a user name different from the
login user, based on the groups the external user is in and the authentication string
provided. This means that the plugin can return the MySQL user that defines the
privileges the external PAM-authenticated user should have.
SEE0037 Password Expirations
Description: Passwords must expire every 60 days for all users. The system must be
reset their password on the 61th day.
Recommendation:
• Never share a computer account
• Never use the same password for more than one account
• Never tell a password to anyone, including people who claim to be from customer
service or security
~ 24 ~

25. • Never write down a password
• Never communicate a password by telephone, e-mail or instant messaging
• Being careful to log off before leaving a computer unattended
• Changing passwords whenever there is suspicion they may have been
compromised
• Operating system password and application passwords are different
• Password should be alpha-numeric
SEE0038 GFE Data Security
Description: All users should use Government Furnished Equipment (GFE) to access the
application. The GFE must be equipped with high security (ie: Symantec Endpoint
Encryption) and Secure VPN (Virtual Private Network) available.
Recommendation: Use of strong encryption technology is essential to ensure that
the agencies information systems and data are protected against unauthorized
access, fraud and theft.
Agencies users must use approved encryption as required by Federal Information
Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic
Modules.
The security policy for GFE user's devices is designed to protect the confidentiality,
integrity and availability of the Federal Agencies information and information
systems to be adopted by all users in order for SSI data to be securely stored,
transported and transferred across the network.
User's data on workstations will be encrypted by means of full hard disk encryption
utilizing Symantec EndPoint or McAfee protection suites.
To ensure an agency's users are connected to the MAD5 application resided in the
cloud, and data transmitted securely over the network virtual private network
(VPN) solution will be employed and VPN client will be installed on user's
workstations. In this case VPN channel between workstation and remote network
resources is considered as a method for securing and encrypting agency's
communications. VPN channel secures user's computer Internet connection to
guarantee that all of the data users are sending and receiving is encrypted and
secured.
~ 25 ~

26. Elasticity Requirement
ELE0001 Hosting
Description: The web-based app must be able to host at least 100% of personnel at any
time.
Recommendation: The number of users who have access to the database, using the web
app should not be limited and be able to host 100% of personnel at any time.
Bandwidth: Use bandwidth to determine peak and idle times. Using this information to
project how much bandwidth will be needed in the future. This will enable to plan for the
peak bandwidth, thereby avoiding problems associated with inadequate bandwidth. To
enhance the availability of web app by identifying services that must be available, then
identifying the points at which those services can fail. Increasing availability also means
reducing the probability of failure. System availability directly depends on the hardware
and software, and the effectiveness of operating procedures.
ELE0002 Location Access
Description: Authenticated users must be able to access the web app from any location
or time zone from certified devices
Recommendation: For security purposes data available through web application has to
be protected. This includes processes for authentication, authorization, asset handling,
input, and logging and auditing. Once an end user is authenticated, an application checks
the specific permissions for that user, his location, and device certification. The client
runs in any web browser, the user should be able to access it from secure devices that run
on any platform at any time from any location and provide a consistent access to the
database. Web applications should provide the same functionality and gain the benefit of
working across multiple platforms.
ELE0003 Server Locations
Description: There must be 2 minimum virtual servers located at separate locations. One
each at FBI and DHS Locations
Recommendation: This is the third requirement which is labeled as Elasticity thread
with a high-level, explicit priority. This requirement is written to specify that there must
be 2 minimum virtual servers located at separate locations. There will be two servers, one
a FBI and the other at the DHS facility.
ELE0004 OS
Description: The web-based application must only be compatible with Windows 7 and
Windows 8.
Recommendation: This is the requirement which is labeled as Elasticity thread with a
high-level, explicit priority. This requirement is written to specify that the web-based
application must only be compatible with Windows 7 and Windows 8. These Operating
~ 26 ~

27. systems followed Windows Vista and is designed to be a sleeker operating system than
its predecessor, with faster performance and fewer compatibility issues. Windows 7 also
include several new features, such as multi-touch support for touch screen interfaces, a
simple home networking system called "Home Group," and an improved Windows
Search feature.
ELI0005 Scale-Out Solution
Description: Clustering and virtualization solution on a cloud environment combined
with MySQL replication will be used to provide scale-out capability geographically
distributed load balancing solutions
Recommendation: To implement, support and maintain virtual servers located at
separate locations - one each at FBI and DHS locations - the MySQL clustering and
virtualization solution on a cloud environment combined with MySQL replication will be
used.
The architecture of MySQL Cluster is designed to accommodate requirements to
automatically scale read/write within and across geographically dispersed data centers
and to scale queries with the following capabilities:
• Auto-sharing for write-scalability;
• In-memory, real-time responsiveness;
• Active / active geographic replication;
• Online scaling and schema upgrades;
• SQL and NoSQL interfaces;
To service growing agencies demand, the Scale-Out architecture can be implemented by
using MySQL Replication to power agencies mission-critical website, underlying
systems infrastructure, and business-support tools (Guide to Scaling Web Databases with
MySQL Cluster, 2013).
ELI0006 Response Time
Description: Response time should not exceed more than 30 seconds for Internet-
connected clients for all concurrent users
Recommendation: Best practice is to get the response time of web application to be
under 500ms, this will free up the application for more requests and deliver a high quality
user experience to the users. The request must then be processed by application, and then
a response delivered back to the router within 30 seconds to avoid the timeout. When a
timeout is detected the router will return a customizable error page to the application
logs. While the router has returned a response to the client, application will not know that
the request it is processing has reached a time-out, and application will continue to work
on the request. To avoid this situation setting a timeout within your application and
keeping the value well under 30 seconds, such as 10 or 15 seconds. Unlike the routing
~ 27 ~

28. timeout, these timers will begin when the request begins being processed by application.
MySQL Cluster's real-time design delivers predictable, millisecond response times with
the ability to service millions of operations per second. Support for in-memory and disk-
based data, automatic data partitioning (sharing) with load balancing and the ability to
add nodes to a running cluster with zero downtime allows linear database scalability to
handle the most unpredictable workloads (MySQL Strategy Whitepaper, 2014).
More concurrency of query executions requires significantly more server memory. In an
extreme case if the amount of memory needed by all active connections exceeds server
memory, the MySQL server may revert to memory/disk swapping, which will greatly
impact user response times.
ELI0007 MySQL Thread Pool
Description: MySQL Thread Pool should be configured and utilized to accommodate
increasing number of total and concurrent users to sustain performance and scalability as
concurrent user loads, number of records in database and query execution continue to
grow
Recommendation: By default the MySQL Database provides a complex thread-
handling model that provides excellent throughput and performance for online and web-
based applications. To meet challenges around the most demanding application user and
workloads MySQL Enterprise Edition provides the MySQL Thread Pool. The Thread
Pool is a user configurable option that provides an efficient, alternate thread-handling
model designed to sustain performance and scalability as concurrent user loads ontinue
to grow. In these use cases the Thread Pool addresses the limitations to scalability by
(MySQL Enterprise Edition Product Guide, 2013):
• Managing/controlling query execution until the MySQL server has the resources to execute it
• Splitting threads into managed Thread Groups. Inbound connections are assigned to a group
via a round-robin algorithm and the number of concurrent connections/threads per group is
limited based on queue prioritization and nature of queries awaiting execution. Transactional
queries are given a higher priority in queue than non-transactional, but queue prioritization
can be overridden at the user level as needed
• Avoiding deadlocks when queries are stalled or executing for long period of time
~ 28 ~

29. High Availability Requirements
HAE0001 Web-Based Application
Description: The user must be able to access the database through an Internet based GUI
Recommendation: The MySQL GUI Tools package is a combination of several tools
which will help you manage your MySQL databases. You can install this application
pack on your local computer and use it to remotely administer your databases. The
MySQL GUI Tools Tutorial covers the following topics .How to use MySQL
Administrator to back-up databases. How to use MySQL Administrator to restore a
database? How to use MySQL Query Browser to access a database and execute queries
on it? You can download the MySQL GUI Tools package from the MySQL official
website. If your database is big (over 50MB) you may face difficulties exporting and
importing it via the PHP Admin tool in control Panel. In such cases the MySQL GUI
Tools would be a great solution. Before you can connect to your MySQL database you
have to allow your host to access the server. For more information on how to do this
check our tutorial on Adding MySQL access hosts. Enter the login details for the MySQL
connection. The Server Host should be your domain name and you can use your control
Panel login details in order to access all databases in your account. Alternatively, you can
use the MySQL username you have created through the MySQL Databases tool in your
control Panel in order to connect to the database that it has access to.
HAE0002 Web Accessibility
Description: The app must be accessible through latest versions of Internet Explorer,
Chrome, and Firefox (i.e. IE v9 or higher, Chrome v35 and above, Firefox v24 and
above.)
Recommendation: The app must be accessible through latest versions of Internet
Explorer, Chrome, and Firefox You can use the Docs editors if you have enabled cookies
and JavaScript in your browser. You must also have one of the two most recent versions
of the following browsers to give access .Chrome version 35 and latest, Firefox version
24 and supporting the latest version, Safari Mac systems, and Internet Explorer latest
version 9.
HAE0003 Elasticity
Description: The database must be able to host a minimum of 20,000 records, which
must continue to grow over time.
Recommendation: This requirement is for making sure that the database is able to host a
minimum of 20,000 records, which tends to grow overtime.
HAI0005 User Credentials
Description: The web app must show fields to enter in user credentials such as
usernames and passwords before a user can proceed
~ 29 ~

30. Recommendation: As per this requirement we are making sure that the web page has an
editable field for entering the user credentials such as username and password before user
could proceed further on the website.
HAI0006 Response Time
Description: Response time for users accessing documents must not be greater than
fifteen (15) seconds for at least ninety percent (90%) of the records and response time
must not be greater than thirty (30) seconds for at least ninety nine percent (99%) of the
records
Recommendation: Quantifying end-user response time goals can be thought of in terms
of the following activities:
• Determine application functionality and usage.
• Verbalize and capture performance requirements and goals.
• Quantify performance requirements and goals.
• Record performance requirements and goals.
Before we can effectively determine the desired performance characteristics of an
application, we need to identify the scenarios for which we want to characterize
performance. When identifying the business scenarios that have a critical need for
performance requirements and goals, it may be useful to think in terms of the following
four categories:
• Frequently used scenarios
• Performance-intensive scenarios
• Business-critical scenarios
• Scenarios of special interest (possibly due to contractual obligations or
stakeholder visibility)
HAI0007 Recovery Time
Description: Recovery time following a failure will be no more than 15 minutes.
Recommendation: It is important to set expectations with agencies users. While
avoiding any form of downtime is always highly desirable, it is largely impractical.
Higher levels of availability are typically achieved by deploying systems with increasing
levels of redundancy and fault-tolerance. However, greater redundancy will also increase
the total cost and complexity of the system due to requirements for more hardware and
software, as well as demanding a larger investment in IT staff, processes, and services
(MySQL Strategy Whitepaper, 2014).
MAD5 will be using Geographically-Replicated Clusters with MySQL Database
Replication architecture certified and supported by Oracle that will be utilized to achieve
highly available database services. This approach enables to delivering highly available
MySQL services.
~ 30 ~

31. The MAD5 web-based application will include MySQL new replication features
designed to enable next generation web, cloud, and mobile services with self-healing
replication topologies and high performance master and slaves. New key features enable
replication transactional integrity to be tracked through a replication master/slave
topology, providing a foundation for self-healing recovery within required time frame of
15 minutes in case of system failure.
Moreover, the recommended usage of the Oracle VM Template for MySQL to provision
virtualized and highly available MySQL database also provides detection and
automatically restarts instances within the server pool after failures of physical server
hardware, VM instances or MySQL.
HAI0008 Availability Level
Description: The system should provide an availability level of "three nines" while
supporting its intended function 99.9 percent of the time, i.e. equivalent to an annual
downtime of 8.76
Recommendation: The down time values are given based on a requirement of 24/7
availability. If a system is only required to be available for part of that time, Monday to
Friday from 9 a.m. to 5 p.m. for example, then the calculation should be based on that
time span. A system that is required to be available 40 hours a week needs an annual
down time of less than 2 minutes to achieve five nines availability, but since maintenance
and other planned outages can be scheduled outside of working hours, it is easier to
achieve this goal.
Overall availability is calculated based on the total down time of the system over a period
of time (5.3 minutes over a year equals 99.999% availability), but it can also be expressed
using an alternative calculation that takes into account the time required to recover from a
failure. In the calculation below, MTTF (Mean Time To Failure) is the average time
between system failures and MTTR (Mean Time To Recover) is the average time to
recover from these failures:
MTTF
Availability == ---------------------
MTTF+MTTR
This is not a major change to the perception of availability—recovery time was always
included in the time that the system was unavailable, but it does serve to clearly indicate
the importance of rapid recovery in increasing availability. A system that is up for a year
before a failure, but then takes three days to recover from that failure, is not as available
as a system that fails ten times in that same year but recovers within 10 minutes. Clients
do not differentiate between hardware and software failures. They do not care if the hard
disk crashed or if the data integrity rules failed; they simply measure the time that the
system was unusable. In the industry, hardware failure accounts for less than 20 percent
of all system outages—it is therefore imperative that a "High Availability" system views
~ 31 ~

32. people and process failure at least as thoroughly and perhaps more so, than hardware
failure.
HAI0009 Oracle VM Template for MySQL
Description: The Oracle VM Template should be used to provision virtualized and
highly available MySQL databases to deliver high availability solution
Recommendation: The Oracle VM Template for MySQL Enterprise Edition ensures
rapid deployment and helps eliminate configuration efforts and risks by providing a pre-
installed and preconfigured virtualized software image, taking advantage of Oracle VM’s
mechanisms to deliver high availability (MySQL Enterprise Edition Product Guide,
2013). Oracle VM Template protects MySQL against planned and unplanned downtime.
By using the High Availability features of the Oracle VM Template for MySQL, agencies
can meet SLA demands:
• Automatic recovery from failures, Oracle VM automatically restarts failed MySQL
instances on available servers in the server pool after outages of the physical server,
VM or MySQL database.
• Live Migration, enables operations staff to move running instances of MySQL to
alternative hosts within a server pool when they need to perform maintenance
operations
~ 32 ~

33. Attachments
Stratford University Securing Multi-Agency Database (MAD5)--Analysis Sheet
~ 33 ~
Work Request Number Task Order 101 Priority (High, Med, Low) High
Request Information
Requested Date 8/28/2014 Requester Name RA Request office Stratford
Change Request Analyze RTM for securing a government multi-agency database MAD5.
Analysis Start Date 8/28/2014 Analyst Assigned Alek Samedov
Analysis Completed Date 9/4/2014
Analysis QA Date 9/4/2014 Analysis QAed By Nataliia Kakhidze, Shamsu Uddin
Approver Name RA Approved by
Lead Walkthrough Analyst Sanju Singh Participant in
Walkthrough
Project Implementation
Project Overview
Secure MAD5 to meet following 5 agencies database security requirements:
1. FBI
2. DHS
3. DSS
4. CIA
5. DIA
Strategy We build our RTM, based on that we will provide security solutions according to the agencies
requirements at SSI level. RTM Provides Configured auditing storage capacity and auditing
failure response.
Constraints and
Limitations Auditing responses, network volume and auditing capacity. This solution only applies to the 5
agencies mentioned above and applicable to the cloud environment only. For SSI level only.
Environment 1. IE 9 or higher
2. Firefox 24 and above
3. Chrome 35 and above
Impacted Modules, Tables and Fields
Module
/ Code
Module Name Type of Change Description of Change
ST01 MAD5_DB Spec/Module Initially prepare a analysis sheet.
NT01 NT_01 Network/capacity Preparation to the required configured limitations

34. ~ 34 ~
History of Document Changes
Date Initials Description
9/3/2014 MJ SEE008 was added "Log unauthorized access attempts by IP identification, user ID, date and time."
9/3/2014 MJ SEE0037 was added ” Enforce password policies for length, character requirements, and updates and
provide the ability to disable log-on capabilities if unsuccessful password entry is attempted after
five (5) unsuccessful attempts and automatically notify security administration staff upon disabling
log-on capabilities.”
Additional Analysis Information
1. Modified Security 6210 to include FBI security requirement.
2. Modified Security 6210 to include SSO security requirement.
3. Network capacities are to be improved.
4. Storage volume has to be increased.
5. Configuration of thresholds to be done on a requirement basis.
Application Release Notes
After clarification for the SEE0008 and SEE0037, Login authorization and Security requirements were enhanced.
1. 38 or more security requirements.
2. Modifying the existing security base for MAD5 database.
3. Five Agencies
4. Added ATF requirements.
5. Improvising on network requirements.
Test and Additional Notes
1 "Log file review should be conducted on a regular basis to validate that log entries have IP identification, user
ID, date and time stamps."
2 "Run password policy test to validate that user account will be disabled after 5 unsuccessful attempts to login
and notification send to administrator".
3 Negative Tests (E.g. FBI only allow people to use VPN or certain token type)
White/Clear-Box Testing Internally Within the Database
4 Scaffolding code (e.g. triggers or updateable views) which support refactoring
5 Existence tests for database schema elements (tables, procedures, ...)
6 Typical unit tests for your stored procedures, functions, and triggers
7 View definitions
8 Referential integrity (RI) rules
9 Default values for a column
10 Data invariants for a single column
Black-Box Testing at the Interface
11 O/R mappings (including the meta data)
12 Incoming data values
13 Outgoing data values (from queries, stored functions, views ...)

35. Link to RTM document:
https://docs.google.com/spreadsheets/d/1kmBn9ebRV8BgO3Yw3l3k8WjH0QjFALGUV
4Zz-dBhmdA/edit?usp=sharing
~ 35 ~

36. References
Adam Hansen (2011). Securing Data in the Cloud & Hosted Environments. Retrieved from
http://www.rackspace.com/blog/securing-data-in-the-cloud-hosted-environments/
Chris Conlon (2011). YaSSL - Securing MySQL. Retrieved from
http://www.yassl.com/files/yassl_securing_mysql.pdf
Data Security Company to Support Transparent Data Encryption, 2014. Retrieved from
http://www.porticor.com/2014/08/data-security-company-support-transparent-data-encryption/
Gilad Parann-Nissany (2012). MySQL in the Cloud. MySQL Journal. Retrieved from
http://mysql.ulitzer.com/node/2267908
Gilad Parann-Nissany (2012). Transparent Data Encryption in the Cloud. MySQL Journal.
Retrieved from http://mysql.ulitzer.com/node/2216221
Gilad Parann-Nissany (2014). Encrypted Data in the Cloud? MySQL Journal. Retrieved from
http://mysql.ulitzer.com/node/3174272
FIPS 140-2, Federal Information Processing Standard (FIPS) 140-2, Security Requirements for
Cryptographic Modules, May 2001.
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems,
March 2006.
Frank Topinka & Amy Jaffe (2013). Data Security. Retrieved from
http://www.enxmag.com/2013_months/march2013/article_HowSecureIsYourDocument_32013.h
tm
Karen Scarfone, Murugiah Souppaya, Matt Sexton (2007). Guide to Storage Encryption
Technologies for End User Devices. National Institute of Standards and Technology
Kristy Westphal (2010). Secure MySQL Database Design. Retrieved from
http://www.symantec.com/connect/articles/secure-mysql-database-design
MySQL 5.7 Reference Manual (2014). Security in MySQL. Retrieved from
http://dev.mysql.com/doc/connectors/en/index.html
MySQL White Paper (2013). Guide to Scaling Web Databases with MySQL Cluster. Oracle
Corporation
MySQL White Paper (2013). MySQL Enterprise Edition Product Guide. Oracle Corporation
MySQL Strategy Whitepaper (2014). A Guide to High Availability. Oracle Corporation
NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems
and Organizations, August 2009.
~ 36 ~

37. NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices, November
2007.
http://wikibon.org/wiki/v/Technology_Risk_Management_for_Virtualized_Sourcing_Strategies
~ 37 ~

38. Appendixes
Exhibit1
~ 38 ~

39. Exhibit 2
~ 39 ~

40. ~ 40 ~