Implementing Secure Linux Database System - Assignment Example

Name Tutor Course Date Implementing a Secure Linux Database Introduction ACME Software Solutions is a corporate that specializes in developing websites for business enterprises that can either be large or small. Basically, they design websites that introduce the majority of customers to the services and commodities that are being provided by their clients. Sometimes back, a security analyst was hired by ACME Software Solutions; so as to be capable of safe-guarding their database-server after their security system had experienced a number of thwarting compromises. Despite a minimal fortune being spent and the salesman giving his assurance, the safe-guarding occurrences, specifically on the database-server continued. For instance, the security incidences on the database-server comprised the following: the IPTables was run by the server, but only after being permitted by the DAC file; the database server was only capable of running a custom-middleware that had been coded in Ruby; the majority of websites used the database server as a back-end; and the database server was only able to run MySQL on Ubuntu 9.04. My Role ACME Software Solutions have employed me as an external security contractor in order to assist it re-formulates the security design of its database. During the preliminary conference at the offices of ACME, the following are pointed out by the ACME CEO: a gargantuan amount of money was spent while safeguarding the database-server, but no one comprehends how it operates; the operating system that is being employed in ACME is outdated and thus needs proper justification for it to be updated; the database is not secure and thereby complicating life; and logging of the system is not effective. Also, the ACME CEO pointed out that: individuals are capable of doing anything they want and this ought to be minimized; he is not eager to spend an additional expense to enhance the security functionality of the company unless he is given with a proper reason; he is not eager to accept any proposal but prefers seeing examples that are practical, such as screen-shorts e.g. of commands and their results of the things that are being proposed; and the proposed system should be “ISO 27001 compliant,” so as to be capable of meeting the expectations of customers. Basing on my role, this paper will thus scrutinize the implementation a Linux Database System. In doing so, it will look at the following: identify common limitations that are associated with defaulting setups of MySQL/Linux databases; how the setup that is in ACME Software Solutions is incapable of meeting its security requirements; a plan illustrating how the present setup of MySQL/Linux can be altered, so as to be capable of using the functionality that is in existence without extra security tools; and a plan illustrating how the security functionality that is in existence may be added to use support-systems and extra tools. Furthermore the paper will also scrutinize the following: a proposal with regards to how the internal security model of the database can be fundamentally re-configured to maximize security, and at the same time reducing the impact it has on services that are in existence; and a proposal for implementing an “ISO 27001 compliant ISMS,” to be used by the database server, and thus covering the risk critique, risk evaluation, risk treatment; residual risk; ownership, and risk management. Identification of Security flaws, which are common in Linux-based Systems The security flaws in Linux-based systems are likely to occur because we normally get bogged down in the vulnerabilities of the OS-level and overlook the concerns of Layer 7. This trap is dangerous because it is vulnerable to an attack of any Linux-based system. Actually, many security flaws in Linux-based systems are in Layer 7, i.e. the application layer, even if it is as result of common misconfigurations, or with OpenSSL, PHP, or Apache. This is because this vulnerabilities can be accessed through the HTTP (hyper-text transfer protocol) and thereby, being open to the globe (Tajima 37). In Linux-based systems, the security flaws that are common include cross-site scripting; lack of SSL enforcement that is consistent in the website; SQL injection; and encryption SSL ciphers being far below 128 bits. Idyllically, the Linux-based setup for ACME Software Solutions is unlikely to meet up the company’s security requirements because it is vulnerable to the following security flaws: PHP code injection, which permits malicious codes to be executed directly; employing HTTP GET to pass user logins rather than POST requests thus creating a situation that permits escalation of privilege at the OS levels as well as web application; presence of weaker passwords that are easier to guess; its directories/files are weak and thus it is easier to enumerate the system; and its Apache version, or PHP version is outdated. Proposal for getting better the Linux-system security without additional security tools In view of the fact that Linux operating system operates online, it ought to be secured. Ideally, the security system of ACME Software Solutions can be improved without adding new security tools. That is, in order to improve their security system, their existing system can be altered so as to be capable of: making the most of keyring; updating user password; and updating security facets. The current setup of Linux-based security system for ACME Software Solutions can be altered as per diagram below Figure 1: Altering Linux setup without new security system (Perry 46) Configuring the Linux setup as per the diagram above will assist in minimizing the security flaws. This is because the “system call interface module will be capable” of permitting access to user processes, but only to the resources that the kernel exploits explicitly (Perry 46). To that effect, the user processes will not fully depend on the kernel to an interface that is well-defined, and which infrequently changes, despite the alterations in the implementation, particularly of other modules of the kernel (Monroe 50). Proposal for getting better the Linux-security System with new Security Tools The Linux-based security system of ACME Software Solutions can be improved by adding new security tools. For instance, Network device drivers can be introduced to enhance communication with the hardware devices. Furthermore, the device independent interface can be introduced, so as to give a view that is consistent regarding all hardware devices. Also, the network protocol can added to the existing system of ACME Software Solutions, so as to implement the probable network-support protocols. And finally, the existing security system can be supplemented with “The Protocol Independent Interface Module,” that will be useful in providing an autonomous interface of network protocols and/or hardware devices (Rusling 17). The system administrator will configure the new devices as per the diagram below: Figure 2: Altering Linux setup with new security system (Soni 204) Proposal for enhancing the Internal Database Security It is of necessity for the database internal-security model of ACME Software Solutions to be fundamentally re-configured, so as to maximize security and at the same time minimize its effect on the services that are in existence. For this to be performed successfully, a database administrator ought to determine the environment variables that he/she would use, as well as particular variables that the security predicate will be able to check. Nonetheless, the administrator should employ manifold probable combinations together with website details, so as to be capable of blocking any attempt by an intruder (Bertino 12). Ideally, it is of necessity for the database administrator to develop a scheme that is separate, so as to act as a place-holder for almost all security implementation definitions that have been employed. In actual fact, a database administrator should create all objects. This will enable this username to have no access and thereby being unable to log-in to the company’s database. To that effect, the security definitions that ACME owns will be protected. Furthermore, the packages and data of ACME software solutions ought to be encrypted so as to protect the data that is sensitive (Garlan 59). This encryption can be done by use of a static key that is defined in the processes that are external, or which are stored in the company’s database. Basically, it is of necessity for the encryption components to be split by the administrator, so as to escalate the intricacy of the environment as well as the needed effort from probable interlopers to retrieve the entire information, which is needed in decrypting the secured data. Supremely, it is of necessity that that the encrypted data should manipulated by the database administrator. As a matter fact, the database administrator of ACME Software Solutions should also: enhance the security of the environment; and audit access, especially of the data that is sensitive regardless of the access. An Implementation Proposal for an “ISO 27001 Compliant ISMS” for the Database Server ISO 27001 is a standard way of establishing and sustaining security of information systems in corporations (Tanenbaum 36). It is a standard that is open, and which puts down building blocks that are wide, so as to establish the management system. To that effect, the guidelines of an ISO 27001 ISMS (information security-management system) ought to be used by ACME Software Solution in shaping it with regards to organizational requirements. Nevertheless, the management of ACME Software Solutions ought to comprehend manifold risk assessment methodologies. Indeed, in assessing risks, the company can employ FMEA (failure-mode effect analysis) method. Therefore, the company ought to come up with situations that are likely to have an effect on the availability, privacy, and veracity of information. Idyllically, it is vital to maintain organizational culture while coming up with risk assessment processes. Typically, the risk-treatment plan that the will design should be on the basis of the risk assessment method. Prior to selecting a risk control, this company ought to take on a cost-benefit critique of the information asset value as well as the control value. It is mandatory to control risks, but if the company is not interested in setting-up security control then it ought to elucidate that in its applicability statement. After selecting the risk control methodologies, a program of an ISO 27001 ISMS-implementation ought to then be developed by the company (Wirzenius 113). This program will involve putting-up guidelines, strategies, and processes, and then arranging the risk control methods that will be capable of mitigating the risks that have been identified. Actually, it is of good to manage the security controls centrally. In order to validate security spending, organizations may employ metrics, a method that is applicable to technological solutions. Then, the security team of ACME Software Solutions ought to assess whether the security controls that have been implemented provide the expected outcome. If not, they should give a corrective action (Parker 86). Conclusion While identifying the security flaws that are common in Linux-based systems, ACME Software Solutions will be able to: get better their Linux-based system without or by introducing new security tools; enhance their database security that is internal; and implement an ISO 27001 ISMS, for their database-server. In doing this, it will have re-formulated the security design of their database and thus, making it more secure. Works Cited Bertino, Sandhu. “Secure and Dependable Computing: Database Security”. IEE Transactions 2.1 (2005): 3-17 Garlan, David. Introduction: Software Architecture. 2nd ed. Chicago: World Scientific, 1994 Monroe, Robert. “Architectural Objects, Styles and Design Patterns.” IEEE Software 3.2 (1997): 45-50 Parker, Timothy. Slackware Linux: Unleashed. 4th ed. Indianapolis: Sams Publishing, 1997  Perry, Dewayne. “Software Architecture: A Study Foundation.” Software Engineering Notes 16.3 (1992): 41-49  Rusling, David. The Linux Kernel. 6 Aug. 2009, 24 Jul. 2010 Soni, Nord. “Software Architecture: Industrial Applications.” IEEE ICSE 5.6 (1995): 197-207 Tajima, Keishi. Security Flaws detection in Databases. 3rd ed. Management: ACM Sigmoid, 1996 Tanenbaum, Andrew. Modern Operating Systems. 6th ed. New York: Prentice Hall, 1992 Wirzenius, Lars. A Guide to Linux System Administrator. 12 Nov. 2009, 24 Jul. 2010 Read More