attachment_19.docx

The Cybersecurity Technology (CST) Program

CST 620 Lab Experience Report Template Shape  Description automatically generated with medium confidence

CST Lab Experience Report Template

LAB EXPERIENCE REPORT TEMPLATE

[CST 620 PROJECT 5]

PROBING AND SECURING DATABASE MANAGEMENT SYSTEMS

DATE: <Insert Date>

COURSE SECTION #: <Insert Section #> (e.g. 7641, 9040, 9042, etc.)

SEMESTER/TERM: <Insert Term #> (e.g. 2222, 2225, 2228, etc.)

YOUR NAME: <Insert Name>

Use this lab experience report template to document your findings from the lab and make sure to complete all required tasks in each part of the lab and respond to all questions. The template is designed to be used as a guide for your lab and not necessarily a project requirement.

ADDITIONAL LAB GUIDANCE

Below is a list of additional guidance and/or recommendations for your lab experience report:

· Completing the labs: All sections or parts of the labs should be completed as required.

· Answering the lab questions: You are required to answer all the lab questions (if any).

· Taking screenshots: While taking screenshots is recommended in your lab, try to limit them, and only focus on the applicable ones to support your lab report.

· Writing your lab experience report: You are required to write a summary of the lab experience report based on your findings and incorporate them into your final deliverables.

· Using a file name convention: Please change the generic file name of this template to reflect part of your name, the course ID, or the project/lab title.

· e.g. 1: CST620 Project 5 Lab-Securing Database Management Systems

· e.g. 2: CST620 Project 5 Lab-Securing Database Management Systems—John Doe

· e.g. 3: CST620-Project 5 Lab_Securing Database Management Systems (7/15/22)

In compiling your findings, think of how your experience performing the labs is related to the overall project goals. You are required to collect information from the lab to understand potential security challenges, analyze, develop your lab experience report, and incorporate key components in the final project report.

Please make sure to pay attention to each item above and use it as a supplemental guide in addition to the project requirements. Finally, note that successfully completing the lab is important for achieving the overall project goals.

THE REQUIRED LAB QUESTIONS

As a cybersecurity consultant for APX Data Systems (ADS), you were tasked with leading a project team to implement database systems that conform to the HIPAA security rule for one hospital client. The database system should be capable of hosting highly sensitive information such as personally identifiable information (PII), personal health information (PHI), and electronic personal health information (ePHI) to comply with federal regulations. Part of your responsibility was to review, evaluate, and make recommendations with respect to the maintenance of a secure database system for the client. Based on the knowledge and experience gained from the lab, answer the following questions.

PART 2: STARTING THE LAB—Connecting to MySQL Server and Securing the Initial Root Account, Securing MySQL Account with Automated Secure Installation, Creating a New MySQL Admin Account with Privileges, etc.

1. You now know that the installation of MySQL creates only a root user account that has all privileges and can execute any database statement. However, if the root account has no password, the security of MySQL installation is obviously compromised in the sense that anyone can connect to the server as root and be granted all privileges. Besides configuring the security settings, what other security control measures can you implement to make MySQL more secure?

2. What other ways can you configure the security settings to secure a MySQL server installation?

3. Using the secure MySQL installer script, how can you mitigate against having anonymous users’ unauthorized access to the database system?

4. How do you start and switch to MySQL on Kali Linux or a Linux OS in general? Where are MySQL database files stored in Linux? Also, what is the default port for MySQL Server?

5. Once you set up databases, users, and permissions, consider what the daily management of your MySQL databases, user accounts, and privileges look like. Developers, business users, contractors, vendors, and several others need access on a daily or regular basis. How will you manage database credentials as the infrastructure grows based on your experience in the lab so far?

6. How will you ensure each user has as much granular access and only performs specific tasks with assigned privileges and nothing more?

PART 3: MANAGING AND SECURING MYSQL DATABASE SYSTEMS (DBMS)—Creating and Accessing MySQL Databases, Evaluating MySQL Access Control Systems and Account Management, Testing MySQL Access Control and Assigned Privileges, etc.

1. Instead of using 'cst620-admin'@'localhost' in the create user statement, one can decide to use wildcards as in ‘cst620-admin’@‘%’, where ‘%’ is the wildcard in place of localhost'. With wildcard, a user can connect from any client host, but this is not a best practice due to potential security risks. In your opinion, what potential security risks are likely to occur and what security control measures would you take to address it?

2. When a user attempts to connect to a MySQL server, the server accepts or rejects the connection based on Whether the user account is locked or unlocked as one condition. During the connection request, what else must happen for the server to verify a user after providing proper credentials? What constitutes a full identification and what role does it play in this regard?

3. The MySQL server performs identity and credentials verification and accepts the connection only if specified conditions are satisfied. What does the server system use to perform identity and credentials verification? [Hint: the columns in the user table can provide a useful clue].

4. Considering MySQL server authentication, is it possible for the client hostname and username combination of an incoming connection request to match more than one row in a user table? Why or why not?

5. In your opinion, and from MySQL security experience gained so far, why do you think creating remote user accounts instead of local-based accounts can create unintended security vulnerabilities and thus potential threats?

6. Which one of the cst620-user, cst620-user1, and cst620-user2 users cannot deleted another user, database, or table? How can you determine this if at all possible?

7. From a MySQL database security standpoint, your frontend applications may use scripts to interact with the backend database system. Assuming a malicious user or a hacker is trying to conduct SQL injection or cross-site scripting attack, even if the front-end application (e.g. forms) is compromised, why do you think it would still be a challenge for this attacker to alter backend MySQL statements and be able to manipulate the user-supplied data.

8. Security misconfiguration related to such endpoints as application servers, web servers, security appliances, and other platforms pose huge security flaws to security professionals and business leaders. If a malicious actor happens to target your internal network, describe how properly configured MySQL database permissions and firewalls can mitigate any potential compromise?

9. Throughout this lab exercise, you witnessed how MySQL misconfiguration can pose security challenges to database security admins and the profession as a whole. Based on this knowledge do you think enhanced security is a by-product of good security administration? If not, why?

10. Considering the access, version_id, plugin, authentication_string, and password_last_changed parameters of the structure of JSON inside the "Priv" column for cst620-user, what is/are the impact(s) on the MySQL security?

NOTE: Proceed to the next page and use the space provided to compile a summary of your lab experience report. Use additional space as necessary to complete the report.

SUMMARY OF THE LAB EXPERIENCE REPORT

Use the space below to summarize your lab experience report based on your findings from the lab, making sure to complete all required actions in each step of the lab and respond to all questions. Be sure to incorporate a key part of your findings in your final project report for submission to your professor. You may use additional space as necessary to complete the lab.

References

[List your references in APA 7/IEEE format here.]

2

image1.png