COMP3357 Managing Cyber Risk


COMP3357 Managing Cyber Risk
Richard Henson, University of Worcester, March 2017

Week 7 – Assessing Risk based on Information System architecture
Objectives:
- Understand data modelling for relational databases
- Relate Context Diagram/Level 1 DFD to an Entity Relationship Model
- Relate external data flow to internal data stores… identify those that are potentially high risk
- Balance the risk between:
  - having high-risk data stores open to the Internet, allowing employees in the field to do their jobs
  - v. external attack on data

In the beginning was the database… (!)
- Ideally, an organisation should model its data into a logically linked data structure…
- write queries to ask questions of that data structure
- guard the completed database structure & queries like it’s Fort Knox!

“Flatfile” data stores and Databases
- Some so-called databases in organisations are just lists of data organised according to “fields” (e.g. spreadsheets…)
  - retrieval of search strings or numerical data can take a looonnnggg… time
  - sometimes many such datafiles!
- A proper database logically links data:
  - hierarchically
  - relationally
  - object-oriented
- Relational still popular, mainly because of SQL

SQL keeps on giving!
- SQL invented… back in 1967(!)
  - navigate through links to retrieve data
  - store new data in the appropriate place in the structure
- ORACLE made relational databases/SQL popular for small systems (1988)
- Web connectivity/SQL made relational databases usable remotely

Relational Databases
- Tight data structure
  - saved data can be rapidly located…
- Real advantage of a true relational database…
  - SQL can be used for read/write & query database operations across the whole system
- BUT… it all has to be properly designed

Database Design (1)
- Same principles apply as with any other relational database management system (RDBMS)…
  - identify entities (data “objects”)
  - produce entity relationships (links)
  - define logical relationships between entities (using one/more common attributes)

Database Design (2)
- For an optimised structure…
  - make sure data is fully normalised
  - create tables & links
  - create scripted SQL statements to:
    - extract data from specific fields in particular tables
    - put data into specific fields in particular tables
- If “self-taught”, a dynamic web developer may be unaware of data modelling…
  - may build the data round the processing…
  - should be the other way round (!)

Resolving the “Many-Many” relationship
- Essential… many information systems have failed through lack of knowledge of entity modelling…
- Product and Customer: a many:many relationship…!!!

Link Entity…
- Many of each won’t work!
- option 1: “programme” the whole thing from scratch as an OO database, allowing “repeats” (!)
- option 2: use a Relational Database… and use “link” entities to remove the many:many problem
  - Product – XYZ (order?) – Customer

Relational Data Model: is one more entity enough?
- One customer makes the order
  - can make multiple orders
  - 1:many relationship
- One or more products… make the order
  - but product and order are still many:many
- Product & Order need a further entity between them…

Possible basic data (entity) model for a Shopping System
- Entities: customer, order, order line, product
- No entity relationships shown!
- Where does the Shopping Cart fit?

Possible “sales” Data Model with entities/attributes added
- Field names may vary but the principle is the same…
- Queries: field names must match with server script variables (parameters)
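To make the link-entity idea concrete, here is an added example (not code from the lecture slides) that builds the customer/orders/orderlines/products model from the preceding slides as a SQLite schema in Python, with "orderlines" as the link entity between orders and products; the table and column names and the sample rows are assumptions constructed for illustration.

```python
# Added example, not from the lecture slides: the shopping-system entity model
# (customers -> orders -> orderlines <- products) as a relational schema in
# SQLite. "orderlines" is the link entity that resolves the many:many between
# orders and products. Names and sample rows are assumptions for illustration.
import sqlite3

SCHEMA = """
CREATE TABLE customers (customer_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE products  (product_id INTEGER PRIMARY KEY, title TEXT NOT NULL,
                        price_pence INTEGER NOT NULL CHECK (price_pence >= 0));
-- 1:many: each order carries the key of the one customer who made it.
CREATE TABLE orders    (order_id INTEGER PRIMARY KEY,
                        customer_id INTEGER NOT NULL REFERENCES customers(customer_id));
-- Link entity: one row per (order, product) pair, so an order can hold many
-- products and a product can appear on many orders, with no repeating groups.
CREATE TABLE orderlines (order_id   INTEGER NOT NULL REFERENCES orders(order_id),
                         product_id INTEGER NOT NULL REFERENCES products(product_id),
                         quantity   INTEGER NOT NULL CHECK (quantity > 0),
                         PRIMARY KEY (order_id, product_id));
"""

def open_shop_db():
    """In-memory database with the schema and constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # make the links enforced, not advisory
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "Ann"), (2, "Bob")])
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(10, "Blue Album", 999), (11, "Red Album", 1299)])
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(100, 1), (101, 1), (102, 2)])
    conn.executemany("INSERT INTO orderlines VALUES (?, ?, ?)",
                     [(100, 10, 2), (100, 11, 1), (101, 11, 1), (102, 10, 1)])
    conn.commit()
    return conn

def order_total_pence(conn, order_id):
    """Walk orders -> orderlines -> products to price one order."""
    row = conn.execute(
        "SELECT COALESCE(SUM(ol.quantity * p.price_pence), 0) FROM orderlines ol "
        "JOIN products p ON p.product_id = ol.product_id WHERE ol.order_id = ?",
        (order_id,)).fetchone()
    return row[0]

def orders_containing(conn, product_id):
    """The many:many side via the link entity: every order a product appears on."""
    rows = conn.execute("SELECT order_id FROM orderlines WHERE product_id = ? ORDER BY order_id",
                        (product_id,)).fetchall()
    return [r[0] for r in rows]
```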

Data Model to include sales, purchasing, HR, accounts (1)
- A typical retail organisation will have to:
  - buy/store goods
  - sell those goods (with value added?) at a higher price
- Need a digital information system to manage all of this…
  - minimal human intervention (!)

Data Model for Online Shop
- Entities: Orderlines, Suppliers, Customers, Stock, Orders, Employees, Products

Data model including fields (music shop…)

Additional Function…
- For completeness, the data model will need an “accounts” or “admin” function
  - link to “orders” entity
  - store financial data
  - interact with relevant external agencies…

Accessing a database (Internally & Externally)
- Internal: use an Intranet…
- External: use an Extranet
- Use server scripts with embedded SQL commands to link to and communicate smoothly with database tables

Server Scripts
- Very different from client-side embedded code… (!)
  - provide close control of relational databases via SQL commands…
  - run only on a web server
  - only interact with client & HTML browser through a client-server model

Demands of Applications using centralised data storage!
- If a remote web app is to be used… the database must be:
  - secure
  - readily accessible (read) from all clients
  - alterable (write) only by specific persons

How Server Scripts can Interact with Databases
- Contain embedded SQL code that can extract data from or send data to a database

How Server Scripts can Interact with Databases
- Whenever a database is updated…
  - updated data picked up by server script when it runs
  - updated data displayed on client

How Server Scripts can Interact with Databases
- Whenever a browser form captures data…
  - data transferred directly to relevant server
  - then stored in specified database field(s)

How Server Scripts Interact with Databases
- Whenever database information needs to be presented:
  - database fields and records taken into server memory
  - data sent to local machine to be displayed within an HTML format

Remote Parameter Passing
- Essential in web searches
  - find a match with database contents using keyword(s)
- Essential for online shopping
  - product selection
  - passing data into a remote SQL query
- Parameters need to be secure when passed to/from a remote source
  - otherwise, false data can be introduced

Mechanism for variable passing between Dynamic Web Pages
- Use HTML “forms” <form>..... </form>
- HTML “GET” or “POST”?
- Disadvantages of HTML “GET” function:
  - parameter/s tagged on to the URL
    e.g. GET www.address/thetest.aspx?firstname=richard&password=holidays&lastname=henson&action=transferbankfunds
  - v. long URLs…
  - PLUS… easily changed by man-in-the-middle attack

Protecting Database Queries
- Essential, and relatively inexpensive
  - so an obvious course of action?
- BUT…
  - code generator may not make validation options obvious
  - may require programming skills (!)
- best practice to have…
  - client-side validation (on HTML form)
  - AND server-side validation (on search strings that invoke an SQL query)
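As an added example (not the lecture’s own code), here is what the server-side validation of a search string and a parameterised SQL query look like in Python with SQLite; the products table, the allow-list and the sample rows are assumptions constructed for illustration.

```python
# Added example, not from the lecture slides: server-side validation of a
# search parameter before it reaches an SQL query, and a parameterised query so
# the parameter is always bound as data, never spliced into the SQL text.
# The products table, allow-list and sample rows are assumptions for illustration.
import re
import sqlite3

# Allow-list for a product-search keyword: letters, digits, space, a few
# punctuation marks, 1..40 characters. Anything else is rejected outright.
KEYWORD_RE = re.compile(r"[A-Za-z0-9 '&%_.-]{1,40}")

def validate_keyword(raw):
    """Return the trimmed keyword if it passes the allow-list, else None."""
    keyword = raw.strip()
    return keyword if KEYWORD_RE.fullmatch(keyword) else None

def escape_like(keyword):
    """Escape LIKE wildcards so user text matches literally, not as a pattern."""
    return (keyword.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))

def search_products(conn, raw_keyword):
    """Validate, then query with a bound parameter (never string concatenation)."""
    keyword = validate_keyword(raw_keyword)
    if keyword is None:
        raise ValueError("search keyword rejected by server-side validation")
    pattern = "%" + escape_like(keyword) + "%"
    rows = conn.execute(
        "SELECT title FROM products WHERE title LIKE ? ESCAPE '\\' ORDER BY title",
        (pattern,)).fetchall()
    return [r[0] for r in rows]

def demo_db():
    """In-memory products table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (product_id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO products (title) VALUES (?)",
                     [("Blue Album",), ("Red Album",), ("O'Neil Live",), ("100% Hits",)])
    return conn
```

The client-side check on the HTML form can mirror the same allow-list, but only the server-side check is trusted, because the form can be bypassed or the GET parameters edited in transit.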

Conclusion
- Relational databases still very popular
  - Need correct design
  - Dependent on SQL queries
- Query strings (parameters) between internal and external agencies
  - often use HTML
  - can be a big (non-coding) vulnerability
  - important to identify and label

Further Reading
- The GDPR will dominate developments over the next couple of years. Here is a good summary of GDPR and security of web apps: https://www.united-security-providers.com/blog/the-impact-of-gdpr-on-companies-providing-web-access-to-applications/