Mongodb-Bilal Rafi
INFORMATION SECURITY
ASSIGNMENT
Equifax bank
Submitted to:
Whoever put this thing online was using an old version they hadn’t reconfigured, or a newer
version with the protection disabled. They might do that for convenience, ignorant or uncaring
about the security implications. (Celesti, Fazio, & Villari, 2019)
Naked Security asked MongoDB why it couldn’t just force developers to turn on authentication
whenever they deliberately removed the remote access protections on the database. A
spokesperson told us:
We respect that our innovative users ask for freedom to set their own course and we do what
we can to keep that possible, while at the same time answering to the standards of care expected
in safety-conscious measured operations. That balance has meant offering both a frictionless
experience for developers and a thorough configuration guide to complex controls like
authentication. We believe setting localhost by default puts users in a mode where they have to
make a conscious decision about their own appropriate path to network safety.
3. Recommend five controls from the 20 CSCs to protect it. Please refer to 20 CSC
document provided.
S.no  CIS CSC                                            Identify  Protect  Detect  Respond  Recover
1.    Secure Configuration of End-User Devices                     IP
2.    Continuous Vulnerability Assessment & Remediation  RA                 CM      MI
3.    Account Monitoring and Control                               AC       CM
4.    Data Protection                                              DS
5.    Application Software Security                                IP
3. The organization suffered heavy losses because it lost many of its customers afterwards.
4. People blamed the organization for its incompetence: it could not even properly protect their personal details.
5. Attackers could alter the data wholesale, replacing the original records with incorrect ones. (Naik et al., 2019)
1. People lost their personal information; they complained that unknown people tried contacting them.
3. Someone illegally accessed users' personal accounts and used their data.
Inventory of Authorized and Unauthorized Devices (Mongodb1, n.d.).
6. For each security issue identified in the previous question, recommend a suitable
control and proper tools. Please refer to 20 CSC document provided.
S.no Security Issue CSC Control Security Tools
7. For the previous question, link each tool with proper risk decision (defence,
transference, mitigation, acceptance, termination).
system.
8. If you have a very low budget for security, which tools you will use? Explain pros and
cons.
Kali Linux
Kali Linux is a Debian-based Linux distribution built for offensive security work, and it is free, which matters on a low budget. It is not recommended for beginners who have no Linux experience. It can also be used for general programming or web development, although it is tuned for penetration testing rather than everyday desktop use. The latest version can be downloaded and installed at no cost, and Kali Linux gives complete control to configure the distribution to your requirements.
Pros and cons:
To enable authentication, create login credentials for each user or process that accesses MongoDB. Suppose several users need administrative access to the database. Instead of sharing credentials, which increases the likelihood that the account will be compromised, issue each person their own credential and assign them privileges according to their roles, as described next (Singh, 2019b). Note that creating users is not enough on its own: access control must also be switched on in the server configuration (security.authorization: enabled); otherwise mongod still accepts unauthenticated connections.
Instead of granting authorizations to individual users, associate authorizations with roles such as application server, database administrator, developer, BI tool, and so on. Predefined roles such as dbAdmin, dbOwner and clusterAdmin are available out of the box. Those roles can be further customized to meet the needs of particular teams and functional areas while ensuring consistent policies across the organization (Singh, 2019a).
One way that data leaks occur is that an intruder gains remote access to the database. Limiting remote connections to the database reduces this risk. The best practice is to allow connections only from specified IP addresses, a practice known as whitelisting (allowlisting). On a self-managed server this means binding mongod only to the addresses that need it (net.bindIp) and restricting the port at the host or network firewall. With MongoDB Atlas, the fully managed service for MongoDB, each Atlas project gets its own VPC. For additional security, customers can enable VPC peering to the private networks housing their applications to prevent access over the public internet (Celesti, Fazio, & Villari, 2019).
In most data leaks, the data is readable by unauthorized users. Encrypting data makes it unreadable to anyone who does not hold the keys to decrypt it.
• Encrypting data at rest. Encrypt the data where it is stored. Encryption at rest (the encrypted storage engine) is not available in MongoDB Community Edition; it requires MongoDB Enterprise or MongoDB Atlas.
• Encrypting data in transit. TLS protects data between clients and the server. MongoDB Atlas enforces TLS on every connection, but on a self-managed deployment TLS is not enabled by default and must be configured (net.tls.mode: requireTLS together with a certificate); otherwise credentials and data cross the network in cleartext.
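As an added example (not code from the original document or from MongoDB itself), the checks above can be applied to a self-managed server's mongod.conf. The script below parses the file and flags the three exposures discussed: access control not enabled, a wildcard bindIp, and TLS not required. The two sample configurations, the file paths and the 10.0.5.12 application-host address are constructed for the example.

```python
"""Audit a mongod.conf for access control left off, listening on every
interface, and TLS not required. Added example using only the standard
library: a small parser for the indented 'key: value' subset of YAML that
mongod.conf uses."""

from typing import Dict, List, Tuple

# Constructed sample: a server exposed the way the article describes.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from anywhere, no authentication required
"""

# Constructed sample: the hardened equivalent (paths and the 10.0.5.12
# application-host address are assumptions for the example).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Flatten mongod.conf's indented key/value YAML subset into dotted keys,
    e.g. {'net.bindIp': '0.0.0.0'}. Comments are stripped; YAML lists and
    quoting are not handled, which is enough for the keys audited here."""
    result: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) path to the current node
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            result[path] = value.strip()
        else:
            stack.append((indent, key.strip()))  # section header: descend
    return result


def audit(conf: Dict[str, str]) -> List[str]:
    """Return findings for the config; an empty list means all checks pass."""
    findings: List[str] = []

    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': creating users "
                        "has no effect and anyone who reaches the port has full access")

    if conf.get("net.bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: the server listens on every interface")
    elif "net.bindIp" not in conf:
        findings.append("net.bindIp is unset: defaults to localhost only on MongoDB 3.6+, "
                        "older packages listened on all interfaces; set it explicitly")
    else:
        addrs = [a.strip() for a in conf["net.bindIp"].split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append("net.bindIp includes a wildcard address: restrict it to "
                            "localhost and the application subnet, and firewall the port")

    # net.tls replaced net.ssl in MongoDB 4.2; accept either spelling.
    tls_mode = conf.get("net.tls.mode") or conf.get("net.ssl.mode", "disabled")
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append("TLS is not required (net.tls.mode): credentials and data "
                        "cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit(parse_conf(text))
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Running it on the weak sample reports three findings and on the hardened sample none. A config that omits bindIp altogether is flagged separately, because the safe localhost default only applies from MongoDB 3.6 onward and the older packages behind many of the exposed instances bound all interfaces.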
9. Individual reflection (Minimum of 200 words): Summarize lessons learned from this
incident.
Even if security or DevOps teams can detect an unsecured database among the noise of security alerting, and recognise its potential severity, responding to and containing such a misconfiguration in less than 13 hours may be a tall order, let alone in under 9 minutes, so prevention is a much stronger defence than cure. For MongoDB, access control has to be set up manually. Secured or not, however, databases should not be directly exposed to the internet: they do not benefit from the multi-factor authentication that other web services have, which leaves them open to credential stuffing and brute-force attacks. Instead, they should be firewalled off or reached only through a VPN. Ideally an organisation has a way of making exposure impossible through policy rather than simply trying to detect it after the fact; most modern cloud platforms can enforce such policies, so organisations that have fully moved to the cloud may benefit here. Detecting exposure when it happens is the next best thing, and a solid backup for when the policy control fails or for environments where policy enforcement is not an option. An external attack-surface scanner such as Intruder can help with the latter: it identifies and prioritises exposed databases on the external infrastructure (Singh, 2019a) and, for MongoDB in particular, reports any unsecured instances it detects. Alongside daily checks for newly emerging threats, such a service monitors for more elementary problems, such as insecure ports and services being opened up to the internet, and its reduced-noise reporting ranks areas of the perimeter to target for attack-surface reduction (Naik et al., 2019).
References
Celesti, A., Fazio, M., & Villari, M. (2019). A study on join operations in MongoDB preserving collections data models for future internet applications. Future Internet, 11(4), 1–17. https://doi.org/10.3390/fi11040083
Chaturvedi, A. (2010). Security Challenges and Solutions in Mobile Smartphone Applications. 9(1), 1–21. https://doi.org/10.21275/ART20204190
Gyorodi, C., Gyorodi, R., Pecherle, G., & Olah, A. (2015). A comparative study: MongoDB vs. MySQL. 2015 13th International Conference on Engineering of Modern Electric Systems (EMES 2015), June. https://doi.org/10.1109/EMES.2015.7158433
Mongodb1. (n.d.).
Naik, S., Dandagwhal, R. D., Wani, C. N., & Giri, S. K. (2019). A review on various aspects of auxetic materials. AIP Conference Proceedings, 2105(05), 90–92. https://doi.org/10.1063/1.5100689
Rama, S., Charan, C., Dasari, T., & Ram, S. (2019). Performance Evaluation of Structured and Unstructured Data in PIG/HADOOP and MONGO-DB Environments. Retrieved from https://repository.stcloudstate.edu/msia_etds/79
Singh, S. (2019a). Security Analysis of MongoDB. International Journal for Digital Society, 10(4), 1556–1561. https://doi.org/10.20533/ijds.2040.2570.2019.0193
Singh, S. (2019b). Security Analysis of MongoDB. Heinz College, Carnegie Mellon University. 10(4), 1556–1561.