Standard Jet DB (Microsoft Access 11.0 database with a VBA project, "Project1"). The binary pages are not recoverable as text; the readable strings are listed below.

Object names listed in the catalog:
  AdditionalDocumentation, AssetDocumentation, VulnerabilityDocumentation, Vulnerabilities, VUforTH, Threats, ThreatDocumentation, EPforTH, EntryPoints, Countermeasures, CountermeasureDocumentation, CMforVU, CMforTH, ATforTH, Assets, ASforTH, ARforVU, ARforCM, ARforAS, Areas, Admin, AccessLayout

Column sets, in the order they appear:
  DocumentID, DocumentFile, DocumentTitle, Description
  AreaID, AreaName, Description, UseForThreats, UseForVulnerabilities, UseForCountermeasures, UseForAssets
  AssetID, AreaID
  CountermeasureID, AreaID
  ThreatID, AreaID
  VulnerabilityID, AreaID
  AssetID, ThreatID, Damage
  AssetID, DocumentID
  AssetID, AssetName, Description, FixedValue, FixedValuePeriod, RecurringValue, IncludeFixedValue, IncludeRecurringValue, Disabled
  ThreatID, AttackerTypeID
  TypeID, TypeName, Description, ToolsAvailable
  ThreatID, CountermeasureID, MitigationLevel, IncludedInMitigation
  VulnerabilityID, CountermeasureID
  CountermeasureID, DocumentID
  CountermeasureID, CountermeasureName, Description, FixedImplementationCost, FixedCostPeriod, RecurringImplementationCost, DetailedDesign, Implemented, IncludeFixedCost, IncludeRecurringCost, Disabled
  EntryPointID, EntryPointName, Description
  EntryPointID, ThreatID

Area names:
  Operating System
  Software
  Hardware
  Reputation
  Software Modules
  Business procedures
  Users configuration
  Application servers
  Networking
  Data
  Regulations
  Operational

Asset names:
  The stability of the state's economy
  Credit card details
  Trust
  Internal pricelist (Company's internal pricing)
  Customer order details

Asset description text:
  If rates are inaccurate or corrupted and the service is not provided in a stable manner, the public will not trust the service and may look for alternative options causing looser affect
  If the website goes down, due to an exploit, the company will lose sales and will need to report due to privacy and PCI security implications
  Exposure of orders may be a violation of privacy
  If the system is breached, then buyers will not shop at the online site
  At the company's current level of operation, if 1000 credit cards, valid date, address and phone are breached, the company will be liable to a 250000 fine from Visa

Attacker type names:
  State's enemies
  Economist
  Hacker
  Insider
  Web user

Attacker type text fields:
  Access to economist passwords and desktop applications
  Access to the LAN and currency rates database.
  Economist may be interested in tampering with the rates data for gaining personal profit
  Malicious insider may be an employee or a subcontractor of the treasury department.

Countermeasure names:
  Set severe punishments in law against insiders economical crimes
  Do not provide any server or system error code information
  Implement key exchange with entity authentication
  Security officer will have mandate to assure the personal integrity of economists
  Enforce data access via stored procedures with formal parameters content validation
  Implement validation of input fields in rates web pages
  Database login accounts should be given the minimal rights that are necessary for their functionality
  Install firewall

Countermeasure description text:
  The cost estimation is based on the one time expense for purchasing and deploying the appliance by system administration.
  The cost estimation is based on the yearly effort for deploying the policy by system administration.
  Data in database should be manipulated only via stored procedures. The parameters of the stored procedures should be validated for their content before executing the stored procedure. The cost here is the one time effort for developing this software feature.
  Do not pass the MS SQL exceptions to a WebUser without filtering. Replace msg with "Please contact the system admin"
  Key exchange without entity authentication may lead to a set of attacks known as man-in-the-middle attacks. These attacks take place through the impersonation of a trusted server by a malicious server. If the user skips or ignores the failure of authentication, the server may request authentication information from the user and then use this information with the true server to either sniff the legitimate traffic between the user and host or simply to log in manually with the user's credentials.
  Web application account used for retrieving daily rates is assigned with read only permissions. Admin account is given update privileges only on FC rates data. DB administrator is the only account with full rights on the database that can access and modify data. The cost reflects administration effort.
  For example: validate input query string in order query page. The cost expresses the one time effort for developing this software feature.
  Use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Login messages sent from client to backend server should be tagged and checksummed with time sensitive values so as to prevent replay style attacks.

Entry point names:
  The database server (A computer machine on the LAN)
  The economist desktop application for updating rates
  The rates page of the Web application

Entry point description fragments:
  which is available to the economists
  which is available to the public.

VBA project references:
  Visual Basic For Applications
  Microsoft Access 11.0 Object Library
  OLE Automation
  Microsoft DAO 3.6 Object Library
  Microsoft ActiveX Data Objects 2.1 Library