Know the Client • Own the Problem • Share the Solution
Security Aspects of Web Site Design
Office of Enterprise Security
(What we look for in web applications and why)
Introduction to Rick Wolfinger
• Began security career in 1983 working for the U.S. Air Force in Electronic Security Command (Okinawa, Japan and SAC Headquarters).
• Responsible for computer and communications systems on SAC Airborne Command Post aircraft and National Emergency Airborne Command Post aircraft.
• Worked as defense contractor in England (6 years) and Denver, Colorado (6 years) supporting United States Department of Defense.
• Began working for State of Michigan October 2002.
Whose Job Is Security?
• How many think security is my job?
• How many think security is your job?
• How many think security is our job?
NOTE: Determining the proper level of security for a web application is not a strictly objective process.
SOM Sees Threats Daily
Typical incidents per day (approx.):
• 1,500 e-mail viruses
• 38,000 scans/probes
• 620 web server attacks
• 3 computer hack attempts
Enterprise Security Orientation Overview
Enterprise Security has created an orientation overview to communicate the following:
• Who we are
• How we can help
• Current projects that help reduce risk of viruses, theft or misuse of data for Michigan citizens, etc.
Questions I Ask & Things I Look For
1. Is the data in this application sensitive? Is it FOIA-able (subject to release under the Freedom of Information Act)?
2. Who are the users?
3. Is this application internet or intranet? If intranet, are there plans to make it internet?
4. Does this application have the Privacy and Security policies on all pages?
5. What is the risk of financial loss to SOM?
6. What is the risk of embarrassment to SOM or the governor?
7. If a login and password are needed, can I page BACK and FORWARD past the login screen?
8. Is there a network diagram available?
9. Does the application allow the use of cookies?
10. Is there an audit process for the application?
Answers to these questions determine what security is needed for an application.
Examples of Bad Password Design
• “If you answer yes to one on-line question, a password will be automatically sent to you.”
• Application designed to accept a password one character long.
• Application designed to accept Social Security Number as password.
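The three designs above can be caught at the point where a password is set. The following validator is an added example written for this page, not code from the presentation or from the State of Michigan: the minimum length and the number of required character classes are assumed values for illustration (policy 1410.17, section 6.6, governs the real thresholds), and `user_ssn` is a hypothetical parameter standing for whatever SSN the application already holds for the user, so that an SSN typed with or without dashes is rejected either way.

```python
import re
from typing import List, Optional

MIN_LENGTH = 8    # assumed minimum for illustration; 1410.17 section 6.6 governs the real value
MIN_CLASSES = 3   # assumed: of lowercase, uppercase, digit, symbol

# Nine digits, with or without the conventional dashes (123-45-6789 or 123456789).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def _digits(s: str) -> str:
    """Strip everything except digits so 123-45-6789 and 123456789 compare equal."""
    return re.sub(r"\D", "", s)


def password_problems(password: str, user_ssn: Optional[str] = None) -> List[str]:
    """Return the reasons a proposed password must be rejected; [] means acceptable.

    user_ssn (hypothetical) is the SSN the application already stores for this
    user, if any, so the SSN-as-password design is caught even without dashes.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:            # rejects the one-character password
        problems.append("too_short")
    if SSN_RE.match(password):                # rejects anything shaped like an SSN
        problems.append("ssn_format")
    if user_ssn is not None and _digits(password) == _digits(user_ssn):
        problems.append("matches_ssn_on_file")
    # Count which of the four character classes appear at least once.
    classes = sum(
        1 for has in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
        if any(has(c) for c in password)
    )
    if classes < MIN_CLASSES:
        problems.append("low_complexity")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, one per bad design plus one acceptable password.
    for pw, ssn in (("x", None), ("123-45-6789", "123456789"),
                    ("123456789", None), ("Correct-Horse-42", None)):
        print(repr(pw), "->", password_problems(pw, ssn) or "ok")
```

The function returns every failing rule rather than stopping at the first one, so the application can show the user all of the reasons at once and the audit log records exactly which rule fired.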
Applications/Servers Security Checklist
• Should be completed 2-4 weeks before application is launched.
• Not intended to be used as a guide during development of application.
• Signed hardcopy should be returned to Office of Enterprise Security.
30 Standards Form the Basis for Security Recommendations
• 1410.17 Michigan State Government Network Security Policy (section 6.6 covers passwords)
• 1310.16 Acceptable Use of the State Telecommunications Network
• 1460.00 SOM Acceptable Use Policy
Cookie Policy
• Our policy regarding cookies is contained in the State of Michigan Privacy Policy, which can be accessed at <http://www.michigan.gov/emi/0,1303,7-102----PP,00.html>.
• Cookies are allowable as long as the home page can be viewed and accessed without cookies.
• In other words, you cannot force a user to accept a cookie upon entering the site's home page. All access to state content or services must be anonymous, that is, without cookies. So the home page must be simply the opening page, in straight HTML, that indicates what the application is for, what it will do, and what types of technology it requires, such as cookies.
• Since some applications cannot function without cookies, the user must be notified IN ADVANCE of their use before proceeding with the online service. The choice of accepting or not accepting the cookie is then entirely up to the user.
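The cookie rules above and question 7 on the "Questions I Ask" slide (can a user page BACK and FORWARD past the login screen?) are both decided by how the application handles its first few requests. The following minimal WSGI application is an added example written for this page, not code from the presentation or from the State of Michigan. It is driven in-process with a constructed request environment, so it runs without a network, and it shows all three rules in one place: the home page is plain HTML that sets no cookie, the session cookie is issued only after the user explicitly proceeds past the notice, and the protected page checks the session on the server for every request and is sent with `Cache-Control: no-store`, so that Back/Forward after logout re-requests it and gets redirected instead of replaying a cached copy. The route paths, the cookie name `somsession`, and the in-memory session store are assumptions for illustration.

```python
"""Added example: home page without cookies, cookie only after consent,
protected page checked server-side and excluded from the browser cache.
Routes, cookie name and session store are assumptions, not SOM code."""
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "somsession"   # assumed cookie name
_sessions = set()               # assumed in-memory store of valid session ids

HOME_HTML = (b"<html><body><h1>Example Service</h1>"
             b"<p>This application requires cookies. "
             b"<a href='/consent'>Continue</a> to accept them.</p></body></html>")
CONSENT_HTML = (b"<html><body><form method='post' action='/consent'>"
                b"<p>Proceeding sets a session cookie.</p>"
                b"<button>Proceed</button></form></body></html>")


def _cookies(environ):
    """Parse the Cookie header into a plain dict (empty if absent)."""
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    return {k: v.value for k, v in jar.items()}


def _session_valid(environ):
    sid = _cookies(environ).get(SESSION_COOKIE)
    return sid is not None and sid in _sessions


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")

    if path == "/" or (path == "/consent" and method == "GET"):
        # Straight HTML, readable with cookies disabled; no Set-Cookie header.
        start_response("200 OK", [("Content-Type", "text/html")])
        return [HOME_HTML if path == "/" else CONSENT_HTML]

    if path == "/consent" and method == "POST":
        # Only after the user explicitly proceeds do we issue a session cookie.
        sid = secrets.token_urlsafe(32)
        _sessions.add(sid)
        start_response("303 See Other", [
            ("Location", "/app"),
            # Secure assumes the service is served over HTTPS.
            ("Set-Cookie", f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure"),
        ])
        return [b""]

    if path == "/app":
        if not _session_valid(environ):
            # Checked on every request: knowing the URL is not enough.
            start_response("303 See Other", [("Location", "/")])
            return [b""]
        start_response("200 OK", [
            ("Content-Type", "text/html"),
            # Keep the authenticated page out of the browser cache so Back/Forward
            # after logout re-requests it (and is redirected above).
            ("Cache-Control", "no-store, no-cache, must-revalidate"),
            ("Pragma", "no-cache"),
        ])
        return [b"<html><body>Protected content</body></html>"]

    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(path, method="GET", cookie=""):
    """Invoke app() with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": method, "HTTP_COOKIE": cookie}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = call("/")
    print("/ sets a cookie:", "Set-Cookie" in headers)
    status, headers, _ = call("/app")
    print("/app without a session:", status)
    _, headers, _ = call("/consent", "POST")
    session_cookie = headers["Set-Cookie"].split(";")[0]
    status, headers, _ = call("/app", cookie=session_cookie)
    print("/app with a session:", status, headers["Cache-Control"])
```

Two points are worth checking in any real application the same way: request the home page and confirm the response carries no `Set-Cookie` header, and request the protected page with no cookie, with a forged cookie, and after logout, confirming each is redirected and that the successful response carries `Cache-Control: no-store`.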
The Secure Michigan Initiative
In order to establish a current baseline, a rapid enterprise-wide risk assessment was conducted in the summer of 2002. It was based upon the guidance and principles of the National Institute of Standards and Technology (NIST) Security Handbook, the International Organization for Standardization (ISO) 17799 security standard, and the Federal Information System Controls Audit Manual (FISCAM) from the General Accounting Office (GAO). The rapid risk assessment covered all areas of IT security, and every agency within the State of Michigan was interviewed for it.
Identity Theft
• The nature of identity theft has changed and the threat today is more likely than ever to come from insiders. (December 3, 2002)
• Complaints to the FTC have more than doubled, to 85,820 last year from 31,113 in 2000. For the first six months of this year, the agency received 70,000 complaints about identity theft. (December 3, 2002)
ID Theft (continued)
National credit reporting numbers are:
• Equifax: 1-800-525-6285
• Experian (formerly TRW): 1-888-397-3742
• Trans Union: 1-800-680-7289
• Social Security Administration (fraud line): 1-800-269-0271
Michigan Online Security Training (MOST)
• MOST is being developed by Enterprise Security in cooperation with Walsh College
• Designed to increase awareness and knowledge of security for SOM employees
• Web-based program contains basic security concepts and a test-your-knowledge module
• Look for “Al” the owl
References
• ID Theft: http://www.usatoday.com/money/workplace/2003-01-23-idtheft-cover_x.htm and http://www.msnbc.com/news/960638.asp
• Viruses get smarter: http://www.computerworld.com/securitytopics/security/story/0,10801,77794,00.html
• Computer Security Audit Checklist: http://www.summersault.com/chris/techno/security/auditlist.html
• Security Audit White Paper: http://www.pestpatrol.com/ProductDocs/PestPatrolAuditorsGuide.pdf
Web Applications…..hackers newest target
• The defensive perimeter of firewalls and intrusion-detection systems that most companies rely on for network security is being bypassed by hackers who have made Web applications their newest targets, security experts warned last week. "Perimeter defense is becoming an irrelevant term," said Kevin Soo Hoo, senior security architect at Cambridge, Mass.-based security consultancy @Stake Inc. "The emphasis [in hacking] is now shifting to the application layer. The Web application is becoming the primary vehicle for attack."
• The increased demand for Web functionality has pushed almost all traffic through Ports 80 and 443 on most Web servers -- typically the only two ports that are left open by most companies. And that's where hackers are turning to gain access to enterprise networks and data, said Soo Hoo. "As a result, the threat model is changing. It makes the firewall no longer the line of defense that it once was."
Source: http://www.stratum8.com/intro.html
Questions and Comments