Security Best Practices
Jeremy Wilson
(C) Systems Global
IT security
Agenda
• Security breaches today
• Recent iMIS vulnerabilities
• Attack vector mitigation
• Secure web site implementation
• Penetration testing
• ASI Corporate Security Initiative
• PCI Compliance
• Suggestions and Challenges
Security Breaches Today
• By the numbers…in the US, 2005 to April 2014
– Recorded breaches = 4,455
– Records exposed = 626,327,451
– Cost per record = $188
– Total cost = $117.8B
• Breach attack patterns
– 52% of stolen data due to “hacktivism”
– 40% of breaches incorporated malware
– Malicious or criminal attacks rather than negligence or system glitches
Security Breaches Today
• Primary data breach targets…
– Financial
– Retail
– Government
• Membership organizations emerging
– Controversial missions/philosophies
– Play to the self-anointed judgment of “hacktivists”
– Least likely to have protections in place
Security Breaches Today
• Cyber risk and liability
– Target® breach of 2013…potential company liability of $90/exposed record = $3.6B
– Target® directors and officers also facing derivative suits
– Brand value drops 17-31% after a breach
– Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach
Security Breaches Today – eBay (parts 1 and 2; slide content not transcribed)
Security Breaches Today – iCloud (slide content not transcribed)
Security Breaches Today – Drupal (slide content not transcribed)
Security Breaches Today
• Front page news
• Would your membership / donor base survive something similar?
• What cost to your “brand”?
• Liability
• Does your Level of Investment match the potential cost?
Security Breaches Today
• Refactoring old approaches: many web attack techniques from previous years are constantly being improved. Innovative attack vectors combine new technology functionality with previously known techniques to produce new combinations.
• Encryption: Transport Layer Security (TLS) attack techniques have consistently revealed significant vulnerabilities since 2010. Deep technical white-hat research finds and closes the openings.
• Creativity: new attack techniques seen in 2013 ranged from simple concepts adapted in a unique way to cause a problem, to deep technical and theoretical research on encryption and TLS flaws. Looking at something simple in a new light might be all it takes.
Security Breaches Today
Web security today is both a proactive and reactive process…one must be fully prepared in both aspects to survive in the current threat environment.
Recent iMIS Vulnerabilities
• Staff admin role .aspx files
– Discovered during independent penetration testing by a customer
• Claimsmap file delivery
– Discovered during recent development of more extensive security protection
• Unauthenticated PanelEditor data access
– Discovered during iMIS 20.1 regression and by James Schwartz of Bursting Silver
Recent iMIS Vulnerabilities
• Telerik Document Manager - Avoid the Unsupported Workaround
• It is possible, via direct edits to a .config file and .ascx file in the iMIS system, to enable a Telerik feature called the Document Manager on the ContentHTML iPart. While this technique has been mentioned in pre-iMIS 20 training classes, and on iMIS Community, it has never been supported by ASI. Files uploaded to an iMIS web site in this way cannot be secured, and are available via URL to an unauthenticated user (i.e. anyone on the web). In certain circumstances, the technique can be further exploited to access and/or execute any file on the web site server, which can lead to full system compromise. ASI recommends that use of this technique should be discontinued immediately due to its potential security risk.
Recent iMIS vulnerabilities
• Hotfix for content management .aspx and claimsmap.xml vulnerabilities
– ftp.advsol.com/download/Restricted/Hotfixes/Security/Security_15.1.3-20.0.15(C)Hotfix.zip
• 15.2.15 hotfix for PanelEditor vulnerability
– ftp.advsol.com/download/Restricted/Hotfixes/Security/Security_15.2.15.4667(A)Hotfix.zip
• 20.0.1 hotfix for PanelEditor vulnerability
– ftp.advsol.com/download/Restricted/Hotfixes/Security/Security_20.0.1.420(A)Hotfix.zip
Recent iMIS vulnerabilities
• WSDL exposure – secure the Membership and Query web service files membershipwebservice.asmx and queryservice.asmx
– Only authenticated users with the SysAdmin role should be able to view or manipulate data through either service
– http://docs.imis.com/20.0/#!securingthewebservic.htm
• .NET stack error messages leak system info – create a benign custom error page to redirect to
– In web.config set <customErrors mode="On"> (or mode="RemoteOnly", which keeps full detail only for requests made from the server itself); mode="Off" sends stack traces, file paths and query text to every remote client
– https://www.owasp.org/index.php/ASP.NET_Misconfigurations
– http://weblogs.asp.net/dotnetstories/archive/2009/10/24/five-common-mistakes-in-the-web-config-file.aspx
Keep your errors private
Basic Best Practice
• Custom Error Messages
• Wrong configuration (stack traces and server paths are shown to every client):
    <configuration>
      <system.web>
        <customErrors mode="Off" />
      </system.web>
    </configuration>
• Right configuration (full detail only for requests from the server itself; remote clients are redirected to a benign page, ~/Error.aspx here is illustrative):
    <configuration>
      <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
      </system.web>
    </configuration>
Attack Vector Mitigation
• SQL injection – untrusted data submitted by the user is sent to the SQL interpreter as part of the SQL query. http://en.wikipedia.org/wiki/SQL_injection
– Validate user input
– Don’t build SQL by concatenating strings with user input; use parameterized queries or parameterized stored procedures
– Make sure custom errors are turned on for remote access, so database error messages never reach the attacker
• Cross-Site Scripting – attacks that inject script into a page so that it executes in the victim’s browser in the manner desired by the attacker. http://en.wikipedia.org/wiki/Cross-site_scripting
– Validate input to the web site
– Encode output sent to the browser to stop unsafe JavaScript from running
– Make sure output encoding is context sensitive: HTML body, HTML attribute, JavaScript, URL, …
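The two mitigations above side by side, as an added example that is not part of the presentation or the iMIS product: a members lookup built by string concatenation, which the classic `' OR '1'='1` input turns into a dump of the whole table, beside the parameterized form, where the same input is just a value that matches nothing; then two output encoders, one for HTML context and one for JavaScript-string context, because the HTML encoder alone does not make a value safe inside a `<script>` block. The table, the hostile inputs and the function names are constructed for illustration; only the Python standard library is used.

```python
"""Added example (not from the presentation): parameterized SQL versus string
concatenation, and context-sensitive output encoding for XSS. The members
table and the hostile inputs below are constructed for illustration."""
import html
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small members table like an AMS would hold."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER, email TEXT, role TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        (1, "alice@example.org", "Staff"),
        (2, "bob@example.org", "Member"),
        (3, "carol@example.org", "Member"),
    ])
    return db


def lookup_vulnerable(db: sqlite3.Connection, email: str) -> list:
    # Untrusted input is pasted into the query text, so it is parsed as SQL.
    sql = "SELECT id, email FROM members WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db: sqlite3.Connection, email: str) -> list:
    # Placeholder: the value travels separately from the statement and is
    # never parsed as SQL, whatever quotes or keywords it contains.
    return db.execute(
        "SELECT id, email FROM members WHERE email = ?", (email,)
    ).fetchall()


INJECTION = "' OR '1'='1"   # constructed attacker input


def encode_html(value: str) -> str:
    """HTML body/attribute context: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def encode_js(value: str) -> str:
    """JavaScript string context: emit a JS string literal. json.dumps handles
    quotes, backslashes and control characters; '</' is additionally escaped so
    the value cannot close an enclosing <script> element, and the two Unicode
    line separators are escaped because JS treats them as newlines."""
    return (json.dumps(value)
            .replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


XSS = "<script>alert(1)</script>"   # constructed attacker input
```

In .NET the same two controls are `SqlCommand.Parameters` (or a stored procedure called with `CommandType.StoredProcedure` and parameters) and `HttpUtility.HtmlEncode` / `HttpUtility.JavaScriptStringEncode`; the point of the example is that the encoder must match the context the value is written into.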
Attack Vector Mitigation
• Broken authentication and session management – the most vulnerable point is session key/id hijacking
– Avoid cookieless sessions (session id carried in the URL)
– Avoid homegrown authentication schemes
– Use SSL
– Protect session ids in cookies (Secure and HttpOnly flags)
– Expire sessions early and often
• Insecure Direct Object References – an observable key tied to individual user information and exposed in URLs
– Ultimately direct object references can be exploited due to the lack of proper access control
– Never assume URLs are safe only because they are not visible
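Both bullets above in one request path, as an added example that is not part of the presentation or the iMIS product: a server-side session store that issues random ids, sets the cookie flags the browser enforces and applies idle and absolute timeouts, followed by an invoice lookup that first resolves the session and then scopes the object to its owner, so a guessed or enumerated invoice id in the URL is not enough. `SessionStore`, `INVOICES`, the timeout values and the vulnerable counterpart are constructed for illustration.

```python
"""Added example (not from the presentation): random session ids with cookie
flags and timeouts, plus an object lookup scoped to the session's user.
SessionStore, INVOICES and the timeout values are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDLE_TTL = 20 * 60        # seconds without a request before the session dies
ABSOLUTE_TTL = 8 * 3600   # hard cap regardless of activity


@dataclass
class Session:
    user_id: int
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now                              # injectable clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: int) -> Tuple[str, str]:
        # 256-bit id from the OS CSPRNG; never a counter, timestamp or hash of the username.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user_id, t, t)
        # Flags the browser enforces: HTTPS only, no script access, not sent cross-site.
        cookie = f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
        return sid, cookie

    def resolve(self, sid: Optional[str]) -> Optional[int]:
        """User id for a live session, or None for unknown, idle or expired ids."""
        if not sid:
            return None
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.created > ABSOLUTE_TTL or t - s.last_seen > IDLE_TTL:
            del self._sessions[sid]
            return None
        s.last_seen = t
        return s.user_id

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # call on logout; do not rely on cookie expiry


# Constructed sample data: invoices belonging to two different members.
INVOICES = {
    1001: {"owner": 7, "amount": 120.00},
    1002: {"owner": 8, "amount": 45.50},
}


def get_invoice_vulnerable(invoice_id: int) -> Optional[dict]:
    # The id from the URL is treated as authorization: any caller reads any invoice.
    return INVOICES.get(invoice_id)


def get_invoice(store: SessionStore, sid: Optional[str],
                invoice_id: int) -> Tuple[int, Optional[dict]]:
    """(HTTP status, body): authenticate the session, then authorize against the owner."""
    user_id = store.resolve(sid)
    if user_id is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    # Same 404 for "does not exist" and "not yours", so ids cannot be enumerated.
    if inv is None or inv["owner"] != user_id:
        return 404, None
    return 200, inv
```

On an ASP.NET site the cookie half of this is configuration rather than code: `<httpCookies httpOnlyCookies="true" requireSSL="true" />` and `<forms cookieless="UseCookies" requireSSL="true" slidingExpiration="false" timeout="20" />` under `<system.web>` in web.config. The ownership check has no configuration equivalent; it has to be written into every handler that takes an id from the request.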
Attack Vector Mitigation
• Cross-Site Request Forgery – a malicious web site makes the victim’s browser send a request to a web application the user is already authenticated with
– For protection, randomness is introduced via a CSRF token: a random string known both to the legitimate page where the form is and to the web browser via a cookie. The server rejects any state-changing request in which the form value and the cookie value do not match, and the attacking site can neither read nor set the form value.
• Security Misconfiguration – out-of-date frameworks and libraries, and default or unsafe settings
– Protect sensitive data in web.config
– Get custom error handling under control
– Automate security configuration of web.config settings
– Have a strategy for keeping frameworks and libraries up to date
– Lock down HTTP handlers
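The token scheme described above, as an added example that is not part of the presentation or the iMIS product: the same random token is placed in a hidden form field and in a cookie, and the server accepts a POST only when the two copies match in a constant-time comparison. The token is additionally an HMAC bound to the session id, so a token minted in the attacker’s own session, or planted through a cookie-injection trick, does not validate for the victim. The request shape (dicts of cookies and form fields), `SERVER_SECRET` and the function names are constructed for illustration.

```python
"""Added example (not from the presentation): double-submit CSRF token bound
to the session with an HMAC. SERVER_SECRET and the request shape are
constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Assumed: generated once at process start in a real deployment, never hard-coded.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Random nonce plus an HMAC over nonce|session_id, so a token from one
    session is not valid for another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{nonce}|{session_id}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid(token: str, session_id: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{nonce}|{session_id}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def render_form(session_id: str) -> Tuple[str, Dict[str, str]]:
    """(html, cookies) for a page with a state-changing form: the token goes
    into a hidden field and, as the second copy, into a cookie."""
    token = issue_token(session_id)
    page = ('<form method="post">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '</form>')
    return page, {"sid": session_id, "csrf": token}


def handle_post(cookies: Dict[str, str], form: Dict[str, str]) -> int:
    """HTTP status for a state-changing POST: 403 unless the cookie copy, the
    form copy and the session all agree."""
    sid = cookies.get("sid")
    cookie_tok = cookies.get("csrf", "")
    form_tok = form.get("csrf_token", "")
    if not sid or not cookie_tok or not form_tok:
        return 403                       # cross-site form posts arrive without the hidden field
    if not hmac.compare_digest(cookie_tok, form_tok):
        return 403                       # the two copies must match (constant-time compare)
    if not token_valid(form_tok, sid):
        return 403                       # and must have been issued for this session
    return 200
```

A forged request from another origin carries the victim’s cookies automatically but not the hidden field, which is why the first check alone defeats the basic attack; the HMAC binding covers the case where the attacker can influence cookies. ASP.NET Web Forms has the equivalent built in as ViewState MAC plus `ViewStateUserKey`, and MVC as `@Html.AntiForgeryToken()` with `[ValidateAntiForgeryToken]`.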
Attack Vector Mitigation
• Insufficient Transport Layer Protection – a security weakness caused by not taking any measure to protect the network traffic
– Enable SSL
– Avoid security anti-patterns, such as login over HTTP, embedding login forms in insecure pages, and sensitive data in the URL
Attack Vector Mitigation
• Insecure Cryptographic Storage – not storing sensitive data, such as passwords or financial info, securely
– Store passwords as salted, iterated hashes rather than reversibly encrypted values, so a stolen database cannot simply be decrypted
– Detect excessive failed attempts to shield against brute-force attacks
– Secure private keys
• Failure to Restrict URL Access – an error in access control settings lets a user reach content that is meant to be restricted or hidden
– Use appropriate authorization to restrict access
– Restrict which files IIS is allowed to serve remotely
– Clean up/remove unnecessary files from web directories
– Use virtual directories for web access; separate the URL scheme from the underlying file structure
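The first two storage bullets carried through, as an added example that is not part of the presentation or the iMIS product: PBKDF2-HMAC-SHA256 with a fresh per-user salt and a deliberately high iteration count, constant-time verification, and a failed-attempt counter that locks the account for a period after a run of bad passwords. The `Accounts` class, the lock-out policy values and the test users are constructed for illustration; the iteration count is lowered so the example runs quickly and is not a production recommendation.

```python
"""Added example (not from the presentation): salted iterated password hashing,
constant-time verification, and brute-force lock-out. Accounts and the policy
values are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITERATIONS = 100_000     # kept low so the example runs fast; tune upward to ~100 ms per hash in production
MAX_FAILURES = 5
LOCK_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh 16-byte salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


class Accounts:
    def __init__(self, now):
        self._now = now                          # injectable clock
        self._users: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = {"hash": hash_password(password),
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        u = self._users.get(username)
        if u is None:
            hash_password(password)   # burn the same time as a real check: no username enumeration by timing
            return "denied"
        if u["locked_until"] > self._now():
            return "locked"           # refuse even the right password while locked
        if verify_password(password, u["hash"]):
            u["failures"] = 0
            return "ok"
        u["failures"] += 1
        if u["failures"] >= MAX_FAILURES:
            u["locked_until"] = self._now() + LOCK_SECONDS
            u["failures"] = 0
        return "denied"
```

The stored string carries its own salt and iteration count, so the cost can be raised later for new passwords without breaking existing ones. In .NET the hashing primitive is `Rfc2898DeriveBytes` (PBKDF2); the lock-out logic still has to live in the application or the membership provider, and it should log the lock events, since a burst of them is the signal the slide’s last bullet asks for.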
Attack Vector Mitigation
• Additional resources
– Open Web Application Security Project (OWASP)
– NIST Framework for Improving Critical Infrastructure Cybersecurity
– Verizon 2014 Data Breach Investigations Report
Secure Web Implementation
• Protect each site with a valid SSL certificate and the HTTPS protocol
• Isolate web servers in the DMZ zone
• Protect services in the Trusted zone
• Disallow non-VPN or non-direct RDP access to any server
Secure Web Implementation
• Limit SQL Server access to web-based access…myLittleAdmin
• Restrict file system access to SFTP…BitVise, SecureFX, WinSCP
Penetration Testing
• Process to identify security vulnerabilities in a web application or site by evaluating the system or network with various malicious techniques
• Various end targets…
– Full web site (Amazon, Google, iMIS customer)
– Web application product (iMIS 20 out-of-the-box)
• Various forms…
– Social engineering
– Application security
– Physical penetration
Penetration Testing
• Automated testing tools
– Pros – covers a lot of ground very fast, cost efficient, consistent and repeatable, best suited for rapidly evolving web applications
– Cons – can frequently flag false positives, only as good as the latest signature database of known exploits
• Adaptive (manual) testing techniques
– Pros – follows the black hat mindset, uncovers application-specific combinatorial vulnerabilities, leverages non-related tools, much more rigorous
– Cons – labor-intensive, not easily repeatable, money sink
Penetration Testing
• ASI committed to conducting self penetration testing
– iMIS 20-100/200 and 20-300 platforms
– Integral to pre-EA/GA regression testing
– Employ the Netsparker tool as a start, will likely expand to others
• ASI engaging independent penetration testing services in 2014
– Currently GA iMIS 20-100 and 20-300 platforms
– Adaptive pen testing techniques and methodology
ASI Corporate Security Initiative
• Formed mid-2013 to address the issue of iMIS running as a secure web application for the benefit of our customers
• Focused on three areas to mitigate our risk exposure with the use of the iMIS product
– Web application product development
– Site implementation
– Cloud services
• Phase 1 complete; Phase 2 emphasis on establishing a corporate Software Security Assurance Plan with associated policies/procedures
PCI Compliance
• iMIS PCI Compliant
– Have you enabled it?
• iMIS’s PCI compliance isn’t the end of the story
– Your infrastructure
– Your processes
– YOUR RESPONSIBILITY
Some (obvious) Best Practice Suggestions
• Password policy – complexity & lifetime
– Defaults – anyone still using “manager”?
• Accounts – don’t use “SA”
• Automatic updates – apply them!
• Firewall
• Your staff accounts are (probably) more important than your customers’ accounts
Some security questions to take away
• What percentage of your IT spend is security related? Is this in proportion to the potential impact of a hacker obtaining your contact database?
• Do your staff complain enough about how often they have to change their password, the websites you don’t let them visit or the files that get stripped out of their email?
• How do YOU monitor IT security? What processes have you got in place in case of a breach? How would you know if there was a breach?
• Do you know if you’ve been hacked?
Resources
• Articles
– Verizon 2014 Data Breach Investigations Report - www.verizonenterprise.com/DBIR/2014/
– https://www.owasp.org/index.php/ASP.NET_Misconfigurations
– http://weblogs.asp.net/dotnetstories/archive/2009/10/24/five-common-mistakes-in-the-web-config-file.aspx
• iMIS Security Hotfixes
– ftp.advsol.com/download/Restricted/Hotfixes/Security/Security_15.1.3-20.0.15(C)Hotfix.zip
– ftp.advsol.com/download/Restricted/Hotfixes/Security/Security_15.2.15.4667(A)Hotfix.zip
– ftp.advsol.com/download/Restricted/Hotfixes/Security/Security_20.0.1.420(A)Hotfix.zip
Resources
• Best Practices
– OWASP - www.owasp.org/index.php/Main_Page
– NIST - www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
– www.imiscommunity.com/system/files/SecurityWebImplBestPractices.pdf
– www.imiscommunity.com/system/files/SecurityWebDevBestPractices.pdf
• Tools
– BitVise - bitvise.com
– SecureFX - vandyke.com/products/securefx/
– WinSCP - winscp.net
– myLittleAdmin - mylittleadmin.com
– GreenSQL - www.greensql.com
– Netsparker - www.netsparker.com/