Security Aspects of Web Site Design


Security Aspects of Web Site Design Office of Enterprise Security (What we look for in web applications and Why)

Introduction to Rick Wolfinger Began security career in 1983 working for the U.S. Air Force in Electronic Security Command (Okinawa, Japan and SAC Headquarters). Responsible for computer and communications systems on SAC Airborne Command Post aircraft and National Emergency Airborne Command Post aircraft. Worked as defense contractor in England (6 years) and Denver, Colorado (6 years) supporting United States Department of Defense. Began working for State of Michigan October 2002.

Whose Job Is Security? How many think security is my job? How many think security is your job? How many think security is our job? NOTE: Determining the proper level of security for a web application is not a strictly objective process.

SOM Sees Threats Daily. Typical incidents per day (approx.):
1,500 e-mail viruses
38,000 scans/probes
620 web server attacks
3 computer hack attempts

Enterprise Security Orientation Overview Enterprise Security has created an orientation overview to communicate the following: Who we are How we can help Current projects that help reduce risk of viruses, theft or misuse of data for Michigan citizens, etc.

Questions I Ask & Things I Look For
Is the data in this application sensitive? Is it FOIAble?
Who are the users?
Is this application internet or intranet? If intranet, are there plans to make it internet?
Does this application have the Privacy and Security policies on all pages?
What is the risk of financial loss to SOM?
What is the risk of embarrassment to SOM or the governor?
If login and password are needed, can I page BACK and FORWARD past the login screen?
Is there a network diagram available?
Does the application allow the use of cookies?
Is there an audit process for the application?
Answers to these questions determine what security is needed for an application.

Examples of Bad Password Design
“If you answer yes to one on-line question, a password will be automatically sent to you.”
Application designed to accept a password one character long.
Application designed to accept Social Security Number as password.
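As an added illustration (not from the presentation), a password-acceptance check that refuses the last two designs on the slide: a one-character password and a Social Security Number used as the password. The minimum length and the SSN pattern are assumptions.

```python
import re
from typing import List, Optional

# Assumed policy values; the slide gives no specific minimum length.
MIN_LENGTH = 8
# Nine digits, with or without the usual dashes (123-45-6789 or 123456789).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def password_problems(password: str, user_ssn: Optional[str] = None) -> List[str]:
    """Return the reasons a password should be refused; an empty list means acceptable.

    user_ssn is the SSN already on file for the user (if the application holds one),
    so a password that merely repeats it is refused as well.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if SSN_RE.match(password):
        problems.append("looks like a Social Security Number")
    if user_ssn is not None:
        # Compare digits only so "123-45-6789" and "123456789" count as the same value.
        if re.sub(r"\D", "", password) == re.sub(r"\D", "", user_ssn):
            problems.append("matches the user's own Social Security Number")
    return problems


if __name__ == "__main__":
    for candidate in ["a", "123-45-6789", "correct horse battery"]:
        print(repr(candidate), "->", password_problems(candidate) or "acceptable")
```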

Applications/Servers Security Checklist. Should be completed 2-4 weeks before the application is launched. Not intended to be used as a guide during development of the application. A signed hardcopy should be returned to the Office of Enterprise Security.

30 Standards form the basis for Security Recommendations
1410.17 Michigan State Government Network Security Policy (section 6.6 for password information)
1310.16 Acceptable Use of the State Telecommunications Network
1460.00 SOM Acceptable Use Policy

Cookie Policy Our policy regarding cookies is contained in the State of Michigan Privacy Policy that can be accessed as follows <http://www.michigan.gov/emi/0,1303,7-102----PP,00.html>. Cookies are allowable as long as the home page can be viewed and accessed without cookies. In other words, you cannot force a user to accept a cookie upon entering the site's home page. All access to state content or services must be anonymous - without cookies. So the home page must be simply the opening page in straight HTML that indicates what the application is for, what it will do and what types of technology are required, such as use of cookies. Since some applications cannot function without the use of cookies, the user must be notified IN ADVANCE of their use before proceeding with the online service. So the choice of accepting or not accepting the cookie is totally up to the user.
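An added example (not part of the presentation) that turns two of the review points above into an offline check: the cookie policy, under which the home page must be viewable without setting a cookie, and the earlier question of whether a user can page BACK and FORWARD past the login screen. It runs over constructed HTTP response records in an assumed format; the record fields and the sample site are assumptions, not the office's tooling.

```python
from typing import Dict, List

# Each record describes one fetch: the path, the status, the response headers,
# whether the page requires login, and whether a session cookie was sent with
# the request. The format is assumed for this example.
Response = Dict[str, object]


def header_values(resp: Response, name: str) -> List[str]:
    return [v for (k, v) in resp["headers"] if k.lower() == name.lower()]


def review_findings(responses: List[Response]) -> List[str]:
    findings = []
    for r in responses:
        path, status = r["path"], r["status"]
        # Cookie policy: the home page must work without cookies, so it may not set one.
        if path == "/" and header_values(r, "Set-Cookie"):
            findings.append(f"{path}: home page sets a cookie")
        if r.get("requires_login"):
            if not r.get("session_sent") and status == 200:
                # Paging FORWARD past the login screen: a direct request with no
                # session should be redirected or refused, not answered with content.
                findings.append(f"{path}: served without login")
            if r.get("session_sent"):
                # Paging BACK after logout: content served to a logged-in user must
                # not be cacheable, otherwise the browser replays it from cache.
                cc = ",".join(header_values(r, "Cache-Control")).lower()
                if "no-store" not in cc:
                    findings.append(f"{path}: cacheable after login (no Cache-Control: no-store)")
    return findings


# Constructed sample: one good page, one bad home page, one page reachable without
# login, and one logged-in page that the browser is allowed to cache.
SAMPLE: List[Response] = [
    {"path": "/", "status": 200, "headers": [("Set-Cookie", "sid=abc123")]},
    {"path": "/help", "status": 200, "headers": [("Content-Type", "text/html")]},
    {"path": "/account", "status": 200, "headers": [], "requires_login": True, "session_sent": False},
    {"path": "/account", "status": 200, "headers": [("Cache-Control", "private")],
     "requires_login": True, "session_sent": True},
]

if __name__ == "__main__":
    for finding in review_findings(SAMPLE):
        print(finding)
```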

The Secure Michigan Initiative In order to establish a current baseline, a rapid enterprise-wide risk assessment was conducted. This assessment, conducted in the summer of 2002, was based upon the guidance and principles from the National Institute of Standards (NIST) Security Handbook, the International Standards Organization (ISO) 17799 Security standards, and the Federal Information Systems Controls Audit Manual from the General Accounting Office (GAO). This rapid risk assessment covered all areas of IT security. Every agency within the State of Michigan was interviewed for the rapid risk assessment.

Identity Theft The nature of identity theft has changed and the threat today is more likely than ever to come from insiders. December 3, 2002 Complaints to the FTC have more than doubled, to 85,820 last year from 31,113 in 2000. For the first six months of this year, the agency received 70,000 complaints about identity theft. December 3, 2002

ID Theft (continued). National credit reporting numbers are:
Equifax: 1-800-525-6285
Experian (formerly TRW): 1-888-397-3742
Trans Union: 1-800-680-7289
Social Security Administration (fraud line): 1-800-269-0271

Michigan Online Security Training (MOST)
MOST is being developed by Enterprise Security in cooperation with Walsh College.
Designed to increase awareness and knowledge of security for SOM employees.
Web-based program contains basic security concepts and a test-your-knowledge module.
Look for “Al” the owl.

References
ID Theft: http://www.usatoday.com/money/workplace/2003-01-23-idtheft-cover_x.htm and http://www.msnbc.com/news/960638.asp
Viruses get smarter: http://www.computerworld.com/securitytopics/security/story/0,10801,77794,00.html
Computer Security Audit Checklist: http://www.summersault.com/chris/techno/security/auditlist.html
Security Audit White Paper: http://www.pestpatrol.com/ProductDocs/PestPatrolAuditorsGuide.pdf

Web Applications... hackers' newest target. The defensive perimeter of firewalls and intrusion-detection systems that most companies rely on for network security is being bypassed by hackers who have made Web applications their newest targets, security experts warned last week. "Perimeter defense is becoming an irrelevant term," said Kevin Soo Hoo, senior security architect at Cambridge, Mass.-based security consultancy @Stake Inc. "The emphasis [in hacking] is now shifting to the application layer. The Web application is becoming the primary vehicle for attack." The increased demand for Web functionality has pushed almost all traffic through Ports 80 and 443 on most Web servers -- typically the only two ports that are left open by most companies. And that's where hackers are turning to gain access to enterprise networks and data, said Soo Hoo. "As a result, the threat model is changing. It makes the firewall no longer the line of defense that it once was." Source: http://www.stratum8.com/intro.html

Questions and Comments