Presentation is loading. Please wait.

Presentation is loading. Please wait.

Convincing your IT Administrator to Poke a Hole in the Firewall for caTissue Suite: Introduction Ian Fore Feb 28, 2011.

Published byHilary Harris Modified over 9 years ago

Similar presentations

Presentation on theme: "Convincing your IT Administrator to Poke a Hole in the Firewall for caTissue Suite: Introduction Ian Fore Feb 28, 2011."— Presentation transcript:

1 Convincing your IT Administrator to Poke a Hole in the Firewall for caTissue Suite: Introduction Ian Fore Feb 28, 2011

2 Guidelines – Institution Considerations 2

3 This is a question of balancing vulnerability against risk Balance 3

4 Much of the security of caTissue (or any application) depends on how it is configured and operated at a specific site Security is the responsibility of specific sites Local Responsibility 4

5 caTissue Application Security Assessment Presented by: Braulio J. Cabral, MSc. IT, MSc. ISS/PM, SABSA, SOACP CBIIT Enterprise Information Security Program Coordinator SAIC-F Feb 23, 2011

6 References Guide for Applying the Risk Management Framework http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf Risk Management Guide for Information Systems http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf Recommended Security Control http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf A Risk-based Security Assessment 6

7 (AC-5) Separation of Duties – M, H caTissue enforces separation of duty by assigning administrators with privilege accounts. Non-administrators cannot create any accounts. (AC-6) Least Privilege – M, H The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks. The access control utilized at the network, database, and application software is set up according to the individual role and minimum necessary privileges to perform their duties. This prevents an individual from having full authority or information access to conduct fraudulent activity without collusion. But only if this is effectively done by the installing site Security Controls Evaluation 7

8 (AC-7) Unsuccessful Login Attempts – L, M, H caTissue which is the main interface for users into the system to upload data, does not support “Unsuccessful Login attempts and does not comply with NIH policy of 6 attempts before blocking the account. Compensating control: The system supports strong password which will make it extremely difficult for a brute force attack to guess the password. The risk associated with this control has been deemed LOW for phase one, considering that the effort to guess the password is higher that the possible value of the information at this phase, the risk will be noted in the PO&M documentation for the system system. Security Controls Evaluation 8

9 Compensating control: If using NIH LDAP, the users are forced to change their password every 60 days. Compensating control: SiteScope monitors on the servers continually look for an excessive number of log-in attempts, triggering an alert to the whole Systems Team in the event of suspicious activity. Audit trails are reviewed as appropriate. AC-11) Session Lock – M, H caTissue supports session lock after prolong inactivity time enforcing the user to re-authenticate. This is controlled by a configurable parameter. (AC-12) Session Termination – M, H (1) caTissue supports session termination after a prolong inactivity time, this is accomplished through a configurable parameter. Security Controls Evaluation 9

10 (AC-14) Permitted Actions w/o Identification or Authentication – L, M (1), H (1) The only actions allowed by the system without authentication are: View summary page, request a new account (i.e. request for access, report a problem and view help. These activities have been classified as allowable and do not represent a risk to the system. (AC-17) Remote Access – L, M (1)(2)(3)(4), H (1)(2)(3)(4) Remote access is provided through a terminal tunneled through SSL. Manual and automated reporting is used to track log-in attempts and to alert Systems personnel of suspicious activity for immediate investigation and resolution. (AU-2) Auditable Events – L, M (3), H (1)(2)(3) The following auditable events are logged by the caTissue system. All logins (successful and unsuccessful attempts), all data entry and edits are recorded in the audit trails. Security Controls Evaluation 10

11 (AU-3) Content of Audit Records – L, M (1), H (1)(2) The audit trails provides record of the user id, date and time of transaction, old entry, new entry and reason for change. AU-7) Audit Reduction and Report Generation – M (1), H (1) caTissue system takes advantage of Oracle’s capabilities to store all data and system changes in journaling table that cannot be modified; you can view and run reports on this data. The Systems Team also has set up checks to generate an alert if anyone attempts to modify the journaling table to provide extra security. - The Oracle database has auditing capabilities to track log-in attempts and other system activity. Automatic alerts notify DBAs and Systems Team members if there are excessive log-in attempts within a specified period. Daily reports on the audit data are emailed to the DBA Team for review and follow-up if appropriate. The audit log gets large quickly, so the data is archived daily and saved indefinitely. Security Controls Evaluation 11

12 (AU-8) Time Stamps – L, M (1), H (1) The audit trail records a date and time stamp, as well as the user id, old entry, new entry, and reason for change. AU-9) Protection of Audit Information – L, M, H Only System Administrations can access the audit logs, which are never destroyed (IA)Identification and Authentication Identification and authentication for the caTissue system is accomplished with the implementation of the following security controls: caTissue (main user interface) is capable of using LDAP (for local IdP) or the Common Security Module (database) for authentication (user name and password). caTissue is also capable of using the caBIG Common security Module (CSM) for authentication (username and password) and for authorization Security Controls Evaluations 12

13 (IA-2) User Identification and Authentication – L, M (1), H (2)(3) caTissue (main user interface) can use LDAP (for local IdP) or the Common Security Module (database) for authentication. This instance is using CSM. Oracle database utilizes Oracle native security controls including administrator user name and password, including failed login attempts, password life time, password reuse time password lock and password verify function. (SC-8) Transmission Integrity – M, H (1)The information system protects the integrity of transmitted information. The transmission (input/output) of the data in the system is protected by utilizing encrypted point to point technology (SSL). (SC-9) Transmission Confidentiality – M, H (1) The confidentiality of the data in transit for the system is protected through SSL tunnel to Security Controls Evaluations 13

14 (SC-10) Network Disconnect – M, H The system times out user sessions at (configurable) minutes of inactivity, requiring the user to log back in to the system to continue. Further, the network connection automatically disconnects at the end of a network session. The network session is terminated after a (configurable) minute interval. (SC-12) Cryptographic Key Establishment and Management – M, H Encryption is only used in the storage of network and system passwords. caTissue encrypts its passwords and does have encryption capabilities for sensitive data if required by the data owner, but this functionality is not in use at this time. caTissue does not use tokens, cards, or other devices to generate or display identification code or password information. Security Controls Evaluations 14

15 Findings and Compensating Controls Use of MD5 as SSL Certificate Signature Algorithm Not related to the application, but to the configuration of the container Cross-Site Request Forgery this is due to the time-to-live of the sessions, if the scanner sends the same session before it expires. Cacheable SSL Page Found Only Style sheets and pics Vulnerability Scanning 15

16 2 of 5] Cross-Site Scripting Severity: High Test Type: Application CVE ID(s): N/A CWE ID(s): 79 (parent of 80,82,83,84,86) Remediation Tasks: Filter out hazardous characters from user input Notes: This is happening in internal pages after the user signs-in; it is a risk to be evaluated by the system owner. For someone to exploit the vulnerability, they will have to put a sniffer between the system and the user’s computer. If successful, it can compromise the PC not the system. So it all depends on the motivation behind the attack. Vulnerability Scanning 16

17 SQL Injection String Tests Summary (43860 results recorded) Failures: 0 Warnings: 0 Passes: 43860 SQL Injection String Test Results loginName Submitted Form State: password: Submit: Login Results: This field passed 14620 tests. Vulnerability Scanning 17

18 SQL Injection String Tests Summary (365500 results recorded) For URL: %$$%^^&&&*** Failures: 0 Warnings: 0 Passes: 365500 Vulnerability Scanning 18

19 Q&A

Download ppt "Convincing your IT Administrator to Poke a Hole in the Firewall for caTissue Suite: Introduction Ian Fore Feb 28, 2011."

Similar presentations

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.

Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Access Control Chapter 3 Part 5 Pages 248 to 252.

Access Control Chapter 3 Part 5 Pages 248 to 252.
Database Management System

Database Management System
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Information Security Policies and Standards

Information Security Policies and Standards
1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.

1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Network security policy: best practices

Network security policy: best practices
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
1 LOGICAL ACCESS FOR University Medical Group Saint Louis University Click the Speaker Icon for Audio.

1 LOGICAL ACCESS FOR University Medical Group Saint Louis University Click the Speaker Icon for Audio.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Similar presentations

Ads by Google