Protecting Federal Government from Web 2.0 Application Security Risks

Dr. Sarbari Gupta, CISSP, CISA
sarbari@electrosoft-inc.com
Electrosoft
11417 Sunset Hills Road, #228
Reston, VA 20190
www.electrosoft-inc.com



Agenda

•Web 2.0 Fundamentals

•Web 2.0 and the US Feds

•Web 2.0 Risks

•FISMA and Web 2.0


Web 2.0 Fundamentals


[Cartoon] Created by Rob Cottingham at http://mashable.com/2010/08/10/social-media-web-comics/#24865-Noise-to-Signal


What is Web 2.0?

•Social Media/Web Applications such as:

– Facebook/LinkedIn

– Twitter

– RSS Feeds

– Blogs

– Wikis

– Web Chat

– Podcasts

– Mashups

– Photo/Video-sharing

– Virtual Worlds

– …


Characteristics of Web 2.0 Tools

•Applications hosted on Web platform

•Users are Content Creators/Editors

•Highly Interactive

•Supports Rich Content / Media Types

•Easy to Use


Web 1.0 Content Model

[Diagram] Elements: Site Content, Web Platform, Sys Admin, Webmaster, Browser Users, Hackers, Security Controls


Web 2.0 Content Model (I)

[Diagram] Elements: Content, Web 2.0 Tool, Web Platform, Sys Admin, Tool Programmer, Benign Users, Evil Users, Outside Content Providers, Security Controls


Web 2.0 Content Model (II)

•Web 2.0 Clients are Content Creators

•Web 2.0 Server provides

– Data Aggregation from Varied Sources

– Platform for Information Exchange

– Storage for User/Client-created Content

– Segregation between Users (if needed)


Technologies enabling Web 2.0

•AJAX (Asynchronous JavaScript and XML)

•JSON (JavaScript Object Notation)

•REST (Representational State Transfer)

•SOAP (Simple Object Access Protocol)

•and others …


Web 2.0 and the US Federal Government


Drivers for Fed Adoption of Web 2.0

• Jan 21, 2009 – Memorandum on Transparency and Open Government

– Promotes Transparency, Participation and Collaboration

• Feb 24, 2000 – M-09-12, President's Memorandum on Transparency and Open Government – Interagency Collaboration

– Establishes mechanisms to seek participation/collaboration

• Dec 8, 2009 – M-10-06 Open Government Initiative

– Describes 4 Specific Steps for Agencies to implement Open Government


Benefits for Fed Adoption of Web 2.0 Tools

•Increase education/outreach/training

•Allow Rapid dissemination of information

•Support Recruitment

•Promote citizen participation in Government

•Facilitate interactive communication


Fed Policy for Web 2.0

• Apr 7, 2010 – Memo on Social Media, Web-based Interactive Technologies and the Paperwork Reduction Act

– Describes activities that are not subject to the Paperwork Reduction Act (PRA)

• Jun 25, 2010 – M-10-23 - Guidance for the Use of Third-Party Websites and Applications

– Protecting Individual Privacy while using 3rd party websites/tools to engage with public

• Nov 3, 2010 – M-11-02 – Sharing Data While Protecting Personal Privacy

– Promotes data sharing while embracing responsible stewardship


Fed Initiatives for Web 2.0

• GSA / Office of Citizen Services – www.usa.gov; answers.usa.gov; webcontent.gov; http://search.usa.gov; Apps.gov

• CIA – Facebook for recruiting

• HHS – Pandemic Flu Leadership Blog

• USPTO – Collect input towards pending patents

• DoD – Virtual Worlds to simulate terrorism

• Library of Congress – Flickr to make public aware of holdings


Web 2.0 Risks


Web 2.0 Use Cases* for Government

[Matrix] Axes: Sharing Direction (Internal / External) vs. Interaction Level (Individual / Group)

• Inward – Intra-organizational (internal Wikis, SharePoint)

• Inbound – “Crowd-sourcing” (public polls, change.gov)

• Outward – Inter-Institutional (GovLoop, STAR-TIDES)

• Outbound – Govt engagement on commercial Social Media (Twitter)

* “Guidelines for Secure Use of Social Media by Federal Departments and Agencies”, ISIMC, V1.0, Sept 2009


Top Web 2.0 Security Risks

• Spear Phishing*

• Social Engineering*

• Web Application Attacks*

– Cross Site Scripting (XSS)

– Cross Site Request Forgery (XSRF)

– Security Flaws in (Aggregation) Partner Sites

– Weak Authentication Controls

– Information Leakage

– Injection Flaws

* “Guidelines for Secure Use of Social Media by Federal Departments and Agencies”, ISIMC, V1.0, Sept 2009


OWASP Top 10 (2010)

• A1: Injection

• A2: Cross-Site Scripting (XSS)

• A3: Broken Authentication and Session Management

• A4: Insecure Direct Object References

• A5: Cross-Site Request Forgery (CSRF)

• A6: Security Misconfiguration

• A7: Insecure Cryptographic Storage

• A8: Failure to Restrict URL Access

• A9: Insufficient Transport Layer Protection

• A10: Unvalidated Redirects and Forwards


Implications …

•Application Security Vulnerabilities are at the core of Web 2.0 risks

•Web 2.0 Applications provide new avenues for old threats due to their:

– Complexity

– Popularity

– Ubiquity


FISMA and Web 2.0


Federal Information Security Landscape

• Federal Practices in Information Security are driven by REGULATORY COMPLIANCE

– Title III of E-Government Act of 2002 - Federal Information Security Management Act (FISMA)

– Privacy Act of 1974

– OMB Circular A-130, Appendix III

– OMB Memos, …

• FISMA is implemented through NIST guidelines

– Special Pubs 800-37, 800-53, …


NIST SP 800-53 Rev 3

• Title: Recommended Security Controls for Federal Information Systems and Organizations

• Published: August 2009

• Approach: Risk Management Framework

– Categorize Information System

– Select Security Controls

– Implement Security Controls

– Assess Security Controls

– Authorize Information System

– Monitor Security Controls

• 18 families of Security Controls

ID  FAMILY                                   CLASS
AC  Access Control                           Technical
AT  Awareness and Training                   Operational
AU  Audit and Accountability                 Technical
CA  Security Assessment and Authorization    Management
CM  Configuration Management                 Operational
CP  Contingency Planning                     Operational
IA  Identification and Authentication        Technical
IR  Incident Response                        Operational
MA  Maintenance                              Operational
MP  Media Protection                         Operational
PE  Physical and Environmental Protection    Operational
PL  Planning                                 Management
PS  Personnel Security                       Operational
RA  Risk Assessment                          Management
SA  System and Services Acquisition          Management
SC  System and Communications Protection     Technical
SI  System and Information Integrity         Operational
PM  Program Management                       Management


FISMA Definition of “Information Security”

• Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

• (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;

• (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

• (C) availability, which means ensuring timely and reliable access to and use of information.


Parsing the FISMA Definition …

•Assets to be protected

– Information

– Information Systems

• Information needs to be protected for C-I-A

– Confidentiality (C)

– Integrity (I)

– Availability (A)


Web 2.0 Content Model

[Diagram, repeated from slide 9] Elements: Content, Web 2.0 Tool, Web Platform, Sys Admin, Tool Programmer, Benign Users, Evil Users, Outside Content Providers, Security Controls


Web 2.0 Usage Models for Feds

• Fed Users are Web 2.0 Clients – Web 2.0 Server is in the Cloud

– FISMA Controls may suffice to protect the IT resources used by the Fed Users

• Feds Host Web 2.0 Applications/Servers

– FISMA controls provide little or no protection for (citizen) Users


FISMA and Web 2.0 Content

•User supplied Web 2.0 content can be protected for C-I-A per FISMA …

– and yet be dangerous to other Users

•Protecting Users of Government Web 2.0 Apps is …

– not within the scope of FISMA


Introducing Safety & Reliability (I)

•When Government builds a bridge over a river

– Concern #1: Is the bridge reliable?

– Concern #2: Is the bridge safe?

– …

– Concern #n: Is the bridge protected from harm (by Users)?


Introducing Safety & Reliability (II)

• When Government builds a Web 2.0 Application

– Concern #1: Is the underlying Information System protected from harm (by Users)?

– Concern #2: Is the Web 2.0 content protected for C-I-A?

• The concerns that do not currently surface

– Is the Application reliable?

– Is the Application safe?


Final Thoughts

•How do we protect US Federal Government and Citizens from Web 2.0 Risks?

– Promulgate policy to ensure the safety and reliability of Government information systems from the Users’ perspective

– Add security controls to explicitly require safety and reliability checks