
Page 1: Security Aspects of Web Site Design Office of Enterprise Security (What we look for in web applications and Why)

Know the Client • Own the Problem • Share the Solution

Security Aspects of Web Site Design

Office of Enterprise Security (What we look for in web applications and Why)

Page 2: Introduction to Rick Wolfinger

• Began security career in 1983 working for the U.S. Air Force in Electronic Security Command (Okinawa, Japan and SAC Headquarters).

• Responsible for computer and communications systems on SAC Airborne Command Post aircraft and National Emergency Airborne Command Post aircraft.

• Worked as defense contractor in England (6 years) and Denver, Colorado (6 years) supporting United States Department of Defense.

• Began working for State of Michigan October 2002.

Page 3: Whose Job Is Security?

• How many think security is my job?

• How many think security is your job?

• How many think security is our job?

NOTE: Determining the proper level of security for a web application is not a strictly objective process.

Page 4: SOM Sees Threats Daily

Typical Incidents per day (approx.)

• 1500 e-mail viruses

• 38,000 scans/probes

• 620 web server attacks

• 3 computer hack attempts

Page 5: Enterprise Security Orientation Overview

Enterprise Security has created an orientation overview to communicate the following:

• Who we are

• How we can help

• Current projects that help reduce risk of viruses, theft or misuse of data for Michigan citizens, etc.

Page 6: Questions I Ask & Things I Look For

1. Is the data in this application sensitive? Is it FOIABLE?

2. Who are the users?

3. Is this application internet or intranet? If intranet, are there plans to make it internet?

4. Does this application have the Privacy and Security policies on all pages?

5. What is the risk of financial loss to SOM?

6. What is the risk of embarrassment to SOM or governor?

7. If login and password are needed, can I page BACK and FORWARD past the login screen?

8. Is there a network diagram available?

9. Does the application allow the use of cookies?

10. Is there an audit process for the application?

Answers to these questions determine what security is needed for an application.

Page 7: Examples of Bad Password Design

• “If you answer yes to one on-line question, a password will be automatically sent to you.”

• Application designed to accept a password one character long.

• Application designed to accept Social Security Number as password.
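The second and third examples on this slide are both rejected by the same kind of server-side check at the point where a password is set. The following is an added illustration, not code from the presentation or the State of Michigan: a small Python acceptance routine that refuses a password shorter than a minimum length, one shaped like a Social Security Number, and one that equals the user's own SSN. The minimum length of 8 is an assumption (the deck points to policy 1410.17 section 6.6 for the actual password rules without quoting them), and the function and constant names are this example's own. The first example on the slide, a password mailed out after one on-line question, is a process weakness that no input check can fix.

```python
import re
from typing import List, Optional

# Minimum length is an assumption for this example: the deck points to policy
# 1410.17 section 6.6 for password rules but does not quote the number.
MIN_PASSWORD_LENGTH = 8

# Nine digits, optionally grouped ddd-dd-dddd, the usual way an SSN is written.
SSN_SHAPE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def _digits(text: str) -> str:
    """Strip everything but digits so '123-45-6789' and '123456789' compare equal."""
    return re.sub(r"\D", "", text)


def password_problems(candidate: str, user_ssn: Optional[str] = None) -> List[str]:
    """Return every reason a proposed password must be rejected (empty list = accepted).

    The checks mirror the slide: a one-character password is far too short, and a
    Social Security Number is an identifier, not a secret, so it is never allowed
    as a password, whether it is the user's own or merely SSN-shaped.
    """
    problems: List[str] = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if SSN_SHAPE.match(candidate):
        problems.append("looks like a Social Security Number")
    if user_ssn is not None and _digits(user_ssn) and _digits(candidate) == _digits(user_ssn):
        problems.append("matches the user's own Social Security Number")
    return problems


def is_acceptable(candidate: str, user_ssn: Optional[str] = None) -> bool:
    """True when no check rejects the candidate."""
    return not password_problems(candidate, user_ssn)


if __name__ == "__main__":
    # Constructed samples, including a constructed SSN for the matching check.
    for sample in ["a", "123-45-6789", "correct horse battery"]:
        print(repr(sample), password_problems(sample, user_ssn="123-45-6789") or "accepted")
```

The check runs wherever a password is created or changed, including any self-service reset flow, so that a reset cannot reintroduce a password the initial registration would have refused.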

Page 8: Applications/Servers Security Checklist

• Should be completed 2-4 weeks before application is launched.

• Not intended to be used as a guide during development of application.

• Signed hardcopy should be returned to Office of Enterprise Security.

Page 9: 30 Standards Form the Basis for Security Recommendations

• 1410.17 Michigan State Government Network Security Policy (section 6.6 for password information)

• 1310.16 Acceptable Use of the State Telecommunications Network

• 1460.00 SOM Acceptable Use Policy

Page 10: Cookie Policy

• Our policy regarding cookies is contained in the State of Michigan Privacy Policy, which can be accessed at <http://www.michigan.gov/emi/0,1303,7-102----PP,00.html>.

• Cookies are allowable as long as the home page can be viewed and accessed without cookies.

• In other words, you cannot force a user to accept a cookie upon entering the site's home page. All access to state content or services must be anonymous - without cookies. So the home page must be simply the opening page in straight HTML that indicates what the application is for, what it will do and what types of technology are required, such as use of cookies.

• Since some applications cannot function without the use of cookies, the user must be notified IN ADVANCE of their use before proceeding with the online service. So the choice of accepting or not accepting the cookie is totally up to the user.
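The cookie policy above and two of the questions on slide 6 (can a user page BACK and FORWARD past the login screen, and does the application allow cookies) come down to the same few server-side decisions. The following is an added example, not code from the presentation or the State of Michigan: a minimal request handler in plain Python (no web framework) whose home page is straight HTML that sets no cookie and states that the service needs one; that issues a session cookie only after a login the user chose to proceed to; that checks every request to the service against server-side session state rather than trusting the cookie; and that marks protected responses Cache-Control: no-store so a cached copy cannot be redisplayed by BACK/FORWARD after logout. The user name, passphrase, paths and class name are constructed placeholders for this example.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# A response is (status code, header list, body). No web framework is assumed;
# a real deployment would wrap this in whatever server it uses.
Response = Tuple[int, List[Tuple[str, str]], str]

# Constructed sample user (name and passphrase are placeholders for the example).
_SALT = secrets.token_bytes(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS: Dict[str, bytes] = {"clerk": _hash("example-only-passphrase")}

# Opening page: straight HTML that says what the service does and that the
# service itself needs cookies. It is served with no Set-Cookie header.
HOME_HTML = (
    "<html><body><h1>Example Records Service</h1>"
    "<p>Staff can update records here. Using the service requires a login "
    "and a session cookie; this page sets no cookie.</p>"
    "<p><a href='/login'>Continue to the service (cookies required)</a></p>"
    "</body></html>"
)
LOGIN_HTML = (
    "<html><body><form method='post' action='/login'>"
    "<input name='user'><input name='password' type='password'>"
    "<input type='submit' value='Log in'></form></body></html>"
)

# Stops browsers caching protected pages, so BACK/FORWARD after logout cannot
# redisplay them from the cache; every request is still checked server-side.
NO_STORE = [("Cache-Control", "no-store"), ("Pragma", "no-cache")]


class App:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> user name

    def current_user(self, cookies: Dict[str, str]) -> Optional[str]:
        """Resolve the session cookie against server state; the cookie alone proves nothing."""
        return self.sessions.get(cookies.get("session", ""))

    def handle(self, method: str, path: str, cookies: Dict[str, str],
               form: Optional[Dict[str, str]] = None) -> Response:
        if path == "/" and method == "GET":
            return 200, [("Content-Type", "text/html")], HOME_HTML

        if path == "/login" and method == "GET":
            return 200, [("Content-Type", "text/html")] + NO_STORE, LOGIN_HTML

        if path == "/login" and method == "POST":
            form = form or {}
            expected = USERS.get(form.get("user", ""))
            supplied = _hash(form.get("password", ""))
            if expected is None or not secrets.compare_digest(expected, supplied):
                return 401, [("Content-Type", "text/plain")] + NO_STORE, "login failed"
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = form["user"]
            cookie = f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
            return 302, [("Location", "/service"), ("Set-Cookie", cookie)] + NO_STORE, ""

        if path == "/logout" and method == "POST":
            # Invalidate on the server, not just in the browser.
            self.sessions.pop(cookies.get("session", ""), None)
            expire = "session=; Path=/; Max-Age=0"
            return 302, [("Location", "/"), ("Set-Cookie", expire)] + NO_STORE, ""

        if path.startswith("/service"):
            user = self.current_user(cookies)
            if user is None:
                return 302, [("Location", "/login")] + NO_STORE, ""
            body = f"<html><body><p>Signed in as {user}.</p></body></html>"
            return 200, [("Content-Type", "text/html")] + NO_STORE, body

        return 404, [("Content-Type", "text/plain")], "not found"


def session_id_from(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Extract a freshly issued session id from a Set-Cookie header."""
    for name, value in headers:
        if name == "Set-Cookie" and value.startswith("session=") and "Max-Age=0" not in value:
            return value.split(";", 1)[0][len("session="):]
    return None
```

The reviewer's BACK/FORWARD test maps onto two properties here: a stale or forged cookie never reaches a protected page because `current_user` consults the server's session table on every request, and a page viewed before logout is not kept by the browser because of the no-store header. The anonymous home page satisfies the policy that the opening page must be viewable without cookies and must tell the user, in advance, that the service requires them.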

Page 11: The Secure Michigan Initiative

In order to establish a current baseline, a rapid enterprise-wide risk assessment was conducted. This assessment, conducted in the summer of 2002, was based upon the guidance and principles from the National Institute of Standards (NIST) Security Handbook, the International Standards Organization (ISO) 17799 Security standards, and the Federal Information Systems Controls Audit Manual from the General Accounting Office (GAO). This rapid risk assessment covered all areas of IT security. Every agency within the State of Michigan was interviewed for the rapid risk assessment.

Page 12: Identity Theft

• The nature of identity theft has changed and the threat today is more likely than ever to come from insiders. (December 3, 2002)

• Complaints to the FTC have more than doubled, to 85,820 last year from 31,113 in 2000. For the first six months of this year, the agency received 70,000 complaints about identity theft. (December 3, 2002)

Page 13: ID Theft (continued)

National Credit Reporting numbers are:

• Equifax: 1-800-525-6285

• Experian (formerly TRW): 1-888-397-3742

• Trans Union: 1-800-680-7289

• Social Security Administration (fraud line): 1-800-269-0271

Page 14: Michigan Online Security Training (MOST)

• MOST is being developed by Enterprise Security in cooperation with Walsh College

• Designed to increase awareness and knowledge of security for SOM employees

• Web-based program contains basic security concepts and a test-your-knowledge module

• Look for “Al” the owl

Page 15: References

• ID Theft http://www.usatoday.com/money/workplace/2003-01-23-idtheft-cover_x.htm and http://www.msnbc.com/news/960638.asp

• Viruses get smarter http://www.computerworld.com/securitytopics/security/story/0,10801,77794,00.html

• Computer Security Audit Checklist http://www.summersault.com/chris/techno/security/auditlist.html

• Security Audit White Paper http://www.pestpatrol.com/ProductDocs/PestPatrolAuditorsGuide.pdf

Page 16: Web Applications... Hackers' Newest Target

• The defensive perimeter of firewalls and intrusion-detection systems that most companies rely on for network security is being bypassed by hackers who have made Web applications their newest targets, security experts warned last week. "Perimeter defense is becoming an irrelevant term," said Kevin Soo Hoo, senior security architect at Cambridge, Mass.-based security consultancy @Stake Inc. "The emphasis [in hacking] is now shifting to the application layer. The Web application is becoming the primary vehicle for attack."

• The increased demand for Web functionality has pushed almost all traffic through Ports 80 and 443 on most Web servers -- typically the only two ports that are left open by most companies. And that's where hackers are turning to gain access to enterprise networks and data, said Soo Hoo. "As a result, the threat model is changing. It makes the firewall no longer the line of defense that it once was." http://www.stratum8.com/intro.html

Page 17: Questions and Comments