
Electronic Security Initiative 2005 Security Assessment Email & Security Services 23 August 2005


Presentation Transcript


  1. Electronic Security Initiative
     2005 Security Assessment
     Email & Security Services
     23 August 2005

  2. Internet Assessment
     • Results of the Internet Assessment discovered a total of 44 vulnerabilities (affecting 206 systems).
     • High risk exposures were corrected by IEEE IT Staff as soon as they were found.

  3. Wireless and Dial-up
     • Results of the Wireless & Dial-up Assessment discovered a total of 23 vulnerabilities.
     • E&Y did not identify any rogue data carriers on IEEE’s dial-up infrastructure.

  4. Web Applications
     • Results of the Web Applications Assessment discovered a total of 39 vulnerabilities across 3 web applications.
     • The development staff responsible for these applications is working to remediate these security issues.

  5. Web Applications (Cont’d)

  6. Web Applications (Cont’d)
     Remediation: XPLORE Security Issues (11 Security Issues Remain)
     • High Risk (1 issue)
       • No encryption for application login (TBR 1Q 2006)
         Username & Password: clear text
         Risk: possible loss of information.
         Xplore Team willing to take the risk.

  7. Web Applications (Cont’d)
     Remediation of XPLORE Security Issues
     • Medium Risk (5 issues)
       • Username passed in clear-text cookie (TBR 1Q 2006)
         Risk: User credentials can be compromised
       • Arbitrary URL redirection (TBR 1Q 2006)
         Risk: Facilitates phishing/social engineering attacks
       • AutoComplete not disabled (TBR 3Q 2006)
         Risk: Username and password are cached
       • Weak passwords (TBR 3Q 2006)
         Risk: Passwords can be guessed
       • Inadequate lockout policy (TBR 3Q 2006)
         Risk: Enables brute force attacks to guess user passwords

  8. Web Applications (Cont’d)
     Remediation of XPLORE Security Issues
     • Solving security issues requires programming changes, testing and QA.
     • Most of the critical issues are scheduled to be remediated by 1Q 2006, with the next release of XPLORE.
     • All remaining issues are to be remediated by 3Q 2006, with future releases of Xplore.

  9. Web Applications (Cont’d)
     Remediation: Renewal Security Issues (7 Security Issues Remain)
     • High Risk (3 issues)
       • Option exists for unencrypted authentication (TBR 9/1/2005)
         Risk: User credentials are sent in cleartext
       • Application does not enforce password complexity (TBR 9/1/2005)
         Risk: Passwords can be guessed
       • Username and password exposed in the URL (TBR 9/1/2005)
         Risk: This information can be easily retrieved from a browser history or log file

  10. Web Applications (Cont’d)
      Remediation of Renewal Security Issues
      • Medium Risk (3 issues)
        • AutoComplete not disabled (TBR 9/1/2005)
          Risk: Username and password are cached in the browser
        • Cross-site scripting vulnerabilities (TBR 9/1/2005)
          Risk: Scripts can be injected into the Renewal application
        • Inadequate account lockout policy (TBR 9/1/2005)
          Risk: Enables brute force attacks to guess user passwords

  11. Web Applications (Cont’d)
      Remediation of Renewal Security Issues
      • The High & Medium risk issues are scheduled to be addressed with the next release of Renewal (1 Sep 2005).

  12. Web Applications (Cont’d)
      Remediation: Catalog Security Issues (7 Security Issues Remain)
      • High Risk (1 issue)
        • Option exists for unencrypted transaction (TBR 9/1/2005)
          Risk: Sensitive information could be captured by an attacker
          Actual transmission of credit card information is encrypted

  13. Web Applications (Cont’d)
      Remediation of Catalog Security Issues
      • Medium Risk (3 issues)
        • AutoComplete is not disabled (TBR 9/1/2005)
          Risk: Username and password are cached in the browser
        • Arbitrary URL redirection (Remediation Not Possible)
          Risk: Facilitates phishing/social engineering attacks
          • Remediation not possible due to limitations of the tools in use (Commerce Server).
          • Will no longer exist after BMS takes over the Shop function, scheduled for May 2006.
        • Inadequate account lockout policy (Remediation Not Possible)
          Risk: Enables brute force attacks to guess user passwords
          • Remediation not possible due to limitations of the tools in use to authenticate users.
          • Will no longer exist after BMS takes over the Shop function, scheduled for May 2006.
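Three findings recur across the Xplore, Renewal and Catalog slides: no enforced password complexity, an inadequate account lockout policy, and arbitrary URL redirection. The Python below is an added example of the server-side controls that close each of them; it is not code from the presentation or from IEEE's applications. The password rules, lockout thresholds and the allowlisted hostnames are assumptions chosen for illustration.

```python
"""Server-side controls for the recurring web-application findings above
(added illustrative code; thresholds and hostnames are assumptions)."""
import re
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlparse

# --- Password complexity (finding: "does not enforce password complexity") ---
# Assumed policy: at least 12 characters drawn from all four character classes.
MIN_LENGTH = 12
_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def password_meets_policy(password: str) -> bool:
    """True only if the password satisfies the assumed complexity rules."""
    if len(password) < MIN_LENGTH:
        return False
    return all(re.search(pattern, password) for pattern in _CLASSES)


# --- Account lockout (finding: "inadequate account lockout policy") ---
class LockoutPolicy:
    """Lock an account after `max_failures` failed logins inside
    `window_seconds`; the lock lasts `lockout_seconds`.  Counters are kept
    per username in memory (a deployment would persist them in a store
    shared by all application servers)."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 lockout_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: Dict[str, List[float]] = {}   # user -> failure times
        self._locked_until: Dict[str, float] = {}     # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if the account is now locked."""
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []      # start a fresh count after the lock
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(policy: LockoutPolicy, user: str, credentials_valid: bool,
                  now: float) -> str:
    """Return 'locked', 'ok' or 'failed'.  The lock is checked *before* the
    credential result is consulted, so a locked account cannot be probed.
    `credentials_valid` is assumed to come from a constant-time password
    verifier elsewhere in the application."""
    if policy.is_locked(user, now):
        return "locked"
    if credentials_valid:
        policy.record_success(user)
        return "ok"
    policy.record_failure(user, now)
    return "failed"


# --- Redirect validation (finding: "arbitrary URL redirection") ---
ALLOWED_HOSTS = {"www.example.org", "shop.example.org"}   # assumed allowlist
DEFAULT_BASE = "https://www.example.org/"                  # assumed site root


def safe_redirect_target(target: str, base: str = DEFAULT_BASE) -> Optional[str]:
    """Return an absolute https URL on an allowlisted host, or None so the
    caller falls back to a fixed landing page.  The *resolved* URL is
    returned rather than the raw parameter, so browser quirks in how a
    relative string is interpreted cannot change the destination."""
    if not target or any(c in target for c in "\r\n\x00"):
        return None                       # reject empty and header-injection input
    resolved = urljoin(base, target)      # relative paths become absolute URLs
    parsed = urlparse(resolved)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        return None                       # covers //host, user@host and other schemes
    return resolved


if __name__ == "__main__":
    print(password_meets_policy("Tr0ub4dor&3x"), password_meets_policy("password"))
    print(safe_redirect_target("/account"), safe_redirect_target("//evil.example/x"))
```

`safe_redirect_target` resolves the parameter against the site's own base before checking it, which is what turns a protocol-relative `//host/path` or a `user@host` form into something the hostname check can see; returning the resolved URL, not the original string, is the second half of the same defence.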

  14. 2005 Security Assessment Next Steps
      • IEEE has remediated all vulnerabilities not requiring programming changes. The final E&Y report will be delivered by COB Wednesday, August 23rd.
        • Original scheduled delivery date: 12 Aug 2005 (missed)
        • Vendor requested extension due to:
          • ASC close down – Blackhat/Defcon
          • Lead IEEE tester out of the office (personal matter)
          • Additional time to confirm fixes (re-testing)
      • Complex security issues, requiring programming changes, have been prioritized for implementation.
