Electronic Security Initiative
2005 Security Assessment
Email & Security Services
23 August 2005
Internet Assessment
• Results of the Internet Assessment discovered a total of 44 vulnerabilities (affecting 206 systems).
• High-risk exposures were corrected by IEEE IT staff as soon as they were found.
Wireless and Dial-up
• Results of the Wireless & Dial-up Assessment discovered a total of 23 vulnerabilities.
• E&Y did not identify any rogue data carriers on IEEE's dial-up infrastructure.
Web Applications
• Results of the Web Applications Assessment discovered a total of 39 vulnerabilities across 3 web applications.
• The development staff responsible for these applications is working to remediate these security issues.
Web Applications (Cont'd)
Remediation: XPLORE Security Issues (11 Security Issues Remain)
• High Risk (1 issue)
  • No encryption for application login (TBR 1Q 2006)
    • Username & password: clear text
    • Risk: possible loss of information
    • Xplore team willing to take the risk
Web Applications (Cont'd)
Remediation of XPLORE Security Issues
• Medium Risk (5 issues)
  • Username passed in clear-text cookie (TBR 1Q 2006)
    Risk: User credentials can be compromised
  • Arbitrary URL redirection (TBR 1Q 2006)
    Risk: Facilitates phishing/social engineering attacks
  • AutoComplete not disabled (TBR 3Q 2006)
    Risk: Username and password are cached
  • Weak passwords (TBR 3Q 2006)
    Risk: Passwords can be guessed
  • Inadequate lockout policy (TBR 3Q 2006)
    Risk: Enables brute-force attacks to guess user passwords
Web Applications (Cont'd)
Remediation of XPLORE Security Issues
• Solving security issues requires programming changes, testing and QA.
• Most of the critical issues are scheduled to be remediated by 1Q 2006, with the next release of XPLORE.
• All remaining issues are to be remediated by 3Q 2006, with future releases of Xplore.
Web Applications (Cont'd)
Remediation: Renewal Security Issues (7 Security Issues Remain)
• High Risk (3 issues)
  • Option exists for unencrypted authentication (TBR 9/1/2005)
    Risk: User credentials are sent in cleartext
  • Application does not enforce password complexity (TBR 9/1/2005)
    Risk: Passwords can be guessed
  • Username and password exposed in the URL (TBR 9/1/2005)
    Risk: This information can be easily retrieved from a browser history or log file
Web Applications (Cont'd)
Remediation of Renewal Security Issues
• Medium Risk (3 issues)
  • AutoComplete not disabled (TBR 9/1/2005)
    Risk: Username and password are cached in the browser
  • Cross-site scripting vulnerabilities (TBR 9/1/2005)
    Risk: Scripts can be injected into the Renewal application
  • Inadequate account lockout policy (TBR 9/1/2005)
    Risk: Enables brute-force attacks to guess user passwords
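Two of the Renewal findings above (no enforced password complexity, inadequate account lockout) also appear on the XPLORE slides as "Weak passwords" and "Inadequate lockout policy". The snippet below is an added illustration of what remediating both looks like on the server side; it is not code from IEEE, E&Y or any of the assessed applications. The thresholds (minimum length, five failures in fifteen minutes, thirty-minute lock) and the small common-password list are constructed assumptions, not values from the report, and the caller is assumed to have already verified the password by whatever means the application uses.

```python
"""Password-complexity check and temporary account lockout (added example, assumed thresholds)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed list for illustration; a real deployment would use a large breached-password set.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def check_password_complexity(password: str, min_length: int = 10) -> list[str]:
    """Return the complexity rules the password fails (an empty list means it is acceptable)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    # Character-class rules alone do not stop guessable choices; also reject known-common
    # values and single-character repetition such as "aaaaaaaaaa".
    if password.lower() in COMMON_PASSWORDS or re.fullmatch(r"(.)\1*", password):
        failures.append("common or repetitive password")
    return failures


@dataclass
class LockoutPolicy:
    """Lock an account after max_failures failed logins inside `window`, for `lockout` time."""
    max_failures: int = 5
    window: timedelta = timedelta(minutes=15)
    lockout: timedelta = timedelta(minutes=30)
    _failures: dict[str, list[datetime]] = field(default_factory=dict)
    _locked_until: dict[str, datetime] = field(default_factory=dict)

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear state so the user gets a fresh failure budget.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a failed login; return True if this failure triggers a lock."""
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(policy: LockoutPolicy, user: str, password_ok: bool, now: datetime) -> str:
    """Apply the lockout policy around an already-performed password check.

    Returns "locked", "ok" or "denied". The lock is checked first so that a correct
    password is still refused while the account is locked.
    """
    if policy.is_locked(user, now):
        return "locked"
    if password_ok:
        policy.record_success(user)
        return "ok"
    return "locked" if policy.record_failure(user, now) else "denied"


def demo() -> dict:
    """Constructed scenario: five wrong guesses, then a correct password during and after the lock."""
    policy = LockoutPolicy()
    t0 = datetime(2005, 9, 1, 9, 0, 0)  # constructed timestamp
    sequence = [attempt_login(policy, "jdoe", False, t0 + timedelta(seconds=i)) for i in range(5)]
    sequence.append(attempt_login(policy, "jdoe", True, t0 + timedelta(minutes=1)))
    sequence.append(attempt_login(policy, "jdoe", True, t0 + timedelta(minutes=31)))
    return {
        "login_sequence": sequence,
        "weak": check_password_complexity("password1"),
        "strong": check_password_complexity("Tr0ub4dor&3-renewal"),
    }


if __name__ == "__main__":
    print(demo())
```

The lock is deliberately temporary and scoped to a rolling window: a permanent lock after N failures lets anyone who knows a username deny service to its owner, whereas a timed lock still makes online guessing impractical while limiting that side effect.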
Web Applications (Cont'd)
Remediation of Renewal Security Issues
• The High & Medium risk issues are scheduled to be addressed with the next release of Renewal – 1 Sep 2005
Web Applications (Cont'd)
Remediation: Catalog Security Issues (7 Security Issues Remain)
• High Risk (1 issue)
  • Option exists for unencrypted transaction (TBR 9/1/2005)
    Risk: Sensitive information could be captured by an attacker
    • Actual transmission of credit card information is encrypted
Web Applications (Cont'd)
Remediation of Catalog Security Issues
• Medium Risk (3 issues)
  • AutoComplete is not disabled (TBR 9/1/2005)
    Risk: Username and password are cached in the browser
  • Arbitrary URL redirection (remediation not possible)
    Risk: Facilitates phishing/social engineering attacks
    • Remediation not possible due to limitations of the tools in use (Commerce Server)
    • Will no longer exist after BMS takes over the Shop function, scheduled for May 2006
  • Inadequate account lockout policy (remediation not possible)
    Risk: Enables brute-force attacks to guess user passwords
    • Remediation not possible due to limitations of the tools in use to authenticate users
    • Will no longer exist after BMS takes over the Shop function, scheduled for May 2006
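Arbitrary URL redirection is listed against both XPLORE and Catalog above; the Catalog slide notes it could not be fixed within Commerce Server. Where the application code is under the team's control, the standard remediation is to validate the redirect target before issuing the redirect: accept only same-site absolute paths or absolute URLs whose host is on an allowlist, and fall back to a fixed default otherwise. The function below is an added example of that check, not code from IEEE, E&Y or the assessed applications; the allowlisted hostnames and the sample inputs are constructed placeholders.

```python
"""Allowlist-based validation of a post-login redirect target (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed placeholders standing in for the site's own hostnames.
ALLOWED_HOSTS = {"shop.example.org", "www.example.org"}


def safe_redirect_target(target: str | None, allowed_hosts: set[str], default: str = "/") -> str:
    """Return `target` if it is safe to redirect to, otherwise `default`.

    Accepted:
      - an absolute path on this site ("/account/orders"), or
      - an https URL whose hostname exactly matches an allowlisted host.
    Everything else (other schemes, protocol-relative URLs, backslashes that browsers
    treat as slashes, CR/LF, userinfo tricks, lookalike hosts) falls back to `default`.
    """
    if not target:
        return default
    target = target.strip()  # browsers ignore leading/trailing whitespace; normalise first
    if any(c in target for c in "\r\n\\"):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:
        return default

    # Same-site path: no scheme, no authority, exactly one leading slash.
    # The raw-string check matters: urlsplit parses "///evil.example" as a plain path,
    # but browsers resolve it to https://evil.example/.
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default

    # Absolute URL: require https and an exact hostname match. `hostname` strips any
    # userinfo, so "https://shop.example.org@evil.example/" is judged by "evil.example".
    if parts.scheme.lower() != "https":
        return default
    host = (parts.hostname or "").lower()
    return target if host in allowed_hosts else default


def classify(cases: list[str]) -> dict[str, str]:
    """Run the check over constructed sample inputs and return input -> chosen target."""
    return {c: safe_redirect_target(c, ALLOWED_HOSTS) for c in cases}


if __name__ == "__main__":
    for raw, chosen in classify([
        "/account/orders",
        "https://shop.example.org/checkout",
        "//evil.example/login",
        "///evil.example",
        "/\\evil.example",
        "https://shop.example.org@evil.example/",
        "javascript:alert(1)",
        "https://shop.example.org.evil.example/",
    ]).items():
        print(f"{raw!r:45} -> {chosen!r}")
```

Requiring https for absolute targets is a design choice that fits the "unencrypted transaction" finding on the same slides: a redirect that downgrades a logged-in user to http would recreate the problem. Exact host matching (rather than a prefix or substring test) is what defeats lookalike hosts such as "shop.example.org.evil.example".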
2005 Security Assessment Next Steps
• IEEE has remediated all vulnerabilities not requiring programming changes. The final E&Y report will be delivered by COB Wednesday, August 23rd.
  • Original scheduled delivery date: 12 Aug 2005 (missed)
  • Vendor requested extension due to:
    • ASC close down – Black Hat/DEF CON
    • Lead IEEE tester out of the office (personal matter)
    • Additional time to confirm fixes (re-testing)
• Complex security issues, requiring programming changes, have been prioritized for implementation.