Internet security: Are Our Compliance Regulations Falling Behind?
In the beginning • New security threats were introduced at each stage of the Web’s growth, and the threats of the previous stage were not always addressed before the next stage arrived. • The Web inherits all of the Internet’s security vulnerabilities. • In the late 1970s, the Internet was used only by a select few scientists and researchers, mostly computer scientists.
Early issues • Several security concerns arose in the early days of the Internet. For the most part, they were application-specific. • E-mail could be easily forged by anyone who understood the SMTP protocol, because the sender address is simply asserted by the client and never verified. • Telnet presented a serious security problem because passwords were transmitted in the clear.
Internet dangers • A flaw in the TCP/IP protocol suite, described by Steve Bellovin, allowed attackers to spoof their source address by crafting IP packets with bogus addresses, since nothing in IP verifies who sent a packet. • The greatest threat to the Internet is that so many clients and servers run the same protocols and the same software, so a single flaw is exploitable everywhere at once. • As long as DNS is vulnerable and is used to map host names to addresses, there can be no integrity on the Web.
The second stage • The HTTP protocol and the HTML format. • The number of Internet users increased dramatically. • Netscape Navigator was introduced with a user-friendly graphical interface. • Never before had so many computers in the world run the same large Internet application.
The third stage • Two-way communication between Web servers and clients became possible. • CGI (Common Gateway Interface) scripts let users type into forms on Web pages, and that input was handed to programs running on the server. • Now "World Wide Web" is a household phrase. • Even the smallest company needed a home page to survive and compete in the business world.
Present Times & Present Issues • Sony, Facebook, Twitter, WordPress, Iranian state sites. • While the hacking continues through web applications, one has to wonder “WHO’S ON FIRST”. • 250M websites • most of which are insecure
The Gramm-Leach-Bliley Act (GLBA) • enacted to ensure the protection of customers’ records and information • ensure the security and confidentiality of customers’ nonpublic personal information • implement administrative, technical and physical safeguards • protect against anticipated threats and hazards to the security or integrity of that information • protect against unauthorized access to or use of that information
Access control guidance • Authentication • Network Access • Operating System Access • Application Access • Remote Access.
Proper Procedures • Under Application Access, "Financial institutions should control access to applications by using authentication and authorization controls that are robust for the risk of the application." • Monitoring access rights to ensure they are the minimum required for the user's current business needs • Using time-of-day limitations on access • Logging access and security events • Using software that enables rapid analysis of user activities
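The four procedures above describe a concrete control set, so here is one way they fit together in code. This is an added example written for this page, not code from the slides or from any regulator; the roles, permissions, time windows, users and requests are all constructed for illustration. Authorization is scoped to the user's current roles (nothing not listed is permitted), one operation carries a time-of-day window, and every decision, denied or allowed, goes into an audit log that two small analysis functions read back: one to spot who is being refused, one to list held-but-unused permissions for the next access-rights review.

```python
"""Added example (not from the slides): an application-access gate that
implements the FFIEC-style controls listed above: authorization scoped
to the user's current role (least privilege), time-of-day limits, and an
audit log of every decision that supports rapid analysis of user activity.
Roles, windows, users and requests are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, time

# Hypothetical role -> permitted operations. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "teller": {"account.read", "deposit.create"},
    "wire_operator": {"account.read", "wire.create"},
    "auditor": {"account.read", "audit.read"},
}

# Hypothetical time-of-day windows (inclusive start, exclusive end).
# Operations without a window are allowed at any hour.
TIME_WINDOWS = {"wire.create": (time(8, 0), time(18, 0))}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    operation: str
    allowed: bool
    reason: str


@dataclass
class AccessGate:
    assignments: dict                      # user -> set of roles currently assigned
    log: list = field(default_factory=list)  # audit trail of every decision

    def permissions_of(self, user: str) -> set:
        roles = self.assignments.get(user, set())
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

    def authorize(self, user: str, operation: str, now: datetime) -> bool:
        """Authorization decision; every outcome is logged, denials included."""
        if operation not in self.permissions_of(user):
            return self._record(now, user, operation, False, "not_permitted")
        window = TIME_WINDOWS.get(operation)
        if window and not (window[0] <= now.time() < window[1]):
            return self._record(now, user, operation, False, "outside_window")
        return self._record(now, user, operation, True, "ok")

    def _record(self, ts, user, operation, allowed, reason) -> bool:
        self.log.append(AccessEvent(ts, user, operation, allowed, reason))
        return allowed


def denials_by_user(gate: AccessGate) -> Counter:
    """Rapid-analysis view: who is being refused, and how often."""
    return Counter(e.user for e in gate.log if not e.allowed)


def unused_permissions(gate: AccessGate, user: str) -> set:
    """Least-privilege review: permissions held but never exercised in the
    log, candidates for removal at the next access-rights review."""
    used = {e.operation for e in gate.log if e.user == user and e.allowed}
    return gate.permissions_of(user) - used


def run_demo() -> AccessGate:
    """Constructed sequence of requests; returns the gate so the log can be read."""
    gate = AccessGate(assignments={"alice": {"teller"}, "bob": {"wire_operator"}})
    day = datetime(2024, 1, 15, 10, 0)
    night = datetime(2024, 1, 15, 22, 0)
    gate.authorize("alice", "account.read", day)    # teller may read accounts
    gate.authorize("alice", "wire.create", day)     # not in her role: denied
    gate.authorize("bob", "wire.create", day)       # inside the window: allowed
    gate.authorize("bob", "wire.create", night)     # outside the window: denied
    gate.authorize("mallory", "account.read", day)  # unknown user: denied
    return gate


if __name__ == "__main__":
    g = run_demo()
    for e in g.log:
        print(e.ts.isoformat(), e.user, e.operation, "ALLOW" if e.allowed else "DENY", e.reason)
    print("denials:", dict(denials_by_user(g)))
    print("bob holds but never used:", unused_permissions(g, "bob"))
```

Denying by default and logging the denial are the two design choices that matter: the review function can only recommend removing `account.read` from bob because allowed events are recorded, and the denial counter only works because refused attempts are recorded too.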
HIPAA Security Rule (technical safeguards) • Access Control: technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI) • Audit Controls: hardware, software, and procedures to record and examine access and other activity in information systems that contain or use e-PHI • Transmission Security: technical security measures that guard against unauthorized access to e-PHI being transmitted over an electronic network • but no details on web applications or on securing the code.
North American Electric Reliability Corporation (NERC) • Critical Infrastructure Protection (CIP) Cyber Security Standards, to protect the Critical Cyber Assets that control or affect the reliability of North America’s bulk electric system. • The CIP Cyber Security Standards are mandatory and enforceable across all users, owners, and operators of the bulk-power system.
CIP-005 R4 (Cyber Vulnerability Assessment) requires: • R4.1. A document identifying the vulnerability assessment process • R4.2. A review to verify that only ports and services required for operations at these access points are enabled • R4.3. The discovery of all access points to the Electronic Security Perimeter • R4.4. A review of controls for default accounts, passwords, and network management community strings • R4.5. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. • Again, nothing is said about web applications, finding vulnerabilities in them, or a remediation plan for them.
Federal Information Security Management Act (FISMA) • requires all federal agencies to document and implement controls for the information technology systems that support their operations and assets. • Control topics include: • cryptography, the practice and study of techniques for secure communication in the presence of third parties • public-key cryptography • mobile code • virtualization • session authenticity
Payment Card Industry (PCI) Data Security Standard (DSS) • created to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally • clearly defines a requirement for securing web applications, satisfied by either: • reviewing public-facing web applications with manual or automated application vulnerability security assessment tools or methods, or • installing a web-application firewall in front of public-facing web applications
A web-application firewall (WAF) plus enforcement. • enforcement is supposed to be done by the five credit card companies through the acquiring banks • Code review • Web assessments model an outside attacker trying to pull data from your system. • A WAF only filters what that outside attacker sends; the backend code itself is still vulnerable, and anything that reaches it without passing through the WAF reaches the vulnerability.
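To make the last point concrete, here is an added example written for this page (not code from the slides, the PCI SSC, or any WAF product). A toy signature-based filter stands in for the WAF; the backend query is the kind of string concatenation an assessment would flag, shown next to a parameterized fix. The table contents, the filter rules and the request parameters are all constructed. It shows three things: the filter stops the obvious payload, a payload written for a numeric column slips past it, and an internal route that bypasses the filter hits the same flaw directly. Only the fixed backend is safe on every route.

```python
"""Added example (not from the slides): why a WAF in front of a public-facing
web application does not make the application's own code safe.  A toy
signature-based filter stands in for the WAF; the backend query is the
vulnerable string concatenation the filter is supposed to protect, shown next
to a parameterized version.  Table contents and filter rules are constructed."""
import sqlite3

# Toy WAF rule set (an assumption for illustration): reject any request
# parameter containing the usual SQL-injection tokens.
WAF_BLOCKLIST = ("'", ";", "--", "/*")


def waf_allows(param: str) -> bool:
    """True if the toy WAF would pass this parameter through to the application."""
    return not any(token in param for token in WAF_BLOCKLIST)


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the backend data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, account_id: str):
    """Backend as an assessment would find it: the untrusted parameter is
    pasted into the SQL text.  A numeric column needs no quote to inject
    into, so the WAF's apostrophe rule never fires."""
    sql = f"SELECT id, owner FROM accounts WHERE id = {account_id} ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, account_id: str):
    """Fixed backend: validate the type, then bind the value as a parameter so
    it can only ever be compared with id, never parsed as SQL."""
    try:
        wanted = int(account_id)
    except ValueError:
        return []  # reject outright; do not try to "clean" the input
    return conn.execute(
        "SELECT id, owner FROM accounts WHERE id = ? ORDER BY id", (wanted,)
    ).fetchall()


def handle_request(conn, param: str, via_waf: bool, backend=lookup_vulnerable):
    """Two routes to the same backend: the public one behind the WAF, and an
    internal one (batch job, admin tool, partner API) that bypasses it.
    Returns (status, rows)."""
    if via_waf and not waf_allows(param):
        return "blocked", []
    return "served", backend(conn, param)


if __name__ == "__main__":
    conn = build_demo_db()
    for param in ("1", "1 OR 1=1 --", "1 OR 1=1"):
        print(repr(param), "public route, WAF + vulnerable backend:",
              handle_request(conn, param, via_waf=True))
        print(repr(param), "internal route, no WAF, vulnerable backend:",
              handle_request(conn, param, via_waf=False))
        print(repr(param), "any route, fixed backend:",
              handle_request(conn, param, via_waf=False, backend=lookup_fixed))
```

The WAF is worth having as a compensating control while the code is fixed, but it is matching strings, not understanding the query; the parameterized version closes the flaw regardless of which route the request took.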
Summary • Do we really need more regulations? • Too many regulations can be bureaucratic and costly • Desperate situations require desperate measures • 75 percent of attacks occur through the web application layer • Billions of users go on the Internet to shop or to enter their personal information • It is only a matter of time before that information is stolen
What could be done? • The government could provide tax incentives and loans to encourage the protection of websites • Regulations need to be updated • The government and authorities are generally the last to know when there is an attack. • It is only dealt with after the fact, and once the milk is spilled you cannot put it back in the bottle.
Epilogue • It seems to me that everyone is doing what they can, but not all that they can. • The world is just crossing its fingers and hoping for the best, and when the worst shows up it deals with it after the fact instead of proactively.