
Protecting Federal Government from Web 2.0 Application Security Risks


Presentation Transcript


  1. Protecting Federal Government from Web 2.0 Application Security Risks • Dr. Sarbari Gupta, CISSP, CISA • sarbari@electrosoft-inc.com • Electrosoft • 11417 Sunset Hills Road, #228 • Reston, VA 20190 • www.electrosoft-inc.com

  2. Agenda • Web 2.0 Fundamentals • Web 2.0 and the US Feds • Web 2.0 Risks • FISMA and Web 2.0

  3. Web 2.0 Fundamentals

  4. Created by Rob Cottingham at http://mashable.com/2010/08/10/social-media-web-comics/#24865-Noise-to-Signal

  5. What is Web 2.0? • Social Media/Web Applications such as: • Facebook/LinkedIn • Twitter • RSS Feeds • Blogs • Wikis • Web Chat • Podcasts • Mashups • Photo/Video-sharing • Virtual Worlds • …

  6. Characteristics of Web 2.0 Tools • Applications hosted on Web platform • Users are Content Creators/Editors • Highly Interactive • Supports Rich Content / Media Types • Easy to Use

  7. Web 1.0 Content Model (diagram; elements shown: Security Controls, Site Content, Webmaster, Web Platform, Browser, Users, Sys Admin, Hackers)

  8. Web 2.0 Content Model (I) (diagram; elements shown: Outside Content Providers, Evil Users, Content, Web 2.0 Tool, Web Platform, Tool Programmer, Benign Users, Security Controls, Sys Admin)

  9. Web 2.0 Content Model (II) • Web 2.0 Clients are Content Creators • Web 2.0 Server provides • Data Aggregation from Varied Sources • Platform for Information Exchange • Storage for User/Client-created Content • Segregation between Users (if needed)

  10. Technologies enabling Web 2.0 • AJAX (Asynchronous JavaScript and XML) • JSON (JavaScript Object Notation) • REST (Representational State Transfer) • SOAP (Simple Object Access Protocol) • and others …

  11. Web 2.0 and the US Federal Government

  12. Drivers for Fed Adoption of Web 2.0 • Jan 21, 2009 – Memorandum on Transparency and Open Government • Promotes Transparency, Participation and Collaboration • Feb 24, 2000 - M-09-12, President's Memorandum on Transparency and Open Government - Interagency Collaboration • Establishes mechanisms to seek participation/collaboration • Dec 8, 2009 - M-10-06 Open Government Initiative • Describes 4 Specific Steps for Agencies to implement Open Government

  13. Benefits for Fed Adoption of Web 2.0 Tools • Increase education/outreach/training • Allow Rapid dissemination of information • Support Recruitment • Promote citizen participation in Government • Facilitate interactive communication

  14. Fed Policy for Web 2.0 • Apr 7, 2010 – Memo on Social Media, Web-based Interactive Technologies and the Paperwork Reduction Act • Describes activities that are not subject to the Paperwork Reduction Act (PRA) • Jun 25, 2010 – M-10-23 - Guidance for the Use of Third-Party Websites and Applications • Protecting Individual Privacy while using 3rd party websites/tools to engage with public • Nov 3, 2010 – M-11-02 – Sharing Data While Protecting Personal Privacy • Promotes data sharing while embracing responsible stewardship

  15. Fed Initiatives for Web 2.0 • GSA/ Office of Citizen Services • www.usa.gov; answers.usa.gov; webcontent.gov; http://search.usa.gov; Apps.gov • CIA – Facebook for recruiting • HHS – Pandemic Flu Leadership Blog • USPTO – Collect input towards pending patents • DoD – Virtual Worlds to simulate terrorism • Library of Congress – Flickr to make public aware of holdings

  16. Web 2.0 Risks

  17. Web 2.0 Use Cases* for Government (2×2 matrix; vertical axis "Sharing Direction": Internal / External; horizontal axis "Interaction Level": Group / Individual) • Internal, Group – Inward: Intra-organizational (internal Wikis, SharePoint) • Internal, Individual – Inbound: "Crowd-sourcing" (public polls, change.gov) • External, Group – Outward: Inter-Institutional (GovLoop, STAR-TIDES) • External, Individual – Outbound: Govt engagement on commercial Social Media (Twitter) * "Guidelines for Secure Use of Social Media by Federal Departments and Agencies", ISIMC, V1.0, Sept 2009

  18. Top Web 2.0 Security Risks • Spear Phishing* • Social Engineering* • Web Application Attacks* • Cross Site Scripting (XSS) • Cross Site Request Forgery (XSRF) • Security Flaws in (Aggregation) Partner Sites • Weak Authentication Controls • Information Leakage • Injection Flaws * "Guidelines for Secure Use of Social Media by Federal Departments and Agencies", ISIMC, V1.0, Sept 2009

  19. OWASP Top 10 (2010) • A1: Injection • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards

  20. Implications … • Application Security Vulnerabilities are at the core of Web 2.0 risks • Web 2.0 Applications provide new avenues for old threats due to their: • Complexity • Popularity • Ubiquity

  21. FISMA and Web 2.0

  22. Federal Information Security Landscape • Federal Practices in Information Security are driven by REGULATORY COMPLIANCE • Title III of E-Government Act of 2002 - Federal Information Security Management Act (FISMA) • Privacy Act of 1974 • OMB Circular A-130, Appendix III • OMB Memos, … • FISMA is implemented through NIST guidelines • Special Pubs 800-37, 800-53, …

  23. NIST SP 800-53 Rev 3 • Title: Recommended Security Controls for Federal Information Systems and Organizations • Published: August 2009 • Approach: Risk Management Framework • Categorize Information System • Select Security Controls • Implement Security Controls • Assess Security Controls • Authorize Information System • Monitor Security Controls • 18 families of Security Controls

  24. FISMA Definition of “Information Security” • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— • (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; • (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and • (C) availability, which means ensuring timely and reliable access to and use of information.

  25. Parsing the FISMA Definition … • Assets to be protected • Information • Information Systems • Information needs to be protected for C-I-A • Confidentiality (C) • Integrity (I) • Availability (A)

  26. Web 2.0 Content Model (diagram repeated from slide 8; elements shown: Outside Content Providers, Evil Users, Content, Web 2.0 Tool, Web Platform, Tool Programmer, Benign Users, Security Controls, Sys Admin)

  27. Web 2.0 Usage Models for Feds • Fed Users are Web 2.0 Clients – Web 2.0 Server is in the Cloud • FISMA Controls may suffice to protect the IT resources used by the Fed Users • Feds Host Web 2.0 Applications/Servers • FISMA controls provide little or no protection for (citizen) Users

  28. FISMA and Web 2.0 Content • User supplied Web 2.0 content can be protected for C-I-A per FISMA … • and yet be dangerous to other Users • Protecting Users of Government Web 2.0 Apps is … • not within the scope of FISMA

  29. Introducing Safety & Reliability (I) • When Government builds a bridge over a river • Concern #1: Is the bridge reliable? • Concern #2: Is the bridge safe? • … • Concern #n: Is the bridge protected from harm (by Users)?

  30. Introducing Safety & Reliability (II) • When Government builds a Web 2.0 Application • Concern #1: Is the underlying Information System protected from harm (by Users)? • Concern #2: Is the Web 2.0 content protected for C-I-A? • The concerns that do not currently surface • Is the Application reliable? • Is the Application safe?

  31. Final Thoughts • How do we protect US Federal Government and Citizens from Web 2.0 Risks? • Promulgate policy to ensure the safety and reliability of Government information systems from the Users’ perspective • Add security controls to explicitly require safety and reliability checks
