Convincing your IT Administrator to Poke a Hole in the Firewall for caTissue Suite: Introduction
Ian Fore
Feb 28, 2011
Guidelines – Institution Considerations
Balance
• This is a question of balancing vulnerability against risk
Local Responsibility
• Much of the security of caTissue (or any application) depends on how it is configured and operated at a specific site
• Security is the responsibility of specific sites
caTissue
Application Security Assessment
Presented by: Braulio J. Cabral, MSc. IT, MSc. ISS/PM, SABSA, SOACP
CBIIT Enterprise Information Security Program Coordinator
SAIC-F
Feb 23, 2011
A Risk-based Security Assessment
References
• Guide for Applying the Risk Management Framework: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
• Risk Management Guide for Information Systems: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
• Recommended Security Controls: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf
Security Controls Evaluation
• (AC-5) Separation of Duties – M, H
• caTissue enforces separation of duty by assigning administrators privileged accounts. Non-administrators cannot create any accounts.
• (AC-6) Least Privilege – M, H
The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.
• The access control utilized at the network, database, and application software is set up according to the individual role and the minimum privileges necessary to perform their duties. This prevents an individual from having full authority or information access to conduct fraudulent activity without collusion.
• But only if this is effectively done by the installing site
Security Controls Evaluation
• (AC-7) Unsuccessful Login Attempts – L, M, H
• caTissue, which is the main interface for users into the system to upload data, does not support “Unsuccessful Login Attempts” and does not comply with the NIH policy of 6 attempts before blocking the account.
Compensating control:
The system supports strong passwords, which will make it extremely difficult for a brute-force attack to guess the password. The risk associated with this control has been deemed LOW for phase one, considering that the effort to guess the password is higher than the possible value of the information at this phase; the risk will be noted in the POA&M documentation for the system.
Security Controls Evaluation
Compensating control:
If using NIH LDAP, the users are forced to change their password every 60 days.
Compensating control:
SiteScope monitors on the servers continually look for an excessive number of log-in attempts, triggering an alert to the whole Systems Team in the event of suspicious activity. Audit trails are reviewed as appropriate.
• (AC-11) Session Lock – M, H
• caTissue supports session lock after a prolonged inactivity time, forcing the user to re-authenticate. This is controlled by a configurable parameter.
• (AC-12) Session Termination – M, H (1)
• caTissue supports session termination after a prolonged inactivity time; this is accomplished through a configurable parameter.
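The compensating control for AC-7 on the slides above (server-side monitoring that alerts on an excessive number of log-in attempts, since the application itself does not lock accounts) can be expressed as detection logic. The following is an added example and not caTissue's, SiteScope's or CBIIT's code: it runs a sliding-window count over constructed sample log lines (the line format, field names and the 15-minute window are assumptions) and raises an alert when a user/source pair reaches the 6-attempt threshold of the NIH policy the slide cites; a successful login resets the counter, as an account lockout counter would.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real caTissue output); the format is an assumption.
SAMPLE_LOG = """\
2011-02-23 09:00:01 LOGIN_FAILURE user=jdoe src=10.0.0.5
2011-02-23 09:00:04 LOGIN_FAILURE user=jdoe src=10.0.0.5
2011-02-23 09:00:07 LOGIN_FAILURE user=jdoe src=10.0.0.5
2011-02-23 09:00:10 LOGIN_FAILURE user=jdoe src=10.0.0.5
2011-02-23 09:00:13 LOGIN_FAILURE user=jdoe src=10.0.0.5
2011-02-23 09:00:16 LOGIN_FAILURE user=jdoe src=10.0.0.5
2011-02-23 09:00:19 LOGIN_SUCCESS user=jdoe src=10.0.0.5
2011-02-23 09:05:00 LOGIN_FAILURE user=asmith src=10.0.0.9
2011-02-23 09:30:00 LOGIN_FAILURE user=asmith src=10.0.0.9
2011-02-23 09:55:00 LOGIN_FAILURE user=asmith src=10.0.0.9
2011-02-23 10:20:00 LOGIN_FAILURE user=asmith src=10.0.0.9
2011-02-23 10:45:00 LOGIN_FAILURE user=asmith src=10.0.0.9
2011-02-23 11:10:00 LOGIN_FAILURE user=asmith src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_FAILURE|LOGIN_SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
    }


def find_excessive_failures(log_text, threshold=6, window_minutes=15):
    """Alert on every (user, source) pair that reaches `threshold` failed logins
    within a sliding window of `window_minutes`. A successful login clears the
    pair's counter; after an alert the counter is cleared so one burst yields one alert.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["user"], rec["src"])
        if rec["event"] == "LOGIN_SUCCESS":
            recent[key].clear()
            continue
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": rec["user"], "src": rec["src"],
                           "first": q[0], "last": rec["ts"], "count": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in find_excessive_failures(SAMPLE_LOG):
        print(f"ALERT {a['user']}@{a['src']}: {a['count']} failures {a['first']}..{a['last']}")
```

With the sample data only the rapid burst from jdoe trips the 15-minute window; asmith's slow, spaced-out failures are only caught when the window is widened, which is the tuning decision such a monitor forces on the Systems Team.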
Security Controls Evaluation
• (AC-14) Permitted Actions w/o Identification or Authentication – L, M (1), H (1)
• The only actions allowed by the system without authentication are: view summary page, request a new account (i.e. request for access), report a problem and view help. These activities have been classified as allowable and do not represent a risk to the system.
• (AC-17) Remote Access – L, M (1)(2)(3)(4), H (1)(2)(3)(4)
• Remote access is provided through a terminal tunneled through SSL. Manual and automated reporting is used to track log-in attempts and to alert Systems personnel of suspicious activity for immediate investigation and resolution.
• (AU-2) Auditable Events – L, M (3), H (1)(2)(3)
• The following auditable events are logged by the caTissue system: all logins (successful and unsuccessful attempts) and all data entry and edits are recorded in the audit trails.
Security Controls Evaluation
• (AU-3) Content of Audit Records – L, M (1), H (1)(2)
• The audit trails provide a record of the user id, date and time of transaction, old entry, new entry and reason for change.
• (AU-7) Audit Reduction and Report Generation – M (1), H (1)
• The caTissue system takes advantage of Oracle’s capabilities to store all data and system changes in a journaling table that cannot be modified; you can view and run reports on this data. The Systems Team has also set up checks to generate an alert if anyone attempts to modify the journaling table, to provide extra security.
• The Oracle database has auditing capabilities to track log-in attempts and other system activity. Automatic alerts notify DBAs and Systems Team members if there are excessive log-in attempts within a specified period. Daily reports on the audit data are emailed to the DBA Team for review and follow-up if appropriate. The audit log gets large quickly, so the data is archived daily and saved indefinitely.
Security Controls Evaluation
• (AU-8) Time Stamps – L, M (1), H (1)
• The audit trail records a date and time stamp, as well as the user id, old entry, new entry, and reason for change.
• (AU-9) Protection of Audit Information – L, M, H
• Only System Administrators can access the audit logs, which are never destroyed.
• (IA) Identification and Authentication
• Identification and authentication for the caTissue system is accomplished with the implementation of the following security controls:
• caTissue (main user interface) is capable of using LDAP (for local IdP) or the Common Security Module (database) for authentication (user name and password). caTissue is also capable of using the caBIG Common Security Module (CSM) for authentication (username and password) and for authorization.
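An added example, not caTissue's or Oracle's mechanism, that illustrates the audit record content listed under AU-3 and AU-8 (user id, timestamp, old entry, new entry, reason for change) together with the tamper detection the slides describe under AU-7 and AU-9. It goes beyond the slides in one respect: each record also carries a hash over its predecessor, so a verifier can detect an edited or deleted row independently of the database's own journaling. Field names, the specimen edits and the timestamps are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Field set the assessment lists for an audit record (AU-3, AU-8); the names are assumptions.
REQUIRED_FIELDS = ("user_id", "timestamp", "old_entry", "new_entry", "reason")
GENESIS = "0" * 64  # prev_hash of the first record


def _digest(prev_hash, fields):
    """SHA-256 over the previous record's hash plus this record's canonical JSON payload."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail: records are never updated or deleted through this class, and
    each one is chained to its predecessor so an edited or removed row is detectable."""

    def __init__(self):
        self._records = []
        self._last_hash = GENESIS

    def record(self, user_id, old_entry, new_entry, reason, timestamp=None):
        if not reason:
            raise ValueError("reason for change is mandatory")
        rec = {
            "user_id": user_id,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "old_entry": old_entry,  # None for a newly created entry
            "new_entry": new_entry,
            "reason": reason,
            "prev_hash": self._last_hash,
        }
        rec["hash"] = _digest(self._last_hash, {k: rec[k] for k in REQUIRED_FIELDS})
        self._records.append(rec)
        self._last_hash = rec["hash"]
        return rec["hash"]

    def export(self):
        """Copies of the records, as a daily report or archive job would read them."""
        return [dict(r) for r in self._records]


def verify_chain(records):
    """Recompute the chain. Returns (True, None) if intact, else (False, index of the first
    bad record). A deleted row shows up as a prev_hash mismatch on the record after it."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev_hash") != prev:
            return False, i
        if rec.get("hash") != _digest(prev, {k: rec.get(k) for k in REQUIRED_FIELDS}):
            return False, i
        prev = rec["hash"]
    return True, None


def demo():
    """Constructed specimen edits; returns verification results for the intact trail,
    a trail with one value silently edited, and a trail with its first row deleted."""
    trail = AuditTrail()
    trail.record("asmith", None, {"label": "SPEC-001", "quantity": 5},
                 "new specimen registered", timestamp="2011-02-23T09:00:00+00:00")
    trail.record("jdoe", {"quantity": 5}, {"quantity": 4},
                 "aliquot distributed", timestamp="2011-02-23T09:15:00+00:00")
    intact = verify_chain(trail.export())
    edited = trail.export()
    edited[1]["new_entry"] = {"quantity": 40}  # stored value changed behind the application's back
    deleted = trail.export()
    del deleted[0]  # row removed from the table
    return intact, verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    print(demo())
```

A periodic job that runs `verify_chain` over the exported table is the kind of check that can back the "alert if anyone attempts to modify the journaling table" statement with evidence, rather than relying on database permissions alone.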
Security Controls Evaluation
• (IA-2) User Identification and Authentication – L, M (1), H (2)(3)
• caTissue (main user interface) can use LDAP (for local IdP) or the Common Security Module (database) for authentication. This instance is using CSM.
• The Oracle database utilizes Oracle native security controls, including administrator user name and password, failed login attempts, password lifetime, password reuse time, password lock and password verify function.
• (SC-8) Transmission Integrity – M, H (1)
The information system protects the integrity of transmitted information.
• The transmission (input/output) of the data in the system is protected by utilizing encrypted point-to-point technology (SSL).
• (SC-9) Transmission Confidentiality – M, H (1)
• The confidentiality of the data in transit for the system is protected through an SSL tunnel to
Security Controls Evaluation
• (SC-10) Network Disconnect – M, H
• The system times out user sessions after a (configurable) number of minutes of inactivity, requiring the user to log back in to the system to continue. Further, the network connection automatically disconnects at the end of a network session. The network session is terminated after a (configurable) minute interval.
• (SC-12) Cryptographic Key Establishment and Management – M, H
• Encryption is only used in the storage of network and system passwords. caTissue encrypts its passwords and does have encryption capabilities for sensitive data if required by the data owner, but this functionality is not in use at this time. caTissue does not use tokens, cards, or other devices to generate or display identification codes or password information.
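Session lock (AC-11), session termination (AC-12) and network disconnect (SC-10) on the slides above all rest on the same configurable idle-timeout parameter. The following is an added example and not caTissue's implementation (the slides name neither its parameter nor its session store): a minimal server-side session registry whose `idle_timeout_seconds` is the assumed configurable value, with an injectable clock so the timeout behaviour can be shown without waiting, and a reaper for sessions that were abandoned rather than used again.

```python
import secrets
import time


class SessionStore:
    """In-memory session registry enforcing an idle timeout. Expired sessions are
    deleted server-side, so the user must re-authenticate rather than resume."""

    def __init__(self, idle_timeout_seconds, clock=time.time):
        self.idle_timeout = idle_timeout_seconds  # assumed configurable parameter
        self.clock = clock
        self._sessions = {}  # token -> {"user": ..., "last_activity": ...}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = {"user": user, "last_activity": self.clock()}
        return token

    def touch(self, token):
        """Validate a request's session. Returns the user on success; None if the session
        is unknown or has been idle longer than the timeout (it is terminated on the spot)."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_activity"] > self.idle_timeout:
            del self._sessions[token]  # terminate, do not merely hide it
            return None
        sess["last_activity"] = now  # activity inside the window refreshes the timer
        return sess["user"]

    def logout(self, token):
        self._sessions.pop(token, None)

    def reap(self):
        """Terminate every idle session; returns how many were removed. Run periodically so an
        abandoned session does not survive until its owner (or someone else) sends a request."""
        now = self.clock()
        stale = [t for t, s in self._sessions.items()
                 if now - s["last_activity"] > self.idle_timeout]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def active_count(self):
        return len(self._sessions)


class FakeClock:
    """Controllable clock so the timeout can be demonstrated without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo(idle_timeout_seconds=900):
    """Constructed walk-through: a request just inside the window keeps the session alive,
    the next one after a longer pause finds it terminated."""
    clock = FakeClock()
    store = SessionStore(idle_timeout_seconds, clock=clock)
    token = store.login("jdoe")
    clock.advance(idle_timeout_seconds - 1)
    still_valid = store.touch(token) == "jdoe"
    clock.advance(idle_timeout_seconds + 1)
    expired = store.touch(token) is None
    return still_valid, expired, store.active_count()


if __name__ == "__main__":
    print(demo())
```

The reaper is the part that answers SC-10's "terminated after a (configurable) minute interval": checking the timeout only when a request arrives leaves a session alive indefinitely if no request ever comes.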
Vulnerability Scanning
Findings and Compensating Controls
Use of MD5 as SSL Certificate Signature Algorithm
• Not related to the application, but to the configuration of the container
Cross-Site Request Forgery
• This is due to the time-to-live of the sessions, if the scanner sends the same session before it expires.
Cacheable SSL Page Found
• Only style sheets and pics
Vulnerability Scanning
[2 of 5] Cross-Site Scripting
Severity: High
Test Type: Application
CVE ID(s): N/A
CWE ID(s): 79 (parent of 80, 82, 83, 84, 86)
• Remediation Tasks: Filter out hazardous characters from user input
• Notes: This is happening in internal pages after the user signs in; it is a risk to be evaluated by the system owner. For someone to exploit the vulnerability, they will have to put a sniffer between the system and the user’s computer. If successful, it can compromise the PC, not the system. So it all depends on the motivation behind the attack.
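The scanner's remediation task above is to filter hazardous characters from user input. As an added example (not caTissue code; the page fragment, the form value and the function names are constructed), here is the vulnerable pattern the finding describes, user input concatenated straight into an authenticated page, beside the hardened form, which encodes the value for each output context it lands in (HTML text and attribute values via `html.escape`, a URL query component via `urllib.parse.quote`). Output encoding is the usual complement to input filtering because it neutralises the characters at the point where they would otherwise become markup.

```python
import html
from urllib.parse import quote

# Constructed value of the kind a scanner submits to a form field (CWE-79 probe).
SAMPLE_INPUT = '<script>alert(1)</script>" onmouseover="x'


def render_unsafe(name):
    """Vulnerable: the user-supplied value is spliced into HTML and into a URL unchanged."""
    return ('<p>Welcome, ' + name + '</p>'
            '<a href="/profile?user=' + name + '">profile</a>')


def render_safe(name):
    """Hardened: encode for each output context instead of trying to strip 'bad' characters."""
    text_ctx = html.escape(name, quote=True)  # element text and quoted attribute values
    url_ctx = quote(name, safe="")            # URL query component
    return ('<p>Welcome, ' + text_ctx + '</p>'
            '<a href="/profile?user=' + url_ctx + '">profile</a>')


def contains_active_markup(rendered):
    """Crude check, sufficient for this demonstration: did the rendered page end up with a raw
    script tag or an unencoded event-handler attribute originating from the input?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_INPUT))
    print("safe:  ", render_safe(SAMPLE_INPUT))
```

The hardened version leaves ordinary names such as "Jane Doe" readable while rendering the probe as inert text, which is what makes the scan pass without a blacklist that a later input could slip past.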
Vulnerability Scanning
• SQL Injection String Tests Summary (43860 results recorded)
Failures: 0
Warnings: 0
Passes: 43860
• SQL Injection String Test Results
loginName
Submitted Form State:
password:
Submit: Login
Results: This field passed 14620 tests.
Vulnerability Scanning
• SQL Injection String Tests Summary (365500 results recorded)
• For URL: %%$$%^^&&&***
• Failures: 0
• Warnings: 0
• Passes: 365500
Q&A