Security Aspects of Web Site Design (PowerPoint presentation transcript)

1
Security Aspects of Web Site Design
  • Office of Enterprise Security
  • (What we look for in web applications and Why)

2
Introduction to Rick Wolfinger
  • Began security career in 1983 working for the
    U.S. Air Force in Electronic Security Command
    (Okinawa, Japan and SAC Headquarters).
  • Responsible for computer and communications
    systems on SAC Airborne Command Post aircraft and
    National Emergency Airborne Command Post
    aircraft.
  • Worked as a defense contractor in England (6 years)
    and Denver, Colorado (6 years) supporting the United
    States Department of Defense.
  • Began working for State of Michigan October 2002.

3
Whose Job Is Security?
  • How many think security is my job?
  • How many think security is your job?
  • How many think security is our job?
  • NOTE: Determining the proper level of security for
    a web application is not a strictly objective
    process.

4
SOM Sees Threats Daily
  • Typical Incidents per day (approx.)
  • 1500 e-mail viruses
  • 38,000 scans/probes
  • 620 web server attacks
  • 3 computer hack attempts

5
Enterprise Security Orientation Overview
  • Enterprise Security has created an orientation
    overview to communicate the following:
  • Who we are
  • How we can help
  • Current projects that help reduce risk of
    viruses, theft or misuse of data for Michigan
    citizens, etc.

6
Questions I Ask / Things I Look For
  • Is the data in this application sensitive? Is it
    FOIABLE?
  • Who are the users?
  • Is this application internet or intranet? If
    intranet, are there plans to make it internet?
  • Does this application have the Privacy and
    Security policies on all pages?
  • What is the risk of financial loss to SOM?
  • What is the risk of embarrassment to SOM or
    governor?
  • If login and password are needed, can I page BACK
    and FORWARD past the login screen?
  • Is there a network diagram available?
  • Does the application allow the use of cookies?
  • Is there an audit process for the application?
  • Answers to these questions determine what
    security is needed for an application.
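The "can I page BACK and FORWARD past the login screen?" question covers two separate defects: a protected URL that is served without a session (forward past login), and authenticated content that the browser keeps in its cache so the Back button replays it after logout. The audit below is an added example, not code from the presentation or the Office of Enterprise Security; the responses it checks are constructed samples.

```python
# Added example (not from the presentation): checks the two properties behind
# the "page BACK and FORWARD past the login screen?" question.
#   1. A protected URL fetched WITHOUT a session must not return 200
#      (otherwise a user can simply navigate forward past the login page).
#   2. A protected page served WITH a session must carry Cache-Control: no-store,
#      so the browser does not replay it from cache after logout.
# All responses below are constructed samples, not captured from any real site.

from dataclasses import dataclass, field


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def _cache_directives(headers):
    """Split a Cache-Control header into a set of lower-cased directives."""
    value = headers.get("Cache-Control", "")
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def audit_protected_page(anon: Response, authed: Response):
    """Return a list of findings for one protected URL.

    anon   - response to an unauthenticated request for the URL
    authed - response to the same URL with a valid session
    """
    findings = []
    # 1. Forward past login: the anonymous request must be refused or redirected.
    if anon.status == 200:
        findings.append(f"{anon.url}: served to anonymous client (no per-page auth check)")
    # 2. Back past logout: authenticated content must not be cacheable.
    if "no-store" not in _cache_directives(authed.headers):
        findings.append(f"{authed.url}: missing Cache-Control: no-store on authenticated content")
    return findings


# Constructed sample: one page designed correctly, one with both defects.
GOOD = audit_protected_page(
    Response("/account", 302, {"Location": "/login"}),
    Response("/account", 200, {"Cache-Control": "no-store, max-age=0", "Pragma": "no-cache"}),
)
BAD = audit_protected_page(
    Response("/report", 200, {}),
    Response("/report", 200, {"Cache-Control": "private, max-age=600"}),
)

if __name__ == "__main__":
    for finding in GOOD + BAD:
        print(finding)
```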

7
Examples of Bad Password Design
  • If you answer yes to one on-line question, a
    password will be automatically sent to you.
  • Application designed to accept a password one
    character long.
  • Application designed to accept Social Security
    Number as password.

8
Applications/Servers Security Checklist
  • Should be completed 2-4 weeks before the application
    is launched.
  • Not intended to be used as a guide during
    development of the application.
  • Signed hardcopy should be returned to Office of
    Enterprise Security.

9
30 Standards form the basis for Security
Recommendations
  • 1410.17 Michigan State Government Network
    Security Policy
    (section 6.6 for password information)
  • 1310.16 Acceptable Use of the State
    Telecommunications Network
  • 1460.00 SOM Acceptable Use Policy

10
Cookie Policy
  • Our policy regarding cookies is contained in the
    State of Michigan Privacy Policy that can be
    accessed at <http://www.michigan.gov/emi/0,1303,7-102----PP,00.html>.
  • Cookies are allowable as long as the home page
    can be viewed and accessed without cookies.
  • In other words, you cannot force a user to accept
    a cookie upon entering the site's home page. All
    access to state content or services must be
    anonymous - without cookies. So the home page
    must be simply the opening page in straight HTML
    that indicates what the application is for, what
    it will do and what types of technology are
    required, such as use of cookies.
  • Since some applications cannot function without
    the use of cookies, the user must be notified IN
    ADVANCE of their use before proceeding with the
    online service. So the choice of accepting or not
    accepting the cookie is totally up to the user.

11
The Secure Michigan Initiative
  • In order to establish a current baseline, a
    rapid enterprise-wide risk assessment was
    conducted. This assessment, conducted in the
    summer of 2002, was based upon the guidance and
    principles from the National Institute of
    Standards (NIST) Security Handbook, the
    International Standards Organization (ISO) 17799
    Security standards, and the Federal Information
    Systems Controls Audit Manual from the General
    Accounting Office (GAO). This rapid risk
    assessment covered all areas of IT security.
    Every agency within the State of Michigan was
    interviewed for the rapid risk assessment.

12
Identity Theft
  • The nature of identity theft has changed and the
    threat today is more likely than ever to come
    from insiders. (December 3, 2002)
  • Complaints to the FTC have more than doubled, to
    85,820 last year from 31,113 in 2000. For the
    first six months of this year, the agency
    received 70,000 complaints about identity theft.
    (December 3, 2002)

13
ID Theft (continued)
  • National credit reporting numbers:
  • Equifax 1-800-525-6285
  • Experian (formerly TRW) 1-888-397-3742
  • Trans Union 1-800-680-7289
  • Social Security Administration (fraud line)
    1-800-269-0271

14
Michigan Online Security Training (MOST)
  • MOST is being developed by Enterprise Security in
    cooperation with Walsh College
  • Designed to increase awareness and knowledge of
    security for SOM employees
  • Web-based program contains basic security
    concepts and a test-your-knowledge module
  • Look for Al the owl

15
References
  • ID Theft
  • http://www.usatoday.com/money/workplace/2003-01-23-idtheft-cover_x.htm
  • http://www.msnbc.com/news/960638.asp
  • Viruses get smarter
    http://www.computerworld.com/securitytopics/security/story/0,10801,77794,00.html
  • Computer Security Audit Checklist
    http://www.summersault.com/chris/techno/security/auditlist.html
  • Security Audit White Paper
    http://www.pestpatrol.com/ProductDocs/PestPatrolAuditorsGuide.pdf

16
Web Applications: hackers' newest target
  • The defensive perimeter of firewalls and
    intrusion-detection systems that most companies
    rely on for network security is being bypassed by
    hackers who have made Web applications their
    newest targets, security experts warned last
    week. "Perimeter defense is becoming an
    irrelevant term," said Kevin Soo Hoo, senior
    security architect at Cambridge, Mass.-based
    security consultancy @Stake Inc. "The emphasis
    in hacking is now shifting to the application
    layer. The Web application is becoming the
    primary vehicle for attack."
  • The increased demand for Web functionality has
    pushed almost all traffic through Ports 80 and
    443 on most Web servers -- typically the only two
    ports that are left open by most companies. And
    that's where hackers are turning to gain access
    to enterprise networks and data, said Soo Hoo.
    "As a result, the threat model is changing. It
    makes the firewall no longer the line of defense
    that it once was." http://www.stratum8.com/intro.html

17
Questions and Comments