Title: Protecting Federal Government from Web 2.0 Application Security Risks
- Dr. Sarbari Gupta, CISSP, CISA
- sarbari_at_electrosoft-inc.com
- Electrosoft
- 11417 Sunset Hills Road, 228
- Reston, VA 20190
- www.electrosoft-inc.com
Agenda
- Web 2.0 Fundamentals
- Web 2.0 and the US Feds
- Web 2.0 Risks
- FISMA and Web 2.0
Web 2.0 Fundamentals
[Comic] Created by Rob Cottingham at http://mashable.com/2010/08/10/social-media-web-comics/24865-Noise-to-Signal
What is Web 2.0?
- Social Media/Web Applications such as
  - Facebook/LinkedIn
  - Twitter
  - RSS Feeds
  - Blogs
  - Wikis
  - Web Chat
  - Podcasts
  - Mashups
  - Photo/Video-sharing
  - Virtual Worlds
Characteristics of Web 2.0 Tools
- Applications hosted on Web platform
- Users are Content Creators/Editors
- Highly Interactive
- Supports Rich Content / Media Types
- Easy to Use
Web 1.0 Content Model
[Diagram: Web 1.0 Content Model. Elements shown: Site Content, Webmaster, Web Platform, Browser Users, Sys Admin, Hackers, Security Controls]
Web 2.0 Content Model (I)
[Diagram: Web 2.0 Content Model. Elements shown: Content, Web 2.0 Tool, Web Platform, Tool Programmer, Outside Content Providers, Benign Users, Evil Users, Sys Admin, Security Controls]
Web 2.0 Content Model (II)
- Web 2.0 Clients are Content Creators
- Web 2.0 Server provides
  - Data Aggregation from Varied Sources
  - Platform for Information Exchange
  - Storage for User/Client-created Content
  - Segregation between Users (if needed)
Technologies enabling Web 2.0
- AJAX (Asynchronous JavaScript and XML)
- JSON (JavaScript Object Notation)
- REST (Representational State Transfer)
- SOAP (Simple Object Access Protocol)
- and others
Web 2.0 and the US Federal Government
Drivers for Fed Adoption of Web 2.0
- Jan 21, 2009: Memorandum on Transparency and Open Government
  - Promotes Transparency, Participation and Collaboration
- Feb 24, 2000: M-09-12, President's Memorandum on Transparency and Open Government - Interagency Collaboration
  - Establishes mechanisms to seek participation/collaboration
- Dec 8, 2009: M-10-06 Open Government Initiative
  - Describes 4 Specific Steps for Agencies to implement Open Government
Benefits for Fed Adoption of Web 2.0 Tools
- Increase education/outreach/training
- Allow Rapid dissemination of information
- Support Recruitment
- Promote citizen participation in Government
- Facilitate interactive communication
Fed Policy for Web 2.0
- Apr 7, 2010: Memo on Social Media, Web-based Interactive Technologies and the Paperwork Reduction Act
  - Describes activities that are not subject to the Paperwork Reduction Act (PRA)
- Jun 25, 2010: M-10-23 - Guidance for the Use of Third-Party Websites and Applications
  - Protecting Individual Privacy while using 3rd party websites/tools to engage with public
- Nov 3, 2010: M-11-02 Sharing Data While Protecting Personal Privacy
  - Promotes data sharing while embracing responsible stewardship
Fed Initiatives for Web 2.0
- GSA / Office of Citizen Services
  - www.usa.gov, answers.usa.gov, webcontent.gov, http://search.usa.gov, Apps.gov
- CIA: Facebook for recruiting
- HHS: Pandemic Flu Leadership Blog
- USPTO: Collect input towards pending patents
- DoD: Virtual Worlds to simulate terrorism
- Library of Congress: Flickr to make public aware of holdings
Web 2.0 Risks
Web 2.0 Use Cases for Government
Matrix of Sharing Direction (Internal / External) against Interaction Level (Group / Individual):
- Inward: Intra-organizational (internal Wikis, SharePoint)
- Inbound: Crowd-sourcing (public polls, change.gov)
- Outward: Inter-Institutional (GovLoop, STAR-TIDES)
- Outbound: Govt engagement on commercial Social Media (Twitter)
Guidelines for Secure Use of Social Media by Federal Departments and Agencies, ISIMC, V1.0, Sept 2009
Top Web 2.0 Security Risks
- Spear Phishing
- Social Engineering
- Web Application Attacks
  - Cross Site Scripting (XSS)
  - Cross Site Request Forgery (XSRF)
  - Security Flaws in (Aggregation) Partner Sites
  - Weak Authentication Controls
  - Information Leakage
  - Injection Flaws
Guidelines for Secure Use of Social Media by Federal Departments and Agencies, ISIMC, V1.0, Sept 2009
OWASP Top 10 (2010)
- A1 Injection
- A2 Cross-Site Scripting (XSS)
- A3 Broken Authentication and Session Management
- A4 Insecure Direct Object References
- A5 Cross-Site Request Forgery (CSRF)
- A6 Security Misconfiguration
- A7 Insecure Cryptographic Storage
- A8 Failure to Restrict URL Access
- A9 Insufficient Transport Layer Protection
- A10 Unvalidated Redirects and Forwards
Implications
- Application Security Vulnerabilities are at the core of Web 2.0 risks
- Web 2.0 Applications provide new avenues for old threats due to their
  - Complexity
  - Popularity
  - Ubiquity
FISMA and Web 2.0
Federal Information Security Landscape
- Federal Practices in Information Security are driven by REGULATORY COMPLIANCE
  - Title III of E-Government Act of 2002 - Federal Information Security Management Act (FISMA)
  - Privacy Act of 1974
  - OMB Circular A-130, Appendix III
  - OMB Memos, ...
- FISMA is implemented through NIST guidelines
  - Special Pubs 800-37, 800-53, ...
NIST SP 800-53 Rev 3
- Title: Recommended Security Controls for Federal Information Systems and Organizations
- Published August 2009
- Approach: Risk Management Framework
  - Categorize Information System
  - Select Security Controls
  - Implement Security Controls
  - Assess Security Controls
  - Authorize Information System
  - Monitor Security Controls
- 18 families of Security Controls
FISMA Definition of Information Security
- Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide
  - (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
  - (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
  - (C) availability, which means ensuring timely and reliable access to and use of information.
Parsing the FISMA Definition
- Assets to be protected
- Information
- Information Systems
- Information needs to be protected for C-I-A
- Confidentiality (C)
- Integrity (I)
- Availability (A)
Web 2.0 Content Model
[Diagram repeated from the Web 2.0 Content Model (I) slide: Content, Web 2.0 Tool, Web Platform, Tool Programmer, Outside Content Providers, Benign Users, Evil Users, Sys Admin, Security Controls]
Web 2.0 Usage Models for Feds
- Fed Users are Web 2.0 Clients; Web 2.0 Server is in the Cloud
  - FISMA Controls may suffice to protect the IT resources used by the Fed Users
- Feds Host Web 2.0 Applications/Servers
  - FISMA controls provide little or no protection for (citizen) Users
FISMA and Web 2.0 Content
- User supplied Web 2.0 content can be protected for C-I-A per FISMA
  - and yet be dangerous to other Users
- Protecting Users of Government Web 2.0 Apps is not within the scope of FISMA
Introducing Safety and Reliability (I)
- When Government builds a bridge over a river
  - Concern 1: Is the bridge reliable?
  - Concern 2: Is the bridge safe?
  - ...
  - Concern n: Is the bridge protected from harm (by Users)?
Introducing Safety and Reliability (II)
- When Government builds a Web 2.0 Application
  - Concern 1: Is the underlying Information System protected from harm (by Users)?
  - Concern 2: Is the Web 2.0 content protected for C-I-A?
- The concerns that do not currently surface
  - Is the Application reliable?
  - Is the Application safe?
Final Thoughts
- How do we protect US Federal Government and Citizens from Web 2.0 Risks?
  - Promulgate policy to ensure the safety and reliability of Government information systems from the Users' perspective
  - Add security controls to explicitly require safety and reliability checks