Protecting Federal Government from Web 2.0 Application Security Risks (PowerPoint presentation transcript)

Presenter: Dr. Sarbari Gupta, CISSP, CISA (Electrosoft, Reston, VA). Provided by: owaspOrg2. Slides: 33.

Transcript and Presenter's Notes

1
Protecting Federal Government from Web 2.0
Application Security Risks
  • Dr. Sarbari Gupta, CISSP, CISA
  • sarbari_at_electrosoft-inc.com
  • Electrosoft
  • 11417 Sunset Hills Road, 228
  • Reston, VA 20190
  • www.electrosoft-inc.com

3
Agenda
  • Web 2.0 Fundamentals
  • Web 2.0 and the US Feds
  • Web 2.0 Risks
  • FISMA and Web 2.0

4
Web 2.0 Fundamentals
5
(Comic image) Created by Rob Cottingham at http://mashable.com/2010/08/10/social-media-web-comics/24865-Noise-to-Signal
6
What is Web 2.0?
  • Social Media/Web Applications such as
    • Facebook/LinkedIn
    • Twitter
    • RSS Feeds
    • Blogs
    • Wikis
    • Web Chat
    • Podcasts
    • Mashups
    • Photo/Video-sharing
    • Virtual Worlds

7
Characteristics of Web 2.0 Tools
  • Applications hosted on Web platform
  • Users are Content Creators/Editors
  • Highly Interactive
  • Supports Rich Content / Media Types
  • Easy to Use

8
Web 1.0 Content Model
(Diagram) Elements: Security Controls, Site Content, Webmaster, Web Platform, Browser Users, Sys Admin, Hackers
9
Web 2.0 Content Model (I)
(Diagram) Elements: Outside Content Providers, Evil Users, Content, Web 2.0 Tool, Web Platform, Tool Programmer, Benign Users, Security Controls, Sys Admin
10
Web 2.0 Content Model (II)
  • Web 2.0 Clients are Content Creators
  • Web 2.0 Server provides
    • Data Aggregation from Varied Sources
    • Platform for Information Exchange
    • Storage for User/Client-created Content
    • Segregation between Users (if needed)

11
Technologies enabling Web 2.0
  • AJAX (Asynchronous JavaScript and XML)
  • JSON (JavaScript Object Notation)
  • REST (Representational State Transfer)
  • SOAP (Simple Object Access Protocol)
  • and others

12
Web 2.0 and the US Federal Government
13
Drivers for Fed Adoption of Web 2.0
  • Jan 21, 2009: Memorandum on Transparency and Open Government
    • Promotes Transparency, Participation and Collaboration
  • Feb 24, 2000 - M-09-12, President's Memorandum on Transparency and Open Government - Interagency Collaboration
    • Establishes mechanisms to seek participation/collaboration
  • Dec 8, 2009 - M-10-06, Open Government Initiative
    • Describes 4 Specific Steps for Agencies to implement Open Government

14
Benefits for Fed Adoption of Web 2.0 Tools
  • Increase education/outreach/training
  • Allow Rapid dissemination of information
  • Support Recruitment
  • Promote citizen participation in Government
  • Facilitate interactive communication

15
Fed Policy for Web 2.0
  • Apr 7, 2010: Memo on Social Media, Web-based Interactive Technologies and the Paperwork Reduction Act
    • Describes activities that are not subject to the Paperwork Reduction Act (PRA)
  • Jun 25, 2010 - M-10-23, Guidance for the Use of Third-Party Websites and Applications
    • Protecting Individual Privacy while using 3rd party websites/tools to engage with the public
  • Nov 3, 2010 - M-11-02, Sharing Data While Protecting Personal Privacy
    • Promotes data sharing while embracing responsible stewardship

16
Fed Initiatives for Web 2.0
  • GSA / Office of Citizen Services: www.usa.gov, answers.usa.gov, webcontent.gov, http://search.usa.gov, Apps.gov
  • CIA: Facebook for recruiting
  • HHS: Pandemic Flu Leadership Blog
  • USPTO: Collect input towards pending patents
  • DoD: Virtual Worlds to simulate terrorism
  • Library of Congress: Flickr to make the public aware of holdings

17
Web 2.0 Risks
18
Web 2.0 Use Cases for Government
(Matrix figure; axes: Sharing Direction (Internal / External) and Interaction Level (Group / Individual))
  • Inward: Intra-organizational (internal Wikis, SharePoint)
  • Inbound: Crowd-sourcing (public polls, change.gov)
  • Outward: Inter-Institutional (GovLoop, STAR-TIDES)
  • Outbound: Govt engagement on commercial Social Media (Twitter)

Source: Guidelines for Secure Use of Social Media by Federal Departments and Agencies, ISIMC, V1.0, Sept 2009
19
Top Web 2.0 Security Risks
  • Spear Phishing
  • Social Engineering
  • Web Application Attacks
    • Cross Site Scripting (XSS)
    • Cross Site Request Forgery (XSRF)
    • Security Flaws in (Aggregation) Partner Sites
    • Weak Authentication Controls
    • Information Leakage
    • Injection Flaws

Source: Guidelines for Secure Use of Social Media by Federal Departments and Agencies, ISIMC, V1.0, Sept 2009
20
OWASP Top 10 (2010)
  • A1 Injection
  • A2 Cross-Site Scripting (XSS)
  • A3 Broken Authentication and Session Management
  • A4 Insecure Direct Object References
  • A5 Cross-Site Request Forgery (CSRF)
  • A6 Security Misconfiguration
  • A7 Insecure Cryptographic Storage
  • A8 Failure to Restrict URL Access
  • A9 Insufficient Transport Layer Protection
  • A10 Unvalidated Redirects and Forwards

21
Implications
  • Application Security Vulnerabilities are at the
    core of Web 2.0 risks
  • Web 2.0 Applications provide new avenues for old threats due to their
    • Complexity
    • Popularity
    • Ubiquity

22
FISMA and Web 2.0
23
Federal Information Security Landscape
  • Federal Practices in Information Security are driven by REGULATORY COMPLIANCE
    • Title III of E-Government Act of 2002 - Federal Information Security Management Act (FISMA)
    • Privacy Act of 1974
    • OMB Circular A-130, Appendix III
    • OMB Memos
  • FISMA is implemented through NIST guidelines
    • Special Pubs 800-37, 800-53

24
NIST SP 800-53 Rev 3
  • Title: Recommended Security Controls for Federal Information Systems and Organizations
  • Published August 2009
  • Approach: Risk Management Framework
    • Categorize Information System
    • Select Security Controls
    • Implement Security Controls
    • Assess Security Controls
    • Authorize Information System
    • Monitor Security Controls
  • 18 families of Security Controls

25
FISMA Definition of Information Security
  • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide
    • (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
    • (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
    • (C) availability, which means ensuring timely and reliable access to and use of information.

26
Parsing the FISMA Definition
  • Assets to be protected
    • Information
    • Information Systems
  • Information needs to be protected for C-I-A
    • Confidentiality (C)
    • Integrity (I)
    • Availability (A)

27
Web 2.0 Content Model
(Diagram, repeated from slide 9) Elements: Outside Content Providers, Evil Users, Content, Web 2.0 Tool, Web Platform, Tool Programmer, Benign Users, Security Controls, Sys Admin
28
Web 2.0 Usage Models for Feds
  • Fed Users are Web 2.0 Clients; Web 2.0 Server is in the Cloud
    • FISMA Controls may suffice to protect the IT resources used by the Fed Users
  • Feds Host Web 2.0 Applications/Servers
    • FISMA controls provide little or no protection for (citizen) Users

29
FISMA and Web 2.0 Content
  • User-supplied Web 2.0 content can be protected for C-I-A per FISMA
    • and yet be dangerous to other Users
  • Protecting Users of Government Web 2.0 Apps is not within the scope of FISMA
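
To make the point of slide 29 concrete, here is an added JavaScript example (not from the presentation): a stored user comment passes an integrity check, yet one rendering path makes it dangerous to every other user who views it while an output-encoded path does not. The sample comment and the function names are constructed for this illustration.

```javascript
// Added example, not from the presentation: a stored user comment can keep its
// integrity (served exactly as the user submitted it) and still be unsafe for
// the other users who view it. All names below are assumptions for this example.

// Constructed sample of user-supplied Web 2.0 content that carries markup.
const storedComment = 'Great post! <img src=x onerror="alert(1)">';

// Integrity in the FISMA sense: what the server hands out is exactly what was
// stored, unmodified. This holds regardless of how the content is later rendered.
function integrityIntact(stored, served) {
  return stored === served;
}

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe rendering: the comment is interpolated as markup, so its <img> tag and
// onerror handler become live in every viewer's browser (stored XSS).
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Safe rendering: the same stored content, escaped so the browser shows it as text.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Output check a reviewer can run over rendered fragments: a text-only comment
// body must not contain any HTML tag once its <li> wrapper is stripped.
function bodyHasMarkup(html) {
  const body = html.replace(/^<li class="comment">/, "").replace(/<\/li>$/, "");
  return /<[a-z][\w-]*\b[^>]*>/i.test(body);
}

// Both renderings preserve integrity of the stored comment; only the escaped one
// is safe for the users who read it.
function demo() {
  return {
    integrity: integrityIntact(storedComment, storedComment),
    unsafeRenderHasMarkup: bodyHasMarkup(renderCommentUnsafe(storedComment)),
    safeRenderHasMarkup: bodyHasMarkup(renderCommentSafe(storedComment)),
  };
}
```

The integrity check is what a C-I-A control measures; the markup check is the user-safety property the slide says FISMA does not cover.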

30
Introducing Safety and Reliability (I)
  • When Government builds a bridge over a river
    • Concern 1: Is the bridge reliable?
    • Concern 2: Is the bridge safe?
    • Concern n: Is the bridge protected from harm (by Users)?

31
Introducing Safety and Reliability (II)
  • When Government builds a Web 2.0 Application
    • Concern 1: Is the underlying Information System protected from harm (by Users)?
    • Concern 2: Is the Web 2.0 content protected for C-I-A?
  • The concerns that do not currently surface
    • Is the Application reliable?
    • Is the Application safe?

32
Final Thoughts
  • How do we protect US Federal Government and Citizens from Web 2.0 Risks?
    • Promulgate policy to ensure the safety and reliability of Government information systems from the Users' perspective
    • Add security controls to explicitly require safety and reliability checks