Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting Federal Government from Web 2.0 Application Security Risks

Published byJeremiah Parsley Modified over 9 years ago

Similar presentations

Presentation on theme: "Protecting Federal Government from Web 2.0 Application Security Risks"— Presentation transcript:

1 Protecting Federal Government from Web 2.0 Application Security Risks
Dr. Sarbari Gupta, CISSP, CISA Electrosoft 11417 Sunset Hills Road, #228 Reston, VA 20190

2

3 Agenda Web 2.0 Fundamentals Web 2.0 and the US Feds Web 2.0 Risks
FISMA and Web 2.0

4 Web 2.0 Fundamentals

5 Created by Rob Cottingham at http://mashable

6 What is Web 2.0? Social Media/Web Applications such as:
Facebook/LinkedIn Twitter RSS Feeds Blogs Wikis Web Chat Podcasts Mashups Photo/Video-sharing Virtual Worlds

7 Characteristics of Web 2.0 Tools
Applications hosted on Web platform Users are Content Creators/Editors Highly Interactive Supports Rich Content / Media Types Easy to Use

8 Web 1.0 Content Model Web Platform Site Content Security Controls
Webmaster Web Platform Browser Users Sys Admin Hackers

9 Web 2.0 Content Model (I) Content Outside Content Evil Users Providers
Web 2.0 Tool Web Platform Tool Programmer Benign Users Security Controls Sys Admin

10 Web 2.0 Content Model (II) Web 2.0 Clients are Content Creators
Web 2.0 Server provides Data Aggregation from Varied Sources Platform for Information Exchange Storage for User/Client-created Content Segregation between Users (if needed)

11 Technologies enabling Web 2.0
AJAX (Asynchronous JavaScript and XML) JSON (JavaScript Object Notation) REST (Representational State Transfer) SOAP (Simple Object Access Protocol) and others …

12 Web 2.0 and the US Federal Government

13 Drivers for Fed Adoption of Web 2.0
Jan 21, 2009 – Memorandum on Transparency and Open Government Promotes Transparency, Participation and Collaboration Feb 24, M-09-12, President's Memorandum on Transparency and Open Government - Interagency Collaboration Establishes mechanisms to seek participation/collaboration Dec 8, M Open Government Initiative Describes 4 Specific Steps for Agencies to implement Open Government

14 Benefits for Fed Adoption of Web 2.0 Tools
Increase education/outreach/training Allow Rapid dissemination of information Support Recruitment Promote citizen participation in Government Facilitate interactive communication

15 Fed Policy for Web 2.0 Apr 7, 2010 – Memo on Social Media, Web-based Interactive Technologies and the Paperwork Reduction Act Describes activities that are not subject to the Paperwork Reduction Act (PRA) Jun 25, 2010 – M Guidance for the Use of Third- Party Websites and Applications Protecting Individual Privacy while using 3rd party websites/tools to engage with public Nov 3, 2010 – M – Sharing Data While Protecting Personal Privacy Promotes data sharing while embracing responsible stewardship

16 Fed Initiatives for Web 2.0
GSA/ Office of Citizen Services answers.usa.gov; webcontent.gov; Apps.gov CIA – Facebook for recruiting HHS – Pandemic Flu Leadership Blog USPTO – Collect input towards pending patents DoD – Virtual Worlds to simulate terrorism Library of Congress – Flickr to make public aware of holdings

17 Web 2.0 Risks

18 Web 2.0 Use Cases* for Government
Inward Intra-organizational (internal Wikis, SharePoint) Inbound “Crowd-sourcing” (public polls, change.gov) Internal Sharing Direction Outward Inter-Institutional (GovLoop, STAR-TIDES) Outbound Govt engagement on commercial Social Media (Twitter) External Group Individual Interaction Level * Guidelines for Secure Use of Social Media by Federal Departments and Agencies”, ISIMC, V1.0, Sept 2009

19 Top Web 2.0 Security Risks Spear Fishing* Social Engineering*
Web Application Attacks* Cross Site Scripting (XSS) Cross Site Request Forgery (XSRF) Security Flaws in (Aggregation) Partner Sites Weak Authentication Controls Information Leakage Injection Flaws * Guidelines for Secure Use of Social Media by Federal Departments and Agencies”, ISIMC, V1.0, Sept 2009

20 OWASP Top 10 (2010) A1: Injection A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards

21 Implications … Application Security Vulnerabilities are at the core of Web 2.0 risks Web 2.0 Applications provide new avenues for old threats due to their: Complexity Popularity Ubiquity

22 FISMA and Web 2.0

23 Federal Information Security Landscape
Federal Practices in Information Security are driven by REGULATORY COMPLIANCE Title III of E-Government Act of Federal Information Security Management Act (FISMA) Privacy Act of 1974 OMB Circular A-130, Appendix III OMB Memos, … FISMA is implemented through NIST guidelines Special Pubs , , …

24 NIST SP Rev 3 Title: Recommended Security Controls for Federal Information Systems and Organizations Published: August 2009 Approach: Risk Management Framework Categorize Information System Select Security Controls Implement Security Controls Assess Security Controls Authorize Information System Monitor Security Controls 18 families of Security Controls ID FAMILY CLASS AC Access Control Technical AT Awareness and Training Operational AU Audit and Accountability CA Security Assessment and Authorization Management CM Configuration Management CP Contingency Planning IA Identification and Authentication IR Incident Response MA Maintenance MP Media Protection PE Physical and Environmental Protection PL Planning PS Personnel Security RA Risk Assessment SA System and Services Acquisition SC System and Communications Protection SI System and Information Integrity PM Program Management

25 FISMA Definition of “Information Security”
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (C) availability, which means ensuring timely and reliable access to and use of information.

26 Parsing the FISMA Definition …
Assets to be protected Information Information Systems Information needs to be protected for C-I-A Confidentiality (C) Integrity (I) Availability (A)

27 Web 2.0 Content Model Content Outside Content Evil Users Providers
Web 2.0 Tool Web Platform Tool Programmer Benign Users Security Controls Sys Admin

28 Web 2.0 Usage Models for Feds
Fed Users are Web 2.0 Clients – Web 2.0 Server is in the Cloud FISMA Controls may suffice to protect the IT resources used by the Fed Users Feds Host Web 2.0 Applications/Servers FISMA controls provide little or no protection for (citizen) Users

29 FISMA and Web 2.0 Content User supplied Web 2.0 content can be protected for C-I-A per FISMA … and yet be dangerous to other Users Protecting Users of Government Web 2.0 Apps is … not within the scope of FISMA

30 Introducing Safety & Reliability (I)
When Government builds a bridge over a river Concern #1: Is the bridge reliable? Concern #2: Is the bridge safe? Concern #n: Is the bridge protected from harm (by Users)?

31 Introducing Safety & Reliability (II)
When Government builds a Web 2.0 Application Concern #1: Is the underlying Information System protected from harm (by Users)? Concern #2: Is the Web 2.0 content protected for C-I- A? The concerns that do not currently surface Is the Application reliable? Is the Application safe?

32 Final Thoughts How do we protect US Federal Government and Citizens from Web 2.0 Risks? Promulgate policy to ensure the safety and reliability of Government information systems from the Users’ perspective Add security controls to explicitly require safety and reliability checks

Download ppt "Protecting Federal Government from Web 2.0 Application Security Risks"

Similar presentations

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
EMS Checklist (ISO model)

EMS Checklist (ISO model)
1 From the File Room to Facebook: Best Practices and Standards for Managing Social Media Records Chad Doran, CRM Chief Records Management Officer Arlington.

1 From the File Room to Facebook: Best Practices and Standards for Managing Social Media Records Chad Doran, CRM Chief Records Management Officer Arlington.
OWASP Mobile Top 10 Beau Woods

OWASP Mobile Top 10 Beau Woods
2009 Data Protection Seminar

2009 Data Protection Seminar
Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,

SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Don’t Teach Developers Security Caleb Sima Armorize Technologies.

Don’t Teach Developers Security Caleb Sima Armorize Technologies.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.
Doug Couto Information Systems and Technology Committee (ABJ50) Washington, DC January 25, 2011.

Doug Couto Information Systems and Technology Committee (ABJ50) Washington, DC January 25, 2011.
PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
The OWASP Foundation AppSec DC Promoting Application Security within Federal Government Dr. Sarbari Gupta, CISSP, CISA Founder/President.

The OWASP Foundation AppSec DC Promoting Application Security within Federal Government Dr. Sarbari Gupta, CISSP, CISA Founder/President.
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.

Similar presentations

Ads by Google