What is Web 2.0?
Social Media / Web Applications such as:
- Facebook / LinkedIn
- Twitter
- RSS Feeds
- Blogs
- Wikis
- Web Chat
- Podcasts
- Mashups
- Photo / Video-sharing
- Virtual Worlds
- ...

Characteristics of Web 2.0 Tools
- Applications hosted on a Web platform
- Users are Content Creators / Editors
- Highly Interactive
- Supports Rich Content / Media Types
- Easy to Use
Web 1.0 Content Model
(Diagram; elements shown: Web Platform, Site Content, Security Controls, Webmaster, Browser, Users, Sys Admin, Hackers)

Web 2.0 Content Model (I)
(Diagram; elements shown: Content, Outside Content Providers, Evil Users, Web 2.0 Tool, Web Platform, Tool Programmer, Benign Users, Security Controls, Sys Admin)

Web 2.0 Content Model (II)
- Web 2.0 Clients are Content Creators
- Web 2.0 Server provides:
  - Data Aggregation from Varied Sources
  - Platform for Information Exchange
  - Storage for User / Client-created Content
  - Segregation between Users (if needed)
Drivers for Fed Adoption of Web 2.0
- Jan 21, 2009 – Memorandum on Transparency and Open Government: promotes Transparency, Participation and Collaboration
- Feb 24, M-09-12, President's Memorandum on Transparency and Open Government - Interagency Collaboration: establishes mechanisms to seek participation / collaboration
- Dec 8, M Open Government Initiative: describes 4 specific steps for Agencies to implement Open Government

Benefits for Fed Adoption of Web 2.0 Tools
- Increase education / outreach / training
- Allow rapid dissemination of information
- Support recruitment
- Promote citizen participation in Government
- Facilitate interactive communication

Fed Policy for Web 2.0
- Apr 7, 2010 – Memo on Social Media, Web-based Interactive Technologies and the Paperwork Reduction Act: describes activities that are not subject to the Paperwork Reduction Act (PRA)
- Jun 25, 2010 – M Guidance for the Use of Third-Party Websites and Applications: protecting individual privacy while using 3rd-party websites / tools to engage with the public
- Nov 3, 2010 – M – Sharing Data While Protecting Personal Privacy: promotes data sharing while embracing responsible stewardship

Fed Initiatives for Web 2.0
- GSA / Office of Citizen Services – answers.usa.gov; webcontent.gov; Apps.gov
- CIA – Facebook for recruiting
- HHS – Pandemic Flu Leadership Blog
- USPTO – collect input towards pending patents
- DoD – Virtual Worlds to simulate terrorism
- Library of Congress – Flickr to make the public aware of holdings
Web 2.0 Use Cases* for Government
(Four use cases arranged by Sharing Direction, Internal vs. External, and Interaction Level, Group vs. Individual)
- Inward: Intra-organizational (internal Wikis, SharePoint)
- Inbound: "Crowd-sourcing" (public polls, change.gov)
- Outward: Inter-Institutional (GovLoop, STAR-TIDES)
- Outbound: Govt engagement on commercial Social Media (Twitter)
* "Guidelines for Secure Use of Social Media by Federal Departments and Agencies", ISIMC, V1.0, Sept 2009

Top Web 2.0 Security Risks
- Spear Phishing*
- Social Engineering*
- Web Application Attacks*
  - Cross Site Scripting (XSS)
  - Cross Site Request Forgery (XSRF)
  - Security Flaws in (Aggregation) Partner Sites
  - Weak Authentication Controls
  - Information Leakage
  - Injection Flaws
* "Guidelines for Secure Use of Social Media by Federal Departments and Agencies", ISIMC, V1.0, Sept 2009

OWASP Top 10 (2010)
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards

Implications ...
- Application Security Vulnerabilities are at the core of Web 2.0 risks
- Web 2.0 Applications provide new avenues for old threats due to their:
  - Complexity
  - Popularity
  - Ubiquity
Federal Information Security Landscape
Federal practices in Information Security are driven by REGULATORY COMPLIANCE:
- Title III of the E-Government Act – Federal Information Security Management Act (FISMA)
- Privacy Act of 1974
- OMB Circular A-130, Appendix III
- OMB Memos, ...
FISMA is implemented through NIST guidelines: Special Pubs , , ...

NIST SP Rev 3
Title: Recommended Security Controls for Federal Information Systems and Organizations
Published: August 2009
Approach: Risk Management Framework
- Categorize Information System
- Select Security Controls
- Implement Security Controls
- Assess Security Controls
- Authorize Information System
- Monitor Security Controls
18 families of Security Controls (each family belongs to one class: Technical, Operational or Management):
ID  Family
AC  Access Control
AT  Awareness and Training
AU  Audit and Accountability
CA  Security Assessment and Authorization
CM  Configuration Management
CP  Contingency Planning
IA  Identification and Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical and Environmental Protection
PL  Planning
PS  Personnel Security
RA  Risk Assessment
SA  System and Services Acquisition
SC  System and Communications Protection
SI  System and Information Integrity
PM  Program Management
FISMA Definition of "Information Security"
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, which means ensuring timely and reliable access to and use of information.

Parsing the FISMA Definition ...
- Assets to be protected:
  - Information
  - Information Systems
- Information needs to be protected for C-I-A:
  - Confidentiality (C)
  - Integrity (I)
  - Availability (A)

Web 2.0 Content Model
(Recap of the Web 2.0 Content Model diagram above: Content, Outside Content Providers, Evil Users, Web 2.0 Tool, Web Platform, Tool Programmer, Benign Users, Security Controls, Sys Admin)
Web 2.0 Usage Models for Feds
- Fed Users are Web 2.0 Clients – the Web 2.0 Server is in the Cloud: FISMA controls may suffice to protect the IT resources used by the Fed Users
- Feds host Web 2.0 Applications / Servers: FISMA controls provide little or no protection for (citizen) Users

FISMA and Web 2.0 Content
- User-supplied Web 2.0 content can be protected for C-I-A per FISMA ... and yet be dangerous to other Users
- Protecting Users of Government Web 2.0 Apps is ... not within the scope of FISMA
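An added illustration of this slide's point, not part of the original deck: a user-posted comment is stored with an integrity tag that stays intact (the content is protected in the C-I-A sense), yet rendering that same stored content verbatim to other users exposes them to cross-site scripting, while HTML-context output encoding shows the same text harmlessly. The sample posts, the store and the render functions are constructed for this example.

```python
import hashlib
import html
import json

# Constructed sample posts to a hosted Web 2.0 tool (a blog comment thread).
# The second body carries markup that is inert as stored data but would run in
# the browser of every user who views the thread if rendered without encoding.
SAMPLE_POSTS = [
    {"user": "alice", "body": "Meeting notes are on the wiki."},
    {"user": "mallory", "body": 'Great post! <script>alert("xss")</script>'},
]


def _canonical(post):
    """Stable byte form of a post, so the integrity tag is reproducible."""
    return json.dumps({"user": post["user"], "body": post["body"]},
                      sort_keys=True).encode("utf-8")


def store_record(post):
    """Persist a post with a SHA-256 integrity tag (hypothetical content store)."""
    return {**post, "sha256": hashlib.sha256(_canonical(post)).hexdigest()}


def integrity_intact(record):
    """Integrity check in the FISMA sense: stored bytes match the tag from write time."""
    return hashlib.sha256(_canonical(record)).hexdigest() == record["sha256"]


def render_unsafe(record):
    """Templating as many early Web 2.0 tools did it: user text pasted straight into HTML."""
    return f"<p><b>{record['user']}</b>: {record['body']}</p>"


def render_safe(record):
    """Same page with HTML-context output encoding: user text is displayed, not executed."""
    return f"<p><b>{html.escape(record['user'])}</b>: {html.escape(record['body'])}</p>"


def contains_active_markup(rendered):
    """Crude visibility check for the contrast: is a script element present in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for rec in map(store_record, SAMPLE_POSTS):
        print(rec["user"], "integrity:", integrity_intact(rec),
              "unsafe has script:", contains_active_markup(render_unsafe(rec)),
              "safe has script:", contains_active_markup(render_safe(rec)))
```

Both records pass the integrity check, so nothing in the stored data is "modified or destroyed"; only the rendering path decides whether other users are harmed.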
Introducing Safety & Reliability (I)
When Government builds a bridge over a river:
- Concern #1: Is the bridge reliable?
- Concern #2: Is the bridge safe?
- ...
- Concern #n: Is the bridge protected from harm (by Users)?

Introducing Safety & Reliability (II)
When Government builds a Web 2.0 Application:
- Concern #1: Is the underlying Information System protected from harm (by Users)?
- Concern #2: Is the Web 2.0 content protected for C-I-A?
The concerns that do not currently surface:
- Is the Application reliable?
- Is the Application safe?

Final Thoughts
How do we protect the US Federal Government and Citizens from Web 2.0 Risks?
- Promulgate policy to ensure the safety and reliability of Government information systems from the Users' perspective
- Add security controls to explicitly require safety and reliability checks