Thursday, 20 November 2008

Securing an inherently insecure application?

How does one go about securing an application that is mission critical, continent wide, revenue earning and only designed with basic user access control in mind? That is the task that my team and I are now facing following on from the assessment mentioned in the previous post.

The application uses data files managed by Pervasive SQL for content, process and transaction mapping as well as configuration. The bulk of the users need access to all the files to get the functionality they need to do their job, and a good portion of those users require write access.

The main problem that we are facing is that the users have too much access to the nuts and bolts of the application, especially by today's standards, but they need that access to reach the functionality in the system. Back in the day, when a mapped network drive was magic and could be considered the "backend", it may have been too much for inquisitive users to handle, but nowadays even full-on database queries are not too much for an inquisitive user to poke at, given access to the right tools.

Setting permissions at folder level is almost impossible; well, it is impossible. It is only almost impossible if the users accept not being able to use some functionality. It means that permissions will need to be set at file level - management overhead deluxe!

The removal of tools that allow users to edit data files is a must, but some users require those tools to assist in the support of the application and troubleshooting in country. Did I already mention too much access? Well, now we can add too much trust with no controls to underpin that trust, on top of too much access... A matter of time before there is an incident.

So at the moment the mitigation research is following along the lines of:
  • Kung Fu NTFS Permissions - I can feel the smoke coming out of my brain already
  • Application whitelisting
  • File version tampering monitoring
  • Support process review
  • Applicability of the application (business is not going to like this one - read the first sentence again)
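Scripting the first and third items in that list, as an added example that is not the post's own code: the share path, group names and the list of user-writable files are assumptions, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the original post): file-level NTFS ACLs plus hash-based tamper monitoring.
param(
    [string]$DataRoot   = '\\FILESERVER\AppShare\Data',   # assumed share holding the Pervasive data files
    [string]$ReadGroup  = 'DOMAIN\App-Users',              # assumed group: ordinary application users
    [string]$WriteGroup = 'DOMAIN\App-Support',            # assumed group: in-country support staff
    [string]$Baseline   = 'C:\Secure\app-baseline.csv'     # assumed path, writable by administrators only
)
# Files ordinary users must write to (assumed); everything else is read-only for them and should stay static.
$UserWritable = @('TRANS.DAT', 'SESSION.DAT')
function Set-DataFileAcl([System.IO.FileInfo]$File) {
    $acl = Get-Acl -Path $File.FullName
    # Stop inheriting the folder-level grant the post describes, then rebuild an explicit per-file ACL.
    $acl.SetAccessRuleProtection($true, $false)
    $userRights = if ($UserWritable -contains $File.Name) { 'Modify' } else { 'ReadAndExecute' }
    $rules = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @($WriteGroup,              'Modify'),
        @($ReadGroup,               $userRights)
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], 'Allow')))
    }
    Set-Acl -Path $File.FullName -AclObject $acl
}
# The files users are not supposed to change are the ones worth hashing; transactional files change legitimately.
function Get-StaticFiles($Root) { Get-ChildItem -Path $Root -File -Recurse | Where-Object { $UserWritable -notcontains $_.Name } }
# Record a SHA-256 baseline of the static files.
function New-TamperBaseline($Root, $OutFile) {
    Get-StaticFiles $Root | ForEach-Object {
        [pscustomobject]@{ Path = $_.FullName; Sha256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash }
    } | Export-Csv -Path $OutFile -NoTypeInformation
}
# Compare the current state with the baseline; every line reported should map to a support ticket.
function Test-TamperBaseline($Root, $BaselineFile) {
    $known = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $known[$_.Path] = $_.Sha256 }
    foreach ($f in Get-StaticFiles $Root) {
        $hash = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
        if (-not $known.ContainsKey($f.FullName)) { "NEW      $($f.FullName)" }
        elseif ($known[$f.FullName] -ne $hash)    { "MODIFIED $($f.FullName)" }
        $known.Remove($f.FullName)
    }
    $known.Keys | ForEach-Object { "DELETED  $_" }
}
Get-ChildItem -Path $DataRoot -File -Recurse | ForEach-Object { Set-DataFileAcl $_ }
if (Test-Path $Baseline) { Test-TamperBaseline $DataRoot $Baseline } else { New-TamperBaseline $DataRoot $Baseline }
```

Run it once to cut the ACLs and record the baseline, then schedule it so each later run reports new, modified or deleted static files.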

Friday, 14 November 2008

People, Process and Technology!

I am currently working on a security assessment of one of the large applications in the bank, due to a series of incidents in the application, and it is quite concerning from my side that the technical resources of the system are only looking at the people side of the solution. Different for a change, isn't it?

They are saying that if the users could be trusted, then we wouldn't need to do all this. I find this a change from the usual technical mindset, which is "let's throw more technology at the problem". What is also concerning is that fingers are being pointed at the platform from the business application and vice versa, but when asked for their implementation and configuration guidelines, none exist. Also, when asked about the logical access control standards or the backup process, I get a blank stare.

The technology is not getting off the hook lightly at the moment; there are concerns with it. The concerns could have been significantly reduced if the correct processes and supporting standards were in place.

Little wonder, then, that the people in the PPT (People, Process and Technology) triangle can start manipulating the system. PPT is as important for a solution to be secure as Confidentiality, Integrity and Availability.

Solutions need to be developed incorporating both triangles, and whilst you can't merge them into the hexagon of holistic solution design, all the points do need to be taken into account.

Needless to say, the assessment's scope has increased significantly, from a purely technical review to a holistic review of the Information Security posture of the solution and its environment.

I am looking forward to the result of the full audit of the environment, as I think it will be the first deliverable of the mature Information Risk Management approach (as opposed to an IT Security approach) that the department is trying to move towards.

Tuesday, 04 November 2008

NIST: Technical Guide to Information Security Testing and Assessment

NIST have released their Technical Guide to Information Security Testing and Assessment (SP 800-115). The document outlines at a high level what an assessment program should contain and the various facets thereof. It is extremely important for every assessment to include the classic PowerPoint extension of any solution: People, Process and Technology (PPT).

The guide is not technical (for techies) but does present a good overview of what a Security Assessment program within an organisation should contain, its general approach and what skills are required by the people within the team. Don't expect job descriptions or a list of applications that they must be proficient in...

A good read if you are setting up an Assessment unit within your organisation or if you want to put in place some structure around your existing Security Assessment programme. I will definitely be using it to put a bit of structure into my team's assessment process, particularly around the business engagement, planning and the policy environment.