Thursday, 20 November 2008

Securing an inherently insecure application?

How does one go about securing an application that is mission critical, continent wide, revenue earning and only designed with basic user access control in mind? That is the task that my team and I are now facing following on from the assessment mentioned in the previous post.

The application uses data files managed by Pervasive SQL for content, process and transaction mapping as well as configuration. The bulk of the users need access to all of the files in order to get the functionality they need from the application to do their job, and a good portion of those users require write access.

The main problem that we are facing is that the users have too much access to the nuts and bolts of the application, especially by today's standards, but they need that access to reach the functionality in the system. Back in the day, when a mapped network drive was magic and could be considered the "backend", that may have been too much for inquisitive users to handle, but nowadays even full-on database queries are not too much for an inquisitive user to poke at, given access to the right tools.

Setting permissions at folder level is almost impossible; well, it is impossible. It is only almost impossible if the users accept not being able to use some functionality. It means that permissions will need to be set at file level - management overhead deluxe!

The removal of tools that allow users to edit data files is a must, but some users require those tools to assist in the support of the application and for troubleshooting in country. Did I already mention too much access? Well, now we can add too much trust with no controls to back that trust up, on top of too much access... It is only a matter of time before there is an incident.

So at the moment the mitigation research is following along the lines of:
  • Kung Fu NTFS Permissions - I can feel the smoke coming out of my brain already
  • Application white listing
  • File version tampering monitoring
  • Support process review
  • Applicability of the application (business is not going to like this one - read the first sentence again)
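File version tampering monitoring, the third item in the list above, can be started with a baseline of cryptographic hashes of the data files and a periodic comparison against it. The following is an added example written for this post, not the author's or Pervasive's code. The file patterns (`*.dat`, `*.ddf`), the sample file names and contents, and the directory layout are constructed assumptions; the `demo()` function tampers with its own temporary copies to show the four outcomes a comparison should distinguish (added, removed, modified, touched-but-identical).

```python
"""File-integrity baseline and change detection for a directory of data files.

Added example, not code from the original blog post. It assumes only that the
application's data lives as ordinary files under one directory tree; the file
name patterns and the sample files in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large data files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns=("*",)) -> dict:
    """Walk `root` and record size, mtime and hash for every file matching `patterns`.

    Paths are stored relative to `root` so a later comparison still lines up
    if the share is mounted under a different drive letter or mount point.
    """
    baseline = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            if path.is_file():
                stat = path.stat()
                baseline[path.relative_to(root).as_posix()] = {
                    "size": stat.st_size,
                    "mtime": stat.st_mtime,
                    "sha256": hash_file(path),
                }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every file as added, removed, modified or touched.

    A file is 'modified' when its hash differs. A changed mtime with the same
    hash is reported as 'touched': someone or something opened it for write
    without altering content, which is a different signal from tampering.
    """
    result = {"added": [], "removed": [], "modified": [], "touched": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            result["added"].append(rel)
        elif rel not in current:
            result["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            result["modified"].append(rel)
        elif baseline[rel]["mtime"] != current[rel]["mtime"]:
            result["touched"].append(rel)
    return result


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the manifest as JSON; keep it somewhere the monitored users cannot write."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a baseline over constructed sample files, tamper with them, and return the delta."""
    patterns = ("*.dat", "*.ddf")  # assumption: adjust to the application's real file names
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "orders.dat").write_bytes(b"ORDER|1001|open\n")          # constructed sample
        (root / "prices.dat").write_bytes(b"SKU|42|9.99\n")               # constructed sample
        (root / "config" / "file.ddf").write_bytes(b"dictionary-v1")     # constructed sample
        (root / "notes.txt").write_bytes(b"not a data file, ignored")    # outside the patterns
        baseline = build_baseline(root, patterns)

        # Simulate what a user with write access to the share could do.
        (root / "orders.dat").write_bytes(b"ORDER|1001|shipped\n")       # content altered
        (root / "prices.dat").unlink()                                   # file deleted
        (root / "new.dat").write_bytes(b"SKU|99|0.01\n")                 # file dropped in
        touched = root / "config" / "file.ddf"                           # same content, new mtime
        later = baseline["config/file.ddf"]["mtime"] + 60
        os.utime(touched, (later, later))

        current = build_baseline(root, patterns)
        return compare(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points for using this on the real share: keep the saved manifest on a host the data users cannot write to and run the comparison under an account that needs read access only, and take the baseline over the configuration and dictionary files rather than live transaction files, which the database engine rewrites as part of normal operation. A hash difference says that a file changed, not who changed it, so pair it with NTFS object-access auditing on the same files to get the account and timestamp.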
