WEBSITE MIGRATION PLAN

This plan aims to ensure the smooth migration of a government website to the Integrated Government Philippines (igovphil) Web Hosting Service. It is divided into three parts: first, a situational analysis, which discusses the status of the national government agencies' websites, the agencies' concerns, the quality of their websites, and the current situation of ASTI/PREGINET web hosting; second, a problem statement and goal setting; third, the strategic action agenda.

I. SITUATIONAL ANALYSIS

Status of National Government Agencies' Websites as of December 2012

[Figure 1: Percentage of Government Agencies' Websites in Accordance with the UN-ASPA Five Stages of E-Government. Pie chart: stage 1 (emerging) 43 agencies, 13%; stage 2 (enhanced) 157, 48%; stage 3 (interactive) 94, 29%; stage 4 (transactional) 12, 4%; no website 20, 6%.]

There are 326 national government agencies (NGA). Of these, only 33% or 106 NGA are in the interactive or transactional stage of the Five Stages of E-Government of the United Nations-American Society for Public Administration (UN-ASPA). These agencies' websites frequently act as portals, offer services that allow users to download and submit forms online, and conduct online transactions using online payment systems, which only 12 agencies have. The majority of the NGA, 200 or 61%, are still in the informative stages (emerging and enhanced), while the remaining 6% have no web presence to date. The number of agencies with no web presence is greater than the number of agencies that offer complete online services to the public. This situation was assessed by the team through informal consultations with selected agencies.

Situations, Issues and Concerns

The public-facing websites of the government agencies have the following features:

Unorganized/cluttered information: there are parts/sections of their websites that can already be omitted.
It reflects a horror vacui (an aversion to empty space) impression, wherein all spaces in the website must be used and filled in.
No standard look and feel. All government agency websites have different designs, layouts and contents/sections, signifying an absence of uniformity.

Unprofessional and insecure. This is demonstrated by the hacking incidents that defaced a number of government websites. It suggests that these agencies have incompetent IT personnel maintaining the site, or have availed of commercial or free online web hosting services. Security does matter.

The agency website assessment and informal consultations brought out the following issues and concerns, which explain why 20 agencies still have no web presence and why the majority are still in the informative stage:

1. Absence of top management support. This is one of the major concerns of agencies, because lack of it contributes to lack of budget and lack of appreciation of the importance of having a public-facing website.

2. Lack of funds. Government agencies that lack funds barely allocate a portion to web hosting services, which results in either availing of free online web hosting services or having no web presence at all.

3. Lack of technically skilled personnel and/or difficulty in retaining them. This is one of the reasons why government agencies resort to free online web hosting services, have no web presence, or subscribe to commercial web hosting companies.

4. Lack of a sustainability plan. The absence of a sustainability plan is an obstacle to achieving a professional and secure website. The following activities are needed in order to have a more secure, professional and transactional website:

o Regularly update the content.

o Upgrade the platform in terms of hardware, software and middleware. The middleware serves as the link between the Government Enterprise Architecture and the Government Information System, integrating standard plans and strategies to improve the services and operational efficiency of government agencies.
o Provide capability-building activities to web administrators.

o Align the government agencies' goals toward a transactional website that caters to the needs of citizens, allowing them to transact everything online and minimizing the need for personal appearance. In the Information Age, a website is not only a marketing arm; it also functions as an online service provider.

Of the 306 agencies with web presence, 59 are hosted at the Advanced Science and Technology Institute (ASTI) of the Department of Science and Technology.
Our existing technical support provided by ASTI's PREGINET Web Hosting Services

Overview of PREGINET

The Philippine Research, Education and Government Information Network (PREGINET) is a service program to help interconnect local academic, government, and research institutions for the purpose of collaborative research and education. It is a nationwide broadband network operated by the Advanced Science and Technology Institute (ASTI) of the Department of Science and Technology (DOST). It aims to advance the development of next-generation technologies, applications and services for its clients in areas such as distance education, agriculture, bioinformatics, telehealth, disaster management, and networking. It allows experimentation with and testing of new innovations and equipment such as ATM, wireless broadband, IP over SONET/SDH, and DSL technologies. It is the first government-led initiative to establish a National Research and Education Network in the Philippines. Such networks helped advanced countries develop their research and collaboration activities in the early 1990s.

Applications Running in the Network

Several network applications running in ASTI-PREGINET help boost its role in the R&D arena. These applications help ASTI-PREGINET's partner institutions access local and foreign content, enable real-time interaction, and facilitate the formation of user communities. The value-added services of PREGINET are as follows:

1. Network Connectivity. By becoming part of the ASTI-PREGINET network, partner institutions have: 10/155 Mbps connections to the commodity Internet; a 155 Mbps connection to international RENs; and faster access to large amounts of data and databases through ASTI-PREGINET's strong partnership with major telecommunication providers in the country.

2. Web Hosting.
The ASTI-PREGINET web hosting service allows government agencies, local government units, state universities and colleges, and non-government organizations to have a web presence and online promotion of their products and services in a secured network web hosting facility.

3. Multicast. A simultaneous delivery of information to a group of destinations using the most efficient strategy to deliver messages over each link of the network, creating copies only where the links to the destinations split. It is usually implemented as Internet Protocol (IP) Multicast, a technique for many-to-many communication over an IP infrastructure. The ASTI-PREGINET network provides support for Multiprotocol Extensions for Border Gateway Protocol (BGP), Protocol
Independent Multicast-Sparse Mode, and Multicast Source Discovery Protocol on all core routers. Among the ASTI-PREGINET services that are multicast capable are AccessGrid.org, the Digital Video Transport System, Research Channel, and the SOI Asia Project.

4. Server Co-location. Server co-location at ASTI-PREGINET facilities is also offered to its partners. The ASTI-PREGINET facilities offer partner institutions a secure and reliable place to physically house their hardware and equipment.

5. Philippine Open Internet Exchange (PhOpenIX). The only exchange in the Philippine Internet industry operated by a neutral institution, allowing the exchange of Internet traffic in a free-market environment among local Internet and data service providers.

6. Video Streaming. One of ASTI-PREGINET's ways to broadcast events and lectures to its partners via the Internet in real time.

7. Video Conferencing. A communication technology that allows interaction via simultaneous video and audio transmissions. It is advocated by ASTI-PREGINET because of its cost-efficiency and its capability to achieve the same results as a face-to-face meeting.

8. Voice over IP (VoIP). A communication technology that allows voice communication and multimedia sessions over IP networks. ASTI-PREGINET was one of the pioneers in conducting research on VoIP in the Philippines before it entered the mainstream. The DOST network, as well as all partners of ASTI-PREGINET, were the first to have VoIP capability.

9. Internet Protocol version 6 (IPv6). In light of the onset of the worldwide migration from Internet Protocol version 4 (IPv4) to IPv6, ASTI-PREGINET initiated the use of IPv6 in the Philippines. IPv6 responds to the current problem of Internet address exhaustion. Through ASTI-PREGINET and the DOST-Information and Communications Technology Office (formerly the Commission on Information and Communications Technology), the Office of the President issued Executive Order No.
893 to encourage the use of IPv6, since the exhaustion of IPv4 threatens to deter investment in Internet-based infrastructure, applications and services.

10. Digital Video Transport System (DVTS). A simple and inexpensive method of transmitting high-quality video and audio over the Internet. DVTS brings Internet video production within reach of a broad range of organizations that would not otherwise have the necessary money or know-how. DVTS is a step toward a world in which organizations can tune their computers in to a series of educational channels and send and receive high-quality video across the Internet with the same ease as sending and receiving, without any capital expenditures. DVTS is usually used in high-quality telemedicine.
ASTI-PREGINET's partner institutions are already saving on communication expenses with the use of VoIP, video conferencing, and video streaming. These advanced networking technologies are also being optimized in the fields of telemedicine, distance learning, and disaster management, among others.

Web Hosting Fees

Specifications        Standard Package                                    Corporate Package
Price                 P9,500.00/year                                      P20,000.00/year
Set-up                FREE                                                FREE
Disk Space            2 GB                                                6 GB
DNS Administration    -                                                   FREE
No. of Accounts       Up to 10 accounts (200 MB inbox quota)              Up to 30 accounts (600 MB inbox quota)
Website Platform      WordPress, Drupal, Joomla supported                 WordPress, Drupal, Joomla supported
No. of Databases      1                                                   3
Database Support      Open source database systems (PostgreSQL, MySQL)    Open source database systems (PostgreSQL, MySQL)
Remote Access         FTP and web (cPanel)                                FTP and web (cPanel)

Basic Features
Convenience           Control Panel, Instant Activation                   Control Panel, Instant Activation
Customer Service      Support, FAQ, 24/7 uptime                           Support, FAQ, 24/7 uptime
Security              Host-based Firewall, Redundant Power Supply (UPS)   Host-based Firewall, Redundant Power Supply (UPS)
Web Hosting Clientele

ASTI-PREGINET is currently hosting about 59 government websites from different sectors, which include:

o Office of the Vice President (OVP)
o House of Representatives (HoR)
o Presidential Broadcast Staff - Radio Television Malacanang
o Industrial Technology Development Institute (ITDI)
o Metro Manila Development Authority (MMDA)
o National Disaster Risk Reduction and Management Council (NDRRMC)
o Office of Civil Defense (OCD)
o National Archives of the Philippines (NAP)
o DPWH ARMM
o League of Philippine Provinces (LPP)
o LGU Davao del Norte
o LGU Kiangan, Ifugao
o Provincial Government of Camiguin
o Physics Society of the Philippines
o Philippine Science High School (PSHS) Main Campus and Provincial Campuses
o Public-Private Partnership Center of the Philippines (PPP)
o Iloilo State College of Fisheries - Main Campus
o Northwest Samar State University
o Sorsogon State College

Current Resources

1. Manpower. ASTI-PREGINET has only one staff member handling the web hosting service, who also acts as Network Security Administrator.

2. Web Hosting Software Management. There are two licenses that need to be renewed every three years.

3. Hardware. There are two dedicated servers allocated to the web hosting service, with an estimated life span of three to five years.

4. Interconnectivity. Utilizing the existing 200 Mbps commodity Internet from Globe and another 200 Mbps, burstable to 400 Mbps, redundant commodity Internet from WiFi City.

5. Capability Building. Through ASTI's Training Unit, it offers courses on Joomla and network administration.
Challenges

o Web hosting is a value-added service of PREGINET which collects a minimal financial contribution, mainly for electricity.
o No full-blast marketing due to the shortage of dedicated technical staff to handle the whole web hosting operation and technical support.
o The Web Hosting Software Management needs regular funding for its license fees.
o The hardware needs an upgrade to meet the increasing demand for web hosting services from government agencies, local government units and state universities and colleges.
o Most of the partner agencies do not have technical staff to manage their cPanel account and web content.
o Many of the government websites are vulnerable to hacking due to lack of security measures on the development side.
o The web hosting facility requires additional resources if it is to accommodate the increasing demand.

II. PROBLEM STATEMENT

This Website Migration Plan aims to address the following problems:

o Vulnerability of government agencies' websites.
o Absence of a standard 'look and feel' for government websites.

Goals and Objectives

1. To work toward a fully-integrated Government Portal

The Website Migration Plan will serve as a strategy to achieve the fully-integrated Government Portal envisioned by the Philippine Government. The igovphil Project Web Hosting Service will provide centralized security for all migrated websites, ensuring that all agency websites will be up and running with very minimal or zero downtime due to security attacks.

2. To ensure a smooth transition of government websites from individual agencies' hosting to a consolidated platform

Migrating government websites to a consolidated platform will be a difficult task to accomplish, considering that existing government websites use a mix of different platforms, operating systems, databases, and/or Content Management Systems (CMS).
Having a migration plan with guidelines and procedures for evaluation, prioritization, performance audit and security checks, and the actual migration of the targeted government websites will facilitate the smooth transition of the websites to the igovphil Project Web Hosting Service.
3. To ensure a robust and secure web hosting platform for government websites

The primary objective of migrating all government websites to the Government Data Center/Cloud is to address the security issues being experienced by these websites. These security issues usually come in the form of hacking/defacement and distributed denial of service. Several reasons can be cited as to why these security issues abound: the use of unmaintained, undocumented, home-brewed Content Management Systems; the use of insecure web hosting facilities, primarily due to unpatched operating systems or platforms; and phishing attacks against unsuspecting system or admin users. Having government agency websites hosted in the government data center, which follows the prescribed platforms, set of standards and policies, and employs a centralized security system, can ensure that the websites are hosted on a robust and secure web hosting platform.

III. STRATEGIC ACTION AGENDA

Migration/Compliance Procedures

This Migration Procedure is broken into phases. Each phase is described below. The entire process runs from website assessment to turnover and operation/maintenance.

1. Assessment of a government agency's current website (survey)

For each agency interested in migrating its website, the igovphil Migration Unit (MU) will issue a survey or checklist form in which the interested agency indicates the details of its current website. From this survey, the MU will be able to determine the agency's readiness to migrate. Furthermore, the data gleaned from the survey will help the MU fine-tune the web hosting service's features to accommodate an agency's unusual requirements, if any. A scorecard will be added for the following parameters: security (40%), content (10%), technical capability (30%), platform (20%).

2. Prioritization

The survey will be used to prioritize which agencies will be migrated first.
First priority:

o High priority will be given to websites that have been defaced or hacked within the past 12 months.
o The use of a standard CMS (e.g. Joomla, Drupal, WordPress).
o Use of operating system and programming languages. While igovphil can run most operating systems and programming languages, Linux and PHP are the only ones currently supported, as these two and MySQL comprise the three major components of our recommended CMS platforms.
o Criticality of an agency's website, e.g., does this website offer a very important service that needs to be migrated as soon as possible?
o Availability of a technical person to migrate the website. This is a critical requirement, as this single person will probably do the migration himself.

Second priority:

o If a particular agency does not use a standard CMS, the MU can recommend two options: (1) ask the agency to migrate to a new CMS before it gets hosted on the igovphil web hosting service, or (2) put the agency's website on a virtual machine where it has sole access to the machine's resources. Furthermore, in option 2, the agency website can be hosted on a physical machine (provided by the agency itself) co-located at igovphil's data center, or the website can be hosted on a virtual machine on igovphil's cloud. In either case, care will be taken so that the agency website is appropriately sandboxed from the rest of the data center.
o Current web hosting contracts with commercial web hosting providers. Some agencies that have outstanding contracts with their commercial web hosting providers may be reluctant to migrate to the new web hosting service. Hence, they may opt not to migrate immediately.
o Website resource requirements, e.g., if a current agency website uses too much disk or database storage, it may not be prioritized.
o For websites requiring HTTPS, agencies wanting to migrate to the new web hosting platform should indicate their requirements in the Survey Form. This gives the MU time to reconfigure the platform for HTTPS.

3. Implementation of a Migration Checklist

Assuming the agency's website is prioritized for migration, the following checklist will be used to ensure a successful migration.

o Did the current website pass the security and audit checks? More importantly, from a standards-based point of view, ICTO will have to establish information security guidelines and principles based on the ISO/IEC 27002:2005 standard.
This is a global standard for implementing and improving information security management in an organization. While the whole process may take a while, a more practical security and audit checklist shall be prepared to address website migration. See Section 4 for details.

o Did the website adhere to the Government Website Template Requirements? The EO/AO institutionalizing the Uniform Website Content Policy (UWCP) of the Government and the Establishment of a Government Web Hosting Service under the Information and Communications Technology Office (ICTO)-DOST says that all agencies shall make their content compliant with the UWCP within 180 days of successful migration. This implies that, regardless of the platform (e.g. CMS) used, and unless the UWCP mandates the use of a standard CMS, all agency websites will be migrated. In defense of using a standard CMS: it eases maintenance for everyone involved, as there is strong community support available for all CMS flavors.
o Review of technical requirements:
  - DNS
  - Upload access (SFTP or FTP)
  - Account access (creation of accounts)
  - Hard disk and DB sizing
  - Orientation on the features of the web hosting solution (via ) for the agency's technical person
o Availability of a capable technical person from the agency who will actually do the migration (e.g. copying of files, coordination with the MU).
o Set a date for migration and final turnover. This is critical, as some agencies cannot go offline at certain periods of the year.

4. Initial Security and Audit Checks before going online

If the agency fails the security and audit check, it may not be allowed to migrate to the new web hosting service. This is a necessary requirement to prevent insecure websites from compromising the rest of the websites in the web hosting service. All websites will be subjected to automated code, vulnerability and exploitation security checks before actual migration. Internally, ICTO's MU will have to subject its own computer and network infrastructure to physical, network, protocol/service, user, data storage, password, and system administration security checks to make sure that its own systems are safe and secure. The ISO/IEC 27002:2005 standard should be adopted.

5. Actual Migration

Actual migration can take one week to a few months. What is important is to implement a content freeze while the migration is ongoing, to prevent inconsistencies between the source and destination websites. It is also important that the content freeze duration be set to a reasonable length, to prevent the website from accumulating stale content while migrating. As soon as the migration is over, the website is officially hosted at our premises.

NOTE: The succeeding sections, although not strictly part of the migration procedure, are included to present a complete picture of how websites are handled in the igovphil Web Hosting Service.

6. Implementation of a Staging Server

The staging server will be provided by the MU to all agency websites currently hosted on the web hosting platform. It will serve as a testing platform for any changes to an agency's website. Changes to content and plugins, as well as to the CMS platform itself, can be made on the staging server. Once the technical person in charge of the website is satisfied that the changes will not result in a broken website, he can apply the changes to the production server.
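As an added illustration of the automated code check described in step 4 (this is example code written for this plan, not an existing igovphil or ASTI tool), the following Python script audits a copy of an agency's PHP/CMS webroot for three conditions that commonly precede defacement: PHP files carrying typical webshell constructs, leftover configuration backups or repository metadata under the document root, and world-writable paths. The gate rule, the file names and patterns, and the sample webroot the script builds are constructed for the demonstration; a real pre-migration check would add the vulnerability and exploitation scans the plan calls for.

```python
"""Pre-migration static audit of a CMS webroot.

Added example for this migration plan; the checks and the sample webroot are
constructed for illustration and are not an igovphil or ASTI tool.
"""
import re
import stat
import tempfile
from pathlib import Path

# Constructs that almost never appear in legitimate CMS code but are the
# backbone of common PHP webshells and defacement droppers.
SUSPICIOUS_PHP = [
    re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"\b(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b"),
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),  # /e evaluates the replacement as PHP
]

# Names that must never exist under the document root: editor/backup copies
# of CMS config files leak database credentials, and .git exposes source.
EXPOSED_NAMES = {
    ".git", ".env", ".htpasswd",
    "wp-config.php.bak", "wp-config.php~",            # WordPress
    "configuration.php.bak", "configuration.php~",    # Joomla
    "settings.php.old", "settings.php.bak",           # Drupal
}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def audit_webroot(root):
    """Walk a webroot and return a list of (finding_type, relative_path) tuples."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        mode = path.lstat().st_mode
        if path.name in EXPOSED_NAMES:
            findings.append(("exposed_file", rel))
        if mode & stat.S_IWOTH:
            findings.append(("world_writable", rel))
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            data = path.read_bytes()
            if any(p.search(data) for p in SUSPICIOUS_PHP):
                findings.append(("suspicious_php", rel))
    return findings


def passes_gate(findings):
    """Gate rule (assumed for this example): webshell indicators or exposed
    secrets block migration; world-writable paths are reported as warnings."""
    blocking = {"suspicious_php", "exposed_file"}
    return not any(kind in blocking for kind, _ in findings)


def build_sample_webroot():
    """Constructed sample: a WordPress-like tree with one clean file and
    three planted problems. Returns the path of the temporary webroot."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-config.php.bak").write_text("<?php define('DB_PASSWORD', 'hunter2');\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    uploads.chmod(0o777)  # the usual "fix" that makes the uploads dir writable by everyone
    (uploads / "cache.php").write_text("<?php eval(base64_decode($_POST['x']));\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    results = audit_webroot(sample)
    for kind, rel in results:
        print(f"{kind:15} {rel}")
    print("migration gate:", "PASS" if passes_gate(results) else "FAIL")
```

Run against a real site, point `audit_webroot` at a copy of the webroot taken after the content freeze, so the findings describe exactly what would be migrated; the gate decision is then recorded with the agency's survey scorecard.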
7. Regular Backups, Security and Performance Monitoring

Over the course of the maintenance and operation of the hosted websites, it is the MU's responsibility to run regular backups, security checks and performance monitoring of the web hosting service. Backups are needed to ensure that in cases of hard disk failure, website defacement, or plain human error, we will be able to restore the website to its original condition. Regular security checks are also needed because new exploits crop up from time to time, and it is important that these exploits are caught and addressed as they manifest themselves. Penetration testing will be implemented and run on a regular basis to address this. A log correlator or Security Information and Event Management (SIEM) system and an Intrusion Detection/Intrusion Prevention (IDS/IPS) system will also be implemented and jointly monitored with ICTO's Cybersecurity Group. Lastly, anti-DDoS systems will be implemented at strategic points of the network to absorb flooding and brute-force attacks on our systems and networks.

Finally, the resources consumed by websites tend to grow or wane over time. As they grow in popularity, their disk space, CPU usage and bandwidth requirements tend to grow as well. Hence, the resources initially allocated to the websites will have to be adjusted so that they do not slow down unnecessarily. On the other hand, there could be a case (although not very often) where a website is given more resources than it needs. Whether a website needs more or fewer resources, a performance monitoring system is needed to keep track of these resources so that we can make informed decisions on how to allocate them.

8. Implementation of a trouble-ticketing and feedback system

A critical system needed in the day-to-day operation of the web hosting service is the trouble-ticketing and feedback system. Normally, trouble-ticketing is separate from the feedback system. However, the software application we plan to deploy can do both trouble-ticketing and customer service. It can even be used for data center and network operations, wherein tickets are filed to keep track of internal issues. Tickets, as the name suggests, are assigned to persons to keep track of the task or issue at hand. For instance, when an agency's website is defaced, the agency's technical person can file a ticket on our website so that the tech support assigned on that shift can address the issue. If he is not able to address the issue within his shift, he may endorse it to the tech support coming in on the next shift. The agency's technical person can also use the ticket to follow up with the web hosting service's technical staff. Having a trouble-ticketing system makes for the effective resolution of problems in a timely, efficient and systematic manner.
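The log correlation that step 7 hands to the SIEM can be illustrated with a small detector. This is an added example written for this plan, not igovphil's monitoring code: it parses Apache/nginx combined-format access lines, counts POST requests to the login endpoints of the three recommended CMSs per source address inside a sliding time window, and raises one alert per address that crosses the threshold. The threshold, the window, the endpoint list and the sample log lines are constructed for the demonstration.

```python
"""Sliding-window detector for CMS login brute force in web access logs.

Added example for this migration plan, not igovphil's monitoring code.
Threshold, window and the sample log below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Login endpoints of the CMSs the plan recommends (WordPress, Joomla, Drupal).
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/user/login")


def parse_line(line):
    """Return ip, ts (timezone-aware datetime), method, path and status, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string before matching
        "status": int(m["status"]),
    }


def detect_login_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per source IP that POSTs to a CMS login endpoint at least
    `threshold` times within any `window_seconds` span.

    Successful logins are rare events, so a burst of POSTs to these paths is
    the signal regardless of status code (WordPress answers a failed login
    with 200, Joomla and Drupal with a redirect).
    """
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ev["path"].endswith(LOGIN_PATHS):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "path": ev["path"],
                "attempts": len(q),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


# Constructed sample: one address hammering wp-login.php, one legitimate editor
# logging in once, and unrelated traffic that must not count.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2013:08:15:01 +0800] "POST /wp-login.php HTTP/1.1" 200 3926 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2013:08:15:03 +0800] "POST /wp-login.php HTTP/1.1" 200 3926 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2013:08:15:10 +0800] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2013:08:15:11 +0800] "POST /wp-login.php HTTP/1.1" 200 3926 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2013:08:15:12 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2013:08:15:14 +0800] "POST /wp-login.php HTTP/1.1" 200 3926 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jan/2013:08:15:20 +0800] "GET /index.php?option=com_content HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2013:08:15:22 +0800] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3926 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2013:08:15:25 +0800] "POST /wp-login.php HTTP/1.1" 200 3926 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def run_sample():
    """Run the detector over the constructed log; the first alert fires on the 5th POST at 08:15:22."""
    return detect_login_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The same event stream feeds the IDS/IPS side: an alert here is the trigger for a temporary block of the source address at the firewall, and the ticket that step 8 opens for the agency's technical person.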
Computer Security Audit Checklist

This section discusses methods for performing a security audit on a computer system or network. It is by no means exhaustive, but in the absence of ICTO's compliance with ISO 27002:2005, this document should suffice to lessen the risk of security breaches in the igovphil Data Center. An in-depth checklist, one that deals with the technical aspects of computer security, is impossible to formulate at this point as there are different hardware and software in the data center. What this document aims to do is provide some general guidelines on how to secure the data center, without being too specific to any technology or vendor-specific product. The actual security implementation for each component in the data center will be left to the system administrators who maintain it. The complete document is shown below under Annex 2.

Government Website Template Guidelines

The Government Website Template is an initiative of the Office of the President - Presidential Communications Development and Strategic Planning Office (OP-PCDSPO) and the DOST-ASTI to institutionalize a corporate identity for all government websites through standard design, navigation and content. It aims to improve the delivery of timely and needed information and services to citizens. It also endeavors to make the bureaucracy more efficient, effective and transparent through the use of interactive, interconnected and inter-related government applications. The complete guidelines form part of Annex 1.

Cyber-Security and Protection

1. Coordination and Cooperation. Increase involvement in the cyber-security community.
o Creation of an Information and Communications Technology Office Computer Emergency Response Team (ICTO-CERT):
  - Service Hotline Center
  - 24/7 monitoring
  - Creation of an incident database
o Assignment of a contact person per agency who has the authority and operational control over the website or other web services being provided.
o Creation of a government agency contact person master list.
o Membership in local and international cyber-security organizations.

2. Assessment and Mitigation.
Pre-Attack
  - Agreement for the conduct of analysis
  - Conduct of physical security assessment
  - Conduct of vulnerability assessment
  - Recommend mitigation
Post-Attack
  - Agreement for the conduct of analysis
  - Conduct of initial server scanning
  - Conduct of log analysis
  - Source code review (if possible)
  - Recommend mitigation
  - Conduct of pre-attack activities
Suggested Activities/Resources
  - Basic Ethical Hacking Training
  - Licensed vulnerability assessment and penetration testing software tools
  - Additional technical staff to conduct scheduled and per-request vulnerability assessment tests
  - Conduct scheduled and per-request penetration tests
  - Conduct regular routine check-ups of server and network logs
  - Produce regular reports and updates on hacking activities

3. Activities aligned with the awareness campaign to promote cyber-security.
o Regular issuance of a Cyber-Security Bulletin
o Conduct of cyber-security seminars
o Issuance of General Guidelines on the Security of Government Web Servers
o Issuance of General Guidelines to secure government networks

IV. SUGGESTED STRATEGIES FOR IMPLEMENTATION AND OPERATIONS

The PREGINET Team of the DOST-ASTI has been providing professional web services to several national agencies for years. This, and the lessons learned and best practices attained in addressing various challenges, will be the foundation of a full-fledged web hosting facility that will serve all national government agencies. During the implementation phase, the igovphil Project team will do the following:

o Develop templates for NGAs, LGUs and SUCs using common CMSs like Joomla!, WordPress and Drupal, subject to vulnerability assessment before mass deployment.
o Develop guidelines for the use of the government website template in building websites, and other supporting documents, such as proper use of the Philippine flag, ensuring the corporate identity of sites, and highlights of this migration plan.
o Develop e-learning training materials.
o Conduct orientation and trainers' training on the use of the templates and the relevance of the supporting documents.
o Conduct accreditation assessment of potential trainers and developers who can provide expert service to government agencies.
For the operations phase, we propose that under the new ICTO rationalized structure, the SIMS-Applications and Data Management Services Division will:

o maintain a team of CMS-expert developers who will continue to develop and produce templates as needed, provide updates, check on potential plug-ins that agencies can adopt, and continuously upgrade toward a self-service facility in the future; and
o maintain a team of security experts who will proactively check all CMS templates and plug-ins for vulnerabilities, as well as ensure the security of all hosted applications.

As for the actual migration of agency websites, we propose that:

o ICTO come up with a list of accredited trainers and web developers who will be accessible to anybody who needs their assistance. We take responsibility for ensuring that every individual and company we accredit is competent; and
o ICTO come up with a price range for the consulting and technical services necessary in building a website.

As for the sustainability of the initiative, we propose the following:

o Conduct continuous capability building and knowledge exchange conferences for our security experts, accredited developers and trainers, and agency web developers.
o Involve the CMS community in the continuous development of templates and continuous evaluation of plug-ins, as well as to ensure a continuous supply of manpower for the pool.
o Create a team of network security experts from the private sector and the academe that will work collaboratively in case of an attack, and devise an incentive mechanism for this.

Funding Requirements

To enable web hosting services for all government instrumentalities, ICTO-SIMS will require an additional 29 million pesos to cover the cost of the professional services mentioned above, the cost of security tools and applications, the cost of additional servers and storage facilities, the cost of conducting the training and orientation, and other MOOE. Attached as Annex 3 is the projected monthly cash program.
Annexes

Annex 1: Government Website Template Guidelines

See attached document.

Annex 2: Computer Security Audit Checklist

This section discusses methods for performing a security audit on a computer system or network. It is by no means exhaustive, but in the absence of ICTO's compliance with
ISO 27002:2005, this document should suffice to lessen the risk of security breaches in the igovphil Data Center. An in-depth checklist, one that deals with the technical aspects of computer security, is impossible to formulate at this point as there are different hardware and software in the data center. What this document aims to do is provide some general guidelines on how to secure the data center, without being too specific to any technology or vendor-specific product. The actual security implementation for each component in the data center will be left to the system administrators who maintain it.

Physical Security

Computer system administrators often overlook the physical security aspect of the systems they maintain. They spend lots of time and money purchasing the latest firewall, anti-virus, and intrusion detection systems but neglect that their computer system is vulnerable to physical attacks, e.g. the system is not located in an isolated location where only a few have access to it. To this end, the questions below will guide system administrators on what to do to improve physical security.

o Is the system located on a stable, sturdy surface?
o Is the system safe from fire, sunlight, wind, dust, water, humidity, or extreme temperatures?
o Is the system located in a monitored, isolated area that sees little human traffic? Is it monitored 24/7?
o Is the room/building in which the system is located secured by a lock and alarm system to which only a few trusted personnel have access? Are these locks and alarms locked and armed during off-hours?
o Does the lock and alarm system have the capability to log personnel who have entered the data center's premises?
o Is the terminal of the system secured to prevent someone from casually walking up to the system and using it (even if just for a few seconds)? Are all users logged out from the terminal?
Are security controls in place that will prevent an ordinary user to restart or reboot the system and boot the system insecurely? Are the power and reset switches protected or disabled? Are any input devices to the system secured/turned off: are all removable disk drives locked/secured? Are the parallel/serial/infared/usb/scsi ports secured or removed? Are any attached hard drives physically locked down to the system? When disposing hard drives, are you reasonably secure that there are no confidential data in them?
Network Security

After securing the physical aspect of the computer system, the diligent system administrator must address network security next. Unlike physical security, which is fairly straightforward, network security is much more complex. It requires an overall understanding of how the data center is connected to the network, as well as of the interplay of the protocols and services running on the network.

Physical network

- Is the network connection a secure "pipe" with no danger of unauthorized rewiring?
- Do only authorized personnel have physical access to the physical network to which the system is attached?
- Do you know and trust all of the various points where your physical network connection is managed/administered by another person or entity?
- Are the other systems on the same network physically and electronically secure? If your system is reasonably secure but another system on the network is not, your system's vulnerability is increased greatly. In cases where some parts of the network are insecure, it is prudent to implement some kind of network segmentation through a firewall/router.

Approved Network Traffic

- Do you know the names, functionality, vendor, and nature of the software on your system that participates in any network activity?
- Have you checked all the vendors for security patches, and do you regularly receive security updates about patches/vulnerabilities in the software you use in a networked environment?
- Do you take inventory of all the active equipment that is running on the network? Is this inventory updated regularly?
- Have you thoroughly tested any and all services that interact with the network to ensure that they do not, by default, provide unauthorized users with useful security information that could be used to attack the system?
- Are firewalls implemented in strategic locations of the network?
- Do you effectively limit your users' ability to make sensitive information about the system available over the network?
- Do you only allow trusted users shell/command line access to your system?
- Are you aware of any security holes created by certain software packages interacting with each other?
- Do you keep sufficient logs of all approved network activity?
- Are you aware of all the software that should be interacting with the network, the port numbers they use, the size and location of their binaries, etc.?
- Do user accounts that are accessible over the network regularly have their passwords changed?
- Do you encrypt sensitive data that is transferred over the network?
Unapproved Network Traffic

- Do you regularly check for repeated unauthorized attempts to connect to your system over a network?
- Do you keep sufficient logs of all network activity related to your system? Are these logs filtered for priority and importance? Are they stored centrally, and can they be correlated with security incidents?
- Do you regularly check for unauthorized programs running on your system that could potentially allow a user to connect over the network?
- Do you monitor for excessive or unusual network activity directed at your system?

Protocols and Services

Once physical and network security are in place, the security of protocols and services should be tackled next. Protocols and services are generally standardized and are regulated by a group of professionals and experts forming an association or organization (e.g. IEEE). However, it is in the implementation of these protocols and services that we encounter security problems. This is probably because programmers have different levels of aptitude; hence the quality of code varies from one implementation to the next, which leads to some network programs being more or less secure than others. However, because of the sheer number of alternative software packages available on the Internet, it is always possible to find software appropriate to one's technical skills, budget, and choice of platform, as well as to the security risks attendant on the choice of application.

While it is generally safe to assume that software that comes pre-installed on a new system is reasonably secure, you should always check with software vendors for security patches, release notes, and other information relevant to your particular configuration. For any software that you install onto a new system, make sure you are fully aware of the credentials of the vendor and of any security patches, existing exploits, and release notes that exist.
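The Unapproved Network Traffic items above ask whether repeated unauthorized connection attempts are checked for and whether logs are filtered for importance. The following is an added example, not part of the plan or of ICTO's tooling: a small Python script that scans sshd-style authentication log lines (constructed below; the line format, the threshold and the window are assumptions) and reports each source that produced several failed logins inside a short span, which is the kind of finding worth forwarding to a central log store.

```python
# Added example (not from the igovphil plan): flag sources with repeated failed logins.
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH-style syslog line (assumed format); syslog omits the year.
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")

def parse(line):
    """Return {time, result, user, src} for an sshd auth line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
            "result": m.group(2), "user": m.group(3), "src": m.group(4)}

def repeated_failures(lines, threshold=5, window_s=600):
    """Map source -> total failures for sources with >= threshold failed
    logins inside any window_s-second span (non-matching lines are skipped)."""
    per_src = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "Failed":
            per_src[ev["src"]].append(ev["time"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mar 12 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 4411 ssh2
Mar 12 10:00:03 web01 sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Mar 12 10:00:04 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 4413 ssh2
Mar 12 10:00:06 web01 sshd[2204]: Failed password for invalid user test from 203.0.113.7 port 4414 ssh2
Mar 12 10:00:08 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 4415 ssh2
Mar 12 10:00:09 web01 sshd[2206]: Accepted publickey for deploy from 198.51.100.5 port 50001 ssh2
Mar 12 10:30:00 web01 sshd[2290]: Failed password for alice from 198.51.100.5 port 50002 ssh2
"""

if __name__ == "__main__":
    print(repeated_failures(SAMPLE_LOG.splitlines()))  # → {'203.0.113.7': 5}
```

A single failed login from a known host (the last sample line) stays below the threshold and is not reported, so the output lists only the source that needs attention.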
You should make it a habit to check in with vendors every month or so for new releases that may have security fixes. It's also a good idea to subscribe to mailing lists for your software, or to general security mailing lists, that announce security holes early.

Misconfiguration is probably the most common cause of someone exploiting a security hole. Most software is written to be reasonably secure, but even the most secure software can be used for unintended purposes if it is poorly configured. Always follow the vendor's instructions for installing software, and always take notes on any problems you encounter in the configuration process. If a piece of software requires special privileges to be installed or run (e.g. running setuid on a UNIX system), make sure you understand the full implications of having it do so, and any side effects created in the process. Test your configuration of the software thoroughly; try to break it, try to hack into it, and see if others can do the same.
If a program accesses sensitive data, make sure that it can only be executed by authorized users, and make sure that any logs or temporary information are stored in a safe place and promptly disposed of; people can do amazing things with the simple information found in a system log file.

If a piece of software runs as a daemon (i.e. it is constantly running and responds to requests from users locally or over the network), make sure it properly handles buffer overflows, denial of service attacks, and general heavy system load. It's generally a good idea to have as few services as possible running as daemons, as they allow continuous and typically unmonitored access to your system. Be aware of all the services that are supposed to be running on your system and the typical amount of resources (e.g. CPU time, memory, disk space) that they take up. Check for unidentifiable daemons or software, or programs that are unusual in their resource consumption. Remember that most security breaches occur using the existing configuration of a system rather than by installing a new one; unless you're careful, an intruder can manipulate the system to their liking and you won't notice anything out of the ordinary. Run process accounting to keep track of the typical software usage patterns of your users. By default, install a file integrity checker on all your systems to take snapshots of all important files.

Application Security

Application security is usually within the domain of the application programmer. However, there are tools available that can improve an application's security, falling into the following two (2) categories: Web Application Vulnerability Testing tools and Source Code Audit tools.

User Security

There are two broad types of users in a system. The first are the users that actually log in to the system and use it directly. The other kind are those that interact with a service installed on the system. Note that both types of users are usually present, and the ratio of one to the other may vary greatly. Each kind poses a different set of security risks. However, regardless of the type of user, if the user tries to circumvent the security controls in place or has poor security habits, then the system is in danger of being compromised.

- Develop a standard method for creating and maintaining user accounts.
- Develop clear and concise acceptable use policies, and publish them well to your users.
- Don't create user accounts for people or organizations with whom you have not previously interacted in some form, or who have been known to have security problems on other systems.
- Set limits on the amount of resources a user can consume, from number of logins to amount of disk space; make sure that the user cannot cause a security breach or take down the system out of pure stupidity (e.g. a recursive script that creates a 10 M file each time).
- In some cases, you may want to limit the manner in which a user can connect to the system; if you're providing a terminal login, make sure the terminal itself is secure and reasonably maintained. If you provide direct access via protocols such as telnet, consider running services such as tcp_wrappers or identd that verify the user is connecting from the system they claim to be connecting from.
- Keep accurate logs of user activity; specifically, connection time, connection duration, and the place where they logged in/connected from. In some cases you may want to log more detail with process accounting, user command history, and activity monitoring.
- Regularly check for irregular user activity; there are many programs available that constantly "patrol" for failed attempts on the part of users to gain administrator privileges, access files that they shouldn't, or perform other unauthorized tasks.

Data Storage Security

Data and file storage security is every bit as important as the previous sections. Everything on a computer system is considered data (e.g. logs, databases, files, binaries), and implementing the right set of security controls can be very difficult even for the seasoned system administrator.

- Know the file ownership scheme that your system implements: is it group based, user based, role based, or some combination of these?
- Know the different levels of protection you can apply to files and directories, and be aware of who has access to change these protections.
- Know the general structure of your filesystems, how much is stored where, and who typically accesses what parts of them. Keep logs of disk activity (e.g. significant changes in disk space used) and of any disk problems.
- Make sure that users are only able to access the parts of the system relevant to their use of it; your protection scheme should clearly and easily include a logical and conceptual separation of user and data files from system files.
- Make sure that the file ownership schemes are consistent across directories (i.e. that the owner of a directory owns all the files in that directory, etc.).
- Ensure that users cannot have access to more disk resources than you intend; often user disk quotas are the best solution to this.
- If your filesystems are available via any sort of network or sharing protocol, carefully examine the security of these protocols (see the Protocols and Services section above). Always check your configuration of these services to make sure that only authorized users and hosts are allowed to access shared data; many configurations allow unauthorized access by default.
- Always maintain secure backups of a system; the most conventional method is to back up files to tape and then to remove that tape from the site to guard against data loss from fire, flooding, etc. In the case of operating systems, it's a good idea to maintain a known-good copy of your operating system's configuration on read-only media such as a CD-ROM. Furthermore, these backups should be tested regularly to confirm that they can be restored to their original state. Lastly, if the backups are stored online, make sure that they are timestamped and hashed to prevent tampering with the backup.
- If you maintain any databases, make sure that the database is accessible only to authorized users, both on the client side (via a data querying tool such as SQLnet) and on the server side (i.e. the actual database files stored on the disk drive of your system). As with other services, make sure any networking and sharing of databases is done securely.

Passwords

Passwords are the central components in most security schemes; user accounts, sensitive websites, and system services are all protected by them. If you know the right passwords, you can gain administrative privileges on a system where you may not even be a user, or infiltrate an environment you've never even worked with before. They are conventionally accepted as a good way to implement security because they can be incorporated easily into most operating systems and sensitive software, and yet can be made complex enough to be difficult to "crack" while still being remembered by a user. Their downfall as a security scheme lies in their power: one password is all you need to have complete access to an entire system, and passwords CAN be cracked. The best you can do is try to make these two events very unlikely.

- Require unique, complex passwords for all user accounts on your system; it's not acceptable to have "guest" accounts or other accounts that don't require any sort of authentication. If an account is never used for connection (i.e. that account will never be accessed), remove its ability to log in altogether.
- Passwords should be LONG but EASY to remember. Please see for tips on how to generate passwords.
- Enforce password rotation and expiration; users should never be able to keep a password for more than a few months at a time, as someone could easily (but unnoticeably) brute force a password over a long period of time. You should also advise users against using the same password in other places.
- The password file or similar mechanism for storing passwords should be encrypted and should not be available to the average user if possible (e.g. via shadowing). If a user can obtain the password file, they can use another system to try to crack the passwords without you noticing.
- Never write passwords down or store them in anything but human memory.
- System passwords should be changed at least once a month, and should not be shared with more people than is necessary.
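Two items in the checklist above ask for the same mechanism: a file integrity checker that snapshots important files (Protocols and Services) and online backups that are timestamped and hashed (Data Storage Security). The following added example, not from the plan or from ICTO, implements a minimal keyed manifest in Python that serves both items; the directory layout, sample file contents and key are constructed assumptions, and the use of a keyed HMAC rather than a plain hash is this example's choice so that the manifest is tamper-evident even if the host holding it is compromised.

```python
# Added example (not from the igovphil plan): keyed file-integrity manifest.
import hashlib
import hmac
import os
import time

def file_digest(path, key):
    """HMAC-SHA256 over a file's contents. The key is assumed to be kept off
    the monitored host, so an intruder who alters a file cannot recompute a
    matching manifest entry the way they could with an unkeyed hash."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def snapshot(root, key):
    """Walk root and build a timestamped manifest {relative path: digest}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = file_digest(full, key)
    return {"taken_at": int(time.time()), "files": files}

def compare(baseline, current):
    """Report which files changed, appeared or vanished since the baseline."""
    old, new = baseline["files"], current["files"]
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

if __name__ == "__main__":
    import tempfile
    key = b"constructed-demo-key"  # production: load from media kept off the host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        conf = os.path.join(root, "etc", "hosts.allow")
        with open(conf, "w") as fh:
            fh.write("sshd: 192.0.2.0/24\n")  # constructed sample content
        baseline = snapshot(root, key)        # taken right after a known-good install
        with open(conf, "a") as fh:
            fh.write("sshd: ALL\n")           # constructed unauthorized edit
        print(compare(baseline, snapshot(root, key)))
        # → {'modified': ['etc/hosts.allow'], 'added': [], 'removed': []}
```

For the backup case, run snapshot() over the backup set when it is written, store the manifest (with its taken_at timestamp) away from the backup host, and run compare() before any restore.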