Security in Business and Applications
Madison Hajeb, Stefan Hurst, Benjamin Von Slade
Introduction
- Project concept: implement security in a small business setting
- Original plan: do some security audits for small companies
- Actual plan: one company needed a security review, and the other company needed help tracking which users have access to what
Two Different Projects
1. Krames Staywell Access Tracker
2. Wind River Security Review
Krames Staywell Access Tracker (KSAT)
Task
- Help them achieve HIPAA compliance by implementing a new application
Two Initial Projects
- Application 1: track the access employees have to applications that deal with electronic Protected Health Information (EPHI)
- Application 2: collect all the log files in a central location and create an application that can easily present those logs to an end user for later review. Dropped because they already have a Splunk server doing what they need.
Plan
- Initially wanted to implement this with Request Tracker, or RT for short. Even though we looked into it, it seemed like scope creep.
- Step back: what is the end goal of this application?
- RT is meant to do just that, organize requests. It is NOT for tracking access to applications.
- They could change some policies and use RT to make application requests, but in the end they still need to track who has access to what.
KSAT - Requirements Gathering
- CRUD application
- Store all pertinent employee information
- No application specifics, just free-form application names
- Ability to edit all information
- Search fields
- RT integration?
- Log usernames, what they did, and timestamps
- Finish by interviewing all employees
Action
- Setting up a testing environment
- Windows Server 2008 Standard VM
- XAMPP server (Apache, PHP, and MySQL)
- Cisco VPN from home; if we are on the school's network, VPN is not required
- Special thanks to Jon Soldan and Dr. Randy Boyle for helping to get a testing environment up and running
Sitemap
ERD
Process
- Agile process
Settings File
- We created a central location for our specific URL, database, and user settings. This made the transition from our testing environment to their production environment much easier.
Login Page
- Connects to a Microsoft Active Directory
- Allows for a normal user group and an administrator group
- We only utilized one group, so both settings point to the same group
- Allows them to add more control later if needed
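The login rule this slide describes, written out as an added example; it is not KSAT's own code (which was PHP on XAMPP). The directory bind is injected as a function so the example runs offline; against a real domain controller the bind would be an LDAP simple bind with the user's own credentials (for instance ldap3's `Connection(Server(host), user=upn, password=pw, authentication=SIMPLE).bind()`). The domain, group DNs, setting names and the sample directory entries are assumptions. The one check worth carrying into any such login page is the empty-password rejection: an LDAP simple bind with a name and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many servers report as success.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed settings (the kind of values KSAT kept in its central settings file; DNs are made up).
SETTINGS = {
    "ldap_domain": "example.local",
    "user_group": "CN=KSAT Users,OU=Groups,DC=example,DC=local",
    # The slide says both settings point at the same group, so every member gets the admin role;
    # set a different DN here to split the roles later.
    "admin_group": "CN=KSAT Users,OU=Groups,DC=example,DC=local",
}

# A bind function takes (userPrincipalName, password) and returns the user's memberOf group DNs
# on success or None on a failed bind. Injected so the example runs without a domain controller.
BindFn = Callable[[str, str], Optional[list]]


@dataclass
class LoginResult:
    ok: bool
    role: Optional[str] = None
    reason: str = ""


def login(username: str, password: str, bind: BindFn, settings=SETTINGS) -> LoginResult:
    # Reject an empty password before it reaches the directory: an LDAP simple bind with a name
    # and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many
    # servers report as success, so a bare "did the bind succeed" check would log in anyone.
    if not username or not password:
        return LoginResult(False, reason="empty username or password")
    groups = bind(f"{username}@{settings['ldap_domain']}", password)
    if groups is None:
        return LoginResult(False, reason="bad credentials")
    member_of = {g.lower() for g in groups}  # AD DN comparison is case-insensitive
    if settings["admin_group"].lower() in member_of:
        return LoginResult(True, role="admin")
    if settings["user_group"].lower() in member_of:
        return LoginResult(True, role="user")
    # Valid domain credentials are not enough: the account must be in an application group.
    return LoginResult(False, reason="not a member of an allowed group")


# Constructed stand-in for the directory: UPN -> (password, memberOf). Not real accounts.
FAKE_DIRECTORY = {
    "jdoe@example.local": ("correct horse battery", ["CN=KSAT Users,OU=Groups,DC=example,DC=local"]),
    "guest@example.local": ("guest", ["CN=Domain Users,CN=Users,DC=example,DC=local"]),
}


def fake_bind(upn: str, password: str) -> Optional[list]:
    """Stand-in for the LDAP bind: returns group DNs on a good password, None otherwise."""
    entry = FAKE_DIRECTORY.get(upn)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


if __name__ == "__main__":
    for user, pw in [("jdoe", "correct horse battery"), ("jdoe", ""), ("guest", "guest")]:
        print(user, login(user, pw, fake_bind))
```

Because the bind uses the user's own credentials, the application never holds a service password that could be read out of the settings file; the group check on top of the bind is what keeps ordinary domain accounts (the `guest` entry above) out of the tracker.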
Successful Login Landing Page
- After a successful login, the user is taken to the employee page
KSAT Demo
Interviews
- After application completion
- Given company laptops
- Each individual employee
- Query employees about all access they may have to applications dealing with EPHI
KSAT - Complications
- Unforeseen application errors
- Slight miscommunication on how the application functions
- After KSAT was developed we found out that many of the applications go through Development, Staging, and Production environments. It would have helped to have an extra table in the DB where we could define "environments".
- Interview communication: each employee has their own naming conventions for applications, making populating KSAT difficult
- INTERNET EXPLORER! CSS always looked slightly different in IE
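An added example of the data model the requirements slide asks for (employees, free-form applications, who has access to what, and an audit log of username, action and timestamp), extended with the "environments" table the complications slide says was missing and a normalised application name to blunt the naming-convention problem from the interviews. This is not KSAT's schema or code (KSAT used PHP and MySQL); it uses an in-memory SQLite database so it runs stand-alone, and the table and column names, the sample employee and the application names are assumptions. Every query is parameterised, which is the habit a PHP/MySQL CRUD app needs most.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema. The environment table is the addition the complications slide wished for.
SCHEMA = """
CREATE TABLE employee    (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                          username TEXT NOT NULL UNIQUE, department TEXT);
CREATE TABLE application (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE environment (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE access (
    employee_id    INTEGER NOT NULL REFERENCES employee(id),
    application_id INTEGER NOT NULL REFERENCES application(id),
    environment_id INTEGER NOT NULL REFERENCES environment(id),
    granted_at     TEXT NOT NULL,
    PRIMARY KEY (employee_id, application_id, environment_id)
);
-- The HIPAA log sheet: who did what, to what, and when.
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, ts TEXT NOT NULL, username TEXT NOT NULL,
                        action TEXT NOT NULL, detail TEXT NOT NULL);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO environment(name) VALUES (?)",
                     [("development",), ("staging",), ("production",)])
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _log(conn, actor, action, detail):
    conn.execute("INSERT INTO audit_log(ts, username, action, detail) VALUES (?, ?, ?, ?)",
                 (_now(), actor, action, detail))


def _canonical(name):
    """Collapse case and whitespace so 'Patient  Portal' and 'patient portal' are one application."""
    return " ".join(name.split()).lower()


def add_employee(conn, actor, name, username, department=None):
    cur = conn.execute("INSERT INTO employee(name, username, department) VALUES (?, ?, ?)",
                       (name, username, department))
    _log(conn, actor, "add_employee", username)
    return cur.lastrowid


def _app_id(conn, name):
    canon = _canonical(name)
    row = conn.execute("SELECT id FROM application WHERE name = ?", (canon,)).fetchone()
    if row:
        return row[0]
    return conn.execute("INSERT INTO application(name) VALUES (?)", (canon,)).lastrowid


def grant_access(conn, actor, username, app_name, environment="production"):
    emp = conn.execute("SELECT id FROM employee WHERE username = ?", (username,)).fetchone()
    env = conn.execute("SELECT id FROM environment WHERE name = ?", (environment,)).fetchone()
    if emp is None or env is None:
        raise ValueError("unknown employee or environment")
    conn.execute("INSERT OR IGNORE INTO access VALUES (?, ?, ?, ?)",
                 (emp[0], _app_id(conn, app_name), env[0], _now()))
    _log(conn, actor, "grant_access", f"{username} -> {_canonical(app_name)} [{environment}]")


def revoke_access(conn, actor, username, app_name, environment="production"):
    cur = conn.execute(
        """DELETE FROM access
           WHERE employee_id    = (SELECT id FROM employee    WHERE username = ?)
             AND application_id = (SELECT id FROM application WHERE name = ?)
             AND environment_id = (SELECT id FROM environment WHERE name = ?)""",
        (username, _canonical(app_name), environment))
    _log(conn, actor, "revoke_access", f"{username} -> {_canonical(app_name)} [{environment}]")
    return cur.rowcount


def access_report(conn, username):
    """Per-employee list of (application, environment), the view an auditor asks for."""
    rows = conn.execute(
        """SELECT a.name, env.name FROM access x
           JOIN employee e      ON e.id   = x.employee_id
           JOIN application a   ON a.id   = x.application_id
           JOIN environment env ON env.id = x.environment_id
           WHERE e.username = ? ORDER BY a.name, env.name""", (username,)).fetchall()
    return [(app, env) for app, env in rows]


def audit_trail(conn):
    return [tuple(r) for r in conn.execute(
        "SELECT username, action, detail FROM audit_log ORDER BY id")]


if __name__ == "__main__":  # constructed sample data, not real employees
    db = open_db()
    add_employee(db, "admin", "Jane Doe", "jdoe", "Clinical")
    grant_access(db, "admin", "jdoe", "Patient  Portal", "production")
    grant_access(db, "admin", "jdoe", "patient portal", "staging")
    print(access_report(db, "jdoe"))
    print(audit_trail(db))
```

Note that the audit log records the KSAT user who made the change (the `actor`), not the employee whose access changed; that distinction is what lets the log sheet answer "who granted this and when" at the next audit.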
KSAT - Lessons Learned
- Planning, planning, planning...
- Understand the business process to the fullest: it helps the application building process and the interview process used to fill the database
- Constantly make sure you are on the same page as the company
- Some people are going to be difficult to work with
Wind River Security Review
- Excavation company located in Salt Lake City with job sites throughout Utah
- Has done many jobs here at the University of Utah, including work on the new business buildings
Task
- Security review of the technology and physical space of the office
- Followed a security checklist for small businesses
- Provide recommendations about security and system upgrades
- Provide recommendations for security policies in the office
Requirements Gathering
- Access files from home
- Monitor employee activity
- Feel confident in computer security
- Change as few habits as possible
Initial Review
- Logged all hardware on the network
- Renamed computers numerically
- Physical security interview
Action
- Set up SSL on email
- VPN
- Nessus scan for vulnerabilities; fixed all critical and important findings
- User accounts and folder access on the server
- Active Directory workaround
- Trained employees: keyloggers, browser security
- Monitoring systems
- Backup
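The "fixed all critical and important" step above needs the scan output reduced to a fix-first list, and an added example of that triage follows. It is not from the project; it parses the `.nessus` (v2) XML export that Nessus produces, keeps findings at severity 3 (High, what the slide calls "important") and 4 (Critical), and orders them for remediation. The sample report is constructed for this page: the hosts, plugin IDs and findings are made up.

```python
import xml.etree.ElementTree as ET

# Nessus severity attribute: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 layout. Hosts, plugin IDs and findings are made up.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="office-scan">
  <ReportHost name="192.0.2.10">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001"
               pluginName="SMB server missing critical patch" pluginFamily="Windows">
    <risk_factor>Critical</risk_factor><solution>Apply the vendor patch.</solution>
   </ReportItem>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2" pluginID="900002"
               pluginName="RDP weak encryption" pluginFamily="Windows">
    <risk_factor>Medium</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.20">
   <ReportItem port="25" svc_name="smtp" protocol="tcp" severity="3" pluginID="900003"
               pluginName="SMTP cleartext authentication" pluginFamily="Misc.">
    <risk_factor>High</risk_factor><solution>Require TLS for authentication.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900004"
               pluginName="OS identification" pluginFamily="General">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml):
    """Flatten every ReportItem of every ReportHost into a dict per finding."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": sev,
                "risk": SEVERITY.get(sev, "Unknown"),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def fix_first(findings, min_severity=3):
    """Critical and High only (by default), worst first, then grouped by host and port."""
    keep = [f for f in findings if f["severity"] >= min_severity]
    return sorted(keep, key=lambda f: (-f["severity"], f["host"], f["port"]))


def format_report(findings):
    """One line per finding, suitable for handing to whoever applies the fixes."""
    return [f'{f["risk"]:8} {f["host"]:15} {f["port"]:10} {f["plugin_id"]} {f["name"]}'
            for f in findings]


if __name__ == "__main__":
    for line in format_report(fix_first(parse_findings(SAMPLE_NESSUS))):
        print(line)
```

Lowering `min_severity` to 2 brings the Medium findings into the same list for a second pass once the Critical and High items are closed; re-running the parser on a fresh export is the check that the fixes actually took.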
Key Learning Points
- Small companies are less receptive to monetary solutions
- Money was a large stalling point
- Security policies are difficult to enforce in a small, casual office (without AD)
- People are resistant to change and new habits/software/policies
Comparison
Wind River
- Concern: general security
- Medium risk: they are not dealing with health information, but they are dealing with many clients and financial bids
- Legally bound to protect client financial data housed on the server
Krames Staywell
- Concern: HIPAA compliance
- Higher risk: dealing with patient information and employee login information
- Legally required to provide a log sheet of employee access according to HIPAA, so pressed for time before the next audit
Conclusion
- Security practices can be applied in many different business applications and scenarios
- Two completely different businesses need security, but they need very different things
- The umbrella of "security" is large and at times disparate
Questins?