DETAILED RISK ASSESSMENT REPORT

Similar documents
Basics of Internet Security

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

NIST National Institute of Standards and Technology

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Attack and Penetration Testing 101

Criteria for web application security check. Version

The Top Web Application Attacks: Are you vulnerable?

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Best Practices For Department Server and Enterprise System Checklist

Where every interaction matters.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Performing Effective Risk Assessments Dos and Don ts

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Automated Risk Management Using NIST Standards

Payment Card Industry Self-Assessment Questionnaire

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Privacy + Security + Integrity

Security Policy JUNE 1, SalesNOW. Security Policy v v

March

What is Web Security? Motivation

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

Information Security Office

Web App Security Audit Services

RISK ASSESSMENT GUIDELINES

Risk Assessment Guide

05.0 Application Development

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Web Engineering Web Application Security Issues

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

IT Security Standard: Network Device Configuration and Management

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Information Security Program Management Standard

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

External Penetration Assessment and Database Access Review

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Passing PCI Compliance How to Address the Application Security Mandates

Information Security for Modern Enterprises

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Managing internet security

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK

Web Application Report

Rational AppScan & Ounce Products

NSSA Faculty Involvement in IT Security Auditing at RIT

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

5 Simple Steps to Secure Database Development

Sitefinity Security and Best Practices

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs

Web Application Security

Security Policy for External Customers

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Stable and Secure Network Infrastructure Benchmarks

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION

How to complete the Secure Internet Site Declaration (SISD) form

Internet Security Seminar

Web Security School Final Exam

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

ELECTRONIC INFORMATION SECURITY A.R.

Web Application Security Considerations

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

SNAP WEBHOST SECURITY POLICY

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

ACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire

Check list for web developers

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

COMPREHENSIVE SECURITY AUDIT COMMERCIAL TAXES DEPARTMENT, KARNATAKA. Ashish Kirtikar

Introduction to Cyber Security / Information Security

FISMA / NIST REVISION 3 COMPLIANCE

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

How To Manage Web Content Management System (Wcm)

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE

SERENA SOFTWARE Serena Service Manager Security

Transcription:

DETAILED RISK ASSESSMENT REPORT Executive Summary During the period June 1, 2004 to June 16, 2004 a detailed information security risk assessment was performed on the Department of Motor Vehicle s Motor Vehicle Registration Online System ( MVROS ). The MVROS provides the ability for State vehicle owners to renew motor vehicle registrations, pay renewal fees, and enter change of address information. The assessment identified several medium risk items that should be addressed by management. Page 1

1. Introduction DETAILED ASSESSMENT 1.1 Purpose The purpose of the risk assessment was to identify threats and vulnerabilities related to the Department of Motor Vehicles Motor Vehicle Registration Online System ( MVROS ). The risk assessment will be utilized to identify risk mitigation plans related to MVROS. The MVROS was identified as a potential high-risk system in the Department s annual enterprise risk assessment. 1.2. Scope of this risk assessment The MVROS system comprises several components. The external (customer) interface is a series of web pages that allow the user to input data and receive information from the application. The online application is a web-based application developed and maintained by the DMV. The application is built using Microsoft s Internet Information Server and uses Active Server Pages. The application has an interface with the motor vehicle registration database and with Paylink an e-commerce payment engine provided by a third party vendor. DMV IT department hosts the application. The application components are physically housed in the DMV s data center in Anytown. The scope of this assessment includes all the components described above except for Paylink. The Paylink interface the component managed by DMV IT is in scope. Also in scope are the supporting systems, which include: DMZ network segment and DMZ firewalls. The web application, DMV database and operating systems supporting these components are all in scope. Page 2

2. Risk Assessment Approach 2.1 Participants Role System Owner System Custodian Security Administrator Database Administrator Network Manager Risk Assessment Team Participant John Smith Mary Blue Tom Sample Elaine Ronnie David Slim Eric Johns, Susan Evans, Terry Wu 2.2 Techniques Used Technique Risk assessment questionnaire Assessment Tools Vulnerability sources The assessment team used a customized version of the self-assessment questionnaire in NIST SP-26 Security Self-Assessment Guide for Information Technology Systems. This questionnaire assisted the team in identifying risks. The assessment team used several security testing tools to review system configurations and identify vulnerabilities in the application. The tools included nmap, nessus, AppScan The team accessed several vulnerability sources to help identify potential vulnerabilities. The sources consulted included: SANS Top 20 (www.sans.org/top20/) OWASP Top 10 (www.owasp.org/documentation/topte n.html) NIST I-CAT vulnerability database (icat.nist.gov) Microsoft Security Advisories (www.microsoft.com/security) CA Alert service (www3.ca.com/securityadvisor) Page 3

Technique Transaction walkthrough Review of documentation Interviews Site visit The assessment team selected at least one transaction (use case) of each type and walked each transaction through the application process to gain an understanding of the data flow and control points. The assessment team reviewed DMV security policies, system documentation, network diagrams and operational manuals related the MVROS. Interviews were conducted to validate information. The team conducted a site visit at the Data Center and reviewed physical access and environmental controls 2.3 Risk Model In determining risks associated with the MVROS, we utilized the following model for classifying risk: Risk = Threat Likelihood x Magnitude of Impact And the following definitions: Threat Likelihood Likelihood (Weight Factor) High (1.0) Medium (0.5) Low (0.1) Definition The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. Page 4

Magnitude of Impact Impact (Score) High (100) Definition The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Examples: A severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions Major damage to organizational assets Major financial loss Severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries. Medium (50) Low (10) The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced Significant damage to organizational assets Significant financial loss Significant harm to individuals that does not involve loss of life or serious life threatening injuries. The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Examples: Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced Minor damage to organizational assets Minor financial loss Minor harm to individuals. Page 5

Risk was calculated as follows: Impact Threat Likelihood Low (10) Medium (50) High (1.0) Low Risk Medium Risk (10 x 1.0 = 10) (50 x 1.0 = 50) Medium (0.5) Low Risk Medium Risk (10 x 0.5 = 5) (50 x 0.5 = 25) Low (0.1) Low Risk Low Risk (10 x 0.1 = 1) (50 x 0.1 = 5) Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10) High (100) High Risk (100 x 1.0 = 100) Medium Risk (100 x 0.5 = 50) Low Risk (100 x 0.1 = 10) 3. System Characterization 3.1 Technology components Component Applications In-house developed uses Microsoft Active Server Pages running under Microsoft Internet Information Server 4.0 Databases Microsoft SQL Server 2000 Operating Systems Microsoft Windows NT version 4.0 SP 2 Networks Checkpoint Firewall Cisco Routers Interconnections Protocols Interface to PayLink SSL used for transmission between client web browser and web server 3.2 Physical Location(s) Location Data Center Help Desk NOC 260 Somewhere Street, Anytown 5500 Senate Road, Anytown 1600 Richmond Avenue, Anytown Page 6

3.3 Data Used By System Data Personally identifiable information Includes: Name Address (current and previous) Phone Number SSN # DOB Vehicle information Includes Vehicle identification number Tag # Date of last emissions test Financial information Tax Credit card # Verification code Expiry date Card type Authorization reference Transaction reference Registration fee 3.4 Users Users State Vehicle Owners DMV IT Personnel DMV Operations DMV Offices Access the system via a web browser. Can renew vehicle registration provided they have a valid credit card. Can also enter change of address information. Manage the MVROS system including firewalls and networks. Maintain security configuration of system. Utilize information contained in the MVR database for management reporting. Generate reports and database queries. Utilize the MVR application for in-person renewals. Page 7

3.5 Flow Diagram The following diagram shows the in-scope technology components reviewed as part of the MVROS. Interface to PayLink Internet Border Router Internet Firewall MVR Website Internal Firewall MVR Application Server MVR Database 4. Vulnerability Statement The following potential vulnerabilities were identified: Vulnerability Cross-site scripting The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user s session token, attack the local machine, or spoof content to fool the user. SQL injection Password strength Unnecessary services Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application. Passwords used by the web application are inappropriately formulated. Attackers could guess the password of a user to gain access to the system. The web server and application server have unnecessary services running such as telnet, snmp and anonymous ftp Page 8

Vulnerability Disaster recovery Lack of documentation Integrity checks There are no procedures to ensure the ongoing operation of the system in event of a significant business interruption or disaster System specifications, design and operating processes are not documented. The system does not perform sufficient integrity checks on data input into the system. 5. Threat Statement The team identified the following potential threat-sources and associated threat actions applicable to the MVROS: Threat-Source Threat Actions Web defacement Social engineering Hacker System intrusion, break-ins Unauthorized system access Identity theft Computer criminal Spoofing System intrusion Browsing of personally identifiable Insiders (poorly trained, information disgruntled, malicious, Malicious code (e.g., virus) negligent, dishonest, or terminated employees) System bugs Unauthorized system access Environment Natural disaster Page 9

5. Risk Assessment Results {Note: Only partial list included in this example} Item Observation Number 1 User system passwords can be guessed or cracked Threat-Source/ Vulnerability Hackers/ Password effectiveness 2 Cross site scripting Hackers/ Cross-site scripting 3 Data could be inappropriately extracted/modified from DMV database by entering SQL commands into input fields 4 Web server and application server running unnecessary services Hackers + Criminals / SQL Injection All / Unnecessary Services Existing controls Likelihood Impact Risk Rating Recommended controls Passwords Medium Medium Medium Require use of special must be characters alphanumeric and at least 5 characters None Medium Medium Medium Validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed Limited validation checks on inputs High Medium Medium Ensure that all parameters are validated before they are used. A centralized component or library is likely to be the most effective, as the code performing the checking should all be in one place. Each parameter should be checked against a strict format that specifies exactly what input will be allowed. None Medium Medium Medium Reconfigure systems to remove unnecessary services Page 10

Item Observation Number 5 Disaster recovery plan has not been established Threat-Source/ Vulnerability Environment / Disaster Recovery Existing controls Weekly backup only Likelihood Impact Risk Rating Recommended controls Medium High Medium Develop and test a disaster recovery plan Page 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information