Defence Signals Directorate Reveal their secrets....Protect our own

Internet Systems - Security and Authentication Issues

Version 1.0

January 2001

Objective

This guide provides Commonwealth Government Program Managers with concise, useful information regarding Internet security issues. It is intended to support the Internet Security information published on the AGIMO (formerly NOIE) Web site.

The guide exposes Program Managers to some of the new or distinctive security issues that are likely to confront them in online service delivery projects. These may differ from some of the traditional security issues they may be more familiar with from experience with previous IT or physical service delivery projects.

Introduction

A majority of Government agencies are using the Internet to deliver services to their clients and to their internal workforce. The imperative to use the Internet is accompanied by an obligation to consider and manage the potential threats to Government data and systems. The installation of web server technology creates a 'window' into an Agency's network that can potentially be misused by attackers. A poorly configured or poorly maintained web server is likely to introduce problems that allow unauthorised attackers to perform actions outside the scope of legitimate activity, impacting on confidentiality, integrity or availability. Examples of such actions are:

  • Examining files on a web server that would not normally be released via the web;
  • Retrieval of private information that had not been adequately protected;
  • Retrieval of certain technical or identifying information about the server computer (for example the type of web server or operating system version being used) which may allow a potential attacker to target and attack the computer more effectively;
  • Execution of commands remotely on a server computer, for example by exploiting a vulnerability in a database linked to a web page on the site, which may allow the attacker to change the system or its web pages in some way;
  • Using data entry fields or the URL field to enter commands or unusual character strings in an attempt to elicit an unusual response or action;
  • Using leftover default configuration files and sample content to bypass established security controls. In their default configuration many web servers include settings and sample scripts that give legitimate web site developers many options in the way they build a site, but which if left in place on a live web site could be used by an attacker to compromise the system.

Internet system security, and indeed, IT security in general, usually aims to meet the following objectives:

  • To protect the confidentiality of identified information by restricting access on a need-to-know basis;
  • To protect the integrity of information submitted to, contained within or retrieved from the web site;
  • To protect the availability of the system.

Internet security mechanisms will necessarily vary from Agency to Agency, depending upon the nature of the system and the data requiring protection, and depending upon the level of residual risk that the Agency is prepared to accept. A Threat and Risk Assessment should be performed by the Agency, focusing on the Internet service assets. Appropriate security mechanisms can then be identified to reduce the unacceptable risks, and then implemented in accordance with an established Security Plan. A Cost Benefit analysis is a component of this overall process.

Building security into a system that has already been designed, or worse, completed, can be very difficult and expensive. It is important that security be considered as early as possible during the development of an Internet based service delivery system.

Security Management

An Agency CEO is responsible for the effectiveness of all computer security measures implemented within an Agency. Senior staff are normally assigned to assist the CEO in this task. The following outcomes are important to the viability of security management -

  • The creation of both operational security and security management positions – for example - Agency Security Advisor, IT Security Manager, Firewall administrator, etc, each with clearly defined responsibilities;
  • The conduct of a regular security Threat and Risk review;
  • The creation of a viable Agency Security Plan that describes the necessary security mechanisms and security procedures;
  • A regular review of the Security Plan, and the introduction of security mechanisms and features as required;
  • The introduction of a computer system Auditing and Review capability that informs operational staff and is useful to Agency senior management.

Effective IT security plans usually rely on several layers of protection and apply equally to internal arrangements and external service providers. There are specific security requirements described in the Protective Security Manual for each level of Government classified data.

It is important to note that even if information on a web site or Internet system is regarded as "Unclassified" there will be security requirements relating to the protection of private and sensitive information. There will also be security requirements relating to the ongoing integrity and availability of the information and the computer system.

Every Internet system will always carry some residual security risk. Effective security management includes the reduction of identified risk to an acceptable level, and explicit, documented acceptance of the residual risk. It is normal to consider and document the treatment options that would be used if the threats associated with the residual risk actually materialise.

Protecting Sensitive Information

A range of firewall products, gateways, authentication mechanisms, access control mechanisms and encryption facilities can be used to protect sensitive, unclassified information at the Internet boundary. The marketplace offers much choice and complexity, at a wide range of cost.

Standard "out-of-the-box" systems usually have inadequate default security settings. Good configuration practice and good security management are usually required to gain full benefit from standard commercially available security products. For example, it is not sufficient to state, "We will use SSL to protect our data transfers", when SSL can be configured in a number of ways, ranging from potentially vulnerable to relatively secure: which protocol versions and cipher suites are permitted, and whether the peer's certificate is actually verified, all have to be decided, configured and documented.
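The difference between "SSL turned on" and "SSL configured" can be made concrete. The following is an added example, not code from this guide or from DSD, and it uses today's protocol and cipher names rather than those current in 2001. It builds two client-side TLS contexts with Python's standard ssl module, one as a careless deployment often leaves it and one hardened, and audits each; the cipher string, the TLS 1.2 floor and the optional cafile argument are this example's assumptions, not agency settings.

```python
"""TLS configuration: a weak and a hardened client context, plus an audit.

Added example, not code from the guide.  The cipher string, the TLS 1.2 floor
and the optional 'cafile' argument are this example's assumptions.
"""
import ssl

# Substrings that mark obsolete or unauthenticated cipher suites.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES-", "MD5", "ADH", "AECDH")


def weak_client_context():
    """What 'just turn SSL on' often produces: encryption without identity.

    The channel is encrypted, but whoever answers the connection is accepted
    as the server, so an interposed attacker reads everything.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # any certificate for any name is fine
    ctx.verify_mode = ssl.CERT_NONE   # self-signed or forged certificates accepted
    if ssl.HAS_TLSv1:                 # re-enable obsolete protocol versions if built in
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_client_context(cafile=""):
    """Verify the server, pin the trust anchor, allow only modern suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Forward-secret AEAD suites only; TLS 1.3 suites are chosen separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    if cafile:
        ctx.load_verify_locations(cafile)   # trust only the agency's own CA (assumed path)
    else:
        ctx.load_default_certs()            # otherwise the platform's public CA bundle
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the settings pass this audit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: anyone can impersonate the server")
    if not ctx.check_hostname:
        findings.append("certificate name not checked against the host being contacted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is %s; TLS 1.2 or later is required"
                        % ctx.minimum_version.name)
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher["strength_bits"] < 128 or any(m in name for m in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite offered: " + name)
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit_tls_context(ctx) or ["no findings"])
```

The audit function is the part worth keeping: a security plan that says "SSL" can instead say "verify_mode CERT_REQUIRED, hostname checking on, floor TLS 1.2, forward-secret suites only", and the acceptance test can assert exactly that.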

It is essential that reasonable, practical security objectives to protect sensitive information be established for every Internet system. The security objectives will drive the design, selection and creation of the security mechanisms in a system. The objectives can be regarded as a subset of the more obvious functional objectives associated with an Internet system – and the overall testing and acceptance regime should cover the entire set.

It can be difficult to demonstrate that security objectives have been adequately addressed in a completed system. One way of approaching the issue is to allow trustworthy people who were not involved in the design and development to assist with testing the security mechanisms. The aim is to try to think as an attacker would. An attacker has no respect for system design, and they will try many weird and unexpected methods to breach security.

Protecting Government Classified Information

Many Commercial grade products do not provide sufficient security features to adequately protect Government Classified information on the Internet. In the case of Non-National Security information, Agencies should either use Defence Signals Directorate (DSD) approved security products that have been evaluated under the Australasian Information Security Evaluation Program (AISEP), or Agencies should consult DSD for further advice.

DSD should definitely be consulted regarding any requirement to protect National Security information that is being transmitted over a lower classification network - Government Furnished Equipment is required in this case.

Guidelines and Grades for Web Server and Client Security

ACSI-33 contains guidelines for Web Server systems. It can be used to assist Agencies to determine the type of security mechanisms and procedures that may be required.

The DSD Gateway Certification Guide can also be used to assist Agencies to comply with the requirements of the Protective Security Manual.

Annex A to this Chapter contains a link to a checklist designed to immediately assess the ‘health’ of an Agency’s current IT security measures.

Use of a Public Key Infrastructure for Authentication and Confidentiality

Public Key Infrastructure (PKI) and the use of digital signatures provides a firm foundation for the conduct of electronic commerce and other business transactions over the Internet.

Transactions via the Internet are conducted in a manner that allows information to pass through several network "hops" or computer systems. It is likely that a large proportion of transactions via the Internet and other open systems that relate to Government business are at the 'In Confidence' level, or are in other ways sensitive. Depending on the application, under these circumstances it may be important for agencies to ensure that, for example, a transmission received or sent by an agency, is from who it says it is from (authentication), and/or that it has not been read or changed in transit (integrity and confidentiality), and it may also be important that neither party can deny that it was sent or received (non-repudiation). PKI and the use of digital signatures can provide all of these services to agencies that have applications that require them.

In the general sense authentication is the process used to establish a person’s identity (Evidence of Identity (EOI)). In the electronic environment there may have been no prior relationship between the parties to a transaction or communication. In these circumstances authentication is useful for establishing with a high degree of trust the source of the message and also perhaps ensuring that the message was not modified or replaced in transit.
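The three services named above (authentication, integrity and non-repudiation) and the role of a Certification Authority can be walked through mechanically. The following is an added illustration, not code from this guide, from Gatekeeper or from any accredited CA; it uses a deliberately toy 512-bit RSA with an unpadded SHA-256 signature, which is not acceptable for real traffic, and the subject names and messages are constructed.

```python
"""Digital signatures and certificates, walked through with toy RSA.

Added illustration, not DSD, Gatekeeper or any CA's code.  The modulus is a
deliberately small 512 bits and the signature has no padding, so this is
unusable for real traffic; it exists to show mechanically what
'authentication', 'integrity' and 'non-repudiation' mean.
"""
import hashlib
import json
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public, private) RSA keys; 'bits' is the modulus size (toy default)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def _digest(message):
    """SHA-256 of the message as an integer; 256 bits, so always below a 512-bit n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message):
    return pow(_digest(message), private["d"], private["n"])


def verify(public, message, signature):
    return pow(signature, public["e"], public["n"]) == _digest(message)


def _cert_body(subject, public):
    return json.dumps({"subject": subject, "n": public["n"], "e": public["e"]},
                      sort_keys=True).encode()


def issue_certificate(ca_private, subject, public):
    """A CA vouches for an identity by signing (subject, public key) with its own key."""
    return {"subject": subject, "public": public,
            "ca_sig": sign(ca_private, _cert_body(subject, public))}


def verify_signed_message(ca_public, cert, message, signature):
    """Relying party holds only the CA's public key and checks the chain from it."""
    if not verify(ca_public, _cert_body(cert["subject"], cert["public"]), cert["ca_sig"]):
        return False, "certificate was not issued by the trusted CA"
    if not verify(cert["public"], message, signature):
        return False, "signature does not match the message"
    return True, cert["subject"]


def demo():
    """Exercise the three services; returns a dict of outcomes for inspection."""
    ca_pub, ca_priv = generate_keypair()
    agency_pub, agency_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "Example Agency, Program Office", agency_pub)
    message = b"Approve payment 12345"
    signature = sign(agency_priv, message)
    other_pub, other_priv = generate_keypair()           # an unrelated party
    rogue_cert = issue_certificate(other_priv, "Example Agency, Program Office", other_pub)
    return {
        # authentication: the message verifies under the certified key
        "genuine": verify_signed_message(ca_pub, cert, message, signature)[0],
        # integrity: one changed byte and the same signature no longer fits
        "tampered": verify_signed_message(ca_pub, cert, b"Approve payment 99999", signature)[0],
        # non-repudiation: nobody without the agency's private key can sign in its name
        "forged": verify_signed_message(ca_pub, cert, message, sign(other_priv, message))[0],
        # a certificate from an untrusted issuer is rejected before the message is examined
        "rogue_ca": verify_signed_message(ca_pub, rogue_cert, message, sign(other_priv, message))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point the last case makes is the one that matters for Gatekeeper: a relying party never trusts a public key on its own, only a key that a CA it already trusts has bound to an identity. That trust anchor, and the Evidence of Identity checks behind its issuance, are what the accreditation scheme is about.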

'Gatekeeper: A strategy for public key technology use in Government' is the Government's policy on the appropriateness, implementation and accreditation of the PKI based 'authentication systems' within Government, other jurisdictions and those other third parties or organisations who may choose to accept it. Gatekeeper accredited Certification Authorities provide advice and support for PKI. Registration Authorities provide advice and assistance on matters relating to EOI.

Although the basic nature of commercial and business transactions has not changed because they may now be conducted online, Government use of online technologies and PKI is supported by the Electronic Transactions Act 1999. States and Territories are committed to enacting reciprocal legislation.

The use of cryptography in Government systems, and specifically the need to use evaluated cryptographic products, is detailed in Australian Communications-Electronic Security Instructions 33 (ACSI 33).

Web Server Security

A web server is a conceptually simple piece of software that responds to requests for information by distributing pages formatted in the Hypertext Markup Language (HTML). Web servers vary significantly in complexity, but in general, the more complex the web server, the greater the potential for it to contain errors. Some of these errors may impact on the security of the server in question. Keeping up to date with the most recent security fixes and patches for a web server will usually provide protection against a majority of known attacks. However, the primary factor in web site security is the appropriate application of good design, proper server configuration and effective management techniques.

Some simple operating-system configuration mechanisms can be used to reduce the effectiveness of attacks against a web server. They include the following -

  • Privilege reduction. The web server should be run as a non-privileged user, with limited access to system resources.
  • File system limitation. The web server should have limited access to the host server’s file system.
  • Limited interactive system access. All non-administrative users should be removed from the computer that runs the web server to decrease further the risk of circumventing any web server access controls.
  • Data and command validation. All data supplied by a client, whether from form fields, URL parameters or request headers, should be validated against what the application expects before it is used in a command, a query or a file name. An attacker may take advantage of a lack of validation checking by entering unexpected commands and unusual character strings, in an attempt to elicit an unusual response and a possible security compromise.
  • Sterile environment. Unnecessary files and executables should be removed from the Web server environment, to deny an attacker any potential opportunity to bypass established security.
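Two of the controls in the list above, file system limitation and privilege reduction, are shown here as code. This is an added example and not code from the guide; DOCROOT, the "www" account and the path handling are assumptions. The path function is deliberately pure (it never touches the disk) so that the traversal cases can be checked by inspection; the privilege drop is POSIX-specific and only does anything when started as root.

```python
"""File-system limitation and privilege reduction, written out as code.

Added example, not code from the guide.  DOCROOT and the 'www' account are
assumptions; resolve_under_docroot is pure (no file-system access) so that
the traversal cases can be checked by hand.
"""
import os
import posixpath
import pwd
from urllib.parse import unquote

DOCROOT = "/var/www/htdocs"   # assumed document root


def resolve_under_docroot(docroot, request_path):
    """Map a URL path onto a file under docroot; return None if it would escape.

    The request is percent-decoded once (so '%2e%2e' is seen as '..'),
    rejected if it carries an embedded NUL, then normalised and compared
    against the root.  Symbolic links planted inside docroot still need an
    os.path.realpath check against the live file system before the open().
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(docroot)
    # Always treat the request as relative to the root, even if it begins with '/'
    target = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None               # '..' climbed above the document root
    return target


def drop_privileges(username="www"):
    """Run as an unprivileged account after the listening socket is bound.

    Order matters: supplementary groups first, then the primary group, then
    the user; once setuid() has run the process cannot regain root.
    """
    if os.geteuid() != 0:
        return False              # already unprivileged; nothing to do
    account = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(account.pw_gid)
    os.setuid(account.pw_uid)
    if os.geteuid() == 0 or os.getuid() == 0:
        raise RuntimeError("failed to drop privileges")
    return True


if __name__ == "__main__":
    for path in ("/index.html", "/docs/../../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print(path, "->", resolve_under_docroot(DOCROOT, path))
```

The two controls reinforce each other: if the path check is ever bypassed, the server process running as "www" still cannot read files that only root or the administrators can, and if the privilege drop is forgotten, the path check is the only thing standing between a request and /etc/passwd.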

Active Content

Active server content is used by many web servers to enhance the functionality available to web browsers (for example in Netscape Communicator and Microsoft Internet Explorer). It is generally used when the web server needs to respond to user input – for example, when a user provides a search engine with words to use in a search.

Unlike client side content, active server content generally executes on the computer system that runs the web server. The active server software could present an attacker with an opportunity to discover exploitable errors and possibly compromise the computer system on which it is installed. Poorly written active content, or active content that has been accidentally or deliberately configured to provide a security hole can:

  • Be fooled into executing commands on the local system, which provides an attacker with an entry point into the Agency; or
  • Leak information about the web server system that may give an attacker enough information to break into the computer; or
  • Consume significant processor time, memory or disk space as part of its run cycle, and therefore be party to a denial of service attack.

Active content is one of the biggest dangers to any web site’s security. If a risk assessment identifies that web servers are a valuable resource, active content checking should be one of the first things the site should implement. Wherever possible, active content should be examined, prior to installation, by a programmer or security professional who is aware of the associated risks. Sites should review audit logs for attempts to subvert active content processing.
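The first of the failure modes above, active content "fooled into executing commands", is the one a reviewer should look for first. The following is an added example, not code from the guide: a hypothetical site-search CGI written in Python, first in the form that hands user input to a shell, then with the input validated and passed to the program as a single argument. DOCROOT and the allow-list are assumptions.

```python
"""Active content that shells out: the vulnerable form beside a validated one.

Added example, not code from the guide.  The 'site search' CGI and DOCROOT
are hypothetical; the point is how user input reaches a command.
"""
import re
import subprocess

DOCROOT = "/var/www/htdocs"   # assumed document root


def shell_search_command(terms):
    """VULNERABLE: the search words are spliced into a shell command line.

    A 'term' of  annual; cat /etc/passwd  makes the shell run two commands,
    the second of which the site author never wrote.  Shown to illustrate
    the failure; never execute this with untrusted input.
    """
    return "grep -rilF " + terms + " " + DOCROOT


# Allow-list: letters, digits, spaces, dots and hyphens, 1 to 64 characters,
# starting with a letter or digit.  Anything else is rejected outright rather
# than 'cleaned', because a deny-list of shell characters is never complete.
SEARCH_TERMS = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .-]{0,63}")


def is_valid_search_terms(terms):
    return SEARCH_TERMS.fullmatch(terms) is not None


def safe_search_argv(terms):
    """Validated terms travel as one argv element; no shell interprets them.

    '--' ends option parsing so a term can never be read as a grep switch,
    and -F makes grep treat it as literal text rather than a pattern.
    """
    if not is_valid_search_terms(terms):
        raise ValueError("search terms contain disallowed characters")
    return ["grep", "-rilF", "--", terms, DOCROOT]


def run_search(terms):
    """Execute the validated search and return the matching file names."""
    result = subprocess.run(safe_search_argv(terms), capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    hostile = "annual; cat /etc/passwd"
    print("shell would run :", shell_search_command(hostile))
    print("validator says  :", is_valid_search_terms(hostile))
    print("safe argv       :", safe_search_argv("annual report"))
```

The reviewer's question for any active content is simply: where does each piece of client-supplied data go, and what interprets it on the way? If the answer is "a shell", "a database query string" or "a file name", the allow-list and the argument-vector form above are the minimum.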

Auditing

Program Managers can monitor the security of their networks via audit logs. Audit log monitoring is especially important when any risk reduction strategy in force includes procedures and specific configuration settings to reduce risk to a manageable level. If a system could become less secure because of an accidental or deliberate change in configuration setting, or through a lack of attention to established procedure, then it is reasonable to audit and review the system regularly to be assured that this has not occurred.

Audit logs have two main uses - statistics and security. In particular:

  • Logs can identify the source of some hacking or denial of service attacks.
  • Logs can pinpoint problems with the web server configuration.
  • Usage statistics can identify when an upgrade of network bandwidth is likely to be required.
  • Usage statistics can identify the most or least popular pages on a site.
  • If access controls are in use on a web server, audit logs can be distributed to owners of the data within the restricted area, in order to distribute the audit analysis responsibility, and to potentially identify situations where unauthorised users can access sensitive data.
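The review of audit logs called for in the Active Content section, and the first two uses of logs in the list above (identifying the source of attacks and denial of service), can be automated to a first approximation. The following is an added example and not DSD tooling: it parses Common Log Format lines, flags requests that carry traversal sequences, shell metacharacters, requests for sample CGI scripts or command interpreters, and then reports sources that probe (many 404s) or flood. The log lines are constructed, the pattern list is a sample and the thresholds are assumptions to be tuned per site.

```python
"""Audit-log review: pick out subversion attempts and abusive sources.

Added example, not DSD tooling.  The log lines are constructed in Common Log
Format, the request patterns are a sample of what a web server of the period
should never receive from a browser, and the thresholds are assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
                 r'(?P<status>\d{3}) (?P<size>\S+)$')

# (label, pattern) pairs applied to the request both raw and percent-decoded.
SUSPICIOUS = [
    ("path traversal", re.compile(r"\.\.(?:[/\\%]|$)")),
    ("shell metacharacters", re.compile(r"[;|`$]")),
    ("sample/default CGI", re.compile(r"/cgi-bin/(?:test-cgi|printenv|phf|nph-test-cgi)\b")),
    ("command interpreter", re.compile(r"cmd\.exe|/bin/(?:sh|bash)")),
    ("null byte", re.compile(r"\x00")),
]
LONG_REQUEST = 1024   # assumed: longer requests are 'unusual character string' probes
SCAN_404S = 5         # assumed: this many 404s from one source looks like probing
FLOOD_REQUESTS = 50   # assumed: this many requests from one source is reviewed as DoS


def parse_line(line):
    """Return the fields of a Common Log Format line, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def classify_request(url):
    """List the reasons a request looks hostile; an empty list means none found."""
    decoded = unquote(url)            # one decoding pass: %2e%2e/ becomes ../
    reasons = [label for label, rx in SUSPICIOUS if rx.search(decoded) or rx.search(url)]
    if "%c0%af" in url.lower() or "%c1%9c" in url.lower():
        reasons.append("overlong UTF-8 traversal")   # encodings of '/' and '\' that slip past naive filters
    if len(url) > LONG_REQUEST:
        reasons.append("oversized request")
    return reasons


def review_log(lines):
    """Summarise a log: per-request alerts, probable scanners, probable flooders."""
    alerts, requests, not_found, unparsed = [], Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1             # keep count: a broken format can hide an attack
            continue
        requests[rec["ip"]] += 1
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        for reason in classify_request(rec["url"]):
            alerts.append({"ip": rec["ip"], "time": rec["ts"], "reason": reason, "url": rec["url"][:80]})
    return {
        "alerts": alerts,
        "scanners": sorted(ip for ip, n in not_found.items() if n >= SCAN_404S),
        "flooders": sorted(ip for ip, n in requests.items() if n >= FLOOD_REQUESTS),
        "unparsed": unparsed,
    }


# Constructed sample: two normal hits, one probing source, one junk line, one flood.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2001:10:02:11 +1100] "GET /index.html HTTP/1.0" 200 2341',
    '203.0.113.7 - - [12/Jan/2001:10:02:12 +1100] "GET /images/logo.gif HTTP/1.0" 200 812',
    '198.51.100.9 - - [12/Jan/2001:10:05:01 +1100] "GET /cgi-bin/test-cgi HTTP/1.0" 404 221',
    '198.51.100.9 - - [12/Jan/2001:10:05:02 +1100] "GET /cgi-bin/phf HTTP/1.0" 404 221',
    '198.51.100.9 - - [12/Jan/2001:10:05:03 +1100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 221',
    '198.51.100.9 - - [12/Jan/2001:10:05:04 +1100] "GET /search.cgi?q=report;cat%20/etc/passwd HTTP/1.0" 200 512',
    '198.51.100.9 - - [12/Jan/2001:10:05:05 +1100] "GET /docs/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 221',
    '198.51.100.9 - - [12/Jan/2001:10:05:06 +1100] "GET /admin/ HTTP/1.0" 404 221',
    'this line is not in common log format',
] + [f'192.0.2.33 - - [12/Jan/2001:10:09:{i % 60:02d} +1100] "GET / HTTP/1.0" 200 2341'
     for i in range(60)]


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for alert in report["alerts"]:
        print(alert)
    print("scanners:", report["scanners"], "flooders:", report["flooders"], "unparsed:", report["unparsed"])
```

Two design points carry over to any real deployment: decode the request once before matching (otherwise %2e%2e walks straight past a filter for "..") and count lines that fail to parse, since a log line that does not match the expected format is itself a signal. The output is a starting point for the response plan described below, not a verdict.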

Program Managers should ensure there is an agreed response plan to deal with any detected security incident. The response plan should include advice to senior management and an agreed set of decision points and actions involving selected stakeholders.

Effective audit reporting should not only focus on usage statistics and a summary of audit log events; it will also provide comment in terms of the effectiveness of the network security plan and procedures. Managing audit logs is a crucial, non-trivial, task that usually requires ongoing maintenance and monitoring. It is important to ensure that there is a realistic plan for managing and reading the data that is produced.

Further Reading and Assistance

The following documents are recommended for further reading:

  • ACSI-33: Security Guidelines for Australian Government IT Systems - available from the DSD web site, http://www.dsd.gov.au/library/acsi33/acsi33.html
  • Gateway Certification Guide - available from the DSD web site, http://www.dsd.gov.au/infosec/assistance_services/gateway.html
  • Evaluated Products List (EPL) - available from the DSD web site,
  • AS/NZS 4444.1:1999 Information Security Management – Code of Practice for Information Security Management - available from Standards Australia and the Australian Government Bookshop
  • AS/NZS 4444.2:2000 Information Security Management – Specification for Information Security Management Systems - available from Standards Australia and the Australian Government Bookshop
  • AS/NZS 4360:1999 Risk Management - Specification for Risk Management - available from Standards Australia and the Australian Government Bookshop
  • HB 231:2000 Information Security Risk Management Guidelines – available from Standards Australia and the Australian Government Bookshop
  • Protective Security Manual
  • ‘Gatekeeper: A Strategy for Public Key Technology Use in Government’ – available from the AGIMO (formerly NOIE) web site at: www.agimo.gov.au/infrastructure/gatekeeper
  • ABN-DSC – more information is available from: www.agimo.gov.au/infrastructure/gatekeeper/abn-dsc

DSD’s Information Security Advice and Assistance Team can be contacted via:

Annex A

WEBSITE AND INTERNET SYSTEM SECURITY CHECKLIST

Scope

DSD and AGIMO (formerly NOIE) have a checklist that can be used as a "self-assessment" tool by Government Agencies. It will provide a starting point when considering the need for adequate website and Internet security. The Checklist can also be used as a basis for discussions with the Defence Signals Directorate regarding any areas of concern regarding Internet security.

The Checklist does however focus predominantly on only one aspect of an Agency’s security risk. A comprehensive security environment requires a systematic and coordinated approach to physical, personnel, communications and technical security, and should not be solely orientated towards a single area of risk such as website security or particular Internet systems. The Commonwealth Protective Security Manual (PSM) and Australian Communications-Electronic Security Instructions 33 (ACSI 33) provide advice for developing and implementing an Agency Security Plan. Australian Standard AS/NZS 4444, Information Security Management, also provides very useful guidance. The DSD Gateway Certification Guide provides advice for developing a secure organisational gateway to the Internet and other networks.

Purpose

The Checklist is intended to raise awareness of Internet Security issues at Government Agencies. If you choose to consult further, it will also enable the Defence Signals Directorate to assist you with assessing the need for additional security and privacy initiatives and programs.

Document Sensitivity

Please also carefully consider the classification and necessary protection of the completed checklist – you may find that in totality it contains sensitive information about your site.

Enquiries and Assistance

Should you require further information or assistance, please contact the Defence Signals Directorate’s Information Security Advice and Assistance Team:

Checklist

The Internet Security Checklist in PDF
The Internet Security Checklist in HTML