SIFT Note Library
SIFT Note 2005-07 - 11 Aug 05
Data Trust Boundaries in Client-Server Applications
In the information security game, trust is often your enemy. Application architects often fail to consider when and where trust should be placed, sometimes resulting in significant risk exposure.
A trust boundary is a physical or virtual demarcation separating different levels of trust. That is, where the “trustworthiness” of entities changes from one side of the boundary to the other. In modern applications, such boundaries have the responsibility of sanitising data and enforcing data format policy.
It can be tempting – and from our experience is quite common – to place the trust boundary between the client application and the client’s operating system (as illustrated in Figure 1). While this approach to offloading the burden of sanitising data from the server can bring overall system performance gains, it can also introduce a significant risk.
As an example of a system in which the client is largely considered “trusted”, consider an automatic teller machine (ATM) connected to a banking network. The interface to an ATM is limited (generally with a simple keypad and structured approach to data input) and users have no access to the network. Although this may generally be a reasonable assumption, it is not guaranteed.
The basis of the assumption is that the potential threat is coming from ATM users and not employees of the bank and/or the ATM vendor, who each have physical access to the machines. Although the majority of attacks may be “external” in nature, the greatest losses are inflicted by “internal” attacks. Obviously there are other controls to prevent insider attacks in the situation of banks and ATMs, but it serves a useful purpose in illustrating the concept of a trust boundary.
In most cases with client-server applications communicating via the Internet, the “client” is wholly controlled by the attacker – as a result of which the server should be designed with this threat scenario in mind. The attacker can use the client as they wish, modify it, stop it, remove it altogether or even create their own client. No form of client protection – including cryptography – will help as attackers are often also legitimate users. All key material required for client-server communication must be assumed to be in possession of the attacker.
For instance, a client application could be made to call operating system functions at a server. If the trust boundary is placed at the client, the system could function by having the client send command strings to the server (e.g. ‘check_user attacker’). Although the client software will not allow the attacker to change the command significantly, the attacker could simply create their own client and provide the command ‘add_user attacker’ instead. Placing the boundary at the server and only allowing the user to provide the parameter ‘attacker’ to the call would allow the server to process the call securely.
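The check_user/add_user scenario above, written out as an added illustration that is not part of the original note (the handler names, the username format rule and the command table are constructed):

```python
import re
import shlex

# Constructed example, not SIFT's code: the same check_user/add_user scenario
# with the trust boundary in each of the two places the note describes.

# Only names of this shape are accepted once the boundary sits at the server.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def check_user(name):
    return {"action": "check_user", "user": name}

def add_user(name):
    return {"action": "add_user", "user": name}

# Verbs the server knows. The client is only ever meant to send check_user,
# but nothing on the server enforces that in the client-trusted design.
COMMANDS = {"check_user": check_user, "add_user": add_user}

def handle_client_trusted(command_string):
    """Boundary at the client: the server dispatches whatever verb it is sent."""
    verb, *args = shlex.split(command_string)
    if verb not in COMMANDS:
        raise ValueError("unknown command")
    return COMMANDS[verb](*args)

def is_valid_username(name):
    """Server-side format policy for the one parameter the client may supply."""
    return bool(USERNAME_RE.match(name))

def handle_server_trusted(username):
    """Boundary at the server: the client supplies only the parameter;
    the server chooses the verb and validates the argument itself."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return check_user(username)
```

With the boundary at the client, a home-made client that sends ‘add_user attacker’ is executed just like the legitimate command; with the boundary at the server, the verb is never under the client's control and the parameter is checked against the server's own policy.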
Web applications have long suffered from trust boundary issues. Most attacks relevant to web applications such as SQL injection, server-side include injection and poor exception handling are a direct result of either not placing the data trust boundary at the server or not enforcing it correctly.
The effect of misplacing a trust boundary can be devastating to the security of an entire application and subsequently the security of the organisation employing the application. In the world of secure client-server applications the trust boundary should only ever be in one place – the server.
Further information:
E-mail us for more information
Business Continuity - APRA BCM Standard Released
Earlier this year, the Australian Prudential Regulation Authority (APRA) issued their long awaited prudential standards for Business Continuity Management (BCM). The new standards will apply to authorised deposit-taking institutions (ADIs) and general insurers.
While most ADIs and insurers have existing BCM practices, APRA investigations regularly uncover inadequacies in these. Among the inadequacies are incomplete risk assessments, deficiencies in business impact analysis, and ineffective, out of date and ill-documented recovery and continuity plans.
The new standards are aimed at guiding ADIs and general insurers towards implementing a more holistic approach to BCM. The standards state that business continuity involves an integrated process of:
1. Risk assessment;
2. Business impact analysis;
3. Consideration of recovery strategies;
4. Business continuity planning;
5. Establishing business continuity/crisis management teams; and
6. Review and testing.
Key requirements of the standards include:
- The Board and Senior Management must consider Business Continuity (BC) risks and controls as part of the overall risk management framework
- Critical business functions, resources and infrastructure which, if disrupted, would have a material impact on the company’s business operations, reputation or profitability, must be identified.
- The impact of plausible disruption scenarios on critical business functions, resources and infrastructure must be assessed. Appropriate recovery strategies to ensure all necessary resources are readily available to withstand the impact of the disruption must be in place.
- Thorough review and testing procedures must be implemented to verify that the plan enables the company to respond to disruptions and recover critical business functions.
ADIs and general insurers have a 12 month transitional period to identify non-compliant components and submit a rectification plan and timetable to APRA.
The standards mandate that BCM be considered during the planning phase of new business activities, and the introduction of new processes and systems. The formal policy which sets out the BCM approach is required to be summarised as part of the risk management system - the declaration of which is made annually as per APS 310 Auditing and Related Arrangements for Prudential Reporting. Procedures must be in place to ensure all business units are fully aware of, and comply with BCM policy and arrangements.
The APRA standards are largely based upon HB221, an extension of the BC component of AS/NZS 4360, the Australian Risk Management Standard. SIFT believes these standards provide a valuable baseline, providing a uniform approach to ensure the continuity of a key economic infrastructure in Australia. The expected cost of compliance is relatively low, as most ADIs have already invested in BCM personnel and planning.
Further information:
Australian Prudential Regulation Authority publishes business continuity regulations
APRA determines new prudential standards on business continuity management
Prudential Standard GPS222 - Business Continuity Management for General Insurers
Prudential Standard APS232 - Business Continuity Management for ADIs
GovCERT and AusCERT Should Learn From USA
The Australian Attorney-General’s Department (AGD) earlier this year set up a body called the Government Computer Emergency Readiness Team (GovCERT) to deal with the risk of cyber-terrorism. According to the AGD, the purpose of GovCERT is to protect Australia’s critical IT infrastructure and forms a part of the Critical Infrastructure Protection (CIP) Branch of the AGD. GovCERT is designed to fill the gap between the government’s internal security capability and the Australian Computer Emergency Response Team (AusCERT).
Debate has surrounded the core responsibilities of GovCERT. Graham Ingram, the director of AusCERT, has warned that GovCERT’s role should be restricted to planning and coordinating actions in case of an attack, and should not attempt to duplicate the functions fulfilled by AusCERT.
Interviewed by ZDNet Australia, Ingram stated that Australia lacked a plan of action to deal with a cyber-terrorist attack. “If a bomb went off, we have a national counter terrorism plan, which is practiced and everyone’s roles and functions are predetermined. We don’t have a national cyber response plan – if something happened tomorrow, nobody has a clue who does what.”
Ingram suggests that the best option is for government to support AusCERT and use it in conjunction with the new capabilities of GovCERT.
Information security professionals have voiced the concern of a GovCERT and AusCERT standoff compromising Australia’s effectiveness in dealing with the increasing threat of a major cyber-terrorism incident. However, there is an understanding that AusCERT is not in a position to share intelligence with US government agencies to the extent GovCERT is, and hence a clear solution is for GovCERT and AusCERT to undertake a co-operative effort.
As a functional model of such a demarcation, it is worth considering the US partnership between CERT/CC (R for Response) and US-CERT (R for Readiness).
CERT/CC, the CERT Co-ordination Centre, is US Government funded, yet remains a non-government organisation. CERT/CC is the central reporting centre for Internet security problems.
In September 2003, the US Department of Homeland Security announced the creation of US-CERT. The goal of US-CERT is to provide warning, co-ordination and analysis of cyber threats, vulnerabilities and attacks. US-CERT provides a facility for US citizens, businesses and other institutions to communicate and co-ordinate directly with the US government regarding issues relating to cyber security. US-CERT utilises CERT/CC’s capabilities to help prevent, protect and respond to IT security incidents across the Internet.
Advisories previously produced by the CERT/CC are still available from the CERT/CC web site. US-CERT alerts are posted on the US-CERT web site, with CERT/CC providing links to the most recent alerts. Through aggregating information, the amount of information released into the public domain is greater than the sum of the parts produced by each.
SIFT believes a similar co-operative effort between AusCERT and GovCERT will enhance Australia’s readiness and response capability against cyber-security incidents.
Further information:
AusCERT, GovCERT vie for Technology Space
AusCERT Threatened by Anti-Cyberterrorism Plans
Partnership Between the CERT Coordination Center and US-CERT
Cyber Terrorism in Australia: A Risk to Business and a Plan to Prepare
The Importance of Data Destruction
Today's corporate world is dominated by information and as a result, corporations invest heavily in IT infrastructure in order to store it, manage it and distribute it. Computer hardware is frequently upgraded and old or obsolete equipment is often sold, given away or simply dumped. This hardware includes used hard drives that, at some point in time, may have contained sensitive or confidential information.
As the primary persistent storage on modern computers, hard drives contain all documents, emails and other forms of information or media that a user has stored. In addition, almost all actions that a user performs will leave traces on the hard drive due to caching and virtual memory mechanisms. The result of this is that a hard drive will contain traces of almost everything that an employee used the computer for. This may consist of client details, usernames and passwords, customer data, business strategy documents, product designs and more. The importance of such information is obvious and as a result, organisations need to ensure that they have an adequate hardware disposal policy.
Organisations must exercise caution in their hardware disposal process, as failure to properly destroy sensitive data can result in significant brand damage and, less frequently, direct financial loss. In a study conducted by two MIT graduates, over 50% of the second-hand hard drives they acquired from eBay and other similar sales had recoverable data. Furthermore, recent developments in US federal law require parties that handle other people’s personal information to ensure the destruction of the data. Failure to render the information irretrievable can result in prosecution and costly financial penalties. Thus, when old equipment is discarded, re-assigned, sold or given away, it is vital that any sensitive data contained on the device is thoroughly destroyed.
The total deletion of data from hard drives is extremely difficult due to the characteristics of magnetic storage devices. Traces from previous writes on the drive remain after successive rewrites and, with the correct equipment, may be recoverable. This means that it is not enough to simply format disks at their end-of-life, as traces of the deleted data will remain. Instead, a number of successive rewrites with random data is required in order to make data recovery largely infeasible. Even after performing this form of secure deletion, it may still be possible for some organisations to recover data that was previously on the drive. To truly remove all traces of the data, it is usually necessary to degauss the media or physically destroy the drive.
An additional protective measure is to mandate the encryption of all sensitive data. However, encryption can be broken and is no guarantee that the data cannot be recovered. Encryption can be used as an additional defence against data recovery but should not be solely relied upon to keep highly sensitive data confidential.
The hardware disposal policy adopted by an organisation will depend on the particular requirements of that organisation. Certain types of information intrinsically have greater value, and greater time-based value, and the types of information stored on the disks being disposed of must be taken into account. For regular data, the deletion and random rewrite of the storage device using a purpose-built tool is usually adequate. However, for highly sensitive data the media should be destroyed to make data recovery impossible. Regardless of the method chosen, a hardware disposal process must be consistently followed to ensure the confidentiality of sensitive business data.
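The successive random rewrites described above, shown as an added example that is not SIFT's tool or the purpose-built tools the note refers to. It operates on an ordinary file so it can be run safely; pointing the same loop at a block device node is an assumption that requires write access to that device, and the note's caveat still holds: software overwriting leaves magnetic traces that only degaussing or physical destruction removes.

```python
import os
import tempfile

# Constructed example, not SIFT's code: overwrite every byte of a file with
# fresh random data several times, forcing each pass to the medium before
# the next, then check whether the original bytes can still be read back.

CHUNK = 1 << 16  # 64 KiB write granularity

def overwrite_random(path, passes=3):
    """Overwrite the whole of `path` with os.urandom data `passes` times."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # commit this pass before starting the next
    return size

def residue_present(path, secret):
    """True if the original secret bytes are still readable from the file."""
    with open(path, "rb") as fh:
        return secret in fh.read()

def demo(secret=b"ACCOUNT=12345678;PIN=4321"):
    """Write constructed sensitive data, wipe it, and report before/after."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret * 1000)
    try:
        before = residue_present(path, secret)
        written = overwrite_random(path, passes=3)
        after = residue_present(path, secret)
        return before, after, written
    finally:
        os.remove(path)
```

The check in residue_present only proves the logical contents are gone; the physical traces the note warns about are not visible through the file system at all.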
Further information:
Discarded computer hard drives prove a trove of personal info
Secure Deletion of Data from Magnetic and Solid-State Memory
Data returns from the dead
Got a nanny? You need a shredder