Risk Assessment on National Football League Team Websites

The National Football League (NFL) is the largest and most prestigious professional American football league. It was formed by eleven teams in 1920 as the American Professional Football Association and adopted the name National Football League in 1922. The league currently consists of thirty-two teams from U.S. cities and regions, divided evenly into two conferences (AFC and NFC), each with four four-team divisions. The NFL has the highest per-game attendance of any domestic professional sports league in the world, drawing over 67,000 spectators per game in 2006.


TABLE OF CONTENTS

EXECUTIVE SUMMARY

1. INTRODUCTION
   1.1 PURPOSE
   1.2 SCOPE
   1.3 BACKGROUND

2. RISK ASSESSMENT APPROACH
   2.1 PARTICIPANTS
   2.2 RISK MODEL

3. RISK ASSESSMENT
   3.1 STEP 1: SYSTEM CHARACTERIZATION
       3.1.1 Information-Gathering Techniques
       3.1.2 System-Related Information
       3.1.3 Data Used by System
       3.1.4 System Users
       3.1.5 Flow Diagram
   3.2 STEP 2: THREAT IDENTIFICATION
       3.2.1 Threat-Source Identification, Motivation and Actions
   3.3 STEP 3: VULNERABILITY IDENTIFICATION
       3.3.1 Vulnerability Sources
       3.3.2 System Security Testing
       3.3.3 Development of Security Requirements Checklist
   3.4 STEP 4: CONTROL ANALYSIS
       3.4.1 Control Methods
       3.4.2 Control Categories
   3.5 STEP 5: LIKELIHOOD DETERMINATION
   3.6 STEP 6: IMPACT ANALYSIS
   3.7 STEP 7: RISK DETERMINATION
       3.7.1 Risk-Level Matrix
       3.7.2 Description of Risk Level
   3.8 STEP 8: CONTROL RECOMMENDATIONS
   3.9 STEP 9: RESULTS DOCUMENTATION
       3.9.1 Risk Assessment Results

Appendix A. References

 

 

EXECUTIVE SUMMARY

NFL teams collect and maintain data on the fans who purchase tickets and team merchandise, and must therefore protect this information on their networks. Following a Massachusetts Superior Court ruling, the New England Patriots are now in possession of customer data from 13,000 users of the ticket reseller site StubHub. The team forbids ticket holders to resell their passes. The Patriots asked for details not only on sellers and buyers but also on those who made bids, and Judge Allan van Gestel ruled that StubHub had to turn the information over. The decision was the result of a case brought by the Patriots in an effort to crack down on season ticket holders who resell their tickets. Massachusetts has a law against scalping: ticket holders can only resell their tickets at a nominal US$2 over face value. Regardless of anti-scalping laws, the customer data collected by StubHub as part of its business is now in the hands of the Patriots, who are widely expected to revoke tickets from season ticket holders who sold through StubHub. The big question, then, is whether this kind of court case presents a problem for online consumers. (Maxcer, 2007)

University of Maryland University College students have been tasked with conducting a risk assessment of an organization of their choosing as an assignment for INFA 610, Computer Security, Software Assurance, Hardware Assurance, and Security Management. This risk assessment evaluates the use of resources and controls to eliminate or manage vulnerabilities that are exploitable by threats internal and external to National Football League team web sites. For the purposes of this risk assessment, the Green Bay Packers website (developed by DM Interactive) is used as a model to represent the common NFL team web site.

  1. Introduction

 

1.1 Purpose

 

The purpose of this risk assessment is to identify threats and vulnerabilities related to the football franchises of the National Football League. The risk assessment will be used to identify risk mitigation measures for NFL team information technology systems.

 

1.2 Scope

 

The scope of this risk assessment covers a web-based application developed and maintained by DM Interactive for the NFL's Green Bay Packers football team. The goal is to take an overall view of the web site and then select a few key areas for assessment. The Packers.com web site provides fans with news and the ability to purchase Green Bay Packers merchandise and tickets. Each NFL team is franchised and independently operated; however, this risk assessment is intended to be useful for any of the thirty-two teams that currently make up the league. In other words, although this risk assessment is written for the Green Bay Packers, it is relevant to any NFL team whose web site provides similar content and merchandise. It is understood that each team is operated independently and will differ in some respects from the others; the assessment can be adapted for those team-specific differences. The development of this risk assessment is based on the website of the NFL's Green Bay Packers franchise, and the focus is on the systems that support electronic commerce (ticket sales, customer information, merchandising, etc.) and related functions.

 

1.3 Background

 

  1. Team Name – Packers
  2. Team Location – Green Bay, Wisconsin
  3. Industry – National Football League Franchise
  4. Company profile – Green Bay Packers, Inc.
  5. Management – Bob Harlan, President & CEO; John Jones, COO & Executive Vice President; Mike Hatley, Vice President of Football Operations.
  6. Website – packers.com (Houston Business Journal, n.d.)

 

  2. Risk Assessment Approach

 

2.1 Participants

The participants (risk assessment team members) are listed below.

Role                      Name
System Owner              David Troup
Security Administrator    Bill Red
Database Administrator    John Black
Network Manager           Jane Doe
Risk Assessment Team      Vern Gardner, Joseph Brown, Mary White

 

2.2   Risk Model

 

This risk assessment was conducted in accordance with the methodology described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems.

 

  3. Risk Assessment

 

A thorough and proactive risk assessment is the first step in establishing a sound security program. This is the ongoing process of evaluating threats and vulnerabilities, and establishing an appropriate risk management program to mitigate potential monetary losses and harm to an institution’s reputation.  The extent of the information security program should be commensurate with the degree of risk associated with the institution’s systems, networks, and information assets.  For example, compared to an information-only Web site, organizations offering transactional Internet activities are exposed to greater risks. (FDIC, 1999)

 

3.1   STEP 1: System Characterization

 

The Green Bay Packers business website is developed and maintained by DM Interactive (DMI) of Green Bay, Wisconsin.  DMI was founded in 1995 by David Troup and established itself early with interactive web site development as an offshoot of a successful Internet Service Provider.  (DM Interactive.com, n.d.)

 

The system provides full-scope coverage of the NFL's Green Bay Packers via the Packers.com web site. It includes the latest news about the team, players, special events, statistics and other items of interest to NFL fans. The system is also used for e-commerce: fans can purchase single-game tickets (Packers season tickets have been sold out since 1960) and a wide variety of Packers-related merchandise. (Packers.com, n.d.)

 

3.1.1   Information-Gathering Techniques

The information-gathering technique used for this risk assessment was Internet research; sources included corporate and federal security organizations (e.g. NIST, SANS, Symantec), periodicals, journals and magazines.

 

3.1.2   System-Related Information

 

The following components in Table 3.1.2 identify system-related information for DM Interactive as listed on their Internet web site. (DM Interactive.com, n.d.)

 

Component                                  Description
Applications                               Web site developed by DM Interactive of Green Bay, Wisconsin. Custom application development in C, C++, Perl, Python, ColdFusion, PHP, Java and HTML.
Databases                                  Oracle, MySQL, PostgreSQL, SAP, HO, IBM
Server Configurations/Operating Systems    Unix, Sun, Linux, BSD, OS X
Interconnections                           Multiple-carrier fiber interconnect; Tier 1 co-location facility
Protocols                                  SSL used for transmission between the client web browser and the web server

Table-3.1.2 System-Related Information

 

3.1.3   Data Used by System

 

Data collected when purchasing merchandise from the Green Bay Packers web site is listed in Table 3.1.3 below.

 

Data                                   Description
Personally Identifiable Information    Name, address, phone number, email address
Financial Information                  Credit card number, verification code, expiration date, card type, authorization reference, transaction reference
Ordering Information                   Merchandise type (e.g. clothing, tickets), date of order, quantity ordered, shipping date, method of shipment

Table-3.1.3 System Data

Note that the card verification code is sensitive authentication data: PCI DSS prohibits storing it after authorization, so it should be passed through to the payment processor and never written to the database or to logs. The full card number, if retained at all, must be rendered unreadable (truncated, tokenized, or strongly encrypted) wherever it is stored.

 

3.1.4   System Users

 

Table 3.1.4 identifies users of the system.

 

Users                              Description
Customers                          Access the system via web browser. Can create a system account with username and password and update personal and financial information as needed.
DM Interactive IT personnel        Manage the system, including firewalls and networks, and maintain its security configuration.
Packers.com operations personnel   Use information contained in the database for management reporting; generate reports and queries.

Table-3.1.4 System Users

 

3.1.5   Flow diagram

 

Figure 1 below is a flow diagram that shows the technology components reviewed as part of the Packers.com website.

 

Figure-1 Flow Diagram

 

 

3.2   STEP 2: Threat Identification

 

Hackers, disgruntled employees, organized crime and competitors are all examples of potential internal and external threat sources to an information system. The average Internet user can quickly find information describing how to break into a variety of systems by exploiting known security flaws and software bugs using any Internet search engine. Vulnerability assessment tools can be misused to probe network systems and then exploit any identified weaknesses to gain unauthorized access. Other threat sources include environmental threats such as power failures, chemicals and pollution, and natural threats such as floods and earthquakes.

 

3.2.1   Threat-Source Identification, Motivation and Actions

The matrix in Table 3.2.1 below lists threat sources, their motivations and their threat actions. A threat source is any circumstance or event with the potential to cause harm to an IT system. The motivation is what compels a threat source to act. The threat actions describe the measures taken by the threat source.

 

Threat               Motivation                                                          Threat Actions
Hacker               Challenge; self-image; defiance                                     Unauthorized access; social engineering; computer crime
Fire/Water Damage    Accidental loss                                                     Damage to equipment; damage to physical records and data
Organized Crime      Money; identity theft; data destruction                             Phishing; unauthorized access; computer crime
Insider              Money; property; getting even; human error; negligence and apathy   Unauthorized access; theft or destruction of data; theft or destruction of equipment

Table-3.2.1 Threat, Motivation and Threat Actions

 

3.3   STEP 3: Vulnerability Identification

 

3.3.1   Vulnerability Sources

 

This section will attempt to identify potential vulnerabilities applicable to the system-related information for DM Interactive as listed previously in table 3.1.2.

 

Table 3.3.1 below provides vulnerability/threat pairs for DM Interactive.

 

Vulnerability                              Threat-Source                                                   Threat Action
Applications                               Hackers, organized crime, other unauthorized users              Buffer overflows, backdoors, web defacement
Databases                                  Hackers, organized crime, other unauthorized users              Unauthorized access to sensitive customer data
Server Configuration / Operating Systems   Hackers, organized crime, other unauthorized users              Unauthorized access, theft, modification or destruction of data; botnet, virus, worm and Trojan horse infections
Interconnections                           Hackers, terminated employees, criminals                        Port scans for unused services; exploitation of open, unsecured ports
Protocols                                  Hackers, organized crime                                        Web page spoofing, IP spoofing, SYN flood, Smurf
Human Threat                               Employees, contracted support personnel, terminated personnel   Unauthorized access, theft, modification or destruction of data; inadvertent errors; damage to IS equipment

Table-3.3.1 Vulnerability/Threat Pairs

 

Applications:  Web application vulnerabilities give an unauthorized party the potential to gain access to critical and proprietary information, use resources inappropriately, interrupt business or commit fraud. A web application is a software program that typically contains scripts to interact with the end user. A web application consists of three components (Figure 2):

  • The web server sends pages to the end user's browser,
  • The application server processes the data for the user, and
  • The database stores all of the required data.

 

 

Figure-2 Web Application Components

 

Web applications have become a universal conduit because of the rapid growth of the Internet. Commonly used types of web applications include web mail, shopping carts and portals. These applications allow large numbers of people to access systems quickly without geographic restriction. However, web applications introduce a multitude of security risks and challenges, so it is essential to implement strong security measures to mitigate them. (Kennedy, 2005)

 

Databases:  The need for database security is clear; yet organizations often get distracted or led astray and don’t address the problem before it is too late. Consider these common pitfalls that plague databases:

 

  • Weak user account settings. Databases lack user settings found in more mature operating system environments where they are frequently mandated by corporate policy or government regulations.  Often, the default accounts and passwords, which are commonly known, are not disabled or modified to prevent access.
  • Insufficient segregation of duties. No established security administrator role exists in the database management area.  This forces database administrators (DBAs) to be both the administrator for users and passwords as well as the performance and operations expert, resulting in management inefficiencies. In addition, it eliminates the opportunity for the traditional checks and balances in job functions that are sound business practices.
  • Inadequate audit trails. The auditing capabilities of databases are often ignored in the name of enhanced performance or saved disk space. Inadequate auditing reduces accountability and reduces the effectiveness of forensic analysis.  These audit trails are crucial to understanding the actions taken against certain sets of data; the fact that they log events directly associated with the data makes them essential to monitoring access and activities.
  • Unused database security features. It is common to build security into individual applications while neglecting database security. But security measures that are built into an application only apply to users of the client software. (Hurwitz, 2001)

 

Server Configuration / Operating Systems:  While there are an enormous variety of operating systems to choose from, only four “core” lineages exist in the mainstream — Windows, OS X, Linux and UNIX. Each system carries its own baggage of vulnerabilities ranging from local exploits and user introduced weaknesses to remotely available attack vectors.

 

As far as "straight-out-of-the-box" conditions go, both Microsoft's Windows and Apple's OS X are rife with remotely accessible vulnerabilities. Even before any services are enabled, Windows-based machines contain numerous exploitable holes allowing attackers not only to access the system but also to execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities once the built-in services were enabled. Once patched, however, both companies support a product that is secure, at least from the outside.

The UNIX and Linux variants present a more robust exterior. Even with the pre-configured server binaries enabled, each system generally maintained its integrity against remote attacks. Compared with the Microsoft and Apple products, however, UNIX and Linux systems tend to have a higher learning curve for acceptance as desktop platforms. (Schneier, 2007) These observations date from 2007 and should be re-checked against the releases actually deployed; operationally, what matters on any platform is a hardened baseline configuration, disabling unneeded services, and prompt patching.

 

Interconnections: System interconnection is the direct connection of systems for the purpose of sharing information resources. System interconnection, if not appropriately protected, may result in a compromise of all connected systems and the data they store, process, or transmit. It is important that system operators, information owners, and management obtain as much information as possible about the vulnerabilities associated with system interconnection and information sharing and the increased controls required for mitigating those vulnerabilities. (NIST, 2003).

 

Protocols: Routing protocols are subject to attacks that can harm individual users or network operations as a whole, at several levels. Threats can affect the transport subsystem, where the routing protocol is attacked through its underlying protocol. An attacker may also attack messages that carry control information in order to break a neighboring (e.g. peering, adjacency) relationship, or messages that carry data in order to break a database exchange between two routers or to affect database maintenance. (www.faqs.org, 2006) Note that the protocol listed for this system in Table 3.1.2 is SSL between the browser and the web server; the routing-layer attacks above concern the co-location facility's network rather than the application, and the SSL/TLS configuration itself (protocol versions, cipher suites, certificate validation) should be assessed separately.

 

3.3.2   System Security Testing

Vulnerability scanning will be considered as a test of system security for DM Interactive. One issue with vulnerability scanners is their impact on the devices they scan. On the one hand, the scan should run in the background without affecting the device; on the other, it must be thorough. Depending on how the scanner gathers its information or verifies that a device is vulnerable, a thorough scan can be intrusive and cause adverse effects, even crashes, on the device being scanned. (Bradley, n.d.) Scans should therefore be run first against a staging copy or in a maintenance window, with intrusive checks against the e-commerce database held back until their behaviour is known. A few products such as eEye Retina and SAINT will be reviewed for possible use on the system.

 

Penetration testing will also be performed to complement the review of security controls in place and to ensure that different components of the system are secure.  The core services offered by the system will be tested.  These include: DNS, firewall systems, password syntax, interconnections, web servers, and databases.

 

3.3.3   Development of Security Requirements Checklist

 

Table 3.3.3 provides a checklist of security requirements suggested for use in determining DM Interactive’s system’s vulnerabilities.

 

Security Area          Security Criteria                                          Observations
Management Security    Assignment of responsibilities
                       Incident response capability
                       Periodic review of security controls
                       Risk assessment
                       Security and technical training
                       Policies and procedures
Operational Security   Environmental controls (dust, chemicals, smoke)
                       Electrical power controls
                       Facility protection
                       Temperature control
Technical Security     Communications (e.g. system interconnections, routers)
                       Discretionary access control
                       Cryptography
                       Threats and vulnerabilities analysis
                       Information classification
                       Identification and authentication
                       System audit

Table-3.3.3 Security Requirements Checklist

 

3.4   STEP 4: Control Analysis

 

The selection and employment of appropriate security controls for an information system are important tasks that can have major implications for the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:

  • What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
  • Have the selected security controls been implemented, or is there a realistic plan for their implementation?
  • What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?

 

The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, controls, and mitigates risks to its information and information systems.  (NIST, 2006)

 

3.4.1   Control Methods

Recommended best practices suggest a defense-in-depth approach in order to mitigate potential threats. The methods of control available are to:

  • Reduce risk through changes in enterprise system design and management
  • Reduce risk through improved risk information management
  • Neutralize risk through diversification across enterprises, space and time
  • Retain risk (accept risks as they exist)

 

3.4.2   Control Categories

Using vulnerability assessment tools and performing regular penetration tests will help DM Interactive determine what security weaknesses exist in its information systems. Detection measures involve analyzing available information to determine whether an information system has been compromised, misused, or accessed by unauthorized individuals. Detection may be enhanced by intrusion detection systems (IDSs) that act as a burglar alarm, alerting DM Interactive to potential external break-ins or internal misuse of the monitored systems. Preventive controls inhibit attempts to violate security policy and include access control enforcement, encryption and authentication; an intrusion prevention system (IPS) extends detection by blocking recognized attacks inline. Another key area is preparing a response program to handle suspected intrusions and system misuse once they are detected. DM Interactive should have an effective incident response program outlined in a security policy that prioritizes incidents, discusses appropriate responses, and establishes reporting requirements. (FDIC, 1999)

 

3.5   STEP 5: Likelihood Determination

 

The matrix below defines the levels of likelihood that a vulnerability can be exercised. I have also assigned a level of likelihood to each of the defined vulnerabilities (Section 3.7).

Likelihood of Occurrence (Weight Factor)   Definition
High (1.0)                                 The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium (0.5)                               The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low (0.1)                                  The threat source lacks motivation or capability, or controls are in place to prevent, or significantly impede, the vulnerability from being exercised.

Table-3.5 Likelihood Definitions

 

3.6   STEP 6: Impact Analysis

 

The table below defines the impact of an exploited vulnerability. Using it, I will assign an impact to each vulnerability.

Impact (Score)   Definition
High (100)       The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Examples:
                 • A severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
                 • Major damage to organizational assets
                 • Major financial loss
                 • Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries
Medium (50)      The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Examples:
                 • Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
                 • Significant damage to organizational assets
                 • Significant financial loss
                 • Significant harm to individuals that does not involve loss of life or serious life-threatening injuries
Low (10)         The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Examples:
                 • Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
                 • Minor damage to organizational assets
                 • Minor financial loss
                 • Minor harm to individuals

Table-3.6 Impact Definitions

 

3.7   STEP 7: Risk Determination

 

The risk determination combines the likelihood that a threat exercises a vulnerability with the impact of that exercise. The likelihood level is assigned a value of 1.0 for High, 0.5 for Medium and 0.1 for Low. The magnitude of the impact is placed on a scale of 0 to 100 (High 100, Medium 50, Low 10). Table 3.7 below illustrates the risk determination; each cell's risk level follows from its product on the scale given in Section 3.7.2 (High >50 to 100; Medium >10 to 50; Low 1 to 10), not from the impact column it falls in.

 

 

Threat Likelihood   Impact: Low (10)             Impact: Medium (50)            Impact: High (100)
High (1.0)          Low Risk (10 x 1.0 = 10)     Medium Risk (50 x 1.0 = 50)    High Risk (100 x 1.0 = 100)
Medium (0.5)        Low Risk (10 x 0.5 = 5)      Medium Risk (50 x 0.5 = 25)    Medium Risk (100 x 0.5 = 50)
Low (0.1)           Low Risk (10 x 0.1 = 1)      Low Risk (50 x 0.1 = 5)        Low Risk (100 x 0.1 = 10)

Table 3.7 Risk Determination

 

3.7.1   Risk-Level Matrix

Vulnerability                              Likelihood   Impact        Score              Risk Level
Applications                               0.5          Medium (50)   0.5 x 50 = 25      Medium
Databases                                  0.5          High (100)    0.5 x 100 = 50     Medium
Server Configuration / Operating Systems   1.0          High (100)    1.0 x 100 = 100    High
Interconnections                           0.1          Medium (50)   0.1 x 50 = 5       Low
Protocols                                  0.5          Medium (50)   0.5 x 50 = 25      Medium

Table-3.7.1 Risk Level Matrix

 

3.7.2    Description of Risk Level

 

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10). A score of exactly 50, as for Databases, sits at the top of the Medium band; given the card and customer data involved it should be treated as the first Medium item to mitigate even though it does not cross into High.

Vulnerability                              Likelihood Level
Applications                               Medium
Databases                                  Medium
Server Configuration / Operating Systems   High
Interconnections                           Low
Protocols                                  Medium
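As an added worked example, not part of the original assessment, the following Python carries out the Step 7 computation with the weights from Tables 3.5 and 3.6 and the risk scale above, rebuilds the risk matrix from the products, and scores the five vulnerability categories with the likelihood and impact ratings used in this section. The code and its function names are this editor's, written to make the scale explicit.

```python
# Likelihood weights and impact scores as defined in Tables 3.5 and 3.6.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood, impact):
    """Risk = likelihood weight x impact magnitude (NIST SP 800-30, Step 7)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score):
    """Map a score onto the document's scale:
    High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix():
    """Rebuild Table 3.7 by product. A cell is rated by its score on the
    scale, not by which impact column it sits in, which is why the
    (Medium, High) cell comes out Medium and the (Low, High) cell Low."""
    matrix = {}
    for lik in LIKELIHOOD:
        for imp in IMPACT:
            score = risk_score(lik, imp)
            matrix[(lik, imp)] = (score, risk_level(score))
    return matrix


def assess(vulnerabilities):
    """Score (name, likelihood, impact) triples into rows of Table 3.7.1:
    (name, weight, impact score, product, risk level)."""
    rows = []
    for name, lik, imp in vulnerabilities:
        score = risk_score(lik, imp)
        rows.append((name, LIKELIHOOD[lik], IMPACT[imp], score, risk_level(score)))
    return rows


# The vulnerability categories of Table 3.3.1 with the ratings used in Table 3.7.1.
VULNERABILITIES = [
    ("Applications", "Medium", "Medium"),
    ("Databases", "Medium", "High"),
    ("Server Configuration / Operating Systems", "High", "High"),
    ("Interconnections", "Low", "Medium"),
    ("Protocols", "Medium", "Medium"),
]

if __name__ == "__main__":
    for name, weight, impact, score, level in assess(VULNERABILITIES):
        print("%-42s %.1f x %3d = %5.1f  %s" % (name, weight, impact, score, level))
```

Changing a rating in VULNERABILITIES and re-running is the quickest way to see which single control (for example reducing the Databases likelihood to Low) actually moves a row across a band boundary.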

 

3.8   STEP 8: Control Recommendations

 

The following section presents the system-related components with control recommendations that are intended to mitigate potential threats against DM Interactive system vulnerabilities.

 

Applications:  It is recommended that DM Interactive employ a system baselining (file integrity monitoring) tool. This is the easiest and most effective way to determine what, if anything, has changed on the system. If a change was anticipated and approved, the baseline is updated; if unauthorized changes are discovered, DM Interactive may be able to reverse them directly from the utility. Antivirus and anti-spyware tools are also recommended. Because the threat actions identified for this component (buffer overflows, backdoors, defacement) are exploited through the application itself, these host controls should be paired with input validation and output encoding in the application code and prompt patching of the web, application and database tiers.

 

Databases:  For database controls, the following areas of focus are recommended:

 

  • Server Security
  • Database Connections
  • Restricting Database Access

 

Since the database is not a web server, there should be no such thing as an anonymous connection. The database back end should never be on the same machine as the web server.  This makes sense not just for security, but also performance. If your database server is supplying information to a web server then it should be configured to allow connections only from that web server.  If it’s a back end for a web server, then only that web server’s address should be allowed to access that database server.  (Weidman, n.d.)

 

For users making database connections via a web page, validate every update before it reaches the database so that only warranted and well-formed data is accepted. Do not rely on stripping SQL syntax out of user-supplied input; that approach is brittle and is routinely bypassed. Instead, send user values to the database as bound parameters of prepared statements so they can never be interpreted as SQL, and reject at the application layer any input a normal user should never be submitting.
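The contrast between the two approaches, as an added example that is not code from the assessment or from DM Interactive's site: the vulnerable lookup splices the user's value into the query text, the hardened one binds it as a parameter and also screens the input against an allow-list before it is ever used. The customer table, its rows and the helper names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the customer table of Table 3.1.3;
# the schema is an assumption made for this example.
CUSTOMERS = [
    ("alice@example.com", "Alice Example", "Green Bay, WI"),
    ("bob@example.com", "Bob Example", "Milwaukee, WI"),
]

# Allow-list check: anything that is not shaped like an address is rejected
# up front. This complements parameter binding; it does not replace it.
EMAIL_RE = re.compile(r"[^@\s']+@[^@\s']+\.[A-Za-z]{2,}")


def make_db():
    """In-memory database seeded with the constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (email TEXT, name TEXT, address TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def looks_like_email(value):
    return EMAIL_RE.fullmatch(value) is not None


def find_customer_unsafe(conn, email):
    """Vulnerable: the value is pasted into the SQL text, so quotes and
    keywords in the input become part of the statement."""
    sql = "SELECT email, name, address FROM customer WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, email):
    """Hardened: the value travels as a bound parameter and is only ever
    compared literally against the email column."""
    sql = "SELECT email, name, address FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def lookup(conn, email):
    """What the web tier should call: validate, then query with a parameter.
    Returns None for input that no legitimate user would submit."""
    if not looks_like_email(email):
        return None
    return find_customer_safe(conn, email)


def demo():
    """Run the classic tautology payload through both lookups and return
    (rows leaked by the unsafe query, rows returned by the safe query)."""
    conn = make_db()
    payload = "' OR '1'='1"
    return len(find_customer_unsafe(conn, payload)), len(find_customer_safe(conn, payload))


if __name__ == "__main__":
    leaked, safe = demo()
    print("unsafe query returned %d rows, safe query returned %d rows" % (leaked, safe))
```

With the payload the unsafe statement becomes `WHERE email = '' OR '1'='1'` and returns every customer; the parameterized statement looks for a customer whose address is literally that string and returns nothing.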

 

There are many ways to restrict open access from the Internet and each database system has its own set of unique features as well as each OS.  Here are a few methods that are recommended for DM Interactive:

 

  • Trusted IP addresses – configure the database host to accept connections only from a short list of trusted hosts, normally just the web server, using the host firewall and the database's own host-based access controls (for example the listener or host-based authentication configuration). The UNIX rhosts file sometimes cited for this purpose governs trust for the legacy r-commands (rsh, rlogin), not ICMP or database connections, and should not be relied on.
  • Server account disabling – if the server ID is suspended after three failed password attempts, online guessing is thwarted. Without suspension, an attacker can run a program that tries millions of passwords until it finds the right user ID and password combination.
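An implementation of that lockout policy, added here as an example rather than taken from the assessment or from DM Interactive's system: three consecutive failures lock the account until an administrator releases it, and passwords are verified against salted PBKDF2 hashes with a constant-time comparison. The user name, password and store are constructed for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return (salt, digest) for storage; a fresh random salt per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_password(password, salt, digest, rounds=PBKDF2_ROUNDS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


class AccountLockout:
    """Lock an account after `max_failures` consecutive bad passwords; it stays
    locked until an administrator releases it, as the recommendation states."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = {}      # user -> consecutive failed attempts
        self.locked = set()

    def is_locked(self, user):
        return user in self.locked

    def record_failure(self, user):
        """Count a failure; return True if the account is (now) locked."""
        if user in self.locked:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)   # a good login resets the counter

    def admin_unlock(self, user):
        self.locked.discard(user)
        self.failures.pop(user, None)


def check_login(policy, store, user, password):
    """Authenticate against the constructed store, honouring the lockout state.
    Returns "ok", "denied" or "locked"."""
    if policy.is_locked(user):
        return "locked"
    entry = store.get(user)
    if entry is not None and verify_password(password, *entry):
        policy.record_success(user)
        return "ok"
    return "locked" if policy.record_failure(user) else "denied"


if __name__ == "__main__":
    policy = AccountLockout(max_failures=3)
    store = {"fan1": hash_password("correct horse")}      # constructed account
    for attempt in ("guess1", "guess2", "guess3", "correct horse"):
        print(attempt, "->", check_login(policy, store, "fan1", attempt))
    policy.admin_unlock("fan1")
    print("after admin unlock ->", check_login(policy, store, "fan1", "correct horse"))
```

Locking on the account name alone hands an attacker a way to lock legitimate customers out by deliberately failing their logins, so in practice this should be paired with per-source-address throttling and an alert on bursts of lockouts.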

 

Oracle has a wealth of authentication methods:

 

  • Kerberos security- This popular “ticket”-based authentication system sidesteps several security risks.
  • Role-based security- Object privileges can be grouped into roles, which can then be assigned to specific users.
  • Grant-execute security- Execution privileges on procedures can be tightly coupled to users. When a user executes the procedures, they gain database access, but only within the scope of the procedure.
  • Authentication servers-Secure authentication servers provide positive identification for external users.
  • Port access security – All Oracle applications are directed to listen at a specific port number on the server. Like any standard HTTP server, the Oracle Web Listener can be configured to restrict access.  (Weidman, n.d.)

 

Server Configuration / Operating Systems:  Recommend an automated mechanism to audit account creation, modification and disabling. Employ packet-filtering firewalls; restrict access to privileged functions (deployed in hardware, software and firmware) and to security-relevant information to explicitly authorized personnel. Automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded and keep them locked until released by an administrator. Employ a secure web server that uses Secure Sockets Layer (SSL), or its successor TLS, to establish an encrypted connection between the web server and the client using at least 128-bit symmetric encryption.
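The account-lockout control recommended here and under "Server account disabling" above can be shown in a few lines. The following is an added example, not code from the original assessment: a minimal login guard that locks an account after MAX_FAILURES bad passwords and keeps it locked until an administrator releases it. The credential store, user names and the lockout threshold of three are constructed for the demo; a real deployment would persist the counters and record every lockout in the audit log.

```python
"""Added example: lockout after repeated failures, released only by an admin.

The credentials passed to LoginGuard are constructed for illustration.
"""
import hashlib
import hmac
import os

MAX_FAILURES = 3  # matches the "three password attempts" recommendation


class LoginGuard:
    def __init__(self, credentials: dict):
        # Store salted PBKDF2 hashes, never the plaintext passwords.
        self._store = {}
        for user, password in credentials.items():
            salt = os.urandom(16)
            self._store[user] = (salt, self._hash(salt, password))
        self._failures = {user: 0 for user in credentials}
        self._locked = set()

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if user not in self._store:
            return "denied"            # same answer as a bad password
        if user in self._locked:
            return "locked"            # even the right password is refused
        salt, stored = self._store[user]
        if hmac.compare_digest(stored, self._hash(salt, password)):
            self._failures[user] = 0   # success resets the counter
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked.add(user)     # stays locked until admin_release()
            return "locked"
        return "denied"

    def is_locked(self, user: str) -> bool:
        return user in self._locked

    def admin_release(self, user: str) -> None:
        """Administrator action: clear the lock and the failure counter."""
        self._locked.discard(user)
        self._failures[user] = 0


if __name__ == "__main__":
    guard = LoginGuard({"webadmin": "correct horse"})
    for pw in ("bad1", "bad2", "bad3", "correct horse"):
        print(pw, "->", guard.attempt("webadmin", pw))
    guard.admin_release("webadmin")
    print("after release ->", guard.attempt("webadmin", "correct horse"))
```

Because a locked account refuses even the correct password, anyone who knows a user ID can lock its owner out; the guard therefore belongs behind per-source rate limiting, and each lockout should raise an alert so the administrator release is a deliberate, audited step.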

 

Interconnections:   An Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) should be deployed on the network to find network attacks, to analyze and correlate the resulting anomalies, and to react as needed. IDS/IPS devices help answer the following questions:

 

  • Is the organization under attack?
  • What IP/network is the source?
  • What IP/network is the target?
  • Which attack, if known, is being executed?

 

In a sense, an intrusion detection/prevention system provides visibility into the traffic crossing the network. An IDS/IPS is only as effective as the signatures it uses to detect intrusions, the network placement of its sensors, and the analyst examining its alerts; even so, it is a necessary and corroborating device in an organization's defense-in-depth strategy. (US CERT, 2005)
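To make the four questions above concrete, here is an added example (not from the original assessment or the US-CERT paper) of a toy signature-based detector run over constructed log lines. It reports, for each hit, the source, the target and the attack name. The log format, the addresses, the signatures and the port-scan threshold are all hypothetical; a production sensor would use a maintained rule set and would see packets, not application logs.

```python
"""Added example: signature matching over constructed log lines.

SAMPLE_LOG, LINE_RE, SIGNATURES and SCAN_PORT_THRESHOLD are constructed for
the demo; the addresses come from the documentation ranges (RFC 5737).
"""
import re
from collections import defaultdict

# Constructed lines: "src_ip dst_ip:port METHOD path" ("SYN -" = bare SYN).
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10:80 GET /roster.php?team=packers
198.51.100.7 203.0.113.10:80 GET /login.php?user=admin'%20OR%20'1'='1
203.0.113.44 203.0.113.10:80 GET /schedule.php?week=12
192.0.2.99 203.0.113.10:80 GET /../../etc/passwd
192.0.2.99 203.0.113.10:22 SYN -
192.0.2.99 203.0.113.10:23 SYN -
192.0.2.99 203.0.113.10:25 SYN -
192.0.2.99 203.0.113.10:3306 SYN -
192.0.2.99 203.0.113.10:1521 SYN -
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+)$")

# Content signatures applied to the request path (deliberately simple).
SIGNATURES = [
    ("SQL injection attempt", re.compile(r"('|%27)\s*(or|%20or%20)", re.I)),
    ("directory traversal", re.compile(r"\.\./")),
]
# Behavioural signature: this many distinct ports probed by one source.
SCAN_PORT_THRESHOLD = 5


def detect(log_text: str) -> list:
    """Return one alert dict per detection: source, target, attack."""
    alerts = []
    syn_ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed line: skip, never crash
        src, dst, port, method, path = m.groups()
        if method == "SYN":
            syn_ports[(src, dst)].add(int(port))
            if len(syn_ports[(src, dst)]) == SCAN_PORT_THRESHOLD:
                alerts.append({"source": src, "target": dst,
                               "attack": "port scan"})
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                alerts.append({"source": src, "target": f"{dst}:{port}",
                               "attack": name})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['attack']}: {a['source']} -> {a['target']}")
```

The limitation the text warns about is visible in the code: the injection signature only knows two spellings of the quote-OR pattern, so a request that encodes the quote differently or uses a comment instead of OR passes through untouched. That is why signature quality, sensor placement and an analyst reading the alerts decide how much the device is worth.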

 

Protocols:  Employ Internet Protocol Security (IPsec) to protect communications.

IPsec is the most commonly used network-layer security control for protecting communications. It was developed by the IPsec Working Group of the Internet Engineering Task Force (IETF) as a framework of open standards. Depending on the implementation and configuration, IPsec can provide the following types of protection:

 

  • Ensuring the confidentiality of data through the application of a cryptographic algorithm and a secret key known only to the two parties exchanging data. The transmitted data can be decrypted only by someone who holds the secret key.
  • Assuring the integrity of data through a message authentication code (MAC), a keyed cryptographic hash of the data that is sent along with it. If the recipient recalculates the MAC over the received data and it does not match the MAC that was sent, the data was changed in transit, whether intentionally or by accident.
  • Providing peer authentication to ensure that network traffic and data are sent from the expected host. The receiving IPsec endpoint can confirm the identity of the sending IPsec endpoint.
  • Providing replay protection to assure that the same data is not delivered multiple times and that the data is delivered in an acceptable order. IPsec cannot, however, ensure that the data has been received in the exact order in which it was sent.
  • Providing traffic-analysis protection by obscuring the identities of the endpoints (in tunnel mode, where the original packet is encapsulated) and, with padding, the size of the data. Someone monitoring network traffic may not be able to tell which parties are communicating, how often they communicate, or how much data is being exchanged.
  • Providing access control by assuring that only authorized users can access particular network resources. IPsec endpoints can also allow or block certain types of network traffic, for example allowing web server access while denying file sharing. (Radack, n.d.)
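Two of the protections listed above, integrity through a keyed MAC and replay protection through a sequence number and sliding window, are easy to misunderstand until you see the receiver's decisions. The following is an added example, not code from the original assessment or from NIST's bulletin, that models them the way ESP and AH do. Encryption and key exchange are omitted (in IPsec the key comes from IKE); the packet layout, the shared key and the window size are constructed for the demo.

```python
"""Added example: keyed MAC plus anti-replay window, ESP/AH style.

KEY, WINDOW and the 4-byte-sequence-number packet layout are constructed
for illustration and are not the real ESP or AH header formats.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key-for-demo"   # in IPsec this comes from IKE
WINDOW = 32                                 # anti-replay window size
TAG_LEN = 32                                # HMAC-SHA256 output length


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender: prepend a 32-bit sequence number, append the MAC over both."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.highest = 0     # highest sequence number accepted so far
        self.seen = set()    # accepted sequence numbers still inside the window

    def accept(self, packet: bytes):
        """Return (payload, 'ok') or (None, reason) for a dropped packet."""
        if len(packet) < 4 + TAG_LEN:
            return None, "truncated"
        header, body, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Integrity and peer authentication: wrong key or altered bytes fail here.
        if not hmac.compare_digest(tag, expected):
            return None, "bad MAC"
        seq = struct.unpack("!I", header)[0]
        # Replay protection: outside the window, or already accepted.
        if seq <= self.highest - WINDOW:
            return None, "too old"
        if seq in self.seen:
            return None, "replay"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            # Slide the window: forget entries that fell out of it.
            self.seen = {s for s in self.seen if s > self.highest - WINDOW}
        return body, "ok"


if __name__ == "__main__":
    rx = Receiver()
    p1, p2 = protect(1, b"hello"), protect(2, b"world")
    print(rx.accept(p2))                         # arrives first: ok
    print(rx.accept(p1))                         # out of order, in window: ok
    print(rx.accept(p1))                         # same packet again: replay
    print(rx.accept(p1[:4] + b"jello" + p1[9:])) # altered payload: bad MAC
```

Note what the receiver does and does not guarantee: packet 1 is accepted after packet 2, which is the "acceptable order" rather than the "exact order" the text distinguishes, while a second copy of packet 1 and any packet whose bytes or key differ are dropped before the payload is ever used.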

 

3.9   STEP 9: Results Documentation

 

This section provides the results of the risk assessment that describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation.

 

  • Risk Assessment Results

 

Each item records: Observation; Threat Source / Vulnerability; Existing Controls; Likelihood; Impact; Risk Rating; Recommended Controls.

Item 1
    Observation: Server configuration / operating system does not have a known good baseline configuration.
    Threat Source / Vulnerability: System / disaster recovery.
    Existing Controls: None.
    Likelihood: High.  Impact: High.  Risk Rating: High.
    Recommended Controls: Require the use of baselining tools.

Item 2
    Observation: Cross-site scripting.
    Threat Source / Vulnerability: Hackers / cross-site scripting.
    Existing Controls: None.
    Likelihood: Medium.  Impact: Medium.  Risk Rating: Medium.
    Recommended Controls: Validate all headers, cookies, query strings, form fields and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed.

Item 3
    Observation: Data could be inappropriately extracted from, or modified in, the DM Interactive database by entering SQL commands into input fields.
    Threat Source / Vulnerability: Hackers and criminals / SQL injection.
    Existing Controls: Limited validation checks on inputs.
    Likelihood: Medium.  Impact: High.  Risk Rating: High.
    Recommended Controls: Ensure that all parameters are validated before they are used. A centralized component or library is likely to be the most effective, as the code performing the checking should all be in one place. Each parameter should be checked against a strict format that specifies exactly what input will be allowed.

Item 4
    Observation: Web server and application server running unnecessary services.
    Threat Source / Vulnerability: All / unnecessary services.
    Existing Controls: None.
    Likelihood: Medium.  Impact: Medium.  Risk Rating: Medium.
    Recommended Controls: Reconfigure systems to remove unnecessary services.

Item 5
    Observation: Disaster recovery plan has not been established.
    Threat Source / Vulnerability: Environment / disaster recovery.
    Existing Controls: Weekly backup only.
    Likelihood: Medium.  Impact: High.  Risk Rating: Medium.
    Recommended Controls: Develop and test a disaster recovery plan.

Item 6
    Observation: Protocols.
    Threat Source / Vulnerability: Hackers and criminals / a multitude of attacks such as TCP connection spoofing, IP spoofing, smurf and SYN flood.
    Existing Controls: Solutions above the transport layer (i.e., SSL and SSH) do not protect against DoS attacks caused by spoofed packets.
    Likelihood: Low.  Impact: Medium.  Risk Rating: Medium.
    Recommended Controls: Implement IPsec.


Appendix A:  References

 

Bradley, T. (n.d.).  Introduction into Vulnerability Scanning.  Retrieved November 22, 2007 from http://netsecurity.about.com/cs/hackertools/a/aa030404.htm

FDIC – Federal Deposit Insurance Corporation. (1999, July).  Risk Assessment Tools and Practices for Information System Security.  Retrieved November 22, 2007 from http://www.fdic.gov/news/news/financial/1999/FIL9968a.HTML

Houston Business Journal. (n.d.).  Green Bay Packers, Inc. Profile.  Retrieved November 24, 2007 from http://www.bizjournals.com/houston/gen/company.html?gcode=0ED6ECA3996D4A3B84C9E570D3DB64F5

Hurwitz Group, Inc. (2001, May).  Common Vulnerabilities in Database Security.  Retrieved November 30, 2007 from http://database.ittoolbox.com/pub/AM101502d.pdf

Kennedy, S. (2005, February).  Common Web Application Vulnerabilities.  Retrieved November 30, 2007 from http://www.computerworld.com/printthis/2005/0,4814,99981,00.html

Maxcer, C. (2007).  Patriots Pummel StubHub – 13,000 to Nothing.  Retrieved October 23, 2007 from http://www.technewsworld.com/story/59918.html

NIST – National Institute of Standards and Technology. (2003, February).  Special Publication 800-18: Guide for Developing Security Plans for Information Technology Systems.  Retrieved November 30, 2007 from http://csrc.nist.gov/publications/nistbul/html-archive/april-99.html

NIST – National Institute of Standards and Technology. (2006, December).  Special Publication 800-53: Recommended Security Controls for Federal Information Systems.  Retrieved November 30, 2007 from http://csrc.nist.gov/publications/PubsDrafts.html

Radack, S. (n.d.).  Protecting Sensitive Information Transmitted in Public Networks.  Retrieved December 1, 2007 from http://www.itl.nist.gov/lab/bulletns/bltnapr06.htm

Schneier, B. (2007, April).  2006 Operating System Vulnerability Study.  Retrieved November 30, 2007 from http://www.schneier.com/blog/archives/2007/04/2006_operating.html

U.S. CERT. (2005, May).  White Paper: Current Malware Threats and Mitigation Strategies.  Retrieved November 30, 2007 from http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf

Weidman, B. (n.d.).  Database Security: Common-Sense Principles.  Retrieved December 1, 2007 from http://www.governmentsecurity.org/articles/DatabaseSecurityCommon-sensePrinciples.php

www.faqs.org. (2006, October).  RFC 4593 – Generic Threats to Routing Protocols.  Retrieved November 30, 2007 from http://www.faqs.org/rfcs/rfc4593.html

 

 

Figure Caption

Figure 1. Enhanced Windows Metafile image of the flow diagram.

Figure 2. JPEG image of the web application components.