Security for Web 2.0 and Externally Hosted Technologies
Simon Szykman, Chief Information Officer
National Institute of Standards and Technology
Mar 13, 2016
What is External Hosting?
• Any external information system operated on behalf of an agency, including web applications
What is Web 2.0?
• “...a broad collection of recent trends in Internet technologies and business models. Particular focus has been given to user-created content, lightweight technology, service-based access and shared revenue models.” (Gartner, 2006)
• Web 2.0 is not any one single thing; it frequently involves external hosting.
Dissemination of information to the public using third party sites.
Collaboration, both public and private, using third party sites and applications.
Using a service from a third party hosted application:
• Payment processing
• Emergency notification systems
• Scientific applications
• HR applications
Open, collaborative web applications can be more difficult to protect.
New technologies are increasingly available and easy to use – users may not understand who they’re actually sharing information with.
Focus is on functionality and speed of use - not on weighing the risks.
Agency websites or those provided on behalf of your agency could be defaced or compromised through new technical vulnerabilities.
Sites could be used to target users through browser vulnerabilities or social engineering.
Compromised site could be used as a launching point for attacks against other sites/systems.
Sensitive information could be lost. Compromised site could be used to disseminate false or altered information. Reputation could be harmed, eroding public and Congressional confidence.
January 27th - My.BarackObama.com Infects Visitors With Trojan
February 12 - Digg.com Hit By Comments Spam That Leads To Malware
February 21 - Travel-Booking Site for Federal Agencies Hacked
February 27th - Facebook Users Are Still Abused By Rogue Applications
March 2nd - New Worm Spreads Across Facebook, MySpace, Hi5 And Other Social Networks
March 9th - Spam from 750 Compromised Twitter Accounts Invites Users To Visit Porn Website
March 11th - Google Docs Users May Have Had Their Documents Shared With Strangers
All Federal Government IT, IT services, and IT services being operated on behalf of the Federal Government must be tested and authorized.
The head of each agency shall provide “information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of
• information systems used or operated by an agency or
• by a contractor of an agency or
• other organization on behalf of an agency”
Web 2.0 and externally hosted services are an extension of the Federal organization
Need to apply Risk Management Framework to these technologies.
If an incident happens, no amount of third-party (ir)responsibility will avert agency accountability.
Regulations require implementing and validating controls specified in federal security standards.
• Includes Information, IT, Physical and Personnel security requirements.
What must be implemented and how it is implemented depends on impact to the mission.
• Low impact systems: 101 controls
No-impact systems don’t exist. Policies are based on standards as well as current threats and risks.
OMB Circular A-130, Appendix III:
"adequate security" means security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Point of testing is to document everything so that the Authorizing Officials can make an informed decision on risk.
With third party IT services, you probably will not be able to test everything.
There will probably be failures that cannot be fixed. Scope controls, look at mitigations. Must get to the point of “adequate security” where there is a balance. Authorizing Officials must feel that the risks are balanced by the mitigations.
Testing divided into two areas:
• Testing of what the third party controls
• Testing of what the Federal agency controls
Analyze all controls to determine scope.
Depth of testing will be based on impact.
Could include:
• Previous security audits (internal or external)
• Interviews - in person, phone
  Risk of relying on interview, not test
• C&A (or equivalent) documents from the vendor
  Contingency plans, system diagrams, documented access controls, maintenance procedures, vulnerability scan results, personnel security practices, physical security documentation, software and hardware inventories, etc.
• Tests that the third party permits the agency to perform
• Continuous monitoring or equivalent
• Remediation plans and activities (POA&Ms)
• Company reputation – news reports
Internal testing (internal to the Federal agency): Assess what is controlled on your side
• Password controls or controls on access to hosted application or information
• Authorization policies/procedures
• Disaster recovery
• Incident response
• Procedures for interfacing with third party
Case 1 - YouTube:
• Hosting publicly available data only on www.youtube.com
• What is the risk? Site could be defaced / videos replaced, causing possible erosion of NIST’s reputation. Data cannot be stolen; it is already publicly available.
• How tested? Ensured proper incident response in case of defacement. Scoped and tested other applicable controls. Accepted some risk for not fully testing all possible controls, based on impact of data and impact of a compromise as well as company reputation.
Case 2 – Emergency Notification System:
• Third party hosts NIST staff contact information. NIST can access via third party web site in case of an emergency and issue emails or phone calls to staff.
• What is the risk? Contact information includes PII. Compromise of system could result in PII loss or issuing false emergency announcements.
• In this case another agency (GSA) did full C&A against FISMA regulations. Examined GSA’s C&A packet, comfortable with results and moved forward.
• Conducting additional local testing of things within NIST’s control and risk assessment before going live.
Apply the Risk Management Framework.
• Assess as much of the security picture as possible, locally and on the third-party side.
Examine total cost of ownership. Look at security as part of cost; don’t always go for the lowest bidder.
Limit access to applications and information to only those that need access.
Develop and document procedures so everyone knows what to do when something unexpected happens.
Create policy on Web 2.0. Excerpt from NIST Web 2.0/Social Media Policy:
Web 2.0 or social media software and services often present computer security issues beyond those created with static Web pages. Use of Web 2.0 software or services for deploying official NIST Web content must ensure compliance with NIST and DOC information system security policies. For example, software or services must be tested for security vulnerabilities and formally approved prior to use by the Office of the Chief Information Officer (i.e., through the NIST IT Security Certification and Accreditation process). In addition, NIST OUs must ensure that NIST-hosted software and services are aligned with the existing and planned NIST information technology infrastructure.
Ensure that Access & Use Policies for individuals account for social media and web 2.0 technologies.
Make sure that internal customers know to engage CIO/security staff (early!) when exploring the use of web 2.0 technologies and deployment of externally hosted applications/services.
Make sure clear security requirements are documented in contracts.