Chief Security Officer White Paper Series for SPI Dynamics

CSO White Paper Series
Protecting Privacy with Web Application Security
Featuring SPI Dynamics WebInspect™

By Jim Reavis
November, 2003
Copyright 2003, Reavis Consulting Group

Table of Contents

Introduction, page 2
The Need for Online Privacy, page 2
Web Servers: the Conduit for Privacy Leaks, page 4
Using SPI Dynamics WebInspect to protect Web Servers against privacy leaks, page 6
Summary, page 7
References, page 8
About, page 8

Introduction

Enterprises of all types have made information privacy a high-priority issue. While regulated industries such as healthcare and finance receive much of the attention, all businesses are at risk of expensive civil litigation due to privacy violations. This paper explains how web servers are the main conduits for violating the privacy of customer and employee information, and how SPI Dynamics WebInspect is the essential technology to protect electronic privacy.

The Need for Online Privacy

The loss of privacy is one of the most profound problems of our age. While privacy was not an enumerated right in some of the great founding documents of Western Civilization, such as the Declaration of Independence or the U.S.
Constitution, the idea that a person can keep a substantial portion of their life concealed from all others has been an implicit assumption we have all made. However, the notion of a fundamental right to privacy has been under assault from technology advances that have created the capability to monitor who we are, where we go and the decisions we make down to the most minute detail.

In the online world, the privacy problem manifests itself in many ways. It is often necessary to share personally identifiable information (PII) in order to shop, meet friends and pursue our interests. In addition, many of the core activities of our life are finding their way online: the medical attention we have sought, the legal battles we have fought, the political candidates we support, etc. To make the privacy problem worse, technology has found many methods to compile the PII we have knowingly and unknowingly provided, creating frighteningly accurate personal profiles. This information can be used to provide more targeted marketing of products that are appropriate to our tastes, but it can also unleash a barrage of unwanted attention based upon a single visit to a certain web site at some point in the past.

While many of these privacy affronts may be objectionable, they are often legal. However, illegal uses of private information abound on the Internet: stolen credit cards, identity theft and blackmail are but a few. Organizations of all sizes are learning that many constituencies care about the loss of privacy. Governments of the world, consumer advocacy groups and corporations are united in their concern for protecting online privacy, if not united in their motives and methods for privacy safeguards.

Sidebar: Marketplace Concerns over Privacy
78% of the public have refused to provide information to a business because they thought it was too personal or not needed (Harris Interactive / IBM)
Privacy concerns are the #1 reason off-line people do not go online (Consumer Privacy Survey)
92% of online families do not trust online companies to safeguard their information (Odyssey Research, 2001)

Government concern for information privacy has grown markedly since large-scale commercialization of the Internet began in the early 1990s. The general trend has been to start with regulations targeted at industries deemed to have the most sensitive consumer information, and to gradually encompass most market segments to some degree. Among the notable regulations worth highlighting:

GLBA. The Gramm-Leach-Bliley Act mandates that financial institutions provide privacy protection for private customers. Passed by Congress in 1999, GLBA has three broad privacy prescriptions: customer data must be adequately secured to prevent compromise, financial institutions must disclose their policies for sharing information, and an "opt-out" option must be provided for customers who do not want certain personal information disclosed.

HIPAA. The Health Insurance Portability & Accountability Act of 1996 requires any healthcare organization to secure "individually identifiable health information". HIPAA affects a wide range of healthcare providers, insurance companies, and other organizations providing services within the industry that bring them into contact with patient data. The fines can be steep: $25K for multiple violations and $250K for malicious misuse of patient data, but these amounts are paltry compared to the cost of civil litigation.

COPPA. The Children's Online Privacy Protection Act became law in 2000. It is designed to guard against the collection of personal information from children under the age of 13. The Act spells out specific information that can be collected, how privacy policies must be displayed, parental consent, and many other provisions.
The law is administered by the Federal Trade Commission, which has levied substantial fines on several e-commerce businesses.

California SB 1386. Also known as the Security Breach Notification Act, SB 1386 is an important development in privacy legislation that was enacted in 2003. This law applies to all industries, and requires public notification of all customers who reside in California if the organization in question suspects that a security breach may have compromised personal information. According to the language of the law, the business does not need to be headquartered in California; it merely needs to have a single customer there. Interestingly, organizations that encrypt customer data are exempt from the reporting requirements. As with many laws targeted at online business activities, many businesses are waiting to see how the court system interprets this law after a legal challenge. However, as of this writing, no fewer than ten other states are considering implementing similar legislation, and some representatives in the U.S. Congress are proposing a federal version. We feel that SB 1386 in some form and similar laws are here to stay.

European Union Directive on Data Protection. The EU Directive, passed in 1998, is meant to protect the privacy of citizens of member nations, and prohibits the transfer of personally identifiable information to non-European Union nations that do not meet EU standards for privacy protection. A "Safe Harbor" agreement was reached between the U.S. and the EU, allowing U.S. companies to continue doing business with European citizens by complying with equivalent standards for privacy protection.

Sidebar: The FTC and Microsoft Passport
The Federal Trade Commission announced a settlement with Microsoft in August of 2002 over misleading privacy statements regarding its Passport authentication service. The FTC asserted Microsoft provided less security for Personally Identifiable Information (PII) than it claimed, and also collected more extensive personal information than it disclosed. As part of the settlement, Microsoft will submit to annual audits by the FTC for 20 years.

It is clear that the many wonderful benefits of the global Internet come at a price to our individual privacy. The invasive power of technology will need to be countered both by legal means and through technology designed to enhance privacy protection.

Web Servers: the Conduit for Privacy Leaks

Web servers are the primary culprits for divulging Personally Identifiable Information. A majority of documented privacy violations are based upon web application vulnerabilities, which is only logical, as the web server is every corporation's public face.

In some cases, the web server contains the PII itself. In very basic web server implementations, often in support of small and medium-sized businesses, all data is stored on a single server. Worse yet, these servers commonly use insecure default settings, and very little care is taken to secure them. An attacker generally needs to find just a single problem to compromise the server and obtain the personal information. However, even very large, sophisticated organizations have left sensitive PII on the web server by following poor programming practices. For example, developers will often use temporary files to capture personal information. The files may contain sensitive data that is posted to a database, but they are not deleted in a timely manner after the post process and accumulate on the web server.

More often, the web server acts as a conduit to sensitive personal information stored elsewhere. This is difficult to prevent without proactive, secure application design considerations.
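
The stale temporary-file problem described above, as an added example that is not taken from the paper or from WebInspect: a scanner walks a web root, skips files young enough to belong to a request still in progress, and reports older files that contain SSN- or card-number-like data (a Luhn check keeps ordinary digit runs such as order ids out of the report). The directory layout, file names, age threshold and sample contents are constructed for the demonstration.

```python
import os
import re
import tempfile
import time

# Patterns for the two kinds of PII the paper highlights: SSNs and card numbers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(number: str) -> bool:
    """Luhn check so that ordinary digit runs are not reported as card numbers."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number) if c.isdigit()):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_webroot(root: str, max_age_days: float) -> list:
    """Return (relative path, age in days, PII kinds) for stale files holding PII."""
    now, findings = time.time(), []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            age_days = (now - os.path.getmtime(path)) / 86400
            if age_days < max_age_days:
                continue  # fresh file: may still belong to a request in progress
            with open(path, "r", errors="replace") as fh:
                text = fh.read(200_000)  # a bounded read keeps large files cheap
            kinds = ["ssn"] if SSN_RE.search(text) else []
            if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
                kinds.append("card")
            if kinds:
                findings.append((os.path.relpath(path, root), round(age_days), kinds))
    return sorted(findings)

def build_fixture() -> str:
    """Constructed sample web root (no real data) with back-dated file mtimes."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.mkdir(os.path.join(root, "tmp"))
    samples = {  # relative path: (contents, age in days)
        "tmp/order_1001.tmp": ("name=Alice Example&card=4111 1111 1111 1111\n", 30),
        "tmp/intake_77.txt": ("ssn=123-45-6789 plan=gold\n", 12),
        "tmp/in_flight.tmp": ("ssn=987-65-4321\n", 0),  # too new to report
        "index.html": ("<p>Order id 1234567890123456</p>\n", 90),  # fails Luhn
    }
    for rel, (body, age) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(body)
        stamp = time.time() - age * 86400
        os.utime(path, (stamp, stamp))
    return root
```

Running scan_webroot(build_fixture(), 7) reports the two stale files under tmp/ and nothing else; the in-flight file is skipped by age and the order id in index.html fails the Luhn check.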
The implicit "web of trust" creates situations where a compromised web server is able to freely query backend database servers, which are programmed to trust requests originating from their web server. Figure 1 demonstrates how this web of trust can allow a hacker to access sensitive personal information from deep within a corporate network, no matter how many layers of firewall protection are in place. An attacker coming from the Internet can exploit application-layer vulnerabilities to compromise the DMZ-situated web server. The compromised web server can relay data requests to an application server located within a trusted network, bypassing a second layer of firewall protection. Finally, the application server can retrieve sensitive data from a database server deep within the corporate network. This sensitive data can then be sent to the attacker on the Internet, who has created a privacy violation without directly breaching several layers of firewall protection and without having access credentials to the database server.

Figure 1 - Breach Threats from Web Application Trust (source SPI Dynamics)

Within virtually every organization, the web servers are the primary computer systems that have the "bull's eye" painted on them from the perspective of the hacker. While a defaced home page is bad enough, SQL Injection and Cross-Site Scripting attacks lay bare the contents of sensitive databases that may contain customer information. It is simply not an option to disassociate these databases from the web of trust; instead, we must design our applications and systems according to the principle of least privilege. Web server default configurations must be diligently changed to more secure settings.
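
The least-privilege design the paragraph above calls for, as an added example that is not from the paper or from SPI Dynamics: the web tier's database connection is restricted so that even a fully compromised web server relaying arbitrary queries cannot read the PII columns or modify anything. SQLite's authorizer callback stands in for the per-account grants a production database would use; the table, columns and customer rows are constructed for the demonstration.

```python
import sqlite3

# Columns the web tier never needs in clear; reads of them come back as NULL.
SENSITIVE_COLUMNS = {("customers", "ssn"), ("customers", "card_number")}

def web_tier_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Read-only policy: allow SELECT, blank sensitive columns, deny everything else."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
        if (arg1, arg2) in SENSITIVE_COLUMNS:
            return sqlite3.SQLITE_IGNORE  # the column reads back as NULL
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # INSERT, UPDATE, DELETE, DROP... never run from the web tier

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data (no real customers), loaded with full rights."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
                 "email TEXT, ssn TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        (1, "Alice Example", "alice@example.test", "123-45-6789", "4111111111111111"),
        (2, "Bob Example", "bob@example.test", "987-65-4321", "5500000000000004"),
    ])
    conn.commit()
    return conn

def apply_web_tier_policy(conn: sqlite3.Connection) -> None:
    """Stand-in for handing the web server a least-privilege database account.
    Install it before the web tier prepares any statement: the authorizer runs at
    prepare time, and Python's sqlite3 caches prepared statements."""
    conn.set_authorizer(web_tier_authorizer)

def lookup_email(conn, name):
    """The intended use: a parameterised lookup of one non-sensitive field."""
    row = conn.execute("SELECT email FROM customers WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def dump_customers(conn):
    """What a fully compromised web tier could ask for: the whole table."""
    return conn.execute("SELECT id, name, ssn, card_number FROM customers").fetchall()

def try_delete_all(conn) -> str:
    """Any write issued through the web tier is refused before it executes."""
    try:
        conn.execute("DELETE FROM customers")
        return "executed"
    except sqlite3.DatabaseError as exc:
        return "denied: " + str(exc)
```

With the policy applied, dump_customers returns the rows with ssn and card_number as None and try_delete_all reports the statement as denied, while the parameterised lookup still works.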
Furthermore, we must harden our web applications to prevent manipulation of web queries and forms, which allows attackers to exploit the "web of trust" to violate your customers' privacy.

Using SPI Dynamics WebInspect to protect Web Servers against privacy leaks

SPI Dynamics' WebInspect is a family of web assessment products capable of automatically discovering and reporting a comprehensive list of vulnerabilities affecting the entire web server environment, including application and database servers. By implementing a compliance wizard system in version 4, WebInspect has the capability to map these vulnerabilities to regulatory violations, simplifying the process of privacy compliance with HIPAA, GLBA, Sarbanes-Oxley and SB 1386. In addition, the compliance wizard capabilities are configurable and can be customized to recognize best practices such as ISO 17799, NIST, or internal standards that may provide superior risk mitigation of web-based threats.

WebInspect can be used by all stakeholders concerned with application security and privacy:

Application Developers. As was mentioned in our previous white paper, Managing Risk and Reducing the Cost of Web Application Security, each dollar spent in identifying security vulnerabilities during the application design phase saves $60 during the production phase. Before ever writing a line of code, developers should have awareness training regarding corporate privacy standards as well as education in secure programming practices. Developers can, for example, use WebInspect to provide modular testing of their software components to ensure that all password requests provide field masking.

Quality Assurance. QA teams perform regression testing to identify security vulnerabilities missed by developers.
They will often push more scenarios at the software than the developers are able to, and force the software to interoperate with products that may create compatibility issues. The automation of WebInspect allows the QA team to do more regression testing with fewer resources, and can also allow QA to perform privacy-specific testing.

Security Operations. Security engineers will have a different perspective in testing for security vulnerabilities that can create privacy breaches. They are charged with operating an application securely in production, which will cause the application to interact with system components not foreseen by the original developer. For example, legacy network infrastructure may force applications to communicate with downgraded and less secure versions of Secure Sockets Layer (SSL), creating a new vulnerability not present in the developer's lab. Security operations can use WebInspect with a modified policy to perform more holistic types of tests.

Audit. By having an intimate knowledge of regulatory compliance and key business drivers, auditors can use WebInspect's compliance templates to provide authoritative reports demonstrating compliance status. In Figure 2, WebInspect's Policy Manager is being configured to search for policy issues related to SB 1386. In this example, web server applications are being checked for proper authentication and encryption criteria. By knowing ahead of time that proper encryption is in place, the organization may be exempted from the notification requirements of the regulation. WebInspect can provide the auditor with a pass/fail grade on specific compliance issues.

Figure 2 - WebInspect Policy Manager (source SPI Dynamics)

Summary

It can take many years for a business to earn its customers' trust, but it can all be lost in a nanosecond.
Disclosing a customer's personal information is one of the most serious failures of an organization, and can even be its death knell. Regulatory violations and fines related to HIPAA, GLBA, Sarbanes-Oxley and SB 1386 can pale in comparison to the damages suffered from litigious customer advocates, bad publicity and a loss of reputation. The damages caused by privacy glitches are difficult to predict and represent a wildcard that Chief Security Officers must face. It is incumbent upon CSOs to develop privacy programs that teach security and privacy awareness to all stakeholders of the application development lifecycle, and to make privacy checkups inherent throughout this lifecycle. We also recommend that Chief Security Officers prioritize the quantification of risk due to privacy violations within their organization. Key to understanding this risk is assessing the web security measures currently in place to protect personally identifiable information (PII). WebInspect from SPI Dynamics is a strategic component of privacy risk assessment and has unique capabilities to map privacy vulnerabilities back to specific regulatory requirements. Assuring privacy is more than an event; it is a continuous process, and automated web application security assessment is critical to all phases of this process.
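
As an added illustration of the kind of automated checks the paper describes (the password field-masking test for developers, and the authentication and encryption criteria in the Figure 2 policy), not part of the paper or of WebInspect: a small page auditor that flags secret-bearing inputs rendered as visible text and credential forms whose action does not resolve to an https URL. The page URL, the HTML and the field-name hints are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SECRET_HINTS = ("pass", "pwd", "secret")  # field names that should be masked

class FormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # one dict per <form>: its resolved action and inputs
        self.current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # a relative action resolves against the page URL
            self.current = {"action": urljoin(self.page_url, a.get("action") or ""),
                            "inputs": []}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            self.current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit_page(page_url: str, html: str) -> list:
    """Return (form action, issue) pairs; an empty list means both checks passed."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    issues = []
    for form in auditor.forms:
        carries_credentials = False
        for inp in form["inputs"]:
            name = (inp.get("name") or inp.get("id") or "").lower()
            itype = (inp.get("type") or "text").lower()  # <input> defaults to text
            if itype == "password":
                carries_credentials = True
            elif itype == "text" and any(h in name for h in SECRET_HINTS):
                carries_credentials = True  # a secret typed into a visible field
                issues.append((form["action"], f"unmasked secret field '{name}'"))
        if carries_credentials and urlsplit(form["action"]).scheme != "https":
            issues.append((form["action"], "credentials submitted without TLS"))
    return issues

# Constructed sample page (not from any real site) exercising both checks.
SAMPLE_URL = "https://shop.example.test/account/login"
SAMPLE_HTML = """
<form action="/account/login" method="post">
  <input name="user" type="text"><input name="password" type="password">
</form>
<form action="http://legacy.example.test/reset" method="post">
  <input name="email" type="text"><input name="new_pwd" type="text">
</form>
<form action="/newsletter"><input name="email"></form>"""
```

audit_page(SAMPLE_URL, SAMPLE_HTML) passes the login form, reports the reset form twice (unmasked new_pwd field, http action) and ignores the newsletter form.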
References

Center for Democracy & Technology, "Briefing on European Union Data Directives", December 1999. http://www.cdt.org/privacy/eudirective/
Department of Commerce, Department of Commerce Safe Harbor Site, July 2000. http://www.export.gov/safeharbor/
Electronic Privacy Information Center. http://www.epic.org/
Phoenix Health Systems, "HIPAA Primer", March 2003. http://www.hipaadvisory.com/regs/HIPAAprimer1.htm
Reavis Consulting Group, "Managing Risk and Reducing the Cost of Web Application Security", October 2003. http://www.spidynamics.com/
SPI Dynamics, "Achieving GLBA Compliance for Web Applications Through Security Testing", October 2003. http://www.spidynamics.com/whitepapers/WebInspect_GLBA.pdf

About

The CSOinformer™ White Paper Series is a service of Reavis Consulting Group. All content, unless otherwise noted, is the sole property of Reavis Consulting Group. Please send all inquiries to:

Reavis Consulting Group
2553 Crescent St
Ferndale, WA 98248
(360) 739-9629
(360) 380-1119 Fax
www.reavis.org
www.csoinformer.com
research@csoinformer.com