2.3.15. Risk Limit Control:
Application services exist to minimise and mitigate against risk by provision of adequate limits and controls to prevent unwanted consequences.   While humans shall probe and push the limits, internal controls must be able to cope and impose adequate limits that keep risk within documented boundaries.
Where an application service is given the responsibility to make a calculation, no matter how trivial that calculation, the input data to the calculation must be complete and correct.   Data integrity must have limits and controls to ensure that an invoice for 0.01 is not generated and a due date is not set 12 years into the future.   The application is defective where its calculated values are illogical and it has inadequate controls to prevent such problems.

Options:
As far as is possible, data entry should be provisioned by drop-down lists where the permitted values are all within designed limits.   Every free-format text field value is by definition high risk and should only be used for descriptive purposes.

Rule:
Calculations must only be done using field values that have been selected from a list or are restricted to certain permitted values by edit controls, such as numeric amounts.   Calculations must not be performed where text entry is not formally validated to be in accordance with documented limits.
The most effective way to demonstrate good design is where drop-down lists are employed that dictate that only valid data can be entered, so data quality is maximised.   Poor application design is where free-format text is employed for other than descriptive purposes.

Architect:
It is not acceptable to blame the user for poor design.   Where the user states their business requirements, it is the role of the architect to translate that business requirement into an acceptable application design in accordance with risk analysis.
The classic problem is where a user intended to enter 1234 but actually entered 134: what controls can be built into the application service to identify that the number entered is only 10% of what was expected to be entered?   Limit controls must be added to minimise the risk of free-text data entry fields with internal validation, verification and range checks.
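The limit controls described in the Options, Rule and Architect paragraphs above, as an added example in Python (this is not code from the page or from the application service provider): a list-driven field that accepts only permitted values, a numeric edit control with documented limits, a date range check that stops a due date years ahead, and a plausibility check that holds an amount far from the expected value for verification (the 1234 typed as 134 case). The field names, the currency list, the limits and the 0.5 plausibility ratio are constructed assumptions.

```python
"""Limit controls on calculation inputs.

Added example, not the application service provider's own code.  Field
names, permitted values, limits and the plausibility threshold are all
constructed for illustration.
"""
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation

# List-driven field: only these values can be selected (constructed).
CURRENCIES = {"GBP", "EUR", "USD"}

# Documented limits for edit-controlled fields (constructed).
MIN_AMOUNT = Decimal("1.00")          # rules out an invoice for 0.01
MAX_AMOUNT = Decimal("1000000.00")
MAX_DUE_DAYS = 365                    # rules out a due date years ahead

# An amount below this fraction of the expected value (or above its
# inverse times it) is held for verification: the 1234 typed as 134
# problem.  Constructed threshold.
PLAUSIBILITY_RATIO = Decimal("0.5")


def _as_date(value):
    """Accept a date or an ISO string; return None when it is neither."""
    if isinstance(value, date):
        return value
    try:
        return date.fromisoformat(str(value))
    except ValueError:
        return None


def check_invoice(fields, expected_amount=None, today=None):
    """Validate one invoice entry against the documented limits.

    Returns a list of error strings.  Only an empty list means the values
    may be used in a calculation; nothing is derived from unchecked input.
    """
    today = _as_date(today) if today is not None else date.today()
    errors = []

    # List-driven field: anything outside the permitted set is rejected.
    if fields.get("currency") not in CURRENCIES:
        errors.append("currency: not a permitted value")

    # Numeric edit control: must parse as a finite number, then must lie
    # within the documented range.
    try:
        amount = Decimal(str(fields.get("amount", "")))
    except InvalidOperation:
        amount = None
    if amount is None or not amount.is_finite():
        errors.append("amount: not numeric")
    elif not MIN_AMOUNT <= amount <= MAX_AMOUNT:
        errors.append("amount: outside documented limits")
    elif expected_amount:
        # Plausibility check against what the business expected to be
        # entered; a dropped digit shows up as an order-of-magnitude gap.
        ratio = amount / Decimal(str(expected_amount))
        if ratio < PLAUSIBILITY_RATIO or ratio > 1 / PLAUSIBILITY_RATIO:
            errors.append("amount: implausible against expected value, verify")

    # Date range check: a due date must be after today and within the limit.
    due = _as_date(fields.get("due_date"))
    if due is None:
        errors.append("due_date: not a valid date")
    elif due <= today:
        errors.append("due_date: not after today")
    elif due > today + timedelta(days=MAX_DUE_DAYS):
        errors.append("due_date: too far in the future")

    return errors
```

The function returns every failed control rather than stopping at the first, so the user is told about all of the problems in one round trip; the plausibility check is only reached for an amount that has already passed the hard limits, because a value outside the documented range is rejected outright rather than merely held for verification.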

4.1 Business Sector
The application service provider operates in the business-to-business (B2B) sector where every user is authorized by a senior manager to sign-in to undertake very specific business tasks.   This is very different from a Business-to-Consumer (B2C) application where members of the public can self-register.   Where an authorized user is found to be misusing (hacking) the application, they will be prevented (blacklisted) from doing business again and may be dismissed by their employer as criminals.

4.2 Attack Surface
The application service provider operates Internet applications that may be attacked by people in all parts of the world at any time, but such attacks are limited to what visitors are able to view.   Each application can be defined in two parts as:
1. Public web pages, such as the home page, that anybody can view and that Google and other search engines copy, so once a page is publicly published it cannot be deleted.
2. Private web pages such as the welcome page that only authorized users can view and search engines cannot copy.

4.3 Denial of Service (DoS)
While every consumer web site may be susceptible to a DoS attack, it is less likely to be a significant threat to a business-to-business Internet application.   The solution that has emerged over the last decade is simply to switch to a backup data center and let the DoS attack fight with the firewall.   As an objective of a DoS attack is to close the Internet application, the more pragmatic solution is to close the domain and open up another domain on another data center.   When www.sis-management.eu is not available, then www.sis-management.com or www.sis-management.biz or www.sis-management.info may be used.   It is likely that the attack will cause a short disruption while users switch to another domain.
It is recommended that a DoS attack is not included in any test plan, as the Internet application is sure to be locked out and users inconvenienced.   The application is not designed to continue in use during an extended DoS attack; a massive injection of cash would enable a wide number of web servers and firewalls to cope with whatever a criminal could send to the data center, but the cost of maintaining 1000 times the bandwidth that is typically used, in order to handle a theoretical DoS attack, may not be considered cost effective.

4.4 Competitive Intelligence Threat
While it is easy to classify all attacks as criminal, it is essential to build a picture of who could gain from any attack.   While a competitor may not have the in-house skills to launch a competitive intelligence attack, they may have the finances to motivate others to see what they can glean.   What may begin as idle curiosity can become motivated by a no-win-no-fee agreement where the hacker is determined to find some problem.   While a modest amount of resources can be justified to test that this kind of attack is thwarted, the real prize is to deliver Internet applications that are cost effective and fit for purpose.
If it costs £100,000 to develop the application, should a further £20,000 be invested to prove that it is fit for purpose?   It is a business decision as to the level of compliance verification that is required and what can be cost justified.

4.5 User Threat
Users are authorized people who are managed in a business environment to use applications in a professional way.   Users are trusted not to be criminals who try to attack the application from the inside; however, layers of security are employed to ensure that a user could not accidentally access data they did not have the right to view and could not use facilities that they should not be using.
Users can be classified into several distinct groups that represent different levels of threat as: (1) Agents, (2) Agent-Managers, (3) Cover-Holders, (4) Owners, (5) Reinsurers and (6) Head Office.   Each class of user is provided with unique services that are not shared with other user classes.   Functional access control is implemented to ensure that each class of user is restricted to use their own services.
Users work in different offices or are responsible to a specific office.   Each office has its own unique data access control to ensure that people in one office cannot have access to data that belongs to another office.   Cover-Holder, Owner and Reinsurer users only have access to data that is shared with them by an Agent or Agent-Manager.
The integration of the functional and data access control matrix creates a comprehensive set of user privileges and rights that ensure that data is only viewed by people who have the right to view that data.   Threat analysis means that while a user may try to view data that belongs to another office, they will not be aware of the existence of any other office.
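The functional and data access control matrix from section 4.5, as an added example in Python (not code from the page or from the application service provider). The six user classes are the ones the page names; the service names, the two offices and their records, and the treatment of Head Office as bound to its own office are constructed assumptions. The point the example makes concrete is the last sentence above: a refusal is reported exactly like a missing record, so a user who probes for another office's data learns nothing about whether that office exists.

```python
"""Functional and data access control matrix.

Added example, not the application service provider's own code.  The user
classes are the six named on the page; the service names, offices, records
and the treatment of Head Office as office-bound are constructed.
"""
from dataclasses import dataclass, field

# Functional access control: each class has its own services, none shared.
SERVICES_BY_CLASS = {
    "Agent": {"agent.policy_entry", "agent.policy_list"},
    "Agent-Manager": {"manager.policy_approve", "manager.team_list"},
    "Cover-Holder": {"coverholder.shared_view"},
    "Owner": {"owner.shared_view"},
    "Reinsurer": {"reinsurer.shared_view"},
    "Head Office": {"headoffice.office_report"},
}
# Data access control: office-bound classes see their own office's data;
# share-bound classes see only what an Agent or Agent-Manager shared.
OFFICE_BOUND = {"Agent", "Agent-Manager", "Head Office"}   # Head Office: assumption
SHARE_BOUND = {"Cover-Holder", "Owner", "Reinsurer"}
SHARING_CLASSES = {"Agent", "Agent-Manager"}

# Every refusal looks exactly like a missing record, so probing for another
# office's data reveals nothing about whether that office or record exists.
NOT_FOUND = ("not_found", None)


@dataclass
class User:
    name: str
    user_class: str
    office: str


@dataclass
class Record:
    record_id: str
    office: str
    shared_with: set = field(default_factory=set)   # recipient user names


# Constructed sample data: one record in each of two offices.
RECORDS = {
    "P-100": Record("P-100", "London"),
    "P-200": Record("P-200", "Paris"),
}


def data_allowed(user, record):
    """Data access control for one user against one record."""
    if user.user_class in OFFICE_BOUND:
        return record.office == user.office
    if user.user_class in SHARE_BOUND:
        return user.name in record.shared_with
    return False


def authorise(user, service, record_id, records=RECORDS):
    """Apply both controls; returns ("ok", record) or NOT_FOUND."""
    if service not in SERVICES_BY_CLASS.get(user.user_class, ()):
        return NOT_FOUND                      # functional control failed
    record = records.get(record_id)
    if record is None or not data_allowed(user, record):
        return NOT_FOUND                      # missing, or data control failed
    return "ok", record


def share(sharer, record_id, recipient, records=RECORDS):
    """An Agent or Agent-Manager shares a record of their own office."""
    record = records.get(record_id)
    if (sharer.user_class not in SHARING_CLASSES
            or recipient.user_class not in SHARE_BOUND
            or record is None or record.office != sharer.office):
        return False
    record.shared_with.add(recipient.name)
    return True


def visible_records(user, records=RECORDS):
    """Listing never includes another office's records, so the user
    cannot learn from it that any other office exists."""
    return sorted(r.record_id for r in records.values() if data_allowed(user, r))
```

Both a wrong service for the caller's class and a record belonging to another office produce the same `NOT_FOUND` result as a record that does not exist, and `visible_records` is built from the same data control, so neither a direct request nor a listing discloses the other office.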

6.3 Multiple Data Centers
The application service provider enjoys the benefit of running operational servers in one location and development servers in other locations.   A common factor is CentOS Linux, which is tested each and every day in extreme measures by distributed development teams.   After a fix has been applied to a development machine for a week, it can be safely applied to all operational machines; patch management is normally scheduled for 3am, however the application disruption is typically less than 30 seconds.   No public disclosure is made of when an application is to be stopped and restarted.

6.4 Password and Key Management
All operational data is stored in two physically different secure locations and is stored on multiple devices in each location.   In accordance with legal obligations, keys must be presented to law enforcement upon request, and so all keys are stored without identification in secure NAS devices in different locations.   The application service provider's Quality Management System (QMS) encrypts and stores all project information, including passwords and the identity of each SSL key stored on the NAS.

6.5 Physical Security
Having been called into the aftermath when a German bank in the center of London was raided, it became self-evident that only purpose-built secure Internet backbone data centers can provide the level of physical security, power backup and high speed Internet connections needed.   The German bank had 20 people arrive at lunchtime; they pushed past the security guard and smashed the door to the in-house computer room.   They used bolt cutters to remove cables and physically walked away with numerous servers within the minute.
As a direct result, another company invested in a steel bar cage inside the computer room.   The following bank holiday weekend, criminals went through the roof into the computer room and took everything, including the fire suppression system.
The application service provider chooses not to identify the physical locations of the LINX backbone data centers in the UK, and increasingly these physical locations are being stripped of all external name plates and resemble a concrete bunker surrounded by anti-ram posts.   What is certain is that these physical data centers are many times more secure than any in-house computer room, have much more effective power distribution facilities and have a very high speed connection to the Internet.

6.6 Server Rack.
The server rack has no keyboard, no mouse, no monitor, no active USB ports and no media drive.   When a computer fails it is replaced and the failed computer is taken off-site for repair; spare machines are always kept at each site for rapid replacement.   Any machine that fails is unlikely to go back into an operational data center, but it may be reused in a development data center.
If a person gained physical access to a rack, without any peripherals it is hard to imagine what they could do.   Driver programs for USB ports and install utilities are disabled, so physical attack is unlikely to work.
The Internet connected firewall is connected to one or more web servers and no other equipment.   A vulnerability of any client computer could not impact a web server in any way.

6.7 Secure Computing
The application service provider has implemented a practical security policy that is relevant and effective for the current decade.   Safety can be delivered by:
  • The first rule is that no data must be downloaded or installed on any local computer or smart phone.   Data in this context means no downloaded emails, photographs or music.
  • The second rule is that no programs must be downloaded or installed on any local computer or smart phone.   Programs in this context include browser add-ins and extra tool-bars that can drain a computer before it gets started.
While some people still dwell in the good old days of unsafe one-computer-per-desk technology, these 2 simple rules enable clients to enjoy as many computers and smart phones as they like, with a virtual dashboard giving instant access to all their mail, documents, music, radio, TV and business applications no matter what computer they are using.   When their computer or smart phone is lost, they buy another, switch on and have access to all their data and applications, while the criminal gets an empty machine with no business to sell.
It may sound strange, but people behave in a more secure way when browsing when they do not have anti-virus software installed.   An anti-virus program serves no purpose on a computer locked down so that nothing can be installed or downloaded, and people are much more careful about what they look at.

6.8 Wireless
Wireless is not secure and never will be secure.   It is unacceptable to download or upload any business emails or documents over a wireless network.   It is essential that a secure computing policy as identified above is employed so people can use wireless in a secure way using their SSL virtual desktop.   Each ISP has a duty to monitor all Internet traffic, and that includes keeping a copy of all your business emails for many months.   Understand that no matter what expensive software and encryption software you have installed on your computer, your business dealings are public property when using wireless communications.   HTTPS webmail is the most cost effective solution for every business; it is just a matter of time before older corporations catch up.