Security Aspects

Identify weaknesses in security and privacy and analyse risks

In this paper the church refers to the Grantham Heights Uniting Church. The web server belongs to the Uniting Church synod. Some weaknesses in security and privacy have been noted when looking at the church computer system. The weaknesses in security are in the following areas:

Passwords

Passwords are not used to access the church computer. As such, there is no changing of passwords on any sort of regular basis. A policy exists of not allowing people outside the church to access the computer on a physical level. In this respect, passwords would seem not be necessary. However, as hackers can arrive from the Internet, then the lack of passwords is a problem. Records on the computer are kept confidential from people who come to the church, but a hacker could access them. The lack of password control is a bad risk to the security of the church computer, as a password is usually the most fundamental and first line of defence.

Access to Personal Information

People whose sensitive information is collected are supposed to be told how to contact the church, ask for access to their personal information, find out what purposes the information is collected and find out if his or her personal information is sent to anyone else according to privacy laws within Australia and NSW. However, this particular area was thought to be not applicable according to the church. Organisations with a turnover of less than 3 million dollars; who are not providing a health service or keep any records to do with health; who do not keep personal information for a benefit, service or an advantage does not have to comply with the privacy legislation. They can opt in if they wish.

As some of the information collected is related to a counselling service, any information that relates to health, including mental health, then would fall into the privacy legislation, and as such should be able to be made available upon request by the person who it is about. A risk could exist then, if people desired to get their own information and did not know how to get it. Another risk might be the accidental disclosure of other people's information if they were shown a computer screen that had their information as well as other people's information on it. The church itself does not use the information for running the church, as the information is only used for the benefit of the pastor and the particular client in the counselling situation. People are however, able to gain access to their information on a face to face basis with the pastor.

Develop and implement security procedures within defined legal requirement and adopted protocols

Certain security procedures are to be developed to deal with the use of personal information according to privacy legislation. Only necessary personal information is to be collected. The information is to be protected from misuse, loss, unauthorised access and modification or disclosure. Access to particular persons information is to be made available to them on request. No government issued identifiers are to be used for identifying anyone. Any collecting of sensitive information such as health, religious belief, and sexual preferences are to be done without consent. This applies especially for the counselling service that the pastor provides.

Minimise attacks by using appropriate hardware and software technologies

There are numerous threats that appear on the Internet or are spread through the Internet. These are such things as viruses, worms, Trojans, hackers, Denial of Service, sniffers and information theft. There are also internal threats from such things as staff and backdoors.

The site is to be hosted on a server owned by the Uniting Church synod. Numerous congregations use this server. This server already has a multilevel approach to security in existence that uses appropriate hardware and software technologies. Their aim is to minimise attacks upon the web server and the internal church network.

The software technologies to be used are:

Anti-Virus Programs

Anti-virus programs are used on the server that the Uniting Church synod owns. They scan the files that the server receives and looks for patterns that match known malicious software. The anti-virus scanners are set to update them automatically every two weeks, to keep up to date. If any notification is received through such things as radio or TV or the Internet, that there is a major problem with a virus or worm, then the anti-virus software can be updated manually at that time.

As the church computer accesses the Internet then an anti-virus scanner should be installed. There is not one at present. It should be configured to perform heuristic analysis and be able to scan zipped files as well as other types of files. All possible entry points are to be considered and taken into account. Suggested areas that may be an entry point are the Internet, downloaded files, floppy disks and CDROMs created by burners. All mail attachments are to be scanned. A floppy disk for rescue purposes will be made as part of the installation of the anti-virus software.

Integrity Checking

Integrity checking software is not currently installed on the web server or the church computer. It is to be recommended that this type of software be installed on the server. The idea behind this is that a database of file checksums for critical system files will be created for each of the computers. The integrity checker will then be run at regular intervals to ascertain if they have been changed by a hacker.

A hacker may try to insert such things as trapdoors that allow them access to the church computers. A baseline checksum that is checked against the current checksums for any differences will determine if there has been any tampering of files. The database containing the checksums is to be kept on a CDROM with another copy kept offsite. It is not proposed at this time to put integrity checkers on the Grantham Heights church computer.

Back to Software Technologies

Audit Logs

The audit logs that the web server produces are to be enabled, as are the firewall logs. Both of these are to be examined on a semi-regular basis with the aim of the detection of abnormal activity. The types of things that are to be looked for are the web access logs to see if any CGI script attacks have been done; firewall logs for attempts to access the secure web server and to scan for any buffer overflow commands. The logs will be used to identify the source of some hacking attempts or denial of service attacks. The firewall logs on the church computer are to be looked at occasionally as well, once one is installed.

Firewalls

Firewalls are already used on the web server as they restrict the ability of some remote control programs such as Trojans to execute if they rely on a port that is generally blocked. Their firewall is a combination of hardware and software. There are certain benefits that result for the server such as the protection of vulnerable services, restricted access to any vulnerable machines, and the stealthing of any machines. The firewall server is to act as a gateway. It hides the existence of any of the internal machines from any hackers on the Internet. All access to the Internet will go through it and this means the Internet traffic will be able to be watched closely, so any misuse could be noticed quickly.

At present, there is no firewall on the church computer. It is proposed that one be installed. The suggested firewall to be used is Outpost by www.agnitum.com. This free firewall has many features such as stealthing, content blocking, blocking of ads, use choice as to what types of packets are sent and received and other features.

Back to Software Technologies

Backups

Backups are done of critical files including all of the critical files on the web server. The backups are hardware (backup tapes) and software. The backup tapes are stored onsite and offsite. Backups are to be done as a full backup every Friday and an incremental backup every other day. The backups are to be done automatically. A recovery from the tapes should be practiced every 6 months.

Encryption software

Encryption software using cryptography is used already on the web server to secure all financial matters or transmission of any sensitive information. Public Key Cryptography is already used where each party has both a public and a private key. The public key is available for all. The private key is not. DES is used along with RSA. The public key cryptography provides a "wrapper" for the "session key". RSA public/private keys could be used to encrypt a symmetric (DES) key. The encrypted DES key is then sent to the recipient. The recipient uses RSA to decrypt the DES key, and the DES key is used to decrypt all further transmissions of data including transactions. The ability to enable rapid e-mail and transaction decryption, and the supporting of efficient and frequent key changes is a bonus. The server and the other party must ensure the security of the private key. A considerable number of security attacks may try to get direct access to the private key. The private key needs to be secured by a password.

The hardware technologies to be used are:

Network Intrusion Hardware

Network Intrusion detection system hardware is not presently installed on the web server. It is recommended that one be installed. A sensor is to be put on the inside of the network firewall. This will be able to report on events that is critical to the network. It will monitor the network traffic and some system events. It will be set to look for the signatures of known attacks such as a port scan of hosts in the range 10.0.0.1 to 10.0.0.255 that are used on the internal network; report any packets with a virus signature of a particular virus; and report any attempts to use more than 64 HTTP connections to a single internal destination server within 30 seconds. The Grantham Heights church computer is not on a network and so this type of hardware is not to be installed.

Physical Security Measures

Certain physical security measures are to be taken to protect the server itself. Desk mounts should be used to ensure that the server cannot be taken away by unauthorised personnel. If there was a break-in and the server was taken it would be difficult to keep the web site up and running. There is to be backups done, but if the server is gone, then the restore cannot be done until another server is obtained. The server is already kept in a locked room accessible only by authorised personnel.

Back to Hardware Technologies

Virtual Private Network and Smart Cards

It is not proposed at this time to institute a Virtual Private Network or smart cards for the church due to cost considerations and the small amount of E-Commerce that the church will be engaged in.

Implement Public Key Infrastructure (PKI)

The PKI system is used already on the server for any churches that need it. It provides for those churches such things as:

Symmetric key exchange
Authentication
Nonrepudiation (cannot deny authorship)
Guaranteed integrity of communication

It enables the hosted sites and any customers to securely and privately exchange data between themselves. The sorts of data that we will be exchanging are personal details and financial details.

PKI makes use of a system known as public key cryptography and documented policies in order to ensure that transactions are authentic and secure. Public key cryptography uses two keys to scramble and decipher messages. One key is known as a ‘public key’ and is widely distributed. The other key is called a ‘private key’. This key is kept secret by an individual. Messages are protected by scrambling them with the public key of the recipient. Computer algorithms make certain that only the private key held by the person you are mailing or sending data to are able to decrypt or unscramble the information. The larger the key files involved, the higher the level of security. In a PKI system, certificates and keys are issued by Certification Authorities (CAs) under defined guidelines. This ensures a high level of reliability.

The first step that the server operators did was to get a digital certificate from Verisign. A digital certificate is the digital equivalent of an employee badge, passport, or driver’s license. It is a small, digitally signed file that is able to uniquely identify the server. It gives the servers public key, a validation period and is digitally signed by a certifying authority. An application for the certificate was made by the server's operators and the necessary fees paid. Verisign checked up on the details of the server credentials to ensure that the organisation the server belongs to do in fact exist. They act as the certificate authority as well as the registration authority. A digital certificate was sent out for the server.

The current cost of a certificate is $895 US. This type of certificate enables 128 bit SSL encryption, which is a world wide standard. Other features of this certificate are authentication by Verisign of who the server organisation is, remote checking of the server security by Verisign, an extended warranty for the Uniting Church synod against economic loss if the certificate fails during its currency and access to a database on security kept by Verisign. The delivery time for the certificate is two days.

The second step that was done was to install the digital certificate on the web server that the web sites are located on. This protects any data or transmissions of data between the server and the customers computer. The data is encrypted and therefore is unreadable by anyone or any computer in between. A certificate management scheme is already in existence.

When the church wants to send sensitive or private Email messages between them and another party public and private keys will be used. The public key will be part of the digital certificate on the directory that it is installed into. The private key is to to be sent over the Internet. Instead, it is used to decrypt any text encrypted with the public key by the recipient. This way the sender of the message is authenticated and privacy is ensured. The following table illustrates how it is going to work.

To do this	Use whose	Kind of key
Send an encrypted message	Use the receiver's	Public key
Send an encrypted signature	Use the sender's	Private key
Decrypt an encrypted message	Use the receiver's	Private key
Decrypt an encrypted message and authenticate the sender	Use the sender's	Public key

The actual way that transactions are done with SSL is described below in the Information Protection section.

Identify and remediate Security Risks when using E-Commerce over Interconnected Networks

There are numerous security risks that arise when using E-Commerce over interconnected networks. The areas that contain security risks are:

Business Practices

The Business Practices relate to the very nature of the transactions. A customer may not know that the order will actually be filled. The retailer may be a front and then disappear with the money without sending out the goods. There is then an element of risk for the customer. As a result, there needs to be the development of trust between the church and the customer. This trust is to arise from three main factors - experience-based, identity authentication and quality authentication. The customer needs the following questions answered:

What experience have I or others had with this organisation?
Who am I dealing with?
What is the quality of goods/services offered?
Will there be a warranty and how can unsatisfactory goods be returned?

The church needs to follow well developed business practices and have a checkable history. Otherwise, customers could face an increase of such things as loss, fraud or inconvenience. The church will need certain information such as name, address and payment details so they can process an order if one is required. The customer does not want this information provided to other people or organisations without their explicit permission. Errors in any database may occur, and customers should be able to correct these as needed.

The church should state on their web site what their business practices are and if there is any problems, a third party could adjudicate between customers and the church if needed. Such business practices would cover areas like delivery time, delivery methods, methods of payment, product return procedures, complaint handling procedures and contact information.

Trust then is to be established by fostering repeat encounters with its customers and by third party endorsements.

Back to Security Risks

Information Privacy Practices

E-Commerce is global as it can span the world. This means that there are standards to meet in more than one country and also the need to comply with laws in more than one country. Merchants may need to ensure that they meet privacy provisions from more than one country. They need to set some standards regarding privacy. A privacy policy or privacy statement may be the answer.

Customers are concerned about how a web site and its owners will use their information, how their information is protected, what methods are available for correcting information and who would have access to the information. If such a thing as a privacy policy is not in place, and/or procedures and controls are not in place the consumers may go somewhere else instead.

Countries around the world, such as USA and Australia are setting standards regarding privacy that web sites must follow.

The church would disclose on the web site what specific kinds and sources of information are being collected and maintained as well as what the use of that information will be and if applicable what the third party distribution of that information would be. Such things as collection of names, addresses, credit cards, Email address and IP address could be stated as what is collected in order to provide a service to and bill the customer. The church also needs to ensure that the person conducting the transaction is who they claim to be. For example, only authorised signatories should be able to access a business bank account.

Back to Security Risks

Transaction Integrity

Electronic transactions and documents may get lost, changed, duplicated or incorrectly processed. This brings into question the integrity of electronic transactions and documents. Disputes may arise regarding terms of transactions or billing issues.

Customers need to know that the web site has effective transaction integrity controls as well as a checkable history of accurate transactions and billing customers.

The church could state how each transaction is checked for accuracy and receive positive acknowledgement from the customer that an order is to be processed. This could be done by a final button to click that once clicked will finalise the order.

The church has to ensure that the correct goods or services are sent to the customer. This could be done by ensuring that the packing slips are generated from the order and that the order is checked against these before being shipped to the customer. Each customer could be given a unique identifier number that is not based on a government issued number such as Medicare number. A feedback questionnaire sent to the customer would be a valuable tool in ascertaining the correct functioning of the order system.

All costs to the customer must be displayed including any taxes such as GST, before the customer presses the final button to confirm the order. A facility to allow printing of the order could be given to the customer if they wish to have a hard copy of the order.

Back to Security Risks

Information Protection

There are two main classes of risk and these are disruption, destruction and disaster and unauthorised access. There must be customer confidence that the people behind a web site take appropriate steps to protect customer information. Confidentiality of any sensitive information transmitted over the Internet can be compromised. Credit card numbers may be intercepted and subsequently misused. Third parties may gain access to directories on a server that they are not entitled to access. Incorrect access may even extend to networks or consumers home computers.

There are different types of attacks that the server may suffer from and these are:

Network packet sniffers that attempt to capture traffic, that may include passwords or other sensitive information
IP Spoofing where an attacker outside of the network pretends to be a legitimate user of the network and may try to alter authority
Password attacks where an attacker tries sheer brute strength to crack passwords by using password cracking programs or may just try to guess passwords because they may be a commonly used easily guessed word

Asymmetric encryption is to be used to ensure the confidentiality of sensitive information transmitted over the Internet. This uses different keys to encode and decode. The keys are not invertible. This means that if you have one key, you cannot determine the corresponding key. Secure Socket layer (SSL) technology is to be used at the 128 bit level A SSL connection request goes to port 443 on a secure server. The client and the server exchange X.509 certificates and establish each others identity. The client randomly generates 4 keys - one pair of keys for each direction and encrypts these with the server’s public key. The encryption algorithm and hash function are negotiated in what is called a handshake and the client sends a list of supported schemes. The server then decides which is the strongest one and the data such as files and commands are exchanged.

The information sent then will be encrypted and network packet sniffers will have trouble in deciphering what is sent. An alternative method of ordering such as telephone ordering could be provided for those customers who refuse to use the Internet for the actual order. Some customers like to do their shopping research over the Internet, but may wish to do their order in a more traditional way such as over the phone.

The church could register its own domain name and this would protect its Internet identity. This would be a unique name that no other individual or organisation could use. The church is to obtain a digital certificate, such as one issued by Verisign or to use the digital certificate that the Uniting Churches Communication Unit has. The Communication Unit is responsible for the server that a lot of Uniting Church web sites are hosted on. Digital certificates and digital signatures will help to protect the information with regard to privacy and integrity.

Digital signatures use public key encryption and authenticate messages. They are based on the private key and the message itself. The author encrypts message with his private key and anyone can then use the public key to decrypt the signature and verify that decrypted text matches the transmitted text.

Firewalls that are designed to protect the integrity of the network as well as the confidential information held within it and security practices such as anti-virus software installed and running would help to prevent the release of information to third parties who do not have the right of access to the information. The firewall could be given a list of IP addresses to allow or disallow. The firewall is to be regularly tested by qualified personnel to see how strong it is and whether it repels unauthorised access attempts. Breaches in security would have a detrimental effect on the customers and the church and as such the customers need to know that there are effective information protection controls in place. An example of this would be to turn off directory browsing as that enables people to go virtually anywhere on a server.

Anti-virus software is to be enabled and running. All files are to be scanned using heuristic analysis. All Email attachments are to be scanned. People are also to be asked to exercise common sense and not open emails that look suspicious, such as those with a subject that does not make sense.

A proxy server is another option that the Uniting church server could be. There are two different types. The first type is Packet Filter Routers such as the illustration on the left that look at the packets being sent and/or received and pass or reject them based on their source/destination information and application type (HTTP, ftp, TELNET, Email).

The second type is Application Proxy Servers. These are the use of an intermediate server between user and outside world as shown in the diagram on the right. The server on the Internet that the customer is using communicates with the proxy server as does the client computer on the church network. IP addresses are hidden and IP-level routing is prevented. The internal network uses specific IP addresses that are not used on the Internet ant the proxy translates them when sending out requests to the Internet. Outside users are blocked from any vulnerable intranet services.

IP tunnelling is another option that the server could use. A virtual private tunnel is created on the Internet. The remote user wraps packets in the IP header that is then directed to the proxy server. The inside packet is encrypted. There are certain benefits from this such as allowing for the verification of remote users and the ensuring of privacy. The Proxy server strips off the IP header and then forwards the packet to its intended recipient. When the packet is decrypted it verifies the identity of the sender.

The people running the server need to ensure the physical security of the IT equipment. Some methods of physical security are to ensure that the IT equipment is stored in a secure and lockable location and that up-to-date logs of all equipment are kept. Other measures are to ensure that all staff where the server is located are aware of the security policies and report any suspicious activities. Internal risks are to be minimised by making sure that all passwords and access rights are revoked when staff resign, not giving any single member of staff complete access to all data, implementing and maintaining a strong password policy and the conducting of internal security audits on a regular basis.

Back to Security Risks

Consumer Recourse

Customers of the church may be concerned about how their complaints may be handled. They also may be concerned about any warranty disputes. They may be in another country and wonder how their rights are protected. Court action is expensive for all concerned. Instead, third party dispute resolution can be the answer. An independent third party could be used to adjudicate to the betterment of all.

Implement Security Audit procedures

A security audit is a review of the current technical security infrastructure. Key management are to be interviewed and various business processes analysed. There is an identification of areas that are vulnerable to attacks by insiders and outsiders and the delivery of a final document.

The security audits are to be done in order to check the church's safety as well as the safety of the church, and to ascertain if there is a need for intrusion detection measures. We will be able to have relevant information about the security of the church computer and server, measure compliance with security policy, assess potential damage of security incidents and to assess risk and security levels.

It is proposed that the initial security audit be instituted on 20 October 2002 and be completed every 6 months after that to ensure the integrity of the server, the web site and the overall business environment of the Church.

We are going to audit two areas of the church. One area is the actual church itself, i.e. Grantham Heights Uniting Church and the other area that we are going to audit is the web server that the web site will be located on. The server belongs to the Uniting Church of NSW and is located at www.nsw.uca.org.au. As this is a server that is at a remote location, it will be necessary to involve the staff at that location. The Grantham Heights Uniting Church will have one questionnaire to answer and the Uniting Church staff at the other location will have that questionnaire as well as another one that is concerned with the web server itself.

The questionnaire that will be given to both parties is as follows:

Questionnaire regarding Security

Please fill in the required information. For answers that are Yes or No,
please circle the answer.

1. Are passwords used to access the Church computer?
Yes
No

2. Are passwords changed on a regular basis?
Yes
No

3. Do people write down their password and put it where it is visible?
Yes
No

4. Are names, nicknames, pet's names or family members names used as passwords?
Yes
No

5. Are records on the computer or written records kept confidential?
Yes
No

6. Are people who are not office holders in the Church allowed to access the computer?
Yes
No

7. Is anti-virus software used?
Yes
No

8. How often is the anti-virus software updated?

9. Is the updating of the anti-virus software done automatically by the program itself?
Yes
No

10. Is email checked by the anti-virus program?
Yes
No

11. Which firewall is used on the server?

12. Is the firewall set on automatic update?
Yes
No

13. Is the web browser 128-bit security?
Yes
No

14. Are updates regarding the web browser, the operating system and other software ever done?
Yes
No

15. Are the church computers located away from members of the public?
Yes
No

16. Is real time protection used for the anti-virus program?
Yes
No

17. Is data ever backed up?
Yes
No

18. How often is data backed up?

19. Are restorations ever practiced?
Yes
No

20. Are there security experts the Church can call in if there is a security problem?
Yes
No

21. Is the computer regularly checked for errors by programs such as Microsoft Scandisk?
Yes
No

22. How often is the scandisk done?

23. Does the church have networked computers?
Yes
No

24. Is file and/or print sharing turned on in the church computer?
Yes
No

25. Are files downloaded from the Internet?
Yes
No

26. Are downloaded files checked by an anti-virus program?
Yes
No

There are procedures in place to protect the personal information and data from the following - misuse, loss, unauthorised access and modification or disclosure. These procedures relate to

Firewalls
Password access
Secure servers
Storage of any hard copies in an area with security procedures agreed to by unit staff
Destruction of hard copy printouts using shredders

The questionnaire that will be given to the staff who control the server and the network is as follows:

                      Questionnaire regarding Server and Network Security

Please fill in the required information. For answers that are Yes or No, 
please circle the answer.
  
1. Is the firewall on the server functioning?
      Yes    
      No

2. Is the firewall on the server set to automatically update itself?    
      Yes
      No

3. Are there any conflicts between other software and the firewall software installed
on the server?
      Yes
      No

4. Are any programs apart from web browsers set to not ask the firewall for permission
to access the Internet?
      Yes
      No

5. Are passwords used to gain access to the server and the network?
      Yes
      No

6. Do the passwords have a minimum length of 6 characters and contain a mixture 
of numbers and letters?
      Yes
      No
   
7. Are passwords changed every three months?
      Yes
      No

8. Are passwords reused by the staff?
      Yes
      No

8. Is the updating of the anti-virus software installed on the server and the network
done automatically by the program itself?
      Yes
      No

9. Is email checked by the anti-virus program on the server or the networked computers?
      Yes
      No

10. Are updates to the operating system of the server and the networked computers done
on a regular basis?
      Yes
      No

11. Are patches and fixes applied to the server when notified?
      Yes
      No

12. Is the server using 128-bit security?
      Yes
      No

13. Are updates regarding the web browser, the operating system and other software
ever done?
      Yes
      No

14. Is the server located in a secure area away from members of the public?
      Yes
      No

15. Is the secure area locked when no-one is in the server room?
      Yes
      No

16. Is there intrusion detection software on the server?
      Yes
      No


17. Does the intrusion detection software work?
      Yes
      No

18. Is sensitive information encrypted on the server?
      Yes
      No

19. Is data on the server backed up incrementally?
      Yes
      No


20. Are restorations ever practiced?
      Yes
      No

21. Is the digital certificate on the server kept up to date?
      Yes
      No

22. Is all software on the server and the networked computers correctly licensed?
      Yes
      No

23. Is logging of accesses to the server turned on?
      Yes
      No

24. Is any software brought in by employees and installed on the server or on any of
the networked computers?
      Yes
      No

25. Do the unit staff keep hard copies of data in unsecure locations?
      Yes
      No

26. Are shredders used to destroy hard copies of printouts when no longer required?
      Yes
      No

Any issues that are raised by the security audit that show potential problem areas are to be rectified within a fortnight of the audit and are to be examined a week later. Any questionnaires filled out in paper form are to be kept in a secured cupboard and shredded after two years, unless required longer or for any related purpose.

Back to Main Menu