Security

What are the system password management options ?

February 20, 2013

The system has many standard password options.

Overview 

The system administrator can configure the system password management and storage options to find the correct balance between convenience, performance and security. The password and login options can be configured at the global level and at a per-user level.

System Password Options

  1. Password expires after X days.
    • The user will be required to enter a new password after this period has expired.
  2. Passwords cannot be re-used within X days.
    • The minimum period before the user may re-use one of their old passwords.
  3. Passwords must have a minimum length.
    • In general, the longer the password, the harder it is to guess.
  4. Passwords must have a maximum length.
    • There is no practical system-level length restriction.
  5. Passwords must include both alphabetic and numeric characters.
    • Requiring both letters and digits increases the space an attacker has to search and so strengthens the password.
  6. Passwords may not contain more than a set number of sequential characters.
    • This option rejects passwords such as '123456'.
  7. The number of login attempts before the user is disabled.
    • This option limits online brute-force guessing of a user's password.
  8. The number of days before an inactive user is disabled.
    • This option automatically disables inactive users, which reduces the opportunity for an attacker to find and use an old, forgotten account.
    • The option should be set to a reasonably high number of days so that people are not locked out simply by going on leave.
  9. Whether "remember me" is enabled for desktop browsers.
    • Should the system offer to remember the user with a persistent cookie on a desktop computer?
    • This is a very convenient feature but is a security risk if the computer is stolen.
  10. Whether "remember me" is enabled for mobile browsers.
    • Should the system offer to remember the user with a persistent cookie on a mobile phone or tablet?
    • This is a very convenient feature but is a security risk if the device is stolen.
  11. "Remember me" can be restricted to trusted zones.
    • This allows users to choose "remember me" within an office environment, while the option is not offered in, for example, an airport terminal.
    • Even if "remember me" was previously ticked on a device while it was in a trusted zone, a login attempt from that device in a non-trusted zone ignores the earlier "remember me" request, so the user must log in again.
  12. The email template sent to the user when resetting their password.
    • This template can be customized to give detailed instructions on any special procedures for resetting passwords.
  13. Action URLs configure the next step after a user logs in or out, changes a password or resets a password.
  14. The default storage algorithm.
    • The system default password storage algorithm can be overridden on a per-login-record basis.
    • When a user's password is changed, the new password is saved using the storage algorithm in effect for that login record; existing stored values keep their current algorithm until the password is next changed.
    • Different algorithms have different properties, such as verification cost and resistance to offline cracking.
  15. Block login attempts by browser (user agent) string.
    • The system does not support IE6, so any attempt to log in with this browser is blocked and a message is shown.
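As an added illustration of options 3 to 6 above (example code, not the product's own), here is a small Python checker that applies a minimum and maximum length, the alpha-and-numeric rule and a limit on sequential characters. The policy values, the rule codes it returns and the treatment of "sequential" as characters whose code points step by exactly one in either direction (so '123456' and 'fedcba' both count) are assumptions made for the example.

```python
# Added example: enforce the kinds of password rules listed above.
# The policy values and the definition of "sequential" are assumptions,
# not the product's own settings.

POLICY = {
    "min_length": 8,            # option 3: minimum length
    "max_length": 128,          # option 4: maximum length (no practical system limit)
    "alpha_and_numeric": True,  # option 5: must contain both letters and digits
    "max_sequential": 3,        # option 6: longest allowed run such as '1234' or 'dcba'
}


def longest_sequential_run(password):
    """Length of the longest run whose characters step by exactly +1 or -1
    in code-point order, e.g. '123456' -> 6, 'abcxyz' -> 3, 'a1b2' -> 1."""
    if not password:
        return 0
    best = run = 1
    direction = 0  # +1 ascending, -1 descending, 0 no run in progress
    for prev, cur in zip(password, password[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1):
            # continue the run if the direction is unchanged, else start a new 2-char run
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def check_password(password, policy=POLICY):
    """Return the list of rule codes the password violates; an empty list means it passes."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too_short")
    if len(password) > policy["max_length"]:
        problems.append("too_long")
    if policy["alpha_and_numeric"] and not (
        any(c.isalpha() for c in password) and any(c.isdigit() for c in password)
    ):
        problems.append("needs_alpha_and_digit")
    if longest_sequential_run(password) > policy["max_sequential"]:
        problems.append("sequential_run")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates for the example.
    for candidate in ["123456", "Tr0ub4dor&3", "abcdefgh1", "correcthorse"]:
        print("%r: %s" % (candidate, check_password(candidate) or "OK"))
```

Returning every violated rule rather than stopping at the first one lets the login form tell the user everything that is wrong with a candidate password in a single round trip.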

Password options

 User Password Options

  1.  General user contact details
    • Title
    • First/Last name
    • Business unit 
    • Phone 
    • Email 
    • and many more.
  2. The login ID.
  3. The password.
    • The password is never sent back to the browser in a web form, so viewing the page source does not reveal it.
  4. The base access level for this user.
    • Owner - most access controls do not apply to the owner of the system: "with great power comes great responsibility".
    • User - most user actions are controlled by a series of Access Control Limits (ACLs).
    • Readonly - all the restrictions of a user and, in addition, all classes are read-only by default.
    • Guest - no access by default; tables and records must be expressly granted.
  5. Disable the user.
    • The user will no longer be able to access the system.
    • Any current session is terminated.
  6. Force expire the user's password.
    • The user will be required to change their password the next time they log in.
    • "Force expire" is on by default when an administrator resets the user's password.
  7. Never expire is only used for functional accounts.
    • This option should be used sparingly.
    • A login marked as never expire is not disabled even after multiple wrong password attempts, so it is not protected by the login-attempt lockout (system option 7 above) and needs a long, unique password.
    • One primary account is often marked as "never expire" so that an attacker cannot lock everyone out of the system by deliberately making five failed attempts against every login.
  8. Functional allows multiple concurrent users to use the same login.
    • Normally the system logs a user out when they log in from a different browser, which makes it very obvious if someone else is using your account. A functional login does not do this.
  9. SSO mode and Domain are used for integration with Microsoft NTLM single sign-on and can only be used within a Microsoft intranet environment.

User Login

Password Storage Algorithms

Best Practice 2017

A salted PBKDF2 hash of the password with 23456 iterations and a derived key length of 1024. The resulting hash is stored in the database as an encrypted value.

Performance

Sample times: Max: 272 ms, Min: 111 ms, Avg: 122 ms, Median: 115 ms, Count: 100

Advantages:-
  • Very hard to brute force: every guess has to repeat the 23456 PBKDF2 iterations, so offline cracking is slow. Note that PBKDF2 is CPU-bound rather than memory-hard; the iteration count is what makes each guess expensive.
  • Two users with the same password do not produce the same stored value, because each hash uses a random salt.
  • The stored hash is itself encrypted and cannot be decrypted without the encryption keys held in the separate master database.
  • Rainbow tables cannot be used against the hashes because of the random salt values.
Risks:-
  • The actual password value cannot be retrieved or used in any way (for example to authenticate to another system on the user's behalf).
  • Verifying a password takes a minimum of about 100 ms per call by design. This limits login throughput and makes the login endpoint a target for resource exhaustion if it is not rate limited.

Encrypted Salted PBKDF2 and SHA-512 Hashed 1234 times

A salted PBKDF2 hash of the password with 1234 iterations. The resulting hash is stored as an encrypted value with a key length of 64.

Performance

Sample times: Max: 7 ms, Min: 3.2 ms, Avg: 3.9 ms, Median: 3.7 ms, Count: 100

Advantages:-
  • Hard to brute force because of the PBKDF2 iterations, although 1234 iterations is about 19 times fewer than the 23456 used by the option above, so each guess is correspondingly cheaper.
  • Two users with the same password do not produce the same stored value, because each hash uses a random salt.
  • The stored hash is itself encrypted and cannot be decrypted without the encryption keys held in the separate master database.
  • Rainbow tables cannot be used against the hashes because of the random salt values.
Risks:-
  • The actual password value cannot be retrieved or used in any way.

Encrypted Salted SHA-512 Hash

A salted SHA-512 hash of the original password, stored as an encrypted value.

Advantages:-
  • Two users with the same password do not produce the same stored value, because each hash uses a random salt.
  • The stored hash is itself encrypted and cannot be decrypted without the encryption keys held in the separate master database.
  • Rainbow tables cannot be used against the hashes because of the random salt values.
Risks:-
  • A single SHA-512 computation is very fast, so an attacker who obtains both the hashes and the encryption key can test candidate passwords far more quickly than against either PBKDF2 option. The random salt prevents precomputation but does not slow down per-hash guessing.

Salted Encrypted

The password, with a random salt, is stored in an encrypted format in the database. The encryption key is stored in a separate database from the encrypted value.

Risks:-
  • If the encryption key is retrieved from the master database and the encrypted value is retrieved from the client database, the actual password can be decrypted.
Advantages:-
  • The password value can be used (non-destructive storage of the original password). An example of a need for the actual password is to access other systems, such as file servers, on the user's behalf.
  • Two users with the same password do not produce the same stored value, because of the random salt.
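The following Python is an added example of the salted PBKDF2 scheme described above, not the product's own code or record format. It hashes with PBKDF2-HMAC-SHA512, verifies in constant time, shows why two records for the same password differ (the random salt), and flags records made with an older, lower iteration count so they can be re-hashed at the user's next login. The 16-byte salt, 64-byte derived key and the "pbkdf2_sha512$iterations$salt$hash" record layout are assumptions; the product's additional step of encrypting the stored hash with a key from the separate master database is not shown.

```python
# Added example: salted PBKDF2-HMAC-SHA512 password storage and verification.
# Parameters (23456 iterations, 16-byte salt, 64-byte derived key) and the
# record format are assumptions for this example, not the product's own format.
# The product additionally encrypts the stored hash with a key held in a
# separate master database; that outer encryption layer is not shown here.
import base64
import hashlib
import hmac
import os
import time

DEFAULT_ITERATIONS = 23456
SALT_BYTES = 16
DERIVED_KEY_BYTES = 64   # SHA-512 output size


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing record 'pbkdf2_sha512$<iterations>$<salt>$<hash>'.
    A fresh random salt is drawn unless one is supplied (for deterministic tests)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, DERIVED_KEY_BYTES)
    return "pbkdf2_sha512$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the hash with the salt and iteration count stored in the record
    and compare in constant time. Returns True or False."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha512":
        raise ValueError("unsupported storage algorithm: %s" % algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                 int(iterations), len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True when the record was produced with fewer iterations than the current
    policy, so it should be re-hashed at the user's next successful login."""
    return int(record.split("$")[1]) < iterations


def verify_cost_ms(password, record, rounds=10):
    """Average wall-clock cost of one verification, to show the deliberate slowdown."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify_password(password, record)
    return (time.perf_counter() - start) * 1000 / rounds


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    slow = hash_password(pw)
    fast = hash_password(pw, iterations=1234)
    print("same password, two records differ because of the salt:",
          slow != hash_password(pw))
    print("verify ok:", verify_password(pw, slow), " wrong:", verify_password("guess", slow))
    print("legacy record needs rehash:", needs_rehash(fast))
    print("cost per verify: %.1f ms (23456 it.) vs %.1f ms (1234 it.)"
          % (verify_cost_ms(pw, slow), verify_cost_ms(pw, fast)))
```

Storing the iteration count inside each record is what makes the per-login-record override and a later change of default workable: verification always uses the parameters the record was created with, and needs_rehash() tells the login code when to upgrade a record after the user has just proved the plaintext.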

What are the security, back-up, disaster recovery and firewall services ?

November 27, 2013

stSoftware systems have security measures, back-up procedures and a range of disaster recovery options.

Security

Industry standard best practice for passwords is followed for both the web server and the Linux machines. Site designers do not have direct access to the underlying Linux server, the raw database or the files; all changes are made within the system's sandbox.

Back ups

All databases are backed up nightly.

All client documents are backed up nightly and a consistency check of each raw file's checksum is performed.

The backups are kept for a week on site.

The machines themselves are backed up as a whole to an off site secure backup location. A full or partial restore of the machine can be done from the off site recovery centre.

Firewall

The standard system is Linux with all ports closed except HTTP, HTTPS and SSH.

SSH is configured to block IP addresses after a series of failed login requests. SSH connections from unknown locations or from foreign countries are blocked by default.

Redundancy 

All raw files, which are stored separately from the database itself, are sent to both the main site and the disaster recovery site when they are uploaded. Each version of a file is kept and never modified (a new version is created instead). When a file is uploaded, a checksum of the raw file is computed and stored in the database; the file is then compressed and encrypted, and the encryption key is stored in the database. The resulting compressed/encrypted file is sent to the redundant file servers for permanent storage.

The hosting provider provides 2-hour hardware replacement.

Does the system mask sensitive information from log files like credit card numbers

March 11, 2013

Yes, the system has an option to mask information in log files.

Log data can be masked based on Java regular expressions (http://docs.oracle.com/javase/tutorial/essential/regex/index.html).

Example - mask a credit card number in log files, or mask only the password in a connection URL.

A string like: My master card number number "4444333322221111" will be masked to: My master card number number "****************"

A string like: "nigel:pass@host.com" will be masked to: "nigel:******@host.com"
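As an added example (not the product's configuration), the two transformations above can be reproduced with regular expressions as follows. The product uses Java regular expressions; Python's re module is used here, and for these patterns the syntax is the same. The patterns themselves, the choice to mask a card number with the same number of asterisks and a password with a fixed six asterisks, and the sample log lines are assumptions made for the example.

```python
# Added example: regular-expression masking of sensitive values in log lines,
# modelled on the two examples above. Python's re module is used; the product
# uses Java regular expressions, whose syntax for these patterns is the same.
# The patterns and the fixed six-character password mask are assumptions.
import re

# Rule 1: a run of 13 to 19 digits (typical card number lengths) not embedded in a
# longer digit run. Replaced by the same number of asterisks, as in the example above.
CARD_NUMBER = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Rule 2: the password part of 'user:password@host' in a URL or connection string.
# The fixed-width look-behind anchors on the ':' after the user name; the look-ahead
# requires the '@' that introduces the host, so 'jdbc:postgresql://' is left alone.
URL_PASSWORD = re.compile(r"(?<=[\w.%+-]:)[^:@/\s]+(?=@)")

MASK_RULES = [
    (CARD_NUMBER, lambda m: "*" * len(m.group(0))),
    (URL_PASSWORD, lambda m: "******"),
]


def mask_log_line(line):
    """Apply every masking rule to one log line and return the masked text."""
    for pattern, replacement in MASK_RULES:
        line = pattern.sub(replacement, line)
    return line


def mask_log(lines):
    """Mask a whole batch of log lines, preserving order."""
    return [mask_log_line(line) for line in lines]


if __name__ == "__main__":
    # Constructed sample log lines for the example.
    sample = [
        'My master card number number "4444333322221111"',
        "nigel:pass@host.com",
        "connecting to jdbc:postgresql://app:s3cr3t@db:5432/orders",
        "order 12345 paid with 4111111111111111 from 203.0.113.7",
    ]
    for before, after in zip(sample, mask_log(sample)):
        print(before, "->", after)
```

Two caveats for anyone writing such rules: the card pattern masks any run of 13 to 19 digits, so long order or reference numbers will be masked too (over-masking is the safe direction for a PCI log), and it does not match card numbers written with spaces or dashes between the groups, which need the pattern extended. Masking must happen before the line is written, since a log that already contains the value has to be treated as sensitive data.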


Tags: PCI

User Access Control Limits

December 5, 2013

The same ACLs are applied to all requests.

Every class in the system has ACLs (Access Control Limits) which prevent unauthorized Create, Read, Update and Delete (CRUD) operations on its records. These ACLs are applied to every request regardless of where or how the request is made.

The same ACLs apply to web forms, SOAP requests, REST or any other protocol.

Access Control Limits

Tags: ACLs

System security overview

December 13, 2013

Industry best practices are used to secure our systems for the whole of the SDLC.

Overview

stSoftware systems are designed to meet or exceed all aspects of the Australian Government Protective Security Policy Framework (PSPF). At stSoftware, we take security very seriously. Our servers are locked down to be accessed only via secure shell and from specific IP addresses, and they are constantly monitored. There is no direct access by developers or business users to the underlying system. All changes by site developers are kept within a sandbox that only ever allows validated changes and prevents direct access to the underlying machines.

Network design

Best practice network design for a fully redundant, fault tolerant stSoftware server cluster has:-

Server Lockdown

All Linux servers are locked down to the highest security standards possible: all services are off by default and all ports are shut, and only the required services are started.

Password Management

The system administrator can configure the system password options to find the correct balance between convenience and security. The password and login options can be configured at the user level also.

Data Access Layer 

All protocols access the underlying data through the DAL (data access layer). There is NO direct access to the underlying data store, no matter which protocol is used. Each protocol accepts the request to read or write data, performs its own protocol-level validation, and then passes the request on to the DAL. The DAL in turn validates the request, checks the user's access and performs any further validation before returning the result.
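The following Python is an added example (not the product's code) of the design described here and under User Access Control Limits above: two protocol front ends, a web-form handler and a REST handler, each validate their own input shape and then hand the request to one data access layer, and only the DAL decides whether the CRUD operation is allowed. The access levels follow the Owner, User, Readonly and Guest descriptions given under User Password Options; the class names, the per-level grants and the handler shapes are assumptions made for the illustration.

```python
# Added example: a single enforcement point (the DAL) applies the same ACLs to every
# protocol. Access levels follow the page's description (Owner, User, Readonly, Guest);
# the classes, per-level grants and handler shapes are assumptions for the example.
from dataclasses import dataclass, field

CREATE, READ, UPDATE, DELETE = "create", "read", "update", "delete"
OWNER, USER, READONLY, GUEST = "owner", "user", "readonly", "guest"

# Per-class ACLs for the User level. Readonly is derived (read only), Guest gets
# nothing unless expressly granted, Owner bypasses the table.
CLASS_ACLS = {
    "Invoice": {CREATE, READ, UPDATE},   # users may not delete invoices
    "AuditLog": {READ},                  # audit records are append-only for users
}


@dataclass
class Login:
    name: str
    level: str
    grants: set = field(default_factory=set)  # (class, op) pairs granted to a Guest


def is_allowed(login, cls, op):
    """The ACL decision. Called only from the DAL so no protocol can bypass it."""
    if login.level == OWNER:
        return True                            # most access controls do not apply
    if login.level == GUEST:
        return (cls, op) in login.grants       # no access unless expressly granted
    allowed = CLASS_ACLS.get(cls, set())
    if login.level == READONLY:
        allowed = allowed & {READ}             # all classes read-only by default
    return op in allowed


class DataAccessLayer:
    """All reads and writes go through execute(); it is the only path to the store."""

    def __init__(self):
        self.store = {}     # (cls, id) -> record dict
        self.next_id = 1

    def execute(self, login, cls, op, record_id=None, data=None):
        if not is_allowed(login, cls, op):
            raise PermissionError("%s may not %s %s" % (login.name, op, cls))
        if op == CREATE:
            record_id, self.next_id = self.next_id, self.next_id + 1
            self.store[(cls, record_id)] = dict(data or {})
            return record_id
        if op == READ:
            return self.store.get((cls, record_id))
        if op == UPDATE:
            self.store[(cls, record_id)].update(data or {})
            return record_id
        if op == DELETE:
            return self.store.pop((cls, record_id), None) is not None
        raise ValueError("unknown operation %r" % op)


def web_form_handler(dal, login, form):
    """Web front end. Form fields: class, action, optional id, plus field values."""
    fields = {k: v for k, v in form.items() if k not in ("class", "action", "id")}
    record_id = int(form["id"]) if form.get("id") is not None else None
    return dal.execute(login, form["class"], form["action"], record_id, fields)


HTTP_TO_OP = {"POST": CREATE, "GET": READ, "PUT": UPDATE, "DELETE": DELETE}


def rest_handler(dal, login, method, path, body=None):
    """REST front end. Path shape: /<class>[/<id>]; the HTTP verb selects the operation."""
    parts = path.strip("/").split("/")
    record_id = int(parts[1]) if len(parts) > 1 else None
    return dal.execute(login, parts[0], HTTP_TO_OP[method], record_id, body)


def demo():
    """Same decision for the same login and operation, whichever protocol is used."""
    dal = DataAccessLayer()
    owner, clerk = Login("root", OWNER), Login("clerk", USER)
    auditor = Login("auditor", READONLY)
    guest = Login("visitor", GUEST, grants={("Invoice", READ)})
    inv = web_form_handler(dal, clerk, {"class": "Invoice", "action": CREATE, "total": 120})
    results = {
        "clerk_reads_rest": rest_handler(dal, clerk, "GET", "/Invoice/%d" % inv)["total"],
        "guest_reads_granted": rest_handler(dal, guest, "GET", "/Invoice/%d" % inv)["total"],
    }
    attempts = [
        ("auditor_create_rest", lambda: rest_handler(dal, auditor, "POST", "/Invoice", {})),
        ("auditor_create_form", lambda: web_form_handler(dal, auditor, {"class": "Invoice", "action": CREATE})),
        ("clerk_delete", lambda: rest_handler(dal, clerk, "DELETE", "/Invoice/%d" % inv)),
        ("guest_read_auditlog", lambda: rest_handler(dal, guest, "GET", "/AuditLog/1")),
    ]
    for label, call in attempts:
        try:
            call()
            results[label] = "allowed"
        except PermissionError:
            results[label] = "denied"
    results["owner_delete"] = rest_handler(dal, owner, "DELETE", "/Invoice/%d" % inv)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

The point of the structure is that a new protocol (SOAP, a bulk import, a scheduled job) gets the same ACL behaviour for free, because the only way to touch the store is DataAccessLayer.execute(); a front end that forgot to check access would still be stopped there.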

Standard SQL injection and Cross-Site Scripting attacks are run against each component as part of the normal nightly unit testing.

How to view current active sessions for a user ?

April 8, 2014

Click on the "Welcome" message to view your setup.

Overview

By clicking on the "Welcome <user name>" message you will be shown your user setup, including the list of current sessions.

If you see an IP address that is unfamiliar to you, we suggest you change your password immediately to secure your account against unauthorized access. Your current IP address is displayed below the table. In most cases, we guess the location by matching your IP address to a broad geographical location. The location and IP mappings might not always be accurate, especially in cases where the logins are old.

Click on any of the active sessions to see the full session details and forcibly logout the session if required.

List of current sessions