We’ve been VerAfied! Part Two

If you have not read part one of this post, read it here.


Veracode’s Risk Adjusted Verification Methodology

The ‘VerAfied’ standards-based mark of security quality was established by Veracode to provide a pragmatic way to measure and compare risk levels related to application security, and it is designed with industry standards in mind. Its basis is the “Security Quality Score”, an aggregate of all the security flaws uncovered by the scans described above, categorized by severity of flaw and normalized to a 0 to 100 scale. As stated above, PortalGuard achieved a ‘100’ “Security Quality Score” for both the Static and Dynamic evaluation types, and has therefore been confirmed to contain no vulnerabilities of any severity level (from very low to very high) in either test, nor any vulnerabilities from the OWASP Top 10 or CWE/SANS Top 25 lists. The major credibility behind the ‘VerAfied’ mark is that it combines an array of respected industry standards into one meaningful system. Some of the industry standards it leverages are:

MITRE’s Common Weakness Enumeration (CWE) – A compilation of identified flaws, each associated with a CWE ID number and a severity measurement based on the confidentiality, integrity, and availability impacts the flaw may cause, as defined in FIRST’s CVSS, described below.

FIRST’s Common Vulnerability Scoring System (CVSS) – A vulnerability scoring system used by the National Vulnerability Database (NIST’s U.S. government repository of standards-based vulnerability management data), as well as by other major software corporations. The system has been highly recommended, and was described by Gartner as “…a powerful approach for businesses to standardize the impact assessment and prioritization of IT vulnerabilities.”

NIST’s definitions of assurance levels – Found in OMB document M-04-04, the assurance levels described there are organized according to damage to reputation, financial loss or liability, harm to operations, unauthorized information disclosure, and personal safety, among others. Specifically, Veracode’s scans support the requirements of the NIST Source Code Security Analysis Tool Functional Specification Version 1.0.


For more information on these systems, please visit their organizations’ respective websites included above.  More information regarding Veracode and their mark of quality can be found on their website.


We are very excited to have worked with Veracode on achieving PortalGuard’s ‘VerAfied’ status, and even more excited to have had our product pass all of their vulnerability scans with perfect scores, and flying colors.

Trying to Secure a Global Perimeter? – Remote Workers and Access Pose a Threat

A trend on the rise in many organizations has dramatically changed the way security is implemented: the introduction of a remote workforce. The number of remote workers has been growing and is only increasing as time goes on. The perimeter you were responsible for securing, once contained within the four walls of the organization’s headquarters, has now expanded to a global perimeter. At a trade show we attended, an attendee discussing this same topic with the PortalGuard team casually took his smartphone out of his pocket, saying, “This is the perimeter which I as the CISO have to secure. Wherever this device is, is how far our organizational security must reach”.

To shed some light on the reasons for the increase in remote workers, and to highlight the industries with the most remote workers, Microsoft created a Remote Working Study – Industry PowerPoint that lays out the facts. After surveying 4,523 information workers in the U.S., several findings emerged:

  • 57% of the information workers said that their organization has a policy to allow them to work remotely
  • These workers would actually prefer to work remotely twice as much as they are now
  • The support for working remotely really comes from their peers and not from upper management
  • The primary reasons they enjoy working remotely are to be able to balance work and home priorities and to avoid long commutes
  • 77% say that their organization provides technical support for working remotely
  • View the Full Microsoft PowerPoint 

After reading the whole report, there are definite IT security concerns created by this remote workforce. For example, BYOD (Bring Your Own Device) has become an issue as these mobile workers use their personal tablets, smartphones, etc. to access organizational information. Securing external access is also often a headache for IT staff. By allowing external access, for example to email via Outlook Web Access (OWA), the organization has to balance usability against security. To be usable, the access has to be available anywhere at any time, but this also makes it available to unauthorized users. If your organization falls into one of the industries with a larger remote workforce (financial, manufacturing, retail/hospitality, and professional services), this makes you a large target for attacks and malicious behavior.

So how do you monitor a global, ever changing, perimeter?

###

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication, self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.

http://www.PortalGuard.com

Subscribe to our newsletter: http://portalguard.com/contact_us.php

https://twitter.com/portalguard

http://pinterest.com/pistolstar/portalguard

http://www.facebook.com/pistolstar.authentication

http://www.facebook.com/pages/PortalGuard/240761992635169

Outlook Web App Authentication Types

Outlook Web App (OWA), formerly Outlook Web Access, is the web interface to Exchange Server 2010 email.  OWA allows users to access their email from a web browser and not be dependent on having the Outlook application installed on the computer they are using.  As with any application that allows users to access sensitive data, users must first authenticate before gaining access to their email.

OWA has four built-in authentication methods:

Integrated Authentication: Domain users that are already logged into the internal Domain through the initial Windows login get automatic access to OWA without being prompted.

Basic Authentication: Username and password are collected via the standard Windows Security dialog and sent over HTTP to the server.

Digest Authentication: This method is similar to Basic Authentication except that the password is hashed before transmission.

Forms-Based Authentication: Login credentials are collected from a Sign-in web page branded as the OWA login page.

In addition, OWA can also be configured to use claims-based authentication, an industry standard that uses a SAML token for authentication. On its own, OWA does not support claims-based authentication; however, Windows Identity Foundation (WIF) comes with a service that can convert a claims token into a Windows token that OWA can use to authenticate the user.
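The practical difference between Basic and Digest authentication described above, shown in Python as an added example (this is not code from PortalGuard, Microsoft or OWA). It decodes a constructed Basic Authorization header to show that Basic only base64-encodes the credentials, then builds and verifies an RFC 2617 Digest exchange in which only an MD5 response, never the password, crosses the wire. The realm, nonce, username and password are constructed sample values, and the header layout follows RFC 2617 rather than any specific Exchange version.

```python
import base64
import hashlib
import secrets

# Constructed sample values; they do not come from any real OWA deployment.
REALM = "owa.example.com"
METHOD = "GET"
URI = "/owa/"
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"jsmith:Passw0rd!").decode("ascii")


def decode_basic(authorization_header):
    """Recover the credentials carried by an HTTP Basic Authorization header.

    Basic authentication only base64-encodes "user:password"; it does not
    encrypt anything, so anyone who can read the request (no TLS) reads the
    password. This is what the server, or a proxy in the path, sees.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 per RFC 2617: the only password-derived value the server must store."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; the password itself never appears here."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(username, realm, password, method, uri, nonce,
                        nc="00000001", cnonce=None):
    """Client side: the Authorization header a browser sends after a 401 Digest challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(digest_ha1(username, realm, password),
                               method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest_header(header):
    """Split 'Digest k="v", k=v, ...' into a dict (values here contain no commas)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for part in params.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def verify_digest_header(header, stored_ha1, method, expected_nonce):
    """Server side: recompute the response from the stored HA1 and compare.

    Returns True only if the client knew the password for this username and
    realm and answered the nonce the server actually issued.
    """
    f = parse_digest_header(header)
    if f.get("nonce") != expected_nonce:  # stale or replayed challenge
        return False
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f.get("qop", "auth"))
    return secrets.compare_digest(expected, f["response"])


if __name__ == "__main__":
    user, pw = decode_basic(SAMPLE_BASIC_HEADER)
    print(f"Basic header reveals user={user!r} password={pw!r}")

    server_nonce = secrets.token_hex(16)  # issued by the server in its 401 challenge
    header = build_digest_header("jsmith", REALM, "Passw0rd!", METHOD, URI, server_nonce)
    print("Digest header on the wire:", header)
    print("password present in header?", "Passw0rd!" in header)
    print("server accepts:", verify_digest_header(
        header, digest_ha1("jsmith", REALM, "Passw0rd!"), METHOD, server_nonce))
```

Two points a practitioner should take from this: Basic authentication without SSL exposes the password to anyone on the network path, and Digest still rests on MD5 and obliges the server to keep HA1, which is a password-equivalent for that realm. Both methods therefore belong behind SSL regardless of which one OWA is configured to use.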

Check back shortly to see more articles that describe each authentication method in more detail.

###


Does Your OWA Site Show Up in Google?

Does your organization’s Outlook Web App (OWA) site show up in Google? Many OWA implementations are easily found through Google, for example Marriott (https://owa.marriott.com/jump/) or Boston University (http://www.bu.edu/tech/comm/email/exchange/owa/). Although there are security measures you can take, such as implementing forms-based authentication, having users select strong passwords, and using SSL encryption, having your OWA as a public-facing site exposes vulnerabilities that hackers are aware of. Although you are trying to provide your employees with anywhere, anytime access, it could be a huge risk to your organization, since many attacks start with email accounts.

The linked article goes into detail on how to test an OWA implementation, or any webmail site, for the ability to be hacked. Although it is meant to help you test the vulnerabilities of your OWA implementation, the article also provides a road map for attackers. There are multiple steps, the first being to enumerate the usernames of an organization. There are multiple tools that assist hackers in searching your website and any available data to determine the pattern used to create usernames (e.g. John Smith = JSmith). For example, Metagoofil searches a particular domain for documents and parses out metadata, looking for multiple pieces of information including usernames. The next step is to create a password list to be used when making login attempts. Then programs such as OWABF (OWA Brute Force) are used to perform brute-force attacks on the OWA login. Even with strike-out limits in place, there are multiple ways to automate the attack and gain access to a public OWA account.

This information is not meant to make you worry, but to prompt you to double-check how you are securing your OWA login. A strong suggestion would be to consider strengthening authentication, both around the OWA login and around any self-service password management functionality you have in place, using either two-factor authentication or transparent user authentication.

###


OWA Security Risks – Are You Overlooking Something?

The security perimeter is expanding as more and more of the workforce becomes mobile and requires remote access to company resources. Not only are these workers asking for remote access, but they want it on a consistent 24×7 basis. One of the main resources that must be available is email, and for many organizations Outlook Web App (OWA) is the answer.

As with many aspects of the migration to a mobile workforce, there is huge concern about how this will change the IT structure of the organization, especially when it comes to data security. Most attacks start with email accounts, making OWA a huge target.

Although most companies protect their OWA deployments with forms-based authentication as a minimum, there are still vulnerabilities that should be of concern.

In the upcoming weeks we will be highlighting some of these security threats you should be aware of when having your “OWA open to the world”:

  • User security awareness: leaving the browser and session open on a public machine
  • Brute-force attacks: such as Outlook Web App Brute Force made specifically for OWA attacks
  • Man-in-the-Middle attacks
  • Keystroke Loggers
  • Weak passwords
  • BYOD: users using personal devices to access OWA
  • Spoofed HTTPS connections
  • Enumerating usernames (MetaGoofil, FOCA, theHarvester)
  • Providing remote access to users
  • Checking email in a public location
  • OWABF
  • WMAT

And many more…

Remember that there are always risks when mixing email with web server technology, and OWA is a widely adopted form of that integration. Check back for more in the following posts.

###

Visit PortalGuard.com for information about how the authentication platform can secure your OWA implementation.
