Comprehensive Cybersecurity Tips and Tools for Website Hardening
Frosty Walker, Chief Information Security Officer at Texas Education Agency, leads the Data Security Advisory Committee offering guidance to Texas education communities. Explore resources like the Texas Gateway for cybersecurity tips and tools, process flow charts, application diagrams, and a vulnerability scanning program for secure development practices.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
CYBERSECURITY TIPS AND TOOLS- WEBSITE HARDENING Frosty Walker Chief Information Security Officer Texas Education Agency Frosty.Walker@tea.texas.gov (512) 463-5095
Data Security Advisory Committee The Data Security Advisory Committee (DSAC) provides guidance to the Texas education communities, maximizing collaboration and communication regarding information security issues and resources which can be utilized within the educational communities served. The DSAC is currently comprised of representatives from school districts, ESCs, TEA and the private sector.
Texas Gateway https://www.texasgateway.org/ Cybersecurity Tips and Tools
Planning a Secure Application Maintaining an Existing Site
Simple Application Diagram HTTPS (SSL via TLS 1.2) Port 443 with HTTP Strict Transport Security https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
Vulnerability Scanning Program Once the development of the application starts, we should be prepared to start your Vulnerability Scanning. Vulnerability Scanning should take place as sprints or modules are completed. The most economical and efficient time to correct security issues are during this early phase of the project. By the time the application is ready to move into TEST, it should be clean of most vulnerabilities or we have documented artifacts and potential remediation steps to resolve the issues during a TEST release. Each release version in TEST should be scanned and remediation efforts scheduled. Prior to being promoted into PRODUCTION, all vulnerabilities (not warnings) should be remediated. As soon as it is in production, it should be scanned again to make sure it is clean.
Vulnerability Scanning Program Once the application is in production, we start routine scanning for any issues (at a minimum once a quarter) and planned remediation. Additionally, any new releases should be scanned and remediated in DEV/TEST prior to being promoted to production.
Who needs an Application Vulnerability Scanning Program? If you develop applications in-house, you need a Vulnerability Scanning Program. A vulnerability Scanner should do at least four things: Identify security issues Identify where the security issues are located Estimate the amount of time it will take to remediate the issue References how to resolve the security issue
What should be included in a Vulnerability Scanning Program? All of your publicly-facing applications at a minimum should be routinely scanned for vulnerabilities and remediation steps should be taken to resolve issues in a timely manner.
You can outsource everything, except responsibility. John Keel, Texas State Auditor
Sample Contract Language with NYE conducting Vulnerability Scanning Program Name of Your Entity (NYE) expects all partners, consultants, and vendors to abide by NYE information security policies. Appropriate security controls shall be incorporated at all relevant stages of data storage, processing, transmission, and destruction. This is to accomplish the overall information security objective of mitigating risk, both directly and indirectly, to any NYE-managed or business partner- managed information resource. administrative, technical, and physical
The off-site downloading, transfer, and/or storage of sensitive and protected data is strictly prohibited. Any NYE data that is stored, transmitted, or processed on non-NYE computers or media renders them subject to Public Information Act requests. Websites or portals shall be accessible through a secure connection (HTTPS-only, with HTTP Strict Transport Security (HSTS)), utilizing Transport Layer Security (TLS) version 1.2 or higher. NYE retains the right to scan websites for vulnerabilities and request remediation of identified issues in a timely manner not to exceed three months.
Vendor agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The following sample list of requirements is given to exemplify best application practices: a. Usage-limiting techniques countermeasures wherever a denial-of-service or automated attack vulnerability is clearly inherent in the architecture. b. Sufficiently strong encryption, per industry standards, wherever confidential data is at rest or traverses a network. c. Effective error handling that does not return unnecessarily verbose messages to the user that could be used to gain insight into application internals or other privileged processes or data. and development and other protective
Vendor will notify NYE within committed timeframes to the NYE Information Security Officer, of a security or privacy incident including but not limited to an actual or suspected security breach or denial of service attack that will affect infrastructure and operations as set forth in the service agreement. Further, vendor will notify NYE within 24 hours of any new report of any security vulnerability that affects their platforms directly or indirectly, that is published in sources including but not limited to the CVE and US- CERT, and will provide mitigation or repair advice within 72 hours. Vendor will provide a roadmap for final resolution within one week, and complete remediation must conclude within three months.
Sample Contract Language with Vendor conducting Vulnerability Scanning Program Name of Your Entity (NYE) expects all partners, consultants, and vendors to abide by NYE information security policies. Appropriate security controls shall be incorporated at all relevant stages of data storage, processing, transmission, and destruction. This is to accomplish the overall information security objective of mitigating risk, both directly and indirectly, to any NYE-managed or business partner- managed information resource. administrative, technical, and physical
The off-site downloading, transfer, and/or storage of sensitive and protected data is strictly prohibited. Any NYE data that is stored, transmitted, or processed on non-NYE computers or media renders them subject to Public Information Act requests. Websites or portals shall be accessible through a secure connection (HTTPS-only, with HTTP Strict Transport Security (HSTS)), utilizing Transport Layer Security (TLS) version 1.2 or higher. NYE retains the right to scan websites for vulnerabilities and request remediation of identified issues in a timely manner not to exceed three months.
Vendor agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security.
The following sample list of requirements is given to exemplify best application practices. a. Usage-limiting techniques countermeasures wherever a denial-of-service or automated attack vulnerability is clearly inherent in the architecture. b. Sufficiently strong encryption, per industry standards, wherever confidential data is at rest or traverses a network. c. Effective error handling that does not return unnecessarily verbose messages to the user that could be used to gain insight into application internals or other privileged processes or data. d. Vendor agrees to run quarterly Vulnerability Scans on any NYE application in production and will share Vulnerability Scan report with NYE along with a roadmap for completion vulnerabilities within a 90 day timeframe and development and other protective remediation of all
Vendor will notify NYE within committed timeframes to the NYE Information Security Officer, of a security or privacy incident including but not limited to an actual or suspected security breach or denial of service attack that will affect infrastructure and operations as set forth in the service agreement. Further, vendor will notify NYE within 24 hours of any new report of any security vulnerability that affects their platforms directly or indirectly, that is published in sources including but not limited to the CVE and US- CERT, and will provide mitigation or repair advice within 72 hours. Vendor will provide a roadmap for final resolution within one week, and complete remediation must conclude within three months.