CYBERSECURITY TIPS AND TOOLS: WEBSITE HARDENING
Frosty Walker, Chief Information Security Officer, Texas Education Agency
Frosty.Walker@tea.texas.gov, (512) 463-5095
Data Security Advisory Committee The Data Security Advisory Committee (DSAC) provides guidance to the Texas education communities, maximizing collaboration and communication regarding information security issues and resources which can be utilized within the educational communities served. The DSAC is currently comprised of representatives from school districts, ESCs, TEA and the private sector.
Texas Gateway: https://www.texasgateway.org/ (Cybersecurity Tips and Tools)
Planning a Secure Application Maintaining an Existing Site
Process Flow Chart
Simple Application Diagram: HTTPS (SSL via TLS 1.2) on port 443 with HTTP Strict Transport Security. https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
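The diagram above, and the HTTPS-only / HSTS / TLS 1.2-or-higher clause in the sample contract language later in the deck, describe a transport requirement that can be checked mechanically. The following is an added example, not part of the original slides: it takes a constructed probe record (TLS version negotiated, whether plain HTTP redirected to HTTPS, response headers) and reports every way the site falls short. The one-year HSTS max-age threshold is an assumption; the slides give no value.

```python
"""Check a site against the slides' transport requirements:
HTTPS only on port 443, TLS 1.2 or higher, and an HSTS policy.
Added example; the Observation shape is assumed, not from the deck."""
import re
from dataclasses import dataclass, field

MIN_TLS = (1, 2)             # "TLS version 1.2 or higher"
HSTS_MIN_MAX_AGE = 31536000  # one year: assumed threshold, the slides give none


@dataclass
class Observation:
    """Constructed record of one probe of a site."""
    tls_version: str                 # e.g. "TLSv1.2", as reported by the TLS library
    http_redirects_to_https: bool    # plain-HTTP request answered with a redirect to https://
    headers: dict = field(default_factory=dict)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into {directive: argument}.
    Returns {} when the header is absent or has no numeric max-age, so a
    malformed policy is treated the same as a missing one."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return {}
    directives["max-age"] = int(directives["max-age"])
    return directives


def tls_tuple(version):
    """'TLSv1.2' -> (1, 2); anything unrecognised sorts below every real version."""
    m = re.fullmatch(r"TLSv(\d)\.(\d)", version)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def check_transport(obs):
    """Return a list of findings; an empty list means the site is compliant."""
    findings = []
    if tls_tuple(obs.tls_version) < MIN_TLS:
        findings.append(f"TLS below 1.2: {obs.tls_version}")
    if not obs.http_redirects_to_https:
        findings.append("plain HTTP served without redirect to HTTPS")
    headers = {k.lower(): v for k, v in obs.headers.items()}  # header names are case-insensitive
    hsts = parse_hsts(headers.get("strict-transport-security", ""))
    if not hsts:
        findings.append("HSTS header missing or malformed")
    elif hsts["max-age"] < HSTS_MIN_MAX_AGE:  # max-age=0 tells browsers to forget the policy
        findings.append(f"HSTS max-age too short: {hsts['max-age']}")
    return findings
```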
Application Diagram with Firewall
Application Diagram with Segmented Network
Vulnerability Scanning Program
• Once development of the application starts, be prepared to start vulnerability scanning.
• Vulnerability scanning should take place as sprints or modules are completed.
• The most economical and efficient time to correct security issues is during this early phase of the project.
• By the time the application is ready to move into TEST, it should be clean of most vulnerabilities, or we should have documented artifacts and potential remediation steps to resolve the issues during a TEST release.
• Each release version in TEST should be scanned and remediation efforts scheduled.
• Prior to being promoted into PRODUCTION, all vulnerabilities (not warnings) should be remediated.
• As soon as it is in production, it should be scanned again to make sure it is clean.
Vulnerability Scanning Program Once the application is in production, we start routine scanning for any issues (at a minimum once a quarter) and planned remediation. Additionally, any new releases should be scanned and remediated in DEV/TEST prior to being promoted to production.
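The release gates described above can be encoded so a pipeline enforces them rather than a checklist. This is an added example, not from the slides: it assumes a scanner output normalised to a simple Finding record and applies the deck's rules, namely that warnings never block, an open vulnerability may enter TEST only with a scheduled remediation, nothing open enters PRODUCTION, and production is rescanned at least quarterly (the 92-day bound is an assumption).

```python
"""Policy-as-code for the scanning program on these slides.
Added example; the Finding shape and the 92-day quarter are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

QUARTER = timedelta(days=92)  # "at a minimum once a quarter"; 92 days is an assumed bound


@dataclass
class Finding:
    """One scanner result (constructed shape)."""
    id: str
    severity: str                 # "vulnerability" or "warning", the slides' own distinction
    remediated: bool
    remediation_planned: Optional[date] = None   # the documented remediation step, if any


def promotion_blockers(findings: List[Finding], target: str) -> List[str]:
    """Return the ids of findings that block a release from entering `target`.

    TEST: an open vulnerability blocks only when no remediation is scheduled,
    since the slides accept documented artifacts and a plan at that stage.
    PRODUCTION: every open vulnerability blocks. Warnings never block."""
    blockers = []
    for f in findings:
        if f.severity != "vulnerability" or f.remediated:
            continue
        if target == "PRODUCTION" or f.remediation_planned is None:
            blockers.append(f.id)
    return blockers


def production_scan_overdue(last_scan: date, today: date) -> bool:
    """True when production has gone more than a quarter without a scan."""
    return today - last_scan > QUARTER


def release_decision(findings, target, last_prod_scan=None, today=None):
    """Combine both checks into one pass/fail with reasons."""
    reasons = [f"open vulnerability {i}" for i in promotion_blockers(findings, target)]
    if target == "PRODUCTION" and last_prod_scan and production_scan_overdue(last_prod_scan, today or date.today()):
        reasons.append("production scan older than one quarter")
    return (not reasons, reasons)
```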
Who needs an Application Vulnerability Scanning Program? If you develop applications in-house, you need a Vulnerability Scanning Program. A vulnerability scanner should do at least four things:
• Identify security issues
• Identify where the security issues are located
• Estimate the amount of time it will take to remediate the issue
• Reference how to resolve the security issue
What should be included in a Vulnerability Scanning Program? All of your publicly-facing applications at a minimum should be routinely scanned for vulnerabilities and remediation steps should be taken to resolve issues in a timely manner.
“You can outsource everything, except responsibility.” John Keel, Texas State Auditor
Sample Contract Language with NYE conducting Vulnerability Scanning Program. Name of Your Entity (NYE) expects all partners, consultants, and vendors to abide by NYE information security policies. Appropriate administrative, technical, and physical security controls shall be incorporated at all relevant stages of data storage, processing, transmission, and destruction. This is to accomplish the overall information security objective of mitigating risk, both directly and indirectly, to any NYE-managed or business partner-managed information resource.
The off-site downloading, transfer, and/or storage of sensitive and protected data is strictly prohibited. Any NYE data that is stored, transmitted, or processed on non-NYE computers or media renders them subject to Public Information Act requests. Websites or portals shall be accessible through a secure connection (HTTPS-only, with HTTP Strict Transport Security (HSTS)), utilizing Transport Layer Security (TLS) version 1.2 or higher. NYE retains the right to scan websites for vulnerabilities and request remediation of identified issues in a timely manner not to exceed three months.
Vendor agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The following sample list of requirements is given to exemplify best application and development practices:
a. Usage-limiting techniques and other protective countermeasures wherever a denial-of-service or automated attack vulnerability is clearly inherent in the architecture.
b. Sufficiently strong encryption, per industry standards, wherever confidential data is at rest or traverses a network.
c. Effective error handling that does not return unnecessarily verbose messages to the user that could be used to gain insight into application internals or other privileged processes or data.
Vendor will notify the NYE Information Security Officer, within committed timeframes, of a security or privacy incident, including but not limited to an actual or suspected security breach or denial of service attack that will affect infrastructure and operations as set forth in the service agreement. Further, vendor will notify NYE within 24 hours of any new report of any security vulnerability that affects their platforms directly or indirectly, that is published in sources including but not limited to the CVE and US-CERT, and will provide mitigation or repair advice within 72 hours. Vendor will provide a roadmap for final resolution within one week, and complete remediation must conclude within three months.
Sample Contract Language with Vendor conducting Vulnerability Scanning Program. Name of Your Entity (NYE) expects all partners, consultants, and vendors to abide by NYE information security policies. Appropriate administrative, technical, and physical security controls shall be incorporated at all relevant stages of data storage, processing, transmission, and destruction. This is to accomplish the overall information security objective of mitigating risk, both directly and indirectly, to any NYE-managed or business partner-managed information resource.
The off-site downloading, transfer, and/or storage of sensitive and protected data is strictly prohibited. Any NYE data that is stored, transmitted, or processed on non-NYE computers or media renders them subject to Public Information Act requests. Websites or portals shall be accessible through a secure connection (HTTPS-only, with HTTP Strict Transport Security (HSTS)), utilizing Transport Layer Security (TLS) version 1.2 or higher. NYE retains the right to scan websites for vulnerabilities and request remediation of identified issues in a timely manner not to exceed three months.
Vendor agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security.
The following sample list of requirements is given to exemplify best application and development practices:
a. Usage-limiting techniques and other protective countermeasures wherever a denial-of-service or automated attack vulnerability is clearly inherent in the architecture.
b. Sufficiently strong encryption, per industry standards, wherever confidential data is at rest or traverses a network.
c. Effective error handling that does not return unnecessarily verbose messages to the user that could be used to gain insight into application internals or other privileged processes or data.
d. Vendor agrees to run quarterly Vulnerability Scans on any NYE application in production and will share the Vulnerability Scan report with NYE along with a roadmap for completing remediation of all vulnerabilities within a 90 day timeframe.
Vendor will notify the NYE Information Security Officer, within committed timeframes, of a security or privacy incident, including but not limited to an actual or suspected security breach or denial of service attack that will affect infrastructure and operations as set forth in the service agreement. Further, vendor will notify NYE within 24 hours of any new report of any security vulnerability that affects their platforms directly or indirectly, that is published in sources including but not limited to the CVE and US-CERT, and will provide mitigation or repair advice within 72 hours. Vendor will provide a roadmap for final resolution within one week, and complete remediation must conclude within three months.
Questions?