1.0 Executive Summary
Please note that TrustedSec is not disclosing these exposures as they are still active and present a risk to the integrity of the web site. TrustedSec will release the exposures that have already been addressed and pose no risk to personal information or risk of loss of integrity of the system. In addition, under no circumstance did TrustedSec perform any form of "hacking." All information was gathered through purely passive reconnaissance and enumeration of information that is already available on the Internet (Google). If these exposures exist without actually attacking the site, there is a serious question as to the integrity of the system itself and its back-end infrastructure.
TrustedSec cannot state with one hundred percent certainty that the back-end infrastructure is vulnerable; however, based on our extensive experience performing application security assessments for over ten years, the web site has the symptoms that lead to large-scale breaches for large organizations. Also note that all exposures have been reported and TrustedSec would be more than willing to have discussions with HHS to address the security concerns.
TrustedSec's opinion still holds strong that the web site fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of protection for the web site itself. This opinion is not unique, as other security researchers such as
It is accurate that no system can ever remain one hundred percent protected against threats; however, it is possible to make compromise of the site extremely difficult, protect the information, and detect the attacks as they happen. Additionally, in the event of a compromise, protecting the sensitive data through appropriate access control and monitoring can also limit the impact of lapses in security. Immediate action must be taken in the federal government to protect sensitive information and remain competitive with other nations. TrustedSec has a section dedicated to the recommendations for the federal government for moving forward and hopes that the testimony on the 16th can lead to better proactive practices around information security and sweeping changes in how contractors are selected in the federal space. This opinion is not TrustedSec's alone; the
2.0 Healthcare.gov Evolution
In the testimony on
TrustedSec still recommends developing a version 2.0 in conjunction with the current site; however, there is inherent risk in this approach. The site is currently vulnerable, which is evident and highly clear at this point. Immediate action for the time being to patch the existing flaws should be considered while developing a "2.0" future strategy for healthcare.gov with security integration. Additionally, it was recently disclosed that CGI is no longer the contractor performing updates or new rollouts of the web site and that
3.0 Monitoring and Detection Capabilities
A memo released on
TrustedSec has documented below a detailed phased rollout of monitoring and detection capabilities:
TrustedSec has detailed recommendations on developing the monitoring and detection capabilities for the healthcare.gov infrastructure. What TrustedSec finds is that, through early warning indicators and blocking an attacker in the early stages of an attack, an organization can better handle threats towards its infrastructure and minimize the damage. TrustedSec has created a diagram of the standard flow of information, which incorporates the highest risk areas for an organization to protect. INFOSEC cannot protect everything within an environment, but having detection capabilities on the critical pieces of an infrastructure can better reduce a large exposure.
Note that the above is just an example of a centralized approach to monitoring and detection capabilities. High-risk geographies may include entry points into other government agencies, and the places where personally identifiable information (PII), sensitive data, and/or intellectual property reside must be protected.
3.1 Short-Term Objectives
In the short-term objectives, developing specific use cases that can help better detect attacks, as well as triaging the current (if any) security assessments to better develop monitoring and detection capabilities, should occur. Additionally, standing up a formal security operations center, which was noted back in the November testimony, would be highly beneficial for the detection of attacks.
3.2 Mid-Term Objectives
As the monitoring and detection program continues to expand to the entire infrastructure, it will continue to need tweaks and additions in order to better gain visibility into the organization. This could be getting more visibility into web applications or backend databases, but ultimately the goal is to develop a central repository where all information resides and to detect anomalies in the network. The mid-term objectives primarily begin once the short-term objectives have been accomplished. The strategy around the mid-term objectives is to further expand the reach of the monitoring and detection program. Initially the focus is on basic attacks but grows to more advanced and targeted attacks.
Secondly, focusing on enhancing the overall detection capabilities against new and different types of attack vectors would be desirable in this phase.
3.3 Long-Term Objectives
A monitoring and detection program is a continual program that requires adequate testing and continuous monitoring. Most organizations fail to staff accordingly to identify threats. A monitoring and detection program is one of the most important areas of an information security program as it is the last line of defense if an attacker has circumvented the security controls you have in place and has access to the organization.
Once the short- and mid-term objectives are complete, a larger focus on continual expansion for full coverage of the architecture should be considered. This would include having full monitoring and detection capabilities across the entire infrastructure. This level of coverage will give full visibility into the different anomalies and patterns of attack within the organization. While it may not be practical to address every system within the organization, identifying the key strategic points of attack will be the most challenging part of the deployment plan. As the monitoring and detection program expands, there will need to be considerations of places where detection does not make sense. Specifically, if the short- and mid-term objectives have been completed, this phase would be more about maintenance and the addition of systems than rapid expansion.
4.0 End-To-End Testing
Appropriate security testing on the healthcare.gov web site and its supporting infrastructure was not fully completed by MITRE (http://abcnews.go.com/blogs/politics/2013/12/exclusive-security-risks-seen-at-healthcare-gov-ahead-of-sign-up-deadline/) and contained significant exposures, which had a long-term remediation date (late 2014 and 2015). This is apparent through testimony and documents released
It was also indicated that Fryer recommended against the
From the evidence presented in the public as well as the research from TrustedSec and independent security researchers, security best practices were not followed and continue to not be followed in the development of the healthcare.gov web site and its supporting infrastructure. In order for a deployment to be successful and to adequately protect the information and the integrity of the web site, security must be integrated in the very early stages of the application development and throughout the software development lifecycle. It is extremely difficult to go back after the fact and place small patches and fixes on the system in order to repair inherently flawed software and architectural designs.
In order for a Software Development Lifecycle (SDLC) process to work appropriately and to ensure no new risks are introduced, it is vital that adequate security testing is performed. This should be a combination of source code analysis as well as dynamic testing of the application (testing different use cases). Below is a description of the SDLC process with descriptions of each of the different steps within the security SDLC (SecSDLC).
The process for integrating security requires the ability to work with the SDLC in multiple areas. The first is during the initial requirements analysis phase, which begins to bring in inputs from multiple areas. In this phase, the work may be additional functionality for an existing application or it could be a completely new application. In this process, security needs an understanding of what the application is, how it will function, what type of application this will be (based on sensitive data, regulated, IP, etc.), and the risk associated with it.
The design phase is an important process both architecturally as well as programmatically. TrustedSec recommends utilizing the
When building and implementing the application, ensuring that all security components are in place and that any additional required security measures are implemented would occur during this phase. This could be additional technologies such as monitoring and detection capabilities, web application firewalls, or additional controls to ensure the protection of the application based on risk.
The testing phase is one of the most important steps of the whole process. When performing testing on the application, a combination of source code analysis as well as dynamic testing should be performed. This would include testing specific use cases and the business logic of the applications to ensure that no major exposures have been created through the SDLC process. This phase is the most important because it should catch any mistakes or problematic code that may have been introduced in prior phases.
Lastly, the evolution phase covers enhancements to the application, which should undergo the same type of process for security testing. In most cases, visual enhancements (not features) wouldn't require a security review; however, when adding new functionality or features, the testing should be quick to identify what exposures may have been introduced to the web application.
A solid standard for understanding application security is the
Lastly, Application Security isn't the only measure to protect an organization. It relies on a functioning information security program that ensures adequate controls are in place to protect an infrastructure such as healthcare.gov. End-to-end testing needs to be performed at this very moment to identify what the risk level is currently with the healthcare.gov infrastructure. This would include source code analysis, penetration testing, risk assessments, and architectural reviews in order to understand the current risk associated with the overall healthcare.gov system. From there, a roadmap to remediation and action plan to address the risk accordingly should be developed. TrustedSec highly recommends this be performed immediately and by an independent research company.
5.0 Recommendations for Healthcare.gov
A number of recommendations have already been presented in this document; this section is dedicated to summarizing them or adding additional recommendations not covered in this report.
5.1 Quick-fixes on security risk
Fix the current security problems on the web site, which pose a high or critical risk to the confidentiality or integrity of the infrastructure. Develop a "2.0" version which incorporates the new Security Software Development Lifecycle (SecSDLC) process and ensures appropriate end-to-end security testing.
5.2 Develop the SecSDLC Process
Develop the SecSDLC process that focuses on proactive security measures for protecting the information and infrastructure on healthcare.gov.
5.3 Monitoring and Detection
Develop a security operations center and ensure effective controls are in place to monitor attacks against the healthcare.gov infrastructure and supporting sites.
5.4 End-To-End Testing
Perform end-to-end testing to benchmark the existing risk towards the healthcare.gov infrastructure and take appropriate action to reduce the risk as appropriate and acceptable.
6.0 Long-Term Federal Security Adoption
As mentioned earlier, the federal government isn't known for having super secure web sites or even having adequate security to protect U.S. related sensitive data. More sweeping legislation is needed to put the federal government into the 21st century regarding security and technology. This stems from the initial contracting and development process of any new contract as well as ongoing security measures. Recently the
While this is a start and a good step forward, the problems don't solely reside on healthcare.gov. There needs to be an even broader effort to include the entire federal government. 49 states currently have breach disclosure laws for personally identifiable information and the same should be proposed in the federal space as well. Additionally, while healthcare.gov contains no actual Patient Healthcare Information (PHI), acts such as the Health Insurance Portability and Accountability Act (HIPAA) should be extended to the federal government as well.
Also in the security community is someone highly respected,
The time has come for similar oversight in the cyber arena. Much of our critical infrastructures and economy depend on organizations operating safely in cyberspace. As such, the
TrustedSec supports this approach and believes that in a time where breaches are occurring in both the public and private sector, there has never been such a prime opportunity as now to protect assets of the federal government and its people from attack.
Lastly, TrustedSec recommends a unified approach for disclosing flaws within government web sites or a "bug bounty" program that allows the centralization of bugs in one central place. This would be similar to what
Read this original document at: http://science.house.gov/sites/republicans.science.house.gov/files/documents/HHRG-113-SY-WState-DKennedy-20140116.pdf