For Official Use Only

Watch List Technical Integration Project

Information Sharing Environment

Plan of Action and Milestones – Expanded

For discussion on ATO

Prepared for

Department of Homeland Security, Office of the Chief Information Officer

Washington, D.C.

Prepared by

Thomas & Herbert Consulting, LLC

Version Number 1.0

January 27, 2006

THE ATTACHED MATERIALS CONTAIN DEPARTMENT OF HOMELAND SECURITY INFORMATION THAT IS "FOR OFFICIAL USE ONLY", OR OTHER TYPES OF SENSITIVE BUT UNCLASSIFIED INFORMATION REQUIRING PROTECTION AGAINST UNAUTHORIZED DISCLOSURE. THE ATTACHED MATERIALS MUST BE HANDLED AND SAFEGUARDED IN ACCORDANCE WITH DEPARTMENT OF HOMELAND SECURITY MANAGEMENT DIRECTIVES GOVERNING PROTECTION AND DISSEMINATION OF SUCH INFORMATION.

AT A MINIMUM, THE ATTACHED MATERIALS WILL BE DISSEMINATED ONLY ON A "NEED-TO-KNOW" BASIS AND WHEN UNATTENDED, MUST BE STORED IN A LOCKED CONTAINER OR AREA OFFERING SUFFICIENT PROTECTION AGAINST THEFT, COMPROMISE, INADVERTENT ACCESS, AND UNAUTHORIZED DISCLOSURE.

DOCUMENT CHANGE HISTORY

Version Number / Date / Author / Description
1.0 / 01/27/2006 / Robert Bollig / Initial Document

Plan of Action and Milestones Expanded for Discussions on Authority to Operate the DHS Watch List Technical Integration, Information Sharing Environment (Watch List ISE)

To achieve Authority to Operate, the Watch List Integration Project should:

- Implement the actions in the Plan of Actions and Milestones (findings identified in the Security Test and Evaluation of Technical Controls)

- Undergo full Security Test and Evaluation, including evaluation of Management Controls and Operational Controls.

- Implement needed actions to correct findings identified in the Security Test and Evaluation that includes Management Controls and Operational Controls.

- Consider and implement the recommended actions, if appropriate, presented in the Security Test and Evaluation.

- Update the certification and accreditation documents as needed to reflect the changes made in the solution.

- Present the certification and accreditation documents to the Certifying Agent and the Designated Approving Authority to grant authority to operate.

Conduct of the Operational Readiness Review is a process separate from certification and accreditation and the award of authority to operate, and is added to the POA&M (Item 16 in ST&E Findings).

The System Test and Evaluation Report states the above recommended requirements.

ST&E Findings

Each finding is recorded with the columns of the ST&E findings table: No., Finding, Platform/Services, Addressed in SSP, Plan of Action, Status, and Scheduled Completion Date To Be Mitigated.

No. 1
Finding: The Oracle™ database security patch, Oracle Critical Patch Update – October 15, 2005, is missing from the database servers.
  Reference: DHS Security Architecture Vol. 1, section 5.3.3
Platform/Services: Platform
Addressed in SSP: Part of the planned Patch Management Plan for future WLI increment.
  2.4.7 Continuous Monitoring
  3.6.5 Security Alerts and Advisories
  4.4.1 System and Communications Protection Policy and Procedures
Plan of Action: No additional milestones required.
Status: Completed 12/06/2005
Scheduled Completion Date: 12/06/2005

No. 2
Finding: No access control lists are configured in the TIBCO application. TIBCO is responsible for authentication and access control for all interfacing systems.
Platform/Services: Platform
Addressed in SSP: Chapter 4.0 Technical Security Controls
  4.1 Identification and Authentication
  4.2 Access Control
  4.2.14 Permitted Actions without Identification or Authorization
Plan of Action: In the future, based on the identification of government functional requirements and guidance requirements, a complete access control list shall be implemented. This ACL shall be maintained by the DHS ISE Administrator. Tentative and development users will be added to the TIBCO ACL IAW DHS security policy.
Status: Awaiting government guidance
Scheduled Completion Date: 03/15/2006

No. 3
Finding: The Watch List ISE application server authenticates senders and receivers every time a message is sent, using a cleartext username and password. This method of authentication has several problems:
  • The system is open to denial of service attacks because it must perform some level of processing with each incoming request.
  • Cleartext passwords can be discovered off the network and used by an attacker to access the system (replay attacks).
Platform/Services: Services
Addressed in SSP: Chapter 4.0 Technical Security Controls
  4.1.2 User Identification and Authentication
  The current edition of the SSP, subsequent to the ST&E, includes a table of accounts planned for WLI.
Plan of Action: Possible solutions include:
  (1) include the authentication of the message in the wrapper schema,
  (2) authenticate transactions via IP address, or
  (3) complete the authentication before allowing connectivity to send and receive messages.
  The needs of organizations attaching to the Data Distribution Engine will be considered in evaluating the courses of action taken.
Status: Awaiting government guidance. The cleartext password was used with Web Service (WS/SOAP) transactions only. This is because we were unable to effect change in the source XML format, which is currently TWPDES 1.0+. The source file and the parent wrapper schema could not be affected without making changes to the XML files generated by the SNOW blower.
Scheduled Completion Date: 04/10/2006

No. 4
Finding: The following Solaris™ operating system security patches are missing from the application and database servers:
  • 112945-40 SunOS 5.9: wbem patch
  • 112970-09 SunOS 5.9: patch libresolv
  • 114875-01 XML library source patch
  • 116340-04 SunOS 5.9: gzip and Freeware info files patch
  • 118558-17 SunOS 5.9: Kernel patch
  Reference: Solaris 9 Patch Report Update, November 16, 2005; DHS Security Architecture Vol. 1, section 5.3.3
Platform/Services: Platform
Addressed in SSP: Part of the planned Patch Management Plan for future WLI increment.
  2.4.7 Continuous Monitoring
  3.6.5 Security Alerts and Advisories
  4.4.1 System and Communications Protection Policy and Procedures
Plan of Action: Install patches after Government acceptance of the current edition of the solution.
Status: Battelle will install these patches. Patches are deferred until following the Government acceptance test, per coordination with the ISSM.
Scheduled Completion Date: Following Government acceptance test. Deferment authorized by ISSM until February 1, 2006. Original target date: 01/19/2006

No. 5
Finding: Oracle FTP Server is available on TCP port 2100 on the database servers. FTP shall not be used to connect to or from any DHS computer.
  Reference: DHS 4300A 5.4.5.1f
Platform/Services: Platform
Addressed in SSP: Chapter 1.0 System Identification
  1.8.3 Ports, Protocols, & Services
  The SSP identifies known services intended in the design. Additional services were in the process of identification at the time of the ST&E.
Plan of Action: Turn off the FTP service.
Status: Future installation procedures will include turning this functionality off because it is not needed and not part of the requirements.
Scheduled Completion Date: 01/19/2006

No. 6
Finding: Ensure all test Java Server Pages (JSPs), etc., are disabled. If left on, the pages could allow unauthenticated users to gain privileges on the web application (Watch List ISE).
Platform/Services: Services
Addressed in SSP: Not addressed. The pages were installed to provide a means to demonstrate the capability and are not part of the design; thus they are not specified in the SSP.
  1.7.1 Design Objectives and Requirements provides some information on this subject.
Plan of Action: After the acceptance testing is completed, these clients and JSP pages will be removed from the server. They will no longer be needed.
Status: The JSP pages are only temporary, to facilitate the delivery of test clients. They provided the ability to maintain and push the test clients via HTTP to the test computers without knowing beforehand which computer systems would be used for testing. The code contained in the Java client applications will be integrated with the systems that will connect and communicate with the Watch List ISE.
Scheduled Completion Date: 04/20/2006

No. 7
Finding: Logging is not enabled in the TIBCO application. This finding is based upon examination of the TIBCO configuration files.
  Reference: DHS 4300A 5.3
Platform/Services: Platform
Addressed in SSP: 4.3.2 Auditable Events
Plan of Action: In the future, ensure that the TIBCO logging function is turned on. This logging function shall be monitored and maintained by the DHS ISE administrator.
Status: Currently the only logging in place is the transaction logs and the message logs that exist for traceability.
Scheduled Completion Date: 05/15/06

No. 8
Finding: The system has not implemented any data confidentiality mechanism. The methods of client/server communication that were demonstrated did not use any encryption. All data sent to/from the server was observed in the clear, including Watch List ISE updates and authentication strings.
Platform/Services: Services
Addressed in SSP: 1.6.9 Encryption/PKI
Plan of Action: Effort needed by Development to meet requirements and security policy.
Status: Awaiting identification of requirements in the next phase of the project that will provide additional data confidentiality protection criteria. This POA&M is initiated during a pilot to demonstrate the solution concept.
Scheduled Completion Date: 04/20/2006

No. 9
Finding: Watch List ISE clients may have the ability to post Watch List data to the Watch List ISE system without authentication. During testing and demonstration of web services, clients relayed messages to the Watch List ISE server with blank username and password fields. This finding would be rated HIGH if the system were processing operational data.
Platform/Services: Services
Addressed in SSP: Not addressed in the SSP
Plan of Action: Possible solutions include:
  (1) include the authentication of the message in the wrapper schema, or
  (2) complete the authentication before allowing connectivity to send and receive messages.
  Assessment of possible solutions will include SSL and use of PKI certificates through DIMC.
Status: Awaiting identification of requirements in the next phase of the project that will provide additional functionality and confidentiality protection criteria. The cleartext password was used with Web Service (WS/SOAP) transactions only. This is because we were unable to effect change in the source XML format, which is currently TWPDES 1.0+. The source file and the parent wrapper schema could not be affected without making changes to the XML files generated by the SNOW blower.
Scheduled Completion Date: 05/15/2006

No. 10
Finding: Apache Tomcat reports back its version number, which allows identification of services by a would-be attacker.
Platform/Services: Platform
Addressed in SSP: Chapter 1.0 System Identification
  1.8.3 Ports, Protocols, & Services
  The SSP identifies known services intended in the design. Additional services were in the process of identification at the time of the ST&E.
Plan of Action: Coordinate with TIBCO to ensure that upgrading to the latest version of TIBCO and installing the latest version of Apache does not damage proprietary settings put in place by TIBCO.
Status: Planned for execution in the next phase of the project. The version of Apache that is used is installed as a part of the TIBCO administrator installation. Changes will be orchestrated IAW the DHS ISE installation guide.
Scheduled Completion Date: 02/15/2006

No. 11
Finding: Open ports don't match the Watch List ISE System Security Plan. The following open (and undocumented) ports were observed on the application servers:
  • 22 TCP – Secure Shell
  • 111 UDP/TCP – Sun RPC
  • 7500 UDP/TCP – TIBCO
  • 7580 TCP – TIBCO
  • 7474 TCP – TIBCO
  • 8008 TCP – TIBCO
  • 8009 TCP – TIBCO
  • 8090 TCP – TIBCO
Platform/Services: Platform and Services
Addressed in SSP: Chapter 1.0 System Identification
  1.8.3 Ports, Protocols, & Services
  The SSP identifies known services intended in the design. Additional services were in the process of identification at the time of the ST&E.
Plan of Action: Coordinate with TIBCO to determine the need for these ports. We shall also test these ports internally to determine which are needed for proper operation. If they are not needed, we shall ensure that the SunOS administrator turns these ports off.
Status: Ongoing. Update of the System Security Plan will reflect identification of development needs.
Scheduled Completion Date: 03/01/2006

No. 12
Finding: Open ports don't match the Watch List ISE System Security Plan. The following open (and undocumented) ports were observed on the database servers:
  • 22 TCP – Secure Shell
  • 111 UDP/TCP – Sun RPC
Platform/Services: Platform
Addressed in SSP: Chapter 1.0 System Identification
  1.8.3 Ports, Protocols, & Services
  The SSP identifies known services intended in the design. Additional services were in the process of identification at the time of the ST&E.
Plan of Action: We shall test these ports internally to determine which are needed for proper operation. If they are not needed, we shall ensure that the SunOS administrator turns these ports off.
Status: Update of the System Security Plan will reflect identification of development needs.
Scheduled Completion Date: 03/01/2006

No. 13
Finding: RPCBIND and INETD services are running on the application and database servers. No services are configured for either RPCBIND or INETD. These services should be turned off.
Platform/Services: Platform
Addressed in SSP: Chapter 1.0 System Identification
  1.8.3 Ports, Protocols, & Services
  The SSP identifies known services intended in the design. Additional services were in the process of identification at the time of the ST&E.
Plan of Action: Effort needed by Development to meet requirements and security policy.
Status: Awaiting identification of requirements in the next phase of the project.
Scheduled Completion Date: 03/01/2006

No. 14
Finding: No separation of privilege. The Watch List ISE application server has only a root account. The Watch List ISE database server has only root and Oracle DBA accounts.
  Reference: DHS 4300A SSH 5.1a
Platform/Services: Platform
Addressed in SSP: Chapter 4.0 Technical Security Controls
  4.2.5 Separation of Duties / 4.2.6 Least Privilege
  4.1.2 User Identification and Authentication
  The current edition of the SSP, subsequent to the ST&E, includes a table of accounts planned for WLI.
Plan of Action: Effort needed by Development to meet requirements and security policy. Further identification of government functional requirements and guidance on solution needs is necessary. Design specifications developed with customer agencies' input.
Status: Awaiting identification of requirements in the next phase of the project.
Scheduled Completion Date: 03/15/2006

No. 15
Finding: No requirement for session lock or termination introduces the risk of unattended systems being accessed by unauthorized personnel.
  Reference: DHS 4300A SSH 5.2.1.1 & 5.2.2.1
Platform/Services: Platform and Services
Addressed in SSP: 4.2.11 Session Lock / 4.2.12 Session Termination
  Initial solution requirements did not identify session lock performance criteria. These services were in the process of identification at the time of the ST&E.
Plan of Action: Effort needed by Development to meet requirements and security policy. Add session termination and session lock features that support requirements.
Status: Effort needed by Development to meet requirements and security policy. Add session termination and session lock features that support requirements.
Scheduled Completion Date: 04/15/2006

No. 16
Finding: Operational Readiness Review
Platform/Services: Platform and Services
Addressed in SSP: DHS System Development Life Cycle
  1.1.1 Production and Deployment Reviews
  1.1.1.1 Operational Readiness Review and Approval
Plan of Action: Conduct ORR.
Status: In Planning
Scheduled Completion Date: TBD
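Findings 5, 11 and 12 above amount to one recurring check: reconcile the listeners actually present on a server against the ports the SSP (section 1.8.3) documents, and flag the FTP listener that DHS 4300A prohibits outright. The following is an added example of how that check could be automated; it is not part of this POA&M or of the WLI project's tooling, the per-role allow-lists are placeholders, and the Solaris-style `netstat -an` sample is constructed.

```python
"""Reconcile observed listeners against the ports the SSP (section 1.8.3) documents."""
import re

# Placeholder allow-lists standing in for the SSP's per-role port list
# (constructed values, not taken from the plan).
SSP_DOCUMENTED_PORTS = {
    "application": {("tcp", 8080)},  # hypothetical documented web-service listener
    "database": {("tcp", 1521)},     # hypothetical documented Oracle listener
}

# Listeners that must be disabled even if documented (finding 5: FTP shall
# not be used to or from any DHS computer, DHS 4300A 5.4.5.1f).
PROHIBITED = {("tcp", 2100): "Oracle FTP server; FTP is prohibited by DHS 4300A 5.4.5.1f"}

# Solaris netstat prints TCP listeners as "*.<port> ... LISTEN" and bound UDP
# sockets as "*.<port> ... Idle"; only the port and the state matter here.
_TCP_LISTEN = re.compile(r"^\s*\S+\.(\d+)\s+.*\bLISTEN\s*$")
_UDP_IDLE = re.compile(r"^\s*\S+\.(\d+)\s+Idle\s*$")


def parse_netstat(text):
    """Return the set of (proto, port) pairs that are listening or bound."""
    observed = set()
    for line in text.splitlines():
        if m := _TCP_LISTEN.match(line):
            observed.add(("tcp", int(m.group(1))))
        elif m := _UDP_IDLE.match(line):
            observed.add(("udp", int(m.group(1))))
    return observed


def reconcile(role, observed):
    """Split listeners into documented, undocumented (findings 11/12) and prohibited (finding 5)."""
    documented = SSP_DOCUMENTED_PORTS[role]
    banned = observed & set(PROHIBITED)
    return {
        "documented": sorted(observed & documented),
        "undocumented": sorted(observed - documented - banned),
        "prohibited": sorted((p, PROHIBITED[p]) for p in banned),
    }


# Constructed `netstat -an` sample: some of the application-server listeners from
# finding 11, the Oracle FTP listener from finding 5, and one established socket.
SAMPLE_NETSTAT = """\
UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.111                                Idle
      *.7500                               Idle
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.2100               *.*                0      0 49152      0 LISTEN
      *.7500               *.*                0      0 49152      0 LISTEN
      *.8009               *.*                0      0 49152      0 LISTEN
      *.8080               *.*                0      0 49152      0 LISTEN
10.0.0.5.8080        10.0.0.9.41022     49152      0 49152      0 ESTABLISHED
"""
```

Running `reconcile("application", parse_netstat(SAMPLE_NETSTAT))` on the sample reports only 8080/tcp as documented, lists 22, 111, 7500 and 8009 (plus the two UDP sockets) as undocumented, and calls out 2100/tcp as prohibited; the established socket on 8080 is ignored because it is not a listener.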

ST&E Recommendations in addition to Findings

Each recommendation is recorded with the columns of the ST&E recommendations table: No., Recommendation, Platform/Services, Addressed in SSP, Plan of Action, Status, and Scheduled Completion Date To Be Mitigated.

No. 1
Recommendation: The WLI Applications administration interface has not been built yet, but several technical controls are recommended:
  • Use of Transport Layer Security (TLS) (preferred) or Secure Sockets Layer (SSL) v3
  • Validate all data entered into input fields prior to processing
  • Implement strong authentication for administrator access
  • Utilize cryptographically strong session identifiers
  • Restrict access to the administrative interface to well-known, hardened systems
Platform/Services: Platform
Addressed in SSP:
  Bullet 1: 1.8.1 Web Protocols. The SSP states that no web protocols for the internet are used. These are different from the web services designed as send or receive connections. However, a web delivery capability was installed to provide a means to demonstrate the WLI capability. This service was discovered during the ST&E; hence the observation. This feature is otherwise undocumented.
  Bullets 2 and 4: 3.6.7 Software and Information Integrity; 3.6.9 Information Input Restrictions; 3.6.10 Information Accuracy, Completeness, and Validity; 3.6.11 Error Handling; 3.6.12 Information Output Handling and Retention. These areas were fully completed because there were no send and receive decisions made at the time of the SSP.
  Bullets 3 and 5: Chapter 4.0 Technical Security Controls; 4.2.5 Separation of Duties / 4.2.6 Least Privilege; 4.1.2 User Identification and Authentication. The current edition of the SSP, subsequent to the ST&E, includes a table of accounts planned for WLI.
Plan of Action: Assess implementation in the next development increment. Further identification of government functional requirements and guidance on solution needs is necessary. Design specifications developed with customer agencies' input.
Status: Not Started.
Scheduled Completion Date: TBD

No. 2
Recommendation: Issue server certificates to all WLI servers and clients. All messages should be signed using a FIPS 140-2 compliant cryptographic protocol. This ensures that all messages are received from a system that has an authorized certificate, that the message has not been altered since it was constructed and signed, and, because the authenticator is not sent across the wire, that an attacker would have no credentials to access the system.
Platform/Services: Platform
Addressed in SSP: 1.6.3 System
  1.6.9 Encryption and PKI
  4.1.7 Cryptographic Module Authentication
  4.4.1 System and Communications Protection Policy and Procedures
  No encryption is used in the Watch List ISE within the scope of the current SSP. Changes in design and operations characteristics may warrant incorporating encryption in the Watch List ISE when it is interconnected to other systems.
Plan of Action: Assess implementation in the next development increment. Further identification of government functional requirements and guidance on solution needs is necessary. Design specifications developed with customer agencies' input.
Status: Not Started.
Scheduled Completion Date: TBD

No. 3
Recommendation: Given the large number of ports available on the WLI servers and the relatively small number of systems connecting to these ports, a properly configured host-based firewall would provide defense in depth and mitigate exposure of the ports.
Platform/Services: Platform and Services
Addressed in SSP: 1.6.11 Network Configuration
  2.4.7 Continuous Monitoring
  3.4.3 Configuration Change Control
  3.4.7 Least Functionality
Plan of Action: Assess implementation in the next development increment.
Status: Not Started.
Scheduled Completion Date: TBD

No. 4
Recommendation: The systems are not running a host-based intrusion detection/prevention system. When the WLI system goes operational, proper monitoring with a HIDS/HIPS and a file integrity checker such as Tripwire is recommended.
Platform/Services: Platform
Addressed in SSP: 1.6.11 Network Configuration
  2.4.7 Continuous Monitoring
  3.4.3 Configuration Change Control
  3.4.7 Least Functionality
Plan of Action: Assess implementation in the next development increment.
Status: Not Started.
Scheduled Completion Date: TBD

No. 5
Recommendation: The WLI System Security Plan (SSP) declares in several sections that "The WLI Project does not have any authorized users"; however, during testing we observed the following roles which required access to the system:
  • System Administrator
  • Oracle Administrator
  • Test Data injector (Snowblower)
  • Test Clients (web service based)
  These roles should be identified and addressed in the WLI SSP.
Platform/Services: Platform and Services
Addressed in SSP: Chapter 4.0 Technical Security Controls
  4.2.5 Separation of Duties / 4.2.6 Least Privilege
  4.1.2 User Identification and Authentication
  The current edition of the SSP, subsequent to the ST&E, includes a table of accounts planned for WLI.
Plan of Action: Assess implementation in the next development increment.
Status: Not Started.
Scheduled Completion Date: TBD

No. 6
Recommendation: The WLI SSP (section 4.2.17) declares that there is no need for Remote Access, yet the systems were observed to support Secure Shell (SSH). Furthermore, administrators were observed accessing the system remotely using SSH. The SSP should be updated to reflect this access.
Platform/Services: Platform and Services
Addressed in SSP: 4.2.17 Remote Access.
Plan of Action: Assess implementation in the next development increment. Turn off this service.
Status: Not Started.
Scheduled Completion Date: TBD

No. 7
Recommendation: The WLI SSP (section 4.3.3) identifies that audit logs contain event date and time stamps; however, the systems are not synchronized to a national time standard (NIST/USNO). Consider synchronizing the systems to Ashburn Data Center network time services.
Platform/Services: Platform and Services
Addressed in SSP: Not addressed.
Plan of Action: Assess implementation in the next development increment. Include in development of the next increment.
Status: Not Started.
Scheduled Completion Date: TBD

No. 8
Recommendation: The WLI system passes XML messages. The XML parser implemented by the WLI system was not evaluated during this assessment and should be tested before the WLI system becomes operational. The following components and functions should be evaluated:
  • XML Schema Definition (XSD) or Document Type Definition (DTD)
  • XML parser and code that verifies incoming messages
Platform/Services: Services
Addressed in SSP: N/A. The system description and the requirements driving these characteristics will address this recommendation in the ST&E for the next iteration.
Plan of Action: Assess implementation in the next development increment. Include in the ST&E for the next increment.
Status: Not Started.
Scheduled Completion Date: TBD
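Finding 15 (session lock and termination, SSP 4.2.11 and 4.2.12) and bullet 4 of recommendation 1 (cryptographically strong session identifiers) describe session controls that the document defers to the next increment. The following is an added example of those controls for an administrative interface; it is not the project's own code, and the 15-minute idle lock and 8-hour absolute lifetime are assumed values, since the document states that session lock performance criteria have not yet been identified.

```python
"""Session controls for an administrative interface: strong session identifiers
(recommendation 1, bullet 4), idle session lock (SSP 4.2.11) and absolute
session termination (SSP 4.2.12) as called for by finding 15."""
import hmac
import secrets
import time

IDLE_LOCK_SECONDS = 15 * 60            # assumed: lock after 15 idle minutes
ABSOLUTE_LIFETIME_SECONDS = 8 * 3600   # assumed: terminate 8 hours after creation


class SessionStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so the timeouts can be tested
        self._sessions = {}   # token -> session record

    def create(self, user):
        # 32 bytes from the OS CSPRNG: identifiers are neither guessable nor sequential.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now,
                                 "last_seen": now, "locked": False}
        return token

    def _lookup(self, token):
        # Constant-time comparison so a rejected token leaks nothing about
        # how many leading bytes matched a valid one.
        for stored, rec in self._sessions.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return stored, rec
        return None, None

    def check(self, token):
        """Return 'active', 'locked' or 'terminated' for the presented token."""
        stored, rec = self._lookup(token)
        if rec is None:
            return "terminated"
        now = self._clock()
        if now - rec["created"] >= ABSOLUTE_LIFETIME_SECONDS:
            del self._sessions[stored]         # session termination (4.2.12)
            return "terminated"
        if now - rec["last_seen"] >= IDLE_LOCK_SECONDS:
            rec["locked"] = True               # session lock (4.2.11)
        if rec["locked"]:
            return "locked"
        rec["last_seen"] = now
        return "active"

    def unlock(self, token, reauthenticated):
        """Clear a lock only after the caller has re-authenticated the user."""
        stored, rec = self._lookup(token)
        if rec is None or not reauthenticated:
            return False
        rec["locked"] = False
        rec["last_seen"] = self._clock()
        return True

    def terminate(self, token):
        """Explicit logout: the identifier is invalid from now on."""
        stored, _ = self._lookup(token)
        if stored is not None:
            del self._sessions[stored]
```

A locked session stays locked until re-authentication succeeds, and an expired session is removed on first contact rather than merely reported, so a stale identifier cannot be revived.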
