Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mission-Critical: Security for Blackboard Learn, Secure Configuration and Application-level Monitoring

Mission-Critical: Security for Blackboard Learn, Secure Configuration and Application-level Monitoring

What's the big picture for Security Controls in Blackboard Learn within the Security Ecosystem? And how do the security topics in this conference fit into this picture? Stephanie Tan will highlight new and recently changed Security Controls in Blackboard Learn with live demos and software upgrade considerations, best practices for a secure Blackboard Learn configuration, and how to leverage new security logs for forensics and situational awareness. She will discuss how Blackboard Learn's Security Program has evolved since she first came to BbWorld in 2011. Walk away knowing how to fine-tune your Blackboard Learn platform, whether self-hosted or managed hosted, in order to protect it from security threats appropriate to your organization.

38de4fdaebea027b568e2ec5ee180d02?s=128

Stephanie

July 08, 2013
Tweet

Transcript

  1. Mission-Critical Stephanie Tan stephanie.tan@blackboard.com Director, Security Security for Blackboard Learn,

    Secure Configuration and Application-level Monitoring
  2. On the Agenda 1. Security Sessions @ BbWorld & DevCon

    2. How do I find more information about Security in Blackboard Learn? 3. New and Recently Changed Security Controls 4. Secure Configuration Checklist 5. Application-level Security Monitoring
  3. Security @ BbWorld & DevCon 2013 Part of a Security

    Ecosystem
  4. 3:45PM - 4:30 PM Murano 3201A 11:15 AM - 12:00

    PM Murano 3201A 10:00 AM - 10:45 AM Murano 3201A 1. The Security Mindset: Securing Social Media Integrations and Social Learning for Blackboard Learn Security @ BbWorld & DevCon 2013 Monday Tuesday 2. Mission Critical: Security for Blackboard Learn - New Security Controls, Secure Configuration and Application-level Monitoring 3. Going Outside the Application: Securing the Environment for Blackboard Learn 3:10 PM - 4:05 PM Venetian G 4. Security in Blackboard Learn: Product Security Roadmap and the Big Picture
  5. Later at BbWorld... Product Security Roadmap session slides will NOT

    be available since the session contains forward-looking statements Security in Blackboard Learn: Product Security Roadmap and the Big Picture Where: VENETIAN G When: Tuesday, July 9, 3:10 PM - 4:05 PM
  6. Previous Years 2011 • Blackboard Security Reference Architecture, Secure Configuration

    of Learn, Logging & Monitoring, & Vulnerability Management • Introduction to the Blackboard Learn Security Program 2012 • Troubleshooting Security Issues • Secure Building Block Development & Verification • Mission Critical: Secure Configuration of Blackboard Learn and Upcoming Changes to Blackboard Learn Security Controls • How to Turn on the Lights to Your Blackboard Learn Environment with Zabbix
  7. How do I find more information about Security in Blackboard

    Learn?
  8. Dedicated Security Team Public Policy: http://goo.gl/srUIM Report Vulnerabilities to LearnSecurity@blackboard.com

  9. Behind the Blackboard https://behind.blackboard.com Search "Security Advisory"

  10. Blackboard Help https://help.blackboard.com Release Notes Security Docs

  11. Secure Building Blocks http://goo.gl/ti4j6 At the DevCon Hack-a-thon: Using the

    Blackboard Learn Security API to prevent common types of vulnerabilities
  12. New and Recently Changed Security Controls

  13. Key Security Control Areas 1. Access Control (AC) 2. Identification

    and Authentication (IA) 3. Audit and Accountability (AA) 4. System and Communications Protection (SC) 5. System and Information Integrity (SI) • More information on existing controls are at: https://help.blackboard. com • Direct link to 9.1 SP12 Security Section: http://goo.gl/XsJnO
  14. 1. Access Control Recent Improvements 9.1 SP8 9.1 SP10 9.1

    SP12 Request Authenticity Verification Security API URL Signatures API for Inline Receipt Messages
  15. URL Signatures for Inline Receipt Messages • Released: 9.1 SP10

    • API improvement • Violations are logged to Central Security Log ReceiptOptions ro = new ReceiptOptions(); ro.addSuccessMessage("My message " + EscapeUtility.escapeForHTML(myUsername) + "" Succeeded"); // Escape since variable is not // intended to contain HTML InlineReceiptUtil.addReceiptToRequest(request, ro); Example Valid Use of API
  16. 1. Access Control Secure Configuration 1. Review default entitlements assigned

    to each system and course role 2. Anonymous Access - Four levels a. System Admin > Security > Gateway Options b. System Admin > Course Settings > Course Tools c. System Admin > Course Settings > Default Course Settings d. System Admin > Organization Settings > Default Organization Settings
  17. 2. Identification and Authentication Recent Improvements User Password Storage, 9.1

    SP12 • One-way Hashed AND Cryptographically Salted • Default Algorithm: salted SHA-512 from SHA-2 family Poll: PBKDF2? bcrypt? scrypt?
  18. {SSHA}HmacSHA512:SHA-512:3000: YHQ5mxGVxMwfsygj4WW1RVrAbciIVr7mGNcYiNq/zYTWASrUGEiGR87a2dRGLNc3PF4xnUxZPBe8 TOg6T7lx8A==: zMb2jM6WoXJdfhG4O9uSBmht8tUM2oW+FOwiawqAqw/tYZMuggdeEyeXROdVrc4gwJb9u+2PjtEwvs 5ikQWDPg== Algorithm Family Salting Algorithm Hash

    Algorithm # of Hash Iterations Hash Value User Password Storage On-login, user passwords will automatically migrate...
  19. {SSHA}HmacSHA512:SHA-512:3000: YHQ5mxGVxMwfsygj4WW1RVrAbciIVr7mGNcYiNq/zYTWASrUGEiGR87a2dRGLNc3PF4xnUxZPBe8 TOg6T7lx8A==: zMb2jM6WoXJdfhG4O9uSBmht8tUM2oW+FOwiawqAqw/tYZMuggdeEyeXROdVrc4gwJb9u+2PjtEwvs 5ikQWDPg== Algorithm Family Salting Algorithm Hash

    Algorithm # of Hash Iterations Hash Value User Password Storage On-login, user passwords will automatically migrate... timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9. 1.120113.0|evt_code=28|evt_name=user password storage migration|sev=0|cat=authentication|outcome=success|dhost=appsec-demo.pd.local|src_ip=10. 100.100.100|suid=13286|suser=securitystudent01|session_id=6|msg=User password storage hash migrated successfully.|http_useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22|act= |request=/webapps/login/ ....and generate a log entry
  20. 2. Identification and Authentication Secure Configuration 1. Secure User Password

    Migrations a. Verify successful password migrations - monitor user accounts that have not migrated, reset password b. Verify application administrator passwords migrated 2. Fully use third party authentication systems (e.g. LDAP, AD) a. The obvious: strong passwords b. Login Failure Throttling 3. Do not use shared accounts - no accountability! (*mitigation in next section) 4. Disable Persistent Cookies a. System Admin > Content Management > Technical Settings > Authentication Settings
  21. 3. Audit and Accountability Recent Improvements 9.1 SP8 9.1 SP10

    9.1 SP12 • Security Authentication Log • Standard Security Event Codes • Input Validation Filter Log • Standard Security Logging Framework and Central Security Log
  22. 3. Audit and Accountability Secure Configuration 1. Using a Load

    Balancer? a. Ensure Client IP Address appears in ALL LOGS - verify now! X-Forwarded-For 2. Proper log archiving a. How far back do you need to go? 3. Usage of Log Monitoring System (*next section) 4. Grade History a. Enable Grade History b. Do not allow Instructors/Assistants to change auditing status c. Do not allow Instructors/Assistants to clear grade history
  23. 4. System and Communications Protection Recent Improvements 9.1 SP8 9.1

    SP9 9.1 SP7HF1 SSL Choice/Hybrid Deprecated SSL Offloading Support • Forwarding Client IP • Logs++ • Session Fingerprinting++ Session Management Cookie HttpOnly and Secure Flags
  24. 4. System and Communications Protection Secure Configuration 1. SSL System-wide

    a. Tip: Mixed content warnings? Upload into Learn 2. Web Servers a. Ensure high strength ciphers (SSLv3, TLSv1) b. Minimum 2048-bit key SSL Certificate c. Apache: Quieter headers (OnServerSignature Off) SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA: +HIGH:!MEDIUM:!SSLv2
  25. 4. System and Communications Protection Secure Configuration 3. Reduce Session

    Timeout a. Default is up to four hours b. Modify the "bb.session.invalidation" task in BB_HOME/config/bb-tasks.xml 4. Enable Session Fingerprinting a. Enable AND Create new session when fingerprint changes b. Note: Bb Mobile users should not enable this setting
  26. 5. System and Information Integrity Recent Improvements 9.1 SP12 9.1

    SP10 Alternate Domain for Serving Content Security API from OWASP ESAPI Input Validation Filter B2 and Log Student Safe HTML for the Content Editor
  27. HTML Sanitizer • For places that allow HTML • Visual

    Text Box Editor (VTBE) in Blogs, Discussion Boards • HTML file uploads • Replaces the previous HTML sanitizer • Uses Open Web Application Security Project's AntiSamy API. • New API ensures user-supplied HTML/CSS is in compliance within an application's rules. Related Threats Elevation of Privilege from script injection into the browser Student Safe HTML for the Content Editor
  28. YOU can control what HTML tags and attributes students may

    enter Student Safe HTML for the Content Editor
  29. Student Safe HTML for the Content Editor

  30. You could…for example… • Allow <iframe> safely by restricting it

    to approved locations • Restrict embedded media to come from approved sources (e.g. Youtube, slideshare, etc) Student Safe HTML for the Content Editor
  31. YOU can test it out too, with feedback loop No

    more mysterious <script> -> <xxxx> <script>alert('uh oh')</script> <b>hello, my name is slim shady</b> <b>hello, my name is slim shady</b> Student Safe HTML for the Content Editor
  32. 5. System and Information Integrity Secure Configuration 1. Configure Alternate

    Domain for Serving Content a. Not a default setting because it requires certificates 2. Tailor Safe HTML Policy to your needs 3. Review usage of "Add/edit trusted content with scripts" privilege 4. Whitelist Allowed File and MIME types a. Current model: “allow.all=true” b. Switch to: "deny.all=true" c. BB_HOME/config/internal/bb-file-filter-configuration. properties
  33. Security Logs

  34. Standardized Security Logs • Standardized Log Format - pipe-delimited key/value

    pairs • Standardized Event Codes • Field Verbosity - 21+ log fields (e.g. date/time to the millisecond, user ID, event code, origin of the request, destination of the request, outcome of the event, etc) • Accountability - user IDs, source IP Address, and browser user agent Log Log Location Authentication Log bb-authentication-log.txt Input Validation Filter Log bb-input-validation-filter-log.txt Central Security Events Log bb-security-validation-log.txt
  35. Standard Event Codes (as of SP12) http://goo.gl/GLIZ2 Event Code Definition

    Available Beginning in 0 Login 9.1 SP8 1 Invalid Username 9.1 SP8 2 Invalid Password 9.1 SP8 3 Logout 9.1 SP8 4 Session Expiration 9.1 SP8 5 Error 9.1 SP8 6 Info 9.1 SP8 28 User Password Migration 9.1 SP12 Authentication Events Even t Cod e Definition Available Beginning in 13 Invalid or Missing Cross-site Request Forgery Nonce Detected 9.1 SP12 14 Invalid URL Redirection Detected 9.1 SP12 17 Invalid Resource Link in Course Package 9.1 SP12 18 Input Validation Filter B2 Configuration File Updated 9.1 SP8 19 Input Validation Filter B2 Rule Violation Detected and Logged 9.1 SP8 20 Input Validation Filter B2 Rule Violation Detected and HTML Escaped 9.1 SP8 21 Input Validation Filter B2 Rule Violation Detected and Safe HTML Filtered 9.1 SP8 22 Input Validation Filter B2 Rule Violation Detected and Exception Thrown 9.1 SP8 23 Security Library OWASP ESAPI B2 Not Available but is called 9.1 SP10 24 Inline Receipt Message Signature Validation Failure Detected and Exception Thrown 9.1 SP12 26 Invalid Input Detected 9.1 SP12 Application Sensors System Security Config Changes Event Code Definition Available Beginning in 18 Input Validation Filter B2 Configuration File Updated 9.1 SP8 23 Security Library OWASP ESAPI B2 Not Available but is called 9.1 SP10
  36. Verbose Logs http://goo.gl/R2jbl timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9. 1.120113.0|evt_code=14|evt_name=url redirection

    violated|sev=6|cat=input validation|outcome=failure|dhost=appsec- targ07|src_ip=10.100.100.100 |suid=_1_1|suser=administrator|session_id=1095|ms g=Invalid url in request and exception thrown. May an indicator of attempts to perform arbitrary redirects to malicious websites. |http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537. 22|act=exception|request=/webapps/portal/execute/ tabs/tabManageModules|requestparam=|requestval=ht tp://www.blackboard.com 21+ Fields • Event time (to the millisecond) with time zone • Event codes • Event names • Destination host • Source IP • User PK ID • Username • User agent • Affected URL • Affected parameter
  37. App Server Log Agent Logs Log Management Server App Server

    Log Agent Logs App Server Log Agent Logs
  38. Example Log Agent with Splunk Universal Forwarder Sample Configuration •

    Bb Learn Central Security • Bb Learn Authentication Logs • Bb Learn Input Validation Filter Logs • Bb Learn Services Logs • Apache Web Server logs • Apache Tomcat logs • Apache Web Server + User PK ID logs Demo http://goo.gl/0DcOh Instructions http://goo.gl/5eQe7
  39. Did anyone use one of the shared accounts we can't

    get rid of?
  40. How long are most users on for? Reduce session time-out

    window Who are my top users? Is everyone following Change Management?
  41. Curious students?

  42. Loose anonymous user settings? Who is online, right now?

  43. Security @ Blackboard

  44. Security @ Blackboard Security Training • Online training, in-person workshops

    • Secure Coding Cheatsheets for Developers Security Engineering • Product Security Roadmap Security Testing • Third Party Security Testing • Targeted Security Assessments for new features • Nightly Static Analysis using Sonar, FindBugs, PMD, AppScan • Nightly Dynamic Analysis using AppScan and Burp
  45. Security @ Blackboard OWASP Top Ten Vulnerability Types Vulnerability Category

    Prevention Methods Detection Methods 1. Injection • PreparedStatements (Secure Code training) • Nightly Static Analysis Scans • Targeted Security Assessments 2. Cross-site Scripting (XSS) • Security API - OWASP ESAPI • Safe HTML • Roadmap: Secure Input Policy Framework • Nightly Dynamic Analysis Scans • Nightly Static Analysis Scans • Targeted Security Assessments • Roadmap: QA-driven Security Scans using AppScan and Burp 3. Broken Authentication and Session Management • httpOnly and Secure flags on session management cookies • 3rd party integrations are tied with Bb session controls
  46. Security @ Blackboard OWASP Top Ten Vulnerability Types Vulnerability Category

    Prevention Methods Detection Methods 4. Insecure Direct Object References • Secure Code training • Targeted Security Assessments 5. Failure to Restrict URL Access Access to unauthorized area • Secure Code training • Targeted Security Assessments 6. Cross-site Request Forgery • Request Authenticity Framework (default-secure) • Targeted Security Assessments • Nightly Static Analysis Scans 7. Security Misconfiguration • Secure Design training • Targeted Security Assessments 8. Unvalidated Redirects and Forwards • Secure Code training • Targeted Security Assessments • Roadmap: QA-driven Security Scans using AppScan and Burp
  47. Security @ Blackboard OWASP Top Ten Vulnerability Types Vulnerability Category

    Prevention Methods Detection Methods 9. Insecure Cryptographic Storage • User Password Storage in salted SHA-512 • Roadmap: Secrets Management API and Key Management, roll-out to System Passwords • Targeted Security Assessments 10. Insufficient Transport Layer Protection • Default high-strength ciphers in bundled Apache 1.3 configuration • Roadmap: Remove SSL Choice option (deprecation announced) • Regular infrastructure scans
  48. Tangible Results Track record in delivering security controls/features that enable

    customers to harden systems, forensically discover information, and proactively monitor Release 9.1 Service Pack 8 • Apache 1.3 Death - You can now run Apache 2.x • Security Log Standardized – Authentication Log • SSL Offloading Support -> Forwarding Client IP -> Logs++ -> Session Fingerprinting++ Release 9.1 Service Pack 10 • Fraudulent Request Protection by default • Safer File Rendering - Rendering Files from an Alternate Domain • Student Safe HTML Building Block • Input Validation Filter Building Block + Security Log Release 9.1 Service Pack 12 • Secure User Password Storage • Security Events Framework and Log
  49. Thank You Stephanie Tan stephanie.tan@blackboard.com Director, Security