eAuditor V9 AI
System security
Check,
How many security features affecting user safety are in place with the eAuditor V9 AI system
Vulnerability tests
Considering the very wide application of the eAuditor system in all sectors of the economy and the possible high impact of the system’s operation on the IT infrastructure, system security tests were conducted. The tests will be repeated in the future and apply to all BTC product lines.
Security in IT infrastructure management systems is a crucial element due to the potential for these systems to interfere with IT infrastructure.
Scope of safety tests
The scope of the tests included security verification of the eAuditor V9 AI system:
- Threat Modeling,
- Penetration testing of web applications and REST APIs,
- Thick client (agent) application security testing.
Components tested:
- Web application “eAuditor”,
- Agent,
- REST APIs used by agents.
A total of 126 vulnerability tests were conducted as part of the tests. Where vulnerabilities occurred, they were analyzed and removed.
Threat modeling
Threat modeling is a process in which potential threats have been identified, classified and prioritized.
Penetration testing of web applications and REST APIs
Penetration testing is a basic security assessment process that allows assessing the technical level of security of networks and services, as a whole. In addition to the technical aspect of security, properly executed penetration tests can also illustrate the effectiveness of processes within an organization – for example, answer the question of whether the implemented process for updating systems is working properly and is effective, and illustrate the effectiveness of an organization’s response to IT incidents. Penetration tests are designed to assess the IT environment for known as well as unknown (“0day”) vulnerabilities that compromise the security of the information processed by the organization.
The OWASP ASVS (Application Security Verification Standard) was used in the process of testing web applications.
The OWASP ASVS (Application Security Verification Standard) defines best practices for testing applications and protection mechanisms of web applications. The use of the OWASP ASVS standard on allowed, among other things. for verification of the following types of vulnerabilities:
- “Injection” attacks – e.g. SQL injection, XML injection, code injection, command injection,
- Manage authentication and authorization,
- Cross-Site Scripting (XSS) attacks – Reflected, Stored, DOM-based,
- Dangerous direct references to objects located on servers,
- Configuration errors that directly affect security,
- Availability of sensitive data without authentication/authorization,
- Protection of the transmission channel (configuration of SSL/TLS, or other protocols used),
- The ability to bypass authentication, or vulnerability to “Local/Remote File Inclusion” attacks,
- Cross-Site Request Forgery,
- Vulnerability of system components (e.g., errors in the web server, or running modules),
- “Open Redirection.
In addition, checks collected within the OWASP REST Security Chear Sheet available at:
https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
Thick client application evaluation
The thick-client application security tests were designed to assess the application’s security for known as well as unknown (“0-day”) vulnerabilities that compromise the security of the information processed with it.
The following aspects were evaluated:
- Publicly known vulnerabilities in software and libraries used,
- Business logic of the application,
- Solution architecture,
- Security of data stored on the station with the client installed – for example, encryption keys, credentials, sensitive information and others,
- How to communicate with the server – including ensuring proper authentication of clients and authorization of operations,
- Security of communication with the server – ensuring confidentiality and integrity of transmitted data,
- Vulnerabilities of heap and stack overflows – “Stack Overflow”/”Heap Overflow”,
- Vulnerabilities related to incorrect estimation of the range of values of accepted variables (“Integer Overflow”),
- Incorrect passing of arguments to functions that operate on strings (“Format String”),
- Errors due to type incompatibility (“Type Confusion”),
- Security of processes/application resources – e.g., credentials in process memory, process permissions, security of used resources (shared memory, “pipes”, or other IPC mechanisms), or permissions to used files,
- Vulnerability to DLL hijacking attacks,
- Permissions for services (“services”) of the application,
- Proper use of cryptography within the application.
Examination of the source code
No source code study was conducted.
Tools used
The analysis of this type of software included. The following tools:
- IDA Professional and Hex-Rays Decompiler – disassembling and decompiling code to thoroughly understand application functionality, or reviewing applications for programming errors,
- Burp Suite Professional – as a tool for analyzing HTTP/HTTPS traffic when this type of communication is used by an application,
- Wireshark – to analyze network traffic,
- WinDbg – a debugger for the Windows platform – control the application during testing, as well as control the used memory/objects during detailed analysis,
- GDB – a debugger for the Linux platform – controls the application during testing, as well as controls the memory/objects used during detailed analysis,
- Tools to control access to system files/objects – e.g.. Process Monitor (Windows Sysinternals tool).
Vulnerability classification
Common Vulnerability Scoring System (CVSS).
The pentester team relied on the Common Vulnerability Scoring System (CVSS) to accurately assess the risk posed by the detected vulnerability. This results in the ability to accurately reflect the risk of an identified vulnerability numerically, along with showing the result in the form of a descriptive representation (risk – low, medium, high, critical).
The base score consists of the following:
- Attack Vector (Attack Vector/AV) – reflects the context in which the vulnerability can be exploited:
- Network (Network/N) – the vulnerable element is related to the network stack/vulnerability can be exploited remotely,
- Adjacent/A – the attack must be launched from the same shared physical network (e.g., Bluetooth/IEEE 802.11), logical network (e.g., local IP subnet) or a specially restricted administrative domain,
- Local (Local/L) – an attack that can be carried out locally, e.g. with commands issued locally on a keyboard, or remotely with an authenticated SSH session,
- Physical (Physical/P) – the attack requires the attacker to directly (physically) interact with the device,
- Attack Complexity/AC – describes conditions beyond the attacker’s control that are necessary to exploit the vulnerability:
- Low (Low/L) – the attacker can expect repeated success when exploiting a vulnerable element,
- High (High/H) – a successful attack depends on conditions beyond the attacker’s control, such as the need to bypass advanced security mechanisms before exploiting the vulnerability itself.
- Privileges Required/PR – shows the level of privileges an attacker must have to exploit the vulnerability:
- None (None/N) – the attack can be carried out without authentication,
- Low (Low/L) – basic permissions are required to exploit the vulnerability, which normally only affects a specific user’s settings and data,
- High (High/H) – the attack requires permissions that provide significant (e.g., administrative) control over the vulnerable component, allowing access to settings and files throughout the component.
- Required User Interaction/UI – takes into account the requirements for human (e.g., application user) interaction in the process of carrying out an attack:
- None (None/N) – the attack can be carried out without interaction from the victim,
- Required (Required/R) – the success of the attack depends on a specific interaction of the victim.
- Scope (Scope/S) – determines whether the vulnerable part of the system affects other additional elements beyond its security scope:
- Unchanged/U – the exploited vulnerability can only affect resources managed by the same security authority,
- Changed (Changed/C) – the exploited vulnerability may affect resources beyond the scope of security managed by the security authority for the vulnerable element.
- Confidentiality/C – determines the impact of successful exploitation of vulnerabilities on the confidentiality of processed data:
- None (None/N) – there is no loss of confidentiality within the vulnerable element,
- Low (Low/L) – there is some loss of confidentiality, but disclosure of information does not cause direct, serious loss to the affected element,
- High (High/H) – there is a complete loss of confidentiality, as a result of which all resources within the affected component may be disclosed,
- Integrity (Integrity/I) – determines the impact of successful exploitation of vulnerabilities on the integrity of processed data:
- None (None/N) – there is no loss of system integrity,
- Low (Low/L) – modification of data by an attacker is possible to a limited extent,
- High (High/H) – there is a complete loss of system integrity.
- Availability (Availability/A) – shows the impact on the availability of the attacked element due to a successfully exploited vulnerability:
- None (None/N) – has no effect on accessibility within the affected element,
- Low (Low/L) – performance is limited or there are interruptions in resource availability,
- High (High/H) – there is a complete loss of accessibility to the attacked resource.
Implementing entity
The entity implementing the security tests was an entity independent of BTC Sp. Ltd. holding, among other things. The following certifications:
- OSCE (Offensive Security Certified Expert),
- OSCP (Offensive Security Certified Professional),
- CSSA (Certified SCADA Security Architect),
- CISSP (Certified Information Systems Security Professional),
- CISA (Certified Information Systems Auditor).
Enhance security - implement two-factor authentication.
Two-factor authentication
Two-factor authentication in eAuditor enables additional security of user credentials during the login process. This results in the introduction of an additional authentication layer referred to as ePass. As a result, in addition to the standard way of logging in (providing the access element of login and password), which confirms user credentials through the system for local accounts or AD DS/LDAP for domain accounts, physical hardware security authentication is required.
How is the configuration of key authentication done?
Key authentication is configured by default and uses HTTP (unencrypted data transfer for the Internet).
In addition, the configuration of encrypted HTTPS communication is required for two-factor authentication.
Technical support
As part of the implementation, IT administrators receive full support in generating the certificate and configuring Apache Tomcat 8.5 or later.
Increase security by implementing tokens
Two-step verification with security key
The system allows the use of hardware-based security for two-step authentication and authorization of user accounts.
Hardware security allows additional protection of the system against unauthorized access.
How to use two-factor authentication
The default system configuration uses the HTTP protocol (data transmission is not encrypted).
In order to use two-factor authentication, it is required to configure encrypted communication – HTTPS.
Creating a free certificate
In the absence of a commercial certificate, it is possible to generate a free version.
To generate a free certificate you need to:
- Run CMD (as administrator),
- Navigate to the “bin” directory in the location where the runtime environment (JVM) was installed e.g.: C:³³³³ Program FilesJavajre1.8.0_91³.
- Execute the following command in CMD: keytool.exe -genkey -alias tomcat -keyalg RSA -validity 3650 -keystore C:tomcat.jks
- Enter all the required parameters (name, password, etc.),
- After generating the certificate, go to Windows services and disable the service responsible for apache tomcat,
- After stopping the service, navigate to the apache tomcat directory > RODO > CONF
- Then open the file “server.xml”
- Remove the following connector in the file:
connectionTimeout="20000" redirectPort="8443" />
- Then add a new connector:
clientAuth="false" sslProtocol="TLS" keystoreFile="C:tomcat.jks" keystorePass="WPROWADZONEHASŁO" connectionTimeout="20000" redirectPort="8443" />
- After the configuration changes, start the Apache Tomcat service
Apache Tomcat 8.5 configuration – ePass
In order to use two-factor authentication, additional configuration of Apache Tomcat is required.
Configuration should be changed in the server.xml file (similar to the point above)
maxThreads="300" SSLEnabled="true" acceptCount="300" maxPostSize="-1">
myCA2.crt is a certificate used to sign and verify client certificates.
Generate the myCA2.crt certificate using openssl with the following commands:
openssl genrsa -des3 -out myCA2.key 4096
Console configuration
The system allows you to specify which users are to use two-factor authentication. Configuration is done in the window responsible for modifying/adding a new user.
NAME CERT. – certificate name (CN field). Fill in in case you want to assign a certificate that was not created for this login.
REQUIRED CERT. – if checked, only a certificate can be logged on to this user.
USB Token – Token Specifications
Supported operating systems
- 32bit and 64bit Windows XP SP3, Server2003 , Vista, Server2008, 7
- 32bit and 64bit Linux
- MAC OS X
- Software ‘middleware’
- Microsoft Windows MiniDriver
- Windows middleware for Windows CSP
- PKCS#11 library for Windows, Linux, MAC
Standards
- X.509 v3 certificate store, SSL v3, IPSec, ISO 7816 1-4 8 9 12, CCID
Cryptographic functions
- Generation of a key pair (inside the key)
- Electronic signature AND signature verification (inside the key)
- Data encryption and decryption (inside the key)
- Cryptographic algorithms
- RSA 512/1024/RSA 2048 bit
- ECDSA 192/256 bit (*)
- DES/3DES
- AES 128/192/256 bit
- SHA-1 / SHA-256
(*) Key available in 2 variants to choose from:
- Cryptography APIs: Microsoft Crypto API (CAPI), Cryptography API: Next Generation (CNG)
2) Microsoft Smart Card MiniDrive: PKCS#11, PC/SC
Processor
- 16 bit smart card chip (Common Criteria EAL 5+ certified)
Memory
- 64KB (EEPROM)
Persistence of memory
- At least 500,000 write/read cycles
- More than 10 years
Connecting
- USB 2.0, Type A connector
Energy consumption
- Less than 250mW
Operating temperature
- 0 to +70 degrees
Storage temperature
- -20 to +85 degrees
Moisture
- 0% to 100% non-condensing
Enhance authentication security by email confirmation
Two-step verification with email
The system allows you to set up a two-factor login to the administration console.
The code is generated each time for each user covered by two-factor login. The two-factor login can be assigned to all or only to specific users of the system.
In order to assign a user the duty of two-step login, you should:
- Go to Settings view > Administrators.
- Then select the user to whom the two-factor login mode will be set.
- Click the icon marked with the gear symbol (modify).
- Check the option for TWO-TAP LOGIN WITH MAIL CODE.
Approve the changes with the OK button.
Two-Factor Logging (2FA)
To modify the two-factor login policy, you need to:
- Go to the administrator settings view.
- Click the screw icon on the right at the top of the view table.
- Click Login Settings.
- Check the possibility of two-factor login.
- Click Details.
- Set up logging:
- Validity of the code [minuty] – how long after sending the code is valid.
- time between emails [sekundy] – how much time must elapse before another email can be sent.
- Subject – email subject with code.
- Content – the content of the email with the code.
Be sure to set up an SMTP server so that the system can send code notifications.
Utilize basic system configuration options to enhance security
Secure configuration of the eAuditor system
Client-server connection (eAuditor, HV DLP)
Communication is done using TLS 1.3.
eServer and eAgent have SSL certificates (4096 bit).
Application configuration
Configuration of the application is possible by editing the config.properties file
Defining AD DS addresses
Acceptable server addresses that can be used for import from AD.
Setting [] will disable the ability to import from AD.
props.activedirectory.allowedservers = ["172.16.115.17"]
Defining the path to the backup
Acceptable paths to backup.
Setting [] will disable the ability to perform backups.
props.dbbackup.allowedpaths = ["c:/btc/backup-db/ehelpdesk*"]
Defining the path to import data
Setting [] will disable the ability to import data from a file.
props.imports.allowedpaths = ["c:/btc/import/*"]
Defining the path to save reports
Setting [] will disable the ability to save reports.
props.reportssend.allowedpaths = ["c:/btc/reports/*"]
Defining a server for data import
Setting [] will disable the ability to import data from a file.
props.imports.allowedservers = ["127.0.0.1","172.16.115.251"]
Acceptable servers in the “Host” header.
props.headerhost.allowedservers = ["172.16.115.251:8543","dbr-hvdlpdev:8543"]
Acceptable servers under the header “Origin”
Acceptable SMTP servers.
Setting [] will disable the ability to send emails.
props.headeroriginhost.allowedservers = ["172.16.115.251:8543","dbr-hvdlpdev:8543"]
props.smtp.allowedservers = ["127.0.0.1"]