Museum Status
To help provide the most relevant information, I have split this into two parts: first a brief status report on each application, followed by background information on the current roadblocks we are facing and the path to resolution.
Sites that are only experiencing mixed content / HTTPS errors can be accessed by bypassing the browser's built-in mixed-content blocking in Google Chrome. A video demonstration can be seen here: https://www.youtube.com/watch?v=0abAq0BBUks
Note that this workaround only suppresses the browser's blocking: the affected resources are still loaded over plain HTTP, so it should be used only from a trusted network and only until HTTPS support is in place.
For the two issue types listed most often (CORS and HTTPS), we are waiting for OCIO to assist in resolving them.
Current System Status
DEA – Awaiting resolution of CORS to validate backend stability. Also requires HTTPS support before public usage. May have backend issues, but we will not be able to verify this until the frontend of the system is functional.
HOL (and variants) – Experiencing HTTPS issues, see above video for how to bypass.
HNS – Experiencing HTTPS issues, see above video for how to bypass.
vSysLab – Experiencing HTTPS issues, see above video for how to bypass.
OSUC DB Mgr – Experiencing HTTPS issues and CORS issues.
BLB – Awaiting HTTPS and CORS for public access.
Specimage – Awaiting CORS for public access.
Background and current progress
I would first like to say that the database is online and fully functional, and all data contained within is restored and secure.
While restoring the administrative applications we encountered several critical security flaws. We had to halt progress to resolve them and work with David Sweasey of Risk Management and Governance to put exceptions in place that allow us to document and minimize the risk.
The security issues were already present within the database; however, it is only now that they have come to the surface. As we [ASC Technology Services Application Development Team] are now maintaining and developing the database systems and related applications, we are mandated to adhere to professional industry-standard best practices to ensure the security and functionality of the systems we maintain. While we have been progressively working on improving a variety of areas behind the scenes over the last two months, the remaining issues that sites are experiencing are outlined below.
The first issue, currently experienced by all applications, is adding full support for HTTPS (Hypertext Transfer Protocol over Transport Layer Security). HTTPS encrypts traffic between the user's browser and the server and lets the browser verify the identity of the server it is talking to, which protects against attacks including:
- Packet sniffing (reading credentials, session cookies or data off the network)
- Sidejacking and session hijacking (stealing a session cookie sent over plain HTTP)
- Man-in-the-middle attacks, including those carried out from a compromised router or hostile network
- Content injection / manipulation (scripts, ads or altered data inserted into pages in transit)
Modern TLS configurations also provide forward secrecy, so recorded traffic cannot be decrypted later even if the server's private key is obtained. The "mixed content" errors listed in the status section are a direct consequence of moving to HTTPS: once a page is served over HTTPS, browsers block scripts, stylesheets and API calls that the page still requests over plain http://, because each such request would reopen the page to exactly the attacks above. Images and media requested over http:// are allowed but flagged with a warning.
We are mandated by our security offices to have all operations follow an HTTPS-Only standard configuration, and you can read more about why this is important and details of the benefits at the following information sites: https://https.cio.gov/everything/ https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https https://en.wikipedia.org/wiki/HTTPS
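As an added illustration (this is example code, not part of the original status report or of any of the applications it describes), the following Node.js script finds the plain-http:// references in a page that trigger the mixed content errors described above, and classifies each as "active" (blocked by the browser) or "passive" (warned about). The HTML is a constructed sample and the hostnames are placeholders.

```javascript
// Added example, not code from the original report or the applications it
// describes: find the references that make a page "mixed content" once it is
// served over HTTPS. Browsers block active mixed content (scripts, stylesheets,
// iframes, fetch/XHR targets) outright and only warn about passive content
// (images, media). Hostnames below are placeholders. Run with: node mixed.js

const ACTIVE_TAGS = new Set(["script", "link", "iframe", "object", "embed"]);
const PASSIVE_TAGS = new Set(["img", "audio", "video", "source"]);

// <tag ... src="..."> or href="..." (the attribute must be preceded by whitespace,
// so data-src= and similar do not match).
const ATTR_RE = /<(\w+)\b[^>]*?\s(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
// Inline <script> bodies, in which hard-coded "http://..." API URLs are the
// usual cause of blocked fetch()/XMLHttpRequest calls.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const HTTP_LITERAL_RE = /["'`](http:\/\/[^"'`\s]+)/g;

function findMixedContent(html, pageOrigin = "https://museum.example.test") {
  const findings = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const tag = m[1].toLowerCase();
    // <a href> is navigation, not a subresource, so it is not mixed content.
    if (!ACTIVE_TAGS.has(tag) && !PASSIVE_TAGS.has(tag)) continue;
    let url;
    try { url = new URL(m[2], pageOrigin); } catch { continue; }
    // https:, data:, blob: and relative URLs (resolved against the HTTPS page) are fine.
    if (url.protocol !== "http:") continue;
    findings.push({ tag, url: url.href, kind: ACTIVE_TAGS.has(tag) ? "active" : "passive" });
  }
  for (const s of html.matchAll(SCRIPT_RE)) {
    for (const lit of s[1].matchAll(HTTP_LITERAL_RE)) {
      findings.push({ tag: "script-literal", url: lit[1], kind: "active" });
    }
  }
  return findings;
}

// True when the browser would block something (page broken, not merely warned about).
function hasBlockingMixedContent(html) {
  return findMixedContent(html).some((f) => f.kind === "active");
}

// Constructed sample page for illustration.
const SAMPLE_PAGE = `
<html><head>
  <link rel="stylesheet" href="http://cdn.example.test/app.css">
  <script src="https://cdn.example.test/app.js"></script>
</head><body>
  <img src="http://static.example.test/logo.png">
  <img src="/images/local.png">
  <a href="http://museum.example.test/about">About</a>
  <script>
    fetch("http://api.example.test/specimens").then((r) => r.json());
  </script>
</body></html>`;

for (const f of findMixedContent(SAMPLE_PAGE)) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
}
```

Against the sample it reports the stylesheet and the hard-coded API URL as active (these are what break a page) and the logo as passive; the https:// script, the relative image and the plain link are ignored. Running it over each application's templates is a quick way to find every reference that has to change before the bypass in the status section is no longer needed.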
Several applications are also currently experiencing issues with CORS (Cross-Origin Resource Sharing). By default, browsers enforce the same-origin policy: a page loaded from one origin (scheme, host and port) may not read responses from a different origin. This is what stops an arbitrary website a user happens to visit from silently calling our administrative APIs with that user's logged-in session and reading the results. CORS is the standard by which a server relaxes that policy for specific, trusted origins using Access-Control-* response headers. The CORS errors the applications show mean the frontend is now served from one origin while the backend API still lives on another that does not return the headers allowing it, so the browser refuses to hand the response to the page. The fix is for the backend to send an explicit allowlist of our own frontend origins; reflecting any origin, or using a wildcard together with credentials, would remove the protection altogether. This is related to, but distinct from, Cross-Site Scripting (XSS), a class of attacks in which malicious script is injected into a page and runs in the user's browser with that page's privileges, with goals ranging from session hijacking to privilege escalation. XSS has placed highly on the OWASP Top 10 list of web application security risks in every edition since the first one in 2003. More information regarding the OWASP project can be found here: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
An outline of the most recent 2017 OWASP Top 10 report (in which XSS is A7 and Broken Authentication is A2) can be seen at:
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
A brief overview of the risks that a misconfigured CORS policy introduces is given here: https://mobilejazz.com/blog/which-security-risks-do-cors-imply/
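As an added illustration (example code, not part of the original status report or of the applications it describes), the following Node.js functions decide which CORS headers an API should return when its frontend is served from a different origin. The insecure "reflect whatever Origin was sent" variant is the typical quick fix for CORS errors and is shown only for contrast. The origins are placeholders.

```javascript
// Added example, not code from the original report or the applications it
// describes: computing CORS response headers for an API whose frontend lives
// on a different origin. Origins are placeholders. Request header names are
// lowercase, as Node's req.headers provides them.

// Frontend origins allowed to call this API with the user's session cookie.
const ALLOWED_ORIGINS = new Set(["https://museum.example.test"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];

// INSECURE, shown for contrast: echoing whatever Origin the browser sent while
// also allowing credentials lets any site the user visits while logged in read
// authenticated API responses. This is what a "quick fix" for CORS errors often does.
function corsHeadersReflectAll(reqHeaders) {
  return {
    "Access-Control-Allow-Origin": reqHeaders.origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened version: only allowlisted origins get Access-Control headers at all.
// Everything else gets none, so the browser's same-origin policy applies unchanged.
function corsHeaders(reqHeaders, method) {
  const origin = reqHeaders.origin;
  // No Origin header: same-origin page or non-browser client, nothing to add.
  // "null" (sandboxed iframes, file://, some redirects) is never trusted.
  if (!origin || origin === "null" || !ALLOWED_ORIGINS.has(origin)) {
    return { Vary: "Origin" };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin, // exact allowlisted value, never "*" with credentials
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // shared caches must not serve one origin's answer to another
  };
  if (method === "OPTIONS" && reqHeaders["access-control-request-method"]) {
    // Preflight for a non-simple request: state what the real request may use.
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Same hostile request through both variants (constructed input).
const hostile = { origin: "https://attacker.example.test" };
console.log("insecure:", corsHeadersReflectAll(hostile));
console.log("hardened:", corsHeaders(hostile, "GET"));
```

In an http.createServer handler, call corsHeaders(req.headers, req.method), write the result with res.writeHead (204 followed by res.end() for the preflight), and keep the allowlist to the exact scheme, host and port of the deployed frontends. Changing the allowlist, not the logic, is what makes the same backend serve the HTTPS frontend once the migration is complete.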
In addition, we are working to resolve issues related to Broken Authentication, which would allow a malicious actor to impersonate an authorized user and gain access to an administrative system. This issue is primarily present within the OSUC DB Manager application.
The OSUC Manager application is currently one of our highest priorities and we are approaching the problem with a multi-pronged methodology, utilizing resources from a variety of college and university departments to bring it back online as quickly as possible. In addition to the ASC Technology Services Application Development Team, we are also receiving support from the OCIO Database Administrative Team to resolve the remaining HTTPS and CORS vulnerabilities, and from the ASC Director of IT Risk Management and Governance, David Sweasey, to put IT Acknowledged Risk exceptions in place until the backend infrastructure can be rebuilt, creating a permanent resolution to the potential attack vectors.
Over the last two months we have also addressed a number of other security areas, including network and firewall configuration, system configuration hardening, SELinux, VPN-based access control, data retention policies, Veeam backups, and other industry-standard measures.
If you would like to further discuss any security related aspects of any MBD Applications that we are migrating to ASC Technology Services Infrastructure and the estimated timelines for full functionality to be restored for these projects, I would be happy to schedule a meeting with you to discuss this further.