I think we can start. Can you hear me here? That's good. Okay, so welcome to the security session. It's always quite hard to be the last session of the day, and it looks like there are not that many people as with the public dashboards, so we don't need to switch the room, so we are quite comfortable with that, yeah. Thanks to the previous session on public dashboards, which spent a lot of time on security, so we probably will skip some slides here, or at least they will complement the topic. Today we have four different presentations, one from me and three from our external speakers and guests, and all the topics are super interesting, so I was very excited to see them together. This is the first time we have a dedicated security track at the DHIS2 conference, so welcome to the session. This one is about the DHIS2 security features, and I realized that although we know them quite well, we never had them listed together anywhere, so the session is an attempt to bring all the security features together, try to explain them or remind you about them, and attract some attention to what we are working on. So it's a kind of mix of what we already have from the product perspective and also what we are working on as a security team, and it might be quite useful just to remind ourselves what we have, and maybe it will trigger a discussion on what we don't have. And the last practical announcement: today and tomorrow, after all the sessions, I will be present in the experts' lounge and can answer any of the security questions you have. If we have any questions during this session, please ask at the end, and we'll have more time in the evening after all the presentations are done.
So let's start with the security features. The first one is access control. It's a trivial one, it's core functionality of DHIS2, it can be configured everywhere, and it's essential: users can belong to groups and have role assignments which define what users can do, their permissions. Every group can represent, like, admins, division users, field workers or whoever, and it's a way to segregate them across different regions and types of responsibilities, and every role within the group can define fine-grained authorities for the user. In addition to that, users can have restrictions based on the analytical dimensions and on what can be exported to reports. This is, as I mentioned, the core functionality, and as in many products, role management is quite a complicated task. So what we're working on is trying to create automated reports on roles and group assignments to ensure that role control, or access control, is done properly. The next one is LDAP authentication. There is quite a lot of confusion between LDAP and single sign-on. It's also core functionality, and in fact LDAP authentication helps to resolve two problems. The first one is keeping a centralized directory of users, which comes from Active Directory, Azure AD, OpenLDAP or any other compatible service, and the second is that it provides basic authentication with a password that is stored in the external LDAP directory. This is core functionality that can be configured anywhere, and it has been supported from the very first versions. However, with the development of the technology, we don't recommend relying on LDAP solely; we recommend using single sign-on or any of the other solutions which are presented separately.
In addition to LDAP, we have multi-factor authentication, and during the recent months, surprisingly, I got quite a lot of questions about whether we have it in the product, so we emphasize this: yes, we do have multi-factor authentication. It has been available since version 2.30, and you can use either Google Authenticator or any other compatible application for modern smartphones, or even for feature phones that run on the J2ME platform for legacy phones. The only requirement is to keep time synchronization in place, which is relatively easy on devices connected to cellular networks. So it is not only for modern phones; you can use it on low-end devices in emerging markets. Then we have single sign-on, which has been available for quite a long time. It supports OpenID Connect, and it can be integrated with various platforms. We have several tutorials on how to do that: Okta, Keycloak, Google Workspace, Microsoft SSO. It can be used with multiple services quite widely, and we encourage users to test and report what is not working, but at the same time it's the preferred way to do centralized and secure authentication. In case you use single sign-on, multi-factor authentication is delegated to the authentication provider, or indeed the identity provider. Then we have personal access tokens. We have used them for quite a while, and we even had a security vulnerability recently in the personal access tokens implementation, but the vulnerability is now fixed and the feature is generally available. So we discussed it in relation to the dashboards: once you implement authentication, it is important to keep the credential secure, and a personal access token is one of the ways to avoid storing user passwords in authentication scenarios, especially avoiding basic authentication when using API calls and other techniques that help you to use the non-interactive features of the product.
Then user impersonation. This is a new feature, and we would strongly ask you to test it and provide feedback on that. We have documentation on how to use it in the DHIS2 documentation, but in short it's the ability to run features and interact with the system on the hook. We would like to inform you that we definitely recommend having database backups everywhere, and there are official tools, or as part of the tools that we recommend, that can help you to back up your Postgres instances. And the very new addition to that, for those who use our security feature stack, is called virtual patching. We started applying virtual patches to, or recommending virtual patches for, the configurations that run behind reverse proxies. So if your DHIS2 instance sits behind an nginx proxy, and there is a known vulnerability or set of vulnerabilities that can be potentially harmful to the system, we issue from time to time security patches that can be applied and tested on the test environments, and otherwise you can apply them in production. It is a small piece of nginx configuration that is a regex rule or some kind of workaround that blocks or alters insecure requests or potentially malicious requests, and using these patches you can mitigate the vulnerability, or temporarily mitigate the vulnerability, by applying this patch before you prepare to upgrade the DHIS2 version to the next secure release. This is an experimental feature. It is not always available, and not all types of vulnerabilities can be fixed that way. But we think that it is a good addition to the whole stack, and we experiment quite a lot with virtual patching, and it is quite easy to apply and test. So this is kind of an important addition to our security program. Then a couple of updates on what we've been working on. So let's start with the reference setup.
So the first problem that we generally have with testing security is that all installations of DHIS2 are unique, and most implementers use different operating system platforms, releases, different support styles, methods, tools and whatever, and it is quite hard for us to recommend a universal or kind of general way of ensuring the security of the systems. So that's why we came up with the idea of the reference setup, which is a dedicated installation, or the preferred way of configuring the system, where we test new security features, where we test protection, and where we suggest everyone perform public penetration testing of our instances. So this is the dedicated setup using the recommended components, and all the setup is done in public, so you can download the configuration files and you can use any security tools to test it, or advise your penetration testers or third-party consultants to make a penetration test of this instance, and we have the same approach internally. So once we release a new version, we continuously test it using this kind of setup, and you can probably compare what we have set up using any of the inventory that will also be presented today by another speaker, and using this tooling you can check how different your setup is from the ideal security configuration that we have. We also started working actively with the community, and we launched the security hall of fame where we give credit to the researchers who submitted vulnerabilities or important security updates to the DHIS2 product. So this is one more way of interacting, and we are going to promote a crowdsourcing approach to security and encourage more people to look for vulnerabilities in DHIS2, because security is a joint effort for everyone. That's it from my side. If you have any questions, please ask; we have a couple of minutes, and after that, if you'd like, we can talk after the meeting. Thank you.

Hello everyone.
I'm Blessings Kamanga from the Malawi Ministry of Health, together with my colleague. My name is Brett Onyans, also from the Ministry of Health in Malawi. Yeah, so we'll be presenting on strengthening information security in the DHIS2 implementation in Malawi. In the presentation we'll talk about the Malawi HHS architecture as well as a bit of the DHIS2 implementation, then we'll talk a bit about information security, and finally we'll talk about the strategy that we have put in place to ensure that we have strengthened our DHIS2 implementation. To give a background: we started implementing DHIS2 in the year 2000, and during that time it was just DHIS version 1. Then in 2013 we started implementing the web-based version, and at that time it was just collecting the routine aggregate data on health and service delivery. But later, in 2019, we developed the One Health surveillance platform, and it is this platform that we used during the COVID-19 pandemic to ensure that we captured the surveillance data as well as the vaccination data, and it is the same platform that we used to have data that would help in responding to the cholera outbreak in Malawi. And then in 2021, I think yesterday we had a good presentation on the integrated community health information system, so we have that system. In terms of data capturing, the lowest level is the community level, and then we also have data being collected at the facility level, and it gets aggregated as we go up. Now, with all those systems, you would notice that at each level we have different systems being used; for example, I talked of the iCHIS at the community level, and as we go up we have all those other systems, so at the bottom level we are collecting more individual-level data and then it gets aggregated up the levels.
So with that, it calls for security: you have to ensure that not everyone is just accessing the individual-level data, and we need to ensure that only those who are supposed to access that data are indeed accessing it. Now, to ensure that all those systems are also talking to each other, we implemented the interoperability layer based on the Open Health Information Exchange framework, so at the bottom we have the individual-level data collection systems, then we have the interoperability layer in the middle, and then we have the business domain services and the registry services that ensure that interoperability. Now, when we come to information security, most of the time people think of information security as just having a username and a password, but it goes beyond that. For example, there are some areas that are neglected; if we follow the medical terms, we would look at the other aspects as maybe the neglected tropical diseases. So we have some other areas that are neglected: for example, it goes beyond the username and the password, it goes beyond ensuring only that the systems are available, and also the data that is in that system doesn't just get modified anyhow. So it's only when we understand the cost that comes with information security... those are some of the examples where information security came at the expense of several pounds. Now, in order to strengthen information security, we have to do more, so there are several things that we have to do, and these range from political will to having legislation. For example, in America we have the Health Insurance Portability and Accountability Act, HIPAA, and in the EU region we have the General Data Protection Regulation, which regulates how individual-level information can be shared.
So we have to put in measures that would ensure that we strengthen our system, so I'll call upon my colleague Brett just to highlight what measures we are putting in place, or are planning to put in place, in Malawi to ensure that we strengthen our DHIS2 implementation.

Okay, thank you very much, Blessings. So, to go off of that, I'll be going over what measures we'll be putting in place in order to strengthen our information security. Going forward we'll actually have a completely separate department, I could say, inside the digital health division, specifically focusing on security and privacy. As Blessings stated earlier, a lot of what's initially thought of as security is just a username and password, but, you know, trying to educate people and trying to make sure that not only is it a username and password, it's not just password one two three, and making sure all of that is enforced as well. So, as you see in this diagram here, there'll be specifically three government staff and technical support, in total six people, who are helping drive this security, this drive for better security. As well, we'll be applying the ISO 27001 standard. We've gone as far as having had trainings; how many individuals was it again? I think it was three... four. Four individuals we had trained for the standard, and of course, as has been iterated so many times throughout, this policy is really, really important, because ultimately not every environment is the same, and ultimately the ISO standard provides standards, but we also need to address certain key challenges we encounter in Malawi as well: continuous monitoring, evaluating security risks, and continuing to improve the information security within the country. It's not a "we do it and it's done"; it's just an ongoing process, and the policy helps ensure that. Continuing to educate and train people also ensures that, because some people don't even understand the importance
of security. You'd think that just having password one two three is bad; you find people even go as far as sending admin privileges over WhatsApp, or just having it in a simple text file. So we also have to educate and train people to understand that having the security is important, and have people actually accountable for the things that happen within their profiles. We're dealing with some very sensitive information; we don't want any of that to leak, because ultimately, for these systems to work, people have to have faith, so this provides the framework for trust in our systems. I believe that's all. Anything else?

Yeah, so I would like to thank the partners listed on the board for the support that they provide to the ministry, as well as for funding our office as we've been working. So thank you very much. We'll take questions now.

Yes, I'm not sure you can hear me. Can you hear me? Yes? Okay, great. Yeah, thank you for this presentation. I wanted to ask a question actually on the slide on the organization where you have the privacy and security group. I think that's really great to see, and also it's not just one person, right? You're talking about six people, so you're able to actually do some real work on privacy and security, which is really good. I was wondering, is this just within the Ministry of Health? Is there also a broader privacy and security organization that you're working with, or are there other ministries that have their own departments, or is it exclusively in the Ministry of Health for now?

I can say, as far as this diagram here, it's just the Ministry of Health. I can't really say that there are any other dedicated privacy and security divisions within the greater, you know, government. Of course we have the regulations by MACRA; there's telecommunications
and other, and the ICT, so that's what MACRA was also responsible for, setting the policies for that. So there is some crossover there, but as far as this goes, in terms of dedicated staff, it's just within the Ministry of Health.

Got it, thank you.

I also have a question. Besides, just to hear: how did you decide to implement an ISMS? What was the key driver for that, or how did you start? Because it's not a trivial choice; people, as I just mentioned, sometimes think about securing passwords, maybe doing some backups, installing antivirus, but taking on this kind of challenge, which is quite advanced, is very adorable. So how did it start for you?

Do you want to finish? I started... you started. So I can say, I guess the first problem is scale, because we could say that it was kind of handled across many different people, myself included, Blessings as well, and our infrastructure and IT team. But as we've grown, and as the system has gotten more complex, the push for this is because we've seen that it's kind of difficult, just, you know, juggling two hats, and as complex and as complicated as security is, it was just decided that it needs to be its own section; it needs its own department.

Yeah, so just to add: it's because now we are moving towards collecting the individual-level data, so there are more and more systems that would be collecting it. So with that, we thought of at least having something in place; as the saying goes, provision is better than... if you don't end up with specials whereby we are spending some money having lawsuits and the like. So that's why we took that direction.

Yeah, I had a couple of questions more, but we'll take it first. Thanks. So I guess the first question that I had was in relation to Tracker, and I think it's not just to this team, but I'm wondering what people do in terms of securing data, let's say, within the same
organization. So let's say you've been given private data, and of course people, you know, we all signed some sort of confidentiality agreements, but then maybe people work from multiple organizations and access the same data at the right time. How are you looking into securing that sort of data, in terms of, not just yes of course people can access it, but also avoiding people modifying other people's records? So that's maybe on the Tracker side. And I think this is a follow-on, or still in this same specific area: so I know that the audit button, it's a little... on the Tracker, exists inside Tracker, that you can be able to audit historical changes on DHIS2, but what I'm wondering is if it's just consistently working for everybody else.

Yeah, thank you very much for that question. So indeed many people from different organizations do have access to this data, but then what we have in place is some sort of procedures: for example, if someone is accessing the data, you have to indicate why that person is accessing that data, and then also you have to indicate for how long that data is being accessed, and also, in terms of the system privileges and rights, you have to ensure that we give that person the right privileges, so it could be maybe only a specific stage within the Tracker program, and also the right... and then reviewing the system now and again. As my colleague indicated, we have some logs and the like, so it's always important to review those logs now and again, because you can detect some of the other things and the like.

Well, just a little bit of an addition to what Blessings has said: you know, earlier in my career I thought the technology was the hard part; ironically, the technology is the easy part. The difficult part is the people. So of course we can have the policies and procedures in place, but generally your biggest threat to your system is always the
people on the inside. So you just have to keep an eye on everything; of course, you know, you don't want to be completely over their shoulder, but you want to at least, like you said, have the auditing and logging. So generally that's where the biggest challenge comes from.

I have one more follow-up question. So you mentioned that the reason for implementing the ISMS was the scale, and just to give a bit more of an estimate: I see on the slide how many people you have, but what about just some approximate number, how many servers or laptops, or how many devices or assets you have, just to understand the scale?

Jeez, like 5000, I'm thinking, because we also have to take the laptops; there's the servers, there's the tablets, there's people using mobile phones, so I could throw it at like, yeah, it's normally three to five thousand, something like that.

And it doesn't make sense... because of this scale it's important, yeah. Any other questions from the audience? Because I have one more. Yeah, you mentioned that you thought that technology would be difficult, but then it turned out to be about people, right? From a technical perspective, putting people aside, or maybe also including them, but a bit more specifically: what was the most difficult part on the way to implementing the ISMS? What's currently the most difficult to handle while becoming compliant?

Yeah, so as Brett said, people are the difficult part. So we noted that, for example, when people are asking for access they would ask for open-ended access, so "I just need a username and password", but then maybe they were project-based; the project is done, they don't even release that access, they go. So if we don't keep an eye on that, you notice that with time you have a lot of users that are not even supposed to access the system, but because you don't have a system in place that would be there to say, okay, you get access
for how long? Don't access... two months. Two months is gone, maybe you revoke that access, and the like. But also, it's not just about that, but also within the offices sometimes, because there can be... that can lead to some social security breaches and the like, like how you put up the passwords; for example, you're in the office, then you know you have a lot of passwords, you take a sticker, write it down. You know, much as the office has the keys, but it's two more... there's something that you have to be responsible for. So there are all those factors that I consider. Thank you.

Any other questions?

How long did it take you to achieve your accreditation? How long did it take you to move through your period of accreditation?

Okay, so what we did: we sent some officers to the British Standards Institute, just to go through the ISO 27001 in terms of how to implement it, what needs to be implemented. So they were at BSI for one week, and then from there there were some action points which were drawn up to say, moving forward, this is what is going to happen. But then it's like a cycle, so there'll be like status and then continuous improvements, having the meetings, assessing the risks, and going on like that. Yeah.

Okay, just a second. Thank you. So thank you for your presentation. Maybe I missed it, but my question is on student data security. So how do you ensure that... security issues at maybe community level, or at facility level, where you then collect data? I know you're going to give tablets to your data collectors, so how do you ensure that it is secure, where anything is that stuff?

Let's say the first straightforward answer is that it's called the principle of least privilege: only give people access to, like, as Blessings has stated, only give people access to what they need for a set period of time, and just make sure you're monitoring how that information is accessed. Security is not perfect;
there's no 100 percent secure system. You can just try your best to mitigate and try to see the best ways to at least know what's happening, because the worst thing that could happen is a data leak and you have no idea what's going on, and, you know, tomorrow you just find a front-page story: lots of personal information being published. So I could say the simplest one is least privilege: just make sure you only give access to people for... in terms of the credentials, make sure that the policies are in place so that credentials are secure in terms of the passwords, only give the access... you don't give someone full access into the system, you only give them exactly what they need, and just keep an eye on what they're doing.

Yeah, so just to add: at community level, normally the healthcare workers are given the tablets, so with the tablets it means there's the component of the username and the password, and then apart from that, because once you have logged in it means you're always logged in, there's also that advocacy to ensure that they put an extra password or even a fingerprint, to ensure that only the person who is allowed to access the tablet does that. And then, because not everyone may have a tablet, there are some who opt to use their own gadgets, which of course is not highly recommended, but we're in a situation... how do we do? So we also encourage that those that are using their own personal gadgets also have to ensure that they follow suit, in terms of ensuring that they put the username, they put the password, as well as, if it allows, putting the fingerprint. And then the other component is in terms of when replacing the gadgets: so, you know, sometimes you are excited, you have new gadgets, and then you forget even to log out on the other gadgets. So whenever gadgets are being distributed, there has to be a procedure to say, okay, you are
getting a new tablet; where's the old one? Clear out everything, if there was anything, and that it is synced, and then log in with the new account, and then it continues. Thank you.

Just to add again: as stated, the difficult one is managing people. Well, you'll keep hearing that until you get tired of hearing us say it, but pretty much to encompass everything Blessings has said, mostly it's strong policies and procedures, and ensuring those policies and procedures are enforced. That's because the technology can only do so much, but if you make sure that you have strong policies in place, you review those policies, and you make sure those policies are enforced, that usually, more or less, at the end of the day, is what's going on. Okay.

The last question, please, because we have the... I noticed that passwords... some places require you to change them relatively frequently, some require a certain strength, others are very weak, and even... so I don't know whether you have any policies on that, because the strength is... some very sophisticated places?

Yeah, yeah, so for the passwords, because mostly they're using DHIS2 to capture, the password policy and the like is inherited from the mother instance of the DHIS2, so normally it's that. But in terms of the password for accessing, for logging into the actual device, that one, sort of control-wise, everyone is allowed to put his or her own password, but they probably say it's only the one which is implemented on the DHIS2 side.

The one you're referring to, like the PIN to actually open the tablet there?

Yes, yeah, like the PIN to get into the device. There's no real policy for getting into the device; it's only inside of the actual DHIS2. But there's still the password also, because the other issue we have to take into account is why people always put password one two three: because we kind of
forget. So there has to be that balance of being very secure, but also you have to remember that these people need to be able to remember the passwords that they enter into the system.

And we have one question on Zoom, the very, very last one; let's do that before moving to the next presentation.

Okay, thank you for giving me the floor. I am from Togo, and I see at the top of the chat, on the presentation, "ISMS implementation strategy"; I see at the top of the chat "Ministry of Health". I want to know more about this implementation: whether the Ministry of Health can get data also from the ISMS, or is it only an implementation to send data? I want to know more about it.

Okay, so the information security management system, it's not there to keep the... like giving the data that can be used to access; it's like a system that is strengthening the implementation of another system to ensure that it's secure. So, as it was highlighted in the steps, there are things that you have to put in place, and then within that there are also some other documents that you have to provide; so for example, assessing the social security risks, measuring the impact those would have, and then identifying the controls that you want to put in place. So all that is like a system that is not there just to maybe provide access to some data from that system directly, but it's there just to ensure that it aids the implementation of the other system. I hope your question is responded to.

Okay, thank you so much for your patience and for the question, and we have the next presentation now, online. Hi Bobo Car, can you unmute and share the screen?

Hello, hello. Hello everyone, can you hear me?

Yes, we can. Yes, we can. And can you share the presentation as well?

Okay, can you see my screen?

Yes, we can. Great, go ahead.

Good afternoon everyone, and currently in the annual conference. My name, I'm
Bobo, a software security engineer. I also currently work with the Gambia Ministry of Health. So I'll be doing a presentation, and the goal of this presentation is mostly to introduce the community to a tool that I've developed that could help DHIS2 implementers conduct security assessments in an automated fashion, so automating the DHIS2 security assessment. So a brief background: it's my security background, it's a brief one. I've been in security since 2011, back in high school days, when you would go around trying to break into Wi-Fi networks that were using WEP encryption, for fun though. I have also been engaged in higher security research back in 2014 to 2017; before I joined the Ministry of Health I was part of a community that was involved in finding exploits, jailbreaks, iOS jailbreaks, iCloud security as well. I've also helped the Gambia security... the Gambia Police Force also uncover or unmask a cyber criminal operation; some criminals were engaging in robberies, high-level target robberies, worth millions of dalasi. I was able to leverage my security skills, specifically OSINT, open source intelligence, to find the culprits and help the police do their job. Also a Certified Ethical Hacker, the EC-Council certification, and also the MicroMasters cybersecurity micro-credential offered by the Rochester Institute of Technology. That's my brief security background. So we'll be talking about the following points. First is what is compliance, because before we talk about security assessment, I think we should also at least talk about compliance. Security assessment, or security, and compliance work hand in hand, so we can't be doing regular security assessments and just let go and forget about compliance; it's part of it, closely related. Compliance and security are intertwined. The second is why you should start automating your security
assessments and the next one would be the resources that we could use um especially in the issues to implementations um these are benchmarks and other things that we could use to have um in our security assessments and the last one would be a demo on the tool i built to help automate the hs to security assessments so what is compliance and why should the hs to implement us um care about it compliance is simpler put is the action of fact of applying with one or more regulations um it ensures our organizations are in line with a set of regulatory frameworks and standards specific to our industry example for the gdpr general data the heaper the u.s health insurance portability accountability act the pc id ss payment card industry data security standard the iso 27001 and the next framework also uh why should the hs to implement us really care about compliance um staying compliance as we all know especially in cracker implementations and ensures um alignment with the respective regulatory standards and and best practices standards like gdpr gdpr people um depending on what industry we're we're in mostly healthcare people would come into play and if we're dealing with um european citizen data gdpr also most likely we would have to be compliant with gdpr compliance is a critical pill in securing the hs implementations that handle personally identifiable information pia so long as we are handling these sensitive data um it's very important that we are compliant at least i'm compliant to one of those regulations or following or leveraging um to the best of of our abilities or one of the frameworks that could help us comply um to to the respective regulations um non-compliance can also lead to huge financial penalties and reputation damage the last thing we want to have is a data bridge and and also the last thing we want is to be non-compliant and you know not following the best practices and having to pay huge sum uh word millions of dollars in some cases compliance and 
security assessments are intertwined why um solely relying on compliance without a basis on security assessments gives us a a sense of security like um you can't be compliant without doing your regular security assessments as your penetration tests the internal security assessments or external hiring an external firm to do um your regular security assessments for you to make sure um audio security your security lapses are identified and they prove upon so um they both work hand in hand we conduct security assessments to identify and and address the lapses in our security control controls in order to achieve compliance so we conduct security assessments and make sure we pass all the checks or at least you know go by one of the frameworks recommended frameworks and to make sure our security controls are following the best practices and also compliant to whichever regulation or standard we we are following why you should start automating your security assessments um why you should automate all security checks that can be automated security assessments um as we know can be overwhelming um so automation or sort of time automate the checks that are that can be automated um it's the best way to go because you can you could have like hundreds of checks that you're supposed to do that you're supposed to run on the system processes here business processes and they're different processes so automate as much as you can what can be automated the rest um there's some processes that can't be automated like business processes um that has to do with policies internal IT policies and other things yeah but anything that can be automated should be automated to save time and then resources manually running running checks is our error prone which can be devastating in production environments as we all know what's the time when you're doing an integration test or security assessment just have been following a checklist maybe have your organization has a dedicated checklist or that that 
you use regularly to run on your systems to make sure um those security controls are in place um so this time you don't want to do this manually um manually on your in your production systems because yeah as you all know something may go wrong you may run a check and misconfigure something or which your whole system down production system in that case automated checks can be run by non-security experts without the need to hire or pay for external services if resources are scarce especially in most issues implementations in Africa you all know sometimes resources can be a little scarce and so having a tool that that will help your sys admins even if they don't have a background in security to just run a script and follow some best practices and see if their security controls are in place or following the best practices really helps so we should automate as much as we can with our security assessments anything that can be automated so resources these are some of the resources we could use dhs2 back in 2020 2021 used to have a checklist um an excel checklist that has a list of security assessments that i believe most countries we're using um the countries that regularly do security assessments on their dhs2 instances um to use and as reference to make sure all those checks or their security controls are aligned with that checklist so there's also post-graph scroll um cis benchmark sender for information security and the open skype also has an ubuntu benchmark why ubuntu because most dhs2 implementations are deployed um and ubuntu so there's another cis benchmark also uh or definitely ubuntu ubuntu distributions 20 or 4 22 or 4 um and last on the dhs2 security tools that we built to help automate um the tool actually references the dhs2 security checklists um and automate all the the checks that that can be automated which we would be digging into which we would take a look at so demo before we dig into the tool by there any questions if not we can just dig into the 
tool and just the dhs2 security tool do you have any questions so far okay okay we can proceed so um first off i would like to just have a brief one two two um it's a it's built using leveraging ansible and also um it has a set of scripts um that uh ansible task um that runs and um as you can see this it has a guss file so this serves as a playbook an ansible playbook that went executed um because it's into these sub tasks directories and running check um so all these checks as you can see um in the task directory um there's a db application ap dg and then also a vulnerable check also and and all these checks uh reference from the we're taking from the dhs2 security assessment checklist so what i did is to kind of write scripts that automate which i never check um so you wouldn't have to because typically um you would have to run some of these scripts um manually on any system on the systems you will be doing assessments on and which as i mentioned earlier can be error-prone so um having doing it in an automated and tested way that shows us that you know the scripts are not gonna make any changes on intended changes or modifier configurations which could be yeah so the oos level has all the checks they do check ssh um configuration security configurations make sure they are all configured the right way the permissions and and other things and the database level also checks for encryption and some other and in many other security checks that's encryption of your backups so um i would just show the security assessment checklist now so uh this is the this is what the checklist looks like um it's provided by the dhs2 security team um although it's not the most up-to-date security checklist assessment checklist and and i'm sure um there's a better one so it gives anyone any implementation uh any partner if you want to conduct a security assessment reference in this checklist um you can reach out to michael the dhs2 security team i have to be able to provide a more 
up-to-date one so you can see all these checks um colored in yellow um are all automated in the dhs2 security tools so the other checks um some some of them can't be automated and these are like these are processes like it's an incident response line and then having an it policy and making sure your end users use a secure browser that is that processes that has to be that have to be implemented and or enforced internally in your organizations so um what i would do the last um thing is to just um do a demo a quick demo on the tool have to run it have to clone it from the github proposal you have it on your dhs2 server that you want to conduct the security assessment on and run it is a very straightforward thing to do so i would just hop onto the github repository so to use the tool all we need to do is to just clone it from the github repository and the link is in the resources um on the slides so you can get it from there so i would just clone it and hop onto a live server where i would run it on so currently it has these features it has a security audit rule which is complete it's also going to have a security patch rule where which helps to patch every security hole that the audit may detect and also in the future um an incident response for so that could help respond to incidents in an automated way so i would just uh as i said into the live i can solve a bit bigger problem just okay yeah that's fine yeah so this is a live server um currently using the um not the dhs2 box as bob says it's time to run in the recommended way of deploying dhs2 instances which is the containerized way um using lxc Linux containers um you can see um you have a continuous here the hmi as proxy let's say internet and money money and the database so all we need to do is to just clone yeah you also you have to make sure also you have git installed on yourself if you can clone so just clone the repository i'm currently in my home directory so yeah it's there dhs2 security tools i just see 
the internet and if i list um i'll see the script so all i need to do now is to just run the script should be run with set of privileges as well and that's it um within a few seconds runs those checks all those automated checks and gives you the summary here if there is if there are any checks that failed as you can see here it's looking for the goss binary um goss is a goal binary that's does the same thing as server spec for those of you that know server spec those checking server configurations so the reason i used it is that it's very fast it's light and fast like so you just um if it was answerable alone um it could have taken us a few minutes to just run all those checks but it goss does it in a few seconds so that's why i chose it in the tool so as you can see um all this assessment started and there's some security some some important security configurations of mistening the system 20 out of 45 tests failed please check report in the directory or temp directory that's where the report is located and we it gives us a summary also of the checks of all the checks that are failed um as you can see this the security assessment id is a id mean security assessment following the DHS to security assessment checklist so there's an or s or a or s level check um or then it checks if um only limited services required cells that are exposed to the internet that's you only have required services no extra service like let's say um some other parts that you're not using exposed to the internet you know having talent you know and other services that really can pose security issues to your system so actually the server has some services that are not supposed to be running that i'm not using so that's why it's detected that and also it checks for host base security monitoring whether there any security monitoring running tool also um deployed or being utilized as we all know um security monitoring and alerting this key in in making sure our systems are secure because without 
monitoring and then what's going on into our system in our systems it's very difficult to respond or or fix holes if there any um it also checks whether or s level encryption is also addressed is also implemented currently it's not implemented on this DHS to server so it detected that um if database backup files have the correct permissions database backup files um there's a certain permission that they should have nothing beyond 600 so it shouldn't be wall readable or writeable um and there should be a secure way to save to store them and make sure they have the right permissions um also it checks for network base security monitoring and alerting tool yeah network base and host base so there should be a network base and host base security monitoring and alerting tool as for the DHS and security assessment checkers also checks if um SSL rating is at least a at least your SSL certificate has configurations at least that that's a or a a plus for at least a which is not the case here so that's why it detected it so availability of resources monitoring tools as well the database backups are encrypted offside backups also are taken and regular automated backups are also taken which is not the case so it's given me all the failed test summaries so you can quickly just view our report here from this directory it saves it here and from here this gives us a comprehensive report of um the security assessment just one we just so you can see all the tests that are passed and filled to see here successful if it is true it means it's successful if it is if it is false that it means it failed as you can see this one is a failed test it was checking for disk encryption it it's it's filled so this is goss specific this the goss form form app is in json so there are ways you can convert this to html and also apply some more defensive things like gradient and other things so at the very bottom you have the summary here the field count not the total duration the number of seconds or 
milliseconds it took you can see it took only 1.6 seconds it could have taken a lot longer if we were using just um raw scripts or uh or Ansible directly so yeah that's it um to get this we can just we can just extract this you can use scp whatever fdp tool scp is recommended because it's more secure just extract this from the server and save it locally or share with um with your partners or your team and and I can it yeah that's all thank you any questions thank you for the presentation and yeah and we are a bit out of time but if you have any quick questions uh let's ask just a second um yes thank you so much for okay thank you so much for the presentation um I was just wondering um and I and I believe this this might be true but I'm just wondering if uh with the scripts that you have for checking uh yeah with checking the systems does it mean that it's only uh customized or would work mainly for people who are using a specific setup maybe setting it up with bob's tools or is it just um generally applicable to to other setups yeah yeah thanks it's a good question so out of now the tool only um it supports the hs2 lxc implementation that's the way of deploying the hsc instances um deployment implementations that's using lxc containers as the bob tools either the bob tools or the new the hs2 security tools um yeah and um currently there's an issue around the people to support also the boombox the hs2 boombox way of deployment which is which is what is also included in the documentation the official hsc documentation that that would be supported also um very soon okay thank you so if you have any other questions let's do it offline and in the chat and we have one more presentation for today thank you yes um thank you okay so let me share my screen I hope you can see me yes perfect okay so on my side of course I'll present the security and privacy hs2 ecosystem by name I'm Ibrahim Udkama from the University of Jerusalem so today I'll try to present our use case and 
experience on this sector of course we can't hear you no no yeah we can't hear you unfortunately okay there okay yes how we can okay perfect okay yeah so I'll be talking about navigating the intersection of security and policy in dhs2 ecosystem mainly I'll be or I'll be presenting issue that address the safety challenges of dhs2 APIs through the mediators so as we know always other previous presenters showed uh very nice web portals or dashboards public dashboards that users interact uh play with excuse me we can't see your screen no okay can you see my screen nope not good okay let me fix it okay let me reshate again there not yet or let me share a specific window maybe sorry there there yes now we can okay so I have to share a specific window okay so as I said earlier like I'll be addressing the security challenges of dhs2 APIs through the mediators so as other presenters demonstrated or showed the portals the web dashboards that they are easily accessible online without any authentication or so so in our use case it was more in uh in Tanzania or in uh the minister of health we have various web portals which users interact so in our case that brought all this aspect of uh security through the dhs2 mediators that they connect the web portals and the dhs2 backends we had some of the web portals that were a little bit sensitive with the information that they do carry or the information that they inquire from users so through that okay so through that we like we had first to come up with the design in mind like okay so how do we orchestrate all this and maintain the security aspect of the whole architecture as the is what I can say like with security policy measures in mind to secure the whole architecture and communication uh with key aspects like authentication and authorization in the mediator in the dhs2 backend abstracting it from the portals and also making secure communication and hiding of sensitive data in the api or dhs2 api responses and the data that are 
being captured from the that communication between the portal and the api so as you can see on the right side this is a simple high-level diagram architecture of the flow where the user will interact with the web portal inside the server where there'll be a mid-area api that connects the web portal and lastly there'll be a dhs2 backend which communicates only with the mediator api in the middle so of course yes by this things look the secure by design so time went the portal went live people started using it everything was cool like we were enjoying our life then there's this saying and there's this code saying anything that can go wrong will go wrong so I think that time actually caught up so there are multiple attempts like to one of the portal that was processing or was acquiring sensitive information from the users so there are multiple attacks to the portal whereby we noticed some of the malicious acts they were trying to hijack it or trying to pass in and know know some gibberish characters in the dhs2 api basically by filtering like they studied how the portal was communicating with the mediator through the browser network trace then they tried to play with it by injecting various characters in the querying of the api let's say you say query where program equals two then that's where they inject like gibberish characters they know themselves how they work so that led to incidences that were unexplainable like for example we started noticing okay suddenly the dhs2 freezes like it's happened running but actually like it's unresponsive so we noticed the like okay what's happening after going the server trying to diagnose these things you might find like the server was down for example you can see the picture on the right top actually the instance was down for like 39 minutes so actually it wasn't down but actually it was in a mode of processing something that it doesn't understand so in the end it tries to eat up all the CPUs it tried to eat up it eats up all 
the RAM inside or the resources available so that actually was so frustrating when I said because like okay so what was happening what is going on so after that we had to do a threat analysis like what is going on as you can see in the bottom picture this actually were logs that were being logged by the mediator like what was coming in you could see people or attackers were trying to inject some url codes or params which they wanted to see the passwords in the slash etc slash password directory good thing is that all this orchestration this one back here it's a dhs2 is dockerized the api midway is dockerized the port everything itself dockerized so after analyzing the threats we notice okay so at least the impact like they didn't have the entire system their effect was only inside or it was contained inside the docker orchestration but then we wonder docker so why did the dhs2 misbehave or acted that way so we noticed that there are some types of queries that you can make direct to the dhs2 api it will not go down but actually dhs2 it will go in a mode of processing kind of so it will block any other requests until that that request it's being solved so most of the requests you are who are holding suspense for example even if you try to authenticate it will hold even if you try to maybe query another api resources it will stay on hold so how to solve that because you have to manually restart the dhs2 instance yeah so that went on we had like a little bit of complaints like for example let's say there were scenarios in the airport like travelers were tried a little bit they were tried a little bit to use the system if the system was interviable was unresponsive so there were travelers a few years many serious furious like everybody's furious so after that we had to update the architecture like okay so how do we how do we solve this so we had some few security reinforcements so basically there were three key aspects needed to be strengthened and monitored so the 
first what we do we did the this in gnex url url filtering automatically got suspicious url patterns i think one of the presented earlier presented about that virtual virtual patching so this is something like that but it might be not like that direct but it's more dealing with in gnex automatically ignore certain url matching patterns that we introduce to filter this kind of malicious attempts second thing in the immediate api incoming payloads we introduced the inspection because we noticed also some of the attackers used those payloads they say in the port we have an input of let's say first name you're trying to register first name that's where somebody injects some gibberish characters inside that input when it goes to dhs2 it will cause that harm of dhs2 being in suspense mode like it's trying to resolve something it doesn't understand so we introduced in the middle here api by filtering or inspecting the payloads that they are coming are they safe or do they have that pattern of attack then thirdly in the dhs because we were using the dhs2 localize the implementation we patterned the glow root i do believe most of you are aware of it after that the dhs2 and go root were running parallel inside the same same container or the same same docker image with that helped us to monitor the source usage the amount of traffic it gets and the source uses like what holds up the computation on the instance what uses much resources what api calls they are so intensive and etc in order like for us to act quick and to like to stop any kind of unsuspected or unsuspicious behavior that dhs might might experience so all this architecture basically towards to protect the dhs from being attacked by those outside attackers or i think one of the days we found like there was a company that was trying to do penetration testing through that portal yeah so with this vulnerability patches and reinforcement all midnight crises and sudden system outages who are completely gone because 
like you can see based on this flow here like we just tried to update the middle and also we tried to update the engine x url filtering mechanism with heavy monitoring so my message is security is a race against time vulnerability may exist long before you discover them act with agents to identify and patch vulnerabilities before they they are exploited as scientists thank you any questions thank you so much do you have any questions okay oh awesome of course thank you very much i wonder if you were attending the the public portal session i think there's a lot of similar considerations and similar approaches that you took as well um so yeah i'm curious if you have any thoughts on kind of a standardized way to to go about protecting public access to to data as you've done here and some of the considerations we had there particularly maybe pushing versus polling data to to prevent access to dhs too for particularly public uh use cases of course yes um i try to understand that i think most of the implementation that you were earlier presented i was glad some of them we already implemented but uh for in our case how this portal work were more for both sizes like pulling and pushing because at some point it was pulling data from the portal to the dhs and some point it is pushing like so you know i said like it was in both but it was not in one direction right yes okay yeah thanks good good interesting uh learnings i think for for everyone to to consider especially when opening up dhs due to to larger audiences thank you thank you okay thank you once again and that's all for today on security session and i'll be in the expert lounge for those who would like to talk about for the security topics and have a great conference of days ahead thank you