Once the basic hosting infrastructure and server environments are secured, the next layer to secure is access to the application itself. The cloud edition of the software is accessed via a web browser over the standard HTTP or HTTPS protocols. Inherent in this architecture are several security properties, such as the separation of the browser session from any ability to write or execute files on the server.
The application has built-in protection against common attack vectors such as SQL injection. Every request variable and form field submitted via forms or query strings is passed through filters that detect attempts to embed SQL fragments intended to run commands such as table SELECTs, INSERTs or DROPs.
This article covers the other techniques we offer which, when used and configured appropriately, provide an excellent standard of security for access to the application itself via the front door.
Password Authentication Policies
Our built-in password authentication system allows you to configure password policies such as the following:
- Minimum password length, in number of characters.
- Minimum password complexity: for example, you can choose whether passwords must contain both lower- and upper-case letters, and whether they must contain at least one punctuation character and one digit.
- Password expiry period: you can specify a number of days after which a password expires and must be changed by the end user before they are allowed to log in again.
- Barring password re-use: you can prevent users, on expiry, from choosing a new password that simply appends a character or number to the previous one in a predictable sequence. For example, you can reject a new password that resembles any of the up to 12 previously selected passwords for that same user.
- Auto-disable an account after X password authentication failures: you can optionally enable a setting that locks an account after X successive password authentication failures. We generally recommend that this setting be left off, because it presents an attack vector whereby a malicious person could deny access to specific end users simply by knowing their username and the URL of the login page.
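As an added illustration of how such a policy might be evaluated at password-change time (example code written for this article, not ValuePRO's own implementation), the block below checks length and character classes, compares the candidate against a hashed history of the last 12 passwords, catches the "bump the trailing digit" variant by comparing against the current password supplied in clear, and reports expiry. The defaults (12 characters, 90 days) and the set of required character classes are assumptions; the lockout setting is deliberately left out.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class PasswordPolicy:
    min_length: int = 12
    required: tuple = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")  # upper, lower, digit, punctuation
    expiry_days: int = 90      # a password must be changed after this many days
    history_size: int = 12     # reject reuse of the last 12 passwords

@dataclass
class UserRecord:
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest last
    changed_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored history never exposes the passwords themselves
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_problems(policy: PasswordPolicy, pw: str) -> list:
    problems = ["too short"] if len(pw) < policy.min_length else []
    return problems + [f"missing class {p}" for p in policy.required if not re.search(p, pw)]

def is_reused(policy: PasswordPolicy, user: UserRecord, pw: str) -> bool:
    # exact-match check against the hashed history; a hash cannot detect near-matches
    return any(hmac.compare_digest(_digest(pw, salt), d)
               for salt, d in user.history[-policy.history_size:])

def is_predictable_variant(old_pw: str, new_pw: str) -> bool:
    # the current password is available in clear at change time, so the
    # "bump the trailing digit" pattern can be caught by direct comparison
    a, b = (re.sub(r"[0-9!?.]+$", "", s).lower() for s in (old_pw, new_pw))
    return a != "" and a == b

def is_expired(policy: PasswordPolicy, user: UserRecord, now: datetime) -> bool:
    return now - user.changed_at > timedelta(days=policy.expiry_days)

def change_password(policy, user, old_pw, new_pw, now=None) -> list:
    # returns the list of violations; an empty list means the change was applied
    problems = complexity_problems(policy, new_pw)
    if is_reused(policy, user, new_pw):
        problems.append("matches a recent password")
    if is_predictable_variant(old_pw, new_pw):
        problems.append("predictable variant of the current password")
    if problems:
        return problems
    salt = os.urandom(16)
    user.history = (user.history + [(salt, _digest(new_pw, salt))])[-policy.history_size:]
    user.changed_at = now or datetime.now(timezone.utc)
    return []
```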
In addition to these policies, the ValuePRO database encrypts and hashes passwords so that anyone with read access to the system database cannot see individual users' passwords in clear text. For this reason, anyone contacting ValuePRO Technical Support other than a nominated Master User/Account Administrator cannot obtain assistance with passwords and security matters.
By far the most effective layer of protection is our two-factor authentication process, which is enabled on all ValuePRO instances by default. We are very reluctant to allow this activation process to be disabled; if we are instructed to disable it, we will require written authority and an acknowledgement of the security risks of removing it.
Users are challenged each time they log in from an unrecognised terminal. We use the browser's cookie system to identify a terminal. The challenge can be issued to an email address (note that the system does not tell the user which of their email addresses the activation code has been sent to).
An attacker would therefore need to know the URL of the system login page, the ValuePRO username and password, and which email address is associated with that user, and would also need access to that user's email account. Activation codes automatically expire 15 minutes after they are sent, adding time pressure to any attack.
In addition, the two-factor authentication token can be sent to a mobile number as an SMS message. While there is a transmission cost associated with this option, it is generally considered more secure than an email-based token, because the mobile phone effectively acts as a hardware login token, which is more difficult to attack.
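To make the challenge flow concrete, here is an added example (not ValuePRO code) of a server-side activation service: it issues a six-digit code that expires 15 minutes after sending, stores only a hash of it, delivers it through an injected send callback standing in for email or SMS, and on success returns an HMAC-signed cookie that marks the terminal as recognised. The attempt limit, cookie format and send callback are assumptions.

```python
import hashlib, hmac, secrets, time

CODE_TTL_SECONDS = 15 * 60   # activation codes expire 15 minutes after sending
MAX_ATTEMPTS = 5             # assumed: guesses allowed per issued code

class ActivationService:
    def __init__(self, send, cookie_key: bytes, now=time.time):
        self.send = send               # callable(address, code): e-mail or SMS delivery
        self.cookie_key = cookie_key   # server-side secret that signs terminal cookies
        self.now = now                 # injectable clock, so expiry can be tested
        self.pending = {}              # username -> (code_hash, expires_at, attempts)

    def terminal_cookie(self, username: str, terminal_id: str) -> str:
        # an HMAC over user and terminal means the cookie cannot be forged or
        # transplanted to another account without the server key
        mac = hmac.new(self.cookie_key, f"{username}:{terminal_id}".encode(), hashlib.sha256)
        return f"{terminal_id}.{mac.hexdigest()}"

    def is_recognised(self, username: str, cookie) -> bool:
        terminal_id = (cookie or "").partition(".")[0]
        expected = self.terminal_cookie(username, terminal_id)
        return bool(terminal_id) and hmac.compare_digest(cookie.encode(), expected.encode())

    def challenge(self, username: str, address: str) -> None:
        # the response shown to the user must not echo which address was used
        code = f"{secrets.randbelow(10**6):06d}"        # six-digit one-time code
        code_hash = hashlib.sha256(code.encode()).digest()
        self.pending[username] = (code_hash, self.now() + CODE_TTL_SECONDS, 0)
        self.send(address, code)

    def verify(self, username: str, code: str, terminal_id: str):
        # returns a signed terminal cookie on success, None on any failure
        entry = self.pending.get(username)
        if entry is None:
            return None
        code_hash, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[username]              # expired or exhausted: force a new challenge
            return None
        if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), code_hash):
            self.pending[username] = (code_hash, expires_at, attempts + 1)
            return None
        del self.pending[username]                  # single use
        return self.terminal_cookie(username, terminal_id)
```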
LDAP Integration (Active Directory/Single Sign on)
Valuation practices that have sophisticated IT services and make use of Windows Domain Controllers or Active Directory can enable LDAP-based authentication. This can be enabled or disabled on each user's profile, since some users, such as third-party contractors or casual users, may not have an account on the company's Active Directory server. Enabling mixed-mode authentication in this way lets you optimise the experience for each user.
LDAP authentication for your employees means that users can sign in to their ValuePRO instance using the same username and password combination they already use to access their Windows laptop or desktop computer and any other network resource. Single sign-on like this makes systems more secure, because users have only one username and password combination to manage and recall, and users are more likely to select and remember stronger passwords when they have fewer of them to recall.
Another option that ValuePRO supports is to auto-login a user based on their network login details. This lets you bypass the username, password and activation processes by simply validating that the currently logged-in Windows user matches the corresponding user account registered in ValuePRO. If you enable this function, we strongly suggest that it be combined with a VPN wrapper and/or an IP range whitelist to ensure that the network credentials are not being spoofed.
Wrapping ValuePRO inside your existing VPN
Another option that valuation firms can investigate is to wrap access to your ValuePRO instance inside your existing or a new VPN (Virtual Private Network). This essentially prevents any user who has not first logged in to your VPN from being able to access your ValuePRO instance.
Please contact ValuePRO Technical Support should you wish to implement this option. Customers should consider the usability and uptime implications of this security layer for end users. For many customers, wrapping the application in a VPN means that service uptime is limited by the uptime and availability of the VPN itself. In addition, remote users, especially those on iPads and other tablet devices, may find the additional VPN login process a speed bump and an inconvenience that negates some of the huge advantages of ValuePRO being a primarily web-based interface.
For customers with a very fixed geographic region of operations, you may wish to make use of the geofencing options that the product provides. ValuePRO subscribes to the GeoIP database, and we use it in real time at every login to map the user's currently presented IP address to a geographic location. We then check that location against the list of permitted countries (shown above) from which users are allowed to log in, which your Master User can configure. If the user is not currently logging in from a country on the permitted list, the login screen is disabled and a login attempt cannot even be made.
From a security perspective, geofencing offers a surface layer of protection against random, unskilled attacks originating outside the company's normal operating area. It is important to note, of course, that a skilled and determined attacker would have access to tools such as VPNs and botnets that bypass a geofence.
There are three levels of SSL certificate that can be registered and used for TLS (Transport Layer Security), i.e. encryption of traffic between the end user's browser and the ValuePRO web servers: Domain Name Validation, Organisation Validation and Extended Validation.
Given that at some stage your ValuePRO instance may be exposed in part to your customers (e.g. the customer online ordering and job tracking portal), we strongly recommend that customers implement the Extended Validation option directly. As this process requires validation of the organisation, we will need the cooperation of your senior management team to assist you with the registration process.
Should you wish to enable SSL on your ValuePRO instance, please contact ValuePRO Technical Support.
From a security and general performance perspective it is important to note the following:
- Most forms of SSL have well-documented, known security vulnerabilities that are usually one or two steps ahead of patches and updates. SSL and other mainstream TLS techniques should not be considered foolproof, and customers should not expect that a "secured" connection means their communications between browser and server cannot be eavesdropped.
- The SSL encryption/decryption process on both the client and server sides increases the load on both the client machine and the server. Users could experience increased latency and other performance impacts, especially when using lower-end hardware on the client side.
- SSL may need to be disabled temporarily on occasion to assist our support team in debugging the deployment of new features to your instance or in investigating support tickets.
- We have a system setting that forces your users onto an HTTPS session (even if they attempt to initiate the session using the HTTP address). This should always be turned on if you wish to ensure the use of SSL.
Tablet Software - Hardware Fingerprinting and License Key
All external devices and client-side software that interact with your ValuePRO database have a license key associated with their use. The first time one of these devices synchronises with valid credentials and a previously unused license key, a hardware fingerprint key is generated and encrypted on the device, transmitted to the server and stored against that license key profile. If a subsequent sync supplies a different hardware profile for the same credentials and license key, a synchronisation error is generated and the system rejects any uploaded or downloaded data.
The hardware fingerprint is generated by the client product executable during synchronisation. The hash algorithm takes into account several variables that cannot easily be spoofed or guessed, including time-based variables, so it is not possible simply to re-submit a known string value as the hardware fingerprint.
To move a license key from one device to another, a Master User must log in to the Mobile Licenses management screen on the system and "release" the hardware lock on that license key. The lock is then re-established to the new device immediately upon its next synchronisation.
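As an added example (not the product's code) of the server side of this lock, the registry below binds a license key to a keyed hash of the first fingerprint it sees, rejects later syncs that present a different fingerprint, and only lets a Master User release the lock so that the next sync re-binds it. Credential checking and the client-side fingerprint generation are outside its scope; the role name, exception type and method names are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Optional

class SyncRejected(Exception):
    """Raised when a sync would move data to or from an unauthorised device."""

@dataclass
class LicenseKey:
    key: str
    fingerprint_hash: Optional[bytes] = None   # None means unlocked: the next sync binds it

class MobileLicenseRegistry:
    def __init__(self, server_secret: bytes):
        self.secret = server_secret
        self.licenses = {}

    def _hash(self, fingerprint: str) -> bytes:
        # keep only a keyed hash so the database never holds the raw fingerprint
        return hmac.new(self.secret, fingerprint.encode(), hashlib.sha256).digest()

    def issue(self, key: Optional[str] = None) -> str:
        key = key or secrets.token_urlsafe(16)
        self.licenses[key] = LicenseKey(key)
        return key

    def synchronise(self, key: str, fingerprint: str) -> str:
        lic = self.licenses.get(key)
        if lic is None:
            raise SyncRejected("unknown license key")
        presented = self._hash(fingerprint)
        if lic.fingerprint_hash is None:
            lic.fingerprint_hash = presented       # first use: bind to this device
            return "bound"
        if not hmac.compare_digest(lic.fingerprint_hash, presented):
            raise SyncRejected("license key is locked to a different device")
        return "ok"

    def release(self, key: str, actor_role: str) -> None:
        # only a Master User may release the hardware lock; the next sync re-binds it
        if actor_role != "master":
            raise PermissionError("only a Master User may release a hardware lock")
        self.licenses[key].fingerprint_hash = None
```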
Access Logs and Auditing, Security Event Push Notifications
ValuePRO offers excellent audit tools for both "pull" and "push" of security events. The application logs the IP address, device type, operating system version numbers and even the screen resolution of the device, and it automatically records and tags all events against the logged-in session.
Login failures can trigger an email alert to a customer-nominated email address, so alerting on login failures and on new workstation activation attempts (successful or failed) can be configured as deemed appropriate by your internal IT infosec policies.