New Paradigms In FileMaker Platform Security
October 19th 2015
Traditionally, the framework for Information Security management has focused on activities designed to preserve the Confidentiality, Integrity, and Availability (CIA) of digital assets, and, on occasion, of physical IT infrastructure assets. That focus must now shift; in fact, it is already shifting.
By way of a brief review, CIA focuses on three elements:
Confidentiality focuses on preventing unauthorized access to data and viewing of those data;
Integrity focuses on assuring that data cannot be manipulated or altered by unauthorized processes; and,
Availability focuses on assuring that data are present and ready for use, and not purposefully or inadvertently destroyed or otherwise made inaccessible.
When a breach occurs, it creates an adverse impact on the People, Assets, Operations, and Reputation of the organization that suffered the breach. There are four levels of adverse impact: Limited, Serious, Severe, and Catastrophic.
This traditional approach to Information Security concentrated a lot of attention on the physical infrastructure of networks, servers, files, firewalls, and similar items. The underlying theory here is that protecting the digital asset mandates blocking attackers from entering the network infrastructure. That is still a legitimate and valid concern and requirement. But it is no longer sufficient just to block access. We must now shift and expand our focus to other elements.
FileMaker developers and FileMaker Server Administrators have two core security missions now. The first is to guard the data themselves at the data level; the second is to provide for Resilience of systems after they are attacked and likely are breached. So, in addition to the traditional (and still useful) CIA, we now have CIAR.
Ponemon Institute, the renowned security analytics company, offers an excellent definition of Resilience as an organization’s:
“…capacity…to maintain…[its] core purpose and integrity in the face of cyberattacks.”
Such an approach presumes that cyberattacks directed towards FileMaker hosted systems will occur, and that such attacks likely will succeed. In the face of these attacks, organizations deploying the FileMaker Platform must be able to continue to operate at something highly resembling normal levels. As a condition precedent to that requirement, they must also be able to detect and recognize an attack quickly when it first occurs and to restore their systems afterward. An organization’s success in all these ventures will vary depending on the type and the severity of the breach and, to an even greater extent, on the level of its preparedness.
—Causes of Breaches in FileMaker Platform Systems—
There are four major causes of breaches in FileMaker Platform systems:
1. Vulnerabilities in the software. FileMaker, Inc. works on these and reports fixes from time to time. See http://thefmkb.com/13585
2. Misconfiguration of the software, especially FileMaker Server, but the other products as well.
3. Failure by developers to use the security tools provided in the products, especially Encryption at Rest (EAR), File Access Protection, finely-grained Privilege Sets, Encryption in Transit, and strong passwords.
4. Invention by developers of their own artificial (ersatz) “security” systems. These contrivances detract from actual security and weaken it. This includes such practices as “scripted security” processes, artificial authentication systems, storage of passwords in data elements, use of On-Open scripts to enforce privilege management, equating User Interface elements with actual security, and similar practices.
—How To Promote Preservation of CIAR—
How then do we promote Confidentiality, Integrity, Availability, and Resilience of FileMaker Platform systems? Here are seven core elements we can use to promote CIAR.
1. Realize that when a cyberattack occurs, it is the Strength of the Defender, not the Strength of the Attacker, that likely will determine the outcome. These attacks will occur; breaches will ensue as a result. How an organization survives a breach, particularly a breach at the Serious level or above, will determine how, and whether, it is able to continue in operation.
2. Focus on the data; they are the critical element. We must try to protect the data at the data level so as to deny the Attacker the fruits of the attack. This includes the hosted files and all backup copies.
3. Employ Encryption at Rest (EAR) with a strong Encryption Password. The “strength-ometer” in FileMaker Pro Advanced provides a clue as to the strength of the Encryption Password. If an Attacker exfiltrates digital assets from the network or the server, strong encryption goes a long way to preserving the Confidentiality of these data.
4. Properly use the tools that FileMaker, Inc. has introduced into the Platform, as previously noted. In addition to EAR, this includes File Access Protection and finely-grained Privilege Sets. The former inhibits and blocks unauthorized access from external files into the protected file. The latter, the finely-grained Privilege Sets, control the behavior of everything from the User Interface, to scripts, to value lists, to file metadata. Additionally, they can inhibit, although not totally restrict, unauthorized access to a file from external APIs such as Apple Events, ActiveX, FMPURL, XML, and PHP.
5. Avoid ersatz contrivances. I have, over the past 15 or so years, seen literally hundreds and hundreds of these systems. All have introduced vulnerabilities not otherwise present. All provide rich attack vectors to compromise all or part of FileMaker Pro files. And they also impart a false sense of security and confidence that the files have adequate protection.
6. Thoroughly understand at a deep, hands-on level how the entire Family of Products actually works when it comes to security behaviors. Understand the vulnerabilities present in the Platform. Understand what additional vulnerabilities you introduce by failing to use the tools provided. Understand the vulnerabilities you also introduce by using artificial contrivances. Finally, follow Best Practices. These are there for a reason. Furthermore, they usually have become Best Practices because of some incident that led to the compromise of CIAR.
7. And finally, develop a Security Incident Response Plan. When the attack is underway, when the damage is already done, it is too late, and a particularly inopportune time, to try to craft a response. Think through these items in advance; try to develop specific scenarios for response. These will not be perfect nor totally predictable. As Admiral William F. Halsey remarked, “No battle plan survives its first encounter with the enemy fleet.”
There are consequences flowing from failures to preserve CIAR of FileMaker Platform systems. There are regulatory strictures and penalties, particularly in the health care, financial services, and education markets. There can be criminal and civil liabilities for data breaches resulting in losses and exposures. Certainly there is damage to organizational reputation and damage to customer or client relationships. And finally, there can be business stoppages caused by breaches and losses.
Confidentiality, Integrity, Availability, and Resilience of FileMaker Platform assets are important. Developers and Administrators can meet these requirements through judicious use of the tools FileMaker, Inc. provides, through a thorough and hands-on understanding of how the products work, and through avoidance of artificial, ersatz “security” contrivances.
In the coming weeks and months and on into 2016, I will be exploring and reporting on these items related to CIAR.
Steven H. Blackwell