03_SecurityPolicies

7/30/2019 03_SecurityPolicies

1/21

Slide #4-1

Chng 3: Chnh sch an ninh

Tng quan V chnh sch an ninh

What they coverPolicy languages

V cc k thut

Types


2/21

Slide #4-2

Security Policy

Chnh sch phn chia h thng thnh 2 trng thi:Authorized (secure)

These are states the system can enterUnauthorized (nonsecure) If the system enters any of these states, its a

security violation

Mt h thng an ton:Starts in authorized stateNever enters unauthorized state


3/21

Slide #4-3

Tnh bo mt

Xset of entities, Iinformation Ihas confidentiality property with respect to Xif

no x

Xcan obtain information from I Ican be disclosed to others Example:

Xset of students

Ifinal exam answer key Iis confidential with respect to Xif students cannot

obtain final exam answer key


4/21

Slide #4-4

Tnh ton vn

Xset of entities, Iinformation

Ihas integrity property with respect to Xif all x

Xtrust information in I Types of integrity:

trust I, its conveyance and protection (data integrity)

Iinformation about origin of something or an identity(origin integrity, authentication)

Iresource: means resource functions as it should(assurance)


5/21

Slide #4-5

Tnh kh dng

Xset of entities, Iresource

Ihas availability property with respect to Xif all x

Xcan access I Types of availability:

traditional:x gets access or not

quality of service: promised a level of access (forexample, a specific level of bandwidth) and not meet it,

even though some access is achieved


6/21

Slide #4-6

Cc kiu chnh sch

Chnh sch qun i (chnh quyn)Policy primarily protecting confidentiality

Chnh sch thng miPolicy primarily protecting integrity

Chnh sch bo mt

Policy protecting only confidentiality Chnh sch ton vn

Policy protecting only integrity


7/21

Slide #4-7

Tnh ton vn trong giao dch

Bt u trng thi bn vng Consistent defined by specification

Thc hin mt chui cc thao tc (transaction)Actions cannot be interrupted

If actions complete, system in consistent state

If actions do not complete, system reverts tobeginning (consistent) state


8/21

Slide #4-8

S tin cy

Ngi qun tr ci mt bn v li:

1. Trusts patch came from vendor, not

tampered with in transit

2. Trusts vendor tested patch thoroughly

3. Trusts vendors test environmentcorresponds to local environment

4. Trusts patch is installed correctly


9/21


10/21

Slide #4-10

Answer Part 1

B gian ln Policy forbids copying homework assignment Bill did it System entered unauthorized state (Bill having a copy

of Annes assignment)

Nu khng pht biu r rng trong chnh sch anninh, th l ngm nhNot credible that a unit of the university allows

something that the university as a whole forbids, unlessthe unit explicitly says so


11/21

Slide #4-11

Answer Part 2

A khng bo v file bi tpNot required by security policy

A khng vi phm chnh sch an ninh

Nu chnh sch yu cu SV phi bo v filebi tp, th A vi phm chnh sch an ninh


12/21

Slide #4-12

K thut

Cch thc hoc quy trnh lm cho chnhsch c hiu lc:

Access controls (like bits to prevent someonefrom reading a homework file)

Disallowing people from bringing CDs and

floppy disks into a computer facility to controlwhat is placed on systems


13/21

Slide #4-13

V d v chnh sch

Chnh sch an ninh cho mt trng HInstitution has multiple campuses, administered

from central officeEach campus has its own administration, and

unique aspects and needs

Chnh sch s dng hp php Chnh sch cho h thng email


14/21

Slide #4-14

Chnh sch s dng hp php

Dng cho tng campus

Mc tiu ca h thng my tnh Cc mc ch c bn: Truy cp ti nguyn, trao i thng tin, tn

trng quyn ring t, tn trng tnh ton vn ca h thng

K thut thc hin chnh sch: quy nh hnh chnh Warnings

Denial of computer access

Disciplinary action up to and including expulsion

Thng bo chnh thc cho cng ng ngi dng


15/21

Slide #4-15

Chnh sch th in t

Dng cho ton trng

Gm 3 phnSummary

Full policy

Interpretation at the campus


16/21

Slide #4-16

Summary

Cnh bo email khng phi ring tCan be read during normal system

administrationCan be forged, altered, and forwarded

Unusual because the policy alerts users to

the threatsUsually, policies say how to prevent problems,

but do not define the threats


17/21

Slide #4-17

Summary

Nhng g nn v khng nn lmThink before you send

Be courteous, respectful of others Dont interfere with others use of email

C th s dng cho mc ch c nhn,

nhng hn ch


18/21

Slide #4-18

Uses of E-mail

C th gi nc danhException: if it violates laws or other policies

Khng gy phin h cho ngi khcNo spam, letter bombs, e-mailed worms, etc.

Hn ch s dng cho mc ch c nhn

Cannot interfere with university businessSuch e-mail may be a university recordsubject to disclosure


19/21

Slide #4-19

Security of E-mail

Nh trng c th c Wont go out of its way to do so

Allowed for legitimate business purposesAllowed to keep e-mail robust, reliable

Cho php lu tr hoc ghi nh li

May be able to recover e-mail from end system(backed up, for example)


20/21

Slide #4-20

Implementation

Thm vo cc yu cu c th ca cc c s Example: incidental personal use not allowed if it

benefits a non-university organization

Allows implementation to take into account differencesbetween campuses

Procedures for inspecting, monitoring, disclosinge-mail contents

Backups


21/21

Slide #4-21

Key Points

Chnh sch m t nhng g c php

K thut iu khin vic cc chnh sch

c p dng nh th no S tin cy lm nn tng cho cc vn an

ninh

03_SecurityPolicies

Documents

Transcript of 03_SecurityPolicies