Page 1: Effective Computer Security Policies David Sims, P.E. D. P. Sims & Associates Houston, Texas USA dpsims@dpsims.com.

Effective Computer Security Policies

David Sims, P.E.

D. P. Sims & Associates, Houston, Texas USA, dpsims@dpsims.com

Page 2

What is Security?

• Informally, a system is secure if you can depend on it to behave as you expect.

• A system that meets its specifications.

• Alternatively, it is a system you trust.

Page 3

Dimensions of Security

• Confidentiality

• Integrity

• Availability

• Auditability

• Correctness and Consistency

• Control

Page 4

How to Achieve Security?

• Perfect security is possible if you power down your system, encase it in concrete and surround it with armed guards.

• “Just say no to computing.”

• This solves lots of our other problems, too.

Page 5

How to Achieve Security

• Our next best approach is to understand the threats and losses, then reduce our risk of loss to acceptable levels - risk assessment and abatement.

• Fundamental to this, we must know what we are protecting!

Page 6

Achieving Better Security

• There are three approaches to achieving better security. A combination of all three is better than any single one:

– “Technical Security” (software, hardware, personnel, operations)

– Increasing the cost of discovery (legal methods, administrative action)

– Establishing social pressure to prevent inappropriate behavior. Policy helps here.

• Countering potential risks leads to an increased sense of trust.

Page 7

Why Worry?

Why should I worry about this security stuff anyhow? There’s nothing on my machine that’s worth anything. What do I have to lose?

Page 8

Worries:

• Information has value

– when combined

– when altered

– when disclosed

• Resource use has value

– unauthorized use

– denial of service

Page 9

Worries:

• Damage to reputation

– damage to your personal reputation

– damage to your group

– damage to your company

• Your system is not alone

– other machines on the network

– shared resources and files

– indirect liability

Page 10

Is This You?

He’s had the password “wizard” for the last 5 years now. All his secretaries knew it. But he’s the VP of Engineering and we can’t force him to change it.

Page 11

Big Concept

If you think you have responsibility for computer security, but you don’t have corresponding authority (including budget authority), then your real function in the organization is to take the blame when (not if) disaster strikes.

Corollary: consider this a sign that it is time to look for another job.

Page 12

Is This You?

I’m not sure what it is I’m guarding. I’m not even sure what I’m guarding it against. But I can assure you - no hacker is going to get to it from the net!

Often signaled by paying for commercial products before doing a risk assessment or policy formation, or by repetitive purchase of the “latest” technology.

Page 13

Big Myth

The biggest threat is from the “outside”.

Reality: Only about 3% of serious incidents in a typical business environment are from “outside.”

Breakdown of serious incidents (NCCCD data):

• Insider misuses: 19%

• Outsider attacks: 3%

• Bugs and errors: 65%

• Disasters: 13%

Page 14

Spotting an intruder (US DoD)

• Attacked: 8932

• Broken into: 7860

• Detected: 390

• Reported: 19

Source: CSI Primer

Page 15

Other Important Concepts

• Security is not a game..... and not a “hacker” thing, either.

• Security is everybody’s responsibility.

• All the “good guys” are not necessarily on your side.

• We let vendors sell us shoddy software.

• Security is more than fixing bugs (but that certainly seems to be a big part of it!)

Page 16

Four Common Failures

• Focus is on computers and networks instead of on information.

• Organization has no formal policy. Thus, personnel cannot consistently make necessary decisions.

• Organization has no reasonable response plans for violations, incidents and disasters.

• Plans don’t work when needed because they haven’t been regularly tested, updated, and rehearsed. (E.g., failure of operational security)

Page 17

Threat and Risk Assessment

• Determine what you are protecting

• Determine threats

• Determine cost-effective measures to counter the threats

• Reassess threat information periodically
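The assessment steps above, carried through in code as an added example that is not part of the deck: assets and their threats are listed, each candidate measure is scored by the yearly loss it avoids against what it costs, and the inputs stay in one place for periodic reassessment. The expected-loss model, the asset, the threats and every figure are assumptions constructed for the example.

```python
"""Risk assessment and abatement worked through in code (added example, not
from the slides). The expected-loss model and all figures are constructed."""
from typing import NamedTuple


class Threat(NamedTuple):
    name: str
    per_year: float        # expected occurrences per year
    loss_fraction: float   # share of the asset's value lost per occurrence


class Asset(NamedTuple):
    name: str
    value: float
    threats: list


class Measure(NamedTuple):
    name: str
    yearly_cost: float
    counters: dict         # (asset name, threat name) -> fraction of occurrences prevented


def expected_loss(asset):
    """Expected yearly loss for one asset across all of its threats."""
    return sum(asset.value * t.loss_fraction * t.per_year for t in asset.threats)


def net_benefit(measure, assets):
    """Yearly loss the measure avoids, minus what it costs to run."""
    lookup = {(a.name, t.name): a.value * t.loss_fraction * t.per_year
              for a in assets for t in a.threats}
    avoided = sum(lookup[key] * cut for key, cut in measure.counters.items())
    return avoided - measure.yearly_cost


def cost_effective(measures, assets):
    """Names of measures that avoid more loss than they cost, best first."""
    scored = sorted(((net_benefit(m, assets), m.name) for m in measures), reverse=True)
    return [name for net, name in scored if net > 0]


# Constructed figures for one asset; the threat mix mirrors the deck's point
# that errors and insiders, not outsiders, account for most serious incidents.
CLIENT_RECORDS = Asset("client records", 500_000, [
    Threat("accidental deletion", per_year=0.5, loss_fraction=0.2),
    Threat("insider disclosure", per_year=0.1, loss_fraction=0.5),
    Threat("outside intrusion", per_year=0.02, loss_fraction=0.5),
])
MEASURES = [
    Measure("tested backups", 8_000, {("client records", "accidental deletion"): 0.9}),
    Measure("access control and audit", 15_000, {("client records", "insider disclosure"): 0.7}),
    Measure("premium firewall appliance", 20_000, {("client records", "outside intrusion"): 0.9}),
]
```

With these constructed figures the firewall appliance is rejected because it costs more than the loss it avoids, which is the point the deck makes about buying products before assessing risk.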

Page 18

Security as Software Engineering

• You need requirements - risk & threat assessment

• You make specifications based on requirements - security policy & guidelines

• You build according to specifications

• You test according to specifications and requirements (V&V) - penetration testing, response rehearsals, auditing, etc.

• You debug - incident response

Page 19

Security Policy

• You need to know what you are protecting

• You need to know why it needs protecting

• You need to know its value

• You need to know threats

• You need ownership (stewardship)

– You need a clear statement of responsibility

– You need a clear statement of authority

Page 20

Policy

• Your policy should be short, precise and easy to understand.

• Questions and conflicts should be resolvable by referring to the policy statement.

• Responsibilities should be paired with authority

• Policy specifies guards for people as well as data - specify rights, too.

• Policy guards property, reputation, continuation of business as well as data.

• Policy is public....and should be.

Page 21

Include In Your Policy

• Statement of purpose

• Who labels data & access

• Who does audit

• Who does response

• Who sets guidelines and standards

• Interpretation and review

• Escrow and authority resolution

Page 22

Don’t Include

• Names of personnel

• Names of products

• Names of specific standards or levels

Page 23

In Your Policy

• Who is allowed access

• Who authorizes access

• Disaster planning

• Individual responsibilities

• Role of outsiders

• Privacy of data

• Penalties

• Priorities

• Unauthorized copies

• Ownership of data

• Appropriate use

Page 24

Security Standards (mandatory)

• Based on need, economics, circumstances, and threat.

• Platform-independent

• Evolve slowly and codify successful practice

• Embody standards of performance and metrics to measure that performance.

• Include steps for periodic review.

Page 25

Standards include

• How backups are done (frequency, storage, etc.)

• Audit procedures

• Importation of new software

• Addition of new equipment/repair

• Networking and telecommunications issues (may include encryption)

• Physical security

• Disaster recovery

Page 26

Per-system Guidelines

• These are specific to the machine, environment, and software involved.

• One person should be accountable for implementing these guidelines.

• These may change frequently and be very variable.

Page 27

Educate your users

• Make your users part of your security plan!

• Teach them about good passwords

• Teach them about proper protections

• Have users report suspicious activity

• Teach them to resist social engineering

• Help them understand that “latest” does not necessarily equate to “best”

Page 28

Operational Controls & Security

• Configuration of your systems and day-to-day operation are cornerstones to good security.

• Configuration should be for security as well as ease-of-use and maintainability.

• Is it easy for you to:

– firewall your machines?

– compare configurations and code?

– examine audit trails?

– do backups & restores?

Page 29

Operational concerns

• Do you have a “standard” configuration?

• Do you perform security rechecks?

– periodically

– randomly

– after upgrades

– after restores

Page 30

Configuration problems

• Inappropriate permissions & set-up

• Missing bug fixes

• Excess privilege

You must get it right the first time!
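The security recheck the last three slides call for, written out as an added example that is not code from the deck: a host's current configuration is compared with the "standard" configuration, and each of the three configuration problems above (inappropriate permissions, missing bug fixes, excess privilege) is reported as a finding. The standard, the package versions, the allowed setuid list and the "restored host" snapshot are all constructed for the example.

```python
"""Security recheck of one host against the 'standard' configuration (added
example, not from the slides). Flags inappropriate permissions, excess privilege
and missing bug fixes. All paths, hashes and versions are constructed."""
import hashlib

# Constructed standard: expected content hash, mode and owner per file.
STANDARD = {
    "/etc/ssh/sshd_config": (hashlib.sha256(b"PermitRootLogin no\n").hexdigest(), 0o600, "root"),
    "/etc/passwd": (hashlib.sha256(b"root:x:0:0::/root:/bin/sh\n").hexdigest(), 0o644, "root"),
}
# Lowest package versions that carry the required bug fixes (constructed).
REQUIRED_FIXES = {"openssh": (9, 6), "openssl": (3, 0, 13)}
# Programs the standard permits to run with elevated (setuid) privilege.
ALLOWED_SETUID = {"/usr/bin/passwd", "/usr/bin/sudo"}

def check_host(files, setuid_programs, packages):
    """Return findings for one host; an empty list means it matches the standard.
    files: path -> (content bytes, mode, owner); packages: name -> version tuple."""
    findings = []
    for path, (std_hash, std_mode, std_owner) in STANDARD.items():
        if path not in files:
            findings.append(f"{path}: missing, restore from standard")
            continue
        content, mode, owner = files[path]
        if hashlib.sha256(content).hexdigest() != std_hash:
            findings.append(f"{path}: content differs from standard")
        if mode & 0o022 or (mode, owner) != (std_mode, std_owner):
            findings.append(f"{path}: expected {std_owner} {std_mode:o}, found {owner} {mode:o}")
    for prog in sorted(set(setuid_programs) - ALLOWED_SETUID):
        findings.append(f"{prog}: setuid not permitted by standard (excess privilege)")
    for pkg, minimum in REQUIRED_FIXES.items():
        if packages.get(pkg, ()) < minimum:
            findings.append(f"{pkg}: installed {packages.get(pkg)} is below fixed {minimum}")
    return findings

# Constructed snapshot of a host restored from an old backup: the restore brought
# back an old sshd_config, an unreviewed setuid tool and an unpatched package.
RESTORED_HOST = {
    "files": {
        "/etc/ssh/sshd_config": (b"PermitRootLogin yes\n", 0o644, "root"),
        "/etc/passwd": (b"root:x:0:0::/root:/bin/sh\n", 0o644, "root"),
    },
    "setuid_programs": ["/usr/bin/passwd", "/usr/bin/sudo", "/opt/tools/debug"],
    "packages": {"openssh": (9, 2), "openssl": (3, 0, 13)},
}

if __name__ == "__main__":
    print("\n".join(check_host(**RESTORED_HOST)) or "host matches standard")
```

Run after every upgrade and restore, as the previous slide suggests, the same check turns "do you have a standard configuration?" into a yes-or-no answer per host.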

Page 31

Audit and Feedback

• Monitor compliance

• Update threats and assets

• Evaluate new features

• Renew user awareness

• Seek out improvements

....remember, the problem is not computers, it is people.

Page 32

Yes, but what can _I_ do??

• Is your client’s data safely put away?

• Have you recently changed your password(s)?

• Do you leave your computer running unattended?

• Is your password-protected screensaver active?

• Do you regularly back up critical data?

• Do you have current software virus protection?

• Do you use only properly licensed software?

• Is your removable media stored safely?

• Have you destroyed out-of-date CD-ROMs and floppies?

• Have you disabled auto-answer on your modem?

• Have you reported a security risk this quarter?