Module LVI - Security Policies
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: How to Stop the Grinch from Stealing your Corporate Data
Organizations are feeling the effects of data leakage every day: the average cost of a data breach for a publicly traded company is $6.3 million and the stock price drops five percent and it takes a full year to recover. Companies spend millions of dollars each year to protect their information from outside threats, but it is becoming more evident that they need to secure data from within by developing an effective Data Leakage Prevention (DLP) strategy. Safend, a leading provider of enterprise endpoint DLP solutions, has devised the top-five tips for keeping your data safe during the holidays and beyond. These tips include:
-- Employ a Sound Auditing Process: Portable storage devices such as iPods, PDAs, smart phones and other mobile devices have become pervasive in the workplace. Allowing your employees to use their iPods at work may be a good way to increase morale, but it also poses a security threat. Knowing which devices are connecting to which endpoints will help administrators monitor and avoid these threats.
-- Written Data Security Policies: The major concern with portable devices is the fear that the device may be lost or stolen, putting the data it contains at serious risk. In order to truly ensure the security of confidential data stored on portable devices, effective DLP strategies and policies need to be deployed, including written usage policies.
-- Access Control: To make sure that users cannot easily circumvent security policies, it is important to first make sure the policies in place are flexible enough that they don't hinder productivity, but strong enough to prevent data leakage threats.
-- Encrypt Everything: Many enterprises feel that they have covered all their security bases with the implementation of security policies, employee training and endpoint protection technology, and are reluctant to invest in another product or add another level of security.
Source: http://www.reuters.com/
Module Objective
This module will familiarize you with:
• Access Control Policy
• Administrative Security Policies & Procedures
• Audit Trails and Logging Policies
• Documentation Policy
• Evidence Collection and Preservation Policies
• Information Security Policy
• National Information Assurance (IA) Certification and Accreditation (C&A) Process Policy
• Personnel Security Policies & Guidance
Module Flow
Evidence Collection and Preservation Policies
Information Security Policy
National Information Assurance (IA) Certification and Accreditation (C&A) Process Policy
Personnel Security Policies & Guidance
Access Control Policy
Administrative Security Policies and Procedures
Audit Trails and Logging Policies
Documentation Policy
Access Control Policy
An access control policy is a permission for a user to perform a set of actions on a set of resources
A user cannot access a system unless authorized through one or more access control policies
Basic elements of an access control policy:
• Users: Those who use the system
• Resources: The objects that are to be protected
• Actions: Activities performed by the user on resources
• Relationships: Conditions that exist between users and resources
Access Control Policy (cont’d)
Basic elements of an access control policy:
• Access group: Group of users to which the policy applies
• Action group: Group of actions performed by the user on resources
• Resource group: Resources controlled by the policy
• Relationship: Each resource class can have a set of relationships associated with it; each resource can have a set of users that fulfill each relationship
Access Control Policy (cont’d)
Access group policy defines:
• The access group to which a user belongs
• The actions in a specific action group that the user is permitted to perform
• How long the user can satisfy a particular relationship with respect to the resource
Example: [AllUsers, UpdateDoc, doc, creator] means that any user can update a document if they are the creator of that document
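To make the four-element policy tuple concrete, here is an added example (not EC-Council's code and not from the module) of a default-deny check that evaluates policies of the form [access group, action group, resource category, relationship]. The `User` and `Resource` types, the `is_permitted` function, the group and relationship names other than the slide's own [AllUsers, UpdateDoc, doc, creator] tuple, and the sample policies are assumptions constructed for illustration; it also shows the implicit/explicit access group and action group distinctions the next slides introduce.

```python
"""Relationship-based access control check modelled on the module's
[access group, action group, resource category, relationship] policy tuples.
Added example; names and sample policies are assumptions, not EC-Council's."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Resource:
    category: str                      # resource category, e.g. "doc"
    owner: str                         # user who created the resource
    editors: frozenset = field(default_factory=frozenset)


# Implicit access groups: membership is computed from user attributes.
IMPLICIT_GROUPS = {
    "AllUsers": lambda u: True,
    "Editors": lambda u: "editor" in u.roles,
}
# Explicit access groups: membership is an enumerated list of users.
EXPLICIT_GROUPS = {
    "DocAdmins": frozenset({"alice"}),
}
# Relationships: predicates over (user, resource); "none" is unconditional.
RELATIONSHIPS = {
    "creator": lambda u, r: r.owner == u.name,
    "editor": lambda u, r: u.name in r.editors,
    "none": lambda u, r: True,
}
# Action groups: a policy may name a group of actions instead of one action.
ACTION_GROUPS = {
    "ReadDoc": {"ReadDoc"},
    "UpdateDoc": {"UpdateDoc"},
    "AnyDocAction": {"ReadDoc", "UpdateDoc", "DeleteDoc"},
}

# Constructed sample policies; the first is the slide's own example tuple.
POLICIES = [
    ("AllUsers", "UpdateDoc", "doc", "creator"),
    ("AllUsers", "ReadDoc", "doc", "none"),
    ("Editors", "UpdateDoc", "doc", "editor"),
    ("DocAdmins", "AnyDocAction", "doc", "none"),
]


def in_access_group(user, group):
    """Explicit groups are checked by name list, implicit ones by predicate."""
    if group in EXPLICIT_GROUPS:
        return user.name in EXPLICIT_GROUPS[group]
    pred = IMPLICIT_GROUPS.get(group)
    return bool(pred and pred(user))


def is_permitted(user, action, resource, policies=POLICIES):
    """Default deny: permitted only if all four elements of some policy match."""
    for group, action_group, category, relationship in policies:
        if resource.category != category:
            continue
        if action not in ACTION_GROUPS.get(action_group, {action_group}):
            continue
        if not in_access_group(user, group):
            continue
        rel = RELATIONSHIPS.get(relationship)
        if rel is None or not rel(user, resource):  # unknown relationship: deny
            continue
        return True
    return False


if __name__ == "__main__":
    bob = User("bob")
    doc = Resource("doc", owner="bob")
    print(is_permitted(bob, "UpdateDoc", doc))   # creator may update
    print(is_permitted(User("eve"), "UpdateDoc", doc))   # non-creator may not
```

The check is deliberately default-deny: an unknown access group, action group or relationship name never widens access, which is the property a policy engine should have when policy text is edited by hand.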
Access Control Policy (cont’d)
The different sections associated with access control:
Member groups:
• Access groups
• Implicit access group
• Explicit access group
• User groups
Action:
• Action groups
Resource category:
• Resources
• Controller command resources
• Data bean resources
• Data resources
Access Control Policy (cont’d)
Resource groups:
• Implicit resource groups
• Explicit resource groups
Relationships:
• Relationship groups
• Relationship chains
Access Control Policy (cont’d)
Steps involved in access control management:
• Control access to information
• Manage the allocation of access rights
• Encourage responsible access practices
• Control access to computer networks
• Restrict access at operating system level
• Manage access to application systems
• Monitor system access and use
• Protect mobile and teleworking assets
Administrative Security Policies and Procedures
Administrative security practices describe the resources needed to achieve risk management
They specify who is responsible for managing the organization's information security risk
Organizational security policies describe how security is maintained within the organization
Employees should understand and follow the organizational security policies
Policies may not be followed in certain circumstances because of business requirements
Policies are ignored in situations where they are difficult to follow
Policies should still be included for the purpose of strong security, even though they are not followed every time or are sometimes ignored
Administrative Security Policies and Procedures (cont’d)
Administrative security policy best practices:
Information Policy:
• Describes the sensitivity of information in an organization
• Defines the methods of proper storage, transmission and marking for that information
Security Policy:
• Describes the security configurations and technical controls that are to be implemented on computer systems by users and administrators
Administrative Security Policies and Procedures (cont’d)
Use Policy:
• Also called an acceptable use policy
• Identifies the authenticated uses of, and the penalties for misusing, organizational systems
• Identifies the standard method of installing software on organizational computers
Backup Policy:
• Describes the frequency of information backups and of moving them to off-site storage
• Identifies the length of time backups must be stored prior to reuse
Administrative Security Policies and Procedures (cont’d)
Security policies help employees perform their duties and identify the steps to respond to security incidents
The organizational security procedures are defined as follows:
Procedure for user management:
• Specifies who can authorize access to an organization's computer system
• Identifies the information the system administrator must maintain in order to identify users calling for assistance
• Defines who is responsible for informing the system administrator that an account should be terminated
Administrative Security Policies and Procedures (cont’d)
System administration procedures:
• Define the procedure for implementing security policies in an organization
• Define the procedure for managing patches and applying them to systems
Configuration management procedures:
• Define the procedures for making changes to production systems
• Changes can also include software and hardware upgrades, initializing new systems and removing systems that are no longer used
Audit Trails and Logging Policies
Audit trails maintain a record of system activities such as computer events, applications, or user activities
They help to detect security violations, performance problems and flaws
A simple auditing model consists of two parts:
• An Audit Data Collector, which collects the audit data
• An Audit Data Analyzer, which analyzes the audit data transferred to it by the Audit Data Collector
Audit Trails and Logging Policies (cont’d)
Benefits of audit trails in the area of computer security:
Individual Accountability:
• An individual's actions are tracked in the audit trail
• Users are held fully responsible for violating the security policies
Reconstructing Events:
• Audit trails are used to reconstruct events after a problem has occurred
• The extent of the damage and the reasons a problem occurred can be determined from an audit trail
Problem Monitoring:
• Audit trails can be used as online tools for problem monitoring
• This helps to detect disk failures and excessive utilization of system resources
Intrusion Detection:
• An audit trail helps in discovering the root cause of a problem and assessing the damage due to an incident
Audit Trails and Logging Policies (cont’d)
System activity is examined by checking the logs
These logs are generated by systems and major software packages
The logs produced record user activity on a system or a network
Logging policies vary according to environment
It is impossible to log every command executed on a computer system
Logging policies should define the relevant events that are to be logged
Audit Trails and Logging Policies (cont’d)
Logging policies should include security-relevant events in the logs
This preserves the forensic information needed to understand how a security violation manifested itself
Other logging policy considerations include:
• Logs should maintain auditing in a way consistent with the system that generates their entries
• Logs should provide sufficient information to support accountability and traceability for all privileged system commands
• Logs should maintain the details of user-initiated, security-relevant activities
• Logs must make it possible to rebuild production information for databases
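The two-part auditing model (Audit Data Collector and Audit Data Analyzer) and the logging-policy requirement that privileged commands and security-relevant user activity be traceable are illustrated together in this added example. It is not code from the module or from EC-Council: the log lines are constructed syslog-style samples, and the `collect` / `analyze` functions, the line format and the detection thresholds are assumptions chosen for illustration.

```python
"""Audit Data Collector / Audit Data Analyzer model from the module.
Added example with constructed log lines; functions and format are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (syslog-like); not from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd: Failed password for root from 10.0.0.5
2024-03-01T09:00:03 host1 sshd: Failed password for root from 10.0.0.5
2024-03-01T09:00:05 host1 sshd: Failed password for root from 10.0.0.5
2024-03-01T09:00:07 host1 sshd: Failed password for root from 10.0.0.5
2024-03-01T09:05:00 host1 sshd: Accepted password for alice from 10.0.0.7
2024-03-01T09:06:10 host1 sudo: alice : COMMAND=/usr/sbin/useradd bob
2024-03-01T09:06:12 host1 useradd: new user: name=bob
2024-03-01T09:07:00 host1 sudo: alice : COMMAND=/bin/cat /etc/shadow
"""

# <timestamp> <host> <source>: <message>
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
SUDO_RE = re.compile(r"(\S+) : COMMAND=(.*)")


def collect(raw):
    """Audit Data Collector: normalise each raw line into an event record."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the format are dropped here
        ts, host, source, msg = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "source": source, "msg": msg})
    return events


def analyze(events, fail_threshold=3, window_s=60):
    """Audit Data Analyzer: apply logging-policy rules and return findings.

    Rules (assumed for this example):
      - N failed logons for one account from one source within window_s
      - every privileged (sudo) command, with the accountable user
      - every account change recorded by useradd
    """
    findings = []
    fails = defaultdict(list)  # (host, user, source ip) -> failure timestamps
    for e in events:
        m = FAILED_RE.match(e["msg"])
        if m:
            key = (e["host"], m.group(1), m.group(2))
            fails[key].append(e["time"])
            recent = [t for t in fails[key]
                      if (e["time"] - t).total_seconds() <= window_s]
            if len(recent) == fail_threshold:  # report once per burst
                findings.append(("auth_failure_burst", e["host"],
                                 m.group(1), m.group(2)))
        m = SUDO_RE.match(e["msg"])
        if e["source"] == "sudo" and m:
            # Accountability: the command is tied to the user who ran it
            findings.append(("privileged_command", e["host"],
                             m.group(1), m.group(2)))
        if e["source"] == "useradd":
            findings.append(("account_change", e["host"], e["msg"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(collect(SAMPLE_LOG)):
        print(finding)
```

Keeping the collector and the analyzer separate, as the slide's model does, lets the collection format be fixed by policy while the analysis rules change as the environment does; the analyzer here never needs to re-read the raw lines.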
Documentation Policy
Documentation policy determines the documentation needs of an organization, such as network and server documentation
Network documentation covers which switch ports are connected to which rooms and computers
Server documentation covers configuration information and running services
Both the server and network documentation policies define:
• Who has the authority to access, read and change the network or server documentation
• The authorized person to be notified about changes made to the network or server
Documentation Policy (cont’d)
In server documentation, the following items are to be documented and reviewed:
• Name, location, and function of the server
• Hardware components of the system
• List of software running on the server
• Configuration information about the server
• Types of data and the owners of the data stored on the server
• Data on the server that is to be backed up
• Users or groups having access to the data stored on the server, and their authentication process and protocols
• Administrators on the server and their authentication process and protocols
• Data and authentication encryption requirements
• Users accessing data from remote locations
• Administrators administering the server from remote locations
Documentation Policy (cont’d)
Things to be documented in network documentation are as follows:
• Locations and IP addresses of all hubs, switches, routers, and firewalls on the network
• Various security zones on the network and the devices that control access between them
• Locations of every network drop and the associated switch and port on the switch supplying that connection
• Interrelationship between all network devices, showing the lines running between them
• All subnets on the network and their relationships
• All wide area network (WAN) or metropolitan area network (MAN) connections
• Network device configuration information
• DHCP server settings
Evidence Collection and Preservation Policies
Evidence collection policies are required whenever a security incident occurs
A security incident is defined as an event where the security policy is breached
Guiding principles of evidence collection:
• Engage law enforcement personnel as required by your site's security policy
• Make a note of the times and dates
• Be prepared to be a witness, outlining all the actions taken along with their times
• Do not minimize or update the collected data
• Analysis of the data should be done after collection
• Adopt a methodical approach
Evidence Collection and Preservation Policies (cont’d)
Steps involved in evidence collection:
• List the systems from which evidence is to be collected
• Find the data which is relevant and acceptable
• Determine the order of volatility for every system
• Note the level of the system's clock drift
• Consider what further evidence might be obtained from the collected data
• Maintain clear documentation of every step
• Note the witnesses and the people involved in the incident
Evidence Collection and Preservation Policies (cont’d)
Steps involved in preserving the evidence:
• Evidence collected should be secured properly and the chain of custody should be documented
• Use common storage media rather than obscure storage media
• Access to the evidence is to be restricted
• Document the following details:
  • Where, when and by whom the evidence was discovered
  • Where, when and by whom the evidence was handled or examined
  • Where the evidence was stored
  • Where and when the shipment of evidence occurred
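The collection steps (order of volatility, clock drift) and the preservation steps (integrity, chain of custody with where/when/by whom) can be carried by one small record. The following is an added example, not the module's or EC-Council's code: the `EvidenceItem` class, the `plan_collection` helper, the volatility ranking and the scenario data are assumptions constructed for illustration.

```python
"""Evidence collection and preservation record: order-of-volatility ordering,
clock-drift note, SHA-256 integrity hash and an append-only chain of custody.
Added example; class, helper and scenario data are assumptions."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed order of volatility, most volatile first, used to sequence collection.
VOLATILITY_ORDER = ["registers_cache", "memory", "network_state", "processes",
                    "disk", "removable_media", "backups"]


def plan_collection(sources):
    """Sort requested evidence sources most-volatile-first; unknown kinds go last."""
    rank = {kind: i for i, kind in enumerate(VOLATILITY_ORDER)}
    return sorted(sources, key=lambda s: rank.get(s, len(VOLATILITY_ORDER)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    ACTIONS = {"discovered", "handled", "examined", "stored", "shipped"}

    def __init__(self, item_id, data, kind, system, system_clock, reference_clock):
        self.item_id = item_id
        self.kind = kind
        self.system = system
        self.hash = sha256_hex(data)          # integrity reference taken at collection
        # Clock drift of the source system against a trusted reference clock.
        self.clock_drift_s = (system_clock - reference_clock).total_seconds()
        self.custody = []                     # append-only chain-of-custody entries

    def record(self, action, who, where, when):
        """Append a where/when/by-whom entry for one custody event."""
        if action not in self.ACTIONS:
            raise ValueError(f"unknown custody action: {action}")
        self.custody.append({"action": action, "who": who, "where": where,
                             "when": when.isoformat()})

    def verify(self, data: bytes) -> bool:
        """Re-hash a working copy to confirm the evidence was not modified."""
        return sha256_hex(data) == self.hash

    def report(self) -> str:
        return json.dumps({"id": self.item_id, "kind": self.kind,
                           "system": self.system, "sha256": self.hash,
                           "clock_drift_s": self.clock_drift_s,
                           "custody": self.custody}, indent=2)


def build_sample_record():
    """Constructed scenario: one memory image from host1, handled by two analysts."""
    ref = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    image = b"constructed memory image bytes"          # stands in for a real capture
    item = EvidenceItem("EV-001", image, "memory", "host1",
                        system_clock=ref + timedelta(seconds=42),
                        reference_clock=ref)
    item.record("discovered", "analyst-a", "host1 console", ref)
    item.record("stored", "analyst-a", "evidence locker 3", ref + timedelta(minutes=30))
    item.record("examined", "analyst-b", "forensic lab", ref + timedelta(hours=2))
    return item, image


if __name__ == "__main__":
    print(plan_collection(["disk", "memory", "backups", "network_state"]))
    record, working_copy = build_sample_record()
    print(record.report())
    print("intact:", record.verify(working_copy))
```

Recording the drift rather than silently correcting timestamps keeps the original evidence untouched, which is what the "do not update the collected data" principle requires; the correction can be applied during analysis with the drift value in the record.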
Information Security Policy
Information security policies strengthen the security of information resources
They lay the foundation for information security within an organization
The goals of an information security policy are to:
• Define the integrity, confidentiality, and availability requirements for the information being used
• Ensure that these requirements are effectively communicated to the individuals who interact with the information
• Use, manage, and distribute such information in a way consistent with these requirements
Information Security Policy (cont’d)
Information security is achieved through security practices such as managing vulnerable points and securing system files
In the case of applications, information security is applied to data input and output by encoding information using electronic keys
The security requirements of information systems are as follows:
• Identification of security controls
• Input data validation
• Control of internal processing
• Message integrity
• Output data validation
• Cryptographic controls use policy
• Key management
• Operational software control
• System test data protection
• Access control to program source code
• Security in development and support processes
• Vulnerability management
National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy
NIACAP establishes a standard national process, set of activities, general tasks, and management structure
It certifies and accredits systems that maintain the information assurance and security posture of a system
This process fulfils the requirements of documented security
The accredited security posture is maintained throughout the system life cycle
The process incorporates existing system certifications and product evaluations
Process users must align the process with their program strategies and incorporate its activities into their enterprise system life cycle
National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy (cont’d)
Agreement between the IS program manager, Designated Approving Authority (DAA), certification agent (certifier), and user representative is the main aspect of NIACAP
Critical schedule, budget, security, functionality, and performance issues are determined by these individuals
System Security Authorization Agreement (SSAA) contains the documentation of NIACAP agreements
The results of Certification and Accreditation (C&A) are documented using SSAA
The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before the system development begins or changes to
Personnel Security Policies & Guidance
Personnel security policies include the safety measures to be taken regarding company employees
They also cover individuals visiting the premises for business purposes
Managers should implement the personnel security policies to:
• Ensure the trustworthiness of the people in posts that require access to official information
• Protect the official information before granting them access
• Provide the terms and conditions to employees accessing the official information
Personnel Security Policies & Guidance (cont’d)
Elements of personnel security:
Personnel screening:
• A pre-employment check carried out while recruiting employees, which involves a background check on the employee
• This is done because the employee is given access to official information
• While recruiting an employee for a permanent staff position, he must be checked for:
  • Satisfactory character referees
  • Accuracy of the curriculum vitae and qualifications
• Before appointing an employee, verify his identity and character through referees and request a criminal background check report from the police
• Similarly, an employee being recruited for a temporary staff position can be checked through an agency
Personnel Security Policies & Guidance (cont’d)
Granting access:
• The authority given to access official information
• Chief executives should grant permanent staff access to official information after verifying their credentials through:
  • Pre-employment checks
  • Periodic reviews
  • Approval procedures
  • Sound terms & conditions of employment
• Avoid granting access to the most sensitive sites where there is a chance of indirect exposure by staff or visitors
• Individuals granted access must be issued a pass, access card or identity card
• A further basic check can be done, after the pre-employment check, on staff or contractors who need frequent access to sensitive sites
Summary
Access control policy is a permission for a user to perform a set of actions on a set of resources
Administrative security practices describe the resources needed to achieve risk management
Backup policy describes the frequency of information backups and of moving them to off-site storage
Audit trails maintain a record of system activities such as computer events, applications, or user activities
Documentation policy determines the requirements for documentation such as networks and servers
Information security policies strengthen the security of information resources