FIREWALLS & NETWORK SECURITY with Intrusion Detection …people.ysu.edu/~mawelton/CSIS3755/CSIS 3755...
FIREWALLS & NETWORK SECURITY with
Intrusion Detection and VPNs, 2nd ed.
Chapter 3 Security Policies, Standards, and Planning
Learning Objectives
Upon completion of this material, you should be able to:
– Define management's role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
– Describe an information security blueprint, identify its major components, and explain how it is used to support a network security program
– Discuss how an organization institutionalizes policies, standards, and practices using education, training, and awareness programs
– Explain contingency planning and describe the relationships among incident response planning, disaster recovery planning, business continuity planning, and contingency planning
Slide 2 Firewalls & Network Security, 2nd ed. - Chapter 3
Introduction
To secure its network environment, an organization must establish a functional and well-designed information security program
Information security program begins with creation or review of organization's information security policies, standards, and practices
Selection or creation of information security architecture and development and use of detailed information security blueprint will create plan for future success
Without policy, blueprints, and planning, organization's security needs will not be met
Information Security Policy, Standards, and Practices
Management must consider policies as basis for all information security efforts
Policies direct how issues should be addressed and technologies used
Security policies are the least expensive control to execute but the most difficult to implement
Shaping policy is difficult because policy must:
– Never conflict with laws
– Stand up in court, if challenged
– Be properly administered through dissemination and documented acceptance
Information Security Policy, Standards, and Practices (continued)
For a policy to be considered effective and legally enforceable:
Dissemination (distribution): organization must be able to demonstrate that relevant policy has been made readily available for review by employee
Review (reading): organization must be able to demonstrate that it disseminated document in intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees
Information Security Policy, Standards, and Practices (continued)
For a policy to be considered effective and legally enforceable: (continued)
Comprehension (understanding): organization must be able to demonstrate that employees understand requirements and content of policy
Compliance (agreement): organization must be able to demonstrate that employees agree to comply with policy through act or affirmation
Uniform enforcement: organization must be able to demonstrate policy has been uniformly enforced
Definitions
Policy is set of guidelines or instructions an organization's senior management implements to regulate activities of members of organization who make decisions, take actions, and perform other duties
Policies are organizational laws
Standards, on the other hand, are more detailed statements of what must be done to comply with policy
Practices, procedures, and guidelines effectively explain how to comply with policy
Figure 3-1 Policies, Standards, & Practices
Enterprise Information Security Policy (EISP)
EISP is also known as general security policy, IT security policy, or information security policy
Sets strategic direction, scope, and tone for all security efforts within the organization
Executive-level document, usually drafted by or with CIO of the organization and usually 2 to 10 pages long
Enterprise Information Security Policy (EISP) (continued)
Typically addresses compliance in two areas:
– General compliance to ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components
– Use of specified penalties and disciplinary action
Enterprise Information Security Policy (EISP) Elements
Overview of corporate philosophy on security
Information on structure of information security organization and individuals who fulfill the information security role
Fully articulated security responsibilities that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
Fully articulated security responsibilities that are unique to each role within the organization
Issue-Specific Security Policy (ISSP)
Guidelines needed to use various technologies and processes properly
The ISSP:
– Addresses specific areas of technology
– Requires frequent updates
– Contains issue statement on the organization's position on an issue
Three approaches:
– Create several independent ISSP documents
– Create a single comprehensive ISSP document
– Create a modular ISSP document
Components of An Effective ISSP
1. Statement of policy
a. Scope and applicability
b. Definition of technology addressed
c. Responsibilities
2. Authorized access and usage
a. User access
b. Fair and responsible use
c. Protection of privacy
3. Prohibited usage
a. Disruptive use or misuse
b. Criminal use
c. Offensive or harassing materials
d. Copyrighted, licensed, or other intellectual property
e. Other restrictions
4. Systems management
a. Management of stored materials
b. Employer monitoring
c. Virus protection
d. Physical security
e. Encryption
5. Violations of policy
a. Procedures for reporting violations
b. Penalties for violations
6. Policy review and modification
a. Scheduled review of policy and procedures for modification
7. Limitations of liability
a. Statements of liability or disclaimers
Systems-Specific Policy (SysSP)
SysSPs frequently codified as standards and procedures used when configuring or maintaining systems
SysSPs fall into two groups:
– Managerial guidance SysSPs: created by management to guide implementation and configuration of technology as well as to regulate behavior of people in the organization
– Technical specifications SysSPs: technical policy or set of configurations to implement managerial policy
Systems-Specific Policy (SysSP) (continued)
Technical SysSPs are further divided into:
– Access control lists (ACLs) consist of user access lists, matrices, and capability tables governing rights and privileges of a particular user to a particular system
– Configuration rule policies comprise specific configuration codes entered into security systems to guide execution of the system
Policy Management
Policies are living documents that must be managed and are constantly changing
Special considerations should be made for organizations undergoing mergers, takeovers, and partnerships
To remain viable, security policies must have:
– An individual responsible for reviews
– A schedule of reviews
– A specific policy issuance and revision date
Frameworks and Industry Standards
With general idea of vulnerabilities in IT systems, security team develops security blueprint, which is used to implement security program
Security blueprint is basis for design, selection, and implementation of all security program elements including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of security program
Frameworks and Industry Standards (continued)
Security framework is outline of overall information security strategy and roadmap for planned changes to the organization's information security environment
Number of published information security frameworks, including ones from government sources
Because each information security environment is unique, security team may need to modify or adapt pieces from several frameworks
ISO 27000 Series
One of the most widely referenced security models is Information Technology – Code of Practice for Information Security Management, originally published as British Standard 7799
This Code of Practice was adopted as international standard ISO/IEC 17799 in 2000 and renumbered to ISO/IEC 27002 in 2007
Stated purpose of ISO/IEC 27002 is to “give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization”
ISO 27000 Series Current and Planned Standards
Figure 3-2 BS7799:2
NIST Security Models
Another approach available is described in documents available from csrc.nist.gov:
– SP 800-12: An Introduction to Computer Security: The NIST Handbook
– SP 800-14: Generally Accepted Security Principles and Practices for Securing Information Technology Systems
– SP 800-18 Rev 1: The Guide for Developing Security Plans for Federal Information Systems
– SP 800-26: Security Self-Assessment Guide for Information Technology Systems
– SP 800-30: Risk Management for Information Technology Systems
IETF Security Architecture
While no specific architecture is promoted through the Internet Engineering Task Force, Security Area Working Group acts as advisory board for protocols and areas developed and promoted through the Internet Society
RFC 2196: Site Security Handbook provides an overview of five basic areas of security with detailed discussions on development and implementation
Chapters on such important topics as security policies, security technical architecture, security services, and security incident handling
Benchmarking and Best Practices
Benchmarking and best practices are reliable methods used by some organizations to assess security practices
Possible to gain information by benchmarking and using best practices and thus work backwards to effective design
Federal Agency Security Practices Site (fasp.nist.gov) designed to provide best practices for public agencies and is adapted easily to private organizations
Figure 3-4 Spheres of Security
Design of Security Architecture
Defense in depth
– One of the foundations of security architectures is requirement to implement security in layers
– Requires that the organization establish sufficient security controls and safeguards so an intruder faces multiple layers of controls
Security perimeter
– Point at which an organization's security protection ends and the outside world begins
– Unfortunately, perimeter does not apply to internal attacks from employee threats or on-site physical threats
Security Education, Training, and Awareness
As soon as policies exist, policies to implement security education, training, and awareness (SETA) should follow
SETA is a control measure designed to reduce accidental security breaches
Supplement general education and training programs to educate staff on information security
Security education and training builds on general knowledge that employees must possess to do their jobs, familiarizing them with the way to do their jobs securely
SETA Elements
SETA program consists of three elements:
– Security education
– Security training
– Security awareness
Organization may not be capable or willing to undertake all elements but may outsource them
Purpose of SETA is to enhance security by:
– Improving awareness of the need to protect system resources
– Developing skills and knowledge so computer users can perform their jobs more securely
– Building in-depth knowledge, as needed, to design, implement, operate security programs
Table 3-6 Comparative SETA Framework
Security Education
Everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security
When formal education for appropriate individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education
A number of universities have formal coursework in information security
– (See, for example, http://infosec.kennesaw.edu)
Security Training
Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
Management of information security can develop customized in-house training or outsource the training program
Security Awareness
One of the least frequently implemented but most beneficial programs is the security awareness program
Designed to keep information security at forefront of users' minds
Need not be complicated or expensive
If program is not actively implemented, employees begin to 'tune out,' and the risk of employee accidents and failures increases
Continuity Strategies
Managers must provide strategic planning to assure continuous information systems availability when an attack occurs
Plans for events of this type are referred to in a number of ways:
– Business continuity plans (BCPs)
– Disaster recovery plans (DRPs)
– Incident response plans (IRPs)
– Contingency plans
Large organizations may have many types of plans and small organizations may have one simple plan, but most have inadequate planning
Contingency Planning
Contingency Planning (CP):
– Incident response planning (IRP)
– Disaster recovery planning (DRP)
– Business continuity planning (BCP)
Primary functions of these three types:
– IRP focuses on immediate response, but if attack escalates or is disastrous, the process changes to disaster recovery and BCP
– DRP typically focuses on restoring operations at primary site after disasters occur, and, as such, is closely associated with BCP
– BCP occurs concurrently with DRP when damage is major or long term, requiring establishment of operations at alternate site
Figure 3-9 Contingency Planning Timeline
Contingency Planning Team
Before any planning begins, a team has to plan the effort and prepare resulting documents
Champion: high-level manager to support, promote, and endorse findings of the project
Project manager: leads project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
Team members: should be managers or their representatives from various communities of interest (business, IT, and information security)
Figure 3-10 Major Steps in Contingency Planning
Business Impact Analysis
Begin with business impact analysis (BIA)
– If the attack succeeds, what do we do then?
CP team conducts BIA in the following stages:
– Threat attack identification
– Business unit analysis
– Attack success scenarios
– Potential damage assessment
– Subordinate plan classification
Threat Attack Identification and Prioritization
Update threat list with latest developments and add the attack profile
Attack profile is the detailed description of activities during an attack
Must be developed for every serious threat the organization faces
Used to determine the extent of damage that could result to business unit if attack were successful
Table 3-7 Attack Profile
Business Unit Analysis
Second major task within the BIA is analysis and prioritization of business functions within the organization
Identify functional areas of the organization and prioritize them as to which are most vital
Focus on prioritized list of various functions that the organization performs
Attack Success Scenario Development
Next, create series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area with:
– Details on method of attack
– Indicators of attack
– Broad consequences
Attack success scenario details are added to attack profile, including best, worst, and most likely outcomes
Potential Damage Assessment
From previously developed attack success scenarios, BIA planning team must estimate cost of best, worst, and most likely cases
Costs include actions of response team
This final result is referred to as an attack scenario end case
Subordinate Plan Classification
Once potential damage has been assessed, subordinate plan must be developed or identified
Subordinate plans will take into account identification of, reaction to, and recovery from each attack scenario
Each attack scenario end case is categorized as disastrous or not
Qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack
Incident Response Planning
Incident response planning covers identification of, classification of, and response to an incident
Incident is attack against an information asset that poses clear threat to the confidentiality, integrity, or availability of information resources
Attacks are only classified as incidents if they have the following characteristics:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten the confidentiality, integrity, or availability of information resources
IR is more reactive than proactive, with exception of planning and preparation of IR teams
Incident Planning
Predefined responses enable organization to react quickly and effectively to detected incident
This assumes the organization has an IR team and can detect the incident
IR team consists of those individuals needed to handle systems as incident takes place
IR consists of the following four phases:
– Planning
– Detection
– Reaction
– Recovery
Incident or Disaster
When does an incident become a disaster?
– The organization is unable to mitigate the impact of an incident during the incident
– The level of damage or destruction is so severe that the organization is unable to quickly recover
Difference may be subtle
Up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response
Disaster Recovery Planning
Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster
Contingency planning team must decide which actions constitute disasters and which constitute incidents
When situations are classified as disasters, plans change as to how to respond; take action to secure the system's most valuable assets to preserve value for the longer term even at the risk of more disruption in the immediate term
DRP strives to reestablish operations at the 'primary' site
DRP Steps
There must be a clear establishment of priorities
There must be a clear delegation of roles and responsibilities
Someone must initiate the alert roster and notify key personnel
Someone must be tasked with the documentation of the disaster
If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization
Crisis Management
Crisis management occurs during and after a disaster and focuses on the people involved and addressing the viability of the business
Crisis management team responsible for managing event from enterprise perspective by:
– Supporting personnel and families during crisis
– Determining impact on business operations and, if necessary, making disaster declaration
– Keeping public informed
– Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, media, other interested parties
Business Continuity Planning
Business continuity planning outlines reestablishment of critical business operations during a disaster that impacts operations
If disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function
BCP is somewhat simpler than an IRP or DRP
Consists primarily of selecting continuity strategy and integrating off-site data storage and recovery functions into this strategy
Summary
To effectively secure networks, an organization must establish functional, well-designed information security program
Information security program creation requires information security policies, standards, and practices; an information security architecture; and a detailed information security blueprint
Management must make policy the basis for all information security planning, design, and deployment in order to direct how issues are addressed and how technologies are used
Summary (continued)
Policy must never conflict with laws but should stand up in court if challenged
To be effective and legally enforceable, policy must be disseminated, reviewed, understood, complied with, and uniformly enforced
Information security team identifies vulnerabilities and then develops security blueprint that is used to implement security program
Summary (continued)
Security framework is outline of steps to take to design and implement information security
Purpose of security education, training, and awareness (SETA) is to enhance security by improving awareness of need to protect system resources and teaching users to perform jobs more securely, and to build knowledge to design, implement, or operate security programs
Summary (continued)
IT and InfoSec managers must assure continuous availability of information systems
Achieved with various contingency plans: incident response (IR), disaster recovery (DR), business continuity (BC)
IR plan addresses identification, classification, response, and recovery from incident
DR plan addresses preparation for and recovery from disaster
BC plan ensures that critical business functions continue if catastrophic event occurs