FIREWALLS & NETWORK SECURITY with Intrusion Detection …people.ysu.edu/~mawelton/CSIS3755/CSIS 3755...

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed. Chapter 3 Security Policies, Standards, and Planning

Page 1: FIREWALLS & NETWORK SECURITY with Intrusion Detection …people.ysu.edu/~mawelton/CSIS3755/CSIS 3755 - Chapter 3.pdf · FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs,

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.

Chapter 3: Security Policies, Standards, and Planning

Learning Objectives

Upon completion of this material, you should be able to:

– Define management's role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines

– Describe an information security blueprint, identify its major components, and explain how it is used to support a network security program

– Discuss how an organization institutionalizes policies, standards, and practices using education, training, and awareness programs

– Explain contingency planning and describe the relationships among incident response planning, disaster recovery planning, business continuity planning, and contingency planning

Slide 2 Firewalls & Network Security, 2nd ed. - Chapter 3

Introduction

To secure its network environment, an organization must establish a functional and well-designed information security program

The information security program begins with the creation or review of the organization's information security policies, standards, and practices

Selection or creation of an information security architecture, together with the development and use of a detailed information security blueprint, creates a plan for future success

Without policy, blueprints, and planning, the organization's security needs will not be met

Information Security Policy, Standards, and Practices

Management must consider policies as basis for all information security efforts

Policies direct how issues should be addressed and technologies used

Security policies are the least expensive control to execute but the most difficult to implement

Shaping policy is difficult because policy must:

– Never conflict with laws

– Stand up in court, if challenged

– Be properly administered through dissemination and documented acceptance

Information Security Policy, Standards, and Practices (continued)

For a policy to be considered effective and legally enforceable:

– Dissemination (distribution): organization must be able to demonstrate that the relevant policy has been made readily available for review by employees

– Review (reading): organization must be able to demonstrate that it disseminated the document in intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees

Information Security Policy, Standards, and Practices (continued)

For a policy to be considered effective and legally enforceable (continued):

– Comprehension (understanding): organization must be able to demonstrate that employees understand the requirements and content of the policy

– Compliance (agreement): organization must be able to demonstrate that employees agree to comply with the policy through act or affirmation

– Uniform enforcement: organization must be able to demonstrate that the policy has been uniformly enforced

Definitions

Policy is a set of guidelines or instructions that an organization's senior management implements to regulate the activities of members of the organization who make decisions, take actions, and perform other duties

Policies are organizational laws

Standards, on the other hand, are more detailed statements of what must be done to comply with policy

Practices, procedures, and guidelines effectively explain how to comply with policy

Figure 3-1 Policies, Standards, & Practices

Enterprise Information Security Policy (EISP)

EISP is also known as general security policy, IT security policy, or information security policy

Sets strategic direction, scope, and tone for all security efforts within the organization

Executive-level document, usually drafted by or with the CIO of the organization and usually 2 to 10 pages long

Enterprise Information Security Policy (EISP) (continued)

Typically addresses compliance in two areas:

– General compliance to ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components

– Use of specified penalties and disciplinary action

Enterprise Information Security Policy (EISP) Elements

Overview of corporate philosophy on security

Information on structure of information security organization and individuals who fulfill the information security role

Fully articulated security responsibilities that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)

Fully articulated security responsibilities that are unique to each role within the organization

Issue-Specific Security Policy (ISSP)

Guidelines needed to use various technologies and processes properly

The ISSP:

– Addresses specific areas of technology

– Requires frequent updates

– Contains issue statement on the organization's position on an issue

Three approaches:

– Create several independent ISSP documents

– Create a single comprehensive ISSP document

– Create a modular ISSP document

Components of An Effective ISSP

1. Statement of policy
   a. Scope and applicability
   b. Definition of technology addressed
   c. Responsibilities

2. Authorized access and usage
   a. User access
   b. Fair and responsible use
   c. Protection of privacy

3. Prohibited usage
   a. Disruptive use or misuse
   b. Criminal use
   c. Offensive or harassing materials
   d. Copyrighted, licensed, or other intellectual property
   e. Other restrictions

4. Systems management
   a. Management of stored materials
   b. Employer monitoring
   c. Virus protection
   d. Physical security
   e. Encryption

5. Violations of policy
   a. Procedures for reporting violations
   b. Penalties for violations

6. Policy review and modification
   a. Scheduled review of policy and procedures for modification

7. Limitations of liability
   a. Statements of liability or disclaimers

Systems-Specific Policy (SysSP)

SysSPs frequently codified as standards and procedures used when configuring or maintaining systems

SysSPs fall into two groups:

– Managerial guidance SysSPs: created by management to guide implementation and configuration of technology as well as to regulate behavior of people in the organization

– Technical specifications SysSPs: technical policy or set of configurations to implement managerial policy

Systems-Specific Policy (SysSP) (continued)

Technical SysSPs are further divided into:

– Access control lists (ACLs): the access control lists, access control matrices, and capability tables governing the rights and privileges of a particular user to a particular system

– Configuration rule policies comprise specific configuration codes entered into security systems to guide execution of the system
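The slide names three representations of the same access rights: the access control matrix, per-object ACLs, and per-subject capability tables. This added Python example (not from the textbook; subjects, objects, and rights are constructed sample values) derives the ACL and capability views from one matrix, checks that all three views decide every request identically with deny-by-default, and goes one step beyond the slide by showing how the cost of revoking an object or a subject differs between the two derived views.

```python
"""Access control matrix, ACLs, and capability tables as three views of one policy.

All subjects, objects, and rights below are constructed sample data.
"""
from typing import Dict, FrozenSet

Rights = FrozenSet[str]
Matrix = Dict[str, Dict[str, Rights]]   # subject -> object -> rights

# Constructed access control matrix (rows = subjects, columns = objects).
MATRIX: Matrix = {
    "alice": {"payroll.db": frozenset({"read", "write"}), "fw-config": frozenset()},
    "bob":   {"payroll.db": frozenset({"read"}),          "fw-config": frozenset({"read", "write"})},
    "guest": {"payroll.db": frozenset(),                  "fw-config": frozenset()},
}

CHECKED_RIGHTS = ("read", "write", "execute")


def matrix_to_acls(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Per-object view (column of the matrix): object -> subject -> rights.
    Empty right sets are dropped, so an absent entry means 'no access'."""
    acls: Dict[str, Dict[str, Rights]] = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})
            if rights:
                acls[obj][subject] = rights
    return acls


def matrix_to_capabilities(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Per-subject view (row of the matrix): subject -> object -> rights."""
    return {s: {o: r for o, r in row.items() if r} for s, row in matrix.items()}


def acl_permits(acls, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check against the ACL view; anything not listed is denied."""
    return right in acls.get(obj, {}).get(subject, frozenset())


def cap_permits(caps, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check against the capability view; deny by default."""
    return right in caps.get(subject, {}).get(obj, frozenset())


def views_agree(matrix: Matrix) -> bool:
    """True if matrix, ACL and capability views give the same answer for every
    (subject, object, right) triple, including rights the matrix never grants."""
    acls = matrix_to_acls(matrix)
    caps = matrix_to_capabilities(matrix)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            for right in CHECKED_RIGHTS:
                expected = right in rights
                if acl_permits(acls, subject, obj, right) != expected:
                    return False
                if cap_permits(caps, subject, obj, right) != expected:
                    return False
    return True


def revoke_object(acls, caps, obj: str) -> int:
    """Retire an object: one deletion in the ACL view, but every subject's
    capability table must be scanned. Returns the number of tables touched."""
    acls.pop(obj, None)
    touched = 0
    for table in caps.values():
        if table.pop(obj, None) is not None:
            touched += 1
    return touched


def revoke_subject(acls, caps, subject: str) -> int:
    """Offboard a subject: one deletion in the capability view, but every
    object's ACL must be scanned. Returns the number of ACLs touched."""
    caps.pop(subject, None)
    touched = 0
    for entry in acls.values():
        if entry.pop(subject, None) is not None:
            touched += 1
    return touched


if __name__ == "__main__":
    acls = matrix_to_acls(MATRIX)
    caps = matrix_to_capabilities(MATRIX)
    print("views agree:", views_agree(MATRIX))
    print("bob may write fw-config:", acl_permits(acls, "bob", "fw-config", "write"))
    print("guest may read payroll.db:", cap_permits(caps, "guest", "payroll.db", "read"))
    print("tables touched retiring payroll.db:", revoke_object(acls, caps, "payroll.db"))
```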

Policy Management

Policies are living documents that must be managed and are constantly changing

Special considerations should be made for organizations undergoing mergers, takeovers, and partnerships

To remain viable, security policies must have:

– An individual responsible for reviews

– A schedule of reviews

– A specific policy issuance and revision date

Frameworks and Industry Standards

With general idea of vulnerabilities in IT systems, security team develops security blueprint, which is used to implement security program

Security blueprint is basis for design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of security program

Frameworks and Industry Standards (continued)

Security framework is outline of overall information security strategy and roadmap for planned changes to the organization's information security environment

Number of published information security frameworks, including ones from government sources

Because each information security environment is unique, security team may need to modify or adapt pieces from several frameworks

ISO 27000 Series

One of the most widely referenced security models is Information Technology – Code of Practice for Information Security Management, originally published as British Standard 7799

This Code of Practice was adopted as international standard ISO/IEC 17799 in 2000 and renumbered to ISO/IEC 27002 in 2007

Stated purpose of ISO/IEC 27002 is to “give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization”

ISO 27000 Series Current and Planned Standards

Figure 3-2 BS7799:2

NIST Security Models

Another approach available is described in documents available from csrc.nist.gov:

– SP 800-12: An Introduction to Computer Security: The NIST Handbook

– SP 800-14: Generally Accepted Security Principles and Practices for Securing Information Technology Systems

– SP 800-18 Rev 1: The Guide for Developing Security Plans for Federal Information Systems

– SP 800-26: Security Self-Assessment Guide for Information Technology Systems

– SP 800-30: Risk Management for Information Technology Systems

IETF Security Architecture

While no specific architecture is promoted through the Internet Engineering Task Force, the Security Area Working Group acts as an advisory board for protocols and areas developed and promoted through the Internet Society

RFC 2196: Site Security Handbook provides an overview of five basic areas of security with detailed discussions on development and implementation

It includes chapters on such important topics as security policies, security technical architecture, security services, and security incident handling

Benchmarking and Best Practices

Benchmarking and best practices are reliable methods used by some organizations to assess security practices

Possible to gain information by benchmarking and using best practices and thus work backwards to effective design

Federal Agency Security Practices Site (fasp.nist.gov) designed to provide best practices for public agencies and is adapted easily to private organizations

Figure 3-4 Spheres of Security

Design of Security Architecture

Defense in depth

– One of the foundations of security architectures is requirement to implement security in layers

– Requires that the organization establish sufficient security controls and safeguards so an intruder faces multiple layers of controls

Security perimeter

– Point at which an organization's security protection ends and the outside world begins

– Unfortunately, perimeter does not apply to internal attacks from employee threats or on-site physical threats

Security Education, Training, and Awareness

As soon as policies exist, policies to implement security education, training, and awareness (SETA) should follow

SETA is a control measure designed to reduce accidental security breaches

SETA programs supplement general education and training programs to educate staff on information security

Security education and training builds on general knowledge that employees must possess to do their jobs, familiarizing them with the way to do their jobs securely

SETA Elements

SETA program consists of three elements:

– Security education

– Security training

– Security awareness

Organization may not be capable or willing to undertake all elements but may outsource them

Purpose of SETA is to enhance security by:

– Improving awareness of the need to protect system resources

– Developing skills and knowledge so computer users can perform their jobs more securely

– Building in-depth knowledge, as needed, to design, implement, operate security programs

Table 3-6 Comparative SETA Framework

Security Education

Everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security

When formal education for appropriate individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education

A number of universities have formal coursework in information security

– (See, for example, http://infosec.kennesaw.edu)

Security Training

Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely

Management of information security can develop customized in-house training or outsource the training program

Security Awareness

One of the least frequently implemented but most beneficial programs is the security awareness program

Designed to keep information security at the forefront of users' minds

Need not be complicated or expensive

If program is not actively implemented, employees begin to 'tune out,' and the risk of employee accidents and failures increases

Continuity Strategies

Managers must provide strategic planning to assure continuous information systems availability when an attack occurs

Plans for events of this type are referred to in a number of ways:

– Business continuity plans (BCPs)

– Disaster recovery plans (DRPs)

– Incident response plans (IRPs)

– Contingency plans

Large organizations may have many types of plans and small organizations may have one simple plan, but most have inadequate planning

Contingency Planning

Contingency Planning (CP) comprises:

– Incident response planning (IRP)

– Disaster recovery planning (DRP)

– Business continuity planning (BCP)

Primary functions of these three types:

– IRP focuses on immediate response, but if attack escalates or is disastrous, the process changes to disaster recovery and BCP

– DRP typically focuses on restoring operations at primary site after disasters occur, and, as such, is closely associated with BCP

– BCP occurs concurrently with DRP when damage is major or long term, requiring establishment of operations at alternate site

Figure 3-9 Contingency Planning Timeline

Contingency Planning Team

Before any planning begins, a team has to plan the effort and prepare resulting documents

Champion: high-level manager to support, promote, and endorse findings of the project

Project manager: leads project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed

Team members: should be managers or their representatives from various communities of interest (business, IT, and information security)

Figure 3-10 Major Steps in Contingency Planning

Business Impact Analysis

Begin with business impact analysis (BIA)

– If the attack succeeds, what do we do then?

CP team conducts BIA in the following stages:

– Threat attack identification

– Business unit analysis

– Attack success scenarios

– Potential damage assessment

– Subordinate plan classification

Threat Attack Identification and Prioritization

Update threat list with latest developments and add the attack profile

Attack profile is the detailed description of activities during an attack

Must be developed for every serious threat the organization faces

Used to determine the extent of damage that could result to business unit if attack were successful

Table 3-7 Attack Profile

Business Unit Analysis

Second major task within the BIA is analysis and prioritization of business functions within the organization

Identify functional areas of the organization and prioritize them as to which are most vital

Focus on prioritized list of various functions that the organization performs

Attack Success Scenario Development

Next, create series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area with:

– Details on method of attack

– Indicators of attack

– Broad consequences

Attack success scenario details are added to attack profile, including best, worst, and most likely outcomes

Potential Damage Assessment

From previously developed attack success scenarios, BIA planning team must estimate cost of best, worst, and most likely cases

Costs include actions of response team

This final result is referred to as an attack scenario end case

Subordinate Plan Classification

Once potential damage has been assessed, subordinate plan must be developed or identified

Subordinate plans will take into account identification of, reaction to, and recovery from each attack scenario

Each attack scenario end case is categorized as disastrous or not

Qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack

Incident Response Planning

Incident response planning covers identification of, classification of, and response to an incident

Incident is attack against an information asset that poses clear threat to the confidentiality, integrity, or availability of information resources

Attacks are only classified as incidents if they have the following characteristics:

– Are directed against information assets

– Have a realistic chance of success

– Could threaten the confidentiality, integrity, or availability of information resources

IR is more reactive than proactive, with exception of planning and preparation of IR teams

Incident Planning

Predefined responses enable organization to react quickly and effectively to detected incident

This assumes the organization has an IR team and can detect the incident

IR team consists of those individuals needed to handle systems as incident takes place

IR consists of the following four phases:

– Planning

– Detection

– Reaction

– Recovery

Incident or Disaster

When does an incident become a disaster?

– The organization is unable to mitigate the impact of an incident during the incident

– The level of damage or destruction is so severe that the organization is unable to quickly recover

Difference may be subtle

Up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response

Disaster Recovery Planning

Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster

Contingency planning team must decide which actions constitute disasters and which constitute incidents

When situations are classified as disasters, plans change as to how to respond; take action to secure the system's most valuable assets to preserve value for the longer term, even at the risk of more disruption in the immediate term

DRP strives to reestablish operations at the 'primary' site

DRP Steps

There must be a clear establishment of priorities

There must be a clear delegation of roles and responsibilities

Someone must initiate the alert roster and notify key personnel

Someone must be tasked with the documentation of the disaster

If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization

Crisis Management

Crisis management occurs during and after a disaster and focuses on the people involved and addressing the viability of the business

Crisis management team responsible for managing event from enterprise perspective by:

– Supporting personnel and families during crisis

– Determining impact on business operations and, if necessary, making disaster declaration

– Keeping public informed

– Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, media, other interested parties

Business Continuity Planning

Business continuity planning outlines reestablishment of critical business operations during a disaster that impacts operations

If disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function

BCP is somewhat simpler than an IRP or DRP

Consists primarily of selecting continuity strategy and integrating off-site data storage and recovery functions into this strategy

Summary

To effectively secure networks, an organization must establish functional, well-designed information security program

Information security program creation requires information security policies, standards, and practices; an information security architecture; and a detailed information security blueprint

Management must make policy the basis for all information security planning, design, and deployment in order to direct how issues are addressed and how technologies are used

Summary (continued)

Policy must never conflict with laws but should stand up in court if challenged

To be effective and legally enforceable, policy must be disseminated, reviewed, understood, complied with, and uniformly enforced

Information security team identifies vulnerabilities and then develops security blueprint that is used to implement security program

Summary (continued)

Security framework is outline of steps to take to design and implement information security

Purpose of security education, training, and awareness (SETA) is to enhance security by improving awareness of need to protect system resources and teaching users to perform jobs more securely, and to build knowledge to design, implement, or operate security programs

Summary (continued)

IT and InfoSec managers must assure continuous availability of information systems

Achieved with various contingency plans: incident response (IR), disaster recovery (DR), business continuity (BC)

IR plan addresses identification, classification, response, and recovery from incident

DR plan addresses preparation for and recovery from disaster

BC plan ensures that critical business functions continue if catastrophic event occurs