Successful Security Infrastructure

  • 8/6/2019 Successful Security Infrastructure

    How To Build A Successful Security Infrastructure

    Section Three: Policies and Procedures
      • Trust Models
      • Security Policy Basics
      • Policy Design Process
      • Key Security Policies
      • Key Security Procedures

    Security Policies - Why use them?
      • Without security policies, you have no general security framework.
      • Policies define what behavior is and is not allowed.
      • Policies will often set the stage in terms of what tools and procedures are needed for the organization.
      • Policies communicate consensus among a group of governing people.
      • Computer security is now a global issue and computing sites are expected to follow the good neighbor philosophy.

    Who and What to Trust
      • Trust is a major principle underlying the development of security policies.
      • Initial step is to determine who gets access.
          • use principle of least access
      • Deciding on level of trust is a delicate balancing act.
          • too much -> eventual security problems
          • too little -> difficult to find and keep satisfied employees
      • How much should you trust resources?
      • How much should you trust people?

    Possible Trust Models
      • Trust everyone all of the time
          • easiest to enforce, but impractical
          • one bad apple can ruin the whole barrel
      • Trust no one at no time
          • most restrictive, but also impractical
          • impossible to find employees to work under such conditions
      • Trust some people some of the time
          • exercise caution in amount of trust placed in employees
          • access is given out as needed
          • technical controls are needed to ensure trust is not violated

    Who Should be Concerned?
      • Users - policies will affect them the most.
      • System support personnel - they will be required to implement and support the policies.
      • Managers - concerned about protection of data and the associated cost of the policy.
      • Business lawyers and auditors - are concerned about company reputation, responsibility to clients/customers.

    The Policy Design Process
      • Choose the policy development team.
      • Designate a person or body to serve as the official policy interpreter.
      • Decide on the scope and goals of the policy.
          • scope should be a statement about who is covered by the policy.
      • Decide on how specific to make the policy
          • not a detailed implementation plan
          • don't include facts which change frequently

    The Policy Design Process
      • All people affected by the policy should be provided an opportunity to review and comment on the policy before it becomes official.
          • very unrealistic for large organizations
          • often difficult to get the information out and ensure people read it.
      • Incorporate policy awareness as a part of employee orientation.
      • Provide refresher overview course on policies once or twice a year.

    Basic Requirements
      • Policies must:
          • be implementable and enforceable
          • be concise and easy to understand
          • balance protection with productivity
          • be updated regularly to reflect the evolution of the organization
      • Policies should:
          • state reasons why policy is needed
          • describe what is covered by the policies - whom, what, and where
          • define contacts and responsibilities to outside agencies
          • discuss how violations will be handled

    Determining Level of Control
      • Security needs and culture play major role.
      • Security policies MUST balance level of control with level of productivity.
      • If policies are too restrictive, people will find ways to circumvent controls.
      • Technical controls are not always possible.
      • Must have management commitment on level of control.

    Choosing A Policy Structure
      • Dependent on company size and goals.
      • One large document or several small ones?
          • smaller documents are easier to maintain and update
      • Some policies appropriate for every site, others are specific to certain environments.
      • Some key policies:
          • Acceptable Use
          • User Account
          • Remote Access
          • Information Protection

    The Acceptable Use Policy
      • Discusses and defines the appropriate use of the computing resources.
      • Users should be required to read and sign AU policy as part of the account request process.
      • Many examples of AU policies can be found on:
          • http://www.eff.org/pub/CAF/policies/

    Some Elements of the Acceptable Use Policy
      • Should state responsibility of users in terms of protecting information stored on their accounts.
      • Should state if users can read and copy files that are not their own, but are accessible to them.
      • Should state if users can modify files that are not their own, but for which they have write access.
      • Should state if users are allowed to make copies of systems configuration files (e.g., /etc/passwd) for their personal use, or to provide to other people.

    Acceptable Use Policy
      • Should state if users are allowed to use .rhosts files and what types of entries are acceptable.
      • Should state if users can share accounts.
      • Should state if users can make copies of copyrighted software.
      • Should state level of acceptable usage for electronic mail, Internet news and web access.

    User Account Policy
      • Outlines the requirements for requesting and maintaining an account on the systems.
      • Very important for large sites where users typically have accounts on many systems.
      • Some sites have users read and sign an Account Policy as part of the account request process.
      • Example User Account Policies are also available on the CAF archive along with the Acceptable Use Policies.
          • http://www.eff.org/pub/CAF/policies/

    Elements of a User Account Policy
      • Should state who has the authority to approve account requests.
      • Should state who is allowed to use the resources (e.g., employees or students only).
      • Should state any citizenship/resident requirements.
      • Should state if users are allowed to share accounts or if users are allowed to have multiple accounts on a single host.
      • Should state the user's rights and responsibilities.

    Elements of User Account Policy
      • Should state when the account should be disabled and archived.
      • Should state how long the account can remain inactive before it is disabled.
      • Should state password construction and aging rules.

    Remote Access Policy
      • Outlines and defines acceptable methods of remotely connecting to the internal network.
      • Essential in large organizations where networks are geographically dispersed and even extend into the homes.
      • Should cover all available methods to remotely access internal resources:
          • dial-in (SLIP, PPP)
          • ISDN/Frame Relay
          • telnet access from Internet
          • Cable modem

    Elements of Remote Access Policy
      • Should define who is allowed to have remote access capabilities.
      • Should define what methods are allowed for remote access.
      • Should discuss if dial-out modems are allowed.
      • Should discuss who is allowed to have high-speed remote access such as ISDN, Frame Relay or cable modem.
          • what extra requirements are there?
          • can other members of household use network?

    Elements of Remote Access Policy
      • Should discuss any restrictions on data that can be accessed remotely.
      • If partner connections are commonplace, should discuss requirements and methods.

    Information Protection Policy
      • Provides guidelines to users on the processing, storage and transmission of sensitive information.
      • Main goal is to ensure information is appropriately protected from modification or disclosure.
      • May be appropriate to have new employees sign policy as part of their initial orientation.
      • Should define sensitivity levels of information.

    Key Elements of Information Protection Policy
      • Should define who can have access to sensitive information.
          • special circumstances
          • non-disclosure agreements
      • Should define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc.).
      • Should define on which systems sensitive information can be stored.
      • Should discuss what levels of sensitive information can be printed on physically insecure printers.

    Key Elements of Information Protection Policy
      • Should define how sensitive information is removed from systems and storage devices.
          • degaussing of storage media
          • scrubbing of hard drives
          • shredding of hardcopy output
      • Should discuss any default file and directory permissions defined in system-wide configuration files.

    Firewall Management Policy
      • Describes how firewall hardware and software are managed and how changes are requested and approved.
      • Should discuss who can obtain privileged access to firewall systems.
      • Should discuss the procedure to request a firewall configuration change and how the request is approved.
      • Should discuss who is allowed to obtain information regarding the firewall configuration and access lists.
      • Should discuss review cycles for firewall system configurations.

    Special Access Policy
      • Defines requirements for requesting and using special systems accounts (root, bkup, ...).
      • Should discuss how users can obtain special access.
      • Should discuss how special access accounts are audited.
      • Should discuss how passwords for special access accounts are set and how often they are changed.
      • Should discuss reasons why special access is revoked.

    Network Connection Policy
      • Defines requirements for adding new devices to the network.
      • Well suited for sites with multiple support teams.
      • Important for sites which are not behind a firewall.
      • Should discuss:
          • who can install new resources on network
          • what approval and notification must be done
          • how changes are documented
          • what are the security requirements
          • how unsecured devices are treated

    Other Important Policies
      • Policy which addresses forwarding of email to offsite addresses.
      • Policy which addresses wireless networks.
      • Policy which addresses baseline lab security standards.
      • Policy which addresses baseline router configuration parameters.

    Security Procedures
      • Policies only define "what" is to be protected.
      • Procedures define "how" to protect resources and are the mechanisms to enforce policy.
      • Procedures define detailed actions to take for specific incidents.
      • Procedures provide a quick reference in times of crisis.
      • Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis).

    Configuration Management Procedure
      • Defines how new hardware/software is tested and installed.
      • Defines how hardware/software changes are documented.
      • Defines who must be informed when hardware and software changes occur.
      • Defines who has authority to make hardware and software configuration changes.

    Data Backup and Off-site Storage Procedures
      • Defines which file systems are backed up.
      • Defines how often backups are performed.
      • Defines how often storage media is rotated.
      • Defines how often backups are stored off-site.
      • Defines how storage media is labeled and documented.

    Security Incident Escalation Procedure
      • A "cookbook" procedure for frontline support personnel.
      • Defines who to call and when.
      • Defines initial steps to take.
      • Defines initial information to record.

    Disaster Planning and Response
      • A disaster is a large scale event which affects major portions of an organization.
          • a major earthquake, flood, hurricane, or tornado
          • a major power outage lasting > 48 hours
          • destruction of building structures
      • Main goal of plan is to outline tasks to keep critical resources running and to minimize impact of disaster.
      • Ensure critical information needed for disaster response is kept off-site and easily accessible after the onset of a disaster.

    Disaster Planning and Response

    Plan should outline several operating modes based on level of damage to resources.

    Determine the need for hot or cold sites.

    Disaster preparedness drills should be conducted several times a year.

    Resources For Security Policies and Procedures

    RFC2196 - The Site Security Procedures Handbook
    obsoletes rfc1244 as of 9/97.
    http://ds.internic.net/rfc/rfc2196.txt

    Some useful Web sites:
    http://www.gatech.edu/itis/policy/usage/contents.html
    http://csrc.ncsl.nist.gov/secplcy/

    Section Three Recap

    Ensure policies and procedures are provided to managers, users and support staff.

    Ensure policies are in line with the security philosophy and any regulations the organization is required to follow.

    Ensure policies are reviewed on a regular basis and are updated as necessary.

    Ensure sufficient training is provided on a regular basis.

    Section Three Recap

    Important policies every site should have:
    Acceptable Use Policy
    Remote Access Policy
    Information Protection Policy
    Firewall Management Policy

    Important procedures every site should have:
    Configuration Management Procedure
    Data Backup and Off-site Storage
    Incident Handling Procedure
    Disaster Recovery Procedure

    End of Section Three

    Class Exercise & Questions

    Class Exercise Three:

    What is the trust model in use at your company?
    How long does someone have to wait to get root or enable level access?

    Describe your policy design process.
    How many people are involved?
    What is the approval process?

    What are the key policies in use at your site?
    Which key policies don't you have that you would like to have?

    How do you inform the user community about a new policy?
    Do you feel users read and understand the policies?