why so many security policies utterly security...
Post on 21-May-2020
© 2001 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 1
Security Policies? Ugh, just give me a firewall!
Steve Riley, Enterprise Security Architect, Security Business and Technology Unit, steve.riley@microsoft.com, http://blogs.technet.com/steriley
SEC 301
Our time today
Why so many security policies utterly fail
What do you need all this for anyway?
How to build good security policies
Why Security Policies Fail
Policies have natural weaknesses
Security is a barrier to progress
Security is a learned behavior
Expect the unexpected
There's no perfect mousetrap
Four common pitfalls that limit the effectiveness of any security policy
Security is a barrier to progress
Protective measures are (by definition) either obstacles or impediments to commerce
Typically add zero benefit
Sometimes mitigate specific threats
Always reduce the ability to freely share information
Balance between security and disruption varies
Human nature begets desire (more! faster!)
Traffic lights exist for safety, but they're just annoying at vacant intersections
At some point our patience runs out
Network users experience the same limit
No perceived benefit in compliance
Disparate compliance → security breach
Security is a learned behavior
Self-preservation is instinctual; security isn't
Higher-level function requiring initial learning and occasional reinforcement
Teach and preach the policy; tailor for audience
Infosec procedures are often unintuitive
How to recognize value of assets?
How to evaluate risks?
How to estimate costs of compromise?
"This is a stupid policy"
Applies to management, too
Want commitment and funding? Better justify each component of the policy
Expect the unexpected
Processes designed for global enterprises will process transactions at all hours for many users
As complexity of procedures increases, so does the chance they will fail
Expect failures and disasters—look for signs
Keep skills current
Prepare, plan, practice
Weeds out faults and loopholes before they're exploited
There's no perfect mousetrap
You can never be finished
Securing is on-going
Technology changes
Systems become outdated, fail, lose effectiveness
Threats always exist
And morph as attackers practice and improve
Policies and processes require regular maintenance
The real threats
Penetration of your network is unlikely, media histrionics notwithstanding
Complete protection might be a budget waster
Real threat often from within
More commonly: non-malicious damage from human error, denial of service, accidental disclosure
Amount of protection based on asset value
Overt policy violations come from "borderline" hackers tempted by unsecured assets or complacent monitoring and enforcement
Policy must project image of value on assets
What hurts retail—petty theft or vault cracking?
Where policies break down
Key under the doormat
It's John Q. Public's fault!
Burned by the backlog
Three vignettes that illustrate failures of typical security policies
Key under the doormat: analysis
Policy's authors failed to consider its impact on workflow
Should have involved the users
Security department was unable (or unwilling) to note the policy was thwarted
Proper auditing and follow-up would have revealed
Possibly resulting in a new policy
Key under the doormat: outcome
Expensive equipment was lost
Employees, managers, and the security morale were negatively affected
A thief is at large
The costly measures provided no security value
The security policy caused the loss because it was inconvenient and easily circumvented
It's John Q. Public's fault: analysis
Failed to evaluate viability or effectiveness in business cycle
Signatures are arbitrary and don't identify users
Risks of granting access not communicated to VPs
Security services must always communicate value, risks, and protective measures
Security department should have known blank signed forms were circulating
Needed assurance spot-checks, would have—
Revealed VP ignorance of user accounts
Led to new policy or buy-in of existing model
It's John Q. Public's fault: outcome
Proprietary information was compromised
Loss of reputation from public disclosure
A hacker is at large
Burned by the backlog: analysis
Management didn't understand importance of servers or ramifications of business loss
And it was the security group's fault…
Computer room staff didn't know about unprotected assets
It's their fault here, too
Knowledge would have also fixed back-ups
Its placement certainly sends the wrong message
Its value is about that of toilet paper
And will be treated as such by operators
Burned by the backlog: outcome
Customers demand refunds and/or defect to competition
Proprietary information was compromised
Building and property were damaged
Business was lost because of fire and cleanup
Company was fined
Why Do You Need Security Policies?
Don't let this happen to you
A government agency
A law firm
An oil company
A local newspaper
A midwest (US) manufacturing company
A west coast (US) manufacturing company
A major online service company
Bad practices spread
Why you need policies
"If I just open a bunch of ports in the firewall my app will work."
"I think I will wedge the computer room door open. Much easier."
"They have blocked my favorite Web site. Lucky I have a modem."
"I think I will use my first name as a password."
"Say, we run a network too. How do you configure your firewalls?"
"Why do we need the door locked?"
"Hey, nice modem. What's the number of that line?"
"I can never think of a good password. What do you use?"
People vs. machines
How do people perceive risk?
How do people handle exceptions?
Why do people trust computers?
Why do we think people can make intelligent security decisions?
Are there malicious insiders?
Why are people vulnerable to social engineering?
Six problems that show the inherent conflict between carbon and silicon
Poor perceivers of risk
Overestimate risk for things that are
Out of their control
Sensationalized in the media
Underestimate risk for things that are
Mundane
Ordinary
"Damn, this new Whyte Ryce album kicks!"
"Hell not again… we gotta fix that stupid alarm"
"George'll shut it off when he looks up, he always does"
Awkward exception handling
Computer mistakes are rare; people don't know how to deal with them
Sometimes we just ignore or disable the alarm
Attackers take advantage of mistakes
Drills ensure people know what to do
"This computer never makes mistakes, so you must be lying"
Trusting the computer
People don't sign or encrypt stuff… software does!
Necessary to securely transfer human volition to computer action
Volition can be forged… make the computer lie
Trojan horse feeds malicious document into signing system when key is opened to sign something else
Making security decisions
People want security…
… but they don't want to see it working
And will disable or circumvent it if it gets in the way of work
Yet good security relies on interaction
Checking the name on a digital certificate
The allure of email worms with sexy subject lines
JavaScript warning dialogs
Malicious insiders
Implicitly trusted
Digital world is rife with insider knowledge
Authors of security programs
Installers of firewalls
Auditors
Hire honest people
Integrity screening
Diffuse trust
Public code reviews
Social engineering
Persuade someone to do what you want
But not wildly outside their normal behaviors
Bypasses all controls
Targets people
People are helpful
People just want to get their jobs done
Plausibility + dread + novelty = compromise
Why are people so dangerous?
Very vulnerable to mistakes and manipulation
Not good at estimating risk
Often too willing to extend trust
Duped by pleas for help—it's our natural desire to want to be helpful
And can undermine all technical countermeasures
Often the weakest part → should be accorded more scrutiny!
How to hack people
Diffusion of responsibility: "The veep says you won't bear any responsibility…"
Chance for ingratiation: "Look at what you might get out of this!"
Trust relationships: "He's a good guy, I think I can trust him"
Moral duty: "You must help me! Aren't you so mad about this?"
How to hack people
Guilt: "What, you don't want to help me?"
Identification: "You and I are really two of a kind, huh?"
Desire to be helpful: "Would you help me here, please?"
Cooperation: "Let's work together. We can do so much."
The help desk
People are naturally helpful
Its function is to help—to provide answers
Like all customer service
Generally not trained to question the validity of each call
Minimally-educated about security
Don't get paid much
Objective: move on to next call
How To Build Good Security Policies
Don't encourage bad behavior!
How do you win?
Remember, there's no perfect mousetrap
Plan for the natural weaknesses of security policy
Educate users in policy, enforcement, and the value of assets
Perform regular health checks on the enforcement operations
Make corrections when needed
A good policy
Enables management to make a statement about the value of information to the business
Permits actions that would otherwise backfire
Monitoring traffic is illegal in some countries
Unless there exists a policy stating that monitoring is likely to occur
Note the policy doesn't have to be discoverable…
Informs workers of their information protection duties
What they can and cannot do with it all
A good policy
Defines how employees are permitted to—
Represent the organization and what they may disclose
Use organizational computer resources for personal purposes
Clearly defines protective measures
The policy might be a decisive factor in a court of law
Show how you took steps to protect your intellectual property
Enumerates acceptable and unacceptable behavior
Lists penalties for violations, up to and including termination
Provides the legal foundation for making such decisions
Policy elements
Account setup and maintenance
Password change policy
Help desk procedures
Access privileges
Violations
User IDs
Privacy policy
Paper documents
Controlled access
Information dissemination
System hiding
The policy drives all other decisions
[Diagram labels: Operations, Process, Implementation, Documentation, Technology, Policy, Review, Audit, Refine]
The security lifecycle
Policy
The discovery phase
Identify threats and risks
Determine assets to be protected
Develop enforcement strategy; dictates technologies, resources, tactics, and training
Enforcement
The action phase
Everything gets tested here and either survives or decays
Includes operational life and execution
Assurance
The proof phase
Evaluate policy, strategy, and effectiveness
Analyze failures and feed back into policy
Policy: Determine its impact
Security is inconvenient
Recognize and respect security's disruption
Build "user impact" into design; invite discussion
Avoid excessive complexity
Use tools that are already tested and proven
Controls costs; lessens chances of attack
To prosecute or not?
Decide in advance how far to go
If yes: know what evidence to collect and train staff
Make the punishment fit the crime
Often reprimands are sufficient
But what about the person who hacks the payroll?
Enforcement: Be visible
Make security overt
Badges have huge psychological effects
Remind constantly
Include reminders of information value
Emergency service
Drill the troops
Know where legitimate users typically work
Empower the enforcers
Training, training, training
Frequent and short
Know your environment
What's normal—people, jobs, traffic
Walk in your user's shoes
Helps you avoid mistakes!
Painless enforcement
Assurance: Learn and refine
Expect failure
Conduct regular audits to detect leaks and flaws
Audit at a level representative of risks you face
Audit user IDs to ensure they're still active
Break into your house
Try to thwart your own policies
See whether users and security staff can gain access in other ways (social engineering)
Learn from your mistakes
Empower auditors with authority and process to effect change and make the policy better
User education
Security management campaign
Periodic refreshers
Newsletters
Group meetings
Screensavers
Signatures on acceptable use policies
Shredders and bulk erasers
Updated erasers—old ones are too weak
Consider: the band saw
Regular audits
Security awareness
Know what has value
What to do if you suddenly lost all access?
Friends aren't always friends
Don't allow trust to be exploited
Over-the-phone friendships lack trust
Passwords are personal
And always undervalued
Uniforms are cheap
Mutually authenticate when your bank calls you!
Ongoing reminders
Regular reminders to keep people aware
One training session won't last forever
Police departments do this continually
Be creative
Don't become yet another source of noise to be ignored
Make the policy itself available easily
Post on a web server
Provide simple searching and navigation
Keep it current!
Make the help desk better
Help staff learn to recognize attacks
Refusal by caller to give contact information
Rushing
Name-dropping
Intimidation
Misspellings
Odd questions
Know when to say "no"
Needs backing of management
So What To Do Now?
Learn more
Information Security Policies Made Easy, 9/e, by Charles Cresson Wood, http://www.informationshield.com
Information Security Policy World, http://www.information-security-policies-and-standards.com
SANS Security Policy Project, http://www.sans.org/resources/policies/
Site Security Handbook, http://www.ietf.org/rfc/rfc2196.txt
Steve Riley, steve.riley@microsoft.com
http://blogs.technet.com/steriley
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.