Security Policies
Paul Hogan
Ward Solutions
Agenda
09:30-10:10 Security Policies
10:10-10:30 Veritas
10:30-10:45 Break
10:45-11:55 Securing your Server
11:55-12:15 Sybari
12:15-13:00
Security Management – The Past
(timeline figure: 1980, 1990)
1st Generation: Gates, Guns & Guards
Focus: physical vulnerabilities and data confidentiality
Tools: locks, burglar alarms, mainframe security
Weakness: slow response, no protection from electronic threats
2nd Generation: Tactical Security Deployments
Focus: electronic vulnerabilities and intrusion
Tools: firewalls, anti-virus software & intrusion detection systems
Weakness: only protect from known electronic threats; not current
Security Management – Today
(timeline figure: 1980, 1990, next generation)
1st Generation: Gates, Guns & Guards (as above)
2nd Generation: Tactical Security Deployments (as above)
Next Generation: Strategic Security Processes
Assuring compliance
Managing risk
Securing assets
Why Does Network Security Fail?
Network security fails in several common areas, including:
Human awareness
Policy factors
Hardware or software misconfigurations
Poor assumptions
Ignorance
Failure to stay up-to-date
Understanding Components of IT Security
Process
Technology
Implementation
Documentation
Operations
Start with policy
Build process
Apply technology
Security Policy Model
Policy
Implementing IT Security
Compare each area to standards and best practices:
Security policy: what you must do
Documented procedures: what you say you do
Operations: what you really do
Policy Drives Everything
Regulatory Sources
Policies
Management controls, Organisational controls, Technical controls
Activities, processes, procedures:
Risk management
Contingency planning
Incident response
Physical security
Personnel security
Certification/verification
Access control
ID & authentication
Auditing
Encryption
Incident detection
Networking
Information classification
Communications
Acceptable use
Perimeter security
Core Components
People: skills, roles, and responsibilities
Processes: consistent and repeatable
Technology: products, tools, and automation
What Are Information Security Policies?
Management instructions (AKA directives)
Formal ways to say "This is how we do it here"
Tech talk: generalised requirements statements
Not systems settings for firewalls & other gear
More general than procedures & standards
Unlike guidelines, policies are mandatory
Unlike architectures, policies are product independent
Real World Cases… Where Policies Made A Big Difference
Lazy government clerk fired for downloading pornography
IT manager becomes consultant for former employer
Joke list circulation causes sexual harassment suit
Major newspaper notices rival gets scoop stories
Virus hoax message floods computer manufacturer net
Stolen disk drive causes severe public relations problem
Revealed preference info causes dishonorable discharge
Top 10 Information Security Policies To Protect Your Organisation Against Cyber-Terrorism
1. Perform background checks for all workers
2. Maintain a low profile in the public's eyes
3. Wear a badge when inside company X offices
4. Update & test information systems contingency plans
5. Store critical production data securely at off-site location
6. Install latest patches on systems located on network periphery
7. Install and monitor intrusion detection systems
8. Turn on minimum level of systems event logging
9. Assign explicit responsibility for information security tasks
10. Perform periodic risk assessments for critical systems
The Issues with Policies Today
Lack of resources
Lack of authority
Incomplete & out-of-date
No official corporate-wide approval process
Mergers & acquisitions
Same topic covered in multiple documents
Contradictions
Unenforceable
Chernobyl – April 25-26, 1986
Ineffective Controls
April 25 @ 1300 hrs: Initial alerts and warnings about overload
April 25 @ 1400 hrs: Without following SOP, operators disconnect Emergency Core Cooling System
No manager approved continued operation
April 26 @ 0100 hrs: Emergency protection signals suppressed by operators
April 26 @ 0119 hrs: Excessive radioactivity ignored by operators
April 26 @ 0123:48: Explosion occurs, followed by second explosion
(images: Inside Chernobyl's I Block Control Room, 1985; Chernobyl's Reactor 4, 1986; Deserted City of Pripyat, Chernobyl in Background, 1987; Chernobyl Reactor 4 Sarcophagus, 1996)
Understanding Defense-in-Depth
Using a layered approach:
Increases an attacker's risk of detection
Reduces an attacker's chance of success
Layers, from outermost to innermost:
Policies, procedures, and awareness: security policies, procedures, and education
Physical security: guards, locks, tracking devices
Perimeter: firewalls, border routers, VPNs with quarantine procedures
Internal network: network segments, NIDS
Host: OS hardening, authentication, security update management, antivirus updates, auditing
Application: application hardening
Data: strong passwords, ACLs, backup and restore strategy
Reasons To Have Awareness & Training
Make it clear that info security is mandatory, not voluntary
Force management to recognize that people are part of solution
Technology is useless unless properly managed (patches)
Make critical role of user crystal clear -- front line of defense!
A Final Consideration: Does Security Awareness Work?
Consider… AA Flight 63 Paris – Miami (12/24/01)
Questions and Answers