why so many security policies utterly security...


Post on 21-May-2020


© 2001 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Security Policies?
Ugh, just give me a firewall!

Steve Riley

Enterprise Security Architect

Security Business and Technology Unit

steve.riley@microsoft.com

http://blogs.technet.com/steriley

SEC301

Our time today

Why so many security policies utterly fail

What do you need all this for anyway?

How to build good security policies

Why Security Policies Fail

Policies have natural weaknesses

Security is a barrier to progress

Security is a learned behavior

Expect the unexpected

There’s no perfect mousetrap

Four common pitfalls that limit the effectiveness of any security policy

Security is a barrier to progress

Protective measures are (by definition) either obstacles or impediments to commerce

Typically add zero benefit

Sometimes mitigate specific threats

Always reduce the ability to freely share information

Balance between security and disruption varies

Human nature begets desire (more! faster!)

Traffic lights exist for safety, but they’re just annoying at vacant intersections

At some point our patience runs out

Network users experience the same limit

No perceived benefit in compliance

Disparate compliance security breach

Security is a learned behavior

Self-preservation is instinctual; security isn’t

Higher-level function requiring initial learning and occasional reinforcement

Teach and preach the policy; tailor for audience

Infosec procedures are often unintuitive

How to recognize value of assets?

How to evaluate risks?

How to estimate costs of compromise?

“This is a stupid policy”

Applies to management, too

Want commitment and funding? Better justify each component of the policy

Expect the unexpected

Processes designed for global enterprises will process transactions at all hours for many users

As complexity of procedures increases, so does the chance they will fail

Expect failures and disasters—look for signs

Keep skills current

Prepare, plan, practice

Weeds out faults and loopholes before they’re exploited

There’s no perfect mousetrap

You can never be finished

Securing is on-going

Technology changes

Systems become outdated, fail, lose effectiveness

Threats always exist

And morph as attackers practice and improve

Policies and processes require regular maintenance

The real threats

Penetration of your network is unlikely, media histrionics notwithstanding

Complete protection might be a budget waster

Real threat often from within

More commonly: non-malicious damage from human error, denial of service, accidental disclosure

Amount of protection based on asset value

Overt policy violations come from “borderline” hackers tempted by unsecured assets or complacent monitoring and enforcement

Policy must project image of value on assets

What hurts retail—petty theft or vault cracking?

Where policies break down

Key under the doormat

It’s John Q. Public’s fault!

Burned by the backlog

Three vignettes that illustrate failures of typical security policies

Key under the doormat: analysis

Policy’s authors failed to consider its impact on workflow

Should have involved the users

Security department was unable (or unwilling) to note the policy was thwarted

Proper auditing and follow-up would have revealed

Possibly resulting in a new policy

Key under the doormat: outcome

Expensive equipment was lost

Employees, managers, and the security morale were negatively affected

A thief is at large

The costly measures provided no security value

The security policy caused the loss because it was inconvenient and easily circumvented

It’s John Q. Public’s fault: analysis

Failed to evaluate viability or effectiveness in business cycle

Signatures are arbitrary and don’t identify users

Risks of granting access not communicated to VPs

Security services must always communicate value, risks, and protective measures

Security department should have known blank signed forms were circulating

Needed assurance spot-checks, would have—

Revealed VP ignorance of user accounts

Led to new policy or buy-in of existing model

It’s John Q. Public’s fault: outcome

Proprietary information was compromised

Loss of reputation from public disclosure

A hacker is at large

Burned by the backlog: analysis

Management didn’t understand importance of servers or ramifications of business loss

And it was the security group’s fault…

Computer room staff didn’t know about unprotected assets

It’s their fault here, too

Knowledge would have also fixed back-ups

Its placement certainly sends the wrong message

Its value is about that of toilet paper

And will be treated as such by operators

Burned by the backlog: outcome

Customers demand refunds and/or defect to competition

Proprietary information was compromised

Building and property were damaged

Business was lost because of fire and cleanup

Company was fined

Why Do You Need Security Policies?

Don’t let this happen to you

A government agency

A law firm

An oil company

A local newspaper

A midwest (US) manufacturing company

A west coast (US) manufacturing company

A major online service company

Bad practices spread

Why you need policies

If I just open a bunch of ports in the firewall my app will work.

I think I will wedge the computer room door open. Much easier.

They have blocked my favorite Web site. Lucky I have a modem.

I think I will use my first name as a password.

Say, we run a network too. How do you configure your firewalls?

Why do we need the door locked?

Hey, nice modem. What's the number of that line?

I can never think of a good password. What do you use?

People vs. machines

How do people perceive risk?

How do people handle exceptions?

Why do people trust computers?

Why do we think people can make intelligent security decisions?

Are there malicious insiders?

Why are people vulnerable to social engineering?

Six problems that show the inherent conflict between carbon and silicon

Poor perceivers of risk

Overestimate risk for things that are

Out of their control

Sensationalized in the media

Underestimate risk for things that are

Mundane

Ordinary

Damn, this new Whyte Ryce album kicks!

Hell not again…we gotta fix that stupid alarm

George’ll shut it off when he looks up, he always does

Awkward exception handling

Computer mistakes are rare; people don’t know how to deal with them

Sometimes we just ignore or disable the alarm

Attackers take advantage of mistakes

Drills ensure people know what to do

“This computer never makes mistakes, so you must be lying”

Trusting the computer

People don’t sign or encrypt stuff…software does!

Necessary to securely transfer human volition to computer action

Volition can be forged… make the computer lie

Trojan horse feeds malicious document into signing system when key is opened to sign something else

Making security decisions

People want security…

… but they don’t want to see it working

And will disable or circumvent it if it gets in the way of work

Yet good security relies on interaction

Checking the name on a digital certificate

The allure of email worms with sexy subject lines

JavaScript warning dialogs

Malicious insiders

Implicitly trusted

Digital world is rife with insider knowledge

Authors of security programs

Installers of firewalls

Auditors

Hire honest people

Integrity screening

Diffuse trust

Public code reviews

Social engineering

Persuade someone to do what you want

But not wildly outside their normal behaviors

Bypasses all controls

Targets people

People are helpful

People just want to get their jobs done

Plausibility + dread + novelty = compromise

Why are people so dangerous?

Very vulnerable to mistakes and manipulation

Not good at estimating risk

Often too willing to extend trust

Duped by pleas for help—it’s our natural desire to want to be helpful

And can undermine all technical countermeasures

Often the weakest part should be accorded more scrutiny!

How to hack people

Diffusion of responsibility: “The veep says you won’t bear any responsibility…”

Chance for ingratiation: “Look at what you might get out of this!”

Trust relationships: “He’s a good guy, I think I can trust him”

Moral duty: “You must help me! Aren’t you so mad about this?”

How to hack people

Guilt: “What, you don’t want to help me?”

Identification: “You and I are really two of a kind, huh?”

Desire to be helpful: “Would you help me here, please?”

Cooperation: “Let’s work together. We can do so much.”

The help desk

People are naturally helpful

Its function is to help—to provide answers

Like all customer service

Generally not trained to question the validity of each call

Minimally-educated about security

Don’t get paid much

Objective: move on to next call

How To Build Good Security Policies

Don’t encourage bad behavior!

How do you win?

Remember, there’s no perfect mousetrap

Plan for the natural weaknesses of security policy

Educate users in policy, enforcement, and the value of assets

Perform regular health checks on the enforcement operations

Make corrections when needed

A good policy

Enables management to make a statement about the value of information to the business

Permits actions that would otherwise backfire

Monitoring traffic is illegal in some countries

Unless there exists a policy stating that monitoring is likely to occur

Note the policy doesn’t have to be discoverable…

Informs workers of their information protection duties

What they can and cannot do with it all

A good policy

Defines how employees are permitted to—

Represent the organization and what they may disclose

Use organizational computer resources for personal purposes

Clearly defines protective measures

The policy might be a decisive factor in a court of law

Show how you took steps to protect your intellectual property

Enumerates acceptable and unacceptable behavior

Lists penalties for violations, up to and including termination

Provides the legal foundation for making such decisions

Policy elements

Account setup and maintenance

Password change policy

Help desk procedures

Access privileges

Violations

User IDs

Privacy policy

Paper documents

Controlled access

Information dissemination

System hiding

The policy drives all other decisions

[Diagram labels: Operations, Process, Implementation, Documentation, Technology, Policy; Review, Audit, Refine]

The security lifecycle

Policy

The discovery phase

Identify threats and risks

Determine assets to be protected

Develop enforcement strategy; dictates technologies, resources, tactics, and training

Enforcement

The action phase

Everything gets tested here and either survives or decays

Includes operational life and execution

Assurance

The proof phase

Evaluate policy, strategy, and effectiveness

Analyze failures and feed back into policy

Policy: Determine its impact

Security is inconvenient

Recognize and respect security’s disruption

Build “user impact” into design; invite discussion

Avoid excessive complexity

Use tools that are already tested and proven

Controls costs; lessens chances of attack

To prosecute or not?

Decide in advance how far to go

If yes: know what evidence to collect and train staff

Make the punishment fit the crime

Often reprimands are sufficient

But what about the person who hacks the payroll?

Enforcement: Be visible

Make security overt

Badges have huge psychological effects

Remind constantly

Include reminders of information value

Emergency service

Drill the troops

Know where legitimate users typically work

Empower the enforcers

Training, training, training

Frequent and short

Know your environment

What’s normal—people, jobs, traffic

Walk in your user’s shoes

Helps you avoid mistakes!

Painless enforcement

Assurance: Learn and refine

Expect failure

Conduct regular audits to detect leaks and flaws

Audit at a level representative of risks you face

Audit user IDs to ensure they’re still active

Break into your house

Try to thwart your own policies

See whether users and security staff can gain access in other ways (social engineering)

Learn from your mistakes

Empower auditors with authority and process to effect change and make the policy better

User education

Security management campaign

Periodic refreshers

Newsletters

Group meetings

Screensavers

Signatures on acceptable use policies

Shredders and bulk erasers

Updated erasers—old ones are too weak

Consider: the band saw

Regular audits

Security awareness

Know what has value

What to do if you suddenly lost all access?

Friends aren’t always friends

Don’t allow trust to be exploited

Over-the-phone friendships lack trust

Passwords are personal

And always undervalued

Uniforms are cheap

Mutually authenticate when your bank calls you!

Ongoing reminders

Regular reminders to keep people aware

One training session won’t last forever

Police departments do this continually

Be creative

Don’t become yet another source of noise to be ignored

Make the policy itself available easily

Post on a web server

Provide simple searching and navigation

Keep it current!

Make the help desk better

Help staff learn to recognize attacks

Refusal by caller to give contact information

Rushing

Name-dropping

Intimidation

Misspellings

Odd questions

Know when to say “no”

Needs backing of management

So What To Do Now?

Learn more

Information Security Policies Made Easy, 9/e by Charles Cresson Wood
http://www.informationshield.com

Information Security Policy World
http://www.information-security-policies-and-standards.com

SANS Security Policy Project
http://www.sans.org/resources/policies/

Site Security Handbook
http://www.ietf.org/rfc/rfc2196.txt

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

© 2005 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.