Information Technology Security Policy - PowerPoint PPT Presentation


Title: Information Technology Security Policy


1
Information Technology Security Policy
  • Wee Yeh, Tan
  • Unix Administrator
  • School of Computing
  • National University of Singapore

2
Contents
  • Introduction to IT Security Policy
  • What is a Security Policy?
  • Security Objective
  • Why do we need it?
  • Model of Security Policies
  • Security Policy in practice
  • Special

3
What is a Security Policy
  • An IT Security Policy is a set of practices and
    procedures that
  • reduce the likelihood of an attack or an incident
  • in event of an incident, minimise the damage
  • Such a policy will (hopefully) influence
  • behaviour, procedures of operations and actions
  • future decisions taken

4
Security Objectives
  • Confidentiality. Information is only accessible
    to those who are authorized.
  • Integrity. Information is protected against
    unauthorized modification.
  • Availability. Information is available when it is
    needed.

5
Why do we need it?
  • It involves the higher management
  • It's a great way to get one's ass covered
  • It's a good thing to show your clients (just like
    ISO9002)

6
Why do we really need it??
  • They are a great benchmarking mechanism
  • They ensure consistency
  • They are great as a reference
  • They define acceptable use
  • They give security staff the backing of the
    higher management
  • enough??

7
Contents
  • Introduction to IT Security Policy
  • Model of Security Policies
  • Lattice Model of Access Security
  • Bell-LaPadula Confidentiality Model
  • Biba's Integrity Model
  • Clark Wilson Model
  • Chinese Wall Security Model
  • Security Policy in Practice
  • Special

8
Lattice Model of Access Security
  • A general model that provides a graphical
    representation of access control.
  • Captures relationship between subordinates and
    departments.
  • Transitive relationship allows superiors more
    access.

9
Bell-LaPadula (BLP) Confidentiality Model
  • BLP prevents information flowing downwards from a
    high-security level to a low-security level hence
    ensuring confidentiality.
  • Suppose C is a security class function and ≤
    denotes an order,
  • simple security property (ss-property)
  • A subject s may have read access to an object o
    only if C(o) ≤ C(s).
  • *-property
  • A subject s who has read access to an object o
    may have write access to object p only if C(o) ≤
    C(p).

10
BLP: How it works...
  • Assume that a-i denotes the security
    classification of both subjects & objects.
  • An object o has clearance C(o) = g.
  • Any subject s with clearance C(s) ≥ g has read
    access.
  • A subject s' s.t. C(s') = c may only write with
    clearance g, c or a about object o.
  • Anyone notice anything weird yet??

11
Biba Integrity Model
  • The Biba model addresses Integrity using a
    mechanism that is very similar to BLP.
  • Suppose I is an integrity class function and ≥
    denotes an order,
  • simple security property (ss-property)
  • A subject s can modify an object o only if I(s) ≥
    I(o).
  • *-property
  • A subject s who has read access to an object o
    with integrity level I(o), s can have write
    access to object p only if I(o) ≥ I(p).
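
Added example, not part of the original slides: the BLP and Biba rules from the two slides above written as checks over a lattice of (level, compartments) labels, with the same labels reused as integrity classes for Biba. The level names, compartments and function names are assumptions made for illustration.

```python
# Added illustration; labels, level names and helper names are constructed.
from dataclasses import dataclass

LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # assumed ordering

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # True when other <= self; two labels may also be incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def blp_can_read(s, o):
    # ss-property: read only if C(o) <= C(s) (no read up)
    return s.dominates(o)

def blp_can_write(read_objs, p):
    # *-property: every object o held for reading needs C(o) <= C(p)
    return all(p.dominates(o) for o in read_objs)

def biba_can_modify(s, o):
    # Biba: modify only if I(s) >= I(o) (no write up)
    return s.dominates(o)

def biba_can_write(read_objs, p):
    # Biba *-property: every object o held for reading needs I(o) >= I(p)
    return all(o.dominates(p) for o in read_objs)

def demo():
    analyst = Label("secret", frozenset({"crypto"}))
    report = Label("secret", frozenset({"crypto"}))
    bulletin = Label("public")
    vault = Label("secret", frozenset({"crypto", "nuclear"}))
    other = Label("secret", frozenset({"nuclear"}))
    return {
        "read report": blp_can_read(analyst, report),          # equal labels
        "read vault": blp_can_read(analyst, vault),            # read up
        "read other": blp_can_read(analyst, other),            # incomparable
        "blp write bulletin": blp_can_write([report], bulletin),  # write down
        "blp write vault": blp_can_write([report], vault),     # blind write up
        "biba write bulletin": biba_can_write([report], bulletin),
        "biba write vault": biba_can_write([report], vault),
    }

if __name__ == "__main__":
    print(demo())
```

The two write checks give opposite answers for the same pair of objects, which is the duality between the confidentiality and integrity models.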

12
Clark Wilson Model
  • addresses security requirements of commercial
    applications
  • prevents unauthorized modification of data, fraud
    and errors.
  • Integrity is divided into
  • Internal consistency: properties of the internal
    state of a system that can be enforced by a
    computer
  • External consistency: relations of internal state
    of a system to the real world that cannot be
    enforced by a computer.
  • Mechanisms to enforce integrity are
  • Well-formed transactions: data items can be
    manipulated only by a specific set of programs
  • Separation of duties: users have to collaborate
    to manipulate data or to collude to penetrate the
    security system.

13
Clark Wilson Example
  • Consider purchasing a computer system.
  • A purchasing clerk creates a Purchase Order and
    sends a copy to the vendor, cc to receiving
    department.
  • The receiving department receives the goods from
    the vendor, checks that everything is in order to
    the PO and signs the delivery form. The delivery
    form and PO are sent to the accounting department.
  • Vendor sends invoice to accounts. Clerk at
    accounts compares invoice with delivery form and
    sends payment.

14
Clark Wilson Notes
  • Subjects have to be identified & authenticated.
  • Objects can be manipulated only by a restricted
    set of programs.
  • Subjects can only execute a restricted set of
    programs.
  • A proper audit log has to be maintained.
  • The system has to be certified to work properly.

15
Chinese Wall Model
  • The Chinese Wall model was proposed by Brewer &
    Nash in a consultancy business where analysts
    have to make sure that no conflict of interest
    arises when they are dealing with different
    clients.
  • Rule: There must be no information flow that
    causes a conflict of interest.
  • Access is granted only if object requested
    belongs to
  • a company dataset already held by the user or
  • an entirely different conflict of interest class.

16
Chinese Wall Example
  • Consider 3 sectors: Tech, Pharma, and Banking.
  • Tech: Microsoft, Sun, HP, IBM, Redhat
  • Pharma: Glaxo, Roche, Pfizer
  • Banking: Citicorp, Deutsche Bank, HSBC, SC
  • Any consultant can only choose up to one company
    from each set.
  • What if Glaxo decides to branch into banking?
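
Added example, not part of the original slides: the Chinese Wall access rule applied to the three sectors above, including the case the last bullet raises, where a company ends up in two conflict-of-interest classes. The class, its method names and the consultants "alice" and "bob" are constructed for illustration.

```python
# Added illustration; class and method names are constructed for this example.
COI = {  # conflict-of-interest classes from the slide
    "Tech": {"Microsoft", "Sun", "HP", "IBM", "Redhat"},
    "Pharma": {"Glaxo", "Roche", "Pfizer"},
    "Banking": {"Citicorp", "Deutsche Bank", "HSBC", "SC"},
}

class ChineseWall:
    def __init__(self, coi):
        self.coi = {name: set(members) for name, members in coi.items()}
        self.history = {}  # consultant -> companies whose data they hold

    def classes_of(self, company):
        return {n for n, members in self.coi.items() if company in members}

    def may_access(self, consultant, company):
        held = self.history.get(consultant, set())
        if company in held:  # dataset already held by the user
            return True
        wanted = self.classes_of(company)
        # otherwise it must share no conflict class with anything held
        return not any(self.classes_of(h) & wanted for h in held)

    def access(self, consultant, company):
        allowed = self.may_access(consultant, company)
        if allowed:
            self.history.setdefault(consultant, set()).add(company)
        return allowed

    def conflicts(self, consultant):
        """Held pairs that share a class, e.g. after a company changes sector."""
        held = sorted(self.history.get(consultant, set()))
        return [(a, b) for i, a in enumerate(held) for b in held[i + 1:]
                if self.classes_of(a) & self.classes_of(b)]

def demo():
    wall = ChineseWall(COI)
    alice = [wall.access("alice", c) for c in ("Glaxo", "HSBC", "Roche")]
    wall.access("bob", "Glaxo")
    before = wall.may_access("bob", "Citicorp")
    wall.coi["Banking"].add("Glaxo")  # Glaxo branches into banking
    after = wall.may_access("bob", "Citicorp")
    return alice, before, after, wall.conflicts("alice")

if __name__ == "__main__":
    print(demo())
```

A check made only at access time does not catch the reclassification: accesses already granted have to be re-examined, which is what `conflicts()` reports for a consultant who held Glaxo and HSBC before the change.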

17
Contents
  • Introduction to IT Security Policy
  • Model of Security Policies
  • Security Policy in practice
  • Creating the correct environment
  • Designing the policies
  • Elements of a Security Policy
  • A Sample Security Policy
  • Implementing the policies
  • Usable policies?
  • Special

18
Creating the correct environment
  • Support from Management
  • Organizational Structure
  • grants security clearances
  • technical support team
  • emergency response team
  • system/security auditors
  • Financial Support/commitment
  • Security budget is usually the first to be cut!!!
  • An Organization Culture promoting better security

19
Designing the Policies
  • Factors affecting your decision
  • What is the security objective?
  • What are the operations of your organization?
  • What assets are you protecting?
  • What is the cost of the IT asset you are
    protecting?
  • What/who are you protecting against?
  • How much is your organization willing to invest?

20
Elements of a Security Policy
  • A security policy should contain
  • The value of information & the organization's
    commitment to information security
  • The classification system
  • Accountabilities, authority and responsibilities
    of each (class of) affected personnel in their
    respective area of operations
  • A list of important security-related contacts
  • Conditions/Scope of policy review.

21
A Sample Security Policy
  • Objective
  • To protect foobar organisation's Engineering
    systems against
  • Information leakage
  • Unauthorized modification from external sources
  • Scope
  • Physical placement of Engineering computers and
    network equipment (including cables)
  • Control all accesses to both wired & wireless
    network and connected systems

22
Sample Policy (2)
  • Applicability
  • All equipment connected to the Engineering
    network
  • All personnel who have access to such equipment.
  • Classification
  • Machines are classified either as secure or
    insecure.
  • Secured Classification does not span across
    departments.
  • Network Segmentation
  • All secure machines must be physically located
    where access is restricted.
  • All insecure machines may only connect to a
    secure machine through the company's firewall.
  • Wireless connections are insecure.

23
Sample Policy (3)
  • Policies
  • All communications between secure & insecure
    machines must be properly encrypted.
  • Secure machines can only provide the following
    services unless otherwise stated.
  • ssh2 (between secure/insecure)
  • file/print-sharing (within secure segment)
  • All machines must be patched at least once a
    week.
  • Enforcement
  • Firewall will block all connections between
    secure/insecure except ssh
  • Port/security scanning will be done daily.

24
Implementing the Policies
  • Human Support
  • User Involvement in decision making
  • User Education
  • Focus on managers
  • Honesty with staff
  • Encouragements
  • Discouragements
  • User agreements/ Acceptable Use Policies
  • Technology Support
  • Filtering tools: firewalls, virus scanners, virus
    walls.
  • Auditing facilities: centralized loghost,
    logwatchers, NFR
  • IDS: tripwire, snort
  • Security Scanners: netsaint, nessus, nmap, ...

25
Usable Security Policy?
  • Whether a security policy is successful depends
    on whether it
  • can be properly implemented (thru use of
    technology or human auditing or practices, etc)
  • matches the risk profile of the organization
    asset
  • has a clear objective, a proper execution plan
    and is clearly communicated to the affected
    parties.
  • clearly states the responsibilities and
    limitations of each party, lists important
    contacts when extra-ordinary events occur.
  • gains the support of all parties involved
  • provides for future changes without being overly
    disruptive
  • Be prepared to constantly review your policies!!!

26
Contents
  • Introduction to IT Security Policy
  • Model of Security Policies
  • Security Policy in practice
  • Special
  • A case study of (part of) the School of
    Computing's security policy
  • A cracking demonstration

27
Cracking
  • Steps in Cracking
  • Footprinting
  • Scanning
  • Enumeration
  • Cracking

28
References
  • Security Related Websites
  • http://www.securityfocus.com
  • http://www.cert.org
  • http://cve.mitre.org
  • http://www.phrack.org
  • http://www.rootshell.com
  • http://www.insecure.org
  • http://www.iss.net
  • http://www.security.org.sg