Information security professionals are charged with accomplishing a difficult and General Security Principles often thankless task – securing an organization ’ s data. and Practices It is difficult to judge when their efforts are successful, but failures are often placed in the spotlight. Chapter 3 Budgets Lecturer: Pei-yih Ting balance Legitimate business CIA goals needs of end users 1 2 Overview Common Security Principles � Information security is not new, many principles come from military and commercial practices � Common Security Principles even before computer appeared. � Security Policies � Many underlying principles guide the efforts of � Security Administration tools information security practitioners. � Physical Security � Technical measures like firewalls, intrusion � Personal Security detection systems and access controls are NOT a panacea for computer security. These technical controls must be supplemented with sound physical and personnel security practices. 3 4
Common Principles (cont ’ d) Common Principles (cont ’ d) � Least Privilege Principle � Separation of Privileges Principle � An individual should have only the minimum level of � No single person should have enough authority to access controls necessary to carry out job functions cause a critical event to happen � A common violation of this principle occurs because of � Many examples from outside of computing, e.g., administrator inattention two keys needed to launch a missile or open a vault, � Users are placed in groups whose functionalities are too broad two mechanics needed to repair an aircraft � Should create specific roles for the users responsible from � Tradeoff between security gained and manpower billing, issuing checks and authorizing payments required to achieve it � Another common violation occurs because of privilege creep � Users are granted new privileges when they change roles without revising existing privileges 5 6 Common Principles (cont ’ d) Defense in Depth Example � Defense in Depth Principle � Defenses should be like layered safe-nets � Effective perimeter protection methodology � Layers begin with points of access to a network and continue with cascading security at bottleneck points 7 8
Common Principles (cont ’ d) Security Policies � Goal is to have clearly defined security objectives to � Security through Obscurity � Design specific technical controls � In early days of computing, administrators depended upon secrecy about the security that was in place � Keep users informed of expected behavior � No longer very effective in most cases because � so much information is freely available (open source) � A security policy should be a written document � most fatal attacking events are launched by insiders � Available to all users of an organizational information � Examine a computer security setup through the eyes of system an intruder is a critical skill for security professional. It � Security policies range from single documents to is all too easy to view the system through the myopic multiple documents for specialized use or for eyes of the designer. specific groups of users � Security of a black-box vs. white-box device: public scrutiny on cryptographic algorithms, ex. AES � SANS templates: www.sans.org/resources/policies/ 9 10 Acceptable Use Policy (AUP) Backup Policy � Defines allowable uses of an organization ’ s � Data backups protect against corruption and loss information resources for managers, employees, of data vendors, partners and customers � To support the integrity and availability goals of � Must be specific enough to guide user activities but security flexible enough to cover unanticipated situations � Backup policy should answer key questions � Ex. Prohibition of peer-to-peer (P2P) S/Ws like Napster, � What data should be backed up and how? Kazaa, or eMule � Where should backups be stored? � Should answer key questions “ including, but not limited to ” � Who should have access? � What activities are acceptable? � How long should backups be retained? � What activities are clearly not acceptable? � How many times can backup media be reused? � Where can users get more information as needed? � What to do if violations are suspected or have occurred? � What are the consequences for violations? 11 12
Confidentiality Policy Data Retention Policy � Outlines procedures used to safeguard sensitive � Defines categories of data information � Different categories may have different protections under � Should cover all means of information dissemination the policy including telephone, print, verbal, and computer � For each category, defines minimum retention time � Questions include � Time may be mandated by law, regulation, or business � What data is confidential? needs, e.g., financial information related to taxes must � How should confidential information be handled? be retained for 7 years � What are the procedures to release confidential � For each category, defines maximum retention time information? � This time may also be mandated by law, regulation, or � What procedures should be followed if information is business needs released in violation of the policy? � Common in personal privacy areas, e.g., applicant ’ s data � Employees may be asked to sign nondisclosure agreements (NDA) 13 14 Implementing Security Policy Wireless Device Policy � Includes mobile phones, PDAs, palm computers � A major challenge for information security � Users often bring personal devices to the professionals workplace � Includes processes of developing and � Policy should define maintaining the policies themselves as well as � Types of equipment that can be purchased by the ensuring their acceptance and use within the organization organization � Type of personal equipment that may be brought into � Activities related to policy implementation are the facility often ongoing within an organization � Permissible activities � Approval authorities for exceptions 15 16
Developing Policies Building Consensus � Once consensus is reached among the � In any but the smallest organization, a team development committee, consensus must be approach should be employed spread throughout the organization ( “ selling ” � Include members from different departments or the policies) functional elements within the organization � IT, business unit, physical security, human resources, � Important because employees who are not on financial, and executive management board and disagree with the policy may choose � Commonly, a high-level list of business objectives to bypass the security policies, leaving the is first developed information system vulnerable � The second step is to determine the documents � Often the policies are promoted and advertised that must be written to achieve objectives by senior management � These steps are followed by documents drafts until consensus is achieved 17 18 Education Enforcement and Maintenance � Provide effective education and training � Policies should define responsibilities for programs custom-tailored to their role within the � Reporting violations organization for affected employees � Procedures when violations occur � Users should be aware of their responsibilities � Policies should be strictly and consistently enforced with regard to policies � Policy changes occur as companies and � Two types of training technologies change � Initial training is a one-time program early in an � Policies should contain provisions for modification employee ’ s tenure with company through maintenance procedures � Refresher training should be done periodically to � Common to have periodic reviews mandated � Remind employees of their responsibilities � Provide employees with updates of policies and technologies that affect their responsibilities 19 20
Security Administration Tools Administration Tools (cont ’ d) � Security matrices � Management tools that help with consistent � Used in development of security policies and application and enforcement of security policy implementation of particular procedures � Security checklists � Helps focus amount of attention paid to particular � Security professionals should review all checklists goals, guides effective utilization of security resources used in an organization for compliance with security Confidentiality Integrity Availability procedures � Security professionals may develop their customized Critical X X Importance checklists for security-specific tasks Moderate � Resources: Importance www.sans.org www.cert.org/tech_tips/usc20_full.html Low Importance X Figure 3.2 Sample security matrix for a case 21 22 Perimeter Protection/Access Physical Security Controls � Ensures that people cannot gain physical access � On the perimeter of a facility you can use to a facility where they can manipulate � Fences information resources � Lighting � Ensures that data resources are protected from � Motion detectors natural disasters such as fires and floods � Dogs � Many large organizations have separate � Patrols professionals for physical security � Remember the defense in depth principle � Three common categories of physical security � For example, use fences around the facility and issues biometrics for specific offices within a facility � Perimeter protection � Electronic emanations � Fire protection 23 24
Recommend
More recommend
