security policies
play

Security Policies CS461/ECE422 Computer Security I Fall 2009 -1 - PowerPoint PPT Presentation

Jan 10, 2024 •343 likes •764 views

Security Policies CS461/ECE422 Computer Security I Fall 2009 -1 Overview Natural language policies Example policies Implementation policies High level Low level -2 Reading Material Computer Security,

  1. Security Policies CS461/ECE422 Computer Security I Fall 2009 -1

  2. Overview • Natural language policies – Example policies • Implementation policies – High level – Low level -2

  3. Reading Material • Computer Security, – Introduction – Chapter 1.3 and 1.4 – Security Policies – Chapter 4 skipping 4.7 • SANS policy project – http://www.sans.org/resources/policies/ • Information Security Policies and Procedures , Thomas Peltier -3

  4. Motivation • Security Policies guides implementation – Reflects what one can assume about an organization – Who has access to which resources in what manner – Confidentiality, integrity, availability • Policy occurs at multiple levels – Policy-driven management -4

  5. Security Policy • Policy partitions system states into: – Authorized (secure) • These are states the system can enter – Unauthorized (nonsecure) • If the system enters any of these states, it’s a security violation – Same state may be secure in one organization and nonsecure in another • Secure system – Starts in authorized state, and never enters -5 unauthorized state

  6. Authorized System States S1 S3 S4 S2 -6

  7. Question • Policy disallows cheating – Includes copying homework, with or without permission • CS class has students do homework on computer • Anne forgets to read-protect her homework file • Bill copies it • Who cheated? – Anne, Bill, or both? -7

  8. Answer Part 1 • Bill cheated – Policy forbids copying homework assignment – Bill did it – System entered unauthorized state (Bill having a copy of Anne’s assignment) • If not explicit in computer security policy, certainly implicit – Not credible that a unit of the university allows something that the university as a whole forbids, unless the unit explicitly says so -8

  9. Answer Part #2 • Anne didn’t protect her homework – Not required by security policy • She didn’t breach security • If policy said students had to read-protect homework files, then Anne did breach security – She didn’t do this -9

  10. Mechanisms/Controls • Entity or procedure that enforces some part of the security policy – Access controls (like bits to prevent someone from reading a homework file) – Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems -10

  11. Hierarchy of Policies Organizational Policy Departmental Policy Department Standards CSIL-Linux10 Linux Lab SE Linux Umask settings Policy -11

  12. Types of Policies that Affect Information Security • Data protection • Privacy • Email • Hiring • Numerous others types of organizational policies with varying impact on information security -12

  13. Natural Language Security Policies • Targeting Humans – Written at different levels • To inform end users • To inform lawyers • To inform technicians • Users, owners, beneficiaries (customers) • As with all policies, should define purpose not mechanism – May have additional documents that define how policy maps to mechanism • Should be enduring – Don't want to update with each change to technology • Shows due diligence on part of the organization -13

  14. How to Write a Policy • Understand your environment – Risk Analysis (see next lecture) • Understand your industry – Look for “standards” from similar companies – Leverage others wisdom – Already proven with auditors/regulators • Gather the right set of people – Technical experts, person ultimately responsible, person who can make it happen – Not just the security policy “expert” -14

  15. Security Policy Contents • Purpose – Why are we trying to secure things • Identify protected resources • Who is responsible for protecting – What kind of protection? Degree but probably not precise mechanism. • Cover all cases • Realistic -15

  16. University of Illinois Information Security Policies • University of Illinois Information Security Policies – System wide policy; Identifies what, not how – http://www.obfs.uillinois.edu/manual/central_p/sec19-5.ht • CITES UIUC standards and guidelines – DNS - http://www.cites.uiuc.edu/dns/standards.html – FERPA - http://www.cites.uiuc.edu/edtech/development_aids/ferpa/ • CS Department policies – https://agora.cs.illinois.edu/display/tsg/Policies -16

  17. Example Privacy policies • Busey Bank - http://busey.com/ – Financial Privacy Policy • Targets handling of personal non-public data • Clarifies what data is protected • Who the data is shared with -17

  18. Poorly Written Policies • Cars.gov – Had following in click-through policy for dealers • This application provides access to the [Department of Transportation] DoT CARS system. When logged on to the CARS system, your computer is considered a Federal computer system and is the property of the U.S. Government. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed... to authorized CARS, DoT, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. • According to EFF – http://www.eff.org/deeplinks/2009/08/cars-gov -18

  19. Example Acceptable Use Policy • IEEE Email Acceptable Use Policy – http://eleccomm.ieee.org/email-aup.shtml – Inform user of what he can do with IEEE email – Inform user of what IEEE will provide • Does not accept responsibility of actions resulting from user email • Does not guarantee privacy of IEEE computers and networks – Examples of acceptable and unacceptable use -19

  20. Policy Models • Abstract description of a policy or class of policies • Types of policies – Military (governmental) security policy • Policy primarily protecting confidentiality – Commercial security policy • Policy primarily protecting integrity – Confidentiality policy • Policy protecting only confidentiality – Integrity policy • Policy protecting only integrity – Service Level Agreements • Availability agreements -20

  21. Policy Languages • Express security policies in a precise way • A continuum of policy languages – English Policies • May be legally precise. Used as basis for legal action. • May be written imprecisely just to give real users a sense of the policy – High-level languages • Policy constraints expressed abstractly – Low-level languages • Policy constraints expressed in terms of program options, input, or specific characteristics of entities on system -21

  22. High-Level Policy Languages • Constraints expressed independent of enforcement mechanism • Constraints restrict entities, actions • Constraints expressed unambiguously – Requires a precise language, usually a mathematical, logical, or programming-like language • Examples – Java constraint language – described in CS:A&S – DTEL type enforcement language – WS-Policy – SAML http://en.wikipedia.org/wiki/SAML – IETF Policy models ftp://ftp.rfc-editor.org/in-notes/rfc3585.txt -22

  23. IETF Policy Model • Separate policy decision making from enforcement Formal Policy Policy Policy Enforcement Decision Point (PEP) Point (PDP) -23

  24. DTEL – Domain Type Enforcement Language • Basis: access can be constrained by types • Combines elements of low-level, high-level policy languages – Implementation-level constructs express constraints in terms of language types – Constructs do not express arguments or inputs to specific system commands • Used in Sidewinder firewalls • Details of DTEL in http://citeseer.ist.psu.edu/cache/papers/cs/16179/http:zSzzS • Type enforcement policies resurfacing in SE Linux -24 Boebert, Kain 85

  25. Example • Goal: users cannot write to system binaries • Subjects in administrative domain can – User must authenticate to enter that domain • Subjects belong to domains: – d_user ordinary users – d_admin administrative users – d_login for login – d_daemon system daemons -25

  26. Types • Object types: – t_sysbin executable system files – t_readable readable files – t_writable writable files – t_dte data used by enforcement mechanisms – t_generic data generated from user processes • For example, treat these as partitions – In practice, files can be readable and writable; ignore this for the example -26

  27. Domain Representation • Sequence – First component is list of programs that start in the domain – Other components describe rights subject in domain has over objects of a type (crwd->t_writable) means subject can create, read, write, and list (search) any object of type t_writable -27

  28. d_daemon Domain domain d_daemon = (/sbin/init), (crwd->t_writable), (rd->t_generic, t_readable, t_dte), (rxd->t_sysbin), (auto->d_login); • Compromising subject in d_daemon domain does not enable attacker to alter system files – Subjects here have no write access • When /sbin/init invokes login program, login program transitions into d_login domain -28

  29. d_admin Domain domain d_admin = (/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh), (crwxd->t_generic), (crwxd->t_readable, t_writable, t_dte, t_sysbin), (sigtstp->d_daemon); • sigtstp allows subjects to suspend processes in d_daemon domain • Admin users use a standard command interpreter -29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems And what happens if they do CS 239 something else Security for Networks and And whos responsible for making sure System Software thats

245 views • 3 slides
Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO security standards at campuses) p ) Brian OHora, BSc (Hons) & MBA Technology Management Information Systems Services, TCD TERENA E2E

325 views • 15 slides
Security Summer 2016 Cornell University 1 Today Security policies Enforcement

Security Summer 2016 Cornell University 1 Today Security policies Enforcement

CS 4410 Operating Systems Security Summer 2016 Cornell University 1 Today Security policies Enforcement Authenticating people Passwords 2 Security policy Security policies prescribe what must be done and what must not be

431 views • 13 slides
Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats Security policies Confidentiality Policies Policy The Bell-LaPadula Model Specification Integrity Policies The Biba

698 views • 49 slides
Security Principles, Policies, and Tools CS 236 On-Line MS Program Networks and Systems

Security Principles, Policies, and Tools CS 236 On-Line MS Program Networks and Systems

Security Principles, Policies, and Tools CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 2 Page 1 CS 236 Online Outline Security design principles Security policies Basic concepts Security

419 views • 12 slides
Security Policies EGI OMB meeting 27 July 2017 David Kelsey (STFC/RAL) www.egi.eu EGI-Engage

Security Policies EGI OMB meeting 27 July 2017 David Kelsey (STFC/RAL) www.egi.eu EGI-Engage

Updated (VO) Community Security Policies EGI OMB meeting 27 July 2017 David Kelsey (STFC/RAL) www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 EGI security policies

319 views • 12 slides
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian Roth , Timothy Barron, Stefano Calzavara, Nick Nikiforakis & Ben Stock Network and Distributed System Security Symposium (NDSS '20) Cross-Site

878 views • 31 slides
More Enforceable Security Policies by Lujo Bauer, Jarred Ligatti and David W alker Presented by

More Enforceable Security Policies by Lujo Bauer, Jarred Ligatti and David W alker Presented by

More Enforceable Security Policies by Lujo Bauer, Jarred Ligatti and David W alker Presented by Khoo Yit Phang April 21, 2008 To Build Secure Systems... 1.What sort of security policies can and should w e demand of our system? 2.What mechanism

325 views • 15 slides
CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a

532 views • 41 slides
ddurkee@connectingpoint.biz Security Policies Who has them? Do we need them? Wireless

ddurkee@connectingpoint.biz Security Policies Who has them? Do we need them? Wireless

Dan Durkee, Executive VP\Partner\Network Engineer Connecting Point Computer Center 303 S Third St, Bismarck, ND 58504 ddurkee@connectingpoint.biz Security Policies Who has them? Do we need them? Wireless Encryption Where have we

1.68k views • 56 slides
NUTRITION AND FOOD SECURITY POLICIES AND PROGRAMS OF PAKISTAN

NUTRITION AND FOOD SECURITY POLICIES AND PROGRAMS OF PAKISTAN

NUTRITION AND FOOD SECURITY POLICIES AND PROGRAMS OF PAKISTAN - VISION 2025 Dr. Mubarik Ali Member (Food Security and Climate Change) Planning

265 views • 10 slides
Integrating Flexible Support for Security Policies into the Linux Operating System

Integrating Flexible Support for Security Policies into the Linux Operating System

Integrating Flexible Support for Security Policies into the Linux Operating System http://www.nsa.gov/selinux Stephen D. Smalley sds@tycho.nsa.gov Information Assurance Research Group National Security Agency (Slight modifications by David

542 views • 19 slides
Monitoring Security Policies Felix Klaedtke NEC Labs Europe Story so far . . . Which

Monitoring Security Policies Felix Klaedtke NEC Labs Europe Story so far . . . Which

Monitoring Security Policies Felix Klaedtke NEC Labs Europe Story so far . . . Which policies are enforceable ? Characterization for an abstract setting Enforcement via execution monitoring system allowed

1.03k views • 73 slides
Update - Security Policies David Groep (Nikhef) EGI OMB 24 November 2016 www.egi.eu EGI-Engage

Update - Security Policies David Groep (Nikhef) EGI OMB 24 November 2016 www.egi.eu EGI-Engage

Update - Security Policies David Groep (Nikhef) EGI OMB 24 November 2016 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Refreshing the security policy suite

399 views • 15 slides
An Ontology-based Approach to the Formalization of Information Security Policies Fernando Nufel

An Ontology-based Approach to the Formalization of Information Security Policies Fernando Nufel

An Ontology-based Approach to the Formalization of Information Security Policies An Ontology-based Approach to the Formalization of Information Security Policies Fernando Nufel do Amaral Carlos Bazlio Geiza Maria Hamazaki da Silva

878 views • 46 slides
Welcome to: Computer Science 457 Networking and the Internet Fall 2016 Indrajit Ray 1

Welcome to: Computer Science 457 Networking and the Internet Fall 2016 Indrajit Ray 1

Welcome to: Computer Science 457 Networking and the Internet Fall 2016 Indrajit Ray 1 Administrivia Website: http://www.cs.colostate.edu/~cs457 For both local and remote students Syllabus, Outline, Grading Policies Homework

771 views • 53 slides
DevOps A History in Configuration Management About me Senior Information Security Architect @

DevOps A History in Configuration Management About me Senior Information Security Architect @

DevOps A History in Configuration Management About me Senior Information Security Architect @ Epigen Technology Security nerd & avid lock picker Auditor, Analyst, Engineer Organizer / Volunteer various conferences Tech policy & tech

352 views • 24 slides
LHCOPN-LHCONE meeting Guest of HEPiX Fall 2017 meeting KEK Tsukuba, Japan 16 th October 2017

LHCOPN-LHCONE meeting Guest of HEPiX Fall 2017 meeting KEK Tsukuba, Japan 16 th October 2017

LHCOPN-LHCONE meeting Guest of HEPiX Fall 2017 meeting KEK Tsukuba, Japan 16 th October 2017 edoardo.martelli@cern.ch LHCOPN and LHCONE - Origin - Milestones - This meeting 2 First was LHCOPN First meeting on January 2005 at SARA, Amsterdam

390 views • 9 slides
Quantum Control on the Boundary Juan Manuel Prez-Pardo J.M. Prez-Pardo IbortFest 2018

Quantum Control on the Boundary Juan Manuel Prez-Pardo J.M. Prez-Pardo IbortFest 2018

IbortFest 2018 March 2018 ICMAT Quantum Control on the Boundary Juan Manuel Prez-Pardo J.M. Prez-Pardo IbortFest 2018 Outline Controllability of Quantum Systems Unbounded operators and self-adjointness Quantum Control on the boundary

436 views • 24 slides
Choosing The Right Agile Prabhat Sinha Methodology Shani Memfy For Your Drupal Project

Choosing The Right Agile Prabhat Sinha Methodology Shani Memfy For Your Drupal Project

Choosing The Right Agile Prabhat Sinha Methodology Shani Memfy For Your Drupal Project Speakers Prabhat Sinha Shani Memfy He has been managing product and Shes been managing product and project project since 8 years. After work

783 views • 39 slides
High Resolution Sequence Stratigraphy in the Shelfal part of Bengal Basin, India Pinaki Basu*,

High Resolution Sequence Stratigraphy in the Shelfal part of Bengal Basin, India Pinaki Basu*,

Oil and Gas Resources of India: Exploration and Production Opportunities and Challenges Geosciences Technology Workshop; Mumbai, India, 6-7 December 2017 Identification of Stratigraphic Play potential within Jalangi Formation using High

824 views • 25 slides
IT Security Teams and Managed Security Services Working Together 2006 FIRST Conference Who am

IT Security Teams and Managed Security Services Working Together 2006 FIRST Conference Who am

IT Security Teams and Managed Security Services Working Together 2006 FIRST Conference Who am I? Chris van Breda, CD, CISSP, EnCE Click to add subtitle 2 Theme for the 2006 conference Sharing Intelligence in Global Response working

894 views • 72 slides
CS 451 Software Engineering Winter Term Yuanfang Cai Room 104, University Crossings

CS 451 Software Engineering Winter Term Yuanfang Cai Room 104, University Crossings

CS 451 Software Engineering Winter Term Yuanfang Cai Room 104, University Crossings 215.895.0298 yfcai@cs.drexel.edu 1 Drexel University PROCESS MODEL A structured collection of practices Describe characteristics of effective process

519 views • 36 slides

More recommend