Information Technology Security Policy

Wee Yeh, Tan Unix Administrator School of Computing National University of Singapore. Information Technology Security Policy. Contents. Introduction to IT Security Policy What is a Security Policy? Security Objective Why do we need it? Model of Security Policies

Presentation Transcript


  1. Wee Yeh, Tan
     Unix Administrator
     School of Computing
     National University of Singapore
     Information Technology Security Policy

  2. Contents
     • Introduction to IT Security Policy
       • What is a Security Policy?
       • Security Objective
       • Why do we need it?
     • Model of Security Policies
     • Security Policy in practice
     • Special

  3. What is a Security Policy
     An IT Security Policy is a set of practices and procedures that
     • reduce the likelihood of an attack or an incident
     • in the event of an incident, minimise the damage
     Such a policy will (hopefully) influence
     • behaviour, procedures of operations and actions
     • future decisions taken

  4. Security Objectives
     • Confidentiality. Information is only accessible to those who are authorized.
     • Integrity. Information is protected against unauthorized modification.
     • Availability. Information is available when it is needed.

  5. Why do we need it?
     • It involves the higher management
     • It's a great way to get one's ass covered
     • It's a good thing to show your clients (just like ISO9002)

  6. Why do we really need it??
     • They are a great benchmarking mechanism
     • They ensure consistency
     • They are great as a reference
     • They define acceptable use
     • They give security staff the backing of the higher management
     • enough??

  7. Contents
     • Introduction to IT Security Policy
     • Model of Security Policies
       • Lattice Model of Access Security
       • Bell-LaPadula Confidentiality Model
       • Biba's Integrity Model
       • Clark & Wilson Model
       • Chinese Wall Security Model
     • Security Policy in Practice
     • Special

  8. Lattice Model of Access Security
     A general model that provides a graphical representation of access control.
     • Captures relationship between subordinates and departments.
     • Transitive relationship allows superiors more access.

  9. Bell-LaPadula (BLP) Confidentiality Model
     BLP prevents information flowing downwards from a high-security level to a low-security level, hence ensuring confidentiality.
     Suppose C is a security class function and  denotes an order,
     • simple security property (ss-property): A subject s may have read access to an object o only if C(o) C(s).
     • *-property: A subject s who has read access to an object o may have write access to object p only if C(o) C(p).

  10. BLP: How it works...
      Assume that [a-i] denotes the security classification of both subjects & objects.
      • An object o has clearance C(o) = g.
      • Any subject s with clearance C(s) g has read access.
      • A subject s' s.t. C(s')=c may only write with clearance g, c or a about object o.
      • Anyone notice anything weird yet??
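
The two BLP properties as a small reference monitor. This is an added example, not part of the original slides: the lattice (levels plus compartments), the objects and the subject are constructed, and it assumes the standard reading in which a read requires the subject's class to be at least the object's.

```python
from dataclasses import dataclass, field

# Constructed lattice: a class is (level, compartments).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

def leq(a, b):
    """a <= b in the lattice: b's level is at least a's and b holds all of a's compartments."""
    return LEVELS[a[0]] <= LEVELS[b[0]] and a[1] <= b[1]

# Constructed objects and their classes C(o).
OBJECTS = {
    "payroll": ("secret", frozenset({"hr"})),
    "design": ("secret", frozenset({"eng"})),
    "memo": ("confidential", frozenset()),
    "web": ("public", frozenset()),
}

@dataclass
class Subject:
    name: str
    clearance: tuple                               # C(s)
    has_read: list = field(default_factory=list)   # classes of objects read so far

def read(s, obj):
    """ss-property: read allowed only if C(o) <= C(s)."""
    c = OBJECTS[obj]
    if not leq(c, s.clearance):
        return False
    s.has_read.append(c)
    return True

def write(s, obj):
    """*-property: write to p allowed only if C(o) <= C(p) for every o already read."""
    return all(leq(c, OBJECTS[obj]) for c in s.has_read)

def demo():
    alice = Subject("alice", ("secret", frozenset({"hr"})))
    return [
        read(alice, "design"),    # denied: {eng} is outside alice's compartments
        write(alice, "web"),      # allowed: nothing read yet, so nothing can leak
        read(alice, "memo"),      # allowed: confidential <= secret
        write(alice, "web"),      # denied: would move memo content down to public
        write(alice, "payroll"),  # allowed: writing upwards does not leak
    ]

if __name__ == "__main__":
    print(demo())
```

Compartments make the order partial, so two classes at the same level ("design" and alice's clearance) can be incomparable and the read is refused.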

  11. Biba Integrity Model
      The Biba model addresses integrity using a mechanism that is very similar to BLP.
      Suppose I is an integrity class function and ≤ denotes an order,
      • simple security property (ss-property): A subject s can modify an object o only if I(s) ≤ I(o).
      • *-property: A subject s who has read access to an object o with integrity level I(o) can have write access to object p only if I(o) ≤ I(p).

  12. Clark & Wilson Model
      • addresses security requirements of commercial applications
      • prevents unauthorized modification of data, fraud and errors.
      • Integrity is divided into:
        • Internal consistency: properties of the internal state of a system that can be enforced by a computer
        • External consistency: relations of internal state of a system to the real world that cannot be enforced by a computer.
      • Mechanisms to enforce integrity are:
        • Well-formed transactions: data items can be manipulated only by a specific set of programs
        • Separation of duties: users have to collaborate to manipulate data or to collude to penetrate the security system.

  13. Clark & Wilson: Example
      Consider purchasing a computer system.
      • A purchasing clerk creates a Purchase Order (PO) and sends a copy to the vendor, cc to the receiving department.
      • The receiving department receives the goods from the vendor, checks that everything is in order against the PO and signs the delivery form. The delivery form and PO are sent to the accounting department.
      • Vendor sends invoice to accounts. Clerk at accounts compares invoice with delivery form and sends payment.

  14. Clark & Wilson: Notes
      • Subjects have to be identified & authenticated.
      • Objects can be manipulated only by a restricted set of programs.
      • Subjects can only execute a restricted set of programs.
      • A proper audit log has to be maintained.
      • The system has to be certified to work properly.
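
The purchasing example with the Clark & Wilson mechanisms enforced in code: each record changes only through a fixed transaction, each user may run only the transactions for their role, no user performs two steps on the same order, and every attempt is logged. This is an added example, not part of the original slides; the user names, role table, order id and amounts are constructed.

```python
# Constructed users and the programs (steps) each role may run.
ROLES = {"pat": {"purchasing"}, "rex": {"receiving"},
         "amy": {"accounts"}, "dan": {"purchasing", "accounts"}}
# step -> (role allowed to run it, step that must already be done)
STEPS = {"create_po": ("purchasing", None),
         "sign_delivery": ("receiving", "create_po"),
         "pay_invoice": ("accounts", "sign_delivery")}

class PurchaseSystem:
    def __init__(self):
        self.orders = {}   # po_id -> {"amount": ..., "done": {step: user}}
        self.audit = []    # append-only record of every attempt

    def run(self, user, step, po_id, amount=None):
        """The only way to change an order: a well-formed transaction."""
        role, prior = STEPS[step]
        order = self.orders.get(po_id, {"amount": None, "done": {}})
        done = order["done"]
        if role not in ROLES.get(user, set()):
            verdict = "denied: user may not run this program"
        elif prior is not None and prior not in done:
            verdict = "denied: earlier step missing"
        elif step in done:
            verdict = "denied: step already done"
        elif user in done.values():
            verdict = "denied: separation of duties"
        elif step == "pay_invoice" and amount != order["amount"]:
            verdict = "denied: invoice does not match PO"
        else:
            verdict = "ok"
            if step == "create_po":
                order["amount"] = amount
            done[step] = user
            self.orders[po_id] = order
        self.audit.append((user, step, po_id, verdict))
        return verdict == "ok"

def demo():
    s = PurchaseSystem()
    calls = [("dan", "create_po", 1200), ("rex", "pay_invoice", 1200),
             ("amy", "pay_invoice", 1200), ("rex", "sign_delivery", None),
             ("dan", "pay_invoice", 1200), ("amy", "pay_invoice", 1500),
             ("amy", "pay_invoice", 1200)]
    return [s.run(u, step, "PO-1", amt) for u, step, amt in calls], s.audit

if __name__ == "__main__":
    print(demo())
```

The fifth call is the interesting one: dan holds the accounts role, but he created the order, so paying it would put two steps in one pair of hands.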

  15. Chinese Wall Model
      The Chinese Wall model was proposed by Brewer & Nash in a consultancy business where analysts have to make sure that no conflict of interest arises when they are dealing with different clients.
      Rule: There must be no information flow that causes a conflict of interest.
      Access is granted only if the object requested belongs to:
      • a company dataset already held by the user; or
      • an entirely different conflict of interest class.

  16. Chinese Wall: Example
      • Consider 3 sectors: Tech, Pharma, and Banking.
        • Tech = {Microsoft, Sun, HP, IBM, Redhat}
        • Pharma = {Glaxo, Roche, Pfizer}
        • Banking = {Citicorp, Deutsche Bank, HSBC, SC}
      • Any consultant can only choose up to one company from each set.
      • What if Glaxo decides to branch into banking?
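
The access rule applied to the three sectors above, including the closing question: once Glaxo also sits in the Banking class, new requests are judged against both classes and access granted earlier can turn into a conflict that needs review. This is an added example, not part of the original slides; the consultant names and the `conflicts` audit helper are constructed.

```python
# Conflict-of-interest classes as listed on the slide.
COI = {
    "Tech": {"Microsoft", "Sun", "HP", "IBM", "Redhat"},
    "Pharma": {"Glaxo", "Roche", "Pfizer"},
    "Banking": {"Citicorp", "Deutsche Bank", "HSBC", "SC"},
}

class ChineseWall:
    def __init__(self, coi):
        self.coi = {name: set(members) for name, members in coi.items()}
        self.held = {}  # consultant -> companies whose datasets they have accessed

    def classes_of(self, company):
        return {name for name, members in self.coi.items() if company in members}

    def may_access(self, consultant, company):
        held = self.held.get(consultant, set())
        if company in held:
            return True                   # dataset already held
        for cls in self.classes_of(company):
            if self.coi[cls] & held:      # a competitor in this class is already held
                return False
        return True                       # entirely different conflict classes

    def access(self, consultant, company):
        ok = self.may_access(consultant, company)
        if ok:
            self.held.setdefault(consultant, set()).add(company)
        return ok

    def conflicts(self):
        """Consultants now holding two companies of one class (after a reclassification)."""
        found = {}
        for who, held in self.held.items():
            for cls, members in self.coi.items():
                both = held & members
                if len(both) > 1:
                    found.setdefault(who, []).append((cls, sorted(both)))
        return found

def demo():
    wall = ChineseWall(COI)
    ann = [wall.access("ann", c) for c in ("IBM", "Glaxo", "Roche", "HSBC", "Glaxo")]
    wall.access("bob", "Citicorp")
    wall.coi["Banking"].add("Glaxo")      # Glaxo branches into banking
    return ann, wall.access("bob", "Glaxo"), wall.conflicts()

if __name__ == "__main__":
    print(demo())
```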

  17. Contents
      • Introduction to IT Security Policy
      • Model of Security Policies
      • Security Policy in practice
        • Creating the correct environment
        • Designing the policies
        • Elements of a Security Policy
        • A Sample Security Policy
        • Implementing the policies
        • Usable policies?
      • Special

  18. Creating the correct environment
      • Support from Management
      • Organizational Structure
        • grants security clearances
        • technical support team
        • emergency response team
        • system/security auditors
      • Financial Support/commitment
        • Security budget is usually the first to be cut!!!
      • An Organization Culture promoting better security

  19. Designing the Policies
      Factors affecting your decision
      • What is the security objective?
      • What are the operations of your organization?
      • What assets are you protecting?
      • What is the cost of the IT asset you are protecting?
      • What/who are you protecting against?
      • How much is your organization willing to invest?

  20. Elements of a Security Policy
      A security policy should contain:
      • The value of information & the organization's commitment to information security
      • The classification system
      • Accountabilities, authority and responsibilities of each (class of) affected personnel in their respective area of operations
      • A list of important security-related contacts
      • Conditions/Scope of policy review.

  21. A Sample Security Policy
      • Objective: To protect foobar organisation's Engineering systems against
        • Information leakage
        • Unauthorized modification from external sources
      • Scope:
        • Physical placement of Engineering computers and network equipment (including cables)
        • Control all accesses to both wired & wireless network and connected systems

  22. Sample Policy (2)
      • Applicability:
        • All equipment connected to the Engineering network
        • All personnel who have access to such equipment.
      • Classification:
        • Machines are classified either as secure or insecure.
        • Secured Classification does not span across departments.
      • Network Segmentation
        • All secure machines must be physically located where access is restricted.
        • All insecure machines may only connect to a secure machine through the company's firewall.
        • Wireless connections are insecure.

  23. Sample Policy (3)
      • Policies
        • All communications between secure & insecure machines must be properly encrypted.
        • Secure machines can only provide the following services unless otherwise stated.
          • ssh2 (between secure/insecure)
          • file/print-sharing (within secure segment)
        • All machines must be patched at least once a week.
      • Enforcement
        • Firewall will block all connections between secure/insecure except ssh
        • Port/security scanning will be done daily.

  24. Implementing the Policies
      Technology Support:
      • Filtering tools: firewalls, virus scanners, virus walls.
      • Auditing facilities: centralized loghost, logwatchers, NFR
      • IDS: tripwire, snort
      • Security Scanners: netsaint, nessus, nmap, ...
      Human Support:
      • User Involvement in decision making
      • User Education
      • Focus on managers
      • Honesty with staff
      • Encouragements
      • Discouragements
      • User agreements / Acceptable Use Policies

  25. Usable Security Policy?
      Whether a security policy is successful depends on whether it:
      • can be properly implemented (through use of technology or human auditing or practices, etc.)
      • matches the risk profile of the organization & asset
      • has a clear objective, a proper execution plan and is clearly communicated to the affected parties.
      • clearly states the responsibilities and limitations of each party, and lists important contacts for when extraordinary events occur.
      • gains the support of all parties involved
      • provides for future changes without being overly disruptive
      Be prepared to constantly review your policies!!!

  26. Contents
      • Introduction to IT Security Policy
      • Model of Security Policies
      • Security Policy in practice
      • Special
        • A case study of (part of) the School of Computing's security policy
        • A cracking demonstration

  27. Cracking
      Steps in Cracking
      • Footprinting
      • Scanning
      • Enumeration
      • Cracking

  28. References
      • Security Related Websites
        • http://www.securityfocus.com
        • http://www.cert.org
        • http://cve.mitre.org
        • http://www.phrack.org
        • http://www.rootshell.com
        • http://www.insecure.org
        • http://www.iss.net
        • http://www.security.org.sg
