Embed Size (px)
DESCRIPTION
Wee Yeh, Tan Unix Administrator School of Computing National University of Singapore. Information Technology Security Policy. Contents. Introduction to IT Security Policy What is a Security Policy? Security Objective Why do we need it? Model of Security Policies - PowerPoint PPT Presentation
Citation preview
Information Technology Security Policy
Wee Yeh, TanUnix Administrator
School of ComputingNational University of Singapore
Contents
● Introduction to IT Security Policy– What is a Security Policy?
– Security Objective
– Why do we need it?● Model of Security Policies● Security Policy in practice● Special
What is a Security Policy
An IT Security Policy is a set of practices and procedures that – reduce the likelihood of an attack or an incident
– in event of an incident, minimise the damage
Such a policy will (hopefully) influence– behaviour, procedures of operations and actions
– future decisions taken
Security Objectives
● Confidentiality. Information is only accessible to those who are authorized.
● Integrity. Information is protected against unauthorized modification.
● Availability. Information is available when it is needed.
Why do we need it?
● It involves the higher management● It's a great way to get one's ass covered● It's a good thing to show your clients (just like ISO9002)
Why do we really need it??
● They are a great benchmarking mechanism● They ensure consistency● They are great as a reference● They define acceptable use● They give security staff the backing of the higher
management● enough??
Contents
✔ Introduction to IT Security Policy● Model of Security Policies
– Lattice Model of Access Security
– Bell-LaPadula Confidentiality Model
– Biba's Integrity Model
– Clark & Wilson Model
– Chinese Wall Security Model● Security Policy in Practice● Special
Lattice Model of Access Security
A general model that provides a graphical representation of access control.
● Captures relationship between subordinates and departments.
● Transitive relationship allows superiors more access.
a
db
f
i
g
c
he
Bell-LaPadula (BLP)Confidentiality Model
BLP prevents information flowing downwards from a high-security level to a low-security level hence ensuring confidentiality.
Suppose C is a security class function and denotes an order,● simple security property (ss-property):
A subject s may have read access to an object o only if C(o) C(s).
● *-property:
A subject s who has read access to an object o may have write access to object p only if C(o) C(p).
BLP: How it works...
Assume that [a-i] denotes the security classification of both subjects & objects.
● An object o has clearance C(o) = g.● Any subject s with clearance C(s) g
has read access.● A subject s' s.t. C(s')=c may only
write with clearance g,c or a about object o.
● Anyone notice anything weird yet??
a
db
f
i
g
c
he
Biba Integrity Model
The Biba model addresses Integrity using a mechanism that is very similar to BLP.
Suppose I is an integrity class function and denotes an order,● simple security property (ss-property):
A subject s can modify an object o only if I(s) I(o).● *-property:
A subject s who has read access to an object o with integrity level I(o), s can have write access to object p only if I(o) I(p).
Clark & Wilson Model
● addresses security requirements of commercial applications● prevents unauthorized modification of data, fraud and errors.● Integrity is divided into:
– Internal consistency: properties of the internal state of a system that can be enforced by a computer
– External consistency: relations of internal state of a system to the real world that cannot be enforced by a computer.
● Mechanisms to enforce integrity are:– Well-formed transactions: data items can be manipulated
only by a specific set of programs
– Separation of duties: users have to collaborate to manipulate data or to collude to penetrate the security system.
Clark & Wilson: Example
Consider purchasing a computer system.
0) A purchasing clerk creates a Purchase Order and sends a copy to the vendor, cc to receiving department.
1) The receiving department receives the goods from the vendor, checks that everything is in order to the PO and signs the delivery form. The delivery form and PO is sent to the accounting department.
2) Vendor sends invoice to accounts. Clerk at accounts compares invoice with delivery form and sends payment.
Clark & Wilson: Notes
● Subjects have to be identified & authenticated.● Objects can be manipulated only by a restricted set of
programs.● Subjects can only execute a restricted set of programs.● A proper audit log has to be maintained.● The system has to be certified to work properly.
Chinese Wall Model
The Chinese Wall model was proplsed by Brewer & Nash in a consultancy business where analysts have to make sure that no conflict of interest arises when they are dealing with different clients.
Rule: There must be no information flow that causes a conflict of interest.
Access is granted only if object requested belongs to:– a company dataset already held by the user; or
– an entirely different conflict of interest class.
Chinese Wall: Example
● Consider 3 sectors: Tech, Pharma, and Banking.– Tech = {Microsoft, Sun, HP, IBM, Redhat}
– Pharma = {Glaxo, Roche, Pfizer}
– Banking = {Citicorp, Deutche Bank, HSBC, SC}● Any consultant can only choose up to one company from
each set.● What if Glaxo decides to branch into banking?
Contents
✔ Introduction to IT Security Policy✔ Model of Security Policies● Security Policy in practice
– Creating the correct environment
– Designing the policies
– Elements of a Security Policy
– A Sample Security Policy
– Implementing the policies
– Usable policies?● Special
Creating the correct environment
● Support from Management● Organizational Structure
– grants security clearances
– technical support team
– emergency response team
– system/security auditors● Financial Support/commitment
– Security budget is usually the first to be cut!!!● An Organization Culture promoting better security
Designing the Policies
Factors affecting your decision– What is the security objective?
– What are the operations of your organization?
– What assets you are protecting?
– What is the cost of the IT asset you are protecting?
– What/who are you protecting against?
– How much is your organization willing to invest?
Elements of a Security Policy
A security policy should contain:● The value of information & the organization's commitment to
information security● The classification system● Accountabilities, authority and responsibilities each (class of)
affected personnel in their respective area of operations● A list of important security-related contacts● Conditions/Scope of policy review.
A Sample Security Policy
● Objective:
To protect foobar organisation's Engineering systems against● Information leakage● Unauthorized modification from external sources
● Scope:– Physical placement of Engineering computers and network
equipment (including cables)
– Control all accesses to both wired & wireless network and connected systems
Sample Policy (2)● Applicability:
– All equipment connected to the Engineering network
– All personnels who have access to such equipment.● Classification:
– Machines are classified either as secure or insecure.
– Secured Classification does not span across departments.● Network Segmentation
– All secure machines must be physically located where access is restricted.
– All insecure machines may only connect to a secure machine through the company's firewall.
– Wireless connections are insecure.
Sample Policy (3)
● Policies– All communications between secure & insecure machines must
be properly encrypted.
– Secure machines can only provide the following services unless otherwise stated.
● ssh2 (between secure/insecure)● file/print-sharing (within secure segment)
– All machines must be patched at least once a week.● Enforcement
– Firewall will block all connections between secure/insecure except ssh
– Port/security scanning will be done daily.
Implementing the Policies
Human Support:● User Involvement in
decision making● User Education● Focus on managers● Honesty with staff● Encouragements● Discouragements● User agreements/
Acceptable Use Policies
Technology Support● Filtering tools: firewalls,
virus scanners, virus walls.● Auditing facilities:
centralized loghost, logwatchers, NFR
● IDS: tripwire, snort● Security Scanners:
netsaint, nessus, nmap, ...
Usable Security Policy?
Whether a security policy is successful depends on whether it:– can be properly implemented (thru use of technology or human
auditing or practices, etc)
– matches the risk profile of the organization & asset
– has a clear objective, a proper execution plan and is clearly communicated to the affected parties.
– clearly state the responsibilities and limitations of each party, lists important contacts when extra-ordinary events occur.
– gains the support of all parties involved
– provides for future changes without being overly disruptive
Be prepared to constantly review your policies!!!
Contents
✔ Introduction to IT Security Policy✔ Model of Security Policies✔ Security Policy in practice● Special
– A case study of (part of) the School of Computing's security policy
– A cracking demonstration
Cracking
Steps in Cracking
1. Footprinting
2. Scanning
3. Enumeration
4. Cracking
References
● Security Related Websites– http://www.securityfocus.com
– http://www.cert.org
– http://cve.mitre.org
– http://www.phrack.org
– http://www.rootshell.com
– http://www.insecure.org
– http://www.iss.net
– http://www.security.org.sg
![PHYSICAL SECURITY & ENVIRONMENTAL SECURITY · Physical Security & Environmental Security Policy and Procedures Title [company name] Physical Security & Environmental Security Policy](https://img.pdfslide.us/doc/110x75/5b5559c77f8b9ac5358b71e4/physical-security-environmental-security-physical-security-environmental.jpg)
