Security Policies Paul Hogan Ward Solutions
Agenda
- 09:30-10:10 Security Policies
- 10:10-10:30 Veritas
- 10:30-10:45 Break
- 10:45-11:55 Securing your Server
- 11:55-12:15 Sybari
- 12:15-13:00 (item not given on the slide)
Security Management: The Past
1st Generation: GATES, GUNS & GUARDS
- Focus: physical vulnerabilities and data confidentiality
- Tools: locks, burglar alarms, mainframe security
- Weakness: slow response, no protection from electronic threats
2nd Generation: TACTICAL SECURITY DEPLOYMENTS
- Focus: electronic vulnerabilities and intrusion
- Tools: firewalls, anti-virus software and intrusion detection systems
- Weakness: only protect against known electronic threats; not current
Security Management: Today
(Builds on the 1st and 2nd generations above.)
Next Generation: STRATEGIC SECURITY PROCESSES
- Assuring compliance
- Managing risk
- Securing assets
Why Does Network Security Fail?
Network security fails in several common areas, including:
- Human awareness
- Policy factors
- Hardware or software misconfigurations
- Poor assumptions
- Ignorance
- Failure to stay up-to-date
Understanding the Components of IT Security
Security policy model: Policy, Process, Technology, supported by Implementation, Documentation and Operations.
- Start with policy
- Build process
- Apply technology
Implementing IT Security
Compare each area to standards and best practices:
- Security policy: what you must do
- Documented procedures: what you say you do
- Operations: what you really do
Policy Drives Everything
Regulatory sources drive policies; policies drive management, organisational and technical controls; controls drive activity, processes and procedures.
Control areas covered: risk management, contingency planning, incident response, physical security, personnel security, certification/verification, access control, identification & authentication, auditing, encryption, incident detection, networking, information classification, communications, acceptable use, perimeter security.
Core Components
- People: skills, roles, and responsibilities
- Processes: consistent and repeatable
- Technology: products, tools, and automation
Security Controls… The management, operational, and technical safeguards and countermeasures prescribed for an information system which, taken together, adequately protect the confidentiality, integrity, and availability of the system and its information…
What Are Information Security Policies?
- Management instructions (AKA directives)
- Formal ways to say "This is how we do it here"
- Tech talk: generalised requirements statements
- Not system settings for firewalls and other gear
- More general than procedures and standards
- Unlike guidelines, policies are mandatory
- Unlike architectures, policies are product independent
Real World Cases Where Policies Made A Big Difference
- Lazy government clerk fired for downloading pornography
- IT manager becomes consultant for former employer
- Joke list circulation causes sexual harassment suit
- Major newspaper notices rival gets scoop stories
- Virus hoax message floods computer manufacturer's network
- Stolen disk drive causes severe public relations problem
- Revealed preference information causes dishonorable discharge
Top 10 Information Security Policies To Protect Your Organisation Against Cyber-Terrorism
1. Perform background checks for all workers
2. Maintain a low profile in the public's eyes
3. Wear a badge when inside company X offices
4. Update and test information systems contingency plans
5. Store critical production data securely at an off-site location
6. Install the latest patches on systems located on the network periphery
7. Install and monitor intrusion detection systems
8. Turn on a minimum level of system event logging
9. Assign explicit responsibility for information security tasks
10. Perform periodic risk assessments for critical systems
The Issues with Policies Today
- Lack of resources
- Lack of authority
- Incomplete and out-of-date
- No official corporate-wide approval process
- Mergers and acquisitions
- Same topic covered in multiple documents
- Contradictions
- Unenforceable
Chernobyl, April 25-26, 1986: Ineffective Controls
- April (time missing on slide): initial alerts and warnings about overload
- April (time missing on slide): without following SOP, operators disconnect the Emergency Core Cooling System; no manager approved continued operation
- April, 0100 hrs: emergency protection signals suppressed by operators
- April, 0119 hrs: excessive radioactivity ignored by operators
- April, 0123:48: explosion occurs, followed by a second explosion
[Images: Inside Chernobyl's I Block Control Room, 1985; Chernobyl's Reactor 4, 1986; Deserted city of Pripyat with Chernobyl in the background, 1987; Chernobyl Reactor 4 sarcophagus, 1996]
Understanding Defense-in-Depth
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
Layers (outermost to innermost) and the controls at each:
- Policies, procedures, and awareness: security policies, procedures, and education
- Physical security: guards, locks, tracking devices
- Perimeter: firewalls, border routers, VPNs with quarantine procedures
- Internal network: network segments, NIDS
- Host: OS hardening, authentication, security update management, antivirus updates, auditing
- Application: application hardening
- Data: strong passwords, ACLs, backup and restore strategy
Reasons To Have Awareness & Training
- Leverage the power of people to protect your organization
- Overcome natural impulses and trained politeness
- Provide substantive instructions instead of simply sensitization
- Untrained workers are now in positions of great responsibility
- Information security is an unnatural act
- Create a security mindset so workers can act the right way
- Make it clear that information security is mandatory, not voluntary
- Force management to recognize that people are part of the solution
- Technology is useless unless properly managed (e.g. patches)
- Make the critical role of the user crystal clear: the front line of defense!
A Final Consideration: Does Security Awareness Work?
Consider AA Flight 63, Paris to Miami, 22 December 2001 (the attempted shoe-bomb attack, stopped by alert cabin crew and passengers).
Questions and Answers