CIT 380: Securing Computer Systems
Policies


Slide #2: Security Planning
1. Planning to address security needs.
2. Risk assessment.
3. Crafting policies to reflect risks and needs.
4. Implementing security.
5. Audit and incident response.

Slide #3: Which Aspects are Important: CIA?

Slide #4: Risk Assessment
1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How well does each potential security solution mitigate those risks?
4. What other risks do the security solutions impose on me?
5. What costs and trade-offs do the security solutions create?

Slide #5: Identifying Assets
Tangibles
–Computers
–Data
–Backups
–Printouts
–Software media
–HR records
Intangibles
–Privacy
–Passwords
–Reputation
–Goodwill
–Performance

Slide #6: Identifying Risks
Loss of key personnel
Loss of key vendor or service provider
Loss of power
Loss of phone / network
Theft of laptops, USB keys, backups
Introduction of malware
Hardware failure
Software bugs
Network attacks

Slide #7: Risk Analysis Notes
Update your risks regularly
–Business, technology changes alter risks.
Too many risks to defend against.
–Rank risks to decide which ones to mitigate.
–Insure against some risks.
–Accept other risks.

Slide #8: Cost-Benefit Analysis
Cost of a Loss
–Direct cost of lost hardware.
–Cost of idle labor during outage.
–Cost of time to recover.
–Cost to reputation.
Probability of a Loss
–Insurance/power companies have some stats.
–Records of past experience.
Cost of Prevention
–Remember that most risks cannot be eliminated.

Slide #9: Best Practices
Risk analysis is difficult and uncertain.
Follow best practices or due care
–Firewall required as insurance company due care.
–Update patches, anti-virus.
–Organizations differ in what they need.
Combine best practices + risk analysis.

Slide #10: Security Policy
Security policy partitions system states into:
–Authorized (secure)
  These are states the system is allowed to enter.
–Unauthorized (nonsecure)
  If the system enters any of these states, it’s a security violation.
Secure system
–Starts in authorized state.
–Never enters unauthorized state.

Slide #11: Role of Policy
1. Identifies what is being protected and why.
2. States responsibility for protection.
3. Provides ground on which to interpret and resolve later conflicts.

Slide #12: Policy vs. Mechanism
Security Policy
–Statement that divides system into authorized and unauthorized states.
Mechanism
–Entity or procedure that enforces some part of a security policy.
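An added example, not part of the original slides: the definitions on slides #10 and #12 modeled as a small state machine in Python. The users, file names and the `check_owner` switch are constructed for illustration; the search reports whether an unauthorized state is reachable when the mechanism enforces the policy and when it is misconfigured.

```python
from collections import deque

# Constructed toy system: a state is (user, authenticated, open_file).
# All names are hypothetical; none come from the slides.
OWNER = {"memo_a.txt": "alice", "memo_b.txt": "bob"}

def authorized(state):
    """Policy: a file may be open only for its authenticated owner."""
    user, authed, open_file = state
    return open_file is None or (authed and OWNER[open_file] == user)

def transitions(state, check_owner):
    """Mechanism: the moves the system actually permits from a state."""
    user, authed, open_file = state
    if not authed:
        yield "login", (user, True, None)
        return  # unauthenticated users can only log in
    if open_file is None:
        for f in OWNER:
            # check_owner=False models a misconfigured access check.
            if not check_owner or OWNER[f] == user:
                yield f"open {f}", (user, True, f)
    else:
        yield "close", (user, True, None)
    yield "logout", (user, False, None)

def find_violation(start, check_owner):
    """Breadth-first search for a reachable unauthorized state.

    Returns the shortest list of actions that ends in a violation, or
    None if every reachable state is authorized (the system is secure).
    """
    if not authorized(start):
        return []  # a secure system must start in an authorized state
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, path = queue.popleft()
        for action, nxt in transitions(state, check_owner):
            if not authorized(nxt):
                return path + [action]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [action]))
    return None

if __name__ == "__main__":
    start = ("alice", False, None)
    print("enforcing mechanism:   ", find_violation(start, check_owner=True))
    print("misconfigured mechanism:", find_violation(start, check_owner=False))
```

The policy (`authorized`) is identical in both runs; only the mechanism changes, which is why the same written policy can hold in one deployment and be violated in another.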

Slide #13: Dirty Politics
Republican Senate staffers gained access to Democrat computer files in 2002-2003.
–Both parties shared a computer server.
–A 2001 misconfiguration allowed access without a password.
–Defence: "The bottom line here is that the technology staff of the Democrats was negligent. They put these memos in a shared hard drive. It was like putting the memos on our desk." – Manuel Miranda

Slide #14: Developing a Policy
Assign responsibility
–Need to know who is responsible for protecting what, e.g. users for their own accounts.
–Authority needs to accompany responsibility.
Be positive
–People respond better to "do" than "don't".
Consider user needs
–Privacy, protecting PII
Need to educate users.

Slide #15: Security Perimeter
Perimeter defines what is within your control.
Historically
–Within walls of building or fences of campus.
–Within router that connects to ISP.
Modern perimeters are more complex
–Laptops, PDAs.
–USB keys, CDs, DVDs, portable HDs.
–Wireless networks.
–Home PCs that connect to your network.

Slide #16: Defense in Depth
Firewall/IDS protect perimeter.
Perimeter security is not sufficient.
–What if someone brings infected laptop to work?
–What if home user bridges your net to Internet?
Defense in Depth
–Multiple, independent layers of protection.
–Network firewall + personal firewall + IDS

Slide #17: Compliance Audits
Your policy is great, but is it being followed?
Audit your systems and personnel regularly.
Audit failures may result from
–Personnel shortcomings
  Insufficient education or overwork
–Material shortcomings
  Insufficient resources or maintenance
–Organizational shortcomings
  Lack of authority, conflicting responsibilities
–Policy shortcomings
  Unforeseen risks, missing or conflicting policies

Slide #18: Key Points
Policy divides system into
–Authorized (secure) states.
–Unauthorized (insecure) states.
Policy vs Mechanism
–Policy: describes what security is.
–Mechanism: how security policy is enforced.
Written policy and enforced policy will differ.
–Compliance audits look for those differences.
Security Perimeter
–Describes what is within your control.
–Defense in depth: defend perimeter and inside.


