Security Policies. Paul Hogan, Ward Solutions. Agenda: 09:30-10:10 Security Policies; 10:10-10:30 Veritas; 10:30-10:45 Break; 10:45-11:55 Securing your Server.


1 Security Policies Paul Hogan Ward Solutions

2 Agenda
- 09:30-10:10 Security Policies
- 10:10-10:30 Veritas
- 10:30-10:45 Break
- 10:45-11:55 Securing your Server
- 11:55-12:15 Sybari
- 12:15-13:00

3 Security Management – The Past (timeline: 1980, 1990)
1st Generation: GATES, GUNS & GUARDS
- Focus on physical vulnerabilities and data confidentiality
- Tools: locks, burglar alarms, mainframe security
- Weakness: slow response, no protection from electronic threats
2nd Generation: TACTICAL SECURITY DEPLOYMENTS
- Focus on electronic vulnerabilities and intrusion
- Tools: firewalls, anti-virus software & intrusion detection systems
- Weakness: only protect from known electronic threats; not current

4 Security Management – Today (timeline: 1980, 1990)
1st Generation: GATES, GUNS & GUARDS
- Focus on physical vulnerabilities and data confidentiality
- Tools: locks, burglar alarms, mainframe security
- Weakness: slow response, no protection from electronic threats
2nd Generation: TACTICAL SECURITY DEPLOYMENTS
- Focus on electronic vulnerabilities and intrusion
- Tools: firewalls, anti-virus software & intrusion detection systems
- Weakness: only protect from known electronic threats; not current
Next Generation: STRATEGIC SECURITY PROCESSES
- Assuring Compliance
- Managing Risk
- Securing Assets

5 Why Does Network Security Fail?
Network security fails in several common areas, including:
- Human awareness
- Policy factors
- Hardware or software misconfigurations
- Poor assumptions
- Ignorance
- Failure to stay up-to-date

6 Understanding Components of IT Security
Security Policy Model (diagram labels): Policy, Process, Technology, Implementation, Documentation, Operations
- Start with policy
- Build process
- Apply technology

7 Implementing IT Security
Compare each area to standards and best practices:
- Security policy: what you must do
- Documented procedures: what you say you do
- Operations: what you really do

8 Policy Drives Everything
Diagram labels: Regulatory Sources; Policies; Management Controls; Organisational Controls; Technical Controls; Activity, Processes, Procedures
Control areas shown: Risk management, Contingency planning, Incident response, Physical security, Personnel security, Certification/verification, Access control, ID & authentication, Auditing, Encryption, Incident detection, Networking, Information classification, Communications, Acceptable use, Perimeter security, Incident response

9 Core Components
- Technology: Products, Tools, and Automation
- Processes: Consistent and Repeatable
- People: Skills, Roles, and Responsibilities

10 Security Controls… The management, operational, and technical safeguards and countermeasures prescribed for an information system which, taken together, adequately protect the confidentiality, integrity, and availability of the system and its information…

11 What Are Information Security Policies?
- Management instructions (AKA directives)
- Formal ways to say "This is how we do it here"
- Tech talk: generalised requirements statements
- Not systems settings for firewalls & other gear
- More general than procedures & standards
- Unlike guidelines, policies are mandatory
- Unlike architectures, policies are product independent

12 Real World Cases… Where Policies Made A Big Difference
- Lazy government clerk fired for downloading pornography
- IT manager becomes consultant for former employer
- Joke list circulation causes sexual harassment suit
- Major newspaper notices rival gets scoop stories
- Virus hoax message floods computer manufacturer net
- Stolen disk drive causes severe public relations problem
- Revealed preference info causes dishonorable discharge

13 Top 10 Information Security Policies To Protect Your Organisation
6. Install latest patches on systems located on network periphery
7. Install and monitor intrusion detection systems
8. Turn on minimum level of systems event logging
9. Assign explicit responsibility for information security tasks
10. Perform periodic risk assessments for critical systems

14 Top 10 Information Security Policies To Protect Your Organisation Against Cyber-Terrorism
1. Perform background checks for all workers
2. Maintain a low profile in the public's eyes
3. Wear a badge when inside company X offices
4. Update & test information systems contingency plans
5. Store critical production data securely at off-site location

15 The Issues with Policies Today
- Lack of resources
- Lack of authority
- Incomplete & out-of-date
- No official corporate-wide approval process
- Mergers & acquisitions
- Same topic covered in multiple documents
- Contradictions
- Unenforceable

16 Chernobyl – April 25-26, 1986: Ineffective Controls
- April 25 @ 1300 hrs: Initial alerts and warnings about overload
- April 25 @ 1400 hrs: Without following SOP, operators disconnect Emergency Core Cooling System; no manager approved continued operation
- April 26 @ 0100 hrs: Emergency protection signals suppressed by operators
- April 26 @ 0119 hrs: Excessive radioactivity ignored by operators
- April 26 @ 0123:48: Explosion occurs followed by second explosion
Photo captions: Inside Chernobyl’s I Block Control Room, 1985; Chernobyl’s Reactor 4, 1986; Deserted City of Pripyat, Chernobyl in Background, 1987; Chernobyl Reactor 4 Sarcophagus, 1996

17 Understanding Defense-in-Depth
Using a layered approach:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success
Layers and example controls:
- Policies, procedures, and awareness: security policies, procedures, and education
- Physical security: guards, locks, tracking devices
- Application: application hardening
- Host: OS hardening, authentication, security update management, antivirus updates, auditing
- Internal network: network segments, NIDS
- Perimeter: firewalls, border routers, VPNs with quarantine procedures
- Data: strong passwords, ACLs, backup and restore strategy

18 Reasons To Have Awareness & Training
- Leverage the power of people to protect your organization
- Overcome natural impulses & trained politeness
- Provide substantive instructions instead of simply sensitization
- Untrained workers now in positions of great responsibility
- Information security is an unnatural act
- Create security mindset so workers can act the right way

19 Reasons To Have Awareness & Training
- Make it clear that info security is mandatory, not voluntary
- Force management to recognize that people are part of solution
- Technology is useless unless properly managed (patches)
- Make critical role of user crystal clear: front line of defense!

20 A Final Consideration: Does Security Awareness Work? Consider… AA Flight 63 Paris – Miami (12/24/01)

21 Questions and Answers

