
1. Policy Types
• Program
• Issue Specific
• System
• Overall
• Most Generic User Policies should be publicized
• Internal Operations Policies should be kept inside

2. Security Models
• Lattice Based Models
• Non-Interference Models
• Access Rights Propagation Models
• Multilevel Data Models
• Integrity Models
• Miscellaneous Models
  – Ntree
  – group authorization

3. Application of Security Models
• Academic
• Corporate
• Federal

4. Developing Policy with Security Models
• Internetworking may violate policies
  – General Connectivity
  – Mobile Code
• Incorporate General Models to Policy

5. Tools For Risk Analysis
• Host Security Audits
  » mis-configurations
  » insider threats
  » Access Controls
• Software Audits
  » Code Audits
• Network diagnostics and diagramming
  » tcpdump, snoop, scotty, snmp, etc.
• Using “underground tools” to determine the vulnerability of your site
• Uses multiple strategies for site protection

6. Solutions Resulting from Risk Analysis
• Account Management
  – Passwords
  – Automated account creation/deletion procedures
• Education
  – Security Mailing Lists
  – References
• Encryption
  – Authentication
  – Data Encryption

7. Enforcement of Policy
• Modularize technology solution and make the policy document technology-neutral
• Design technology so that it supports the policy. (Not the other way around.)
• Enlist the support of management and legal bodies for the policy
• Have the policy focus on intent rather than details

8. Amending Policy
• Create an annual review panel
• Consider the policy as a “Living Document”
• Educate at all levels

9. Policy Breach
• Lock/Suspend Accounts
• Delete Accounts
• Reprimand user
• Formally reprimand user
• Remove the user
• Pursue the action legally

10. Dealing with Law Enforcement
• Follow the guidelines for recording evidence
• Assess Damage and Remove Vulnerabilities
  – “Cleanup and Containment”
• Notify superiors of your intent to cooperate with Law Enforcement or other parties involved in incidents

11. Pursuing and Prosecuting
• Pursue Incident if
  » systems and assets are protected
  » backups exist
  » concentrated and frequent attack
  » incur financial damage
  » intruder can be contained and controlled
  » good monitors exist
• Don’t Pursue incident if
  » No sufficient evidence
  » Site is not well protected
  » The willingness to prosecute doesn’t exist
  » Site is vulnerable to lawsuits
  » Resources unknown

12. Policy for Gathering Evidence
• Document all details regarding an incident
• Vary monitoring techniques and times
• Establish post-incident operating procedures for
  – system administrators
  – operators
  – users
  – decide how to handle compromised system(s)
• Record details via logs
  – system events
  – time stamped actions taken by the attacker and yourself
  – phone conversations - date, time, person, subject

13. Maryland State Statutes
• Article 27. Crimes and Punishments
  – Section 146 Unauthorized access to computers prohibited

14. Federal Statutes
• Federal State Statutes that apply
  – Title 15 Commerce and Trade
  – Title 17 Copyright
  – Title 18 Crimes and Criminal Procedures
    • Ch 5 Arson
    • Ch 31 Embezzlement and Theft
    • Ch 37 Espionage and Censorship
    • Ch 47 Fraud and False Statements
    • Ch 63 Mail Fraud
    • Ch 65 Malicious Mischief
    • Ch 101 Records and Reports
    • Ch 105 Sabotage
    • Ch 113 Stolen Property

15. Federal Statutes
• Ch 119 Wire and Electronic Communications Interception and Interception of Oral Communications
• Ch 206 Pen Registers and Trap and Trace Devices

16. Federal Statutes
– Title 42 The Public Health and Welfare
  » Ch 21A Privacy Protection
– Title 47 Telegraphs, Telephones, and Radiotelegraphs
  » Ch 5 Wire or Radio Communications
– Public Law 103-414 Communications Assistance for Law Enforcement Act
  » Title I Interception of Digital and Other Communications
  » Title II Amendments to Title 18 United States Code
  » Title III Amendments to the Communications Act of 1934

17. Coordinating with other Bodies
• State - Federal Contacts
• Academia
• Network Service Providers

18. Legal/Policy References
• Spafford text Appendix
• RFC 1244

