Published by Elaine Hardy. Modified over 9 years ago.

1 Policy Types
- Program
- Issue Specific
- System
- Overall
- Most Generic User Policies should be publicized
- Internal Operations Policies should be kept inside

2 Security Models
- Lattice Based Models
- Non-Interference Models
- Access Rights Propagation Models
- Multilevel Data Models
- Integrity Models
- Miscellaneous Models
  - Ntree
  - group authorization

3 Application of Security Models
- Academic
- Corporate
- Federal

4 Developing Policy with Security Models
- Internetworking may violate policies
  - General Connectivity
  - Mobile Code
- Incorporate General Models to Policy

5 Tools For Risk Analysis
- Host Security Audits
  - mis-configurations
  - insider threats
  - Access Controls
- Software Audits
  - Code Audits
- Network diagnostics and diagramming
  - tcpdump, snoop, scotty, snmp, etc.
- Using “underground tools” to determine the vulnerability of your site
- Uses multiple strategies for site protection

6 Solutions Resulting from Risk Analysis
- Account Management
  - Passwords
  - Automated account creation/deletion procedures
- Education
  - Security Mailing Lists
  - References
- Encryption
  - Authentication
  - Data Encryption

7 Enforcement of Policy
- Modularize technology solution and make the policy document technology-neutral
- Design technology so that it supports the policy. (Not the other way around.)
- Enlist the support of management and legal bodies for the policy
- Have the policy focus on intent rather than details

8 Amending Policy
- Create an annual review panel
- Consider the policy as a “Living Document”
- Educate at all levels

9 Policy Breach
- Lock/Suspend Accounts
- Delete Accounts
- Reprimand user
- Formally reprimand user
- Remove the user
- Pursue the action legally

10 Dealing with Law Enforcement
- Follow the guidelines for recording evidence
- Assess Damage and Remove Vulnerabilities
  - “Cleanup and Containment”
- Notify superiors of your intent to cooperate with Law Enforcement or other parties involved in incidents

11 Pursuing and Prosecuting
- Pursue Incident if
  - systems and assets are protected
  - backups exist
  - concentrated and frequent attack
  - incur financial damage
  - intruder can be contained and controlled
  - good monitors exist
- Don’t Pursue incident if
  - No sufficient evidence
  - Site is not well protected
  - The willingness to prosecute doesn’t exist
  - Site is vulnerable to lawsuits
  - Resources unknown

12 Policy for Gathering Evidence
- Document all details regarding an incident
- Vary monitoring techniques and times
- Establish post-incident operating procedures for
  - system administrators
  - operators
  - users
  - decide how to handle compromised system(s)
- Record details via logs
  - system events
  - time stamped actions taken by the attacker and yourself
  - phone conversations - date, time, person, subject

13 Maryland State Statutes
- Article 27. Crimes and Punishments
  - Section 146 Unauthorized access to computers prohibited

14 Federal Statutes
- Federal State Statutes that apply
  - Title 15 Commerce and Trade
  - Title 17 Copyright
  - Title 18 Crimes and Criminal Procedures
    - Ch 5 Arson
    - Ch 31 Embezzlement and Theft
    - Ch 37 Espionage and Censorship
    - Ch 47 Fraud and False Statements
    - Ch 63 Mail Fraud
    - Ch 65 Malicious Mischief
    - Ch 101 Records and Reports
    - Ch 105 Sabotage
    - Ch 113 Stolen Property

15 Federal Statutes
- Ch 119 Wire and Electronic Communications Interception and Interception of Oral Communications
- Ch 206 Pen Registers and Trap and Trace Devices

16 Federal Statutes
- Title 42 The Public Health and Welfare
  - Ch 21A Privacy Protection
- Title 47 Telegraphs, Telephones, and Radiotelegraphs
  - Ch 5 Wire or Radio Communications
- Public Law 103-414 Communications Assistance for Law Enforcement Act
  - Title I Interception of Digital and Other Communications
  - Title II Amendments to Title 18 United States Code
  - Title III Amendments to the Communications Act of 1934

17 Coordinating with other Bodies
- State - Federal Contacts
- Academia
- Network Service Providers

18 Legal/Policy References
- Spafford text Appendix
- RFC 1244