2/26/2004
Konstantin Rozinov ( konstantin@rozinov.com
)
Yuliya Starobinets ( ystarobinets@yahoo.com
)
Polytechnic University - CS996 1

Outline of Presentation
• Introduction to Security Policy
– Definitions, types, elements.
• The necessity of a Security Policy.
– Why its needed.
• Example: Email Use Policy
– Analysis and critique
• Example: State of PA, ITB B.5
– Analysis and critique
• Closing Comments
2/26/2004 Polytechnic University - CS996 2

What is a Security Policy?
• A security policy is a set of rules stating which actions are permitted and which are not. It is a statement that partitions the states of a system into a set of authorized or secure states and a set of unauthorized or non-secure states.
– Can be informal or highly mathematical.
• A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
• A breach of security occurs when a system enters an unauthorized state.
• We expect a trusted system to enforce the required security policies.
2/26/2004 Polytechnic University - CS996 3

Elements of a Security Policy
• A security policy considers all relevant aspects of confidentiality, integrity and availability.
• Confidentiality policy: Identifies information leakage and controls information flow.
• Integrity Policy: Identifies authorized ways in which information may be altered. Enforces separation of duties.
• Availability policy: Describes what services must be provided.
– For example, a browser may download pages but not Java applets.
2/26/2004 Polytechnic University - CS996 4

Types of Security Policies
• A military security policy (also called government security policy) is a security policy developed primarily to provide confidentiality.
– Not worried about trusting the object as much as disclosing the object.
• A commercial security policy is a security policy developed primarily to provide integrity.
– Focuses on how much the object can be trusted.
2/26/2004 Polytechnic University - CS996 5

Mechanism vs. Security Policy
• Mechanism should not be confused with policy.
• A security mechanism is an entity or procedure that enforces some part of a security policy.
– MasterCard has the Site Data Protection (SDP) Program.
( https://sdp.mastercardintl.com/
)
– Firewalls, access control, permissions, roles.
– Logging facilities, such as syslog.
– Spam and website filters, proxies.
• Many policies are about how technology operates, others are about what people do.
• In either case, enforcement mechanisms may be technical or procedural. For example, a firewall may enforce certain rules, but part of the enforcement is the procedure to set up and maintain configurations. On the other side, tools that automatically log urls can be used to enforce policies like banning porn sites
2/26/2004 Polytechnic University - CS996 6

• A policy is typically a document that outlines specific requirements or rules that must be met.
– point-specific, covers a single area
• A standard is typically collections of system-specific or procedural-specific requirements that must be met by everyone.
• A guideline is typically a collection of system specific or procedural specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended.
• Effective security policies make frequent references to standards and guidelines that exist within an organization.
2/26/2004 Polytechnic University - CS996 7

• At a local newspaper...
– A local newspaper had no policy requiring the termination of user-ID and password privileges after an employee left.
– A senior reporter left the newspaper, and shortly thereafter, the newspaper had trouble because the competition consistently picked-up on their exclusive stories (scoops).
– An investigation of the logs revealed that the former employee had been consistently accessing their computer to get ideas for stories at his new employer.
2/26/2004 Polytechnic University - CS996 8

(cont’d)
• At a government agency...
– A clerk spent a great deal of time surfing the Internet while on the job. Because there was no policy specifying what constituted excessive personal use, management could not discipline this employee.
– Then management discovered that the clerk had downloaded a great deal of pornography. Using this as a reason, management fired him.
– The clerk chose to appeal the termination with the Civil Service
Board, claiming that he couldn't be fired because he had never been told that he couldn't download pornography.
– After a Civil Service hearing, the Board ordered him to be reinstated with back pay.
2/26/2004 Polytechnic University - CS996 9

• Security policies are the foundation of your secure infrastructure. Your security policies serve as a guide and a reference point to numerous security tasks in your organization
• Without security policies, no enforcement of security configurations or standards can be made. By establishing a policy, you are implying that enforcement can or will follow. Without security policies, enforcement of them is not possible.
2/26/2004 Polytechnic University - CS996 10

It’s All In The Details!
• The computer security policy need to be detailed . The security policy such as “Computer systems are not to be used for personal use” needs to be explained.
– What constitutes personal use could be interpreted differently.
• A computer security policy should provide guidelines in specific topics such as management’s position on:
– Downloading and viewing pornography.
– Sending and forwarding jokes (or other non-essential business correspondence).
– Viewing stock prices.
– Sending and viewing personal e-mail.
– Use of computer for on line shopping during break times.
2/26/2004 Polytechnic University - CS996 11

• A computer security policy gives users a clear understanding of allowed activities.
• If an employee is dismissed for inappropriate actions, a computer security policy that has been communicated to computer users will save time in legal disputes.
2/26/2004 Polytechnic University - CS996 12

Security Policy Basics
• All security policies need to be written down .
– Policies that exist in someone's head are not really policies.
• When your organization has finished developing security policies, and right when you think you can breathe easy, it will be time to update your security policies.
• New technology - make sure your security policies still make sense for your new infrastructure.
• Evaluating new equipment - make sure that the new equipment can properly be configured to meet your security requirements.
– if it can't, you may want to consider purchasing alternative products.
2/26/2004 Polytechnic University - CS996 13

Policy Structure
• Dependent on company size and goals.
• One large document or several small ones?
– smaller documents are easier to maintain/update
• Some policies appropriate for every site, others are specific to certain environments.
14 2/26/2004 Polytechnic University - CS996

Where to Start?
• The first issue revolves around the content and structure of the policies themselves: Are they complete? Are they fully up to date? Do they reflect your needs?
• There are a number of possible routes available when creating the policies, ranging from off the shelf purchase, to carefully crafting every clause and sentence.
• The most cost effective way is often to procure a set of pre-written policies , and then tailor them as necessary to meet specific cultural and functional needs.
– Why re-invent the wheel and proceed down a more complex route than is really necessary?
2/26/2004 Polytechnic University - CS996 15

• Good computer programs are copied from other good programs.
• The skill of a programmer is not how effectively they can write code but how well they can incorporate the best routines of other programs to make a useful application.
• A good security policy documents are not written but are copied from other security policy documents.
2/26/2004 Polytechnic University - CS996 16

• The security requirements of computer systems owned and operated by one organization will almost certainly differ from the requirements of another organization.
• It is therefore important that each organization formulates its own Computer Security Policy.
17 2/26/2004 Polytechnic University - CS996

• Use http://www.sans.org/resources/policies/
• What is the SANS Institute?
– The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization. The SANS Institute enables more than 156,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community.
• SANS has received permission to provide sanitized security policies from a large organization.
• They should form a good starting point if you need one of these policies.
2/26/2004 Polytechnic University - CS996 18

Available policy templates:
2/26/2004 Polytechnic University - CS996 19

Available policy templates:
(cont’d)
2/26/2004 Polytechnic University - CS996 20

• <angle brackets> should be replaced with the appropriate name from your organization.
• The term “InfoSec” is used through out these documents to refer the team of people responsible for network and information security.
Replace with the appropriate group name from your organization.
• Any policy name that is in italics is a reference to a policy that is also available on the SANS site.
2/26/2004 Polytechnic University - CS996 21

Example: Email Use Policy
• Generally the company E-mail systems are a high risk area due to their constant availability to the outside world, and the risk is often two-fold.
• Exposes company mail addresses and (mail) systems to potential attackers.
• Number one entry point from which most of the malicious programs are entering the company.
• E-mail systems are a potential way to leak company proprietary information, intentionally or accidentally (and software exists to flag such things). Also, because of the risk to company image.
2/26/2004 Polytechnic University - CS996 22

Example: Email Use Policy
(cont’d)
• 1.0 Purpose
– To prevent tarnishing the public image of
<COMPANY NAME>. When email goes out from
<COMPANY NAME> the general public will tend to view that message as an official policy statement from the <COMPANY NAME>.
• 2.0 Scope
– This policy covers appropriate use of any email sent from a <COMPANY NAME> email address and applies to all employees, vendors, and agents operating on behalf of <COMPANY NAME>.
2/26/2004 Polytechnic University - CS996 23

Example: Email Use Policy
(cont’d)
• 3.0 Policy
– 3.1 Prohibited Use.
• The <COMPANY NAME> email system shall not to be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any <COMPANY NAME> employee should report the matter to their supervisor immediately.
2/26/2004 Polytechnic University - CS996 24

• Prohibited Use:
– Using email for conducting personal business.
– Using email for purposes of political lobbying or campaigning.
– Violating copyright laws by inappropriately distributing protected works.
– Posing as anyone other than oneself when sending email, except when authorized to send messages for another when serving in an administrative support role.
– The use of unauthorized e-mail software.
2/26/2004 Polytechnic University - CS996 25

– Prohibited Use:
• Sending or forwarding chain letters.
• Sending unsolicited messages to large groups except as required to conduct agency business.
• Sending excessively large messages
• Sending or forwarding email that is likely to contain computer viruses.
2/26/2004 Polytechnic University - CS996 26

– Individuals must not send, forward or receive confidential or sensitive <COMPANY NAME> information through non-<COMPANY NAME> email accounts. Examples of non-
<COMPANY NAME> email accounts include, but are not limited to, Hotmail, Yahoo mail,
AOL mail, and email provided by other
Internet Service Providers (ISP).
2/26/2004 Polytechnic University - CS996 27

– Individuals must not send, forward, receive or store confidential or sensitive <COMPANY
NAME> information utilizing non-<COMPANY
NAME> accredited mobile devices. Examples of mobile devices include, but are not limited to, Personal Data Assistants, two-way pagers and cellular telephones.
2/26/2004 Polytechnic University - CS996 28

Example: Email Use Policy
(cont’d)
– 3.2 Personal Use.
• Using a reasonable amount of <COMPANY NAME> resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email.
• Sending chain letters or joke emails from a <COMPANY
NAME> email account is prohibited.
• Virus or other malware warnings and mass mailings from
<COMPANY NAME> shall be approved by <COMPANY
NAME> VP Operations before sending. These restrictions also apply to the forwarding of mail received by a
<COMPANY NAME> employee.
2/26/2004 Polytechnic University - CS996 29

Example: Email Use Policy
(cont’d)
– 3.3 Monitoring
• <COMPANY NAME> employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
<COMPANY NAME> may monitor messages without prior notice. <COMPANY NAME> is not obliged to monitor email messages.
2/26/2004 Polytechnic University - CS996 30

• Make an addition to the template:
– All sensitive <COMPANY NAME> material transmitted over external networks must be encrypted.
2/26/2004 Polytechnic University - CS996 31

Example: Email Use Policy
(cont’d)
4.0 Enforcement
– Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
2/26/2004 Polytechnic University - CS996 32

Doesn’t Handle Non-Employees
• Need to change template:
– 4.0 Enforcement
• Violation of this policy may result in disciplinary action which may include termination for employees and temporaries ; a termination of employment relations in the case of contractors or consultants ; dismissal for interns and volunteers ; or suspension or expulsion in the case of a student . Additionally, individuals are subject to loss of
<COMPANY NAME> Information Resources access privileges, civil, and criminal prosecution.
– NOTE: Enforcement can also include both identification of the violation and a software needed to look for violations, spot checking email, etc.
2/26/2004 Polytechnic University - CS996 33

Example: Email Use Policy
(cont’d)
• Term Definitions:
– Email: The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.
– Forwarded email: Email resent from an internal network to an outside point.
– Chain email or letter: Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.
– Sensitive information: Information is considered sensitive if it can be damaging to <COMPANY NAME> or its customers' reputation or market standing.
– Virus warning: Email containing warnings about virus or malware. The overwhelming majority of these emails turn out to be a hoax and contain bogus information usually intent only on frightening or misleading users.
– Unauthorized Disclosure: The intentional or unintentional revealing of restricted information to people, both inside and outside <COMPANY
NAME>, who do not have a need to know that information.
2/26/2004 Polytechnic University - CS996 34

Example: Email Use Policy
(cont’d)
• 6.0 Revision History
– Used when revisions are made in the duration of a security policy.
2/26/2004 Polytechnic University - CS996 35

Example: State of PA, ITB B.5
• The state of Pennsylvania has an extensive security policy which every government website and application has to follow.
• It is updated via Information Technology
Bulletins ( ITBs ).
– ITB B.5 addresses technical standards to be applied by all agencies under the Governor’s jurisdiction to provide:
• adequate protection of confidential information (C, I)
• fast, easy implementation of e-government systems (A)
• flexibility for state government to conduct e-commerce. (A)
2/26/2004 Polytechnic University - CS996 36

Example: State of PA, ITB B.5
• ITB B.5:
– does not cover physical, network, and computer security.
– applicable to electronic transactions between the Executive
Agencies and one or more parties external to state government, including private citizens, political subdivisions and businesses.
– applicable to electronic internal transactions (between and within the Executive Agencies).
• i.e. Internal HR portal for government employees.
– Provides standards and procedures for privacy , authentication and security that protect the Commonwealth’s agencies, employees, businesses, and citizens.
2/26/2004 Polytechnic University - CS996 37

Example: State of PA, ITB B.5
• Risk Analysis summary:
1. Define the electronic government transaction.
– The agency will allow citizens to purchase a license online.
2. Identify the type of information necessary for the transaction.
– CC information required with e-license application.
3. Evaluate the consequences of a security breach.
– low impact , medium impact, or high impact.
4. Plot the security breach impact result on the Security
Assessment Matrix (a.k.a. Risk Level Matrix )
2/26/2004 Polytechnic University - CS996 38

Example: State of PA, ITB B.5
• Risk Analysis summary:
(cont’d)
5. Evaluate the security breach risk .
– The likelihood that someone will attempt to attack this.
– low risk, medium risk, or high risk.
6. Plot the security breach risk result on the Risk Level
Matrix.
– See next slide for diagram.
7. Review the results of the Risk Level Matrix.
8. Submit a Network Diagram.
– diagram of the application depicting data and application servers, firewalls, associated networks and application architecture.
2/26/2004 Polytechnic University - CS996 39

Example: State of PA, ITB B.5
• Risk Level Matrix:
2/26/2004 Polytechnic University - CS996 40

Example: State of PA, ITB B.5
• Impact Level Matrix definitions:
(and their security policies)
– Level A Transactions
• Little value if compromised.
• No additional security needed.
• Examples: information on public website, email addresses.
– Level B Transactions
• Moderate to high value if compromised.
• Use of SSL required (to provide C, I, A, and Non-repudiation), user of usernames and passwords, cookies.
• Examples: online credit card payments, usernames and passwords.
– Level C Transactions
• Extremely valuable information.
• Case-by-case approval of security mechanisms.
• Examples: JNET (network for criminal justice information), medical information, personal financial information.
2/26/2004 Polytechnic University - CS996 41

Example: State of PA, ITB B.5
• Risk Level Matrix definitions: (and their security policies)
– Level A: (low)
• Authentication: Cookies, User-ID, User-ID/Password (or NT Authentication on Intranet)
• Encryption: Secure Sockets Layer (SSL), when the transaction includes credit card or personal information
• Digital Certificate/Signature: Not Applicable
– Level B: (moderate)
• Authentication: Level A + (PIN/Smart Card) (NT Authentication on Intranet)
Certificate for Authentication.
• Encryption: Level A + Also Encrypt Business-Sensitive Information
(Sensitive, But Unclassified).
• Digital Certificate/Signature: Certificate Level (Citizen or resident) for authentication or signature use, if needed.
– Level C: (high)
• Authentication: Level B + Biometrics
• Encryption: Level B + encryption on all transactions
• Digital Certificate/Signature: Certificate Level (Business) for Authentication or Signature use, if needed.
2/26/2004 Polytechnic University - CS996 42

Example: State of PA, ITB B.5
Digital Certificates:
• Three levels of digital certificates are identified in the security policy. The level is an indicator of the amount of due diligence imposed to verify the identity of the certificate holder.
– Citizen/Resident: Simple Identification/Simple
Acceptance.
– Business: Simple Identification, plus additional criteria.
– High-Confidence: Similar to J-NET (i.e., Advanced
Identification/Birth Certificate/In-Person Verification).
2/26/2004 Polytechnic University - CS996 43

Example: State of PA, ITB B.5
• All SSL transactions shall be encrypted using
128-bit keys, instead of the standard 40-bit keys.
– Includes but not limited to:
• All credit card transactions
• All other information as deemed private, sensitive, or confidential by an agency's Chief Counsel (e.g., personal health, criminal justice, etc.)
– The policy will inform users of the 128-bit standard, and provide instructions or links on how to obtain a browser that supports 128-bit encryption.
2/26/2004 Polytechnic University - CS996 44

Example: State of PA, ITB B.5
• Security Policy Critique:
(Thanks to Professor Hery!)
– The security policy doesn’t state where the SSL channel terminates on the Agency side.
• It could terminate at the server containing the sensitive data.
• It could terminate at an intermediate gateway. (implicit trust in intranet)
• It could terminate at a web server that fetches the data from another machine. (implicit trust in intranet)
– This ambiguity may allow an internal intruder to compromise the confidentiality or integrity of the data.
2/26/2004 Polytechnic University - CS996 45

Example: State of PA, ITB B.5
• Security Policy Critique:
– How are credit cards processed?
• Is SSL used? Where in the chain is it used?
– Each major credit card issuer has its own standards and guidelines.
– More information is available in ITB B.8.
– The security policy clearly states that it does not cover physical, network, and computer security.
• So there is no information in this ITB about how to store the data on the machines.
• ITB B.7 (Encryption Standard for e-Government
Applications) has been rescinded.
2/26/2004 Polytechnic University - CS996 46

High-level to Low-level
• Security policies begin from high level statements and flow down to lower level policies, which are more specific and detailed.
Example:
• High level: Confidential and classified company information shall be protected from release to unauthorized personnel.
• Mid level: Classified information will only be accessible from internal network
(company intranet) via a secure website.
• Low level: The internal web-server will be running HTTPS (SSL) and be password-protected. The perimeter firewall will deny all access to the webserver from external hosts (outside the intranet) by blocking external traffic on port 443.
• The firewall is an enforcement mechanism . The password protection is an enforcement mechanism as well.
2/26/2004 Polytechnic University - CS996 47

Applicable Security Policies
• In the previous example, a company can refer to the following security policies:
– Firewall – which ports are allowed through.
– Password – length of password, aging, allowed and required characters.
– Intranet – who belongs on the intranet, how information is distributed…
– Web server – its configuration, its permissions, and what type of information its allowed to contain
(classification levels).
2/26/2004 Polytechnic University - CS996 48

Closing Comments
• Questions?
• See homework assignment on next slide.
2/26/2004 Polytechnic University - CS996 49

Homework Assignment
• Question #1:
What are some GENERAL things that should be taken into account when planning the security politics of a company/department?
(i.e. responsibilities, responses, documentation)
• Question #2:
What are the basic things that need to be explained to every employee about a security policy? At what point in their employment? Why? (List at least 4 things).
(i.e. how to handle delicate information)
2/26/2004 Polytechnic University - CS996 50

Homework Assignment
• Question #3:
Say you have an e-mail server that processes sensitive emails from important people. What kind of things should be put into the security policy for the email SERVER?
(this is not an EMAIL USER security policy)
2/26/2004 Polytechnic University - CS996 51