Security Policies
CS 397 Computer Security and Information Assurance

Outline of Presentation
• Introduction to Security Policy
  – Definitions, types, elements.
• The necessity of a Security Policy
  – Why it's needed.
• Example: Email Use Policy
  – Analysis and critique.
• Closing Comments

What is a Security Policy?
• A security policy is a set of rules stating which actions are permitted and which are not. It is a statement that partitions the states of a system into a set of authorized (secure) states and a set of unauthorized (non-secure) states.
  – Can be informal or highly mathematical.
• A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
• A breach of security occurs when a system enters an unauthorized state.
• We expect a trusted system to enforce the required security policies.

Elements of a Security Policy
• A security policy considers all relevant aspects of confidentiality, integrity and availability.
• Confidentiality policy: Identifies information leakage and controls information flow.
• Integrity policy: Identifies authorized ways in which information may be altered. Enforces separation of duties.
• Availability policy: Describes what services must be provided.
  – For example, a browser may download pages but not Java applets.

Types of Security Policies
• A military security policy (also called a government security policy) is a security policy developed primarily to provide confidentiality.
  – Concerned less with whether the object can be trusted than with whether the object is disclosed.
• A commercial security policy is a security policy developed primarily to provide integrity.
  – Focuses on how much the object can be trusted.

Mechanism vs. Security Policy
• Mechanism should not be confused with policy. A security mechanism is an entity or procedure that enforces some part of a security policy.
  – MasterCard has the Site Data Protection (SDP) Program.
  (https://sdp.mastercardintl.com/)
  – Firewalls, access control, permissions, roles.
  – Logging facilities, such as syslog.
  – Spam and website filters, proxies.
• Enforcement mechanisms may be technical or procedural. For example, a firewall may enforce certain rules, but part of the enforcement is the procedure to set up and maintain its configuration. On the other side, tools that automatically log URLs can be used to enforce policies such as banning porn sites.

Is it a Policy, a Standard or a Guideline?
• A policy is typically a document that outlines specific requirements or rules that must be met.
  – Point-specific: covers a single area.
• A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone.
• A guideline is typically a collection of system-specific or procedure-specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended.
• Effective security policies make frequent references to standards and guidelines that exist within an organization.

Real World Problems Caused By Missing Policies
• At a local newspaper...
  – A local newspaper had no policy requiring the termination of user-ID and password privileges after an employee left.
  – A senior reporter left the newspaper, and shortly thereafter the newspaper had trouble because the competition consistently picked up on their exclusive stories (scoops).
  – An investigation of the logs revealed that the former employee had been consistently accessing their computer to get ideas for stories at his new employer.

Real World Problems Caused By Missing Policies (cont’d)
• At a government agency...
  – A clerk spent a great deal of time surfing the Internet while on the job. Because there was no policy specifying what constituted excessive personal use, management could not discipline this employee.
  – Then management discovered that the clerk had downloaded a great deal of pornography.
    Using this as a reason, management fired him.
  – The clerk chose to appeal the termination with the Civil Service Board, claiming that he couldn't be fired because he had never been told that he couldn't download pornography.
  – After a Civil Service hearing, the Board ordered him to be reinstated with back pay.

Why An Organization Needs Security Policies
• Security policies are the foundation of your secure infrastructure. Your security policies serve as a guide and a reference point for numerous security tasks in your organization.
• Without security policies, no enforcement of security configurations or standards can be made. By establishing a policy, you are implying that enforcement can or will follow. Without security policies, enforcement is not possible.
2/26/2004 Polytechnic University - CS996

It’s All In The Details!
• The computer security policy needs to be detailed. A security policy such as “Computer systems are not to be used for personal use” needs to be explained.
  – What constitutes personal use could be interpreted differently.
• A computer security policy should provide guidelines on specific topics such as management’s position on:
  – Downloading and viewing pornography.
  – Sending and forwarding jokes (or other non-essential business correspondence).
  – Viewing stock prices.
  – Sending and viewing personal e-mail.
  – Use of the computer for online shopping during break times.

Security Policy: Clear Understanding
• A computer security policy gives users a clear understanding of allowed activities.
• If an employee is dismissed for inappropriate actions, a computer security policy that has been communicated to computer users will save time in legal disputes.

Security Policy Basics
• All security policies need to be written down.
  – Policies that exist in someone's head are not really policies.
• When your organization has finished developing security policies, and right when you think you can breathe easy, it will be time to update your security policies.
• New technology: make sure your security policies still make sense for your new infrastructure.
• Evaluating new equipment: make sure that the new equipment can properly be configured to meet your security requirements.
  – If it can't, you may want to consider purchasing alternative products.

Where to Start?
• The first issue revolves around the content and structure of the policies themselves: Are they complete? Are they fully up to date? Do they reflect your needs?
• The most cost-effective way is often to procure a set of pre-written policies, and then tailor them as necessary to meet specific cultural and functional needs.
  – Why re-invent the wheel and proceed down a more complex route than is really necessary?

Where to Get a Good Security Policy?
• Good computer programs are copied from other good programs.
• The skill of a programmer lies not in how effectively they can write code but in how well they can incorporate the best routines of other programs to make a useful application.
• Good security policy documents are not written but copied from other security policy documents.

Formulate Your Own Computer Security Policy
• The security requirements of computer systems owned and operated by one organization will almost certainly differ from the requirements of another organization.
• It is therefore important that each organization formulates its own Computer Security Policy.

Need an Example Policy or Template?
• Use http://www.sans.org/resources/policies/
• What is the SANS Institute?
  – The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization.
    The SANS Institute enables more than 156,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community.
• SANS has received permission to provide sanitized security policies from a large organization. They should form a good starting point if you need one of these policies.

Before looking into the sample security policies…
• <angle brackets> should be replaced with the appropriate name from your organization.
• The term “InfoSec” is used throughout these documents to refer to the team of people responsible for network and information security. Replace it with the appropriate group name from your organization.
• Any policy name that is in italics is a reference to a policy that is also available on the SANS site.

Example: Email Use Policy
• Generally, company e-mail systems are a high-risk area due to their constant availability to the outside world, and the risk is often two-fold.
• They expose company mail addresses and (mail) systems to potential attackers.
• They are the number one entry point through which most malicious programs enter the company.
• E-mail systems are a potential way to leak company proprietary information, intentionally or accidentally (and software exists to flag such things). There is also the risk to the company's image.

Example: Email Use Policy (cont’d)
• 1.0 Purpose
  – To prevent tarnishing the public image of <COMPANY NAME>. When email goes out from <COMPANY NAME>, the general public will tend to view that message as an official policy statement from <COMPANY NAME>.
• 2.0 Scope
  – This policy covers appropriate use of any email sent from a <COMPANY NAME> email address and applies to all employees, vendors, and agents operating on behalf of <COMPANY NAME>.

Example: Email Use Policy (cont’d)
• 3.0 Policy
  – 3.1 Prohibited Use
    • The <COMPANY NAME> email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any <COMPANY NAME> employee should report the matter to their supervisor immediately.

Make An Addition to the Template!
• Prohibited Use:
  – Using email for conducting personal business.
  – Using email for purposes of political lobbying or campaigning.
  – Violating copyright laws by inappropriately distributing protected works.
  – Posing as anyone other than oneself when sending email, except when authorized to send messages for another when serving in an administrative support role.
  – The use of unauthorized e-mail software.

Don’t Slow Down Network Communications!
• Make an addition to the template:
  – Prohibited Use:
    • Sending or forwarding chain letters.
    • Sending unsolicited messages to large groups except as required to conduct agency business.
    • Sending excessively large messages.
    • Sending or forwarding email that is likely to contain computer viruses.

Non-<COMPANY NAME> Email Accounts for Confidential Info?
• Make an addition to the template:
  – Individuals must not send, forward or receive confidential or sensitive <COMPANY NAME> information through non-<COMPANY NAME> email accounts. Examples of non-<COMPANY NAME> email accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, and email provided by other Internet Service Providers (ISPs).

Non-<COMPANY NAME> Mobile Devices for Confidential Info?
• Make an addition to the template:
  – Individuals must not send, forward, receive or store confidential or sensitive <COMPANY NAME> information using non-<COMPANY NAME>-accredited mobile devices. Examples of mobile devices include, but are not limited to, Personal Data Assistants, two-way pagers and cellular telephones.

Example: Email Use Policy (cont’d)
  – 3.2 Personal Use
    • Using a reasonable amount of <COMPANY NAME> resources for personal emails is acceptable, but non-work-related email shall be saved in a separate folder from work-related email.
    • Sending chain letters or joke emails from a <COMPANY NAME> email account is prohibited.
    • Virus or other malware warnings and mass mailings from <COMPANY NAME> shall be approved by the <COMPANY NAME> VP Operations before sending. These restrictions also apply to the forwarding of mail received by a <COMPANY NAME> employee.

Example: Email Use Policy (cont’d)
  – 3.3 Monitoring
    • <COMPANY NAME> employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system. <COMPANY NAME> may monitor messages without prior notice. <COMPANY NAME> is not obliged to monitor email messages.

Transmitted Information Needs To Be Safe!
• Make an addition to the template:
  – All sensitive <COMPANY NAME> material transmitted over external networks must be encrypted.

Example: Email Use Policy (cont’d)
• 4.0 Enforcement
  – Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Doesn’t Handle Non-Employees
• Need to change the template:
  – 4.0 Enforcement
    • Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student.
      Additionally, individuals are subject to loss of <COMPANY NAME> Information Resources access privileges, and to civil and criminal prosecution.
  – NOTE: Enforcement can also include both identification of the violation and the software needed to look for violations, spot-checking of email, etc.

Example: Email Use Policy (cont’d)
• Term Definitions:
  – Email: The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.
  – Forwarded email: Email resent from an internal network to an outside point.
  – Chain email or letter: Email sent to successive people. Typically the body of the note has directions to send out multiple copies of the note and promises good luck or money if the directions are followed.
  – Sensitive information: Information is considered sensitive if it can be damaging to <COMPANY NAME> or its customers' reputation or market standing.
  – Virus warning: Email containing warnings about viruses or malware. The overwhelming majority of these emails turn out to be hoaxes and contain bogus information usually intended only to frighten or mislead users.
  – Unauthorized Disclosure: The intentional or unintentional revealing of restricted information to people, both inside and outside <COMPANY NAME>, who do not have a need to know that information.

Example: Email Use Policy (cont’d)
• 6.0 Revision History
  – Used to record revisions made over the lifetime of a security policy.

High-level to Low-level
• Security policies begin with high-level statements and flow down to lower-level policies, which are more specific and detailed. Example:
• High level: Confidential and classified company information shall be protected from release to unauthorized personnel.
• Mid level: Classified information will only be accessible from the internal network (company intranet) via a secure website.
• Low level: The internal web server will be running HTTPS (SSL) and be password-protected.
  The perimeter firewall will deny all access to the web server from external hosts (outside the intranet) by blocking external traffic on port 443.
• The firewall is an enforcement mechanism. The password protection is an enforcement mechanism as well.

Applicable Security Policies
• In the previous example, a company can refer to the following security policies:
  – Firewall: which ports are allowed through.
  – Password: length of password, aging, allowed and required characters.
  – Intranet: who belongs on the intranet, how information is distributed…
  – Web server: its configuration, its permissions, and what type of information it's allowed to contain (classification levels).
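Added example (not from the slides): the low-level firewall rule of "High-level to Low-level" modelled the way "What is a Security Policy?" defines a policy, as a predicate partitioning system states, with the perimeter firewall playing the enforcement-mechanism role from "Mechanism vs. Security Policy". The intranet range, the web server address and the connection attempts are constructed; the reachability check is run once with the firewall in place and once without it.

```python
# Added example, not from the slides. A policy is a predicate over system
# states; the firewall is the mechanism that keeps the system in authorized
# states. All addresses are constructed for the example.
from collections import deque
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")     # constructed company intranet
WEBSERVER = ip_address("10.1.2.3")      # constructed internal HTTPS server
HTTPS = 443

# A system state is a frozenset of established sessions (src, dst, dst_port).
# The policy partitions states: a state is authorized iff no host outside the
# intranet holds a session to the classified web server on port 443.
def authorized(state):
    return all(ip_address(src) in INTRANET
               for src, dst, port in state
               if ip_address(dst) == WEBSERVER and port == HTTPS)

# The perimeter firewall is the mechanism: it enforces only the low-level
# rule "block external traffic to the web server on port 443".
def firewall_allows(src, dst, port):
    if ip_address(dst) == WEBSERVER and port == HTTPS:
        return ip_address(src) in INTRANET
    return True

def step(state, attempt, mechanism):
    # One transition: a connection attempt becomes a session unless denied.
    return state | {attempt} if mechanism(*attempt) else state

def is_secure(initial, attempts, mechanism):
    """Breadth-first search of every reachable state. The system is secure
    iff it starts authorized and can never reach an unauthorized state.
    Returns (True, None) or (False, first_unauthorized_state)."""
    seen, queue = {initial}, deque([initial])
    while queue:
        state = queue.popleft()
        if not authorized(state):
            return False, state
        for attempt in attempts:
            nxt = step(state, attempt, mechanism)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return True, None

# Constructed attempts: intranet client, external host on 443, external host
# on a port the firewall rule does not cover.
ATTEMPTS = [("10.4.4.4", "10.1.2.3", HTTPS),
            ("203.0.113.9", "10.1.2.3", HTTPS),
            ("203.0.113.9", "10.1.2.3", 80)]
```

Calling `is_secure(frozenset(), ATTEMPTS, firewall_allows)` explores every reachable state and reports `(True, None)`; replacing the mechanism with `lambda *a: True` (no firewall) reaches the state holding the external 443 session, which `authorized()` rejects.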