
Best Practices for Implementing and Enforcing a Web Acceptable Use Policy

CORPORATE INFORMATION SECURITY POLICIES


• This template is intended to provide sample content for a best-practices document describing Internet use risks, company policy, employee education, and technical controls.

• This template is intended to serve only as sample content and does not represent legal advice. Consult with your attorney for legal advice.

• Any portion of this template may be modified

Overview

An acceptable use policy (AUP) is a set of rules applied by the manager of a corporate network defining the ways in which the network, site, or system may be used. AUPs are written to reduce exposure to risks such as data theft, malware infections, or potential legal liability arising from inappropriate Internet use by employees.

New employees are usually asked to sign an AUP before they are given access to the company’s information systems. An AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization. It should define what sanctions will be applied if a user breaks the AUP. Compliance with this policy should, as usual, be measured by regular audits.

Purpose

The purpose of this document is to outline how to protect your organization against malware, data theft, and information system misuse.

Definition of Malware

Malware has become the greatest external threat to most hosts, causing damage and requiring extensive recovery efforts within most organizations. The following are the classic categories of malware:

Viruses. A virus self-replicates by inserting copies of itself into host programs or data files. Viruses are often triggered through user interaction, such as opening a file or running a program. Viruses can be divided into the following two subcategories:

o Compiled Viruses. A compiled virus is executed by an operating system. Types of compiled viruses include file infector viruses, which attach themselves to executable programs; boot sector viruses, which infect the master boot records of hard drives or the boot sectors of removable media; and multipartite viruses, which combine the characteristics of file infector and boot sector viruses.

o Interpreted Viruses. Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications’ macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS.

Worms. A worm is a self-replicating, self-contained program that usually executes itself without user intervention. Worms are divided into two categories:

o Network Service Worms. A network service worm takes advantage of a vulnerability in a network service to propagate itself and infect other hosts.

o Mass Mailing Worms. A mass mailing worm is similar to an email-borne virus but is self-contained, rather than infecting an existing file.

Trojan Horses. A Trojan horse is a self-contained, non-replicating program that, while appearing to be benign, actually has a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to hosts. They often deliver other attacker tools to hosts.

Malicious Mobile Code. Malicious mobile code is software with malicious intent that is transmitted from a remote host to a local host and then executed on the local host, typically without the user’s explicit instruction. Popular languages for malicious mobile code include Java, ActiveX, JavaScript, and VBScript.

Blended Attacks. A blended attack uses multiple infection or transmission methods. For example, a blended attack could combine the propagation methods of viruses and worms.

Definition of Misuse

Circumvention of Security

Using personal, company-owned, or company-provided computer systems to circumvent any security systems, authentication systems, or user-based systems, or to escalate privileges, should be prohibited. Knowingly taking any action to bypass or circumvent security should also be prohibited.

Illegal Activities

No company-owned or company-provided computer systems should be knowingly used for activities that are considered illegal under local, state, federal, international, or other applicable laws. Such actions may include, but are not limited to, the following:

• Unauthorized Port Scanning

• Unauthorized Network Hacking

• Unauthorized Packet Sniffing

• Unauthorized Packet Spoofing

• Unauthorized Denial of Service

• Unauthorized Wireless Hacking

• Any act that may be considered an attempt to gain unauthorized access to or escalate privileges on a computer or other electronic system

• Acts of Terrorism

• Identity Theft

• Improper handling or theft of data determined to be damaging by the company

• Spying

• Downloading, storing, or distributing violent, perverse, obscene, lewd, or offensive material

• Downloading, storing, or distributing copyrighted material

The company should take all necessary steps to report and prosecute any violations of the AUP.

Risks Associated with not following the Acceptable Use Policy

Noncompliance with the Acceptable Use Policy can lead to disruption of business functions, loss of intellectual property, losses in business opportunities, and not being able to meet the Company’s stakeholder commitments.

Policy Development, Communication, and Enforcement

To protect the organization from malware and misuse on any of its information systems assets, the following should be completed.

Acceptable Use Policy Development and Distribution

Utilize a template, like the one contained in this AUP kit, and customize it to your company’s needs. Distribute the AUP to all employees and have them sign the policy.

Awareness Training

Awareness training is very important to an organization, and to its security organization in particular, for a number of reasons.

Technology alone will not fully defend an organization against attacks, and the same is true of processes. The way to defend against everyday threats and attacks is to make sure the end users of the systems understand how to use their systems safely, can recognize the basic indicators of an attack, and, most importantly, know what to do when they believe they are under attack or have been compromised. Knowing what to do in that situation feeds the Incident Reporting and Response process highlighted below.

Threat and Risk Analysis

Threat and Risk Analysis is a process used to determine who would want to gain access to an asset, how likely they are to succeed, and what the impact would be if they did. From the threat and risk analysis data, proper controls can be put in place to protect the asset. The list of assets for an organization is long and includes the following:

• Data

• Systems

During the analysis and proposal of controls, the cost to secure an asset may be determined to be too expensive or too disruptive to the business. In these situations a risk escalation and acceptance process must be used.

The signing authority for accepting the risk must have the budget approval power to spend the same amount as the calculated loss. Example: If a manager can sign off and approve a $10,000 expense they can also accept a $10,000 risk.

Implementation of Technology Based Threat Countermeasures

In today’s interconnected world we leverage people, process, and technology to overcome challenges. Technology is key because it enables controls that could not otherwise be achieved. Examples include using firewalls for isolation and segmentation, or using log forwarding with an event management system to identify and detect threats across the organization. Furthermore, technology-based countermeasures must be implemented using defense in depth: the practice of applying controls that create layers of control and detection points. Technology-based threat countermeasures must be deployed to provide both proactive and reactive protection. An example for protecting against a compromise over the web or email channel is using Websense Web and Email Secure Gateways (proactive) to protect clients accessing the Internet, while also using DLP (reactive in nature, because a host compromise has already occurred) to identify and determine when data is leaving the company over the same web and email channels.

Security Intelligence and Monitoring

According to Q1 Labs, “Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.”

There is also another form of security intelligence, provided by external organizations that help monitor and notify security organizations of the next threat and potentially the next attack. Combined with what Q1 Labs describes, and with monitoring, this can help identify incidents before (Threat and Risk Analysis) or after (Incident Reporting and Response) a security event takes place.

Incident Reporting and Response

All malware and misuse violations will be recorded and investigated on a case-by-case basis. Figure 1 shows a high-level workflow as an example of how malware and misuse incidents could be escalated, investigated, and remediated.

Enforcement

The AUP should be enforced by the IT Manager and/or Executive Team. Violations could result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company should report such activities to the applicable authorities.

© 2012 Websense, Inc. All rights reserved. Websense and the Websense logo are registered trademarks of Websense, Inc. in the United States and various countries. All other trademarks are the property of their respective owners.


Figure 1: High-level Security Response Workflow

[Flowchart; only the recoverable content is given here.] Roles (swimlanes): User; Security Responder (Desktop); Security Handler (Security Operations); Security Examiner (Forensics); Special Security Examiner (Malware Forensics); Management. Steps, in order: the User or Security Responder detects the incident and responds by gathering data and escalating; the Security Handler responds to the escalation, determines criticality, determines the response team, and initiates the response team and activities; the Security Examiner, the Special Security Examiner (optional), and Management serve as response team members and perform triage, response, and eradication duties; awareness feedback is completed; the incident is closed.
