Security Policy - PowerPoint PPT Presentation

adele-harding

Presentation Transcript

  1. Security Policy

  2. Policy • Set of detailed rules as to what is allowed on the system and what is not allowed. • User Policy • System Policy • Network Policy • US Law • Trust

  3. Policy Making
     Formulations:
     • General “catch-all” policy
     • Specific asset-based policy
     • General policy, augmented with standards and guidelines
     Role:
     • Clarify what and why of protection
     • State responsibility for protection
     • Provide basis for interpreting and resolving conflicts
     • Retain validity over time

  4. Standards & Guidelines
     • Standards:
        • Codification of successful security practice
        • Platform-independent, enforceable
        • Change over time (slowly)
     • Guidelines:
        • Interpret standards for particular environment
        • May be violated if needed

  5. Building Policy
     • Assign an owner
     • Be positive
     • Motivate behavior
     • Allow for error
     • Include education
     • Place authority with responsibility
     • Pick basic philosophy
        • Paranoid
        • Prudent
        • Permissive
        • Promiscuous
     • Don’t depend on “impossible to break”

  6. Security Through Obscurity • If we don’t tell them, they won’t know (false) • Found by experimentation • Found through other references • Passed around by word of mouth • Often used as basis for ignoring risks • Local algorithm, unavailable sources - no real security

  7. Going Public • Vendor / CERT/CC • Other Administrators (Warning) • User community (Danger) • Internet community (Infectious Danger)

  8. User-level Policy • Authentication: Method, Protection, Disclosure • Importing software: Process, Safeguards, Location • File protection: Default, Variations • Equipment management: Process, Physical Security • Backups: How, When • Problem reporting: Who, How, Emergencies

  9. System-level Policy • Default configuration • Installed Software • Backups • Logging • Auditing • Updates • Principal servers or clients

  10. Network-level Policy • Supported services • Exported services: Authentication, Protection, Restriction • Imported services: Authentication, Protection, Privacy • Network security mechanisms

  11. US Law • General advice - not legal counsel • Before performing legal actions -- consult a lawyer! • Legal Options • Legal Hazards • Being the target of an investigation • General Tips • Civil Actions • Intellectual Property • Liability

  12. Legal Options
      • Think before you pursue legal action
      • Civil actions
      • Reasons to prosecute:
         • Filing insurance claim
         • Involved with privacy data
         • Avoid being an accessory to later break-ins
         • Avoid civil suit with punitive damages
         • Avoid liability from your users

  13. Legal Hazards • Computer-illiterate agents • Over-zealous compliance with search order • Attitude and behavior of investigators • Work loss • Problems from case • Problems with working relationships • Publicity loss • Seizure of equipment • Positive trend in enforcement community

  14. Being the Target • COOPERATE • Individual involvement: • Document level of authorized access • Limit level of seizure, prosecution • Officers will seize everything related to unauthorized use • Wait for return can be very long • Can challenge reasons for search • Involve legal help soonest!

  15. General Tips (1) • Replace welcome messages with warning messages • Put ownership or copyright notices on each source file • Be certain users are notified of usage policy • Notify all users on what may be monitored • Keep good backups in safe location • When you get suspicious, start a diary/journal of observations

  16. General Tips (2) • Define, in writing, authorization of each user and employee & have them sign it • Ensure employees return equipment on termination • Do not allow users to conduct their own investigations • Make contingency plans with lawyer and insurance • Identify qualified law enforcement at local, federal

  17. Lawsuits • Can sue anyone for any reasonable claim of damages or injury • Caveats: • Very expensive • Long delays • May not win • May not collect anything • Vast majority of actions -- settled out of court • CONSULT A LAWYER FIRST

  18. Intellectual Property
      • Copyright infringement
         • Expression of idea
         • Derivative work
         • Outside of fair use
      • Trademark violation
         • Use of registered words, symbols, phrases
         • Lack of credit
      • Patent concerns
         • Application of idea
         • Based on prior art
         • Prevents redundant application

  19. Liability • Personal liability • Corporate liability • Good security helps to limit liabilities

  20. Trust • Tools of computer security are resident on computers • Just as mutable as any other information on computers • Can we trust our computer? • Can we trust our software? • Can we trust our suppliers? • Can we trust our people? • Trust, but verify

  21. Trusting Our Computer • Hardware bugs • Hardware features • Peripheral bugs/features • Microcode problems

  22. Trusting Our Software • Operating system bugs and features • System software back-doors • Who wrote the software? • Who maintains the software? • Is GOTS / COTS trustworthy?

  23. Trusting Our Suppliers • Development process • Bugs • Testing • Configuration control • Distribution control • Hacker challenges

  24. Trusting Our People • Vendors • Consultants • Employees • System administrators • Response personnel

  25. Trust, but Verify • Trust with a suspicious attitude • Ask questions • Do background checks • Test code • Get written assurances • Anticipate problems and attacks