FIREWALLS & NETWORK SECURITY With Intrusion Detection And VPNs, 2 Ed.


FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.
Chapter 3
Security Policies, Standards, and Planning

Learning Objectives
Upon completion of this material, you should be able to:
– Define management's role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
– Describe an information security blueprint, identify its major components, and explain how it is used to support a network security program
– Discuss how an organization institutionalizes policies, standards, and practices using education, training, and awareness programs
– Explain contingency planning and describe the relationships among incident response planning, disaster recovery planning, business continuity planning, and contingency planning
Firewalls & Network Security, 2nd ed. - Chapter 3, Slide 2

Introduction
• To secure its network environment, an organization must establish a functional and well-designed information security program
• The information security program begins with the creation or review of the organization's information security policies, standards, and practices
• Selection or creation of an information security architecture, and the development and use of a detailed information security blueprint, will create a plan for future success
• Without policy, blueprints, and planning, the organization's security needs will not be met

Information Security Policy, Standards, and Practices
• Management must consider policies as the basis for all information security efforts
• Policies direct how issues should be addressed and how technologies are used
• Security policies are the least expensive control to execute but the most difficult to implement
• Shaping policy is difficult because policy must:
– Never conflict with laws
– Stand up in court, if challenged
– Be properly administered through dissemination and documented acceptance

Information Security Policy, Standards, and Practices (continued)
For a policy to be considered effective and legally enforceable:
• Dissemination (distribution): the organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee
• Review (reading): the organization must be able to demonstrate that it disseminated the document in intelligible form, including versions for illiterate, non-English-reading, and reading-impaired employees

Information Security Policy, Standards, and Practices (continued)
For a policy to be considered effective and legally enforceable (continued):
• Comprehension (understanding): the organization must be able to demonstrate that employees understand the requirements and content of the policy
• Compliance (agreement): the organization must be able to demonstrate that employees agree to comply with the policy through act or affirmation
• Uniform enforcement: the organization must be able to demonstrate that the policy has been uniformly enforced

Definitions
• Policy is a set of guidelines or instructions that an organization's senior management implements to regulate the activities of members of the organization who make decisions, take actions, and perform other duties
• Policies are organizational laws
• Standards, on the other hand, are more detailed statements of what must be done to comply with policy
• Practices, procedures, and guidelines effectively explain how to comply with policy

Figure 3-1 Policies, Standards, & Practices

Enterprise Information Security Policy (EISP)
• EISP is also known as the general security policy, IT security policy, or information security policy
• Sets the strategic direction, scope, and tone for all security efforts within the organization
• Executive-level document, usually drafted by or with the CIO of the organization and usually 2 to 10 pages long

Enterprise Information Security Policy (EISP) (continued)
• Typically addresses compliance in two areas:
– General compliance to ensure that the requirements to establish the program, and the responsibilities assigned therein to various organizational components, are met
– Use of specified penalties and disciplinary action

Enterprise Information Security Policy (EISP) Elements
• Overview of the corporate philosophy on security
• Information on the structure of the information security organization and the individuals who fulfill the information security role
• Fully articulated security responsibilities that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
• Fully articulated security responsibilities that are unique to each role within the organization

Issue-Specific Security Policy (ISSP)
• Guidelines needed to use various technologies and processes properly
• The ISSP:
– Addresses specific areas of technology
– Requires frequent updates
– Contains an issue statement on the organization's position on an issue
• Three approaches:
– Create several independent ISSP documents
– Create a single comprehensive ISSP document
– Create a modular ISSP document

Components of an Effective ISSP
1. Statement of policy
   a. Scope and applicability
   b. Definition of technology addressed
   c. Responsibilities
2. Authorized access and usage
   a. User access
   b. Fair and responsible use
   c. Protection of privacy
3. Prohibited usage
   a. Disruptive use or misuse
   b. Criminal use
   c. Offensive or harassing materials
   d. Copyrighted, licensed, or other intellectual property
   e. Other restrictions
4. Systems management
   a. Management of stored materials
   b. Employer monitoring
   c. Virus protection
   d. Physical security
   e. Encryption
5. Violations of policy
   a. Procedures for reporting violations
   b. Penalties for violations
6. Policy review and modification
   a. Scheduled review of policy and procedures for modification
7. Limitations of liability
   a. Statements of liability or disclaimers

Systems-Specific Policy (SysSP)
• SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems
• SysSPs fall into two groups:
– Managerial guidance SysSPs: created by management to guide the implementation and configuration of technology, as well as to regulate the behavior of people in the organization
– Technical specifications SysSPs: technical policy or a set of configurations to implement managerial policy

Systems-Specific Policy (SysSP) (continued)
• Technical SysSPs are further divided into:
– Access control lists (ACLs): consist of access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system
– Configuration rule policies: comprise specific configuration codes entered into security systems to guide execution of the system

Policy Management
• Policies are living documents that must be managed and are constantly changing
• Special considerations should be made for organizations undergoing mergers, takeovers, and partnerships
• To remain viable, security policies must have:
– An individual responsible for reviews
– A schedule of reviews
– A specific policy issuance and revision date

Frameworks and Industry Standards
• With a general idea of the vulnerabilities in IT systems, the security team develops a security blueprint, which is used to implement the security program
• The security blueprint is the basis for the design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of the security program

Frameworks and Industry Standards (continued)
• A security framework is an outline of the overall information security strategy and a roadmap for planned changes to the organization's information security environment
• There are a number of published information security frameworks, including ones from government sources
• Because each information security environment is unique, the security team may need to modify or adapt pieces from several frameworks

ISO 27000 Series
• One of the most widely referenced security models is Information Technology – Code of Practice for Information Security Management, originally published as British Standard 7799
• This Code of Practice was adopted as international standard ISO/IEC 17799 in 2000 and renumbered to ISO/IEC 27002 in 2007
• The stated purpose of ISO/IEC 27002 is to "give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization"

ISO 27000 Series Current and Planned Standards

Figure 3-2 BS7799:2

NIST Security Models
• Another approach available is described in documents available from csrc.nist.gov:
– SP 800-12: An Introduction to Computer Security: The NIST Handbook
– SP 800-14: Generally Accepted Security Principles and Practices for Securing Information Technology Systems
– SP 800-18 Rev 1: The Guide for Developing Security Plans for Federal Information Systems
– SP 800-26: Security Self-Assessment Guide for Information Technology Systems
– SP 800-30: Risk Management for Information Technology Systems

IETF Security Architecture
• While no specific architecture is promoted through the Internet Engineering Task Force, the Security Area Working Group acts as an advisory board for protocols and areas developed and promoted through the Internet Society
• RFC 2196: Site Security Handbook provides an overview of five basic areas of security with detailed discussions on development and implementation
• Includes chapters on such important topics as security policies, security technical architecture, security services, and security incident handling

Benchmarking and Best Practices
• Benchmarking and best practices are reliable methods used by some organizations to assess security practices
• It is possible to gain information by benchmarking and using best practices, and thus work backwards to an effective design
• The Federal Agency Security Practices site (fasp.nist.gov) is designed to provide best practices for public agencies and is easily adapted to private organizations

Figure 3-4 Spheres of Security

Design of Security Architecture
• Defense in depth
– One of the foundations of security architectures is the requirement to implement security in layers
– Requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls
• Security perimeter
– The point at which an organization's security protection ends and the outside world begins
– Unfortunately, the perimeter does not apply to internal attacks from employee threats or on-site physical threats

Security Education, Training, and Awareness
• As soon as policies exist, policies to implement security education, training, and awareness (SETA) should follow
• SETA is a control measure designed to reduce accidental security breaches
• Supplements general education and training programs to educate staff on information security
• Security education and training builds on the general knowledge that employees must possess to do their jobs, familiarizing them with the way to do their jobs securely

SETA Elements
• A SETA program consists of three elements:
– Security education
– Security training
– Security awareness
• An organization may not be capable of or willing to undertake all elements, but may outsource them
• The purpose of SETA is to enhance security by:
– Improving awareness of the need to protect system resources
– Developing skills and knowledge so computer users can perform their jobs more securely
– Building in-depth knowledge, as needed, to design, implement, and operate security programs

Table 3-6 Comparative SETA Framework

Security Education
• Everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security
• When formal education in security is needed for appropriate individuals, an employee can identify curriculum available from local institutions of higher learning or continuing education
• A number of universities have formal coursework in information security
– (See, for example, http://infosec.kennesaw.edu)

Security Training
• Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
• Management of information security can develop customized in-house training or outsource the training program

Security Awareness
• One of the least frequently implemented but most beneficial programs is the security awareness program
• Designed to keep information security at the forefront of users' minds
• Need not be complicated or expensive
• If the program is not actively implemented, employees begin to 'tune out,' and the risk of employee accidents and failures increases

Continuity Strategies
• Managers must provide strategic planning to assure continuous information systems availability when an attack occurs
• Plans for events of this type are referred to in a number of ways:
– Business continuity plans (BCPs)
– Disaster recovery plans (DRPs)
– Incident response plans (IRPs)
– Contingency plans
• Large organizations may have many types of plans and small organizations may have one simple plan, but most have inadequate planning

Contingency Planning
• Contingency Planning (CP) comprises:
– Incident response planning (IRP)
– Disaster recovery planning (DRP)
– Business continuity planning (BCP)
• Primary functions of these three types:
– IRP focuses on immediate response, but if the attack escalates or is disastrous, the process changes to disaster recovery and BCP
– DRP typically focuses on restoring operations at the primary site after disasters occur and, as such, is closely associated with BCP
– BCP occurs concurrently with DRP when damage is major or long term, requiring establishment of operations at an alternate site

Figure 3-9 Contingency Planning Timeline

Contingency Planning Team
• Before any planning begins, a team has to plan the effort and prepare the resulting documents
• Champion: high-level manager to support, promote, and endorse the findings of the project
• Project manager: leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
• Team members: should be managers or their representatives from the various communities of interest (business, IT, and information security)

Figure 3-10 Major Steps in Contingency Planning

Business Impact Analysis
• Begin with business impact analysis (BIA)
– If the attack succeeds, what do we do then?
• The CP team conducts the BIA in the following stages:
– Threat attack identification
– Business unit analysis
– Attack success scenarios
– Potential damage assessment
– Subordinate plan classification

Threat Attack Identification and Prioritization
• Update the threat list with the latest developments and add the attack profile
• An attack profile is the detailed description of activities during an attack
• Must be developed for every serious threat the organization faces
• Used to determine the extent of damage that could result to a business unit if the attack were successful

Table 3-7 Attack Profile

Business Unit Analysis
• The second major task within the BIA is the analysis and prioritization of business functions within the organization
• Identify the functional areas of the organization and prioritize them as to which are most vital
• Focus on the prioritized list of the various functions that the organization performs

Attack Success Scenario Development
• Next, create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area, with:
– Details on the method of attack
– Indicators of attack
– Broad consequences
• Attack success scenario details are added to the attack profile, including best, worst, and most likely outcomes

Potential Damage Assessment
• From the previously developed attack success scenarios, the BIA planning team must estimate the cost of the best, worst, and most likely cases
• Costs include the actions of the response team
• This final result is referred to as an attack scenario end case

Subordinate Plan Classification
• Once potential damage has been assessed, a subordinate plan must be developed or identified
• Subordinate plans will take into account identification of, reaction to, and recovery from each attack scenario
• Each attack scenario end case is categorized as disastrous or not
• The qualifying difference is whether or not the organization is able to take effective action during the event to combat the effect of the attack

Incident Response Planning
• Incident response planning covers the identification of, classification of, and response to an incident
• An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources
• Attacks are only classified as incidents if they have the following characteristics:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten the confidentiality, integrity, or availability of information resources
• IR is more reactive than proactive, with the exception of the planning and preparation of IR teams

Incident Planning
• Predefined responses enable the organization to react quickly and effectively to a detected incident
• This assumes the organization has an IR team and can detect the incident
• The IR team consists of those individuals needed to handle systems as the incident takes place
• IR consists of the following four ry

Incident or Disaster
• When does an incident become a disaster?
– The organization is unable to mitigate the impact of an incident during the incident
– The level of damage or destruction is so severe that the organization is unable to quickly recover
• The difference may be subtle
• It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response

Disaster Recovery Planning
• Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster
• The contingency planning team must decide which actions constitute disasters and which constitute incidents
• When situations are classified as disasters, plans change as to how to respond: take action to secure the system's most valuable assets to preserve value for the longer term, even at the risk of more disruption in the immediate term
• DRP strives to reestablish operations at the 'primary' site

DRP Steps
• There must be a clear establishment of priorities
• There must be a clear delegation of roles and responsibilities
• Someone must initiate the alert roster and notify key personnel
• Someone must be tasked with the documentation of the disaster
• If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization

Crisis Management
• Crisis management occurs during and after a disaster and focuses on the people involved and on addressing the viability of the business
• The crisis management team is responsible for managing the event from an enterprise perspective by:
– Supporting personnel and families during the crisis
– Determining the impact on business operations and, if necessary, making a disaster declaration
– Keeping the public informed
– Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, media, and other interested parties

Business Continuity Planning
• Business continuity planning outlines the reestablishment of critical business operations during a disaster that impacts operations
• If the disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function
• BCP is somewhat simpler than an IRP or DRP
• Consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy

Summary
• To effectively secure networks, an organization must establish a functional, well-designed information security program
• Information security program creation requires information security policies, standards, and practices; an information security architecture; and a detailed information security blueprint
• Management must make policy the basis for all information security planning, design, and deployment in order to direct how issues are addressed and how technologies are used

Summary (continued)
• Policy must never conflict with laws but should stand up in court if challenged
• To be effective and legally enforceable, policy must be disseminated, reviewed, understood, complied with, and uniformly enforced
• The information security team identifies vulnerabilities and then develops the security blueprint that is used to implement the security program

Summary (continued)
• A security framework is an outline of the steps to take to design and implement information security
• The purpose of security education, training, and awareness (SETA) is to enhance security by improving awareness of the need to protect system resources, teaching users to perform their jobs more securely, and building the knowledge needed to design, implement, or operate security programs

Summary (continued)
• IT and InfoSec managers must assure continuous availability of information systems
• This is achieved with various contingency plans: incident response (IR), disaster recovery (DR), and business continuity (BC)
• The IR plan addresses identification, classification, response, and recovery from an incident
• The DR plan addresses preparation for and recovery from a disaster
• The BC plan ensures that critical business functions continue if a catastrophic event occurs
