Basic Security Policy
Carol Kramer, SANS Institute
Randy Marchany, Virginia Tech Computing Center
Stephen Northcutt, SANS Institute
John Ritter, Intecs International, Inc.
Matt Scarborough, IC
Arrigo Triulzi, Albourne Partners, Ltd.
EDITED BY: Carol Kramer, Stephen Northcutt, Fred Kerby
If you have corrections or additions, or would like to be involved in enhancing this project, please send email to: giactc@sans.org
A note from Stephen Northcutt:
I never cease to be amazed by the fact that you can't take a class in Information Security without being told to do this or that in accordance with "your security policy", but nobody ever explains what the policy is, let alone how to write or evaluate it.
That is why we undertook this research and education project into basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this The Roadmap for usable, effective policy.
Thank you!
Stephen Northcutt
CONTENTS
1 PREFACE
2 DEFINING SECURITY POLICY
3 USING SECURITY POLICY TO MANAGE RISK
4 IDENTIFYING SECURITY POLICY
5 SECURITY POLICY WORKSHEET
6 EVALUATING SECURITY POLICY
7 ISSUE-SPECIFIC SECURITY POLICY
7.6 Personal Data Assistants
8 WRITING A PERSONAL SECURITY POLICY
9 EXERCISES
APPENDIX A - Policy Templates
APPENDIX B - Sample Non-Disclosure Agreement
APPENDIX C - References
1 PREFACE
Security policy protects both people and information.
Safeguarding information is challenging when records are created and stored on computers. We live in a world where computers are globally linked and accessible, making digitized information especially vulnerable to theft, manipulation, and destruction. Security breaches are inevitable. Crucial decisions and defensive action must be prompt and precise.
A security policy establishes what must be done to protect information stored on computers. A well-written policy contains sufficient definition of "what" to do so that the "how" can be identified and measured or evaluated.
An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.
Please take a minute and turn to the back of this book and examine the non-disclosure agreement in Appendix B.
This is one of two examples in the book that is not written in plain English. This legal document is based on the actual non-disclosure agreement that GIAC uses when disclosing proprietary information. Despite the lawyer language of the document, it doesn't take long to see that its purpose is to protect information. It carefully spells out the procedures (the who, what, where, when and how) for the case where an organization has sensitive information that it is going to disclose to an individual. As we learn more about policies, we will find that many aspects of a policy can be found in a document like this. In fact, an organization's policy might reference a document like this. For instance, an organization may have a policy that says, "sensitive information shall only be released to individuals who have signed a non-disclosure agreement that is on file with the corporate legal office." Now that we have an example of a policy that protects information, I would like to show an example of a policy that protected an individual - in this case, me.
Sinking a Warship
I was scanning our entire Navy lab, one subnet at a time (the recommended approach), fixing problems as I found them. I was running the scanner on low power when I hit a network and received a phone call from a friend: "Stephen, the net is down, we think you killed it."
"It" was a mock-up of a real Navy warship. All of the communications on the model were the same as on the real ship. When its networking hardware received a packet (from me) on a certain port, it died. Its FDDI ring came to a complete stop.
The people in this little lab were furious with me. They formed an investigative panel and called me in. I could see by the grim looks all around the table that this was not going to be pleasant. The sparks flew; one fellow in particular wanted to do me harm. He continues to be angry with me to this day! Finally someone asked whether this could happen in real life. The answer was "yes". The next question was, "then shouldn't we get it fixed?"
The point is, my network scan made these people angry enough that my job would have been in jeopardy if I'd not had my ducks in a row. I'd received permission to run the scan prior to doing so. So should you!
2 DEFINING SECURITY POLICY
A policy is a guideline or directive that indicates a conscious decision to follow a path towards an objective defined in the policy. Often a policy institutes, empowers resources, or directs action by providing procedures or actions to be carried out. With that in mind, this course will attempt to provide guidance towards the goal of developing a Basic Security Policy for an organization, or better defining the existing one. The policy itself should be both effective and realistic, with achievable security goals.
Without a security policy, any organization can be left exposed to the world. In order to determine your policy needs, a risk assessment must first be conducted. This may require an organization to define levels of sensitivity with regard to information, processes, procedures, and systems.
The security policy should seek a balance between "Access" and "Security". "Access" pertains to performance and ease of use, while "Security" focuses on integrity, availability, and safety. This applies not just to the computer or network itself, but to the organization as a whole.
Three policy types will be referenced in this presentation. Where the type is not specified, the policy being described is a program policy. Issue-specific policies will be covered as well, and system-specific policies will be mentioned where relevant. Let's define these policy types before we get started:
Program Policy: This high-level policy sets the overall tone of an organization's security approach. Typically, guidance is provided with this policy to enact the other types of policies and to assign who is responsible. This policy may provide direction for compliance with industry standards such as ISO, QS, BS, AS, etc.
Issue-Specific Policy: These policies are intended to address specific needs within an organization. This may include password procedures, Internet usage guidelines, etc. This is not as broad a policy category as the program policy; however, it is broader than the system-specific policy.
System-Specific Policy: For a given organization there may be several systems that perform various functions, where the use of one policy governing all of them may not be appropriate. It may be necessary to develop a policy directed toward each system individually. This is a system-specific policy.
A good security policy will take into account risks and vulnerabilities, and provide comprehensive coverage of an organization's infrastructure. Various security standards have been developed over the years (C2, BS 7799, ISO 17799) which may or may not be applicable to a given organization. While standards can provide an excellent point of departure for defining your organization's policy, if a policy does not directly relate to an organization's realistic needs and requirements, the policy will fail, leaving the organization as exposed as if no policy existed. Security policy should always be commensurate with actual measured risks.
Policy definition in the realm of security for the Internet Age has gained importance on the world stage. The United Kingdom took a lead in the development of recognized security standards and, through the British Standards Institution, sponsored the creation of the British Standard Code of Practice for Information Security Management (BS 7799). The intention was to provide a means of assuring customers that businesses were providing secure services and that information was handled in a secure manner. This standard was published on December 1, 2000 as an international standard (ISO/IEC 17799).
ISO/IEC 17799 provides well over 125 security guidelines, divided into 10 major headings. These headings enable identification of security controls in a manner appropriate for a given organization. ISO/IEC 17799 provides security controls for computers and networks, as well as guidance on security policies, staff security awareness, business continuity planning, and legal requirements. In all, nearly 500 controls and elements of best practice are presented in ISO/IEC 17799.
As with any recognized standard, audits and assessments are required to determine eligibility for registration. ISO/IEC 17799 is a defining standard of security controls that should be investigated and reviewed thoroughly before incorporation into a business plan or operating procedure.
Each organization may work differently as it relates to policies and how they are developed. The process of defining "policy" can be approached in much the same format as defining an actual policy.
PROBLEM: All security and technical classes talk about the necessity of basing procedures on a good security policy. We need to understand what is meant by policy; there are many conflicting definitions.
ACTION: Identify how your organization defines policy.
Step 1: Get a copy of your organization's Policy Development Guide
Ideally, the guide will describe what topics to include in the policy document. Typical sections can include:
Purpose - the reason for the policy.
Related documents - lists any documents (or other policy) that affect the contents of this policy.
Cancellation - identifies any existing policy that is cancelled when this policy becomes effective.
Background - provides amplifying information on the need for the policy.
Scope - states the range of coverage for the policy (to whom or what does the policy apply?).
Policy statement - identifies the actual guiding principles, or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be prudent, expedient, and/or advantageous to the organization.
Action - specifies what actions are necessary and when they are to be accomplished.
Responsibility - states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be reviewed and updated.
Step 2: Determine who can sign the policy
If you are part of a Department of Defense organization, the authority may be reserved for the senior military officer. In other cases, it may be a senior vice president, a CIO, or another manager. In any case, the policy must be signed by someone with sufficient authority and credibility that it is accepted by members of the organization to which it applies.
Step 3: Identify the process used to get policy drafted, signed, and implemented in your organization
Once you've identified what should be in the policy and who will sign it, you need to identify the folks who will help develop and review the policy before you submit it for signature. Typical participants (in addition to the security staff) can include members of the legal and human resources staff, as well as a representative from one or more collective bargaining units.
Coaching Football
Think of a football game. Picture the coach at practice sessions, in the locker room before the game. What is the coach doing? He is presenting, refining and reworking a plan for winning the game, a plan that's practiced over and over until it's perfect! We can see team captains and players referring to the plan before each play. What does a game plan have to do with a computer security policy? The game plan is actually a policy on how to win the game. The team that identifies its capabilities and limitations, along with the capabilities and limitations of its opponents, will devise the best plan and have the best chance of winning if they follow it.
3 USING SECURITY POLICY TO MANAGE RISK
PROBLEM: The only secure computer is one that is not connected to a network and is powered off. Use of computers to process information has associated risks. You need a methodology to validate that the organization is responsible and accountable for managing that risk.
ACTION: Learn how to manage risks related to your job.
Step 1: Identify risks
Determine how your organization uses computers and networks in the conduct of business, both routinely and under emergency circumstances. This will provide insight into the risks that you face. Examples of some things that can pose risks include: using the Internet, not using anti-virus software on desktop computers, permitting customers/suppliers/partners to bypass the protection afforded by your firewall, and permitting personal use of corporate computers and networks.
Step 2: Communicate your findings
Identifying risks is necessary, but not sufficient. Decision-makers need to know what the risks are, as well as options for managing those risks. Be sure you have adequately communicated the situation in writing to folks who can make a difference.
Step 3: Update the security policy as needed
If there is no written policy in place, write it and get it signed by upper-level management. A well-written policy, signed by top executives, will identify the corporation's values and demonstrate that senior management supports the information security activities required by the policy.
Step 4: Develop and refine methods to measure compliance with the policy
If you cannot measure compliance (conformance), the policy is unenforceable.
Where is it written…?
The decisions we make must stand the test of reasonableness: given the situation, could a reasonable person be expected to make the same decision? It's amazing to hear people who have been practicing computer security for more than a decade ask, "What instruction requires that we do it that way (or at all)?" Having a written and dated policy signed by upper management can help move these folks to where they need to be.
4 IDENTIFYING SECURITY POLICY
PROBLEM: My organization doesn't seem to have a security policy.
ACTION: Identify what your organization does have, and try to make it better. Your actions may include lobbying to create or expand current policy.
Step 1: Recognize that a policy can exist on different levels
Unless you are at the top of the organizational hierarchy, there is likely to be a part of the organization above your level that issues policy that you are expected to implement.
A common hierarchy for policy in an organization might look like this:
Enterprise-wide or Corporate Policy: the highest level (perhaps national); consists of high-level documents that provide a direction or thrust to be implemented at lower levels in the enterprise.
Division-wide Policy: typically consists of an amplification of enterprise-wide policy as well as implementation guidance. This level might apply to a particular region of a national corporation.
Local Policy: contains information specific to the local organization or corporate element.
Issue-Specific Policy: policy related to specific issues, e.g. firewall or anti-virus policy.
Security Procedures and Checklists: local Standard Operating Procedures (SOPs), derived from security policy.
Security policy may exist on some levels and not on others. Documents interact and support one another, and generally contain many of the same elements. In a typical organization, policy written to implement higher-level directives may not relieve (waive) any of the requirements or conditions stipulated at a higher level. Security policy must always be in accordance with local, state, and federal computer crime laws.
Step 2: Collect and organize the applicable written, dated, and signed policy documents
Now that you understand the policy hierarchy, you can collect policy documents available at several levels in the organization. A security policy usually exists (and is enforced to some extent) even if it is not written down. When you find instances of unwritten policy, note them as areas for improvement. Putting the policy in writing prevents misunderstandings and promotes right actions. Encourage your management to articulate security policy in writing.
Step 3: Assemble existing procedures for inclusion in the policy review
In the process of collecting policy documents, you may find procedures (perhaps issue-specific) that do not appear to be the result of any specific policy. If so, note them for inclusion in the policy review (discussed next).
5 POLICY WORKSHEET
Procedures are derived from policies. A procedure can be used to identify and define the parent policy, even if the policy is not written and signed.
ACTION: List procedures for which you need to document the policy. Make notes on the who, what, when, and where.
Sample worksheet (each step records the answer in the first column and the reason in the second):
Step 1: Who does the procedure? Why?
Who: The network administrator rolls out anti-virus updates to local desktops.
Why: To protect against virus infections. Certain administrative rights are needed to configure the push to users' local drives.
Step 2: What is the procedure? Why?
What: Definitions are unpacked and placed in a shared directory. Login scripts download the files, apply the update, and reboot the machines. Machine names are flagged in the database as having been updated.
Why: Automate the process; create an exception list.
Step 3: When is the procedure done? Why?
When: The procedure is done weekly.
Why: To keep up to date with the latest virus attacks. Our vendor rolls out new definitions every Thursday.
Step 4: Where is the procedure done? Why?
Where: The procedure is done from any administrative workstation. The procedure is applied to all desktops running Windows 9x at location XXXX.
Why: No special location is required to apply the procedure. All desktops need to have the most current updates.
Step 5: Looking at the notes from both columns, the policy becomes clear. The description identifies the threat (virus infection) and provides for safeguards.
Sample policy derived from the procedures outlined in the example above:
To ensure all desktops running Windows 9x are protected from viruses with the most recent updates, the network administrator at each location will apply the latest virus definition updates weekly. Although the process can be automated, checks must be put in place to ensure the updates have been applied successfully.
6 EVALUATING SECURITY POLICY
PROBLEM: Your organization has a written security policy, but it is confusing, difficult to follow, or doesn't address one or more significant risk areas.
ACTION: Identify policy attributes that need improvement and prepare draft revisions.
Step 1: Verify that the security policies contain the most common elements
Look for the following elements, and note what is missing.
Purpose
Security policy usually contains a statement, often at the beginning, describing the reason the policy is being established, and any associated goals.
Policy statement
Identifies the actual guiding principles, or what is to be done. The statement(s) are designed to influence and determine decisions and actions within the scope of coverage. The statements should define actions that are prudent, expedient, or advantageous to the organization.
Responsibility
The security policy document states who is responsible for what. Typical positions that might be addressed include the head of the corporation, the CIO, people in the legal department or in human resources, system administrators, and information security officers. Subsections might identify how additional detailed guidance will be developed and provided, as well as the frequency of policy review. Methods or techniques for measuring compliance may also be included in this section (as well as identifying the parties responsible for the audit).
Action
This section specifies what actions are necessary and when they are to be accomplished. It may identify the time frame in which additional guidance (mentioned above) will be forthcoming. Hopefully the policy meets the criteria stated above, but there may be a need for a waiver process. This is one logical place to identify that process, as well as the time frame for policy review (and by whom).
Note that not all sections are required. If your search for a Policy Development Guide was successful, consult it to determine required sections. If there is no written guide, use the above template and check with other folks who have been successful in getting other policy signed and implemented.
Step 2: Examine the security policy to see if it is clear
One simple way to test for clarity is to have one of the individuals identified as being responsible determine whether he or she understands the responsibility.
Step 3: Examine the security policy to see if it is concise
A specific policy topic (e.g., anti-virus signature updates) shouldn't exceed two pages. Many organizations limit them to one page.
Step 4: Examine the policy to see if it is realistic
Security policy shouldn't require people to try to implement things that can't be implemented.
Government Policy
People in the United States government create some of the worst security policy in the world. They spend taxpayer money contracting for huge notebooks of overly long, poorly written, non-specific prose. The policy documents are so large that they cannot be updated without generating a massive review cycle. They often require people to implement things that are not possible to implement. Here is a brief example:
"The head of a Federal agency may employ standards for the cost effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce."
How many times did you have to read this example of government policy before you understood what it said? Or are you still trying?
Step 5: Examine the policy to see if it provides sufficient guidance that a specific procedure can be developed from it
Policies address what is to be done and why. Procedures specify how things are done, and are how policy ultimately gets implemented. For example, if you have an Internet connection policy, you should be able to create procedures from it that allow you to configure your firewall. Procedures are also the basis for written checklists. Writing guidelines or checklists is work, and people often do not wish to be bothered documenting procedures. Many organizations have one or two employees proficient in configuring systems, firewalls and routers. They often claim to be "too busy" to develop written procedures. But what happens when they aren't there?
The Bomb:
Deak Parsons was a Captain in the Navy and an Ordnance specialist. He was assigned to the Manhattan Project during World War II. He put the first production atomic bomb together, but not in a lab or armory. He put it together in the bomb bay of the B-29 airplane that dropped the first atomic bomb. He assembled it at 29,000 feet over the Pacific Ocean on the way to Japan.
Parsons had one assistant who read to him a seven-step checklist. The checklist was a kind of policy on how to do the job. The procedure was very stressful and risky, but it was something he could almost do blindfolded, because of the checklist.
Good policy will reduce both stress and risk, just like the checklist did. If you don't have a policy (or checklist), you've got a time bomb on your hands waiting to go BOOM!
Step 6: Examine the policy to see if it is consistent with higher-level policy and guidance
If you discover any discrepancies between the policy you are reviewing and higher-level policy, note them, as you will need to resolve them for the policy to be meaningful. Security policy must also be in accordance with local, state, and federal computer crime laws. Again, note any contradictions you discover so you can get the policy corrected.
Step 7: Examine the policy to see if it is forward looking
Security policy should be open to change based on new risks and vulnerabilities, especially following an incident. It should not be hardware- or software-specific.
Step 8: Examine the policy for provisions to keep it current
Security policy should be reviewed regularly. Revisions in implementation should reflect lessons learned from recent incidents and new threats to the organization's security. See "Action" above.
Step 9: Check to see if the security policy is readily available
The Policy Development Guide may provide information regarding responsibility for publishing and making available specific policy documents. Security policy should be incorporated in employee handbooks and posted for reference. It must be required reading as part of the new employee orientation process.
7 ISSUE-SPECIFIC SECURITY POLICY
Issue-specific policies may often be brief and to the point. The following examples of issue-specific security policy steps contain information and ideas you may find valuable for your organization.
Issue-Specific Policy #7.1: ANTI-VIRUS
PROBLEM: Normal day-to-day work encompasses email, Internet connections, installing new software, and taking work home at the end of the day and bringing it back in the morning. All these practices allow the introduction of viruses.
ACTION: Develop an anti-virus policy.
Step 1: Select the scope of the policy
An anti-virus policy serves as an umbrella for a set of procedures. The policy should address how to select software products, what to do when a virus is detected, how to limit the possible entry paths, how to contain the damage to infected systems, and how to deploy the software to ensure desktop coverage.
Step 2: Layer your defenses
In addition to desktop software, consider including procedures in the policy to scan for viruses and other malicious code on the file servers, mail servers, firewalls and other machines that see traffic from the Internet to internal machines.
Step 3: Identify responsibilities
Make sure that persons responsible for keeping the signatures updated understand that
If workers transport files from the office to home and back again, the anti-virus strategy should take this into account and advise them that they are responsible for scanning files introduced in any way that bypasses protection provided by the corporation.
Step 4: Measure the effectiveness
Every anti-virus policy should require reporting of viruses; that is the only way to gauge the extent of problems. However, people seldom report viruses. Reporting takes time, and may indicate failure to follow policy. Consider using anti-virus products that report automatically.
Issue-Specific Policy #7.2: PASSWORD ASSESSMENT
PROBLEM: Password assessment is necessary to maintain the protection of information, but the procedure may appear to be illegitimate. People have been prosecuted for assessing (cracking) passwords when they claimed they were just doing their job.
ACTION: Develop a password assessment policy.
Step 1: Identify the risk
The early history of hacking was mostly an exercise in password guessing. This is still a popular technique. Consider how many Windows NT systems have been compromised via the one-two punch of null sessioning and password guessing. Even better than guessing is password cracking. Once intruders have the password file, they can attack off line. There are a variety of techniques to acquire the password file for both Unix and NT systems. To make both acquisition and cracking of password files more difficult for attackers, define minimum standards for passwords. The security policy should specify procedures for formulating passwords, such as requiring at least eight characters and avoiding dictionary words by inserting a non A-Z character in the string. It should also define procedures for maintaining the security of password files, as described in Step 2.
Step 2: Enumerate the countermeasures
The policy should employ procedures for configuring systems to make it more difficult for the attacker to access the password file in the first place. These include shadow passwords for Unix, and disabling null sessions for NT.
Step 3: Enable administrators to legally assess password strength
The policy should enforce password protection by providing for the use of system tools that filter passwords and tools that crack them (the same cracking tools that attackers use). Identify conditions under which password assessment is permitted and encouraged. If you plan to use password cracking yourself, be sure you have written authorization: either unequivocal policy, or a separate authorization from top management.
Step 4: Escrow passwords for use during incidents
Incident handlers and system administrators may need to access privileged passwords. The policy should provide for a procedure to store critical system passwords in a sealed envelope in a secure container.
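The following is an added example, not part of the SANS text, tying Steps 1 to 3 together: a password filter that enforces the minimum standard stated in Step 1 (eight characters, not a dictionary word, at least one character outside A-Z), next to the kind of offline dictionary attack Step 1 warns about, run against a captured hash file. It shows that every password the filter would have rejected is recovered from the hashes in a fraction of a second, which is why Step 2 (keeping the hashes out of reach) and Step 1 (refusing weak passwords) go together. The word list, the user records, the salt values and the SHA-256(salt || password) hashing scheme are all constructed here for illustration; real shadow files and SAM databases use their own hash formats. The filter's fourth rule (rejecting a dictionary word with digits or punctuation added) goes slightly beyond the page's wording, because it is the first mangling rule every cracking tool tries.

```python
"""
Added example (not from the SANS text): a Step 1 password filter beside an
offline dictionary attack over (user, salt, hash) records. Everything below
(word list, records, salts, hash construction) is constructed for illustration.
"""
import hashlib
import hmac
import string

# Constructed word list. A real filter or cracker uses hundreds of thousands.
DICTIONARY = frozenset({
    "password", "letmein", "welcome", "dragon", "baseball",
    "sunshine", "football", "princess", "monkey", "computer",
})
MIN_LENGTH = 8


def check_password(candidate, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means it passes.

    The first three rules are the page's Step 1 minimums. The fourth also
    rejects a dictionary word with digits or punctuation added, because that
    is exactly what guesses() below tries first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in dictionary:
        problems.append("is a dictionary word")
    if not any(ch not in string.ascii_letters for ch in candidate):
        problems.append("contains only letters A-Z")
    letters_only = "".join(ch for ch in candidate if ch.isalpha()).lower()
    if letters_only != candidate.lower() and letters_only in dictionary:
        problems.append("is a dictionary word with characters added")
    return problems


def hash_password(salt, password):
    """Constructed stand-in for a system password hash: SHA-256(salt || password)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def guesses(dictionary=DICTIONARY):
    """Yield what a cracker tries first: each word, its capitalised form,
    and each of those with a single digit appended."""
    for word in sorted(dictionary):
        for base in (word, word.capitalize()):
            yield base
            for digit in string.digits:
                yield base + digit


def crack(records, dictionary=DICTIONARY):
    """Offline dictionary attack over (user, salt, hash) records.

    The attacker never touches the login service, so lockouts and logging do
    not help. The defences are keeping the hashes out of reach (shadow
    passwords, no null sessions: Step 2) and refusing weak passwords (Step 1).
    """
    recovered = {}
    for user, salt, digest in records:
        for guess in guesses(dictionary):
            if hmac.compare_digest(hash_password(salt, guess), digest):
                recovered[user] = guess
                break
    return recovered


# Constructed sample records. In an authorised assessment (Step 3) these
# would be taken from the real shadow file or SAM database.
SAMPLE_RECORDS = [
    ("alice", "q8Lz", hash_password("q8Lz", "Baseball7")),
    ("bob",   "Xf0a", hash_password("Xf0a", "sunshine")),
    ("carol", "9mNp", hash_password("9mNp", "correct-horse-battery")),
    ("dave",  "Rt4k", hash_password("Rt4k", "Dragon1")),
]

if __name__ == "__main__":
    cracked = crack(SAMPLE_RECORDS)
    for user, _, _ in SAMPLE_RECORDS:
        print("%-6s %s" % (user, cracked.get(user, "<not recovered>")))
    for pw in ("sunshine", "Baseball7", "Dragon1", "correct-horse-battery"):
        print("%-22s -> %s" % (pw, check_password(pw) or ["passes policy"]))
```

Run as written, three of the four constructed accounts fall to 220 guesses each, and every one of the recovered passwords is one the filter would have refused; only the passphrase with a non-letter character and no dictionary base survives. Running either half against real systems is exactly the activity Step 3 says needs written authorization first.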
Case in Point!
Randal Schwartz
Randal L. Schwartz is a well-known security consultant, respected for his contributions to the Perl programming language through two books and long-time participation in the Perl newsgroups.
While he was working as a consultant at an Intel Corporation facility in Beaverton, Oregon, he ran a program called "crack" to test the strength of passwords at another division of Intel where he had previously worked. His actions were not covered by a specific written policy.
Mr. Schwartz was charged with (1) altering a computer and a computer network without authorization; (2) using a computer and computer network for the purpose of committing a theft; and (3) committing theft of individual passwords.
In late July 1995, a jury convicted Randal Schwartz of three felony counts under Oregon's Computer Crime Law. His sentence included five years of probation, 480 hours of community service, 90 days of deferred jail time, and $68,000 of restitution to Intel. By the end of 1995, his legal bill exceeded $170,000. Eventually, due to exemplary compliance with the terms of probation, the judge converted the deferred jail time to suspended jail time.
This story is told in more detail, and insights on some important computer policy issues are offered, at http://www.lightlink.com/spacenka/fors/ The excerpt above is taken from that site.
Issue-Specific Policy #7.3: BACKUPS
If you had a complete system failure tomorrow morning, how quickly could you restore operations?
PROBLEM: It is critically important to make copies of ongoing work and stored information, but making backups is a sporadic practice. A lot of work doesn't get backed up.
ACTION: Develop a backup policy.
Step 1: Identify backups as critical to the organization's survival
It costs a lot of money to create data and manage information, but users and organizations often don't take backups seriously. The policy should stress the need for being able to stay in business. A well-written document will provide for backups of all data. If the information was sufficiently important to gather in the first place, it must be backed up until such time as a conscious decision is made that the organization no longer needs the information.
Step 2: Empower system administrators to succeed
Identify where the data is to be stored for scheduled backups. Some organizations specify that ALL data is to be stored on the servers. It sure makes doing a backup much simpler than having the data located on multiple desktops. The policy should specify how backups are created, stored, and tested. Some organizations are very casual with their media and don't protect it. It is not uncommon to see backup tapes sitting on the computer. Full backups include password files and other sensitive data, and should be stored off site. Off-site data storage can be as simple as keeping it in another building, or as elaborate as storing backed-up data in another country.
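Step 2 says the policy should specify how backups are tested, but not what a test looks like. The following is an added example, not part of the SANS text, of the simplest meaningful test: record a manifest of SHA-256 digests when the backup is taken, then restore to a scratch location and compare, so that a corrupted, missing or stray file is reported rather than discovered on the morning of the failure. The directory layout, file names and contents below are constructed inline so the example runs offline.

```python
"""
Added example (not from the SANS text): "test the backup" by restoring to a
scratch directory and comparing it against a manifest of SHA-256 digests
recorded at backup time. All paths and file contents are constructed here.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns {"missing": [...], "altered": [...], "unexpected": [...]}. All
    three lists empty means the restore reproduced the source exactly; a
    stray file matters too, since a restore that brings back old data can
    quietly undo a deliberate deletion.
    """
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "altered": sorted(p for p in manifest
                          if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up a small share, then damage the restored copy
    the way a bad tape would, and report what the comparison finds."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "server_share"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2001-01-01,rent,1200\n")
        (src / "finance" / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0 fake-ole-header")
        (src / "readme.txt").write_text("store all data on the server\n")
        manifest = build_manifest(src)          # recorded when the backup is taken

        dst = Path(tmp) / "restored"            # the scratch restore location
        (dst / "finance").mkdir(parents=True)
        (dst / "finance" / "ledger.csv").write_text("2001-01-01,rent,1200\n")  # intact
        (dst / "finance" / "budget.xls").write_bytes(b"\x00" * 16)            # corrupted
        # readme.txt never came back from the tape: missing
        (dst / "stray.tmp").write_text("left over from a previous restore\n")  # unexpected
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-10s %s" % (kind, paths))
```

A policy that requires this comparison to be run and its output filed for each restore test turns "backups are tested" from a sentence into something an auditor can check, and it catches the silently corrupted tape that a successful-looking restore job would otherwise hide.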
Step 3: Provide for exceptions to the norm
If the organization uses corporate servers and generally requires all employees to store data there, there may be cases where it is difficult to get personnel to keep their data on the server. The policy must make provisions for such exceptions. One organization addresses this by making backup part of performance assessment and by including a statement of responsibility in the employee's annual performance plan. If the employee does not keep the data on the server, the employee is personally responsible for backing