
CEHv6 module 49 creating security policies


DOCUMENT INFORMATION

Basic information

Title: Creating Security Policies
Institution: EC-Council
Subject: Security Policies
Type: course module
Pages: 50
Size: 1.54 MB


Contents



Creating Security Policies

Ethical Hacking Countermeasures Version 6

Module XLIX: Creating Security Policies

Ethical Hacking and Countermeasures v6 Module XLIX: Creating Security Policies

Exam 312-50


Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

In spite of the repeated warnings, some 34 percent of employees said that they are still clicking on malicious and unknown emails and another 6 percent of employees said that they are clicking on malicious attachments.


Module Objective

This module will familiarize you with:

• Security Policies

• Key Elements of Security Policy

• Role of Security Policy

• Classification of Security Policy

• Configurations of Security Policy

• Types of Security Policies

• E-mail Security Policy

• Software Security Policy

• Points to Remember While Writing a Security Policy


Module Flow

• Security Policies

• Key Elements of Security Policy

• Role of Security Policy

• Classification of Security Policy

• Configurations of Security Policy

• Types of Security Policies

• E-mail Security Policy

• Software Security Policy

• Points to Remember While Writing a Security Policy


Security Policies

• Security policies are the foundation of the security infrastructure.

• A security policy is a document or set of documents that describes, at a high level, the security controls that will be implemented in the company.

• Without them, you cannot protect your company from possible lawsuits, lost revenue, bad publicity, and basic security attacks.

Security policies are the basis for securing your infrastructure. Without them, you cannot protect your company from possible lawsuits, lost revenue, bad publicity, and basic security attacks. A security policy defines the rules of safeguards, which reduce the risk of injury. A security policy is a document with high-level security guidelines that are implemented in the company.

A security policy maintains the integrity, confidentiality, reliability, and value of assets. It also provides protection for your company from threats such as information theft, natural and man-made disasters, damage, and technical failures. In addition, it protects against cyber attacks, malicious threats from the Internet, transnational criminal activity, foreign intelligence activities, and terrorism.

Policies are not technology specific and do three things for a company:

• Reduce or eliminate legal liability to employees and third parties

• Protect confidential, proprietary information from theft, misuse, unauthorized disclosure, or modification

• Prevent waste of company computing resources


Key Elements of Security Policy

A security policy contains the following key elements:

• Clear Communication: There should not be any communication gap, and the communication must be clear. A communication gap may lead to the creation of completely different sets of policies that may not be feasible for the users.

• Brief and Clear Information: Clear information regarding the network policy must be given to the developers so that they can decide on the network security approach.

• Defined Scope and Applicability: The scope identifies the assets that must be protected by the network security policy. The network policy addresses a wide range of issues, from physical security to personal security.

• Enforceable by Law: The network policy must be enforceable by law and impose penalties for policy breaches. Penalties for violations must also be addressed during the creation of the network policy.

• Recognizes Areas of Responsibility: The network policy must recognize the various responsibilities of the employees, the organization, and third-party users.

• Sufficient Guidance: A good network policy must have proper references to other policies, which help in guiding and redefining the scope and the objectives of the policy.

• Top Management Involvement: Involvement of the top managers is mandatory, as it ensures conformity with the network policy.


Defining the Purpose and Goals of Security Policy

Purpose of Security Policy

• To maintain an outline for the management and administration of network security

• To reduce risks caused by:

  o Illegal use of the system resources

  o Loss of sensitive, confidential data, and potential property

• To differentiate the users' access rights

Goals of Security Policy

• Protection of the organization's computing resources

• Elimination of strong legal liability from employees or third parties

• Ensuring customers' integrity and preventing unauthorized modifications of the data

A good security policy must be able to:

• Prevent wasting or misusing organization resources, especially computing resources

• Eliminate strong legal liability from employees or third-party users

• Safeguard and protect valuable, confidential, or proprietary information from unauthorized access or disclosure

• Ensure the availability of data and processing resources

• Ensure the confidentiality and integrity of the customer's information and categorize the risk for the customer and the organization

• Ensure the integrity of the data processing operations and prevent their unauthorized use

• Ensure the confidentiality of the customers and information, and prevent unauthorized disclosure or use of information

The goals mentioned in the security policy ultimately safeguard an asset. It is important to simultaneously determine the asset as well as the protection given to the asset. This implies that there must be concern for corporate espionage, theft of potential property, eavesdropping, and damaging of files by external attackers. The most important concern is to determine the protection, which is a crucial part of a security policy and needs to be determined early on.

Besides that, protection also involves defining where and how consequences are to be monitored in cases where there is a violation. While the specifics of the rebuttals can be left to senior management, the basic security policy needs to define the methods by which protection can be implemented.


Role of Security Policy

Provides a set of protocols to the administrator on:

• How the users work together with their systems

• How those systems should be configured

• How to react when the system is attacked

• What to do when susceptibilities are found

Suggests the safety measures to be followed in an organization.

Security policies play a vital role in the efficient working of an organization. They cannot be explained in a few words, but they have been explained as follows:

• Security policies offer the rules and regulations that manage how the users interact with their systems and how those systems should be configured.

• They provide certain steps on how to react when the system is attacked and vulnerabilities are found.

• They suggest the kind of security to be implemented in an organization.

• They put each individual in the organization on the same page. Thus, each individual is subject to following the same policy.


Classification of Security Policy

User Policy

• Defines what kind of user is using the network

• Defines the limitations that are applied on users to secure the network

• Password Management Policy: protects the user account with a secure password

IT Policy

• Designed for the IT department to keep the network secure and stable

• The three different IT policies are:

  o Backup Policies

  o Server configuration, patch update, and modification policies

  o Firewall Policies

General Policies

• Defines the responsibility for general business purposes

• The different general policies are:

  o High Level Program Policy

  o Business Continuity Plans

  o Crisis Management

  o Disaster Recovery

Partner Policy

• Policy that is defined among a group of partners

Issue Specific Policies

• Recognize specific areas of concern and describe the organization's status for top level management

• Involve revision and upgrading of policies from time to time, as changes in technology and related activities take place frequently

• Components:

  o Issue Statement

  o Statement of the Organization's Position


Once the data is determined, a set of policies is developed to protect that data. These policies can be categorized as a security policy. The different types of security policies are discussed below:

User Policy

A user policy defines the kind of network user and computer equipment utilized in an organization. It provides the restrictions for users to protect their network, such as how they can install programs on their computer, the type of programs that they can use, and how they can access data.

A password management policy is one of the user policies.

• Password Management Policy: As the name indicates, this policy protects the user account with a strong password. It defines how often the users change their passwords, and it gives the complexity rules for the characters used in passwords.

• Server Configuration and Modification Policies: Server configuration and modification policies remove unneeded services, determine which servers should use an IDS, and determine what should be done to update the system.

General Policies

1. High level program policy

2. Business continuity plans

• High Level Program Policy: The high level program policy defines the owners of this policy, who handles the policy, the purpose and scope of that policy, and any exceptions that exist.

• Business Continuity Plans: Business continuity plans deal with the features related to business. Some of these plans include:

1. Crisis management

2. Disaster recovery


  o Phone system recovery

  o Emergency response plan

  o Workplace recovery

• Partner Policy: A policy that is defined among a group of partners is called a partner policy.

• Issue Specific Policies: The types of issue specific policies are as follows:

to the people handling or working with the physical assets must be monitored as well as analyzed frequently, and physical assets must be taken care of.

• Personnel Security: Personnel security is based on maintaining the varying degrees of security of the confidential data; accounting for the number of employees handling it; the special security policies related to the handling of the assets; and employee authentication, training, and dismissal. Specialists who are trained in handling different equipment must know how to initiate, use, and assess the performance of the assets.

• Communications Security: Communications security is a crucial security policy where organizations need to communicate on


• Administrative Security: Administrative security implies managing the IT system management and includes additional activities like determining potential security policy issues on input/output controls, training and awareness, security certification, incident reporting, system configurations and change controls, and system documentation.

• Risk Management: Risk management involves rating the IT resources in terms of potential threats and susceptibilities and planning the means for countering those risks. Addressing these issues and determining who should perform these tasks should be done periodically.

• Contingency Planning: Contingency planning is a category of risk management where planning for emergency actions has to be decided. Emergency actions include power failure; system crashes; and environmental catastrophes like drought, floods, and earthquakes. Training should be provided to the employees to handle such difficult situations. The plans devised to handle the situations must be tested periodically and upgraded, and there must be an authority to approve the contingency plans.

• System Management Policy: A system management policy collectively includes security and system administration to develop a final product which is secure.


Design of Security Policy

Guidelines should cover the following points as policy structure:

• Detailed description of the policy issues

• Description of the status of the policy

• Applicability of the policy to the environment

• Functionalities of those affected by the policy

• Compatibility level of the policy is necessary

• End-consequences of non-compliance

The security policy structure overviews the functionalities of security aspects. This structure must contain:

• Description of the issue for which the policy is used

• Details regarding the status of the policy and the description of the domains where the policy has been applied

• The functionalities and the responsibilities of the employees involved in the policy

• The extent to which the policy is compatible with the organization's standards

• Tasks and procedures involved in the policy, and the ones that are forbidden

• All the end-consequences that have to be addressed if the policy is not compatible with the organizational standards

Thus, the security policy must contain all the information that is required for the successful implementation of the organizational work process.


Contents of Security Policy

• High Level Security Requirements: This statement features the requirement of a system to implement security policies that include discipline security, safeguard security, procedural security, and assurance security

• Policy Description Based on Requirement: Focuses on security disciplines, safeguards, procedures, continuity of operations, and documentation

• Security Concept of Operation: Defines the roles, responsibilities, and functions of a security policy

• Allocation of Security Enforcement to Architecture Elements: Provides a computer system architecture allocation to each system of the program

There are four contents in the security policy, which are:

1. A high level of security

2. Policy description based on requirements

3. Security concept of operation

4. Security implementation to architecture elements

A High Level of Security

This statement features the requirement of a system to implement security policies. There are four types of requirements, which are:

• Discipline Security Requirements: This requirement includes various security policies like computer security, network security, communication security, personal security, information security, operation security, and physical security.

• Safeguard Security Requirements: This feature mainly contains access control, audit, integrity, confidentiality, authenticity, recovery, non-repudiation, cryptography, identification, and authentication.

• Procedural Security Requirements: This requirement mainly contains access policies, accountability, continuity of operations, and documentation.

• Requirements of Assurance Security: This requirement includes certification and authorization packages and planning documents.

Policy Descriptions Based on Requirement

This statement mainly focuses on security disciplines, safeguards, procedures, continuity of operations, and documentation. Each portion of the policy defines how the system's architecture elements enforce security.

Concept of Security for the Operation

This concept mainly defines the roles, responsibilities, and functions of a security policy. It mainly focuses on the mission, communications, encryption, user policies, maintenance policies, virus protection policies, idle time management, shareware software policies, and public domains.

Security Implementation to Architecture Elements

This policy provides a computer system architecture allocation to each system of the program.


Configurations of Security Policy

• Role-Based Service Configuration: Provides a way to configure services that are installed and available depending on the server's role and other features

• Network Security: Designed to configure inbound ports using Windows Firewall

• Internet Information Services: Designed to configure the security feature of Internet Information Services (IIS)

Role-Based Service Configuration

The role-based configuration is used to develop services that are installed and accessible depending on the roles of the server and other features. It is intended to allow open ports and services depending on the functionality of the server and the features of the client.

This section is divided into subsections, which permit you to select server roles, services, client functions, and more. The subsections encountered in the role-based service configuration section are as follows:

• Select server functionalities

• Select features of a client

• Select administration options

• Choose additional services

• Manage specific services

• Confirm service modifications

Network Security

This configuration is designed to configure inbound ports using Windows Firewall. It is based on the server functionalities and client features. The port selection is based on the ports and the applications that use particular ports, as shown in the following figure:


Registry Settings

Registry settings are intended to configure network communication protocols. The security of the communication protocols is essential because the protocols required by legacy Windows operating systems are vulnerable to brute force and man-in-the-middle attacks.

The targeted key areas include:

• SMB security signatures

• LDAP signing

• Outbound authentication protocols

• Inbound authentication protocols
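The four key areas listed above correspond to concrete registry values on Windows hosts. The following Python check is an added example, not part of the EC-Council module: it compares a constructed registry snapshot against a hardened baseline, lists each value that still permits the weaker (negotiable or downgradable) behaviour the text warns about, and shows the corrected value beside it. The value names and paths (RequireSecuritySignature, LDAPServerIntegrity, LDAPClientIntegrity, LmCompatibilityLevel, NoLMHash) are real Windows settings, but mapping them onto the module's four areas is this example's assumption, and the snapshot values are made up.

```python
"""Compare Windows registry values for the module's four key areas (SMB
signing, LDAP signing, outbound and inbound authentication) against a
hardened baseline. Added example; the registry snapshot is constructed."""

from typing import Dict, List, NamedTuple, Optional, Tuple

RegKey = Tuple[str, str]  # (registry path, value name)

LANMAN_SRV = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LANMAN_WKS = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
NTDS = r"HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
LDAP_CLIENT = r"HKLM\SYSTEM\CurrentControlSet\Services\LDAP"
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

# Baseline: (path, value) -> (minimum acceptable DWORD, why it matters).
# Higher values are stricter for every setting listed here. The value names
# are real Windows settings; tying them to the module's four "key areas" is
# this example's assumption.
BASELINE: Dict[RegKey, Tuple[int, str]] = {
    (LANMAN_SRV, "RequireSecuritySignature"): (1, "SMB server must require signing"),
    (LANMAN_WKS, "RequireSecuritySignature"): (1, "SMB client must require signing"),
    (NTDS, "LDAPServerIntegrity"): (2, "LDAP server must require signing, not negotiate"),
    (LDAP_CLIENT, "LDAPClientIntegrity"): (2, "LDAP client must require signing"),
    (LSA, "LmCompatibilityLevel"): (5, "send NTLMv2 only; refuse inbound LM and NTLM"),
    (LSA, "NoLMHash"): (1, "do not store LM hashes, which are trivially brute-forced"),
}


class Finding(NamedTuple):
    path: str
    name: str
    actual: Optional[int]  # None when the value is absent from the snapshot
    required: int
    reason: str


def find_weak_settings(snapshot: Dict[RegKey, int],
                       baseline: Dict[RegKey, Tuple[int, str]] = BASELINE) -> List[Finding]:
    """Return one Finding for every baseline value that is absent or below its minimum."""
    findings = []
    for key, (minimum, reason) in baseline.items():
        actual = snapshot.get(key)
        if actual is None or actual < minimum:
            findings.append(Finding(key[0], key[1], actual, minimum, reason))
    return findings


def harden(snapshot: Dict[RegKey, int],
           baseline: Dict[RegKey, Tuple[int, str]] = BASELINE) -> Dict[RegKey, int]:
    """Return a copy of the snapshot with every weak value raised to the baseline minimum."""
    fixed = dict(snapshot)
    for f in find_weak_settings(snapshot, baseline):
        fixed[(f.path, f.name)] = f.required
    return fixed


def remediation_commands(findings: List[Finding]) -> List[str]:
    """Render each finding as the reg.exe command that would apply the baseline value."""
    return [f'reg add "{f.path}" /v {f.name} /t REG_DWORD /d {f.required} /f'
            for f in findings]


# Constructed snapshot of a server that still negotiates rather than requires.
SNAPSHOT: Dict[RegKey, int] = {
    (LANMAN_SRV, "RequireSecuritySignature"): 0,  # signing optional: downgradable
    (LANMAN_WKS, "RequireSecuritySignature"): 1,
    (NTDS, "LDAPServerIntegrity"): 1,             # negotiate only
    (LSA, "LmCompatibilityLevel"): 3,             # sends NTLMv2 but still accepts LM/NTLM
    (LSA, "NoLMHash"): 1,
    # LDAPClientIntegrity is absent on purpose: "not set" is itself a finding.
}

if __name__ == "__main__":
    weak = find_weak_settings(SNAPSHOT)
    for f in weak:
        print(f"{f.path}\\{f.name}: actual={f.actual} required>={f.required} ({f.reason})")
    print("\n".join(remediation_commands(weak)))
    assert not find_weak_settings(harden(SNAPSHOT))
```

Run stand-alone, the block reports four findings (the SMB server, both LDAP sides and the LM compatibility level) and prints the reg add commands that would bring them to baseline; the same baseline can be evaluated against a real host by filling the snapshot from a registry export instead of the constructed values.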

Audit Policy

The audit policy develops server auditing depending on the auditing objectives. It can audit both successful and unsuccessful events. This policy can configure object access events and audit the list of events.

The following figure demonstrates the server auditing policy that audits both successful and unsuccessful events:
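To make the "both successful and unsuccessful events" point concrete, here is an added example (not from the module) that parses constructed logon audit lines, counts successes and failures per account, and flags two conditions an account policy would typically name: an account exceeding a failed-logon maximum, and a success that immediately follows a run of failures. The second condition is only detectable because successes are audited too. The line format and the events are constructed for the example and are not a real Windows event log schema.

```python
"""Summarize constructed logon audit events, successful and failed, and flag
accounts that exceed a failed-logon threshold or that succeed right after a
burst of failures. Added example; the log format and lines are constructed."""

import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed audit lines: timestamp, event kind, outcome, account, source.
SAMPLE_EVENTS = [
    "2013-12-26T08:59:50 LOGON SUCCESS user=alice src=10.10.1.15",
    "2013-12-26T09:00:01 LOGON FAILURE user=bob src=10.10.1.77",
    "2013-12-26T09:00:03 LOGON FAILURE user=bob src=10.10.1.77",
    "2013-12-26T09:00:05 LOGON FAILURE user=bob src=10.10.1.77",
    "2013-12-26T09:00:07 LOGON FAILURE user=bob src=10.10.1.77",
    "2013-12-26T09:00:09 LOGON FAILURE user=bob src=10.10.1.77",
    "2013-12-26T09:00:11 LOGON SUCCESS user=bob src=10.10.1.77",
    "2013-12-26T09:02:30 LOGON FAILURE user=carol src=10.10.1.15",
    "2013-12-26T09:02:41 LOGON SUCCESS user=carol src=10.10.1.15",
    "2013-12-26T09:05:00 OBJECT_ACCESS SUCCESS user=alice object=payroll_share",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>[A-Z_]+) (?P<outcome>SUCCESS|FAILURE) user=(?P<user>\S+)")


class Event(NamedTuple):
    ts: str
    kind: str
    outcome: str
    user: str


def parse_events(lines: List[str]) -> List[Event]:
    """Parse lines matching the constructed schema; unparseable lines are skipped, not guessed."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["kind"], m["outcome"], m["user"]))
    return events


def logon_counts(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Per-account counts of successful and failed logons (other event kinds ignored)."""
    counts = defaultdict(lambda: {"SUCCESS": 0, "FAILURE": 0})
    for e in events:
        if e.kind == "LOGON":
            counts[e.user][e.outcome] += 1
    return dict(counts)


def accounts_over_threshold(events: List[Event], max_failures: int) -> List[str]:
    """Accounts whose failed-logon count exceeds the policy's maximum."""
    return sorted(u for u, c in logon_counts(events).items() if c["FAILURE"] > max_failures)


def success_after_failures(events: List[Event], min_failures: int) -> List[str]:
    """Accounts with a successful logon directly after at least min_failures
    consecutive failures. Auditing failures alone would show a struggling user;
    the audited success is what distinguishes a login that eventually worked."""
    streak = defaultdict(int)
    flagged = []
    for e in events:
        if e.kind != "LOGON":
            continue
        if e.outcome == "FAILURE":
            streak[e.user] += 1
            continue
        if streak[e.user] >= min_failures and e.user not in flagged:
            flagged.append(e.user)
        streak[e.user] = 0
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("logon counts:", logon_counts(evts))
    print("over 3 failures:", accounts_over_threshold(evts, 3))
    print("success after >=3 failures:", success_after_failures(evts, 3))
```

With the constructed events, bob exceeds a three-failure maximum and also succeeds after five failures, while carol's single failure followed by a success is below the threshold; the thresholds are placeholders for whatever the account policy specifies.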

Internet Information Services

The Internet Information Services section is used to configure the security feature of Internet Information Services (IIS). The subsections of this section include:

• Selecting web service extensions for dynamic content

• Preventing anonymous users from accessing the content files


Implementing Security Policies

• Implementation follows the building, revision, and updating of the security policy.

• The final version must be made available to all of the staff members in the organization.

• For effective implementation, there must be rotation of jobs so that data is not handled by only a few people.

• A proper security awareness program, cooperation, and coordination among employees are required.

Implementation of the security policy follows building, revising, and updating. Proper modeling and an outline of the policies must be drawn up, and suggestions from the stakeholders must be taken to directly correlate the policy with the interests of the organization. After the policy is complete, the final version must be made available to all of the staff members in the organization to ensure proper training and understanding. The policy must be available on demand, so it must be placed on the internal network and intranet. For effective implementation, there must be a rotation of job roles so that different people handle the data, so that the limitations of the security policy can be identified and the policy updated. Company data is very critical, so proper care must be taken that it is not revealed to the public. There must be a proper security awareness program, cooperation, and coordination among employees.


Types of Security Policies

• Promiscuous Policy

• Permissive Policy

• Prudent Policy

• Paranoid Policy

• Acceptable-Use Policy

• User-Account Policy

• Remote-Access Policy

• Information-Protection Policy

• Firewall-Management Policy

• Special-Access Policy

• Network-Connection Policy

• Business-Partner Policy

• Other Important Policies

Security policies are the foundation of your security infrastructure. These policies help to maintain the confidentiality, availability, and integrity of information. Some security policies are as follows:


Promiscuous Policy

• No restrictions on Internet/remote access

• Good luck to your network administrator, you have our blessings

According to http://www.computeruser.com, "Promiscuous policy defines a policy of allowing everyone's access from the Internet to an organization's internal network." In this policy, there is no restriction on Internet access. A user can access any site, download any application, and access a computer or a network remotely.

It is useful in corporate business where people at branch offices and people who are traveling need to access organizational networks.

Many kinds of malware, viruses, and trojans are present on the Internet. Due to free Internet access, this malware can arrive as attachments without the user's knowledge. So, network administrators need to be more alert.


Permissive Policy

• Policy begins wide open

• Known dangerous services/attacks blocked

• Known holes plugged, known dangers stopped

• Impossible to keep up with current exploits; administrators always play catch-up

In the permissive policy, several known dangerous services and attacks are blocked. Unlike the promiscuous policy, some restrictions are present regarding Internet access. In this policy, known holes are plugged and known dangers are stopped. Because only known attacks and exploits are blocked, it is impossible for administrators to keep up with the current exploits. The administrator always needs to play catch-up with new attacks and exploits.


Prudent Policy

• Provides maximum security while allowing known but necessary dangers

• All services are blocked, nothing is allowed

• Safe/necessary services are enabled individually

• Nonessential services/procedures that cannot be made safe are not allowed


Paranoid Policy

• Everything is forbidden

• No Internet connection, or severely limited Internet usage

• Users find ways around overly severe restrictions

In the paranoid policy, everything is forbidden. There are strict restrictions on every use of company computers, whether system usage or network usage. There is no Internet connection, or Internet usage is severely limited. Because of these overly severe restrictions, users find ways around them.
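The four stances above (promiscuous, permissive, prudent and paranoid) differ mainly in their default decision and in whether their rules are written as a block list or an allow list. The Python below is an added example, not EC-Council's material: it encodes each stance as a decision rule and runs constructed connection requests through all four, including a service that did not exist when the rules were written, which is exactly the case in which the permissive policy's "catch-up" problem appears and the prudent policy's default deny does not. Service names and the block and allow lists are constructed.

```python
"""Model the promiscuous, permissive, prudent and paranoid stances as
firewall-style decision rules and apply them to constructed requests.
Added example; the service names and rule lists are constructed."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Stance:
    name: str
    default_allow: bool                     # decision for traffic no rule mentions
    blocked: FrozenSet[str] = frozenset()   # explicit deny list (permissive style)
    allowed: FrozenSet[str] = frozenset()   # explicit allow list (prudent style)

    def decide(self, service: str) -> bool:
        """Explicit deny wins, then explicit allow, then the stance's default."""
        if service in self.blocked:
            return False
        if service in self.allowed:
            return True
        return self.default_allow


KNOWN_DANGEROUS = frozenset({"telnet", "rsh", "netbios"})  # constructed block list
BUSINESS_NEEDS = frozenset({"https", "dns", "smtp"})        # constructed allow list

STANCES: Dict[str, Stance] = {
    # "no restrictions": everything passes
    "promiscuous": Stance("promiscuous", default_allow=True),
    # "begins wide open, known dangers blocked": default allow plus a block list
    "permissive": Stance("permissive", default_allow=True, blocked=KNOWN_DANGEROUS),
    # "all blocked, safe/necessary services enabled individually": default deny plus allow list
    "prudent": Stance("prudent", default_allow=False, allowed=BUSINESS_NEEDS),
    # "everything is forbidden": default deny and nothing enabled
    "paranoid": Stance("paranoid", default_allow=False),
}

# Constructed requests; the last one stands for a service unknown when the rules were written.
REQUESTS = ["https", "dns", "telnet", "irc", "newly-disclosed-service"]


def decision_matrix(requests: List[str] = REQUESTS,
                    stances: Dict[str, Stance] = STANCES) -> Dict[str, Dict[str, bool]]:
    """stance name -> {service -> allowed?} for every request under every stance."""
    return {name: {svc: st.decide(svc) for svc in requests} for name, st in stances.items()}


def catch_up_exposure(stance: Stance, requests: List[str]) -> List[str]:
    """Services a stance lets through only because no rule knows about them.
    Non-empty for default-allow stances, which is the 'administrators always
    play catch-up' problem; always empty for the default-deny stances."""
    return [s for s in requests
            if s not in stance.blocked and s not in stance.allowed and stance.decide(s)]


if __name__ == "__main__":
    for name, row in decision_matrix().items():
        print(f"{name:12s}", {svc: ("allow" if ok else "deny") for svc, ok in row.items()})
    for name, st in STANCES.items():
        print(f"{name:12s} passes by default: {catch_up_exposure(st, REQUESTS)}")
```

The matrix shows the trade-off the slides describe: only the two default-deny stances refuse the newly disclosed service without anyone updating a rule, and the paranoid stance achieves that by refusing the business services as well, which is the pressure that leads users to route around it.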


Acceptable-Use Policy

The acceptable-use policy consists of rules decided by the network and website owners. This policy discusses and defines the proper use of computing resources. It is generally written for businesses, website owners, and big corporations. It is also related to information security: it states the responsibilities of users to protect the information available in their accounts.

This policy should answer the following questions:

• Should users read and copy files that are not their own but are accessible to them?

• Should users modify files that they have write access to but are not their own?

• Should users make copies of system configuration files (for example, /etc/passwd and SAM) for their own personal use or to provide to other people?

• Should users be allowed to use rhosts files? Which entries are acceptable?

• Should users be allowed to share accounts?

• Should users have the ability to make copies of copyrighted software?

• Should users be allowed to distribute passwords and/or access codes?


User-Account Policy

The user-account policy is used to provide secure access to a system. This policy can be applied to a single user or to all users. It outlines the requirements for accessing and maintaining an account on a system. It is important for large sites where users have accounts on many systems. At most sites, users have to read and sign an account policy.

This policy should answer the following questions:

• Who has the authority to approve account requests?

• Who (employees, spouses, children, company visitors, for instance) is allowed to use the computing resources?

• May users have multiple accounts on a single system?

• May users share accounts?

• What are the rights and responsibilities of the users?

• What are the password creation and expiration rules?

• What is the maximum number of failed logins allowed for user accounts?

• When should an account be disabled and archived?
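Several of the questions above (password creation and expiration rules, and when an account should be disabled and archived) can be answered as checks run over account records rather than left as prose. The following Python is an added example, not the module's own material: it keeps the thresholds in one policy object and reviews constructed account records against them, so that the policy document and the check that enforces it say the same thing. All thresholds, user names and dates are made-up placeholders; an organization would substitute its own values.

```python
"""Turn user-account policy rules (password complexity, password age,
inactivity and disabled-account retention) into checks over account records.
Added example; thresholds and account data are constructed placeholders."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccountPolicy:
    min_length: int = 12              # password creation rule
    min_char_classes: int = 3         # of: lowercase, uppercase, digit, symbol
    max_password_age_days: int = 90   # password expiration rule
    disable_after_inactive_days: int = 60    # when to disable
    archive_after_disabled_days: int = 180   # when to archive


@dataclass
class Account:
    username: str
    password_set_on: date
    last_logon: Optional[date]        # None: never logged on since creation
    disabled_on: Optional[date] = None


def password_meets_complexity(password: str, policy: AccountPolicy) -> bool:
    """Creation rule: minimum length and a minimum number of character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= policy.min_length and classes >= policy.min_char_classes


def account_findings(acct: Account, policy: AccountPolicy, today: date) -> List[str]:
    """Return the policy actions due for one account on the given date."""
    findings = []
    if acct.disabled_on is None:
        if (today - acct.password_set_on).days > policy.max_password_age_days:
            findings.append("password expired: must be changed")
        # An account that never logged on is measured from when its password was set.
        last_activity = acct.last_logon or acct.password_set_on
        if (today - last_activity).days > policy.disable_after_inactive_days:
            findings.append("inactive: disable account")
    elif (today - acct.disabled_on).days > policy.archive_after_disabled_days:
        findings.append("long disabled: archive account")
    return findings


def review_accounts(accounts: List[Account], policy: AccountPolicy,
                    today: date) -> Dict[str, List[str]]:
    return {a.username: account_findings(a, policy, today) for a in accounts}


# Constructed records reviewed as of a fixed date so results are reproducible.
TODAY = date(2013, 12, 26)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2013, 11, 1), date(2013, 12, 24)),                # compliant
    Account("bob", date(2013, 8, 1), date(2013, 12, 20)),                   # password 147 days old
    Account("carol", date(2013, 10, 1), date(2013, 10, 5)),                 # 82 days inactive
    Account("dave", date(2013, 1, 1), None, disabled_on=date(2013, 5, 1)),  # disabled 239 days
]

if __name__ == "__main__":
    policy = AccountPolicy()
    for user, actions in review_accounts(SAMPLE_ACCOUNTS, policy, TODAY).items():
        print(f"{user}: {actions or ['no action']}")
    print(password_meets_complexity("correct-Horse-battery-9", policy))
```

Because the thresholds live in `AccountPolicy` rather than in the checks, changing the written policy (say, a shorter inactivity window) is a one-line change that every check picks up, which is the property a policy-as-code approach is meant to give.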

Posted on: 26/12/2013, 21:06