Part Three: Network Security Policy

Network Security vs. Network Operations

Many organizations separate their network security and network operations departments because their missions and pressures are somewhat different. While operations strives to make network resources available as quickly and efficiently as possible, it might not have the time, resources, or training to analyze the security implications of every situation. Security personnel should have the resources and training to evaluate the organization's needs without the direct pressures of maintaining a production network. Note, I'm not saying that security personnel can ignore the pressures of running an efficient and reliable production network, only that their main objective is different. In a perfect world, balance would be struck by having a security staff with previous production experience, so they better understand their peers in operations, and operations personnel with sufficient training and management support to perform their jobs effectively while complying with the security policy.

A Security Policy Is to Be Shared

A security policy must be a formal written statement of company policy that has the full support of management and owners. It must be easily disseminated to, and scrutinized by, users at all levels, operations staff, and managers as a set of security rules covering all types of information technology, as well as the information stored and manipulated by that technology. To be effective, a security policy must be communicated to users in a clearly understandable form and acknowledged by them through a signed statement indicating they have read, understand, and will abide by the policy.

Acceptable Use Policy (AUP)

An acceptable use policy (AUP) might logically be included as part of the final security policy. Because of the convergence of technologies, it's common for AUPs to cover telephone, copier, personal digital assistant (PDA), pager, and fax activities as well. The AUP should spell out specifically what users can and cannot do on the various components that make up the network, including the types of activities and traffic allowed on the networks. The AUP should be as explicit as possible to avoid ambiguity or misunderstanding, particularly if sanctions are imposed for failure to comply. For example, an AUP might list prohibited activities like "browsing and engaging in transactions on web auction sites."

The AUP could be explained at all employee orientation sessions and signed by each user. This agreement and training should be updated periodically as a refresher, and definitely any time a significant change is made. Unfortunately, it's not uncommon for new employees to learn about new limitations on access to resources, such as Internet access for personal use only, only to find the same information hasn't been distributed to the existing employees. It's particularly dysfunctional when the sanctions attached to a policy are applied to employees who had no way of knowing they were violating it. Handled poorly, this can lead to mistrust, lack of support, and even refusal to use certain resources.

Network Operations and Network Security Training

Networking employees at all levels will require additional training and sign-offs on those portions of the security policy that impact their jobs but aren't covered in the AUP. Again, this should be handled proactively, with enough detail that each employee understands their responsibilities and the limits of their authority. No one wants to learn that the configuration file they sent to Cisco TAC for help with a problem might cost them their job as a breach of the company security policy.

Who Should Help Create the Security Policy?

For a security policy to be effective, it must have the acceptance and support of all levels of users within the organization. It is especially important that corporate management and ownership (board of directors) fully support the security policy process; otherwise, there is little chance that it will be successful. Also critical is that the resulting policy eventually fits within the organization and its culture. In particular, a first security policy or a radical change in policy might require some transition time for people to learn and assimilate the new rules.

The following people are representative of those who should typically be involved in the creation and review of a security policy for a larger organization:

• Company security administrator
• Security incident response team representatives
• IT technical staff representatives (network operations)
• Administrators of organization business units
• Representatives of the user groups
• Responsible upper management
• Corporate legal counsel (in some countries)

The wide variety and sizes of businesses make it impossible to define a single list. The nature of the business and the level and types of employee contracts and bargaining units might dictate some other attendees. Just because a security policy is necessary and reasonable doesn't set aside a company's obligation to negotiate changes in work rules. More than one organization has been required to rehire, with back pay, an employee terminated under a security policy rule because it conflicted with a bargaining agreement. Another group that should be represented is any internal auditors required by industry standards or governmental regulations. Because some policies dictate production of logs, backups, and documentation, it's critical that those policies comply with any relevant laws, regulations, industry standards, or court orders.

If the resulting policy statements are to reach the broadest possible acceptance, the group must be an appropriate mix of involved representatives (stakeholders) who can formulate a set of rules that balances the security requirements against the technical expertise available or obtainable. These policies must have an acceptable impact on the company business model, particularly in any areas perceived to create a competitive advantage. Finally, the budget and policy authority must be present to make sure these policies are supported throughout the organization and funded adequately during both good times and bad. If done properly, the policy should yield the highest level of appropriate security in the most cost-effective manner.

Assets and Threats

Developing a security policy, as in any risk analysis, involves determining what needs to be protected, what it needs to be protected from, and how best to protect it. So the first things to do in the process are:

• Identify the assets
• Identify the threats

The process then involves examining all possible risks, ranking those risks by level of severity, and, finally, making cost-effective decisions on what you want to protect and to what extent. It makes no sense to spend more to protect something than its actual worth.

Identifying the Assets

When identifying the assets that need to be protected, some might be obvious, like valuable proprietary information such as product blueprints or designs, intellectual property, and the many hardware components that make up the network. Others might not be so obvious and are often overlooked, such as the people using the systems. While the company doesn't own the people, it may have invested in their skills and development over the years. Similarly, the company might rely heavily on those skills to meet its business objectives. Some users might have no readily identifiable replacements within the current workforce. The point is to list everything that could be impacted in any way by a security problem:

• Hardware: Servers, workstations, laptops, printers, scanners, FAX units, routers, switches, firewalls, intrusion detection devices, wireless access points, IP telephones, palm-sized devices, pagers, projection systems, electronic white boards, and communication lines. Don't forget devices that might be at telecommuters' homes, such as DSL routers, printers, and so forth. The move to combine resources like printers and copiers should be acknowledged, even if not yet implemented.
• Software: User software licenses, custom and off-the-shelf enterprise applications, virus protection software, network and workstation OSs, network device OSs, network management applications, utilities of all types, diagnostic programs, and communication/FAX programs.
• Data: Financial records, business plans and strategies, customer and employee information, sales records (including credit card information), product designs and parts lists, inventories, production schedules, and customer and vendor contracts. Many of these could be parts of one or more databases, while others might be many individual documents in the system. Each type must be identified by its location during execution, where it's stored online, where it's archived offline, any backups, audit logs, and whether it's ever transmitted over communication links. It isn't uncommon to discover entire classes of strategic documents stored only on local hard drives.
• People: Users, administrators of all types, help desk people, and hardware maintenance.
• Documentation and licenses: For OSs, applications, hardware, systems, and administrative procedures. Don't forget service agreements and warranties.
• Supplies: Paper, toner and ink cartridges, and batteries.
• WAN and Internet services: Contracts and service agreements for communications links, web hosting services, and related contracted services of any kind. Because these services could be in negotiation for some time, be sure to include any works in progress.

While not technically a network component and not appropriate for all companies, as previously mentioned, any company doing business over the Internet ought to consider its reputation and the trust relationships it has developed as an asset. Any attack that damages this reputation could have serious implications for the future well-being of that company and its stakeholders.

Identifying the Threats

Once the assets to be protected are identified, it's necessary to identify and assess the threats to those assets. As you saw earlier in this chapter, different names and levels of detail can be applied to these security threats, but generally they break down to the following:

• Reconnaissance
• Unauthorized access
• Data manipulation
• Denial of service

The basic goal of security for each asset is to ensure availability, confidentiality, and integrity. Each threat should be examined to assess how it could impact the company assets. Each company can have different perceptions and assessments of the threats, which should be identified and addressed.

STUDY TIP: Data manipulation is often included in unauthorized access threats, so keep that in mind if you are asked to identify only three threats.

Evaluating a Network Security Policy

Just as the preceding section showed that different organizations can have different perceptions of threats and place different values on assets, the security policy reflects those differences. Most security studies agree that some of the key characteristics of a security policy should include the following:

• It must be implementable through network administration technologies, by publishing rules and acceptable use policies, or by other appropriate methods.
• It must be enforceable with security tools where appropriate, and with sanctions where actual prevention isn't technically or financially feasible.
• It must clearly define the areas of responsibility for the users, administrators, and management. Perhaps as important, it should clearly identify the limits of authority for each group under predictable circumstances.

Any policy that has serious deficiencies in any of these characteristics stands a better-than-good chance of failing to meet the company objectives.
Posted on: Mon, 25 Aug 2014 07:49:26 +0000
