
HIGHER COLLEGE OF TECHNOLOGY

Department of Information Technology

Chapter 3 Security Policies and Infrastructure

Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries, including programs, and access to data by people.

Significance

If it is important to be secure, then it is important to be sure all of the security policy is enforced by mechanisms that are strong enough. There are organized methodologies and risk assessment strategies to assure completeness of security policies and assure that they are completely enforced. In complex systems, such as information systems, policies can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce sub-policies. However, this practice has pitfalls. It is too easy to simply go directly to the sub-policies, which are essentially the rules of operation, and dispense with the top-level policy. That gives the false sense that the rules of operation address some overall definition of security when they do not. Because it is so difficult to think clearly with completeness about security, rules of operation stated as "sub-policies" with no "super-policy" usually turn out to be rambling ad-hoc rules that fail to enforce anything with completeness. Consequently, a top-level security policy is essential to any serious security scheme, and sub-policies and rules of operation are meaningless without it.

ITNT 3112

Network Security and Auditing

Page 1


What's in a name?

We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. So that those who participate in this consensus process can communicate effectively, we'll use the following definitions.

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment. Standards support consistency within a network. For example, a standard might specify a limited number of operating systems to be supported in the organization, because it would be impractical for the IT staff to support any operating system that a user happened to select. Also, standards could apply to configuring devices, such as routers (for example, having a standard routing protocol).

A guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization. Whereas standards tend to be mandatory practices, guidelines tend to be suggestions. For example, a series of best practices might constitute a security policy's guidelines.

Procedures: To support consistency in the network, and as dictated by the previously mentioned standards, a security policy might include a collection of procedures. These procedures are very detailed documents providing step-by-step instructions for completing specific tasks (such as steps for configuring port security on a Cisco Catalyst switch).

Constructing a Comprehensive Network Security Policy

One of the main reasons security breaches occur within an organization is the lack of a security policy or, if a security policy is in place, the lack of effective communication of that security policy to all concerned. This section discusses the purpose of a security policy, what should be addressed in that policy, how to maximize its effectiveness, and how to create awareness and understanding of the policy.

Security Policy Fundamentals

A security policy is a continually changing document that dictates a set of guidelines for network use. These guidelines complement organizational objectives by specifying rules for how a network is used. The main purpose of a security policy is to protect an organization's assets. An organization's assets include more than just tangible items. Assets also entail such things as intellectual property, processes and procedures, sensitive customer data, and specific server functions (for example, e-mail or web functions). Aside from protecting organizational assets, a security policy serves other purposes, such as the following:
- Making employees aware of their obligations as far as security practices
- Identifying specific security solutions required to meet the goals of the security policy
- Acting as a baseline for ongoing security monitoring


One of the more well-known components of a security policy is an acceptable use policy (AUP), also known as an Appropriate Use Policy. An AUP identifies what users of a network are and are not allowed to do on the network. For example, retrieving sports scores during working hours via an organization's Internet connection might be deemed inappropriate by an AUP. Because an organization's security policy applies to various categories of employees (such as management, technical staff, and end users), a single document might be insufficient. For example, managerial personnel might not be concerned with the technical intricacies of a security policy. Technical personnel might be less concerned with why a policy is in place. End users might be more likely to comply with the policy if they understand the reasoning behind the rules. Therefore, a security policy might be a collection of congruent, yet separate, documents.

Security Policy Components

As previously mentioned, an organization's security policy typically is composed of multiple documents, each targeting a specific audience. The figure below offers a high-level overview of these complementary documents.
Figure - Components of a Security Policy


Governing Policy

At a very high level, a governing policy addresses security concepts deemed important to an organization. The governing policy is primarily targeted at managerial and technical employees. Following are typical elements of a governing policy:
- Identifying the issue addressed by the policy
- Discussing the organization's view of the issue
- Examining the relevance of the policy to the work environment
- Explaining how employees are to comply with the policy
- Enumerating appropriate activities, actions, and processes
- Explaining the consequences of noncompliance

Technical Policies

Technical policies provide a more detailed treatment of an organization's security policy than the governing policy does. Security and IT personnel are the intended audience of these technical policies, and these personnel use them in performing their day-to-day tasks. Typical components of technical policies include specific duties of the security and IT staff in areas such as the following:
- E-mail
- Wireless networks
- Remote access
End-User Policies

End-user policies address security issues and procedures relevant to end users. For example, an end user might be asked to sign an acceptable use policy (AUP) for Internet access. That AUP might state that Internet access is only for business purposes. Then, if an end user is found using the Internet for personal reasons, he or she could face the consequences outlined in the governing policy.


More-Detailed Documents

Because the governing policy, technical policies, and end-user policies each target a relatively large population of personnel, they tend to be general in nature. However, a comprehensive security policy requires a highly granular treatment of an organization's procedures. Therefore, more-detailed documents, such as the following, are often contained in a security policy:
Security Policy Responsibilities

The ultimate responsibility for an organization's security policy rests on the shoulders of senior management (for example, the Chief Executive Officer [CEO]). However, senior management typically oversees the development of a security policy, as opposed to being intimately involved with the policy's creation. Senior security or IT personnel usually are directly involved with the creation of the security policy. These individuals might create the policy themselves or delegate its creation. Examples of senior security or IT personnel include:
- Chief Security Officer (CSO)
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)

As soon as a security policy is created, the security and IT staff are responsible for implementing it within the organization's network. End users are responsible for complying with the security policy.


Monitoring the Security Infrastructure

Introduction

It's not enough to just keep a security structure in place; you need to be watching your security walls so that you can guard against attacks from within or from the outside. In this topic, you will learn to monitor your security infrastructure so that you can detect and respond to possible security breaches.

Scan for Vulnerabilities

Monitoring your security infrastructure is an ongoing job responsibility for a security professional. You will need to perform a variety of tasks on a regular basis to ensure that your security is not breached. One of these regular tasks is to periodically review your system vulnerabilities, so that you can detect them before attackers do. Many times, one of the first steps an attacker takes to break into a system is to scan the system for vulnerabilities. It is critical to discover where the possible points of entry are on your network and systems. Even if you have taken every precaution to harden your network components and services, there will still be vulnerabilities that you may not be aware of, but that you can be sure attackers will find. The best way to find these vulnerabilities is to perform a scan yourself and patch the holes before the attackers find them.

Ethical Hacking

Definition: An ethical hack is a planned attempt to penetrate the security defenses of a system in order to identify vulnerabilities. In an ethical hack, a white-hat hacker assumes the mind-set of an attacker and attempts to breach security using any and all tools and techniques an attacker might employ. Organizations often undertake an ethical hack as the only way to truly reveal flaws in a system's defenses.


The Hacking Process

Understanding the general steps of the hacking process will help you recognize attacks in progress and stop them before they cause damage.

Hacking Steps and Description

Footprinting or profiling: The attacker chooses a target and begins to gather information that is publicly or readily available. With basic tools, such as a web browser and an Internet connection, an attacker can often determine the IP addresses of a company's DNS server; the range of addresses assigned to the company; names, email addresses, and phone numbers of contacts within the company; and the company's physical address. Attackers use dumpster diving, or searching through garbage, to find sensitive information in paper form. The names and titles of people within the organization enable the attacker to begin social engineering to gain even more private information. The HTML code of a company's web page can provide information such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators. DNS servers are a common footprinting target because, if not properly secured, they can provide a detailed map of an organization's entire network infrastructure.

Scanning: The second step is scanning an organization's infrastructure to see where vulnerabilities might lie. In this step, the attacker may perform a ping sweep to determine which host IP addresses in the company's IP address range are active. The attacker will scan the target's border routers, firewalls, web servers, and other systems that are directly connected to the Internet to see which services are listening on which ports and to determine the operating systems and manufacturers of each system. Additionally, the attacker might begin a wardialing campaign to determine if there are any vulnerabilities in the organization's PBX. The attacker might even try wardriving: driving up to the company with a laptop and a wireless card to see if there are any wireless access points to provide a way into the network.

Enumerating: During enumerating, the attacker will try to gain access to resources or other information. The attacker can obtain these through social engineering, network sniffing, dumpster diving, watching a user log in, hacking with tools like Legion, or searching for credentials written down at user workstations. If the attacker can obtain a valid user name, he can begin the process of cracking the user's password.

Attacking: The last phase of the hack, in which the hacker acts openly to cause damage or service disruption, or to steal or destroy sensitive information.

Security Utilities

Any security or network tool can be used for ethical or unethical purposes. To perform an ethical hack, you will need to make use of the same tools employed by attackers. Some tools are generally available by downloading them from the Internet, and some must be purchased from vendors. Because tools and utilities are constantly changing, it is important to continually research the available tools and their functions. There are many different tools available for different security tasks, and some have multiple uses.

Utility Type and Typical Tools
- Vulnerability scanning: MBSA, Nessus, SAINT, ISS Internet Scanner, NMap, Security Analyzer, LANGuard, Cybercop, Strobe
- Port scanning: Microsoft Port Reporter, Superscan, ShieldsUP, NMap, Netcat, Pinger
- Password scanning and cracking: Crack, John the Ripper, Pandora, L0phtcrack, Snadboy's Revelation, Pwdump
- Exploits, Trojan horses, and other stress testers: UDPFlood, Smbrelay, Netbus, SubSeven, GetAdmin
- Network monitors, sniffers and tracers: Microsoft Network Monitor, Ethereal, TCPDump, WinDump, WinPcap, Visual Route, NeoTrace
- Network and security administration: Webmin, Tripwire, Bastille, PuTTY, HiSecWeb, IIS Lockdown

Types of Vulnerability Scans

A vulnerability scan is one of the first steps in either an attack or an ethical hack. There are two main types of vulnerability scans: scans for general vulnerabilities, such as scans for open ports, and application-specific scans, such as a password crack against a particular operating system. You will use different scanning tools depending upon the type of scan you wish to run.

Note: There are a variety of specialized web-based scanning services, such as Shields Up! from Gibson Research Corporation (www.grc.com). You can also consider registering with security event aggregators, such as www.dshield.org or www.mynetwatchman.com. They will also analyze your firewall logs and act as a fully automated abuse escalation/management system.

There are many different scanning tools available.

Scan Type and Typical Tools Used
- General vulnerabilities: MBSA, Nessus, SAINT, ISS Internet Scanner, NMap, Security Analyzer, LANGuard, Cybercop
- Man-in-the-middle vulnerabilities: Smbrelay
- Port vulnerabilities: Microsoft Port Reporter, Superscan, ShieldsUP!, NMap, Netcat
- Password vulnerabilities: John the Ripper, Pandora, L0phtcrack

Port Ranges

TCP and UDP ports are assigned in one of three ranges. Well-known ports, from 0 to 1,023, are preassigned and used consistently by all systems on the Internet. Registered ports, from 1,024 to 49,151, are available to assign to individual protocols and processes. Dynamic or private ports, from 49,152 to 65,535, are assigned by operating systems on an as-needed basis. Hackers will target commonly used, well-known ports for attack, but may scan for open registered or dynamic ports as well.

IANA

IANA, the Internet Assigned Numbers Authority, manages the registration of well-known ports and also lists registered ports as a convenience. For a complete list of TCP and UDP ports, see the IANA website at www.iana.org/assignments/portnumbers.


Vulnerable Ports

Some port numbers are particularly vulnerable to attackers.

How to Scan for Vulnerabilities

1. Install scanning software that is appropriate for the type of scan you want to perform.
2. Scan your system with the parameters that are appropriate for your environment.
3. If possible, scan your system from an external network as well, by using a web-based scanning tool.
4. Manually review your system audit logs as well as any logs created by the scanning program.
5. If possible, install a tool to automate the process of reviewing and analyzing audit logs.
6. If vulnerabilities are found, revisit your hardening procedures to harden your operating systems and devices.

Intrusion Detection Systems (IDSs)


An Intrusion Detection System (IDS) is a system that scans, audits, and monitors the security infrastructure for signs of attacks in progress. IDS software can also analyze data and alert security administrators to potential infrastructure problems. An IDS can comprise a variety of hardware sensors, intrusion detection software, and IDS management software. Each implementation is unique, depending on the security needs and the components chosen.


Some Security Policies and Templates for Different Types of Security Policies

< Company Name > Password Policy

1.0 Overview
Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of <Company Name>'s resources. All users, including contractors and vendors with access to <Company Name> systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any <Company Name> facility, has access to the <Company Name> network, or stores any non-public <Company Name> information.

4.0 Policy

4.1 General
All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis. All production system-level passwords must be part of the InfoSec-administered global password management database.


All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user. Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2). All user-level and system-level passwords must conform to the guidelines described below.

4.2 Guidelines

A. General Password Construction Guidelines
All users at <Company Name> should be aware of how to select strong passwords. Strong passwords have the following characteristics:
- Contain at least three of the five following character classes:
  - Lower case characters
  - Upper case characters
  - Numbers
  - Punctuation
  - Special characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc)

- Contain at least fifteen alphanumeric characters.

Weak passwords have the following characteristics:
- The password contains less than fifteen characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  - Names of family, pets, friends, co-workers, fantasy characters, etc.


  - Computer terms and names, commands, sites, companies, hardware, software.
  - The words "<Company Name>", "sanjose", "sanfran" or any derivation.
  - Birthdays and other personal information such as addresses and phone numbers.
  - Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. (NOTE: Do not use either of these examples as passwords!)

B. Password Protection Standards
- Always use different passwords for <Company Name> accounts from other non-<Company Name> access (e.g., personal ISP account, option trading, benefits, etc.).
- Always use different passwords for various <Company Name> access needs whenever possible. For example, select one password for systems that use directory services (i.e. LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.
- Do not share <Company Name> passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential <Company Name> information.
- Passwords should never be written down or stored on-line without encryption.

- Do not reveal a password in email, chat, or other electronic communication.
- Do not speak about a password in front of others.
- Do not hint at the format of a password (e.g., "my family name").
- Do not reveal a password on questionnaires or security forms.
- If someone demands a password, refer them to this document and direct them to the Information Security Department.
- Always decline the use of the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger).
- If an account or password compromise is suspected, report the incident to the Information Security Department.

C. Application Development Standards
Application developers must ensure their programs contain the following security precautions:
- Shall support authentication of individual users, not groups.
- Shall not store passwords in clear text or in any easily reversible form.
- Shall provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
- Shall support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.

D. Use of Passwords and Passphrases for Remote Access Users
Access to the <Company Name> networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.


E. Passphrases
Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks." A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: "The*?#>*@TrafficOnThe101Was*&#!#ThisMorning". All of the rules above that apply to passwords apply to passphrases.

5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Password cracking or guessing may be performed on a periodic or random basis by the Information Security Department or its delegates. If a password is guessed or cracked during these exercises, the user/owner will be required to change it.

6.0 Terms and Definitions
Term: Application Administration Account
Definition: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).

7.0 Revision History
Author - Date
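The construction rules in section 4.2 A of the password policy above (at least fifteen characters, at least three of the five character classes, no dictionary or company words, none of those reversed or padded with a digit, no keyboard or repeated patterns) as a checker that reports every rule a candidate breaks. This is an added example, not part of the course notes or the policy template; the block list is a constructed stand-in for a real dictionary and company-name list, the split between "punctuation" and "special characters" and the four-character minimum for a pattern match are assumptions.

```python
import re

# Constructed stand-in for the dictionary and company-word lists the policy
# refers to; a real deployment would load a full word list and the company's
# own names here.
BLOCKLIST = {"secret", "password", "welcome", "sanjose", "sanfran", "acmecorp"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# Assumption: the policy separates "punctuation" from "special characters";
# these count as punctuation, every other non-alphanumeric as special.
PUNCTUATION = set(".,;:!?'\"")
MIN_LENGTH = 15
MIN_CLASSES = 3


def character_classes(pw):
    """Return the set of the policy's five character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("number")
        elif ch in PUNCTUATION:
            classes.add("punctuation")
        elif not ch.isspace():
            classes.add("special")
    return classes


def has_pattern(pw, run=4):
    """Detect aaabbb-style repeats, keyboard rows, alphabetic or numeric
    sequences (forwards or backwards) and mirrored digit runs like 123321."""
    low = pw.lower()
    if re.search(r"(.)\1{2,}", low):
        return True
    for seq in KEYBOARD_ROWS + (ALPHABET,):
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return any(d == d[::-1] for d in re.findall(r"\d{4,}", low))


def is_blocklisted(pw):
    """Reject listed words, their reversals, derivations containing them, and
    the secret1 / 1secret variants the policy calls out."""
    core = re.sub(r"^\d|\d$", "", pw.lower())   # drop one leading/trailing digit
    variants = (core, core[::-1])
    return any(word in v for word in BLOCKLIST for v in variants)


def check_password(pw):
    """Return the list of policy violations; an empty list means acceptable."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < MIN_CLASSES:
        findings.append(f"fewer than {MIN_CLASSES} of the 5 character classes")
    if is_blocklisted(pw):
        findings.append("contains a dictionary, company or personal word "
                        "(possibly reversed or with a digit added)")
    if has_pattern(pw):
        findings.append("contains a repeated, keyboard or sequential pattern")
    return findings


if __name__ == "__main__":
    for candidate in ("TmB1w2R!", "1terces", "Qwerty123321AbcXyz!",
                      "The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"):
        print(candidate, "->", check_password(candidate) or ["acceptable"])
```

Note that the policy's own mnemonic example "TmB1w2R!" fails only the fifteen-character rule, while the passphrase example from section E passes every check.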


< Company Name > Audit Vulnerability Scan Policy

1.0 Purpose
The purpose of this agreement is to set forth our agreement regarding network security scanning offered by the <Internal or External Audit Name> to the <Company Name>. <Internal or External Audit Name> shall utilize <Approved Name of Software> to perform electronic scans of Client's networks and/or firewalls or on any system at <Company Name>. Audits may be conducted to:
- Ensure integrity, confidentiality and availability of information and resources
- Investigate possible security incidents
- Ensure conformance to <Company Name> security policies
- Monitor user or system activity where appropriate.

2.0 Scope
This policy covers all computer and communication devices owned or operated by <Company Name>. This policy also covers any computer and communications device that are present on <Company Name> premises, but which may not be owned or operated by <Company Name>.

3.0 Policy
When requested, and for the purpose of performing an audit, consent to access needed will be provided to members of <Internal or External Audit Name>. <Company Name> hereby provides its consent to allow <Internal or External Audit Name> to access its networks and/or firewalls to the extent necessary to allow [Audit organization] to perform the scans authorized in this agreement. <Company Name> shall provide protocols, addressing information, and network connections sufficient for <Internal or External Audit Name> to utilize the software to perform network scanning. This access may include:
- User level and/or system level access to any computing or communications device
- Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on <Company Name> equipment or premises
- Access to work areas (labs, offices, cubicles, storage areas, etc.)
- Access to interactively monitor and log traffic on <Company Name> networks.

The <Internal or External Audit Name> will not perform Denial of Service activities.

3.1 Network Control. If Client does not control their network and/or Internet service is provided via a second or third party, these parties are required to approve scanning in writing if scanning is to occur outside of the <Company Name>'s LAN. By signing this agreement, all involved parties acknowledge that they authorize <Internal or External Audit Name> to use their service networks as a gateway for the conduct of these tests during the dates and times specified.

3.2 Service Degradation and/or Interruption. Network performance and/or availability may be affected by the network scanning. <Company Name> releases <Internal or External Audit Name> of any and all liability for damages that may arise from network availability restrictions caused by the network scanning, unless such damages are the result of <Internal or External Audit Name>'s gross negligence or intentional misconduct.


3.3 Client Point of Contact During the Scanning Period. <Company Name> shall identify in writing a person to be available if the <Internal or External Audit Name> Scanning Team has questions regarding data discovered or requires assistance.

3.4 Scanning Period. <Company Name> and <Internal or External Audit Name> Scanning Team shall identify in writing the allowable dates for the scan to take place.

4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Revision History
29 September 2003, updated to include National Association of State Auditors, Comptrollers, and Treasurers; the National Association of Local Government Auditors; the U.S. General Accounting Office; and U.S. Inspectors General Legal and Reporting Considerations.


<COMPANY NAME> Email Use Policy

1.0 Purpose
To prevent tarnishing the public image of <COMPANY NAME>. When email goes out from <COMPANY NAME>, the general public will tend to view that message as an official policy statement from the <COMPANY NAME>.

2.0 Scope
This policy covers appropriate use of any email sent from a <COMPANY NAME> email address and applies to all employees, vendors, and agents operating on behalf of <COMPANY NAME>.

3.0 Policy
3.1 Prohibited Use. The <COMPANY NAME> email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any <COMPANY NAME> employee should report the matter to their supervisor immediately.

3.2 Personal Use. Using a reasonable amount of <COMPANY NAME> resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a <COMPANY NAME> email account is prohibited. Virus or other malware warnings and mass mailings from <COMPANY NAME> shall be approved by <COMPANY NAME> VP Operations

ITNT 3112

Network Security and Auditing

Page 22

HIGHER COLLEGE OF TECHNOLOGY

Department of Information Technology

before sending. These restrictions also apply to the forwarding of mail received by a <COMPANY NAME> employee. 3.3 Monitoring <COMPANY NAME> employees shall have no expectation of privacy in anything they store, send or receive on the companys email system. <COMPANY NAME> may monitor messages without prior notice. <COMPANY NAME> is not obliged to monitor email messages. 4.0 Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 5.0 Definitions Term Definition Email The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook. Forwarded email Email resent from an internal network to an outside point. Chain email or letter Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed. Sensitive information Information is considered sensitive if it can be damaging to <COMPANY NAME> or its customers' reputation or market standing. Virus warning. Email containing warnings about virus or malware. The overwhelming majority of these emails turn out to be a hoax and contain bogus information usually intent only on frightening or misleading users.

Unauthorized Disclosure The intentional or unintentional revealing of restricted information to people, both inside and outside <COMPANY NAME>, who do not have a need to know that information. 6.0 Revision History

<COMPANY NAME> Router Security Policy

1.0 Purpose
This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of <Company Name>.

2.0 Scope
All routers and switches connected to <Company Name> production networks are affected. Routers and switches within internal, secured labs are not affected. Routers and switches within DMZ areas fall under the Internet DMZ Equipment Policy.

3.0 Policy
Every router must meet the following configuration standards:
1. No local user accounts are configured on the router. Routers must use TACACS+ for all user authentication.
2. The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router's support organization.
3. Disallow the following:
   a. IP directed broadcasts
   b. Incoming packets at the router sourced with invalid addresses, such as RFC 1918 addresses
   c. TCP small services
   d. UDP small services
   e. All source routing
   f. All web services running on the router
4. Use corporate standardized SNMP community strings.
5. Access rules are to be added as business needs arise.
6. The router must be included in the corporate enterprise management system with a designated point of contact.
7. Each router must have the following statement posted in clear view:
   "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
8. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.

4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions
Term: Definition
Production Network: The "production network" is the network used in the daily business of <Company Name>. Any network connected to the corporate backbone, either directly or indirectly, which lacks an intervening firewall device. Any network whose impairment would result in direct loss of functionality to <Company Name> employees or impact their ability to do work.
Lab Network: A "lab network" is defined as any network used for the purposes of testing, demonstrations, training, etc. Any network that is stand-alone or firewalled off from the production network(s) and whose impairment will not cause direct loss to <Company Name> nor affect the production network.

6.0 Revision History
2007-04-18: Added 3.0.8 Telnet
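Most of the standards in section 3.0 of the Router Security Policy are visible in a device's saved configuration, so compliance can be checked mechanically rather than by eye. The Python script below is an added example written for these notes; it is not part of the SANS template the policy is drawn from and not a vendor tool. It assumes Cisco IOS-style syntax (one-space-indented sub-commands under interface and line blocks, "!" as a separator). Other assumptions: item 3b is taken to be satisfied by an inbound access list that denies the three RFC 1918 ranges on at least one interface (unicast RPF would be another way to meet it, and is not checked); item 4 is tested only against the vendor defaults "public" and "private", since the policy does not name the corporate strings; for item 2 the check insists on "enable secret", which stores a hash, and rejects "enable password", whose type 7 form is reversible; and because a config cannot show whether Telnet is wrapped in a tunnel (the exception in item 8), any VTY line that admits Telnet is reported for manual review. Items 5 and 6 are process controls and are not checked. The two sample configurations are constructed for the example, and "<hash>" stands in for a real enable secret.

```python
# Added example (not from the course notes): audit an IOS-style running-config against router policy 3.0; the sample configs below are constructed.
import re
RFC1918 = {"10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"}

def parse_blocks(config):
    """Return top-level commands and, per block header, its one-space-indented children."""
    top, blocks, parent = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS '!' separator
        if raw.startswith(" ") and parent is not None:
            blocks.setdefault(parent, []).append(raw.strip())
        else:
            parent = raw.strip()
            top.append(parent)
    return top, blocks

def audit_router_config(config):
    """Return one finding per failed policy item; an empty list means compliant."""
    top, blocks = parse_blocks(config)
    f = []
    # 3.0.1 no local accounts; TACACS+ for all user authentication
    if any(l.startswith("username ") for l in top):
        f.append("3.0.1 local user account configured")
    if not any(l.startswith("aaa authentication login") and "tacacs+" in l for l in top):
        f.append("3.0.1 AAA login authentication does not use TACACS+")
    # 3.0.2 'enable secret' stores a hash; 'enable password' is plaintext or reversible type 7
    if any(l.startswith("enable password") for l in top) or not any(l.startswith("enable secret") for l in top):
        f.append("3.0.2 enable password not stored as an 'enable secret' hash")
    # 3.0.3a directed broadcasts explicitly enabled on an interface
    for name, ch in blocks.items():
        if name.startswith("interface ") and "ip directed-broadcast" in ch:
            f.append(f"3.0.3a IP directed broadcast enabled on {name}")
    # 3.0.3b anti-spoofing: an ACL denying all RFC 1918 sources, applied inbound on an interface
    denies = {}
    for l in top:
        m = re.match(r"access-list (\S+)\s+deny\s+ip\s+(\S+)\s+(\S+)\s+any", l)
        if m:
            denies.setdefault(m.group(1), set()).add(f"{m.group(2)} {m.group(3)}")
    applied_in = {c.split()[2] for ch in blocks.values() for c in ch if re.match(r"ip access-group \S+ in$", c)}
    if not any(RFC1918 <= d and acl in applied_in for acl, d in denies.items()):
        f.append("3.0.3b no inbound ACL denying all RFC 1918 source ranges")
    # 3.0.3c-3f small servers (echo, chargen, discard, daytime), source routing, web services
    for proto, item in (("tcp", "c"), ("udp", "d")):
        if f"service {proto}-small-servers" in top:
            f.append(f"3.0.3{item} {proto.upper()} small services enabled")
    if "no ip source-route" not in top:
        f.append("3.0.3e IP source routing not disabled")
    for svc in ("ip http server", "ip http secure-server"):
        if svc in top:
            f.append(f"3.0.3f web service enabled: '{svc}'")
    # 3.0.4 community strings must not be the vendor defaults (assumed meaning of "non-standardized")
    for l in top:
        m = re.match(r"snmp-server community (\S+)", l)
        if m and m.group(1).lower() in {"public", "private"}:
            f.append(f"3.0.4 default SNMP community string '{m.group(1)}'")
    # 3.0.7 warning banner; in IOS the banner body is a multi-line block at top level
    if not (re.search(r"^banner (motd|login)", config, re.M) and "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED" in config):
        f.append("3.0.7 required warning banner missing")
    # 3.0.8 VTY lines must be SSH only; with no explicit 'transport input' many IOS releases default to 'all' (Telnet included), so a missing line is flagged too
    for name, ch in blocks.items():
        if name.startswith("line vty"):
            t = [c for c in ch if c.startswith("transport input")]
            if not t or any("telnet" in c or c.endswith(" all") for c in t):
                f.append(f"3.0.8 {name} permits Telnet (transport input must be ssh)")
    return f

WEAK_CONFIG = """\
enable password cisco123
username admin password 0 admin
service tcp-small-servers
service udp-small-servers
interface GigabitEthernet0/0
 ip directed-broadcast
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet
"""

HARDENED_CONFIG = """\
no ip source-route
aaa new-model
aaa authentication login default group tacacs+ enable
enable secret 5 <hash>
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.
^C
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip any any
interface GigabitEthernet0/0
 no ip directed-broadcast
 ip access-group 110 in
snmp-server community Corp-RO-2023 RO
line vty 0 4
 transport input ssh
"""
```

To use it against a real device, feed the text of "show running-config" to audit_router_config and treat every returned string as an exception to be either fixed or justified in writing, which is also the form the compliance section of the Server Security Policy below expects findings to take. The anti-spoofing check is deliberately strict: an access list that denies the RFC 1918 ranges but is never applied inbound on an interface is reported as non-compliant, because the policy concerns packets arriving at the router, not the existence of a list.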

<COMPANY NAME> Server Security Policy

1.0 Purpose
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by <Company Name>. Effective implementation of this policy will minimize unauthorized access to <Company Name> proprietary information and technology.

2.0 Scope
This policy applies to server equipment owned and/or operated by <Company Name>, and to servers registered under any <Company Name>-owned internal network domain. This policy is specifically for equipment on the internal <Company Name> network. For secure configuration of equipment external to <Company Name> on the DMZ, refer to the Internet DMZ Equipment Policy.

3.0 Policy
3.1 Ownership and Responsibilities
All internal servers deployed at <Company Name> must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by InfoSec. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by InfoSec.

Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:
o Server contact(s) and location, and a backup contact
o Hardware and Operating System/Version
o Main functions and applications, if applicable

Information in the corporate enterprise management system must be kept up-to-date. Configuration changes for production servers must follow the appropriate change management procedures.

3.2 General Configuration Guidelines
o Operating System configuration should be in accordance with approved InfoSec guidelines.
o Services and applications that will not be used must be disabled where practical.
o Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.
o The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
o Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do.
o Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do.
o If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPsec).
o Servers should be physically located in an access-controlled environment.
o Servers are specifically prohibited from operating from uncontrolled cubicle areas.

3.3 Monitoring
All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
o All security-related logs will be kept online for a minimum of 1 week.
o Daily incremental tape backups will be retained for at least 1 month.
o Weekly full tape backups of logs will be retained for at least 1 month.
o Monthly full backups will be retained for a minimum of 2 years.
Security-related events will be reported to InfoSec, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
o Port-scan attacks
o Evidence of unauthorized access to privileged accounts
o Anomalous occurrences that are not related to specific applications on the host

3.4 Compliance
Audits will be performed on a regular basis by authorized organizations within <Company Name>. Audits will be managed by the internal audit group or InfoSec, in accordance with the Audit Policy. InfoSec will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification. Every effort will be made to prevent audits from causing operational failures or disruptions.

4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions
Term: Definition
DMZ: De-militarized Zone. A network segment external to the corporate production network.
Server: For purposes of this policy, a Server is defined as an internal <Company Name> Server. Desktop machines and Lab equipment are not relevant to the scope of this policy.

6.0 Revision History

Lab Anti-Virus Policy

1.0 Purpose
To establish requirements which must be met by all computers connected to <Company Name> lab networks to ensure effective virus detection and prevention.

2.0 Scope
This policy applies to all <Company Name> lab computers that are PC-based or utilize PC file directory sharing. This includes, but is not limited to, desktop computers, laptop computers, file/ftp/tftp/proxy servers, and any PC-based lab equipment such as traffic generators.

3.0 Policy
All <Company Name> PC-based lab computers must have <Company Name>'s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Lab Admins/Lab Managers are responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into <Company Name>'s networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy. Refer to <Company Name>'s Anti-Virus Recommended Processes to help prevent virus problems.

Noted exceptions: Machines with operating systems other than those based on Microsoft products are excepted at the current time.

4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Revision History

Employee Internet Use Monitoring and Filtering Policy

1.0 Purpose
The purpose of this policy is to define standards for systems that monitor and limit web use from any host within <Company Name>'s network. These standards are designed to ensure employees use the Internet in a safe and responsible manner, and ensure that employee web use can be monitored or researched during an incident.

2.0 Scope
This policy applies to all <Company Name> employees, contractors, vendors and agents with a <Company Name>-owned or personally-owned computer or workstation connected to the <Company Name> network. This policy applies to all end-user-initiated communications between <Company Name>'s network and the Internet, including web browsing, instant messaging, file transfer, file sharing, and other standard and proprietary protocols. Server-to-server communications, such as SMTP traffic, backups, automated data transfers or database communications, are excluded from this policy.

3.0 Policy
3.1 Web Site Monitoring
The Information Technology Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet Use records must be preserved for 180 days.

3.2 Access to Web Site Monitoring Reports
General trending and activity reports will be made available to any employee as needed upon request to the Information Technology Department. Computer Security Incident Response Team (CSIRT) members may access all reports and data if necessary to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the CSIRT upon written or email request to Information Systems from a Human Resources Representative.

3.3 Internet Use Filtering System
The Information Technology Department shall block access to Internet websites and protocols that are deemed inappropriate for <Company Name>'s corporate environment. The following protocols and categories of websites should be blocked:
o Adult/Forbidden Explicit Material
o Advertisements & Pop-Ups
o Chat and Instant Messaging
o Gambling
o Hacking
o Illegal Drugs
o Intimate Apparel and Swimwear
o Peer to Peer File Sharing
o Personals and Dating
o Social Network Services
o SPAM, Phishing and Fraud
o Spyware
o Tasteless and Offensive Content
o Violence, Intolerance and Hate
o Web Based Email

3.4 Internet Use Filtering Rule Changes
The Information Technology Department shall periodically review and recommend changes to web and protocol filtering rules. Human Resources shall review these recommendations and decide if any changes are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering Policy.

3.5 Internet Use Filtering Exceptions
If a site is mis-categorized, employees may request the site be un-blocked by submitting a ticket to the Information Technology help desk. An IT employee will review the request and un-block the site if it is mis-categorized. Employees may access blocked sites with permission if appropriate and necessary for business purposes. If an employee needs access to a site that is blocked and appropriately categorized, they must submit a request to their Human Resources representative. HR will present all approved exception requests to Information Technology in writing or by email. Information Technology will unblock that site or category for that associate only. Information Technology will track approved exceptions and report on them upon request.

4.0 Enforcement
The IT Security Officer will periodically review Internet use monitoring and filtering systems and processes to ensure they are in compliance with this policy. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions
Term: Definition
Internet Filtering: Using technology that monitors each instance of communication between devices on the corporate network and the Internet and blocks traffic that matches specific rules.
User ID: User name or other identifier used when an associate logs into the corporate network.
IP Address: Unique network address assigned to each device to allow it to communicate with other devices on the network or Internet.
SMTP: Simple Mail Transfer Protocol. The Internet protocol that facilitates the exchange of mail messages between Internet mail servers.
Peer to Peer File Sharing: Services or protocols such as BitTorrent and Kazaa that allow Internet-connected hosts to make files available to or download files from other hosts.
Social Networking Services: Internet sites such as Myspace and Facebook that allow users to post content, chat, and interact in online communities.
SPAM: Unsolicited Internet email. SPAM sites are websites linked to from unsolicited Internet mail messages.
Phishing: Attempting to fraudulently acquire sensitive information by masquerading as a trusted entity in an electronic communication.
Hacking: Sites that provide content about breaking or subverting computer security controls.

6.0 Revision History
11/23/2007: Draft Completed, Kevin Bong
