Site and Infrastructure Security Policy
A site and infrastructure security policy outlines security in regards to the
office, building, or buildings in which the company functions, and the
computing and network infrastructure it uses. The business site provides
the first physical perimeter for the organization, as well as the first
focus for security. The computing infrastructure includes desktop systems,
servers, network equipment such as routers and firewalls, and other
computing resources used within the organization. The procedures and
methods applied to these systems, the environment in which they exist, and
their use constitute the site and infrastructure security policy.
Facilities and Physical Security Considerations
In this inter-networked age, many people often associate
security with the more virtual aspects—network, operating system and
application security, the underground, crackers, and all of the media-hyped
fear, uncertainty, and doubt that surrounds these aspects. Prior to this time,
the term security conjured images of armed
guards or large, burly men posted by each door. Physical security is a
large component of any security policy, and rightfully so. The front door
is the most easily utilized point of attack.
The site and infrastructure security policy should outline
the methods used to provide and control physical access to the building and
the conditions under which access
is granted. Important elements are
· Methods of physical access
· Procedures by which access is granted, modified, or denied
· Access restrictions based on employee status
· Hours of operation
· Points of contact for access
· Procedures for incident handling and escalation levels
Physical access methods
describe the actual means of
accessing the facility, offices, labs, or other areas.
These are often a lock and key, proximity cards, or biometric methods.
Consideration should also be given to guidelines for the appropriate use
and handling of the keys. The procedures used to obtain keys/cards and by
which access is granted or modified should be outlined clearly, as it is
often a point of confusion for both new and long-time employees. Equally
important is a list of the people and departments to whom an employee must
go to gain access to the business site—filling out forms or asking approval
becomes futile if the person to whom these requests should be addressed is unknown.
Many organizations distinguish between full-time,
part-time, and contract employees and limit facility access based on these
categories. Along with the hours of operation, the site security policy
should specify any restrictions for special employees during and outside of
regular working hours. Related to the segmentation of employees, the
segmentation of the facility is also common. Labs, offices, and storage
areas often merit access restrictions in order to prevent unauthorized
entry.
Should an incident occur, the procedures for incident
handling are vital to the security of an organization, as well as the
safety of the employees. Incidents vary in nature, from unauthorized
visitors and broken access methods to the removal of employees. Many
organizations have security personnel to assist in
these matters and suggested methods to react to specific situations.
Defined escalation levels help an employee understand incident seriousness
and to decide when is the appropriate time to notify external support, such
as local law enforcement and legal counsel.
Company Z has installed and uses proximity-based card
readers at all external entrances, lab doors, storage closets, and key
financial offices for access control.
The administration has defined the following security policy that regulates access into
the facility:
· During weekday business hours—between 8 a.m. and 6 p.m.—card access is not required for full-time and part-time employees.
· Contract employees are required to sign in with the receptionist.
· All external doors are locked outside of normal business hours, and card access is required for full-time and part-time employees.
· Contract employees are restricted from access outside of normal business hours unless specialized access forms are filled out and approved by the hiring manager.
· Access to restricted labs, storage areas, and financial offices is gained via specialized access forms and management approval.
· Access cards are obtained at the security office after the hiring manager approves access forms.
· Misplaced or stolen access cards must be reported immediately to security.
· Access cards should be kept on the person at all times; cards should not be loaned to anyone or left unsecured.
The following security policy for incident response is
also provided to employees:
In order to ensure safety and
security within the Company Z facility, employees should read and
understand the following guidelines for dealing with incidents:
· In the event of an unauthorized visitor, the employee should immediately notify the security department and request assistance for removal of the visitor.
· Should the visitor be witnessed committing an act of larceny, attack, or destruction of property, notify the security department, and they will then contact the appropriate authorities.
· All witnesses should provide the security department with an affidavit indicating their presence and the details of the incident, and should be available for further questioning by security and the appropriate authorities.
· All doors, locks, and access methods that are non-functional should be reported to the security department. Security will coordinate with maintenance to fix the broken equipment.
· Managers should be notified when an employee is involved with a breach of security.
· Employees should not handle these situations alone, but instead should notify security and allow the security staff to control the situation.
This example demonstrates important aspects of a site and
infrastructure security policy. Constraints on physical
access are defined, including the actual methods that employees use to
enter the facility and the differentiation between employee types. The
processes and procedures used to control access and to acquire the
appropriate privileges are outlined, including the identification of the
responsible individuals. The response guidelines for any incidents are
clearly outlined with the safety of the employee in mind. Individuals
trained to handle incidents of this nature are identified and involved in
each response method.
Infrastructure and Computing Environment
The following aspects of security are commonly considered when creating a security policy for the
infrastructure and computing environment:
· Physical access to computer systems and facilities
· Security considerations for laptop computers and PDAs
· Voice and data network security
· Remote network access to computer systems and resources
· Security monitoring and auditing
· Authentication and access control
Physical Access to Computer Systems and Facilities
The computer systems used throughout an organization can be categorized into the following
classes:
· Public terminals
· Desktop systems
· Server systems
Each of these classes of systems can be addressed
individually within the site and infrastructure security policy.
Public Terminals
As with the building and facilities, control of physical
access to the computing environment is an important component to its
security. Once someone is inside a building, finding an unoccupied terminal or computer system is often easily
accomplished. Without a policy for protecting these systems, unauthorized
users can gain access to important and private resources, information, and
files. Computer terminals in publicly accessible areas should be controlled
carefully by limiting access to network facilities and resources, and
establishing usage policies for employees and guests.
Returning to the hypothetical case, Company Z has an open
atrium area that contains several terminals accessible to employees and
visitors. The following security policy, which provides regulations for the
use of these public terminals, is posted in plain view:
Rules and Restrictions for Public Terminal Usage
· Visitors must see reception in order to receive a guest account.
· Guest accounts are capable of accessing the Internet only.
· No internal systems or resources are available via guest logins.
· Guest accounts are automatically logged out after 15 minutes of idle time.
· Employees should log out before leaving the terminal.
· Please report all malfunctioning systems to the IT department.
Administrative Policies for Public Terminals
· Public terminals are secured to the desktops via anti-theft alarm devices and cable locks.
· All systems configured for public use are on a restricted-access network.
· Systems are configured with guest accounts that have no access to company resources or systems.
· Guest accounts are automatically logged out after a specified amount of idle time.
· Guest accounts should be set to expire when no longer needed, based on the requirements of the guest.
· Publicly accessible systems should allow no access to internal systems or resources.
· Publicly accessible UNIX systems should be configured with a minimal set of utilities, have no network services running, and provide a restricted and inescapable shell to guests; the account should be removed when the visitor leaves the premises.
· Publicly accessible Windows systems should not be domain members and guest accounts should have only the local user-group privileges.
· Menus and commands should also be configured to allow access only to the appropriate Web browser program on the system and no other applications.
Public terminals are often presented to accommodate the
network needs of visiting employees, vendors, and business partners. These
terminals require special consideration for security and posted regulations
for their use in order to protect the computing infrastructure. The
Company Z policy distinguishes between visitors and employees who use the
terminals and presents significantly more restrictions to the visitors.
The administrators of these systems also have a security policy that
outlines the measures used to configure the systems. This ensures that all
publicly accessible systems are configured alike and helps ensure a known
level of security.
Desktop and Server Systems
Public terminals are not the only systems that require
guidelines. Desktop systems often have the most lax security because
individual employees often administer
their own machines or have special privilege and access to their respective
system. It is often infeasible for the Information Technology staff to
administer all desktop workstations, therefore the development of a
security policy that governs their creation and use is very important. The
site and infrastructure security policy for desktop systems establishes the
standards used to create them, including operating systems, applications,
and utilities. The security constraints generally consist of configuration
information by which administrators can replicate the desktop system at a
known level of security. The policies also present the guidelines for
the desktop system's interaction with servers and the network.
The security policy for desktop users is discussed later in
the chapter.
Given the understanding that desktop systems are likely to
be uncontrolled by the IT staff, effective infrastructure policies attempt
to minimize the amount of data, applications, and other information that
remains on the desktop system. This enhances both the security and
availability of information within the organization. Many companies
centralize storage of user data and applications to a single server or set of
servers. In the event of a failure of a desktop, the effort required to
make it functional again is minimized—all of the essential and important
data is on the server and does
not become lost or require significant time and effort to restore.
Server systems become a focal point as they have the
responsibility to reliably store and provide access to shared data, private
user information, applications, and services for the
organization.
A server security policy should encompass the following
components:
· Service configuration
· Shared data permissions and access control
· User private data permissions and access control
· Backup and restoration procedures
· Incident response
The service configuration entails the initial method used
to secure the server. Most operating systems provide a vast array of
potential services and capabilities, not all of which are needed or desired
by the organization. Each of these services has its own security
ramifications, which should be considered when enabling or disabling it.
The decision to allow a service is often an issue of cost versus risk
analysis. If the service provides a required function that has inherent security risks, the administrators
should determine if there are suitable replacements for the service. If any
substitutes are available, the cost and effort required to implement them
should be weighed against the security risks and cost of the original. It is important to document within the security policy
the foundation for decisions and to identify the known security risks
accepted by the organization. Also related is the maintenance of the
software and operating systems running on the servers—security measures
should be updated frequently, as new vulnerabilities are discovered.
Updates should be applied and monitored. The people writing the security
policy probably will not always be employed at the organization, therefore
knowing the background of a decision is important to the future maintainers
of the security
policy.
Company Z's Server Security Policy is as follows:
· Servers should be configured to support only the required services and to disable unnecessary software and services in order to minimize security risks.
· Server systems should be physically secured, allowing only administrative access.
· Server operating systems and software should be updated when new vulnerabilities and subsequent patches are released.
· In the event of incidents such as hardware failure, system compromise, or other attacks, the server should be removed from the network and left in its current state in order to allow effective forensics work.
· A contingency plan should be created and followed to recover from disasters. For in-depth information on their content and creation, see the Disaster Recovery Journal sample recovery plans at http://www.drj.com/new2dr/samples.htm.
To focus on security policies instead of system
configuration, the Company Z Server Security Policy leaves out most of the
technical details related to the secure lockdown of servers and operating
systems. The standards of configuration, access, and maintenance are
important components that should be incorporated into the policy. Incident
response for servers is reasonably complex; in order to avoid damaging
potential evidence after an attack is discovered, the system should be left
intact for security analysis and forensics work.
Shared data is often the primary purpose of a server,
allowing employees to access common files, applications, and other data.
Server operating systems generally support multiple methods to provide
multiuser access to data. When establishing the infrastructure security
policy, the technical details surrounding shared data should be clearly
outlined.
The Site and Infrastructure Security Policy for Company Z
establishes the following criteria for shared data on servers:
· No data sharing should be initialized via the "Everyone" group on Windows servers or "World" read/write access on UNIX systems.
· Access by the "Everyone" group and "World" read/write permissions should be removed or disabled from the shared data.
· Global or common access to all employees should be controlled via membership in the specially created "Employees" group on the servers.
· When needed, smaller privilege groups should be created and shared data coordinated with those groups to meet the access control requirements for a user.
Company Z's policy emphasizes a strict level of security
for shared data. It identifies and distinguishes between unconditionally
shared data and the true need for shared data. Data is shared only between
employees, and security control is exercised to ensure that only authorized
individuals have access to it. In this model, access control is achieved
via membership in various user groups, and permission is adjusted accordingly.
User private data includes a user's respective
"home" directories or the areas in which his personal files are
stored. Because these files are also often kept on the server, it is
important to outline the level of security the user can expect, as well as
the method by which it is provided.
Company Z details this security policy for user home
directories and private storage areas:
· Server-based user home directories are provided for the storage of private and personal data.
· On Windows servers, the permissions should be set to allow the respective user full read and write permissions for a directory, and also to allow the system backup process to access the data when backing up the storage system.
· No other users should have access to any home directory aside from their own.
· Users are encouraged to use their server-based directories for data storage in order to provide security and to facilitate the simple recovery of data in the event of an incident.
Employees often store personal and sensitive information on their
systems, as work and personal life cannot be completely segregated. In order
to provide data security and to avoid data loss in the event of a desktop
system failure, users at Company Z are encouraged to store their data on the
servers and are provided a high degree of protection from prying eyes.
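A check for the shared-data and home-directory rules above on a UNIX file server, written for this page as an added example (not Company Z's or the book's own code). It assumes the server group is named employees, that a backup group carries the read right the backup process needs, and that home directories live under one root as root/username; the Windows "Everyone" rule is outside its scope.

```python
import os
import stat
from dataclasses import dataclass

# Group names are assumptions: the page names an "Employees" group on the
# servers (UNIX group names are conventionally lowercase) and requires that
# the backup process can read home directories, so a "backup" group is
# assumed to carry that right.
EMPLOYEE_GROUP = "employees"
BACKUP_GROUP = "backup"


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int    # st_mode: permission bits plus file-type bits
    owner: str
    group: str


def audit_shared_entry(entry, allowed_groups):
    """Violations of the shared-data policy for one entry."""
    problems = []
    if entry.mode & stat.S_IROTH:
        problems.append("world-readable")
    if entry.mode & stat.S_IWOTH:
        problems.append("world-writable")
    if entry.group not in allowed_groups:
        problems.append(f"group '{entry.group}' is not an approved access group")
    return problems


def audit_home_entry(entry, home_root):
    """Violations of the home-directory policy for one entry.

    Assumed layout: <home_root>/<username>/...; the owner must be that
    user, other users get nothing, and only the backup group may read.
    """
    rel = os.path.relpath(entry.path, home_root)
    if rel == os.curdir or rel.startswith(os.pardir):
        return []                       # the root itself, or outside the tree
    user = rel.split(os.sep)[0]
    problems = []
    if entry.owner != user:
        problems.append(f"owned by '{entry.owner}', expected '{user}'")
    if entry.mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        problems.append("accessible by other users")
    if entry.mode & (stat.S_IRGRP | stat.S_IXGRP) and entry.group != BACKUP_GROUP:
        problems.append(f"group '{entry.group}' can read it; only '{BACKUP_GROUP}' may")
    if entry.mode & stat.S_IWGRP:
        problems.append("group-writable; the backup process needs read access only")
    return problems


def audit_shared(entries, extra_groups=()):
    """Map each non-compliant shared-data path to its problems.
    extra_groups are the smaller privilege groups the policy allows."""
    allowed = {EMPLOYEE_GROUP, *extra_groups}
    report = {}
    for e in entries:
        problems = audit_shared_entry(e, allowed)
        if problems:
            report[e.path] = problems
    return report


def audit_homes(entries, home_root):
    """Map each non-compliant home-directory path to its problems."""
    report = {}
    for e in entries:
        problems = audit_home_entry(e, home_root)
        if problems:
            report[e.path] = problems
    return report


def collect_entries(root):
    """Build Entry objects for a real directory tree (UNIX only)."""
    import grp
    import pwd
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [os.curdir] + filenames:    # the directory itself, then its files
            path = os.path.normpath(os.path.join(dirpath, name))
            st = os.lstat(path)
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            try:
                group = grp.getgrgid(st.st_gid).gr_name
            except KeyError:
                group = str(st.st_gid)
            yield Entry(path, st.st_mode, owner, group)


# Constructed sample listings (not from the page), shaped as a stat() walk
# would produce them; "finance" is an assumed smaller privilege group.
SAMPLE_SHARED = [
    Entry("/srv/shared/handbook.pdf", stat.S_IFREG | 0o640, "root", "employees"),
    Entry("/srv/shared/budget.xls", stat.S_IFREG | 0o666, "root", "finance"),
    Entry("/srv/shared/archive", stat.S_IFDIR | 0o755, "root", "users"),
]
SAMPLE_HOMES = [
    Entry("/home", stat.S_IFDIR | 0o755, "root", "root"),
    Entry("/home/alice", stat.S_IFDIR | 0o750, "alice", "backup"),
    Entry("/home/alice/notes.txt", stat.S_IFREG | 0o640, "alice", "backup"),
    Entry("/home/bob", stat.S_IFDIR | 0o755, "bob", "bob"),
    Entry("/home/carol/report.doc", stat.S_IFREG | 0o660, "bob", "backup"),
]

if __name__ == "__main__":
    for path, problems in audit_shared(SAMPLE_SHARED, {"finance"}).items():
        print(path, "->", "; ".join(problems))
    for path, problems in audit_homes(SAMPLE_HOMES, "/home").items():
        print(path, "->", "; ".join(problems))
```

On a live server, replace the sample lists with collect_entries("/srv/shared") and collect_entries("/home").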
Backup and restoration procedures serve many functions in
an organization. These include protection of data in the event of a
catastrophic incident, restoration of accidentally removed files, and
provision of general infrastructure reliability. Backup data is often used
in the forensics of security incidents to assess the reliability of
data—data altered by an attacker can often be detected by a comparison
between it and the version that is on the backup media. The physical
storage of the media on which the backups are done is also important to
security. Many organizations use special offsite storage organizations to
assure that the backups are securely stored.
Company Z's security considerations for system backups
include
· All backups are to be stored in a locked storage area prior to offsite storage.
· Weekly backups are moved into offsite storage via a storage company representative at a scheduled pickup time.
· Backups consist of one full system backup, per system, per week with nightly incremental backups of all modified data.
· Use of backup and restoration applications should be restricted to authorized administrators only.
· In the event of a disaster, hardware failure, or other event that results in the loss of data, the employee should notify the IT staff.
· Information will be restored from the last full archive with the incremental changes layered over, up to the time of the event.
Backups provide a level of reliability and security to the
information stored and used within the organization. The security policy
specifies the method for backups, recovery during incidents, and privileges
required to access the information. The physical security of the backup
data is also emphasized in order to create a comprehensive policy that
effectively protects the organization.
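The restore rule above (last full archive plus the incrementals layered over, up to the time of the event) and the weekly-full, nightly-incremental schedule, as an added example of mine rather than the book's or Company Z's code. The catalog, the system names and the choice of Sunday night for the weekly full are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    system: str
    kind: str          # "full" or "incremental"
    taken: datetime    # time the backup completed


def restore_chain(catalog, system, event_time):
    """Backups to replay, in order, to rebuild `system` as of `event_time`.

    Company Z policy: restore from the last full archive with the
    incremental changes layered over, up to the time of the event.
    """
    fulls = [b for b in catalog
             if b.system == system and b.kind == "full" and b.taken <= event_time]
    if not fulls:
        raise LookupError(f"no full backup of {system} before {event_time}")
    base = max(fulls, key=lambda b: b.taken)
    # Incrementals older than the full are superseded by it; incrementals
    # taken after the event could reintroduce what the event damaged.
    layered = [b for b in catalog
               if b.system == system and b.kind == "incremental"
               and base.taken < b.taken <= event_time]
    return [base] + sorted(layered, key=lambda b: b.taken)


def unprotected_hours(chain, event_time):
    """Hours of changes made after the last backup in the chain: what the restore loses."""
    return (event_time - chain[-1].taken).total_seconds() / 3600


def schedule_gaps(catalog, system, week_start):
    """Check one backup week: a full on `week_start` (assumed to be the night
    the weekly full is due) and a backup of some kind on each of the 7 nights.

    Returns (full_missing, [ISO dates with no backup at all]).
    """
    week = [week_start.date() + timedelta(days=i) for i in range(7)]
    mine = [b for b in catalog if b.system == system and b.taken.date() in week]
    full_missing = not any(b.kind == "full" and b.taken.date() == week[0] for b in mine)
    covered = {b.taken.date() for b in mine}
    return full_missing, [d.isoformat() for d in week if d not in covered]


def _sample_catalog():
    """Constructed catalog (not from the page): two systems over two weeks,
    fulls on Sunday nights, incrementals every other night, and a missed
    night for the mail server on 2024-03-06."""
    catalog = []
    first_night = datetime(2024, 2, 25, 2, 0)        # a Sunday, 02:00
    for i in range(14):
        when = first_night + timedelta(days=i)
        kind = "full" if when.weekday() == 6 else "incremental"
        catalog.append(Backup("fileserver", kind, when))
        if when.date() != datetime(2024, 3, 6).date():
            catalog.append(Backup("mailserver", kind, when))
    return catalog


SAMPLE_CATALOG = _sample_catalog()
EVENT_TIME = datetime(2024, 3, 7, 15, 30)          # disk failure on a Thursday afternoon
BEFORE_FIRST_FULL = datetime(2024, 2, 24, 12, 0)   # nothing to restore from yet
WEEK_START = datetime(2024, 3, 3)                  # the Sunday the weekly full is due

if __name__ == "__main__":
    chain = restore_chain(SAMPLE_CATALOG, "fileserver", EVENT_TIME)
    for b in chain:
        print(f"{b.kind:12} {b.taken:%Y-%m-%d %H:%M}")
    print(f"changes lost: {unprotected_hours(chain, EVENT_TIME):.1f} h")
    print("mailserver week check:", schedule_gaps(SAMPLE_CATALOG, "mailserver", WEEK_START))
```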
Incident response takes on
several meanings, but can be summarized as the best course of action in the
event of anomalous circumstances. For the purposes of this discussion, the
actual circumstances are not as important as the reaction to them. Security
policies provide key benefits in the area of incident response by
identifying and organizing information vital to a safe reaction. Security
policies should include the suggested methods to react to incidents and
pertinent contact information. The primary goal of incident-response
guidelines is to avoid the knee-jerk, emotionally motivated responses that
often happen quickly and without careful analysis. By having a step-by-step
approach to handling incidents already in hand—including the proper steps
to identify, control, and resolve issues—those involved can react safely.
Physical Security Considerations for Laptop Computers and PDAs
As technology advances, we see the creation of new, smaller, and
more powerful computing devices. In light of the prevalence of
telecommuters and remote offices, and the frequency of business travel,
these small computing devices such as laptops and PDAs require special
security considerations. The theft and misuse of these devices present a
high risk to the infrastructure of an organization, as they often function
with the same level of access as their larger and less portable cousins.
Many of these portable computers
have special security methods that allow the user to protect the device and
the information they store on it. The company policies that govern the use
of laptops and PDAs should require putting these capabilities to use.
Company Z has established a set of Security Policy
Considerations for Laptops and PDAs. These physical and configuration
considerations include
· Laptops and PDAs should be configured to support power-on passwords if possible, in order to protect against unauthorized use if stolen.
· Users should log out and power off the system when not in use, instead of putting the system into standby mode. This prevents unauthorized users from impersonating you, should they gain access to the system.
· Private and sensitive data should be protected via encryption and passwords, if possible.
· Users should use different passwords on all of their portable and non-portable systems to defend against compromise of multiple systems via a stolen password.
· When temporarily leaving your workspace, care should be taken to either lock the system via a password-protected screensaver or log out completely.
· Laptops and PDAs should be physically secured by a locked cable, tether, or other security device at all times.
· If no security method is available, the system should be locked in a cabinet drawer or other secured storage area when not in use.
Voice and Data Network Security
The network is the lifeline for the computing infrastructure. The phone
system that provides voice communications forms a network of interconnected
phones. Desktops connect to servers and the greater Internet via the local
area network. Customers, partners, and employees contact the company
via the network. The majority of internal communication likely occurs via
the voice and data networks. Security policies should attend to the
security of network communication. By addressing the risks and defenses
against them, the networks can function more securely.
The phone system within an organization often crosses the
boundaries of voice and data communications. The desktop computer can
interact with modern phone systems to retrieve voice mail, leave messages
for others, and administer the system. As with the previous areas of
concern, physical access should be controlled. The operational
constraints—such as Personal Identification Numbers (PIN) for users—and
standard configurations should provide a more secure environment. An often
forgotten security aspect of the phone system is the provision of remote dial-in capabilities that support
both phone system administration and network access.
Several concerns for the phone system are outlined in this
Company Z security policy:
· Physical access to the phone system hardware and system configuration terminals is restricted to phone administrators and phone company personnel.
· The phone system hardware should exist in a secured area that requires specialized access methods via keys or electronic cards.
· Default PINs for new users should be randomly chosen.
· When establishing a voice mail account, avoid using PINs that can be easily guessed, such as an extension number, the surname of the user, or other identifiable information.
· Dial-in modems used for administration of the phone system should be protected with passwords.
· Network access via dial-in modems should be authenticated and logged via a centralized authentication and reporting system.
· Modems meant for dial-in should be programmed to prevent dial-out capabilities.
· Installation of new modems should be coordinated through the phone and IT group in order to provide the necessary security and network infrastructure to maintain security.
· Phone line audits should occur regularly to verify the functionality of existing modems and to identify unauthorized modems.
This security policy addresses the phone system rather
extensively. A comprehensive security policy takes into consideration all
aspects of an organization and does not focus only on the computing environment.
All aspects of security in an organization are related; a breakdown in the
security of one area provides access despite the security measures of
another. A weakness in the phone system security policy might allow an
unauthorized intruder to access system and network resources even if other
system and network security
measures are in place.
The data network should be extended the same security
features as the voice network. Network and telecommunications hardware such
as routers, switches, and network lines (ISDN, DSL, T1, and so on) should
be physically secured to avoid accidental or intentional disruption of
network services. Beyond the physical aspects, the network requires a high
degree of security and diligence to maintain that
level. The first tier of protection is generally a firewall at the Internet
access point (as you learned in Chapter 10, "Firewalls"). The
specific firewall rules and filters should be defined based on the network
access needs of the organization. A reasonably safe, but somewhat
restrictive, guideline is the exception method. This dictates a global rule
to deny access to everything first, and then makes exceptions for those
network services deemed necessary.
After the firewall, network architecture and organization
should also be considered to protect and isolate information as it travels
on the network wire. The network hardware must be protected from network
attacks and unauthorized configuration attempts.
Company Z has a diverse network that separates servers
from the normal desktop computing network. The Internet access point is
protected by a firewall. The data
network portion of its security policy reads as follows:
· Firewalls are used to protect the internal networks in a restrictive fashion.
· Filtering and rules on the firewall support outgoing connections from employees so as not to restrict their ability to use the Internet.
· Filtering and rules on the firewall allow only incoming connections to the company Web server, mail servers, and name servers (DNS).
· The customer support network exists on a different network number and interface than the administrative and corporate network, and with fewer restrictions in order to support the required services of that organization.
· All access to network equipment, where supported, shall be protected via non-default passwords.
· Managed network equipment, including firewalls, routers, switches, modems, and other communication devices, is configured to allow administrative access from only a small number of administrative systems, in order to protect it from unauthorized configuration changes.
· All configuration changes to network equipment must be logged for reference.
· In the event of network attacks, the network administrators should notify the corporate security department, in case legal intervention is required.
· Network equipment should be configured to enable only those protocols in use by the organization, disabling all other features.
· Response to incidents should occur in the following manner:
1. Attempt to identify the cause.
2. In the event of network disruption and loss of service from attack, network administrators should attempt to identify the source of the attack. Firewall rules should be modified to control the effects, if possible.
3. Restore service to the company as quickly as possible while attempting to preserve evidence of the issue.
4. Upon resolution of an incident, incident forms should be filled out and submitted to the manager of the network group.
5. Analysis of the incident should be discussed in a group meeting to identify weaknesses in the organization and help prevent future issues.
· To protect against equipment failure, spare network hardware should be available.
· To facilitate ease of replacement and security of the configuration of network equipment, the configuration information should be maintained on the administrative servers.
· Where possible, network equipment should be configured to boot and download its configuration from the administrative servers, in order to preserve the integrity and reliability of the configuration.
· Network equipment that is not managed via SNMP should have that protocol disabled. The SNMP (Simple Network Management Protocol) allows administrators to see and modify the settings and configuration for a device with little or no authentication and access control.
· If using SNMP for management of the device, SNMP access should be restricted to administrative servers.
Network equipment presents a complex set of security
requirements that should be outlined in the security policy. This allows
for a safe installation and a maintained degree of security. The security
policy incorporates physical orientation and configuration to defend
against unauthorized access and management of the device. Authentication
and access restrictions are implemented, as well as reliability in the
configuration methods. The services provided by the equipment are tailored
to the needs of the organization, allowing a known set of security concerns
to be identified
and resolved.
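The exception method described above, with Company Z's inbound exceptions (Web server, mail servers, name servers) and unrestricted outgoing employee connections, as an added example that is not code from the book: a default-deny rule evaluator plus checks that a candidate ruleset stays within the policy and contains no rule shadowed by an earlier one. Port numbers are assumptions, since the policy names services rather than ports; HTTPS on 443 is assumed for the Web server.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str          # "in": Internet -> internal; "out": internal -> Internet
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # destination port, None for any port
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Conn:
    """A connection attempt as the firewall sees it. Stateful view: the
    replies belonging to an allowed connection are implicitly allowed."""
    direction: str
    proto: str
    port: int


DEFAULT_ACTION = "deny"     # the exception method: deny everything first


def decide(rules, conn):
    """First matching rule wins; with no match, the global deny applies."""
    for rule in rules:
        if rule.direction != conn.direction:
            continue
        if rule.proto != "any" and rule.proto != conn.proto:
            continue
        if rule.port is not None and rule.port != conn.port:
            continue
        return rule.action
    return DEFAULT_ACTION


# The only services the policy permits inbound. Port numbers are assumed.
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 53), ("udp", 53)}

COMPANY_Z_RULES = [
    Rule("in", "tcp", 80, "allow"),      # company Web server
    Rule("in", "tcp", 443, "allow"),     # company Web server (HTTPS, assumed)
    Rule("in", "tcp", 25, "allow"),      # mail servers
    Rule("in", "tcp", 53, "allow"),      # name servers (DNS)
    Rule("in", "udp", 53, "allow"),
    Rule("out", "any", None, "allow"),   # employees' outgoing connections
]


def check_ruleset(rules):
    """Findings where a ruleset departs from the Company Z data-network policy."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow" or rule.direction != "in":
            continue
        if rule.port is None or rule.proto == "any":
            findings.append(f"rule {i}: inbound allow is not limited to one service ({rule})")
        elif (rule.proto, rule.port) not in ALLOWED_INBOUND:
            findings.append(f"rule {i}: inbound {rule.proto}/{rule.port} is not Web, mail or DNS")
    if decide(rules, Conn("out", "tcp", 443)) != "allow":
        findings.append("outgoing employee connections are blocked")
    return findings


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule covers them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.direction == later.direction
                    and earlier.proto in ("any", later.proto)
                    and earlier.port in (None, later.port)):
                shadowed.append(j)
                break
    return shadowed


def exposed_inbound(rules, candidates):
    """The (proto, port) pairs from `candidates` the ruleset lets in; anything
    outside ALLOWED_INBOUND is a gap between the ruleset and the policy."""
    return sorted(c for c in candidates if decide(rules, Conn("in", *c)) == "allow")


# Constructed non-compliant ruleset (not from the page): the broad first
# rule both exceeds the policy and shadows the deny placed after it.
BAD_RULES = [
    Rule("in", "tcp", None, "allow"),
    Rule("in", "tcp", 22, "deny"),
    Rule("in", "udp", 161, "allow"),
    Rule("out", "any", None, "allow"),
]

PROBE_PORTS = [("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 3389), ("udp", 53), ("udp", 161)]

if __name__ == "__main__":
    for name, rules in (("company_z", COMPANY_Z_RULES), ("bad", BAD_RULES)):
        print(name, "findings:", check_ruleset(rules) or "none")
        print(name, "shadowed:", shadowed_rules(rules))
        print(name, "exposed:", exposed_inbound(rules, PROBE_PORTS))
```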
Remote Network Access
Remote network access is a convenience that allows employees to
do their daily work, regardless of their location. This functionality
requires an extension of the network security policy discussed above,
focused on the methods and use of remote access. Remote access can be
provided via Virtual Private Networks and the previously mentioned dial-in
modems. The provision of these capabilities often conflicts with the
security policy for the network because the policy generally seeks to keep
outsiders from accessing internal information and resources.
Here is Company Z's Remote Access Security Policy:
· The company provides remote access capabilities via a Virtual Private Network solution that supports remote dial-in Internet service providers and broadband cable-modem users.
· Configuration of the VPN hardware and software follows the security policy set forth for other network equipment.
· Users requiring remote access capabilities must receive approval from their manager and the IT department and fill out the required forms before remote access is provided.
· Remote access is authenticated via passwords, security tokens, or single-use passwords.
· Remote access passwords should follow the security policy guidelines for authentication.
· Remote access software, configuration, and account information is to be used only by the employee for whom it is intended.
· If access by multiple remote machines is required, this should be indicated on the Remote Access Form.
· Remote access should be used only when required and not left unattended by the employee.
· Acceptable use of this resource is outlined in the User Security Policy.
Remote access is a subfunction that inherits security
policy guidelines from several areas. The administration and configuration
of the VPN falls under Company Z's Network Devices Policy, whereas the
authentication and use of the VPN by employees is governed by the
Authentication and User policies, discussed later in the chapter.
As you can see, a comprehensive security policy is very
easily scaled to meet new requirements and functionality within an
organization. The effort expended in the early development stages of the
security policy or policies simplifies its extension greatly.
Security Monitoring and Auditing
Central to a comprehensive security
policy, and the components that unify procedures and response, is the
discussion of monitoring and auditing. Security
monitoring verifies the configuration guidelines and technical
requirements outlined in the security policies. Security
auditing entails a consistent set of practices that enforce the
security policies set forth for the organization.
Monitoring is the policy action that becomes part of the
ongoing standard security process in the company. The
installation of a firewall is one element of the security monitoring
system—it focuses on the network access points. Other aspects of monitoring
are the use of security cameras, anti-virus software, server disk quotas,
intrusion detection devices, and network management software. The
monitoring component of a security policy enhances the security in an
organization by validating the other elements in the policy, ensuring their
existence and correctness.
Monitoring capabilities also affect the safety and effectiveness of incident
response. Monitoring provides evidence for legal proceedings and an informative
basis for post-mortem analysis of incidents. This analysis is very useful to
assist in the prevention and understanding of problems.
Finally, security monitoring gives the organization the capability to
recover from incidents by providing in-depth information about them.
Network attacks can be monitored and defended against, spurious hardware
failures can be traced and rectified, and the actions of unauthorized
intruders can be watched and recorded.
The monitoring methods for a server, network, or other
computer equipment are often those that gather and analyze statistics. The
statistics gathered provide the reference point for normal
operation and for that which is abnormal. This information is often
gathered by hand, or eye, in the case of security cameras and monitoring.
The level to which the monitoring is automated increases its effectiveness.
To allay the fears that this task is incredibly difficult, it is important
to note that many operating systems and software have the capabilities to
perform a large portion of the monitoring and auditing functionality—the
features simply need to be enabled. Authentication policies including the
identification of password criteria, the use of password aging, and keeping
a password history to avoid repetition are enforced by common features in
most operating systems. Access control methods and auditing capabilities are
inherent parts of server operating systems. Network management protocols
allow for special alerts and notices to be sent under special conditions.
An example is SNMP, which can be configured to notify administrators when
specified events occur. SNMP has weak security and should be investigated
prior to its implementation; it is mentioned here because of its wide use. An
alarm company monitors the alarm system, and the proper authorities are
notified automatically when it is set off.
Company Z's Security Monitoring Policy reads
· Closed-circuit television cameras are installed throughout the organization and at entry/exit points.
· This video information is recorded and monitored by the security group.
· Network equipment management and monitoring occurs via automated management software that notifies administrators via pager in the event of anomalous issues.
· Anti-virus software monitors all programs, documents, and email messages for viruses and automatically cleans discovered viruses.
· Users and administrators are automatically notified via email when a virus is discovered.
· All servers are monitored via monitoring programs and built-in functionality that complies with the established security policy.
Auditing ensures that the
security policy is in place and followed. The measures used to audit include the services of contract security firms
to analyze an organization's networks, systems, and policies—often
unbeknownst to the employees. Other forms of auditing include random and
frequent verification of the policies by administrators or special internal
teams designed for such tasks. The reference to auditing in the security
policies of an organization also has a psychological effect that helps
foster greater security awareness and action. Employees are less likely to
adhere to security policies if they feel there is no enforcement. By
outlining the presence of auditing methods, without necessarily clarifying
the exact procedures, frequency, or schedule, an organization makes its
employees more aware of security issues. A greater emphasis on secure
thought and use is the natural result. Consider Company Z's Security Policy
for Enforcement and Auditing:
· Periodic and random security audits will be performed on servers and network equipment to ensure proper configuration, diligent updates and application of patches, and compliance with other security policy regulations.
· These audits may be performed by internal staff or external agencies with or without the knowledge of the administrators and users of the systems. (For some useful information about audits and pitfalls to avoid, see the article "Audits from Hell" by Carole Fennelly at http://www.sunworld.com/swol-02-1999/swol-02-security.html.)
· Desktop systems and users will be audited for compliance with the Site and Infrastructure Policy, with regard to configuration, up-to-date software, and network services.
· Audits of users for compliance with the Acceptable Use Policy will also be conducted to assure the safety and security of the computing environment.
Notification to employees of the audit policy enforces compliance with
security policies and also forewarns them of the repercussions
for compliance failures. Administrators have the largest responsibility and
expend the most effort to enforce adherence to security policies. Audits
might seem forceful, but an environment with so many security components
requires dedication and diligence to maintain security.
Authentication and Access Control
Authentication and access control are two aspects of security in which administrators and
users must participate equally for any level of effectiveness to exist.
Security policies need to present the regulations and requirements clearly
and should help employees understand the seriousness of compliance.
Authentication policies establish the best practices and exact
implementations used to provide access to desktop systems, servers, and
local network resources, and from remote sites. There are well-known
methods to provide authentication and several guidelines that create a more
highly secure environment. The authentication issues addressed by the
security policy are important to most other areas covered within the
policy. Access control is related to authentication and is often used
simultaneously because the authentication of a user instantiates group
membership and provides access to resources.
Not surprisingly, authentication security involves the
implementation and use of various forms of authentication. Commonly used
means are passwords, Personal Identification Numbers (PINs), single-use
passwords, public-key encryption, proximity cards, smart cards, other
code-generation tokens, and biometric agents. The most commonly used authentication method
is the username/password combination. In comparison to other authentication methods, this is
also the most easily compromised—theft of passwords comes in many different
forms, often due to the individual's choice of password. People tend to
gravitate towards easily remembered words or phrases when selecting
passwords, such as names of family members, pets, hobbies, or other
interests. Unfortunately, attackers often easily guess these passwords. In
the quest to balance ease of use with high security, authentication
security policies help users create stronger passwords that might not be so
easily discerned. The policies also provide guidelines by which users can
increase the security of their daily work. The enforcement of these
guidelines often occurs as a feature of the operating system or programs
doing the authentication.
Authentication security policy also differentiates between
where and how authentication methods are used. Security requirements for
access to different systems, networks, or facilities often mandate the need
for each user to maintain several authentication methods. This is especially
true for computer and network administrators. Users are not the only group
governed by authentication policies. Administrators need to be even more
concerned with authentication security because they have and control access
to highly privileged accounts, systems, and resources. There are also several
guidelines for the handling and use of passwords. These guidelines help to keep
users continually thinking of security in everything they do.
Company Z's Authentication Security Policy for users and
administrators includes these guidelines:
· On systems where credentials are the username/password pair, passwords should meet the following criteria:
  o Passwords should be at least eight characters.
  o They should be a combination of letters, numbers, and extended or special characters.
  o The company will maintain a history of a user's last five passwords to prevent repetition.
  o Passwords should be sufficiently different from any password in the history to prevent patterns of easily obtained passwords.
  o Common dictionary words are not allowed.
  o Passwords will expire every 12 weeks, requiring the user to create a new one.
  o Passwords should be chosen carefully by avoiding family or pet names, personal interests, or other information that can be linked and easily identified.
· Administrators must abide by the criteria set forth for users, with the addition that their passwords will expire more frequently, at six weeks.
· Passwords for privileged accounts will change every four weeks to provide higher safety because these accounts are shared amongst several administrators.
· Remote access will be granted using single-use passwords and code-generating security tokens to prevent theft of user credentials.
· All user accounts will have a password. Any user account without a password will be disabled or have a random password generated for it.
· Newly created accounts will have randomly generated passwords that expire upon first login, requiring the user to set a new password.
· Passwords should never be written down or stored on a recoverable medium such as paper, sticky notes, or white-boards.
· Users should never tell anyone their passwords.
· Administrators will never ask users for their passwords. In the event that someone does ask for the password, please report it immediately to IT and the security group.
· When automating tasks that require authentication, avoid storing passwords in the clear in data files. If possible, encrypt or hash the password prior to storing it, in order to prevent the theft of the passwords.
· When using smart cards, proximity cards, or other hardware token-based authentication methods, keep the device on your person at all times, and do not let others borrow it.
· When using public-key encryption methods for authentication, private key information should be protected via file access restrictions or storage on external devices such as smart cards.
· When using encryption, private and secret keys can be escrowed by the administration to protect the data from loss and to ensure that access is attainable when required.
· All authentications, whether successful or failed, are logged by the system being accessed.
· Systems should be configured to allow three failed login attempts before account lock-out occurs.
· In the event of login failure and account lock-out, internal accounts should be configured to allow logins again after 30 minutes. The use of permanent lock-outs is also supported by many operating systems. These require an administrator to intervene and reopen the account. A permanent lock-out can result in a denial of service condition if an attacker attacks multiple accounts.
· Remote access accounts should be disabled after three failed login attempts, requiring administrative intervention for the reuse of the account.
· Administrators should implement login notices that are displayed prior to login prompts. These notices should warn unauthorized users that their actions are monitored and attempts to enter the system are prohibited. Legal ramifications might result from continued use by unauthorized personnel.
· In the event of lost or stolen passwords and authentication devices, IT should be notified immediately in order to disable access for that account and to begin the creation of new access credentials.
· Administrators should confirm the identity of users before issuing new passwords. This can be done in person with the presentation of a badge or photo ID, the use of a special recovery password, a personal identification number, social security number, or other method that is normally known only by the user and administrator.
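The password criteria, expiry periods and lock-out rules in Company Z's policy above, modelled as code. This is an added example, not code from the book or from Company Z; it assumes that "sufficiently different" means a difflib similarity ratio below 0.6 and that the third consecutive failure triggers the lock-out, and the four-word dictionary is a constructed stand-in for a real word list.

```python
"""Company Z's password and lock-out rules as code (added example, not from the book).
Assumed: "sufficiently different" = difflib ratio below 0.6; the third failure locks."""
from datetime import timedelta
from difflib import SequenceMatcher
import string

MIN_LENGTH, HISTORY_DEPTH, MAX_SIMILARITY = 8, 5, 0.6
EXPIRY_WEEKS = {"user": 12, "admin": 6, "privileged": 4}  # weeks, from the policy
MAX_FAILURES, LOCKOUT_MINUTES = 3, 30
DICTIONARY = {"password", "welcome", "summer", "dragon"}  # constructed stand-in list

def check_password(candidate, history, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)
            and any(c in string.punctuation for c in candidate)):
        problems.append("must mix letters, digits and special characters")
    # "Password1!" is still a dictionary word once digits and punctuation are trimmed
    if candidate.lower().strip(string.digits + string.punctuation) in dictionary:
        problems.append("based on a dictionary word")
    for old in history[-HISTORY_DEPTH:]:  # only the last five passwords are kept
        if candidate == old:
            problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
            break
        if SequenceMatcher(None, candidate.lower(), old.lower()).ratio() > MAX_SIMILARITY:
            problems.append("too similar to a previous password")
            break
    return problems

def password_expired(set_on, now, role="user"):
    """True once the password is older than the expiry period for the account's role."""
    return now - set_on >= timedelta(weeks=EXPIRY_WEEKS[role])

class LockoutTracker:
    """Failed-login counter.  Internal accounts reopen after 30 minutes; remote accounts
    stay locked until an administrator clears them (the DoS trade-off the policy notes)."""
    def __init__(self, remote=False):
        self.remote, self.failures, self.locked_at = remote, {}, {}

    def is_locked(self, account, now):
        since = self.locked_at.get(account)
        if since is None:
            return False
        if not self.remote and now - since >= timedelta(minutes=LOCKOUT_MINUTES):
            del self.locked_at[account]  # temporary lock-out has elapsed
            self.failures[account] = 0
            return False
        return True

    def record(self, account, success, now):
        """Record one login attempt; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True
        self.failures[account] = 0 if success else self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_at[account] = now
            return True
        return False
```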
As you can see, the use of authentication is serious
business. Users and administrators need to be made aware of the negative
effects of authentication misuse. To summarize, the important components of
authentication are
· Teaching users and administrators to use authentication methods securely through strong password creation, as well as to keep passwords secure.
· Authentication logging and monitoring.
· Different authentication methods should be defined and used for different applications to provide the highest level of security, instead of standardizing on a single authentication method. For example, remote access often merits a stronger authentication mechanism than internal server access does.
· The importance of strict authentication security policies, such as password expiration and selection criteria, to make attack and compromise difficult.
Access control is the next related component to
authentication. Access control exists at several levels—network access,
data file access, and resource access. Network access is determined by
protocols, port numbers, source and destination systems, and networks.
Network access control is most likely maintained by the firewall, and these
policies were discussed earlier in the chapter. Data file and system
resource access control is accomplished via operating system functionality,
such as file permissions linked to user and group memberships. An access
control security policy presents the user with a set of best practices for
utilizing this functionality. Consider Company Z's Access Control Policy:
· Network access control occurs via the firewall, which is configured to allow Internet access for employees. If a required service is blocked by the firewall, contact the IT or network administration group to discuss possible solutions.
· Employees are granted access to global company computing resources via their desktop login procedure.
· Common file shares are automatically initialized at login time. The user has rights to add to common areas, but not to remove files or folders unless the user created them.
· UNIX user accounts should be created with membership in the Global users group or equivalent (operating system dependent).
· UNIX user accounts should have their own private group as the default group membership, which allows them to set permissions safely on their files and directories.
· Windows accounts should be members of the Domain Users group.
· Home directories should be created to allow access only by the owner of the directory.
· The UNIX umask setting allows users to specify a default permission level for newly created files. This should be set to create files that disallow everyone else from modifying or executing them. (The default umask is generally 022, which creates files with read and write permissions for the owner and read permissions for the group and world.)
· The UNIX SetUID/GID settings should be avoided unless absolutely necessary.
· The permissions of user resource settings including .login, .profile, and .rhosts should be secured against unauthorized modification.
· Users should contact the IT department if any uncertainty exists when setting access control methods.
· If unauthorized access to files, folders, or other data is suspected, notify the IT department for an investigation.
· Automatic scans will execute on a regular basis to search for unsafe access control settings on user files, folders, and applications.
· The Windows NT and 2000 operating systems provide access to everybody (via the special "Everybody" group) by default. This group access should be removed and replaced with the Domain Users group if access to all employees is to be granted.
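The "automatic scans for unsafe access control settings" that the policy above calls for, as an added example (not the book's or any product's code): it checks a home directory against the umask, SetUID/GID, login-file and home-directory rules just listed. The sample home directory it builds is constructed for the demonstration.

```python
"""Scan a home directory for the unsafe access-control settings Company Z's policy names
(added example, not the book's or any product's code)."""
import os
import stat
import tempfile

# Login files the policy says must be protected against modification by others.
SENSITIVE_DOTFILES = {".login", ".profile", ".rhosts"}

def findings_for(path, st, home=None):
    """Return the policy violations found on one filesystem entry."""
    mode, name, found = st.st_mode, os.path.basename(path), []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):            # what umask 022 prevents
        found.append("writable by group or others")
    if stat.S_ISREG(mode) and mode & (stat.S_IXGRP | stat.S_IXOTH):
        found.append("executable by group or others")
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        found.append("setuid/setgid")                     # avoid unless necessary
    if name in SENSITIVE_DOTFILES and mode & (stat.S_IWGRP | stat.S_IWOTH):
        found.append("login file modifiable by others")
    if path == home and mode & (stat.S_IRWXG | stat.S_IRWXO):
        found.append("home directory accessible by others")
    return found

def scan_home(home):
    """Walk a home directory; return {relative path: findings} for offending entries."""
    report = {}
    for root, _dirs, files in os.walk(home):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(entry)
            if stat.S_ISLNK(st.st_mode):   # a symlink's own mode is meaningless
                continue
            found = findings_for(entry, st, home)
            if found:
                report[os.path.relpath(entry, home)] = found
    return report

def build_demo_home():
    """Constructed sample home directory with two deliberate misconfigurations."""
    home = tempfile.mkdtemp(prefix="companyz_home_")
    os.chmod(home, 0o700)
    def make(rel, mode):
        p = os.path.join(home, rel)
        open(p, "w").close()
        os.chmod(p, mode)
    make(".profile", 0o644)   # fine: owner rw, others read only
    make("notes.txt", 0o600)  # fine
    make(".rhosts", 0o666)    # bad: anyone may edit the trust list
    make("tool", 0o4755)      # bad: setuid program in a home directory
    return home

if __name__ == "__main__":
    for rel, found in sorted(scan_home(build_demo_home()).items()):
        print("%-12s %s" % (rel, ", ".join(found)))
```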
Note
The Windows NT and 2000 operating systems support a
slightly different access control mechanism than UNIX. The Windows
mechanism has the standard read, write and execute permissions like UNIX,
but also has several special attributes such as full-access and modify. The
full-access permission allows the individual to modify all of the
permissions, including changing the permissions for others. This is often not
the desired effect, so in cases where the user requires only read, write,
and execute access, full-access should not be enabled. The modify attribute allows a user to make
changes to a file already in existence, but not to create new files or folders.
Access control policies can present useful technical
information to the users and promote security awareness. Noting the
technical details of access control mechanisms for the operating systems in use is
beneficial because the casual user is often unaware of their existence or
their use. The identification of contacts and procedures for access control
issues is used to help the user learn and utilize secure settings.