1
Policy Types
Program
Issue Specific
System
Overall / Most Generic
User Policies should be publicized
Internal Operations Policies should be kept inside
2
Security Models
Lattice Based Models
Non-Interference Models
Access Rights Propagation Models
Multilevel Data Models
Integrity Models
Miscellaneous Models
  – Ntree
  – group authorization
3
Application of Security Models
Academic
Corporate
Federal
4
Developing Policy with Security Models
Internetworking may violate policies
  – General Connectivity
  – Mobile Code
Incorporate General Models into Policy
5
Tools For Risk Analysis
Host Security Audits
  » mis-configurations
  » insider threats
  » Access Controls
Software Audits
  » Code Audits
Network diagnostics and diagramming
  » tcpdump, snoop, scotty, snmp, etc.
Using “underground tools” to determine the vulnerability of your site
Uses multiple strategies for site protection
6
Solutions Resulting from Risk Analysis
Account Management
  – Passwords
  – Automated account creation/deletion procedures
Education
  – Security Mailing Lists
  – References
Encryption
  – Authentication
  – Data Encryption
7
Enforcement of Policy
Modularize the technology solution and make the policy document technology-neutral
Design technology so that it supports the policy (not the other way around)
Enlist the support of management and legal bodies for the policy
Have the policy focus on intent rather than details
8
Amending Policy
Create an annual review panel
Consider the policy as a “Living Document”
Educate at all levels
9
Policy Breach
Lock/Suspend Accounts
Delete Accounts
Reprimand user
Formally reprimand user
Remove the user
Pursue the action legally
10
Dealing with Law Enforcement
Follow the guidelines for recording evidence
Assess Damage and Remove Vulnerabilities
  – “Cleanup and Containment”
Notify superiors of your intent to cooperate with Law Enforcement or other parties involved in incidents
11
Pursuing and Prosecuting
Pursue incident if
  » systems and assets are protected
  » backups exist
  » concentrated and frequent attack
  » incur financial damage
  » intruder can be contained and controlled
  » good monitors exist
Don’t pursue incident if
  » no sufficient evidence
  » site is not well protected
  » the willingness to prosecute doesn’t exist
  » site is vulnerable to lawsuits
  » resources unknown
12
Policy for Gathering Evidence
Document all details regarding an incident
Vary monitoring techniques and times
Establish post-incident operating procedures for
  – system administrators
  – operators
  – users
  – decide how to handle compromised system(s)
Record details via logs
  – system events
  – time-stamped actions taken by the attacker and yourself
  – phone conversations: date, time, person, subject
13
Maryland State Statutes
Article 27. Crimes and Punishments
  – Section 146 Unauthorized access to computers prohibited
14
Federal Statutes
Federal State Statutes that apply
  – Title 15 Commerce and Trade
  – Title 17 Copyright
  – Title 18 Crimes and Criminal Procedures
    » Ch 5 Arson
    » Ch 31 Embezzlement and Theft
    » Ch 37 Espionage and Censorship
    » Ch 47 Fraud and False Statements
    » Ch 63 Mail Fraud
    » Ch 65 Malicious Mischief
    » Ch 101 Records and Reports
    » Ch 105 Sabotage
    » Ch 113 Stolen Property
15
Federal Statutes
    » Ch 119 Wire and Electronic Communications Interception and Interception of Oral Communications
    » Ch 206 Pen Registers and Trap and Trace Devices
16
Federal Statutes
  – Title 42 The Public Health and Welfare
    » Ch 21A Privacy Protection
  – Title 47 Telegraphs, Telephones, and Radiotelegraphs
    » Ch 5 Wire or Radio Communications
  – Public Law 103-414 Communications Assistance for Law Enforcement Act
    » Title I Interception of Digital and Other Communications
    » Title II Amendments to Title 18 United States Code
    » Title III Amendments to the Communications Act of 1934
17
Coordinating with other Bodies
State – Federal Contacts
Academia
Network Service Providers
18
Legal/Policy References
Spafford text Appendix
RFC 1244