Policy Types: Program, Issue Specific, System, Overall, Most Generic User Policies should be...


Upload: elaine-hardy

Post on 05-Jan-2016



Policy Types
• Program
• Issue Specific
• System
• Overall
• Most Generic User Policies should be publicized
• Internal Operations Policies should be kept inside


Security Models
• Lattice Based Models
• Non-Interference Models
• Access Rights Propagation Models
• Multilevel Data Models
• Integrity Models
• Miscellaneous Models
  – Ntree
  – group authorization


Application of Security Models
• Academic
• Corporate
• Federal


Developing Policy with Security Models
• Internetworking may violate policies
  – General Connectivity
  – Mobile Code
• Incorporate General Models to Policy


Tools For Risk Analysis
• Host Security Audits
  » mis-configurations
  » insider threats
  » Access Controls
• Software Audits
  » Code Audits
• Network diagnostics and diagramming
  » tcpdump, snoop, scotty, snmp, etc.
• Using “underground tools” to determine the vulnerability of your site
• Uses multiple strategies for site protection


Solutions Resulting from Risk Analysis
• Account Management
  – Passwords
  – Automated account creation/deletion procedures
• Education
  – Security Mailing Lists
  – References
• Encryption
  – Authentication
  – Data Encryption


Enforcement of Policy
• Modularize technology solution and make the policy document technology-neutral
• Design technology so that it supports the policy. (Not the other way around.)
• Enlist the support of management and legal bodies for the policy
• Have the policy focus on intent rather than details


Amending Policy
• Create an annual review panel
• Consider the policy as a “Living Document”
• Educate at all levels


Policy Breach
• Lock/Suspend Accounts
• Delete Accounts
• Reprimand user
• Formally reprimand user
• Remove the user
• Pursue the action legally


Dealing with Law Enforcement
• Follow the guidelines for recording evidence
• Assess Damage and Remove Vulnerabilities
  – “Cleanup and Containment”
• Notify superiors of your intent to cooperate with Law Enforcement or other parties involved in incidents


Pursuing and Prosecuting
• Pursue Incident if
  » systems and assets are protected
  » backups exist
  » concentrated and frequent attack
  » incur financial damage
  » intruder can be contained and controlled
  » good monitors exist
• Don’t Pursue incident if
  » No sufficient evidence
  » Site is not well protected
  » The willingness to prosecute doesn’t exist
  » Site is vulnerable to lawsuits
  » Resources unknown


Policy for Gathering Evidence
• Document all details regarding an incident
• Vary monitoring techniques and times
• Establish post-incident operating procedures for
  – system administrators
  – operators
  – users
  – decide how to handle compromised system(s)
• Record details via logs
  – system events
  – time stamped actions taken by the attacker and yourself
  – phone conversations - date, time, person, subject


Maryland State Statutes
• Article 27. Crimes and Punishments
  – Section 146 Unauthorized access to computers prohibited


Federal Statutes
• Federal State Statutes that apply
  – Title 15 Commerce and Trade
  – Title 17 Copyright
  – Title 18 Crimes and Criminal Procedures
    » Ch 5 Arson
    » Ch 31 Embezzlement and Theft
    » Ch 37 Espionage and Censorship
    » Ch 47 Fraud and False Statements
    » Ch 63 Mail Fraud
    » Ch 65 Malicious Mischief
    » Ch 101 Records and Reports
    » Ch 105 Sabotage
    » Ch 113 Stolen Property


Federal Statutes
    » Ch 119 Wire and Electronic Communications Interception and Interception of Oral Communications
    » Ch 206 Pen Registers and Trap and Trace Devices


Federal Statutes
  – Title 42 The Public Health and Welfare
    » Ch 21A Privacy Protection
  – Title 47 Telegraphs, Telephones, and Radiotelegraphs
    » Ch 5 Wire or Radio Communications
  – Public Law 103-414 Communications Assistance for Law Enforcement Act
    » Title I Interception of Digital and Other Communications
    » Title II Amendments to Title 18 United States Code
    » Title III Amendments to the Communications Act of 1934


Coordinating with other Bodies
• State - Federal Contacts
• Academia
• Network Service Providers


Legal/Policy References
• Spafford text Appendix
• RFC 1244