security policy critique

Uploaded by graigpatrick3467, 10-Apr-2018

8/8/2019 Security Policy Critique

1/27

    Policy Critique

    Security Management: Assignment 2

Due Date: 4th November

    Peter Davies B.Sc - 05004306

    MSc Information Security & Computer Crime

University of Glamorgan Security Management Assignment 2

Abstract

This report critically examines the strengths and weaknesses of the Birkbeck College Security Policy, and makes a number of recommendations to clarify the elements of the policy that present weaknesses.

It systematically addresses the approaches and standards related to the implementation and management of security within an organisation, based on the material taught and researched during the MSc Information Security and Computer Crime course at the University of Glamorgan.


Contents

Abstract ... 2
Contents ... 3
Introduction ... 4
Policy Analysis ... 6
  Policy Introduction ... 6
  General Policy ... 7
  Responsibilities of Systems Administrators ... 12
  Responsibilities of Central Computing Services ... 15
  Responsibilities of Users ... 18
  Implementation of the Policy and Sanctions ... 18
Recommendations ... 19
  Account management ... 19
  Running Services ... 19
  Personal Information Disposal ... 19
  Application Installation ... 20
  Maintaining Lists of Users ... 20
  Password Policy ... 20
  Data Storage & Recovery ... 21
  Staff Time Off ... 21
  Policy Revisions ... 22
  Policy Reviewing ... 22
  Network Monitoring ... 22
  Administrative/Security Alerts ... 22
  Virus Protection and Prevention Policy ... 22
  Additional Elements ... 23
  Formatting of the document ... 23
Conclusions ... 24
Background Reading ... 26
  White Papers & Reports ... 26
  Websites ... 26
  Magazines ... 26
References ... 27


Introduction

Before we begin to analyse a security policy, we must first understand its purpose and general goals.

In brief, a security policy is a series of published (publicly available) documents describing the rules and procedures for the day-to-day management of information. It is developed to inform users and management of the steps required to protect an organisation's assets.

It encompasses the analysis of risks and threats, followed by a strategy for what to do if an incident occurs (incident management). The security policy is usually constructed from several other policies, such as the privacy policy, the access policy and the network policy. The SANS Institute [1] lists over twenty such policies, all of which (depending on their relevance) could form part of an organisation's policy.

Searching the World Wide Web for security policies returns quite a few hits. Most universities and colleges have a security policy (or at least rules and guidelines on acceptable use of their network). An issue I wish to highlight is that an educational establishment's security policy has to deal with the complications inherent in such an organisation's structure. It will therefore contain sections that would not appear in a corporate organisation's policy.

For example, an academic organisation has users who typically study there for between one and five years. They have little or no loyalty toward the organisation, and a large percentage of them study computer-related subjects. A common concern among security personnel is that the security policy carries only a slight fear of retribution: users are likely to attempt an attack because they know they will not be punished to the full extent.

It is the responsibility of the Information Security Officer (ISO) to create and review the organisation's security policy, and also to enforce these rules and regulations throughout the organisation.

Kevin Mitnick, a well-known computer cracker and self-confessed social engineer, writes that [2]:

    Effective security controls are implemented by training employees with well-documented policies and procedures. However, it is important to note that security policies, even if religiously followed by all employees, are not guaranteed to prevent every social engineering attack. Rather, the reasonable goal is always to mitigate the risk to an acceptable level.

His point is quite valid and is confirmed by other authors, such as a recent SANS Institute white paper [3] on social engineering, which states that, in order to mitigate such risk, a good defence should include but not be limited to:


- Password policies
- Vulnerability assessments
- Data classification
- Acceptable use policy
- Background checks
- Termination process
- Incident response
- Physical security
- Security awareness training

Request for Comments 2196 [10] (which replaced the older 1991 RFC 1244) is a Site Security Handbook developed as a resource for the Internet community.

Although not directly concerned with organisational security, the Site Security Handbook provides a detailed explanation of the processes involved in creating a policy. In addition it provides guidance on how organisations should construct their security policies and explains the three main characteristics of a good security policy:

1. it must be possible to implement through system administration procedures
2. it must be enforceable with security tools
3. it must clearly define the areas of responsibility for the users, administrators, and management

Using these three criteria and the suggestions from the SANS Institute white paper, I plan to assess the strengths and weaknesses of the Birkbeck College security policy. Each section within the policy will be broken down and analysed. The points produced from this analysis will then be summarised and recommendations made at the end of the report.


    Policy Analysis

    Policy Introduction

As a general rule, the introduction to a policy must provide broad information about the organisation, including a summary of the technologies that have been implemented. The Birkbeck College policy contains exactly this, while being careful not to expose too much technical information.

As this document is publicly available, it can be seen in two ways: as an information base that clarifies the organisation's needs, or, more seriously, as a fact sheet for an attacker who is looking for a vulnerability in the system.

The introduction of the Birkbeck College policy also describes the objectives they wish to achieve by writing and implementing their policy. They base their objectives around the concept of authorisation, which describes who is allowed to access what, and in what manner [4].

This concept of authorisation is drawn from the CIA model, which was developed from a need for standardisation. The three elements that give it its acronym are [5]:

1. Confidentiality: protecting information from unauthorised access and disclosure
2. Integrity: safeguarding the accuracy and completeness of information and processing methods
3. Availability: ensuring that information and services are available to authorised users

The Birkbeck College policy openly admits that its network is operated with a minimum of restrictions. It correctly establishes that this is a security risk, and the security policy was developed in response to it.

My argument would be to try and avoid any form of admission of weakness. To challenge this argument: you are unavoidably required to highlight issues before you can attempt to rectify them (or at least control them), and as a result Birkbeck College have strengthened their policy.


    General Policy

The general policy section is designed to cover all aspects of the organisation's network and applies to all computers and users. The Birkbeck College policy states:

Every computer connected to the Birkbeck College network must be subject to formal system administration.

With many organisations, the IT department is fearful of users plugging their own computer equipment into the network. Introducing equipment that has not been checked means that there is no control over the data that enters or leaves the network. A security policy should always include a statement such as the one above.

It is also fair to say that even if the system has been checked, there could be more subversive applications that have been missed. It might not be the correct place in a policy to mention it, but there should be provision for physical (hardware) procedures to prevent such devices from being plugged into the network. For example, it is possible to lock a specific Ethernet socket to a given computer's MAC address. As each MAC address is unique to a given network interface card, it will be difficult (although not impossible) to connect an unauthorised computer to the network. The caveat is that a MAC address can be changed in software, so this is a deterrent rather than a control; port-based authentication (IEEE 802.1X) is the stronger option where the switches support it.

Synopsis: Formal system administration of connected equipment is a strength of the policy. The weakness in this statement is that no checks are implied and there is no formal written consent procedure.

Responsibility for administration and security of computers should be assigned to a suitably trained and technically competent member/s of staff.

This point makes a clear assignment of responsibility to the staff who administer and apply security. It also clearly states that the members of staff responsible for such actions will be technically competent or suitably trained.

Users should be aware that the administrators are competent at doing their job, which will hopefully deter those who might consider disobeying the policy.

Synopsis: This is a strength of the policy, assigning administration to the necessary parties.

The staff assigned to the system administrator role must have adequate time in which to undertake the maintenance of computers under their control.

Although slightly ambiguous, the statement means that users must accept that when maintenance occurs, the system administrator must be given as much time as they need to complete the task at hand.


If the administrator takes shortcuts when repairing a system, for example when reinstalling an operating system, it is probable that they will miss a core system patch (or service pack). The result could be the unknowing introduction of a system vulnerability.

The last thing a system administrator needs is hundreds of angry users pressuring them into completing a task. Having such a statement in the policy provides the organisation and the system administrator with a certain level of flexibility in the event of an incident.

Synopsis: This is a strength of the policy, providing it is further clarified by the administrator's duties.

Adequate provision of cover during sickness or holidays should be made where key systems may be affected.

The word "adequate" may not be precise enough to cover the possibility of multiple key members of the administration team being off work at the same time. Provision needs to be in place to cover such an eventuality.

It must also be stated that there should not be a single member of staff responsible for core organisational administration. Roles should be shared amongst staff, to cover for the eventuality that somebody is ill or on holiday. This degree of contingency will enable the organisation to remain unaffected by unpredictable events such as staff illness.

Synopsis: This is a weakness of the policy; see recommendations.

Access to any network connected computer must be via a logon process that identifies and authenticates the user, except where read-only access is given to certain systems (e.g. the Library Catalogue), or unprivileged access is normal and appropriate safeguards are in place (e.g. Web browsers in kiosk mode, access to a contained website).

This statement in the policy identifies the method of authentication the organisation uses. By implication, as a user you must already be known to the organisation, having been entered in its user directory (and hence in any access control list, or ACL, that refers to you).

In an educational establishment, users are authenticated at various stages during initial enrolment. For example, when students arrive they are often authenticated twice: once when they join their course, and subsequently when they have to prove who they are to pay their tuition fees (effectively when they become a student of that establishment).

Only after you have enrolled at your department, and then at the College itself, will you get your enrolment number. This enrolment number is then your identification for accessing the computer network. This means that there is a paper trail linking your access to a computer all the way back to the personal details you enrolled with.

A weakness of the above statement is that a system with unprivileged access could have a browser running in kiosk mode. A quick search for the keyboard shortcuts that break out of kiosk mode (for example to open a file dialogue or a new window) will give a user a desktop on the unprivileged machine. From that point they could download numerous applications that could potentially be used to mount an attack on the rest of the network.

Synopsis: This is both a strength and a weakness of the policy.

Any networked system which will be unused for extended periods (typically several days or more) should be switched off.

This is a power-saving remark often made by large organisations that wish to save money by asking for computer equipment to be turned off when not in use.

Sumir Karayi, CEO of an organisation called 1E, discusses in a recent Computer Weekly article [6] that even if managing power consumption on a PC saves only a few tens of pounds a year, a large company could begin to realise significant savings.

Having a computer turned off also provides a security barrier. As obvious as it may seem, if the computer is off it cannot be used or affected by a network attack (it can still be stolen or have its disks removed, which is why physical security is addressed separately below).

Synopsis: This is a strength of the policy but requires further clarification. For example, a server needs to remain active, but could be perceived as unused by non-technical staff.

Accounts which remain unused for five months should be disabled where possible.

Accounts used by system administrators should be cancelled immediately on departure of a member of staff.

No shared accounts will be created, except where absolutely necessary, and under the condition that a list is kept of the users of the account, and that they are jointly responsible for any action taken using the account.

Accounts should not be re-used, except where absolutely necessary, and under the condition that details are kept of the users of the account.

A successful user account management strategy can only be developed through an understanding of the organisation's operations. From this learned experience it will be possible to determine whether a specific rule will work.

For example, the rule above stating that accounts which remain unused for five months should be disabled has been agreed upon by the writers of this policy and therefore now specifically applies to Birkbeck College.


My main criticism of the rule is that it says the account "should be" disabled, which is rather weak and less enforcing than "accounts which remain unused for five months will be disabled". It also fails to define how an account is classified as unused. For example, if a researcher working part-time does not use their account for five months, does it mean they will have their account deleted? Or disabled? An educational establishment will also have many users arriving each year, and often leaving at any point thereafter.

The other rules stated in the category of account management are mostly common sense. A noteworthy shared accounts rule successfully imposes the responsibilities for running such an account on the users. By maintaining a list of the users who control the shared account, you can apportion blame amongst all parties if it gets misused.

Synopsis: This is a strength of the policy, although further recommendations have been made regarding shared account access.
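The five-month rule only works if someone actually runs the check, so it is worth automating. The script below is an added example written for this critique; it is not code from the Birkbeck policy or from the original report. It reads a constructed last-login table standing in for `lastlog` output, uses a fixed clock so that it runs the same offline, and prints the disabling commands instead of executing them, so the "disable, do not delete" distinction discussed above is preserved and an administrator still reviews the list before anything happens. The 150-day cutoff is an assumption for "five months".

```shell
#!/bin/sh
# Added example (not from the Birkbeck policy or the report): find accounts
# unused for five months and print the commands that would disable them.
# SAMPLE_LASTLOG is a constructed "user last_login_epoch" table standing in
# for `lastlog` output; 0 means the account has never been used.
SAMPLE_LASTLOG='alice 1699000000
bob 0
carol 1680000000
dave 1700000000'

NOW=1700500000                    # fixed clock so the example is reproducible
FIVE_MONTHS=$((150 * 24 * 3600))  # the policy's "five months", taken as 150 days

# stale_accounts NOW CUTOFF: read the table on stdin and print one user per
# line whose last login is older than CUTOFF seconds. Never-used accounts are
# reported too: an account with no activity has nothing to justify it.
stale_accounts() {
  now=$1
  cutoff=$2
  while read -r user last; do
    [ -z "$user" ] && continue
    if [ "$last" -eq 0 ] || [ $((now - last)) -gt "$cutoff" ]; then
      echo "$user"
    fi
  done
}

# lock_commands: turn the user list on stdin into the commands an administrator
# would run. The account is disabled, not deleted, so its files and its entries
# in the audit trail survive; the expiry date and nologin shell block key-based
# logins as well as password logins, which --lock alone does not.
lock_commands() {
  while read -r user; do
    echo "usermod --lock --expiredate 1970-01-02 --shell /usr/sbin/nologin $user"
  done
}

# Usage: list the stale accounts and show what would be done (nothing is executed).
printf '%s\n' "$SAMPLE_LASTLOG" | stale_accounts "$NOW" "$FIVE_MONTHS" | lock_commands
```

Running it lists bob (never used) and carol (roughly 237 days idle) and prints a `usermod` line for each; alice and dave are recent and are left alone. Which accounts count as unused, and whether a never-used account is treated the same way as an abandoned one, are exactly the decisions the policy leaves undefined, and they are the two parameters at the top of the script.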

Lists of users and their data (such as userids) must not be available to anonymous users or, where possible, to other users and systems administrators.

What the Birkbeck College policy fails to mention in this statement is how the lists will be managed. As part of the CIA model, confidentiality is a core requirement of the organisation's management of information. Deciding who can access what, and how they will access it, should be clearly stated.

Synopsis: Despite my previous comment, this is a strength of the policy. Further recommendations have been made at the end of the report.

Computers in open areas should be physically secured.

Computers in other areas should be accessible only by authorised persons, and security imposed as appropriate.

Physically securing computer equipment is essential within an educational establishment where hundreds of users share a single computer. The usual solution is to lock the computers within secure cabinets that are attached to the desk units. The second statement seems to imply the securing of computers within areas such as lecture rooms or, more generally, rooms that can be locked.

Having physical locks on devices and doors implies there should be a management process for access control (i.e., distribution of keys). In my opinion, further clarification is required to establish a mechanism for key management; this could be achieved through a further document such as a Physical Security Policy.

Synopsis: This is a weakness of the policy, requiring a further management process to maintain access to rooms and equipment.


Computers offering services external to the College (e.g. web, email, ftp etc), must be authorised by School or CCS support staff.

Details of any networked system which is operating as a server (including file serving, print serving, web serving, ftp serving, or applications server) must be given to CCS Systems staff or to School support staff in the cases of Schools responsible for maintaining their own servers (e.g. Computer Science and Information Systems, Crystallography, Economics and Statistics, Geography and the Library).

Most educational establishments make statements like the above, but unless there are hardware or software tools (firewalls) in place to prevent such services running, a statement alone will not stop users from running them.

It is aimed at the departments within the organisation that may be running their own internal systems.

The statements also offer no sanction if a user fails to notify support staff of the services they are running.

Synopsis: This is a strength of the policy, although it needs modifying to include some form of sanction.

Access to equipment should be possible at all times (in the event of a report being received by CCS or School support staff out of hours) unless precluded by Health and Safety requirements.

In a similar vein to physically securing open-area computers, the policy states that the same secured computers must be accessible by support staff in the case of certain incidents.

Synopsis: This is a strength of the policy but, again, it introduces a weakness that requires a further management process to maintain access to rooms and equipment.

Personal equipment may not be connected to the College network except where the connection is made to a School or Departmental network with the written authorization of the School/Dept System Administrator.

Connecting equipment to the network has technically been covered by formal system administration (policy point one). The only addition to the rule on connecting equipment is that this one requires written authorisation from the system administrator.

Synopsis: This is a strength of the policy, stating that written authorisation is required to connect personal equipment. See recommendations.


    Responsibilities of Systems Administrators

The following sections within the policy highlight the Systems Administrators' main responsibilities to the College.

Users, including systems administrators, should normally login with userids without unnecessary (superuser) privileges. Privileged accounts should be used only for systems administrative work and monitoring.

When undertaking systems work demanding privileged user status, administrators should log in under their own account before assuming privileged status (to maintain audit information).

This is a common computer security concern. The usual practice is never to allow a user to log in directly as the superuser (root on Unix-like systems), as this greatly increases the security risk and leaves no record of which individual was acting. Depending on the operating system, the solution is to log in as a normal user and then perform administrative tasks using the su or sudo commands. Of the two, sudo is preferable for the audit trail: it records the individual and the exact command for every invocation, whereas su only records that the switch to root took place.

Synopsis: This is a strength of the policy, maintaining an audit trail for system access.

Administrators must ensure that all software is properly licensed.

Administrators must ensure adequate backup procedures are in place.

Adequate virus protection software must be installed.

The above policy statements identify core requirements of the organisation. Each is required to maintain the operation of the organisation. For example, the operating systems and software installed on servers and desktops must be correctly licensed. Some businesses are open to running unlicensed products because of the costs involved, but academic establishments are entitled to substantial discounts, which reduces the incentive for such piracy.

Realistically, there should be a separate backup procedure outlined in a further policy, such as a Data Storage & Recovery Policy (see recommendations).

The same could be said of virus protection: a separate policy should describe the procedures for managing a virus and malicious code database. This virus policy should also consider the consequences if a virus, such as a worm, infects any one of the organisation's networks.

Synopsis: Each statement is fairly weak in what it is trying to describe. The first statement is a major weakness of the policy, as the administrator can only prevent the installation of unlicensed applications by users if the security tools are available; see the application installation section in the recommendations. A further recommendation is to have a Virus Protection and Prevention Policy to cover all departments.


Ensure that passwords are changed regularly and knowledge of the super-user password should be restricted.

Most of the security literature recommends that passwords are changed on a regular basis. This limits the usefulness of a password to a set period of time, and also limits exposure to brute-force cracking (by the time the password has been cracked, the system has already forced the user to change it). The caveat is that rotation only helps if the interval is shorter than the time an attacker needs to guess the password; a minimum length and an account lockout after repeated failures do more to defeat guessing than rotation does.

Synopsis: This is a weak statement of the policy; see the recommendations on introducing password policies. Access to the super-user password is covered below.

Superuser and system administrator passwords should be passed to CCS or School/Dept Computer staff for use in emergency.

As a precautionary measure, most organisations require that system administrator passwords (which often control core systems) be backed up in some form. This backup can then be used in an emergency, for example if the administrator is unreachable.

Synopsis: This is a strength of the policy, maintaining operation in the event of accidents. However, this should form part of the password policy, where, depending on the risk associated with the password, control measures for accessing it should be enforced (for example, release signed off by the academic board, with the password changed once the emergency is over).

Logging, and in particular a record of logins on the computer, should be maintained for one year.

Administrators must not amend any audit or system information which may be used as part of an audit trail in cases of security breach.

All system access, whether successful or unsuccessful must be logged. The log should only contain the records of incorrect passwords, making sure that successful passwords are only logged as successful.

It should be common sense that in order to preserve an audit trail, the system administrator must not tamper with it. This could generate complicated situations if the organisation demands that the system be brought back into service and, in the process of rebuilding it, the audit trail is destroyed. The usual resolution is to copy the logs off the machine (or image its disks) before the rebuild begins, so that the evidence survives the recovery.

Synopsis: Maintaining an audit trail for an individual system for up to one year is a strength of the policy. The main criticism of the second statement is that it might not always be possible for a systems administrator to preserve the audit trail, so the policy would need clarifying to include possible exceptions.
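The su/sudo statement under Responsibilities of Systems Administrators and the logging statements here come down to the same question: can each privileged action and each login attempt be traced back to an individual? The script below is an added example for this critique, not part of the Birkbeck policy or the original report. It runs over a constructed auth log whose lines follow the OpenSSH, sudo and su syslog formats (the host, names and addresses are invented) and extracts three things a reviewer of the logs would want: sources with repeated failures, a success that follows failures from the same source, and who became root and how.

```shell
#!/bin/sh
# Added example: mine a constructed auth log for the audit trail the policy
# asks for. Line formats follow OpenSSH, sudo and su syslog messages; the
# host, users and addresses are invented for this example.
SAMPLE_AUTH_LOG='Nov 14 09:01:02 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Nov 14 09:01:04 host sshd[1203]: Failed password for root from 192.0.2.10 port 51123 ssh2
Nov 14 09:01:06 host sshd[1205]: Failed password for root from 192.0.2.10 port 51124 ssh2
Nov 14 09:01:09 host sshd[1207]: Accepted password for root from 192.0.2.10 port 51125 ssh2
Nov 14 09:05:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Nov 14 09:07:31 host sshd[1350]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov 14 10:00:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod --lock bob
Nov 14 10:03:12 host su[2210]: (to root) carol on pts/1'

# failed_by_source THRESHOLD: print "source count" for sources with at least
# THRESHOLD failed logins. Only the username and source are in the log; the
# password itself never is, which is what "logged as incorrect" amounts to.
failed_by_source() {
  awk -v thr="$1" '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (src in fails) if (fails[src] >= thr) print src, fails[src] }
  ' | sort
}

# success_after_failures: an Accepted login from a source that already had
# failures is the guess-then-succeed pattern. Log order matters: failures that
# come after a success do not flag it.
success_after_failures() {
  awk '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    /sshd\[[0-9]+\]: Accepted / {
      for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i + 1); if ($i == "from") src = $(i + 1) }
      if (fails[src] > 0) print src, user
    }
  '
}

# privileged_actions: who obtained root, and how. sudo records the individual
# and the exact command; su records only the switch; a direct root login
# records no individual at all, which is why the policy forbids it.
privileged_actions() {
  awk '
    / sudo: / {
      rest = substr($0, index($0, " sudo: ") + 7)
      who = rest; sub(/^ +/, "", who); sub(/ : .*/, "", who)
      cmd = substr(rest, index(rest, "COMMAND=") + 8)
      print who, "sudo", cmd
    }
    / su\[[0-9]+\]: \(to / {
      target = $0; sub(/.*\(to /, "", target); sub(/\).*/, "", target)
      who = $0; sub(/.*\) /, "", who); sub(/ on .*/, "", who)
      print who, "su", target
    }
    /sshd\[[0-9]+\]: Accepted .* for root from / {
      src = $0; sub(/.* from /, "", src); sub(/ port .*/, "", src)
      print "UNATTRIBUTED direct root login from", src
    }
  '
}

# Usage against the constructed log.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures
printf '%s\n' "$SAMPLE_AUTH_LOG" | privileged_actions
```

Note what is and is not in the log: usernames and source addresses appear, passwords never do, which is what the policy's requirement means in practice. The one well-known exception is a user who types their password at the username prompt, which then turns up in an OpenSSH "invalid user" line, so access to the auth log itself must be restricted. In the sample, the sudo line records alice and her exact command, the su line records only that carol became root, and the direct root login from 192.0.2.10 (after three failures) records no individual at all.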


If necessary to protect or maintain service, administrators will disconnect a system, individual workstation, or software from the School.

The statement covers the disconnection of both hardware and software if it is deemed dangerous to the organisation.

Synopsis: This is an extremely broad and weak statement given the implications of its actions. If a server were to be infected with a virus, the last thing an organisation needs is an overprotective systems administrator unplugging all of the equipment around it.

Monitor activity and/or record traffic on the network if appropriate, including periodic intrusion detection testing either internally or by third party.

Monitoring of users is one of the main responsibilities of a system administrator. By monitoring users' behaviour and activity it is possible to predict events such as an increase in bandwidth use before it presents itself as a real problem.

The tools used to monitor traffic and generate reports can often be used in the forensic analysis of network incidents. By recording a time frame of network activity, the system administrator can replay (in a secure environment) the steps that caused an incident.

Synopsis: This statement is a weakness of the policy. The monitoring of activity needs clarifying and possibly expanding further in a subsequent policy. See my recommendations at the end of this document.

    Ensure that adequate security (such as dial back) is utilized when connecting modems toallow remote management/troubleshooting.

    Some remote management systems offer dial-back facilities, for example the user dials in

    and is authenticated, and then the system disconnects the call and calls back on a pre-defined number.

    Dial-back is useful since if someone were to successfully guess a username and

    password, they are disconnected, and the system then calls back the actual user whosepassword was guessed, which would signify the password as being compromised.

    Synopsis: This is a weakness of the policy. Remote Access Policies would need to beimplemented governing who and when could access the system. Necessary authentication

    and logging would need to be in place to generate any form of useful audit trail.
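To make the dial-back exchange and its audit trail concrete, here is an added simulation (my own illustrative code, not part of the report or of the Birkbeck policy): the server authenticates the inbound call, drops it, rings the pre-registered number, and logs an alert when valid credentials arrive from a line other than the registered one. All usernames, passwords and telephone numbers are constructed.

```python
"""Dial-back remote access as described above: authenticate the inbound call,
hang up, then call the pre-defined number. Added example; every username,
password and phone number here is constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for a real credential store: only a PBKDF2 hash is kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class RemoteUser:
    username: str
    salt: bytes
    pw_hash: bytes
    callback_number: str  # the pre-defined number the system will ring back


@dataclass
class DialBackServer:
    users: Dict[str, RemoteUser]
    # Constructed model of the phone network: who answers each callback line.
    answering_party: Dict[str, str]
    audit: List[str] = field(default_factory=list)

    def inbound_call(self, calling_number: str, username: str, password: str) -> Optional[str]:
        """Handle one dial-in. A session token is returned only if the callback is answered
        by the registered holder of the callback number; the caller itself never gets one."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(_pw_hash(password, user.salt), user.pw_hash):
            self.audit.append(f"AUTH_FAIL user={username} from={calling_number}")
            return None
        self.audit.append(f"AUTH_OK user={username} from={calling_number}")
        # The inbound call is always dropped; a session only ever exists on the callback.
        self.audit.append(f"DISCONNECT from={calling_number}")
        return self._call_back(user, calling_number)

    def _call_back(self, user: RemoteUser, calling_number: str) -> Optional[str]:
        self.audit.append(f"CALLBACK user={user.username} to={user.callback_number}")
        if calling_number != user.callback_number:
            # Valid credentials arrived from a line that is not the registered one: the
            # real user receives an unexpected callback, which is the compromise signal
            # the report describes. Record it so the password can be reset.
            self.audit.append(f"ALERT credentials used from unregistered line user={user.username} "
                              f"caller={calling_number} registered={user.callback_number}")
        if self.answering_party.get(user.callback_number) == user.username:
            self.audit.append(f"SESSION_OPEN user={user.username} on={user.callback_number}")
            return f"session:{user.username}"
        self.audit.append(f"NO_ANSWER to={user.callback_number}")
        return None


def build_demo_server() -> DialBackServer:
    salt = b"constructed-salt"
    alice = RemoteUser("alice", salt, _pw_hash("correct horse", salt), "+44-20-7000-0001")
    return DialBackServer(users={"alice": alice},
                          answering_party={"+44-20-7000-0001": "alice"})


def login_from_registered_line(server: DialBackServer) -> Optional[str]:
    return server.inbound_call("+44-20-7000-0001", "alice", "correct horse")


def login_from_unregistered_line(server: DialBackServer) -> Optional[str]:
    # The same valid credentials, but presented from a different line.
    return server.inbound_call("+44-20-7999-9999", "alice", "correct horse")


def alerts(server: DialBackServer) -> List[str]:
    return [entry for entry in server.audit if entry.startswith("ALERT")]


if __name__ == "__main__":
    srv = build_demo_server()
    login_from_registered_line(srv)
    login_from_unregistered_line(srv)
    print("\n".join(srv.audit))
```

In the second scenario the session is opened on Alice's registered line, not the caller's, and the ALERT entry is what an administrator would act on by resetting the password.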


Responsibilities of Central Computing Services

The following sections within the policy highlight the Central Computing Services' responsibilities as a department.

Liaise with external organizations (such as UCL Network Group and UKERNA) in the development and maintenance of the network.

The process of sharing information between organisations is an essential networking tool. By associating with businesses and organisations that deal directly with security incidents, you place your organisation one step ahead of the latest threat.

Synopsis: This is a strength of the policy. Any facility for obtaining more information about security issues will be an advantage to the organisation.

Inform system administrators of security information, hacking attempts, tools etc via an email list.

The CCS is responsible for alerting the organisation's systems administrators of the latest security information via e-mail.

Providing cross-departmental communication is usually quite effective, but it must be agreed across all members that high priority information should be communicated immediately.

Synopsis: The statement is quite weak; although security alerts should be announced, e-mail is not a reliable communication method. See recommendations for alerts.

Provide information and good practice guidelines.

Synopsis: As a policy statement this is quite ambiguous. The statement should describe what exactly appears in the good practice guidelines, or at least refer the reader to another document. This statement does not contribute to the policy and therefore I would classify it as a weakness.


Assist School/Dept Systems Administrator to correct a security or breach, especially where the integrity of the network may be at risk, or it is affecting systems elsewhere.

The CCS will act as an independent department, yet it is responsible for the overall network security of the organisation. This statement suggests that despite any individually agreed departmental policies, the CCS still needs to resume control over the actions of the other departments, as inherently it is still responsible.

Synopsis: The statement is a strength of the policy. It demonstrates that CCS trust the other departments in the organisation, and will provide support if required.

If necessary to protect and maintain service, disconnect a system, individual workstation, software, School network or building from the wider College network.

This is a repetition of the system administrator's responsibility, although now on a larger scale. The statement implies CCS will do what they deem necessary to maintain service across the network, even if the result is detrimental to another department.

Synopsis: The statement is a weakness of the policy; it needs to clarify the processes involved before it takes action against another department.

Monitor activity on the network, including periodic intrusion detection testing either internally or by third party. If during a scan an obvious weakness is found, CCS will provide advice and assistance to the appropriate systems administrator. If no administrator is available, depending on the nature of the loophole, the offending system may be disconnected from the network.

Following the logical order of the document, the separate departments and the CCS will be running intrusion detection systems simultaneously.

Synopsis: This is a weak statement and really should be broken down into separate sections. The monitoring process needs clarifying further and should really be given its own category within the security policy; see the recommendations on Monitoring Network Activity.


Maintain central checking of malicious code, including of email passing through central mail systems.

The CCS should really set a generic policy for all other networks to follow. For example, if the CCS have a specific anti-virus policy in place, it would be logical that each department also follow suit and use the same procedures.

The likelihood is that the internet connection to the network will pass through the CCS department, so technically each subsequent department will not require the same level of protection that is automatically provided to the overall organisation. There would be no point running a second virus scan on an e-mail that has already been scanned through the central mail system.

Synopsis: This is a weak statement. By implication of having and maintaining virus protection, CCS will automatically be completing this action.

Maintain site licences of virus protection software.

Each server and client desktop will be required to have a valid virus protection licence. This is a requirement of the complete network, and has to include every department. The CCS is to make sure each of the separate departments comply with whatever policy is in place to deal with software licensing.

Synopsis: This is a strength of the policy. An organisation should be responsible for the management and control of virus protection licences.

Co-ordinate the development and maintenance of the security policy.

The CCS should be responsible for the maintenance and review of the security policy. The document should be reviewed on a regular basis and signed off by various members of the educational establishment's academic board.

Synopsis: This is a weakness of the policy. It should really describe who is responsible for management and review of the security policy. Review practices will be mentioned in the recommendations.

Provide assistance in developing router-filtering rules if required.

The CCS should aid any department in the setting up of firewall rules. Given prior authorisation, CCS can grant access to certain services through the firewall.

Synopsis: This is a weak statement. The CCS should be responsible for enforcing router-filtering rules and maintaining network integrity. They subsequently note that (at the time of writing) there is no border-level firewall, and no firewall policy.


Responsibilities of Users

The section dealing with the responsibility of users forms the basis for an Acceptable Use Policy. This will aid the staff and management to discipline any users, using the AUP as a reference. The organisation can claim that the user was made aware of the AUP, and subsequently anybody who violates the policy can be referred back to the document.

The Birkbeck College policy lists some of the main components that constitute an Acceptable Use Policy as:

User Authentication & Password
File Storage
Email Communication
Network Use

Each of these sections lists a series of rules that users are expected to obey, and they are not really classified as responsibilities. The term "users" in this section applies to students, staff and system administrators.

In synopsis, Birkbeck College openly admits that the lists of rules are not extensive, and that other rules are implied and not directly stated. This, in itself, is a weakness of this section of the policy.

A further weakness of this section is that the Birkbeck policy identifies other relevant policies that users are required to familiarise themselves with. It is unlikely that a user will actively seek out the other documents, and as a result, simply listing them in this section provides no useful information.

Implementation of the Policy and Sanctions

This section of the Birkbeck policy deals directly with disciplinary procedures. It correctly assigns the responsibility for implementing the policy to the Heads of Schools, Academic Services and Central Administration.

As a policy statement, its main weakness is in the explanation of the disciplinary procedures. I would have thought that the policy and sanctions section would include specific disciplinary actions for given infringements of the policy. This, in my opinion, would strengthen the organisation's stance in convincing a user that they must abide by the guidelines and rules set out in the security policy.


Recommendations

Account management

In my opinion, I would prevent users from having shared accounts altogether. This then reduces the likelihood that an account could be compromised, and also reduces the workload of the systems administrator.

For situations where a shared account is unavoidably required, my suggestion is to introduce a time limit on the account. This maintains a certain degree of control over the account, but at the expense of further administration when the account needs renewing.

Also, prior to disabling a user's account, the administrator must obtain formal (written) verification that the user no longer requires the account.

Users must also be aware that the primary user of a computer is considered to be the guardian of the equipment. So, if the machine they use is compromised, they are technically responsible. This though, in practice, could be difficult to implement, and by the recommendations already outlined, if it can't be implemented, it probably shouldn't be in the security policy.

Running Services

The policy states that any user wishing to run services such as Web, FTP or e-mail must give details to the CCS department.

In my opinion this should be altered to read that any user wishing to run services must obtain written authorisation from the CCS department. The responsibility for maintenance can then be passed on to the individuals wishing to run the service. This also provides a useful control mechanism if there are no hardware or software firewalls in place.

The statement should also then include some form of punishment if the CCS department discovers illegitimate running services. For example, peer-to-peer applications are basically servers distributing large amounts of data across a network. There should be adequate detail in the policy to cover such services (which is discussed further in these recommendations).

Personal Information Disposal

There should be a personal information disposal and retention guidelines document or section within the policy. It is the responsibility of the staff and users of the network to be aware of security when disposing of or storing coursework.

For example, certain computer systems have temporary storage directories where a user can put documents they are working on. If this directory is not cleaned after use,


another user using the same machine will have access to the same document after logging on. In terms of plagiarism it will be both parties that will be disciplined, the first for having failed to sufficiently protect their work.

Application Installation

The administrators of the Birkbeck College network will need to employ the features available from software vendors to control and implement successful application installation.

For example, Microsoft provides a mechanism for controlling the installation of applications on individual computers through the use of Group Policies. Microsoft describes on their website that it [7]:

"allows you to centrally manage registry-based policy settings (Administrative Templates), security settings, software installation, scripts, folder redirection, Remote Installation Services, wireless settings, Internet Explorer, and other components."

Using such a tool would prevent individual desktop users from installing unwanted or, more importantly, unlicensed software.

Maintaining Lists of Users

The Birkbeck College security policy has no clearly defined process for managing lists of users. They would be required to comply with the Data Protection Act, and as a suggestion I would create a sub-policy specifically to deal with this matter.

Another important issue is lists of administrators and staff. Their phone numbers and e-mail addresses should not be disclosed to any other users, so as to prevent needless phone calls and reduce the risk of social engineering attacks.

Password Policy

Lost passwords should be rectified by resetting the password and not retrieving the old one. This will also require formal identification of the account holder. This will prevent social engineering attacks aimed at obtaining authorisation through the administration department.

Another solution is to create accounts that expire or become disabled each academic year. This would remove any unused accounts and reduce the risk of attackers using dormant accounts. Actually deleting the accounts may be too extreme, so simply disabling the account and getting the user to physically re-authenticate with a department could be a solution.

The SANS Institute has an example online Password Policy Template [8] which contains some general guidelines for maintaining passwords:


All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.

All production system-level passwords must be part of the InfoSec administered global password management database.

All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.

User accounts that have system-level privileges granted through group memberships or programs such as sudo must have a unique password from all other accounts held by that user.

Passwords must not be inserted into email messages or other forms of electronic communication.

Some of these points are valid, but depending on your type of business (such as a website hosting provider) there are no other cost-effective means of providing clients with authentication details (for example, sending new account information through e-mail).
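The Account Management recommendations earlier and the Password Policy recommendations above describe a set of lifecycle controls; the following is an added example (my own illustrative code, not from the report, Birkbeck or SANS) that enforces them together: shared accounts must carry a time limit, disabling needs written verification, lost passwords are reset rather than retrieved and only after formal identification, accounts are disabled rather than deleted at the end of the academic year, and the SANS maximum password ages (quarterly for system-level, six months for user-level) are checked. All account names and dates are constructed.

```python
"""Account lifecycle controls from the Account Management and Password Policy recommendations
above. Added example, not the report's or SANS's own code; names and dates are constructed."""
import secrets
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional

MAX_AGE_DAYS = {"system": 91, "user": 182}   # SANS: quarterly / every six months


class AccountPolicyError(Exception):
    """Raised when an action would breach one of the recommended controls."""


@dataclass
class Account:
    name: str
    level: str                     # "user" or "system"
    shared: bool
    expires: Optional[date]        # mandatory time limit for shared accounts
    password_set: date
    enabled: bool = True
    history: List[str] = field(default_factory=list)   # per-account audit trail


class AccountRegistry:
    def __init__(self, today: date):
        self.today = today
        self.accounts: Dict[str, Account] = {}

    def create(self, name: str, level: str, shared: bool = False, expires: Optional[date] = None) -> Account:
        if level not in MAX_AGE_DAYS:
            raise AccountPolicyError("level must be 'user' or 'system'")
        if shared and expires is None:
            raise AccountPolicyError("shared accounts must carry an expiry date")
        acct = Account(name, level, shared, expires, password_set=self.today)
        acct.history.append(f"{self.today} created shared={shared} expires={expires}")
        self.accounts[name] = acct
        return acct

    def disable(self, name: str, written_verification: bool) -> None:
        # Formal (written) confirmation that the holder no longer needs the account.
        if not written_verification:
            raise AccountPolicyError("written verification from the user is required")
        self.accounts[name].enabled = False
        self.accounts[name].history.append(f"{self.today} disabled after written verification")

    def reset_password(self, name: str, identity_verified: bool) -> str:
        # Lost passwords are reset, never retrieved, and only for a formally identified holder.
        if not identity_verified:
            raise AccountPolicyError("formal identification of the account holder required")
        self.accounts[name].password_set = self.today
        self.accounts[name].history.append(f"{self.today} password reset after identification")
        return secrets.token_urlsafe(12)     # one-time temporary password handed over in person

    def end_of_academic_year(self) -> List[str]:
        """Disable (not delete) every live account; holders re-authenticate with a department."""
        disabled = [a.name for a in self.accounts.values() if a.enabled]
        for name in disabled:
            self.accounts[name].enabled = False
            self.accounts[name].history.append(f"{self.today} disabled at year end; re-enrol in person")
        return disabled

    def compliance_report(self) -> Dict[str, List[str]]:
        """Accounts whose shared-account time limit or password age is out of policy."""
        findings: Dict[str, List[str]] = {}
        for acct in self.accounts.values():
            issues = []
            if acct.expires is not None and acct.expires < self.today:
                issues.append("shared account expired; renew or disable")
            age = (self.today - acct.password_set).days
            if age > MAX_AGE_DAYS[acct.level]:
                issues.append(f"password {age} days old, limit {MAX_AGE_DAYS[acct.level]}")
            if issues:
                findings[acct.name] = issues
        return findings


def _refused(action: Callable[[], object]) -> bool:
    try:
        action()
    except AccountPolicyError:
        return True
    return False


def run_scenario() -> dict:
    """Constructed walk-through of the controls; returns the facts worth checking."""
    reg = AccountRegistry(today=date(2005, 11, 1))
    reg.create("lab-shared", "user", shared=True, expires=date(2005, 10, 1))
    root = reg.create("root", "system")
    root.password_set = date(2005, 6, 1)      # 153 days old, over the 91-day limit
    return {
        "report": reg.compliance_report(),
        "unlimited_shared_refused": _refused(lambda: reg.create("helpdesk", "user", shared=True)),
        "unverified_disable_refused": _refused(lambda: reg.disable("root", written_verification=False)),
        "temp_password_len": len(reg.reset_password("root", identity_verified=True)),
        "disabled_at_year_end": reg.end_of_academic_year(),
    }
```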

Data Storage & Recovery

A complete new section should be generated examining the processes involved in maintaining a successful backup and archive system.

Organisations and users often get confused when discussing backup and archiving procedures, so a policy specifically describing the processes should be created. It should include items like:

Daily incremental backups will be performed in the evening and stored on the University Storage Area Network (SAN).

Weekly full tape backups will be made of the SAN and stored off site for a period of 1 month.

The policy or document responsible for the storage and recovery procedures must define what file systems get backed up, how often, and which members of staff are responsible for this maintenance.

Staff Time Off

As a general rule, the system administrators of a given department must not be allowed to take the same holidays. If something were to go wrong, and all technical staff were away, how could the organisation continue business?

It must also be stated that there should not be a single member of staff responsible for core organisational administration. Roles should be shared amongst staff, to cover for the eventuality that somebody is ill or on holiday.


Policy Revisions

As well as having the latest version stated on the title page, the document should contain a complete new section called Revisions. This revisions section will list the dates and times that the policy was modified. It should list next to each revision which member of staff performed the modification. This way there is an audit trail of who introduced what change and when.

Policy Reviewing

The introduction talked about the responsibility of the ISO to create and review the organisation's security policy. It is also the responsibility of the ISO to consult the users who the policies affect before implementing any changes.

It must also be considered that any legacy systems will inadvertently be affected by any policy implemented. The requirements of such systems need to be well thought out during the initial development of the policy.

Network Monitoring

A policy needs to clarify exactly what the system administrator will be monitoring. The usual practice is to include such information in a privacy policy, explaining the extent to which the users will have their privacy violated.

The policy should also make a clear note of the Intrusion Detection Systems and, as a result, how the computer network will be protected from malicious attacks.

Administrative/Security Alerts

A system should be in place that categorises security incidents and subsequently alerts the necessary parties. This will require management of staff and system administrator contact information.

It should also, depending on the severity of the alert, require that system administrators directly communicate using the telephone to resolve the incident.

Virus Protection and Prevention Policy

Another SANS Institute policy document [9] suggests that for successful virus protection and prevention, the policy should demonstrate the baseline requirements for the use of virus protection software. It should have separate guidelines on:

reporting and containing virus infections
defining levels of virus risk (i.e., worms, Trojans)

And suggests that the following points be discussed:

requirements for scanning email attachments
a policy for the download and installation of public domain software
the frequency of virus definitions


Additional Elements

The current policy appears to be quite dated. The past few years have seen an increase in mobile devices, and as a result, the system administrator must make provision for users connecting to the network.

This though instantly breaks one of the already established policy rules that no user can connect personal equipment to the academic network. A solution is to implement a separate wireless network, which has been secured against possible threats to the main network.

Another recommendation is to include (or exclude) the use of portable mass-storage devices (such as USB memory sticks). Again, the current policy prohibits their use under the personal equipment statement. But nowadays the floppy disk is all but obsolete, and applications are generating larger files.

So, if you allow mass-storage devices to be accessed through the computer's USB port, why not allow music devices like the Apple iPod? The issue here is that files as well as music can be stored on an iPod. It is obvious that a clear policy would need to be created to cover the use of such devices.

In terms of network usage, the policy should be updated to exclude and prohibit such applications as instant messaging and peer-to-peer file transfer applications, both of which can unnecessarily increase bandwidth use, generating adverse effects on the rest of the network.

The Birkbeck policy does not state any goal of obtaining ISO 17799 or BS7799 status. These standards are specifically related to developing a code of practice that the business/organisation must adhere to. The ISO's role should be to guide the organisation towards obtaining certification by one of the two standards.

Formatting of the document

My initial concern with the document was that it was missing definitions explaining any acronyms; for example, the first page uses CCS, which isn't explained until you deduce that it is one of the three distinct groups mentioned on page two.

The Birkbeck College security policy shows no dates of when it was created, or when it has been subsequently modified. For effective version control, a date of creation, date of last modification and finally a revision number should be added to a title page.

The document should also have been proof-read, as there are several cases where the structure of the stated rule makes no grammatical sense.

A useful authoritative approval would be to have the policy signed off by the College's Academic Board. This makes the document appear official in the eyes of the user.


Conclusions

An ISO's job is to manage the flow of information entering and leaving an organisation to minimise loss or damage. This can only be achieved through initial development and subsequent regular reviewing of the security policy.

The end of the document lists several policies that are technically prerequisite to reading the Birkbeck College network policy. In my opinion this should be part of the main policy's introduction, because everyone is expected to read these texts as well as the policy document.

In my opinion, the construction of a security policy must follow a certain pattern. For example, reading any document is in what could be classically defined as a serial fashion: you start from the beginning of the document and inevitably reach the end. In my opinion the Birkbeck policy was constructed from the following three separate sections, in the order listed below:

1. responsibilities of users: the list of things users can and cannot do
2. introduction and general policy statements
3. job responsibilities for systems administrators and the CCS

The reason for this argument is that the Responsibilities of Users looks as if it was the first list or statement made by Birkbeck before they had a policy document, because it seeks to make clear what users must and must not do. It is also apparent that there are many more positive statements such as "must", compared to the earlier sections that use the terminology "should".

The policy should be written more like a demand upon users than a guideline telling the users that they should perform a certain task. Whatever is written must be positive, and induce a sense of importance in the mind of the users.

One generally accepted approach to follow is suggested by Fites et al. [Fites 1989] and subsequently summarised by the 1997 Site Security Handbook (RFC 2196), which includes the following steps [10]:

1. identify what you are trying to protect
2. determine what you are trying to protect it from
3. determine how likely the threats are
4. implement measures which will protect your assets in a cost-effective manner
5. review the process continuously and make improvements each time a weakness is found

As previously stated, the Birkbeck College security policy shows no dates of when it was created, or when it has been subsequently modified. From inspection of the document properties, it shows that the document was created (and last modified) on the 29th January 2002. This shows that no apparent review of the security policy exists.


As a student studying Information Security and Computer Crime, I am concerned that a large organisation such as a college has not subsequently reviewed their security policy. It could be true that the document has stood its ground for 3 years, but in that time we have had a surge in networked, wireless and mobile computers (see recommendations).

Another interesting issue is to ask whether the document will ever be read or knowingly accepted by the users or staff. It is the ISO's job to make sure they do, but who realistically is going to examine the contents of the policy?

A possible solution is to have all users sign a statement indicating that they have read, understood, and agreed to abide by the policy. On academic networks, I have often seen the policy available as soon as you log in to your account. But user ignorance means I click the accept button without understanding the implications: that I have just agreed to abide by the policy, and subsequently to be subjected to any of the disciplinary procedures.

If the user were to actually sit and read the many documents that constitute a policy, I believe they may realise that the policy has unrealistic demands.

In my opinion, what makes users accept the policy without reading it is the need to complete a task with the minimum of questions. Sometimes you have no choice but to agree to an organisation's policy, as the consequence of not agreeing means you no longer belong to the group. This is true of academic establishments. If you wish to study at university, and use their facilities (which is quite often necessary to complete the course), you are required to agree to the organisation's policy.

With all my analysis of the strengths and weaknesses of the Birkbeck College security policy, the only real sign that they work will come from actual implementation, which should highlight issues for review and modification.

I also believe that it doesn't matter how comprehensive a security policy is, the users will still find it an impediment to their daily duties. Any such complaints should be highlighted during policy reviews and the policy document subsequently amended if possible.


Background Reading

White Papers & Reports

ASIS Online (2004) Chief Security Officer (CSO) Guideline
BarclaySimpson (2005) Information Security Market Report 2005
CIO (2005) Incident Response: Response & Reporting Guidelines
Computer Security Institute (2005) CSI/FBI Computer Crime and Security Survey
Control Data (1999) Why Security Policies Fail
Kroll (2004) Protecting Corporate Secrets

Websites

CSO Online (2005) The Resource for Security Executives [Online] CXO Media Inc. Available From: http://www.csoonline.com [Accessed 14th October 2005]
Information Security Policy World (2005) Security Policies [Online] ISPSG. Available From: http://www.information-security-policies-and-standards.com [Accessed 15th October 2005]
SuperhighwaySafety (2001) Computer Misuse Act 1990 [Online] Crown copyright - DfES and Becta. Available From: http://safety.ngfl.gov.uk/ukonline/document.php3?D=d10 [Accessed 15th October 2005]
Dolan, A., (2001) SANS Social Engineering Papers [Online] SANS Institute. Available From: http://www.sans.org/rr/whitepapers/engineering/ [Accessed 30th October]

Magazines

SC Magazine August (2005), Article: Policy Management
SC Magazine October (2005), Article: Risk Opinion


References

[1] Unknown, (2004) The SANS Security Policy Project [Online] SANS Institute. Available From: http://www.sans.org/resources/policies/#template [Accessed 15th Oct 2005]
[2] Mitnick, K. E., (2003) The Art of Deception [Book] Wiley. Chapter 16 [Page 260]
[3] Dolan, A., (2004) Social Engineering [Online] SANS Institute. Available From: http://www.sans.org/resources/popular.php [Accessed 15th Oct 2005]
[4] Denning, D. E., (1999) Information Warfare and Security [Book] Addison Wesley. Part 1: Introduction [Page 41]
[5] Blyth, A. & Kovacich, G. L., (2001) Information Assurance [Book] Springer. [Page 99]
[6] Unknown, (2005) Who is winning the power game? [Online] Computer Weekly. Available From: http://www.computerweekly.com/Articles/Article.aspx?liArticleID=212113 [Accessed: 1st November 2005]
[7] Unknown, (2000) Windows 2000 Group Policy [White Paper] Microsoft. Available From: http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp [Accessed: 2nd November 2005]
[8] Unknown, (2001) Password Policy [Online] SANS Institute. Available From: http://www.sans.org/resources/policies/Password_Policy.pdf [Accessed: 3rd November 2005]
[9] Guel, M. D., (2001) Policy Primer [Online] SANS Institute. Available From: http://www.sans.org/resources/policies/Policy_Primer.pdf [Accessed: 3rd November 2005]
[10] Fraser, B., (1997) RFC 2196 Site Security Handbook [Online] NWG. Available From: http://www.faqs.org/rfcs/rfc2196.html [Accessed: 31 October 2005]