Network Security Policy in the Work Place
Network Security Policy in the Work Place
By: Joshua Cormas
Network Security Policy in the Work Place
• Brief overview:
– Explain how companies control the risks
– List the different types of security policies
– Describe training and awareness to provide increased security in the work place
– Real life examples
Net. Security in Work Place
• The most important concept in information security and networks is risk. There can be many different types of risk that are encountered in an organization.
• Some risks are small and easily managed, while other risks can threaten the existence of a business.
• These risks were once taken lightly, but today they are viewed as avenues through which an attacker can cripple a business.
Net. Security in Work Place
• Many of these approaches can be applied to information security in general; however, I will be focusing on the network security aspects.
Net. Security in Work Place
• Most organizations utilize a multifaceted approach.
– First, they work to control risk through management techniques.
– Second, they develop a policy that reflects the organization’s needs and operation. The network security policy defines what the organization needs to protect and how they will do so.
– The third approach is awareness and training on the policies. Similar to how users must be instructed on how to use specific software or hardware, they also must be told the network policies needed to maintain a secure network and business.
Net. Security in Work Place
• Controlling Risk
– Threat: a type of action that has the potential to cause harm to a computer network.
– Threat agent: a person or element that has the power to carry out a threat.
– Vulnerability: a flaw or weakness in a company’s network security (ex: authentication methods, back door, etc.)
– Risk: the likelihood that the threat agent will exploit the vulnerability.
Net. Security in Work Place
• Some classifications of network security risks…
• 1. Compliance – Following a regulation or standard on a network.
• 2. Strategic – Action that affects the long-term goals of the organization, such as unauthorized access to intellectual property on a company database.
• 3. Technical – Events that affect network systems, such as DDoS or SQL injection.
Net. Security in Work Place
• Three strategies for controlling risks in an organization…
– 1. Privilege Management: the process of assigning and revoking privileges to users on a network.
– 2. Change Management: a methodology for making modifications and keeping track of changes, such as new servers or routers being introduced to a network.
– 3. Incident Management: the framework and functions required to enable incident response.
Net. Security in Work Place
• Another way of reducing risks is through a network security policy.
• A security policy is a document that outlines the protections that should be enacted to ensure that the organization’s network stability and assets face minimal risks.
• It defines how an organization plans to protect the company’s network.
Net. Security in Work Place
• The primary purpose of a network security policy is to inform users and staff of the requirements for protecting various assets.
• These assets take many forms, including passwords, documents, or even servers.
• These policies also lay out guidelines for acquiring, configuring, and auditing computer systems and networks.
Net. Security in Work Place
• Things companies consider when creating a network security policy include…
• 1. What do you have on the network that others want?
• 2. What processes, data, or information systems are critical to your organization?
• 3. What would stop your company from functioning?
Net. Security in Work Place
• The answers to these questions identify a wide range of network assets, including:
– Critical databases
– Vital applications
– Personal data
– Shared network storage
– E-mail servers
– Web servers
Net. Security in Work Place
• Network security policies must consider all entities that deal with your network.
• Not only employees, but end users and anyone who has confidential data on your networks.
• Employees are considered potential threats in security policies.
– However, the policies must be implemented so that employees are still able to complete their jobs without being overly burdened by security measures.
Net. Security in Work Place
• In network security policies, users can be organized into two audiences.
– Internal audience: managers/executives, departments, technical staff, end users
– External audience: partners, customers, suppliers, consultants
Net. Security in Work Place
• Network Security Policy Components
• The structure of a corporate policy is aimed at effectively meeting the needs of all audiences on the network.
– Governing Policy: a high-level treatment of the security concepts that are important to the company. Managers and technical staff are the intended audience. This policy section controls all security-related interaction among business units and supporting departments in the company.
– End User Policy: this document covers all security topics important to end users. It answers the “what”, “who”, “when” and “where” network security policy questions for end users.
– Technical Policies: security staff members use technical policies as they carry out their security responsibilities for the network or system. These policies are more detailed than the others, and are system or issue specific.
Net. Security in Work Place
• Network security staff members use the technical policies in the conduct of their daily responsibilities.
– Acceptable Use Policy: defines the acceptable use of computing services and networks, and the security measures employees should take.
• IUP has an acceptable use policy for all users on their networks.
– Audit Policy: used to conduct audits and risk assessments, investigate incidents, ensure adherence to security policies, and monitor user and system activity when needed.
Net. Security in Work Place
– Global Web Server Policy: defines the standards that are required by all web hosts on the network.
– E-mail Policies: define standards to prevent tarnishing the public image of the organization, restrict automatic e-mail forwarding to external destinations without prior approval, and set spam policies.
– Remote Access Policies: define the standards for connecting to the network from any host or network external to the organization.
Net. Security in Work Place
– VPN Security Policy: defines requirements for remote-access IP Security (IPsec) or Layer 2 Tunneling Protocol VPN connections to the organization network.
– Application Service Provider Policy: defines the minimum security criteria that an ASP must meet before the organization uses their services on a project.
– Database Credential Policy: defines the minimum requirements for securely storing and retrieving database usernames and passwords.
Net. Security in Work Place
• Inter-process Communications Policy: defines the security requirements that any two or more processes must meet when they communicate with each other using a network socket or operating system socket.
• Source Code Protection Policy: establishes minimum security requirements for managing product source code.
• Extranet Policy: defines the requirement that third-party organizations that need access to the organization networks must sign a third-party connection agreement.
Net. Security in Work Place
– Requirements for Network Access Policy: defines the standards and requirements for any device that requires connectivity to the internal network.
– Network Access Standards: define the standards for secure physical port access for all wired and wireless network data ports.
– Router and Switch Security Policy: defines the minimal security configuration standards for routers and switches inside a company production network.
– Server Security Policy: defines the security configuration standards for servers inside a company production network or used in a production capacity.
Net. Security in Work Place
– Wireless Policy: defines standards for wireless systems that are used to connect to the organization networks.
– Electronic Communication Policy: defines standards for the retention of e-mail and instant messaging.
• There are many more policies to consider when an organization develops a network security policy document. These serve as a general base for this document.
Net. Security in Work Place
• Policies are important, but are useless if staff don’t understand and implement them.
• Technical and administrative controls can all be defeated without the participation of the end-user community.
– To get end users (accountants, administration, etc.) to think about security policies, the company must train and regularly remind them about security.
Net. Security in Work Place
• Another important aspect of network security is the physical security that protects hardware, such as servers and other computer equipment.
• One method of protecting the physical assets of a network is to centralize network servers in one area.
– Access to the area would require authentication of some sort, such as an ID badge.
Net. Security in Work Place
• Another key component of the physical security of a network is surveillance.
• Outside of a physical network asset, there should be cameras monitoring who enters and attempts to access the location.
• This will enable a company or organization to detect when someone enters a sensitive location, and provide evidence in the event of an attack.
Net. Security in Work Place
• Network encryption is another key factor.
• Sometimes called “network level encryption”, it is a network security process that applies cryptographic services at the network transfer layer.
• Using existing network services and application software, network encryption is invisible to the end users and operates independently of any other encryption processes used.
Net. Security in Work Place
• Businesses and organizations can utilize network encryption methods to ensure communications between local networks are confidential.
• One popular form of network encryption is IPsec, otherwise known as Internet Protocol Security.
– It includes a set of cryptographic tools to protect communications, encrypting each IP packet going between network systems.
– This includes communication through the router or the client.
Net. Security in Work Place
• Network encryption products and services are offered by a number of companies, such as Cisco, Motorola, and Oracle.
Net. Security in Work Place
• Companies and organizations should always have some form of data backup, so that all is not lost in the event of a network takedown or attack.
– A nightly data backup held on a separate server is a good method.
– IUP utilizes a nightly server backup onto an external server. This backs up e-mails and documents on IUP computers for recovery if needed.
Net. Security in Work Place
• Security policies also need to be revised over time.
• With new technologies being released every year, it’s important that network security policies are also updated.
• Policies should be updated to reflect any changes that are made in the company, to keep the work environment secure and operating efficiently.
– Ex: new server created, management, authorization, access
Net. Security in Work Place
• Depending on the work atmosphere and deadlines, technical staff tend to focus on performance, such as increasing throughput, rather than “secure” performance.
• Therefore, leadership must develop a nonintrusive program that keeps everyone aware of security and how to work to maintain the security of their networks and data.
• Three key components of this type of implementation are awareness, training, and education.
Net. Security in Work Place
• There are many past examples of network security being breached in a business or organization.
– According to zdnet.com, a technology news website, nearly half of all companies globally have been hit with a Distributed Denial of Service (DDoS) attack in the past year.
– A DDoS attack attempts to overload a company system, such as a web server, by sending so many communication requests that legitimate traffic cannot get through.
– While annoying, sometimes a DDoS attack can be a cover for a bigger crime. It was recently revealed that organized crime groups can use a DDoS attack against a company (such as a bank) to divert the attention of the security team while criminals plunder accounts using stolen credentials.
Net. Security in Work Place
• Another major recent security breach occurred in December 2013, on Target’s network.
– It’s speculated that this massive data breach may have resulted partly from the retailer’s failure to segregate systems handling sensitive payment card data from the rest of the network.
– Sources close to the investigation said the attackers first gained access to Target’s network with a username and password stolen from a Mechanical Services company.
– The attackers leveraged the access provided by the Mechanics company to move about undetected on Target’s network and upload malware programs on the company’s systems.
• This incident could have been avoided with proper network security auditing and planning measures. This is one of the many examples of how important network security policy can be in businesses and organizations.
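The Target account above is the case the Extranet Policy, the Requirements for Network Access Policy and the Audit Policy are written for: a third-party account should only ever reach the segment it was granted, and the audit should catch it reaching anywhere else. The script below is an added example, not part of the original slides or any real company's tooling: it checks constructed access records against an assumed zone policy and reports each violation. Zone ranges, account names and the record format are all constructed placeholders.

```python
import ipaddress

# Constructed network segments; placeholder ranges, not from any real network.
ZONES = {
    "vendor": ipaddress.ip_network("10.50.0.0/24"),       # third-party contractor systems
    "corp": ipaddress.ip_network("10.10.0.0/16"),         # employee workstations and servers
    "cardholder": ipaddress.ip_network("10.200.0.0/24"),  # payment card systems, segregated
}

# Assumed access policy: which account classes may reach which zones.
ALLOWED_ZONES = {
    "third_party": {"vendor"},
    "employee": {"vendor", "corp"},
    "payment_admin": {"corp", "cardholder"},
}

# Constructed account roster mapping each account to its class.
ACCOUNTS = {"hvac-contractor": "third_party", "jsmith": "employee", "pos-admin": "payment_admin"}

def zone_of(ip: str) -> str:
    """Map a destination address to its policy zone, or 'unknown' if outside every segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit(log_lines):
    """Check 'user src dst' access records against the policy; return (user, dst, zone, reason)."""
    findings = []
    for line in log_lines:
        user, _src, dst = line.split()
        zone = zone_of(dst)
        acct_class = ACCOUNTS.get(user)
        if acct_class is None:
            findings.append((user, dst, zone, "account not in roster"))
        elif zone not in ALLOWED_ZONES[acct_class]:
            findings.append((user, dst, zone, f"{acct_class} account reached a zone outside its policy"))
    return findings

# Constructed sample records in the form "user source destination".
SAMPLE_LOG = [
    "hvac-contractor 10.50.0.12 10.50.0.40",   # vendor account inside the vendor zone: allowed
    "hvac-contractor 10.50.0.12 10.200.0.5",   # vendor account reaching card systems: violation
    "jsmith 10.10.4.7 10.10.9.1",              # employee inside corp: allowed
    "ghost 10.10.4.8 10.200.0.9",              # account not in roster: violation
]

if __name__ == "__main__":
    for user, dst, zone, reason in audit(SAMPLE_LOG):
        print(f"{user} -> {dst} [{zone}]: {reason}")
```

Feeding the same check real firewall or VPN logs, and keeping the roster in step with the third-party connection agreements, turns the policy text into something that can be verified on a schedule rather than assumed.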
Net. Security in Work Place
• In 2014 Sony suffered a massive security breach.
• Hackers erased data from its systems, and stole and released to the public pre-release movies, private information and sensitive documents.
• The origin of the attack is not certain, but some speculate it was the result of an external network attack.
• Sony’s network security was insufficient, and it led to serious consequences for the company.
Net. Security in Work Place
• https://www.youtube.com/watch?v=r1czEe8zTCU
Sources
• Ciampa, Mark D. Security+ Guide to Network Security Fundamentals. Boston, Mass.: Thomson/Course Technology, 2005. Print.
• "Network Security Concepts and Policies." Security Policies. Cisco, 25 June 2014. Web. 30 Mar. 2015.
• Knoll, Jay (KARE-TV). "Target Poised to Settle Breach for $10 Million." USA Today. Gannett, 19 Mar. 2015. Web. 30 Mar. 2015.
• "Worst Security Breaches of the Year 2014: Sony Tops the List." Network World. Network World, 18 Dec. 2014. Web. 30 Mar. 2015.
• "Nearly Half of Companies Hit with DDoS Attacks in the Last Year." ZDNet. Zdnet.com, 30 June 2014. Web. 30 Mar. 2015.