MET CS 654 - Network and Software Security--Fall 2006
Download
Report
Transcript MET CS 654 - Network and Software Security--Fall 2006
Lecture 13
Copyright © 2015 Stuart Jacobs
1
InfoSec Policies Revisited
• ISO/IEC 27001 & 27002 discuss InfoSec governance policy as a
single document
• A single policy document typically results in a large document
• Size of organization will dictate:
– Single organizational InfoSec governance policy document or
– Multiple policy documents
•
Possible Typical Tier 1 policies:
Employment
Conflict of Interest
Performance management
Information Security
Workplace Security
Records Management
Copyright © 2015 Stuart Jacobs
Employee Standards of Conduct
Procurement and Contracts
Employee Discipline
Corporate Communications
Business Continuity Planning
2
Possible Tier 2 & Topic Specific InfoSec Policies
• Possible Typical Tier 2 policies:
Security Organization
Asset Classification and Control
Computer & Network Management
Electronic Communications
Compliance
Anti-Virus/Malware Policy
Personnel Security
Physical and Environmental Security
System Access Control
Business Continuity Planning
E-Mail Security
Acceptable Use of the Internet
Systems Dev. & Maintenance
• Topic Specific Policy
Internet Security
Information Protection
Information Classification
Mobile and Tele-computing/commuting
Application Access Control
Data and Software Exchange
Network Access Control
Information System Operations
User Access
Customer Access
Passwords and Authentication
Public Key Infrastructure and Digital Certs
Workstation and Laptop Security
PDA and ‘Smartphone” Security
Internet Accessible
System Security
Firewalls and Intrusion Detection-Prevention
Copyright © 2015 Stuart Jacobs
3
Recommended InfoSec Policies
• Advisable to limit number of InfoSec policy documents
• Organize these documents around related activity areas, for example:
– Human Resources and Personnel InfoSec Policy document
spanning:
•
•
•
•
•
•
Employment
Employee Standards of Conduct
Conflict of Interest
Employee Discipline
Personnel Security
Employee Security Training
– Legal and Financial InfoSec Policy document spanning:
•
•
•
•
•
•
Procurement and Contracts
Performance management
Information Security
Corporate Communications
Workplace Security
Records Management
Copyright © 2015 Stuart Jacobs
4
Recommended InfoSec Policies, continued
• General InfoSec Governance Policy document spanning:
Asset Classification and Control Physical and Environmental Security
Workstation and Laptop Security PDA and ‘Smartphone” Security
Business Continuity Planning
Compliance
Information Protection
Information Classification
Business Continuity Planning
Internal and External Auditing
• Information Technology and Operations InfoSec Policy document spanning:
System Access Control
E-Mail Security
Anti-Virus/Malware Policy
Electronic Communications
Mobile and Tele-commuting
Data and Software Exchange
Information System Operations
Customer Access
Passwords and Authentication
Firewalls and IDS-IPS
Copyright © 2015 Stuart Jacobs
Computer and Network Management
Systems Development and Maintenance
Acceptable Use of the Internet
Internet Security
Application Access Control
Network Access Control
Internet Accessible System Security
User Access
Public Key Infrastructure and Digital Certificates
5
Recommended InfoSec Policies, continued
• General InfoSec Governance Policy document spanning:
Asset Classification and Control
Workstation and Laptop Security
Business Continuity Planning
Information Protection
Business Continuity Planning
Physical and Environmental Security
PDA and ‘Smartphone” Security
Compliance
Information Classification
Internal and External Auditing
• IT and Operations InfoSec Policy document spanning:
Computer and Network Management System Access Control
Systems Dev. and Maintenance
E-Mail Security
Anti-Virus/Malware Policy
Acceptable Use of the Internet
Electronic Communications
Internet Security
Mobile and Tele-commuting
Application Access Control
Data and Software Exchange
Network Access Control
Information System Operations
Internet Accessible System Security
User Access
Customer Access
Passwords and Authentication
Firewalls and IDS-IPS
Public Key Infrastructure and Digital Certificates
Copyright © 2015 Stuart Jacobs
6
Not to be forgotten!
• All employees should have access to enterprise
InfoSec governance policy documents
• These documents state how:
– InfoSec governance is to be accomplished
– Allocates responsibilities to specific groups and suborganizations
• All enterprise employees should be briefed on the
enterprise InfoSec governance policies on an
annual basis
Copyright © 2015 Stuart Jacobs
7
InfoSec Policies Drive Operational Procedures
Human Resources (HR)
and
Personnel InfoSec Policy
Legal and Financial
InfoSec Policy
General InfoSec
Governance Policy
Copyright © 2015 Stuart Jacobs
HR and Personnel
InfoSec
Requirements
·
·
·
·
Employee Discipline Procedures
Employee Background Checks
HR PII Access Procedures
New Hire In-processing Procedures
Legal and
Financial InfoSec
Requirements
·
·
·
·
·
·
Statute & Regulation Analysis Procedures
InfoSec Liability Analysis Procedures
Procurement Security Procedures
Contracts InfoSec Clauses
Records Mgt. InfoSec Procedures
E-Funds & Cash Mgt. Security Procedures
·
·
·
·
·
·
·
·
·
·
·
·
·
·
Security Briefing Procedures
Security Training Procedures
Asset Classification Procedures
Asset Control Procedures
Business Continuity Procedures & Plans
CIRT Procedures & Plans
Mgt. InfoSec Oversight Team Procedures
Internal Audit Procedures
External Audit (Compliance) Procedures
Physical Security Procedures
Environmental Security Procedures
Information Classification Procedures
Mobile Device Usage Security Procedures
(National Industrial Security and FSO)
Procedures
CSO Security
Governance
Requirements
8
InfoSec Policies Drive Operational Procedures
IT Development InfoSec
Policies
Copyright © 2015 Stuart Jacobs
IT Development
InfoSec
Requirements
·
·
·
·
·
·
·
·
·
InfoSec Requirements Analysis Procedures
InfoSec Design Analysis Procedures
InfoSec Documentation Procedures
Security Code Review Procedures
Security Unit Testing Procedures
Security System Testing Procedures
Security Regression Testing Procedures
Security Acceptance Testing Procedures
Code Library Security Procedures
9
InfoSec Policies Drive Operational Procedures
Operations InfoSec
Governance Policy
Copyright © 2015 Stuart Jacobs
Operations
Security
Governance
Requirements
Network:
· Access Control OAM&P Security Procedures
· F/W, IPS, IDS OAM&P Security Procedures
· Device OAM&P Security Procedures
End Node:
· Op. System OAM&P Security Procedures
· Application OAM&P Security Procedures
· F/W, IPS, IDS OAM&P Security Procedures
· Anti-malware OAM&P Security Procedures
Services
· E-Mail OAM&P Security Procedures
· Directory Security Procedures
· SAN Security OAM&P Security Procedures
· Virtualization OAM&P Security Procedures
· PKI OAM&P Procedures
· Remote Authentication OAM&P Procedures
Activities
· Help Desk Security Procedures
· Production Readiness Security Procedures
· Internet Security Procedures
· Password and Security Token OAM&P Procedures
· Internal and External Audit Procedures
· Mgt. System Security Procedures
· Security Operations Center OAM&P Procedures
· Data & S/W Exchange Security Procedures
· Mobile & Tele-commuting Security Procedures
· Computer Incidence Response Team Procedures
· Disaster Recovery Security Procedures
10
Operational InfoSec Compliance
An Operational Security Compliance Program is:
• not your full security program
• a program that communicates, tracks/monitors how well
you are measuring to your compliance statements
Major Phases
Report, Monitor &
Improve
Policies, Standards &
Procedures
Requirements
Tools & Processes
Copyright © 2015 Stuart Jacobs
11
InfoSec Compliance Policies & Standards
• Organizational InfoSec Policies
•
•
•
•
•
Articulate security requirements
Should be ‘timeless”
Independent of technology (as much as possible)
Reviewed annually
Good “free” reference/source is the Sans Policy Project:
http://www.sans.org/resources/policies/
• Driving Standards & Legislation + Regulations
•
•
•
•
•
HIPAA (Health Insurance Portability and Accountability Act of 1996)
SOX (Sarbanes-Oxley Act of 2002)
PCI DSS (Payment Card Industry Data Security Standard)
PII Laws (now 46 states have enacted these laws)
FISMA (Federal Information Security Management Act of 2002)
Copyright © 2015 Stuart Jacobs
12
InfoSec Security Compliance Procedures
• Articulate security requirements
• More detailed, these procedures need to be followed by
operations personnel
• Technology or process specific
• Reviewed annually, or as technology changes
• Good “free” reference/source:
National Institute of Standards and Technologies (NIST)
http://csrc.nist.gov/publications/PubsSPs.html
Center for Internet Security (CIS) – Guides
http://www.cisecurity.org/)
Microsoft Developer Network (MSDN)
http://msdn.microsoft.com/en-us/library/ms998408.aspx)
Copyright © 2015 Stuart Jacobs
13
InfoSec Compliance Frameworks
• ISO 27001/27002
• Comprehensive security governance process including operational
compliance verification to policies and requirements
• Control Objectives for Information Technology (COBIT)
• set of best practices for IT management
• created by the Information Systems Audit and Control Association
(ISACA), and the IT Governance Institute (ITGI) in 1996
• Set of generally accepted measures, indicators, processes and best practices
for developing appropriate IT governance and control in a company.
• NIST
• FISMA Implementation Project
http://csrc.nist.gov/groups/SMA/fisma/index.html
• Provides guidance for:
• selecting appropriate security controls for information systems
• assessing security controls and determining security control
effectiveness
Copyright © 2015 Stuart Jacobs
14
Security Compliance Planning
• Identify what is critical
• Information the organization depends on
• Applications the organization depends on
• Understand the way data flows through the organization,
namely who and what touches the data when, where and
why
• Determine & Document
• Who:
roles & responsibilities
• What:
critical, non-critical?
• When: how often to run
• How:
to report, fix
Copyright © 2015 Stuart Jacobs
15
Security Compliance Tools & Checklists
• Better to automate as much compliance checking as possible
• Center for Internet Security (CIS) – Benchmark Tools
http://www.cisecurity.org/
• e.g., Nessus, SATAN, SAINT, Nmap, SEM, SIMs, PHLAK
• If you can’t automate, make it easy with checklists
• Easy to understand and applicable to specific technology or process
• NIST Available Checklists cover
·
Antivirus software
·
Applications servers
·
Configuration management software
·
Malware
·
Desktop applications
·
Desktop clients
·
Directory services
·
DNS servers
·
Email servers
·
Encryption software
·
Enterprise applications
·
General purpose servers
·
Handheld devices
·
Identity management
·
Database management systems
·
Network switches
·
Network routers
·
Multi-functional peripherals
·
Office application suites
·
Operating systems
·
Peripheral devices
·
Security servers
·
Firewalls
·
Virtualization software
·
Web browsers
·
Web servers
·
Wireless email
·
Wireless networks
• Security Checklist for Web Applications Architecture MSDN
http://msdn.microsoft.com/en-us/library/ms998408.aspx
• DoD Information Assurance Support Environment
http://iase.disa.mil/stigs/checklist/index.html
Copyright © 2015 Stuart Jacobs
16
National Checklist Program
• http://web.nvd.nist.gov/view/ncp/repository
• Very extensive coverage of:
– Specific products and versions
– Manufacturers
– Product categories
• “A checklist might include any of the following:
Configuration files that automatically set various security settings
(standard XML format such as that utilized in the SCAP,
executables, security templates that modify settings, and scripts);
Documentation (for example, a text file) that instructs the checklist
user how to interactively configure software to recommended
security settings;
Documentation explaining the recommended methods to securely
install and configure a device; and
Policy documents that set forth guidelines for such things as
auditing, authentication security (for example, passwords), and
perimeter security.” (http://csrc.nist.gov/groups/SNS/checklists/)
Copyright © 2015 Stuart Jacobs
17
Security Compliance Report, Monitor & Improve
• Reporting
• 1st run can be overwhelming, gets better over time.
• “Good, bad and the ugly”.
• “bad” items – a documented get well plan needed
• “ugly” items – exception process with justification,
approval and mandatory annual review/signoff. Ensure
risk rating is included!
• Monitoring
• Look for steady improvements.
• Trends analysis (early warnings or change in requirements?)
Copyright © 2015 Stuart Jacobs
18
Review 1
• Security is always about cost of security measures
vs. benefit of measures (degree of protection)
• Start with identifying business drivers (Laws,
Regulations, Competition, Technology, Criminal
activity, etc.)
• Security is just one part of overall business
management and quality assurance, have well
documented business processes and organizational
structure (such as ISO-9001, CMMI)
• Within general business processes include a well
thought out security governance program (such as
ISO-2701)
Copyright © 2015 Stuart Jacobs
19
Review 2
• Develop security policies spelling out:
– who (individuals and groups) are responsible for assets
(information, processes, elements, etc.)
– who is allowed to interact with assets
– Inventory assets, their value, the degree of control or
protection required
• Identify and define security requirements
– first high level then decompose into finer grained detailed
requirements
– Allocate requirements to systems, processes, people
• Prepare Vulnerability-Threat-Risk Analyses
– Vulnerability exposures and duration
– Threat agents, likely-probable attack vectors, damage levels
– Risk probabilities (qualitative, quantitative)
Copyright © 2015 Stuart Jacobs
20
Review 3
• Security services and example mechanisms
– Authentication
• Peer-Entity (Who/what sent or originated message or data)
– Asymmetric encryption
• Data-Origin (Where did message or data come from)
– Asymmetric or symmetric encryption, keyed hash
• User (What human subject is accessing asset or element)
– Factors (Have, Know, Biometric, Tokens)
– Authorization
• Access controls for assets (elements &information within elements)
– ACLs, Access bits, groups, roles, physical
• Access controls for communication between elements
– Packet Filter, DPI, proxies, media types (i.e., fiber)
• Access controls to communications infrastructures
– 802.1X, DHCP option 90, physical
Copyright © 2015 Stuart Jacobs
21
Review 4
• Security services and example mechanisms (cont.)
– Integrity (Information, Data)
• Lipner requirements
• Clark-Wilson security model
– Confidentiality
• Information at rest
– Symmetric encryption, access controls
• Information in transit
– Symmetric encryption by protocol layer (IPsec, TLS…, XML)
• Communications activity
– Specialized link level symmetric encryption & traffic padding
– Non-repudiation
• Of sender (digital signatures on sent/created information)
• Of receipt (digitally signed return receipts)
Copyright © 2015 Stuart Jacobs
22
Review 5
• Platform hardening
– Keep production separate from development
– Production Systems
•
•
•
•
•
•
Remove development tools & utilities
Require strong user authentication
Disable default accounts
Install anti-malware (virus, spyware, trojans, root-kits) tools
Enable logging and audit/review logs
Use configuration validation (i.e., tripwire, etc.)
– Development Systems
•
•
•
•
Require strong user authentication
Disable default accounts
Install anti-malware (virus, spyware, trojan horses, root-kits) tools
Enable logging and audit/review logs
Copyright © 2015 Stuart Jacobs
23
Review 6
• Network hardening
–
–
–
–
–
Sub-divide intranet into sub-LANs (subnets)
Deploy routers/firewalls at subnet boundaries
Only use securable wireless (WPA or 802.11i)
Control access at layer 2 (802.1X preferred)
Use DMZ with separate external and internal firewalls and
consider using:
• Intrusion Protection Systems
• Split DNS
• Application proxies for HTTP, FTP, Email
– Use IPsec ESP-nul instead of keyed MD5
(within TCP, SNMP, OSPF, BGP, NTP, etc.)
– Use IPsec IKE-ISAKMP for symmetric key management
– TLS, SSL, DTLS always encrypt
Copyright © 2015 Stuart Jacobs
24
Review 7
• Operations hardening
–
–
–
–
–
–
–
Have documented operations procedures
Do not share passwords/accounts
Use separate log systems (i.e., syslog)
Have business continuity plans (and test them)
Do regular backups, store off-site, test for restoration
Perform periodic compliancy reviews and audits
Preferable to use trained and certified in-house
personnel for vulnerability and penetration testing
• All operations activities need be consistent with,
and traceable back to, security policies and
security requirements
Copyright © 2015 Stuart Jacobs
25
Exam Preparation needs to include, but not limited to:
• Which security mechanisms/controls provide
which security services
• Various parts of IPsec, especially its modes and
transforms
• Limitations and capabilities of other network
security mechanisms/controls/protocols
• Security limitations of various application
frameworks
• Difference between security management and
managing security
• General concepts of risk management, analysis
and mitigation
• Platform hardening
Copyright © 2015 Stuart Jacobs
26
Questions???
Copyright © 2015 Stuart Jacobs
27