
Thread: Security Policy

  1. #1
    Antionline's Security Dude instronics
    Join Date
    Dec 2002
    Posts
    901

    Post Security Policy

    Dear AO.

    This tutorial is all about creating a security policy. A security policy is the set of steps taken before you actually sit down in front of the computers/networks you intend to secure. In order to secure anything, you must know what has to be done. I hope this tutorial comes in handy for people who actually set up security. The following tutorial is based on the security policies that our company uses in order to secure companies.


    Useful information:

    1- Employee information is very critical and needs to be secured accordingly. This information should be secured through packet filtering and put under quarantine from the rest of the network.

    2- Information regarding taxes and such must be backed up for at least 10 years.

    3- Depending on how high the security is, it is wise to let only 1 party set it up, due to the many different styles, ways, and signatures that are used. There is no such thing as global security for all companies.

    4- There is no such thing as ready-to-use software that is installed and secures a network. Very careful security settings have to be made in order to secure data.

    5- An antivirus or a firewall on their own do not offer SECURITY! Downloading or buying a McAfee antivirus, or installing a ZoneAlarm firewall, will not protect you if other security implementations have not been made. There is more to security than programs.

    6- Security does not mean allow everything, and take out what "might be a risk". Security is to allow nothing and to put in only what is really essential. (That means taking away comfort).



    Security Policy :

    In order to define and create a security policy, the first step is to make a communications analysis. This analysis helps define which resources and services exist, and how their communication is to be controlled within the company.

    This procedure is often marked with the bottom of empty coffee cups and crystal balls, as it is one of the most confusing policies to create.

    After a successful communications analysis, a protection analysis is to be made. This analysis helps define what needs what kind of protection, and the loss in time, cost and material if security is breached.



    Communications Analysis:

    1) Which information may travel and/or be exchanged with which location? (eg. The office department should not allow data to be transferred to the sales department.)

    2) Which protocols are the data packets allowed to use in order to travel, and up to which host are they allowed to go? (The transfer protocol must be defined in order to maintain basic security and is essential for firewalling.)

    3) Which resources are to be made available to which users and what access rights does each user get? (eg. Printers, data on removable devices, removable devices such as cd-roms, floppy drives, sound cards, modems, fax systems, network interfaces, and system resources.)

    4) Which resources have to be available on which workstations? (It is very important to control which resources are available on which station; for example, the sales department should not have the same resources as a workstation in the office departments.)

    5) On which data does which user have what kind of access? (If there are many diff. users, it is not wise to specify all the permissions for each individual file; in this case the users will be put into groups, and the access rights specified for groups instead of users.)

    6) Which external users that have access to resources and data from the outside are there, and how is their access controlled? (It is important to have secure authentication modules for users. eg. How do I know that Mr. Smith on the other side of the connection is the person that he claims to be? This is also important for external companies that have access to the local data and resources. This kind of security policy must be present to maintain basic security.)

    7) Which resources does the company offer to the outside? (eg. Different servers such as www, ftp, mail, news etc..., but also online banking, purchase of goods, or even dial in methods.)

    8) How much bandwidth is to be used for what kind of connections? (If this is present in the policy, it will simplify future upgrades and estimates.)

    9) Which tasks are present that require external services? (It is important to be able to administer the system at low cost, so whether the administration can be done from the customer side or the service side must be set in the policy to avoid high costs. It is advisable to show the customers how to maintain certain tasks by themselves. This also prevents 3rd-party services gaining access to the system.)

    10) What limits do the users accept for the security implementations, and what understanding can come from their side? (This is based on the knowledge and understanding of each user. eg. Users must understand not to open email attachments if they are not 100% sure what the attachment is, rather than rely on software to guard this. Comfort can be replaced by understanding and knowledge.)

    11) Are any kind of filtering modules present on the net or on gateways for saved data? (eg. Virus control on gateways or mail servers. Hostile code in HTML, Java, and/or ActiveX. Illegal or pornographic material. All this must be filtered out before it reaches the single workstations to keep the "net" clean and secure.)

    12) Which requests are available to the individual resources? (Not every service in the company must be solely available. Therefore it is important to estimate the costs that arise if a service goes down.)


    Protection Analysis:

    1) Which users have access to which information? (Who is allowed to access what.)

    2) Which hosts have sensitive information? (It is not always wise to have 1 highly secured host on the net. It can sometimes be more expensive to have 1 high-security host than 10 lower-security hosts. Define the type of information and its importance for protection.)

    3) What different kind of security zones are present in the company? (This question is linked to points 1 & 2. Sensitive hosts can be put into different zones (security level groups). Define and create zones for the security policy.)

    4) What damage can occur if the security zones are breached? (This can easily be estimated if the security zones are clearly defined.)

    5) Upto what degree is the damage acceptable? (This question is linked to points 3 & 4.)

    6) Who might be suspected of attacks or hostile actions? (This is a very important issue, and makes perfect security almost impossible. Let us take a rather extreme example. Your company is the world market leader for phones, and is located in Germany. All other phone companies would be suspects for any kind of hostile actions. They might breach your security and use your systems as an attack ground for other systems, or to get sensitive information from or through you. Even if you are a small company, other companies who are in the same branch can use you to access 3rd-party systems and make you look responsible for any kind of attacks.)

    7) Which information might be of interest to outsiders? (This question verifies the zones and security levels that have been set in earlier points.)

    8) Which other risk factors are still open after our securing is complete? (This question can only be answered at the very end, once all the security policies have been analysed to their full extent. IF THIS POINT IS NOT SATISFACTORY, THEN RESTART THE COMMUNICATIONS AND PROTECTION ANALYSIS. IF THIS POINT IS SATISFACTORY, THEN MAKE IT OFFICIAL.)


    After the communications and protection analysis, you have enough information to start securing a company network or company computers. The forms below are an example that I recommend you fill out, so you and the customer know what's actually going on, since the analyses are confusing for people who are not very computer security literate. I will fill them in only with example information, so you get the general idea of these forms. My example will be based on a company (this does not exist; it's a fantasy company just to give examples of the meanings of these forms) which has 3 servers, and 10 workstations divided into 4 rooms. 1 room is where the servers are located, 2 rooms are for the normal company users, and the last room is for the general manager's office. (Everything I put into (brackets) is the example information.)


    1)
    Security of network components: State of rooms and physical access to systems.

    Current situation: (All rooms are open, and sometimes the rooms are empty. The computers in these rooms are not protected at all, no screen savers, no logon passwords.)
    To be situation:

    Tasks to be done: (Make sure that once the last user leaves the rooms, they lock the door behind them. Also use passwords before logging in to the computers, and/or use screensavers with passwords. Make sure to password protect the BIOS, so the boot sequence cannot be changed.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)


    2)
    Security of network components: State of connections within the company and defined access.

    Current situation: (Any computer can log in to any station or server without any means of authorization.)

    To be situation: (Every time a user remotely connects to any other host or server within the company, they should be asked for authorization.)

    Tasks to be done: (Create user and/or group accounts on hosts and servers. Make sure that the users understand why this is being done. Make sure that there is a strong password policy in place. Make sure that every remote connection requires a username and a password.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)


    3)
    Extra security of network components: What protection measures are there for power failures.

    Current situation: (Every time the power fails, all the computers and servers go off, losing any unsaved information.)

    To be situation: (In case of a power failure, there should be enough time to save changes and power off the computers and servers. This can also be automated in case no users are there to do so.)

    Tasks to be done: (Provide UPS to all critical stations and servers + configure the automation process to save and power down if users are not at hand to do so manually.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)


    This one might be a bit exaggerated, but don't forget that these forms are the ones we use at work. I have made these forms knowing of the dangers that can occur from system downtime.

    4)
    Extra security of network components: What protection measures are there for fire outbreaks.

    Current situation: (If there is a fire, then everything will BURN :D )

    To be situation: (Make sure that the computers and servers have enough ventilation, make sure that they are placed on a hard surface (no carpets or magazines under or on top of the machinery), fire extinguishers in all the rooms that have computers.)

    Tasks to be done: (Make sure that the computers and servers have enough ventilation, make sure that they are placed on a hard surface (no carpets or magazines under or on top of the machinery), fire extinguishers in all the rooms that have computers.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)

    5)
    Extra security of network components: What backup policies are there, and how are the backups checked to see if they are usable.

    Current situation: (Backups.... what's dat :p )

    To be situation: (All work done on the computers has to be backed up daily, weekly, and monthly.)

    Tasks to be done: (2 choices here: 1 - make sure that every station/server has the possibility to back up directly to CD or Zip. 2 - Put a backup server in the network that is only connected to the LAN during backup procedures.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)


    6)
    Extra security of network components: What confirmation policies exist for software updates, patches, and security holes in software and hardware.

    Current situation: (They still have ancient software with all their bugs and ****)

    To be situation: (All software must be up to date at all times, and must be secured against exploits.)

    Tasks to be done: (Update everything that's out of date, and also explain to the admin in charge how to stay up to date on everything.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)


    7)
    Extra security of network components: What protection is present against viruses and other hostile code.

    Current situation: (None whatsoever)

    To be situation: (Since the users have no idea about this subject, you have to set up the system in a way that it will also include protection against user errors.)

    Tasks to be done: (Install antivirus software on all the hosts/servers, and on the machine that gives access to the internet. Also disable in browsers any ActiveX controls and, if not needed, even Java. Also deactivate HTTP links that point to the local system.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)

    8)
    Documentation security of network components: What kind of logging policies are present.

    Current situation: (No logging procedures have been done so far)

    To be situation: (Logging of what leaves the LAN to the internet and vice versa)

    Tasks to be done: (Make sure that the router logs traffic, as well as proxy logging.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)

    9)
    Extra security of network components: What state and what documentation is there for the present network cables/lines and plugs.

    Current situation: (All the wiring is in the open and spread all over the place. No one knows which cable on the hub leads where.)

    To be situation: (No wires or cabling must be visible or accessible. Also label the cables on the hubs.)

    Tasks to be done: (Make sure the cables and wires are placed inside tubes and/or under special wire cases. Label all cabling on the hubs, so you know which cable is connected where.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)

    10)
    Extra security of network components: What kind of security tests have been done and how have they been done.

    Current situation: (None so far)

    To be situation: (Make sure that security tests are performed, and make a schedule for future testing.)

    Tasks to be done: (Using ping, traceroute, ethereal, john, netstat, saint, nessus, nmap, netcat, and a few other tools, try to find out as many weaknesses as you can and fix them. Also in this case, if the customer wishes, let him get a 3rd party to test security.)

    Date: (The date that what has been done so far is known)

    Responsible party or person: (That's gonna be YOU ;) )

    Estimated costs, and time needed to complete: (Estimate how many people and how much time and equipment this will take, so the customer has an idea of what this whole thing is going to cost.)

    Done/confirmed: (Date and signature from the customer that the "Tasks" have been accomplished.)



    These are our basic forms that we abide by when securing systems. Under the "estimated costs.....etc" you will see that I have always said to estimate this information. An example here would be: 2 people, everyone works for 4 hours, so you have 4 labour work hours. The material you put in, and the time you need to get there and back again.

    Now then..... the analysis can be charged to the customer, since it is a process that requires time and manpower as well. Note that I said "can" be charged. This is not a must, depending on your sales policy.

    I hope that this is a good guide for people who intend to sell security, and what they have to know and do.


    Good luck to all the security admins out there on AO.

    Cheers.
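    The communications analysis above (which information may travel between which locations, over which protocol, and point 6 of the "useful information": allow nothing and add only what is essential) can be written down as a default-deny matrix and then checked against what the router and proxy logs (form 8) actually show. The following is an added example, not code from the original post or from the author's company; the zone names, permitted flows and observed log entries are constructed for the post's fantasy company.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# One row of the communications analysis: information may travel from
# src_zone to dst_zone only over this protocol/port (questions 1 and 2).
@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    protocol: str
    port: int


@dataclass
class CommunicationsPolicy:
    """Default-deny: a flow is allowed only if it was explicitly permitted."""
    zones: Set[str]
    allowed: Set[Flow] = field(default_factory=set)

    def permit(self, src: str, dst: str, protocol: str, port: int) -> None:
        for zone in (src, dst):
            if zone not in self.zones:
                raise ValueError(f"unknown zone {zone!r}; define zones first")
        self.allowed.add(Flow(src, dst, protocol.lower(), port))

    def is_allowed(self, src: str, dst: str, protocol: str, port: int) -> bool:
        return Flow(src, dst, protocol.lower(), port) in self.allowed

    def audit(self, observed: List[Tuple[str, str, str, int]]) -> List[Flow]:
        """Return every observed flow that the policy never permitted."""
        return [Flow(s, d, p.lower(), port) for (s, d, p, port) in observed
                if not self.is_allowed(s, d, p, port)]


def build_example_policy() -> CommunicationsPolicy:
    # Hypothetical zones for the post's fantasy company (constructed).
    policy = CommunicationsPolicy(zones={"office", "sales", "hr", "servers", "internet"})
    policy.permit("office", "servers", "tcp", 445)   # file shares on the servers
    policy.permit("sales", "servers", "tcp", 445)
    policy.permit("office", "internet", "tcp", 443)  # web access via the proxy
    policy.permit("sales", "internet", "tcp", 443)
    policy.permit("servers", "internet", "tcp", 25)  # outbound mail only
    # Nothing is permitted to or from "hr": employee data stays quarantined.
    return policy


# Constructed sample of flows, as a router/proxy log would record them.
OBSERVED_FLOWS = [
    ("office", "servers", "tcp", 445),
    ("office", "sales", "tcp", 445),      # office -> sales data transfer
    ("sales", "hr", "tcp", 445),          # reaches quarantined employee data
    ("sales", "internet", "tcp", 443),
    ("office", "internet", "udp", 53),    # DNS not going through the gateway
]


def audit_example() -> List[Flow]:
    """Flows in the sample log that the analysis did not permit."""
    return build_example_policy().audit(OBSERVED_FLOWS)


if __name__ == "__main__":
    for violation in audit_example():
        print("not permitted by policy:", violation)
```

    Anything the audit reports is either a missing row in the communications analysis or traffic that the firewall rules should already be blocking; either way it goes back into point 8 of the protection analysis before the policy is made official.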

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Although this is an excellent document, I don't believe it accurately describes a security policy. A true policy is a VERY high level document that simply outlines the management directives. For this reason, a security policy is usually written and approved by senior level management.

    What you are indicating here would fall more into the categories of either a standard, procedure, or guideline (it is a mix of all of them). Not that it is not important, because it is very important, but I just want to make sure everyone knows the difference. This is classic CISSP stuff.

  3. #3
    Senior Member
    Join Date
    Nov 2002
    Posts
    482
    You have to be careful, because usually the employee has to sign this, and I make a point never to sign anything unless I have read everything including the fine print. Making something this detailed makes it hard to understand and conceive. A good post nonetheless.
    - Trying is the first step towards failure. The moral is never try.
    - It's like something out of that twilighty show about that zone.
    ----Homer J Simpson----

  4. #4
    Antionline's Security Dude instronics
    Join Date
    Dec 2002
    Posts
    901
    Oh, I know this is only a basic policy. I don't have the skills, nor the authority, to actually post a senior level management policy. You see, here where I live the largest company around has no more than 40 - 50 stations in a LAN. So for smaller companies or for our area this basic policy is enough. By no means is this policy meant to be used on LARGE companies. Although I would love to get my hands on a much more advanced policy. But these policies are very hard to come by, and are expensive. On the internet I have not found 1 complete advanced policy yet, as they all want money for it. Cheers anyways invictus on your comments. I agree with them wholeheartedly.

    Cheers.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I'm currently working on an enterprise policy. When I am done, I will post it in the Network Security Forum. It may be a little while, but at least I can get some feedback from AO members. It should also be a good policy for people to modify for their needs. I will, of course, remove any identifying verbiage as to our branch of Govt. ;-)
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Senior Member
    Join Date
    Aug 2001
    Posts
    233
    Well, I have had to put together two different security policies for the past two companies I have worked for. One of the best resources I have found to date (for a general high level overview with nice examples) is from SANS. Check out the link here:


    http://www.sans.org/resources/policies/




    El Diablo

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Originally posted here by instronics
    Oh, I know this is only a basic policy. I don't have the skills, nor the authority, to actually post a senior level management policy. You see, here where I live the largest company around has no more than 40 - 50 stations in a LAN. So for smaller companies or for our area this basic policy is enough. By no means is this policy meant to be used on LARGE companies. Although I would love to get my hands on a much more advanced policy. But these policies are very hard to come by, and are expensive. On the internet I have not found 1 complete advanced policy yet, as they all want money for it. Cheers anyways invictus on your comments. I agree with them wholeheartedly.

    Cheers.
    Basically what I am saying is what you provided here is way too much detail for a policy. A policy is usually no more than a couple pages long when it is finished.

    What you have outlined is an excellent document for creating a security standard. As you may or may not know, there is a distinct difference between a standard and a policy.

    Don't get me wrong, I love what you have provided in this post, just wanted to correct the wording used. I work for a very large credit services organization, so I am blessed in the sense that I have access to some very well written policies as well as standards. I will try to post a sample of one of them once I get a chance to sanitize it, because as you know, these types of docs can be highly confidential.

  8. #8
    Antionline's Security Dude instronics
    Join Date
    Dec 2002
    Posts
    901
    Thanks for your kind words invictus, I see what you mean. I hope to see one of your policies soon, knowing that this kind of information is hard to come by and highly confidential.

    The horse: I also hope to see yours.

    I find it interesting to see others bring up their policies, just to get an idea what people use around the globe. It may well differ from admin to admin, country to country etc...

    By the way EL_diablo... nice link you posted. Thanks a lot.


    Cheers everyone
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"
