Creating Security =
One of the core principles in = Information=20 Security is adherence to the organization’s security policy. = After=20 attending SANS training or other security classes we return to = work with=20 an eagerness to move forward with hardening servers, tightening = firewalls,=20 and implementing intrusion detection systems. As our first step, = of=20 course, we identify our need to comply with the existing security = policy.=20 So we begin our search to see if we even have a security = policy,=20 and end up dusting off an old notebook we found on a shelf = somewhere. What=20 we find may not even be applicable to our current environment, is = so=20 generic that it’s woefully incomplete, or has become totally = out of date.=20 What do we do next? This paper shows the reader some steps we have = taken=20 on our continuing journey towards a full set of security policies = and=20 procedures.
Revising the Policy
What do we do if the current = security policy is=20 incomplete or out of date? In our case I spoke with my Director = and shared=20 the vision with her of how important it was to update our current=20 Electronic Use Policy. She was quite receptive, already being = familiar=20 with the critical role played by such a document. It was clear = that the=20 current Electronic Use Policy would need to be significantly = revised and=20 enhanced to cover acceptable use of resources, greater levels of = security=20 awareness, and increased user involvement.
We needed to expand the scope of = what the=20 current policy covered, and to ensure that all 2500 employees knew = what=20 was in it. To accomplish that we would have to find an effective = way to=20 educate each person, and to verify that everyone knew what was = expected of=20 them in maintaining compliance. Rewriting the policy to cover = every=20 identified vulnerability, publishing it to users, and testing for=20 compliance seemed to present quite a daunting task, when what we = really=20 wanted to do was to get started making our environment more = secure. Where=20 do we start?
As it turned out we were able to = begin working=20 both issues concurrently. Implementing several server fixes would = not=20 violate any current policy, so we were able to begin hardening = certain=20 aspects of our enterprise even as we started updating our = documentation.=20
Since the previous security policy = didn’t=20 address as broad a scope as what we need now, we decided to = temporarily=20 set aside the older document and begin to produce a new one. = Information=20 Systems had been charged with developing the original policy years = earlier, so after speaking with the Legal Department and Human = Resources I=20 simply began to write what came to mind. This became something of = a=20 free-form brain dump of concepts and ideas learned in the SANS = Security=20 Essentials curriculum and elsewhere. After a few rounds of this = core dump=20 I went back and began to refine the sections and wording. As time = allowed=20 I added to and modified different portions of the document, but = was unable=20 to devote full attention to it while balancing urgent work on all = our=20 other active projects.
An observation here: Whereas = security policies=20 must address the three foundational concepts of ensuring = confidentiality,=20 integrity, and availability, they are also designed to create end = user=20 awareness and participation. With this in mind it is logical to = include=20 other related matters in which we need user education. As we work = through=20 the process of creating security policies we will also focus on = areas that=20 may not seem to affect the "big three" security aspects directly, = but are=20 very important for the overall health of the organization. These = will=20 include acceptable use policies for the equipment, data, email, = Internet,=20 and others as needed. As we will see in a moment these can cause=20 significant liability problems if not handled carefully, and do = fit in=20 naturally with an instructional program on password selection, use = of=20 non-approved software, and social engineering.
During the writing process I was = eventually=20 able to go back and directly consult the SANS coursework where we = find=20 eight important topics that should be included in a good security=20 policy.
Some of these sections I had = included, and=20 others need to be added still. It is definitely a work in=20 progress.
For further input I consulted an = excellent book=20 by Michael R. Overly called e-policy How to Develop = Computer,=20 E-Mail, and Internet Guidelines to Protect Your Company and Its=20 Assets. Mr. Overly very concisely covers numerous important = issues.=20 One suggestion is that the policy should state that "personal" = computers=20 and the data stored on them actually belong to the company, and = that=20 employees do not have an assumed right to expect privacy in what = they=20 create on the computer or send through an email system. The policy = also=20 needs to explain that the organization will be regularly or = randomly=20 monitoring network activity, including email, and that the purpose = of=20 users having secret passwords is not for their privacy, but to = provide=20 security for the company’s data. He even emphasizes the = importance of=20 maintaining the corporate culture in a way that does not belie = what is=20 expressly stated in the policy. In other words, if staff members = or=20 management speak or act in ways that suggest their computer work = or emails=20 are private it may weaken the company’s position if someone = were to file=20 an invasion of privacy lawsuit. By explicitly stating in the = policy that=20 the organization has the right to monitor emails and other network = traffic, and not undermining that understanding through subsequent = actions, an organization should be able to avoid privacy disputes. =
In the creation of all policy = documents be sure=20 to consult your attorney, the user community, human resources = department,=20 and perhaps the local bargaining unit as advised. Also, please = understand=20 that this paper in no way should be construed as providing legal = advice or=20 covering every pertinent issue.
Proactive = Monitoring
In addition to privacy issues, = there is also=20 the matter of "harmful material" entering the workplace. Items = such as=20 pornography or jokes in poor taste can create a hostile work = environment.=20 If someone in the office becomes offended by something they see or = hear as=20 a result of someone else’s email or Internet experience they = may file a=20 harassment lawsuit against the company. Filtering programs, from = companies=20 such as Surfcontrol and Websense, are available to block = URL’s, or to=20 monitor for combinations of words and phrasings within email = traffic=20 itself that might indicate offensive jokes and stories. =
The usage of email is an entire = issue in=20 itself. There are many ways email can be used to cause a company = great=20 distress in the event of a lawsuit, or can force expensive = discovery=20 processes to reconstruct an electronic "paper trail." Well-written = policies covering email classifications and retention are becoming = extremely advisable. Attorney Jim Bruce is quoted by = Infoworld on=20 cnn.com as saying "’If a company is sued, it is routine for = the other=20 party to ask the company to produce all their records [on the = subject],=20 including e-mail,’ Bruce says. ‘E-mail is a really = juicy target because it=20 can be searched by keyword.’"
Network and email filtering and = monitoring=20 technologies can be a very significant investment in time, = hardware,=20 software, and recurring maintenance costs for URL and other = updates, but=20 it is probably worth the expense. Compared to the potential legal=20 liability for failing to ensure a harassment-free workplace it = will likely=20 be a bargain well worth the cost.
Using hardware and software = filtering tools are=20 good techniques a company can employ to protect its workers and = itself,=20 but there is further caution. If a company has such systems in = place, but=20 fails to act promptly and fairly on violations to the acceptable = use=20 policy, the organization can be held liable for failing to perform = due=20 diligence to remedy the situation. In other words, if you = don’t respond=20 quickly enough to document and enforce appropriate discipline for = any=20 violations you may still be held liable. It becomes, then, = extremely=20 important to properly implement and execute the policies and = procedures in=20 a way that provides maximum effect. This also emphasizes the = importance of=20 an organization adequately funding such an effort, including the = on-going=20 costs for personnel and their training in support of these=20 tools.
Whew! The more I studied on the = topic of=20 policies and their legal ramifications, the more I realized I had = no=20 desire to continue writing the stinkin’ things. I really = just wanted to=20 make the operating systems and network more secure.
Somewhat overwhelmed and = discouraged I set this=20 project aside and resumed my other daily tasks, which of course = includes=20 reviewing security bulletins. In a recent release of the SANS = Newsbites I=20 found an ad declaring "Write Your Information Security Policies in = a Day!"=20 Hoping for the best I decided to contact Pentasafe to see what = they had to=20 offer. I was very impressed.
The link referenced in the = Newsbites article=20 took me to a page introducing Pentasafe’s VigilEnt Policy = Center (VPC),=20 which then led to subsequent links describing key features and = benefits.=20 The product apparently comes with pre-built security templates = written by=20 Charles Cresson Wood, an expert in the security field, and which = are=20 accessible through a wizard application that steps you through the = policy=20 creation process. According to their statements you can have a = draft=20 security policy prepared in about a day. That sounds good to=20 me.
A quick note: This paper is not = intended to be=20 a product review, but was created to share with the reader some of = the=20 steps and thought processes our organization is going through to = update=20 our security policies. I hold no stake in Pentasafe, and have not = even=20 seen a demonstration of VPC yet. I have requested one from the = vendor and=20 am looking forward to determining if this product will help = simplify our=20 task. If VPC works as well as claimed I plan to consider = incorporating it=20 into our environment, provided funding becomes available. We have = a=20 significant budget process to work through, so this may not be = feasible=20 right away. As I share with the reader some additional features = claimed=20 for this product, it should become apparent how they might prove = helpful=20 in the enterprise.
Publishing the = Policies
In addition to creating and editing = security=20 policies there must be an effective mechanism to distribute them = to the=20 user community. As mentioned earlier, we might have in place the = best=20 policies in the world, but if our users don’t know what they = are, and how=20 that impacts the way they perform their jobs, it will do little = good=20 towards accomplishing the goal of keeping our networks and data = secure.=20 User education is imperative, as is the ability to verify that = everyone=20 understands and has agreed to abide by the policies and practices. = PentaSafe’s VPC seems to provide a good solution to educate, = test, and=20 catalog user awareness.
According to the documentation VPC = allows=20 administrators, once they have worked through the automated policy = creation process, to publish the finished documents to a = company’s=20 intranet site. Rather than just hoping users will visit, read = dozens of=20 pages, and thereby become fully supportive, VPC goes further. The = product=20 is stated to provide a quiz mechanism to test and record user=20 participation in the on-line policy training program. Users log in = at=20 their convenience, or with prompting, and are then educated and = tested on=20 their knowledge of the company’s policies. A permanent = record of their=20 participation is stored, and remains available should an incident = of=20 violation arise later. Employees are protected by always having = on-line=20 access to the company’s policies in case they have = questions, and the=20 company is protected by being able to prove that it has performed = due=20 diligence in crafting policies and educating employees. It is=20 Win-Win.
PentaSafe’s VPC is certainly = not the only=20 method available for an organization to develop and implement = security=20 policies and procedures. It is entirely possible for a company to = create=20 its own policies from scratch, or to copy and paste some = boiler-plate=20 wording that might be provided by others as a service on the = Internet.=20 However, allocating sufficient internal staff time might not be a=20 cost-effective option, especially considering the potential legal=20 liability that is at stake. The proper skill set mix of writers,=20 attorneys, human resource specialists, technology experts, etc., = may not=20 even be available within local staff. Outsourcing a portion or the = entire=20 job may be an option for some. It is, of course, ultimately up to = each=20 organization to determine their best course of action to fill this = essential need.
As I noted at the beginning of this = paper I was=20 hoping to share with the reader some lessons we have learned. = Perhaps=20 trying to write all the policies and procedures ourselves is not = the best=20 way to go, hence our current interest in exploring VPC. We are not = yet=20 finished creating our documents, so we are actually still in the = thick of=20 it with you. It would have been nice to be on the other side, = encouraging=20 your progress along a well-worn trail. I wish we had the = definitive words=20 of wisdom for others heading down this path, but perhaps some of = the=20 issues discussed will help you explore a few options and to = determine what=20 works best for you.
As a reference I have included the = text of our=20 current work-in-progress. Be aware that this is only a draft = document and=20 in need of revision and review. Hopefully some ideas will = stimulate your=20 own thinking.
Acceptable Use = Policy
Security Policies = and Procedures=20 for <ORGANIZATION>
The <ORGANIZATION> has set a = vision and=20 is progressing on a path into the future of enhanced constituent = support=20 and service by maintaining a secure and available network of = electronic=20 data systems. These systems are interconnected via high-speed = switches,=20 routers, and firewalls to allow appropriate access to = <ORGANIZATION>=20 information stored on multiple file servers and databases. The = goal is to=20 maintain all of these components, along with the backup devices = and=20 supported client PCs, in a manner consistent with industry best=20 practices.
Contained in this document are the = policies=20 that direct the processes and procedures by which <OUTSOURCING=20 VENDOR>, in partnership with the <ORGANIZATION>, strives = to=20 maintain a secure and available data enterprise. By employing = industry=20 best practices along with proprietary processes we are working to = provide=20 due diligence in our best efforts to maintain the confidentiality, = integrity, and availability of the <ORGANIZATION>’s = data resources.=20
This endeavor is truly a = partnership, in that=20 all parties involved have a significant stake and responsibility = to comply=20 with all agreed-upon policies and procedures to ensure the highest = possible level of security. A single weak link anywhere in the = chain, from=20 the largest server, to any individual user running an unauthorized = program, could compromise the integrity of confidential data or = create a=20 catastrophic loss. There are "hostile" applications that can = inadvertently=20 or deliberately be run on a PC and cause data destruction or = disruption of=20 service to others. Information Systems is constantly working to = harden=20 systems against such attacks, and to implement services to screen = out=20 hostile mobile code and viruses, but it is still up to each = individual=20 user to comply with all revisions of published policies and = procedures.=20 Risk assumed by one is shared by all.
The latest version of the=20 <ORGANIZATION>’s Acceptable Use Policy will always be = posted on the=20 <ORGANIZATION>’s Intranet site for quick = reference.
As all <ORGANIZATION> network = users=20 carefully follow operational and security guidelines we have a = good=20 opportunity to continue providing the best possible services to = the=20 employees, residents, and businesses of the=20 <ORGANIZATION>.
This document contains multiple = sections that=20 are in many ways inter-related. Several concepts, with Security = being=20 foremost, become threads that run through the entire document and = are=20 common to multiple areas of discipline. The overall objective, of = course,=20 is to guard the <ORGANIZATION>’s vital electronic data = resources=20 that contain confidential employee records, payroll information, = customer=20 information, and much more. All of these records are stored in = electronic=20 data systems and must be treated in a manner consistent with = current best=20 practices to ensure their confidentiality, integrity, and=20 availability.
This document strives to define = methodologies=20 to support the three essential principles for guarding electronic = data=20 systems:
Briefly describing each quality we=20 have
Confidentiality – Ensuring=20 that only authorized users can access confidential or sensitive=20 information. By precisely defining groups of users, and regularly = auditing=20 the accuracy and consistency of those groups, we can limit and = control who=20 has access to which data. Through a variety of policies, = practices, and=20 systems we work to ensure that only those who are authorized will = access=20 any given data resource.
Integrity – = Ensuring that data=20 has not been tampered with, either on the network or in storage. = Our goal=20 is to ensure that data integrity is maintained at all = levels.
Availability = – Data must be=20 available to those who are authorized to use it. Denial-of-Service = attacks=20 are becoming common, and our goal is to ensure that users can = access the=20 data they need.
The policies and procedures = described in this=20 document cover various groups of people. Some policies cover every = user of=20 the <ORGANIZATION>’s network and its resources, and = others apply to=20 specific groups who administer or manage the network. This is not=20 discriminatory, it is simply a function of roles and = responsibilities. The=20 identified groups are listed below.
Ownership of Network, PC, and Data=20 Resources
All hardware and software are the = property of=20 the <ORGANIZATION>. Although there are numerous "Personal = Computers"=20 provided for use by staff members they are owned by, are to be = used for=20 conducting business for, the <ORGANIZATION>.
Usage of Network, PC, and Data=20 Resources
Any person using the = <ORGANIZATION>=20 computer network or any of its components must agree to and abide = by all=20 parts of the Acceptable Use Policy.
No Privacy of Data
Privacy Rights = Waiver
Computer Usage = Monitoring
Network and/or email = Monitoring
Allowable Use of Computer=20 Systems
Formal Information Systems Approval = Process
Defined and explained = here.
Security must be an integral thread = running=20 through every aspect of the enterprise. Just as physical security = for=20 employees has been provided with policies, guards, and metal = detectors we=20 must also provide for security of the <ORGANIZATION>’s = data using a=20 multi-layered approach.
Each PC user is entirely = responsible for his or=20 her own user ID and password. No one else should share these. = Every file=20 server and piece of networking equipment has its own mechanisms of = protection through access codes as well.
Security is everyone’s = business, and is an=20 on-going refinement process as situations change and new = vulnerabilities=20 develop. This section discusses several aspects that should be = universally=20 applied in addition to any other, more specific, policies that are = developed.
Several other sections within this = document=20 will address security again as it applies to specific=20 areas.
UserID’s and = Passwords
Individual user accounts and = passwords are used=20 to create security for the systems and data belonging to the=20 <ORGANIZATION>. As mentioned earlier, users should have no=20 expectation that anything they create, store, send, or receive on = a=20 computer or through the network is private; all data is the = property of=20 the <ORGANIZATION> and is subject to review at any time by=20 authorized personnel. The purpose of a UserID and password is to = create=20 security from unauthorized access to the = <ORGANIZATION>’s systems or=20 confidential data.
The <ORGANIZATION> has a = standard method=20 for creating login names to servers, applications, databases, and = email.=20 The UserID consists of 8 characters. The first character is the = same as=20 that of the user’s first name. Appended next is that portion = of the user’s=20 last name that will fit within the 8 character field. If the last = name is=20 too long, it is truncated at syllable breaks to fit.
Since all UserIDs must be unique = throughout the=20 <ORGANIZATION> there will be instances where a "tiebreaker" = must be=20 used to keep similar names from resulting in the same 8 character = value.=20 We will insert a new character into the second position to create = unique=20 ID’s.
For example, if Mary Smith already = has MSMITH=20 and Marvin needs to be added, we will create his UserID as = MASMITH. When=20 Mellisa Smitherington is added later her UserID will become = MBSMITH, and=20 so on. By sequencing letters of the alphabet we are able to = accommodate=20 numerous such situations.
Password Length and = Complexity
Most user ID’s have been = assigned by a system=20 administrator to be used for each individual person to log into = the=20 network. In addition, there may exist other ID’s for users = to access=20 specific databases or applications. It is permissible to use the = same=20 password for each system or application a user = accesses.
In all cases each user is entirely = and=20 personally responsible to maintain the complexity and secrecy of = his or=20 her own password.
All passwords must consist = of
Remember, each password should have = all=20 of the above in it.
Please, it is important NOT = to=20 use
Yes, this sounds difficult, but any = of the=20 above passwords are easy to guess or crack by an attacker trying = to access=20 the system. Even if you think you don’t have access rights = to anything=20 important, you must still protect the secrecy and complexity of = your=20 password. If an attacker can get in using your account, he has a = foot in=20 the door and may be able to break further into the = network.
How then do you select a password = that you=20 don’t have to write down on a sticky note and attach to your = monitor?=20 (Please don’t ever do something like that! You might be = surprised, but=20 that is a very common way attackers get into systems.)
Remember, you must safeguard your = password at=20 all times, so if you need to write it down, put it into your = wallet or=20 purse where you keep your other valuables like a drivers license = or credit=20 card.
Do you think you could come up with = or remember=20 a password that fits those requirements? How about the one=20 here?