DRAFT

Site Security Policy Handbook Outline
5-July-90

I. INTRODUCTION

   A. Background

   B. Purpose
      1. Provide decision strategy
      2. Offer practical measures and suggestions
      3. Address real threats:
         a. Intrusions into single hosts, etc.
         b. Denial of service
         c. Fraud
         d. Malicious code, e.g. viruses
      4. Cover general issues such as:
         a. Installation with security procedures
         b. Educate users on proper points-of-contact
      5. Realize that many large sites may have already developed their own site-specific security policies and procedures handbook.

   C. Scope
      1. Use of handbook:
         a. For sites to set up security policies and procedures with recommendations from this handbook
         b. By using scenarios and issues raised in this handbook
      2. Deal with Internet Security Policy
         a. Protect the Internet as a whole
         b. Not intended to be site specific
      3. Not intended to tell how to protect databases, etc.
      4. Provide practical guidelines and lessons learned
      5. Handbook will not address in detail issues such as:
         a. Risk assessment
         b. Contingency plans

   D. Organization of Document
      1. Six sections:
         a. Establishing official site policy on computer security
         b. Establishing procedures to prevent security problems
         c. Incident Handling
         d. Establishing post-incident procedures
         e. Appendices
         f. Annotated Bibliography

II. Establishing official site policy on computer security:

   A. Brief Overview
      1. Organization Goals
      2. Who makes the policy?
      3. Who is involved?
      4. Responsibilities

   B. Risk Assessment
      1. General discussion
         a. Don't spend more to protect something than the asset is worth
      2. Possible problems
         a. Access points
            i. Network links
            ii. Dialups
         b. Misconfigured systems
         c. Software bugs
         d. "Insider" threats
         e. ... and so forth ...
      3. Threats
         a. Denial of service
         b. Unauthorized access
         c. Disclosure of information
         d. ... and so forth ...
      4. Policy

   C. Define authorized access to computing resources.
      1. Basic Assumptions:
         a. Connected to the Internet
         b. Inventory of networked components including PCs, servers, network devices, physical security
         c. Introduce problem areas/assets
      2. Policy Issues:
         a. Who is authorized to grant access and approve usage?
         b. Who is it you're giving access to?
            i. Who gets system administrator privileges or passwords?
         c. What is the proper use of resources?
            i. Provide guidelines for acceptable use
            ii. Exception cases like tiger teams and "License to Hack"
            iii. Define limits to access and authority
         d. What to do with sensitive information?
         e. Proper use of copyrighted/licensed software?
      3. Ethical Behavior
      4. Users' Rights and Responsibilities
      5. Rights and Responsibilities of System Administrators vs. Rights of Users
         a. Can an administrator monitor or read a user's files for any reason? Invasion of privacy?
         b. Liabilities
         c. Do net administrators have the right to examine network or host traffic?

   D. What happens when policy is violated.
      1. Define what to do when outsiders violate the access policy.
      2. Define what to do when local users violate the access policy.
         a. What to do for insider intrusion; how to avoid libel and slander.
      3. Define what to do when local users violate the access policy of a remote site.
      4. Define contacts and responsibilities to outside organizations
         a. Who is authorized to make outside contacts?
         b. What are our obligations to those contacts?
         c. What are the responsibilities to our neighbors and other Internet sites?
            i. Ref. Security Policy WG work on recommended Internet security policy
         d. Issues for incident handling procedures; see IV.C.4.

   E. Locking in or out.
      1. "Protect and proceed"
      2. "Pursue and prosecute"

   F. Publicizing the policy
      1. Ensure policy is widely known and understood by ALL
         a. Meetings or handouts
         b. Don't forget higher management as well as 'troops'
         c. Should people 'sign off' that they understand?
         d. Make sure new employees see it
      2. Making sure people understand the policy can later be key to legal action if necessary

III. Establishing procedures to prevent security problems:

   A. Overview
      1. Policy identifies assets to protect
      2. Risk assessment establishes what's cost-effective to protect
      3. Controls should be chosen to protect assets in a cost-effective way
         a. Many different ways to actually implement a policy; need to choose the right set of controls.
         b. Use common sense -- no use using elaborate schemes if poor passwords can still be used to break the system
      4. Use multiple strategies to protect assets: if one is breached, another comes into play.

   B. System security audits.
      1. Organize scheduled drills
      2. Test procedures

   C. Account management procedures.
      1. Determine authorization of system or network use

   D. Password management procedures.
      1. Determine authorization of system or network use

   E. Configuration management procedures.
      1. Physical Security:
         a. Security boundary, site boundary
         b. Definition of terms
      2. Develop tools as preventative and reactive
         a. Inventory of tools
      3. Standard versus non-standard configuration
         a. Non-standard systems can thwart attackers who exploit well-known problems, e.g., use a slightly different algorithm to encrypt passwords.
         b. Sometimes used in gateway (firewall) systems that protect 'interior' networks. (See III.I.1)
         c. However, can be hard to maintain
            i. Must be documented
            ii. Hard to upgrade software -- changes must be made
            iii. Specialized knowledge required

   F. Procedures to recognize unauthorized activity.
      1. Regularly monitor systems
      2. Tools that can be used
         a. Logging
         b. Monitoring tools
         c. Other tools? (wish list here)
      3. Vary routine -- check different things so that an intruder can't predict your actions

   G. Define actions to take when unauthorized activity is suspected.

   H. Communicating lessons learned.
      1. Educate users
         a. Proper use of account/workstation
         b. Account/workstation management procedures
         c. Password management procedures
            i. Define how to compose a good password
            ii. Frequency to change
         d. How to determine account misuse
            i. Last login time/place
            ii. Command histories
         e. Problem reporting procedures
      2. Educate Host Administrators
         a. Account management procedures
            i. Check "out of box" accounts; disable or give new passwords
            ii. Don't allow accounts without passwords
            iii. Shadow passwords
            iv. Keep track/lists of who has access to administrator accounts/passwords
         b. Configuration management procedures
            i. Check "out of box" configurations
            ii. Examine network services
            iii. Install bug fixes
         c. Recovery procedures - Backups
         d. Problem reporting procedures

   I. Resources to prevent security breaches
      1. Concept of "Inter-net" and "Outer-net" - Circles of trust, "firewalls" of protection
      2. Confidentiality
         a. Encryption (hardware and software)
            i. DES
            ii. crypt()
         b. Privacy enhanced mail
      3. Origin authentication
         a. RSA public key
      4. Information integrity
         a. Checksums
      5. Limiting access
         a. Router packet filtering
            i. IP address
            ii. TCP/UDP port
      6. Authentication systems
         a. Kerberos
         b. Smart cards - Pseudo random number generators
      7. Books/lists/informational sources
         a. Security mailing lists
         b. Networking mailing lists
         c. CERT
         d. DDN Management bulletins
         e. System administration list
         f. Vendor specific system lists
      8. Problem reporting tools
      9. Auditing
         a. Verify security
         b. Verify software configurations
         c. Tools
            i. COPS
      10. Communication among administrators
      11. Secure operating systems
      12. Obtaining fixes for known problems
         a. Trusted archive servers

IV. Incident Handling

   A. Overview
      1. Must have a plan to follow in case of an incident.
      2. Order of discussion in this session suggests an order for a plan.
      3. Possible goals for incident handling (suggested by Russell Brand).
         a. Maintain and restore data.
         b. Maintain and restore service.
         c. Figure out how it happened.
         d. Avoid escalation and further incidents
         e. Avoid negative publicity
         f. Find out who did it
         g. Punish the attackers

   B. Evaluation
      1. Is it real?
      2. Scope
         a. Impact

   C. Possible types of notification
      1. Explicit
      2. Factual
      3. Choice of language
      4. Notification of:
         a. POC people (Technical, Administrative, Response Teams, Investigative, Legal, Vendors, Service providers)
            i. Which POCs are visible to whom
         b. Wider community (users)
         c. Other sites that might be affected
      5. Public Relations - Press Releases
         a. Sensitivity issues
         b. Response team to get in touch?
      6. Who needs to get involved?
         a. Response team
         b. Understanding between you and the NICs and NOCs.

   D. Response
      1. What will you do?
         a. Restore control
         b. Relates to policy
         c. Which level of service is needed?
         d. Monitor activity
         e. Constrain or shut down system
      2. Consider designating a 'single point of contact'
         a. Ideally the person 'in charge' of handling the incident, but not necessarily.
         b. Provides consistent communication, contact with law enforcement
         c. If legal action is later taken, a single person can represent the site in court

   E. Legal/Investigative
      1. Establishing contacts with investigative agencies.
         a. Notification of site legal counsel.
      2. Formal and Informal Legal Procedures
         a. Verification of Contact - FBI, Secret Service, DoD agency
            i. What to do when government gets involved (FBI, DoD, CIA, Local Police)?
            ii. What is the liability when government (FBI, DoD, CIA, Local Police) gets involved or intervenes?
         b. Natural conflicts, i.e., the site wants to get back to business (and also wants to avoid negative publicity and the risk of losing business or funding), but the investigative agency wants to collect evidence and catch the intruder.

   F. Documentation Logs
      1. Collection and protection of evidence and information
         a. Log of events, actions, reactions
         b. Differentiating between facts, assumptions, and inferences
         c. Grabbing files for evidence
            i. Get evidence off-line ASAP
            ii. Restrict access to evidence (if legal action is taken, you must prove evidence was not tampered with)
         d. Log all costs or time spent dealing with the incident - may be necessary for later legal action

V. Establishing post-incident procedures

   A. Removing vulnerabilities.
      1. Cleanup
      2. Follow up
      3. Keep a Security log

   B. Capturing lessons learned.
      1. Resources:
         a. Other security devices, methods
         b. Repository of books, lists, information sources
         c. Form a subgroup

   C. Upgrading policies and procedures
      1. Establish mechanism for updating policies and procedures, tools
      2. Problem reporting procedures

VI. Appendices
   1. Tool Lists
   2. Legal Precedence
   3. Court Cases
   4. Laws
   5. List of Job Descriptions
   6. Glossary of Terms

VII. Annotated Bibliography