Policy Types
• Program
• Issue Specific
• System
• Overall
• Most Generic User Policies should be publicized
• Internal Operations Policies should be kept inside

Security Models
• Lattice Based Models
• Non-Interference Models
• Access Rights Propagation Models
• Multilevel Data Models
• Integrity Models
• Miscellaneous Models
  – Ntree
  – group authorization

Application of Security Models
• Academic
• Corporate
• Federal

Developing Policy with Security Models
• Internetworking may violate policies
  – General Connectivity
  – Mobile Code
• Incorporate General Models to Policy

Tools For Risk Analysis
• Host Security Audits
    » mis-configurations
    » insider threats
    » Access Controls
• Software Audits
    » Code Audits
• Network diagnostics and diagramming
    » tcpdump, snoop, scotty, snmp, etc.
• Using “underground tools” to determine the vulnerability of your site
• Uses multiple strategies for site protection

Solutions Resulting from Risk Analysis
• Account Management
  – Passwords
  – Automated account creation/deletion procedures
• Education
  – Security Mailing Lists
  – References
• Encryption
  – Authentication
  – Data Encryption

Enforcement of Policy
• Modularize technology solution and make the policy document technology-neutral
• Design technology so that it supports the policy. (Not the other way around.)
• Enlist the support of management and legal bodies for the policy
• Have the policy focus on intent rather than details

Amending Policy
• Create an annual review panel
• Consider the policy as a “Living Document”
• Educate at all levels

Policy Breach
• Lock/Suspend Accounts
• Delete Accounts
• Reprimand user
• Formally reprimand user
• Remove the user
• Pursue the action legally

Dealing with Law Enforcement
• Follow the guidelines for recording evidence
• Assess Damage and Remove Vulnerabilities
  – “Cleanup and Containment”
• Notify superiors of your intent to cooperate with Law Enforcement or other parties involved in incidents

Pursuing and Prosecuting
• Pursue Incident if
    » systems and assets are protected
    » backups exist
    » concentrated and frequent attack
    » incur financial damage
    » intruder can be contained and controlled
    » good monitors exist
• Don’t Pursue incident if
    » No sufficient evidence
    » Site is not well protected
    » The willingness to prosecute doesn’t exist
    » Site is vulnerable to lawsuits
    » Resources unknown

Policy for Gathering Evidence
• Document all details regarding an incident
• Vary monitoring techniques and times
• Establish post-incident operating procedures for
  – system administrators
  – operators
  – users
  – decide how to handle compromised system(s)
• Record details via logs
  – system events
  – time stamped actions taken by the attacker and yourself
  – phone conversations - date, time, person, subject

Maryland State Statutes
• Article 27. Crimes and Punishments
  – Section 146 Unauthorized access to computers prohibited

Federal Statutes
• Federal State Statutes that apply
  – Title 15 Commerce and Trade
  – Title 17 Copyright
  – Title 18 Crimes and Criminal Procedures
    » Ch 5 Arson
    » Ch 31 Embezzlement and Theft
    » Ch 37 Espionage and Censorship
    » Ch 47 Fraud and False Statements
    » Ch 63 Mail Fraud
    » Ch 65 Malicious Mischief
    » Ch 101 Records and Reports
    » Ch 105 Sabotage
    » Ch 113 Stolen Property

Federal Statutes
    » Ch 119 Wire and Electronic Communications Interception and Interception of Oral Communications
    » Ch 206 Pen Registers and Trap and Trace Devices

Federal Statutes
  – Title 42 The Public Health and Welfare
    » Ch 21A Privacy Protection
  – Title 47 Telegraphs, Telephones, and Radiotelegraphs
    » Ch 5 Wire or Radio Communications
  – Public Law 103-414 Communications Assistance for Law Enforcement Act
    » Title I Interception of Digital and Other Communications
    » Title II Amendments to Title 18 United States Code
    » Title III Amendments to the Communications Act of 1934

Coordinating with other Bodies
• State - Federal Contacts
• Academia
• Network Service Providers

Legal/Policy References
• Spafford text Appendix
• RFC 1244