Security policy and its implementation 1 WUCM1

Posted on 22-Dec-2015


Security policy and its implementation

WUCM1 1

What is security?

• Security broadly means three things:
– Confidentiality: information is not made accessible to people who are not authorised to see it
– Integrity: information is protected from unauthorised modification, and is complete and can be relied upon
– Availability: information is available when you need it

WUCM1 2

Security aspects

• Non-technical (e.g. physical) threats:
– Fire
– Flood, etc.
– Staff absence
– Not really a part of this unit, but …

• Not all security threats are malicious or intentional

• More information is lost by accident than stolen

WUCM1 3

Risk assessment

• Identify threats
• For each threat, determine/estimate:
– Probability of occurrence
– Cost of event: value of data, lost business
– Cost of prevention and/or recovery

• Where predicted loss is greater than predicted cost, you need to do something about it

WUCM1 4

Types of threat

• Illustration:
– Alec is providing information for Bert
– Charlie is someone who shouldn't have access to that information
• Interception – unauthorised access
• Denial of service
• Impersonation
• Hijack
• Repudiation

WUCM1 5

Malicious code

• Often a part of a security threat
• Types of malicious code:
– Viruses
– Worms
– Trojan horses
– Back doors

WUCM1 6

Web specific examples 1

• Web content with malicious intent, e.g.:
– Sexygirls.com (Tiwana, 1999)
– Download a custom "web viewer" that dials a long-distance ISP and connects – and displays images
– Phone bill at the end of the month difficult to contest

• Examples of virus and Trojan downloads

WUCM1 7

Web specific examples 2

• IP or website spoofing:
– machine-to-machine trust violated
– spoofed site usually set up to gather data:
• credit card details
• personal address or contact details

• Usually a close mock-up of the real website, e.g. for e-commerce

WUCM1 8

Web specific examples 3

• Denial of service, e.g.:
– DDoS attacks on Microsoft, Amazon, eBay, etc.
– Attacks on Estonian systems, 2007
– Timed assault launched by a virus

• JavaScript security problems, e.g.:
– "Freiburg attack"
– Uses a 1x1 pixel invisible frame
– JavaScript to scan the PC and upload files
– What files would be targeted?

WUCM1 9

Security policy 1

• Identify in appropriate detail:
– Protected items:
• What needs protection?
• What type of protection does each item need?
– Authorisation:
• Who needs authorisation?
• What types of authorisation are needed?
• Who authorises such access?
• Normally based on roles, e.g.:
– General public
– General employee of the organisation
– Employee with a specific function, e.g. managerial
– Updater
– System administrator

WUCM1 10

Security policy 2

• Implementation of access control:
– How is access control to be implemented?
– What monitoring of accesses is going to be done?
– Who is going to refer to the logs?

• Management of changes:
– How are new users to be added and old ones deleted?
– How are new items to be protected?

WUCM1 11

Security policy 3

• How are complaints and requests about the server and page content to be handled?

• How and when should the policy itself be updated?
• How should the organisation react to security issues?
• Who is allowed to speak to members of the press, police, etc. in the event of questions or an incident?
• How much information about a successful penetration should be made public?

WUCM1 12

Policy architecture

• Security policy issues are often split into:
– Privacy policy, e.g. http://privacy.yahoo.com/
– Acceptable use policy, e.g. http://www.ja.net/documents/use.html
– Site security policy, e.g. http://secinf.net/info/policy/AusCERT.html
– Web access policy, e.g. http://medlib.med.utah.edu/hug/basic/hugwebaccesspolicy.html

WUCM1 13

Implementation

• Costs of implementing security:
– Need to be analysed
– Compared with the predicted costs of not doing anything
• Business decision: what security to implement? = what is cost-effective?

• Need a formal backup and recovery procedure to support security

WUCM1 14

After intrusion

• Ascertain cause
– Pre-requisite for recovery action
– Do we know how the attackers got in?
– Were we let down by someone else's failing or our own mistakes?
• Assess damage
– How do you know what they accessed/changed?
• Plan recovery
– Do you have a pre-prepared plan to implement?
– What do you need to do to get your systems running normally again?
– What do you need to do to reassure/appease/reimburse your customers/users?
• Plan avoidance of repeat
– What do we need to do to prevent it happening again?

WUCM1 15

Types of protection

• Security is always a trade-off against convenience

• There are four broad areas of concern:
– Physical security
– Operating system and platform security
– Network security
– User security and user awareness

WUCM1 16

Physical security

• Threat: with physical access to the computer, an attacker could:
– Switch it off (pull the plug)
– Physically destroy data (e.g. by applying a hammer to the disk)
– Gain privileged access via a console
– Introduce new software

• Response:
– access controls
– locks and keys
– keep under observation

WUCM1 17

Platform security

• Threats:
– Bugs in software
– Known back doors
– Unused/unnecessary features
– Accidental misuse

• Responses:
– Monitor security alerts
– Install patches
– Make someone responsible for this
– Harden your operating system:
• Only install and enable essential components
• Document the need for each component, and its protection, in the security policy

WUCM1 18

Network security

• Threats:
– Unauthorised access
– Misuse by authorised people
– Excessive access
– Denial of service

• Responses:
– Firewalls, to filter the packets that are permitted to reach the web server
– Network address translation schemes, to hide the internal network addresses
– Use of proxy servers to filter and moderate requests
– Security self-tests (white-hat intrusion)

WUCM1 19

User security

• Threats:
– Many users are just too trusting
– Social engineering ("phishing") can push users to willingly break known safety rules, e.g.:
• "There is a problem with your account. Please change your password to NowSafe and await further instructions..."
• "There is a problem with your account and we are unable to bill your credit card. Please enter your credit card number and expiry date in the spaces below and click the SUBMIT button."
• AOL reminder on every page about passwords
– Smooth-tongued callers

• Responses:
– Well-defined company policies
– Educate users on risks
– Train users in good practice
• Role-play training helpful in establishing good employee habits
– Monitor users

WUCM1 20

Server configuration

• A web server can be set up to restrict access to its site(s)

• Restrictions can be applied to part of the site (called a "realm")

• There are two types of restriction:
– Restrict access by identified users or groups of users
– Restrict access by identified host or group of hosts

• Restrictions can be mixed
– but be aware of errors hidden in complex solutions

WUCM1 21
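As an added example (not from the original slides) of how a server is configured to do this, here is an Apache httpd 2.4 fragment that protects one realm by user and by host at the same time. The directory path, password file, realm name and the 204.255.0.0/16 and ac.uk values are illustrative assumptions; the password file is created with `htpasswd`. The nesting of `RequireAll` and `RequireAny` is exactly the kind of place where errors hide in a mixed solution: in httpd 2.4 several bare `Require` lines in one section are combined with OR by default, so without the explicit `RequireAll` a host match alone would open the realm with no password at all.

```apache
# Added example, not part of the original slides: Apache httpd 2.4 configuration
# for one protected realm. Paths, realm and address values are assumptions.
<Directory "/var/www/html/intranet">
    # "Access by user": the realm name sent in the WWW-Authenticate challenge
    # and the file holding the htpasswd-generated credentials.
    AuthType Basic
    AuthName "Intranet"
    AuthUserFile "/etc/httpd/passwd/intranet.passwd"

    # Basic sends the password in clear, so refuse to serve this realm over
    # plain HTTP (mod_ssl directive).
    SSLRequireSSL

    # "Access by host" mixed with "access by user": the client must come from
    # an allowed address or domain AND present a valid username/password.
    # Bare Require lines in one section are OR-ed by default, so the explicit
    # RequireAll is what stops a host match alone from opening the realm.
    <RequireAll>
        <RequireAny>
            # partial address: every host in 204.255.x.x
            Require ip 204.255.0.0/16
            # partial domain: whole labels only, so port.ac.uk matches but
            # hackac.uk does not. Apache does a double-reverse DNS lookup for
            # this on every request, which is slow and only as trustworthy as
            # the client's DNS.
            Require host ac.uk
        </RequireAny>
        Require valid-user
    </RequireAll>
</Directory>
```

Apache does not allow a comment after a directive on the same line, which is why every comment above sits on its own line; a trailing `# ...` after `AuthName "Intranet"` would be reported as an extra argument.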

Access by user

1. If the server receives request for a restricted URL, it sends back to the browser a challenge (stating the realm)

2. The browser invites its user to enter a username and password for the realm

3. Browser resubmits request with the credentials, i.e. username/password

4. Server checks – if OK, serve page; if not, back to step 2 or fail "unauthorised"

WUCM1 22

User authentication

• Two forms of authentication:
– Basic – username and password sent in clear text (only base64-encoded) – not good unless hidden inside an SSL/TLS connection
– Digest – uses an MD5 cryptographic checksum and a random "nonce" value, so the password itself is never sent

• Browsers normally retain the username and password for reuse when further challenges come from the same realm

WUCM1 23
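The four-step challenge/response exchange above, and the difference between the Basic and Digest forms, as an added example in Python (not code from the original slides or from Apache). The realm name, the user table and the password are constructed for the example; a real server would store Basic passwords as salted hashes and Digest's HA1 value per realm. It also shows why the slides' caveat matters: the Basic header decodes straight back to the password, while Digest only proves knowledge of it, bound to the server's nonce. Note that Digest's MD5 is no longer considered a strong hash; in practice Basic over TLS (or a modern scheme) is what gets deployed.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed user table for the example (assumption, not from the original
# slides). A real server stores Basic passwords as salted hashes; for Digest it
# must store HA1 = MD5(user:realm:password), which ties stored secrets to the realm.
REALM = "Intranet"
USERS = {"alice": "correct horse battery staple"}


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(username, password):
    """Step 3, browser side: Basic credentials are only base64, not encrypted."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic(header):
    """Step 4, server side: decode a Basic Authorization header to (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def digest_response(username, password, realm, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:pw),
    HA2 = MD5(method:uri). The nonce binds the response to one challenge."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def digest_header(username, password, realm, method, uri, nonce):
    """Step 3, browser side, for Digest: the password never appears in the header."""
    resp = digest_response(username, password, realm, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_digest(header):
    """Parse 'Digest k="v", k="v"' (used for both the challenge and the response)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    fields = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def handle_request(method, uri, headers, scheme, nonce):
    """Server side of steps 1 and 4. Returns (status, response headers).
    scheme is "basic" or "digest"; nonce is the value the server issued for this
    realm and must remember in order to verify a Digest response."""
    if scheme == "basic":
        challenge = f'Basic realm="{REALM}"'
    else:
        challenge = f'Digest realm="{REALM}", nonce="{nonce}"'
    auth = headers.get("Authorization")
    if auth is not None:
        if scheme == "basic":
            parsed = parse_basic(auth)
            if parsed and parsed[0] in USERS and hmac.compare_digest(
                    USERS[parsed[0]].encode(), parsed[1].encode()):
                return 200, {}
        else:
            f = parse_digest(auth)
            if (f and f.get("username") in USERS and f.get("nonce") == nonce
                    and f.get("uri") == uri):
                expected = digest_response(f["username"], USERS[f["username"]],
                                           REALM, method, uri, nonce)
                if hmac.compare_digest(expected.encode(), f.get("response", "").encode()):
                    return 200, {}
    # Step 1 (no credentials) and the failure branch of step 4 both re-challenge.
    return 401, {"WWW-Authenticate": challenge}


def exchange(scheme, password):
    """Drive the four-step exchange for one scheme; returns the two status codes."""
    nonce = secrets.token_hex(16)
    status1, hdrs = handle_request("GET", "/intranet/", {}, scheme, nonce)
    # Step 2: the browser reads the realm (and nonce) from the challenge and
    # prompts the user; here the user types `password`.
    if scheme == "basic":
        auth = basic_header("alice", password)
    else:
        chal = parse_digest(hdrs["WWW-Authenticate"])
        auth = digest_header("alice", password, chal["realm"], "GET", "/intranet/", chal["nonce"])
    status2, _ = handle_request("GET", "/intranet/", {"Authorization": auth}, scheme, nonce)
    return status1, status2
```

`exchange("basic", ...)` and `exchange("digest", ...)` both return `(401, 200)` with the right password and `(401, 401)` with a wrong one; the difference is only visible on the wire, where `parse_basic` recovers the password from the Basic header and nothing recovers it from the Digest one.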

Access by host

• Access restrictions by host can be specified by:
– IP address (e.g. 204.255.230.13)
– Domain name (e.g. port.ac.uk)

• Partial addresses/domains can be used:
– e.g. 204.255. can be used to specify a restriction to all hosts whose IP address starts with 204.255.
– e.g. ac.uk would specify a restriction for all hosts from a UK academic domain

WUCM1 24
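Matching partial addresses and partial domains is easy to get subtly wrong, so here is an added Python example (not from the original slides, and not Apache's implementation) of the two checks done on whole components. The allow-list uses the slide's own 204.255. and ac.uk values; the DNS data is constructed so the example runs offline, using documentation addresses. It also shows the check the domain form depends on: a client's reverse-DNS name is only worth anything if resolving that name forward gives the connecting address back, since anyone can set the PTR record for their own address range to claim membership of ac.uk.

```python
import ipaddress
import socket

# Allow-list in the slide's notation (assumption, not from the original slides):
# a partial dotted address and a partial domain.
ALLOW_IP_PREFIXES = ["204.255."]
ALLOW_DOMAINS = ["ac.uk"]

# Constructed DNS data for running offline (documentation addresses, not real):
# 192.0.2.10 genuinely is www.port.ac.uk (forward record agrees); 203.0.113.5
# has a PTR record claiming the same name, which its owner can set to anything.
FAKE_PTR = {"192.0.2.10": "www.port.ac.uk", "203.0.113.5": "www.port.ac.uk"}
FAKE_A = {"www.port.ac.uk": ["192.0.2.10"]}


def ip_allowed(ip, prefixes=ALLOW_IP_PREFIXES):
    """Partial-address match on whole octets: '204.255.' allows 204.255.x.y only.
    A plain string prefix test would also pass '204.2550...' style garbage."""
    try:
        octets = str(ipaddress.IPv4Address(ip)).split(".")
    except ValueError:
        return False
    for prefix in prefixes:
        want = [o for o in prefix.split(".") if o]
        if octets[:len(want)] == want:
            return True
    return False


def host_allowed(hostname, domains=ALLOW_DOMAINS):
    """Partial-domain match on whole labels: 'ac.uk' allows port.ac.uk and ac.uk
    but not hackac.uk (a plain endswith test would) nor ac.uk.evil.example."""
    labels = hostname.lower().rstrip(".").split(".")
    for domain in domains:
        want = domain.lower().split(".")
        if labels[-len(want):] == want:
            return True
    return False


def dns_reverse(ip):
    """Real PTR lookup (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def dns_forward(name):
    """Real A-record lookup (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def verified_hostname(ip, reverse_lookup, forward_lookup):
    """Double-reverse lookup: the PTR name is trusted only if resolving it
    forward gives back the connecting address."""
    name = reverse_lookup(ip)
    if name and ip in (forward_lookup(name) or []):
        return name
    return None


def request_allowed(ip, reverse_lookup=dns_reverse, forward_lookup=dns_forward):
    """Decision for one connection: allowed by address, else by verified domain."""
    if ip_allowed(ip):
        return True
    name = verified_hostname(ip, reverse_lookup, forward_lookup)
    return name is not None and host_allowed(name)
```

Run offline as `request_allowed("203.0.113.5", FAKE_PTR.get, FAKE_A.get)`, which is refused despite the flattering PTR record, while `request_allowed("192.0.2.10", FAKE_PTR.get, FAKE_A.get)` is accepted; with the default arguments the same function does live lookups.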

Cautions

• Browsers cache credentials:
– In memory for the session
– On disc if so configured

WUCM1 25

More information

• The security tutorials listed at http://httpd.apache.org/docs/misc/tutorials.html

• The Apache documentation at http://httpd.apache.org/docs/

• The Computer Emergency Response Team (CERT) at http://www.cert.org

• Centre for the Protection of National Infrastructure (CPNI) at http://www.cpni.gov.uk/

WUCM1 26

More information

• NetworkIce is a company dealing with network security software and services at http://advice.networkice.com/Advice/default.htm

• SecurityFocus, for discussion and news at http://www.securityfocus.com

WUCM1 27