Source: http://www.sans.org/infosecFAQ/policy/creating.htm

Creating Security Policies – Lessons Learned
Mark Worthington
May 4, 2001

Introduction

One of the core principles in Information Security is adherence to the organization’s security policy. After attending SANS training or other security classes we return to work with an eagerness to move forward with hardening servers, tightening firewalls, and implementing intrusion detection systems. As our first step, of course, we identify our need to comply with the existing security policy. So we begin our search to see if we even have a security policy, and end up dusting off an old notebook we found on a shelf somewhere. What we find may not even be applicable to our current environment, is so generic that it’s woefully incomplete, or has become totally out of date. What do we do next? This paper shows the reader some steps we have taken on our continuing journey towards a full set of security policies and procedures.

Revising the Policy

What do we do if the current security policy is incomplete or out of date? In our case I spoke with my Director and shared the vision with her of how important it was to update our current Electronic Use Policy. She was quite receptive, already being familiar with the critical role played by such a document. It was clear that the current Electronic Use Policy would need to be significantly revised and enhanced to cover acceptable use of resources, greater levels of security awareness, and increased user involvement.

We needed to expand the scope of what the current policy covered, and to ensure that all 2500 employees knew what was in it. To accomplish that we would have to find an effective way to educate each person, and to verify that everyone knew what was expected of them in maintaining compliance. Rewriting the policy to cover every identified vulnerability, publishing it to users, and testing for compliance seemed to present quite a daunting task, when what we really wanted to do was to get started making our environment more secure. Where do we start?

As it turned out we were able to begin working both issues concurrently. Implementing several server fixes would not violate any current policy, so we were able to begin hardening certain aspects of our enterprise even as we started updating our documentation.

The Approach

Since the previous security policy didn’t address as broad a scope as what we need now, we decided to temporarily set aside the older document and begin to produce a new one. Information Systems had been charged with developing the original policy years earlier, so after speaking with the Legal Department and Human Resources I simply began to write what came to mind. This became something of a free-form brain dump of concepts and ideas learned in the SANS Security Essentials curriculum and elsewhere. After a few rounds of this core dump I went back and began to refine the sections and wording. As time allowed I added to and modified different portions of the document, but was unable to devote full attention to it while balancing urgent work on all our other active projects.

An observation here: Whereas security policies must address the three foundational concepts of ensuring confidentiality, integrity, and availability, they are also designed to create end user awareness and participation. With this in mind it is logical to include other related matters in which we need user education. As we work through the process of creating security policies we will also focus on areas that may not seem to affect the "big three" security aspects directly, but are very important for the overall health of the organization. These will include acceptable use policies for the equipment, data, email, Internet, and others as needed. As we will see in a moment these can cause significant liability problems if not handled carefully, and do fit in naturally with an instructional program on password selection, use of non-approved software, and social engineering.

During the writing process I was eventually able to go back and directly consult the SANS coursework where we find eight important topics that should be included in a good security policy.

  • Purpose – the reason and goals for the document
  • Related Documents – citing other pertinent policies and procedures. These could include specific instructions for server administrators, network auditors, or end users. The policy paper I started writing tended to mix procedures in with the policies; those should be moved to other referenced documents before the policy is complete and ready to be reviewed, signed, and implemented.
  • Cancellation – describing which documents this supersedes
  • Background – a reflection on the need for security policies
  • Scope – the range of issues covered and to whom they apply
  • Policy Statement – SANS’ description says, "the statements should define actions that are prudent, expedient, or advantageous to the organization." The policies must be realistic. It doesn’t help to declare that no personal use of computers will be allowed if that is not something that will be enforced. An article from ComputerWorld as quoted by CNN states
    • "Dallas attorney B. J. Thomas, who specializes in computer law, said that, as counsel for the city of Cleveland, Texas, her rule of thumb is that e-mail is a tool like any other. ‘Any policy can be violated by the use of another tool as well,’ Thomas said. ‘In municipal law, [the idea is]: Don't have a policy unless you can enforce it, and if you enforce it, enforce it uniformly.’"

An organization would probably be better off leaving out statements prohibiting personal use of email or Internet entirely if no one is expected to live by them, rather than to undermine the user community buy-in of the entire security policy. The policy also may not be legally enforceable due to inconsistent application of it, should a serious violation of some other section occur. Again, think things through carefully and be realistic.

  • Responsibility – identifies which people are responsible for the various affected areas within the policy. Examples include the CIO, system administrators, and attorneys. It can also define the need to create specific procedures for implementation and enforcement of the policies, referencing the Related Documents mentioned above.
  • Action – specifies the tasks to be done, and the timeframe in which they are to occur.

Some of these sections I had included, and others need to be added still. It is definitely a work in progress.

For further input I consulted an excellent book by Michael R. Overly called e-policy How to Develop Computer, E-Mail, and Internet Guidelines to Protect Your Company and Its Assets. Mr. Overly very concisely covers numerous important issues. One suggestion is that the policy should state that "personal" computers and the data stored on them actually belong to the company, and that employees do not have an assumed right to expect privacy in what they create on the computer or send through an email system. The policy also needs to explain that the organization will be regularly or randomly monitoring network activity, including email, and that the purpose of users having secret passwords is not for their privacy, but to provide security for the company’s data. He even emphasizes the importance of maintaining the corporate culture in a way that does not belie what is expressly stated in the policy. In other words, if staff members or management speak or act in ways that suggest their computer work or emails are private it may weaken the company’s position if someone were to file an invasion of privacy lawsuit. By explicitly stating in the policy that the organization has the right to monitor emails and other network traffic, and not undermining that understanding through subsequent actions, an organization should be able to avoid privacy disputes.

In the creation of all policy documents be sure to consult your attorney, the user community, human resources department, and perhaps the local bargaining unit as advised. Also, please understand that this paper in no way should be construed as providing legal advice or covering every pertinent issue.

Proactive Monitoring

In addition to privacy issues, there is also the matter of "harmful material" entering the workplace. Items such as pornography or jokes in poor taste can create a hostile work environment. If someone in the office becomes offended by something they see or hear as a result of someone else’s email or Internet experience they may file a harassment lawsuit against the company. Filtering programs, from companies such as Surfcontrol and Websense, are available to block URLs, or to monitor for combinations of words and phrasings within email traffic itself that might indicate offensive jokes and stories.

The usage of email is an entire issue in itself. There are many ways email can be used to cause a company great distress in the event of a lawsuit, or can force expensive discovery processes to reconstruct an electronic "paper trail." Well-written policies covering email classifications and retention are becoming extremely advisable. Attorney Jim Bruce is quoted by Infoworld on cnn.com as saying "‘If a company is sued, it is routine for the other party to ask the company to produce all their records [on the subject], including e-mail,’ Bruce says. ‘E-mail is a really juicy target because it can be searched by keyword.’"

Network and email filtering and monitoring technologies can be a very significant investment in time, hardware, software, and recurring maintenance costs for URL and other updates, but it is probably worth the expense. Compared to the potential legal liability for failing to ensure a harassment-free workplace it will likely be a bargain well worth the cost.

The Downside

Using hardware and software filtering tools is a good technique a company can employ to protect its workers and itself, but there is a further caution. If a company has such systems in place, but fails to act promptly and fairly on violations of the acceptable use policy, the organization can be held liable for failing to perform due diligence to remedy the situation. In other words, if you don’t respond quickly enough to document and enforce appropriate discipline for any violations you may still be held liable. It becomes, then, extremely important to properly implement and execute the policies and procedures in a way that provides maximum effect. This also emphasizes the importance of an organization adequately funding such an effort, including the on-going costs for personnel and their training in support of these tools.

Whew! The more I studied on the topic of policies and their legal ramifications, the more I realized I had no desire to continue writing the stinkin’ things. I really just wanted to make the operating systems and network more secure.

Another Option

Somewhat overwhelmed and discouraged I set this project aside and resumed my other daily tasks, which of course include reviewing security bulletins. In a recent release of the SANS Newsbites I found an ad declaring "Write Your Information Security Policies in a Day!" Hoping for the best I decided to contact Pentasafe to see what they had to offer. I was very impressed.

The link referenced in the Newsbites article took me to a page introducing Pentasafe’s VigilEnt Policy Center (VPC), which then led to subsequent links describing key features and benefits. The product apparently comes with pre-built security templates written by Charles Cresson Wood, an expert in the security field, and which are accessible through a wizard application that steps you through the policy creation process. According to their statements you can have a draft security policy prepared in about a day. That sounds good to me.

A quick note: This paper is not intended to be a product review, but was created to share with the reader some of the steps and thought processes our organization is going through to update our security policies. I hold no stake in Pentasafe, and have not even seen a demonstration of VPC yet. I have requested one from the vendor and am looking forward to determining if this product will help simplify our task. If VPC works as well as claimed I plan to consider incorporating it into our environment, provided funding becomes available. We have a significant budget process to work through, so this may not be feasible right away. As I share with the reader some additional features claimed for this product, it should become apparent how they might prove helpful in the enterprise.

Publishing the Policies

In addition to creating and editing security policies there must be an effective mechanism to distribute them to the user community. As mentioned earlier, we might have in place the best policies in the world, but if our users don’t know what they are, and how that impacts the way they perform their jobs, it will do little good towards accomplishing the goal of keeping our networks and data secure. User education is imperative, as is the ability to verify that everyone understands and has agreed to abide by the policies and practices. PentaSafe’s VPC seems to provide a good solution to educate, test, and catalog user awareness.

According to the documentation VPC allows administrators, once they have worked through the automated policy creation process, to publish the finished documents to a company’s intranet site. Rather than just hoping users will visit, read dozens of pages, and thereby become fully supportive, VPC goes further. The product is stated to provide a quiz mechanism to test and record user participation in the on-line policy training program. Users log in at their convenience, or with prompting, and are then educated and tested on their knowledge of the company’s policies. A permanent record of their participation is stored, and remains available should an incident of violation arise later. Employees are protected by always having on-line access to the company’s policies in case they have questions, and the company is protected by being able to prove that it has performed due diligence in crafting policies and educating employees. It is Win-Win.

Summary

PentaSafe’s VPC is certainly not the only method available for an organization to develop and implement security policies and procedures. It is entirely possible for a company to create its own policies from scratch, or to copy and paste some boiler-plate wording that might be provided by others as a service on the Internet. However, allocating sufficient internal staff time might not be a cost-effective option, especially considering the potential legal liability that is at stake. The proper skill set mix of writers, attorneys, human resource specialists, technology experts, etc., may not even be available within local staff. Outsourcing a portion or the entire job may be an option for some. It is, of course, ultimately up to each organization to determine their best course of action to fill this essential need.

Conclusion

As I noted at the beginning of this paper I was hoping to share with the reader some lessons we have learned. Perhaps trying to write all the policies and procedures ourselves is not the best way to go, hence our current interest in exploring VPC. We are not yet finished creating our documents, so we are actually still in the thick of it with you. It would have been nice to be on the other side, encouraging your progress along a well-worn trail. I wish we had the definitive words of wisdom for others heading down this path, but perhaps some of the issues discussed will help you explore a few options and to determine what works best for you.

Appendix A

As a reference I have included the text of our current work-in-progress. Be aware that this is only a draft document and in need of revision and review. Hopefully some ideas will stimulate your own thinking.

 

Acceptable Use Policy

Security Policies and Procedures for <ORGANIZATION>

Background

The <ORGANIZATION> has set a vision and is progressing on a path into the future of enhanced constituent support and service by maintaining a secure and available network of electronic data systems. These systems are interconnected via high-speed switches, routers, and firewalls to allow appropriate access to <ORGANIZATION> information stored on multiple file servers and databases. The goal is to maintain all of these components, along with the backup devices and supported client PCs, in a manner consistent with industry best practices.

Contained in this document are the policies that direct the processes and procedures by which <OUTSOURCING VENDOR>, in partnership with the <ORGANIZATION>, strives to maintain a secure and available data enterprise. By employing industry best practices along with proprietary processes we are working to provide due diligence in our best efforts to maintain the confidentiality, integrity, and availability of the <ORGANIZATION>’s data resources.

This endeavor is truly a partnership, in that all parties involved have a significant stake and responsibility to comply with all agreed-upon policies and procedures to ensure the highest possible level of security. A single weak link anywhere in the chain, from the largest server, to any individual user running an unauthorized program, could compromise the integrity of confidential data or create a catastrophic loss. There are "hostile" applications that can inadvertently or deliberately be run on a PC and cause data destruction or disruption of service to others. Information Systems is constantly working to harden systems against such attacks, and to implement services to screen out hostile mobile code and viruses, but it is still up to each individual user to comply with all revisions of published policies and procedures. Risk assumed by one is shared by all.

The latest version of the <ORGANIZATION>’s Acceptable Use Policy will always be posted on the <ORGANIZATION>’s Intranet site for quick reference.

As all <ORGANIZATION> network users carefully follow operational and security guidelines we have a good opportunity to continue providing the best possible services to the employees, residents, and businesses of the <ORGANIZATION>.

Scope

This document contains multiple sections that are in many ways inter-related. Several concepts, with Security being foremost, become threads that run through the entire document and are common to multiple areas of discipline. The overall objective, of course, is to guard the <ORGANIZATION>’s vital electronic data resources that contain confidential employee records, payroll information, customer information, and much more. All of these records are stored in electronic data systems and must be treated in a manner consistent with current best practices to ensure their confidentiality, integrity, and availability.

This document strives to define methodologies to support the three essential principles for guarding electronic data systems:

  • Confidentiality
  • Integrity
  • Availability

Briefly describing each quality, we have:

Confidentiality – Ensuring that only authorized users can access confidential or sensitive information. By precisely defining groups of users, and regularly auditing the accuracy and consistency of those groups, we can limit and control who has access to which data. Through a variety of policies, practices, and systems we work to ensure that only those who are authorized will access any given data resource.

Integrity – Ensuring that data has not been tampered with, either on the network or in storage. Our goal is to ensure that data integrity is maintained at all levels.

Availability – Data must be available to those who are authorized to use it. Denial-of-Service attacks are becoming common, and our goal is to ensure that users can access the data they need.

Target Audience

The policies and procedures described in this document cover various groups of people. Some policies cover every user of the <ORGANIZATION>’s network and its resources, and others apply to specific groups who administer or manage the network. This is not discriminatory; it is simply a function of roles and responsibilities. The identified groups are listed below.

  • <ORGANIZATION> Employees
  • <OUTSOURCING VENDOR> Employees
  • <ORGANIZATION> Information Systems staff
    • Includes both <OUTSOURCING VENDOR> and <ORGANIZATION> Employees
    • Managers
    • Network Resources Division
    • Server Support Division
    • Desktop Support Division
    • Data Center Operations Division
    • Network Security Division
  • Each and every individual person who uses any portion of the network or its resources

Ownership of Network, PC, and Data Resources

All hardware and software are the property of the <ORGANIZATION>. Although there are numerous "Personal Computers" provided for use by staff members, they are owned by, and are to be used for conducting business for, the <ORGANIZATION>.

Hardware

Any computer or networking hardware must be approved through the formal Information Systems approval process before being connected anywhere on the network.

Software

No software may be loaded on or removed from any <ORGANIZATION> computer unless it has been approved through the formal Information Systems approval process.

Usage of Network, PC, and Data Resources

Any person using the <ORGANIZATION> computer network or any of its components must agree to and abide by all parts of the Acceptable Use Policy.

No Privacy of Data

Detail here.

Privacy Rights Waiver

Detail here.

Computer Usage Monitoring

Detail here.

Network and/or email Monitoring

Detail here.

Allowable Use of Computer Systems

Detail here.

Formal Information Systems Approval Process

Defined and explained here.

Security

Security must be an integral thread running through every aspect of the enterprise. Just as physical security for employees has been provided with policies, guards, and metal detectors we must also provide for security of the <ORGANIZATION>’s data using a multi-layered approach.

Each PC user is entirely responsible for his or her own user ID and password. No one else should share these. Every file server and piece of networking equipment has its own mechanisms of protection through access codes as well.

Security is everyone’s business, and is an on-going refinement process as situations change and new vulnerabilities develop. This section discusses several aspects that should be universally applied in addition to any other, more specific, policies that are developed.

Several other sections within this document will address security again as it applies to specific areas.

UserIDs and Passwords

Individual user accounts and passwords are used to create security for the systems and data belonging to the <ORGANIZATION>. As mentioned earlier, users should have no expectation that anything they create, store, send, or receive on a computer or through the network is private; all data is the property of the <ORGANIZATION> and is subject to review at any time by authorized personnel. The purpose of a UserID and password is to create security from unauthorized access to the <ORGANIZATION>’s systems or confidential data.

UserID Creation

The <ORGANIZATION> has a standard method for creating login names to servers, applications, databases, and email. The UserID consists of 8 characters. The first character is the same as that of the user’s first name. Appended next is that portion of the user’s last name that will fit within the 8 character field. If the last name is too long, it is truncated at syllable breaks to fit.

Since all UserIDs must be unique throughout the <ORGANIZATION> there will be instances where a "tiebreaker" must be used to keep similar names from resulting in the same 8 character value. We will insert a new character into the second position to create unique IDs.

For example, if Mary Smith already has MSMITH and Marvin needs to be added, we will create his UserID as MASMITH. When Mellisa Smitherington is added later her UserID will become MBSMITH, and so on. By sequencing letters of the alphabet we are able to accommodate numerous such situations.
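The naming scheme above as an added example (not part of the original paper or of the organization's tooling). Syllable breaks are supplied by the caller, and keeping one position free for the tiebreaker (`TIEBREAK_RESERVE`) is an assumption made here so that the output matches the MSMITH / MASMITH / MBSMITH sequence; all function names are hypothetical.

```python
import string

MAX_LEN = 8           # "The UserID consists of 8 characters"
TIEBREAK_RESERVE = 1  # assumption: keep one position free for a tiebreaker


def base_parts(first_name, last_syllables):
    """Return (initial, surname_part) before any tiebreaker is applied.

    last_syllables is the surname already split at syllable breaks,
    e.g. ["Smith", "er", "ing", "ton"]; the split is done by a person.
    """
    initial = first_name[0].upper()
    room = MAX_LEN - len(initial) - TIEBREAK_RESERVE
    part = ""
    for syllable in last_syllables:
        if len(part) + len(syllable) > room:
            break  # stop at the last syllable break that still fits
        part += syllable.upper()
    if not part:
        # The first syllable alone is too long: fall back to a hard cut.
        part = last_syllables[0].upper()[:room]
    return initial, part


def assign_userid(first_name, last_syllables, taken):
    """Pick a unique UserID and record it in the set of IDs already taken."""
    initial, part = base_parts(first_name, last_syllables)
    # Plain form first, then tiebreakers A, B, C, ... in the second position.
    candidates = [initial + part]
    candidates += [initial + letter + part for letter in string.ascii_uppercase]
    for candidate in candidates:
        # The membership test also catches a tiebreaker form that collides
        # with another person's plain form (constructed case: MASMITH for
        # Marvin Smith versus Mark Asmith).
        if candidate not in taken:
            taken.add(candidate)
            return candidate
    raise ValueError("no free UserID left for " + initial + part)


if __name__ == "__main__":
    directory = set()
    # Constructed sample input following the names used in the text.
    for first, syllables in [
        ("Mary", ["Smith"]),
        ("Marvin", ["Smith"]),
        ("Mellisa", ["Smith", "er", "ing", "ton"]),
        ("Mark", ["As", "mith"]),
    ]:
        print(first, "->", assign_userid(first, syllables, directory))
```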

Password Length and Complexity

Most user IDs have been assigned by a system administrator to be used for each individual person to log into the network. In addition, there may exist other IDs for users to access specific databases or applications. It is permissible to use the same password for each system or application a user accesses.

In all cases each user is entirely and personally responsible to maintain the complexity and secrecy of his or her own password.

All passwords must consist of

  • At least 8 characters
  • A combination of uppercase and lowercase letters
  • Numbers
  • Special symbols (~!@#, and so on).

Remember, each password should have all of the above in it.

Please, it is important NOT to use

  • Your login name
  • Your dog or cat’s name
  • Anyone’s birthday
  • Any single word found in any dictionary in any language

Yes, this sounds difficult, but any of the above passwords are easy to guess or crack by an attacker trying to access the system. Even if you think you don’t have access rights to anything important, you must still protect the secrecy and complexity of your password. If an attacker can get in using your account, he has a foot in the door and may be able to break further into the network.

How then do you select a password that you don’t have to write down on a sticky note and attach to your monitor? (Please don’t ever do something like that! You might be surprised, but that is a very common way attackers get into systems.)

Remember, you must safeguard your password at all times, so if you need to write it down, put it into your wallet or purse where you keep your other valuables like a driver’s license or credit card.

Do you think you could come up with or remember a password that fits those requirements? How about the one here?

Il2satMoA!

It looks very difficult, but if you are told that it stands for "I love 2 shop at the Mall of America!" you won’t have any trouble remembering it. This is called a pass-phrase, and it helps to create a very complex password that is quite secure. Again, write it down but only store it with your valuables and don’t leave it lying around. Also, please don’t use this example since it has been shown here.
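A checker for the composition and forbidden-content rules listed above, as an added example that is not part of the original paper. The function name, the `personal_terms` parameter and the small constructed wordlist are assumptions; it shows that a password such as `Password1!` satisfies all four composition rules and is rejected only by the dictionary rule.

```python
import re

MIN_LENGTH = 8  # "At least 8 characters"

# Constructed stand-in for a real wordlist; a deployment would load a full
# multi-language dictionary here (assumption, not part of the policy text).
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "summer", "monkey"}


def check_password(password, login_name, personal_terms=(),
                   dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy rules the candidate password violates.

    An empty list means the password satisfies every rule modelled here.
    """
    violations = []

    # Composition rules: the policy requires all four at once.
    if len(password) < MIN_LENGTH:
        violations.append("length")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        violations.append("mixed_case")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("symbol")

    lowered = password.lower()

    # Forbidden content: the login name anywhere inside the password.
    if login_name and login_name.lower() in lowered:
        violations.append("login_name")

    # Pet names and birthdays cannot be known to the code, so the caller
    # passes them in as personal_terms (hypothetical parameter).
    if any(term and term.lower() in lowered for term in personal_terms):
        violations.append("personal_term")

    # A single dictionary word stays guessable after digits and symbols are
    # tacked on, so compare the letters-only core against the wordlist.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in dictionary:
        violations.append("dictionary_word")

    return violations


if __name__ == "__main__":
    # Constructed sample candidates; the first is the pass-phrase from the text.
    samples = [
        ("Il2satMoA!", "MSMITH", ()),
        ("Password1!", "MSMITH", ()),
        ("msmith", "MSMITH", ()),
        ("Rex!2001abcD", "MSMITH", ("Rex", "0704")),
    ]
    for candidate, login, terms in samples:
        result = check_password(candidate, login, terms)
        print(candidate, "->", result or "meets policy")
```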

Password Secrecy

Under normal circumstances no password is to be shared between people. If an instance arises where someone must log into a system to access another’s files, the owner of the login may share the password on a short, temporary basis to complete the needed work. At the earliest possible convenience the owner must create a new password, something unknown to others. If there is a reason for one person to access another’s files for longer than a few days, you should contact the helpdesk to request a change of access rights for your account.

Remember, you are entirely and solely responsible for any loss, damage, or misuse of data that may occur by anyone who logs on with your UserID and password. Keep your UserID, and especially your password secret.

Persons Exempt from the Password Policy

No one! Some people find password policies annoying and inconvenient, but how embarrassing or damaging to the <ORGANIZATION> would it be if the CEO or CTO’s PC and network accounts were hacked into and damage caused due to a weak password? Let’s all work together to ensure the security of the entire network.

Password Rotation

Passwords must be changed regularly to avoid the possibility of them eventually being discovered and compromised. Therefore, each user must change his or her password at least once every six months. The password may be changed more often, but you cannot reuse the same password within a three-month period.

Forgotten or Temporary Password Assignments

Occasionally a user may forget his or her password. When that occurs they are to call the helpdesk to request that a new, temporary password be assigned. Helpdesk will comply by scheduling or having a technician put in a new short-term password. Neither the helpdesk person nor the technician is permitted to divulge the new password to the person calling. They must both hang up; helpdesk will look up the user’s name in the <ORGANIZATION> employee phone directory. They will then call that number and leave the new password on voicemail after hearing the intended person’s recorded message. By taking this small extra step it will help to reduce the likelihood that an attacker could successfully obtain a login by impersonating a valid user.

Password Cracking

Part of maintaining a security policy is ensuring that there are no weaknesses caused by failure of some users to follow policies and procedures. There will be times when certain Information Systems personnel will test, or hire others to test, various portions of our enterprise to verify overall security. One test will use common tools to ensure that passwords are maintained with sufficient length and complexity as stated in the password policy. We will deliberately and purposefully run tests in a manner that will avoid cracking passwords that are crafted properly. Passwords that do not meet ALL of the requirements will most likely be discovered during this process.

This practice ensures privacy of data for the users who are helping contribute to the overall security of the <ORGANIZATION>’s resources by following security policies. Those users whose passwords do not meet the proper standards will be notified by email to correct the situation.

It is expressly against policy for anyone to run any type of password cracking tool or network penetration testing without proper authorization. Only certain specific persons who have proper documents on file with the <ORGANIZATION> Manager’s office are permitted to initiate or permit such activities. Disciplinary measures will be taken against those who violate this policy.

Network Infrastructure

Background

Routers, switches, firewalls, as well as various Unix and NT servers, comprise vital services that make possible the <ORGANIZATION>’s extensive data network. Management of these components is delegated to different groups, but they all must work together in a secure, stable, and managed way to provide an effective network. Because some of these components exist in the more vulnerable perimeters of the network, they necessarily must be hardened and configured appropriately.

Network Components

These components include

  • Routers
  • Switches
  • Firewalls
  • DNS Servers
  • Proxy Servers
  • Web Servers
  • FTP Servers

Network Component Passwords

Network components must be configured with passwords of the same type and complexity as described elsewhere in this document. Due to the critical nature of their functions they must be subject to more stringent policies, and therefore the passwords are managed as follows.

In keeping with the maxim to provide defense in depth, each infrastructure component located in or supporting the perimeter networks must have a unique password. In other words, the external Internet router, firewall, proxy servers, mail servers, DNS servers, FTP servers, and all other DMZ servers must have passwords totally different from each other and from all others anywhere in the network. The reasoning behind this is that if an attacker is able to penetrate one level of security he will have to start over at each new device, not having captured "the keys to the kingdom" after acquiring and cracking one system’s password file. For the same reason, only one or two critical administrator accounts, also with unique passwords, should ever be stored on a system in the perimeter network.

Network Component Passwords – Contingency Access

Two sealed envelopes containing passwords are to be stored in a locked box in the office of the Information Systems Director. One envelope will contain the logins and passwords for all routers, switches, and CSU/DSU’s maintained by Information Systems. The other envelope will contain the passwords for the Unix servers and all databases. In the event that the appropriate Network Support or Server Administrators are not available in an emergency, access to the secured envelopes can be provided by one of the following people:

John Smith – Information Systems Director

Mary Jones – Departmental Accountant

Judy Doe – Administrative Assistant

Network Component Passwords – Change Cycle

Passwords on infrastructure components must be changed at the following times.

  • At least once every three months
  • In the event that a password or system becomes compromised, all infrastructure passwords are to be changed as soon as possible
  • In the event that the sealed envelopes containing the passwords secured in the Director’s office are opened for any reason, the passwords are to be changed

Prior to any passwords being changed, a new sealed envelope containing the new passwords will be placed in the designated storage area in the I.S. Director’s office. The effective date of the new passwords is to be written on the outside of the envelope, along with the names of the supported equipment. Both the old and new envelopes are to be retained in the locked box until the next round of password changes, or until the next Security Audit Reporting Cycle occurs, whichever comes first. This will cover the unlikely contingency that one or more of the devices is overlooked in the password change process.

Network Component Passwords – Assignment and Responsibilities

Routers and LAN Switches

All routers and LAN switches are maintained and supported by the Network Services group of Information Systems. Login passwords and privilege-level passwords are assigned and retained as confidential by two support persons.

Bob – Network Services Manager

Fred – Network Engineer

Public Safety DSU/CSU’s

All DSU/CSU’s are maintained and supported by the Network Services group of Information Systems. Login passwords and privilege-level passwords are assigned and retained as confidential by three support persons.

Bob – Network Services Manager

Fred – Network Engineer

Marvin – VAX Support Technician

Network Infrastructure Support Servers

All Unix servers are administered by the Data Center Management Group. Root passwords are assigned and retained as confidential by three support persons:

Oscar – Data Center Manager

Ralph – Senior Systems Administrator

John – Unix Systems Administrator

Servers

Background

All network operating systems are subject to problems that don’t become evident until they have been in common use for some time. Manufacturers periodically release service packs and patches to repair what has been found. Additionally, there are services and features that may be useful in certain low-risk environments, but for the majority of installations they create unreasonable security and operational risks. As various vulnerabilities are discovered by users and specialists in the networking field, recommendations are made to make adjustments to operating systems to alleviate these problems.

New Server Prerequisites

In light of the need for remediation of identified problems, and the severe security risks posed by ignoring them, no server will be permitted to be connected to the <ORGANIZATION>’s operational network until it has been sufficiently hardened.

Procedures will be defined for each unique operating system to identify, document, and implement current best practices for each platform, to include, minimally, Microsoft Windows NT, Windows 2000, Novell, Unix, and Linux. These procedures will probably be the most dynamically updated, as vulnerabilities are announced almost daily. Sources from which these procedures will be drawn are the vendors themselves, the SANS Institute, and other reliable sources.

Production Server Patch Maintenance

A policy and procedure will be developed to allow quick dissemination of the current best practices for servers to ensure the production systems are kept in top condition. However, no patch or fix will be applied to any production system until it has been carefully tested on the development servers to ensure that the "cure" isn’t worse than the disease.

Workstations

New Workstations

Because the <ORGANIZATION> standard for PC desktop operating systems is Windows NT Workstation, workstations are subject to most of the same vulnerabilities experienced by NT Server. Therefore, all new workstations must be subject to the same policies and procedures as the servers to harden them. In addition, there are many applications and PC settings that can cause weaknesses in the integrity of the desktop, and even other systems on the <ORGANIZATION> network.

To create uniformity of setup and to ensure that known weaknesses have been resolved, it will be necessary to create a standardized image of PC desktops. It is expected that Novell Zenworks will be employed to help with the imaging and deployment of standardized setups.

…..

Backup Systems

……

Tape Rotation Schemes

Off Site Tape Storage

P & P’s for encrypting data on tapes going offsite

P & P’s for Tape Backups performed on Off-Site Servers

P & P’s for Tape Backups performed by Non-supported groups

Tape Integrity and Usability Testing

It does no good to run regular backups if valid, usable data is not actually stored on the tapes. Therefore, Backup Policy requires that backup log files are checked daily. In addition, periodic testing will be done to ensure that a complete system and data restoration can be done. Spare servers will be made available by the <ORGANIZATION> to make this essential step possible.


YOsaYqc6jHBaCwZhKZTp6LbIJoiHZ6Vu6gLuolxeCDRq6Q6psg+0OifE7JFgyXARBkNsZgAZv5nL CA6JkMIvZIZbpfiIYFdrZdlHY6y2mP0mKAeI9kFjcAx8wlUE8XGrA+0zoAcao/dQLaFxGAY00VMk GRglEzFDLAt2lMd5UCWG4UuIZ94jX2naNEDfWWjv/kuusH7jRCaHtt/UolQxz/7LFkFtZz9kBFjn B8ZlOHV+zEes5cf5uA4Fy8P9lc1Xvc8fpHJnIX0x6qA4+vwAPHb8Rh4X4CYCCl+b1MIAyArP/kId 1bdO8zum58vEYnHVQ45ywKAh3gkwxj7++YwKhF4P6iP/AAJALY0/v9Q06u0VmU0ym1mB02VrPzMo 8PPiUQYb79oE6cNPxFRFoKgFK95kJypk4z2iHceh1Gyj7yllzAMJxMh6X6FlRRV4IlwcwdiqWW3M Ajp9LxX0V/ELrAeWaBxAhlv1xHkY9clXMepHrSxLqV6GPQj2QFSVNwMmGxlMFqABR6XCqtNAteds 4jUYLEqV9b6m4zDPoG4Yj/8ABtNU09Lv+TV/8Ox19DaG3po/SQ9P/9k= ------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/searchblack.gif R0lGODlh0wEnALMAAMzM/zNmmWaZzABmmTOZmZnMzMz//////8zMzJmZmWZmZjMzMwAAAAAAAAAA AAAAACH5BAAAAAAALAAAAADTAScAAAT/8MlJq7046827/2AojmRpnmiqrmzrvnAsz3Rt33iu73zv /8CgcEgsGo/IpHLJbDqf0Kh0Sq1ar9isdsvter/gsHhMLpvP6LR6zW6733DPYE6v2+/4vH7P7/v/ gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4 ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx 8vP09dBx+Pn6+/z9/v8AAwocSLCgwYMIEypcyLChw4cQI0qcSLGixYsYM2rcyLGjRw0RAQAAOw== ------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: image/jpeg Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/smqueen.jpg /9j/4AAQSkZJRgABAgEASABIAAD//gAmRmlsZSB3cml0dGVuIGJ5IEFkb2JlIFBob3Rvc2hvcKgg NS4w/+4ADkFkb2JlAGSAAAAAAf/bAIQADAgICAkIDAkJDBELCgsRFQ8MDA8VGBMTFRMTGBEMDAwM DAwRDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAENCwsNDg0QDg4QFA4ODhQUDg4ODhQRDAwM DAwREQwMDAwMDBEMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM/8AAEQgAMgAyAwEiAAIRAQMR Af/dAAQABP/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIEBQYHCAkKCwEAAQUBAQEBAQEAAAAAAAAA AQACAwQFBgcICQoLEAABBAEDAgQCBQcGCAUDDDMBAAIRAwQhEjEFQVFhEyJxgTIGFJGhsUIjJBVS wWIzNHKC0UMHJZJT8OHxY3M1FqKygyZEk1RkRcKjdDYX0lXiZfKzhMPTdePzRieUpIW0lcTU5PSl 
tcXV5fVWZnaGlqa2xtbm9jdHV2d3h5ent8fX5/cRAAICAQIEBAMEBQYHBwYFNQEAAhEDITESBEFR YXEiEwUygZEUobFCI8FS0fAzJGLhcoKSQ1MVY3M08SUGFqKygwcmNcLSRJNUoxdkRVU2dGXi8rOE w9N14/NGlKSFtJXE1OT0pbXF1eX1VmZ2hpamtsbW5vYnN0dXZ3eHl6e3x//aAAwDAQACEQMRAD8A 5PJ65iY17qLGWFzIktDY1G7u8eKF/wA5MH/R2/c3/wAmsfrP/KV39n/qWqmpMh4ZyA2BIa+LFGWO EjvKIJ+oek/5yYP+jt+5v/k0v+cmD/o7fub/AOTQ/qb0npfVupDGzTY19RFzQ0bm2NaffjWf6Pf7 f0n9ddV9efqp0DHw7euBtmE4DaMapoDLLXaVaf4H963ame4bpf7EPF5n/nJg/wCjt+5v/k0v+cmD /o7fub/5Nc2kjxFXsQ8XukkklI1H/9DzbrP/ACld/Z/6lqpq51n/AJSu/s/9S1U0/L/OT/vS/Njw fzOP+5H/AKL0H1H6w7pfX6CBuZlEUP5BG9w2ObH8tdn/AI1/rBfXgY/Rdg/WwLrXEkkMY79G1v8A XsavNulT+1MOOfXqj/Paus/xtuLvrLSOzcOsD/OtUdasjxKSSSKnukkklM57/9HzbrP/ACld/Z/6 lqprbz+j5OTl2X1uYGviA4mdGhvZp8FX/wCb+b+/V97v/IKfJgyGcyImjItXDzOEY4AzAIjEH7Hp f8Xv1Ox+q7esZGQA3FuHp47NSXs22Ndfr7K10/8AjC+pjOq47ursyBTlYWOZa7+bexm62C+f0dnu dtXneFgdbwLPUwsv7O88mt72z/W2t9ysZx+tPUavRzepOvq/0b7XlvzZt2pn3fNfylk+9YP84HnE lp/83839+r73f+QS/wCb+b+/V97v/II/d8v7hV96wf5wPTpKHqN80lJ7OT90tL3YfvB//9LnUlxi S2nnXs0lxiSSns0lxiSSns0lxiSSn//Z ------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/policy/transparent.gif R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAEBMgA7 ------=_NextPart_000_000F_01C10FA6.58A30130--