Security policy and its implementation - PowerPoint PPT Presentation

Provided by: JimBr87
Slides: 28

Transcript and Presenter's Notes


1
Security policy and its implementation
2
What is security?
  • Security broadly means three things
    • Confidentiality - information is not made
      accessible to people who are not authorised to
      see it
    • Integrity - information is protected from
      unauthorised modification, is complete and can
      be relied upon
    • Availability - information is available when you
      need it

3
Security aspects
  • Non-technical (e.g. physical) threats
    • Fire
    • Flood, etc.
    • Staff absence
  • Not really a part of this unit, but
    • Not all security threats are malicious or
      intentional
    • More information is lost by accident than stolen

4
Risk assessment
  • Identify threats
  • For each threat, determine/estimate
    • Probability of occurrence
    • Cost of event: value of data, lost business
    • Cost of prevention and/or recovery
  • Where predicted loss is greater than predicted
    cost, you need to do something about it

5
Types of threat
  • Illustration
    • Alec is providing information for Bert
    • Charlie is someone who shouldn't have access to
      that information
  • Interception (unauthorised access)
  • Denial of service
  • Impersonation
  • Hijack
  • Repudiation

6
Malicious code
  • Often a part of a security threat
  • Types of malicious code
    • Viruses
    • Worms
    • Trojan horses
    • Back doors

7
Web specific examples 1
  • Web content with malicious intent, e.g.
    • Sexygirls.com (Tiwana, 1999)
      • Download a custom "web viewer" that dials a
        long-distance ISP, connects and displays images
      • Phone bill at the end of the month difficult to
        contest
  • Example of virus and Trojan downloads

8
Web specific examples 2
  • IP or website spoofing
    • machine-machine trust violated
    • spoofed site usually to gather data
      • credit card details
      • personal address or contact details
    • Usually a close mock-up of the real website, e.g.
      for e-commerce

9
Web specific examples 3
  • Denial of service, e.g.
    • DDoS attacks on Microsoft, Amazon, eBay, etc.
    • Attacks on Estonian systems 2007
    • Timed assault launched by a virus
  • JavaScript security problems, e.g.
    • "Freiburg Attack"
      • Uses a 1x1 pixel wide invisible frame
      • JavaScript to scan PC and upload files
      • What files would be targeted?

10
Security policy 1
  • Identify in appropriate detail
    • Protected items
      • What needs protection?
      • What type of protection does each item need?
    • Authorisation
      • Who needs authorisation?
      • What types of authorisation are needed?
      • Who authorises such access?
      • Normally based on roles, e.g.
        • General public
        • General employee of organisation
        • Employee with specific function - e.g.
          managerial
        • Updater
        • System administrator

11
Security policy 2
  • Implementation of access control
    • How to implement access control?
    • What monitoring of accesses is going to be done?
    • Who is going to refer to the logs?
  • Management of changes
    • How are new users to be added and old ones
      deleted?
    • How are new items to be protected?

12
Security policy 3
  • How are complaints and requests about the server
    and page content to be handled?
  • How and when should the policy itself be updated?
  • How should the organisation react to security
    issues?
  • Who is allowed to speak to members of the press,
    police, etc. in the event of questions or an
    incident?
  • How much information about a successful
    penetration should be made public?

13
Policy architecture
  • Security policy issues often split
    • Privacy policy
      • e.g. http://privacy.yahoo.com/
    • Acceptable use policy
      • e.g. http://www.ja.net/documents/use.html
    • Site security policy
      • e.g. http://secinf.net/info/policy/AusCERT.html
    • Web access policy
      • http://medlib.med.utah.edu/hug/basic/hugwebaccesspolicy.html

14
Implementation
  • Costs of implementing security
    • Need to be analysed
    • Compared with the predicted costs of not doing
      anything
  • Business decision: what security to implement?
    what is cost-effective?
  • Need a formal backup and recovery procedure to
    support security

15
After intrusion
  • Ascertain cause
    • Pre-requisite for recovery action
    • Do we know how the attackers got in?
    • Were we let down by someone else's failing or
      our own mistakes?
  • Assess damage
    • How do you know what they accessed/changed?
  • Plan recovery
    • Do you have a pre-prepared plan to implement?
    • What do you need to do to get your systems
      running normally again?
    • What do you need to do to reassure/appease/
      reimburse your customers/users?
  • Plan avoidance of repeat
    • What do we need to do to prevent it happening
      again?

16
Types of protection
  • Security is always a trade-off against
    convenience
  • There are four broad areas of concern
    • Physical security
    • Operating system and platform security
    • Network security
    • User security and user awareness

17
Physical security
  • Threat: with physical access to the computer, an
    attacker could
    • Switch it off (pull the plug)
    • Physically destroy data (e.g. by applying a
      hammer to the disk)
    • Gain privileged access via a console
    • Introduce new software
  • Response
    • access controls
    • locks and keys
    • keep under observation

18
Platform security
  • Threats
    • Bugs in software
    • Known back doors
    • Unused/unnecessary features
    • Accidental misuse
  • Responses
    • Monitor security alerts
    • Install patches
    • Make someone responsible for this
    • Harden your operating system
      • Only mount essential components
      • Document need and protection in security policy

19
Network security
  • Threats
    • Unauthorised access
    • Misuse by authorised people
    • Excessive access
    • Denial of service
  • Responses
    • Firewalls, to filter the packets that are
      permitted to reach the web server
    • Network address translation schemes, to hide the
      internal network addresses
    • Use of proxy servers to filter and moderate
      requests
    • Security self-tests (white hat intrusion)

20
User security
  • Threats
    • Many users are just too trusting
    • Social engineering ("phishing") can push users
      to willingly break known safety rules, e.g.
      • "There is a problem with your account. Please
        change your password to NowSafe and await
        further instructions..."
      • "There is a problem with your account and we
        are unable to bill your credit card. Please
        enter your credit card number and expiry date
        in the spaces below and click the SUBMIT
        button."
      • AOL reminder on every page about passwords
    • Smooth-tongued callers
  • Responses
    • Well-defined company policies
    • Educate users on risks
    • Train users in good practice
      • Role-play training helpful in establishing
        good employee habits
    • Monitor users

21
Server configuration
  • A web server can be set up to restrict access to
    its site(s)
  • Restrictions can be applied to part of the site
    (called a "realm")
  • There are two types of restriction
    • Restrict access by identified users or groups of
      users
    • Restrict access by identified host or group of
      hosts
  • Restrictions can be mixed
    • but be aware of errors hidden in complex
      solutions

22
Access by user
  • If the server receives a request for a restricted
    URL, it sends back to the browser a challenge
    (stating the realm)
  • The browser invites its user to enter a username
    and password for the realm
  • The browser resubmits the request with the
    credentials, i.e. username/password
  • Server checks: if OK, serve page; if not, back
    to step 2 or fail "unauthorised"

23
User authentication
  • Two forms of authentication
    • Basic: username and password in clear text;
      not good unless hidden in an SSL transaction
    • Digest: uses an MD5 cryptographic checksum and
      a random nonce value
  • Browsers normally retain username and password
    for reuse when other challenges come from the
    same realm
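The following is an added example, not code from the slides or from Apache: it walks through the four steps of the "Access by user" slide and the two schemes of the "User authentication" slide in one place. The realm name, the user "alice", her password and the nonce values are constructed for the example. It shows why Basic is "clear text" (base64 is an encoding, not encryption), and why Digest sends only an MD5 over the password and the server's random nonce, so the server can store the MD5(user:realm:password) value instead of the password and can refuse a captured response that carries a nonce it did not issue.

```python
# Added example (not from the slides): the four-step "Access by user" exchange
# with both Basic and Digest (RFC 2617, qop=auth) authentication.
# Realm, users and nonces below are constructed values.
import base64
import hashlib
import hmac
import secrets

REALM = "Staff Intranet"               # constructed realm name sent in the challenge
USERS = {"alice": "correct horse"}     # constructed credential store (plaintext, used by Basic)


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# A Digest server only needs HA1 = MD5(user:realm:password), never the password itself
HA1_STORE = {u: md5hex("%s:%s:%s" % (u, REALM, p)) for u, p in USERS.items()}


def challenge(scheme, nonce=None):
    """Step 1: the server answers a restricted URL with 401 and a WWW-Authenticate header."""
    if scheme == "Basic":
        return 'Basic realm="%s"' % REALM
    return 'Digest realm="%s", qop="auth", nonce="%s", algorithm=MD5' % (REALM, nonce)


def basic_authorization(user, password):
    """Step 3 (Basic): base64 is an encoding, not encryption; this is clear text on the wire."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5hex("%s:%s" % (method, uri))
    return md5hex("%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))


def digest_authorization(user, password, method, uri, nonce, cnonce, nc="00000001"):
    """Step 3 (Digest): only an MD5 over the password and the server's nonce is sent."""
    ha1 = md5hex("%s:%s:%s" % (user, REALM, password))
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s"' % (user, REALM, nonce, uri, nc, cnonce, resp))


def parse_digest(header):
    """Split the comma-separated key=value fields of an Authorization: Digest header."""
    fields = {}
    for part in header[len("Digest "):].split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def verify(authorization, method, uri, issued_nonce):
    """Step 4: check the credentials; return the authenticated username or None."""
    if authorization.startswith("Basic "):
        try:
            user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
        except ValueError:            # covers binascii.Error and UnicodeDecodeError
            return None
        if user not in USERS:
            return None
        return user if hmac.compare_digest(USERS[user].encode(), password.encode()) else None
    if authorization.startswith("Digest "):
        f = parse_digest(authorization)
        ha1 = HA1_STORE.get(f.get("username", ""))
        # the nonce must be the one this server issued, so a captured response cannot be replayed later
        if ha1 is None or f.get("nonce") != issued_nonce or f.get("uri") != uri:
            return None
        expected = digest_response(ha1, method, uri, issued_nonce, f.get("nc", ""), f.get("cnonce", ""))
        return f["username"] if hmac.compare_digest(expected.encode(), f.get("response", "").encode()) else None
    return None


def serve(method, uri, authorization=None, scheme="Digest", nonce=None):
    """Steps 1-4 together: (200, user) on success, else (401, challenge), i.e. back to step 2."""
    nonce = nonce or secrets.token_hex(16)
    if authorization is not None:
        user = verify(authorization, method, uri, nonce)
        if user is not None:
            return 200, user
    return 401, challenge(scheme, nonce)


if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    print(serve("GET", "/admin/", nonce=nonce))                            # step 1: 401 + challenge
    auth = digest_authorization("alice", "correct horse", "GET", "/admin/", nonce, "cn1")  # steps 2-3
    print(serve("GET", "/admin/", auth, nonce=nonce))                      # step 4: (200, 'alice')
```

On a real Apache server the same behaviour is configured rather than coded: `AuthType Basic` or `AuthType Digest`, `AuthName` for the realm and `Require valid-user` on the protected location. The example keeps a fixed nonce per call to stay deterministic; a production server would also expire nonces and track the `nc` counter so that a response cannot be replayed within the nonce's lifetime.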

24
Access by host
  • Access restrictions by host can be specified by
    • IP address (e.g. 204.255.230.13)
    • Domain name (e.g. port.ac.uk)
  • Partial addresses/domains can be used
    • e.g. 204.255. can be used to specify a
      restriction to all hosts whose IP address starts
      with 204.255.
    • e.g. ac.uk would specify a restriction for all
      hosts from an academic UK domain
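An added example (not from the slides, and not Apache's own code) of how the host rules on this slide are matched. The client addresses, reverse-DNS names and rule lists are constructed. It goes slightly beyond the slide in two ways: an IP prefix such as 204.255. is compared octet by octet (so it does not cover 204.25.5.13) and can also be written as a CIDR block, and a domain suffix such as ac.uk is matched on whole labels so that hack.uk or port.ac.uk.example.com do not slip through. Note the caveat that the domain name comes from a reverse DNS lookup of the client address, which the owner of that address range controls, so domain rules are only as strong as that lookup; Apache reduces the risk with a double-reverse lookup (resolving the name forward again and checking the address is among the results).

```python
# Added example (not from the slides): host-based access rules as on the
# "Access by host" slide.  Addresses, names and rules below are constructed.
import ipaddress


def ip_matches(client_ip, rule):
    """IP rules: an exact address, a dotted prefix such as '204.255.' or a CIDR block."""
    addr = ipaddress.ip_address(client_ip)
    if "/" in rule:
        return addr in ipaddress.ip_network(rule, strict=False)
    if rule.endswith("."):
        # compare whole octets, so '204.255.' matches 204.255.230.13 but not 204.25.5.13
        want = rule.rstrip(".").split(".")
        return client_ip.split(".")[:len(want)] == want
    return addr == ipaddress.ip_address(rule)


def domain_matches(hostname, rule):
    """Domain rules match whole labels from the right: 'ac.uk' covers port.ac.uk and
    ac.uk itself, but not hack.uk or port.ac.uk.example.com."""
    host = hostname.lower().rstrip(".")
    suffix = rule.lower().strip(".")
    return host == suffix or host.endswith("." + suffix)


def rule_matches(client_ip, reverse_name, rule):
    """IP rules are recognised by a leading digit, a ':' (IPv6) or a '/'; anything else is a domain.
    reverse_name is the client's reverse-DNS name, or None if the lookup failed."""
    if "/" in rule or ":" in rule or rule[0].isdigit():
        return ip_matches(client_ip, rule)
    return reverse_name is not None and domain_matches(reverse_name, rule)


def is_allowed(client_ip, reverse_name, allow_rules, deny_rules=()):
    """Deny rules win over allow rules; a request matching no allow rule is refused."""
    if any(rule_matches(client_ip, reverse_name, r) for r in deny_rules):
        return False
    return any(rule_matches(client_ip, reverse_name, r) for r in allow_rules)


if __name__ == "__main__":
    allow = ["204.255.", "ac.uk"]                      # constructed rule list from the slide
    for ip, name in [("204.255.230.13", None),          # no reverse DNS, still allowed by prefix
                     ("192.0.2.10", "www.port.ac.uk"),  # allowed by domain suffix
                     ("192.0.2.11", "www.hack.uk")]:    # refused: 'hack.uk' is not under ac.uk
        print(ip, name, is_allowed(ip, name, allow))
```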

25
Cautions
  • Browsers cache credentials
    • In memory for the session
    • On disc if so configured

26
More information
  • The security tutorials listed at
    http://httpd.apache.org/docs/misc/tutorials.html
  • The Apache documentation at
    http://httpd.apache.org/docs/
  • The Computer Emergency Response Team (CERT) at
    http://www.cert.org
  • Centre for the Protection of National
    Infrastructure (CPNI) http://www.cpni.gov.uk/

27
More information
  • NetworkIce is a company dealing with network
    security software and services at
    http://advice.networkice.com/Advice/default.htm
  • SecurityFocus, for discussion and news at
    http://www.securityfocus.com