Ce hv6 module 49 creating security policies

Ethical Hacking
C tCountermeasures
Version 6
Mod le XLIXModule XLIX
Creating Security Policies

News
EC-Council
Copyright © byEC-CouncilAll Rights Reserved.
Reproduction is Strictly Prohibited
Source: http://www.darkreading.com/

Module Objective
This module will familiarizes you with:
• Security Policies
• Key Elements of Security Policy
• Role of Security Policy
• Classification of Security Policy
• Configurations of Security Policy
• Types of Security Policies
E mail Security Policy• E-mail Security Policy
• Software Security Policy
• Points to Remember While Writing a Security Policy
EC-Council

Module Flow
Classification of Security
Security Policies E-mail Security Policy
Classification of Security
Policy
Key Elements of Security
P li
Configurations of Security
P li
Software Security Policy
Policy Policy
Role of Security Policy Types of Security Policies
Points to Remember
While Writing a Security
Polic
EC-Council
Policy

Security Policies
Security policies are the foundation of the security infrastructurey p y
A security policy is a document or set of documents that describes the security
controls that will be implemented in the company at a high levelp p y g
Without them, you cannot protect your company from possible lawsuits, lost
revenue, bad publicity, and basic security attacks
Policies are not technology specific and
do three things for a company:
• Reduce or eliminate legal liability to employees and third
parties
• Protect confidential, proprietary information from theft,
h d d l d f
EC-Council
misuse, unauthorized disclosure, or modification
• Prevent waste of company computing resources

Key Elements of Security Policy
Clear communication
Brief and clear information
Defined scope and applicability
Enforceable by lawEnforceable by law
Recognizes areas of responsibility
Sufficient guidance
Top management involvement
EC-Council

Defining the Purpose and Goals
of Security Policyof Security Policy
Purpose of Security Policy
• To maintain an outline for the management and
administration of network security
p y y
• To reduce risks caused by:
• Illegal use of the system resource
• Loss of sensitive, confidential data, and potential property
• Differentiate the user’s access rights
Goals of Security Policy
• Protection of organization’s computing resources
• Elimination of strong legal liability from employees or third
parties
EC-Council
• Ensuring customers’ integrity and preventing unauthorized
modifications of the data

Role of Security Policy
Suggests the safety measures to be followed in anSuggests the safety measures to be followed in an
organization
Provides set of protocols to the
administrator on
• How the users work together with their systems?
• How those systems should be configured?
H t t h th t i tt k d?• How to react when the system is attacked?
• When susceptibilities are found?
EC-Council

Classification of Security Policy
User PolicyUser Policy
• Defines what kind of user is using the network
• Defines the limitations that are applied on users to secure the
network
• Password Management Policy
• Protects the user account with a secure password
IT Policy
D i d f IT d t t t k th t k d t bl• Designed for IT department to keep the network secure and stable
• Following are the three different IT policies:
• Backup Policies
• Server configuration, patch update, and modification policies
Fi ll P li i
EC-Council
• Firewall Policies

(cont’d)(cont d)
General PoliciesGeneral Policies
• Defines the responsibility for general business purposes
• The following are different general policies:
• High Level Program Policy
B i C i i Pl• Business Continuity Plans
• Crisis Management
• Disaster Recovery
P t P liPartner Policy
• Policy that is defined among a group of partners
EC-Council

(cont’d)(cont d)
Issue Specific Policies
• Recognize specific areas of concern and describe the organization's status for top level
management
• Involve revision and up gradation of policies from time to time, as changes in
technology and related activities take place frequentlygy p q y
I St t t
Components:
• Issue Statement
• Statement of the Organization's Position
• Applicability
• Roles and Responsibilities
• Points of Contact• Points of Contact
• Physical security
• Personnel Security
• Communications Security
• Administrative Security
EC-Council
y
• Risk Management
• System Management

Design of Security Policy
Guidelines should cover the following points as policy
structure:structure:
Detailed description of the policy issues
Description about the status of the policy
A li bili f h li h iApplicability of the policy to the environment
Functionalities of those affected by the policy
Compatibility level of the policy is necessary
EC-Council
End-consequences of non-compliance

Contents of Security Policy
High level Security Requirements
• This statement features the requirement of a system to implement security
policies that include discipline security, safeguard security, procedural
security, and assurance security
• Focuses on security disciplines, safeguards, procedures, continuity of
operations, and documentation
Policy Description based on requirement
operations, and documentation
D fi h l ibili i d f i f i li
Security concept of operation
• Defines the roles, responsibilities, and functions of a security policy
Allocation of security enforcement to architecture
elements
EC-Council
• Provides a computer system architecture allocation to each system of the
program

Configurations of Security Policy
Provides a way to configure services that are installed and available depending on
Role-Based Service Configuration
• Provides a way to configure services that are installed and available depending on
the server’s role and other features
Network Security
• Designed to configure inbound ports using Windows Firewall
Registry Settings
• Designed to configure protocols used to communicate with computers on the
network
Audit Policy
• Designed to configure the auditing of the server based on auditing objectives
Audit Policy
Internet Information Service
EC-Council
• Designed to configure the security feature of Internet Information Services (IIS)
Internet Information Service

Implementing Security Policies
Implementation follows after building, revision, and updating ofImplementation follows after building, revision, and updating of
the security policy
Final version must be made available to all of the staff members in
the organization
For effective implementation, there must be rotation of the job so
that data must not be handled by few people
Proper security awareness program, cooperation, and coordination
EC-Council
p y p g , p ,
among employees is required

Types of Security Policies
Promiscuous Policy
Permissive Policy
Prudent Policy
Paranoid Policy
Acceptable-Use Policy
User-Account Policy
Remote-Access Policy
Information-Protection Policy
Firewall-Management Policy
Special-Access Policy
Network-Connection Policy
Business-Partner Policy
O h I P li i
EC-Council
Other Important Policies

Promiscuous Policy
No Restrictions on Internet/Remote
d l k k d i i h
No Restrictions on Internet/Remote
Access
• Good luck to your network administrator, you have our
blessings...
EC-Council

Permissive Policy
K d i / k bl k dKnown dangerous services/attacks blocked
Policy begins wide open
Known holes plugged, known dangers stopped
Impossible to keep up with current exploits;
administrators always play catch-up
EC-Council

Prudent Policy
Provides maximum security while allowing known buty g
necessary dangers
All services are blocked nothing is allowedAll services are blocked, nothing is allowed
Safe/necessary services are enabled individuallySafe/necessary services are enabled individually
Nonessential services/procedures that cannot be made safe
are not allowed
Everything is logged
EC-Council
Everything is logged

Paranoid Policy
No Internet Users find ways
Everything is
forbidden
No Internet
connection, or
severely limited
I t t
Users find ways
around overly
severe
t i tiInternet usage restrictions
EC-Council

Acceptable-Use Policy
Should users read and copy files that are not their own but are accessible to them?
Should users modify files that they have write access to but are not their own?
Should users make copies of system configuration files (for example, /etc/passwd and SAM)
for their own personal use or to provide to other people?
Should users be allowed to use .rhosts files? Which entries are acceptable?
Should users be allowed to share accounts?
EC-Council
Should users have the ability to make copies of copyrighted software?

User-Account Policy
Who has the authority to approve account requests?y pp q
Who (employees, spouses, children, company visitors, for
instance) are allowed to use the computing resources?
May users have multiple accounts on a single system?
May users share accounts?
What are the users' rights and responsibilities?
EC-Council
When should an account be disabled and archived?

Remote-Access Policy
Who is allowed to have remote access?
What specific methods (such as cable modem/DSL or dial-up)
does the company support?p y pp
Are dial-out modems allowed on the internal network?
Are there any extra requirements, such as mandatory anti-virus
and security software, on the remote system?
May other members of a household use the company network?
EC-Council
Do any restrictions exist on what data may be accessed remotely?

Information-Protection Policy
What are the sensitivity levels of information?What are the sensitivity levels of information?
Who may have access to sensitive information?Who may have access to sensitive information?
How is sensitive information stored and transmitted?How is sensitive information stored and transmitted?
What levels of sensitive information may be printed in publicW at eve s o se s t ve o at o ay be p ted pub c
printers?
How should sensitive information be deleted from storage media
EC-Council
How should sensitive information be deleted from storage media
(paper shredding, scrubbing hard drives, and degaussing disks)?

Firewall-Management Policy
Who has access to the firewall systems?Who has access to the firewall systems?
Who should receive requests to make a change to the firewallq g
configuration?
Who may approve requests to make a change to the firewally pp q g
configuration?
Wh h fi ll fi i l d li ?Who may see the firewall configuration rules and access lists?
EC-Council
How often should the firewall configuration be reviewed?

Special-Access Policy
Who should receive requests for special access?Who should receive requests for special access?
Who may approve requests for special access?Who may approve requests for special access?
What are the password rules for special access accounts?What are the password rules for special-access accounts?
H ft d h d?How often are passwords changed?
What are the reasons or situations that would lead to revocation of
EC-Council
What are the reasons or situations that would lead to revocation of
special-access privileges?

Network-Connection Policy
Who may install new resources on the network?Who may install new resources on the network?
Who must approve the installation of new devices?Who must approve the installation of new devices?
Who must be notified that new devices are being added to theg
network?
Wh h ld d t t k h ?Who should document network changes?
Are there any security requirements for the new devices being
EC-Council
Are there any security requirements for the new devices being
added to the network?

Business-Partner Policy
Is it mandatory for a company required toy p y q
have a written security policy?
Should each company have a firewall or other
perimeter security device?
How will one communicate (virtual private
networking [VPN] over the Internet, leased
line, and so forth)?, )
How will access to the partner's resources be
EC-Council
requested?

Other Important Policies
A wireless network policy, which helps to secure wireless
networks, includes which devices are allowed to be connected,
what security measures should be followed, and so forth
A lab policy discusses how to protect the internal network from
the insecurities of a test lab
The best option is to keep the test lab on a completely separate
Internet connection and without connecting it in any way to the
internal corporate network
EC-Council

Policy Statements
The policy is really only as good as the policy statements that it contains. Policy
statements must be written in a very clear and formal style
Good examples of policy statements are:
statements must be written in a very clear and formal style
• All computers must have antivirus protection activated to provide real-
time, continuous protection
• All servers must be configured with the minimum of services to perform
their designated functionstheir designated functions
• All access to data will be based on a valid business need and subject to a
formal approval process
• All computer software must always be purchased by the IT department in
accordance with the organization’s procurement policyaccordance with the organization s procurement policy
• A copy of the backup and restoration media must be kept with the off-site
backups
• While using the Internet, no person is allowed to abuse, defame, stalk,
harass or threaten any other person or violate local or international legal
EC-Council
harass, or threaten any other person or violate local or international legal
rights

Basic Document Set of Information
Security Policiesy
EC-Council

E-mail Security Policy
An e mail security policy is created to govern the proper usage ofAn e-mail security policy is created to govern the proper usage of
corporate e-mail
Things that should be in an email
security policy:
• Define prohibited use
• If personal use is allowed, it needs to be defined
• Employees should know if their emails are reviewed
and/or archivedand/or archived
• What types of email should be kept and how long
• When to encrypt email
• Consequences of violating email security policy
EC-Council

Best Practices for Creating E-mail
Security PoliciesSecurity Policies
Employees should know the rights granted to them byEmployees should know the rights granted to them by
organization in respect of privacy in personal e-mails
transmitted across the organization’s system and network
Employees should not open an e-mail or attached files without
ensuring that the content appears to be genuine
Conditional and sensitive information should not be
transmitted by e-mail, unless it is secured by encryption or any
other secure techniquesother secure techniques
Employees should be familiar with general good e-mail policies
such as, the need to save, store file e-mail with business
EC-Council
contents same as storage of letters, and other traditional e-
mails

User Identification and Passwords
PolicyPolicy
Each user is allocated an individual user name and password
Requests for new computer accounts and for termination of
existing computer accounts must be formally authorized to the
IT Help Desk/relevant IT resource by the relevant manager
Staff must notify the IT Help Desk/relevant IT resource when
moving to a new position or location within "Company Name“
Line management must notify staff about changes, that might
EC-Council
g y g , g
affect security

User Identification and Passwords
Policy (cont’d)Policy (cont d)
All user accounts should have the
following password settings:
• Minimum password length of 8 characters
• A combination of alpha, numeric, and punctuation
should be usedshould be used
• Users are forced to change their passwords every
(insert number) days
• Users cannot repeat passwords
A t l k d ft (i t b ) i t• Accounts are locked after (insert number) incorrect
login attempts
EC-Council

Software Security Policy
Software must not be copied removed or transferred to anySoftware must not be copied, removed, or transferred to any
third party or non- organizational equipment
Only software that has been authorized by the IT Department
must be used on PCs and notebook computers connected to
the "Company Name" IT network
Downloading of any executable files (.exe) or software from
the Internet must be prohibited without written authorization
from the IT Department/relevant IT resourcefrom the IT Department/relevant IT resource
Regular reviews of desktop software should be undertaken
and the presence of unauthorized software should be
EC-Council
and the presence of unauthorized software should be
investigated

Software Licence Policy
Copyright stipulations governing vendor-supplied software
must be observed at all times
Software that is acquired on a trial basis must be used inSoftware that is acquired on a trial basis must be used in
accordance with the vendor's copyright instructions
All software developed within Company is the property of the
Company and must not be copied or distributed without prior
written authorization from the IT Department
EC-Council

Points to Remember While
Writing a Security PolicyWriting a Security Policy
Designing the best possible Security Policy for the network
Stakeholders of the organization must aid the security
professional in steering policy developmentprofessional in steering policy development
P li d l t t b d i d d d ti lPolicy development must be devised and processed entirely
by the security professional and it should be expanded only
with the stakeholders’ input
EC-Council

S l P li iSample Policies
EC-Council

Remote Access Policy
EC-Council
Source: http://www.watchguard.com/

Wireless Security Policy
EC-Council

Wireless Security Policy (cont’d)
EC-Council

E-mail Security Policy
EC-Council

E-mail and Internet Usage
PoliciesPolicies
EC-Council

Personal Computer Acceptable
Use PolicyUse Policy
EC-Council

Firewall Management policy
EC-Council
Source: http://www.state.tn.us/

Internet Acceptable Use Policy
EC-Council
Source: http://www.ruskwig.com/

User Identification and Password
PolicyPolicy
EC-Council
Source: http://www.enterprise-ireland.com/

Software Licence Policy
EC-Council
Source: http://www.enterprise-ireland.com/

Summary
Security Policy is a set of objectives and rules of behavior for users and
d i i t tadministrators
Prudent Policy provides maximum security while allowing known but necessary
dangersg
Security Policy suggests the safety measures to be followed in an organization
Security Policy Implementation follows after building, revision, and updating of
the security policy
A wireless network policy helps to secure wireless networks, including which
devices are allowed to be connected, what security measures should be followed
A il i li i d h f
EC-Council
An e-mail security policy is created to govern the proper usage of corporate e-
mail

EC-Council

Ce hv6 module 49 creating security policies

More Related Content

What's hot (19)

Similar to Ce hv6 module 49 creating security policies (20)

More from Vi Tính Hoàng Nam (20)

Recently uploaded (20)

Ce hv6 module 49 creating security policies