Site and Infrastructure Security Policy
A site and infrastructure security policy outlines security with regard to the office, building, or buildings in which the company functions, and the computing and network infrastructure it uses. The business site provides the first physical perimeter for the organization, as well as the first focus for security. The computing infrastructure includes desktop systems, servers, network equipment such as routers and firewalls, and other computing resources used within the organization. The procedures and methods applied to these systems, the environment in which they exist, and their use constitute the site and infrastructure security policy.
Facilities and Physical Security Considerations
In this inter-networked age, many people often associate security with its more virtual aspects: network, operating system, and application security, the underground, crackers, and all of the media-hyped fear, uncertainty, and doubt that surrounds them. Prior to this time, the term security conjured images of armed guards or large, burly men posted by each door. Physical security is a large component of any security policy, and rightfully so. The front door is the most easily utilized point of attack.
The site and infrastructure security policy should outline the methods used to provide and control physical access to the building and the conditions under which access is granted. Important elements are
Methods of physical access
Procedures by which access is granted, modified, or denied
Access restrictions based on employee status
Hours of operation
Points of contact for access
Procedures for incident handling and escalation levels
Physical access methods describe the actual means of accessing the facility, offices, labs, or other areas. These are often a lock and key, proximity cards, or biometric methods. Consideration should also be given to guidelines for the appropriate use and handling of the keys. The procedures used to obtain keys/cards and by which access is granted or modified should be outlined clearly, as this is often a point of confusion for both new and long-time employees. Equally important is a list of the people and departments to whom an employee must go to gain access to the business site: filling out forms or asking for approval becomes futile if the person to whom these requests should be addressed is unknown.
Many organizations distinguish between full-time, part-time, and contract employees and limit facility access based on these categories. Along with the hours of operation, the site security policy should specify any restrictions for special employees during and outside of regular working hours. Related to the segmentation of employees, the segmentation of the facility is also common. Labs, offices, and storage areas often merit access restrictions in order to prevent unauthorized entry.
Should an incident occur, the procedures for incident handling are vital to the security of an organization, as well as the safety of the employees. Incidents vary in nature, from unauthorized visitors and broken access methods to the removal of employees. Many organizations have security personnel to assist in these matters and suggested methods to react to specific situations. Defined escalation levels help an employee understand the seriousness of an incident and decide when it is appropriate to notify external support, such as local law enforcement and legal counsel.
Company Z has installed and uses proximity-based card readers at all external entrances, lab doors, storage closets, and key financial offices for access control.
The administration has defined the following security policy that regulates access into the facility:
During weekday business hours between 8 a.m. and 6 p.m., card access is not required for full-time and part-time employees.
Contract employees are required to sign in with the receptionist.
All external doors are locked outside of normal business hours, and card access is required for full-time and part-time employees.
Contract employees are restricted from access outside of normal business hours unless specialized access forms are filled out and approved by the hiring manager.
Access to restricted labs, storage areas, and financial offices is gained via specialized access forms and management approval.
Access cards are obtained at the security office after the hiring manager approves access forms.
Misplaced or stolen access cards must be reported immediately to security.
Access cards should be kept on the person at all times; cards should not be loaned to anyone or left unsecured.
The following security policy for incident response is also provided to employees:
In order to ensure safety and security within the Company Z facility, employees should read and understand the following guidelines for dealing with incidents:
In the event of an unauthorized visitor, the employee should immediately notify the security department and request assistance for removal of the visitor.
Should the visitor be witnessed committing an act of larceny, attack, or destruction of property, notify the security department, and they will then contact the appropriate authorities.
All witnesses should provide the security department with an affidavit indicating their presence and the details of the incident, and should be available for further questioning by security and the appropriate authorities.
All doors, locks, and access methods that are non-functional should be reported to the security department. Security will coordinate with maintenance to fix the broken equipment.
Managers should be notified when an employee is involved with a breach of security.
Employees should not handle these situations alone, but instead should notify security and allow the security staff to control the situation.
This example demonstrates important aspects of a site and infrastructure security policy. Constraints on physical access are defined, including the actual methods that employees use to enter the facility and the differentiation between employee types. The processes and procedures used to control access and to acquire the appropriate privileges are outlined, including the identification of the responsible individuals. The response guidelines for any incidents are clearly outlined with the safety of the employee in mind. Individuals trained to handle incidents of this nature are identified and involved in each response method.
Infrastructure and Computing Environment
The following aspects of security are commonly considered when creating a security policy for the infrastructure and computing environment:
Physical access to computer systems and facilities
Security considerations for laptop computers and PDAs
Voice and data network security
Remote network access to computer systems and resources
Security monitoring and auditing
Authentication and access control
Physical Access to Computer Systems and Facilities
The computer systems used throughout an organization can be categorized into the following classes:
Each of these classes of systems can be addressed individually within the site and infrastructure security policy.
As with the building and facilities, control of physical access to the computing environment is an important component to its security. Once someone is inside a building, finding an unoccupied terminal or computer system is often easily accomplished. Without a policy for protecting these systems, unauthorized users can gain access to important and private resources, information, and files. Computer terminals in publicly accessible areas should be controlled carefully by limiting access to network facilities and resources, and establishing usage policies for employees and guests.
Returning to the hypothetical case, Company Z has an open atrium area that contains several terminals accessible to employees and visitors. The following security policy, which provides regulations for the use of these public terminals, is posted in plain view:
Rules and Restrictions for Public Terminal Usage
Visitors must see reception in order to receive a guest account.
Guest accounts are capable of accessing the Internet only.
No Internal systems or resources are available via guest logins.
Guest accounts are automatically logged out after 15 minutes of idle time.
Employees should log out before leaving the terminal.
Please report all malfunctioning systems to the IT department.
Administrative Policies for Public Terminals
Public terminals are secured to the desktops via anti-theft alarm devices and cable locks.
All systems configured for public use are on a restricted-access network.
Systems are configured with guest accounts that have no access to company resources or systems.
Guest accounts are automatically logged out after a specified amount of idle time.
Guest accounts should be set to expire when no longer needed, based on the requirements of the guest.
Publicly accessible systems should allow no access to internal systems or resources.
Publicly accessible UNIX systems should be configured with a minimal set of utilities, have no network services running, and provide a restricted and inescapable shell to guests; the account should be removed when the visitor leaves the premises.
Publicly accessible Windows systems should not be domain members, and guest accounts should have only the local user-group privileges.
Menus and commands should also be configured to allow access only to the appropriate Web browser program on the system and no other applications.
Public terminals are often presented to accommodate the network needs of visiting employees, vendors, and business partners. These terminals require special consideration for security and posted regulations for their use in order to protect the computing infrastructure. The Company Z policy distinguishes between visitors and employees who use the terminals and presents significantly more restrictions to the visitors. The administrators of these systems also have a security policy that outlines the measures used to configure the systems. This ensures that all publicly accessible systems are configured alike and helps ensure a known level of security.
Desktop and Server Systems
Public terminals are not the only systems that require guidelines. Desktop systems often have the most lax security because individual employees often administer their own machines or have special privilege and access to their respective systems. It is often infeasible for the Information Technology staff to administer all desktop workstations; therefore, the development of a security policy that governs their creation and use is very important. The site and infrastructure security policy for desktop systems establishes the standards used to create them, including operating systems, applications, and utilities. The security constraints generally consist of configuration information by which administrators can replicate the desktop system at a known level of security. The policies also present the guidelines for the desktop system's interaction with servers and the network.
The security policy for desktop users is discussed later in the chapter.
Given the understanding that desktop systems are likely to be uncontrolled by the IT staff, effective infrastructure policies attempt to minimize the amount of data, applications, and other information that remains on the desktop system. This enhances both the security and availability of information within the organization. Many companies centralize storage of user data and applications on a single server or set of servers. In the event of a desktop failure, the effort required to make it functional again is minimized: all of the essential and important data is on the server and does not become lost or require significant time and effort to restore.
Server systems become a focal point as they have the responsibility to reliably store and provide access to shared data, private user information, applications, and services for the organization.
A server security policy should encompass the following components:
Service configuration
Shared data permissions and access control
User private data permissions and access control
Backup and restoration procedures
The service configuration entails the initial method used to secure the server. Most operating systems provide a vast array of potential services and capabilities, not all of which are needed or desired by the organization. Each of these services has its own security ramifications, which should be considered when enabling or disabling it. The decision to allow a service is often an issue of cost versus risk analysis. If the service provides a required function that has inherent security risks, the administrators should determine if there are suitable replacements for the service. If any substitutes are available, the cost and effort required to implement them should be weighed against the security risks and cost of the original. It is important to document within the security policy the foundation for decisions and to identify the known security risks accepted by the organization. Also related is the maintenance of the software and operating systems running on the servers: security measures should be updated frequently, as new vulnerabilities are discovered. Updates should be applied and monitored. The people writing the security policy probably will not always be employed at the organization; therefore, knowing the background of a decision is important to the future maintainers of the security policy.
Company Z's Server Security Policy is as follows:
Servers should be configured to support only the required services and to disable unnecessary software and services in order to minimize security risks.
Server systems should be physically secured, allowing only administrative access.
Server operating systems and software should be updated when new vulnerabilities and subsequent patches are released.
In the event of incidents such as hardware failure, system compromise, or other attacks, the server should be removed from the network and left in its current state in order to allow effective forensics work.
A contingency plan should be created and followed to recover from disasters. For in-depth information on their content and creation, see the Disaster Recovery Journal sample recovery plans at http://www.drj.com/new2dr/samples.htm.
To focus on security policies instead of system configuration, the Company Z Server Security Policy leaves out most of the technical details related to the secure lockdown of servers and operating systems. The standards of configuration, access, and maintenance are important components that should be incorporated into the policy. Incident response for servers is reasonably complex; in order to avoid damaging potential evidence after an attack is discovered, the system should be left intact for security analysis and forensics work.
Shared data is often the primary purpose of a server, allowing employees to access common files, applications, and other data. Server operating systems generally support multiple methods to provide multiuser access to data. When establishing the infrastructure security policy, the technical details surrounding shared data should be clearly outlined.
The Site and Infrastructure Security Policy for Company Z establishes the following criteria for shared data on servers:
No data sharing should be initialized via the "Everyone" group on Windows servers or "World" read/write access on UNIX systems.
Access by the "Everyone" group and "World" read/write permissions should be removed or disabled from the shared data.
Global or common access to all employees should be controlled via membership in the specially created "Employees" group on the servers.
When needed, smaller privilege groups should be created and shared data coordinated with those groups to meet the access control requirements for a user.
Company Z's policy emphasizes a strict level of security for shared data. It identifies and distinguishes between unconditionally shared data and the true need for shared data. Data is shared only between employees, and security control is exercised to ensure that only authorized individuals have access to it. In this model, access control is achieved via membership in various user groups, and permission is adjusted accordingly.
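As an added example (not Company Z's or the page's own code), the following Python audits a UNIX share tree for the "World" read/write access the policy above forbids and strips it, while reporting entries not owned by the group meant to carry common access; the share layout, file names, and modes are constructed sample data.

```python
"""Audit a UNIX shared-data tree against the Company Z shared-data rules:
no "World" (other) read or write access, and common access granted only
through a dedicated group.  Added example, not code from the page."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Violation:
    path: str
    reason: str


def audit_share(root: str, required_gid: Optional[int] = None) -> List[Violation]:
    """Walk root and report every directory or file that grants 'other' read or
    write access, or (when required_gid is given) that is not owned by the
    group meant to carry the "Employees"-style common access."""
    findings: List[Violation] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk visits every directory as dirpath, so checking dirpath plus
        # its regular files covers the whole tree exactly once.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful on most systems
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append(Violation(path, "world-writable"))
            elif mode & stat.S_IROTH:
                findings.append(Violation(path, "world-readable"))
            if required_gid is not None and st.st_gid != required_gid:
                findings.append(Violation(path, f"group {st.st_gid} != {required_gid}"))
    return findings


def remediate(findings: List[Violation], dry_run: bool = True) -> List[str]:
    """Clear the 'other' permission bits on every world-accessible finding.
    Group ownership is reported but not changed: moving data into the right
    group is an administrator's decision, not something to do blindly."""
    changed = []
    for v in findings:
        if not v.reason.startswith("world"):
            continue
        mode = stat.S_IMODE(os.lstat(v.path).st_mode)
        if not dry_run:
            os.chmod(v.path, mode & ~stat.S_IRWXO)
        changed.append(v.path)
    return changed


def build_sample_tree(base: str) -> str:
    """Create a constructed share with one compliant and two non-compliant
    files (sample data, not a real share).  Returns the share root."""
    share = os.path.join(base, "share")
    os.makedirs(os.path.join(share, "finance"))
    samples = {
        "finance/budget.xls": 0o660,  # group access only: compliant
        "everyone.txt": 0o666,        # "World" read/write: violation
        "readme.txt": 0o664,          # "World" read: violation
    }
    for rel, mode in samples.items():
        path = os.path.join(share, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for d in (share, os.path.join(share, "finance")):
        os.chmod(d, 0o770)
    return share


def demo() -> dict:
    """Build the sample share in a temporary directory, audit it, fix the
    'other' bits, and audit again; returns the findings before and after."""
    with tempfile.TemporaryDirectory() as base:
        share = build_sample_tree(base)
        gid = os.stat(share).st_gid  # the group the share was created under
        before = audit_share(share, required_gid=gid)
        fixed = remediate(before, dry_run=False)
        after = audit_share(share, required_gid=gid)
        return {
            "before": sorted((os.path.relpath(v.path, share), v.reason) for v in before),
            "fixed": len(fixed),
            "after": len(after),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run with dry_run=True first on a real share to review the findings before any modes are changed.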
User private data includes a user's respective "home" directories or the areas in which his personal files are stored. Because these files are also often kept on the server, it is important to outline the level of security the user can expect, as well as the method by which it is provided.
Company Z details this security policy for user home directories and private storage areas:
Server-based user home directories are provided for the storage of private and personal data.
On Windows servers, the permissions should be set to allow the respective user full read and write permissions for a directory, and also to allow the system backup process to access the data when backing up the storage system.
No other users should have access to any home directory aside from their own.
Users are encouraged to use their server-based directories for data storage in order to provide security and to facilitate the simple recovery of data in the event of an incident.
Employees often store personal and sensitive information on their systems, as work and personal life cannot be completely segregated. In order to provide data security and to avoid data loss in the event of a desktop system failure, users at Company Z are encouraged to store their data on the servers and are provided a high degree of protection from prying eyes.
Backup and restoration procedures serve many functions in an organization. These include protection of data in the event of a catastrophic incident, restoration of accidentally removed files, and provision of general infrastructure reliability. Backup data is often used in the forensics of security incidents to assess the reliability of data: data altered by an attacker can often be detected by a comparison between it and the version that is on the backup media. The physical storage of the media on which the backups are done is also important to security. Many organizations use special offsite storage organizations to assure that the backups are securely stored.
Company Z's security considerations for system backups include
All backups are to be stored in a locked storage area prior to offsite storage.
Weekly backups are moved into offsite storage via a storage company representative at a scheduled pickup time.
Backups consist of one full system backup, per system, per week with nightly incremental backups of all modified data.
Use of backup and restoration applications should be restricted to authorized administrators only.
In the event of a disaster, hardware failure, or other event that results in the loss of data, the employee should notify the IT staff.
Information will be restored from the last full archive with the incremental changes layered over, up to the time of the event.
Backups provide a level of reliability and security to the information stored and used within the organization. The security policy specifies the method for backups, recovery during incidents, and privileges required to access the information. The physical security of the backup data is also emphasized in order to create a comprehensive policy that effectively protects the organization.
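The restore rule above (the last full archive, then the nightly incrementals layered over it up to the time of the event) as an added Python model that is not part of the page; the backup sets, paths, contents, and dates are constructed sample data, and the `deleted` list is an assumed way of recording removals between incrementals.

```python
"""Model the Company Z restore rule: rebuild a system from the last full
backup, then layer the nightly incrementals taken after it, up to the time
of the loss event.  Added example; the backup sets are constructed data."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple, Union


@dataclass(order=True)
class BackupSet:
    taken: datetime
    kind: str  # "full" or "incremental"
    files: Dict[str, str] = field(compare=False, default_factory=dict)  # path -> content
    deleted: List[str] = field(compare=False, default_factory=list)     # removed since previous set


def _as_time(t: Union[datetime, str]) -> datetime:
    """Accept either a datetime or an ISO 8601 string such as 2024-03-12T14:30."""
    return t if isinstance(t, datetime) else datetime.fromisoformat(t)


def select_chain(sets: List[BackupSet], event: Union[datetime, str]) -> List[BackupSet]:
    """Return the restore chain for a loss at `event`: the newest full backup
    taken before the event, then every incremental between that full and the
    event, oldest first.  Incrementals older than the chosen full are useless
    and are dropped; anything taken after the event may already contain the
    damage and is excluded."""
    when = _as_time(event)
    usable = sorted(s for s in sets if s.taken < when)
    fulls = [s for s in usable if s.kind == "full"]
    if not fulls:
        raise ValueError("no full backup precedes the event; nothing to restore from")
    base = fulls[-1]
    return [base] + [s for s in usable if s.kind == "incremental" and s.taken > base.taken]


def restore(sets: List[BackupSet], event: Union[datetime, str]) -> Dict[str, str]:
    """Apply the chain in order: the full replaces everything, each incremental
    overlays its changed files and drops the files it records as deleted."""
    state: Dict[str, str] = {}
    for s in select_chain(sets, event):
        if s.kind == "full":
            state = dict(s.files)
        else:
            state.update(s.files)
            for path in s.deleted:
                state.pop(path, None)
    return state


def chain_summary(sets: List[BackupSet], event: Union[datetime, str]) -> List[Tuple[str, str]]:
    """Readable view of which sets a restore would pull back from offsite storage."""
    return [(s.taken.strftime("%Y-%m-%d"), s.kind) for s in select_chain(sets, event)]


def sample_sets() -> List[BackupSet]:
    """Constructed two-week schedule for one server: a full every Sunday at
    02:00 and an incremental every other night (sample data, not real archives)."""
    def at(day: int) -> datetime:
        return datetime(2024, 3, day, 2, 0)

    return [
        BackupSet(at(3), "full", {"/srv/share/plan.doc": "v1", "/srv/share/old.txt": "keep"}),
        BackupSet(at(4), "incremental", {"/srv/share/plan.doc": "v2"}),
        BackupSet(at(5), "incremental", {"/srv/share/notes.txt": "n1"}, deleted=["/srv/share/old.txt"]),
        BackupSet(at(10), "full", {"/srv/share/plan.doc": "v2", "/srv/share/notes.txt": "n1"}),
        BackupSet(at(11), "incremental", {"/srv/share/plan.doc": "v3"}),
        BackupSet(at(12), "incremental", {"/srv/share/notes.txt": "n2"}),
    ]


if __name__ == "__main__":
    loss = "2024-03-12T14:30"  # constructed: disk failure on the 12th, mid-afternoon
    print(chain_summary(sample_sets(), loss))
    print(restore(sample_sets(), loss))
```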
Incident response takes on several meanings, but can be summarized as the best course of action in the event of anomalous circumstances. For the purposes of this discussion, the actual circumstances are not as important as the reaction to them. Security policies provide key benefits in the area of incident response by identifying and organizing information vital to a safe reaction. Security policies should include the suggested methods to react to incidents and pertinent contact information. The primary goal of incident-response guidelines is to avoid the knee-jerk, emotionally motivated responses that often happen quickly and without careful analysis. By having a step-by-step approach to handling incidents already in hand, including the proper steps to identify, control, and resolve issues, those involved can react safely.
Physical Security Considerations for Laptop Computers and PDAs
As technology advances, we see the creation of new, smaller, and more powerful computing devices. In light of the prevalence of telecommuters and remote offices, and the frequency of business travel, these small computing devices such as laptops and PDAs require special security considerations. The theft and misuse of these devices present a high risk to the infrastructure of an organization, as they often function with the same level of access as their larger and less portable cousins. Many of these portable computers have special security methods that allow the user to protect the device and the information they store on it. The company policies that govern the use of laptops and PDAs should require putting these capabilities to use.
Company Z has established a set of Security Policy Considerations for Laptops and PDAs. These physical and configuration considerations include
Laptops and PDAs should be configured to support power-on passwords if possible, in order to protect against unauthorized use if stolen.
Users should log out and power off the system when not in use, instead of putting the system into standby mode. This prevents unauthorized users from impersonating you, should they gain access to the system.
Private and sensitive data should be protected via encryption and passwords, if possible.
Users should use different passwords on all of their portable and non-portable systems to defend against compromise of multiple systems via a stolen password.
When temporarily leaving your workspace, care should be taken to either lock the system via a password-protected screensaver or log out completely.
Laptops and PDAs should be physically secured by a locked cable, tether, or other security device at all times.
If no security method is available, the system should be locked in a cabinet drawer or other secured storage area when not in use.
Voice and Data Network Security
The network is the lifeline for the computing infrastructure. The phone system that provides voice communications forms a network of interconnected phones. Desktops connect to servers and the greater Internet via the local area network. Customers, partners, and employees contact the company via the network. The majority of internal communication likely occurs via the voice and data networks. Security policies should attend to the security of network communication. By addressing the risks and defenses against them, the networks can function more securely.
The phone system within an organization often crosses the boundaries of voice and data communications. The desktop computer can interact with modern phone systems to retrieve voice mail, leave messages for others, and administer the system. As with the previous areas of concern, physical access should be controlled. Operational constraints, such as Personal Identification Numbers (PINs) for users and standard configurations, should provide a more secure environment. An often forgotten security aspect of the phone system is the provision of remote dial-in capabilities that support both phone system administration and network access.
Several concerns for the phone system are outlined in this Company Z security policy:
Physical access to the phone system hardware and system configuration terminals is restricted to phone administrators and phone company personnel.
The phone system hardware should exist in a secured area that requires specialized access methods via keys or electronic cards.
Default PINs for new users should be randomly chosen.
When establishing a voice mail account, avoid using PINs that can be easily guessed, such as an extension number, the surname of the user, or other identifiable information.
Dial-in modems used for administration of the phone system should be protected with passwords.
Network access via dial-in modems should be authenticated and logged via a centralized authentication and reporting system.
Modems meant for dial-in should be programmed to prevent dial-out capabilities.
Installation of new modems should be coordinated through the phone and IT group in order to provide the necessary security and network infrastructure to maintain security.
Phone line audits should occur regularly to verify the functionality of existing modems and to identify unauthorized modems.
This security policy addresses the phone system rather extensively. A comprehensive security policy takes into consideration all aspects of an organization and does not focus only on the computing environment. All aspects of security in an organization are related; a breakdown in the security of one area provides access despite the security measures of another. A weakness in the phone system security policy might allow an unauthorized intruder to access system and network resources even if other system and network security measures are in place.
The data network should be extended the same security features as the voice network. Network and telecommunications hardware such as routers, switches, and network lines (ISDN, DSL, T1, and so on) should be physically secured to avoid accidental or intentional disruption of network services. Beyond the physical aspects, the network requires a high degree of security and diligence to maintain that level. The first tier of protection is generally a firewall at the Internet access point (as you learned in Chapter 10, "Firewalls"). The specific firewall rules and filters should be defined based on the network access needs of the organization. A reasonably safe, but somewhat restrictive, guideline is the exception method. This dictates a global rule to deny access to everything first, and then makes exceptions for those network services deemed necessary.
After the firewall, network architecture and organization should also be considered to protect and isolate information as it travels on the network wire. The network hardware must be protected from network attacks and unauthorized configuration attempts.
Company Z has a diverse network that separates servers from the normal desktop computing network. The Internet access point is protected by a firewall. The data network portion of its security policy reads as follows:
Firewalls are used to protect the internal networks in a restrictive fashion.
Filtering and rules on the firewall support outgoing connections from employees so as not to restrict their ability to use the Internet.
Filtering and rules on the firewall allow only incoming connections to the company Web server, mail servers, and name servers (DNS).
The customer support network exists on a different network number and interface than the administrative and corporate network, and with fewer restrictions in order to support the required services of that organization.
All access to network equipment, where supported, shall be protected via non-default passwords.
Managed network equipment, including firewalls, routers, switches, modems, and other communication devices, is configured to allow administrative access from only a small number of administrative systems, in order to protect it from unauthorized configuration changes.
All configuration changes to network equipment must be logged for reference.
In the event of network attacks, the network administrators should notify the corporate security department, in case legal intervention is required.
Network equipment should be configured to enable only those protocols in use by the organization, disabling all other features.
Response to incidents should occur in the following manner:
1. Attempt to identify the cause.
2. In the event of network disruption and loss of service from attack, network administrators should attempt to identify the source of the attack. Firewall rules should be modified to control the effects, if possible.
3. Restore service to the company as quickly as possible while attempting to preserve evidence of the issue.
4. Upon resolution of an incident, incident forms should be filled out and submitted to the manager of the network group.
5. Analysis of the incident should be discussed in a group meeting to identify weaknesses in the organization and help prevent future issues.
To protect against equipment failure, spare network hardware should be available.
To facilitate ease of replacement and security of the configuration of network equipment, the configuration information should be maintained on the administrative servers.
Where possible, network equipment should be configured to boot and download its configuration from the administrative servers, in order to preserve the integrity and reliability of the configuration.
Network equipment that is not managed via SNMP should have that protocol disabled. SNMP (Simple Network Management Protocol) allows administrators to see and modify the settings and configuration of a device with little or no authentication and access control.
If using SNMP for management of the device, SNMP access should be restricted to administrative servers.
Network equipment presents a complex set of security requirements that should be outlined in the security policy. This allows for a safe installation and a maintained degree of security. The security policy incorporates physical orientation and configuration to defend against unauthorized access and management of the device. Authentication and access restrictions are implemented, as well as reliability in the configuration methods. The services provided by the equipment are tailored to the needs of the organization, allowing a known set of security concerns to be identified and resolved.
Remote Network Access
Remote network access is a convenience that allows employees to do their daily work, regardless of their location. This functionality requires an extension of the network security policy discussed above, focused on the methods and use of remote access. Remote access can be provided via Virtual Private Networks and the previously mentioned dial-in modems. The provision of these capabilities often conflicts with the security policy for the network because the policy generally seeks to keep outsiders from accessing internal information and resources.
Here is Company Z's Remote Access Security Policy:
The company provides remote access capabilities via a Virtual Private Network solution that supports remote dial-in Internet service providers and broadband cable-modem users.
Configuration of the VPN hardware and software follows the security policy set forth for other network equipment.
Users requiring remote access capabilities must receive approval from their manager and the IT department and fill out the required forms before remote access is provided.
Remote access is authenticated via passwords, security tokens, or single-use passwords.
Remote access passwords should follow the security policy guidelines for authentication.
Remote access software, configuration, and account information is to be used only by the employee for whom it is intended.
If access by multiple remote machines is required, this should be indicated on the Remote Access Form.
Remote access should be used only when required and not left unattended by the employee.
Acceptable use of this resource is outlined in the User Security Policy.
Remote access is a subfunction that inherits security policy guidelines from several areas. The administration and configuration of the VPN falls under Company Z's Network Devices Policy, whereas the authentication and use of the VPN by employees is governed by the Authentication and User policies, discussed later in the chapter.
As you can see, a comprehensive security policy is very easily scaled to meet new requirements and functionality within an organization. The effort expended in the early development stages of the security policy or policies simplifies its extension greatly.
Security Monitoring and Auditing
Monitoring and auditing are central to a comprehensive security policy; they are the components that unify procedures and response. Security monitoring verifies the configuration guidelines and technical requirements outlined in the security policies. Security auditing entails a consistent set of practices that enforce the security policies set forth for the organization.
Monitoring is the policy action that becomes part of the ongoing standard security process in the company. The installation of a firewall is one element of the security monitoring system; it focuses on the network access points. Other aspects of monitoring are the use of security cameras, anti-virus software, server disk quotas, intrusion detection devices, and network management software. The monitoring component of a security policy enhances the security in an organization by validating the other elements in the policy, ensuring their existence and correctness.
Monitoring capabilities also affect the safety and effectiveness of incident responses. Monitoring provides evidence for legal proceedings and an informative basis for post-mortem analysis of incidents, analysis that is very useful in understanding and preventing problems.
Finally, security monitoring gives the organization the means to recover from incidents by providing in-depth information about them. Network attacks can be monitored and defended against, spurious hardware failures can be traced and rectified, and the actions of unauthorized intruders can be watched and recorded.
The monitoring methods for a server, network, or other computer equipment are often those that gather and analyze statistics. The statistics gathered provide the reference point for normal operation and, by contrast, for what is abnormal. This information is sometimes gathered by hand, or by eye in the case of security cameras, but the more the monitoring is automated, the more effective it becomes.
To allay the fear that this task is incredibly difficult, note that many operating systems and software packages already have the capability to perform a large portion of the monitoring and auditing functionality; the features simply need to be enabled. Authentication policies, including password criteria, password aging, and a password history to avoid repetition, are enforced by common features in most operating systems. Access control methods and auditing capabilities are inherent parts of server operating systems. Network management protocols allow alerts and notices to be sent under special conditions; SNMP, for example, can be configured to notify administrators when particular events occur. SNMP is mentioned here because of its wide use, but its security should be investigated before it is deployed: SNMPv1 and SNMPv2c authenticate requests with community strings sent in the clear, and only SNMPv3 adds message authentication and encryption. Outside the computing realm, an alarm company monitors the alarm system, and the proper authorities are notified automatically when it is set off.
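The following failed-login monitor is an added example, not code from the chapter or Company Z's tooling. It shows the kind of automated monitoring the paragraph describes: it replays sshd-style log lines constructed for the example, keeps a reference window of recent failures per account, and applies lock-out rules of the kind Company Z's authentication policy states later in this chapter (three failures; a temporary 30-minute lock for attempts from the internal network; a lock that only an administrator can lift for attempts from outside). The internal address range, host names, thresholds and log format are assumptions made for the example.

```python
"""Failed-login monitor: added example, not from the chapter or Company Z.

Reads sshd-style log lines, tracks failures per account, and applies lock-out
rules of the kind the authentication policy later in this chapter states:
MAX_FAILURES inside LOCKOUT_WINDOW locks the account, temporarily for attempts
from the internal network, until an administrator re-enables it for attempts
from outside.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: the internal range and the thresholds.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
MAX_FAILURES = 3
LOCKOUT_WINDOW = timedelta(minutes=30)

# "<ISO timestamp> <host> sshd[<pid>]: Failed|Accepted password for [invalid user ]<user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log for the example; not captured from a real system.
SAMPLE_LOG = """\
2024-03-04T09:00:01 srv1 sshd[4101]: Failed password for alice from 10.1.2.3 port 51022 ssh2
2024-03-04T09:00:07 srv1 sshd[4101]: Failed password for alice from 10.1.2.3 port 51022 ssh2
2024-03-04T09:00:15 srv1 sshd[4103]: Accepted password for alice from 10.1.2.3 port 51030 ssh2
2024-03-04T09:05:00 srv1 sshd[4110]: Failed password for bob from 10.1.2.9 port 51100 ssh2
2024-03-04T09:05:04 srv1 sshd[4110]: Failed password for bob from 10.1.2.9 port 51100 ssh2
2024-03-04T09:05:09 srv1 sshd[4110]: Failed password for bob from 10.1.2.9 port 51100 ssh2
2024-03-04T09:06:00 srv1 sshd[4112]: Accepted password for bob from 10.1.2.9 port 51101 ssh2
2024-03-04T09:40:00 srv1 sshd[4120]: Accepted password for bob from 10.1.2.9 port 51102 ssh2
2024-03-04T10:00:00 vpn1 sshd[77]: Failed password for invalid user root from 203.0.113.5 port 4000 ssh2
2024-03-04T10:00:02 vpn1 sshd[77]: Failed password for carol from 203.0.113.5 port 4001 ssh2
2024-03-04T10:00:03 vpn1 sshd[77]: Failed password for carol from 203.0.113.5 port 4002 ssh2
2024-03-04T10:00:05 vpn1 sshd[77]: Failed password for carol from 203.0.113.5 port 4003 ssh2
2024-03-04T11:30:00 vpn1 sshd[80]: Accepted password for carol from 203.0.113.5 port 4010 ssh2
"""


def parse(line):
    """Return (timestamp, accepted, user, source ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"] == "Accepted", m["user"], m["ip"]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(lines):
    """Replay log lines; return (lock-out events in order, locks still active at the end)."""
    recent = defaultdict(list)   # user -> timestamps of failures still inside the window
    active = {}                  # user -> lock record currently in force
    events = []                  # every lock-out decision, kept for the audit trail
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, accepted, user, ip = parsed
        lock = active.get(user)
        if lock is not None:
            if lock["until"] is None or ts < lock["until"]:
                # Activity against a locked account. An "Accepted" here means the
                # system did not enforce the lock and deserves its own alert.
                lock["during_lock"] += 1
                continue
            del active[user]     # temporary lock has expired
        if accepted:
            recent[user].clear()
            continue
        window = [t for t in recent[user] if ts - t <= LOCKOUT_WINDOW] + [ts]
        recent[user] = window
        if len(window) >= MAX_FAILURES:
            permanent = not is_internal(ip)
            lock = {"user": user, "source": ip, "locked_at": ts,
                    "until": None if permanent else ts + LOCKOUT_WINDOW,
                    "during_lock": 0}
            active[user] = lock
            events.append(lock)
            recent[user].clear()
    return events, active


if __name__ == "__main__":
    found, still_locked = evaluate(SAMPLE_LOG.splitlines())
    for e in found:
        how = "until an administrator re-enables it" if e["until"] is None else f"until {e['until']:%H:%M}"
        print(f"{e['locked_at']:%H:%M:%S} lock {e['user']} (from {e['source']}) {how}; "
              f"{e['during_lock']} attempt(s) while locked")
```

On the sample, alice's two failures followed by a success produce nothing; bob's three failures from an internal address produce a temporary lock, and the accepted login at 09:06 is counted as activity against a locked account; carol's three failures from 203.0.113.5 produce a lock with no expiry. In production the same logic would read the live log and feed the notification path the monitoring policy describes.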
Company Z's Security Monitoring Policy reads
Closed-circuit television cameras are installed throughout the organization and at entry/exit points.
This video information is recorded and monitored by the security group.
Network equipment management and monitoring occurs via automated management software that notifies administrators via pager in the event of anomalous issues.
Anti-virus software monitors all programs, documents, and email messages for viruses and automatically cleans discovered viruses.
Users and administrators are automatically notified via email when a virus is discovered.
All servers are monitored via monitoring programs and built-in functionality that complies with the established security policy.
Auditing ensures that the security policy is in place and followed. The measures used to audit include the services of contract security firms that analyze an organization's networks, systems, and policies, often unbeknownst to the employees. Other forms of auditing include random and frequent verification of the policies by administrators or by special internal teams formed for such tasks. The reference to auditing in the security policies of an organization also has a psychological effect that helps foster greater security awareness and action. Employees are less likely to adhere to security policies if they feel there is no enforcement. By outlining the presence of auditing methods, without necessarily clarifying the exact procedures, frequency, or schedule, an organization makes its employees more aware of security issues. A greater emphasis on secure thought and use is the natural result. Consider Company Z's Security Policy for Enforcement and Auditing:
Periodic and random security audits will be performed on servers and network equipment to ensure proper configuration, diligent updates and application of patches, and compliance with other security policy regulations.
These audits may be performed by internal staff or external agencies with or without the knowledge of the administrators and users of the systems. (For some useful information about audits and pitfalls to avoid, see the article "Audits from Hell" by Carole Fennelly at http://www.sunworld.com/swol-02-1999/swol-02-security.html.)
Desktop systems and users will be audited for compliance with the Site and Infrastructure Policy, with regard to configuration, up-to-date software, and network services.
Audits of users for compliance with the Acceptable Use Policy will also be conducted to assure the safety and security of the computing environment.
Notifying employees of the audit policy reinforces compliance with security policies and also forewarns them of the repercussions of compliance failures. Administrators carry the largest responsibility and expend the most effort in enforcing adherence to security policies. Audits might seem forceful, but an environment with so many security components requires dedication and diligence to maintain security.
Authentication and Access Control
Authentication and access control are two aspects of security in which administrators and users must participate equally for any level of effectiveness to exist. Security policies need to present the regulations and requirements clearly and should help employees understand the seriousness of compliance. Authentication policies establish the best practices and exact implementations used to provide access to desktop systems, servers, and local network resources, both locally and from remote sites. There are well-known methods to provide authentication and several guidelines that create a more highly secure environment. The authentication issues addressed by the security policy bear on most other areas covered within the policy. Access control is related to authentication, and the two operate together: authenticating a user establishes that user's group memberships and thereby grants access to resources.
Not surprisingly, authentication security involves the implementation and use of various forms of authentication. Commonly used means are passwords, Personal Identification Numbers (PINs), single-use passwords, public-key encryption, proximity cards, smart cards, other code-generating tokens, and biometric devices. The most commonly used authentication method is the username/password combination. In comparison to other authentication methods, it is also the most easily compromised: theft of passwords comes in many forms, often enabled by the individual's choice of password. People tend to gravitate towards easily remembered words or phrases when selecting passwords, such as names of family members, pets, hobbies, or other interests. Unfortunately, attackers guess these passwords easily. In the quest to balance ease of use with high security, authentication security policies help users create stronger passwords that are not so easily discerned. The policies also provide guidelines by which users can increase the security of their daily work. The enforcement of these guidelines often occurs as a feature of the operating system or of the programs doing the authentication.
Authentication security policy also differentiates between where and how authentication methods are used. Security requirements for access to different systems, networks, or facilities often mandate the need for each user to maintain several authentication methods. This is especially true for computer and network administrators. Users are not the only group governed by authentication policies. Administrators need to be even more concerned with authentication security because they have and control access to highly privileged accounts, systems, and resources. There are several guidelines for the handling and use of passwords, also. These guidelines help to keep users continually thinking of security in everything they do.
Company Z's Authentication Security Policy for users and administrators includes these guidelines:
On systems where credentials are the username/password pair, passwords should meet the following criteria:
o Passwords should be at least eight characters.
o They should be a combination of letters, numbers, and extended or special characters.
o The company will maintain a history of a user's last five passwords to prevent repetition.
o Passwords should be sufficiently different from any password in the history to prevent patterns of easily obtained passwords.
o Common dictionary words are not allowed.
o Passwords will expire every 12 weeks, requiring the user to create a new one.
o Passwords should be chosen carefully by avoiding family or pet names, personal interests, or other information that can be linked and easily identified.
Administrators must abide by the criteria set forth for users, with the addition that their passwords will expire more frequently, at six weeks.
Passwords for privileged accounts will change every four weeks to provide higher safety because these accounts are shared amongst several administrators. (Shared accounts also blur accountability in the authentication logs; where the platform allows it, administrators should log in under individual accounts and elevate privilege through a mechanism such as sudo, keeping the shared password for emergencies only.)
Remote access will be granted using single-use passwords and code-generating security tokens to prevent theft of user credentials.
All user accounts will have a password. Any user account without a password will be disabled or have a random password generated for it.
Newly created accounts will have randomly generated passwords that expire upon first login, requiring the user to set a new password.
Passwords should never be written down or stored on a recoverable medium such as paper, sticky notes, or white-boards.
Users should never tell anyone their passwords.
Administrators will never ask users for their passwords. In the event that someone does ask for the password, please report it immediately to IT and the security group.
When automating tasks that require authentication, avoid storing passwords in clear text in data files or scripts. Prefer a mechanism that does not need a stored password at all, such as key-based authentication with a protected private key; where a stored secret is unavoidable, encrypt it and restrict the file's permissions to the account that runs the task. Hashing does not help here: a hash is useful only for verifying a password, not for presenting it, so an automated task cannot authenticate with a hashed copy.
When using smart cards, proximity cards, or other hardware token-based authentication methods, keep the device on your person at all times, and do not let others borrow it.
When using public-key encryption methods for authentication, private key information should be protected via file access restrictions or storage on external devices such as smart cards.
When using encryption, private and secret keys can be escrowed by the administration to protect the data from loss and to ensure that access is attainable when required. Escrow should cover data-encryption keys only; keys used for signing or authentication should never be escrowed, because a copy held by anyone else destroys the ability to attribute a signature or login to its owner.
All authentications, whether successful or failures, are logged by the system being accessed.
Systems should be configured to allow three failed login attempts before account lock-out occurs.
In the event of login failure and account lock-out, internal accounts should be configured to allow logins again after 30 minutes. Permanent lock-outs, which require an administrator to intervene and reopen the account, are also supported by many operating systems. A permanent lock-out can, however, be turned into a denial of service: an attacker who deliberately fails three logins against each of many accounts locks out their legitimate owners.
Remote access accounts should be disabled after three failed login attempts, requiring administrative intervention for the reuse of the account.
Administrators should implement login notices that are displayed prior to login prompts. These notices should warn unauthorized users that their actions are monitored and attempts to enter the system are prohibited. Legal ramifications might result from continued use by unauthorized personnel.
In the event of lost or stolen passwords and authentication devices, IT should be notified immediately in order to disable access for that account and to begin the creation of new access credentials.
Administrators should confirm the identity of users before issuing new passwords. This can be done in person with the presentation of a badge or photo ID, or with a special recovery password, a personal identification number, or another secret that is normally known only to the user and the administrator. Widely disclosed identifiers such as social security numbers are weak proofs of identity and should not be the only check, because an attacker who has obtained one can use the reset procedure itself to take over the account.
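The checker below is an added example written for this discussion, not Company Z's code. It turns the password items of the policy above into checks that an account-provisioning script could run: minimum length, a mix of letters, numbers and special characters, rejection of dictionary words and of supplied personal words, a five-deep history, role-based expiry (12, 6 and 4 weeks) and random initial passwords. The history holds salted PBKDF2 hashes rather than old passwords; the "sufficiently different" rule is approximated by also hashing a few trivial variants of the candidate (case changes, trailing digits stripped or decremented) and comparing those against the history. The word list, iteration count and variant set are assumptions for the example.

```python
"""Password policy checker: added example, not Company Z's code.

Implements the composition, dictionary, personal-information, history and
expiry rules of the policy above. History holds salted PBKDF2 hashes of the
last HISTORY_DEPTH passwords, never the passwords themselves; a candidate is
rejected if it, or a trivial variant of it, hashes to one of those entries.
"""
import hashlib
import os
import re
import secrets
import string
from datetime import date, timedelta

MIN_LENGTH = 8
HISTORY_DEPTH = 5
EXPIRY_DAYS = {"user": 12 * 7, "admin": 6 * 7, "privileged": 4 * 7}
ITERATIONS = 10_000          # kept low for the example; use far more in production
# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon", "company"}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def variants(pw):
    """Trivial rewrites a user might try in order to slip past the history check."""
    out = {pw, pw.lower(), pw.upper(), pw.swapcase(), pw.capitalize(),
           pw.rstrip(string.digits + string.punctuation)}
    m = re.search(r"(\d+)(\W*)$", pw)          # "Winter24!" -> also try "Winter23!"
    if m:
        n = str(int(m.group(1)) - 1).zfill(len(m.group(1)))
        out.add(pw[:m.start(1)] + n + m.group(2))
    return out


def matches_history(candidate, history):
    return any(_hash(v, salt) == digest
               for salt, digest in history for v in variants(candidate))


def check_password(candidate, history=(), personal_words=()):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(not c.isalnum() for c in candidate)
    if not (has_alpha and has_digit and has_special):
        problems.append("must combine letters, numbers and special characters")
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    if candidate.lower() in DICTIONARY or letters_only in DICTIONARY:
        problems.append("based on a common dictionary word")
    if any(w and w.lower() in candidate.lower() for w in personal_words):
        problems.append("contains personal information (names, pets, interests)")
    if matches_history(candidate, history):
        problems.append(f"repeats or trivially varies one of the last {HISTORY_DEPTH} passwords")
    return problems


def record_password(candidate, history=()):
    """Return the history with the new salted hash appended and the oldest entries dropped."""
    salt = os.urandom(16)
    return (list(history) + [(salt, _hash(candidate, salt))])[-HISTORY_DEPTH:]


def expired(last_changed, role, today=None):
    """Role-based ageing: 12 weeks for users, 6 for administrators, 4 for privileged accounts."""
    today = today or date.today()
    return today - last_changed > timedelta(days=EXPIRY_DAYS[role])


def generate_initial_password(length=12):
    """Random first password for a new account; it must itself satisfy the policy."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_+="
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    history = record_password("Winter23!")
    for pw in ("short1!", "Welcome1!", "Winter24!", "Autumn99?"):
        print(f"{pw:12} -> {check_password(pw, history) or 'acceptable'}")
```

Note what the history check does and does not catch: "Winter24!" after "Winter23!" is rejected because the decremented variant hashes to the stored entry, but a wholly different password is accepted without any old password ever being stored in recoverable form. Each variant costs a full PBKDF2 computation, which is why the variant set is kept small.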
As you can see, the use of authentication is serious business. Users and administrators need to be made aware of the negative effects of authentication misuse. To summarize, the important components of authentication are
Teaching users and administrators to use authentication methods securely through strong password creation, as well as to keep passwords secure.
Authentication logging and monitoring.
Different authentication methods should be defined and used for different applications to provide the highest level of security, instead of standardizing on a single authentication method. For example, remote access often merits a stronger authentication mechanism than internal server access does.
The importance of strict authentication security policies, such as password expiration and selection criteria, to make attack and compromise difficult.
Access control is the next component, closely related to authentication. Access control exists at several levels: network access, data file access, and resource access. Network access is determined by protocols, port numbers, source and destination systems, and networks. Network access control is most likely maintained by the firewall, and these policies were discussed earlier in the chapter. Data file and system resource access control is accomplished via operating system functionality, such as file permissions linked to user and group memberships. An access control security policy presents the user with a set of best practices for utilizing this functionality. Consider Company Z's Access Control Policy:
Network access control occurs via the firewall, which is configured to allow Internet access for employees. If a required service is blocked by the firewall, contact the IT or network administration group to discuss possible solutions.
Employees are granted access to global company computing resources via their desktop login procedure.
Common file shares are automatically initialized at login time. The user has rights to add to common areas, but not to remove files or folders unless the user created them.
UNIX user accounts should be created with membership in a global users group or its equivalent (the group's name is operating-system dependent).
UNIX user accounts should have their own private group as the default group membership, which allows them to set permissions safely on their files and directories.
Windows accounts should be members of the Domain Users group.
Home directories should be created to allow access only by the owner of the directory.
The UNIX umask setting determines the default permissions of newly created files: the mode requested by the creating program (666 for files, 777 for directories) is masked with the umask bits, so the common default of 022 yields files that the owner can read and write and that group and world can only read. The umask should be set so that files are created without modify or execute permission for anyone other than the owner; a more restrictive value such as 027 or 077 additionally withholds read access from the world or from everyone but the owner.
The UNIX SetUID/GID settings should be avoided unless absolutely necessary.
The permissions of user resource files, including .login, .profile, and .rhosts, should be secured against unauthorized modification; a writable login script or .rhosts file lets another user plant commands that run under the owner's identity at the next login, or add trusted hosts from which no password is required.
Users should contact the IT department if any uncertainty exists when setting access control methods.
If unauthorized access to files, folders, or other data is suspected, notify the IT department for an investigation.
Automatic scans will execute on a regular basis to search for unsafe access control settings on user files, folders, and applications.
The Windows NT and 2000 operating systems grant access to the built-in Everyone group by default on newly created NTFS volumes and shares. This group entry should be removed and replaced with the Domain Users group (or Authenticated Users) if access is to be granted to all employees.
The Windows NT and 2000 operating systems support an access control mechanism slightly different from that of UNIX. NTFS permissions include read, write, and execute as UNIX does, but also combined permissions such as Modify and Full Control. Full Control allows the holder to change the permissions themselves, including the permissions granted to others, and to take ownership; this is rarely the desired effect, so where a user needs only to read, write, and execute, grant Modify rather than Full Control. Modify permits reading, writing, executing, creating, and deleting files and folders, but not changing their permissions or taking ownership.
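The scan below is an added example rather than Company Z's scanning tool; it illustrates the UNIX items of the access control policy above and the automatic scans the policy promises. It builds a throwaway home-directory tree (constructed for the example, with one well-configured user and one misconfigured user) and checks that home directories are accessible only by their owner, that login files such as .profile and .rhosts are not writable by group or others, that no file is world-writable, and that SetUID/SetGID bits are flagged. mode_after_umask shows the arithmetic behind the umask item: a new file is requested with mode 666 and the umask bits are removed, so 022 gives 644, 027 gives 640 and 077 gives 600. The list of login files and the tree layout are assumptions for the example.

```python
"""Access-control scan for home directories: added example, not Company Z's tooling.

Builds a throwaway directory tree, then applies the checks the policy calls
for: owner-only home directories, login files not writable by group or others,
no world-writable entries, SetUID/SetGID bits flagged.
"""
import os
import stat
import tempfile

DEFAULT_CREATE_MODE = 0o666   # what a program requests for a new file, before the umask
LOGIN_FILES = {".login", ".profile", ".rhosts", ".bashrc", ".cshrc"}  # assumption for the example


def mode_after_umask(umask, requested=DEFAULT_CREATE_MODE):
    """Permission bits a new file receives: requested & ~umask (022 -> 644, 077 -> 600)."""
    return requested & ~umask & 0o777


def findings_for(path, st, home_root):
    """List the policy violations for one directory entry, or [] if it is fine."""
    mode = stat.S_IMODE(st.st_mode)
    out = []
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        out.append("setuid/setgid bit set")
    # World-writable is a finding unless it is a sticky directory like /tmp.
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX):
        out.append("world-writable")
    depth = len(os.path.relpath(path, home_root).split(os.sep))
    if depth == 1 and stat.S_ISDIR(st.st_mode) and mode & 0o077:
        out.append("home directory accessible by group or others")
    if os.path.basename(path) in LOGIN_FILES and mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append("login file writable by group or others")
    return out


def scan(home_root):
    """Return {relative path: [finding, ...]} for every problematic entry under home_root."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(home_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue            # judge the target where it lives, not through the link
            found = findings_for(full, st, home_root)
            if found:
                report[os.path.relpath(full, home_root)] = found
    return report


def build_fixture():
    """Constructed home tree: alice is configured per policy, bob is not."""
    root = tempfile.mkdtemp(prefix="homes-")

    def make(rel, mode, is_dir=False):
        p = os.path.join(root, rel)
        if is_dir:
            os.mkdir(p)
        else:
            open(p, "w").close()
        os.chmod(p, mode)           # explicit chmod, so the process umask does not interfere

    make("alice", 0o700, True)
    make("alice/.profile", 0o644)
    make("alice/report.txt", 0o640)
    make("bob", 0o755, True)        # home listable by everyone
    make("bob/.rhosts", 0o666)      # anyone can add trusted hosts
    make("bob/notes.txt", 0o666)    # world-writable data
    make("bob/tool", 0o4755)        # setuid binary sitting in a home directory
    return root


if __name__ == "__main__":
    for u in (0o022, 0o027, 0o077):
        print(f"umask {u:03o} -> new files get {mode_after_umask(u):03o}")
    for path, found in sorted(scan(build_fixture()).items()):
        print(f"{path}: {', '.join(found)}")
```

Run against a real /home, the same scan would be scheduled regularly and its report routed to the IT department, which is what the policy's "automatic scans" item calls for; the fixture exists only so the example can be executed offline.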
Access control policies can present useful technical information to the users and promote security awareness. Noting the technical details of access control mechanisms for the operating systems in use is beneficial because the casual user is often unaware of their existence or their use. The identification of contacts and procedures for access control issues is used to help the user learn and utilize secure settings.