Defining Security Policy and Procedures


A security policy is a set of rules and procedures that must be observed when working with protected information, covering all specific features of information processing within the organization. A security policy cannot be standardized, as it must always take into account the information processing technologies utilized by the organization, as well as the organization's aims, security requirements and so on. However, a detailed description of all of the aspects of security policy development goes beyond the scope of this book and deserves a separate discussion (http://www.sans.org/newlook/resources/policies/policies.htm). Here, I will describe only those topics that require your attention when preparing an intrusion detection system.

The procedures involved in preparing an intrusion detection regime include actions necessary for supervising components of the corporate network while searching for traces and indications of an attack. This takes the following forms: monitoring, inspecting, auditing and consistency checking. Besides the above-listed actions, there are also a number of other techniques (Table 7.1) [Kochmar1-98].

Table 7.1. Actions Aimed at Intrusion Detection

Filtering: investigating the data flow between controlled systems, filtering unauthorized or suspicious actions out of this flow and blocking them.

Probing: initiating attempts to establish connections to controlled systems and generating various requests.

Scanning: periodic probing of controlled systems.

Monitoring: monitoring specific events within the controlled area (including network traffic, log files, etc.).

Inspecting: investigating information resources or processes within the controlled systems.

Auditing: systematically investigating log data within the controlled system to detect already-known or expected behavior.

Integrity checking: checking the system for integrity and preventing critical files from being changed.

Notifying: notifying the security administrator when specific security events are detected within the controlled system using one of the above-listed actions.

For efficient intrusion detection, it is necessary to create the documents that will be listed later in this chapter. Based on my own practical experience, I know that not all organizations will be able or willing to create these documents. Quite often, information-security specialists working in organizations have neither the time nor the ability to conduct the time-consuming and tedious work of collecting the required information and filling in the gaps in the description of the organization's information structure. However, this work is worth doing. The documents necessary for efficient intrusion detection (sorted in order of importance to the information structure of the organization) are listed below. If you have no time, or lack the required skills to do this yourself, then you can delegate the writing of these documents to qualified third-party professionals or organizations.

First, it is necessary to prepare a document containing descriptions of the attacks and vulnerabilities that could be carried out against, or found in, your corporate network. I would especially like to stress that this list should include only those attacks and vulnerabilities that are applicable to your resources, equipment, and software. These attacks and vulnerabilities must be described both in a separate document and in the so-called protection plan. Besides the description of security events, the protection plan can also include other important data on the protected corporate network. These events are defined in the course of the risk analysis process. Through risk analysis, you will define the most probable threats and evaluate the likelihood of their occurrence. There are two approaches to risk evaluation. The first approach focuses on a basic level of information security (the most probable scenarios of corporate-network operation). If the basic level is not sufficient (for example, in real-time scheduling systems, banking systems, etc.), the second approach is used. This approach implies a detailed investigation of the data-processing technologies and of the hardware and software used for this purpose. The first approach generally considers a typical set of probable threats (virus attacks, hardware failures, etc.). In the second case, a more detailed list of potential threats is compiled, based on the results of a detailed analysis of corporate-network activity. It is likely that some threats will be deleted from this final list of potential threats later. The core of such a document could be information from the various statistical reports mentioned in Chapter 2. Most likely, your network is not so unique that it has no shared resources (for a Windows platform) or does not use RPC and sendmail (for Unix systems). Because of this, you can use the following reports as a basis for creating your documents: SANS [SANS1-02], X-Force [ISS2-02] or Riptech [Riptech1-02].

Another necessary document, known as a network map, must include an inventory of all hardware and software used within the corporate network. The information contained in this inventory must be compared to the actual state of the corporate network on a regular basis. In the event of authorized changes in software or hardware configuration, these changes must be incorporated into the network map, so that it is always up to date. In the event that unauthorized changes are detected, it is necessary to start incident investigation procedures immediately. The method for creating the network map will be covered in more detail later in this chapter.
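The regular comparison described above, as an added example that is not part of the book: the recorded network map is reconciled with an observed inventory, approved changes are merged into the map, and every remaining deviation is reported as an unauthorized change that opens an incident. The hosts, hardware strings and software names are constructed sample data, and the tuple format for change-control records is an assumption of this example.

```python
# Added example: reconcile the network map (recorded inventory) with the
# observed state; approved changes are merged, the rest are incidents.
from copy import deepcopy

# Constructed sample data: host -> {"hw": hardware, "sw": installed software}
NETWORK_MAP = {
    "srv-01": {"hw": "2xCPU/4GB", "sw": {"sendmail-8.12", "sshd-3.4"}},
    "ws-07": {"hw": "1xCPU/512MB", "sw": {"windows-2000", "office-2000"}},
}
OBSERVED = {  # constructed result of an inventory run against the live network
    "srv-01": {"hw": "2xCPU/4GB", "sw": {"sendmail-8.12", "sshd-3.4", "netcat-1.10"}},
    "ws-07": {"hw": "1xCPU/1GB", "sw": {"windows-2000", "office-2000"}},
    "ws-99": {"hw": "1xCPU/256MB", "sw": {"linux-2.4"}},
}
AUTHORIZED = [("ws-07", "hw", "1xCPU/1GB")]  # constructed change-control records

def diff_state(network_map, observed):
    """Return (host, kind, value) tuples for every deviation of observed from map."""
    findings = []
    for host in sorted(set(network_map) | set(observed)):
        if host not in network_map:
            findings.append((host, "new_host", None))
        elif host not in observed:
            findings.append((host, "missing_host", None))
        else:
            old, new = network_map[host], observed[host]
            if old["hw"] != new["hw"]:
                findings.append((host, "hw", new["hw"]))
            findings += [(host, "sw_added", s) for s in sorted(new["sw"] - old["sw"])]
            findings += [(host, "sw_removed", s) for s in sorted(old["sw"] - new["sw"])]
    return findings

def reconcile(network_map, observed, authorized):
    # Merge approved changes into a copy of the map, then diff again:
    # whatever still differs was never approved and must be investigated.
    updated = deepcopy(network_map)
    for host, kind, value in authorized:
        if kind == "hw":
            updated[host]["hw"] = value
        elif kind == "sw_added":
            updated[host]["sw"].add(value)
        elif kind == "sw_removed":
            updated[host]["sw"].discard(value)
        elif kind == "new_host":
            updated[host] = deepcopy(observed[host])
        elif kind == "missing_host":
            updated.pop(host, None)
    return updated, diff_state(updated, observed)

if __name__ == "__main__":
    print(reconcile(NETWORK_MAP, OBSERVED, AUTHORIZED)[1])  # unauthorized deviations
```

Once an incident has been investigated and the change approved, its tuple is added to the change-control records and the next reconciliation run updates the map instead of reporting it again.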

The third document that you must develop when creating an intrusion detection infrastructure assigns roles, duties, privileges and responsibilities to system administrators, network administrators and security administrators. It also describes user rights and responsibilities, in order to organize the efficient management of all data systems and networks when detecting attack traces.

The next document describes the actions that must be performed in order to detect intrusions into your corporate network (see Table 7.1). This document must cover all aspects related to hardware, software and the activities of responsible employees, including the following:

  • The actions necessary to notify the proper individuals (network administrators, security administrators) in the event of the detection of security policy violations.

  • The tools used for intrusion detection and their operations. These tools were covered in Chapters 5 and 6. The order of their usage will be covered later.

  • The frequency of the operations intended to detect potential intrusions. Some tools must operate constantly (for example, network-level or host-level intrusion detection systems). Other tools need only be used from time to time, although on a regular basis (for example, consistency checkers).

  • The roles, responsibilities and duties of the employees responsible for the implementation of the intrusion detection plan. You must specify, by whom, when and how each of the above-listed actions should be performed.

Besides this, you must also create a document regulating the routine procedures for checking and analyzing logged data in order to detect attack traces. Additionally, this document must describe procedures for diagnosing and revising hardware and software manually rather than automatically (manual checks are harder for an intruder to falsify).

For each of the intrusion detection tools, you must create a document that specifies and describes the procedures and rules for its usage. These documents must define the following (for each tool):

  • Which resources (hosts, files, registry keys, network traffic, etc.) must be controlled

  • How information on the state of controlled resources must be created, stored, analyzed and protected

  • The frequency of running intrusion detection procedures (for example, in real-time mode or periodically on a regular basis)

  • The roles, duties and responsibilities of the personnel operating specific tools. Here you must define who uses the intrusion detection tools, when, and how

The next document should define conditions for testing attacked and compromised systems and data, using intrusion detection tools. It is strongly recommended that this testing be performed in an environment isolated from the production network. This isolation can be created using physical or logical separation - for example, using a firewall or special rules specified for network equipment (for example, by using VLAN).

Finally, your intrusion detection plan must also contain a document describing the procedures and tools to be used for correlating information on attacks (i.e., rules for determining when an attack or security event registered by one part of your system relates to an attack or security event registered in another part of your system). This aspect has become of primary importance with the arrival of distributed and coordinated attacks.
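One concrete form such a correlation rule can take, as an added example that is not part of the book: events registered by different parts of the system (a network IDS, a firewall and a host IDS) are chained together when they share a source address and each follows the previous one within a short window, and a chain is reported as one incident only if at least two different sensors contributed to it. The sensor names, addresses, timestamps and messages are constructed sample data.

```python
# Added example: correlate events registered by different sensors into one
# incident record when they share a source address within a time window.
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed gap tolerated between related events

# Constructed sample events: (time, sensor, source address, target host, message)
EVENTS = [
    ("2001-03-12 10:00:05", "nids", "10.0.0.5", "srv-01", "portscan"),
    ("2001-03-12 10:01:40", "fw", "10.0.0.5", "srv-01", "denied tcp/111"),
    ("2001-03-12 10:03:10", "hids", "10.0.0.5", "srv-01", "failed login root"),
    ("2001-03-12 10:20:00", "nids", "10.0.0.9", "ws-07", "portscan"),
    ("2001-03-12 11:30:00", "hids", "10.0.0.5", "ws-07", "failed login root"),
]

def parse(events):
    # Convert timestamps and sort, so chains are built in time order.
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), s, src, dst, msg)
                  for t, s, src, dst, msg in events)

def correlate(events, window=WINDOW, min_sensors=2):
    """Chain events per source address; each member must lie within `window`
    of the previous one. Report chains seen by at least `min_sensors` sensors."""
    chains = {}  # source address -> list of chains (each chain a list of events)
    for ev in parse(events):
        t, src = ev[0], ev[2]
        src_chains = chains.setdefault(src, [])
        if src_chains and t - src_chains[-1][-1][0] <= window:
            src_chains[-1].append(ev)  # continues the current chain
        else:
            src_chains.append([ev])  # too late: start a new chain
    incidents = []
    for src, src_chains in chains.items():
        for chain in src_chains:
            sensors = sorted({ev[1] for ev in chain})
            if len(sensors) >= min_sensors:
                incidents.append({"source": src, "sensors": sensors,
                                  "start": chain[0][0], "end": chain[-1][0],
                                  "targets": sorted({ev[3] for ev in chain}),
                                  "events": len(chain)})
    return incidents

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

With the sample data, the three events from 10.0.0.5 against srv-01 collapse into a single incident seen by all three sensors, while the lone scan from 10.0.0.9 and the later isolated host event from 10.0.0.5 are left as uncorrelated single-sensor events.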

Notice that, despite the fact that this book considers only some aspects of security policy, these must not contradict other security rules. In the course of developing the above-described documentation, you must constantly analyze this question and discuss it with other interested parties (but not too many). By doing so, you will be able to ensure that the created documents are:

  • Implementable within a reasonable time, while employing a reasonable amount of material resources

  • Compatible with the existing security policy within your organization (this requirement is not limited to information policy)

  • In line with the latest and most efficient intrusion detection technologies

  • In accordance with all local and international standards and laws

  • Able to provide a required level of legal protection for you and your organization in the event of difficulties

Revise your security policy (not limiting yourself to intrusion detection aspects) and its components periodically, including preliminary steps in intrusion detection, intrusion detection procedures and personnel training. In the course of such revisions, take into account all open sources of information, including information obtained from the vendor or manufacturer of the intrusion detection tools. These sources regularly inform the user community of new forms of attacks and vulnerabilities, trends in hacking technologies, methods of intrusion detection, and so on. The X-Force Security Alert mailing list is an example of this type of source. It is published by ISS and provides the latest information on recently detected vulnerabilities and attacks.

If your organization becomes the target of an attack that inflicts serious damage, revise the components of the intrusion detection plan to detect similar attacks and attempts at repeating these attacks quickly.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152
