1. Introduction

Previous page
Table of content
Next page

  < Day Day Up > 


1. Introduction

This document provides guidance to system and network administrators on how to address security issues within the Internet community. It builds on the foundation provided in RFC 1244 and is the collective work of a number of contributing authors:

  • Jules P. Aronson (<aronson@nlm.nih.gov>)

  • Nevil Brownlee (<n.brownlee@auckland.ac.nz>)

  • Frank Byrum (<byrum@norfolk.infi.net>)

  • Joao Nuno Ferreira (<ferreira@rccn.net>)

  • Barbara Fraser (<byf@cert.org>)

  • Steve Glass (<glass@ftp.com>)

  • Erik Guttman (<erik.guttman@eng.sun.com>)

  • Tom Killalea (<tomk@nwnet.net>)

  • Klaus-Peter Kossakowski (<kossakowski@cert.dfn.de>)

  • Lorna Leone (<lorna@staff.singnet.com.sg>)

  • Edward P. Lewis (<Edward.P.Lewis.1@gsfc.nasa.gov>)

  • Gary Malkin (<gmalkin@xylogics.com>)

  • Russ Mundy (<mundy@tis.com>)

  • Philip J. Nesser (<pjnesser@martigny.ai.mit.edu>)

  • Michael S. Ramsey (<msr@interpath.net>)

In addition to the principal writers, a number of reviewers provided valuable comments:

  • Eric Luiijf (<luiijf@fel.tno.nl>)

  • Marijke Kaat (<marijke.kaat@sec.nl>)

  • Ray Plzak (<plzak@nic.mil>)

  • Han Pronk (<h.m.pronk@vka.nl>)

A special thank you goes to Joyce Reynolds, ISI, and Paul Holbrook, CICnet, for their vision, leadership, and effort in the creation of the first version of this handbook. It is the working group's sincere hope that this version will be as helpful to the community as the earlier one was.

1.1 Purpose of this Work

This handbook is a guide to setting computer security policies and procedures for sites that have systems on the Internet (however, the information provided should also be useful to sites not yet connected to the Internet). This guide lists issues and factors that a site must consider when setting its policies. It makes a number of recommendations and provides discussions of relevant areas.

This guide is only a framework for setting security policies and procedures. In order to have an effective set of policies and procedures, a site will have to make many decisions, gain agreement, and then communicate and implement these policies.

1.2 Audience

The audience for this document is system and network administrators, and decision makers (typically "middle management") at sites. For brevity, we will use the term "administrator" throughout this document to refer to system and network administrators.

This document is not directed at programmers or those trying to create secure programs or systems. The focus of this document is on the policies and procedures that need to be in place to support the technical security features that a site may be implementing.

The primary audience for this work is sites that are members of the Internet community. However, this document should be useful to any site that allows communication with other sites. As a general guide to security policies, this document may also be useful to sites with isolated systems.

1.3 Definitions

For the purposes of this guide, a "site" is any organization that owns computers or network-related resources. These resources may include host computers that users use, routers, terminal servers, PCs, or other devices that have access to the Internet. A site may be an end user of Internet services or a service provider such as a mid-level network. However, most of the focus of this guide is on those end users of Internet services. We assume that the site has the ability to set policies and procedures for itself with the concurrence and support from those who actually own the resources. It will be assumed that sites that are parts of larger organizations will know when they need to consult, collaborate, or take recommendations from the larger entity.

The "Internet" is a collection of thousands of networks linked by a common set of technical protocols that make it possible for users of any one of the networks to communicate with or use the services located on any of the other networks (FYI4, RFC 1594).

The term "administrator" is used to cover all those people who are responsible for the day-to-day operation of system and network resources. This may be a number of individuals or an organization.

The term "security administrator" is used to cover all those responsible for the security of information and information technology. At some sites, this function may be combined with administrator; at others, this will be a separate position.

The term "decision maker" refers to the people who set or approve policy. These are often (but not always) the people who own the resources.

1.4 Related Work

The Site Security Handbook Working Group is working on a User's Guide to Internet Security. It will provide practical guidance to end users to help them protect their information and the resources they use.

1.5 Basic Approach

This guide is written to provide basic guidance in developing a security plan for your site. One generally accepted approach to follow is suggested by Fites et al. [1989] and includes the following steps:

  1. Identify what you are trying to protect.

  2. Determine what you are trying to protect it from.

  3. Determine how likely the threats are.

  4. Implement measures that will protect your assets in a cost-effective manner.

  5. Review the process continuously and make improvements each time a weakness is found.

Most of this document is focused on item 4 but the other steps cannot be avoided if an effective plan is to be established at your site. One old truism in security is that the cost of protecting yourself against a threat should be less than the cost of recovering if the threat were to strike you. Cost in this context should be remembered to include losses expressed in real currency, reputation, trustworthiness, and other less-obvious measures. Without reasonable knowledge of what you are protecting and what the likely threats are, following this rule could be difficult.

1.6 Risk Assessment

1.6.1 General Discussion

One of the most important reasons for creating a computer security policy is to ensure that efforts spent on security yield cost-effective benefits. Although this may seem obvious, it is possible to be misled about where the effort is needed. As an example, there is a great deal of publicity about intruders on computers systems; yet most surveys of computer security show that, for most organizations, the actual loss from "insiders" is much greater.

Risk analysis involves determining what you need to protect, what you need to protect it from, and how to protect it. It is the process of examining all of your risks, then ranking those risks by level of severity. This process involves making cost-effective decisions on what you want to protect. As mentioned previously, you should probably not spend more to protect something than it is actually worth.

A full treatment of risk analysis is outside the scope of this document. Fites [1989] and Pfleeger [1989] provide introductions to this topic. However, there are two elements of a risk analysis that will be briefly covered in the next two sections:

  1. Identifying the assets

  2. Identifying the threats

For each asset, the basic goals of security are availability, confidentiality, and integrity. Each threat should be examined with an eye to how the threat could affect these areas.

1.6.2 Identifying the Assets

One step in a risk analysis is to identify all the things that need to be protected. Some things are obvious, such as valuable proprietary information, intellectual property, and all the various pieces of hardware; but some are overlooked, such as the people who actually use the systems. The essential point is to list all things that could be affected by a security problem.

One list of categories is suggested by Pfleeger [1989]; this list is adapted from that source:

  1. Hardware: CPUs, boards, keyboards, terminals, workstations, personal computers, printers, disk drives, communications lines, terminal servers, routers

  2. Software: Source programs, object programs, utilities, diagnostic programs, operating systems, communications programs

  3. Data: During execution, stored online, archived offline, backups, audit logs, databases, in transit over communications media

  4. People: Users, administrators, hardware maintainers

  5. Documentation: Programs, hardware, systems, local administrative procedures

  6. Supplies: Paper, forms, ribbons, magnetic media

1.6.3 Identifying the Threats

Once the assets requiring protection are identified, it is necessary to identify threats to those assets. The threats can then be examined to determine what potential for loss exists. It helps to consider what threats you are trying to protect your assets from. The following are classic threats that should be considered. Depending on your site, there will be more specific threats that should be identified and addressed.

  1. Unauthorized access to resources and information

  2. Unintended and unauthorized disclosure of information

  3. Denial of service


  < Day Day Up > 


Previous page
Table of content
Next page
Critical Incident Management
Critical Incident Management
ISBN: 084930010X
EAN: 2147483647
Year: 2004
Pages: 144
Authors: Alan B. Sterneckert
BUY ON AMAZON
Database Modeling with MicrosoftВ® Visio for Enterprise Architects (The Morgan Kaufmann Series in Data Management Systems)
Absolute Beginner[ap]s Guide to Project Management
The .NET Developers Guide to Directory Services Programming
C & Data Structures (Charles River Media Computer Engineering)
Wireless Hacks: Tips & Tools for Building, Extending, and Securing Your Network
AutoCAD 2005 and AutoCAD LT 2005. No Experience Required
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy