This document discusses network security assessment and policies. It provides an overview of security trends seen in surveys, including many organizations experiencing security breaches. It then discusses starting an assessment from nothing, identifying assets, risks, threats, and how attacks may occur. The document outlines policies and procedures needed for security, including training and implementing tools for defense. It discusses principles like integrity, confidentiality and accountability. The policy process involves definition, implementation and compliance reporting. The implementation process assesses against policy, and then plans and makes fixes. Reasons for policy failure include lack of support, complexity and organizational politics.

1. BindView
BindView
BindView
BindView
BindView
BindView
Scott Blake
Mark Loveless
Day 2:
Morning
Starting from Nothing
Security Policies
Afternoon
Intrusion Detection

2. Overview
• Security and networks
• Assessment
– Understand the what, who, and how
• Technology and Policy
– Problem specifics change at internet
speed
– Ways of coping don’t

3. Security and Networks
• From 643 Respondents to the “2000
Computer Crime and Security Survey”
(CSI/FBI):
– 90% Detected security breaches
– 74% Acknowledged financial loss
– 25% Detected system penetration for outside the
organization
– 19% Reported 10 or more incidents

4. What the Statistics Mean
• We don’t really know the prevalence of
computer security breaches
• Low response rate to surveys
• Corps and Govn’ts won’t share information
• Successful attacks come from inside
• Actual financial losses are probably
overstated

5. The Latest Trends
• Old ideas get new life
– Yet Another DDoS Tool: Trinity
– More Viruses
• Alternative Streams
• Mobile Devices
– Web Page Hacks
• Front Page still insecure
• Database insecurities

6. Assessment
• Starting from Nothing
– Assets - What are you protecting?
– Risks - What can be wrong?
– Threat Vectors - Who might attack?
– Methods - How do they attack?

7. What are you protecting?
• Each component of the network
– Web servers
– Routers
– Accounting systems
– Mail Servers
– Modem Banks
• Don’t forget the data

8. What can be wrong?
• Poor software configuration
• Missing patches
• Bad passwords
• No logs
• No sysadmin attention

9. Who might attack you?
• Hackers
– A few talented people provide tools for
thousands of kids
– rootshell.com, insecure.org contain
hundreds of tools
– Opportunity targets
• Customers
– Themselves
– Through stolen/guessed passwords

10. Who might attack you? (2)
• Insiders
– Through malice
– Carelessness
– Overwork
• Competitors
– “Denial of Service” attacks make you look
bad
– Customer lists for marketing

11. How Outsiders Attack
• Look for known weaknesses
– Misconfigured Software
– Lots of sw has “more secure”
configuration which is not turned on out of
the box
– Outdated software with known problems
– Bad passwords

12. How outsiders attack (2)
• Scanning tools (SATAN, sscan)
– Make finding problems easy
• Exploit tools
– Make taking advantage of problems easy
• Stealth tools
– Make erasing logs easy

13. How insiders attack
• Exactly the same as outsiders
– Except that they are more effective

14. What to do about it?
• Policies and Procedures for Security
– What are you protecting?
– What's in place to protect it?
• Training and knowledge throughout the
organization
– Do system managers know that security is
a priority?
– Do they have the skills and training to
execute?

15. What to do about it?
• Design for Defense
– Separation of Responsibility
– Least Privilege Required
• Tools
– Software to Implement

16. Governing Principles
• Integrity
– Strong internal controls on security of the applications and
data
• Confidentiality
– Strong security on user access and data transmissions
• Availability
– Failsafe components, error tolerance, internal availability
monitoring
• Accountability
– Full internal auditing, tie-ins to change control systems

17. The Policy Process
1. Policy Definition
2. Implementation 3. Compliance Reporting

18. The Policy Process
• High level security process
• Begins with policy definition
• Implementation forms a separate low
level process
• Compliance reporting summarizes
status viz-a-viz defined policy

19. The Implementation Process
1. Assess
2. Planning
(Reporting)
3. Fix

20. The Implementation Process
• Lower level IT process
• Assess against pre-defined policy
• Results inform remediation planning
• Implement fixes
• Repeat

21. Policies
• Know what you want to protect, and
why
– This lets you do cost benefit analysis
• Know who you want to protect it from
– This lets you design your defenses
• Know what to do
– Policies need to define actions

22. Policies
• Involve the Stakeholders
– Managers to focus on business case
– Technical staff to focus on what's possible,
effective
– Everyone to commit to goals

23. Why Do Policies Fail?
• Lack of stakeholder support
• Too much complexity
• Organizational politics

24. Organizational Politics
• Common Organization
– Centralized security body
– Distributed system administration
• Results in tensions, cross-purposes

25. Questions?

26. A Distributed Organization