Security Systems Engineering Policy Development PDF
Document Details
STI
Tags
Summary
This document provides an overview of security systems engineering policy development. It covers policy makers, audience classification, and related topics like cryptography and cryptanalysis. The document is geared towards a professional audience and provides detailed insights into security policy.
Full Transcript
IT1914 Security Systems Engineering Policy Development Security Policy It is the statement of responsible decision makers about the protection mechanism of a company’s crucial, physical, and information assets. Overall, it is a document that describes...
IT1914 Security Systems Engineering Policy Development Security Policy It is the statement of responsible decision makers about the protection mechanism of a company’s crucial, physical, and information assets. Overall, it is a document that describes a company’s security controls and activities. Security policy does not specify a technological solution. Instead, it specifies sets of intentions and conditions that will aid in protecting assets along with its proficiency to organize a business. In more depth, a security policy is a primary way in which administration prospects for security are translated into specific, measurable goals, as well as direct users to build, install, and maintain systems. Policy Makers Security policy development is a joint or collective operation of all entity of an organization that is affected by its rules. In general, security policies should not be developed by the IT team itself as it is a responsibility of everyone that has a stake in the security policy. During policy creating, the following entities should be involved in its development: Board – Company board members must render their advice to some form of a review of policies in response to the exceptional or abominable running condition of the business. IT Team – The members of this team usually are the biggest consumers of the policy information in any company because they develop standards around the usage of the computer system, especially security controls. Legal Team – This team ensures the legal points in the document and guides a particular point of appropriateness in the company. HR Team – This team typically obtains a certified certificate from each employee, in which they have read and understood the stipulated policy, as it deals with reward- and punishment-related issues of employees to implement discipline. Requirement Publication Gathering Proposal Approval Definition Policy Development Figure 1. Security policy development approach Policy Audience Security policy applies to all senior management, employees, stockholders, consultants, and service providers who use company assets. Therefore, the security policy must be readable, concise, and illustrated to be effectively understandable to its audience so that everyone adheres to the policies and fulfill their role. Audience IT Employees Management Legal Stockholders Department Figure 2. Security Policy for Audience 04 Handout 1 *Property of STI [email protected] Page 1 of 5 IT1914 Policy Classification Every organization typically has three (3) policies: first, it is drafted on paper; second, that is in employees’ minds; and third that it is implemented. The security policy is a part of the hierarchy of management control; it guides its audience what to do according to the stipulated terms and conditions of a company. The policy generally requires what must be done, not on how it should be done. Security policies could be informative, regulative, and advisory in a broad manner. Generally, these are subdivided into the following categories: Physical security – It mandates what protection should be wielded to safeguard the physical asset from both employees and management and applies to the prevail facilities, including doors, entry point, surveillance, and alarm. Personnel Management – They are supposed to tell their employees how to conduct or operate day-to-day business activities in a secure manner. For instance, password management and confidential information security apply to individual employees. Hardware and Software – It directs the administrator what type of technology to use and how network control should be configured and applied to the system and network administrators. Policy Audit Security documents are living documents. It needs to be updated at specific intervals in response to changing business and customer requirements. A successful security audit accomplishes the following: It compares the security policy with the actual practice in place. It determines the exposure to threats from the inside. It also determines the exposure of an organization from an outside attack. Policy Enforcement Enforcement of security policies ensures compliance with the principle and practices dictated by the company because policy procedure does not work if they are violated. Enforcement is arguably the most significant aspect of a company; it dissuades anyone from deliberately or accidentally violating policies rules. Policy Awareness Company employees are often perceived as a “soft” target to be compromised because they are the least predictable and easiest to exploit. Trusted employees either “disgruntle” or become framed to provide valuable information about a company. One of the most robust storage to combat this exposure of information by employees is education. A good security awareness program must be periodically performed and must include all the existing security policies that are mandated to be complied with by employees. These awareness programs should integrate communication and reminders to employees about what they should and shouldn’t reveal information to the outsiders. Security policy awareness training and education mitigate the threat of information leakage. These are the misconceptions about policy development: Without identifying the need Does not consider whether procedures are Without identifying who will take lead required responsibility Does not monitor or review the implemented Finalizes the policy without further study policy Does not consult with appropriate Does not gather information stakeholders Process Management There are eight (8) security processes to protect and manage data: Privileged Password Management – This process seeks to protect the most sensitive data. Within a large organization, which has requirements to keep customer or client data secure, there is often a limited number of people who have access to the data. This process is geared to provide short-term access to someone who would normally not have these permissions. 04 Handout 1 *Property of STI [email protected] Page 2 of 5 IT1914 Having a strong privileged password management process in place is a vital part of securing data. This is important for company performance. Sufficient levels of security can often be required by law depending on the nature of the data that is stored and the industry an organization operates within. Network Administrator Daily Tasks – This checklist aims to list a series of key daily tasks performed by network administrators and provide space for those tasks to be recorded. As a result, a network administrator would be able to run the checklist each day and cycle through the different tasks presented to cover the recurring basics. Network Security Audit Checklist – The network security audit checklist deals with hardware and software, training, and procedures. The risks of a system often down to both human and technical errors and particularly when both errors meet. For this reason, an audit must go beyond looking at a narrow focus or one (1) specific area; instead, s/he must try to capture the overview of all the risks inherent in the system. Firewall Audit Checklist – This process is thorough and covers a series of precautions. In every step, documenting activities is encouraged. From reviewing existing policies and assessing the physical security of the servers to deleting redundant rules from the rule-base, it is vital that changes are documented when executing process management. Positive process documentation results in better work and makes the life of the next person auditing the firewall significantly easier. Virtual Private Network (VPN) Configuration – In this process, a VPN is set up on a staff member’s laptop, which allows the staff member to connect to the office network remotely. Built into this process are the checks and balances which come from using a process to manage the setup. For example, as part of security protections, both the information technology (IT) and human resource (HR) departments would have recorded the information of who has remote access to office networks. This prevents risk exposure that otherwise could have been caused by poor communication practices. Apache Server Setup – The most popular server in the world is Apache. It caters different methods of setup by walking through alternative commands. E-mail Server Security – E-mail is one of the first ways anyone is going to try to get into a company. Fighting off phishing attacks and other malicious attempts to compromise security relies on both strong technical resilience and a high level of professional training. Penetration Testing – This involves testing systems security by trying to break into it. It is centered around trying to find vulnerabilities in a system and then attempting to sneak inside. The penetration testers’ goal is to see how much damage they have the potential to cause. Network Compliance Network compliance management enables the identification and correction of trends that could lead to business problems such as network instability and service interruption. Compliance becomes overwhelming for many IT shops because they don’t have a clear understanding of what various regulations require. Compliance is a moving target, so such tools must be updated with policies and continue to run after an audit proves successful to prevent compliance drift. At that point, the technologies are used to maintain an environment in a compliant state and provide documentation of the ongoing compliance. Network auditing and compliance tools use scanning and monitoring technologies to track access to critical devices and ensure actions comply with policies. The products collect data and maintain detailed records, sometimes in the format required by regulatory compliance demands. Network audit and compliance software, at times packaged in appliances, include components such as audit, compliance, and database servers. Audit servers run scans, while the compliance service analyzes and processes the scan results, and the database server stores raw and processed data. Compliance managers typically tap a Web-based console to view data collected and generate reports. How Does Network Compliance Protect You? There are many obstacles to achieving complete network compliance and security, including technology change, staffing, and skills shortages, and the need to accelerate business responsiveness. Operational network errors are frequently the consequence of configuration issues, which are a major source of network downtime, degraded performance, and gaps 04 Handout 1 *Property of STI [email protected] Page 3 of 5 IT1914 in the network security. Network compliance and security is imperative for ensuring quality service, meeting implementation and regulatory requirements, and managing risks. Cryptography Cryptography is the science of secret writing to keep the data secret and an important aspect when dealing with network security. “Crypto” means secret or hidden. Cryptanalysis, on the other hand, is the science or sometimes the art of breaking cryptosystems. Both terms are a subset of what is called “cryptology.” Cryptology refers to the study of codes, which involves both writing (cryptography) and solving (cryptanalysis) them. Cryptography is classified into symmetric cryptography, asymmetric cryptography, and hashing. Below are the description of these types. Symmetric key cryptography – It involves usage of one (1) secret key along with encryption and decryption algorithms which help in securing the contents of the message. The strength of symmetric key cryptography depends upon the number of key bits. It is relatively faster than asymmetric key cryptography. There arises a key distribution problem as the key has to be transferred from the sender to the receiver through a secure channel. Figure 3. Symmetric key cryptography Source: https://www.geeksforgeeks.org/cryptography-introduction-to-crypto-terminologies/ Asymmetric key cryptography – Also known as “public key cryptography,” it involves the usage of a public key along with the secret key. It solves the problem of key distribution as both parties use different keys for encryption or decryption. It is not feasible to use for decrypting bulk messages for it is very slow compared to symmetric key cryptography. Figure 4. Asymmetric key cryptography Source: https://www.geeksforgeeks.org/cryptography-introduction-to-crypto-terminologies/ Hashing – It involves taking the plain-text and converting it to a hash value of fixed size by a hash function. This process ensures the integrity of the message; the hash value on both the sender’s and the receiver’s side should match if the message is unaltered. 04 Handout 1 *Property of STI [email protected] Page 4 of 5 IT1914 Figure 5. Hashing Source: https://www.geeksforgeeks.org/cryptography-introduction-to-crypto-terminologies/ Cryptanalysis is the study of cipher text, ciphers, and cryptosystems to understand how they work as well as find and improve techniques for defeating or weakening threats. For example, cryptanalysts seek to decrypt cipher texts without knowledge of the plaintext source, encryption key, or the algorithm used to encrypt it. Cryptanalysts also target secure hashing, digital signatures, and other cryptographic algorithms. Figure 6. Cryptanalysis Source: https://www.geeksforgeeks.org/cryptography-introduction-to-crypto-terminologies/ Types of Attacks in Cryptanalysis 1.Classical Attack – It can be divided into mathematical analysis and brute force attacks. Brute force attacks run the encryption algorithm for all possible cases of the keys until these find a match. The encryption algorithm is treated as a black box. Analytical attacks are those attacks which focus on breaking the cryptosystem by analyzing the internal structure of the encryption algorithm. 2. Social Engineering Attack – It is something dependent on the human factor. Tricking someone into revealing their passwords to the attacker or allowing access to the restricted area comes under this attack. People should be cautious when revealing their passwords to any third party that is not trusted. 3. Implementation Attacks – A side-channel analysis can be used to obtain a secret key for this kind of attack. They are relevant in cases where the attacker can obtain physical access to the cryptosystem. _______________________________________________________________________________________ References: Alan. (2013, January 25). Why are processes important? [Web log post]. Retrieved from http://www.agiledge.com/process/why-are-processes-important on May 6, 2019 An Introduction to Cyber Security Policy. (n.d). In Infosec Resources. Retrieved from https://resources.infosecinstitute.com/cyber-security-policy-part-1/#gref on May 3, 2019 Caesar Cipher. (n.d).In Practical Cryptography. Retrieved from http://practicalcryptography.com/ciphers/caesar-cipher/ on May 6, 2019 Cryptography. (n.d). In Geeks for Geeks. Retrieved from https://www.geeksforgeeks.org/cryptography-introduction-to-crypto-terminologies/ on May 5, 2019 Dubie, D. (n.d). Network Auditing and Compliance Requires Education Planning. Guide to Network Auditing and Compliance. PC World. Retrieved from https://www.pcworld.com/article/144633/guide_network_auditing_compliance.html on May 5, 2019. Henshall, A. (2017, August 29). 8 IT security processes to protect and manage company data [Web log post]. Retrieved from https://www.process.st/it-security-processes/ on May 5, 2019 Kostopoulus, G.K. (2018). Cyberspace and Cybersecurity (2nd ed.). Boca Raton, FL: Taylor and Francis Group Network Compliance. (n.d). In Qual Network Society. Retrieved from http://it-network-security.co.uk/our-services/network-compliance/ on May 5, 2019 04 Handout 1 *Property of STI [email protected] Page 5 of 5