3. security policies and infrastructure
7/31/2019 3. Security Policies and Infrastructure
1/34
HIGHER COLLEGE OF TECHNOLOGY Department of Information Technology
Chapter 3
Security Policies and Infrastructure
Security policy is a definition of what it means to be secure for a system, organization
or other entity. For an organization, it addresses the constraints on behavior of its
members as well as constraints imposed on adversaries by mechanisms such as doors,
locks, keys and walls. For systems, the security policy addresses constraints on
functions and flow among them, constraints on access by external systems and
adversaries including programs and access to data by people.
Significance
If it is important to be secure, then it is important to be sure all of the security policy is
enforced by mechanisms that are strong enough. There are organized methodologies
and risk assessment strategies to assure completeness of security policies and assure
that they are completely enforced. In complex systems, such as information systems,
policies can be decomposed into sub-policies to facilitate the allocation of security
mechanisms to enforce sub-policies. However, this practice has pitfalls. It is too easy to
simply go directly to the sub-policies, which are essentially the rules of operation, and
dispense with the top-level policy. That gives the false sense that the rules of operation
address some overall definition of security when they do not. Because it is so difficult
to think clearly and completely about security, rules of operation stated as "sub-
policies" with no "super-policy" usually turn out to be rambling ad-hoc rules that fail to
enforce anything completely. Consequently, a top-level security policy is
essential to any serious security scheme, and sub-policies and rules of operation are
meaningless without it.
ITNT 3112 Network Security and Auditing
Page 1
What's in a name? We frequently hear people use the names "policy", "standard", and
"guideline" to refer to documents that fall within the policy infrastructure. So that those
who participate in this consensus process can communicate effectively, we'll use the
following definitions.
A policy is typically a document that outlines specific requirements or rules that must
be met. In the information/network security realm, policies are usually point-specific,
covering a single area. For example, an "Acceptable Use" policy would cover the
rules and regulations for appropriate use of the computing facilities.
A standard is typically a collection of system-specific or procedure-specific
requirements that must be met by everyone. For example, you might have a standard
that describes how to harden a Windows NT workstation for placement on an external
(DMZ) network. People must follow this standard exactly if they wish to install a
Windows NT workstation on an external network segment.
Standards support consistency within a network. For example, a standard might specify
a limited number of operating systems to be supported in the organization, because it
would be impractical for the IT staff to support any operating system that a user
happened to select. Also, standards could apply to configuring devices, such as routers
(for example, having a standard routing protocol).
A guideline is typically a collection of system-specific or procedure-specific
"suggestions" for best practice. They are not requirements to be met, but are strongly
recommended. Effective security policies make frequent references to standards and
guidelines that exist within an organization. Whereas standards tend to be mandatory
practices, guidelines tend to be suggestions. For example, a series of best practices
might constitute a security policy's guidelines.
Procedures:
To support consistency in the network, and as dictated by the previously mentioned
standards, a security policy might include a collection of procedures. These procedures
are very detailed documents providing step-by-step instructions for completing specific
tasks (such as steps for configuring port security on a Cisco Catalyst switch).
Constructing a Comprehensive Network Security Policy
One of the main reasons security breaches occur within an organization is the lack of a
security policy or, if a security policy is in place, the failure to communicate that
security policy effectively to all concerned. This section discusses the purpose of a security
policy, what should be addressed in that policy, how to maximize its effectiveness, and
how to create awareness and understanding of the policy.
Security Policy Fundamentals
A security policy is a continually changing document that dictates a set of guidelines
for network use. These guidelines complement organizational objectives by specifying
rules for how a network is used.
The main purpose of a security policy is to protect an organization's assets. An
organization's assets include more than just tangible items. Assets also entail such
things as intellectual property, processes and procedures, sensitive customer data, and
specific server functions (for example, e-mail or web functions). Aside from protecting
organizational assets, a security policy serves other purposes, such as the following:
- Making employees aware of their obligations as far as security practices
- Identifying specific security solutions required to meet the goals of the security policy
- Acting as a baseline for ongoing security monitoring
One of the more well-known components of a security policy is an acceptable use
policy (AUP), also known as an Appropriate Use Policy. An AUP identifies what users
of a network are and are not allowed to do on the network.
For example, retrieving sports scores during working hours via an organization's
Internet connection might be deemed inappropriate by an AUP.
Because an organization's security policy applies to various categories of employees (such as
management, technical staff, and end users), a single document might be insufficient.
For example, managerial personnel might not be concerned with the technical
intricacies of a security policy. Technical personnel might be less concerned with why a
policy is in place. End users might be more likely to comply with the policy if they
understand the reasoning behind the rules.
Therefore, a security policy might be a collection of congruent, yet separate,
documents.
Security Policy Components
As previously mentioned, an organization's security policy typically is composed of
multiple documents, each targeting a specific audience. The figure below offers a high-level
overview of these complementary documents.
Figure - Components of a Security Policy
Governing Policy
At a very high level, a governing policy addresses security concepts deemed important
to an organization. The governing policy is primarily targeted at managerial and
technical employees. Following are typical elements of a governing policy:
- Identifying the issue addressed by the policy
- Discussing the organization's view of the issue
- Examining the relevance of the policy to the work environment
- Explaining how employees are to comply with the policy
- Enumerating appropriate activities, actions, and processes
- Explaining the consequences of noncompliance
Technical Policies
Technical policies provide a more detailed treatment of an organization's security
policy, as opposed to the governing policy. Security and IT personnel are the intended
targets of these technical policies, and these personnel use these policies in performing
their day-to-day tasks. Typical components of technical policies include specific duties
of the security and IT staff in areas such as the following:
- E-mail
- Wireless networks
- Remote access
End-User Policies
End-user policies address security issues and procedures relevant to end users. For
example, an end user might be asked to sign an acceptable use policy (AUP) for
Internet access. That AUP might state that Internet access is only for business purposes.
Then, if an end user is found using the Internet for personal reasons, he or she could
face the consequences outlined in the governing policy.
More-Detailed Documents
Because the governing policy, technical policies, and end-user policies each target a
relatively large population of personnel, they tend to be general in nature. However, a
comprehensive security policy requires a highly granular treatment of an organization's
procedures. Therefore, more-detailed documents, such as the following, are often
contained in a security policy:
Security Policy Responsibilities
The ultimate responsibility for an organization's security policy rests on the shoulders
of senior management (for example, the Chief Executive Officer [CEO]). However,
senior management typically oversees the development of a security policy, as opposed
to being intimately involved with the policy's creation.
Senior security or IT personnel usually are directly involved with the creation of the
security policy. These individuals might create the policy themselves or delegate its
creation. Examples of senior security or IT personnel include
- Chief Security Officer (CSO)
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
As soon as a security policy is created, the security and IT staff are responsible for
implementing it within the organization's network. End users are responsible for
complying with the security policy.
Monitoring the Security Infrastructure
Introduction
It's not enough to just keep a security structure in place; you need to be watching your
security walls so that you can guard against attacks from within or from the outside. In
this topic, you will learn to monitor your security infrastructure so that you can detect
and respond to possible security breaches.
Scan for vulnerabilities.
Monitoring your security infrastructure is an ongoing job responsibility for a security
professional. You will need to perform a variety of tasks on a regular basis to ensure
that your security is not breached. One of these regular tasks is to periodically review
your system vulnerabilities, so that you can detect them before attackers do. Many
times, one of the first steps an attacker takes to break into a system is to scan the
system for vulnerabilities. It is critical to discover where the possible points of entry
are on your network and systems. Even if you have taken every precaution to harden
your network components and services, there will still be vulnerabilities that you may
not be aware of, but that you can be sure attackers will find. The best way to find these
vulnerabilities is to perform a scan yourself and patch the holes before the attackers find
them.
Ethical Hacking
Definition:
An ethical hack is a planned attempt to penetrate the security defenses of a system in
order to identify vulnerabilities. In an ethical hack, a white-hat hacker assumes the
mind-set of an attacker and attempts to breach security using any and all tools and
techniques an attacker might employ. Organizations often undertake an ethical hack as
the only way to truly reveal flaws in a system's defenses.
The Hacking Process
Understanding the general steps of the hacking process will help you recognize attacks
in progress and stop them before they cause damage.
Hacking Step: Description
Footprinting
In footprinting, or profiling, the attacker chooses a target and begins to gather
information that is publicly or readily available. With basic tools, such as a web
browser and an Internet connection, an attacker can often determine the IP addresses of
a company's DNS server; the range of addresses assigned to the company; names, email
addresses, and phone numbers of contacts within the company; and the company's
physical address. Attackers use dumpster diving, or searching through garbage, to find
sensitive information in paper form. The names and titles of people within the
organization enable the attacker to begin social engineering to gain even more private
information. The HTML code of a company's web page can
provide information, such as IP addresses and names of web servers, operating system
versions, file paths, and names of developers or administrators. DNS servers are a
common footprinting target because, if not properly secured, they can provide
a detailed map of an organization's entire network infrastructure.
Scanning
The second step is scanning an organization's infrastructure to see where
vulnerabilities might lie. In this step, the attacker may perform a ping sweep to
determine which host IP addresses in the company's IP address range are active. The
attacker will scan the target's border routers, firewalls, web servers, and other systems
that are directly connected to the Internet to see which services are listening on which
ports and to determine the operating systems and manufacturers of each
system. Additionally, the attacker might begin a wardialing campaign to determine if
there are any vulnerabilities in the organization's PBX. The attacker might even try
wardriving: driving up to the company with a laptop and a wireless card to see if there
are any wireless access points to provide a way into the network.
Enumerating
During enumerating, the attacker will try to gain access to resources or other
information. The attacker can obtain these through social engineering, network sniffing,
dumpster diving, watching a user log in, hacking with tools like Legion, or searching
for credentials written down at user workstations. If the attacker can obtain
a valid username, he can begin the process of cracking the user's password.
Attacking
Attacking is the last phase of the hack, in which the hacker acts openly to cause
damage or service disruption, or to steal or destroy sensitive information.
Security Utilities
Any security or network tool can be used for ethical or unethical purposes. To perform
an ethical hack, you will need to make use of the same tools employed by attackers.
Some tools are generally available by downloading them from the Internet, and some
must be purchased from vendors. Because tools and utilities are constantly changing, it
is important to continually research the available tools and their functions.
There are many different tools available for different security tasks, and some
have multiple uses.
Utility Type: Typical Tools
- Vulnerability scanning: MBSA, Nessus, SAINT, ISS Internet Scanner, NMap, Security Analyzer, LANGuard, Cybercop, Strobe
- Port scanning: Microsoft Port Reporter, Superscan, ShieldsUP, NMap, Netcat, Pinger
- Password scanning and cracking: Crack, John the Ripper, Pandora, L0phtcrack, Snadboys Revelation, Pwdump
- Exploits, Trojan horses, and other stress testers: UDPFlood, Smbrelay, Netbus, SubSeven, GetAdmin
- Network monitors, sniffers and tracers: Microsoft Network Monitor, Ethereal, TCPDump, WinDump, WinPcap, Visual Route, NeoTrace
- Network and security administration: Webmin, Tripwire, Bastille, PuTTY, HiSecWeb, IIS Lockdown
Types of Vulnerability Scans
A vulnerability scan is one of the first steps in either an attack or an ethical hack.
There are two main types of vulnerability scans: scans for general vulnerabilities,
such as scans for open ports, and application-specific scans, such as a password
crack against a particular operating system. You will use different scanning tools
depending upon the type of scan you wish to run.
Note: There are a variety of specialized web-based scanning services, such as
Shields Up! from Gibson Research Corporation (www.grc.com).
You can also consider registering with security event aggregators, such as
www.dshield.org or www.mynetwatchman.com. They will also analyze your
firewall logs and act as a fully automated abuse escalation/management system.
There are many different scanning tools available.
Scan Type: Typical Tools Used
- General vulnerabilities: MBSA, Nessus, SAINT, ISS Internet Scanner, NMap, Security Analyzer, LANGuard, Cybercop
- Man-in-the-middle vulnerabilities: Smbrelay
- Port vulnerabilities: Microsoft Port Reporter, Superscan, ShieldsUP!, NMap, Netcat
- Password vulnerabilities: John the Ripper, Pandora, L0phtcrack
Port Ranges
TCP and UDP ports are assigned in one of three ranges.
- Well-known ports, from 0 to 1,023, are preassigned and used consistently by all
systems on the Internet.
- Registered ports, from 1,024 to 49,151, are available to assign to individual
protocols and processes.
- Dynamic or private ports, from 49,152 to 65,535, are assigned by operating
systems on an as-needed basis.
Hackers will target commonly used, well-known ports for attack, but may scan for
open registered or dynamic ports as well.
IANA
IANA, the Internet Assigned Numbers Authority, manages the registration of well-known
ports, and also lists registered ports as a convenience. For a complete list
of TCP and UDP ports, see the IANA website at
www.iana.org/assignments/portnumbers.
Vulnerable Ports
Some port numbers are particularly vulnerable to attackers.
How to Scan for Vulnerabilities
1. Install scanning software that is appropriate for the type of scan you want to perform.
2. Scan your system with the parameters that are appropriate for your environment.
3. If possible, scan your system from an external network as well, by using a web-based
scanning tool.
4. Manually review your system audit logs as well as any logs created by the scanning
program.
5. If possible, install a tool to automate the process of reviewing and analyzing audit
logs.
6. If vulnerabilities are found, revisit your hardening procedures to harden your
operating systems and devices.
Intrusion Detection Systems (IDSs)
An Intrusion Detection System (IDS) is a system that scans, audits, and monitors the
security infrastructure for signs of attacks in progress. IDS software can also analyze
data and alert security administrators to potential infrastructure problems. An IDS can
comprise a variety of hardware sensors, intrusion detection software, and IDS
management software. Each implementation is unique, depending on the security needs
and the components chosen.
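As an added example (not from the course notes), the following Python script performs the kind of automated log review called for in steps 4 and 5 of the scanning procedure above and that an IDS carries out continuously: it parses constructed firewall log lines and flags the scanning-phase behaviour described earlier, a source probing many ports on one host or sending ICMP echo requests across an address range, and sorts the probed ports into the IANA ranges from the Port Ranges section. The log format, the addresses and the alert thresholds are assumptions.

```python
"""Scan detection over constructed firewall log lines: flags port scans (one
source, many distinct ports on one host) and ping sweeps (one source, ICMP echo
to many hosts) inside a time window. Added example; the log format and the
thresholds are assumptions, not the course material's."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log using documentation address ranges. 198.51.100.7 is
# normal traffic, 203.0.113.5 probes one server, 203.0.113.9 pings a range.
SAMPLE_LOG = """\
2019-07-31T10:00:01 ALLOW src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2019-07-31T10:00:09 ALLOW src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2019-07-31T10:00:05 DENY src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=21
2019-07-31T10:00:05 DENY src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=22
2019-07-31T10:00:05 DENY src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=23
2019-07-31T10:00:06 DENY src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=25
2019-07-31T10:00:06 ALLOW src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=80
2019-07-31T10:00:06 DENY src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=3389
2019-07-31T10:00:07 DENY src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=8080
2019-07-31T10:00:07 DENY src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=50000
2019-07-31T10:02:00 DENY src=203.0.113.9 dst=192.0.2.1 proto=ICMP type=8
2019-07-31T10:02:00 DENY src=203.0.113.9 dst=192.0.2.2 proto=ICMP type=8
2019-07-31T10:02:01 DENY src=203.0.113.9 dst=192.0.2.3 proto=ICMP type=8
2019-07-31T10:02:01 DENY src=203.0.113.9 dst=192.0.2.4 proto=ICMP type=8
2019-07-31T10:02:02 DENY src=203.0.113.9 dst=192.0.2.5 proto=ICMP type=8
2019-07-31T10:02:02 DENY src=203.0.113.9 dst=192.0.2.6 proto=ICMP type=8
"""

# Assumed line layout: timestamp, verdict, src=, dst=, proto=, then dport= (TCP/UDP)
# or type= (ICMP). Lines that do not match are skipped rather than guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+)(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def port_range(port):
    """Classify a port into the three IANA ranges listed in the Port Ranges section."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def detect_scans(log_text, port_threshold=6, host_threshold=5, window_seconds=60):
    """Return one alert per (source, target) that, within window_seconds, touched at
    least port_threshold distinct ports on one host (port scan) or sent ICMP echo
    requests to at least host_threshold distinct hosts (ping sweep)."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    events.sort(key=lambda ev: ev["ts"])          # log order need not be time order
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}                                   # keyed so each scan is reported once
    for src, evs in by_src.items():
        for i, first in enumerate(evs):           # sliding window starting at each event
            ports_by_dst = defaultdict(set)
            echo_targets = set()
            for ev in evs[i:]:
                if (ev["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                if ev["dport"] is not None:
                    ports_by_dst[ev["dst"]].add(ev["dport"])
                elif ev["proto"] == "ICMP" and ev["type"] == "8":   # echo request
                    echo_targets.add(ev["dst"])
            for dst, ports in ports_by_dst.items():
                key = ("port scan", src, dst)
                if len(ports) >= port_threshold and key not in alerts:
                    by_range = defaultdict(list)
                    for p in sorted(ports):
                        by_range[port_range(p)].append(p)
                    alerts[key] = {"kind": "port scan", "src": src, "dst": dst,
                                   "ports": dict(by_range)}
            key = ("ping sweep", src, None)
            if len(echo_targets) >= host_threshold and key not in alerts:
                alerts[key] = {"kind": "ping sweep", "src": src,
                               "hosts": sorted(echo_targets)}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; on a real perimeter they are tuned against the normal traffic the firewall sees.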
Some Security Policies and Templates for different types of Security Policies
< Company Name >
Password Policy
1.0 Overview
Passwords are an important aspect of computer security. A poorly chosen password
may result in unauthorized access and/or exploitation of 's resources.
All users, including contractors and vendors with access to systems,
are responsible for taking the appropriate steps, as outlined below, to select and secure
their passwords.
2.0 Purpose
The purpose of this policy is to establish a standard for creation of strong passwords,
the protection of those passwords, and the frequency of change.
3.0 Scope
The scope of this policy includes all personnel who have or are responsible for an
account (or any form of access that supports or requires a password) on any system that
resides at any facility, has access to the network,
or stores any non-public information.
4.0 Policy
4.1 General
- All system-level passwords (e.g., root, enable, Windows Administrator,
application administration accounts, etc.) must be changed on at least a
quarterly basis.
- All production system-level passwords must be part of the InfoSec administered
global password management database.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be
changed at least every six months.
- User accounts that have system-level privileges granted through group
memberships or programs such as "sudo" must have a unique password from all other
accounts held by that user.
- Where SNMP is used, the community strings must be defined as something
other than the standard defaults of "public," "private" and "system" and must be
different from the passwords used to log in interactively. A keyed hash must be
used where available (e.g., SNMPv2).
- All user-level and system-level passwords must conform to the guidelines
described below.
4.2 Guidelines
A. General Password Construction Guidelines
All users at should be aware of how to select strong passwords.
Strong passwords have the following characteristics:
- Contain at least three of the five following character classes:
  - Lower case characters
  - Upper case characters
  - Numbers
  - Punctuation
  - Special characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'/ etc)
- Contain at least fifteen alphanumeric characters.
Weak passwords have the following characteristics:
- The password contains less than fifteen characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  - Names of family, pets, friends, co-workers, fantasy characters, etc.
  - Computer terms and names, commands, sites, companies, hardware, software.
  - The words "", "sanjose", "sanfran" or any derivation.
  - Birthdays and other personal information such as addresses and phone numbers.
  - Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Try to create passwords that can be easily remembered. One way to do this is to create a
password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be
One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or
some other variation.
(NOTE: Do not use either of these examples as passwords!)
B. Password Protection Standards
- Always use different passwords for accounts from other
non- access (e.g., personal ISP account, option trading, benefits, etc.).
- Always use different passwords for various access needs
whenever possible. For example, select one password for systems that use directory services (i.e.
LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.
- Do not share passwords with anyone, including administrative assistants or
secretaries. All passwords are to be treated as sensitive, confidential
information.
- Passwords should never be written down or stored on-line without encryption.
- Do not reveal a password in email, chat, or other electronic communication.
- Do not speak about a password in front of others.
- Do not hint at the format of a password (e.g., "my family name")
- Do not reveal a password on questionnaires or security forms
- If someone demands a password, refer them to this document and direct them to
the Information Security Department.
- Always decline the use of the "Remember Password" feature of applications
(e.g., Eudora, OutLook, Netscape Messenger).
- If an account or password compromise is suspected, report the incident to the
Information Security Department.
C. Application Development Standards
Application developers must ensure their programs contain the following security
precautions.
- Shall support authentication of individual users, not groups.
- Shall not store passwords in clear text or in any easily reversible form.
- Shall provide for some sort of role management, such that one user can take
over the functions of another without having to know the other's password.
- Shall support TACACS+, RADIUS and/or X.509 with LDAP security retrieval
wherever possible.
D. Use of Passwords and Passphrases for Remote Access Users
Access to the Networks via remote access is to be controlled using
either a one-time password authentication or a public/private key system with a strong
passphrase.
E. Passphrases
Passphrases are generally used for public/private key authentication. A public/private
key system defines a mathematical relationship between the public key that is known by
all, and the private key, that is known only to the user. Without the passphrase to
"unlock" the private key, the user cannot gain access.
Passphrases are not the same as passwords. A passphrase is a longer version of a
password and is, therefore, more secure. A passphrase is typically composed of multiple
words. Because of this, a passphrase is more secure against "dictionary attacks."
A good passphrase is relatively long and contains a combination of upper and lowercase
letters and numeric and punctuation characters.
An example of a good passphrase:
"The*?#>*@TrafficOnThe101Was*!#ThisMorning"
All of the rules above that apply to passwords apply to passphrases.
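As an added example (not part of the policy template), this Python checker implements the password construction guidelines of section 4.2.A, which section 4.2.E says apply to passphrases too: minimum length, three of five character classes, dictionary or common words (also reversed or wrapped in digits), and keyboard, sequence, mirror and repeat patterns. The word list, the split between punctuation and special characters, and counting total length rather than alphanumeric characters only are assumptions.

```python
"""Checker for the password construction guidelines in section 4.2.A of the policy
template (length, character classes, dictionary words, patterns, reversed and
digit-wrapped words), which 4.2.E applies to passphrases as well. Added example,
not part of the policy; the word list and the punctuation/special split are assumed."""
import re
import string

MIN_LENGTH = 15            # "at least fifteen ... characters" (assumed: total length counted)
MIN_CLASSES = 3            # "at least three of the five following character classes"
PUNCTUATION = ".,;:!?'\""  # assumed split: these are punctuation, other symbols are special

# Constructed stand-in for the dictionary and organisation word list the policy refers to.
COMMON_WORDS = {"secret", "password", "welcome", "sanjose", "sanfran", "fluffy"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn")
SEQUENCES = (string.ascii_lowercase, string.digits)


def character_classes(pw):
    """Return which of the policy's five character classes appear in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("number")
        elif ch in PUNCTUATION:
            classes.add("punctuation")
        else:
            classes.add("special")
    return classes


def is_common_word(pw):
    """Dictionary check covering the word itself, spelled backwards, and the word
    preceded or followed by digits (secret1, 1secret), as the policy lists."""
    core = pw.lower().strip(string.digits)
    return core in COMMON_WORDS or core[::-1] in COMMON_WORDS


def looks_like_pattern(pw):
    """Detect the pattern kinds the policy names: repeats (aaabbb), keyboard
    walks (qwerty), sequences (zyxwvuts) and mirrored strings (123321)."""
    low = pw.lower()
    if re.search(r"(.)\1\1", low):                 # three identical characters in a row
        return True
    if any(run in low for run in KEYBOARD_RUNS):
        return True
    if len(low) >= 4 and low == low[::-1]:         # mirrored string such as 123321
        return True
    for i in range(len(low) - 3):                  # any 4-character alphabetic/numeric run
        chunk = low[i:i + 4]
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def check_password(pw):
    """Return the list of rules pw violates; an empty list means it meets the policy."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if is_common_word(pw):
        problems.append("dictionary or common word, possibly reversed or digit-wrapped")
    if looks_like_pattern(pw):
        problems.append("keyboard, sequence, mirror or repeat pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("TmB1w2R!", "1secret", "zyxwvuts",
                      "The*?#>*@TrafficOnThe101Was*!#ThisMorning"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Under these checks the policy's own short example "TmB1w2R!" fails only the fifteen-character rule, while the passphrase example in 4.2.E passes every rule.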
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action,
up to and including termination of employment. Password cracking or guessing may be
performed on a periodic or random basis by the Information Security Department or its
delegates. If a password is guessed or cracked during these exercises, the user/owner
will be required to change it.
6.0 Terms and Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an
application (e.g., Oracle database administrator, ISSU administrator).
7.0 Revision History
Author - Date
< Company Name >
Audit Vulnerability Scan Policy
1.0 Purpose
The purpose of this agreement is to set forth our agreement regarding network security
scanning offered by the to the .
shall utilize to
perform electronic scans of Clients networks and/or firewalls or on any system at.
Audits may be conducted to:
- Ensure integrity, confidentiality and availability of information and resources
- Investigate possible security incidents
- Ensure conformance to security policies
- Monitor user or system activity where appropriate.
2.0 Scope
This policy covers all computer and communication devices owned or operated by
. This policy also covers any computer and communications device
that are present on premises, but which may not be owned or
operated by . The will not
perform Denial of Service activities.
3.0 Policy
When requested, and for the purpose of performing an audit, consent to access needed
will be provided to members of . hereby provides its consent to allow of to
access its networks and/or firewalls to the extent necessary to allow [Audit
organization] to perform the scans authorized in this agreement.
shall provide protocols, addressing information, and network connections sufficient for
to utilize the software to perform network scanning.
This access may include:
- User level and/or system level access to any computing or communications
device
- Access to information (electronic, hardcopy, etc.) that may be produced,
transmitted or stored on equipment or premises
- Access to work areas (labs, offices, cubicles, storage areas, etc.)
- Access to interactively monitor and log traffic on networks.
3.1 Network Control.
If Client does not control their network and/or Internet service is provided via a
second or third party, these parties are required to approve scanning in writing if
scanning is to occur outside of the LAN. By signing this
agreement, all involved parties acknowledge that they authorize of to use their service networks as a gateway for the conduct of
these tests during the dates and times specified.
3.2 Service Degradation and/or Interruption. Network performance and/or
availability may be affected by the network scanning. releases
of any and all liability for damages that may arise
from network availability restrictions caused by the network scanning,
unless such damages are the result s gross negligence or intentional misconduct.
3.3 Client Point of Contact During the Scanning Period. shall
identify in writing a person to be available if the result Scanning Team has questions
regarding data discovered or requires assistance.
3.4 Scanning Period. and Scanning Team shall identify in writing the allowable dates
for the scan to take place.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action,
up to and including termination of employment.
5.0 Revision History
29 September 2003, updated to include National Association of State Auditors,
Comptrollers, and Treasurers; the National Association of Local Government Auditors;
the U.S. General Accounting Office; and U.S. Inspectors General Legal and Reporting
Considerations.
Email Use Policy
1.0 Purpose
To prevent tarnishing the public image of When email goes out
from the general public will tend to view that message as an
official policy statement from the .
2.0 Scope
This policy covers appropriate use of any email sent from a email address and applies to all employees, vendors, and agents operating on behalf of
.
3.0 Policy
3.1 Prohibited Use.
The email system shall not be used for the creation or
distribution of any disruptive or offensive messages, including offensive comments
about race, gender, hair color, disabilities, age, sexual orientation, pornography,
religious beliefs and practice, political beliefs, or national origin. Employees who
receive any emails with this content from any employee should
report the matter to their supervisor immediately.
3.2 Personal Use.
Using a reasonable amount of resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a email account is prohibited. Virus or other malware warnings and mass mailings from shall be approved by VP Operations before sending. These restrictions also apply to the forwarding of mail received by a employee.
3.3 Monitoring
employees shall have no expectation of privacy in anything they store, send or receive on the company's email system. may monitor messages without prior notice. is not obliged to monitor email messages.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action,
up to and including termination of employment.
5.0 Definitions
Term Definition
Email: The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.
Forwarded email: Email resent from an internal network to an outside point.
Chain email or letter: Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.
Sensitive information: Information is considered sensitive if it can be damaging to or its customers' reputation or market standing.
Virus warning: Email containing warnings about virus or malware. The overwhelming majority of these emails turn out to be a hoax and contain bogus information usually intent only on frightening or misleading users.
Unauthorized Disclosure: The intentional or unintentional revealing of restricted information to people, both inside and outside , who do not have a need to know that information.
6.0 Revision History
Router Security Policy
1.0 Purpose
This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of .
2.0 Scope
All routers and switches connected to production networks are
affected. Routers and switches within internal, secured labs are not affected. Routers
and switches within DMZ areas fall under the Internet DMZ Equipment Policy.
3.0 Policy
Every router must meet the following configuration standards:
1. No local user accounts are configured on the router. Routers must use TACACS+ for all user authentication.
2. The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router's support organization.
3. Disallow the following:
a. IP directed broadcasts
b. Incoming packets at the router sourced with invalid addresses such as RFC1918 addresses
c. TCP small services
d. UDP small services
e. All source routing
f. All web services running on the router
4. Use corporate standardized SNMP community strings.
5. Access rules are to be added as business needs arise.
6. The router must be included in the corporate enterprise management system with a designated point of contact.
7. Each router must have the following statement posted in clear view:
"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
8. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.
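Most of these configuration standards can be verified mechanically against a device's running configuration. The checker below is an added example, not part of this policy or the course material: it assumes Cisco IOS-style configuration syntax, runs over a constructed sample config, and covers only the items visible in the config text (3b, 5 and 6 need data from outside the device).

```python
"""Mechanical check of a Cisco IOS-style config against the router policy
above (constructed example, not part of the original policy document).
Items 3.0.3b, 3.0.5 and 3.0.6 need external data and are not checked."""
import re

# Constructed sample config: deliberately violates several policy items.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$placeholder
enable password cleartext-placeholder
service tcp-small-servers
ip http server
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""

def audit_router_config(config):
    """Return '<policy item>: <finding>' strings; an empty list means compliant."""
    findings = []
    def has(pattern):
        return re.search(pattern, config, re.M) is not None

    # 3.0.1: no local accounts; all logins via a TACACS+ method list
    if has(r"^username\s"):
        findings.append("3.0.1: local 'username' account present")
    if not has(r"^aaa authentication login \S+ group tacacs\+"):
        findings.append("3.0.1: no TACACS+ login method list")
    # 3.0.2: enable password must be stored hashed ('enable secret')
    if has(r"^enable password ") or not has(r"^enable secret "):
        findings.append("3.0.2: enable password not stored as 'enable secret'")
    # 3.0.3: directed broadcasts, small services, source routing, web services
    if has(r"^\s+ip directed-broadcast"):
        findings.append("3.0.3a: IP directed broadcast enabled on an interface")
    for proto in ("tcp", "udp"):
        if has(rf"^service {proto}-small-servers"):
            findings.append(f"3.0.3c/d: {proto.upper()} small services enabled")
    if not has(r"^no ip source-route"):  # IOS enables source routing by default
        findings.append("3.0.3e: source routing not disabled")
    if has(r"^ip http (secure-)?server"):
        findings.append("3.0.3f: web service enabled on router")
    # 3.0.4: standardized community strings (well-known defaults fail)
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        if m.group(1).lower() in ("public", "private"):
            findings.append(f"3.0.4: default SNMP community '{m.group(1)}'")
    # 3.0.7: required warning banner
    if not has(r"^banner motd"):
        findings.append("3.0.7: no login banner configured")
    # 3.0.8: SSH only; telnet accepted on any vty line is a violation
    for m in re.finditer(r"^\s+transport input (.+)$", config, re.M):
        if "telnet" in m.group(1) or m.group(1).strip() == "all":
            findings.append("3.0.8: telnet accepted on a vty line")
    return findings

if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved `show running-config` dump; each finding names the policy item it maps to, so the output doubles as the compliance exception list the policy's support organization has to justify or remediate.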
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action,
up to and including termination of employment.
5.0 Definitions
Terms Definitions
Production Network: The "production network" is the network used in the daily business of . Any network connected to the corporate backbone, either directly or indirectly, which lacks an intervening firewall device. Any network whose impairment would result in direct loss of functionality to employees or impact their ability to do work.
Lab Network: A "lab network" is defined as any network used for the purposes of testing, demonstrations, training, etc. Any network that is stand-alone or firewalled off from the production network(s) and whose impairment will not cause direct loss to nor affect the production network.
6.0 Revision History
2007-04-18
Added 3.0.8 Telnet
Server Security Policy
1.0 Purpose
The purpose of this policy is to establish standards for the base configuration of internal
server equipment that is owned and/or operated by . Effective
implementation of this policy will minimize unauthorized access to proprietary information and technology.
2.0 Scope
This policy applies to server equipment owned and/or operated by ,
and to servers registered under any -owned internal network domain.
This policy is specifically for equipment on the internal network.
For secure configuration of equipment external to on the DMZ,
refer to the Internet DMZ Equipment Policy.
3.0 Policy
3.1 Ownership and Responsibilities
All internal servers deployed at must be owned by an operational
group that is responsible for system administration. Approved server configuration
guides must be established and maintained by each operational group, based on
business needs and approved by InfoSec. Operational groups should monitor
configuration compliance and implement an exception policy tailored to their
environment. Each operational group must establish a process for changing the
configuration guides, which includes review and approval by InfoSec.
Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:
o Server contact(s) and location, and a backup contact
o Hardware and Operating System/Version
o Main functions and applications, if applicable
Information in the corporate enterprise management system must be kept up-to-date.
Configuration changes for production servers must follow the appropriate
change management procedures.
3.2 General Configuration Guidelines
Operating System configuration should be in accordance with approved InfoSec
guidelines.
Services and applications that will not be used must be disabled where practical.
Access to services should be logged and/or protected through access-control
methods such as TCP Wrappers, if possible.
The most recent security patches must be installed on the system as soon as
practical, the only exception being when immediate application would interfere
with business requirements.
Trust relationships between systems are a security risk, and their use should be
avoided. Do not use a trust relationship when some other method of
communication will do.
Always use standard security principles of least required access to perform a
function.
Do not use root when a non-privileged account will do.
If a methodology for secure channel connection is available (i.e., technically
feasible), privileged access must be performed over secure channels, (e.g.,
encrypted network connections using SSH or IPSec).
Servers should be physically located in an access-controlled environment.
Servers are specifically prohibited from operating from uncontrolled cubicle
areas.
3.3 Monitoring
All security-related events on critical or sensitive systems must be logged and
audit trails saved as follows:
o All security related logs will be kept online for a minimum of 1 week.
o Daily incremental tape backups will be retained for at least 1 month.
o Weekly full tape backups of logs will be retained for at least 1 month.
o Monthly full backups will be retained for a minimum of 2 years.
Security-related events will be reported to InfoSec, who will review logs and
report incidents to IT management. Corrective measures will be prescribed as
needed. Security-related events include, but are not limited to:
o Port-scan attacks
o Evidence of unauthorized access to privileged accounts
o Anomalous occurrences that are not related to specific applications on
the host.
3.4 Compliance
Audits will be performed on a regular basis by authorized organizations within
.
Audits will be managed by the internal audit group or InfoSec, in accordance
with the Audit Policy. InfoSec will filter findings not related to a specific
operational group and then present the findings to the appropriate support staff
for remediation or justification.
Every effort will be made to prevent audits from causing operational failures or
disruptions.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action,
up to and including termination of employment.
5.0 Definitions
Term Definition
DMZ: Demilitarized Zone. A network segment external to the corporate production network.
Server: For purposes of this policy, a Server is defined as an internal Server. Desktop machines and Lab equipment are not relevant to the scope of this policy.
6.0 Revision History
Lab Anti-Virus Policy
1.0 Purpose
To establish requirements which must be met by all computers connected to lab networks to ensure effective virus detection and prevention.
2.0 Scope
This policy applies to all lab computers that are PC-based or utilize
PC-file directory sharing. This includes, but is not limited to, desktop computers, laptop
computers, file/ftp/tftp/proxy servers, and any PC based lab equipment such as traffic
generators.
3.0 Policy
All PC-based lab computers must have 's standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Lab Admins/Lab Managers are responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into 's networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy.
Refer to 's Anti-Virus Recommended Processes to help prevent virus problems.
Noted exceptions: Machines with operating systems other than those based on
Microsoft products are excepted at the current time.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action,
up to and including termination of employment.
5.0 Revision History
Employee Internet Use Monitoring and Filtering Policy
1.0 Purpose
The purpose of this policy is to define standards for systems that monitor and limit web
use from any host within 's network. These standards are designed to
ensure employees use the Internet in a safe and responsible manner, and ensure that
employee web use can be monitored or researched during an incident.
2.0 Scope
This policy applies to all employees, contractors, vendors and agents with a -owned or personally-owned computer or workstation connected to the network. This policy applies to all end user initiated communications between s network and the Internet, including web browsing, instant messaging, file transfer, file sharing, and other standard and proprietary protocols. Server to Server communications, such as SMTP traffic, backups, automated data transfers or database communications are excluded from this policy.
4.0 Policy
3.1 Web Site Monitoring
The Information Technology Department shall monitor Internet use from all computers
and devices connected to the corporate network. For all traffic the monitoring system
must record the source IP Address, the date, the time, the protocol, and the destination
site or server. Where possible, the system should record the User ID of the person or
account initiating the traffic. Internet Use records must be preserved for 180 days.
3.2 Access to Web Site Monitoring Reports
General trending and activity reports will be made available to any employee as needed
upon request to the Information Technology Department. Computer Security Incident
Response Team (CSIRT) members may access all reports and data if necessary to
respond to a security incident. Internet Use reports that identify specific users, sites,
teams, or devices will only be made available to associates outside the CSIRT upon
written or email request to Information Systems from a Human Resources
Representative.
3.3 Internet Use Filtering System
The Information Technology Department shall block access to Internet websites and
protocols that are deemed inappropriate for s corporate
environment. The following protocols and categories of websites should be blocked:
Adult/ Forbidden Explicit Material
Advertisements & Pop-Ups
Chat and Instant Messaging
Gambling
Hacking
Illegal Drugs
Intimate Apparel and Swimwear
Peer to Peer File Sharing
Personals and Dating
Social Network Services
SPAM, Phishing and Fraud
Spyware
Tasteless and Offensive Content
Violence, Intolerance and Hate
Web Based Email
3.4 Internet Use Filtering Rule Changes
The Information Technology Department shall periodically review and recommend
changes to web and protocol filtering rules. Human Resources shall review these
recommendations and decide if any changes are to be made. Changes to web and
protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering
Policy.
3.5 Internet Use Filtering Exceptions
If a site is mis-categorized, employees may request the site be un-blocked by submitting a ticket to the Information Technology help desk. An IT employee will review the request and un-block the site if it is mis-categorized.
Employees may access blocked sites with permission if appropriate and necessary for
business purposes. If an employee needs access to a site that is blocked and
appropriately categorized, they must submit a request to their Human Resources
representative. HR will present all approved exception requests to Information
Technology in writing or by email. Information Technology will unblock that site or
category for that associate only. Information Technology will track approved
exceptions and report on them upon request.
5.0 Enforcement
The IT Security Officer will periodically review Internet use monitoring and filtering
systems and processes to ensure they are in compliance with this policy. Any employee
found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
6.0 Definitions
Internet Filtering: Using technology that monitors each instance of communication between devices on the corporate network and the Internet and blocks traffic that matches specific rules.
User ID: User Name or other identifier used when an associate logs into the corporate network.
IP Address: Unique network address assigned to each device to allow it to communicate with other devices on the network or Internet.
SMTP: Simple Mail Transfer Protocol. The Internet Protocol that facilitates the exchange of mail messages between Internet mail servers.
Peer to Peer File Sharing: Services or protocols such as BitTorrent and Kazaa that allow Internet connected hosts to make files available to or download files from other hosts.
Social Networking Services: Internet sites such as Myspace and Facebook that allow users to post content, chat, and interact in online communities.
SPAM: Unsolicited Internet Email. SPAM sites are websites linked to from unsolicited Internet mail messages.
Phishing: Attempting to fraudulently acquire sensitive information by masquerading as a trusted entity in an electronic communication.
Hacking: Sites that provide content about breaking or subverting computer security controls.
7.0 Revision History
11/23/2007 Draft Completed, Kevin Bong