3. security policies and infrastructure

Upload: aasimfiroz

Post on 05-Apr-2018


7/31/2019 3. Security Policies and Infrastructure

HIGHER COLLEGE OF TECHNOLOGY Department of Information Technology

Chapter 3

Security Policies and Infrastructure

Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.

Significance

If it is important to be secure, then it is important to be sure all of the security policy is enforced by mechanisms that are strong enough. There are organized methodologies and risk assessment strategies to assure completeness of security policies and assure that they are completely enforced. In complex systems, such as information systems, policies can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce sub-policies. However, this practice has pitfalls. It is too easy to simply go directly to the sub-policies, which are essentially the rules of operation, and dispense with the top-level policy. That gives the false sense that the rules of operation address some overall definition of security when they do not. Because it is so difficult to think clearly with completeness about security, rules of operation stated as "sub-policies" with no "super-policy" usually turn out to be rambling ad-hoc rules that fail to enforce anything with completeness. Consequently, a top-level security policy is essential to any serious security scheme, and sub-policies and rules of operation are meaningless without it.

ITNT 3112 Network Security and Auditing

Page 1


What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. So that those who participate in this consensus process can communicate effectively, we'll use the following definitions.

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.

Standards support consistency within a network. For example, a standard might specify a limited number of operating systems to be supported in the organization, because it would be impractical for the IT staff to support any operating system that a user happened to select. Also, standards could apply to configuring devices, such as routers (for example, having a standard routing protocol).

A guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization. Whereas standards tend to be mandatory practices, guidelines tend to be suggestions. For example, a series of best practices might constitute a security policy's guidelines.

Procedures

To support consistency in the network, and as dictated by the previously mentioned standards, a security policy might include a collection of procedures. These procedures are very detailed documents providing step-by-step instructions for completing specific tasks (such as the steps for configuring port security on a Cisco Catalyst switch).

Constructing a Comprehensive Network Security Policy

One of the main reasons security breaches occur within an organization is the lack of a security policy or, if a security policy is in place, the lack of effectively communicating that security policy to all concerned. This section discusses the purpose of a security policy, what should be addressed in that policy, how to maximize its effectiveness, and how to create awareness and understanding of the policy.

Security Policy Fundamentals

A security policy is a continually changing document that dictates a set of guidelines for network use. These guidelines complement organizational objectives by specifying rules for how a network is used.

The main purpose of a security policy is to protect an organization's assets. An organization's assets include more than just tangible items. Assets also entail such things as intellectual property, processes and procedures, sensitive customer data, and specific server functions (for example, e-mail or web functions). Aside from protecting organizational assets, a security policy serves other purposes, such as the following:

• Making employees aware of their obligations as far as security practices are concerned
• Identifying specific security solutions required to meet the goals of the security policy
• Acting as a baseline for ongoing security monitoring

One of the more well-known components of a security policy is an acceptable use policy (AUP), also known as an appropriate use policy. An AUP identifies what users of a network are and are not allowed to do on the network. For example, retrieving sports scores during working hours via an organization's Internet connection might be deemed inappropriate by an AUP.

Because an organization's security policy applies to various categories of employees (such as management, technical staff, and end users), a single document might be insufficient. For example, managerial personnel might not be concerned with the technical intricacies of a security policy. Technical personnel might be less concerned with why a policy is in place. End users might be more likely to comply with the policy if they understand the reasoning behind the rules. Therefore, a security policy might be a collection of congruent, yet separate, documents.

Security Policy Components

As previously mentioned, an organization's security policy typically is composed of multiple documents, each targeting a specific audience. The figure below offers a high-level overview of these complementary documents.

Figure - Components of a Security Policy

Governing Policy

At a very high level, a governing policy addresses security concepts deemed important to an organization. The governing policy is primarily targeted at managerial and technical employees. Following are typical elements of a governing policy:

• Identifying the issue addressed by the policy
• Discussing the organization's view of the issue
• Examining the relevance of the policy to the work environment
• Explaining how employees are to comply with the policy
• Enumerating appropriate activities, actions, and processes
• Explaining the consequences of noncompliance

Technical Policies

Technical policies provide a more detailed treatment of an organization's security policy, as opposed to the governing policy. Security and IT personnel are the intended targets of these technical policies, and these personnel use these policies in performing their day-to-day tasks. Typical components of technical policies include specific duties of the security and IT staff in areas such as the following:

• E-mail
• Wireless networks
• Remote access

End-User Policies

End-user policies address security issues and procedures relevant to end users. For example, an end user might be asked to sign an acceptable use policy (AUP) for Internet access. That AUP might state that Internet access is only for business purposes. Then, if an end user is found using the Internet for personal reasons, he or she could face the consequences outlined in the governing policy.

More-Detailed Documents

Because the governing policy, technical policies, and end-user policies each target a relatively large population of personnel, they tend to be general in nature. However, a comprehensive security policy requires a highly granular treatment of an organization's procedures. Therefore, more-detailed documents, such as the following, are often contained in a security policy:

Security Policy Responsibilities

The ultimate responsibility for an organization's security policy rests on the shoulders of senior management (for example, the Chief Executive Officer [CEO]). However, senior management typically oversees the development of a security policy, as opposed to being intimately involved with the policy's creation.

Senior security or IT personnel usually are directly involved with the creation of the security policy. These individuals might create the policy themselves or delegate its creation. Examples of senior security or IT personnel include:

• Chief Security Officer (CSO)
• Chief Information Officer (CIO)
• Chief Information Security Officer (CISO)

As soon as a security policy is created, the security and IT staff are responsible for implementing it within the organization's network. End users are responsible for complying with the security policy.

Monitoring the Security Infrastructure

Introduction

It's not enough to just keep a security structure in place; you need to be watching your security walls so that you can guard against attacks from within or from the outside. In this topic, you will learn to monitor your security infrastructure so that you can detect and respond to possible security breaches.

Scan for Vulnerabilities

Monitoring your security infrastructure is an ongoing job responsibility for a security professional. You will need to perform a variety of tasks on a regular basis to ensure that your security is not breached. One of these regular tasks is to periodically review your system vulnerabilities, so that you can detect them before attackers do. Many times, one of the first steps an attacker takes to break into a system is to scan the system for vulnerabilities. It is critical to discover where the possible points of entry are on your network and systems. Even if you have taken every precaution to harden your network components and services, there will still be vulnerabilities that you may not be aware of, but that you can be sure attackers will find. The best way to find these vulnerabilities is to perform a scan yourself and patch the holes before the attackers find them.

Ethical Hacking

Definition: An ethical hack is a planned attempt to penetrate the security defenses of a system in order to identify vulnerabilities. In an ethical hack, a white-hat hacker assumes the mind-set of an attacker and attempts to breach security using any and all tools and techniques an attacker might employ. Organizations often undertake an ethical hack as the only way to truly reveal flaws in a system's defenses.

The Hacking Process

Understanding the general steps of the hacking process will help you recognize attacks in progress and stop them before they cause damage.

Hacking Steps and Descriptions

Footprinting

In footprinting, or profiling, the attacker chooses a target and begins to gather information that is publicly or readily available. With basic tools, such as a web browser and an Internet connection, an attacker can often determine the IP addresses of a company's DNS server; the range of addresses assigned to the company; names, email addresses, and phone numbers of contacts within the company; and the company's physical address. Attackers use dumpster diving, or searching through garbage, to find sensitive information in paper form. The names and titles of people within the organization enable the attacker to begin social engineering to gain even more private information. The HTML code of a company's web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators. DNS servers are a common footprinting target because, if not properly secured, they can provide a detailed map of an organization's entire network infrastructure.

Scanning

The second step is scanning an organization's infrastructure to see where vulnerabilities might lie. In this step, the attacker may perform a ping sweep to determine which host IP addresses in the company's IP address range are active. The attacker will scan the target's border routers, firewalls, web servers, and other systems that are directly connected to the Internet to see which services are listening on which ports and to determine the operating systems and manufacturers of each system. Additionally, the attacker might begin a wardialing campaign to determine if there are any vulnerabilities in the organization's PBX. The attacker might even try wardriving: driving up to the company with a laptop and a wireless card to see if there are any wireless access points to provide a way into the network.

Enumerating

During enumerating, the attacker will try to gain access to resources or other information. The attacker can obtain these through social engineering, network sniffing, dumpster diving, watching a user log in, hacking with tools like Legion, or searching for credentials written down at user workstations. If the attacker can obtain a valid user name, he can begin the process of cracking the user's password.

Attacking

Attacking is the last phase of the hack, in which the hacker acts openly to cause damage or service disruption, or to steal or destroy sensitive information.

Security Utilities

Any security or network tool can be used for ethical or unethical purposes. To perform an ethical hack, you will need to make use of the same tools employed by attackers. Some tools are generally available by downloading them from the Internet, and some must be purchased from vendors. Because tools and utilities are constantly changing, it is important to continually research the available tools and their functions. There are many different tools available for different security tasks, and some have multiple uses.

Utility Type: Typical Tools
Vulnerability scanning: MBSA, Nessus, SAINT, ISS Internet Scanner, NMap, Security Analyzer, LANGuard, Cybercop, Strobe
Port scanning: Microsoft Port Reporter, Superscan, ShieldsUP, NMap, Netcat, Pinger
Password scanning and cracking: Crack, John the Ripper, Pandora, L0phtcrack, Snadboy's Revelation, Pwdump
Exploits, Trojan horses, and other stress testers: UDPFlood, Smbrelay, Netbus, SubSeven, GetAdmin
Network monitors, sniffers and tracers: Microsoft Network Monitor, Ethereal, TCPDump, WinDump, WinPcap, Visual Route, NeoTrace
Network and security administration: Webmin, Tripwire, Bastille, PuTTY, HiSecWeb, IIS Lockdown

Types of Vulnerability Scans

A vulnerability scan is one of the first steps in either an attack or an ethical hack. There are two main types of vulnerability scans: scans for general vulnerabilities, such as scans for open ports, and application-specific scans, such as a password crack against a particular operating system. You will use different scanning tools depending upon the type of scan you wish to run.

Note: There are a variety of specialized web-based scanning services, such as Shields Up! from Gibson Research Corporation (www.grc.com). You can also consider registering with security event aggregators, such as www.dshield.org or www.mynetwatchman.com. They will also analyze your firewall logs and act as a fully automated abuse escalation/management system.

There are many different scanning tools available.

Scan Type: Typical Tools Used
General vulnerabilities: MBSA, Nessus, SAINT, ISS Internet Scanner, NMap, Security Analyzer, LANGuard, Cybercop
Man-in-the-middle vulnerabilities: Smbrelay
Port vulnerabilities: Microsoft Port Reporter, Superscan, ShieldsUP!, NMap, Netcat
Password vulnerabilities: John the Ripper, Pandora, L0phtcrack

Port Ranges

TCP and UDP ports are assigned in one of three ranges.

• Well-known ports, from 0 to 1,023, are preassigned and used consistently by all systems on the Internet.
• Registered ports, from 1,024 to 49,151, are available to assign to individual protocols and processes.
• Dynamic or private ports, from 49,152 to 65,535, are assigned by operating systems on an as-needed basis.

Hackers will target commonly used, well-known ports for attack, but may scan for open registered or dynamic ports as well.

IANA

IANA, the Internet Assigned Numbers Authority, manages the registration of well-known ports, and also lists registered ports as a convenience. For a complete list of TCP and UDP ports, see the IANA website at www.iana.org/assignments/portnumbers.

Vulnerable Ports

Some port numbers are particularly vulnerable to attackers.

How to Scan for Vulnerabilities

1. Install scanning software that is appropriate for the type of scan you want to perform.
2. Scan your system with the parameters that are appropriate for your environment.
3. If possible, scan your system from an external network as well, by using a web-based scanning tool.
4. Manually review your system audit logs as well as any logs created by the scanning program.
5. If possible, install a tool to automate the process of reviewing and analyzing audit logs.
6. If vulnerabilities are found, revisit your hardening procedures to harden your operating systems and devices.
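The port ranges above and steps 4 and 5 of the procedure (reviewing audit logs, then automating that review) can be exercised together. The following is an added example, not part of the course notes: it parses a few constructed iptables-style firewall DROP lines (the log format, hostnames and addresses are assumptions, using RFC 5737 documentation ranges), classifies each probed destination port into the three IANA ranges, and flags any source that hits many distinct ports within a short window, which is the trace that the scanning stage described earlier leaves in a firewall log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the course notes): iptables-style DROP lines as a
# Linux firewall might log them. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Jul 31 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=22
Jul 31 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41235 DPT=23
Jul 31 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41236 DPT=80
Jul 31 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41237 DPT=443
Jul 31 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41238 DPT=3389
Jul 31 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41239 DPT=8080
Jul 31 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=41240 DPT=161
Jul 31 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41241 DPT=49152
Jul 31 10:05:00 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jul 31 10:05:30 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
"""

# The three IANA ranges exactly as the notes give them.
PORT_RANGES = ((0, 1023, "well-known"), (1024, 49151, "registered"), (49152, 65535, "dynamic"))


def port_range(port):
    """Name the IANA range a TCP/UDP port number falls in."""
    for low, high, name in PORT_RANGES:
        if low <= port <= high:
            return name
    raise ValueError(f"not a valid port number: {port}")


LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Pull timestamp, source address, protocol and destination port out of one log line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog lines carry no year
        "src": m["src"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def detect_sweeps(lines, min_ports=5, window=timedelta(seconds=60)):
    """Return {source: sorted distinct ports} for every source that probed at least
    `min_ports` distinct destination ports within some `window`-long interval."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            by_src[event["src"]].append((event["ts"], event["dpt"]))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {dpt for ts, dpt in events[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                findings[src] = sorted(ports)
                break
    return findings


def summarize_by_range(ports):
    """Count how many of the probed ports fall in each IANA range."""
    counts = {name: 0 for _, _, name in PORT_RANGES}
    for port in ports:
        counts[port_range(port)] += 1
    return counts


if __name__ == "__main__":
    for src, ports in detect_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {len(ports)} distinct ports: {ports}")
        print("  by range:", summarize_by_range(ports))
```

The thresholds (5 distinct ports within 60 seconds) are assumptions chosen for the sample and should be tuned to the environment. The range summary is triage context: a burst across well-known ports matches the scanning stage described in the notes, while the second source, which only repeats one port, does not trip the rule.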

Intrusion Detection Systems (IDSs)

An Intrusion Detection System (IDS) is a system that scans, audits, and monitors the security infrastructure for signs of attacks in progress. IDS software can also analyze data and alert security administrators to potential infrastructure problems. An IDS can comprise a variety of hardware sensors, intrusion detection software, and IDS management software. Each implementation is unique, depending on the security needs and the components chosen.

Some Security Policies and Templates for Different Types of Security Policies

< Company Name >

Password Policy

1.0 Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of < Company Name >'s resources. All users, including contractors and vendors with access to systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any facility, has access to the network, or stores any non-public information.

4.0 Policy

4.1 General

• All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.
• All production system-level passwords must be part of the InfoSec administered global password management database.

• All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months.
• User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
• Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
• All user-level and system-level passwords must conform to the guidelines described below.
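The SNMP rule above is one of the few items in 4.1 that can be checked mechanically against a device configuration. The following is an added example, not part of the course notes or the template: it scans constructed snmpd.conf-style `rocommunity`/`rwcommunity` lines (the file contents, community strings and login password are all made up) for the default strings the policy names and for community strings that reuse an interactive login password, and shows the corrected configuration beside the weak one.

```python
import re

# Constructed snmpd.conf excerpt (not from the notes): two default community
# strings and one that reuses a login password, followed by one acceptable entry.
WEAK_SNMP_CONF = """\
rocommunity public
rwcommunity private
rocommunity Winter2019!
rocommunity x7Gk-qwm2-Lp9s-Vt4e
"""

# Constructed corrected version of the same file: unique community strings, each
# restricted to a management source (the source restriction is extra hardening, not a policy rule).
FIXED_SNMP_CONF = """\
rocommunity x7Gk-qwm2-Lp9s-Vt4e 192.0.2.0/24
rwcommunity Hn3v-Rq8d-Zc5y-Bw2m 192.0.2.50
"""

# The defaults the policy names explicitly.
DEFAULT_COMMUNITIES = {"public", "private", "system"}

# net-snmp syntax: rocommunity|rwcommunity COMMUNITY [SOURCE] [OID]
COMMUNITY_RE = re.compile(r"^\s*(rocommunity|rwcommunity)\s+(\S+)")


def audit_snmp_config(conf_text, login_passwords):
    """Return (line_no, community, reason) for each community string that breaks the policy:
    a vendor default, or a string identical to a password used for interactive login."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = COMMUNITY_RE.match(line)
        if m is None:
            continue
        community = m.group(2)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, community, "default community string"))
        elif community in login_passwords:
            findings.append((line_no, community, "same as an interactive login password"))
    return findings


if __name__ == "__main__":
    # Constructed: the interactive login passwords the community strings must differ from.
    logins = {"Winter2019!"}
    for conf in (WEAK_SNMP_CONF, FIXED_SNMP_CONF):
        print(audit_snmp_config(conf, logins) or "no findings")
```

The check reads community strings in clear text because that is how snmpd.conf stores them; the comparison against login passwords is meant for a controlled audit run, not for keeping a plaintext list of login passwords on disk.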

4.2 Guidelines

A. General Password Construction Guidelines

All users at < Company Name > should be aware of how to select strong passwords. Strong passwords have the following characteristics:

• Contain at least three of the five following character classes:
  - Lower case characters
  - Upper case characters
  - Numbers
  - Punctuation
  - Special characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'/ etc)
• Contain at least fifteen alphanumeric characters.

Weak passwords have the following characteristics:

• The password contains less than fifteen characters
• The password is a word found in a dictionary (English or foreign)
• The password is a common usage word such as:
  - Names of family, pets, friends, co-workers, fantasy characters, etc.
  - Computer terms and names, commands, sites, companies, hardware, software.
  - The words "< Company Name >", "sanjose", "sanfran" or any derivation.
  - Birthdays and other personal information such as addresses and phone numbers.
  - Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
• Any of the above spelled backwards.
• Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
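The construction rules above can be turned into a check that an administrator, or an application at account-creation time, runs before accepting a password. The following is an added example, not part of the course notes or the template. The word list is a constructed stand-in for a real dictionary, and the split of symbols between "punctuation" and "special characters" is an assumption, since the template does not define it.

```python
import string

MIN_LENGTH = 15  # the template's "at least fifteen characters"

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
# Assumption: the template lists "punctuation" and "special characters" as separate
# classes without defining them; this split is ours, not the template's.
PUNCTUATION = set(".,;:!?'\"")
SPECIAL = set(string.punctuation) - PUNCTUATION

# Constructed stand-in for a real dictionary plus the template's "common usage words".
COMMON_WORDS = {
    "password", "secret", "welcome", "dragon", "summer",
    "sanjose", "sanfran", "admin", "cisco", "windows",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def character_classes(pw):
    """Return the set of character classes present in the password."""
    present = set()
    for ch in pw:
        if ch in LOWER:
            present.add("lower")
        elif ch in UPPER:
            present.add("upper")
        elif ch in DIGITS:
            present.add("digit")
        elif ch in PUNCTUATION:
            present.add("punctuation")
        elif ch in SPECIAL:
            present.add("special")
    return present


def _candidates(pw):
    """Variants the template still calls weak: spelled backwards, and with one
    leading or trailing digit removed (secret1, 1secret)."""
    base = pw.lower()
    forms = {base, base[::-1]}
    for form in list(forms):
        if form[:1].isdigit():
            forms.add(form[1:])
        if form[-1:].isdigit():
            forms.add(form[:-1])
    return forms


def is_dictionary_word(pw, words=COMMON_WORDS):
    return any(form in words for form in _candidates(pw))


def has_trivial_pattern(pw, run=3):
    """Detect repeated characters (aaa), consecutive runs (abc, 321) and keyboard rows (qwe)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in low or piece[::-1] in low:
                return True
    return False


def check_password(pw):
    """Return the list of template rules the password violates; empty means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 15 characters")
    if len(character_classes(pw)) < 3:
        problems.append("fewer than three character classes")
    if is_dictionary_word(pw):
        problems.append("dictionary or common word (possibly reversed or with a digit)")
    if has_trivial_pattern(pw):
        problems.append("keyboard or repeating pattern")
    return problems


if __name__ == "__main__":
    # Constructed samples, none of them real passwords.
    for sample in ("Secret1", "Qwerty123456789!", "Coffee&Rain.Lamp42Vx"):
        print(f"{sample!r}: {check_password(sample) or 'acceptable'}")
```

check_password returns every violated rule at once so a user can be told all of them in one go. An empty list means the password passes the rules in 4.2 A that can be checked mechanically; the personal-information rules (birthdays, names of family or pets) need data the checker does not have and still rely on the user.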

Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R!" or "Tmb1W>r~" or some other variation.

(NOTE: Do not use either of these examples as passwords!)

B. Password Protection Standards

• Always use different passwords for < Company Name > accounts from other non-< Company Name > access (e.g., personal ISP account, option trading, benefits, etc.).
• Always use different passwords for various access needs whenever possible. For example, select one password for systems that use directory services (i.e. LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.
• Do not share passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential information.
• Passwords should never be written down or stored on-line without encryption.
• Do not reveal a password in email, chat, or other electronic communication.
• Do not speak about a password in front of others.
• Do not hint at the format of a password (e.g., "my family name").
• Do not reveal a password on questionnaires or security forms.
• If someone demands a password, refer them to this document and direct them to the Information Security Department.
• Always decline the use of the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger).
• If an account or password compromise is suspected, report the incident to the Information Security Department.

C. Application Development Standards

Application developers must ensure their programs contain the following security precautions.

• Shall support authentication of individual users, not groups.
• Shall not store passwords in clear text or in any easily reversible form.
• Shall provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
• Shall support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.

D. Use of Passwords and Passphrases for Remote Access Users

Access to the < Company Name > Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

E. Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."

A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:

"The*?#>*@TrafficOnThe101Was*!#ThisMorning"

All of the rules above that apply to passwords apply to passphrases.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Password cracking or guessing may be performed on a periodic or random basis by the Information Security Department or its delegates. If a password is guessed or cracked during these exercises, the user/owner will be required to change it.

6.0 Terms and Definitions

Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).

7.0 Revision History

Author - Date

    < Company Name >

    Audit Vulnerability Scan Policy

    1.0 Purpose

    The purpose of this agreement is to set forth our agreement regarding network security

    scanning offered by the to the .

    shall utilize to

    perform electronic scans of Clients networks and/or firewalls or on any system at.

    Audits may be conducted to:

    Ensure integrity, confidentiality and availability of information and resources

    Investigate possible security incidents ensure conformance to security policies

    Monitor user or system activity where appropriate.

    2.0 Scope

    This policy covers all computer and communication devices owned or operated by

    . This policy also covers any computer and communications device

    that are present on premises, but which may not be owned or

    operated by . The will not

    perform Denial of Service activities.

    3.0 Policy

    When requested, and for the purpose of performing an audit, consent to access needed

    will be provided to members of . hereby provides its consent to allow of to

    ITNT 3112 Network Security and Auditing

    Page 19

  • 7/31/2019 3. Security Policies and Infrastructure

    20/34

    HIGHER COLLEGE OF TECHNOLOGY Department of Information Technology

    access its networks and/or firewalls to the extent necessary to allow [Audit

    organization] to perform the scans authorized in this agreement.

    shall provide protocols, addressing information, and network connections sufficient for

    to utilize the software to perform network scanning.

    This access may include:

    o User level and/or system level access to any computing or communications device
    o Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on equipment or premises
    o Access to work areas (labs, offices, cubicles, storage areas, etc.)
    o Access to interactively monitor and log traffic on networks.

    3.1 Network Control.

    If Client does not control their network and/or Internet service is provided via a second or third party, these parties are required to approve scanning in writing if scanning is to occur outside of the LAN. By signing this agreement, all involved parties acknowledge that they authorize of to use their service networks as a gateway for the conduct of these tests during the dates and times specified.

    3.2 Service Degradation and/or Interruption.

    Network performance and/or availability may be affected by the network scanning. releases of any and all liability for damages that may arise from network availability restrictions caused by the network scanning, unless such damages are the result s gross negligence or intentional misconduct.


    3.3 Client Point of Contact During the Scanning Period.

    shall identify in writing a person to be available if the result Scanning Team has questions regarding data discovered or requires assistance.

    3.4 Scanning Period.

    and Scanning Team shall identify in writing the allowable dates for the scan to take place.

    4.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

    5.0 Revision History

    29 September 2003, updated to include National Association of State Auditors, Comptrollers, and Treasurers; the National Association of Local Government Auditors; the U.S. General Accounting Office; and U.S. Inspectors General Legal and Reporting Considerations.


    Email Use Policy

    1.0 Purpose

    To prevent tarnishing the public image of . When email goes out from the general public will tend to view that message as an official policy statement from the .

    2.0 Scope

    This policy covers appropriate use of any email sent from a email address and applies to all employees, vendors, and agents operating on behalf of .

    3.0 Policy

    3.1 Prohibited Use.

    The email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any employee should report the matter to their supervisor immediately.

    3.2 Personal Use.

    Using a reasonable amount of resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a email account is prohibited. Virus or other malware warnings and mass mailings from shall be approved by VP Operations


    before sending. These restrictions also apply to the forwarding of mail received by a employee.

    3.3 Monitoring

    employees shall have no expectation of privacy in anything they store, send or receive on the company's email system. may monitor messages without prior notice. is not obliged to monitor email messages.

    4.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

    5.0 Definitions

    Term - Definition

    Email - The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.

    Forwarded email - Email resent from an internal network to an outside point.

    Chain email or letter - Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.

    Sensitive information - Information is considered sensitive if it can be damaging to or its customers' reputation or market standing.

    Virus warning - Email containing warnings about virus or malware. The overwhelming majority of these emails turn out to be a hoax and contain bogus information usually intent only on frightening or misleading users.

    Unauthorized Disclosure - The intentional or unintentional revealing of restricted information to people, both inside and outside , who do not have a need to know that information.

    6.0 Revision History


    Router Security Policy

    1.0 Purpose

    This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of .

    2.0 Scope

    All routers and switches connected to production networks are affected. Routers and switches within internal, secured labs are not affected. Routers and switches within DMZ areas fall under the Internet DMZ Equipment Policy.

    3.0 Policy

    Every router must meet the following configuration standards:

    1. No local user accounts are configured on the router. Routers must use TACACS+ for all user authentication.
    2. The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router's support organization.
    3. Disallow the following:
       a. IP directed broadcasts
       b. Incoming packets at the router sourced with invalid addresses such as RFC1918 addresses
       c. TCP small services
       d. UDP small services
       e. All source routing
       f. All web services running on router


    4. Use corporate standardized SNMP community strings.
    5. Access rules are to be added as business needs arise.
    6. The router must be included in the corporate enterprise management system with a designated point of contact.
    7. Each router must have the following statement posted in clear view:
       "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
    8. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.
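    The configuration standard above, turned into an added compliance check that is not part of the policy text or of any vendor tool: a Python audit of an IOS-style running configuration against items 3.0.1 through 3.0.8, with a constructed weak configuration beside a constructed hardened one. The IOS command spellings, both sample configurations and the corporate-standard SNMP community name are assumptions.

```python
# Added example (not from the policy text): audit an IOS-style running config
# against Router Security Policy 3.0. The command spellings, the two sample
# configs and the corporate SNMP community name are constructed assumptions.
STANDARD_SNMP_COMMUNITIES = {"corp-ro-standard"}            # 3.0.4
RFC1918_WILDCARD = ("10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255",
                    "192.168.0.0 0.0.255.255")               # IOS wildcard masks
REQUIRED_NO = {"no service tcp-small-servers": "3.0.3c TCP small services",
               "no service udp-small-servers": "3.0.3d UDP small services",
               "no ip source-route": "3.0.3e source routing",
               "no ip http server": "3.0.3f web services"}

def check_router_config(config):
    """Return the policy items the config fails; an empty list means compliant."""
    # Drop blanks and '!' comments; strip indentation so block bodies are checked too.
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    f = []
    if any(l.startswith("username ") for l in lines):
        f.append("3.0.1 local user accounts configured")
    if not any(l.startswith("aaa authentication login") and "tacacs+" in l for l in lines):
        f.append("3.0.1 TACACS+ login authentication missing")
    # 3.0.2: 'enable secret' is stored hashed; 'enable password' is plain or reversible.
    if (any(l.startswith("enable password") for l in lines)
            or not any(l.startswith("enable secret") for l in lines)):
        f.append("3.0.2 enable password not kept in encrypted form")
    if "ip directed-broadcast" in lines:  # exact match: 'no ip directed-broadcast' passes
        f.append("3.0.3a directed broadcasts enabled on an interface")
    for net in RFC1918_WILDCARD:  # 3.0.3b: an ingress ACL must deny RFC1918 sources
        if not any(f"deny ip {net} any" in l for l in lines):
            f.append(f"3.0.3b no ingress deny for {net.split()[0]}")
    for cmd, item in REQUIRED_NO.items():
        if cmd not in lines:
            f.append(f"{item} not disabled")
    for l in lines:
        if l.startswith("snmp-server community") and l.split()[2] not in STANDARD_SNMP_COMMUNITIES:
            f.append(f"3.0.4 non-standard SNMP community {l.split()[2]}")
    if (not any(l.startswith("banner motd") for l in lines)
            or "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE" not in config.upper()):
        f.append("3.0.7 required warning banner missing")
    transport = [l for l in lines if l.startswith("transport input")]  # 3.0.8
    if not transport or any(t != "transport input ssh" for t in transport):
        f.append("3.0.8 vty lines permit non-SSH (e.g. Telnet) management")
    return f

WEAK_CONFIG = """\
enable password cisco123
username admin privilege 15 password 0 admin
snmp-server community public RO
interface GigabitEthernet0/0
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
enable secret 5 $1$constructed$placeholderhash
aaa authentication login default group tacacs+
snmp-server community corp-ro-standard RO
banner motd ^CUNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.^C
ip access-list extended INGRESS
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
interface GigabitEthernet0/0
 no ip directed-broadcast
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_router_config(cfg) or ["compliant"])
```

    The checker requires the explicit "no ..." form for items 3.0.3c to 3.0.3f rather than relying on platform defaults, so a config that never mentions a service is reported as non-compliant for it.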

    4.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

    5.0 Definitions

    Terms - Definitions

    Production Network - The "production network" is the network used in the daily business of . Any network connected to the corporate backbone, either directly or indirectly, which lacks an intervening firewall device. Any network whose impairment would result in direct loss of functionality to employees or impact their ability to do work.

    Lab Network - A "lab network" is defined as any network used for the purposes of testing, demonstrations, training, etc. Any network that is stand-alone or firewalled off from the production network(s) and whose impairment will not cause direct loss to nor affect the production network.

    6.0 Revision History

    2007-04-18 - Added 3.0.8 Telnet


    Server Security Policy

    1.0 Purpose

    The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by . Effective implementation of this policy will minimize unauthorized access to proprietary information and technology.

    2.0 Scope

    This policy applies to server equipment owned and/or operated by , and to servers registered under any -owned internal network domain. This policy is specifically for equipment on the internal network. For secure configuration of equipment external to on the DMZ, refer to the Internet DMZ Equipment Policy.

    3.0 Policy

    3.1 Ownership and Responsibilities

    All internal servers deployed at must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by InfoSec. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by InfoSec.


    Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:

    o Server contact(s) and location, and a backup contact
    o Hardware and Operating System/Version
    o Main functions and applications, if applicable

    Information in the corporate enterprise management system must be kept up-to-date.

    Configuration changes for production servers must follow the appropriate change management procedures.

    3.2 General Configuration Guidelines

    Operating System configuration should be in accordance with approved InfoSec guidelines.

    Services and applications that will not be used must be disabled where practical.

    Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.

    The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.

    Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do.

    Always use standard security principles of least required access to perform a function.

    Do not use root when a non-privileged account will do.

    If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).

    Servers should be physically located in an access-controlled environment.


    Servers are specifically prohibited from operating from uncontrolled cubicle areas.

    3.3 Monitoring

    All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

    o All security related logs will be kept online for a minimum of 1 week.
    o Daily incremental tape backups will be retained for at least 1 month.
    o Weekly full tape backups of logs will be retained for at least 1 month.
    o Monthly full backups will be retained for a minimum of 2 years.

    Security-related events will be reported to InfoSec, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

    o Port-scan attacks
    o Evidence of unauthorized access to privileged accounts
    o Anomalous occurrences that are not related to specific applications on the host.

    3.4 Compliance

    Audits will be performed on a regular basis by authorized organizations within .

    Audits will be managed by the internal audit group or InfoSec, in accordance with the Audit Policy. InfoSec will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification.

    Every effort will be made to prevent audits from causing operational failures or disruptions.

    4.0 Enforcement


    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

    5.0 Definitions

    Term - Definition

    DMZ - De-militarized Zone. A network segment external to the corporate production network.

    Server - For purposes of this policy, a Server is defined as an internal Server. Desktop machines and Lab equipment are not relevant to the scope of this policy.

    6.0 Revision History

    Lab Anti-Virus Policy

    1.0 Purpose

    To establish requirements which must be met by all computers connected to lab networks to ensure effective virus detection and prevention.

    2.0 Scope

    This policy applies to all lab computers that are PC-based or utilize PC-file directory sharing. This includes, but is not limited to, desktop computers, laptop computers, file/ftp/tftp/proxy servers, and any PC based lab equipment such as traffic generators.

    3.0 Policy

    All PC-based lab computers must have 's standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Lab Admins/Lab Managers are responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are


    verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into 's networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy.

    Refer to 's Anti-Virus Recommended Processes to help prevent virus problems.

    Noted exceptions: Machines with operating systems other than those based on Microsoft products are excepted at the current time.

    4.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

    5.0 Revision History

    Employee Internet Use Monitoring and Filtering Policy

    1.0 Purpose

    The purpose of this policy is to define standards for systems that monitor and limit web use from any host within 's network. These standards are designed to ensure employees use the Internet in a safe and responsible manner, and ensure that employee web use can be monitored or researched during an incident.

    2.0 Scope

    This policy applies to all employees, contractors, vendors and agents with a -owned or personally-owned computer or workstation connected to the network. This policy applies to all end user initiated communications between s network and the Internet, including web browsing, instant messaging, file transfer, file sharing, and other


    standard and proprietary protocols. Server to Server communications, such as SMTP traffic, backups, automated data transfers or database communications are excluded from this policy.

    3.0 Policy

    3.1 Web Site Monitoring

    The Information Technology Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP Address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet Use records must be preserved for 180 days.

    3.2 Access to Web Site Monitoring Reports

    General trending and activity reports will be made available to any employee as needed upon request to the Information Technology Department. Computer Security Incident Response Team (CSIRT) members may access all reports and data if necessary to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the CSIRT upon written or email request to Information Systems from a Human Resources Representative.

    3.3 Internet Use Filtering System

    The Information Technology Department shall block access to Internet websites and protocols that are deemed inappropriate for s corporate environment. The following protocols and categories of websites should be blocked:

    o Adult/Forbidden Explicit Material
    o Advertisements & Pop-Ups
    o Chat and Instant Messaging
    o Gambling
    o Hacking
    o Illegal Drugs
    o Intimate Apparel and Swimwear


    o Peer to Peer File Sharing
    o Personals and Dating
    o Social Network Services
    o SPAM, Phishing and Fraud
    o Spyware
    o Tasteless and Offensive Content
    o Violence, Intolerance and Hate
    o Web Based Email

    3.4 Internet Use Filtering Rule Changes

    The Information Technology Department shall periodically review and recommend changes to web and protocol filtering rules. Human Resources shall review these recommendations and decide if any changes are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering Policy.

    3.5 Internet Use Filtering Exceptions

    If a site is mis-categorized, employees may request the site be un-blocked by submitting a ticket to the Information Technology help desk. An IT employee will review the request and un-block the site if it is mis-categorized.

    Employees may access blocked sites with permission if appropriate and necessary for business purposes. If an employee needs access to a site that is blocked and appropriately categorized, they must submit a request to their Human Resources representative. HR will present all approved exception requests to Information Technology in writing or by email. Information Technology will unblock that site or category for that associate only. Information Technology will track approved exceptions and report on them upon request.

    5.0 Enforcement


    The IT Security Officer will periodically review Internet use monitoring and filtering systems and processes to ensure they are in compliance with this policy. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

    6.0 Definitions

    Internet Filtering - Using technology that monitors each instance of communication between devices on the corporate network and the Internet and blocks traffic that matches specific rules.

    User ID - User Name or other identifier used when an associate logs into the corporate network.

    IP Address - Unique network address assigned to each device to allow it to communicate with other devices on the network or Internet.

    SMTP - Simple Mail Transfer Protocol. The Internet Protocol that facilitates the exchange of mail messages between Internet mail servers.

    Peer to Peer File Sharing - Services or protocols such as BitTorrent and Kazaa that allow Internet connected hosts to make files available to or download files from other hosts.

    Social Networking Services - Internet sites such as Myspace and Facebook that allow users to post content, chat, and interact in online communities.

    SPAM - Unsolicited Internet Email. SPAM sites are websites linked to from unsolicited Internet mail messages.

    Phishing - Attempting to fraudulently acquire sensitive information by masquerading as a trusted entity in an electronic communication.

    Hacking - Sites that provide content about breaking or subverting computer security controls.

    7.0 Revision History

    11/23/2007 Draft Completed, Kevin Bong
