security planning and policy.docx
- 文档编号:7672915
- 上传时间:2023-01-25
- 格式:DOCX
- 页数:14
- 大小:319.01KB
security planning and policy.docx
《security planning and policy.docx》由会员分享,可在线阅读,更多相关《security planning and policy.docx(14页珍藏版)》请在冰豆网上搜索。
securityplanningandpolicy
Securityplanningandpolicy
Overview
Securityriskscannotbeeliminatedorpreventedcompletely.However,effectiveriskmanagementandassessmentcansignificantlyminimizetheexistingsecurityrisks.Anacceptablelevelofriskdependsonhowmuchriskthebusinessiswillingtoassume.Asecuritypolicyisanimportantcomponentindecidinghowthisriskismanaged.Asecuritypolicyisaformalstatementoftherulesbywhichpeoplewhoaregivenaccesstoanorganization’stechnologyandinformationassetsmustabide.Asecuritypolicycanbeassimpleasanacceptableusepolicyfornetworkresourcesoritcanbeseveralhundredpagesinlengthanddetaileveryelementofconnectivityandassociatedpolicies.
Routerscansupportalargenumberofnetworkservicesthatallowusersandhostprocessestoconnecttothenetwork.Someoftheseservicescanberestrictedordisabled,improvingsecuritywithoutaffectingtheoperationaluseofthenetwork.Forsecuritypurposes,itshouldbeacommonpracticefornetworkdevicestoonlysupportthetrafficandprotocolsthenetworkneeds.
Thesecuritywheel
Mostsecurityincidentsoccurbecausesystemadministratorsdonotimplementavailablecountermeasures,andhackersordisgruntledemployeesexploittheoversight.Therefore,theissueisnotjustoneofconfirmingthatatechnicalvulnerabilityexistsandfindingacountermeasurethatworks,itisalsocriticaltoverifythatthecountermeasureisinplaceandworkingproperly.ThisiswheretheSecurityWheel,acontinuousprocess,isaneffectiveapproach.
TheSecurityWheelpromotesretestingandreapplyingupdatedsecuritymeasuresonacontinuousbasis.
TobegintheSecurityWheelprocess,firstdevelopasecuritypolicythatenablestheapplicationofsecuritymeasures.Asecuritypolicyneedstoaccomplishthefollowingtasks:
∙Identifythesecurityobjectivesoftheorganization.
∙Documenttheresourcestobeprotected.
∙Identifythenetworkinfrastructurewithcurrentmapsandinventories.
∙Identifythecriticalresourcesthatneedtobeprotected,suchasresearchanddevelopment,finance,andhumanresources.Thisiscalledariskanalysis.
Afterthesecuritypolicyisdeveloped,makeitthehubuponwhichthefourstepsoftheSecurityWheelarebased.Thestepsaresecure,monitor,test,andimprove.
Secure
Securethenetworkbyapplyingthesecuritypolicyandimplementingthefollowingsecuritysolutions:
∙ThreatDefense
oStatefulInspectionandpacketfiltering–Filternetworktraffictoallowonlyvalidtrafficandservices.
oIntrusionPreventionSystems–Inlineintrusiondetectionsystems(IDS),whichisbettertermedintrusionpreventionsystems(IPS),canbedeployedatthenetworkandhostleveltoactivelystopmalicioustraffic.
oVulnerabilitypatching–Applyfixesormeasurestostoptheexploitationofknownvulnerabilities.Thisincludesturningoffservicesthatarenotneededoneverysystem.Thefewerservicesthatareenabled,theharderitisforhackerstogainaccess.
∙SecureConnectivity
oVirtualPrivateNetworks(VPNs)–Hidetrafficcontenttopreventunwanteddisclosuretounauthorizedormaliciousindividuals.
∙TrustandIdentity
oAuthentication–Giveaccesstoauthorizedusersonly.Oneexampleofthisisusingone-timepasswords.
oPolicyenforcement–Assureusersandenddevicesareincompliancewiththecorporatepolicy.
Monitor
Monitoringsecurityinvolvesbothactiveandpassivemethodsofdetectingsecurityviolations.Themostcommonlyusedactivemethodistoaudithost-levellogfiles.Mostoperatingsystemsincludeauditingfunctionality.Systemadministratorsforeveryhostonthenetworkmustturntheseonandtakethetimetocheckandinterpretthelogfileentries.
Passivemethodsincludeusingintrusiondetectionsystem(IDS)devicestoautomaticallydetectintrusion.Thismethodrequiresonlyasmallnumberofnetworksecurityadministratorsformonitoring.Thesesystemscandetectsecurityviolationsinrealtimeandcanbeconfiguredtoautomaticallyrespondbeforeanintruderdoesanydamage.
AnaddedbenefitofnetworkmonitoringistheverificationthatthesecuritydevicesimplementedinStep1oftheSecurityWheelhavebeenconfiguredandareworkingproperly.
Test
InthetestingphaseoftheSecurityWheel,thesecurityofthenetworkisproactivelytested.Specifically,thefunctionalityofthesecuritysolutionsimplementedinStep1andthesystemauditingandintrusiondetectionmethodsimplementedinStep2mustbeassured.VulnerabilityassessmenttoolssuchasSATAN,Nessus,orNMAPareusefulforperiodicallytestingthenetworksecuritymeasuresatthenetworkandhostlevel.
Improve
TheimprovementphaseoftheSecurityWheelinvolvesanalyzingthedatacollectedduringthemonitoringandtestingphases,anddevelopingandimplementingimprovementmechanismsthatfeedintothesecuritypolicyandthesecuringphaseinStep1.Tokeepanetworkassecureaspossible,thecycleoftheSecurityWheelmustbecontinuallyrepeated,becausenewnetworkvulnerabilitiesandrisksarecreatedeveryday.
Withtheinformationcollectedfromthemonitoringandtestingphases,intrusiondetectionsystemscanbeusedtoimplementimprovementstothesecurity.Thesecuritypolicyshouldbeadjustedasnewsecurityvulnerabilitiesandrisksarediscovered
Networksecuritypolicy
Securitypoliciesareworththetimeandeffortneededtodevelopthem.Asecuritypolicybenefitsacompanyinthefollowingway:
∙Itprovidesaprocesstoauditexistingnetworksecurity.
∙Itprovidesageneralsecurityframeworkforimplementingnetworksecurity.
∙Itdefineswhichbehaviorisandisnotallowed.
∙Itoftenhelpsdeterminewhichtoolsandproceduresareneededfortheorganization.
∙Ithelpscommunicateconsensusamongagroupofkeydecisionmakersanddefinestheresponsibilitiesofusersandadministrators.
∙Itdefinesaprocessforhandlingnetworksecurityincidents.
∙Itenablesglobalsecurityimplementationandenforcement.
∙Itcreatesabasisforlegalactionifnecessary.
Computersecurityisnowanenterprise-wideissueandcomputingsitesareexpectedtoconformtothenetworksecuritypolicy.
DevelopingaSecurityPolicy
AsecuritypolicycanbeassimpleasabriefAcceptableUsePolicyfornetworkresources,orcanbeseveralhundredpageslonganddetaileveryelementofconnectivityandassociatedpolicies.Althoughsomewhatnarrowinscope,RFC2196suitablydefinesasecuritypolicyasfollows:
"Asecuritypolicyisaformalstatementoftherulesbywhichpeoplewhoaregivenaccesstoanorganization'stechnologyandinformationassetsmustabide."
Itisimportanttounderstandthatnetworksecurityisanevolutionaryprocess.Nosingleproductcanmakeanorganizationsecure.Truenetworksecuritycomesfromacombinationofproductsandservices,combinedwithacomprehensivesecuritypolicyandacommitmenttoadheretothatpolicyfromthetopoftheorganizationdown.Infact,aproperlyimplementedsecuritypolicywithoutdedicatedsecurityhardwarecanbemoreeffectiveatmitigatingthethreattoenterpriseresourcesthanacomprehensivesecurityproductimplementationwithoutanassociatedpolicy.
Inorderforasecuritypolicytobeappropriateandeffective,itneedstohavetheacceptanceandsupportofalllevelsofemployeeswithintheorganization,includingthefollowing:
∙Sitesecurityadministrator.
∙Informationtechnologytechnicalstaff,suchasstafffromthecomputingcenter.
∙Administratorsoflargeusergroupswithintheorganization,suchasbusinessdivisionsoracomputersciencedepartmentwithinauniversity.
∙Securityincidentresponseteam.
∙Representativesoftheusergroupsaffectedbythesecuritypolicy.
∙Responsiblemanagement.
∙Legalcounsel,ifneeded.
Itisextremelyimportantthatmanagementfullysupportthesecuritypolicyprocess.Otherwise,thereislittlechancethattheprocesswillhavetheintendedimpact.
Aneffectivesecuritypolicyworkstoensurethatthenetworkassetsoftheorganizationareprotectedfromsabotageandfrominappropriateaccess,bothintentionalandaccidental.Allnetworksecurityfeaturesshouldbeconfiguredincompliancewiththeorganization'ssecuritypolicy.Ifasecuritypolicyisnotpresent,orifthepolicyisoutofdate,thepolicyshouldbecreatedorupdatedbeforedecidinghowtoconfiguresecurityonanydevices.
Figureillustratesthetraitsthatanysecuritypolicyshouldinclude.
DevelopingSecurityProcedures
Securityproceduresimplementsecuritypolicies.Proceduresdefineconfiguration,login,audit,andmaintenanceprocesses.Securityproceduresshouldbewrittenforendusers,networkadministrators,andsecurityadministrators.Securityproceduresshouldspecifyhowtohandleincidents.Theseproceduresshouldindicatewhattodoandwhotocontactifanintrusionisdetected.
Hostandserverbasedsecuritycomponentsandtechnologies
Itiscriticaltoprotectnetworkhosts,suchworkstationPCsandservers.Thesehostsneedtobesecuredastheyareaddedtothenetworkandupdatedwithsecuritypatchesastheybecomeavailable.Additionalstepscanbetakentosecurethesehosts.Anti-virus,firewall,andintrusiondetectionarevaluabletoolsthatcanbeusedtosecurenetworkhosts.Becausemanybusinessresourcesmaybecontainedonasinglefileserver,itisespeciallyimportantforserverstobeaccessibleandavailable.
DeviceHardening
Whenanewoperatingsystemisinstalledonacomputer,thesecuritysettingsareallsettothedefaultvalues.Inmostcasesthislevelofsecurityisinadequate.Therearesomesimplestepsthatshouldbetakenth
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- security planning and policy