Systems Assurance Seminar
Systems Assurance Seminar CSE 583
This 17 page Class Notes was uploaded by David Mayert on Wednesday October 21, 2015. The Class Notes belongs to CSE 583 at Syracuse University taught by Staff in Fall.
Date Created: 10/21/15
Security Policy
CIS/CSE 583

What is a Security Policy?
- A document (or documents) outlining rules about who can do what to whom
  - entities: actors, objects
  - allowed actions/relations
  - security configurations/precautions
  - practices: protection, detection, response

How To Define a Policy
- Identify what you are trying to protect
- Determine what you are trying to protect it from
- Determine how likely the threats are
- Implement measures which will protect your assets in a cost-effective manner
- Review the process continuously and make improvements each time a weakness is found
Source: M. Fites et al., Control and Security of Computer Information Systems, Computer Science Press, 1989

What Are You Trying to Protect?
- Your private company financial or research data
  - basis of competitive advantage
- The integrity of your web server
  - critical to your business
- Your users, from outsiders and each other
  - real-life example: elementary school children

What are you Protecting From?
- What or whom?
- Theft
- Inadvertent revelation
- Denial of service
- Integrity
- Vandalism/defacement (special case of integrity)
- Hackers, terrorists, industrial espionage
- Hey, those are just variations on confidentiality, integrity, and availability

Determine How Likely the Threats Are
- Risk assessment (attack trees)
- Consider cost of security breach
  - direct cost of data damaged/stolen
  - cost to repair
  - cost in reputation, customer trust, etc.
  - cost depends on the use of the system
- Prioritize risks by likelihood and cost

Implement Cost-Effective Measures
- Don't pay more for defense than it would cost you to fix it afterwards
  - Sometimes this can't be defined easily
- This is the majority of what the document focuses on
  - but may or may not take the majority of the time in developing the policy
- Specify P, D, R measures

Review the Process
- Are your initial definitions still correct?
- Do the relationships between subjects and objects still hold?
- Is the security policy being implemented properly (audit)?
- If a breach occurs, review it and modify either the set of allowed actions or the security measures

Notes on Policy
- One document or many?
- Single large document holds everything but is cumbersome
- Multiple small documents are easier to update and use, but must be kept consistent

Policy can also be Formally Specified
- Define sets: subjects $S$, objects $O$, actions $A$
- Write down formal rules about when subjects are allowed to act on objects, e.g.
  $\forall s \in S,\ o \in O,\ a \in A:\ \mathrm{allows}(s, o, a)$ iff
  - $\mathrm{true}$ $\Rightarrow$ no security
  - $\mathrm{owns}(s, o)$ $\Rightarrow$ ownership
  - could include temporal relationships, etc.
- The problem comes in the implementation

Why is Policy Important?
- Without it, you have no framework to judge the security of the system
  - If the policy accurately reflects what you want
  - and the system faithfully implements the policy
  - then you're as secure as you want to be
- Without a written policy, you will not be secure
- Security starts with policy definition

Real-life Example
- Organization acted as ISP for 40 school systems
- Also maintained computers within the systems (SW & HW)
- No desire to specify security policy
- Thought that they could wave a magic wand
  - firewall
  - virus filter
  - all done
- Wanted to make things secure
- We walked away

Example Policy Types
- Acceptable Encryption
- Acceptable Use
- Analog/ISDN Lines
- Anti-Virus Process
- Audit Policy
- Dial-in Access Policy
- DMZ
- Email forwarding/handling policy
- Desktop security standards
- Server security standards
- Wireless network policy

Qualities of a Good Policy
- Implementable, enforceable
- Easy to understand, concise
- Balanced between production and protection
- Explains why policy is needed
- Defines subjects, objects, relationships, actions
- Defines how violations will be handled

The Most Common Policy: AUP
- A contract between the users of the system and the owners/providers
- Says what the users are allowed to use the system for, and what they're not
- Outlines rights of/protections provided to the users
- Describes penalty for violation
- Did you know you signed one?

Procedures
- Directions on how to comply with policy
- E.g.: Policy might state that all desktop machines must use a standard configuration specified in a subdocument
  - Standard specifies configuration
  - Procedure tells how to configure and test system before installing
- See handout for example audit policy; note that it says nothing about procedure

Network vs. System Policies
- Most security policies do not explicitly separate the two
- Network policies: firewall configuration, DMZ rules, running services, protocols supported
- System policies: password changing, software installation, configuration, backup policy
- AUP covers both
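
The formal specification from the "Policy can also be Formally Specified" slide, combined with the audit question from "Review the Process", as an added example that is not part of the original notes: each rule is a predicate allows(s, o, a) over the sets S, O and A, and an access log is checked against it. The subjects, objects, owner table, 08:00-18:00 write window and log entries are all constructed assumptions.

```python
from datetime import time

# Constructed sample sets: subjects S, objects O, actions A.
S = {"alice", "bob"}
O = {"grades.db", "notes.txt"}
A = {"read", "write"}
OWNER = {"grades.db": "alice", "notes.txt": "bob"}  # backs the owns(s, o) relation

def owns(s, o):
    return OWNER.get(o) == s

def no_security(s, o, a, when):
    """allows(s, o, a) iff true."""
    return True

def ownership(s, o, a, when):
    """allows(s, o, a) iff owns(s, o)."""
    return owns(s, o)

def ownership_office_hours(s, o, a, when):
    """Ownership plus a temporal relationship (assumed): writes only 08:00-18:00."""
    return owns(s, o) and (a == "read" or time(8) <= when < time(18))

def allowed_set(rule, when):
    """Enumerate the rule over S x O x A: the policy as an explicit relation."""
    return {(s, o, a) for s in S for o in O for a in A if rule(s, o, a, when)}

def audit(rule, log):
    """Return the log entries the policy does not allow.

    The rule is quantified over S, O and A only, so an entry that names
    anything outside those sets is a violation whatever the rule says.
    """
    violations = []
    for s, o, a, when in log:
        in_domain = s in S and o in O and a in A
        if not (in_domain and rule(s, o, a, when)):
            violations.append((s, o, a, when))
    return violations

# Constructed access log: (subject, object, action, time of day).
LOG = [
    ("alice", "grades.db", "write", time(9, 30)),
    ("bob", "grades.db", "read", time(10, 0)),
    ("alice", "grades.db", "write", time(23, 15)),
    ("mallory", "notes.txt", "read", time(11, 0)),
]

if __name__ == "__main__":
    for rule in (no_security, ownership, ownership_office_hours):
        print(rule.__name__, audit(rule, LOG))
```

The same log yields a different violation list under each rule, which is the point of the "Why is Policy Important" slide: without a stated policy there is nothing to audit against.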