Security policy and its implementation
What is security?
• Security broadly means three things:
  • Confidentiality - information is not made accessible to people who are not authorised to see it
  • Integrity - information is protected from unauthorised modification, is complete and can be relied upon
  • Availability - information is available when you need it
WUCM1
Security aspects
• Non-technical (e.g. physical) threats:
  • Fire
  • Flood, etc.
  • Staff absence
• Not really a part of this unit, but …
  • Not all security threats are malicious or intentional
  • More information is lost by accident than stolen
Risk assessment
• Identify threats
• For each threat, determine/estimate:
  • Probability of occurrence
  • Cost of event: value of data, lost business
  • Cost of prevention and/or recovery
• Where predicted loss is greater than predicted cost, you need to do something about it
Types of threat
• Illustration:
  • Alec is providing information for Bert
  • Charlie is someone who shouldn't have access to that information
• Interception – unauthorised access
• Denial of service
• Impersonation
• Hijack
• Repudiation
Malicious code
• Often a part of a security threat
• Types of malicious code:
  • Viruses
  • Worms
  • Trojan horses
  • Back doors
Web specific examples 1
• Web content with malicious intent, e.g.
  • Sexygirls.com (Tiwana, 1999)
    • Download a custom "web viewer" that dials a long distance ISP and connects – and displays images
    • Phone bill at the end of the month difficult to contest
• Example of virus and Trojan downloads
Web specific examples 2
• IP or website spoofing
  • machine-machine trust violated
  • spoofed site usually to gather data:
    • credit card details
    • personal address or contact details
  • Usually a close mock-up of the real website, e.g. for e-commerce
Web specific examples 3
• Denial of service, e.g.
  • DDoS attacks on Microsoft, Amazon, E-Bay, etc.
  • Attacks on Estonian systems 2007
  • Timed assault launched by a virus
• JavaScript security problems, e.g.
  • "Freilburg Attack"
    • Uses a 1x1 pixel wide invisible frame
    • JavaScript to scan PC and upload files
    • What files would be targeted?
Security policy 1
• Identify in appropriate detail:
  • Protected items:
    • What needs protection?
    • What type of protection does each item need?
  • Authorisation:
    • Who needs authorisation?
    • What types of authorisation are needed?
    • Who authorises such access?
    • Normally based on roles, e.g.:
      • General public
      • General employee of organisation
      • Employee with specific function - e.g. managerial
      • Updater
      • System administrator
Security policy 2
• Implementation of access control:
  • How to implement access control?
  • What monitoring of accesses is going to be done?
  • Who is going to refer to the logs?
• Management of changes:
  • How are new users to be added and old ones deleted?
  • How are new items to be protected?
Security policy 3
• How are complaints and requests about the server and page content to be handled?
• How and when should the policy itself be updated?
• How should the organisation react to security issues?
  • Who is allowed to speak to members of the press, police, etc. in the event of questions or an incident?
  • How much information about a successful penetration should be made public?
Policy architecture
• Security policy issues often split:
  • Privacy policy
    • e.g. http://privacy.yahoo.com/
  • Acceptable use policy
    • e.g. http://www.ja.net/documents/use.html
  • Site security policy
    • e.g. http://secinf.net/info/policy/AusCERT.html
  • Web access policy
    • http://medlib.med.utah.edu/hug/basic/hugwebaccesspolicy.html
Implementation
• Costs of implementing security:
  • Need to be analysed
  • Compared with the predicted costs of not doing anything
• Business decision: what security to implement? = what is cost-effective?
• Need a formal backup and recovery procedure to support security
After intrusion
• Ascertain cause
  • Pre-requisite for recovery action
  • Do we know how the attackers got in?
  • Were we let down by someone else's failing or our own mistakes?
• Assess damage
  • How do you know what they accessed/changed?
• Plan recovery
  • Do you have a pre-prepared plan to implement?
  • What do you need to do to get your systems running normally again?
  • What do you need to do to reassure/appease/reimburse your customers/users?
• Plan avoidance of repeat
  • What do we need to do to prevent it happening again?
Types of protection
• Security is always a trade off against convenience
• There are four broad areas of concern:
  • Physical security
  • Operating system and platform security
  • Network security
  • User security and user awareness
Physical security
• Threat: with physical access to the computer, an attacker could:
  • Switch it off (pull the plug)
  • Physically destroy data (e.g. by applying hammer to disk)
  • Gain privileged access via a console
  • Introduce new software
• Response:
  • access controls
  • locks and keys
  • keep under observation
Platform security
• Threats:
  • Bugs in software
  • Known back doors
  • Unused/unnecessary features
  • Accidental misuse
• Responses:
  • Monitor security alerts
  • Install patches
  • Make someone responsible for this
  • Harden your operating system:
    • Only mount essential components.
    • Document need and protection in security policy
Network security
• Threats:
  • Unauthorised access
  • Misuse by authorised people
  • Excessive access
  • Denial of service
• Responses:
  • Firewalls, to filter the packets that are permitted to reach the web server
  • Network address translation schemes, to hide the internal network addresses
  • Use of proxy servers to filter and moderate requests
  • Security self tests (white hat intrusion)
User security
• Threats:
  • Many users are just too trusting
  • Social engineering ("phishing") can push users to willingly break known safety rules, e.g.
    • "There is a problem with your account. Please change your password to NowSafe and await further instructions..."
    • "There is a problem with your account and we are unable to bill your credit card. Please enter your credit card number and expiry date in the spaces below and click the SUBMIT button."
  • AOL reminder on every page about passwords
  • Smooth-tongued callers
• Responses:
  • Well-defined company policies
  • Educate users on risks
  • Train users in good practice
  • Role-play training helpful in establishing good employee habits
  • Monitor users
Server configuration
• A web server can be set up to restrict access to its site(s)
• Restrictions can be applied to part of the site (called a "realm")
• There are two types of restriction:
  • Restrict access by identified users or groups of users
  • Restrict access by identified host or group of hosts
• Restrictions can be mixed
  • but be aware of errors hidden in complex solutions
Access by user
1. If the server receives a request for a restricted URL, it sends back to the browser a challenge (stating the realm)
2. The browser invites its user to enter a username and password for the realm
3. The browser resubmits the request with the credentials, i.e. username/password
4. The server checks – if OK, serve page; if not, back to step 2 or fail "unauthorised"
User authentication
• Two forms of authentication:
  • Basic – username and password in clear text – not good unless hidden in an SSL transaction
  • Digest – uses an MD5 cryptographic checksum and a random "nonce" value
• Browsers normally retain username and password for reuse when other challenges come from the same realm
Access by host
• Access restrictions by host can be specified by:
  • IP address (e.g. 204.255.230.13)
  • Domain name (e.g. port.ac.uk)
• Partial addresses/domains can be used:
  • e.g. 204.255. can be used to specify a restriction to all hosts whose IP address starts with 204.255.
  • e.g. ac.uk would specify a restriction for all hosts from an academic UK domain
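How a partial address or domain rule should be evaluated, as an added example that is not part of the original slides: the rule is compared on whole octets or whole domain labels, so that 204.25 does not admit 204.255.230.13 and ac.uk does not admit fakeac.uk. The function names and the sample clients are constructed, and the hostname is assumed to come from a reverse lookup that was confirmed by a forward lookup.

```python
import ipaddress


def ip_rule_matches(rule, client_ip):
    """Match a partial address such as '204.255.' on whole octets only."""
    rule_octets = [part for part in rule.split(".") if part]
    ip_octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return 0 < len(rule_octets) <= 4 and ip_octets[:len(rule_octets)] == rule_octets


def domain_rule_matches(rule, hostname):
    """Match a partial domain such as 'ac.uk' on whole labels only."""
    rule_labels = [part for part in rule.lower().split(".") if part]
    host_labels = hostname.lower().rstrip(".").split(".")
    return bool(rule_labels) and host_labels[-len(rule_labels):] == rule_labels


def host_allowed(rules, client_ip, hostname=None):
    """True if any rule admits the client. hostname is assumed to come from a
    reverse lookup that was confirmed by a forward lookup; pass None otherwise."""
    for rule in rules:
        if rule.replace(".", "").isdigit():
            if ip_rule_matches(rule, client_ip):
                return True
        elif hostname and domain_rule_matches(rule, hostname):
            return True
    return False


def naive_match(rule, value):
    """Plain string comparison, shown only for contrast with the above."""
    return value.startswith(rule) or value.endswith(rule)


if __name__ == "__main__":
    rules = ["204.255.", "ac.uk"]
    # Constructed sample clients: (address, confirmed hostname or None)
    clients = [("204.255.230.13", None), ("204.25.5.1", None),
               ("192.0.2.7", "port.ac.uk"), ("192.0.2.8", "fakeac.uk")]
    for ip, name in clients:
        print(ip, name, host_allowed(rules, ip, name))
```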
Cautions
• Browsers cache credentials
  • In memory for the session
  • On disc if so configured
More information
• The security tutorials listed at http://httpd.apache.org/docs/misc/tutorials.html
• The Apache documentation at http://httpd.apache.org/docs/
• The Computer Emergency Response Team (CERT) at http://www.cert.org
• Centre for the Protection of National Infrastructure (CPNI) http://www.cpni.gov.uk/
More information
• NetworkIce is a company dealing with network security software and services at http://advice.networkice.com/Advice/default.htm
• SecurityFocus, for discussion and news at http://www.securityfocus.com