DATA SECURITY
Establishing and Maintaining a Security Policy

Today's outline

 Administrative Security
 Overall Planning and Administration
 Day-to-Day Administration
 Separation of Duties
Introduction

 Secure system planning and administration is the human side of computer security.
 Even in a highly trusted system, security isn't automatic.
 Administrators need a written guideline, spelled out beforehand, that clearly outlines what steps to take and what procedures to follow in the pursuit of security.
 The security policy is a living document that must be examined and updated regularly.

 Training users, administering passwords, backing up system-critical files, setting up and tuning firewalls and intrusion detection systems, and examining audit logs: these are some of the many ways that a system's abstract security policy
Administrative Security

 Administrative security falls into three general categories:
   Overall security planning and administration
     This category includes working with management to set a security policy for your organization, publicizing it and gaining management support for it, performing risk analysis and disaster planning, monitoring employees, training users, answering their questions, and so on.
   Day-to-day security administration
     This category includes creating accounts and assigning security profiles for users (for example, their initial passwords, their password controls), their login controls (e.g., what hours they can log in), making sure there aren't security holes in your system, and so on.
   Day-to-day system administration
     This category includes keeping the system running, doing daily backups, trolling for breaches, and testing the condition of hardware and software used to sustain operations in times of stress or attack.
Overall Planning and Administration

 Analyzing Costs and Risks
 Planning for Disaster
 Setting Security Rules for Employees
 Training Users
Analyzing Costs and Risks

 Risk analysis is a procedure used to estimate potential losses that may result from system vulnerabilities and to quantify the damage that may result if certain threats occur.
 The ultimate goal of risk analysis is to select cost-effective safeguards that reduce risks to an acceptable level.
 Risk analysis is a way to figure out how important your system is, and how far you're willing to go in terms of equipment, people, and budget to protect it.

 Standard risk analysis involves looking at your tangible assets (for example, your buildings, computers, and other equipment) and determining how to protect them.
 When you're evaluating your organization's information asset and considering whether and how to protect it, you'll have a number of important questions to ask:
   What information do you have, and how important is it?
   How vulnerable is the information?
   What is the cost of losing or compromising the information?
   What is the cost of protecting the information?
   Who are you going to call?
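The slides describe risk analysis as estimating potential losses and then choosing cost-effective safeguards. The following added example (not part of the slides) carries that procedure through numerically using the usual single loss expectancy / annualized loss expectancy arithmetic: each threat gets an expected yearly loss, each candidate safeguard is scored by the loss it avoids minus what it costs, and only safeguards that pay for themselves are selected. All asset values, rates and costs are constructed figures, not real data.

```python
"""Cost/benefit selection of safeguards by annualized loss expectancy (ALE).

Added example, not from the slides. All figures below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    """One (asset, threat) pair with the inputs of a quantitative risk analysis."""
    asset: str
    threat: str
    asset_value: float      # cost to replace the asset (constructed currency units)
    exposure_factor: float  # fraction of asset_value lost when the threat occurs, 0..1
    annual_rate: float      # expected occurrences per year

    def single_loss(self) -> float:
        """Single loss expectancy: cost of one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """Annualized loss expectancy: single loss times expected occurrences per year."""
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: its yearly cost and how it changes one threat's inputs."""
    name: str
    threat: str                              # the threat it addresses
    annual_cost: float
    rate_factor: float = 1.0                 # multiplier on annual_rate with the control in place
    exposure_factor: Optional[float] = None  # replacement exposure factor, if it limits the damage


def residual_risk(risk: Risk, guard: Safeguard) -> Risk:
    """The same risk as it would look with the safeguard in place."""
    exposure = risk.exposure_factor if guard.exposure_factor is None else guard.exposure_factor
    return Risk(risk.asset, risk.threat, risk.asset_value, exposure, risk.annual_rate * guard.rate_factor)


def net_benefit(risk: Risk, guard: Safeguard) -> float:
    """Yearly loss avoided minus the safeguard's yearly cost; positive means it pays for itself."""
    avoided = risk.annual_loss() - residual_risk(risk, guard).annual_loss()
    return avoided - guard.annual_cost


def select_safeguards(risks: List[Risk], guards: List[Safeguard]) -> Dict[str, Optional[str]]:
    """Per threat, pick the safeguard with the largest positive net benefit, or None when no
    candidate is cost-effective (the organization then accepts or transfers that risk)."""
    chosen: Dict[str, Optional[str]] = {}
    for risk in risks:
        candidates = [g for g in guards if g.threat == risk.threat]
        best = max(candidates, key=lambda g: net_benefit(risk, g), default=None)
        chosen[risk.threat] = best.name if best is not None and net_benefit(risk, best) > 0 else None
    return chosen


# Constructed figures for one asset and two threats (not real data).
RISKS = [
    Risk("file server", "disk failure", asset_value=50_000, exposure_factor=0.4, annual_rate=0.5),
    Risk("file server", "fire", asset_value=50_000, exposure_factor=1.0, annual_rate=0.02),
]
SAFEGUARDS = [
    Safeguard("nightly backups", "disk failure", annual_cost=3_000, exposure_factor=0.05),
    Safeguard("mirrored disks", "disk failure", annual_cost=9_500, rate_factor=0.1),
    Safeguard("sprinkler system", "fire", annual_cost=2_000, exposure_factor=0.5),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.threat}: ALE = {r.annual_loss():,.0f}")
    print(select_safeguards(RISKS, SAFEGUARDS))
```

With these figures the disk-failure ALE is 10,000 per year; nightly backups avoid 8,750 of it for 3,000 and are selected, mirrored disks avoid 9,000 but cost 9,500 and are not, and the sprinkler system costs more than the fire loss it prevents, so that risk is left unmitigated by this analysis. The point of the exercise is the comparison, not the absolute numbers: the inputs are estimates and the answer is only as good as they are.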
Planning for Disaster

 One of the most important things you can do to protect your organization from disaster is to plan for that disaster.
 A disaster recovery plan is a plan for keeping your computer equipment and information available in case of an emergency.
 Your organization's disaster recovery plan will involve such activities as:
   backing up data for storage
   arranging for the use of other computer facilities or equipment in case of an emergency
     Such arrangements may be informal (for example, you might make a reciprocal agreement with another department or organization to use each other's equipment if a disaster occurs), or they may be formal (for example, you might prepare a separate emergency site or contract with an organization that handles disaster preparedness).

 Emergency sites are usually characterized as:
   Cold: emergency facilities containing air conditioning and cabling, but no computers
   Hot: emergency facilities containing computers and working backup data
   Warm: a hybrid, sites in which computers and equipment are preinstalled
Setting Security Rules for Employees

 Be sensible about who you hire,
 what computer resources you let them use,
 and what you do when they leave your organization.
Training Users

 The users in your organization have to take some responsibility for security.
 Teach your users how to use the hardware and software,
 be sure they understand your organization's security policy,
 and impress upon them the importance of observing good security practices.
 Most important, be sure they know how to recognize security problems and what to do if they occur.
Day-to-Day System Administration

 Day-to-day system administration encompasses many activities, but most focus on keeping your computers and networks running smoothly by maintaining equipment, making sure there's sufficient space on the system disks, and protecting the system and its software from damage.
 Performing Backups
 Hardware and Software Security Tools
 Performing a Security Audit
Performing Backups

 Backups of your system and all the data stored on your system are absolutely essential if you expect to be able to recover from a disaster.
 In a PC environment, many system administrators discover that critical documents on a user's machine often disappear when a disk fails. They can help protect against this by providing personal folders in common space on a server.
 Some backup rules:
   Encrypt your backups if they contain sensitive data.
   Keep extra backups off-site in a locked, fireproof location. You don't want a fire, lightning, or some other disaster to wipe out your system and your backups at the same time.
   Secure your backup tapes or disks in locked areas.
   Verify your backups. Check periodically to make sure they've been produced correctly and haven't been damaged in any way.
   Be sure to delete all data by overwriting what's there; don't just reinitialize your tapes or disks.
   If you're throwing backups away, destroy the media first (by burning, crushing, or shredding).
   Consider buying an automatic backup program that runs full or incremental backups (without your intervention) every night.
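Two of the backup rules above, "verify your backups" and "delete all data by overwriting", are easy to state and easy to skip. The following added example (not from the slides) shows one way to do both on a directory tree that stands in for a backup set: a SHA-256 manifest is written when the backup is produced, a later verification pass reports files that are corrupt, missing or unexpected, and a file is overwritten in place before it is unlinked. The sample files and the corruption are constructed inside a temporary directory so the script runs offline.

```python
"""Verify a backup set against a hash manifest, and overwrite before deleting.

Added example, not from the slides. The backup set below is constructed in a
temporary directory; a real run would point at the mounted backup volume.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _data_files(backup_dir: Path):
    return [p for p in sorted(backup_dir.rglob("*")) if p.is_file() and p.name != MANIFEST_NAME]


def write_manifest(backup_dir: Path) -> Path:
    """Record the digest of every file; run this when the backup is produced."""
    manifest = {str(p.relative_to(backup_dir)): file_digest(p) for p in _data_files(backup_dir)}
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_backup(backup_dir: Path) -> Dict[str, List[str]]:
    """Compare the set against its manifest; run this periodically, as the slide advises."""
    expected = json.loads((backup_dir / MANIFEST_NAME).read_text())
    present = {str(p.relative_to(backup_dir)) for p in _data_files(backup_dir)}
    report: Dict[str, List[str]] = {"corrupt": [], "missing": [], "unexpected": []}
    for name, digest in expected.items():
        if name not in present:
            report["missing"].append(name)
        elif file_digest(backup_dir / name) != digest:
            report["corrupt"].append(name)
    report["unexpected"] = sorted(present - set(expected))
    return report


def overwrite_and_delete(path: Path, passes: int = 1) -> None:
    """Overwrite a file's bytes before unlinking it, so the old data is not simply left in place.

    Assumption: a plain disk or tape image. On SSDs and journaling or copy-on-write file
    systems an overwrite does not reliably reach the old blocks, so the slide's advice to
    physically destroy media before disposal still applies.
    """
    size = path.stat().st_size
    with path.open("r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
    path.unlink()


def demo() -> Dict[str, List[str]]:
    """Build a constructed backup set, damage it, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "etc").mkdir()
        (backup / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        (backup / "payroll.csv").write_bytes(b"alice,4200\nbob,3900\n")
        write_manifest(backup)
        # Simulate a damaged medium: one file's contents change after the manifest was written.
        (backup / "payroll.csv").write_bytes(b"alice,4200\nbob,0000\n")
        # Simulate a file that appeared on the medium after the backup was taken.
        (backup / "stray.tmp").write_bytes(b"oops")
        report = verify_backup(backup)
        overwrite_and_delete(backup / "payroll.csv")
        return report


if __name__ == "__main__":
    print(demo())
```

The manifest only proves the backup still matches what was written; it says nothing about whether the data was correct at backup time, so a periodic test restore remains part of "verify your backups". The demo deliberately leaves encryption out: if the set contains sensitive data, encrypt it before the manifest is computed, and keep the key somewhere a fire at the primary site cannot take with it.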
Hardware and Software Security Tools

 A firewall is a tool for guarding against network incursion.
 An intrusion detection system (IDS) listens to the circuit, taking note if any unusual activity is taking place: a certain user that constantly connects to a little-used disk drive may be storing information there, either for later theft, or perhaps to be used as a tool in a future incursion. Intrusion detection systems usually have large libraries of attack signatures, that is, lists of the steps attackers typically take or have taken in the past to accomplish some attack. If the pattern of these attacks is repeated in a system being monitored by the IDS, the IDS will likely stop the transaction if it can, and place a page or call to an administrator informing them of the attempted attack.
 A honeypot, sometimes called a honeynet, is a decoy. It is usually placed in an unprotected portion of the network as a lure to attackers. While unauthorized users are checking out the honeypot, their movements are recorded. This helps further develop the library of attack signatures.
 Penetration testing, or pentesting, is a programmed, usually automated series of attacks that administrators carry out on their own network. The purpose of pentesting is to locate overlooked vulnerabilities.
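The IDS bullet describes a signature as a list of steps, and an alert as what happens when one monitored source repeats those steps. The following added example (not from the slides, and not any real IDS's rule language) implements that idea in the smallest useful form: each signature is an ordered list of event names with a time window, the matcher keeps a per-source position in each signature, and a source that completes a signature within the window raises an alert. The event-line format, the two signatures and the source addresses are constructed for the example.

```python
"""A minimal signature-based intrusion detector over constructed event lines.

Added example, not from the slides. Signatures and events are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# A signature: the ordered steps one source takes, and how long the whole sequence may span.
SIGNATURES: Dict[str, Tuple[List[str], timedelta]] = {
    "password guessing": (["login_failed", "login_failed", "login_failed", "login_ok"], timedelta(minutes=10)),
    "recon then data staging": (["port_scan", "login_ok", "mount_unused_volume"], timedelta(hours=1)),
}

# Constructed event lines: ISO timestamp, source address, event name.
EVENT_LOG = """\
2024-03-01T09:00:00 10.0.0.5 port_scan
2024-03-01T09:01:00 10.0.0.5 login_failed
2024-03-01T09:01:05 10.0.0.5 login_failed
2024-03-01T09:01:09 10.0.0.5 login_failed
2024-03-01T09:01:20 10.0.0.5 login_ok
2024-03-01T09:03:00 10.0.0.5 mount_unused_volume
2024-03-01T09:05:00 10.0.0.9 login_failed
2024-03-01T09:30:00 10.0.0.9 login_failed
2024-03-01T09:31:00 10.0.0.9 login_failed
2024-03-01T09:31:30 10.0.0.9 login_ok
"""


class SignatureMatcher:
    """Tracks, per (source, signature), how far along the step list that source has got."""

    def __init__(self, signatures: Dict[str, Tuple[List[str], timedelta]]) -> None:
        self.signatures = signatures
        self.state: Dict[Tuple[str, str], Tuple[int, Optional[datetime]]] = {}
        self.alerts: List[Tuple[str, str, datetime]] = []

    def feed(self, when: datetime, source: str, event: str) -> None:
        for name, (steps, window) in self.signatures.items():
            key = (source, name)
            idx, started = self.state.get(key, (0, None))
            if started is not None and when - started > window:
                idx, started = 0, None   # too spread out to be one attack: start over
            if event == steps[idx]:
                if idx == 0:
                    started = when
                idx += 1
                if idx == len(steps):     # every step seen, in order, inside the window
                    self.alerts.append((source, name, when))
                    idx, started = 0, None
            # Events that match no step are ignored; real attacks are interleaved with noise.
            self.state[key] = (idx, started)


def detect(log_text: str) -> List[Tuple[str, str, datetime]]:
    """Run the matcher over the event lines and return (source, signature, time) alerts."""
    matcher = SignatureMatcher(SIGNATURES)
    for line in log_text.splitlines():
        stamp, source, event = line.split()
        matcher.feed(datetime.fromisoformat(stamp), source, event)
    return matcher.alerts


if __name__ == "__main__":
    for source, name, when in detect(EVENT_LOG):
        print(f"{when:%H:%M:%S}  {source}  {name}")
```

Source 10.0.0.5 completes both signatures and produces two alerts. Source 10.0.0.9 fails three times and then succeeds, but 25 minutes separate the first two failures, so the window resets and no alert is raised; that is the difference between a user mistyping a password and a guessing attempt, and it is the kind of threshold that gets tuned against an organization's own logs. Where the slide says the IDS "will likely stop the transaction if it can", the equivalent here would be acting on the alert list as it is produced, which this example leaves to the caller.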
Performing a Security Audit

 A security audit is a search through your system for security problems and vulnerabilities.
 Check your system files and any system logs or audit reports your system produces for dangerous situations or clues to suspicious activity. These might include:
   Accounts without passwords
   Accounts with easily guessed passwords
   Group accounts
   Dormant accounts
     These include accounts of users who have left your organization, have gone on vacation, or have moved to a different group or system.
   New accounts
     Be sure these are accounts you have assigned and not accounts that an intruder has created.
   Default accounts
     Many operating systems create "Everybody" or "Guest" or even "Administrator" accounts automatically.
   Recent changes in file protection
   Suspicious user activity
     Basically, this means that a user (or someone using that user's account) is acting in an unexpected way: for example, someone logs in from a number of different terminals, logs in at odd times of the day or the week, runs protected system programs, transmits or dials out an unusual amount, or uses new networks.
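Most of the audit checklist above can be turned into a script that is run on a schedule rather than remembered. The following added example (not from the slides) does that for the account-level items and for two of the "suspicious user activity" signs: it flags accounts without passwords, enabled default accounts, dormant accounts, new accounts the administrator did not approve, and several account names sharing one uid, and it scans login lines for odd-hours logins and for users appearing on many terminals. The account records, the approved-account list, the thresholds and the login lines are constructed; on a real system the same checks would read /etc/passwd, /etc/shadow, lastlog and the authentication log.

```python
"""A small account and login audit over constructed records.

Added example, not from the slides. Record format, data, thresholds and the
approved-account list are constructed for the example.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Set

AUDIT_DATE = date(2024, 3, 4)   # the day the audit runs (constructed)

# Constructed account records. pw: "" = no password, "!" = locked, otherwise a hash.
ACCOUNTS = [
    {"name": "root",    "pw": "$6$hash", "uid": 0,    "last_login": date(2024, 3, 1),  "created": date(2020, 1, 1)},
    {"name": "alice",   "pw": "$6$hash", "uid": 1001, "last_login": date(2024, 2, 28), "created": date(2021, 5, 2)},
    {"name": "bob",     "pw": "$6$hash", "uid": 1002, "last_login": date(2023, 9, 10), "created": date(2021, 5, 2)},
    {"name": "guest",   "pw": "",        "uid": 1003, "last_login": None,              "created": date(2020, 1, 1)},
    {"name": "backup2", "pw": "$6$hash", "uid": 0,    "last_login": date(2024, 3, 1),  "created": date(2024, 2, 27)},
    {"name": "shared",  "pw": "$6$hash", "uid": 1002, "last_login": date(2024, 3, 1),  "created": date(2022, 1, 1)},
]
APPROVED_ACCOUNTS = {"root", "alice", "bob", "guest", "shared"}   # accounts the admin knows they created
DEFAULT_ACCOUNT_NAMES = {"guest", "everybody", "administrator"}  # names systems create automatically

# Constructed login lines: ISO timestamp, user, terminal.
LOGIN_LOG = """\
2024-03-01T09:12:00 alice tty1
2024-03-01T10:40:00 alice tty1
2024-03-01T23:55:00 bob tty3
2024-03-02T03:14:00 alice pts/0
2024-03-02T03:20:00 alice pts/4
2024-03-02T03:25:00 alice tty9
2024-03-03T11:00:00 alice tty1
"""


def audit_accounts(accounts, today: date, dormant_days: int = 90, new_days: int = 7) -> Dict[str, List[str]]:
    """Apply the slide's account checks; returns finding name -> sorted account names."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    uid_owners: Dict[int, Set[str]] = defaultdict(set)
    for acct in accounts:
        name = acct["name"]
        uid_owners[acct["uid"]].add(name)
        if acct["pw"] == "":
            findings["no_password"].add(name)
        if name in DEFAULT_ACCOUNT_NAMES and acct["pw"] != "!":
            findings["default_account_enabled"].add(name)
        last: Optional[date] = acct["last_login"] or acct["created"]
        if today - last > timedelta(days=dormant_days):
            findings["dormant"].add(name)
        if today - acct["created"] <= timedelta(days=new_days) and name not in APPROVED_ACCOUNTS:
            findings["unapproved_new_account"].add(name)
    # Several names on one uid are really one shared identity (a "group account"),
    # and a second name on uid 0 is the classic sign of an account an intruder added.
    for names in uid_owners.values():
        if len(names) > 1:
            findings["shared_uid"].update(names)
    return {k: sorted(v) for k, v in findings.items()}


def audit_logins(log_text: str, work_hours=(7, 19), max_terminals: int = 2) -> Dict[str, List[str]]:
    """Flag users who log in outside work hours or at weekends, or from many terminals."""
    odd_hours: Set[str] = set()
    terminals: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        stamp, user, term = line.split()
        when = datetime.fromisoformat(stamp)
        terminals[user].add(term)
        if when.weekday() >= 5 or not (work_hours[0] <= when.hour < work_hours[1]):
            odd_hours.add(user)
    many = {u for u, t in terminals.items() if len(t) > max_terminals}
    return {"odd_hours": sorted(odd_hours), "many_terminals": sorted(many)}


if __name__ == "__main__":
    print(audit_accounts(ACCOUNTS, AUDIT_DATE))
    print(audit_logins(LOGIN_LOG))
```

Every finding here is a lead, not a verdict: bob may simply be on leave, and alice's weekend logins may be a release night. The value of running the checks on a schedule is that the administrator sees the list while the explanation is still easy to obtain, which is also the point of the slide's "new accounts" item, where the only way to know an account is yours is to compare it against the list of accounts you created.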
Separation of Duties

 Separation of duties is the principle that it's better to assign pieces of security-related tasks to several specific individuals.
 This principle is related to another important security principle, that of least privilege, the idea that the users and the processes in a system should have the least number of privileges and for the shortest amount of time needed to do their work.
 In highly secure systems, as many as three distinct, complementary administrative functions, or roles, may be required: a system administrator, a security administrator (sometimes called an Information System Security Officer or ISSO), and an operator.
Typical system administrator/operator functions include:

 Installing system software
 Starting up and shutting down the servers in the system
 Adding and removing system users
 Performing backup and recovery
 Handling and servicing printers
Typical security administrator functions include:

 Setting user clearances, initial passwords, and other security characteristics for new users, and changing security profiles for existing users
 Setting or changing file sensitivity labels
 Setting security characteristics of devices and communications channels
 Reviewing audit data

 The operator may perform some of the more mundane system administrator duties, such as doing backups.
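The three roles and their function lists above are, in effect, an access-control matrix, and the two principles in the Separation of Duties slide each correspond to one rule on top of it. The following added example (not from the slides) encodes the matrix as given, then enforces separation of duties by refusing to let one person hold the system-administrator and security-administrator roles at the same time (the second role exists to review the first), and least privilege by making every role grant expire. The principal names, the grant durations and the choice of which role pair conflicts are assumptions made for the example.

```python
"""Role-based checks implementing separation of duties and time-bounded least privilege.

Added example, not from the slides. The role/function matrix follows the slides;
the principals, durations and the conflicting-role rule are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Set

# Which role may perform which function, from the slides' three lists.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "system_administrator": {"install_software", "start_stop_servers", "add_remove_users",
                             "backup_recovery", "service_printers"},
    "security_administrator": {"set_user_clearances", "change_security_profiles",
                               "set_file_labels", "set_device_security", "review_audit_data"},
    "operator": {"backup_recovery"},   # only the mundane sysadmin duties
}

# Separation of duties (assumption): the person whose actions are audited must not also be
# the person who reviews the audit data.
CONFLICTING_ROLES = [frozenset({"system_administrator", "security_administrator"})]


class AccessControl:
    def __init__(self) -> None:
        # principal -> role -> time the grant expires
        self._grants: Dict[str, Dict[str, datetime]] = defaultdict(dict)

    def active_roles(self, principal: str, now: datetime) -> Set[str]:
        return {role for role, expires in self._grants[principal].items() if expires > now}

    def grant(self, principal: str, role: str, now: datetime, duration: timedelta) -> None:
        """Give a principal a role for a bounded time; refuse combinations that defeat separation."""
        if role not in ROLE_FUNCTIONS:
            raise ValueError(f"unknown role {role!r}")
        would_hold = self.active_roles(principal, now) | {role}
        for pair in CONFLICTING_ROLES:
            if pair <= would_hold:
                raise PermissionError(f"{principal} may not hold {' and '.join(sorted(pair))} together")
        self._grants[principal][role] = now + duration

    def authorize(self, principal: str, function: str, now: datetime) -> bool:
        """True only if an unexpired role of the principal includes the function."""
        return any(function in ROLE_FUNCTIONS[r] for r in self.active_roles(principal, now))


def try_grant(ac: AccessControl, principal: str, role: str, now: datetime, duration: timedelta) -> bool:
    """Attempt a grant and report whether it was accepted."""
    try:
        ac.grant(principal, role, now, duration)
        return True
    except PermissionError:
        return False


T0 = datetime(2024, 3, 1, 8, 0)   # start of the constructed scenario


def demo() -> Dict[str, bool]:
    """Walk through the constructed scenario; every entry should be True."""
    ac = AccessControl()
    ac.grant("carol", "operator", T0, timedelta(hours=8))            # one shift
    ac.grant("dave", "system_administrator", T0, timedelta(days=1))
    ac.grant("erin", "security_administrator", T0, timedelta(days=1))
    an_hour_in = T0 + timedelta(hours=1)
    return {
        "operator_can_do_backups": ac.authorize("carol", "backup_recovery", an_hour_in),
        "operator_cannot_review_audit": not ac.authorize("carol", "review_audit_data", an_hour_in),
        "operator_grant_expires_after_shift": not ac.authorize("carol", "backup_recovery", T0 + timedelta(hours=9)),
        "sysadmin_refused_secadmin_role": not try_grant(ac, "dave", "security_administrator", T0, timedelta(days=1)),
        "secadmin_reviews_audit": ac.authorize("erin", "review_audit_data", an_hour_in),
        "secadmin_cannot_install_software": not ac.authorize("erin", "install_software", an_hour_in),
        "role_allowed_once_old_grant_expired": try_grant(ac, "dave", "security_administrator",
                                                         T0 + timedelta(days=2), timedelta(days=1)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'ok ' if ok else 'FAIL'} {check}")
```

The last check is the subtle one: dave may become a security administrator after his system-administrator grant has expired, because the conflict is about holding both roles at once, not about a person's history. Whether that is acceptable is a policy decision; an organization that wants a cooling-off period would compare against recently expired grants as well, which the matrix alone does not express.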
