Intro to Computer Security - Security Policies

Introduction to Security Policies

  • Definition: A security policy outlines what is and what is not allowed in an organization's digital and physical environments.

  • Importance of Understanding Security Policies: Students generally encounter security policies (e.g., university policies regarding student accounts) that dictate acceptable behavior.

Types of Security Policies

  • University Security Policy:

    • Details students' permissible actions with their accounts.

    • Mandatory agreement upon admission, though not always thoroughly read.

  • Faculty Security Policy:

    • Similar to the student policy, but with additional requirements related to faculty accounts and access to sensitive data.

    • Informs faculty about handling sensitive records (e.g., medical records).

Importance of Full Disk Encryption

  • Statement: Full disk encryption is essential, especially for devices containing sensitive information (e.g., university laptops).

  • Example Incident:

    • A Department of Veterans Affairs employee left a laptop containing unencrypted sensitive medical data in a car.

    • The laptop was stolen, compromising sensitive patient information, leading to a loss of trust from affected individuals.

  • Policy Enforcement:

    • Organizations often require full disk encryption on devices taken off campus.

Structuring Security Policies

  • Policy Details: Clear and detailed policies are crucial for ensuring comprehensive security practices.

    • Example: A vague policy stating “everything should be secure” gives no specific, checkable requirements.

  • Procedure:

    • Identify prevalent threats.

    • Develop policies that mitigate these threats, so that stakeholders have a clear understanding of the security requirements.
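The procedure above (identify threats, then write rules that mitigate them) can be made concrete by expressing the policy as checkable rules rather than a vague statement. The following example was added to these notes and is not from the lecture; the rule set, the 15-minute screen-lock threshold and the device inventory are constructed for illustration, with the full disk encryption rule taken from the off-campus requirement discussed earlier.

```python
"""Turning a vague policy into specific, checkable rules.

Each rule names the threat it mitigates, the condition under which it applies,
and the concrete requirement a device must satisfy. A compliance check then
produces an explicit list of violations instead of "everything should be secure".
This is an illustrative example; rules and devices are constructed, not real.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Device = Dict[str, Any]


@dataclass
class Rule:
    rule_id: str
    threat: str                          # the threat identified in step 1
    applies_to: Callable[[Device], bool]  # when the rule is in scope
    satisfied_by: Callable[[Device], bool]  # the concrete requirement
    requirement: str


POLICY: List[Rule] = [
    Rule(
        rule_id="FDE-1",
        threat="Theft of a device that leaves campus (cf. the VA laptop incident)",
        applies_to=lambda d: d["leaves_campus"],
        satisfied_by=lambda d: d["full_disk_encryption"],
        requirement="Full disk encryption must be enabled on devices taken off campus",
    ),
    Rule(
        rule_id="DATA-1",
        threat="Exposure of sensitive records (e.g., medical data) stored on the device",
        applies_to=lambda d: d["holds_sensitive_data"],
        # 15 minutes is an assumed threshold chosen for this example
        satisfied_by=lambda d: d["full_disk_encryption"] and d["screen_lock_minutes"] <= 15,
        requirement="Sensitive data must sit on an encrypted disk behind a screen lock of at most 15 minutes",
    ),
    Rule(
        rule_id="FW-1",
        threat="Network attacks against the host while it is outside the campus firewall",
        applies_to=lambda d: d["leaves_campus"],
        satisfied_by=lambda d: d["host_firewall"],
        requirement="Host firewall must be enabled on devices taken off campus",
    ),
]


def check_device(device: Device, policy: List[Rule] = POLICY) -> List[str]:
    """Return the ids of the rules this device violates (empty list = compliant)."""
    violations = []
    for rule in policy:
        if rule.applies_to(device) and not rule.satisfied_by(device):
            violations.append(rule.rule_id)
    return violations


def compliance_report(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its list of violated rule ids."""
    return {d["name"]: check_device(d) for d in devices}


# Constructed sample inventory (not real devices)
SAMPLE_DEVICES: List[Device] = [
    {"name": "lab-desktop-01", "leaves_campus": False, "holds_sensitive_data": False,
     "full_disk_encryption": False, "screen_lock_minutes": 60, "host_firewall": True},
    {"name": "faculty-laptop-07", "leaves_campus": True, "holds_sensitive_data": True,
     "full_disk_encryption": False, "screen_lock_minutes": 5, "host_firewall": True},
    {"name": "staff-laptop-12", "leaves_campus": True, "holds_sensitive_data": True,
     "full_disk_encryption": True, "screen_lock_minutes": 10, "host_firewall": True},
]

if __name__ == "__main__":
    for name, violated in compliance_report(SAMPLE_DEVICES).items():
        print(name, "OK" if not violated else "VIOLATES " + ", ".join(violated))
```

Because every rule records the threat it addresses, a stakeholder can see why each requirement exists, and a device that fails gets a precise finding (for example, the unencrypted faculty laptop fails both FDE-1 and DATA-1) instead of a generic "not secure".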

Categories of Security Mechanisms

  • Technical (Logical) Security:

    • Tools such as firewalls and intrusion detection systems (IDS).

    • Software signing to verify authenticity of applications and ensure they have not been tampered with (e.g., supply chain attacks).

  • Physical Security:

    • Locks on doors and controlled access to sensitive environments and data (e.g., locked filing cabinets for confidential records).

  • Administrative Rules:

    • Guidelines on data retention and on handling confidential files (e.g., securing them before leaving the office).

Trust and Assurance in Security Practices

  • Concept of Trust:

    • As users of technological systems (e.g., cell phones), we inherently trust the manufacturers for security.

  • Assurance:

    • Assurance refers to the confidence in the effectiveness of security mechanisms rather than absolute trust.

    • Involves verifying that security policies and mechanisms are functioning correctly.

Assurance Process

  • Regulations: Industries, particularly government contractors, often require adherence to specific security assurance standards.

  • Specification: Clearly define what security measures should achieve.

  • Analysis and Proof:

    • While mathematical proofs are ideal for high assurance needs (like governmental systems), they are rarely used across industries due to complexity.

    • Analysis and proof verify that security mechanisms satisfy policies by:

      • Correctness: checking the design logic.

      • Confidence: gathering evidence that the controls function as intended.

      • Mathematical rigor: applying formal models in high-security contexts.

      • Validation: confirming that the final product adheres to the design.

  • Implementation Validation: Ensure security mechanisms actively support policy adherence.

Security Development Lifecycle

  • Phases: Specification, Analysis, Design, Implementation.

    • Similar to software development cycles but specifically tailored for security implementations.

  • Continuous Monitoring: Security is not a set-it-and-forget-it process; consistent monitoring and updates are necessary to adapt to emerging threats (e.g., AI risks).

Defense in Depth in Security

  • Defensive Strategies: Acknowledge that breaches will occur and prepare layered defenses (a defense in depth strategy).

  • Example Case: The Sony hack highlighted the failure of internal security measures once the initial breach had occurred.

  • Importance of Segmentation: Network security should not rely solely on an external (perimeter) firewall; proper internal security mechanisms between segments are essential.

Mechanisms to Implement

  • External Security:

    • Use of firewalls and intrusion detection/prevention systems (IDS/IPS).

  • Internal Security:

    • Network segmentation, host-level security measures, and strict authentication processes.

  • Data Security:

    • Encrypting data at rest and in transit to safeguard sensitive information against unauthorized access.
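The segmentation point above (an external firewall alone is not enough) and the internal security mechanisms just listed can be illustrated with a small zone-based rule evaluator. This example was added to these notes and is not from the lecture; the zone names, ports and rule sets are constructed. It compares a perimeter-only rule set, where the external firewall is the only control and everything inside is allowed, with a segmented rule set that default-denies traffic between internal zones, and shows what happens to a flow from an already compromised DMZ host toward an internal records server.

```python
"""Zone-based segmentation check: perimeter-only versus segmented rule sets.

Illustrative example; zones, ports and rules are constructed for the notes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # source zone, or "*" for any zone
    dst: str              # destination zone, or "*" for any zone
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"
    comment: str          # shows up in the audit trail when the rule matches


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def evaluate(flow: Flow, rules: List[Rule], default: str) -> Tuple[str, str]:
    """First-match evaluation; returns (action, reason) so decisions are auditable."""
    for r in rules:
        if r.src in ("*", flow.src) and r.dst in ("*", flow.dst) and r.port in (None, flow.port):
            return r.action, r.comment
    return default, "default policy"


# Perimeter-only: rules exist only at the internet boundary.
PERIMETER_ONLY = [
    Rule("internet", "dmz", 443, "allow", "public web front end"),
    Rule("internet", "*", None, "deny", "block everything else from outside"),
]
# Inside the perimeter nothing is filtered: every internal flow falls through to the default.
PERIMETER_DEFAULT = "allow"

# Segmented: explicit allows between tiers, everything else dropped (and logged).
SEGMENTED = [
    Rule("internet", "dmz", 443, "allow", "public web front end"),
    Rule("dmz", "app", 8443, "allow", "web tier to application tier only"),
    Rule("app", "records", 5432, "allow", "application tier to records database"),
    Rule("corp", "records", None, "deny", "workstations never talk to records directly"),
]
SEGMENTED_DEFAULT = "deny"

# Constructed flows, including one from a compromised DMZ web server
# reaching for an internal file share (port 445).
FLOWS = [
    Flow("internet", "dmz", 443),
    Flow("dmz", "records", 445),
    Flow("dmz", "app", 8443),
    Flow("corp", "records", 5432),
]


def compare(flows: List[Flow] = FLOWS) -> Dict[Tuple[str, str, int], Tuple[str, str]]:
    """For each flow, return (perimeter-only action, segmented action)."""
    return {
        (f.src, f.dst, f.port): (
            evaluate(f, PERIMETER_ONLY, PERIMETER_DEFAULT)[0],
            evaluate(f, SEGMENTED, SEGMENTED_DEFAULT)[0],
        )
        for f in flows
    }


if __name__ == "__main__":
    for key, (perimeter, segmented) in compare().items():
        print(f"{key[0]:>8} -> {key[1]:<8} port {key[2]:<5} perimeter-only={perimeter:<5} segmented={segmented}")
```

Under the perimeter-only rule set the DMZ-to-records flow is allowed, because no internal rule exists and the default is allow: this is the situation the Sony example describes, where one breached host can reach the rest of the network. Under the segmented rule set the same flow hits the default deny, and the returned reason string gives the operations team something to alert on.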

Conclusion: Principles to Remember in Security Management

  • Do not rely on policies alone; implement layered security (defense in depth).

  • Always incorporate encryption for sensitive data to limit exposure risks.

  • Remember: Prevention is always preferred, but be prepared for breaches by employing comprehensive security practices and mechanisms.