IT Security & Risk Management Policy for Computers
By Hamid Reza Zamanian, May 2007
Course: RedHat Linux Networking and Security
Teacher: Jalal Hajigholamali
Location: ISIRAN Institute, Tehran, Iran
Preface (I/III)
An IT Security & Risk Management Policy exists only to improve how well your business is protected against the different types of data loss, information leakage, ID theft and attacks. At a glance, IT security is an expensive industry, so to avoid spending more than necessary you have to identify the real needs of your business and match them to the right, suitable security solutions. But there are no guarantees in the IT security world and NO ONE can secure your business completely, even with real-time updates and patch advisory solutions, because in IT security many factors are at work: vulnerabilities, human mistakes, bugs, natural disasters, etc.
Preface (II/III)
IT security is categorized by device and network type as follows:
1) Laptops & USB devices
2) Computers
3) Wi-Fi networks & devices
4) Mobile networks & devices
5) Router devices
6) Bluetooth
7) Phone phreaking
This seminar covers computer security regardless of workstation/server type, and it also covers security policy for administrators and end users.
Preface (III/III): Security Policy Chart
2.1) Physical & Security Architectural Location (Server Location, Client Location):
According to risk management principles, you as a security administrator have to anticipate any kind of natural or otherwise uncontrollable disaster that may strike server and client PCs, and as a preliminary action you should identify the safest places to locate your machines so they are protected from harm. You should also use secure architectural designs to protect your machines from hacking attacks.
2.2) Electrical & Noise Protection:
2.2.1) Central UPS and/or Backup Electricity Generator: You need an alternative electricity supply for the moment of a power failure to prevent downtime. It is also good to have a backup electricity generator beside the UPS, because a UPS can only help you for a limited time.
2.2.2) Noise Protection and Safe Cabling: Electrical interference/noise is another problem you can face, so you should provide adequate solutions through safe cabling and suitable devices.
2.3) Data Loss (Server, Client):
There are two types of data loss in IT security:
1) Data loss in the sense of deletion of data.
2) Data loss in the sense of data passing into the wrong hands of a third party.
In this section we discuss the first type and then move on to the second. The anti-data-loss policy (for data removal) is divided into two categories by machine type: first servers, then clients.
2.3.1) Server Data Loss Policy:
- Server's Backup Location:
  > Anti-Human Factor:
    a) No third party is allowed to access data backups; set an access policy.
    b) Encryption.
    c) No access from outside or from the internet; for exceptions, a special key certificate should be required.
    d) Spy cameras for the backup archive office.
    e) RFID (Radio Frequency ID) badges for the staff allowed to access data backups.
  > Anti-Natural Disasters:
    a) Locate backups in a safe place, protected from flood, earthquake and lightning.
- Server's Database Backup Policy: You have to set a timetable for making regular database backups, because the database is the part that plays the most important role in the IT business.
- Server's Data Backup Policy:
  > Official Regular Backup:
    a) Set a timetable for making regular data backups (non-database).
    b) Adopt an official codification system for labelling backups.
    c) Encrypt data backups; keep a list of the official backup codes and key codes.
    d) Appoint an encryption key manager for any future decryption.
  > Settings Backup:
    a) Set a timetable for making regular settings backups.
    b) Adopt an official codification system for labelling settings backups.
- Restore Programs: Although restore programs are great, they cannot help you at the moment of a hard disk crash; they are only for non-crash data loss disasters. Nevertheless, you should choose the best one by evaluation.
- HD Mirroring & 2nd Alternative Server: In risk management we should anticipate any kind of future risk and think of alternative choices for problems outside our control. So HD mirroring is a good alternative for hard disk crashes, and a 2nd alternative server (besides domain forwarding and global use) is another alternative that protects your business from downtime.
2.3.2) Client Data Loss Policy:
- Client's Regular Backup:
  > Backup Timetable:
    a) Set a timetable for the regular backup of client data & special settings.
  > Restore Programs:
    a) For non-HD-crash situations, restore programs should be considered.
- Client's Data Backup Location: Although client data backups are not as important as server data backups, you still have to provide a safe place to store them.
Confidential Data Loss:
Another type is confidential data loss into the wrong hands of a third party; statistically it falls into three categories:
1) Data loss at work: e.g. Soft-Bank was hacked via keyword technique & numeric matching, lost thousands of customer records and had to pay a $14 million fine for those records.
2) Data loss on a plane/at home: e.g. Vendors Administration Co. lost 25.6 million confidential customer records via a stolen USB device and paid a $16 million fine, but the government has now imposed a $25.6 billion fine for it.
3) Data loss at the customer side: e.g. Ernst & Young Co. lost 250,000 records via a rogue person at their vendor www.hotel.com, who e-mailed them to a third party.
Prevention methods against the above harms:
a) For the first example, use a file content filtering system.
b) Staff in critical positions are not allowed to make personal backups; where they do, they must use encryption methods & rights management.
c) End-point analysis & finger-printing, and strong job interviews for critical positions.
2.4) OS, Application and Data Security (Admin, Users, Data; each Global/Local):
In every IT-based business or organization there are three main security policies that should be assigned, and all three are directed against human-factor cyber-crime activities regardless of who commits them, whether your own clients or a third party outside your company. By our division, OS, Application and Data Security is categorized into three levels: security policy for admins, for clients and for data (non-DB).
2.4.1) Security Policy for Administrators (Global: Attacks, Website & Web App, Hosting Web Servers; Local):
Generally there are two types of servers, which differ in the type of users, attacks, applications and the scale of their connections. By our division these two categories are Global Servers and Local Servers. Global servers serve people via the Internet and extranets; local servers serve people via local networks.
2.4.1.1) Global Servers Security Policy for Admins:
Global servers are always in more danger than local servers. The risks they are constantly exposed to are cyber-attacks, ID theft and data loss. We separate the admin security policies for global servers into three levels:
- Security policy for cyber-attacks
- Security policy for websites and web applications
- Security policy for hosting web servers
2.4.1.1.1) Attacks:
Our servers face different types of cyber-attacks every day. The only preliminary actions we can take are assessment, prevention, detection, response and vigilance, which we go through in this seminar.
Attack types are:
a) DoS attacks
b) Social engineering & phishing attacks
c) Pharming attacks
d) Virus, worm and spyware attacks
e) Hacking attempts
f) Fraud attempts
a) DoS attacks: This attack disturbs web-based businesses by overwhelming the maximum allowed number of connections.
- Problems:
  > Connection overflow
  > Stops your business
  > Harms your reputation
  > Financial loss (if a financial company)
  > Probability of an extortion purpose
- Solutions:
  > DoS detection & protection hardware
  > DoS detection & protection software
  > Ping request limits
  > Honeypots
b) Social Engineering & Phishing attacks: This attack tricks people into acting as the phishers want. It deceives people with fake URLs & messages that appear to come from a company.
- Problems:
  > Harms your reputation
  > Financial loss (if financial)
  > International economic terrorism
  > Increase in money laundering
  > Decrease in Internet safety
- Solutions:
  > Anti-phishing software, e.g. Cyveillance Intelligence Center 3.0
  > Codification of business communications to defeat third-party phishing
  > Public alerts and warnings about any phishing attacks around
c) Pharming attacks: This attack overwrites the DNS of a website to redirect its customers and hijack the customers' data for phishing purposes.
- Problems:
  > DNS overwrite
  > DNS hijacking
  > Harms your reputation
  > Financial loss (if a financial company)
  > Probability of an extortion purpose
- Solutions:
  > Authentic site verification via trusted sites
  > Assign a domain transfer password
  > Domain transfer prohibition
d) Virus, super-worm and spyware attacks: These attacks disturb your web-based business, your local networks, and the work of programs & services.
- Problems:
  > Data loss
  > Unexpected problems
  > Info theft
  > Financial loss
  > Grey nets
- Solutions:
  > Anti-virus, anti-spyware
  > Transaction monitoring system
  > Patch updates, execute-permission limits
  > Public alerts
e) Hacking attempts: These attacks intrude into servers and PCs for illegal purposes, to hijack critical info such as customer data, business plans, etc.
- Problems:
  > Intrusion
  > Use by cyber-criminals
  > Info hijacking
  > Form injection
  > Zombie PC
  > Brute force
- Solutions:
  > Threat detection hardware/software
  > Firewall hardware/software
  > Anti-brute-force
  > Login failure limit
  > Service permit limit
  > Patch advisory
  > No default passwords/settings
  > No simple passwords
  > Password tokens
  > SSL certificate
  > No SSH gcc (no compiler for SSH users)
  > IDS
  > SQL/DB guard
  > Security scanners (software/hardware)
f) Fraud attempts: These attacks cheat admins and clients to earn illegal money via the Internet, and hijack info for illegal purposes.
- Problems:
  > Safety decrease
  > Loss of trust
  > Financial issues
  > Chargebacks
  > Business stop
- Solutions:
  > Fraud detection & protection software
  > Public alerts
  > Social engineering prevention methods
2.4.1.1.2) Website & Web Application Security Policy for Administrators:
a) Process Limit Alert: This setting detects when a client's web application exceeds its maximum process count, warns the client and sends an alert to the admin.
b) Service Usage Limit: This setting controls clients' web applications & shell codes and limits their ability to use certain server services.
c) Web Application Security Control: This policy checks web applications before they are run on the server, so the server is not put at risk, because some web applications have bugs that allow a remote shell from outside, which can put our machines at risk.
2.4.1.1.3) Hosting Servers Security Policy for Administrators:
a) FTP Security Setting: This setting limits FTP executions so the service cannot be used for hacking purposes.
b) Server Security Settings: These settings limit web applications in PHP, CGI, ASP, DO, CFM, etc., to prevent the server from being hacked by its own clients via web shell applications.
c) Privilege Settings: Privilege settings limit unauthorized access from non-allowed groups and users (see 2.4.1.1.3.3).
d) Spam Detect & Protect Policy: This common policy guards against tricky clients who intend to use the server as a zombie PC for spamming.
2.4.1.1.3.3) Hosting Server Privilege Security Policy for Administrators:
a) Websites Privilege Security Setting:
a.1) Application Updates & Process Limit Control: Application updates matter for hosting companies that use one shared web application for all clients: if the application has a bug, since it is shared between clients, updates must take effect on time. Process limit control stops web applications from exceeding their allowed process limit.
a.2) Apache & PHP Privilege: Apache & PHP should not run with root privilege and should be fully controlled, because many of today's hacks & intrusions are due to this factor.
a.3) No SSH, No Telnet = No Backdoor: Nowadays one of the most important factors in intrusion is SSH service clients who are hacked by mistake and open the server's doors to intruders.
b) SSH & VPN Security Setting:
b.1) Source Compile Command Limits: Users who use SSH should be restricted from compiling source code, because if they compile, the compiler runs under root privilege and they have enough privilege to execute, your server is at great risk.
b.2) SSH Group Limits: You have to be careful about your SSH clients; before allowing them to use this service, evaluate them thoroughly and adopt a "How to limit SSH users?" policy so they cannot intrude into unauthorized sections of your server.
b.3) Service Limits Privacy: You have to know the relation between each client and the services they use or ask for, and limit their service usage according to your business privacy & policy.
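As an added example (not part of the seminar), the following POSIX shell script audits the three privilege points above: SSH limited to an allowed group (b.2), no root login over SSH (a.3) and Apache not running as root (a.2). The two config files it checks are constructed weak samples written to a temp directory; on a real RedHat host the files would be /etc/ssh/sshd_config and /etc/httpd/conf/httpd.conf, and the group "sshusers" and account "apache" are assumed names.

```shell
#!/bin/sh
# Added example (not from the seminar): audit an sshd_config and an httpd.conf
# against the policy above: SSH restricted to one allowed group (b.2), no root
# login over SSH (a.3), and Apache/PHP not running as root (a.2).
# Both sample files below are constructed for the demonstration.

WORK="$(mktemp -d)"
SSHD_CFG="$WORK/sshd_config"   # constructed weak config, not a real host's file
HTTPD_CFG="$WORK/httpd.conf"   # constructed weak config

cat > "$SSHD_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HTTPD_CFG" <<'EOF'
User root
Group root
DocumentRoot /var/www/html
EOF

# cfg_value FILE DIRECTIVE: value of the first matching directive (sshd uses the
# first occurrence), matched case-insensitively; '#' comment lines never match.
cfg_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) && !found { val = $2; found = 1 }
                     END { print val }' "$1"
}

# audit_sshd FILE: one FAIL line per violation; return code = violation count.
audit_sshd() {
    fails=0
    if [ -z "$(cfg_value "$1" AllowGroups)" ]; then
        echo "FAIL sshd: AllowGroups not set, so every local account may use SSH"
        fails=$((fails + 1))
    fi
    if [ "$(cfg_value "$1" PermitRootLogin)" != "no" ]; then
        echo "FAIL sshd: PermitRootLogin is not 'no'"
        fails=$((fails + 1))
    fi
    return $fails
}

# audit_httpd FILE: the User and Group directives must name an unprivileged account.
audit_httpd() {
    fails=0
    for d in User Group; do
        v="$(cfg_value "$1" "$d")"
        if [ -z "$v" ] || [ "$v" = "root" ]; then
            echo "FAIL httpd: $d is '${v:-unset}', must be an unprivileged account"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# write_hardened_sshd FILE / write_hardened_httpd FILE: what passing files look
# like. The group "sshusers" and the account "apache" are assumed names.
write_hardened_sshd() {
    printf 'PermitRootLogin no\nAllowGroups sshusers\nPasswordAuthentication no\n' > "$1"
}
write_hardened_httpd() {
    printf 'User apache\nGroup apache\n' > "$1"
}
```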
2.4.2) Security Policy for Clients (Agreement & Policy; Forced Settings; Global/Local):
Security policy for clients is divided into two categories: the first introduces our policy and asks for their agreement; the second is the forced settings we apply to limit them and prevent illegal activities via the services we offer. However, you should know that although your users accept your policy at first, there can be tricky people among your clients who are waiting for a chance to access unauthorized services and data for illegal use.
2.4.2.1.1) Agreement & Policy:
a.1) Cyber-Crime Privacy: Nowadays cyber-crime has increased and you have to warn your users not to get involved in any such activities via the services you offer them. The most common cyber-criminal activities today that you should prevent your clients from getting involved in are:
> Selling drugs via websites
> Phishing sites
> Warez forums and websites
> Hacking activities
> Child porn sites
a.2) Confidential & Password Policy: This agreement recommends some security points to your clients, as advice and warning, to protect them from future security problems they may face, such as:
> Using digits, uppercase letters, lowercase letters and symbols in their passwords
> Keeping passwords in a safe place
> Never responding to a suspicious message that asks for their info
> Always checking the URL when they log in
a.3) Messaging Policy: This policy introduces your messaging system to your clients to protect them from future phishing attempts by a third party. It is also good to consider one of the following:
> Web-based support board with a message codification system
> Support forum
> Ticketing support system
2.4.2.1.2) Forced Settings:
b.1) Registration Form & Account Forced Settings: These settings are out of the client's control and are set by administrators to decrease security risks. As part of these policies, you may use the following options:
> JavaScript code in registration forms to prevent clients from choosing simple passwords
> JavaScript code in the account registration form to prevent submission of fake info
> Write-once for some records, e.g. account name, secret questions
> A record of the profile's last-change details
b.2) Threat & Account Activity Monitor: Even with security policies in place, client monitoring and vigilance are two factors you should take care of.
2.4.3) Data Security Policy (Global: Critical Data, Web App Source Code; Local):
In every IT-based business, protection of source code, business plans and customer records is the most important item and needs the most attention from security policy advisors. By our division, according to the importance of the data and its scale of accessibility, we split data into two groups, Global and Local, according to the server & network type. However, we only go through the global type in this section.
2.4.3.1) Global Servers Data Security Policy:
a.1) Critical Data Security Policy:
a.1.1) Anti-ID Theft: As ID theft is the most important cyber-crime today, we have to consider some type of file content filtering system to keep critical data from going into the wrong hands. Anti-ID theft products:
> Cyveillance Intelligence Center 3.0
a.1.1.1) Database Security: To protect your customers' data from unauthorized changes & leaking, you have to consider certain settings or tools. In our experience the following tools and methods can be useful:
> Separate passwords for read and write connections to the database
> Database write limits by third-party IP or process id
> Database guard software & hardware
> Information filtering system instead of a content filtering system
a.1.1.2) Data Encryption: Data encryption is a good solution to protect your data even if it gets into the wrong hands, but you should know how to use this technology in the right way. To use it, consider the following:
> Encrypt data with private keys, listing the key names in the data profile
> Appoint an encryption key manager for any future decryption
> Store encrypted data and their keys separately, each in a safe place
b.1) Web Application Source Code: Since special web applications are nowadays very expensive and some are very specific, business owners are really serious about protecting the source code from reaching an unauthorized party. The solutions we offer are:
> Source code encryption
> Local license key for the application, or IP-locked license key
> Application security assessment to detect bugs
2.5) Security Logs, End-Point Finger-Printing & Analysis:
Although you monitor threats and take preliminary actions to protect your machines, sometimes the bad guys are ahead and that is out of your control. In these situations the only remaining help is finger-printing methods to trace the bad guys back through their IPs, contacting the proxy servers, etc. For these situations you have to set up the following services and features for log storage:
> Apache log storage in a non-default path on your server
> An automatic Apache log archiving feature beside its regular mailing
> Database access log storage in a non-default path on your server
> An automatic DB access log archiving feature beside its regular mailing
For your information, the log default paths in the Unix/Linux family are mentioned on the next page.
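The archiving feature described above, as an added POSIX shell example that is not part of the seminar: it copies an Apache access log into a non-default archive directory with a timestamp, compresses it, and records a SHA-256 hash in a manifest so that an investigator tracing back an incident can prove the archived copy was not altered. The log lines and all paths are constructed for the demonstration; on a real host the live log would be the path named by Apache's CustomLog directive.

```shell
#!/bin/sh
# Added example (not part of the seminar): archive a web-server access log into a
# non-default directory with a timestamp, compress it and record its SHA-256 in a
# manifest, so the copy can later be verified when tracing back an incident (2.5).
# All paths and log lines below are constructed for the demonstration.

WORK="$(mktemp -d)"
ACCESS_LOG="$WORK/access_log"             # constructed: stands in for the live log
ARCHIVE_DIR="$WORK/secure/httpd-archive"  # constructed non-default archive location

# Constructed sample lines in Apache "common" log format (RFC 5737 test addresses).
cat > "$ACCESS_LOG" <<'EOF'
192.0.2.10 - - [12/May/2007:10:15:01 +0330] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [12/May/2007:10:15:03 +0330] "GET /login.php HTTP/1.1" 200 2048
198.51.100.7 - - [12/May/2007:10:16:40 +0330] "POST /login.php HTTP/1.1" 401 512
EOF

# archive_log LOGFILE DIR: copy LOGFILE to DIR as <name>.<UTC timestamp>.<pid>.gz,
# make it read-only and append "<sha256>  <archived file>" to DIR/MANIFEST.
# Prints the archive path.
archive_log() {
    log="$1"; dir="$2"
    mkdir -p "$dir"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    out="$dir/$(basename "$log").$stamp.$$.gz"
    gzip -c "$log" > "$out"
    chmod 0400 "$out"                       # archived copy is read-only
    sum="$(sha256sum "$out" | cut -d' ' -f1)"
    printf '%s  %s\n' "$sum" "$out" >> "$dir/MANIFEST"
    echo "$out"
}

# verify_archive DIR: recompute every hash in MANIFEST; returns 0 only if all
# archived copies still match the hashes recorded when they were archived.
verify_archive() {
    sha256sum -c --quiet "$1/MANIFEST"
}

# archived_line_count FILE.gz: number of log lines inside an archived copy.
archived_line_count() {
    gzip -dc "$1" | wc -l | tr -d ' '
}
```

In production the archive_log call would run from cron or a logrotate postrotate hook against the rotated file, and the manifest would be kept on a separate host.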