|
1.6 Risk Assessment<br><br>1.6.1 General Discussion<br><br> One of the most important reasons for creating a computer security<br> policy is to ensure that efforts spent on security yield cost<br> effective benefits. Although this may seem obvious, it is possible<br> to be mislead about where the effort is needed. As an example, there<br> is a great deal of publicity about intruders on computers systems;<br> yet most surveys of computer security show that, for most<br> organizations, the actual loss from "insiders" is much greater.<br><br> Risk analysis involves determining what you need to protect, what you<br> need to protect it from, and how to protect it. It is the process of<br> examining all of your risks, then ranking those risks by level of<br> severity. This process involves making cost-effective decisions on<br> what you want to protect. As mentioned above, you should probably<br> not spend more to protect something than it is actually worth.<br><br> A full treatment of risk analysis is outside the scope of this<br> document. [Fites 1989] and [Pfleeger 1989] provide introductions to<br> this topic. However, there are two elements of a risk analysis that<br> will be briefly covered in the next two sections:<br><br> (1) Identifying the assets<br> (2) Identifying the threats<br><br> For each asset, the basic goals of security are availability,<br> confidentiality, and integrity. Each threat should be examined with<br> an eye to how the threat could affect these areas.<br><br>1.6.2 Identifying the Assets<br><br> One step in a risk analysis is to identify all the things that need<br> to be protected. Some things are obvious, like valuable proprietary<br> information, intellectual property, and all the various pieces of<br> hardware; but, some are overlooked, such as the people who actually<br> use the systems. The essential point is to list all things that could<br> be affected by a security problem.<br><br> One list of categories is suggested by Pfleeger [Pfleeger 1989]; this<br> list is adapted from that source:<br><br> (1) Hardware: CPUs, boards, keyboards, terminals,<br> workstations, personal computers, printers, disk<br> drives, communication lines, terminal servers, routers.<br><br><br><br><br><br>Fraser, Ed. Informational [Page 5]<br> <br><br>RFC 2196 Site Security Handbook September 1997<br><br><br> (2) Software: source programs, object programs,<br> utilities, diagnostic programs, operating systems,<br> communication programs.<br><br> (3) Data: during execution, stored on-line, archived off-line,<br> backups, audit logs, databases, in transit over<br> communication media.<br><br> (4) People: users, administrators, hardware maintainers.<br><br> (5) Documentation: on programs, hardware, systems, local<br> administrative procedures.<br><br> (6) Supplies: paper, forms, ribbons, magnetic media.<br><br>1.6.3 Identifying the Threats<br><br> Once the assets requiring protection are identified, it is necessary<br> to identify threats to those assets. The threats can then be<br> examined to determine what potential for loss exists. It helps to<br> consider from what threats you are trying to protect your assets.<br> The following are classic threats that should be considered.<br> Depending on your site, there will be more specific threats that<br> should be identified and addressed.<br><br> (1) Unauthorized access to resources and/or information<br> (2) Unintented and/or unauthorized Disclosure of information<br> (3) Denial of service<br><br>2. Security Policies<br><br> Throughout this document there will be many references to policies.<br> Often these references will include recommendations for specific<br> policies. Rather than repeat guidance in how to create and<br> communicate such a policy, the reader should apply the advice<br> presented in this chapter when developing any policy recommended<br> later in this book.<br><br>2.1 What is a Security Policy and Why Have One?<br><br> The security-related decisions you make, or fail to make, as<br> administrator largely determines how secure or insecure your network<br> is, how much functionality your network offers, and how easy your<br> network is to use. However, you cannot make good decisions about<br> security without first determining what your security goals are.<br> Until you determine what your security goals are, you cannot make<br> effective use of any collection of security tools because you simply<br> will not know what to check for and what restrictions to impose.<br><br><br><br>Fraser, Ed. Informational [Page 6]<br> <br><br>RFC 2196 Site Security Handbook September 1997<br><br><br> For example, your goals will probably be very different from the<br> goals of a product vendor. Vendors are trying to make configuration<br> and operation of their products as simple as possible, which implies<br> that the default configurations will often be as open (i.e.,<br> insecure) as possible. While this does make it easier to install new<br> products, it also leaves access to those systems, and other systems<br> through them, open to any user who wanders by.<br><br> Your goals will be largely determined by the following key tradeoffs:<br><br> (1) services offered versus security provided -<br> Each service offered to users carries its own security risks.<br> For some services the risk outweighs the benefit of the service<br> and the administrator may choose to eliminate the service rather<br> than try to secure it.<br><br> (2) ease of use versus security -<br> The easiest system to use would allow access to any user and<br> require no passwords; that is, there would be no security.<br> Requiring passwords makes the system a little less convenient,<br> but more secure. Requiring device-generated one-time passwords<br> makes the system even more difficult to use, but much more<br> secure.<br><br> (3) cost of security versus risk of loss -<br> There are many different costs to security: monetary (i.e., the<br> cost of purchasing security hardware and software like firewalls<br> and one-time password generators), performance (i.e., encryption<br> and decryption take time), and ease of use (as mentioned above).<br> There are also many levels of risk: loss of privacy (i.e., the<br> reading of information by unauthorized individuals), loss of<br> data (i.e., the corruption or erasure of information), and the<br> loss of service (e.g., the filling of data storage space, usage<br> of computational resources, and denial of network access). Each<br> type of cost must be weighed against each type of loss.<br><br><br> Your goals should be communicated to all users, operations staff, and<br> managers through a set of security rules, called a "security policy."<br> We are using this term, rather than the narrower "computer security<br> policy" since the scope includes all types of information technology<br> and the information stored and manipulated by the technology.<br><br>2.1.1 Definition of a Security Policy<br><br> A security policy is a formal statement of the rules by which people<br> who are given access to an organization's technology and information<br> assets must abide.<br><br><br><br>Fraser, Ed. Informational [Page 7]<br> <br><br>RFC 2196 Site Security Handbook September 1997<br><br><br>2.1.2 Purposes of a Security Policy<br><br> The main purpose of a security policy is to inform users, staff and<br> managers of their obligatory requirements for protecting technology<br> and information assets. The policy should specify the mechanisms<br> through which these requirements can be met. Another purpose is to<br> provide a baseline from which to acquire, configure and audit<br> computer systems and networks for compliance with the policy.<br> Therefore an attempt to use a set of security tools in the absence of<br> at least an implied security policy is meaningless.<br><br> An Appropriate Use Policy (AUP) may also be part of a security<br> policy. It should spell out what users shall and shall not do on the<br> various components of the system, including the type of traffic<br> allowed on the networks. The AUP should be as explicit as possible<br> to avoid ambiguity or misunderstanding. For example, an AUP might<br> list any prohibited USENET newsgroups. (Note: Appropriate Use Policy<br> is referred to as Acceptable Use Policy by some sites.)<br><br>2.1.3 Who Should be Involved When Forming Policy?<br><br> In order for a security policy to be appropriate and effective, it<br> needs to have the acceptance and support of all levels of employees<br> within the organization. It is especially important that corporate<br> management fully support the security policy process otherwise there<br> is little chance that they will have the intended impact. The<br> following is a list of individuals who should be involved in the<br> creation and review of security policy documents:<br><br> (1) site security administrator<br> (2) information technology technical staff (e.g., staff from<br> computing center)<br> (3) administrators of large user groups within the organization<br> (e.g., business divisions, computer science department within a<br> university, etc.)<br> (4) security incident response team<br> (5) representatives of the user groups affected by the security<br> policy<br> (6) responsible management<br> (7) legal counsel (if appropriate)<br><br> The list above is representative of many organizations, but is not<br> necessarily comprehensive. The idea is to bring in representation<br> from key stakeholders, management who have budget and policy<br> authority, technical staff who know what can and cannot be supported,<br> and legal counsel who know the legal ramifications of various policy<br><br><br><br><br><br>Fraser, Ed. Informational [Page 8]<br> <br><br>RFC 2196 Site Security Handbook September 1997<br><br><br> choices. In some organizations, it may be appropriate to include EDP<br> audit personnel. Involving this group is important if resulting<br> policy statements are to reach the broadest possible acceptance. It<br> is also relevant to mention that the role of legal counsel will also<br> vary from country to country.<br><br>2.2 What Makes a Good Security Policy?<br><br> The characteristics of a good security policy are:<br><br> (1) It must be implementable through system administration<br> procedures, publishing of acceptable use guidelines, or other<br> appropriate methods.<br><br> (2) It must be enforcible with security tools, where appropriate,<br> and with sanctions, where actual prevention is not technically<br> feasible.<br><br> (3) It must clearly define the areas of responsibility for the<br> users, administrators, and management.<br><br> The components of a good security policy include:<br><br> (1) Computer Technology Purchasing Guidelines which specify<br> required, or preferred, security features. These should<br> supplement existing purchasing policies and guidelines.<br><br> (2) A Privacy Policy which defines reasonable expectations of<br> privacy regarding such issues as monitoring of electronic mail,<br> logging of keystrokes, and access to users' files.<br><br> (3) An Access Policy which defines access rights and privileges to<br> protect assets from loss or disclosure by specifying acceptable<br> use guidelines for users, operations staff, and management. It<br> should provide guidelines for external connections, data<br> communications, connecting devices to a network, and adding new<br> software to systems. It should also specify any required<br> notification messages (e.g., connect messages should provide<br> warnings about authorized usage and line monitoring, and not<br> simply say "Welcome").<br><br> (4) An Accountability Policy which defines the responsibilities of<br> users, operations staff, and management. It should specify an<br> audit capability, and provide incident handling guidelines<br> (i.e., what to do and who to contact if a possible intrusion is<br> detected).<br><br><br><br><br><br>Fraser, Ed. Informational [Page 9]<br> <br><br>RFC 2196 Site Security Handbook September 1997<br><br><br> (5) An Authentication Policy which establishes trust through an<br> effective password policy, and by setting guidelines for remote<br> location authentication and the use of authentication devices<br> (e.g., one-time passwords and the devices that generate them).<br><br> (6) An Availability statement which sets users' expectations for the<br> availability of resources. It should address redundancy and<br> recovery issues, as well as specify operating hours and<br> maintenance down-time periods. It should also include contact<br> information for reporting system and network failures.<br><br> (7) An Information Technology System & Network Maintenance Policy<br> which describes how both internal and external maintenance<br> people are allowed to handle and access technology. One<br> important topic to be addressed here is whether remote<br> maintenance is allowed and how such access is controlled.<br> Another area for consideration here is outsourcing and how it is<br> managed.<br><br> (8) A Violations Reporting Policy that indicates which types of<br> violations (e.g., privacy and security, internal and external)<br> must be reported and to whom the reports are made. A non-<br> threatening atmosphere and the possibility of anonymous<br> reporting will result in a greater probability that a violation<br> will be reported if it is detected.<br><br> (9) Supporting Information which provides users, staff, and<br> management with contact information for each type of policy<br> violation; guidelines on how to handle outside queries about a<br> security incident, or information which may be considered<br> confidential or proprietary; and cross-references to security<br> procedures and related information, such as company policies and<br> governmental laws and regulations.<br><br> There may be regulatory requirements that affect some aspects of your<br> security policy (e.g., line monitoring). The creators of the<br> security policy should consider seeking legal assistance in the<br> creation of the policy. At a minimum, the policy should be reviewed<br> by legal counsel.<br><br> |
|熊猫同学技术论坛|小黑屋|
网络工程师论坛
( 沪ICP备09076391 )
发表于 2003-8-25 19:46:09
提升卡
置顶卡
变色卡
显身卡
楼主