Chng 3: Chnh sch an ninh

Tng quan V chnh sch an ninh

What they cover Policy languages

V cc k thut
Types

Slide #4-1

Security Policy
Chnh sch phn chia h thng thnh 2 trng thi: Authorized (secure)
These are states the system can enter

Unauthorized (nonsecure)
If the system enters any of these states, its a security violation

Mt h thng an ton:
Starts in authorized state Never enters unauthorized state
Slide #4-2

Tnh bo mt
X set of entities, I information I has confidentiality property with respect to X if no x X can obtain information from I I can be disclosed to others Example:
X set of students I final exam answer key I is confidential with respect to X if students cannot obtain final exam answer key
Slide #4-3

Tnh ton vn
X set of entities, I information I has integrity property with respect to X if all x X trust information in I Types of integrity:
trust I, its conveyance and protection (data integrity) I information about origin of something or an identity (origin integrity, authentication) I resource: means resource functions as it should (assurance)
Slide #4-4

Tnh kh dng
X set of entities, I resource I has availability property with respect to X if all x X can access I Types of availability:
traditional: x gets access or not quality of service: promised a level of access (for example, a specific level of bandwidth) and not meet it, even though some access is achieved

Slide #4-5

Cc kiu chnh sch

Chnh sch qun i (chnh quyn)
Policy primarily protecting confidentiality

Chnh sch thng mi

Policy primarily protecting integrity

Chnh sch bo mt
Policy protecting only confidentiality

Chnh sch ton vn

Policy protecting only integrity
Slide #4-6

Tnh ton vn trong giao dch

Bt u trng thi bn vng
Consistent defined by specification

Thc hin mt chui cc thao tc (transaction)

Actions cannot be interrupted If actions complete, system in consistent state If actions do not complete, system reverts to beginning (consistent) state
Slide #4-7

S tin cy
Ngi qun tr ci mt bn v li: 1. Trusts patch came from vendor, not tampered with in transit 2. Trusts vendor tested patch thoroughly 3. Trusts vendors test environment corresponds to local environment 4. Trusts patch is installed correctly
Slide #4-8

Tnh hung
Chnh sch ngn cm gian ln
Includes copying homework, with or without permission

Cc SV kha CNTT lm bi tp trn my tnh A qun khng bo v file bi tp ca mnh B sao chp Ai l ngi gian ln?
A, B, or both?
Slide #4-9

Answer Part 1
B gian ln
Policy forbids copying homework assignment Bill did it System entered unauthorized state (Bill having a copy of Annes assignment)

Nu khng pht biu r rng trong chnh sch an ninh, th l ngm nh

Not credible that a unit of the university allows something that the university as a whole forbids, unless the unit explicitly says so
Slide #4-10

Answer Part 2
A khng bo v file bi tp
Not required by security policy

A khng vi phm chnh sch an ninh Nu chnh sch yu cu SV phi bo v file bi tp, th A vi phm chnh sch an ninh

Slide #4-11

K thut
Cch thc hoc quy trnh lm cho chnh sch c hiu lc:
Access controls (like bits to prevent someone from reading a homework file) Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems

Slide #4-12

V d v chnh sch
Chnh sch an ninh cho mt trng H
Institution has multiple campuses, administered from central office Each campus has its own administration, and unique aspects and needs

Chnh sch s dng hp php Chnh sch cho h thng email

Slide #4-13

Chnh sch s dng hp php

Dng cho tng campus Mc tiu ca h thng my tnh
Cc mc ch c bn: Truy cp ti nguyn, trao i thng tin, tn trng quyn ring t, tn trng tnh ton vn ca h thng

K thut thc hin chnh sch: quy nh hnh chnh

Warnings Denial of computer access Disciplinary action up to and including expulsion

Thng bo chnh thc cho cng ng ngi dng

Slide #4-14

Chnh sch th in t
Dng cho ton trng Gm 3 phn
Summary Full policy Interpretation at the campus

Slide #4-15

Summary
Cnh bo email khng phi ring t
Can be read during normal system administration Can be forged, altered, and forwarded

Unusual because the policy alerts users to the threats

Usually, policies say how to prevent problems, but do not define the threats
Slide #4-16

Summary
Nhng g nn v khng nn lm
Think before you send Be courteous, respectful of others Dont interfere with others use of email

C th s dng cho mc ch c nhn, nhng hn ch

Slide #4-17

Uses of E-mail
C th gi nc danh
Exception: if it violates laws or other policies

Khng gy phin h cho ngi khc

No spam, letter bombs, e-mailed worms, etc.

Hn ch s dng cho mc ch c nhn

Cannot interfere with university business Such e-mail may be a university record subject to disclosure
Slide #4-18

Security of E-mail
Nh trng c th c
Wont go out of its way to do so Allowed for legitimate business purposes Allowed to keep e-mail robust, reliable

Cho php lu tr hoc ghi nh li

May be able to recover e-mail from end system (backed up, for example)
Slide #4-19

Implementation
Thm vo cc yu cu c th ca cc c s
Example: incidental personal use not allowed if it benefits a non-university organization Allows implementation to take into account differences between campuses

Procedures for inspecting, monitoring, disclosing e-mail contents Backups

Slide #4-20

Key Points
Chnh sch m t nhng g c php K thut iu khin vic cc chnh sch c p dng nh th no S tin cy lm nn tng cho cc vn an ninh

Slide #4-21