
CEHv6 module 49 creating security policies


DOCUMENT INFORMATION

Basic information

Format
Pages: 50
Size: 1.54 MB

Content

Ethical Hacking and Countermeasures v6, Exam 312-50 Certified Ethical Hacker
Module XLIX: Creating Security Policies
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

News
Source: http://www.darkreading.com/

Cisco Systems Inc. has released a third-party study showing that, in many businesses, remote users worldwide work in an insecure manner. The survey had more than 2,000 participants; some work in IT and the rest are remote workers who use corporate computers. It found that users believe the Internet is safer now than it was a year earlier, and that this belief leads remote users to break policy more often than they did the year before. Patrick Gray, senior security strategist at Cisco and a former FBI investigator, said that this false sense of security among remote users is growing. In the survey, more than 56 percent of respondents agreed that the Internet is "safer" now than last year. Despite repeated warnings, some 34 percent of employees said they still click on unknown or malicious emails, and another 6 percent said they click on malicious attachments.
Module Objective

This module will familiarize you with:
• Security Policies
• Key Elements of Security Policy
• Role of Security Policy
• Classification of Security Policy
• Configurations of Security Policy
• Types of Security Policies
• E-mail Security Policy
• Software Security Policy
• Points to Remember While Writing a Security Policy

Module Flow

Security Policies → Key Elements of Security Policy → Role of Security Policy → Classification of Security Policy → Configurations of Security Policy → Types of Security Policies → E-mail Security Policy → Software Security Policy → Points to Remember While Writing a Security Policy
Security Policies

Security policies are the foundation of the security infrastructure. A security policy is a document, or set of documents, that describes at a high level the security controls that will be implemented in the company. Without them, you cannot protect your company from possible lawsuits, lost revenue, bad publicity, and basic security attacks.

A security policy defines the rules and safeguards that reduce the risk of harm. It maintains the integrity, confidentiality, and reliability of information and the value of assets. It also protects the company from threats such as information theft, natural and man-made disasters, damage, and technical failures, and against cyber attacks, malicious threats from the Internet, transnational criminal activity, foreign intelligence activities, and terrorism.

Policies are not technology specific and do three things for a company:
• Reduce or eliminate legal liability to employees and third parties
• Protect confidential, proprietary information from theft, misuse, unauthorized disclosure, or modification
• Prevent waste of company computing resources

Key Elements of Security Policy

A security policy contains the following key elements:
• Clear Communication: There must be no communication gap; the policy must be communicated clearly. A communication gap can lead to the creation of completely different sets of policies that are not feasible for users.
• Brief and Clear Information: Clear information about the network policy must be given to the developers so that they can decide on the network security approach.
• Defined Scope and Applicability: The scope identifies the assets that the network security policy must protect. The network policy addresses a wide range of issues, from physical security to personnel security.
• Enforceable by Law: The network policy must be enforceable and must impose penalties for policy breaches. Penalties for violations must be defined when the network policy is created.
• Recognizes Areas of Responsibility: The network policy must recognize the respective responsibilities of employees, the organization, and third-party users.
• Sufficient Guidance: A good network policy has proper references to other policies, which help in guiding and refining the scope and objectives of the policy.
• Top Management Involvement: Involvement of top management is mandatory, since management backing is what ensures conformity with the policy.

Defining the Purpose and Goals of Security Policy

Purpose of Security Policy
• To maintain an outline for the management and administration of network security
• To reduce risks caused by illegal use of system resources and by loss of sensitive or confidential data and intellectual property
• To differentiate users' access rights

Goals of Security Policy
• Protection of the organization's computing resources
• Elimination of legal liability arising from employees or third parties
• Ensuring the integrity of customer data and preventing unauthorized modification of data

A good security policy must be able to:
• Prevent wasting or misusing organization resources, especially computing resources
• Eliminate legal liability arising from employees or third-party users
• Safeguard valuable, confidential, or proprietary information from unauthorized access or disclosure
• Ensure the availability of data and processing resources
• Ensure the confidentiality and integrity of customer information and categorize the risk to the customer and the organization
• Ensure the integrity of data processing operations and prevent their unauthorized use
• Ensure the confidentiality of customers and their information, and prevent unauthorized disclosure or use of information

The goals stated in the security policy ultimately safeguard an asset, so the asset and the protection given to it must be determined together. This implies concern for corporate espionage, theft of intellectual property, eavesdropping, and damage to files by external attackers. The most important concern, and a crucial part of a security policy, is determining the protection, and it needs to be decided early on. Protection also involves defining where and how consequences are to be applied when there is a violation. While the specifics of the penalties can be left to senior management, the basic security policy needs to define the methods by which protection is implemented.

Role of Security Policy

Security policies play a vital role in the efficient working of an organization.
They cannot be explained in a few words, but their main roles are as follows:
• Security policies provide the rules and regulations that govern how users interact with their systems and how those systems should be configured
• They give steps on how to react when a system is attacked and when vulnerabilities are found
• They suggest the kind of security measures to be implemented in an organization
• They put every individual in the organization on the same page, so each individual is subject to the same policy

Classification of Security Policy

Once the data to be protected is determined, a set of policies is developed to protect that data. These policies are categorized as follows:

User Policy
A user policy defines what kind of user is using the network and what computer equipment is used in the organization. It defines the restrictions applied to users to protect the network, such as whether they can install programs on their computers, which programs they can use, and how they can access data. A password management policy is one of the user policies.
• Password Management Policy: Protects user accounts with strong passwords. It defines how often users must change their passwords and gives the complexity rules for the characters used in passwords.

IT Policy
An IT policy is designed for the IT department to keep the network secure and stable. It includes:
• Backup Policy: Defines what to back up, who backs it up, where backups are stored, how long they are kept, how backups are tested, and which programs are used to perform them.
• Server Configuration, Patch Update, and Modification Policies: Remove unneeded services, determine which servers should run an IDS, and define what must be done to update the system.
• Firewall Policy: Defines which ports to allow, how ports are managed, and who has access to the control console.

General Policies
General policies define responsibilities for general business purposes. They include:
• High Level Program Policy: Defines the owner of the policy, who administers it, the purpose and scope of the policy, and any exceptions.
• Business Continuity Plans: Deal with keeping the business running. They include crisis management and disaster recovery.

Partner Policy
A policy defined among a group of partners.

Issue Specific Policies
• Recognize specific areas of concern and describe the organization's position on them for top-level management
• Require revision and upgrading from time to time, as technology and related activities change frequently
Components:
• Issue Statement
• Statement of the Organization's Position
• Applicability
• Roles and Responsibilities
• Points of Contact
• Physical Security
• Personnel Security
• Communications Security
• Administrative Security
• Risk Management
• System Management
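The password management policy above names two concrete rules, complexity requirements and change frequency. The following is an added example, not code from the EC-Council module, of expressing such a policy as code so it can be enforced at password-change time rather than left as text. Every threshold (12 characters, 3 character classes, 90-day rotation, 5-password history, banned words) and the sample account "jsmith" are assumptions chosen for illustration.

```python
"""Password management policy as code: an added example (not from the
EC-Council module). It enforces the two things the policy text names,
complexity rules and change frequency, plus a reuse check. Every threshold
here is an assumed value for illustration, not one the module prescribes."""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12            # assumed minimum length
    min_char_classes: int = 3       # of: lowercase, uppercase, digit, symbol
    max_age_days: int = 90          # assumed rotation interval
    history_size: int = 5           # previous passwords that may not be reused
    banned_words: tuple = ("password", "company")


@dataclass
class AccountState:
    username: str
    last_changed: date
    previous_hashes: list = field(default_factory=list)  # most recent last


def char_classes(pw: str) -> int:
    """Count how many of the four character classes appear in pw."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def history_digest(pw: str) -> str:
    """Digest used only to compare against the reuse history in this example.
    A real credential store keeps slow, salted hashes (bcrypt, argon2), never
    a bare SHA-256 of the password."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, account: AccountState, policy: PasswordPolicy) -> list:
    """Return the list of policy violations for a proposed new password.
    An empty list means the password is acceptable."""
    violations = []
    if len(pw) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if char_classes(pw) < policy.min_char_classes:
        violations.append(f"fewer than {policy.min_char_classes} character classes")
    lowered = pw.lower()
    if account.username.lower() in lowered:
        violations.append("contains the username")
    for word in policy.banned_words:
        if word in lowered:
            violations.append(f"contains banned word '{word}'")
    if history_digest(pw) in account.previous_hashes[-policy.history_size:]:
        violations.append(f"reuses one of the last {policy.history_size} passwords")
    return violations


def rotation_due(account: AccountState, policy: PasswordPolicy, today: date) -> bool:
    """True when the account's password is older than the policy allows."""
    return today - account.last_changed > timedelta(days=policy.max_age_days)


# Constructed sample account and candidate passwords for a quick run.
POLICY = PasswordPolicy()
ACCOUNT = AccountState(
    username="jsmith",
    last_changed=date(2024, 1, 1),
    previous_hashes=[history_digest("OldSecret#2023ab")],
)

if __name__ == "__main__":
    for candidate in ("jsmith2024!", "OldSecret#2023ab", "Tr0ub4dor&3xyz"):
        print(candidate, "->", check_password(candidate, ACCOUNT, POLICY) or "OK")
    print("rotation due on 2024-05-01:", rotation_due(ACCOUNT, POLICY, date(2024, 5, 1)))
```

The check returns every violation rather than stopping at the first, so the user can be told all the reasons at once; the rotation check is kept separate because it is evaluated at login time, not at password-change time.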

Posted: 26/12/2013, 21:06