The first rule of network site security is easily stated: that which is not expressly permitted is prohibited. A security policy should deny access to all network resources and then add back access on a specific basis. Implemented this way, a site security policy cannot inadvertently permit an action or procedure that nobody decided to allow.

The goal in developing an official site policy on computer security is to define the organization's expectations for proper computer and network use and to define procedures to prevent and respond to security incidents. In order to do this, specific aspects of the organization must be considered and agreed upon by the policy-making group. For example, a military base may have very different security concerns from those of a university. Even departments within the same organization will have different requirements.

It is important to consider who will make the network site security policy. Policy creation must be a joint effort by a representative group of decision-makers, technical personnel, and day-to-day users from different levels within the organization. Decision-makers must have the power to enforce the policy; technical personnel will advise on the ramifications of the policy; and day-to-day users will have a say in how usable the policy is. A site security policy that is unusable, unimplementable, or unenforceable is worthless.

Developing a security policy comprises identifying the organizational assets, identifying the threats, assessing the risk, implementing the tools and technologies available to meet the risks, and developing a usage policy. In addition, an auditing procedure must be created that reviews network and server usage on a timely basis. A response plan should also be in place before any violation or breakdown occurs. Finally, the policy should be communicated to everyone who uses the computer network, whether employee or contractor, and should be reviewed on a regular basis.

Identifying the organizational assets
The first step in creating a site security policy is creating a list of all the things that must be protected. The list must be easily and regularly updated, as most organizations add and subtract equipment all the time. Items to be considered include the following:

  • Hardware—CPUs, boards, keyboards, terminals, workstations, personal computers, printers, disk drives, communication lines, terminal servers, routers
  • Software—source programs, object programs, utilities, diagnostic programs, operating systems, communication programs
  • Data—during execution, stored on-line, archived off-line, backups, audit logs, databases, in transit over communication media
  • Documentation—on programs, hardware, systems, and local administrative procedures

Assessing the risk
While there is a great deal of publicity about intruders on computer networks, most surveys show that the loss from people within the organization is significantly greater. Risk analysis involves determining what must be protected, from what it must be protected, and how to protect it.

Possible risks to your network include the following:

  • Unauthorized access
  • Unavailable service, corruption of data, or a slowdown due to a virus
  • Disclosure of sensitive information, especially that which gives someone else a particular advantage, or theft of information such as credit card data

Once the list has been assembled, a scheme for weighing the risk against the importance of the resource should be developed. This will allow the site policy makers to determine how much effort should be spent protecting the resource. Some security experts advocate the proactive use of the very tools that hackers use in order to find system weaknesses. By discovering weaknesses before the fact, protective action can be implemented to fend off certain attacks. Perhaps the most famous of these tools is security analysis tool for auditing networks (SATAN), which is publicly available on many WWW sites.

Auditing and review
To help determine if there is a violation of a security policy, take advantage of the tools that are already included in computers and networks. Most operating systems store numerous bits of information in log files. Examining these log files on a regular basis is often the first line of defense in detecting unauthorized use of the system. Compare the list of currently logged-in users with past login histories. Most users log in and out at roughly the same time each day, so an account logged in outside its normal hours may be in use by an intruder.

In addition, accounting records can be used to determine usage patterns for the system; unusual accounting records may indicate unauthorized use of the system. System logging facilities, such as the UNIX "syslog" utility, should be checked for unusual error messages from system software. For example, a large number of failed login attempts in a short period of time may indicate someone trying to guess passwords.
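The two log checks just described, a burst of failed logins within a short window and a successful login outside an account's normal hours, as a small review script. This is an added example, not part of the IEC tutorial; the sshd lines are constructed samples, and the syslog layout, the one-minute window, the threshold of five and the 08:00 to 18:00 workday are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd lines in classic syslog format (not real logs).
SAMPLE_LOG = """\
Mar 14 02:13:01 srv1 sshd[2211]: Failed password for root from 10.0.0.9 port 4022 ssh2
Mar 14 02:13:03 srv1 sshd[2211]: Failed password for root from 10.0.0.9 port 4023 ssh2
Mar 14 02:13:05 srv1 sshd[2212]: Failed password for admin from 10.0.0.9 port 4024 ssh2
Mar 14 02:13:07 srv1 sshd[2212]: Failed password for admin from 10.0.0.9 port 4025 ssh2
Mar 14 02:13:09 srv1 sshd[2213]: Failed password for root from 10.0.0.9 port 4026 ssh2
Mar 14 02:14:10 srv1 sshd[2215]: Accepted password for alice from 10.0.0.9 port 4027 ssh2
Mar 14 09:02:41 srv1 sshd[2390]: Accepted publickey for bob from 10.0.0.12 port 5011 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(log_text, year=2024):
    """Return (timestamp, result, user, source) per sshd auth line; traditional syslog omits the year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not sshd auth results are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def failed_login_bursts(events, window_seconds=60, threshold=5):
    """Sources with >= threshold failed logins inside any sliding window, as {source: peak count}."""
    by_src = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            by_src[src].append(ts)
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window past failures older than the window
            if end - start + 1 >= threshold:
                bursts[src] = max(bursts.get(src, 0), end - start + 1)
    return bursts

def off_hours_logins(events, workday=(8, 18)):
    """Successful logins outside the site's expected [start, end) working hours."""
    lo, hi = workday
    return [(u, s, ts.strftime("%H:%M")) for ts, r, u, s in events
            if r == "Accepted" and not (lo <= ts.hour < hi)]
```

On the sample, the five failures from 10.0.0.9 inside eight seconds are reported as a burst, and the subsequent 02:14 login by alice from the same address is flagged as off-hours, which is exactly the pairing the text says is worth a closer look.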

Operating system commands that list currently executing processes can be used to detect users running programs they are not authorized to use, as well as to detect unauthorized programs that have been started by an intruder. By running various monitoring commands at different times throughout the day, a company makes it harder for intruders to predict when they can be detected.

An administrator is unlikely to be lucky enough to catch a violator in the first act, but regular review of log files gives a very good chance of establishing procedures that identify them at a later date.

This story was excerpted from an Internet Security Tutorial published by the IEC. The IEC conducts a range of university and industry cooperative programs consisting of educational forums and workshops, research studies, publications, Web education, and management services. It can be reached at www.iec.org.