Creating and Maintaining a Security Policy

Vincent Danen

February 26, 2007

Perhaps one of the biggest issues facing companies is the lack of a security policy. This isn't as much of a problem with home users, but some of the same principles apply. A home user may not need to review their security policy every few months to ensure it still suits the business and work environment, but they should be aware of the issues that a good security policy addresses. After all, home data is just as important to the home user as corporate data is to the corporate user. This is more evident as computers become cheaper, high-speed internet connections become cheaper, and more people are connected to the internet for longer periods of time each day.

There have also been studies that show that the majority of unauthorized access to data comes internally, rather than externally. This, in itself, is not much of a problem in the home, but can be a serious problem in a work environment. Individuals who shouldn't have access to data, well, shouldn't have access to data. So it's important to remember that you don't only have to worry about external intruders, but internal intruders as well; employees seeing what they can get away with or into, or simply snooping where they have no business being.

So how does one determine a security policy? By keeping the following items in mind:

There is no way to secure your computer entirely. The only way to completely, 100% secure a computer is to leave it turned off. Since that isn't really feasible, one must realize that by simply booting a computer into any operating system, you are taking the risk that someone will obtain access to it. How much access, and what they can do with it, is up to you. This means, as a user or sysadmin, you must be vigilant and keep an eye on what is happening on your system. Know that access to one machine can lead to access to others. So don't assume that if your system is behind one firewall, it cannot be accessed. Even if it is behind a dozen firewalls, never assume that it is entirely safe.

Know that you don't know everything. Technology changes daily, and it's hard enough for the "experts" to keep up with all of the changes. Don't think you're Superman; you're not. There will always be something you don't know. Assume that the "bad guys" know it. There are so many vulnerable software programs out there, with new versions vulnerable to different things, or old ones not vulnerable to what new ones are, and so on. Although disclosure on a lot of software is pretty good, recognize that if the "white hats" are auditing software and letting vendors (and you) know about problems, the "black hats" are doing the exact same thing, without sharing that information. Recognize and plan for this.

What is not expressly permitted is forbidden. It is easier to give access to someone than it is to take it away. Many firewalls follow this exact principle: block everything, then start to selectively allow what is needed. Don't work in the other direction, by allowing everything and then blocking what you think needs blocking. This is an awful way to engineer a firewall, and the concept applies to everything else as well. Most people should be able to do away with the old mentality of "that which is not expressly forbidden is permitted". If at all possible, utilize this approach... it may save you a lot of grief.

Your biggest problem will always be people. This is true of many things. If it weren't for malicious people, worms, viruses, and other threats wouldn't exist. Of course, without people, the targeted software wouldn't exist either. What we're referring to here is many things. People in your organization who deal with computers are one of the biggest threats to your systems' security, whether they do it deliberately or not. For instance, one of the common security mistakes is weak passwords, so users will create impossible-to-guess passwords to circumvent this problem. However, these passwords may also be impossible to remember, so they end up being written on a sticky note and stuck to a monitor or the underside of a keyboard. The easier-to-remember password would have been safer. Another possible scenario is that of social engineering. Many hackers have gotten unauthorized access to networks by posing as a contractor or user and calling companies, obtaining passwords and other sensitive information over the phone from unsuspecting, and naive, employees.

Finally, disgruntled employees are perhaps one of the biggest threats to your environment's security. A user with high access, such as one with access to sensitive information or proprietary information, or even root access on a server or ten, can cause no end of problems.

These may seem elementary to some, and common sense to others, but the fact that "to err is human" must be kept in mind when designing your security policy. The policy must be known by all individuals in the organization, and failure to follow it should be met with discipline. If an employee isn't disciplined and thinks they can skirt the rules, then you have a really big problem. Users should also be made aware that passwords and other sensitive information should never be disclosed to anyone who doesn't have a good, and verifiable, reason for requesting it. Little things like this can help improve the overall security of your organization.

Verify installed software. When you are installing software on your system(s), verify that it hasn't been tampered with. Most authors provide md5sums for downloaded source packages, and many are creating detached GPG signatures for software. Verification of software packages prevents problems like trojaned OpenSSH tarballs (not meaning to pick on the OpenSSH team here, merely illustrating that critical software can be trojaned). One should always attempt to verify distributed files via some means of authentication. If you download RPM packages, check to make sure the md5 and/or GPG signatures are intact. Auditing source code would be a great thing to do, but realistically, this likely won't happen unless you have excessive resources and/or a lot of spare time on your hands.
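The check described above, as an added example that is not part of the original article: a small POSIX shell function that compares a downloaded tarball against a published md5sum file and, when a detached signature is supplied, runs gpg --verify on it. It assumes md5sum and gpg are on PATH, that the checksum file uses md5sum's "hash  filename" lines, and that the author's public key was already imported from a source independent of the download site; the file names are constructed.

```shell
#!/bin/sh
# Added example, not from the article: verify a downloaded tarball against a
# published checksum file and, when one is given, a detached GPG signature.
# Assumes md5sum and gpg are on PATH, the checksum file uses md5sum's
# "<hash>  <filename>" lines, and the signer's key is already in the keyring
# (fetched from a source independent of the download site).
set -u

# verify_download TARBALL CHECKSUM_FILE [SIGNATURE_FILE]
# Returns 0 only when the checksum matches and, if a signature is supplied,
# gpg --verify accepts it. Nonzero means: do not install.
verify_download() {
    tarball=$1
    sums=$2
    sig=${3:-}
    name=$(basename "$tarball")

    for f in "$tarball" "$sums"; do
        if [ ! -f "$f" ]; then
            echo "missing file: $f" >&2
            return 2
        fi
    done

    # Pick the line naming our file (md5sum -c also accepts "*name" for
    # binary mode) and compare it with a freshly computed digest.
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi

    # A checksum file fetched from the same server as the tarball only proves
    # integrity in transit; whoever replaced the tarball could replace the
    # checksums too. Only the detached signature proves who published it.
    if [ -n "$sig" ]; then
        if ! gpg --batch --verify "$sig" "$tarball" 2>/dev/null; then
            echo "signature check failed for $name" >&2
            return 1
        fi
    fi
    echo "verified: $name"
    return 0
}

# Command-line use: verify_download.sh pkg.tar.gz MD5SUMS [pkg.tar.gz.asc]
if [ $# -ge 2 ]; then verify_download "$@"; fi
```

For RPM packages the equivalent check is `rpm --checksig` on the downloaded file, which verifies both the embedded digests and the GPG signature against keys imported into the RPM database.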

There may be other considerations for your security policy, but these will likely be site-specific. One thing to keep in mind is that a good security policy should be flexible enough to adapt to change. As technology changes, the security policy should as well. The laws in many countries have been severely outpaced by technology and are slowly beginning to catch up. Your security policy should be more adaptable, and more quickly, than many of these laws.

While this doesn't provide a specific template for designing a good security policy, it gives something of a framework, and items to consider for your policy. If you're looking for a specific template, you can review the SANS Security Policy Project. They have a number of resources and template policies that you can base your own security policy on, in a number of different scenarios and situations.
