NSF DeAnza Security Course

Task Overview Document

Version 3.1-Industry Review

 

Each task below is described under the same headings as the original overview table: Business Case/Student Task, Student Deliverables, Learning Objectives Covered, Time, and Major Topics.

Task 1: Review and Refine Security Policy and Procedures

Business Problem:

C-Bay Inc., a real-estate auction company, just went public. Their servers have been down intermittently due to a possible security glitch. The CEO of C-Bay has auditors, investors and stockholders questioning the security of C-Bay's networks, and C-Bay customers are worried about their data privacy. The Head of IT has brought you on as part of a team to review C-Bay's Security Policy, assess how well it is implemented, and provide recommendations for ongoing monitoring, for bolting down the network, and for educating C-Bay's community about its security policy. If you complete these jobs to the Head of IT's satisfaction, you will be hired as a full-time employee. To perform the task, you are given C-Bay's critical business requirements, excerpts of interviews, stakeholder meeting minutes, a sketch of the problems the company has experienced in the form of an email chain, etc.

Student Task:

1. Conduct a review of C-Bay's Security Policy (if one is available), detailing which areas need significant improvements.
2. Provide recommendations on how you will fix the areas that need improvement. Provide a work plan on how you will qualify your recommendations and implement them.

Note: We'll keep students in sync. In the fiction, at the end of the task, a security person or group reviews students' recommended changes to the policy, recommendations, and work plan, and gives out a revised version of each that students will work from in the next tasks. So students leave this task with the same security policy, recommendations, and work plan.

 

Student Deliverables:

1. Refined Security Policy that addresses omissions, errors, contradictions, and tenability – 8 hours
2. Recommendation on how the problem with the servers can possibly be fixed.
3. Work plan to validate the recommendations and implement them. This includes educating the general audience. – 8 hours

Learning Objectives Covered:

1. Review the provided Security Policy in the context of a defined company network, looking for omissions, contradictions, tenability, and errors.
2. Refine the Security Policy based on findings.
3. Make recommendations on how to address security problems at a company.
4. Create a work plan to validate and implement these recommendations.

Time: 16 hours

Major topic: Review and Refine Security Policy and Procedures

Task 2: Perform Risk Analysis and Assessment based on the Security Policy and document exceptions

Necessary Input: Security Policy, Work Plan, Recommendations from Task 1

Business Problem:

The current Enterprise Network setup should be surveyed to find the reason for the server outages. Shortcomings should be documented appropriately and reconciled with the implementation of the security policy. Prepare a Problem Area report and present it to Management. Optionally, possible solutions to fix the flaws in the Network Implementation may be documented and presented. Students will be provided with server logs, OS, application and hardware information, etc.

Student Task:

1. Survey the network for causes of the server outages.
2. Prepare a Problem Report documenting the causes.
3. Optionally, provide recommendations to bring the Network Implementation closer to the documented Security Policy, or the Security Policy closer to the business' critical needs.

Possible shortcomings:

o Firewall and router are consumer grade, not business grade.
o The security policy isn't molded to critical business needs, e.g., there's no remote access, but it is critical to the business that employees access files (e.g., medical records) remotely.
o Unrealistic requirements in the policy, e.g., 0% downtime.
o Exceptions leading to vulnerabilities, e.g., no remote access except for certain employees.

Note: We'll keep students in sync. In the fiction, at the end of the task, a security person or group reviews students' recommendations and problem report, including any changes to the policy, and sends out revised versions of each, so students leave the task with the same problem report and recommendations for changes to business practices/network/security policy.

 

Student Deliverables:

1a. Network Audit – 5 hours
1b. Problem Report presenting the causes of outages and shortcomings in the Network, as reconciled with the Security Policy – 5 hours
2. Recommendations for changes to the Business Practices/Network and/or Security Policy, to align the Network Implementation with the Security Policy and/or to align the Security Policy with critical business requirements and the network – 5 hours
3. Presentation summarizing the problem report and recommendations (each group will present to, and listen to, one other group's report, as opposed to each group presenting to and listening to all the other groups)

Learning Objectives Covered:

1. Survey the implementation of the Security Policy.
2. Document and report on areas of the implementation that don't follow Security Policy procedures.
3. Provide high-level recommendations to align the requirements of the Security Policy with its implementation, and with critical business requirements and the physical network.

Time: 15 hours

Major topic: Perform Risk Analysis and Assessment based on the Security Policy and document exceptions

Task 3: Deliver a comprehensive set of items to review periodically in the Security Policy; monitor the network and report/analyze results

Necessary Input: network logs, output from Tasks 1 and 2.

Business Problem:

Enterprise monitoring to assure that the Security Policy is enforced is a key element for the growth of an organization. Monitoring systems must change with a changing business environment and therefore should be continually improved. This monitoring is not limited to software or data collection; it should also include asking employees how they are creating passwords, checking email, etc. Students shouldn't just diagnose existing problems; they should plan for and try to preempt expected problems, both malicious and accidental, e.g., someone tripping over a cord and bringing down a server.

Student Task:

1. Based on diagnosed or expected problems, recommend monitoring procedures and a schedule.
2. Document monitoring procedures and provide report templates to document monitoring results (for both periodic and incident reports).
3. Monitor the network; analyze and report on results using the appropriate templates.

 

Additional Notes on Scenario/Task:

"What Ifs"

We'll first say to students: given the system that currently exists, what do you monitor? Then, to have students address certain issues, we'll give them some "what ifs". We can give them a capacity change or changes to the baseline.

Example: C-Bay has been able to support 100 requests per second, but now it needs to double that capacity, so students need to change a network layer. Students need to look at the implications for network hardware, software, and the security policy.

Monitoring for Improvement

Students should be recommending a monitoring policy that not only reacts to existing problems and preempts expected problems, but that also monitors with an eye towards improving the performance of the system and the policy.

Change Management

This task should focus on change management and encourage upgrades to the security policy, deployment, and monitoring procedures.

When there is a change in the network, the security monitoring should take into account what changes have been made, and whether those changes require a change to the policy or to the security monitoring procedures.

There is a difference between a security monitoring document and a security policy. The actual steps are in the security monitoring document. Changes to the security monitoring document don't necessarily require a change to the security policy. For example, adding new servers will change the security monitoring document, but not the security policy. But changes in the layers, e.g., network, OS, application, sometimes require changes to the security policy.

Monitoring Tools:

Teaching students about what tools are available and how they can help monitor is important: Microsoft tool that summarizes logs: Microsoft Operations Manager; Farimba (sp?) (CEO Kim); Moonlight. Students could use monitoring software and evaluate the software.

Daily vs. Less Frequent Monitoring:

There should be some policy for analyzing the raw data from key events, e.g., password changes, access to certain directories. In general you probably want to look at those things periodically rather than daily, in real time.

For daily or hourly monitoring, students might go to CERT and see what is highlighted as an impending or current problem, e.g., NIMDA hit Europe first; having a few hours' notice was helpful.

Reaching Full Capacity

As part of this monitoring task, students should track when they're going to reach full capacity and their current infrastructure needs to be upgraded.

 

Student Deliverables:

1. Document monitoring procedures – 5 hrs
2. Create periodic and incident report templates, e.g., daily, weekly, summary of trends, incident reports. The audience of the reports is someone above the learner in the systems admin food chain. Templates must highlight the most important findings: they should have "at a glance" sections and specify what each section should contain (potential report template categories: implications, long and short term; resolution; a well-defined rating system to prioritize issues).
3. Completed periodic report documenting monitoring results and analysis (students will do this using network logs).
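As an added example (not part of the course materials), the Python sketch below shows the kind of periodic report such a template could be fed from: it scans constructed, syslog-like log lines for the key events named in the notes above (password changes, access to a sensitive directory, failed logins), applies an assumed three-level rating system to prioritize issues, and puts an "at a glance" summary ahead of the detailed findings. Host names, paths, addresses, user names and the rating scale are all invented for the example.

```python
import re
from collections import Counter

# Constructed sample lines in a syslog-like shape; not real C-Bay data.
SAMPLE_LOG = """\
Mar 03 01:12:07 cbay-web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4411
Mar 03 01:12:09 cbay-web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4412
Mar 03 01:12:11 cbay-web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4413
Mar 03 02:30:44 cbay-web1 passwd[902]: password changed for jsmith
Mar 03 03:05:10 cbay-file1 audit[77]: user bwong accessed /srv/records/medical/
Mar 03 08:15:00 cbay-web1 sshd[950]: Accepted password for jsmith from 192.0.2.15 port 5000
"""

# Assumed rating system (not from the course): 3 = act now, 2 = review this
# period, 1 = informational. Each rule: pattern, event kind, base rating.
RULES = [
    (re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)"), "failed_login", 1),
    (re.compile(r"password changed for (\S+)"), "password_change", 2),
    (re.compile(r"user (\S+) accessed (/srv/records/\S*)"), "sensitive_dir_access", 2),
    (re.compile(r"Accepted password for (\S+) from (\S+)"), "login_ok", 1),
]

def parse_events(text):
    """Turn raw lines into (kind, rating, details) tuples; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        for pattern, kind, rating in RULES:
            match = pattern.search(line)
            if match:
                events.append((kind, rating, match.groups()))
                break
    return events

def escalate(events, threshold=3):
    """Repeated failed logins from one source become 'act now' (rating 3)."""
    failures_by_source = Counter(g[1] for kind, _, g in events if kind == "failed_login")
    out = []
    for kind, rating, g in events:
        if kind == "failed_login" and failures_by_source[g[1]] >= threshold:
            rating = 3
        out.append((kind, rating, g))
    return out

def build_periodic_report(text):
    """At-a-glance counts first, then findings ordered from highest to lowest rating."""
    events = escalate(parse_events(text))
    return {
        "at_a_glance": {
            "act_now": sum(1 for _, r, _g in events if r == 3),
            "review": sum(1 for _, r, _g in events if r == 2),
            "info": sum(1 for _, r, _g in events if r == 1),
        },
        "findings": [f"[{r}] {k}: {' '.join(g)}" for k, r, g in sorted(events, key=lambda e: -e[1])],
    }
```

Calling build_periodic_report(SAMPLE_LOG) rates the three failures from one source as "act now" and lists them first, with the password change and sensitive-directory access as items to review this period.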


Learning Objectives Covered:

1. Document ongoing procedures to perform periodic audits of the Enterprise Network, including criteria for evaluating and prioritizing threat levels, and listing what steps need to be taken for each threat level.
2. Prepare templates to document periodic and incident reports.
3. Monitor network logs and prepare a periodic report recording and analyzing monitoring results.

Time: 8 hours?

Major topic: Deliver a comprehensive set of items to review periodically in the Security Policy; monitor the network and report/analyze results

Task 4: Black hat/white hat: Adopt a hacker mindset / Respond to a hacker attack

o Learners get an email: "We've been hacked!" They receive server logs of the hack, or are given access to an actual VPN, and need to counter the attack.
o Or, students get instructions on how to participate in a White Hat/Black Hat contest: 2 people within a group could launch an attack on a network and the rest of the group would counter the attack, then reverse. They wouldn't be allowed to launch any type of attack; they'd pick from a list of possible types of attacks.
  - Or this could be done with one group vs. another.
  - If lab time is an issue, we could break 30 into groups of 10, with 5 white hats and 5 black hats each.

Possible Types of Attacks: Intrusion detection and denial of service
  - Wire tapping
  - Traffic analysis
  - IP spoofing
  - Sniffers
  - Disgruntled employees
  - Social engineering
  - Kids
  - Hard core hackers
  - Spammers
  - Denial of service attacks
  - Replay attacks

Student Deliverables:

o For white hat/black hat: participate in a discussion and/or write up an analysis of what they did right/wrong as both black hats and white hats. A discussion of what they would do differently should be included.

-or-

o If students receive only logs, a step-by-step write-up of how they would counter the attack.

o Also: recommended changes to the security monitoring procedures or policy, based on the attack experience?

Learning Objectives Covered:

1. Recognize the common types of abnormal occurrences in the computing environment that need immediate action (e.g., the 12 most common attacks).
2. Propose a response/countermeasure.
3. Respond to an attack (taken from a list of common types) and evaluate the effectiveness of the response.

Time: TBD

Major topic: Respond to hacker attack

Task 5: Educate and Raise Awareness of Security Policy/Procedures to the General User Population

Business Problem:

An Enterprise is secure when its employees are aware of, and continually looking for, security risks. Education and training enhance employees' awareness and ability to avoid and/or spot risks.

Student Task:

1. Identify areas from the refined security policy that should be conveyed to the general population, e.g., social engineering risks, passwords (don't put one on a yellow sticky on your computer), disgruntled former employee scenarios.
2. Prepare a presentation or FAQ that can be understood by and delivered to a general audience in a short period of time. The presentation should be compelling and engaging; it's important to make people care about this, not just to tell them what to do and not do and raise security consciousness, but to explain why it's so important. Can use reverse psychology: start the presentation with "This world is a safe place…" Or give them a worst case scenario: imagine someone had your mortgage application…. The presentation should also prompt employees to report anomalous events.
3. TBD: Respond to individual employee inquiries regarding the security policy or problems they are experiencing.

 

Additional Notes on Scenario/Tasks:

Suggested procedure for students:

Go through the security policy, provide a common-sense rationale for the aspects of the security policy that employees are likely to encounter and/or that have the most disastrous results if not followed, translate from tech into plain English, categorize the aspects, and present them in a clear, engaging, compelling way.

Help Desk Simulation

We can do a help desk simulation in addition to the presentation. Students will receive some queries that they have to deal with. This can be real-time or ellipsis. This simulation will be used to require students to address specific issues.

Collaborative vs. Individual Work

As a group, we can ask students to effectively educate the general user population. We can then provide each student with fictional general-user emails regarding security, and each student must respond to one or several emails. We won't let students choose which emails to respond to.

Resources:
Kevin Mitnick's research on social engineering
Ray has access to a software engineering rubric

Communication:

It is important to focus on communication in this task. We could suggest role playing: help desk / general user.

Education should contain the advice:

Don't use a word that's in the dictionary for your password.

 

 

 

 

Student Deliverables:

1. A report of key points that should be conveyed to the general population – 3 hours
2. A presentation or FAQ to take the end user through the education – 3 hours
3. Possibly: written responses to general users' inquiries

Learning Objectives Covered:

1. Identify and document aspects of the Security Policy that should be conveyed to a general audience.
2. Develop a short, engaging, compelling presentation or FAQ to communicate these aspects to the general audience.
3. Effectively respond to security-related inquiries from the general user population.

Time: 6 hours

Major topic: Educate and raise awareness about Security Policy to general user population

Task 6: Document Procedures for Emergency Response

Business Problem:

While monitoring helps validate that the Security Policy is enforced, the documented results from monitoring may lead to the observation of patterns of abnormal activity. This can provide an early-stage diagnosis of threats (malicious or accidental). It is crucial for an organization to be prepared with a set of actions to take when there is an emergency.

Student Task:

Identify the possible emergencies and prepare recognition conditions, a set of steps for each emergency to bring business operations back to their original state, and expected outcomes for each set of procedures. All threats and attendant procedures that don't take the systems back to their original state must be documented.

Additional Notes on Scenario/Task:

Re Emergency Response document:
In some sense you're creating a cookbook. You have recognition conditions for threats. Once threats are recognized, you have steps to take. Once you've taken the steps, you have expected outcomes.

Re expected outcome section: The business needs to understand the expected outcome section, especially for risk procedures that won't fully restore systems to their original state. To mitigate risk, someone in upper management should be aware of the implications of these scenarios.

Output Sharing

Because all student groups might not choose to address the same emergencies, we should have groups give presentations or provide a master list after the fact, to share task outcomes.

Resource: CERT

Re procedures: Where relevant, these should include steps like who to call, e.g., do we know who to call at the IFC when a denial of service attack occurs?

 

 

Student Deliverables:

1. Emergency Response document that, for a set of common security emergencies, documents (for each emergency):
  - recognition conditions
  - recovery steps
  - expected outcomes

Any case in which recovery is less than 100% reflects a flaw in the monitoring systems. But it may not make business sense to address the flaw. All risks that don't take the systems back to their original state must be documented. (Must explain why 100% recovery isn't tenable?)

Learning Objectives Covered:

1. Be able to recognize common abnormal occurrences in networks.
2. Draft recovery steps for each of the most likely emergencies.
3. Be aware of and document the expected outcomes for each set of emergency procedures.
4. For cases where 100% recovery isn't possible, explain why.

Time: 14 hours

Major topic: Document Procedures for Emergency Response