Monday 16 January 2017
Security policy
Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries (including programs), and access to data by people.
Significance
If it is important to be secure, then it is important to be sure all of the security policy is enforced by mechanisms that are strong enough. There are many organized methodologies and risk assessment strategies to assure completeness of security policies and assure that they are completely enforced. In complex systems, such as information systems, policies can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce sub-policies. However, this practice has pitfalls. It is too easy to simply go directly to the sub-policies, which are essentially the rules of operation, and dispense with the top-level policy. That gives the false sense that the rules of operation address some overall definition of security when they do not. Because it is so difficult to think clearly and completely about security, rules of operation stated as "sub-policies" with no "super-policy" usually turn out to be rambling rules that fail to enforce anything with completeness. Consequently, a top-level security policy is essential to any serious security scheme, and sub-policies and rules of operation are meaningless without it.
Network security policy
A network security policy, or NSP, is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company's security and network security environment. The document itself is usually several pages long and written by a committee. A security policy goes far beyond the simple idea of "keep the bad guys out". It is a very complex document, meant to govern data access, web-browsing habits, use of passwords and encryption, email attachments and more. It specifies these rules for individuals or groups of individuals throughout the company.
A security policy should keep malicious users out and also exert control over potentially risky users within your organization. The first step in creating a policy is to understand what information and services are available (and to which users), what the potential is for damage, and whether any protection is already in place to prevent misuse.
In addition, the security policy should dictate a hierarchy of access permissions; that is, grant users access only to what is necessary for the completion of their work.
While writing the security document can be a major undertaking, a good start can be achieved by using a template. The National Institute of Standards and Technology (NIST) provides a security-policy guideline.
The policies could be expressed as a set of instructions that can be understood by special-purpose network hardware dedicated to securing the network.
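The two ideas above, a hierarchy of access permissions (users get only what their work needs) and a policy rewritten as instructions a packet filter can act on, fit together in one small piece of code. The following is an added example, not code from the original article or from NIST: it encodes a constructed office policy as an ordered rule table with default deny, so that every flow not explicitly permitted is dropped, and each rule carries a comment tying it back to the top-level policy goal it serves. All addresses, ports and comments are constructed for illustration.

```python
"""Added example (not from the original article): a small network access
policy written as ordered rules that a packet filter could enforce.
Addresses, ports and rule comments are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches any port
    comment: str          # which top-level policy goal this rule serves

    def matches(self, src, dst, proto, dport):
        """True when the flow 5-tuple (minus source port) falls under this rule."""
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Constructed policy for a fictional office: staff may reach only the intranet
# web server and the internal DNS resolver; only the admin jump host may open
# SSH to the server subnet. Rules are evaluated top to bottom, first match wins.
POLICY = [
    Rule("allow", "10.0.1.0/24", "10.0.2.10/32", "tcp", 443, "staff -> intranet HTTPS"),
    Rule("allow", "10.0.1.0/24", "10.0.2.53/32", "udp", 53,  "staff -> internal DNS"),
    Rule("deny",  "10.0.1.0/24", "10.0.2.0/24",  "any", None, "staff -> anything else on servers"),
    Rule("allow", "10.0.3.5/32", "10.0.2.0/24",  "tcp", 22,  "admin jump host -> server SSH"),
]


def decide(policy, src, dst, proto, dport):
    """Return (action, reason) for a flow. A flow no rule covers is denied,
    which is the default-deny stance the top-level policy requires."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


def uncommented_rules(policy):
    """Audit check: a rule with no stated purpose is a 'rambling rule' that
    cannot be traced back to the super-policy. Returns offending indices."""
    return [i for i, r in enumerate(policy) if not r.comment.strip()]


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, dport)
    sample_flows = [
        ("10.0.1.20", "10.0.2.10", "tcp", 443),   # staff to intranet web
        ("10.0.1.20", "10.0.2.10", "tcp", 22),    # staff trying SSH to a server
        ("10.0.3.5",  "10.0.2.10", "tcp", 22),    # admin jump host SSH
        ("192.168.9.9", "10.0.2.10", "tcp", 443), # unknown network, no rule
    ]
    for flow in sample_flows:
        action, reason = decide(POLICY, *flow)
        print(f"{flow[0]:>12} -> {flow[1]}:{flow[3]}/{flow[2]}  {action:5}  ({reason})")
    print("rules without a policy comment:", uncommented_rules(POLICY))
```

The design choice worth noting is that the deny rule for staff sits above the admin rule: ordering is part of the policy, and reordering the table silently changes what is enforced, which is why each rule records the goal it implements.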
Network security
Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, or open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.
Network security concepts
Network security starts with authentication, commonly with a username and a password. Since this requires just one detail authenticating the user name, i.e. the password, this is sometimes termed one-factor authentication. With two-factor authentication, something the user 'has' is also used (e.g., a security token or 'dongle', an ATM card, or a mobile phone); and with three-factor authentication, something the user 'is' is also used (e.g., a fingerprint or retinal scan). Once authenticated, a firewall enforces access policies such as what services are allowed to be accessed by the network users.[1] Though effective at preventing unauthorized access, this component may fail to check potentially harmful content such as computer worms or Trojans being transmitted over the network. Anti-virus software or an intrusion prevention system (IPS)[2] help detect and inhibit the action of such malware. An anomaly-based intrusion detection system may also monitor the network, much as Wireshark does, and traffic may be logged for audit purposes and for later high-level analysis. Newer systems combining unsupervised machine learning with full network traffic analysis can detect active network attackers, whether malicious insiders or targeted external attackers that have compromised a user machine or account.[3]
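The paragraph above says that traffic should be logged for audit and that an anomaly-based system can analyse it later. As an added illustration that is not part of the original article, the following Python detector reads constructed firewall log lines and flags a source address that touches many distinct destination ports within a short window, the trace a port scanner (listed under passive attacks below) leaves behind. The log format, the field names, the threshold and the sample lines are all assumptions made for this example.

```python
"""Added example (not part of the original article): a minimal anomaly
detector over firewall log lines. It flags a source that contacts many
distinct destination ports within a short window. Log format, field
names and the sample lines are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp> <ALLOW|DENY> src= dst= proto= dport="
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: one scanner (203.0.113.7) sweeping 11 ports in 11
# seconds, two benign clients, and one corrupt line that must be skipped.
SAMPLE_LOG = """\
2017-01-16T10:00:01Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=21
2017-01-16T10:00:02Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=22
2017-01-16T10:00:03Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=23
2017-01-16T10:00:04Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=25
2017-01-16T10:00:05Z ALLOW src=10.0.1.20 dst=10.0.2.10 proto=tcp dport=443
2017-01-16T10:00:05Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=80
2017-01-16T10:00:06Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=110
2017-01-16T10:00:07Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=143
this line is corrupt and should be ignored
2017-01-16T10:00:08Z ALLOW src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=443
2017-01-16T10:00:09Z ALLOW src=10.0.1.20 dst=10.0.2.53 proto=udp dport=53
2017-01-16T10:00:09Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=445
2017-01-16T10:00:10Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=3389
2017-01-16T10:00:11Z DENY src=203.0.113.7 dst=10.0.2.10 proto=tcp dport=8080
2017-01-16T10:00:30Z ALLOW src=198.51.100.4 dst=10.0.2.10 proto=tcp dport=443
2017-01-16T10:00:31Z ALLOW src=198.51.100.4 dst=10.0.2.10 proto=tcp dport=80
2017-01-16T10:00:40Z ALLOW src=198.51.100.4 dst=10.0.2.10 proto=tcp dport=443
2017-01-16T10:01:00Z ALLOW src=10.0.1.20 dst=10.0.2.10 proto=tcp dport=443
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window detector: alert on any source that reaches at least
    `threshold` distinct destination ports inside `window`. Returns one
    alert per source with the peak distinct-port count observed."""
    events = [r for r in map(parse_line, lines) if r is not None]
    events.sort(key=lambda r: r["ts"])          # logs are not always in order
    recent = defaultdict(deque)                  # src -> deque of (ts, dport)
    alerts = {}
    for rec in events:
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dport"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()                          # drop events outside the window
        distinct = len({port for _, port in q})
        if distinct >= threshold:
            a = alerts.setdefault(rec["src"], {
                "src": rec["src"], "first_seen": q[0][0], "distinct_ports": 0})
            a["distinct_ports"] = max(a["distinct_ports"], distinct)
            a["last_seen"] = rec["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"possible port scan from {alert['src']}: "
              f"{alert['distinct_ports']} distinct ports between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

Both ALLOW and DENY records are counted on purpose: a scanner that finds an open port generates an ALLOW line, and a detector that looked only at denials would undercount. The threshold and window are tuning knobs; in a real deployment they are set from a baseline of the network's normal distinct-port fan-out per client.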
Communication between two hosts using a network may be encrypted to maintain privacy.
Honeypots, essentially decoy network-accessible resources, may be deployed in a network as surveillance and early-warning tools, as the honeypots are not normally accessed for legitimate purposes. Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis may be used to further tighten security of the actual network being protected by the honeypot. A honeypot can also direct an attacker's attention away from legitimate servers. A honeypot encourages attackers to spend their time and energy on the decoy server while distracting their attention from the data on the real server. Similar to a honeypot, a honeynet is a network set up with intentional vulnerabilities. Its purpose is also to invite attacks so that the attacker's methods can be studied and that information can be used to increase network security. A honeynet typically contains one or more honeypots.[4]
Security management
Security management for networks is different for all kinds of situations. A home or small office may only require basic security, while large businesses may require high-maintenance and advanced software and hardware to prevent malicious attacks from hacking and spamming.
Types of attacks
Networks are subject to attacks from malicious sources. Attacks fall into two categories: "passive", when a network intruder intercepts data traveling through the network, and "active", in which an intruder initiates commands to disrupt the network's normal operation or to conduct reconnaissance and lateral movement to find and gain access to assets available via the network.[5] Types of attacks include:[6]
- Passive
  - Network
  - Wiretapping
  - Port scanner
  - Idle scan
- Active
  - Denial-of-service attack
  - DNS spoofing
  - Man in the middle
  - ARP poisoning
  - VLAN hopping
  - Smurf attack
  - Buffer overflow
  - Heap overflow
  - Format string attack
  - SQL injection
  - Phishing
  - Cross-site scripting
  - CSRF
  - Cyber-attack
Job market
Cybersecurity is a fast-growing field of IT concerned with reducing organizations' risk of being hacked or suffering a data breach. According to research from the Enterprise Strategy Group, 46% of organizations say that they have a "problematic shortage" of cybersecurity skills in 2016, up from 28% in 2015. Commercial, government and non-governmental organizations all employ cybersecurity professionals. The fastest increases in demand for cybersecurity workers are in industries managing increasing volumes of consumer data such as finance, health care, and retail. However, the use of the term "cybersecurity" is more prevalent in government job descriptions.
Typical cybersecurity job titles and descriptions include:
Security analyst
Analyzes and assesses vulnerabilities in the infrastructure (software, hardware, networks), investigates using available tools and countermeasures to remedy the detected vulnerabilities, and recommends solutions and best practices. Analyzes and assesses damage to the data/infrastructure as a result of security incidents, examines available recovery tools and processes, and recommends solutions. Tests for compliance with security policies and procedures. May assist in the creation, implementation, and/or management of security solutions.
Security engineer
Performs security monitoring, security and data/log analysis, and forensic analysis to detect security incidents, and mounts incident response. Investigates and utilizes new technologies and processes to enhance security capabilities and implement improvements. May also review code or perform other security engineering methodologies.
Security architect
Designs a security system or major components of a security system, and may head a security design team building a new security system.
Security administrator
Installs and manages organization-wide security systems. May also take on some of the tasks of a security analyst in smaller organizations.
Chief Information Security Officer (CISO)
A high-level management position responsible for the entire information security division/staff. The position may include hands-on technical work.
Chief Security Officer (CSO)
A high-level management position responsible for the entire security division/staff. A newer position now deemed needed as security risks grow.
Security Consultant/Specialist/Intelligence
Broad titles that encompass any one or all of the other roles/titles, tasked with protecting computers, networks, software, data, and/or information systems against viruses, worms, spyware, malware, intrusion detection, unauthorized access, denial-of-service attacks, and an ever-increasing list of attacks by hackers acting as individuals or as part of organized crime or foreign governments.
Student programs are also available to people interested in beginning a career in cybersecurity. Meanwhile, a flexible and effective option for information security professionals of all experience levels to keep studying is online security training, including webcasts.
Modern warfare
Cybersecurity is becoming increasingly important as more information and technology is being made available in cyberspace. There is growing concern among governments that cyberspace will become the next theatre of warfare. As Mark Clayton from the Christian Science Monitor described in an article titled "The New Cyber Arms Race":
In the future, wars will not just be fought by soldiers with guns or with planes that drop bombs. They will also be fought with the click of a mouse a half a world away that unleashes carefully weaponized computer programs that disrupt or destroy critical industries like utilities, transportation, communications, and energy. Such attacks could also disable military networks that control the movement of troops, the path of jet fighters, the command and control of warships.
This has led to new terms such as cyberwarfare and cyberterrorism. More and more critical infrastructure is being controlled via computer programs that, while increasing efficiency, expose new vulnerabilities. The test will be to see whether governments and corporations that control critical systems such as energy, communications and other information will be able to prevent attacks before they occur. As Jay Cross, the chief scientist of the Internet Time Group, remarked, "Connectedness begets vulnerability."
National teams
Here are the main computer emergency response teams around the world. Most countries have their own team to protect network security.
Canada
On October 3, 2010, Public Safety Canada unveiled Canada's Cyber Security Strategy, following a Speech from the Throne commitment to boost the security of Canadian cyberspace. The aim of the strategy is to strengthen Canada's "cyber systems and critical infrastructure sectors, support economic growth and protect Canadians as they connect to each other and to the world." Three main pillars define the strategy: securing government systems, partnering to secure vital cyber systems outside the federal government, and helping Canadians to be secure online. The strategy involves multiple departments and agencies across the Government of Canada. The Cyber Incident Management Framework for Canada outlines these responsibilities, and provides a plan for coordinated response between government and other partners in the event of a cyber incident. The Action Plan 2010–2015 for Canada's Cyber Security Strategy outlines the ongoing implementation of the strategy.
Public Safety Canada's Canadian Cyber Incident Response Centre (CCIRC) is responsible for mitigating and responding to threats to Canada's critical infrastructure and cyber systems. The CCIRC provides support to mitigate cyber threats, technical support to respond to and recover from targeted cyber attacks, and online tools for members of Canada's critical infrastructure sectors. The CCIRC posts regular cyber security bulletins on the Public Safety Canada website. The CCIRC also operates an online reporting tool where individuals and organizations can report a cyber incident. Canada's Cyber Security Strategy is part of a larger, integrated approach to critical infrastructure protection, and functions as a counterpart document to the National Strategy and Action Plan for Critical Infrastructure.
On September 27, 2010, Public Safety Canada partnered with STOP.THINK.CONNECT, a coalition of non-profit, private sector, and government organizations dedicated to informing the general public on how to protect themselves online. On February 4, 2014, the Government of Canada launched the Cyber Security Cooperation Program. The program is a $1.5 million five-year initiative aimed at improving Canada's cyber systems through grants and contributions to projects in support of this objective. Public Safety Canada aims to begin an evaluation of Canada's Cyber Security Strategy in early 2015. Public Safety Canada administers and routinely updates the GetCyberSafe portal for Canadian citizens, and carries out Cyber Security Awareness Month during October.
China
China's network security and information technology leadership team was established on February 27, 2014. The leadership team is tasked with national security and long-term development and co-ordination of major issues related to network security and information technology. Economic, political, cultural, social and military fields as related to network security and information technology strategy, planning and major macroeconomic policy are being researched. The promotion of national network security and information technology law is constantly under study for enhanced national security capabilities.
Germany
Berlin starts National Cyber Defense Initiative: On June 16, 2011, the German Minister for Home Affairs officially opened the new German NCAZ (National Center for Cyber Defense, Nationales Cyber-Abwehrzentrum) located in Bonn. The NCAZ closely cooperates with the BSI (Federal Office for Information Security, Bundesamt für Sicherheit in der Informationstechnik), the BKA (Federal Police Organisation, Bundeskriminalamt), the BND (Federal Intelligence Service, Bundesnachrichtendienst), the MAD (Military Intelligence Service, Amt für den Militärischen Abschirmdienst) and other national organisations in Germany taking care of national security aspects. According to the Minister, the primary task of the new organisation, founded on February 23, 2011, is to detect and prevent attacks against the national infrastructure; he mentioned incidents like Stuxnet.
India
Some provisions for cybersecurity have been incorporated into rules framed under the Information Technology Act 2000.
The National Cyber Security Policy 2013 is a policy framework by the Department of Electronics and Information Technology (DeitY) which aims to protect the public and private infrastructure from cyber attacks, and safeguard "information, such as personal information (of web users), financial and banking information and sovereign data".
The Indian Companies Act 2013 has also introduced cyber law and cyber security obligations on the part of Indian directors.
Pakistan
Cyber-crime has risen rapidly in Pakistan. There are about 34 million Internet users and 133.4 million mobile subscribers in Pakistan. According to the Cyber Crime Unit (CCU), a branch of the Federal Investigation Agency, only 62 cases were reported to the unit in 2007 and 287 cases in 2008; the number dropped in 2009, but in 2010 more than 312 cases were registered. However, there are many unreported incidents of cyber-crime.
"Pakistan's Cyber Crime Bill 2007", the first pertinent law, focuses on electronic crimes, for example cyber-terrorism, criminal access, electronic system fraud, electronic forgery, and misuse of encryption.
The National Response Centre for Cyber Crime (NR3C) – FIA is a law enforcement agency dedicated to fighting cybercrime. This hi-tech crime-fighting unit was set up in 2007 to identify and curb technological abuse in society.[163] Certain private firms also work together with the government to improve cyber security and curb cyberattacks.
South Korea
Following cyberattacks in the first half of 2013, when government, news-media, television station, and bank websites were compromised, the national government committed to the training of 5,000 new cybersecurity experts by 2017. The South Korean government blamed its northern counterpart for these attacks, as well as incidents that occurred in 2009, 2011, and 2012, but Pyongyang denies the accusations.
Other countries
- CERT Brazil, member of FIRST (Forum for Incident Response and Security Teams)
- CARNet CERT, Croatia, member of FIRST
- AE CERT, United Arab Emirates
- SingCERT, Singapore
- CERT-LEXSI, France, Canada, Singapore
- INCIBE, Spain
- ID-CERT, Indonesia
International actions
Many different teams and organisations exist, including:
- The Forum of Incident Response and Security Teams (FIRST) is the global association of CSIRTs. The US-CERT, AT&T, Apple, Cisco, McAfee and Microsoft are all members of this international team.
- The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Convention on Cybercrime.
- The purpose of the Messaging Anti-Abuse Working Group (MAAWG) is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks and other messaging exploitations. France Telecom, Facebook, AT&T, Apple, Cisco and Sprint are some of the members of the MAAWG.
- ENISA: The European Network and Information Security Agency (ENISA) is an agency of the European Union with the objective of improving network and information security in the European Union.
Europe
CSIRTs in Europe collaborate in the TERENA task force TF-CSIRT. TERENA's Trusted Introducer service provides an accreditation and certification scheme for CSIRTs in Europe. A full list of known CSIRTs in Europe is available from the Trusted Introducer website.