A comprehensive security policy has a number of benefits, including the following:
- Demonstrates an organization’s commitment to security
- Sets the rules for expected behavior
- Ensures consistency in system operations, software and hardware acquisition and use, and maintenance
- Defines the legal consequences of violations
- Gives security staff the backing of management
Security policies are used to inform users, staff, and managers of an organization’s requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.
The table lists policies that may be included in a security policy.
Policy | Description |
---|---|
Identification and authentication policy | Specifies which authorized persons may access network resources and the procedures used to verify their identity. |
Password policies | Ensures passwords meet minimum requirements and are changed regularly. |
Acceptable Use Policy (AUP) | Identifies network applications and uses that are acceptable to the organization. It may also identify ramifications if this policy is violated. |
Remote access policy | Identifies how remote users can access a network and what is accessible via remote connectivity. |
Network maintenance policy | Specifies network device operating systems and end user application update procedures. |
Incident handling procedures | Describes how security incidents are handled. |
One of the most common security policy components is an AUP.
A BYOD (Bring Your Own Device) security policy should be developed to accomplish the following:
- Specify the goals of the BYOD program.
- Identify which employees can bring their own devices.
- Identify which devices will be supported.
- Identify the level of access employees are granted when using personal devices.
- Describe the rights to access and activities permitted to security personnel on the device.
- Identify which regulations must be adhered to when using employee devices.
- Identify safeguards to put in place if a device is compromised.
The table lists BYOD security best practices to help mitigate BYOD vulnerabilities.
Best Practice | Description |
---|---|
Password protected access | Use unique passwords for each device and account. |
Manually control wireless connectivity | Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks. |
Keep updated | Always keep the device OS and other software updated. Updated software often contains security patches to mitigate against the latest threats or exploits. |
Back up data | Enable backup of the device in case it is lost or stolen. |
Enable “Find my Device” | Subscribe to a device locator service with remote wipe feature. |
Provide antivirus software | Provide antivirus software for approved BYOD devices. |
Use Mobile Device Management (MDM) software | MDM software enables IT teams to implement security settings and software configurations on all devices that connect to company networks. |
Access Control Models
The table lists various types of access control methods.
Access Control Model | Description |
---|---|
Discretionary access control (DAC) | The least restrictive model: the owner of a resource decides who may access it and what they may do with it. |
Mandatory access control (MAC) | The strictest model: access is decided by security labels (classifications and clearances) that the system enforces, not by the resource owner. Typically used in military and other mission-critical environments. |
Role-based access control (RBAC) | Access decisions are based on the roles and responsibilities an individual holds in the organization, rather than on the individual directly. |
Attribute-based access control (ABAC) | ABAC allows access based on attributes of the object (resource) to be accessed, the subject (user) accessing the resource, and environmental factors regarding how the object is to be accessed, such as time of day. |
Rule-based access control (RBAC) | Security staff define sets of rules or conditions that must be satisfied before access to data or systems is granted. |
Time-based access control (TAC) | TAC allows access to network resources based on time and day. |
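The ABAC and time-based rows above describe the model in a sentence each; the following added example (written for this page, not code from the course) shows what an attribute-based decision looks like in practice. The subject, resource and environment attributes, the rule set and the sample users and file are all constructed for illustration. Every rule must pass, so the engine denies by default and reports which rule blocked the request, which is what makes a denial auditable.

```python
"""Added example (not from the course page): a small attribute-based access
control (ABAC) engine that also covers the time-based condition (TAC).

Attributes come from the three sources the table names: the subject (user),
the object (resource) and the environment (time of day, network location).
All users, resources and rules here are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Subject:
    user: str
    department: str
    clearance: int              # higher means more trusted


@dataclass(frozen=True)
class Resource:
    name: str
    owner_department: str
    classification: int         # minimum clearance required to read it
    internal_only: bool         # True: must be reached from the corporate network


@dataclass(frozen=True)
class Environment:
    now: datetime
    network: str                # "corp" or "remote"


def within_business_hours(env: Environment) -> bool:
    """Time-based rule: Monday to Friday, 08:00 up to (not including) 18:00."""
    return env.now.weekday() < 5 and time(8, 0) <= env.now.time() < time(18, 0)


# Every rule must return True for access to be granted (deny by default).
RULES = {
    "clearance": lambda s, r, e: s.clearance >= r.classification,
    "department": lambda s, r, e: s.department == r.owner_department,
    "business_hours": lambda s, r, e: within_business_hours(e),
    "network": lambda s, r, e: (not r.internal_only) or e.network == "corp",
}


def evaluate(subject: Subject, resource: Resource, env: Environment):
    """Return (granted, failed_rule_names). An empty failure list means grant."""
    failed = [name for name, rule in RULES.items() if not rule(subject, resource, env)]
    return (not failed, failed)


def demo_decisions() -> dict:
    """Four constructed requests against one payroll file."""
    alice = Subject("alice", "finance", clearance=2)
    bob = Subject("bob", "engineering", clearance=3)
    payroll = Resource("payroll.xlsx", "finance", classification=2, internal_only=True)
    tuesday_10am = datetime(2024, 1, 9, 10, 0)     # a weekday, inside business hours
    saturday_10am = datetime(2024, 1, 13, 10, 0)   # a weekend day
    return {
        "alice_office_weekday": evaluate(alice, payroll, Environment(tuesday_10am, "corp")),
        "alice_remote_weekday": evaluate(alice, payroll, Environment(tuesday_10am, "remote")),
        "alice_office_weekend": evaluate(alice, payroll, Environment(saturday_10am, "corp")),
        "bob_office_weekday": evaluate(bob, payroll, Environment(tuesday_10am, "corp")),
    }


if __name__ == "__main__":
    for label, (granted, failed) in demo_decisions().items():
        print(f"{label}: {'GRANT' if granted else 'DENY'} {failed}")
```

Note that Bob has a higher clearance than Alice and is still denied: in ABAC no single attribute is decisive, the combination is, which is the property that distinguishes it from a pure clearance-based (MAC) or pure role-based (RBAC) decision.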
AAA Component | Description |
---|---|
Authentication | Users and administrators must prove that they are who they claim to be, for example with a username and password combination, challenge and response questions, or a token card. |
Authorization | After a user is authenticated, authorization determines which resources that user may access and which operations they are allowed to perform. |
Accounting | Records what the user does, including what is accessed, how long it is accessed for, and any changes made, so that activity can be audited. |
The table lists the differences between the two protocols.
Characteristic | TACACS+ | RADIUS |
---|---|---|
Functionality | It separates authentication, authorization, and accounting functions according to the AAA architecture. This allows modularity of the security server implementation. | It combines authentication and authorization but separates accounting, which allows less flexibility in implementation than TACACS+. |
Standard | Mostly Cisco supported | Open/RFC standard |
Transport | TCP port 49 | UDP ports 1812 and 1813, or 1645 and 1646 |
Protocol CHAP | Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP) | Unidirectional challenge and response from the RADIUS security server to the RADIUS client |
Confidentiality | Encrypts the entire body of the packet but leaves a standard TACACS+ header. | Encrypts only the password in the access-request packet from the client to the server. The remainder of the packet is unencrypted, leaving the username, authorized services, and accounting unprotected. |
Customization | Provides authorization of router commands on a per-user or per-group basis | Has no option to authorize router commands on a per-user or per-group basis |
Accounting | Limited | Extensive |
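The Confidentiality row states that RADIUS protects only the password in the Access-Request. The following added example (not code from the course or from any RADIUS implementation) makes that concrete: it builds a minimal Access-Request and applies the User-Password hiding that RFC 2865 section 5.2 specifies, so that parsing the resulting bytes shows the User-Name and NAS-IP-Address attributes in the clear and only the password obscured. The shared secret, username, password, NAS address and fixed Request Authenticator are constructed sample values.

```python
"""Added example (not from the course page): which bytes of a RADIUS
Access-Request are actually protected.

Implements the User-Password hiding from RFC 2865 section 5.2 and builds a
minimal Access-Request so the User-Name and NAS-IP-Address attributes can be
seen travelling in the clear while only the password is obscured. The shared
secret, username, password and NAS address below are constructed sample values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                   # RADIUS Code field
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret + c_(i-1)), with the 16-byte Request
    Authenticator standing in for c_0. The password is NUL-padded to a
    multiple of 16 bytes (at least one block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it (NUL padding removed)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Code | Identifier | Length | Request Authenticator (16 bytes) | Attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attribute(USER_NAME, username.encode())
        + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header; no secret is needed for this."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:          # malformed attribute, stop rather than loop forever
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    pkt = build_access_request(7, "alice", "s3cret", secret, "10.0.0.5", ra)
    fields = parse_attributes(pkt)
    print("User-Name on the wire:", fields[USER_NAME])
    print("User-Password on the wire:", fields[USER_PASSWORD].hex())
    print("Recovered by the server:", reveal_password(fields[USER_PASSWORD], secret, ra))
```

Two things follow from the code. The username, NAS address and any authorization or accounting attributes are readable by anyone who can capture the packet, exactly as the table says; and the password protection is an MD5-derived keystream keyed by the shared secret, so the strength of that one protected field rests entirely on the secret. That is why RADIUS deployments are normally confined to a management network or carried over IPsec or TLS, whereas TACACS+ encrypts the whole packet body.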
Type of Accounting Information | Description |
---|---|
Network Accounting | Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts. |
Connection Accounting | Connection accounting captures information about all outbound connections that are made from the AAA client, such as by SSH. |
EXEC Accounting | EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address. |
System Accounting | System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off). |
Command Accounting | Command accounting captures information about the EXEC shell commands for a specified privilege level, as well as the date and time each command was executed, and the user who executed it. |
Resource Accounting | The Cisco implementation of AAA accounting captures “start” and “stop” record support for connections that have passed user authentication. The additional feature of generating “stop” records for connections that fail to authenticate as part of user authentication is also supported. Such records are necessary for users employing accounting records to manage and monitor their networks. |
The table lists a few important network security organizations.
Organization | Description |
---|---|
SANS | SysAdmin, Audit, Network, Security (SANS) Institute resources are largely free upon request and include: |
Mitre | The Mitre Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations. |
FIRST | Forum of Incident Response and Security Teams (FIRST) is a security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention and rapid reaction. |
SecurityNewsWire | A security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities. |
(ISC)2 | International Information Systems Security Certification Consortium (ISC2) provides vendor-neutral education products and career services to more than 75,000 industry professionals in more than 135 countries. |
CIS | The Center for Internet Security (CIS) is a focal point for cyber threat prevention, protection, response, and recovery for state, local, tribal, and territorial (SLTT) governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC). The MS-ISAC offers 24×7 cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response. |
Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report.
Search the internet to locate and download Cisco Cybersecurity Reports from the Cisco website.
You can also subscribe to receive notifications of new blogs by email. Cisco Talos also offers a series of over 80 podcasts that can be played from the internet or downloaded to your device of choice.
Talos maintains the security incident detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools.
FireEye offers SIEM and SOAR with the Helix Security Platform, which uses behavioral analysis and advanced threat detection and is supported by the FireEye Mandiant worldwide threat intelligence network.
The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS).
The MITRE Corporation defines unique CVE Identifiers for publicly known information-security vulnerabilities to make it easier to share data.
- Structured Threat Information Expression (STIX) – This is a set of specifications for exchanging cyber threat intelligence (CTI) between organizations. The Cyber Observable Expression (CybOX) standard has been incorporated into STIX.
- Trusted Automated Exchange of Indicator Information (TAXII) – This is the specification for an application layer protocol that allows the communication of CTI over HTTPS. TAXII is designed to support STIX.
- CybOX – This is a set of standardized schemas for specifying, capturing, characterizing, and communicating events and properties of network operations that supports many cybersecurity functions.
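To show what the STIX content carried over TAXII actually looks like, here is an added example (written for this page, not taken from the STIX specification's own code or any vendor tool) that builds a minimal STIX 2.1 indicator bundle and then consumes it the way a defender would, pulling IPv4 atoms out of the patterns for a watchlist. The indicator IDs, timestamps and addresses are constructed sample values (the addresses come from the documentation ranges); the required field names follow STIX 2.1. One deliberately incomplete object is included to show that a consumer should validate before trusting.

```python
"""Added example (not from the course page): building and consuming a minimal
STIX 2.1 indicator bundle of the kind exchanged over TAXII.

IDs, timestamps and IP addresses are constructed sample values (documentation
ranges); the required fields follow the STIX 2.1 specification.
"""
import json
import re
import uuid
from datetime import datetime, timezone

REQUIRED_INDICATOR_FIELDS = (
    "type", "spec_version", "id", "created", "modified",
    "pattern", "pattern_type", "valid_from",
)
# Matches one comparison atom such as  ipv4-addr:value = '203.0.113.7'
IPV4_ATOM = re.compile(r"ipv4-addr:value\s*=\s*'([0-9.]+)'")


def stix_timestamp(dt: datetime) -> str:
    """RFC 3339 in UTC with millisecond precision and a trailing Z, as STIX requires."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(pattern: str, name: str, created: datetime) -> dict:
    """A STIX 2.1 Indicator SDO; 'name' is optional, the rest are required."""
    ts = stix_timestamp(created)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects: list) -> dict:
    """A Bundle is just a transport envelope around a list of STIX objects."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_indicator(obj: dict) -> list:
    """Return a list of problems; an empty list means the object passes these checks."""
    problems = [f"missing {k}" for k in REQUIRED_INDICATOR_FIELDS if k not in obj]
    if obj.get("type") != "indicator":
        problems.append("type is not indicator")
    if not str(obj.get("id", "")).startswith("indicator--"):
        problems.append("id does not start with indicator--")
    return problems


def extract_ipv4(bundle: dict) -> list:
    """Pull IPv4 atoms out of well-formed STIX-pattern indicators, e.g. to feed
    a SIEM watchlist; malformed objects are skipped rather than trusted."""
    ips = []
    for obj in bundle.get("objects", []):
        if obj.get("pattern_type") == "stix" and not validate_indicator(obj):
            ips.extend(IPV4_ATOM.findall(obj["pattern"]))
    return ips


def sample_bundle() -> dict:
    """Constructed feed: two valid indicators and one that is missing required fields."""
    created = datetime(2024, 1, 9, 10, 30, tzinfo=timezone.utc)
    return make_bundle([
        make_indicator("[ipv4-addr:value = '203.0.113.7']", "Constructed blocklist entry", created),
        make_indicator(
            "[ipv4-addr:value = '198.51.100.22' OR ipv4-addr:value = '203.0.113.8']",
            "Constructed scanner pair", created),
        {"type": "indicator", "pattern": "[ipv4-addr:value = '192.0.2.1']"},  # incomplete
    ])


if __name__ == "__main__":
    bundle = sample_bundle()
    print(json.dumps(bundle, indent=2))
    print("watchlist:", extract_ipv4(bundle))
```

The regex is intentionally narrow: it understands only IPv4 equality atoms, so a pattern using another object type or operator contributes nothing rather than something wrong. A production consumer would use a STIX pattern parser, but the validate-then-extract shape is the same.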
The Malware Information Sharing Platform (MISP) is an open source platform for sharing indicators of compromise for newly discovered threats.