
Development of security architecture

Date post: 29-Nov-2014
Upload: imran-khan

Development of Security Architecture: Security Policies, Logical Security Architecture & Physical Security Architecture

By: Imran Ahmed Khan (University of Texas at Tyler)


Security Policies

• Awareness and Training: Conduct “Computer Security awareness” sessions once a month to educate users about the security risks associated with their activities and about the applicable laws, regulations and policies related to the security of the organization's information systems.

• Policy regarding Software Installations: Employees should not be allowed to install any software on their PCs, whether for business or entertainment purposes, without getting approval from the manager in charge of such activities.


• Password Selection: This policy is to help keep user accounts secure. It defines how often users must change their passwords, how long they must be, complexity rules (types of characters used, such as lower case letters, upper case letters, numbers, and special characters), and other items.

• Policy regarding Instant Messengers: Instant messengers may help an attacker exploit a vulnerability and send infected files through the messenger. Through chatting, an attacker may gather information about a user, which may result in account hacking.


• Email Communication: Electronic mail must not be used to communicate confidential or sensitive information. Sometimes an email received by a user is crafted specifically to suit its recipient, often quoting a range of information to convince them of its authenticity. So it is always good practice to make sure that the sender is an authentic person.

• Up-to-date System: Every employee must ensure that software patches and updates are applied in a timely fashion.

Logical Security Architecture

• Appoint Security Administrator: A security administrator maintains an authorization database that specifies what type of access to which resources is allowed for the user. Employees should be given the minimum necessary level of access to data and systems to perform their jobs.

• Authentication and Verification: Combining physical and logical access, it is a core requirement that one single company ID card is used for both purposes. With this combined card, the user enters the company building in the morning and uses his ID card to open the door to his office.


• Auditing: All users should be authenticated individually to allow for the auditing of their actions with computer resources.

• Role-based Access Control Policy: A role-based model will be effective for this company. Instead of giving rights to each user, the security administrator will describe the roles, and those roles will then be assigned to the employees.


• Logging: The security administrator should maintain logs of logon attempts to ascertain whether there were unauthorized attempts to access servers. This will help in anomaly and signature detection techniques.

• Accessing Data Physically: Requiring system administrators to identify themselves at the physical entrance before being allowed to access the console can prevent users who are authorized to access the physical space from using another user’s credentials to access systems to which they themselves do not have access.
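How the logon-attempt logs from the Logging item can feed both detection styles it names, as an added example that is not part of the original slides: two signature rules (a burst of failed logons, and a success right after one) and one anomaly rule (a logon from a source not in the user's own baseline). The log format, user names, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "time user source result" format is an assumption.
SAMPLE_LOG = """\
2014-11-03T08:58:10 alice ws-014 SUCCESS
2014-11-04T09:01:44 alice ws-014 SUCCESS
2014-11-04T22:15:01 bob ws-022 FAILURE
2014-11-04T22:15:09 bob ws-022 FAILURE
2014-11-04T22:15:20 bob ws-022 FAILURE
2014-11-04T22:15:31 bob ws-022 SUCCESS
2014-11-05T03:12:00 alice srv-console SUCCESS
"""

def parse(log_text):
    """Yield (timestamp, user, source, result) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, source, result = line.split()
            yield datetime.fromisoformat(ts), user, source, result

def detect(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return alerts as (rule, user, source) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)    # user -> times of recent failed logons
    baseline = defaultdict(set)      # user -> sources of earlier successful logons
    for ts, user, source, result in parse(log_text):
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()         # forget failures that fell out of the window
        if result == "FAILURE":
            recent.append(ts)
            # Signature rule: a fixed known-bad pattern, a burst of failed logons.
            if len(recent) == max_failures:
                alerts.append(("failure-burst", user, source))
            continue
        # Signature rule: a success right after a burst suggests a guessed password.
        if len(recent) >= max_failures:
            alerts.append(("success-after-burst", user, source))
        recent.clear()
        # Anomaly rule: deviation from the user's own baseline of logon sources.
        if baseline[user] and source not in baseline[user]:
            alerts.append(("new-source", user, source))
        baseline[user].add(source)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because every record carries an individual user name, each alert can be traced to one account, which is what the Auditing item asks for.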


• Malware Protection: Install firewall, anti-virus and anti-malware software on all computers.

• Data and Software Availability: Back up, encrypt and store important records and programs on a regular schedule. Check data and software integrity against original files.


• Confidential Information: Accounts files and company confidential and sensitive files must be encrypted. When deleting sensitive files on fixed disks, floppy disks, or cartridges, overwrite the remaining space with software that writes a random bit-pattern (e.g., "SDelete" from SysInternals at http://www.sysinternals.com; PGP (Pretty Good Privacy), by NAI, also has similar functionality in its tool kit).

Physical Security Architecture

• Protection from DoS (Denial of Service): Install appropriate filters such as:
– “access-list number deny icmp any any redirect”. This disallows ICMP redirect packets.
– “Anti-spoofing”. This controls access through the router and stops packets whose source address is an internal IP address from coming in.
– “no ip directed-broadcast”. This stops directed broadcast packets.
– Test the filters to ensure that the rules are still working (periodically, break testing).
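One way to carry out the periodic filter test from the DoS item, as an added example that is not part of the original slides: a Python check of an IOS-style configuration dump for the three filters named there. The sample configuration, interface names, ACL number and internal address range are constructed; the check assumes the filters are applied inbound on the external interface and that “no ip directed-broadcast” is written out explicitly for each interface.

```python
import re
from itertools import takewhile

# Constructed IOS-style config; names, ACL 101 and 10.0.0.0/8 are assumptions.
SAMPLE_CONFIG = """\
access-list 101 deny icmp any any redirect
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
!
interface Serial0
 ip access-group 101 in
 no ip directed-broadcast
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
"""

def audit(config, external_if="Serial0", internal_src="10.0.0.0 0.255.255.255"):
    """Return sorted findings; an empty list means all three filters were found."""
    acls, interfaces, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\d+) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current:
            interfaces[current].append(line)    # sub-command of the interface
        else:
            current = None
    # Inbound ACLs on the external interface; entries after a blanket permit never match.
    inbound = [l.split()[2] for l in interfaces.get(external_if, [])
               if re.fullmatch(r"ip access-group \d+ in", l)]
    rules = [r for n in inbound
             for r in takewhile(lambda x: x != "permit ip any any", acls.get(n, []))]
    findings = []
    if "deny icmp any any redirect" not in rules:
        findings.append(f"{external_if}: ICMP redirects not denied inbound")
    if f"deny ip {internal_src} any" not in rules:
        findings.append(f"{external_if}: no anti-spoofing rule for {internal_src}")
    for name, lines in interfaces.items():
        if "no ip directed-broadcast" not in lines:
            findings.append(f"{name}: directed broadcasts not disabled")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the constructed sample the only finding is the internal interface, where the broadcast setting is missing; a configuration check of this kind complements, and does not replace, testing the filters with live traffic.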


• Secure Server Hardware:
– Place your servers and communication equipment in a secure room.
– Give restricted access to the server/communication room.
– Avoid using server consoles as much as possible.
– Match hardware compatibility when buying/installing the server.
– Disable CD-ROM or floppy disk boot.
– Only authorized users may enter that room.
– Must have surveillance cameras inside and outside the room.


• Host Protection:
– Install anti-virus software on all the workstations and update it regularly.
– Ensure workstation data is included in the daily (nightly) backups.
– Have a personal firewall installed on all (if possible) workstations. My recommendation is to use “Windows Firewall” or “Zone Alarm”.

• Intrusion Detection System:
– Deploy passive network sensors to monitor a copy of network traffic. This will help in detecting intrusions.
– These sensors will analyze network, transport and application protocols to identify suspicious activity.


• Critical Resources / Securing the Facility:
– Access must be restricted to authorized persons, who are also required to identify themselves before entering and exiting.
– Must have surveillance cameras inside and outside the room.
– Keep the doors of the server room locked even during normal business hours.
– Adequate electric wiring.
– Should not have windows to the outdoors.
– Must be located in areas that are not subject to flooding.
– Only authorized persons can enter the building after normal office hours.
