What Sort of Things Do Policies Regulate ? Flashcards
Encryption
Many providers, especially cloud providers and ISPs, have policies in place that dictate which encryption should be used.
This is done to prevent the usage of compromised encryption and it ensures that there is compatibility and ease of use.
Dictating your set of encryptions is also important when it comes to allowing decryption between any entities who have clearance to view or use the encrypted information.
(if you and a team are working on a project, then you would often have the same encryption on all data to be exchanged among you, so all members of that team would be able to decrypt the information they need to view).
Access Control
Most personnel w/in a system will not need access to sensitive hardware (routers, servers, etc.) and giving personnel unnecessary access to such things can have a massive effect on overall security in a bad way (no bueno, boy-o).
As such, there are often policies to restrict access to these devices.
(ex. routers in the ceiling, servers behind locked doors, monitored outlets, all that saucy shoizte)
Authentication
He didn’t give me much of an outline for this one, but here’s an example of a policy pertaining to authentication at least:
In a good number of cases, a corporation will not allow you to authenticate from an unknown or publicly accessible source (like off the wifi connection at a coffee shop) to help prevent fraudulent authentication.
Firewalls
An example:
The prohibition of social media domains.
If, for work-related reasons, an employee requires access to social media, then they’ll often have to submit a request, which must then be approved by someone who has the authority to do so.
Antivirus
Basically:
- What’s the program ?
- Is it half-decent ?
- What’s the developer’s track record like ?
- Are there any flaws, if so, what are they ?
- Are there any programs that’d be more reliable, if so, are they worth the cost ?
A policy could be:
Personnel may only make use of antivirus software that was developed by [x] companies, countries, etc.
If a sanction is placed w/in a country and you use antivirus software from that country that is inconsistent with said sanction, then your company could become legally liable.
Websites
The vast majority of companies will have a website where they will display all relevant information to their clients.
Policies pertaining to such websites are set in place in order to:
- regulate the sort of data that may be displayed
- dictate where the website may be hosted
- so on ? ?
Ex. all photographs displayed on the website must be approved by [this person] to verify that the company does not infringe on copyright, in order to prevent lawsuits.
(Equipment policy)
A policy can state “all network equipment must be purchased from [x] company so that the network structure consists entirely of products from a single manufacturer”
This reduces the cost drastically, it provides better intercompatibility, and it lowers all operating costs just on account of the fact that you will only need one set of employees who have been trained to operate these products.
What are the different types of security policies ?
- Promiscuous
- Permissive
- Prudent
- Paranoid
Paranoid Security Policies
Somewhat akin to the Linux FirewallD command, “panic”.
When the panic command is issued, all traffic on the specified device is dropped (if you’re logged in via SSH to a remote server and you issue this command, your connection’ll also be dropped).
This is essentially the function of a paranoid policy, wherein you institute a policy whereby all network traffic going in and out is stopped.
In this scenario, traffic could be entirely non-existent or just severely limited.
Q. in what circumstance is it a good idea to create such a policy ?
A. in the case wherein the system in question is hosting something of such significantly high value or importance that it’s no longer worth even taking the slightest risks in terms of security to allow for increased functionality.
(now, in simple terms for all you mongoloidian baby-brained boys out there
(ie: me): essentially, you got a big piece of data or information or what not that you wanna protect at all costs, so you do, and the /cost/ is decreased functionality.
Remember:
increased security = decreased functionality).
Promiscuous Security Policies
Think of Promiscuous Security Policies as a sort of “opposite” to Paranoid Security Policies in terms of functionality.
Whereas paranoid policies cease all network traffic, promiscuous policies place no restrictions on any of the personnel to whom they apply.
Enacting this sort of policy is generally a very bad idea and should pretty much only be done in very particular circumstances.
Actually, the only 1% circumstance (according to Ermin) in which these policies should be implemented is when you have a team made up of extremely knowledgeable, well educated, and efficient people (all w/ good track records), because all members of the team would already have an in-depth understanding of how to behave w/in a network and how to defend themselves and the system from a security standpoint, so it may be worth it to lift all network restrictions held on the team for the sake of their overall efficiency.
Permissive Security Policies
A Permissive Security Policy allows all traffic, in and out, w/out restrictions except in the cases where it identifies a piece of traffic as malicious.
Prudent Security Policies
Prudent Security Policies are essentially the direct opposite of Permissive Security Policies.
Prudent Security Policies block all traffic except that which they can identify as non-malicious w/ complete certainty.
Permissive = restricts nothing except that which it identifies as malicious.
Prudent = restricts everything except that which it identifies as non-malicious.
? ? ? Prudent Security Policies will make use of policies which state exactly which programs are allowed to run on which ports, etc. ? ? ?