Assignment 2
Angie Abu-Alam
September 26, 2013
Prof: Steven Bale
AUP
2. Using Figure 2.1, review the seven domains of a typical IT infrastructure.
FIGURE 1: Seven domains of a typical IT infrastructure
Seven domains of IT:
User Domain: The people who access the company's information system
Workstation Domain: The devices connected to the IT infrastructure (computers or other devices)
LAN Domain: Many computers connected to a common medium (optical cables, wires, fibers)
LAN-to-WAN Domain: Where the IT infrastructure connects to the Wide Area Network and the Internet
WAN Domain: Connects the organization to remote locations
Remote Access Domain: Connects remote users to the company's IT infrastructure
Systems/Application Domain: The important server systems, applications, and data (payroll,
accounting, purchasing, billing) (Risk Management Business Challenges, n.d.).
3. Go to http://cve.mitre.org and search the resulting list of articles for entries related to the user
domain. In your text document, identify the risks, threats, and vulnerabilities commonly
found in the user domain. (Name at least three risks/threats.)
1. Unauthorized users: Unauthorized access to system applications, data and workstations.
“when configured as an Active Directory domain controller, uses world-writable
permissions on non-default CIFS shares, which allows remote authenticated users to read,
modify, create, or delete arbitrary files via standard filesystem operations” (Common
Vulnerabilities and Exposures, 2013).
2. Policy is not enforced to mobile users:
“IBM Lotus Notes Traveler before 8.5.1.3, when a multidomain environment is used,
does not properly apply policy documents to mobile users from a different Domino
domain than the Traveler server, which allows remote authenticated users to bypass
intended access restrictions by using credentials from a different domain” (Common
Vulnerabilities and Exposures, 2013).
3. Viruses, malicious code and malware infecting a user's device:
“Multiple cross-site scripting (XSS) vulnerabilities in SpamTitan 5.07 and possibly
earlier allow remote attackers or authenticated users to inject arbitrary web script or
HTML via the (1) ipaddress or (2) domain parameter to setup-network.php, different
vectors than CVE-2011-5149” (Common Vulnerabilities and Exposures, 2013).
4. Microsoft windows vulnerabilities (Common Vulnerabilities and Exposures, 2013).
5. Phishing attacks (Common Vulnerabilities and Exposures, 2013).
“Multiple open redirect vulnerabilities in One Click Orgs before 1.2.3 allow (1) remote
attackers to redirect users to arbitrary web sites and conduct phishing attacks via the
return_to parameter, and allow (2) remote authenticated users to redirect users to
arbitrary web sites and conduct phishing attacks via crafted characters in the domain
name of a subdomain” (Common Vulnerabilities and Exposures, 2013).
4. Change your browser’s Web address to
http://www.sans.org/reading_room/whitepapers/threats/. Scroll through the list of articles
to find articles on threats and vulnerabilities in the user domain. Choose two articles that
discuss two of the risks or threats you listed in the previous step. In your text document,
discuss how these articles explain how to mitigate risks or threats in the user domain.
Article: Peyton, E. (November, 2003). Corporate Anti-Virus Protection - A Layered
Approach. SANS Institute. Retrieved from: http://www.sans.org/readingroom/whitepapers/threats/corporate-anti-virus-protection-layered-approach-1251
Threat: Viruses
Mitigation: In order to have the most effective defense, anti-virus detection should be installed in
these network layers:
1. Desktop/Server: The most common place to install anti-virus protection is at the
desktop/server layer.
2. Email Store (Server): Email is the number one source of virus infections in many organizations.
Blocking suspicious emails and scanning attachments before an end user opens them is an
integral part of keeping viruses away.
3. Gateway Virus/Firewall: Implementing anti-virus protection at the Internet gateway is very
important; it reduces the risk of virus-infected data ever reaching the end users.
Multi-level protection prevents infection and eliminates a single point of failure. It ensures that a virus
arriving from the Internet or from another internal device will be stopped somewhere (Peyton, 2003).
Article: Elledge, A. (July, 2004). Phishing: An Analysis of a Growing Problem. SANS
Institute. Retrieved from: http://www.sans.org/reading-room/whitepapers/threats/phishinganalysis-growing-problem-1417
Threat: Phishing
Mitigation: There is no single or immediate solution. The article offers long-term
solutions which require collective collaboration between different members of society:
- More research and development of anti-fraud technologies needs to be done
- Computer users need to be better educated
- Consumers also need to be better educated about online threats and vulnerabilities
- Organizations need to report online fraud and scams
- The security community needs to find new ways to make e-mail and online commerce much
safer (Elledge, 2004).
Article:
Williams, J. (Nov., 2003). Managing vulnerabilities exposed by Windows services. Retrieved
from: http://www.sans.org/reading-room/whitepapers/threats/managing-vulnerabilities-exposedwindows-services-1247
Threat: Software vulnerabilities
Mitigation: There is no single solution; instead, multiple methods of protection must be combined.
This multi-layered solution is the best way to protect systems from Windows service exploits
while allowing the systems to keep working. Here are the three approaches to use:
first, one must secure the user, then secure the operating system, and finally secure the services
themselves.
1. Securing the user: It is very important to restrict user rights.
2. Securing the operating system: Patch the exploits as soon as possible; time is of the
essence. It is important to have quality assurance and to test the system thoroughly. Also,
taking proactive initiative to prevent Windows service exploits is very important.
3. Securing the service: Many developers allow a service to run under the default security
privilege, LocalSystem. Preventing users from running services under the LocalSystem
privilege, and using the “subinacl” resource kit tool, will prevent the average “user”
from having access to manipulate the service. Such access should only be allowed if it is necessary
or essential to their needs (Williams, 2003).
5. Next, visit the following websites. In your text document, list the main components of
each of the acceptable use policies (AUPs) documented at each of these sites:
• Health care: http://it.jhu.edu/policies/itpolicies.html
• Higher education: http://policies.georgetown.edu/31641.html
• U.S. federal government: https://www.jointservicessupport.org/AUP.aspx
Health care: http://it.jhu.edu/policies/itpolicies.html
Information Technology Policies
A. Introduction
B. Definitions
C. Sponsorship
D. Enforcement
E. Review Cycle
USE POLICIES
1. Use of IT Resources Policy
2. E-mail Use Policy
3. Anti-virus Policy
Higher education: http://policies.georgetown.edu/31641.html
Statement
Applicability
Guiding principles
Disclaimer
Responsibilities
1. Functionality and Availability
2. Computer Accounts
3. Information Security
4. Shared Resources
5. Intellectual Property
6. Publication
7. Personal Information
Administration and implementation
Enforcement
U.S. federal government: https://www.jointservicessupport.org/AUP.aspx
1. User Agreement with consent
2. Security Rules
6. In your text document, explain how a risk can be mitigated in the user domain with an
acceptable use policy (AUP). Base your answer on what you read in the previous step.
An acceptable use policy is a document that the employee signs in which the
expectations, roles and responsibilities are outlined. It explains to employees what is acceptable
and what is unacceptable to do. The first layer in the IT infrastructure is the User Domain. It is
also the weakest link, where most of the risks, threats and vulnerabilities take place (Risk
Management Business Challenges, n.d.). But these security risks can be mitigated if an
organization has an Acceptable Use Policy (AUP). The AUP defines what is acceptable and what
is unacceptable, and it outlines the roles and responsibilities of each employee. It gives employees
access to the systems, applications and data based on their access rights. Here is how the AUP
mitigates a risk in the user domain:
Risk: Viruses, malware and other threats:
An AUP will mitigate the risk of viruses, malware and other threats by defining the
responsibility of every user to ensure that anti-virus protection is current:
a. Configuring anti-virus software to provide real-time protection
b. Executing virus scans frequently
c. Not opening e-mail attachments from suspicious sources
d. Not downloading files from suspicious sources
e. Avoiding direct disk sharing with read/write access unless it is related to your job duty and it
is essential
f. Scanning all removable media for viruses before use
7. Consider the following fictional organization, which needs an acceptable use policy
(AUP):
XYZ Credit Union
Acceptable Use Policy for XYZ Credit Union
Policy Statement
XYZ Credit Union's purpose in publishing an Acceptable Use Policy is to define what is
acceptable and what is unacceptable use of the company's computer equipment, Internet
browsing, network accounts, e-mail and operating systems. These systems are to be used for
business purposes only. This policy will be followed by all members, and it requires the
participation and support of every XYZ Credit Union employee. XYZ Credit Union complies
fully with the Gramm-Leach-Bliley Act (GLBA) (InfoSec Acceptable Use Policy, n.d.).
Purpose/Objectives
The purpose of this policy is to define the acceptable use of computer equipment at XYZ
Credit Union. These rules are in place to protect the employee and XYZ Credit Union. Our
customer service department is the organization’s most critical business function and our IT
equipment must be secured and protected to serve our clients (InfoSec Acceptable Use Policy,
n.d).
- No personal use of the Internet at any time
- Internet browsing will be monitored by your employer
- E-mail is for business use only
- All IT equipment is to be used to serve business functions and not for personal use
(phones, faxes, printers, scanners, etc.)
Scope
All employees, consultants, temporary and other workers at XYZ Credit Union must adhere to
this policy. This policy applies to all IT assets owned by XYZ Credit Union and to personal devices
that connect to the XYZ Credit Union network. The first layer in the IT infrastructure is the User
Domain. It is also the weakest link, where most of the risks, threats and vulnerabilities take place.
System Accounts
1. Every employee is responsible for the security of the data, accounts, and systems under their
control. You must keep passwords secure at all times. Passwords must be hard to guess
and should be changed quarterly. Do not share account or password information with
anyone.
2. Anti-virus protection must be current. You are responsible for running it frequently and for
updating and configuring it on a regular basis (InfoSec Acceptable Use Policy, n.d.).
Computing Assets
1. All PCs, PDAs, laptops, and workstations must be secured with a password-protected
screensaver that activates after 15 minutes or less. You must log off when you
leave your workstation.
2. All devices that connect to the organization's network must comply with regulations
(InfoSec Acceptable Use Policy, n.d.).
Unacceptable Use:
1. No personal browsing is allowed. Webmonitor will be installed in every workstation.
Also, content filtering will be implemented.
2. Do not open attachments that look suspicious.
3. Do not use email for personal reasons. Email is strictly for business functions. There will
be implementation of email security controls.
Network Use
It is your responsibility to use the network resources under your control in a secure manner. It is
unacceptable:
1. To access data, servers, or accounts that you are not authorized to access
2. To download pictures, music, videos or software that are not business related and that you
do not have permission to download
3. To use the Internet for personal reasons. Every workstation will have a sticker placed on
it reminding the user that they will be monitored by their employer (InfoSec
Acceptable Use Policy, n.d.).
E-mail: It is unacceptable:
1. To send non-business-related messages
2. To send spam via e-mail
3. To open suspicious attachments
Procedures
This policy must be followed by all employees working in all XYZ Credit Union branches. Failure
to adhere to these rules may result in disciplinary action or termination of employment (InfoSec
Acceptable Use Policy, n.d.).
Guidelines
The establishment and implementation of an effective AUP is very important. If an
employee violates the AUP, enforcement must follow, proportionate to how damaging the
violation is. It is a growing issue that many employers do not enforce their AUP. Another
important issue is identifying the sources of threats and who is responsible for them. For
example, if you require password protection for user logins, the source of a threat can be easily
identified. Also, by monitoring web browsing you can identify the source of threats.
Knowing the source of a risk, you can mitigate it.
References:
Common Vulnerabilities and Exposures. (2013). Retrieved from: http://cve.mitre.org/
Elledge, A. (July, 2004). Phishing: An Analysis of a Growing Problem. SANS Institute.
Retrieved from: http://www.sans.org/reading-room/whitepapers/threats/phishinganalysis-growing-problem-1417
InfoSec Acceptable Use Policy. (n.d.). SANS Institute. Retrieved from:
http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf
Peyton, E. (November, 2003). Corporate Anti-Virus Protection - A Layered Approach. SANS
Institute. Retrieved from: http://www.sans.org/readingroom/whitepapers/threats/corporate-anti-virus-protection-layered-approach-1251
Risk Management Business Challenges. (n.d.). Retrieved from:
http://samples.jbpub.com/9780763791872/91872_CH01_p001_028.pdf
Williams, J. (Nov., 2003). Managing Vulnerabilities Exposed by Windows Services. SANS Institute. Retrieved
from: http://www.sans.org/reading-room/whitepapers/threats/managing-vulnerabilitiesexposed-windows-services-1247
Question Assessments:
Overview
The purpose of an acceptable use policy (AUP) is to establish the rules for a specific
system, network, or website. These policies outline the rules for achieving compliance, for
example. They also help an organization mitigate risks and threats because they establish what
can and cannot take place. In this lab, you defined an AUP as it relates to the user domain, you
identified the key elements of sample AUPs, you learned how to mitigate threats and risks with
an AUP, and you created your own AUP for an organization.
Lab Assessment Questions & Answers
1. What are three risks and threats of the user domain?
1. Lack of user awareness, 2. Security policy violation, 3. User downloads onto devices, 4. User
destruction of systems or data
2. Why do organizations have acceptable use policies (AUPs)?
To mitigate the risks and threats that can be created by usage of the system
3. Can Internet use and e-mail use policies be covered in an acceptable use policy?
Yes
4. Do compliance laws, such as HIPAA or GLBA, play a role in AUP definition?
Yes. An AUP can be used to keep the company in compliance with policies and rules such as HIPAA and
GLBA.
5. Why is an acceptable use policy not a fail-safe means of mitigating risks and threats within
the user domain?
Many employees will violate and will not adhere to the AUP
6. Will the AUP apply to all levels of the organization? Why or why not?
Yes. To maintain consistency and predictability across the organization and to separate
departments and employees based on their work needs
7. When should an AUP be implemented and how?
Prior to providing access to a network and users should sign and acknowledge the rules and
policies
8. Why does an organization want to align its policies with the existing compliance
requirements?
To mitigate legal actions against it.
9. In which domain of the seven domains of a typical IT infrastructure would an acceptable use
policy (AUP) reside? How does an AUP help mitigate the risks commonly found with employees
and authorized users of an organization’s IT infrastructure?
An AUP would reside in the first layer of the seven domains, which is the User Domain. The user
domain defines what data a person can and cannot have access to within an organization's
information system. The AUP mitigates risks by defining what a user is allowed to use of the
organization's own IT assets, and how. It outlines employees' responsibilities regarding acceptable and
unacceptable use of e-mail and web browsing, keeping anti-virus protection current, etc. All
this helps mitigate the risks commonly found with users of an organization's IT infrastructure.
10. Why must an organization have an acceptable use policy (AUP) even for non-employees,
such as contractors, consultants, and other third parties?
Because they are using the company's resources and company systems, the organization is acting
as a gateway for them and should make them aware of the rules and policies that they should
abide by. Any improper or illegal action done against compliance requirements, or drainage of
the system, will point back to the organization, so non-employees should be aware of it and be
held accountable if rules are broken.
11. What security controls can be deployed to monitor and mitigate users from accessing
external websites that are potentially in violation of an AUP?
Software such as webmonitor can be installed to allow the network managers to monitor traffic.
Also, websites can be blocked when they are known to violate AUP rules.
12. What security controls can be deployed to monitor and mitigate users from accessing
external webmail systems and services (that is, Hotmail, Gmail, Yahoo, etc.)?
Software such as webmonitor can be installed to allow the network managers to monitor traffic.
Also, webmail addresses and services can be blocked when they are known to violate AUP rules.
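The traffic-monitoring and blocking controls described in the two answers above, as an added example that is not part of the assignment or of any referenced SANS material: a Python checker that applies constructed webmail and personal-browsing block lists (with a hypothetical business mail host, mail.xyzcu.example, exempted) to constructed proxy log lines in Squid's native access.log layout and reports AUP violations per user.

```python
"""Flag AUP web-browsing violations in proxy access logs (added example)."""
import re
from urllib.parse import urlsplit
# Constructed block lists standing in for a content filter's category feeds.
AUP_CATEGORIES = {
    "webmail": {"gmail.com", "mail.google.com", "outlook.live.com", "mail.yahoo.com"},
    "personal_media": {"youtube.com", "netflix.com"},
}
ALLOWED_EXCEPTIONS = {"mail.xyzcu.example"}  # business mail host (hypothetical), never flagged
# Squid native access.log layout: time elapsed client code/status bytes method url user
# peer type.  Only the fields needed for the AUP report are captured.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)")
# Constructed sample log; users, addresses and timestamps are fictional.
SAMPLE_LOG = """\
1380182400.123 210 10.1.5.23 TCP_MISS/200 3450 GET http://www.sans.org/reading-room/ alice HIER_DIRECT/192.0.2.10 text/html
1380182405.456 180 10.1.5.23 TCP_TUNNEL/200 1200 CONNECT mail.google.com:443 alice HIER_DIRECT/192.0.2.11 -
1380182410.789 150 10.1.5.40 TCP_MISS/200 9800 GET https://outlook.live.com/mail/ bob HIER_DIRECT/192.0.2.12 text/html
1380182420.000 200 10.1.5.40 TCP_MISS/200 500 GET https://mail.xyzcu.example/owa/ bob HIER_DIRECT/192.0.2.13 text/html
1380182430.000 300 10.1.5.23 TCP_MISS/200 70000 GET https://www.youtube.com/watch?v=abc alice HIER_DIRECT/192.0.2.14 video/mp4
this line is not a valid log record and must be skipped
"""

def host_of(url):
    """Lower-cased host; CONNECT requests are logged as bare host:port."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def in_domain(host, domain):
    """True if host is the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify(host):
    """AUP category the host falls into, or None if the request is permitted."""
    if any(in_domain(host, d) for d in ALLOWED_EXCEPTIONS):
        return None
    for category, domains in AUP_CATEGORIES.items():
        if any(in_domain(host, d) for d in domains):
            return category
    return None

def find_violations(lines):
    """Parse log lines; return one record per request that violates the AUP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # malformed or truncated record: skip it, never crash the scan
            continue
        host = host_of(m["url"])
        category = classify(host)
        if category:
            hits.append({"ts": m["ts"], "user": m["user"], "client": m["client"],
                         "host": host, "category": category})
    return hits

def summarize(violations):
    """Per-user, per-category counts for the AUP enforcement report."""
    report = {}
    for v in violations:
        per_user = report.setdefault(v["user"], {})
        per_user[v["category"]] = per_user.get(v["category"], 0) + 1
    return report
```

Run `summarize(find_violations(SAMPLE_LOG.splitlines()))` to get the per-user report; in a real deployment the category lists would come from the web filter's feeds and the log from the proxy itself.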
13. Should an organization terminate the employment of an employee if he/she violates an
AUP?
If it is written clearly in the enforcement section for any violation of the AUP by an employee,
then yes. If it is not written, then disciplinary action should be taken.