Enforcing Your Bullet-Proof Security Policy - Page 2
If management judges the site to be sufficiently vulnerable, it may choose a protect-and-proceed strategy. The primary goal of this strategy is to protect and preserve the site's facilities and, where possible, to keep users from experiencing any interruption. Active attempts are made to interfere with the intruder's processes, prevent further access, and begin immediate damage assessment and recovery. This may involve shutting down the facilities, closing off access to the network, or other drastic measures. The drawback is that unless the intruder is identified in the process, he or she may return to the site by a different path or move on to attack another site.
The pursue-and-prosecute strategy adopts the opposite philosophy and goals. Its primary goal is to allow the intruder to continue operating at the site until the responsible persons can be identified. Law enforcement agencies and prosecutors endorse this approach. However, these agencies cannot exempt a site from possible lawsuits by its own users if damage occurs to their systems and data while the intruder is being pursued.
Prosecution is not the only outcome possible if the intruder is identified. If the culprit is an employee or a student, your organization may choose to take disciplinary actions. To this end, the computer security policy will need to spell out the choices and how they will be selected if an intruder is caught.
Site management needs to consider its approach to this issue carefully before an incident occurs. The strategy adopted might depend on the circumstances of each incident, or there may be a global policy mandating one approach in all cases. You will need to examine the pros and cons thoroughly, and you will have to make the users of the facilities aware of the policy so that they understand the exposure they face under whichever approach is taken.
The following checklists will help a site decide which strategy to adopt: protect-and-proceed or pursue-and-prosecute. The more items that apply, the stronger the case for that strategy.
- Protect-and-Proceed Strategy
  - If assets are not well protected
  - If continued penetration could result in great financial risk
  - If the possibility of, or willingness to, prosecute is not present
  - If the user base is unknown
  - If users are unsophisticated and their work is vulnerable
  - If the site is vulnerable to lawsuits from users, e.g., if their resources are undermined
- Pursue-and-Prosecute Strategy
  - If assets and systems are well protected
  - If good backups are available
  - If the disruption caused by the present and possibly future penetrations outweighs the risk to the assets
  - If this is a concentrated attack occurring with great frequency and intensity
  - If the site is a natural attraction to intruders and consequently attracts them regularly
  - If the site is willing to incur the financial (or other) risk to assets by allowing the penetrator to continue
  - If intruder access can be controlled
  - If the monitoring tools are sufficiently well developed to make the pursuit worthwhile
  - If the support staff is sufficiently clever and knowledgeable about the operating system, related utilities, and systems to make the pursuit worthwhile
  - If management is willing to prosecute
  - If the system administrators know in general what kind of evidence would lead to prosecution
  - If there is established contact with knowledgeable law enforcement
  - If there is a site representative versed in the relevant legal issues
  - If the site is prepared for possible legal action from its own users if their data or systems become compromised during the pursuit