Linux Networking and Security Chapter 7 Security, Ethics, and Privacy

Upload: clara-heath

Post on 20-Jan-2016



Linux Networking and Security

Chapter 7

Security, Ethics, and Privacy


Security, Ethics, and Privacy

List security risks typical in modern networked computer systems

Understand how to assess risk and create a security policy

Describe the function of top security-awareness organizations

Outline government’s security and privacy role

Locate Linux products designed especially for security-conscious environments


Introducing Computer Security and Privacy

Computer security is a large and specialized field, separate in many ways from the day-to-day operation of a network server

Unauthorized computer access events are common because the more broadly a computer is networked, the greater the potential for access to that computer

This broad access is what gives networked computers their power, but it also creates opportunities for malicious intent


The Privacy Debate

Any personal information stored on a computer is threatened by someone cracking the system where it is stored

A great deal of personal information must be stored on computers to make government and businesses function efficiently

Laws and government regulations control who can access your credit records; businesses typically provide privacy policies


The Privacy Debate

Privacy policies usually contain information similar to one of the following:

- We don’t collect or save any information about visitors to our web site
- We collect information in order to complete a sale or register users, but we do not share that data
- We collect information on visitors and use patterns to determine if a visitor might be interested in some of our other products
- We collect information and share it with our partners who may have products that interest you


Ethics and System Administrators

The burden of ethical use of data typically falls on the system administrator

Ethics deals with the issue of doing the right thing at the right time, for the right reason

Ethics codes were developed to define the role of system administrators in organizations and to increase the respectability and raise standards of behavior in the profession

Support organizations for system administrators include SAIR/GNU and SAGE


Risk Assessment and Security Policies

The best approach to security is to make a system highly secure without undue annoyance to authorized users

“Security through obscurity” assumes that if no one knows about your system, you are safe, but this approach must be avoided

Hardware, software, and data are primary targets of attack, but of these three, the threat to data is the most serious


Risk Assessment and Security Policies

Crackers break into systems:

- In order to steal data (such as credit card) for their own use
- To corrupt data, maybe unintentionally, but often for malicious reasons
- To block access to the system, as in a Denial-of-Service (DoS) attack

Crackers are not the only threat to systems; a majority of security incidents result from the actions of users within an organization


Risk Assessment and Security Policies

Standard computer attack techniques:

- Password cracking involves obtaining a password by using a password guessing program or by guessing based on a user’s personal information
- Trojan horse attacks occur when an illicit program is run from an untrustworthy source
- Buffer overflow attacks rely on a weakness in the design of a program dealing with buffer (memory space) management
- Denial-of-Service attacks try to overwhelm your system so that valid users cannot access it


Risk Assessment and Security Policies

Security should begin with a careful analysis of the assets being protected and their value

- These assets can include reputation, revenue generation, secret data, or other factors

Security is often divided into four layers:

- Physical security - physical access to Linux server
- User security - user authorization and privileges
- File security - file access limitations
- Network security - secure network configuration


Social Security

Computer security includes an aspect which is really about people, knowing why they act as they do and knowing whom to trust

This is true from the perspective of the system administrator and the cracker

The system administrator must be keenly aware of how to implement measures that will thwart the activities and access attempts of the cracker


Social Security

The system administrator must proceed with caution regarding where they obtain Linux, since the Linux kernel taken from the Internet could have been altered by a cracker to permit access via a source code back door

- A back door is a method of accessing a program that is known to its creator but not to other users

The Linux code must be continually upgraded with security patches to prevent attacks


Social Security

Not only the system administrator but also the users of any system must be savvy as to the plans of crackers, because crackers use a tactic called social engineering

- Social engineering involves a cracker manipulating a system user to extract needed access information
- Often a cracker will simply obtain a user’s name and call them in order to obtain information, or they could walk past an employee’s workstation and gather information from posted data


Creating a Security Policy

A security policy is a written document that may do any of the following:

- Analyze what assets are at risk
- Provide network danger statistics to end users
- Provide security procedures
- Outline user access levels
- Compile specific actions to make the system secure after reboot
- Outline procedures to follow when an intrusion by a cracker has been detected


Security-Focused Organizations

Two key ways that an organization can stay security-focused are:

- Upgrading the Linux system regularly using information from security organizations whenever a security issue is discovered
- Taking advantage of professional organizations which act as clearinghouses for recent security information; they help organizations learn more about security and how to implement what is learned


Upgrading Your Linux System

Your first goal is to keep your system upgraded, including the Linux kernel and programs that run on Linux

Most of the updates for security problems come in the form of a patch

The best way to stay informed about upgrades and patches is to subscribe to the security notification service of a reputable Linux vendor


The Security Experts

Two organizations are known as bastions of computer security information:

- The CERT Coordination Center (CERT/CC) is a federally funded software engineering institute operated by Carnegie-Mellon University
- The System Administration, Networking, and Security (SANS) Institute is a prestigious and well-regarded education and research organization whose staff includes most of the leading security experts in the country


The U.S. Government and Computer Security

Because computer security is increasingly viewed as part of our national security, the U.S. federal government continues to increase its involvement with the computer security industry

Two examples of new roles the government is playing are prosecutor of computer crimes and an information clearinghouse to encourage good security practices


Security and the Law

When Congress passed the Computer Fraud and Abuse Act, it became a crime to access a computer without authorization

Additional laws have been passed to help stop the acts of crackers, including the Computer Security Act, the National Information Infrastructure Protection Act and the Patriot Act

Since crackers are difficult to prosecute, the FBI now has special computer crime units


Government Agency Resources

The following list describes some key resources for learning about U.S. government involvement with computer crime:

- The FBI’s National Computer Crime Squad
- The U.S. Department of Justice, Criminal Division
- The FBI’s National Infrastructure Protection Center (NIPC)
- The Department of the Treasury runs the Secret Service and the Financial Crimes Enforcement Network (FinCEN)


Security-Focused Linux Products

The National Security Agency has released an experimental version of Linux called NSA security-enhanced Linux

Trustix released Trustix Secure Linux, which is a thoroughly configured server with tight security

Another option for a more security-conscious Linux is the Bastille Linux hardening package (to harden a package is to make it more secure against crackers)


Chapter Summary

An amazing number and variety of unauthorized computer access events continually plague network servers all over the world

Computer security is a serious field that pits crackers against administrators seeking to protect their employer’s assets

Computer crime statistics are hard to gather, but billions of dollars are spent annually to recover from unauthorized access

Privacy concerns make computer security a personal issue for anyone using the Internet


Chapter Summary

System administrators are in a position of great trust and power because of the information they control

Codes of ethics help system administrators understand professional expectations that can help them create lasting careers and serve both internal and external customers effectively

Difficult security decisions are best made before a crisis arises, based on a considered long-term view of consequences of each possible course of action

Organizations such as SAGE and SANS can help system administrators learn more about security from experts and colleagues


Chapter Summary

A proactive approach to security, rather than “security through obscurity,” yields the best results in protecting information systems from attack

Hardware, software, and data are all possible subjects of attack, though data is the most likely target

Crackers may try to steal data, corrupt data, or deny access to your system by legitimate users

Having written a security policy document helps you prepare for all types of attacks by justifying the need for security efforts, informing users of security concerns, and providing security breach guidance


Chapter Summary

Social engineering is a potential tool of crackers who contact end users and manipulate them to extract needed information

You must keep your Linux system upgraded with any security patches to prevent attacks via a known problem with software that you are using

Many laws now exist to allow prosecution of computer crimes

Security products for Linux may help you improve your security posture, though you must be careful about trusting products that you have not tested