Chapter 1. Security Overview

Because of the increased reliance on powerful,

networked computers to help run businesses and keep

track of our personal information, entire industries have

been formed around the practice of network and

computer security. Enterprises have solicited the

knowledge and skills of security experts to properly audit

systems and tailor solutions to fit the operating

requirements of their organization. Because most

organizations are increasingly dynamic in nature, their

workers are accessing critical company IT resources

locally and remotely, hence the need for secure

computing environments has become more pronounced.

Unfortunately, many organizations (as well as

individual users) regard security as more of an

afterthought, a process that is overlooked in favor of

increased power, productivity, convenience, ease of use,

and budgetary concerns. Proper security implementation

is often enacted postmortem — after an unauthorized

intrusion has already occurred. Taking the correct

measures prior to connecting a site to an untrusted

network, such as the Internet, is an effective means of

thwarting many attempts at intrusion.

1.1. Introduction to Security

1.1.1. What is Computer Security?

Computer security is a general term that covers a wide

area of computing and information processing. Industries

that depend on computer systems and networks to

conduct daily business transactions and access critical

information regard their data as an important part of

their overall assets. Several terms and metrics have

entered our daily business vocabulary, such as total cost

of ownership (TCO), return on investment (ROI), and

quality of service (QoS). Using these metrics, industries

can calculate aspects such as data integrity and high-

availability (HA) as part of their planning and process

management costs. In some industries, such as electronic

commerce, the availability and trustworthiness of data

can mean the difference between success and failure.

1.1.1.1. How did Computer

Security come about?

Information security has evolved over the years due to

the increasing reliance on public networks not to disclose

personal, financial, and other restricted information.

There are numerous instances such as the Mitnick and

the Vladimir Levin cases that prompted organizations

across all industries to re-think the way they handle

information, including its transmission and disclosure.

The popularity of the Internet was one of the most

important developments that prompted an intensified

effort in data security.

An ever-growing number of people are using their

personal computers to gain access to the resources that

the Internet has to offer. From research and information

retrieval to electronic mail and commerce transactions,

the Internet has been regarded as one of the most

important developments of the 20th century.

The Internet and its earlier protocols, however, were

developed as a trust-based system. That is, the Internet

Protocol (IP) was not designed to be secure in itself.

There are no approved security standards built into the

TCP/IP communications stack, leaving it open to

potentially malicious users and processes across the

network. Modern developments have made Internet

communication more secure, but there are still several

incidents that gain national attention and alert us to the

fact that nothing is completely safe.

1.1.1.2. Security Today

In February of 2000, a Distributed Denial of Service

(DDoS) attack was unleashed on several of the most

heavily-trafficked sites on the Internet. The attack

rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and

several other sites completely unreachable to normal

users, as it tied up routers for several hours with large-

byte ICMP packet transfers, also called a ping flood. The

attack was brought on by unknown assailants using

specially created, widely available programs that scanned

vulnerable network servers, installed client applications

called Trojans on the servers, and timed an attack with

every infected server flooding the victim sites and

rendering them unavailable. Many blame the attack on

fundamental flaws in the way routers and the protocols

used are structured to accept all incoming data, no

matter where or for what purpose the packets are sent.

In 2007, a data breach exploiting the widely-known

weaknesses of the Wired Equivalent Privacy (WEP)

wireless encryption protocol resulted in the theft from a

global financial institution of over 45 million credit card

numbers.

Currently, an estimated 1.4 billion people use or have

used the Internet worldwide. At the same time:

On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.

The number of CERT reported incidences jumped from 52,658 in 2001, 82,094 in 2002 and to 137,529 in 2003.

According to the FBI, computer-related crimes cost US businesses $67.2 Billion dollars in 2006.

From a 2009 global survey of security and information

technology professionals, "Why Security Matters Now" [9],

undertaken by CIO Magazine, some notable results are:

Just 23% of respondents have policies for using Web 2.0 technologies. These technologies, such as Twitter, Facebook and LinkedIn may provide a convenient way for companies and individuals to communicate and collaborate, however they open new vulnerabilities, primarily the leaking of confidential data.

Even during the recent financial crisis of 2009, security budgets were found in the survey to be mostly at the same amount or increasing over previous years (nearly 2 out of 3 respondents expect spending to increase or remain the same). This is good news and reflects the importance that organizations are placing on information security today.

These results enforce the reality that computer security

has become a quantifiable and justifiable expense for IT

budgets. Organizations that require data integrity and

high availability elicit the skills of system administrators,

developers, and engineers to ensure 24x7 reliability of

their systems, services, and information. Falling victim to

malicious users, processes, or coordinated attacks is a

direct threat to the success of the organization.

Unfortunately, system and network security can be a

difficult proposition, requiring an intricate knowledge of

how an organization regards, uses, manipulates, and

transmits its information. Understanding the way an

organization (and the people who make up the

organization) conducts business is paramount to

implementing a proper security plan.

1.1.1.3. Standardizing Security

Enterprises in every industry rely on regulations and rules

that are set by standards-making bodies such as the

American Medical Association (AMA) or the Institute of

Electrical and Electronics Engineers (IEEE). The same

ideals hold true for information security. Many security

consultants and vendors agree upon the standard

security model known as CIA, or Confidentiality, Integrity,

and Availability. This three-tiered model is a generally

accepted component to assessing risks of sensitive

information and establishing security policy. The

following describes the CIA model in further detail:

Confidentiality — Sensitive information must be available only to a set of pre-defined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.

Integrity — Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.

Availability — Information should be accessible to authorized users any time that it is needed. Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in

terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.

1.1.2. Security Controls

Computer security is often divided into three distinct

master categories, commonly referred to as controls:

Physical Technical Administrative

These three broad categories define the main objectives

of proper security implementation. Within these controls

are sub-categories that further detail the controls and

how to implement them.

1.1.2.1. Physical Controls

Physical control is the implementation of security

measures in a defined structure used to deter or prevent

unauthorized access to sensitive material. Examples of

physical controls are:

Closed-circuit surveillance cameras Motion or thermal alarm systems Security guards Picture IDs Locked and dead-bolted steel doors Biometrics (includes fingerprint, voice, face, iris,

handwriting, and other automated methods used to recognize individuals)

1.1.2.2. Technical Controls

Technical controls use technology as a basis for

controlling the access and usage of sensitive data

throughout a physical structure and over a network.

Technical controls are far-reaching in scope and

encompass such technologies as:

Encryption Smart cards Network authentication Access control lists (ACLs) File integrity auditing software

1.1.2.3. Administrative Controls

Administrative controls define the human factors of

security. They involve all levels of personnel within an

organization and determine which users have access to

what resources and information by such means as:

Training and awareness Disaster preparedness and recovery plans Personnel recruitment and separation strategies Personnel registration and accounting

1.1.3. Conclusion

Now that you have learned about the origins,

reasons, and aspects of security, you will find it easier to

determine the appropriate course of action with regard

to Red Hat Enterprise Linux. It is important to know what

factors and conditions make up security in order to plan

and implement a proper strategy. With this information

in mind, the process can be formalized and the path

becomes clearer as you delve deeper into the specifics of

the security process.

Fonte: https://access.redhat.com/knowledge/docs/en-

US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/ch

ap-Security_Guide-Security_Overview.html