In a word, No. No machine connected to the internet is 100% secure. This doesn't mean that you are helpless. You can take measures to avoid hacks, but you cannot avoid them completely. This is like a house: when the windows and doors are open, the probability of a thief coming in is high; if the doors and windows are closed and locked, the probability of being robbed is lower, but still not nil.

1 What is Information Security?

For our purposes, Information Security means the methods we use to protect sensitive data from unauthorized users.

2 Why do we need Information Security?

The entire world is rapidly becoming IT enabled. Wherever you look, computer technology has revolutionized the way things operate. Some examples are airports, seaports, telecommunication industries, and TV broadcasting, all of which are thriving as a result of the use of IT. "IT is everywhere."

A lot of sensitive information passes through the Internet, such as credit card data, mission critical server passwords, and important files. There is always a chance of someone viewing and/or modifying the data while it is in transmission. There are countless horror stories of what happens when an outsider gets someone's credit card or financial information. He or she can use it in any way they like and could even destroy you and your business by taking or destroying all your assets. As we all know, "An ounce of prevention beats a pound of cure," so to avoid such critical situations it is advisable to have a good security policy and security implementation.

3 Security Framework

The following illustrates the framework needed to implement a functioning security implementation:

[ Risk Analysis ]   [ Business Requirements ]
                 |
         [ Security Policy ]
                 |
[ Security Service, Mechanisms, and Objects ]
                 |
[ Security Management, Monitoring, Detection and Response ]

This framework shows the basic steps in the life cycle of securing a system.

"Risk Analysis" deals with the risk associated with the data in the server to be secured. "Business Requirements" is the study which deals with the actual requirements for conducting business. These two components cover the business aspects of the security implementation. The "Security Policy" covers 8 specific areas of the security implementation, and is discussed in more detail in section 4 below. "Security Service, Mechanisms and Objects" is the actual implementation part of security. "Security Management, Monitoring, Detection and Response" is the operational face of security, where we cover the specifics of how we find a security breach and how we react if a breach is found.

4 Security Policy

The Security Policy is a document which addresses the following areas:

- Authentication: This section deals with what methods are used to determine if a user is real or not, which users can or cannot access the system, the minimum password length allowed, how long a user can be idle before he is logged out, etc.
- Authorization: This area deals with classifying user levels and what each level is allowed to do on the system, which users can become root, etc.
- Data Protection: Data protection deals with details like what data should be protected and who can access which levels of data on the system.
- Internet Access: This area deals with the details of which users have access to the internet and what they can do there.
- Internet Services: This section deals with what services on the server are accessible from the internet and which are not.
- Security Audit: This area addresses how audit and review of security related areas and processes will be done.
- Incident Handling: This area addresses the steps and measures to be taken if there is a breach of security. This also covers the steps to find out the actual culprit and the methods to prevent future incidents.
- Responsibilities: This part covers who will be contacted at any given stage of an incident and the responsibilities of the administrator(s) during and after the incident. This is a very important area, since the operation of the incident handling mechanism depends on it.

5 Types of Information Security

There are 2 types of security: (1) Physical security / Host Security and (2) Network security. Each of these has 3 parts:

- Protection: Slow down or stop intrusions or damage.
- Detection: Alert someone if a breach (or attempted breach) of security occurs, and quantify and qualify what sort of damage occurred or would have occurred.
- Recovery: Re-secure the system or data after the breach or damage and, where possible, undo whatever damage occurred.

5.1 Host Security / Physical Security

Host Security / Physical Security means securing the server from unauthorized access. For that we can protect the box with such steps as setting up a BIOS password, placing the computer in a locked room where only authorized users have access, applying OS security patches, and checking logs on a regular basis for any intrusions and attacks. In host security we also check and correct the permissions on all OS related files.

5.2 Network security

Network security is one of the most important aspects of overall security. As I mentioned earlier, no machine connected to the internet is completely secure, so security administrators and server owners need to be alert and make sure that they are informed of all new bugs and exploits that are discovered. Failure to keep up with these may leave you at the mercy of some script kiddy.

5.3 Which operating system is the most secure?

Every OS has its own pros and cons. There are ways to make Windows more secure, but the implementation is quite costly. Linux is stable and reasonably secure, but many companies perceive it as having little vendor support.
My vote for the best OS for security purposes goes to FreeBSD, another free Unix-like OS, but not many people are aware of its existence.

6 Is a firewall the final solution to the Network Security problem?

No, a firewall is just a part of the security implementation. Again, we will use the example of a house. In a house all the windows and doors can be closed, but if the lock on the front door is so bad that someone can put just any key-like thing in and open it, then what is the use of the house being all closed up? Similarly, a strong firewall policy will restrict unauthorized access, but if the software running on the box is outdated or full of bugs then crackers can use it to intrude into the server and gain root access. This shows that a firewall is not the final solution. A planned security implementation is the only real quality solution to this issue.

7 Security is a continuous process

Security is an on-going process. Security administrators can only conduct their work on the basis of the alerts and bugfixes released up to the date of securing, so in order to accommodate the fixes for the latest bugs, security work has to be done on a regular basis.

8 Does Security implementation create overhead and/or reduce performance?

Yes, security implementation creates a small amount of overhead, but it need not reduce overall performance drastically. To take care of this, a well done security implementation has an optimization section where the security administration gives priority to both performance and security. While securing any software, we should secure it in such a way that it still provides maximum performance.

9 Security Audits - What Should be Checked

A security audit is the part of a security implementation where we try to find out the vulnerabilities of the system and suggest actions to improve the security.
In a normal audit, the points below should be checked, and a report with the results of that audit should be created.

- Check for intrusions. Use chkrootkit or rkhunter for this purpose.
- Check for known bugs in the software installed on the server - the kernel, openssl, openssh, etc.
- Scan all network ports and find out which ports are open. Report the ports that should not be open and what program is listening on them.
- Check whether /tmp is secured.
- Check for hidden processes.
- Check for bad disk blocks in all partitions. (This is just to make sure that the system is reasonably healthy.)
- Check for unsafe file permissions.
- Check whether the kernel has a ptrace vulnerability.
- Check the memory. (Another system health check.)
- Check if the server is an open e-mail relay.
- Check if the partitions have enough free space.
- Check the size of the log files. It's better that the log size remains in megabytes.

10 How to know if you are being hacked?

To find out if your box is compromised or not, follow these steps. These are the steps which I used to take, and they will be handy in most situations.

10.1 Check your box to see if your performance has degraded or if your machine is being over used.

For that, use these commands:

- vmstat: Displays information about memory, CPU and disk.
  Ex: bash# vmstat 1 4 (where 1 is the delay and 4 is the count)
- mpstat: Displays statistics about CPU utilization. This will help us see if your CPU is overworked or not.
  Ex: bash# mpstat 1 4 (where 1 is the delay and 4 is the count)
- iostat: Displays statistics about the disk system. Useful options: -d gives the device utilization report; -k displays statistics in kilobytes per second.
  Ex: bash# iostat -dk 1 4 (where 1 is the delay and 4 is the count)
- sar: Displays overall system performance.

10.2 Check to see if your server has any hidden processes running.

- ps: Displays the status of all known processes.
- lsof: Lists all open files.
  In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

10.3 Use Intrusion Detection Tools

- rkhunter
- chkrootkit (www.chkrootkit.org)

10.4 Check your machine's uptime.

If the uptime is less than it should be, this can mean that your machine's resources are being used by someone. Linux doesn't crash or reboot under normal conditions because it is such a stable OS. If your machine has been rebooted, try to find out the actual reason behind it.

10.5 Determine what your unknown processes are and what they are doing.

10.5.0.1 Use commands like the following to take apart unknown programs

- readelf: Displays the headers, sections and symbols of an ELF executable, which shows what the program is built from.
- ldd: Shows the shared libraries used by an executable.
- strings: Displays the printable strings in a binary.
- strace: Displays the system calls a program makes as it runs.

11 Hardening Methodology

- Read all security related sites and keep up to date. This is one of the main things a security administrator or server owner should do.
- Server owners should be made aware of security and its importance. Security training is an important part of an overall security package.
- Create a good security policy.
- Conduct security audits on the basis of this policy.
- Keep your OS updated by applying all patches.
- Install a custom kernel with all unwanted services removed and patched with either grsecurity or openwall.
- Disable all unwanted services and harden the services you leave running.
- Change file and directory permissions so that security is tightened.
- Install a firewall and create good rule sets.
- Test and audit the server on a regular basis.
- Install an intrusion detection system, a log monitor, all of the Apache security modules, BFD, FAF and a tmp monitor.
- Make your partitions secure.
- Run a good backup system to recover data in case of an intrusion, crash, or other destructive incident.
- Install a log analyzer and check your logs for any suspicious entries.
- Install scripts to send out mail or enable notifications when a security breach occurs.
- After a security breach, try to find out how, when and through what the breach occurred. When you find a fix for it, document the details for future reference.

12 Summary

Now let's conclude by covering the main steps by which a hosting server can be secured.

12.1 Determine the business requirements and risk factors which are applicable to this system.

12.2 Devise a security policy with the above data in mind. Get management's approval and signoff on this security policy.

12.3 On approval of the policy, do a security audit on any existing systems to determine the current vulnerabilities and submit a report regarding this to the management. The report should also cover the methods needed to improve existing security. A quick checklist:

- Software vulnerabilities.
- Kernel upgrades and vulnerabilities.
- Check for any Trojans. Run chkrootkit.
- Check ports.
- Check for any hidden processes.
- Use audit tools to check the system.
- Check logs.
- Check binaries and RPMs.
- Check for open email relays.
- Check for malicious cron entries.
- Check the /dev, /tmp and /var directories.
- Check whether backups are maintained.
- Check for unwanted users, groups, etc. on the system.
- Check for and disable any unneeded services.
- Locate malicious scripts.
- Check the query log in DNS.
- Check for suid scripts and nouser scripts.
- Check for valid scripts in /tmp.
- Use intrusion detection tools.
- Check the system performance.
- Check memory performance (run memtest).

12.4 Implement the security policy

12.4.1 Correct all known existing software vulnerabilities either by applying patches or by upgrading the software.
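Four items from the section 9 audit list and the 12.3 checklist above (ports that should not be open and what listens on them, unwanted uid-0 users, whether /tmp is secured, and unsafe suid/sgid files) can be turned into small checks that run in the audit script itself. The script below is an added example and is not the article's own code. Its `ss -ltnp`, /etc/passwd and /proc/mounts inputs are constructed samples, and the allowlist of ports (22 and 25) is an assumption about what the box is meant to serve.

```shell
#!/bin/sh
# Added example: audit helpers for four items of the checklists above
# (open ports, extra uid-0 accounts, /tmp mount options, suid/sgid files).
# Each function reads text on stdin or takes a path, so it can be fed either
# the constructed samples below or live data (ss -ltnp, /etc/passwd, /proc/mounts).

# Constructed sample of `ss -ltnp` output: sshd and the mail daemon are expected;
# a shell listening on 6667 is the kind of thing a compromise leaves behind.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:25          0.0.0.0:*          users:(("master",pid=1001,fd=13))
LISTEN  0       128     [::]:6667           [::]:*             users:(("bash",pid=2099,fd=4))'

# Constructed /etc/passwd excerpt with a second uid-0 account ("toor").
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/:/bin/sh'

# Constructed /proc/mounts excerpt: /tmp has nosuid and nodev but not noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# unexpected_listeners "ALLOWED_PORTS" < ss-output
# Prints "port process" for every LISTEN socket whose port is not in the
# space-separated allowlist (the allowlist is the auditor's assumption about
# what the box is supposed to serve).
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                              # column header
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)           # works for 0.0.0.0:22 and [::]:22
            proc = "?"
            if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
            if (!(port in ok)) print port, proc
        }'
}

# uid0_accounts < passwd
# Prints every account other than root that has uid 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# tmp_missing_options < mounts
# Prints which of noexec, nodev, nosuid are absent from the /tmp mount,
# or "no-separate-mount" when /tmp is not its own filesystem.
tmp_missing_options() {
    awk '
        $2 == "/tmp" {
            found = 1; opts = "," $4 ","
            split("noexec nodev nosuid", want, " ")
            for (i = 1; i <= 3; i++)
                if (index(opts, "," want[i] ",") == 0) print want[i]
        }
        END { if (!found) print "no-separate-mount" }'
}

# privileged_files DIR
# Lists regular files with the setuid or setgid bit under DIR, staying on one
# filesystem.  This is the corrected form of the find expression in section 12.4.3.
privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null || true
}

# Run the text-based checks against the constructed samples.
demo() {
    echo "== listeners not in allowlist (22 25) =="
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 25"
    echo "== extra uid-0 accounts =="
    printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
    echo "== options missing on /tmp =="
    printf '%s\n' "$SAMPLE_MOUNTS" | tmp_missing_options
}
demo
```

On a live box the same functions take real input: `ss -ltnp | unexpected_listeners "22 25"`, `uid0_accounts < /etc/passwd`, `tmp_missing_options < /proc/mounts` and `privileged_files /`. The listener check deliberately reports the process name, because an open port is only meaningful in the audit report together with what is listening on it.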
12.4.2 Implement host security

- Protect your systems with passwords.
- Check the file systems and set correct permissions and ownerships on all directories and files, e.g. chmod -R 700 /etc/rc.d/init.d/*
- Use rpm -Va to find out if an rpm is modified.
- Apply security patches to vulnerable software (i.e. patch -p1 < patchfile).
- Remove all unneeded ttys and console logins by removing the entry from /etc/securetty.
- Check system logs (e.g. /var/log/messages, /var/log/secure, etc.).
- Set a password on the boot loader (lilo and grub both support this).
- Monitor the system (nagios or big brother).

12.4.3 Implement Network security

- Remove all unwanted users and groups.
- Use custom security scripts which will send out a notification when someone sshes in as root or creates a user with uid 0, etc.
- Require passwords with 16 characters (can be done by making changes in login.defs).
- Disable unwanted services using tcpwrappers (unwanted services can also be disabled through xinetd.d or xinetd.conf).
- Set up an idle timeout, so that idle users will be logged out after a certain amount of time.
- Disable all console program access (e.g. rm -rf /etc/security/console.apps/).
- Enable the nospoof option in /etc/host.conf.
- Specify the order in which domain names should be resolved (e.g. order bind,hosts).
- Lock the /etc/services file so that no one can modify it.
- Restrict direct root login (the PermitRootLogin option in sshd_config).
- Restrict su so that only wheel group members are able to su (can use pam, or remove the "other" permission bits from the su binary).
- Limit users' resources (using pam, specify the limits for each user in /etc/security/limits.conf).
- Secure /tmp (mount /tmp with noexec,nodev,nosuid).
- Hide the server details. Remove /etc/issue and /etc/issue.net.
- Find and disable unwanted suid and sgid files, e.g. find / -type f \( -perm -04000 -o -perm -02000 \) -print. Examples of these: gpasswd, wall, and traceroute.
- Using iptables, allow pings only from specific locations (for monitoring systems to work).
- Take preventive measures against DoS, "ping of death" attacks, etc.
- Install a firewall (e.g. apf and iptables) and only allow the ports which the box needs for its normal functions; block all other ports to prevent mischief. Links: rfxnetworks.com and yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
- Install intrusion detection (e.g. install tripwire or aide). Link: redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html
- Install sxid to keep an eye on suid and sgid scripts.
- Restrict ssh to specific IP addresses and specific users (I suggest key authentication using a passphrase).
- Install logcheck to check the logs.
- Install tmpwatch to delete unused files from the /tmp directory.
- Install and set up portsentry and configure it to use iptables to block IPs.
- Install mod_security and mod_dosevasive to safeguard apache.
- Delete files with nouser and nogroup.
- Delete unwanted files/folders in htdocs, and disable directory indexing.
- Check for unwanted scripts in /root, /usr/local, /var/spool/mbox.
- Install BFD and FAF for additional security.
- Disable open email relaying.
- Submit a status report to management detailing all discovered vulnerabilities and fixes.

12.5 Testing phase

Use tools like nessus, nikto, and nmap to do a penetration test and see how well your server is secured. Also do a stress test.

Security is of utmost importance to a server; compromising security is compromising the server itself. Hence, an understanding of it is a prerequisite to server ownership and administration.

My name is Blessen and I prefer people calling me Bless. I got interested in Linux when I joined the software firm Poornam Info Vision Pvt Ltd. They gave me exposure to Linux. I am a B.Tech in Computer Science from the College of Engineering, Chengannur. I passed out in the year 2001 and got into the company that year.
During my work, I became passionate about Linux security and I look forward to growing in that field. My hobbies are browsing the net, learning new technologies and helping others. In my free time I also develop open source software, and one of them is a scaled down version of formmail. The project is called "Smart Mail", which is more secure than formmail.

Contact Blessen Cherian

Copyright © 2005, Blessen Cherian. Released under the Open Publication license.

"Information for the right people at the right time and from anywhere" has been the driving force for providing access to most of the vital information on an organization's network over the Internet. This of course has led to situations where this valued information falls into the hands of the wrong people. This may be because of a bug/vulnerability in the application software which provides access to this data from the Internet, misconfiguration by the administrator/vendor, or negligence from the management. While we are talking about access from the Internet, most surveys indicate that breach attempts from internal users are considerably high. So a security policy is the most basic need for network security. This requires reviewing and redefining policies according to the changing business environment. So security policy definition requires an understanding of the environment, the loopholes in it, and the steps that need to be taken to check these loopholes. Hence this starts with a network audit.

This is a simple guide on conducting a network security audit; this article contains points for conducting an audit (of course I too have learned it from many experts' articles on the net and from experience). This first of the series (maybe many more to come, if you guys really want to hear from me) doesn't get into the core of each of the aspects; it generally outlines the things to be kept in mind while conducting a network security audit. Maybe you guys will let me put my ideas in my future writings.

A general (and wrong) assumption is that a network security audit is limited to determining the services available on the network for access.
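Section 12.4.3 of the article above asks for a firewall that opens only the ports the box needs, lets pings in only from the monitoring systems, and blocks everything else. The shell function below is an added example, not the article's own script: it generates such an iptables ruleset from a port list and a list of monitoring addresses, so the policy is reviewable as text before it is applied. The ports (22, 80) and the monitoring address (192.0.2.10, an RFC 5737 documentation address) in the demo call are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate an iptables script for the firewall design in section
# 12.4.3 (only the needed service ports open, pings only from monitoring hosts,
# everything else blocked).  Not the article's script; the port list and the
# monitoring address used in the demo are constructed placeholders.

# firewall_rules "TCP_PORTS" "MONITOR_IPS"
# Prints a complete iptables script on stdout.  Default policy is DROP for
# INPUT and FORWARD; loopback and replies to established connections are
# allowed first, then the listed ports, then rate-limited echo-request from the
# monitoring hosts; the remainder is logged (rate-limited) and dropped.
firewall_rules() {
    tcp_ports=$1
    monitors=$2

    # Refuse to emit a script from a bad port list rather than producing a
    # ruleset that silently opens the wrong thing.
    for p in $tcp_ports; do
        case $p in
            *[!0-9]*) echo "firewall_rules: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "firewall_rules: port out of range '$p'" >&2; return 1
        }
    done

    printf '%s\n' \
        '#!/bin/sh' \
        'set -e' \
        'iptables -F' \
        'iptables -X' \
        'iptables -P INPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -P OUTPUT ACCEPT' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A INPUT -m state --state INVALID -j DROP'

    # One ACCEPT per service port the box is supposed to offer.
    for p in $tcp_ports; do
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$p"
    done

    # Pings only from the monitoring systems, and not at an unbounded rate.
    for m in $monitors; do
        printf 'iptables -A INPUT -p icmp --icmp-type echo-request -s %s -m limit --limit 5/s -j ACCEPT\n' "$m"
    done

    # Log a sample of what gets dropped so the log monitor has something to read,
    # then drop the rest (the INPUT policy already drops, this makes it explicit).
    printf '%s\n' \
        'iptables -A INPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "IPT-DROP: "' \
        'iptables -A INPUT -j DROP'
}

# Demo with constructed values: ssh and http open, one monitoring host.
firewall_rules "22 80" "192.0.2.10"
```

Redirect the output to a file, read it, then run it as root; the generator never touches the live firewall itself. The `-m state` match is what tools of the article's era used; on current kernels `-m conntrack --ctstate` is the equivalent and the rule order stays the same.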
No, it isn't. A network security audit should address all the concerned areas that are listed in this article and, if possible, more (don't forget, the more steps you take for preventing, the more secure it gets, so don't stop at this; keep on doing it better). So the minimal aspects to consider are:

Management
The audit should cover a questionnaire to the organization's management to find out how serious it is about its information security. The questionnaire should be able to collect a considerable amount of information, like:
- Is the management of the organization serious about the information security requirements?
- Does any established procedure exist for reporting security breaches or attempts at security breaches?
- Review of the security controls life cycle, etc.

Administration
Knowing the administration controls helps in understanding the kind of protection the data has and whether security deviations are detected and corrected. Attempts should be made to understand the security implications that the following might have:
- Backup and disaster recovery
- Response to intrusion detection
- Response to viruses/Trojans
- Grant/change/removal of privileges
- Documentation
- Log reviews
- Changes in network software
- License compliance, etc.

LAN Security
Get an understanding of the LAN configuration, the number of users on the LAN, and the general use of the LAN. Audit:
- Protection against viruses, Trojans, etc.
- Communication controls
- Acquisition
- TCP ports
- Firewall/ACLs
- Application fingerprinting
- LAN access policy, etc.

Access Control
Determine the access control mechanism for users to access various resources across the network. Some items:
- Authentication, requests, duties
- User guidelines
- Password policy

Operations
- Physical security
- Contingency planning
- Training
- H/w and S/w maintenance

Now that we have outlined the aspects of assessing, let's look into each of these in as much detail as possible.
Management: What is the necessity, or what things are to be checked in the organization's management? What does it take care of? These are some of the questions that arise when we talk about assessing the organization's management. I will try to justify as much as possible. The first thing to look for would be to analyze whether the management has taken the issue of information security seriously; this can be assessed by knowing:

- Is there a procedure/guideline specified for the acquisition and installation of LAN peripherals/accessories, etc.?
- Have the users been notified about the security concerns, the terms of use of systems and network access, and the limitations and proceedings in case of a breach of the security policy?
- Have the users been notified about their tasks?
- Have the users been notified about their emails being monitored (if they are)?
- Is the procedure to formally report security breaches in place?
- Are the findings of audits and/or inspections reported to management?
- Are emergency and disaster procedures established with well defined tasks and responsibilities?
- Is there a proper backup plan in place so that operations can return to normal in case the installations are completely damaged? Are these plans tested?
- Has the organization's management taken care of forbidding software piracy and informed the PC users?
- Are there proper inventory controls for the software and hardware?
- Do the users know who is in charge of security and how to get in touch with him when required?
- Is the security policy scrutinized every so often (is the life cycle of the security policy determined)?
- Are the necessary corrective actions taken/granted on each of the weaknesses found?

The more precautions/interest taken by the management shows the management's seriousness about the organization's information security and makes the users feel that they will be liable for any harm/loss caused by them. Thus the management should provide the basic foundation.
An organization's failure in IT security is often because its involvement is reactive rather than pro-active. Often the vulnerabilities are closed only after those weaknesses have been exploited in an attack, at the cost of time, data, and money. Very few organizations take pro-active steps in evolving a security policy and strategies. So keeping the management up to date with the organization's security strategies is very important.

Administration
An effective network administration ensures the continued availability and protection of data as desired by the organization's management. It's very important to have a good network administration team, as they are the key people when it comes to the actual implementation of the security policies, disaster recovery plan, etc. Hence the administration should see to the following.

Setup of servers:
- Make sure that the applications available on the network are not misconfigured.
- The applications are patched/updated very frequently, as and when updates are available.
- Keep track of the various vulnerabilities, backdoors and viruses on the move and the solutions to these.
- Virus protection both at the mail server/gateway and at the user's desktop level should be taken care of.
- Servers should conduct proper identification and authentication of users before access is granted. Does the server setup conduct authentication suited to the risk associated with the access?
- Is proper encryption enabled for data transfer (wherever required)?

User access to applications:
- User management like adding, deleting, modifying, disabling and enabling user IDs, and setting proper guidelines for the users on choosing passwords, periodically changing the password, granting and revoking access rights as required, etc.
- A formal procedure for seeking/changing access and getting formal approval for it from the management.
- Periodically track/analyze the user requests and accesses made, like the time and duration of the access and, if possible, the kind of data sought by the user, etc.
- Periodically review the user access to the system. Document any anomaly in user access, etc. Report it to the management for action if required.
- Protect top secret applications meant for access only by privileged users, with proper grants for their access.
- Take note of failed login attempts periodically and verify them with the people concerned.
- Establish a procedure to deal with repeated attempts by a user to gain unauthorized access to these resources.
- Check for unauthorized use of external storage devices like floppies, CD-ROMs, etc.

Apart from these checks, other checks should be performed regarding the way data handling and data exchanges are made:
- If third party data access is allowed (clients/business partners/etc.), are there proper controls on their access, identification and authentication?
- Is it possible to identify and track all the assets (the ease of this determines the quality)?
- Are development systems separated from the operational systems?
- Is the security of media on the move established?
- Are the system clocks synchronized?
- And many more aspects.

Brittany Day
Anton Chuvakin discusses the known approaches to choosing the level of security for your organization, risk assessment, and finding the balance between effective security practices and the existing budget.

Scary stories of companies gutted by worm attacks, virus outbreaks, malicious hacker intrusions and other information risks are plentiful. The rising exploitation of most existing vulnerabilities is combined with the appearance of new ones, resulting in a new and powerful threat to Internet users (see, for example, the 2001 CSI/FBI Survey, a standard cyber crime statistical reference). The security industry often takes the position that companies should promptly design and implement more and more security, increase its priority within the business and train all computer users in using the multiple layers of enterprise defense. Similar advice is given to small office, home office and individual users of the Internet from home. A firewall, or at least a filtering router, is now considered a standard network protective measure for any company. Personal firewalls are recommended for all home users on broadband Internet connections. However, companies will often choose to comply only with a reduced set of requirements due to business needs.

So far, it sounds like the beginning of a typical security convincer speech. In fact, the rarely addressed issue of choosing an appropriate level of security for the organization is about to be investigated. All organizations are different; they have different needs (that includes security needs), resources (that includes human, financial and technology resources) and, on the human side of the problem, different perceptions of "how much is enough" security. The article addresses common approaches to information technology risk management and discusses some of the issues that can simplify the assessment and mitigation of these risks. It summarizes existing knowledge in the area and gives some useful hints on IT risks.
It should be noted that by enforcing security we understand maintaining the classic CIA: Confidentiality, Integrity, Availability. Many experts claim that an average company has "too little" security. However, if you ask the CTO you will sometimes hear that they have "just enough". Apparently, their business process was going on just fine with whatever level of security they had. As someone said, selling security to management is sometimes like asking them to pay real money for hypothetical (unlike fire, flood, earthquake) risks. Often, a company chooses to implement security only after a major incident strikes them or their competitors, just as emergency planning was brought to light after September 11.

What are the known approaches for choosing the level of security? Here are a few of the common ones discussed in the security literature.

"No security" used to be a viable option for smaller companies, which considered their information assets as being of little interest to attackers. Believing that "we are too small to be attacked" has proved to be inherently flawed logic. The popularity of random IP address scanning tools employed by "script kiddies"*, the mass deployment of DDoS zombies and the recent rise of IIS worms make this option a perilous choice. Whoever owns a computer does have something of interest to malicious hackers - it can be the hard drive space for hosting a "warez" site, processor power for cracking passwords from other systems or a network connection for attacking third parties. In addition, while the threat of "due diligence" lawsuits has not materialized yet, it is often quoted as a motivation for implementing basic security measures.

"As much as management allows" is usually simply too little, too late. After the next well-publicized bug story or a security incident, the company decides to implement a certain security measure, such as deploying a firewall.
It might or might not be helpful for overall enterprise security, since technology safeguards implemented without the foundation of a solid security policy are rarely helpful. For example, having a firewall but allowing most of the potentially dangerous protocols through due to "company needs" does not lower the risk by any significant amount.

"Qualitative risk assessment", while favored by many in the security industry, is a rather controversial method due to the high degree of uncertainty associated with some IT risks. Several techniques were developed for defining the appropriate level of security spending based on risk. One way is to find the risk level by multiplying the threat frequency by the loss amount. The resulting amount is then compared with the value of the protected asset. This is sometimes referred to as the Annual Loss Expectancy method and goes back to FIPS publication 65 from 1979. The problem is that for digital risks both the loss frequency and the loss amount are often totally unknown. For some risk factors there is not enough statistical data accumulated, some are usually not reported to the authorities, while others are too new and unpredictable. At whatever level digital risk assessment currently is, it will be needed when digital risk insurance finally catches up, since that is the way insurance companies seem to operate.

"Best practices" is another often mentioned method to manage company information technology risks. It avoids the uncertainty of a formal risk analysis by relying on a commonly accepted baseline for security protection. Projects such as CASPR (Commonly Accepted Security Practices & Recommendations) or GASSP (Generally Accepted System Security Principles) are aimed at developing a common set of guides on all areas of security.
For example, CASPR uses the following topics to organize the guides it develops: Operating System and System Security; Network and Telecom Security; Access Control and Authentication; Infosecurity Management; Disaster Recovery and Business Continuity; Infosecurity Auditing and Assessment; Logging and Monitoring; Application Security; Application and System Development; Computer Operations; Investigations and Forensics; and Cryptography. By summarizing the methods and techniques that the majority of industry players use to handle technology risks, documented best practices can effectively protect the company that adopts them from attacks and liability suits. Implementing this approach requires the minimum amount of analysis and planning. The British standard BS 7799, which recently became the international standard ISO 17799, is another example of a best practices guide. A lot of information about it is available on the web, including overviews and resource lists.

It should be noted that using best practices provides better protection from liability lawsuits than from actual network intrusions. Other disadvantages of this approach are its independence from actual risks, which can lead to both over-securing and under-securing, the lack of information collection on new threats, and the difficulty of measuring the efficiency of security procedures.

"Scenario analysis approaches" involve the creation of various scenarios in which computer security can be compromised. After a threat scenario is created, the appropriate mitigation procedure should be developed, deployed and tested. Scenarios can also be used to demonstrate how vulnerable the company is to certain threat factors: for example, penetration testing can show that the company is exposed to insider risks and that a methodology to handle them should be built. This approach requires brainstorming as many risks as possible, done by internal security staff and outside security consultants.
Unfortunately, all hazards can never be brought to light, which limits the effectiveness of the scenario-based approach. If an important and high-probability threat factor is missed, the financial loss can be severe. In brief, under this approach the security program addresses only those risks for which loss scenarios have been developed.

"Cost-benefit analysis" is an attempt to base the choice of security safeguards on the asset cost alone. Clearly, deploying a $10,000 safeguard to protect $1,000 worth of information on a server is not a wise decision no matter what the risk is. Cost-benefit analysis allows drawing a line that limits the price of projected security technologies. The cost of the protected assets is used to determine the security requirements, which are then compared with the organization's technological and human resources. This does not involve any risk assessment, so the question of whether the asset is actually at risk is never asked. However, this method certainly provides a useful way to start the security infrastructure design.

"Insuring all risks" might become a promising option for companies that cannot afford to design a full-blown security architecture in the near future. It might not be the most effective option, since it just transfers the need to do an assessment to the insurance company. Likely, some combination of managed risk and insured risk will eventually become the standard.

Overall, knowledge of the above methods can help you increase the safety of doing business. Risk assessment is not an esoteric process. Let us apply all of the above methods to a simple IT risk. To those in the know the example might look simplistic, but it serves as a useful illustration. Suppose the site's security administrator is asked to let instant messenger communication (such as ICQ, AIM or MSN Messenger) through the firewall.

The case of no security is trivial: the protocol is allowed and no second thought is given to the issue.
Quantitative risk assessment is complicated: there is no statistical data on IM risks to the company and only anecdotal evidence is available. Thus it is impossible to evaluate the probability and the amount of loss, unless one chooses to trust a risk evaluation based on insufficient data.

The best practices approach calls for checking the industry guidelines on allowing IM communication through. In this case most of the guides advise against it unless a clear business need for IM use is established.

The scenario-based approach looks for all the ways IM can be abused and makes provisions for responding to each of them. The security team might want to demonstrate how IM is used as an attack vector and then create appropriate safeguards where they are possible. If some of the ways of causing loss through IM cannot be handled by security procedures, the software is not allowed.

Cost-benefit analysis might determine that the savings from fewer phone calls that result from using IM software are bigger than the endangered assets in the engineering department, while in the accounting department the risks might outweigh the benefits. Thus IM would be allowed in one case and banned in the other.

In addition, several important points related to risk strategies should be made. Whatever method of handling risks is implemented, the security policy should relate the resources to the corresponding protection measures. Thus the policy is written after all organizational resources are evaluated and the risk assessment (if it is required by the chosen risk mitigation model) is completed, to establish the guidelines to be followed by the company. The policy should also be reviewed regularly to reflect changes in the enterprise and the security environment. After an appropriate level of security is carefully chosen and fixed by the written policy, the problem of convincing users to follow it remains.
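The arithmetic behind the Annual Loss Expectancy method and the cost-benefit method, applied to the IM decision above, is short enough to write down. The following Python is an added example, not code from the original article or its author. Every figure in it (asset values, loss per incident, the optimistic and pessimistic frequency estimates, the phone-call savings, and the cost and effectiveness of a hypothetical IM gateway) is an assumption constructed for illustration; the article gives no numbers. It also shows the failure mode raised above: when the frequency estimate for a department spans more than an order of magnitude, the ALE method declines to decide, while cost-benefit analysis, which never consults a probability, still produces an answer.

```python
"""Risk arithmetic for the IM-through-the-firewall decision.

Added example, not from the original article. All figures are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Scenario:
    """One department's IM decision. All fields are assumed inputs."""
    name: str
    asset_value: float     # value of the information the IM channel could expose
    sle: float             # single loss expectancy: loss per incident
    aro_low: float         # annual rate of occurrence, optimistic estimate
    aro_high: float        # pessimistic estimate (equal to aro_low if known)
    annual_benefit: float  # e.g. phone-call savings from allowing IM


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy: threat frequency times loss amount (FIPS 65)."""
    return sle * aro


def ale_range(s: Scenario) -> Tuple[float, float]:
    """ALE with the frequency carried as a range rather than a point estimate,
    because for new digital risks the frequency is usually not known."""
    return ale(s.sle, s.aro_low), ale(s.sle, s.aro_high)


def quantitative_decision(s: Scenario, spread_limit: float = 10.0) -> str:
    """ALE-based decision. If the pessimistic ALE exceeds the optimistic one by
    more than spread_limit times, the data are too thin to decide on; this is
    the article's objection to the method for IM-style risks."""
    low, high = ale_range(s)
    if high > spread_limit * low:
        return "insufficient data"
    return "allow" if s.annual_benefit > high else "ban"


def cost_benefit_decision(s: Scenario) -> str:
    """Cost-benefit analysis as the article describes it: weigh the benefit of
    IM against the assets it endangers. No probability of loss is consulted."""
    return "allow" if s.annual_benefit > s.asset_value else "ban"


def max_justified_spend(s: Scenario) -> float:
    """Ceiling on annual safeguard spending. Cost-benefit caps it at the asset
    value regardless of risk; the ALE method caps it at the expected annual
    loss. The tighter of the two wins."""
    _, high = ale_range(s)
    return min(s.asset_value, high)


def safeguard_worth(s: Scenario, annual_cost: float, residual_fraction: float) -> float:
    """Net value of a control: ALE before minus ALE after minus its annual cost,
    judged against the pessimistic frequency. Negative means the control costs
    more than the loss it prevents (the $10,000 lock on $1,000 of data)."""
    before = ale(s.sle, s.aro_high)
    after = before * residual_fraction
    return before - after - annual_cost


# Constructed scenarios; none of these figures come from the article.
ENGINEERING = Scenario("engineering", asset_value=20_000, sle=5_000,
                       aro_low=0.1, aro_high=0.5, annual_benefit=30_000)
ACCOUNTING = Scenario("accounting", asset_value=500_000, sle=200_000,
                      aro_low=0.01, aro_high=0.5, annual_benefit=5_000)


def assess(s: Scenario, gateway_cost: float = 15_000, residual: float = 0.2) -> Dict[str, object]:
    """Run every method on one scenario. gateway_cost and residual describe a
    hypothetical IM proxy that leaves 20% of the original exposure in place."""
    return {
        "ale_range": ale_range(s),
        "quantitative": quantitative_decision(s),
        "cost_benefit": cost_benefit_decision(s),
        "max_spend": max_justified_spend(s),
        "gateway_worth": safeguard_worth(s, gateway_cost, residual),
    }


if __name__ == "__main__":
    for scenario in (ENGINEERING, ACCOUNTING):
        print(scenario.name, assess(scenario))
```

With the assumed figures, engineering is allowed under both methods and the gateway is not worth buying for it (its annual cost exceeds the whole pessimistic ALE), while accounting is banned by cost-benefit analysis, left undecided by the ALE method because its frequency estimate spans 50x, and is the one place where the gateway pays for itself.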
Another important requirement is to keep current with all security-related information, since new vulnerabilities are found every day. Malware attacks happen with no advance warning and can be initiated by strangers or by disgruntled employees seeking revenge. Malicious hackers need to know only a single vulnerability to get through your defenses, and you have to defend against all of them. This requires following the changes in security technology, the IT industry and even the hacker underground. Once you know the enemy, you must still implement a defense strategy.

A security awareness program for employees should be a crucial part of any infosec policy. Unless employees are trained in using the deployed security technologies, the effectiveness of those controls will fall apart. In addition, people responsible for critical computing resources should complete more rigorous infosecurity training to understand all of the security implications of their job functions. Enterprise security education should be kept up to date with technology and current best practices. One possible way to assure an adequate level of cybersecurity knowledge is periodic tests and quizzes based on the current policies and procedures accepted by management.

Finding the balance between effective security practices and the existing security budget is important for every environment. The above guidelines should send the reader in the right direction.

When a security program is designed, the unfortunate consequences of security measures should be considered. Overall, most security measures hinder usability to some extent. This is a fact, and so far no workarounds have been developed. We divide all "complications" from security into impact on information systems and impact on employees.
Some of the computer-related issues are:

* Antivirus software might degrade the performance of a desktop system, especially an older computer
* Content filtering may remove non-malicious attachments
* A firewall may slow down network communication
* False positives from IDS and anti-virus heuristic engines create network overhead and undermine employee confidence in the value of such security software

Employee-related security challenges include:

* A complicated password policy with no user education, resulting in employees writing passwords on the infamous Post-It notes
* The need to log in to many systems to perform daily job duties, resulting in employees selecting the same password or several easily guessable passwords for multiple systems
* The previous need combined with short login timeouts, causing productivity loss due to a constant need to log in again
* Restrictive physical security, which may result in employees sharing access cards
* Video surveillance with no justification, which may lower employee morale and degrade trust within the organization
* Complex remote access procedures, which may result in some employees installing "black" modems for home access
* Encrypted email, such as PGP email, which is hard to use without some understanding of public key cryptography

Addressing those issues is essential after the security program is designed. Ideally, security should be user-independent (the security of the system should not depend upon the decisions of an end user), user-transparent (it does not prevent or hinder any authorized action of the user), effective (it stops all unauthorized actions of a legitimate user and all actions of an intruder) and cost-effective (it does not cost more than the protected assets). Security measures should also be flexible enough to reflect the fast-paced and somewhat chaotic environment of the modern infosec threat landscape.

To conclude, too much security can be as much of a problem in some cases as too little.
Restrictive and unjustified security measures, especially those not based on a security policy, can lower the productivity of the human components and the performance of the technology components of a business. Implementing effective security requires careful design, and a needs analysis and detailed risk analysis should be done first. Such assessments are then followed by an implementation plan in which organizational communication, policy, maintenance plans, training and deployment are considered, to name a few.

About the Author

Anton Chuvakin, Ph.D. is a Senior Security Analyst with netForensics, a security information management company that provides real-time forensics software solutions. His infosecurity expertise includes network security, firewalling, UNIX hardening, security administration, etc.