Site security and the future

We have spent a considerable amount of time discussing the meaning of security concepts which we did not have time to amplify on in the system administration course. Let us now try to collect the sum of this knowledge into some kind of checklist for securing a site or enterprise.

Zones of security clearance

The first thing to decide is the nature of the organization we are trying to protect. Many companies, like banks or large cooperate empires require many levels of security. Information is provided on a need to know basis. There might be physical security checkpoints and logical security checkpoints.

The enemy within...

Remember that most major hacking and net crime cases have been carried out by insiders. There is a balance to be struck between trusting workers and checking their behaviour. If we are too lax, someone will try it on. If we are too strict, we will generate bad feelings and encourage staff to turn against the organization.

Insecure operating systems

These have no memory protection or file protection. They are trivially infected with viruses. The only thing one can do with these is to place them behind a firewall and cross your fingers. You can try to drill users to avoid making the worst mistakes with such machines, but probably you will not be able to make them understand or listen.

Insecure operating systems which are used for important work should never be attached to a public network, or be available to unauthorized persons.

It is difficult to trust an operating system which is wide open to attack, both from the console and from the network.

Analysis and checklist

• Basics
  • Backup, redundancy plan, recovery plan
  • Access controls on backup media.
  • One host per task is easiest to secure, but costly.
  • Security policy (avoid too much inconvenience to users)
  • Physical security of machines and the site.
  • Inform users about policy. (They need to understand the ramifications)
  • Train users against social engineering. Who do you trust on the telephone? If your boss asks you for your password, do you give it to him?
  • Understand the trust relationships in your network.
• Look at network topology: how many ways in/out are there?
  • How many routes in?
  • What access controls on routed traffic?
  • Honey pots, sacrificial lambs
  • Firewall (do not protect against data attacks)
  • Modems (don't forget these!)
  • Backdoors
  • Dependencies. Denial of service attacks.
• Examine the hosts on the network:
  • What operating systems do they run?
  • Are they properly configured, according to the security policy?
  • What security problems are known to exist on those operating systems?
  • Have the operating systems been upgraded with the latest security patches?
  • What access controls are in use on files?
  • Privacy of data with VPN, encryption or use of access rights.
  • Examine the setuid privileged programs on the system: do they all need to have those permissions?
    (e.g. removing the setuid flags from the Common Desktop Environment window system has saved us here on several occasions!)
  • Is software installed correctly?
  • Monitor permissions and configuration constantly.
• Examine network services
  • Look at router filters. RPC (SMB) and SNMP should not be passed outside domain.
  • What access rights do services run with?
    (Don't run privileged if you can avoid it)
  • What information could services be exploited to provide?
  • Do they have a history of software errors?
  • What access controls are in use? (TCP wrappers/firewalls)
  • What dependencies exist between services?
  • How safe is E-mail? Privacy?
• Authentication
  • Smartcards/javacards
  • Biometric authentication?
  • Digital signatures.
  • Kerberos
• Denial of service attacks
  • Router filters
  • Firewall susceptible
  • Intrusion detection system vulnerable
  • Spam?
• WWW security
  • Run as non-privileged user www
  • CGI scripts - never setuid. Check content.
  • CGI scripts can circumvent any .htaccess security
  • File permissions - data files should not be owned by www user!
  • Mail is always anonymous (as www user)
  • Use HTTPS for privacy. (e.g. mod_ssl in Apache)
• Intrusion detection to estimate how often you are being attacked. (You will never find the clever ones...) This should be the last thing you spend money on, since it is probably only for curiousity.
  • Look for tell-tale files: nuke rootkit cloak zap icepick toneloc .mo etc
  • Set up an md5 checksum database on /usr

The future of security

Who knows what the future will be bring? The need for security has always existed. What we have seen in this course is that computer security is nothing very special. It is the application of a few basic security principles to the computer arena. It is only the technological climate which focuses attention on specific issues.

The security problem will never be solved because it all has to do with trust. If you understand one thing from this course, it should be this: every security problem has its roots in trust. We can use technology to move trust from place to place, but we can never avoid the final judgement. Why should we bother with security? If you don't know yet......

What specific things can we expect?

• IPv6 will provide layer 3 encryption.
• Prime numbers will become less important as quantum cryptography arrives.
• We will have new operating systems with ideas from Unix, NT and Novell. But this will take time, because many have tried this. The model which has really endured the test of time is the Unix model: creeping change, increasing chaos and then a battle for rationalization.
• Anarchy has been unleashed by the internet. There is no turning back.
• User software will be written with security in mind (okay, I was joking).
• Secure languages will be built (Java is a first step).
• Computer warefare will reach a peak and then it will become too difficult. If we are lucky, free access to information and education will increase personal freedom, wealth and make conventional warfare less attractive.

If nothing else, an attention to security now will optimize the security issue later. New technology will make actual attacks difficult, but trickery is what human intelligence was invented for. Until the machines are smarter than we are, there will be no end to deception.

The future of security is you! Go and spread good practices by setting a good example.