UNIX Computing Security/Principles and policies
Suggested topics: education, risk management and enforcement, government security levels (C2, &c.)
|The way to be safe is never to be secure.|
Computing security as it applies to UNIX is usually taken to mean protection of a UNIX-based computing system against unauthorized access to information or services on that system, including viewing, copying, modifying or destroying data.
But security can also apply to unauthorized attempts to deny appropriate individuals access to the stored information through loss of availability. Security is also used to manage privacy on a system, whether by confirming the identity of a person who performed an action, and by allowing individuals to maintain control of private information.
Providing security to a system is not a goal so much as it is an ongoing process. At least at present, a UNIX computing system can never be made fully secure. However by continually applying a series of security measures to the systems, the net risk to the system can be brought to a minimum.
A necessary element of system security is the legal system. The threat of prosecution is an important element in deterring an unlawful intrusion or activity, particularly in the circumstance where the system is serving as a component of a company business or when the loss of important information can have significant consequences. It is not even necessary for a system to be compromised in order to have business consequences. A business service can be rendered inoperative for a period of time, costing a firm a significant source of income.
To allow successful prosecution of unlawful activities against a computer system, forensic evidence must be available to demonstrate that a crime occurred. This necessitates the use of logging to track activities and events on the system, and the protection of these logs against tampering. This also includes the need to make periodic backup copies of files on the system on secure media, as frequently as once per day if feasible. In the event of a direct compromise through the hardware, unmodified physical evidence may also be needed, including camera records, witnesses, and so forth.
It can be important during the prosecution to demonstrate that you were performing on-going active measures to prevent inappropriate access, rather than just initiating monitoring in the particular circumstance. So logging and auditing need to be part of the standard security measures. In addition, a carefully-worded legal warning notice needs to be presented prior to login so that the potential intruder can not claim ignorance. Even a greeting message presented prior to login can be used as a legal defense. Finally, due diligence in securing your system can help demonstrate that an inappropriate intrusion was willful and dedicated, rather than as a result of curiosity.
The Sarbanes-Oxley Act of 2002 was a significant piece of legislation designed to help prevent corporate financial fraud. Although computing security was not a factor in the events that resulted in this act, the legislation has had an indirect impact on security requirements. The law imposes accounting requirements and control practices on U.S. companies, or at least those that are publically owned. Requirements for accurate financial records have been strengthened, resulting in the need for control of all aspects of how financial information is processed.
Computing security became relevant due to a provision in Sarbanes-Oxley requiring disclosure of potential liabilities that might impact the bottom line. Events that resulted in the compromise of key computing systems can have a significant impact on the company business. Three of the most relevant sections of Sarbanes-Oxley for computing security are:
- Section 302 — Certification of the completeness and accuracy of financial reports by the CEO and CFO.
- Section 404 — Management assessment of internal controls, which must be reported to the SEC each year.
- Section 409 — Real time disclosure of information.
Due to these requirements, attention to computing security has became an important factor. The act requires companies to disclose when their financial information has been tampered with, describe the measures used to protect the data, and safeguard the information used to track the information security. Companies that are required to disclose that they have poor security practices could prove an uninviting investment, which can affect their stock value. This has brought an increased, and in some cases much-needed attention to computing security in many commercial companies.
Applying security measures is a constant trade-off between maintaining the usefulness of a system and keeping it secure. Each new security measure will further restrict activities on a system, and is likely to be met with resistance by the users. So the system operators must weigh the risks of data loss versus less utility, and decide whether the extra measures are worth the trade-off.
The Administrator of a UNIX system has a significant ability to reduce security risks by properly configuring the operating system to enable security features. In many instances the operating system as shipped by a vendor is applied with a weak security configuration. It requires careful examination of the system to control or eliminate these weaknesses, and neglecting to apply an appropriate restriction can leave a system vulnerable to exploitation.
Once a system has been properly secured, it will still require steady maintenance and monitoring to keep it that way. New exploitations are constantly being discovered, and the administrator will need to stay on top of remedies for newly discovered vulnerabilities. Doing so may require periodic application of new patches, additional changes to the system configuration, or simply an assessment of the risk and determining a means to manage it.
Unfortunately, individual actions by users on a UNIX system can result in a net increase in the security risk. So, in addition to monitoring potentially harmful actions by users, some education of the users is needed. This education includes raising security awareness, training users against certain types of harmful actions, and demonstrating useful tools that can enhance the security of their data.
Determining whether an individual is authorized to have access to the information is an essential component of UNIX system security, and requires access control policies, secure methods of verifying identity, and methods of storing and transmitting credentials. The identity of the individual is used to determine the information they can access, and their ability to modify information on the system.