There seem to be two kinds of people in the world: those who think computer security is fun and exciting, and those who think it is arcane and scary. Professional system administrators who read their logs will tell you computer security is actually long periods of boredom punctuated by intervals of sleeplessness, panic, and frantic activity.
For months, you read logs that basically consist of the same sequence of messages. Then one morning, you see a different message. Your first thought tends to be "I've been hit!" You want to determine whether the attack was successful. You comb through logs and examine files on your systems, looking for signs of abnormal behavior. There are none; maybe the attack has failed. But perhaps the attacker was smarter than you. For days or weeks you remain unsure if your system's defenses were penetrated. Eventually, you forget about it and move on to a new crisis.
I think driving is an excellent metaphor for computer security, on a number of levels: Some people think driving is enjoyable and exciting, but some think it is dangerous and scary. I insure my vehicle, follow the rules of the road, wear my seatbelt, stay out of harm's way, keep my eyes on the road, and perform regular maintenance. Let's take a look at how each of those steps applies to computer security.
First, a warning: most of computer security is nontechnical, just as most driving doesn't require a detailed understanding of internal combustion engines. Good driving also means boring and predictable driving, which may not be much fun. Computer security requires lots of plodding, methodical examination of details that will hopefully result in boring and predictable computers. Neither safe driving nor safe computing taxes your technical abilities; the goal of both is to keep you out of harm's way in the first place. Think of this article as a defensive driving course for the information superhighway.
Most states won't even let you get on the road without insurance, which is a very old method of distributing and managing risk. By climbing into an automobile, you increase your risk of death or serious injury, but most people still drive to work. Likewise, connecting a computer to a network puts you at risk for theft or loss of data, but most people are loath to permanently disconnect their systems from the Internet. As a Linux system administrator, I work not to eliminate risk, but to manage it.
I need to know the nature of a risk before I can manage it. Car insurance typically covers medical bills, damage to your car, accident-related lawsuits, and theft. When you put a computer on the Internet, what do you put at risk?
Computer security professionals say users and administrators should develop a threat model, which states what you're trying to protect from whom. Do you want to protect your ability to access the network, to print, or to store files? Are you worried about the confidentiality of certain files on your system? Are you worried that people might alter or destroy data? Do you want to keep hackers from defacing your Website and damaging your corporate image?
Implementing security measures requires at least an implicit understanding of your threat model, but simply understanding the risks is not the same as insurance.
A more direct form of insurance is backups. Depending on your threat model and system configuration, you may want to emphasize different portions of the backup procedure. If your system is a standard off-the-CD Linux install with little customization of your configuration files, you may only need a zip disk to back up the files in your home directory. If you've customized your system extensively, you might wish to back up your /etc and /usr/local directories as well. If you don't think restoring those files with a fresh install will accurately reflect your current system, you may want to regularly perform full backups of your system.
Rules of the road
Almost every local government in the world requires you to possess a license in order to drive. Before getting even a learner's permit, you must pass a test that proves you understand the rules of the road. (I've often wished for an Internet Driver's License that indicates an understanding of netiquette, but that's a different article altogether.) As a network user, your driver's handbook is your ISP's Terms of Service agreement; if you use computers at work, you must also abide by corporate guidelines or policies.
Terms of service may include limitations on network monitoring and running services, along with strong language about respecting intellectual property. Corporate policies also typically cover strong passwords, the use of systems for non-work-related activities, confidentiality agreements, and so on.
As a system administrator, I've defined a number of policies, including our organization's password policy and several policies that authorize me to decode network traffic and scan our computer systems for security holes. If you think that doesn't matter, read about the Randal Schwartz case and about the CIA agents recently disciplined for running an unauthorized chat server. (See Resources for links.) If you don't have policies, you should develop them.
Wear your seatbelt
The best advice is also the most pedestrian (no pun intended). Most security violations are not perpetrated by hackers, competitors after your corporate secrets, or nefarious government agencies -- they are caused by (often well-meaning) employees who simply don't follow the rules. They pick bad passwords, take secure laptops and put them on insecure networks at home and at conferences, and so on. Make sure that all staff members understand your policies and the risks associated with violating them. Even when no harm directly results from a violation, it still increases risk, which is the exact opposite of what we're trying to do.
Wearing a seatbelt also implies a certain balancing of risks: friends constantly tell me about some person who would certainly have been killed if he or she had been wearing a seatbelt, but was instead thrown to safety. While at least some of those stories are undoubtedly true, they are the exception, not the rule; the prudent driver or passenger knows that, at the end of the day, seatbelts save lives. Similarly, implementing some computer security may make you a more challenging or juicier target for hackers in some other respect. The question is always, "Overall, does this measure increase or decrease my security?"
Stay out of harm's way
A good automobile is designed to eliminate as much wind resistance as possible. The equivalent of wind resistance on the Internet is the constant stream of low-level scans and probes that hackers use to find systems to break into. The best way to avoid harm is to keep a low profile. Most Linux distributions turn on many more services than are necessary on the average workstation. I've seen dozens of machines hacked through outdated copies of BIND installed on systems where local name service wasn't even being used. If named hadn't been running, the systems would have been safe. Turn off any services you don't need, and remove the software entirely if possible.
Many risky programs run from inetd; you can turn them off by commenting out the relevant lines in /etc/inetd.conf. Some systems, such as Red Hat 7.0, use xinetd as a replacement. xinetd configuration files are fairly easy to use, and it should be easy to turn off services there. Other risky services run from startup scripts in (depending on your distribution) /etc/rc[1-5].d, /etc/init.d/rc[1-5].d, or /sbin/rc[1-5].d. If some users need root privileges for particular tasks, you can grant them through sudo (see Resources for a link), but it's best to limit what they can run to the bare minimum.
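As an added example (not code from the article), the following Python script audits an inetd.conf of the kind described above and writes a copy in which only an allowlisted set of services stays enabled, reporting what it disabled. The sample inetd.conf contents are constructed.

```python
"""Audit an inetd.conf and produce a hardened copy in which only
allowlisted services remain enabled.  Added example; the sample file is constructed."""
import re

# Constructed sample resembling a default /etc/inetd.conf of the period.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
"""

# An active entry starts with the service name (no leading '#'), then socket
# type, protocol and wait/nowait; comments and blank lines never match.
ENTRY_RE = re.compile(
    r"^\s*(?P<service>[\w.-]+)\s+(stream|dgram|raw|rdm|seqpacket)\s+\S+\s+(wait|nowait)")

def enabled_services(conf_text):
    """Return, in file order, the names of services inetd would actually start."""
    return [m.group("service")
            for m in map(ENTRY_RE.match, conf_text.splitlines()) if m]

def harden(conf_text, allow):
    """Comment out every enabled entry whose service is not in `allow`.
    Returns (new_text, list_of_disabled_services)."""
    out, disabled = [], []
    for line in conf_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group("service") not in allow:
            out.append("#" + line)      # same convention as a hand-edited file
            disabled.append(m.group("service"))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled

if __name__ == "__main__":
    # A workstation that still fetches its mail locally keeps only pop-3.
    new_conf, gone = harden(SAMPLE_INETD_CONF, allow={"pop-3"})
    print("disabled:", ", ".join(gone))
    print(new_conf)
```

Once the hardened file is installed as /etc/inetd.conf, inetd rereads it when sent SIGHUP.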
Finally, protect your data as it travels over the network. Programs like Telnet and FTP transmit all passwords and data over the network in cleartext, which can be read by anyone with a network sniffer. Try replacing those packages with OpenSSH (see Resources for a link) and other software that protects your data using cryptography.
Keep your eyes on the road
Drivers do a better job when they keep an eye out for obstacles, and know what threats to expect and how to respond to them. Mailing lists are essential to doing this. CIAC and CERT run low-volume mailing lists with information about security threats, as do many Linux vendors such as Red Hat, SuSE, Debian, and Mandrake. (See Resources for those vendors' security sites, which have links to their security mailing lists.) If you want a closer look at day-to-day happenings, BugTraq is the mailing list where many security issues first surface.
To keep an eye on where you're going, read your log files. That is the first thing I do at work every morning, after reading my email. If you run an intrusion detection system such as Snort, you should read those logs too. The SANS Institute's GIAC (Global Incident Analysis Center) program lets you find out what other people's intrusion detection systems are uncovering; reading other admins' logs is an excellent way to learn the lay of the land.
Perform regular maintenance
Even the safest automobile must undergo regular inspections and maintenance to remain in good working order. Computers also need to be maintained. For Linux systems, that means regular updates to software. Red Hat Linux, for example, issues security updates frequently: one or more updates in a week is fairly common.
While it can be challenging to keep all your systems' software up-to-date, it is necessary. Almost all systems are broken into by script kiddies who exploit well-known holes in out-of-date software. You can think of it as a race: will they find the holes in your system before you patch them? Many Linux distributions now have tools that update your software almost automatically. Debian and its derivatives support the apt-get update command, Mandrake has MandrakeUpdate, and Red Hat has up2date. Using those tools, or otherwise keeping all software on your system current, is essential to winning the race against the script kiddies.
Like driving, computer security can be awfully boring. To stay safe, you must abide by these simple principles:
Back up your system as an insurance policy
Know what you're trying to protect
Follow all relevant policies -- write your own if necessary
Know how to measure your exposure, then limit it
Keep an eye out for likely threats
Keep your software up to date
Keeping secure systems requires perseverance, consistency, and eternal vigilance.
Resources
State of Oregon vs. Randal Schwartz computer security case:
"CIA Secret Chat Room Investigated," Tabassum Zakaria (ZDNet News, Nov. 12, 2000):
The Sudo homepage:
The OpenSSH homepage:
CIAC (Computer Incident Advisory Capability):
CERT (Computer Emergency Response Team) vendor security sites:
GIAC (Global Incident Analysis Center):