[CentOS] General questions about security

Les Bell lesbell at lesbell.com.au
Fri Feb 1 09:28:31 UTC 2008


Niki Kovacs <contact at kikinovak.net> wrote:

>>
I wonder where to begin.
<<

Policy. It's a drag, writing policies, but without policies, you're in the
"Ready! Fire! Aim!" school of security.  The top tier of policy is the
"Enterprise Security Policy", which establishes the security function,
roles, responsibilities, budget, etc. It also gives the power to enforce
penalties for breaches of policies. At the next tier, you have system- and
issue-specific policies, such as the "Use of corporate email" policy, the
"Inappropriate content in the workplace" policy. You may then move down to
standards (platforms, SOE, etc.) and procedures (e.g. for provisioning user
accounts, resetting passwords, etc.).

Everything then flows from a Threats and Risk Assessment. Identify the
information assets of the enterprise, value them. Then identify the
possible threats, essentially giving them a likelihood of occurring. This
is then plugged into a risk matrix: high value asset with almost certain
likelihood of compromise = extreme risk; insignificant value asset with
rare likelihood of compromise = low risk. Obviously, you focus on the high
risk stuff first.

You then put in place controls to mitigate the risk. For some things, you
can't mitigate (e.g. data centre hit by asteroid and now a smoking hole in
the ground); those you push over into Disaster Recovery Planning and deal
with through relocation, equipment replacement, off-site backups, etc.

Your controls could be technical (firewalls, proxies, authentication and
authorization/access control, etc.), physical (locked doors, fences,
alarms) and administrative (policies/procedures/standards, pre-employment
screening, job rotation, segregation of duties, etc.). ISO 27001/27002 are
a good guide in this area, or if you're US Gummint, check out the NIST
SP800-series publications.

>>
I would say first thing is get a series of
"auditing" tools such as, for example, the port scanner nmap, to test
the firewall on the server. Any other ideas for that?
<<

Actually, tools like nmap, Nessus, etc. come in quite late in the day, for
assurance that things are configured correctly. You can usually get much
better bang from the buck from an internal audit first (it's amazing how
often things are documented as being one way, when actually they're
configured a completely different way).

>>
Maybe some good reads on security? That is, articles that don't require
you to be a doctor in computer science to get a grasp of the subject?
<<

If you want a rapid overview of Linux security, I recommend the book "Real
World Linux Security" by Bob Toxen. If you want a rapid overview of the
business aspects of security, I'd recommend you investigate Security+,
which is an entry-level security certification - a course or even just a
study guide would help you. I'll let others comment on SELinux - I've
worked with it, but my experience is definitely atypical.

A closing quote, which I think comes from the old edition of the "Official
(ISC)² Guide to the CISSP CBK", but is probably the key point:

"Technical specialists are not the right people to decide how the
organization approaches security and what security measures should be
implemented. Companies which deal with security at the administrator level
do not view security in broad enough terms. Senior management is not
sufficiently involved and aware, proper risk management is not performed,
security is under-funded and there is no planning and procedures to deal
with unanticipated events."

In other words, your top priority in security should be to obtain senior
management backing. Without that, you'll just be spinning your wheels. And
always remember: you can secure the technology fairly easily - it's the
*people* that are the weakest link.

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909





More information about the CentOS mailing list