Chapter 1. Security Overview

Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, entire industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of their organization. Because most organizations are increasingly dynamic in nature, their workers are accessing critical company IT resources locally and remotely, hence the need for secure computing environments has become more pronounced.

Unfortunately, many organizations (as well as individual users) regard security as more of an afterthought, a process that is overlooked in favor of increased power, productivity, convenience, ease of use, and budgetary concerns. Proper security implementation is often enacted postmortem — after an unauthorized intrusion has already occurred. Taking the correct measures prior to connecting a site to an untrusted network, such as the Internet, is an effective means of thwarting many attempts at intrusion.

1.1. Introduction to Security

1.1.1. What is Computer Security?

Computer security is a general term that covers a wide area of computing and information processing. Industries that depend on computer systems and networks to conduct daily business transactions and access critical information regard their data as an important part of their overall assets. Several terms and metrics have entered our daily business vocabulary, such as total cost of ownership (TCO), return on investment (ROI), and quality of service (QoS). Using these metrics, industries can calculate aspects such as data integrity and high-availability (HA) as part of their planning and process management costs. In some industries, such as electronic commerce, the availability and trustworthiness of data can mean the difference between success and failure.

1.1.1.1. How did Computer Security come about?

Information security has evolved over the years due to the increasing reliance on public networks not to disclose personal, financial, and other restricted information. There are numerous instances such as the Mitnick and the Vladimir Levin cases that prompted organizations across all industries to re-think the way they handle
information, including its transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.

An ever-growing number of people are using their personal computers to gain access to the resources that the Internet has to offer. From research and information retrieval to electronic mail and commerce transactions, the Internet has been regarded as one of the most important developments of the 20th century.

The Internet and its earlier protocols, however, were developed as a trust-based system. That is, the Internet Protocol (IP) was not designed to be secure in itself. There are no approved security standards built into the TCP/IP communications stack, leaving it open to potentially malicious users and processes across the network. Modern developments have made Internet communication more secure, but there are still several incidents that gain national attention and alert us to the fact that nothing is completely safe.

1.1.1.2. Security Today

In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the most heavily-trafficked sites on the Internet. The attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and
several other sites completely unreachable to normal users, as it tied up routers for several hours with large-byte ICMP packet transfers, also called a ping flood. The attack was brought on by unknown assailants using specially created, widely available programs that scanned vulnerable network servers, installed client applications called Trojans on the servers, and timed an attack with every infected server flooding the victim sites and rendering them unavailable. Many blame the attack on fundamental flaws in the way routers and the protocols used are structured to accept all incoming data, no matter where or for what purpose the packets are sent.

In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent Privacy (WEP) wireless encryption protocol resulted in the theft from a global financial institution of over 45 million credit card numbers.

Currently, an estimated 1.4 billion people use or have used the Internet worldwide. At the same time:

- On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.
- The number of CERT reported incidences jumped from 52,658 in 2001, 82,094 in 2002 and to 137,529 in 2003.
- According to the FBI, computer-related crimes cost US businesses $67.2 Billion dollars in 2006.

From a 2009 global survey of security and information technology professionals, "Why Security Matters Now", undertaken by CIO Magazine, some notable results are:

- Just 23% of respondents have policies for using Web 2.0 technologies. These technologies, such as Twitter, Facebook and LinkedIn may provide a convenient way for companies and individuals to communicate and collaborate, however they open new vulnerabilities, primarily the leaking of confidential data.
- Even during the recent financial crisis of 2009, security budgets were found in the survey to be mostly at the same amount or increasing over previous years (nearly 2 out of 3 respondents expect spending to increase or remain the same). This is good news and reflects the importance that organizations are placing on information security today.

These results enforce the reality that computer security has become a quantifiable and justifiable expense for IT budgets. Organizations that require data integrity and high availability elicit the skills of system administrators, developers, and engineers to ensure 24x7 reliability of their systems, services, and information. Falling victim to malicious users, processes, or coordinated attacks is a direct threat to the success of the organization.

Unfortunately, system and network security can be a difficult proposition, requiring an intricate knowledge of how an organization regards, uses, manipulates, and transmits its information. Understanding the way an organization (and the people who make up the
organization) conducts business is paramount to implementing a proper security plan.

1.1.1.3. Standardizing Security

Enterprises in every industry rely on regulations and rules that are set by standards-making bodies such as the American Medical Association (AMA) or the Institute of Electrical and Electronics Engineers (IEEE). The same ideals hold true for information security. Many security consultants and vendors agree upon the standard security model known as CIA, or Confidentiality, Integrity, and Availability. This three-tiered model is a generally accepted component to assessing risks of sensitive information and establishing security policy. The following describes the CIA model in further detail:

- Confidentiality — Sensitive information must be available only to a set of pre-defined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.
- Integrity — Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.
- Availability — Information should be accessible to authorized users any time that it is needed. Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in
terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.

1.1.2. Security Controls

Computer security is often divided into three distinct master categories, commonly referred to as controls:

- Physical
- Technical
- Administrative

These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them.

1.1.2.1. Physical Controls

Physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are:

- Closed-circuit surveillance cameras
- Motion or thermal alarm systems
- Security guards
- Picture IDs
- Locked and dead-bolted steel doors
- Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)

1.1.2.2. Technical Controls

Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:

- Encryption
- Smart cards
- Network authentication
- Access control lists (ACLs)
- File integrity auditing software

1.1.2.3. Administrative Controls

Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:

- Training and awareness
- Disaster preparedness and recovery plans
- Personnel recruitment and separation strategies
- Personnel registration and accounting

1.1.3. Conclusion

Now that you have learned about the origins, reasons, and aspects of security, you will find it easier to determine the appropriate course of action with regard to Red Hat Enterprise Linux. It is important to know what
factors and conditions make up security in order to plan and implement a proper strategy. With this information in mind, the process can be formalized and the path becomes clearer as you delve deeper into the specifics of the security process.

Source: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-Security_Guide-Security_Overview.html