The year 2000, the coming of the new millennium, brought us great joy and celebration, but also great fear. Some believed it would result in a full-scale computer meltdown, leaving Earth a nuclear wasteland. Others predicted minor glitches leading only to inconvenience. The following years (2001-2004) have been tainted with the threat of terrorism worldwide. Whether it is physical terrorism or malicious attacks on information systems, we have all raised our level of awareness. For many across the world, the new year brings a sense of rebirth and recommitment. All of us take time to reflect on the past year, reexamine our lives, and focus on how we can do better in the upcoming year. Some have career-related goals; others only wish to make more time for their family, having realized that those close to you are in fact the real and only reason for everything. Personally, I am one who loves to set goals. Without a mission and a plan, very little gets accomplished. The new year should not only be a time to set personal goals such as an exercise regimen, but also a time to focus on security practices and configurations. 2005 will be hostile; now is the time to prepare.
Reflect on Present
Those of us long-time security gurus always chant the mantra "security is a process, not a product; repeat." The new year should be a time to refine that process. Take a moment to analyze and ask the following questions:
- Are we doing everything the way we should?
- What areas of our operation need to be improved?
- Are we following security best practices?
- Do I feel confident about our security practices?
- Do I have metrics to provide assurance about our security?
- Are we proactive, or do we always seem to be catching up?
Although many network environments are similar, it is important to keep the questions as broad as possible. It is necessary to reflect on the overall picture of security. Some of you may be responsible for hundreds of servers; others may only keep a hobby server running on a DSL line. Security should be important to all in every situation, and many of the broad concepts of security are the same. For example, the first question asks, "Are we doing everything the way we should?" Although simple, warranting only a YES/NO response, it is loaded with other questions. One of the most obvious: do you take shortcuts? I'll admit, I'm sometimes guilty. Rather than taking the time to do something completely right the first time, I focus all of my time on functionality, and once it is working, move on to more pressing matters. One must be dedicated to making sure that servers are set up and configured in the most sound way possible. It's not enough for something just to work; it should be configured to reduce as much risk as possible.
One of the more pointed questions above is about security confidence. While too much confidence can lead to disaster, too much paranoia can drive someone mad. The obvious balance is in the middle. Security personnel should strive to be confident, but paranoid. It sounds like an oxymoron, but it's not. It is important to have faith in one's own system, but always be aware of and ready for emerging threats. For example, early 2004 was inundated with Linux kernel vulnerabilities. Although I was confident that my EnGarde Linux servers would hold up, I didn't ignore the bugs completely. It is important to keep up with vulnerability news and apply patches when available. Confidence (trust) can be obtained through good security practices. Using standards such as BS7799/ISO17799, ISF Best Practices, as well as others, can help establish a program for building security confidence. Documentation such as the Linux Security Howto, the Linux Security Administrators Guide, and NIST's dozens of configuration guides can ensure software has been set up and configured properly.
It's not enough just to be confident. One must have assurance that the systems in place will provide adequate protection for their information assets. Whether it's trade secrets to protect or just a website to keep from being defaced, the information security principles are the same. Layer, layer, layer! Provide multiple levels of security through authentication, access control, network traffic regulation and segmentation, and the use of strong cryptography. Know your system inside and out by monitoring logs and system events, and by understanding what legitimate activity looks like. Being able to quantify the number of failed unauthorized attempts provides a level of assurance and demonstrates the value of each security control. A proactive security process is a combination of knowing your assets, knowing your systems, and understanding their threats and vulnerabilities, while working in a prioritized manner to reduce the risk of each.
A Security Resolution
Rather than focus on management-related security issues such as policy development, security awareness and training, and risk analysis, I am writing resolutions that can be directly applied by system administrators. Also, please be aware that the issues I touch on here are by no means a complete list of security issues that should be examined. I would be writing for weeks if I attempted to cover all issues that affect Linux administrators.
- Change Passwords/Keys: We all have our favorite passwords and passphrases. We get comfortable with them and become reluctant to change them. For many, it is a huge job. However, maintaining fresh passwords is important to the security of a system. Using the same root password for three years is simply unacceptable. Make it a habit to change major passwords regularly. If you haven't done it recently, change them now.
- Apply System Patches/Keep Software Up-to-Date: Yes, all of us can get lazy, but that is simply no excuse if you wish to maintain a secure system. Vulnerability advisories are released by Linux vendors every day; it should be a top priority to test and then apply appropriate patches to production systems. If it is simply too much work to apply them manually, consider subscribing to an automated distribution service such as those offered by Red Hat and Guardian Digital.
- Analyze Accounts/Permissions: It has been said that a large number of corporate information security break-ins are a result of stale user accounts. Do you have accounts left on your system for people who quit or were fired six months ago? If so, that's a huge risk. Perhaps quarterly, review the accounts on your system and verify their necessity and validity. It is also important to review critical file permissions. Sometimes testing a system warrants a permission change, and then an administrator forgets to set it back to its original state.
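As an added example (not from the original article), here is a small POSIX shell audit for two of the resolutions above: password age read from a shadow(5)-format file, and a critical-file permission baseline. It runs against constructed sample data in a temp directory; the 90-day limit and the baseline modes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: an account and permission
# audit run against constructed sample data in a temp directory. The 90-day
# age limit and the mode baseline are assumptions; real use points the
# functions at /etc/shadow and the live filesystem.

# Print accounts whose password was last changed more than $2 days ago.
# $1 is a shadow(5)-format file; field 3 is the change date in days since
# 1970-01-01, and $3 is "today" in the same unit so the result is reproducible
# (in production: $(( $(date +%s) / 86400 ))). Locked accounts ("!" or "*")
# are skipped; an empty field 3 means password aging is disabled.
password_older_than() {
  awk -F: -v max="$2" -v today="$3" '
    $2 ~ /^[!*]/          { next }
    $3 == ""              { print $1 " (aging disabled)"; next }
    (today - $3) > max    { print $1 }' "$1"
}

# Read "path mode" pairs on stdin (paths without spaces) and report every
# file whose octal mode differs from the baseline, or that is missing.
# GNU stat is tried first, BSD stat as a fallback.
check_modes() {
  while read -r path mode; do
    actual=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path" 2>/dev/null) \
      || { echo "$path: missing"; continue; }
    [ "$actual" = "$mode" ] || echo "$path: mode $actual, expected $mode"
  done
}

# --- constructed sample data (hashes are placeholders) ---
tmp=$(mktemp -d)
printf 'root:$6$h1:19000:0:99999:7:::\nalice:$6$h2:20000:0:99999:7:::\nbob:!:15000:0:99999:7:::\nsvc:$6$h3::0:99999:7:::\n' > "$tmp/shadow"
: > "$tmp/passwd"
chmod 640 "$tmp/shadow"; chmod 644 "$tmp/passwd"

echo "== passwords older than 90 days (today = day 20100) =="
password_older_than "$tmp/shadow" 90 20100
echo "== files that drifted from the baseline =="
printf '%s 640\n%s 640\n%s 600\n' "$tmp/shadow" "$tmp/passwd" "$tmp/gone" | check_modes
```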
- Review Backup/Restore Procedures: Are the systems being backed up? If on tape, how old are the tapes? Have the tapes been verified to ensure that they are actually backing up the correct data, and do the restore procedures work? In an emergency, one does not have the luxury of spare time. It is important to sort through the problems beforehand.
- Review Logs/Intrusion Detection: Are there procedures in place to periodically review system activity? Nearly every system keeps some form of logs, but very few administrators actually review them frequently. Now is a good time to implement an automated alert system, refine exactly what information is logged, and determine responses to specific events.
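As an added example (not from the original article) for the log review above and the failed-attempt counting mentioned under assurance, here is a shell/awk pass over constructed sshd log lines that counts failed logins per source, separates attempts on nonexistent accounts from attempts on real ones, and raises an alert above an assumed threshold.

```shell
#!/bin/sh
# Added example, not from the original article: a failed-login review over
# constructed sshd log lines (RFC 5737 documentation addresses), with an
# alert threshold chosen as an assumption. In production, point it at
# /var/log/auth.log or /var/log/secure and run it from cron.

# Count sshd "Failed password" lines per source address, busiest first.
failed_logins_by_source() {            # $1 = log file
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Separate attempts against nonexistent accounts ("invalid user", typical of
# blind scanning) from attempts against real accounts, and count successes,
# so the numbers can be tracked from one review to the next.
login_summary() {                      # $1 = log file
  awk '/sshd\[[0-9]+\]: Failed password for invalid user/ { inv++; next }
       /sshd\[[0-9]+\]: Failed password for/              { real++ }
       /sshd\[[0-9]+\]: Accepted /                         { ok++ }
       END { printf "invalid_user=%d real_user=%d accepted=%d\n", inv, real, ok }' "$1"
}

# Emit one ALERT line per source at or above the threshold: the hook for an
# automated response (mail, pager, firewall rule) decided on in advance.
alert_sources() {                      # $1 = log file, $2 = threshold
  failed_logins_by_source "$1" |
    awk -v t="$2" '$1 >= t { print "ALERT: " $2 " had " $1 " failed logins" }'
}

# --- constructed sample log ---
log=$(mktemp)
cat > "$log" <<'EOF'
Jan  3 10:12:01 web1 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Jan  3 10:12:04 web1 sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 4025 ssh2
Jan  3 10:12:09 web1 sshd[1205]: Failed password for root from 192.0.2.10 port 4031 ssh2
Jan  3 10:12:15 web1 sshd[1207]: Failed password for root from 192.0.2.10 port 4040 ssh2
Jan  3 10:20:44 web1 sshd[1220]: Failed password for alice from 203.0.113.5 port 5102 ssh2
Jan  3 10:21:02 web1 sshd[1222]: Accepted publickey for alice from 198.51.100.7 port 5110 ssh2
Jan  3 10:30:00 web1 CRON[1230]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

failed_logins_by_source "$log"
login_summary "$log"
alert_sources "$log" 3
```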
- Physical Security: Ensure all systems are running in a safe and secure operating environment. Is the room adequately cooled and ventilated? Is it connected to a UPS? Is the room physically locked? Physical access to a system opens the door of vulnerability much wider.
- Use Encryption: These days, there are no excuses. We should all be using GnuPG to sign and encrypt email. The software is free, it's easy to use, and it provides a high level of security. When e-mailing sensitive information to fellow administrators, using cryptography should be a no-brainer.
- Penetration Testing: After hardening your servers, put them to the test. With the advent of the OSSTMM (Open Source Security Testing Methodology Manual), light penetration testing is possible for everyone. Using the techniques in the OSSTMM and learning to think like the enemy is a skill that can help an administrator improve security greatly.
- Document Configurations/Settings: There's not much worse than losing application configuration settings. Security often requires a lot of tweaking, which is easy to forget. Document the settings in critical applications to ensure that the system can be restored in the event of corruption.
- Learn Something New: What have you just been itching to know about? Have you always wanted to set up a honeypot, or learn more about SELinux? Now is the time! Rather than keep pushing it off to 'when I have time,' set up a schedule to begin learning about it. None of us have three hours a day to dedicate to reading, but all of us can make five minutes. As months pass, knowledge will accumulate and you'll be a well-rounded administrator.
Final Remarks
It has been another great year, and I look forward to the next. To have a successful and productive year, planning is the key. Whatever your security challenges may be, now is the time to address them. We've all been there. Get help by asking questions in forums, asking colleagues, reading howtos, and so on. The information is out there; it is up to you to take the initiative.