Linux Networking and Security Chapter 7 Security, Ethics, and Privacy.


1 Linux Networking and Security Chapter 7 Security, Ethics, and Privacy

2
- List security risks typical in modern networked computer systems
- Understand how to assess risk and create a security policy
- Describe the function of top security-awareness organizations
- Outline government’s security and privacy role
- Locate Linux products designed especially for security-conscious environments

3 Introducing Computer Security and Privacy
- Computer security is a large and specialized field, separate in many ways from the day-to-day operation of a network server
- Unauthorized computer access events are common because the more broadly a computer is networked, the greater the potential for access to that computer
- This broad access is what gives networked computers their power, but it also creates opportunities for malicious intent

4 The Privacy Debate
- Any personal information stored on a computer is threatened by someone cracking the system where it is stored
- A great deal of personal information must be stored on computers to make government and businesses function efficiently
- Laws and government regulations control who can access your credit records; businesses typically provide privacy policies

5 The Privacy Debate

6 Privacy policies usually contain information similar to one of the following:
  - We don’t collect or save any information about visitors to our web site
  - We collect information in order to complete a sale or register users, but we do not share that data
  - We collect information on visitors and use patterns to determine if a visitor might be interested in some of our other products
  - We collect information and share it with our partners who may have products that interest you

7 Ethics and System Administrators
- The burden of ethical use of data typically falls on the system administrator
- Ethics deals with the issue of doing the right thing at the right time, for the right reason
- Ethics codes were developed to define the role of system administrators in organizations and to increase the respectability and raise standards of behavior in the profession
- Support organizations for system administrators include SAIR/GNU and SAGE

8 Risk Assessment and Security Policies
- The best approach to security is to make a system highly secure without undue annoyance to authorized users
- “Security through obscurity” assumes that if no one knows about your system, you are safe; this approach must be avoided
- Hardware, software, and data are the primary targets of attack, and of these three, the threat to data is the most serious

9 Risk Assessment and Security Policies
- Crackers break into systems:
  - In order to steal data (such as credit card data) for their own use
  - To corrupt data, maybe unintentionally, but often for malicious reasons
  - To block access to the system, as in a Denial-of-Service (DoS) attack
- Crackers are not the only threat to systems; a majority of security incidents result from the actions of users within an organization

10 Risk Assessment and Security Policies
- Standard computer attack techniques:
  - Password cracking involves obtaining a password by using a password guessing program or by guessing based on a user’s personal information
  - Trojan horse attacks occur when an illicit program is run from an untrustworthy source
  - Buffer overflow attacks rely on a weakness in the design of a program dealing with buffer (memory space) management
  - Denial-of-Service attacks try to overwhelm your system so that valid users cannot access it

11 Risk Assessment and Security Policies
- Security should begin with a careful analysis of the assets being protected and their value
  - These assets can include reputation, revenue generation, secret data, or other factors
- Security is often divided into four layers:
  - Physical security - physical access to Linux server
  - User security - user authorization and privileges
  - File security - file access limitations
  - Network security - secure network configuration

12 Social Security
- Computer security includes an aspect that is really about people: knowing why they act as they do and knowing whom to trust
- This is true from the perspective of both the system administrator and the cracker
- The system administrator must be keenly aware of how to implement measures that will thwart the activities and access attempts of the cracker

13 Social Security
- The system administrator must be cautious about where they obtain Linux, since a Linux kernel taken from the Internet could have been altered by a cracker to permit access via a source code back door
  - A back door is a method of accessing a program that is known to its creator but not to other users
- The Linux code must be continually upgraded with security patches to prevent attacks

14 Social Security
- Not only the system administrator but also the users of any system must be savvy as to the plans of crackers, because crackers use a tactic called social engineering
  - Social engineering involves a cracker manipulating a system user to extract needed access information
  - Often a cracker will simply obtain a user’s name and call them in order to obtain information, or they could walk past an employee’s workstation and gather information from posted data

15 Creating a Security Policy
- A security policy is a written document that may do any of the following:
  - Analyze what assets are at risk
  - Provide network danger statistics to end users
  - Provide security procedures
  - Outline user access levels
  - Compile specific actions to make the system secure after reboot
  - Outline procedures to follow when an intrusion by a cracker has been detected

16 Security-Focused Organizations
- Two key ways that an organization can stay security-focused are:
  - Upgrading the Linux system regularly using information from security organizations whenever a security issue is discovered
  - Taking advantage of professional organizations which act as clearinghouses for recent security information; they help organizations learn more about security and how to implement what is learned

17 Upgrading Your Linux System
- Your first goal is to keep your system upgraded, including the Linux kernel and programs that run on Linux
- Most of the updates for security problems come in the form of a patch
- The best way to stay informed about upgrades and patches is to subscribe to the security notification service of a reputable Linux vendor

18 The Security Experts
- Two organizations are known as bastions of computer security information:
  - The CERT Coordination Center (CERT/CC) is a federally funded software engineering institute operated by Carnegie Mellon University
  - The System Administration, Networking, and Security (SANS) Institute is a prestigious and well-regarded education and research organization whose staff includes most of the leading security experts in the country

19 The Security Experts

21 The U.S. Government and Computer Security
- Because computer security is increasingly viewed as part of our national security, the U.S. federal government continues to increase its involvement with the computer security industry
- Two examples of new roles the government is playing are prosecutor of computer crimes and an information clearinghouse to encourage good security practices

22 Security and the Law
- When Congress passed the Computer Fraud and Abuse Act, it became a crime to access a computer without authorization
- Additional laws have been passed to help stop the acts of crackers, including the Computer Security Act, the National Information Infrastructure Protection Act, and the Patriot Act
- Since crackers are difficult to prosecute, the FBI now has special computer crime units

23 Government Agency Resources
- The following list describes some key resources for learning about U.S. government involvement with computer crime:
  - The FBI’s National Computer Crime Squad
  - The U.S. Department of Justice, Criminal Division
  - The FBI’s National Infrastructure Protection Center (NIPC)
  - The Department of the Treasury runs the Secret Service and the Financial Crimes Enforcement Network (FinCEN)

24 Security-Focused Linux Products
- The National Security Agency has released an experimental version of Linux called NSA security-enhanced Linux
- Trustix released Trustix Secure Linux, which is a thoroughly configured server with tight security
- Another more security-conscious Linux is the Bastille Linux hardening package (to harden a package is to make it more secure against crackers)

25 Security-Focused Linux Products

26 Chapter Summary
- An amazing number and variety of unauthorized computer access events continually plague network servers all over the world
- Computer security is a serious field that pits crackers against administrators seeking to protect their employer’s assets
- Computer crime statistics are hard to gather, but billions of dollars are spent annually to recover from unauthorized access
- Privacy concerns make computer security a personal issue for anyone using the Internet

27 Chapter Summary
- System administrators are in a position of great trust and power because of the information they control
- Codes of ethics help system administrators understand professional expectations that can help them create lasting careers and serve both internal and external customers effectively
- Difficult security decisions are best made before a crisis arises, based on a considered long-term view of consequences of each possible course of action
- Organizations such as SAGE and SANS can help system administrators learn more about security from experts and colleagues

28 Chapter Summary
- A proactive approach to security, rather than “security through obscurity,” yields the best results in protecting information systems from attack
- Hardware, software, and data are all possible subjects of attack, though data is the most likely target
- Crackers may try to steal data, corrupt data, or deny access to your system by legitimate users
- Having written a security policy document helps you prepare for all types of attacks by justifying the need for security efforts, informing users of security concerns, and providing security breach guidance

29 Chapter Summary
- Social engineering is a potential tool of crackers who contact end users and manipulate them to extract needed information
- You must keep your Linux system upgraded with any security patches to prevent attacks via a known problem with software that you are using
- Many laws now exist to allow prosecution of computer crimes
- Security products for Linux may help you improve your security posture, though you must be careful about trusting products that you have not tested

