Most administrators will tell you that you can’t trust users. Most administrators will also tell you that system uptime is a capricious thing. The simple fact is that you must define the limits of trust for any system or any people on those systems. Just as all order becomes chaos over time, almost all users will persistently test the limits of their permissions either through purposeful hacking or through unintentional operations and all systems will destabilize with use.
While many solutions for reigning in trust exist, none is as powerful as proper organization. Defining who, what, and how anything can have unauthenticated access at any time is difficult, but it is the only way to properly control access levels. So one solution is to assure motherboards contain a Trusted Platform Module (TPM) that forces integrity upon a system. Another solution is to employ virtualization to compartmentalize whole operating systems within systems that revert to a previous state when rebooted. Still another is to apply the appropriate access control model.
You will not find a single all-encompassing solution for a system required in day-to- day service operations. A single solution does not exist. Therefore, whatever solutions you define, involve both humans and systems in your defensive strategy. The human helps the system understand the situation and the system helps the human stick to the rules and not be fast-talked or get emotionally involved.
SUMMARY
To prepare the reader to best use the countermeasures described in this book, this chapter has outlined the fundamental aspects of operational security defined in regards to visibility, access, and trust. Security separates the asset from the threat, and those three components—visibility, access, and trust—are the holes or gateways in that separation, which in turn increase the attack surface of what needs protecting.
A proper application of security means the attack surface is limited to the known and desired available services. For any and all uses of a Linux system, there should be no mystery as to where an attack could happen. By assuring the only holes in security are the intentional ones, which were inserted for the sake of productivity, then only those intentional holes should be available for attack and no others.
13
2
Applying
Interactive
Controls
14
that he was even here meant he had to walk by the security desk and then had to have a card to gain access to the server room. Therefore, everyone figured he should be here—at least that’s what all the people said who were interviewed by the police.
“How does someone just walk out with our entire library of backup tapes?” a very nervous looking CEO asked the head of security.
Jack had been the head of security for exactly two weeks when this incident occurred. He had been hired into a very loosely controlled organization after the former chief of security chose to retire a few years early to deal with some medical problems. As Jack looked around, he saw an organization whose secrets rested on generic access controls even though employee turnover was high. People came and went with very little screening. Nearly every day a new cafeteria worker served up the vegetable of the day, and almost every night a different janitor wandered the halls. While two weeks was enough to get the guards to at least write down the ID information for delivery personnel, it wasn’t nearly enough time to change such a poor security culture—one where far too much trust had been placed in the assumption of who would want to rip them off.
“This shouldn’t have happened,” the CEO complained. “Who steals data from a convenience store home office?”
“Competitors,” Jack suggested.
The CEO eyed the new head of security suspiciously. “The thief walked right out with our tapes.”
“All our tapes,” Jack added.
“So now what? We had our one in a million hit. The odds have got to be small that it would ever happen again.”
“Security doesn’t really work like that,” Jack explained. “We have a small attack surface. Very little is exposed to the outside. But once inside, there is very little security because nobody asks questions, nobody watches anyone, and no one responds actively to threats because no one really knows who all works here.”
“What about the ID badges and the RFID cards needed to open doors? What about the guards at the front gate? How does a box of tapes leave?”
“It doesn’t have to,” Jack said to a very puzzled CEO. “When was the last time you looked at someone’s picture ID as they walked past? You can easily follow someone as he walks in through the door. And if he used to work here, it’s even easier. What’s not so easy is getting a big box of tapes out of the building.”
“So they’re not gone?” the CEO asked hopefully.
“Not necessarily; they could be hidden. If they’re hidden, we can’t use them, which is effectively the same as being stolen. Somebody who used to work here would know that he could never get a box out the door, but the janitorial staff could. In all likelihood, the tapes were put in the trash last night after the last backup, and they were carried out to the bin in the middle of the night. The janitor wouldn’t know to question why we might throw away a bin full of tapes.”
The policeman then searched through the bins around the room and found they were indeed all empty.