Linux Security

Cyber Source peter at thecybersource.com
Fri Mar 23 12:08:26 EST 2001


I have always said, the best defense against data corruption of any kind is
a good backup regimen. I used to build new homes and I can fully understand
your logic below. A large area builder such as Marrano can control its
costs far easier than the little guy. For instance, they were building an
average of 200 homes per year. For round figures we will say that each house
to insure against fire and liability would cost $1000 per unit. Do you think
they would spend $200,000.00 per year to insure their homes, when the odds
of losing a house to fire, etc might cost $50,000? There is strength in
numbers and in good backups!

-----Original Message-----
From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf Of Chris Brown
Sent: Friday, March 23, 2001 10:16 AM
To: nflug at nflug.org
Subject: Re: Linux Security

My guess is that the comments such as "when it comes to
security there is no such thing as overkill" is born of an
environment where staff and managers do place as much
importance on security as the administrator does.  This is
common and very understandable.

But, playing devil's advocate for a moment...

Does it make sense to pay $25,000 of insurance a year
on a house that costs $50,000 to rebuild?  Probably not.
And it won't make sense to managers either.

Risk calculation is often overlooked because it is often
difficult.  Here's a set of formulas:

Annualized Loss Expectancy =
Single Loss Expectancy * Annualized probability of Occurrence

Annualized probability of Occurrence =
1 / frequency of occurrence

A simplified worked out example:
Frequency of a server being successfully hacked =  every 2 years
Loss if server is hacked (this includes hurt reputation, etc) = $2,000

ALE = (1/2 years) * $2000 = $1000 / year

So according to this, one should not spend more than $1000 / year
protecting that particular server.  (Caveat: that doesn't mean you
have to spend all of the $1000 each year, because that is actually
annualized as well.  Maybe you spend $3000 every three years.)

Fire insurance works the same way.  Here's a more complex
example using fire insurance.  Say we have a building downtown,
let's say it's an office occupied by 100 people, and is 60 years old.
It is a 7 story building, there are stand pipes on every other floor,
but there have been problems in the past getting enough water in
this part of the city in winter at buildings over 4 stories high.  There
are only two hydrants within 100 feet.

Frequency of fires in particular geographic area by size, occupancy, and age
of building:  1/65 years

Extent of damage factor based on quality of water supply, etc (likelihood
of complete destruction):  1/3

Frequency of human life loss:  1/135 years (it's an office after all)

Average asset loss based on availability of water, construction of building,
number of hydrants, etc:  $15,000,000

Average human loss in insurance outlays each time someone is killed in fire:
$4,000,000

Average loss of productive work for which there are insurance outlays:
$500,000

So:

Life ALE =  1/135 years * $4,000,000 = $29,629
Asset ALE = 1/65 years * 1/3 * $15,000,000 = $76,923
Work ALE = 1/65 years * $500,000 = $7,692
Total ALE = $114,244 / year

This is obviously not correct, and speaks to all the factors that I glossed
over and the gross simplification of the factors I did include.   But this
is the basis of risk analysis.

My point is, don't say you can never have too much security, because in
reality you can.  Say that you don't have enough security based on current
risk, and the value of assets (tangible and intangible).  I bet you'll get
your manager's attention.

Chris





--
Christopher Brown, CISSP
Manager, Security and System Administration
Information Services
Computer Task Group (CTG)
Ph: 716-888-3505
Fx: 716-888-3318
chris.brown at ctg.com



>>> javabob at localnet.com 03/23/01 05:17AM >>>
Darin Perusich wrote:

> when it comes to security there is no such thing as overkill, especially
> if your machines are on the internet. generally you want your most
> paranoid sysadmin in control of such boxes. if you can, i recommend only
> running one service per machine. that way if one gets compromised and
> your box gets taken down, you don't lose your other services.
>
> running daemons in a chroot jail is a good habit to get into. again, if
> the system needs to be secured or it's on the net. certain programs,
> like named (BIND) come ready to run chroot'd. others, like sendmail you
> need to "prepare" to run chroot'd. running service as a $USER other than
> root is another good habit to get into.
>
> > With respect to this, what are some good security practices with linux?
> > What is overkill and what is not?  As the days go on more and more people
> > learn how to get past the securities in
> > linux -- Trying to come up with a list of which ones are good to do and
> > which security changes will actually "open" up your system more is quite hard.
>
> > Also, in the Securing and Optimizing Linux Guide, I read about a chroot
> > environment.  Are there any good docs on the theory of this and can
> > this method be done with any daemon (service
> > etc) that has login capabilities?
>
> > FYI - Linux is starting to become the OS of choice on many US Naval
> > ships -- WOOHOO
>
> > Ronald K. Wechter
> > Network Systems Administrator
> > Navy Recruiting Department Buffalo
> > (716) 551-4901
>
>
> --
> Darin Perusich
> Unix Administrator
> Cognigen Corp.
> darinper at cognigencorp.com

Take a look at this past issue of Linux Magazine. Article about User Mode
Linux (UML). Suggests using a UML virtual machine for security risky
processes and applications that you need to run.
Bob Stockdale
javabob at localnet.com
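
The ALE formulas and both worked examples from the thread above (the server and the office building), as an added example that is not part of the original messages. Class and function names are illustrative, each component is truncated to whole dollars as in the post, and the spending check annualizes a periodic outlay the way the "$3000 every three years" caveat describes.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class LossComponent:
    name: str
    interval_years: int                    # one occurrence every N years
    single_loss: int                       # dollars lost per occurrence (SLE)
    damage_factor: Fraction = Fraction(1)  # expected share of the loss realized

    def ale(self) -> int:
        """ALE = SLE * (1 / interval) * damage factor, in whole dollars."""
        # Truncated to whole dollars, as the figures in the post are.
        return int(self.single_loss * self.damage_factor / self.interval_years)


def total_ale(components):
    """Sum the annualized loss over every component of one asset."""
    return sum(c.ale() for c in components)


def annualized_cost(cost, every_years):
    """Spread a periodic outlay over the years it covers."""
    return Fraction(cost, every_years)


def is_justified(cost, every_years, components):
    """True when annualized spending does not exceed the annualized loss."""
    return annualized_cost(cost, every_years) <= total_ale(components)


# Figures taken from the two worked examples in the thread.
SERVER = [LossComponent("server compromise", 2, 2_000)]
BUILDING = [
    LossComponent("life", 135, 4_000_000),
    LossComponent("asset", 65, 15_000_000, Fraction(1, 3)),
    LossComponent("work", 65, 500_000),
]

if __name__ == "__main__":
    for label, comps in (("server", SERVER), ("building", BUILDING)):
        for c in comps:
            print(f"{label:8} {c.name:18} ALE ${c.ale():>9,}/year")
        print(f"{label:8} {'total':18} ALE ${total_ale(comps):>9,}/year")
    print("$3000 every 3 years on the server:", is_justified(3000, 3, SERVER))
    print("$2000 every year on the server:  ", is_justified(2000, 1, SERVER))
```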



