Protection of Network Operating Systems
15 July 2012
Operating systems are essential to business operations, system security and software applications. Users count on operating systems to provide easy-to-use graphical user interfaces (GUI), operate multiple applications at one time, and store and access data and information needed for everyday operations (UMUC, 2011). Businesses count on operating systems to address and provide for the four basic security concerns of confidentiality, integrity, availability and authenticity (Stallings, 2011). Although many operating systems have incorporated controls to address these security concerns, additional measures need to be taken to ensure the necessary level of security is achieved. Identification and Authentication protection measures are the most significant measures to implement. Before a user or administrator is allowed to access the system, security measures must be implemented to identify and authenticate the need for and level of access. After personnel are identified and authenticated, access control policies must be implemented to ensure limited access to applications, information, computers and servers on the network. Internal-to-external and external-to-internal communications must also be protected and restricted. Drafting and enforcing effective security policies and conducting annual audits allows for vulnerability assessment and correction of weaknesses in configuration, training, or procedures. The protection measures noted in this paper are rated in severity based on a case study on auditing UNIX systems by author Lenny Zeltser (2005).
Keywords: firewalls, security training, operating systems, security policies, password, access control, security management
Protection of Network Operating Systems
Operating systems are essential to business operations, system security and software applications. Operating systems allow administrators to control access to the system, install and configure third-party commercial-off-the-shelf (COTS) software, and monitor activity with built-in auditing tools. Users count on operating systems to provide easy-to-use graphical user interfaces (GUI), operate multiple applications at one time, and store and access data and information needed for daily operations (UMUC, 2011). Businesses count on operating systems to address and provide for the four basic security concerns of confidentiality, integrity, availability and authenticity (Stallings, 2011). Although many operating systems include built-in controls to address these security concerns, additional measures should be taken to ensure the required level of security is achieved. This paper will address the implementation, advantages and disadvantages, and security management issues of three protection measures: Identification and Authentication, Access Control, and Security Policies and Auditing (Information Assurance Directorate, 2010).
Security Ratings and Prioritization
The protection measures noted in this paper are rated in severity based on a case study on auditing UNIX systems by author Lenny Zeltser (2005). A high severity rating is given to a weakness that could result in an attacker or intruder gaining root-level access to a system, leading to potential loss of critical data. A medium severity rating is given to vulnerabilities that could result in remote nonprivileged access to the system. A low severity rating is given to events that are improbable and may result in a local attacker gaining nonprivileged access to the system (Zeltser, 2005). The measures listed in this paper are rated as follows:
| Protection measure | Severity |
| Identification and Authentication protection measures | High |
Identification and Authentication
Identification and Authentication protection measures are the most significant measures to implement. Before a user or administrator is allowed access to the system, security measures must be implemented to identify and authenticate the need for and level of access. Pre-employment background checks can prevent organizations from hiring individuals with criminal records and can verify qualifying information on a candidate’s resume (Mallery, 2009). A popular method for controlling identification and authentication is the use of access badges. Access badges can be linked to security systems to control and monitor physical access to the facility and to rooms within the facility and, most importantly, logical access to the systems that contain proprietary sensitive information. Access badges also provide employees a visual tool for monitoring levels of access and job titles, and for recognizing visitors.
Today many different types of access badge systems are available. An organization must weigh the cost of the system against the benefit to security. Smart card systems are relatively easy to implement, with a multitude of vendors and interoperability with legacy systems. After the user has verified his or her identity using a passport or driver’s license and a representative of the company has verified the user’s required level of access, the user can be issued a smart card and sets a PIN that is used from that point forward to verify his or her identity and authorization for physical and logical access to the facility (Smart Card Alliance, 2003).
Management of the system will require information assurance professionals who can conduct background checks and verify identities as well as control and administer the computer applications associated with the system. The organization will also need to prepare for possible outages of the system and develop procedures for training employees to identify badges, escort unauthorized individuals and properly wear, use and store badges.
Utilizing smart card technologies removes the need to verify identity on a daily basis and also allows a person’s whereabouts to be monitored easily. Access changes can also be made remotely from the management software application if an employee switches jobs, loses his or her badge, or leaves the company. Smart cards can be used for physical and logical access, and such access can be limited throughout the facility. Smart cards can also limit the number of passwords an employee has to remember, decreasing man-hours spent on password resets and locked-out systems. Although the advantages are many, access badge systems can be costly, and a strong social engineer may be able to outsmart the system by replicating a badge or fooling an employee into granting access they should not have.
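The issuance, PIN verification and remote revocation steps described above can be modelled in a few lines. The following is an added example and is not code from the paper or from the Smart Card Alliance report; the card identifiers, user names, PINs and access levels are constructed, and the registry class, its methods and the attempt limit are assumptions of this example. Real smart cards verify the PIN on the chip itself; this model keeps a salted PIN hash on the management side so that the same checks can be shown: something you have (the card) plus something you know (the PIN), a limit on failed attempts, and revocation of a badge reported lost.

```python
"""Smart-card badge registry model (added example, not the paper's own code)."""
import hashlib
import hmac
import os

MAX_PIN_ATTEMPTS = 3  # assumed lockout threshold for this example


class BadgeRegistry:
    """Management-side record of issued cards, their holders and access levels."""

    def __init__(self):
        self._cards = {}  # card_id -> record dict

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # Slow salted hash so a leaked registry does not reveal PINs directly.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, card_id: str, user: str, access_level: int, pin: str) -> None:
        """Bind a verified identity and approved access level to a card."""
        salt = os.urandom(16)
        self._cards[card_id] = {
            "user": user,
            "level": access_level,
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
            "failed": 0,
            "revoked": False,
        }

    def revoke(self, card_id: str) -> None:
        """Remote revocation, e.g. badge lost or employee left the company."""
        self._cards[card_id]["revoked"] = True

    def authenticate(self, card_id: str, pin: str, required_level: int) -> str:
        """Check card (possession), PIN (knowledge) and access level, in that order."""
        rec = self._cards.get(card_id)
        if rec is None:
            return "deny: unknown card"
        if rec["revoked"]:
            return "deny: card revoked"
        if rec["failed"] >= MAX_PIN_ATTEMPTS:
            return "deny: card locked"
        candidate = self._hash_pin(pin, rec["salt"])
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(rec["pin_hash"], candidate):
            rec["failed"] += 1
            return "deny: bad PIN"
        rec["failed"] = 0
        if rec["level"] < required_level:
            return "deny: insufficient access level"
        return f"allow: {rec['user']}"


def run_sample() -> list:
    """Walk through issuance, use, lockout and revocation with constructed data."""
    reg = BadgeRegistry()
    reg.issue("CARD-0001", "alice", access_level=2, pin="4821")  # constructed
    reg.issue("CARD-0002", "bob", access_level=1, pin="9930")    # constructed
    results = [
        reg.authenticate("CARD-0001", "4821", required_level=2),  # server room: allowed
        reg.authenticate("CARD-0002", "9930", required_level=2),  # bob lacks level 2
        reg.authenticate("CARD-0002", "0000", required_level=1),  # wrong PIN 1
        reg.authenticate("CARD-0002", "0000", required_level=1),  # wrong PIN 2
        reg.authenticate("CARD-0002", "0000", required_level=1),  # wrong PIN 3
        reg.authenticate("CARD-0002", "9930", required_level=1),  # correct PIN, but locked
        reg.authenticate("CARD-9999", "1111", required_level=1),  # card never issued
    ]
    reg.revoke("CARD-0001")  # alice reports her badge lost
    results.append(reg.authenticate("CARD-0001", "4821", required_level=2))
    return results


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The order of the checks matters: a revoked or locked card is rejected before the PIN is even examined, so a stolen badge cannot be used to probe PINs, and a correct PIN still does not open a door above the holder's approved level.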
Access Control
The second most critical security measure is access control. After personnel are identified and authenticated, access control policies must be implemented to ensure limited access to applications, information, computers and servers on the network. Internal-to-external and external-to-internal communications must also be protected and restricted.
A firewall is one of the best mechanisms to protect the network from internal and external threats and to control and monitor communications. The Windows operating system offers an integrated firewall for use on clients, which drops incoming unsolicited traffic, that is, traffic that is not a response to a request made by the computer, and allows only the unsolicited traffic that has been explicitly permitted. Host-based firewalls such as the Windows Firewall safeguard against threatening applications that use unsolicited traffic as an attack mechanism (Microsoft, 2012). The network firewall should be attached directly to the Internet connection to block malicious traffic from entering the network. Network firewall software can be installed on a dedicated server located between the Internet and the protected network (Goldman, 2006). Firewalls can filter and monitor incoming traffic and also protect against insider threats such as users clicking on phishing e-mail links or navigating to dangerous websites. Goldman (2006) notes that research shows seventy to eighty percent of malicious activity comes from insiders who already have network access. Although firewalls are an advantageous method of protection, they can cause more damage if they are configured incorrectly or maintained by administrators who do not understand the complex rules or monitoring procedures. Firewalls must also be combined with other protection strategies such as vulnerability assessment tools, intrusion detection and prevention systems, and antivirus tools (Goldman, 2006).
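The host firewall behaviour described above, default-deny for unsolicited inbound traffic, replies to connections the host itself opened allowed, and explicit exceptions for listening services, is what a stateful packet filter does. The following is an added example written for this page, not Windows Firewall code or anything from the cited sources; the packet model, the state-table layout and the addresses (taken from the documentation ranges 10.0.0.0/8 and 203.0.113.0/24) are constructed for illustration.

```python
"""Minimal stateful host-firewall model (added example, not the paper's own code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to the protected host
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class HostFirewall:
    # Explicit exceptions for unsolicited inbound traffic: (proto, local port).
    allow_inbound: set = field(default_factory=set)
    # Flows this host initiated: (proto, local_ip, local_port, remote_ip, remote_port).
    state: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet, updating the state table."""
        if pkt.direction == "out":
            # Remember the outbound flow so that its replies are recognised as solicited.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound packet: is it a reply to a flow we opened? (same proto, mirrored endpoints)
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"
        # Inbound packet: is the destination port an explicitly allowed service?
        if (pkt.proto, pkt.dport) in self.allow_inbound:
            return "allow"
        # Everything else is unsolicited and is dropped and logged for monitoring.
        self.log.append(
            f"DROP unsolicited {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        )
        return "drop"


def run_sample():
    """Feed a constructed packet sequence through the filter; returns (decisions, log)."""
    fw = HostFirewall(allow_inbound={("tcp", 443)})  # this host runs an HTTPS service
    host, web, external = "10.0.0.5", "203.0.113.20", "203.0.113.77"  # constructed
    packets = [
        Packet("out", "tcp", host, 51000, web, 80),          # host browses a web site
        Packet("in", "tcp", web, 80, host, 51000),           # reply: solicited, allowed
        Packet("in", "tcp", external, 4444, host, 445),      # unsolicited SMB probe: dropped
        Packet("in", "tcp", external, 4444, host, 443),      # unsolicited, but on allowed port
        Packet("in", "udp", external, 53, host, 51000),      # same port, wrong proto: dropped
    ]
    decisions = [fw.filter(p) for p in packets]
    return decisions, fw.log


if __name__ == "__main__":
    decisions, log = run_sample()
    print(decisions)
    print("\n".join(log))
```

The last packet shows why the state entry includes the protocol and both endpoints rather than just the local port: a UDP datagram aimed at the ephemeral port of an open TCP connection is still unsolicited and is dropped.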
The physical location and configuration of assets on the network is also vital to access control. For example, a demilitarized zone (DMZ) is a controlled area for the most exposed systems on the network. If a user is hacked or a system is infected, the DMZ prevents interruption of essential functions such as e-mail and databases (Turner, 2010).
Password, user and administrative access policies are equally essential to protecting the network and clients from outside and inside threats. The level of access a user requires must first be determined using the principle of least privilege. Files and information should be separated by roles or departments within an organization, and access given only to those assigned to those roles or associated with that department. Limiting data access also decreases the possibility of an intruder gaining access to critical files. Administrative access should also be limited to the roles and responsibilities of the administrator. Full administrative access to the network should be given on an extremely limited basis, following a separation of duty policy. Password policies should be understood by all users and administrators, and Windows Active Directory should be configured to enforce the policy. Studies have shown the most secure password policies are those that require a 14-character password comprised of at least two uppercase letters, two lowercase letters, two numbers, and two unique characters. Passwords should be changed every 60 days and screen saver passwords enforced to prevent intruders from accessing open systems (Turner, 2010). An excellent prevention and education measure to enforce the use of strong passwords is to run a password cracking application such as L0phtcrack against the password database using a keyboard-progression dictionary of the kind often used by crackers. If passwords are cracked, users should be notified and forced to change their passwords. Training in this way helps users and administrators learn to create and maintain strong passwords, and understand how easily weak passwords can be exploited for malicious purposes.
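The composition and age rules above are straightforward to enforce at password-change time, which is also the point at which a keyboard-progression check can reject weak choices before they ever reach the password database. The following is an added example and not code from the paper, Turner (2010) or any of the tools mentioned; it reads "two unique characters" as two punctuation characters, which is this example's interpretation, and its progression list, user names, passwords and dates are all constructed sample data (a real audit dictionary is far larger).

```python
"""Password policy enforcement: composition, age and keyboard progressions
(added example, not the paper's own code)."""
import string
from datetime import date, timedelta

# Policy values as stated in the paper (attributed there to Turner, 2010).
MIN_LENGTH = 14
MIN_UPPER = MIN_LOWER = MIN_DIGIT = MIN_SPECIAL = 2
MAX_AGE_DAYS = 60

# Constructed sample of keyboard progressions; checked forwards and reversed.
KEYBOARD_PROGRESSIONS = ["qwerty", "asdfgh", "zxcvbn", "1234", "!@#$"]


def composition_errors(pw: str) -> list:
    """Return the policy rules the password fails; an empty list means compliant."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in pw) < MIN_UPPER:
        errors.append(f"fewer than {MIN_UPPER} uppercase letters")
    if sum(c.islower() for c in pw) < MIN_LOWER:
        errors.append(f"fewer than {MIN_LOWER} lowercase letters")
    if sum(c.isdigit() for c in pw) < MIN_DIGIT:
        errors.append(f"fewer than {MIN_DIGIT} digits")
    if sum(c in string.punctuation for c in pw) < MIN_SPECIAL:
        errors.append(f"fewer than {MIN_SPECIAL} special characters")
    lowered = pw.lower()
    for seq in KEYBOARD_PROGRESSIONS:
        if seq in lowered or seq[::-1] in lowered:
            errors.append(f"contains keyboard progression '{seq}'")
            break  # one progression is enough to reject the password
    return errors


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the maximum age allowed by policy."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def evaluate_accounts(accounts: list, today: date) -> dict:
    """accounts: list of (username, password, last_changed).
    Returns {username: [reasons]} for every account that must change its password."""
    flagged = {}
    for user, pw, changed in accounts:
        reasons = composition_errors(pw)
        if password_expired(changed, today):
            reasons.append(f"older than {MAX_AGE_DAYS} days")
        if reasons:
            flagged[user] = reasons
    return flagged


def run_sample() -> dict:
    """Evaluate three constructed accounts against the policy on a fixed date."""
    today = date(2012, 7, 15)
    accounts = [  # constructed sample data
        ("alice", "Tr!ck3d-Ballo0n$Z9", today - timedelta(days=10)),    # compliant
        ("bob", "Qwerty123456!!", today - timedelta(days=5)),           # weak composition
        ("carol", "Strong&Valid#Pw2024AB", today - timedelta(days=90)),  # compliant but expired
    ]
    return evaluate_accounts(accounts, today)


if __name__ == "__main__":
    for user, reasons in run_sample().items():
        print(f"{user}: force change ({'; '.join(reasons)})")
```

Because the checker works on the candidate password at change time, it never needs to store or crack anything; the dictionary audit the paper recommends catches the passwords that were chosen before such a check was in place.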
Security Policies and Auditing
The likelihood of a business falling victim to cyber-attack increases as more and more businesses utilize technology to conduct operations and store critical information. Attacks can cause severe financial losses to businesses and customers and destroy reputations. Research has shown that most security breaches are not due to misconfiguration of firewalls or poor password policies, but are caused by inadequate security planning (Hamdi, Boudriga, & Obaidat, 2006). Drafting and enforcing effective security policies and conducting annual audits allows for vulnerability assessment and correction of weaknesses in configuration, training, or procedures. The security policy should be based on business objectives, detail security measures for information systems, operating systems, and key management in the business environment, and document procedures for handling security incidents. Security policies can also be multifaceted and separated by audience (such as technical versus end-user policies) or by issue (such as information classification and access control policies). At a minimum, the security policy should address access privileges, user accountability and responsibility, authentication procedures, availability and maintenance of resources, and procedures for reporting violations (Hamdi, Boudriga, & Obaidat, 2006).
Enforcing security policies requires awareness programs and employee training. Employees should feel they are stakeholders in the security of the organization. Policies should be widely disseminated, easy to understand and follow, and reinforced through regular retraining. Employees should know how to recognize and respond to security incidents. The effectiveness of a security policy can be assessed using simple tests such as a contingency plan or emergency response practice drill (Hamdi, Boudriga, & Obaidat, 2006).
Conducting regular vulnerability assessments and audits of an organization’s security posture helps to ensure that weaknesses in operating systems, third-party applications, and security policies are identified. This is best accomplished by hiring a third party to conduct the audit. Security professionals are trained on many different systems and can educate staff on vulnerability management. Audits can include penetration tests, which assess the external security of the network, or a less invasive vulnerability assessment that scans the system for threats and provides remediation actions (Mallery, 2009). If the organization decides not to outsource the audit, there are other options for scanning the network, such as the Nessus vulnerability assessment tool, as well as employing intrusion detection and prevention systems and antivirus. The benefits of utilizing in-house tools are that they are always available and can often automatically assess and mitigate vulnerabilities. The drawbacks are that employee training to maintain such systems can be extensive, and the systems can be costly (Kakareka, 2009). After audits are conducted, it is paramount to set a time frame in which to accept risks, remedy vulnerabilities, and update security policies and other relevant documents.
Businesses rely on network operating systems as an effective way to control, manage and secure their operations with ease. Effective security of operating systems requires a defense-in-depth strategy that goes beyond what is inherent to the operating system. Businesses must identify and authenticate employees using background checks and physical security procedures such as badging systems.
After identification and authentication, access to assets is best controlled using the principles of least privilege and separation of duties. User and administrator access to shared electronic data folders and applications should be separated and limited by function or role. Firewalls, DMZs and physical separation of assets can be utilized to protect the network from unwanted incoming and outgoing traffic and malicious actors. Strong password policies and practices can also assist in protecting the network and preventing unauthorized access.
Finally, drafting a strong security policy based on risk analysis and business objectives and confirming employees have a clear understanding of policies and procedures will go a long way in developing a security culture in the organization. Conducting periodic audits will ensure policies are updated and put into practice.
References
Goldman, J. (2006). Firewall Basics. In H. Bidgoli (Ed.), Handbook of Information Security (pp. 2-14). Hoboken: John Wiley & Sons, Inc.
Hamdi, M., Boudriga, N., & Obaidat, M. (2006). Security Policy Guidelines. In H. Bidgoli (Ed.), Handbook of Information Security (pp. 227-241). Hoboken: John Wiley & Sons, Inc.
Information Assurance Directorate. (2010). US Government Protection Profile for General-Purpose Operating Systems in a Networked Environment. Information Assurance Directorate. Retrieved from http://www.niap-ccevs.org/pp/pp_gpospp_v1.0.pdf
Kakareka, A. (2009). What is Vulnerability Assessment? In J. Vacca (Ed.), Computer and Information Security Handbook (pp. 383-393). Boston: Morgan Kaufmann Inc.
Mallery, J. (2009). Building a Secure Organization. In J. Vacca (Ed.), Computer and Information Security Handbook (pp. 3-21). Boston: Morgan Kaufmann Inc.
Microsoft. (2012). Windows Firewall. Retrieved from Microsoft TechNet: http://technet.microsoft.com/en-us/network/bb545423.aspx
Smart Card Alliance. (2003). Using Smart Cards for Secure Physical Access. Princeton Junction: Smart Card Alliance. Retrieved from http://www.smartcardalliance.org/resources/lib/Physical_Access_Report.pdf
Stallings, W. (2011). Operating Systems Security. Handbook of Information Security, 154-163.
Sensei Enterprises, Inc. (Director). (2010). How do I secure my computer network? [Educational Video]. Retrieved from http://www.youtube.com/watch?v=g_xzh1rqkNs&feature=youtube_gdata_player
UMUC. (2011). Prevention and Protection Strategies in Cybersecurity. Adelphi, MD, USA.
Zeltser, L. (2005). Auditing UNIX Systems: A Case Study. Retrieved from Lenny Zeltser: http://zeltser.com/auditing-unix-systems/#prioritizing