Rich Freeman on 12 Jul 2011 05:09:40 -0700
Re: [PLUG] "IT Security for Non-Dummies"?
On Tue, Jul 12, 2011 at 7:29 AM, Floyd Johnson <fljohnson3@isp.com> wrote:
> What are they doing so horribly wrong? (2) What should we be doing to
> avoid replicating their mistakes?

Well, I'm not sure which breach you're referring to specifically, but I think the problem is that our whole security model is fundamentally unsuited to keeping determined attackers out.

The typical operating system is very permissive by default. This makes administration much more convenient, but it makes security very difficult. There is almost no defense in depth: once somebody is in, the game is over. There is usually no provision on a typical system for verification of integrity, so once somebody is in, cleanup is very difficult.

To give an example, I'm a Gentoo developer. Gentoo includes some support for SELinux, but it is fairly limited. To truly support something like SELinux you need to have definitions/etc for every package on the system, since it is much more non-permissive by default. Few people want to bother with that. And I wouldn't say that SELinux itself is the ultimate solution.

Likewise, anybody can download and install tripwire. However, if you update packages every day, then you need to update tripwire definitions every day. How do you know that something bad won't slip in between updates? And how do you conveniently store those updates for a remotely-located server such that they don't get tampered with?

The only solution I can see is an OS with security that is fully integrated. The OS includes defense in depth (non-permissive by default, tuned granular permissions per application, etc). The OS includes tripwire-like functionality, with signed manifests/etc from the source (so instead of just scanning everything on your system you carefully manage a database of hashes, all signed by their sources). The OS utilizes commercially available hardware to support secure storage of hashes/etc, with some kind of mechanism to prevent tampering. The system verifies itself during boot, or during every process load, etc.

The modern PC with TPM/etc actually supports much of this, and most of the components needed to make this work are available (but not integrated). However, most people can't be bothered with it, and so nobody scratches that itch. Which would you rather run: Ubuntu, or some Ubuntu clone with 5% of the packages but with security definitions for all of them? Sure, 0.01% of the Linux community would like the latter, but they'll never be able to sustain the mass of developers needed to maintain it.

The problem with security is that poor security is usually good enough to get the job done. So, there is little incentive to do better unless things get much worse...

Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
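The signed-manifest integrity check Rich describes (a database of file hashes whose authenticity is verified before the filesystem is compared against it), as an added Python example that is not part of this thread or of any Gentoo tool. It assumes a constructed two-file tree and uses an HMAC tag as a stand-in for the source's public-key signature, since the standard library has no public-key primitives.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed demo key standing in for the signer's key. Real distro manifests
# carry public-key signatures; HMAC is used only because the standard library
# has no public-key primitives. Nothing here is Gentoo's own format.
MANIFEST_KEY = b"demo-manifest-key"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def list_tree(root):
    """Relative paths of every regular file under root."""
    return {os.path.relpath(os.path.join(d, n), root)
            for d, _, files in os.walk(root) for n in files}

def build_manifest(root, key):
    """One 'sha256 relpath' line per file, plus an authentication tag over the text."""
    lines = sorted(f"{sha256_file(os.path.join(root, r))} {r}" for r in list_tree(root))
    text = "\n".join(lines) + "\n"
    return text, hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def verify_tree(root, text, tag, key):
    """Check the tag first (an unauthenticated manifest proves nothing), then diff."""
    expected = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest signature check failed")
    wanted = {rel: digest for digest, rel in (l.split(" ", 1) for l in text.splitlines())}
    present = list_tree(root)
    return {
        "modified": sorted(r for r in wanted if r in present
                           and sha256_file(os.path.join(root, r)) != wanted[r]),
        "missing": sorted(set(wanted) - present),
        "unexpected": sorted(present - set(wanted)),
    }

def demo():
    """Constructed tree: verify clean, then alter one file, delete one, add one."""
    root = tempfile.mkdtemp()
    for rel, data in (("ls", b"original"), ("app.conf", b"cfg")):
        open(os.path.join(root, rel), "wb").write(data)
    text, tag = build_manifest(root, MANIFEST_KEY)
    clean = verify_tree(root, text, tag, MANIFEST_KEY)
    open(os.path.join(root, "ls"), "wb").write(b"altered")
    os.remove(os.path.join(root, "app.conf"))
    open(os.path.join(root, "extra.so"), "wb").write(b"new")
    return clean, verify_tree(root, text, tag, MANIFEST_KEY)
```

The tag check is what answers the "slip in between updates" worry: a manifest that a tamperer can rewrite alongside the files is just another file to alter, so its authenticity must come from a key held off the box.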