Auditors, compliance officers and IT managers have been saying it for years: implement security policies to minimize information risk. But even though these mantras get old, security policy management
Lax Linux security policies can come from a “Let’s just cover the majority of our systems” mentality that is encouraged when management isn’t on board with information security. The assumption goes something like this: “Well, our critical business applications -- our email server, financial system and Web portal -- run on Windows, and our policies cover those systems. That’s what we’re audited on. What are we using Linux for, anyway?”
Part of the responsibility lies with management being out of touch and not holding itself and others accountable for minimizing information risk. But network and Linux admins are also responsible parties: They set up their own systems -- perhaps for testing or production -- without telling others. These systems often fly under the radar of security and compliance oversight. Thus the cycle begins.
When Linux security is an issue
This cycle may not seem like a problem, but it can be. Consider the following scenarios:
- Linux-based laptops that house sensitive intellectual property and customer data on unencrypted hard drives being used by network admins and developers: What happens when source code is exposed or a data breach occurs?
- A Linux-based application server that’s part of an enterprise e-commerce system that hasn’t been hardened from common attacks, much less tested for security vulnerabilities: What happens when it’s discovered that a weak password system led to unauthorized access or an old version of OpenSSL was exploited in a denial-of-service attack that caused considerable downtime?
- People with no real oversight or trail of accountability are modifying Linux-based firewalls and network monitoring systems used to protect the network at will: What happens when a firewall rule “tweak” shuts down Internet access or audit logs needed for a breach investigation go missing?
I frequently see these things on Linux-based systems. For whatever reason, such systems often fall out of the scope of critical security policies, and that’s when bad things happen. These issues can have a tremendous impact on any business. I’m not just talking about security policy management “best practices” for the sake of what’s right. I’m talking about the computer breach, identity theft and compliance-related lawsuits that are on the rise and aren’t going away.
Linux security policy management is necessary
The reality is that Linux is an integral part of any business network and should fall under the same security and compliance rules and oversights. Just because certain systems haven’t been audited or proven vulnerable in the past doesn’t mean they don’t matter. Step back and take a look at your information security policies. Just because they exist doesn’t mean they cover the right areas or that they’re reasonable and sound. A proven process for good security policy management starts with knowing which information systems are at risk (including all your Linux-based systems). Based on the threats and vulnerabilities uncovered, determine which policies are needed for which systems and areas of the business. Then develop a formal template structure for your policy documents so they’re consistent, easy to reference and simple to understand.
Finally, check for new risks and policy oversights on a consistent and periodic basis. Not just on Windows or on highly visible systems, but on all of them. All it takes is one Linux security oversight on a seemingly benign system to cause trouble you don’t want.
About the author: Kevin Beaver is an information security consultant, keynote speaker and expert witness at Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments. Kevin has authored/co-authored eight books on information security, including Hacking For Dummies, now in its third edition. He’s also the creator of the Security on Wheels information security audio books and a blog providing security learning for IT professionals on the go. Kevin can be reached at his website, www.principlelogic.com, and on Twitter at www.twitter.com/kevinbeaver.
This was first published in September 2010