 Inside the Kernel  
 Establishing a Security Framework
An effective security policy should strike a balance between users' needs and the need to protect the system.
by Emmett Dulaney  
1/11/2010 -- When it comes to securing your Linux system -- or any other system, for that matter -- the first step is to set up a security policy, a set of guidelines that state what you enable users (as well as visitors over the Internet) to do on your Linux system. The level of security you establish depends on how you use the system -- and on how much is at risk if someone gains unauthorized access to it.

If you're a system admin for one or more Linux systems at an organization, you probably want to involve company management, as well as the users, in setting up the security policy. Obviously, you can't create a draconian policy that blocks all access; that would prevent anyone from effectively working on the system. On the other hand, if users create or use data that is valuable to the organization, you have to set up a policy that protects the data from disclosure to outsiders. In other words, the security policy should strike a balance between the users' needs and the need to protect the system.

For a standalone Linux system, or a home system that you occasionally connect to the Internet, the security policy can be just a listing of the Internet services that you want to run on the system and the user accounts that you plan to set up on the system. Any larger organization probably has one or more Linux systems on a LAN connected to the Internet, preferably through a firewall. In such cases, it is best to think about computer security systematically across the entire organization.

The security framework entails:

  • Determining the business requirements for security.
  • Performing risk assessments.
  • Establishing a security policy.
  • Implementing a security solution that includes people, process and technology to mitigate identified security risks.
  • Continuously monitoring and managing security.
Determining Business Requirements for Security
The business requirements identify the security needs of the business -- the computer resources and information you have to protect, including any requirements imposed by applicable laws (such as the requirement to protect the privacy of some types of data). Typical security requirements may include items like these:
  • Enabling access to information by authorized users.
  • Implementing business rules that specify who has access to what information.
  • Employing a strong user-authentication system.
  • Denying malicious or destructive actions on data.
  • Protecting data from end to end as it moves across networks.
  • Implementing all security and privacy requirements that applicable laws impose.
Performing Risk Analysis
Risk analysis is all about identifying and assessing risks. The analysis involves determining the following and then performing some analysis to determine the priority of handling the risks:
  • Threats: What you're protecting against.
  • Vulnerabilities: Weaknesses that a threat may exploit. A vulnerability paired with the probability and impact below is what you score as a risk, so the rest of this article uses the two words loosely as synonyms.
  • Probability: The likelihood that a threat will exploit the vulnerability.
  • Impact: The effect of exploiting a specific vulnerability.
  • Mitigation: What to do to reduce vulnerabilities.

Typical Threats
Some typical threats to your Linux system include:

  • Denial of service: The computer and network are tied up so legitimate users can't use the systems. For businesses, denial of service can mean a loss of revenue.

  • Unauthorized access: Use of the computer and network by someone who isn't an authorized user. The unauthorized user can steal information or maliciously corrupt or destroy data. Some businesses may be hurt by the negative publicity from an unauthorized user gaining access to the system, even if there's no sign of explicit damage.

  • Disclosure of information to the public: The unauthorized release of information to the public. For example, the disclosure of a password file gives attackers the usernames and password hashes they need to crack username and password combinations offline and then log in to the system. Exposure of other sensitive information, such as financial and medical data, may be a potential liability for a business.

Typical Vulnerabilities
The threats to your system and network come from exploitation of vulnerabilities in your organization's resources -- both computer and people. Here are some common vulnerabilities:

  • User foibles (divulging passwords, losing security cards and so on).
  • Internal network connections (routers, switches).
  • Interconnection points (gateways -- routers and firewalls -- between the Internet and the internal network).
  • Third-party network providers (ISPs, long-distance carriers) with looser security.
  • OS security holes (potential holes in Internet-facing services shipped with the system, such as sendmail or the BIND name server, named).
  • Application security holes (known security holes in specific applications).

The 1-2-3 of Risk Analysis
To perform risk analysis, assign a numeric value to the probability and impact of each potential vulnerability. To develop a workable risk analysis, do the following for each vulnerability or risk:

  • Assign subjective ratings of Low, Medium and High for the probability. Low probability means there's a lesser chance that the vulnerability will be exploited; High probability means a greater chance.
  • Assign similar ratings to impact. What you consider impact is up to you. If the exploitation of a vulnerability will affect your business greatly, assign it a High impact.
  • Assign a numeric value to the three levels -- Low = 1, Medium = 2 and High = 3 -- for both probability and impact.
  • Multiply the probability by the impact; you can think of this product as the risk level. Then make a decision to develop protections for vulnerabilities that exceed a specific threshold for the product of probability and impact. For example, you may choose to handle all vulnerabilities with a probability-times-impact greater than 6.

If you want to characterize the probability and impact with finer gradations, pick a scale of 1 through 5 (for example) instead of 1 through 3, and follow the same steps as before.
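The scoring steps above carried out in code, as an added example that is not from the original column: a small risk register is rated on the Low/Medium/High scale, each entry's probability is multiplied by its impact, and entries above a chosen threshold are returned highest-risk first. The five-level scale and its labels, the register entries and the helper names are assumptions made for this example, not part of the article.

```python
"""Probability-times-impact risk scoring, as described in the column."""
from dataclasses import dataclass

# Rating labels mapped to numeric values. The three-level scale is the one the
# column uses; the five-level scale is an assumed labelling of the finer
# gradation it mentions.
SCALES = {
    3: {"Low": 1, "Medium": 2, "High": 3},
    5: {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5},
}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    probability: str  # subjective rating label, e.g. "High"
    impact: str       # subjective rating label, e.g. "Medium"


def risk_level(vuln, scale=3):
    """Numeric probability rating times numeric impact rating."""
    ratings = SCALES[scale]
    try:
        p = ratings[vuln.probability]
        i = ratings[vuln.impact]
    except KeyError as exc:
        # A label from the wrong scale would otherwise silently crash the report.
        raise ValueError(
            f"{vuln.name}: unknown rating {exc.args[0]!r} for {scale}-level scale"
        ) from None
    return p * i


def prioritize(vulns, threshold, scale=3):
    """Return (name, risk) for entries whose risk exceeds threshold, highest first."""
    scored = [(v.name, risk_level(v, scale)) for v in vulns]
    selected = [(name, risk) for name, risk in scored if risk > threshold]
    return sorted(selected, key=lambda entry: (-entry[1], entry[0]))


def possible_risk_levels(scale=3):
    """Every product the chosen scale can produce; useful when picking a threshold."""
    values = sorted(set(SCALES[scale].values()))
    return sorted({a * b for a in values for b in values})


# Constructed sample register (hypothetical entries, not taken from the article).
SAMPLE_REGISTER = [
    Vulnerability("Users divulge passwords to phishing e-mail", "High", "High"),
    Vulnerability("Unpatched sendmail on the mail gateway", "Medium", "High"),
    Vulnerability("ISP link carrying unencrypted traffic", "Medium", "Medium"),
    Vulnerability("Stale account on a lab workstation", "Low", "Medium"),
    Vulnerability("Lost building access card", "Low", "Low"),
]

if __name__ == "__main__":
    print("Possible risk levels on the 3-level scale:", possible_risk_levels(3))
    for cutoff in (6, 5):
        print(f"--- entries with risk greater than {cutoff} ---")
        for name, risk in prioritize(SAMPLE_REGISTER, threshold=cutoff):
            print(f"{risk:2d}  {name}")
```

One thing the script makes obvious: on the three-level scale the only products that can occur are 1, 2, 3, 4, 6 and 9, so a threshold of "greater than 6" admits only High-probability, High-impact items; a Medium/High pair (6) is dropped. If you intend to handle those as well, use "6 or greater" (a threshold of 5 in the code above).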

Establishing a Security Policy
Using risk analysis and any business requirements that you may have to address (regardless of risk level) as a foundation, you can craft a security policy for the organization. Such a security policy typically addresses high-level objectives such as ensuring the confidentiality, integrity and availability of data and systems.

The security policy typically addresses the following areas:

  • Authentication: What method is used to ensure that a user is the real user? Who gets access to the system? What is the minimum length and complexity of passwords? How often do users change passwords? How long can a user be idle before that user is logged out automatically?
  • Authorization: What can different classes of users do on the system? Who can have the root password?
  • Data protection: What data must be protected? Who has access to the data? Is encryption necessary for some data?
  • Internet access: What are the restrictions on users (from the LAN) accessing the Internet? What Internet services (such as Web, Internet Relay Chat and so on) can users access? Are incoming e-mails and attachments scanned for viruses? Is there a network firewall? Are VPNs used to connect private networks across the Internet?
  • Internet services: What Internet services are allowed on each Linux system? Are there any file servers? Mail servers? Web servers? What services run on each type of server? What services, if any, run on Linux systems used as desktop workstations?
  • Security audits: Who tests whether the security is adequate? How often is the security tested? How are problems found during security testing handled?
  • Incident handling: What are the procedures for handling any computer security incidents? Who must be informed? What information must be gathered to help with the investigation of incidents?
  • Responsibilities: Who's responsible for maintaining security? Who monitors log files and audit trails for signs of unauthorized access? Who maintains the security policy?
Implementing Security Solutions (Mitigation)
After you analyze the risks (vulnerabilities) and develop a security policy, you have to select the mitigation approach: how to protect against specific vulnerabilities. This is where you develop an overall security solution based on security policy, business requirements and available technology -- a solution that makes use of people, process and technology and includes the following:
  • Services (authentication, access control, encryption)
  • Mechanisms (username/password, firewalls)
  • Objects (hardware, software)

Because it's impossible to protect computer systems from all attacks, solutions identified through the risk management process must support three integral concepts of a holistic security program:

  • Protection provides countermeasures such as policies, procedures and technical solutions to defend against attacks on the assets being protected.
  • Detection monitors for potential breakdowns in the protective measures that could result in security breaches.
  • Reaction or response, which often requires human involvement, responds to detected breaches to thwart attacks before damage can be done.

Because absolute protection from attacks is impossible to achieve, a security program that doesn't incorporate detection and reaction is incomplete.

Managing Security
In addition to implementing security solutions, you have to put security management in place that continually monitors for, detects and responds to security incidents.

The combination of the risk analysis, security policy, security solutions and security management provides the overall security framework. Such a framework helps establish a common level of understanding of security concerns -- and a common basis for the design and implementation of security solutions.


Emmett Dulaney is the author of several books on Linux, Unix and certification. He can be reached at .

 

