Operating System Security - Integrated Computer Security - Lecture Slides, Slides of Computer Security

These lecture slides give an easy-to-understand overview of integrated computer security. The major points in these lecture slides are: Operating System Security, Different Users, Shared, Needs to Control, Sharing, Provide An Interface, Allow the Access, Authentication, Identification, Access Control

Typology: Slides

2012/2013

Uploaded on 04/25/2013

bageshri

Lecture 18

Operating System Security

Operating System

  • An OS allows different users to access different resources in a shared way
  • The OS needs to control
    • the sharing and
    • provide an interface to allow the access
      • Identification and authentication are required for access control

Separation

  • Keep one user's objects separate from other users
  • Physical separation
    • Use different physical resources for different users
    • Easy to implement, but expensive and inefficient
  • Temporal separation
    • Execute different users' programs at different times
  • Logical separation
    • User is given the impression that no other users exist
    • As done by an operating system
  • Cryptographic separation
    • Encrypt data and make it unintelligible to outsiders
    • Complex

Sharing

  • Sometimes, users want to share resources
    • Library routines (e.g., libc)
    • Files or database records
  • OS should allow flexible sharing, not “all or nothing”
    • Which files or records?
      • Which part of a file/record?
    • Which other users?
      • Can other users share objects further?
    • What uses are permitted?
      • Read but not write, view but not print (feasibility?)
      • Aggregate information only
    • For how long?

Measures

  • the 2010 Australian Defense Signals Directorate (DSD) lists the “Top 35 Mitigation Strategies”
  • over 70% of the targeted cyber intrusions investigated by DSD in 2009 could have been prevented
  • the top four measures for prevention are:
    • patch operating systems and applications using auto-update
    • patch third-party applications
    • restrict admin privileges to users who need them
    • white-list approved applications

Operating System Security

  • possible for a system to be compromised during the installation process, before it can install the latest patches
    • building and deploying a system should be a planned process designed to counter this threat
  • process must:
    • assess risks and plan the system deployment
    • secure the underlying operating system and then the key applications
    • ensure any critical content is secured
    • ensure appropriate network protection mechanisms are used
    • ensure appropriate processes are used to maintain security

NIST System Security Planning

  • the purpose of the system, the type of information stored, the applications and services provided, and their security requirements
  • the categories of users of the system, the privileges they have, and the types of information they can access
  • how the users are authenticated
  • how access to the information stored on the system is managed
  • what access the system has to information stored on other hosts, such as file or database servers, and how this is managed
  • who will administer the system, and how they will manage the system (via local or remote access)
  • any additional security measures required on the system, including the use of host firewalls, anti-virus or other malware protection mechanisms, and logging

OPERATING SYSTEM HARDENING

Initial Setup and Patching

  • system security begins with the installation of the OS
    • ideally new systems should be constructed on a protected network
    • full installation and hardening process should occur before the system is deployed to its intended location
  • initial installation should install the minimum necessary for the desired system
  • overall boot process must also be secured
  • the integrity and source of any additional device driver code must be carefully validated
  • critical that the system be kept up to date, with all critical security related patches installed
    • should stage and validate all patches on the test systems before deploying them in production

Remove Unnecessary Services, Applications, Protocols

  • if fewer software packages are available to run, the risk is reduced
    • system planning process should identify what is actually required for a given system
  • when performing the initial installation, the supplied defaults should not be used
    • default configuration is set to maximize ease of use and functionality rather than security
    • if additional packages are needed later, they can be installed when they are required
  • not installing unwanted software
    • many uninstall scripts fail to completely remove all components
    • disabled service might be enabled by an attacker who got in
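
An added example, not part of the original slides: checking a host's listening services against the list the planning process produced, which also surfaces a service that was disabled and later switched back on. The `ss` output and the contents of `PLAN` are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `ss -H -tlnp` (not from a real host).
SS_OUTPUT = """\
LISTEN 0 128   0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0 511   0.0.0.0:443   0.0.0.0:*  users:(("nginx",pid=1020,fd=6))
LISTEN 0 5     127.0.0.1:631 0.0.0.0:*  users:(("cupsd",pid=640,fd=7))
LISTEN 0 64    0.0.0.0:2049  0.0.0.0:*
LISTEN 0 128   [::]:23       [::]:*     users:(("inetd",pid=700,fd=5))
"""

# Hypothetical result of system planning: the services this host is meant to offer.
PLAN = {(22, "sshd"), (443, "nginx")}

PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def parse_listeners(text):
    """Yield (address, port, process) for each listening TCP socket."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        match = PROC_RE.search(line)
        # Sockets owned by the kernel (e.g. NFS) carry no users:(...) column.
        yield addr.strip("[]"), int(port), match.group(1) if match else "(kernel)"

def audit(text, plan):
    """Return sorted (port, process, exposure) for listeners the plan does not cover."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        if (port, proc) in plan:
            continue
        loopback = addr in ("127.0.0.1", "::1")
        exposure = "loopback only" if loopback else "network reachable"
        findings.append((port, proc, exposure))
    return sorted(findings)

if __name__ == "__main__":
    for port, proc, exposure in audit(SS_OUTPUT, PLAN):
        print(f"unplanned listener: {proc} on port {port} ({exposure})")
```

Running the same check on a schedule, and not only after installation, is what catches a service that was re-enabled later.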

Configure Resource Controls

  • once the users and groups are defined, appropriate permissions can be set on data and resources
  • many of the security hardening guides provide lists of recommended changes to the default access configuration

Install Additional Security Controls

  • further security possible by installing and configuring additional security tools:

  • anti-virus software
  • host-based firewalls
  • IDS or IPS software
  • application white-listing

APPLICATION SECURITY

Application Configuration

  • may include:
    • creating and specifying appropriate data storage areas for application
    • making appropriate changes to the application or service default configuration details
  • some applications or services may include:
    • default data, scripts, user accounts
  • of particular concern with remotely accessed services such as Web and file transfer services

  • risk from this form of attack is reduced by ensuring that most of the files can only be read by the server
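
An added example, not part of the original slides: auditing a server's content directory for anything the server account can modify, following the point that most files should only be readable by the server. The sample tree, the `uploads` data area and the function names are constructed for illustration; the check applies the standard POSIX owner/group/other rule.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """POSIX class selection: owner bits if uid owns it, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def server_writable(root, uid, gids, allowed=()):
    """Relative paths under root that the server account can modify, skipping
    subtrees set aside as writable data areas (`allowed`)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
            dirnames[:] = []  # do not descend into an approved data area
            continue
        for name in [os.curdir] + filenames:  # curdir checks the directory itself
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISLNK(st.st_mode) and can_write(st, uid, gids):
                findings.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(findings)

# Constructed sample tree, path -> mode (directories end with "/").
SAMPLE = {"./": 0o755, "index.html": 0o644, "static.css": 0o444,
          "config.inc": 0o666, "cgi-bin/": 0o757, "cgi-bin/app.cgi": 0o755,
          "uploads/": 0o777, "uploads/in.dat": 0o666}

def build_sample(root):
    """Create the sample tree under root and apply the modes above."""
    for path in SAMPLE:
        full = os.path.join(root, path)
        if path.endswith("/"):
            os.makedirs(full, exist_ok=True)
        else:
            with open(full, "w") as fh:
                fh.write("sample\n")
    for path, mode in SAMPLE.items():
        os.chmod(os.path.join(root, path), mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        server_uid = os.lstat(tmp).st_uid + 1  # assumed: a server uid that owns nothing here
        print(server_writable(tmp, server_uid, set(), allowed=("uploads",)))
```

Files owned by the server account deserve review even when they are read-only, because the owner can restore the write bit.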