Information System Security Essay

1538 words - 7 pages

Claudia Goodman
IT302 Homework 2
Security-Enhanced Linux
The NSA has long been involved with the computer security research community in investigating a wide range of computer security topics including operating system security. It recognizes the critical role of operating system security mechanisms in supporting security at higher levels.
End systems must be able to enforce confidentiality and integrity requirements to provide system security. Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. Application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed ...view middle of the document...

The flexibility of the system allows the policy to be modified and extended to customize the security policy as required for any given installation.
Researchers in the National Information Assurance Research Laboratory of the National Security Agency (NSA) worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. The NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS. The NSA and SCC then worked with the University of Utah's Flux research group to transfer the architecture to the Fluke research operating system. The architecture was enhanced to provide better support for dynamic security policies named Flask. The NSA integrated the Flask architecture into the Linux® operating system to transfer the technology to a larger developer and user community.
http://www.nsa.gov/research/selinux
Chroot Jail
On Unix-like operating systems, such as Linux, a chroot jail is the common expression used to describe a section of a filesystem that is sectioned off for a particular user. On a web server, it is particularly useful for the security of shared hosting accounts.
Without a chroot jail, a user with limited file permissions would still be able to navigate to top-level directories. As an example, suppose the user’s directory is /home/user. Without chroot, nothing would prevent the user from navigating up to /home to see other users’ directories or even navigating up to / where they can see /etc, /usr, /var, /lib, and other system-critical directories. Although the user would not have the permissions to edit them, they would be able to see the files and target specific ones to try to exploit.
It is not just a matter of trust. By allowing your user access, you also allow anyone who can hack their account access. That just creates one more weak link in your security fence.
Many control panels that reconfigure web servers for shared hosting will automatically create chroot directories for user accounts. There is also software that can help you more easily create chroot jails. One such software suite is called Jailkit, which is available for free.
Another important use for chroot is for virtualization. With a virtual private server (vps), the user has a complete operating system installed within a chroot directory. As a result, even though the user has root privileges for his or her own account, the user cannot access higher directories and would not even be aware that they exist (on a technical level). In other words, if the user is in /var/chroot/vhosts/user/, there is no way to move up beyond that /user directory. It will appear to the user as the default root directory, which is /.
Chroot is very useful for basic preventative security, but it is not designed to prevent deliberate attempts to gain root access and attack a server. Chroot helps tremendously to at least make it more...

Other Papers Like Information System Security

Cmgt400 Week 4 Individual Essay

1359 words - 6 pages The Role of Information Security Policy A successful Information Security Program is determined by how the security policy for an organization is developed, how it is implemented, and maintained. An effective sound security policy creates a solid foundation for an information system. The policy makers must emphasize that within the organization, the role played by information security is of paramount importance. The system administrator is

Chapter 1 Review Questions

870 words - 4 pages of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study? A. Hardware, Data, People, Software, Procedures, Networks. B. Data is most critical component of an information system, and therefore the most directly affected by the study of computer security. C. The most commonly component associated with the study of information systems, is in fact all of them

It Audit Guide

4838 words - 20 pages IT [pic] Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Table of Contents 1. Introduction to Accreditation 4 2. The Information System Audit – Checklist 7 2.1. What is an Information System Audit? 7 2.2. Why is an Information System Certification needed? 7 2.3. Assessing an Information System’s Security Risks 7

Chapter 1-Introduction to Information Security: Principles of Information Security

979 words - 4 pages Chapter 1-Introduction to Information Security: 1. What is the difference between a threat and a threat agent? A threat is a constant danger to an asset, whereas a threat agent is the facilitator of an attack. 2. What is the difference between vulnerability and exposure? Vulnerability: is a fault within the system, such as software package flaws, unlocked doors or an unprotected system port. It leaves things open to an attack or

Principles of Security 5th Edition Chapter 1 Review Questions

844 words - 4 pages make a system weak and open to attacks without protection. 3. How is infrastructure protection (assuring the security of utility services) related to information security? If the infrastructure of a network is exposed and accessible to anyone this leaves the network vulnerable to damage both to hardware and software. The infrastructure must be protected to allow only authorized user to have access to the network. 4. What type of

Course Discription

968 words - 4 pages : Wiley. Article References Barr, J. G. (2012). Business continuity for web sites. Faulkner Information Services, 1-9. Barr, J. G. (2012). Identity management market trends. Faulkner Information Services, 1-10. Barr, J. G. (2013). Common criteria overview. Faulkner Information Services, 1-10. Barr, J. G. (2013). Biometrics market trends. Faulkner Information Services, 1-7. Week One: IT Security Overview Details Due Points

Public Policing Vs Private Security

1153 words - 5 pages one would be able to access information. Public policing and private security of different similarities and differences; however both have common goals in mind and that is to protect and serve. Both of the goals of these agencies intertwine within each other. Both roles play an important role within the criminal justice system. Public policing have to abide by the laws and regulations that affect society that private security do not have to

Linux Security

448 words - 2 pages recognized best practice framework for an information security management system. It helps you identify the risks to your important information and put in place the appropriate controls to help reduce the risk. • Identify risks and put controls in place to manage or reduce them • Flexibility to adapt controls to all or selected areas of your business • Gain stakeholder and customer trust that their data is protected • Demonstrate compliance and gain

Security Breach

1832 words - 8 pages , management support to execute the law will also help the firm to avoid security breach (Roberds & Schreft, 2009). Improve security and lock system: The firm should develop security and lock system to ensure high security of information of the customers. In this, the firm should have effective backup recovery programs and systems that will minimize the chances of security breach at the workplace (Colwill, 2009). Conclusion On the

Information Security

988 words - 4 pages switching off computers that are used publicly. These examples of omission are a threat to the security of information. The second human trait is acts of commission. Parsons et.al (2010) indicates that there are cases whereby individuals miss out on the correct procedure of performing a particular action. There are cases whereby forget to enter their passwords in the correct forms hence creating challenges to the information system security

Computer Security In Education

330 words - 2 pages is having a student’s private information exposed, such as their Social Security number stolen, a nightmare for the individual, but it also causes much additional stress for the university. The higher education system then has to deal with legal issues, public relations fiascos, and various financial losses. In order to avoid any unnecessary headaches, universities go to great lengths to protect their networks from security threats

Related Essays

Information System Security Essay

1267 words - 6 pages hardware and software problems and about security events on your computer. A computer running Windows Server 2008 records events in at least three kinds of logs: application, system, and security. A computer running Windows Server 2008 which is configured as a domain controller records events in two additional logs, the Directory Service log and the File Replication Service log. A computer running Windows Server 2008 which is configured as a Domain

Cap Study Guide Essay

5295 words - 22 pages CAP study guide – 1. Who is responsible for establishing the rules for appropriate use and protection of the subject information (e.g. rules of behavior)? a. System owner 2. Who has the authority to formally assume responsibility for operating an information system at an acceptable level of risk? a. Accrediting Authority 3. Who is responsible for ensuring that the appropriate operational security posture is

Introduction To Information Security Student Essay

1249 words - 5 pages and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions. While there are many manuals to support individual systems, there is no manual for implementing security throughout an entire interconnected system. This is especially true given the complex levels of interaction among users, policy, and technology controls. Information Security: Security as Science There are

Top 10 Laws Of Security Essay

1706 words - 7 pages security, the more security level will be gained. 4 Third Law: Security is built from the Core, not on the Edge As a complementary to the second law, security should be applied step by step as we build the system, from requirements to analysis to design to implementation up to termination stage. Most security vendors apply their measures in the boundaries of the system, forgetting that relations among information assets and employees their selves