UNIX Unleashed, Internet Edition
- 14 -
by Robin Burk
A wide range of organizations exists to help systems administrators and other computer professionals address computer and security needs. This chapter lists a number of the most useful and accessible groups.
The latter part of the chapter also lists online and printed resources that will be helpful to you in planning and executing your security procedures.
Every attempt has been made to ensure that the contact information supplied in this chapter is current as of the date of authoring; however, things may have changed by the time you read this information. You can use your favorite search engine to find these and related Web sites and online information sources to help you with specific problems or put you in touch with supporting organizations.
Several United States government agencies are tasked with gathering and protecting sensitive information. The Defense and Energy Departments, in particular, have provided both the need and the funding for much of the computer security research and development that has occurred over the decades during which use of computers and networks has spread widely. More subtly, these agencies (and especially DOD) were the first to establish formal security procedures, many of which served as prototypes for what is now the best industrial practice in safeguarding computers and computer-based resources.
Several of these U.S. agencies are now tasked with providing advice, information, and consulting to corporate and non-profit organizations. The following is a list of leading agencies.
CIAC-Computer Incident Advisory Capability
CIAC is a product of the movement toward technology transfer from the government's advanced laboratories into commercial use. An activity of the Department of Energy, CIAC is an element of the Lawrence Livermore National Laboratory's Computer Security Technology Center. For decades, Lawrence Livermore Labs was a main site for nuclear weapons development, supercomputing, and security-related concerns.
Although originally formed to support the DOE and its contractors, CIAC now provides a wide range of information to industry and researchers. CIAC is a founding member of the Forum of Incident Response and Security Teams, a global organization described later in this chapter.
Other resources offered: several e-mail discussion lists, advisories, articles, workshops, and consulting
FIRST-Forum of Incident Response and Security Teams
Over the last decade, companies and governments around the world have experienced both an explosion in the use of networked computers and a corresponding rise in computer security-related incidents. FIRST was formed in 1989 as a global coalition of government, private, and academic organizations to respond to the threat posed by malicious penetration of critical computer systems.
FIRST's Web site states that its mission goes beyond gathering and providing security information. FIRST also provides its members with tools and techniques to improve system security, and works to encourage cooperation and collaboration in addressing potential threats.
Other resources offered: FIRST does not disseminate its information and tools directly to the public, working instead through its member organizations, which include many leading network and computer companies. However, the FIRST web site does provide instructions for contacting the appropriate teams to report security breaches or problems.
NIST-National Institute of Standards and Technology
NIST has long been the clearinghouse for standards and other well-established documents regarding computers and networking. The Computer Security Division of its Information Technology Laboratory evaluates proposed standards and technologies for network and computer security. This division is especially well known for its work in authentication and encryption technologies, fundamentally and as they apply to activities such as Electronic Data Interchange, electronic commerce, and e-mail.
Other resources offered: NIST hosts the Computer Security Resource Clearinghouse, with links to a wide variety of papers, tools, evaluations, and e-mail discussion forums at: http://csrc.nist.gov/
There are several academic research centers that investigate computer security from both a theoretical and a practical point of view. These centers provide a wide range of information, tools, and services to system administrators, especially in UNIX environments. The following are several of the best known academic centers.
CERT-Computer Emergency Response Team
CERT is located at the Software Engineering Institute of Carnegie Mellon University. SEI was established by the Defense Department's Advanced Research Projects Agency (DARPA) to address a wide range of software issues; CERT's activities are a component of the SEI Survivable Systems Initiative.
CERT is best known for its security advisories, which give specific information regarding security vulnerabilities found in a wide range of operating systems, including the full range of UNIX variants. CERT also issues bulletins regarding viruses and similar attacks.
Other resources offered: security tutorials, archives, FAQs, and advisory alert e-mail lists
COAST-Computer Operations, Audit, and Security Technology
COAST is a multiple-project, multiple-investigator laboratory in computer security research in the Computer Science Department at Purdue University. It is intended to function with close ties to researchers and engineers in major companies and government agencies. It focuses its research on real-world needs and limitations, with a special focus on security for legacy computing systems. With its recent increase in support and student and faculty participation, COAST is now the largest dedicated, academic computer security research group in the world.
Other resources offered: newsletter, e-mail discussion list, extensive archive of papers, information, and tools
Several associations have been formed around the UNIX platforms. Given the widespread use of UNIX in networks and, increasingly, in business, these groups inevitably address security issues on a regular basis.
A vendor-independent association that encourages the adoption of open systems based on industry standards.
Other resources offered: conferences, training, and e-mail discussion lists.
USENIX is the leading UNIX-related technical association, providing a wide range of activities, publications, and symposia. USENIX represents the UNIX community in various standards definition efforts.
Other resources offered: The System Administrators' Guild (SAGE) offers a wealth of information and resources for UNIX administrators.
Professional and Technical
Finally, a number of professional and technical organizations provide their members with information and training regarding computer security. Membership in these organizations is typically held both by individual professionals and by companies.
ACM-Association for Computing Machinery
A leading forum for computer research and publications for 50 years, ACM sponsors activities including its Special Interest Group for Security, Audit, and Control (SIGSAC). The ACM and its SIGS have local and student chapters that meet regularly.
ASIS-American Society for Industrial Security
ASIS is a professional association for those who manage security and loss prevention. Its headquarters are located in Arlington, Virginia near the Pentagon. ASIS provides a variety of professional development services, including a security certification, and distributes security-related information to its members. Members may also purchase books, videos, software, and other security-related items from the association's online store.
CPSR-Computer Professionals for Social Responsibility
CPSR is a public interest alliance concerned with the impacts of computer technology on society. Their intent is to provide the public and policy makers with objective assessments regarding the power, promise, and limitations of computer technology. CPSR's Web site, hosted by Sunnyside Computing, Inc., provides policy statements on a wide variety of computer topics, including both security and privacy issues. Members are encouraged to participate in local chapters and to effect social activism on computer-related issues.
Other resources offered: several e-mail discussion lists and archives of CPSR papers and policy statements
CSI-Computer Security Institute
CSI offers courses and technical conferences aimed at training information security professionals. The courses are fairly non-technical, concentrating on steps to take rather than theory or detailed technical information.
HTCIA-High Tech Crime Investigation Association
HTCIA's members are primarily law enforcement officers or computer crime investigators, along with senior professionals from industry and academia.
Other resources provided: technical training seminars, links to information regarding legislation, court cases, and law enforcement guidelines for the investigation of computer-related crimes
IEEE-Institute of Electrical and Electronics Engineers
The oldest and largest technical professional society, IEEE has a wide range of journals and activities that are relevant to computing and security.
ISACA-Information Systems Audit and Control Association
This association provides a wide range of suggested standards and procedures, information, and conferences to IT professionals.
Other resources offered: e-mail discussion list, book store, membership directory, and professional certification
ISSA-Information Systems Security Association
Another international association of IT professionals. Membership includes many senior MIS managers and technologists.
(ISC)2-International Information Systems Security Certification Consortium
(ISC)2 was formed by several data processing associations, government agencies, and other organizations to provide a common certification program for IT security professionals.
Online Sources of Information
Many computer-related publications, journals, and online groups regularly discuss security issues. There isn't room here to list all of the general computer-related resources, including security newsletters and books, that might be helpful. We have included a number of the best online sources for UNIX-related security information.
E-mail Discussion Lists
The USENET includes a number of e-mail discussion lists dedicated to Unix and security issues. The quality of information can vary greatly from list to list and from time to time, but in general these can be really useful.
8LGM (Eight Little Green Men)
Posts detailed information regarding UNIX bugs and hacker attacks.
BEST OF SECURITY
Provides security administrators with a single source of computer security information, including product issues, advisories, conference and class announcements, and links to other information.
An excellent source of information for those exploring security issues for the first time and for the experienced pros, as well.
Subscribe to: firstname.lastname@example.org
Message: subscribe best-of-security
Discusses UNIX security holes and how they can be exploited or fixed.
Subscribe to: email@example.com
Message: subscribe bugtraq
Useful information about choosing, installing, and administering firewalls.
HP Security Bulletin
Distributes information and patches for security problems in HP-UX systems.
Subscribe to: firstname.lastname@example.org
Message: subscribe security-info
INTRUSION DETECTION SYSTEMS
Information regarding the development of intrusion detection schemes.
Subscribe to: email@example.com
Message: subscribe ids
Archive: (Contact the list for the current archive location.)
Sun Security Alert
Distributes security alerts about the Sun operating system.
Subscribe to: firstname.lastname@example.org
Message: subscribe cws your-e-mail-address
VIRUS-L and VALERT-L
These lists are related to the comp.virus newsgroup. VALERT-L is for urgent virus warnings only (no discussion allowed); VIRUS-L is a moderated forum for discussing viruses.
Subscribe to: email@example.com
Message: sub virus-l your-name
sub valert-l your-name
Dedicated to an open discussion of security within the World Wide Web, with a focus on emerging standards.
Subscribe to: firstname.lastname@example.org
Message: sub www-security
Usenet newsgroups are bulletin boards devoted to specific topics. There are currently over 20,000 newsgroups formed on a wide range of issues.
Following is a list of a few newsgroups that are especially relevant to UNIX security issues. If you are new to Usenet, please note that all newsgroups must be organized around a specified topic, but that actual discussion can vary greatly as to value and topic.
Where the Hackers Hang Out
Security administrators differ in their attitude to using hacker publications and online sites. Most are uncomfortable taking steps, such as subscribing to a discussion list, that might seem to imply approval of hacker activities.
At the same time, hackers themselves are your best source of information regarding new UNIX vulnerabilities, hacking tools, and other threats to your system. With that in mind, this section lists a few of the more informative sources of information by and about hackers.
Computer Underground Digest
Discusses the computer underground.
Dedicated to phone and computer hacking.
Subscribe to: email@example.com
Message: subscribe phrack
As we've seen, UNIX systems are vulnerable to a number of security risks ranging from inappropriate access to hijacking of system resources and even sabotage.
Fortunately, an equally wide range of information, tools and services is available to administrators who want to defend their systems against misuse. Of these, perhaps the most useful is current information on attacks and defenses. With the increased use of UNIX for corporate computing and network servers, commercial security products are also increasingly powerful and sophisticated.
Security begins with a good set of policies, backed by procedures and the tools with which to implement them. Effective security must balance cost against benefit and usually requires the cooperation and support of the user community and of management. Identifying and responding to system security risks is increasingly one of the system administrator's main responsibilities.