When Secure Systems Are Not

My company makes security software for UNIX, Linux and Mac OS X computers. Those of you not familiar with these operating systems might ask why we don’t do this for Windows, since it is so often Windows that is the subject of security flaws in the popular press. The answer is a bit more complicated than you might think.

A lot of our business is driven by security regulations. SOX, HIPAA, PCI DSS and other laws and industry standards require that computers that are in scope employ adequate security measures. The cost of non-compliance can be significant: shareholder lawsuits, criminal charges or, worst of all, increased credit card transaction costs. If a company loses its PCI compliance status, it can be forced to pay higher fees that can run into tens of millions of dollars a year for a large e-commerce firm.

A computer is considered in scope from the perspective of security regulations if it is involved in the processes covered by the regulation. For HIPAA, any system that stores patient data would be considered in scope. For SOX, any system that feeds data into corporate financial reports would be in scope.

It is not surprising to find many non-Windows systems in scope (or put another way, it is not surprising to find that a disproportionate number of in scope systems are running operating systems other than Windows). Since Windows is more frequently the target of hacker attacks and has more known exploits, companies like to use non-Windows systems for security critical applications, especially if the applications run “on the network edge” — they’re available on the Internet. By definition, e-commerce applications are on the network edge and PCI, particularly, brings a lot of non-Windows systems into regulatory scope.

Now here’s the kicker: for the most part, non-Windows systems employ terrible security practices!

What good is it that the operating system is well-written and tested if the root password is weak? How about if all the admins regularly log in as root and, thus, all know its password? How about if the logs cannot tell you which admin did what, because everyone is logging in as root?
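The third question is the one an auditor will actually ask: who was root at 11:40? As an added example (not code from the original post), here is a small POSIX shell audit that answers it from the lines OpenSSH and sudo write through syslog (/var/log/auth.log or /var/log/secure), and reads the sshd setting that allows the problem in the first place. The log lines and sshd_config below are constructed samples; the host name, users and commands in them are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: answer "who was root?"
# from auth log lines. A direct root login records only "root"; a sudo
# escalation records the real user, the TTY and the exact command.
# Log lines follow what OpenSSH and sudo write through syslog
# (/var/log/auth.log or /var/log/secure); the ones below are constructed.

# Interactive logins that went straight to root (no person attached).
direct_root_logins() {
    grep -Ec 'sshd\[[0-9]+\]: Accepted [^ ]+ for root from' "$1" || true
}

# Privilege escalations to root that went through sudo (attributed).
sudo_escalations() {
    grep -Ec 'sudo(\[[0-9]+\])?: +[^ ]+ : TTY=.*USER=root ; COMMAND=' "$1" || true
}

# "user command" for each sudo escalation to root: the trail a shared
# root password can never produce.
sudo_trail() {
    awk '/sudo(\[[0-9]+\])?: +[^ ]+ : TTY=/ && /USER=root ; COMMAND=/ {
        sub(/.*sudo(\[[0-9]+\])?: +/, ""); user = $1
        sub(/.*COMMAND=/, ""); print user, $0
    }' "$1"
}

# Effective PermitRootLogin from an sshd_config: sshd takes the first
# uncommented occurrence; "default" means the directive is absent.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Constructed sample data (not from a real host).
SAMPLE_LOG=$(mktemp); SAMPLE_SSHD=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_SSHD"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 09:12:01 db01 sshd[2213]: Accepted password for root from 10.0.0.7 port 51022 ssh2
Mar  3 09:15:44 db01 sshd[2290]: Accepted publickey for alice from 10.0.0.12 port 51100 ssh2
Mar  3 09:16:02 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
Mar  3 11:40:19 db01 sshd[3107]: Accepted password for root from 10.0.0.9 port 40188 ssh2
Mar  3 11:41:30 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Mar  3 11:42:05 db01 sshd[3107]: Failed password for root from 203.0.113.5 port 2222 ssh2
EOF
cat >"$SAMPLE_SSHD" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF

echo "direct root logins, nobody attached: $(direct_root_logins "$SAMPLE_LOG")"
echo "sudo escalations, user recorded:     $(sudo_escalations "$SAMPLE_LOG")"
sudo_trail "$SAMPLE_LOG"
echo "sshd PermitRootLogin: $(permit_root_login "$SAMPLE_SSHD") (want: no)"
```

On a real host, point the functions at the live log and sshd_config. The two root logins at 09:12 and 11:40 came from two different addresses and could be two different people, but the log cannot say which; the two sudo lines can. The fix for the first number is personal accounts plus `PermitRootLogin no`, which is what the rest of the post is about.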

These hypothetical scenarios occur much more often than you think. Why? Because most companies do not have any centralized account management for their non-Windows systems.

Their Windows systems typically use Microsoft Active Directory (AD). Users log in with their personal accounts and are granted special privileges by being made members of specific administrative groups. Files and programs are tagged with access control lists (ACLs) that only allow authorized users to access them. Windows and AD support group policy features that allow standardized security practices to be enforced throughout the corporation. Special audit ACLs can be defined to keep track of accesses to restricted resources.

These practices, for the most part, are completely alien to non-Windows systems. Although there are several LDAP directories (from Sun, IBM, Red Hat, Novell, others) that can be used for centralized account management, these are rarely implemented. Either they’re too expensive or they are too clumsy to use.

A few companies use NIS servers (developed by Sun) for this purpose, but NIS is itself not secure: any host that knows the NIS domain name can pull the password map, hashes included, over the network with no authentication. The “NIS replacement business” is also a healthy source of income for us.

There is no analog for group policy in the non-Windows world. Implementing standard security practices across all non-Windows systems usually means using manual processes and settling for the least common denominator. Some old versions of UNIX restrict passwords to 8 characters in length, for example (the traditional DES-based crypt() ignores everything after the eighth character), and disallow the use of punctuation marks. They may not provide any mechanism for forcing periodic password changes, for requiring strong passwords or for preventing the reuse of recent passwords.
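The 8-character limit is not only a property of old systems; it survives on newer ones in any account whose hash was never migrated off DES crypt. As an added example (not code from the original post), the following POSIX shell checks classify every hash in a copy of /etc/shadow and report the login.defs settings that govern aging and the hash method. The shadow and login.defs contents are constructed samples, and the account names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: two checks for the
# password weaknesses described above, run against copies of /etc/shadow
# and /etc/login.defs passed as arguments (on a live host these are
# root-only). The sample files below are constructed, not real accounts.

# Classify a shadow(5) hash field by its prefix. A 13-character value with
# no "$" prefix is the legacy DES crypt(3) format, which ignores everything
# after the eighth character of the password.
hash_scheme() {
    case "$1" in
        ''|'!'*|'*'*) echo locked ;;
        '$y$'*|'$7$'*) echo yescrypt ;;
        '$6$'*) echo sha512 ;;
        '$5$'*) echo sha256 ;;
        '$2'*) echo bcrypt ;;
        '$1$'*) echo md5 ;;
        *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Accounts whose current password is DES-hashed, one per line.
des_users() {
    awk -F: '{ print $1, $2 }' "$1" | while read -r user hash; do
        if [ "$(hash_scheme "$hash")" = des ]; then echo "$user"; fi
    done
}

# Value of a login.defs key, or "unset" when the key is absent.
login_defs_value() {
    awk -v key="$1" '$1 == key { print $2; found = 1; exit }
                     END { if (!found) print "unset" }' "$2"
}

# Findings for the policy knobs the text mentions, one per line. An unset
# ENCRYPT_METHOD meant DES on old shadow-utils unless PAM overrides it.
weak_policy_findings() {
    max=$(login_defs_value PASS_MAX_DAYS "$1")
    method=$(login_defs_value ENCRYPT_METHOD "$1")
    if [ "$max" = unset ] || [ "$max" -gt 90 ]; then
        echo "PASS_MAX_DAYS=$max: periodic password change is not forced"
    fi
    case "$method" in
        DES|unset) echo "ENCRYPT_METHOD=$method: new passwords get DES hashes (8-character limit)" ;;
    esac
}

# Constructed sample files (not real accounts or hashes).
SAMPLE_SHADOW=$(mktemp); SAMPLE_LOGIN_DEFS=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW" "$SAMPLE_LOGIN_DEFS"' EXIT
cat >"$SAMPLE_SHADOW" <<'EOF'
root:abJnggxhB/yWI:15000:0:99999:7:::
alice:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuv:18500:0:90:7:::
oldsvc:Zq3gtCxPGF1Ok:14200:0:99999:7:::
daemon:*:17000:0:99999:7:::
bob:!$6$abc$def:18600:0:90:7:::
EOF
cat >"$SAMPLE_LOGIN_DEFS" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
ENCRYPT_METHOD  DES
EOF

echo "DES-hashed accounts (8-character passwords at best):"
des_users "$SAMPLE_SHADOW"
weak_policy_findings "$SAMPLE_LOGIN_DEFS"
```

A hash can only be upgraded when the password is next set, so after switching ENCRYPT_METHOD (or the pam_unix option) to SHA512 or yescrypt, expire the DES accounts with `chage -d 0 user` so that the next login replaces the hash. Length and complexity rules on PAM-based systems come from pam_pwquality or pam_cracklib, not from login.defs, so check those modules as well.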

The Likewise Software solution is to connect these systems to Microsoft Active Directory and to implement a powerful group policy solution for non-Windows systems. We allow companies to connect over 110 flavors of UNIX, Linux and Mac OS X to AD and to use the same username and password on all these systems. We enable effective and efficient use of sudo to implement role-based access control and eliminate the broad use of root logins.
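What "role-based access control through sudo" looks like in practice is a sudoers drop-in that maps directory groups to bounded command lists, so that nobody needs the root password and every escalation is logged against a person. The following is an added example, not code from the original post or from Likewise's product: a POSIX shell script that writes such a drop-in into a temporary directory standing in for /etc/sudoers.d, reports what each role may run, and validates the file with `visudo -c` when visudo is installed. The group names (dba, webadmins, unixadmins) and the service names are assumptions; on an AD-joined host the same rules apply to whatever group names the NSS layer exposes (the `%DOMAIN\\group` spelling depends on the provider).

```shell
#!/bin/sh
# Added example, not code from the original post or from Likewise's product:
# a role-based sudoers drop-in that maps directory groups to bounded command
# sets, with two helpers that report what each role may run. The group
# names (dba, webadmins, unixadmins) and service names are assumptions; on
# an AD-joined host the same rules apply to whatever group names the NSS
# layer exposes.

SUDOERS_DIR=$(mktemp -d)   # stands in for /etc/sudoers.d
trap 'rm -rf "$SUDOERS_DIR"' EXIT
cat >"$SUDOERS_DIR/roles" <<'EOF'
# Every escalation is logged with the real user, TTY and command.
Defaults        logfile=/var/log/sudo.log, log_input, log_output
Defaults        use_pty, !visiblepw, timestamp_timeout=5

# Command sets that make up each role. Keep shells, editors and pagers
# out of these lists: a pager running as root hands out a root shell.
Cmnd_Alias DB_SERVICE  = /bin/systemctl start postgresql, \
                         /bin/systemctl stop postgresql, \
                         /bin/systemctl restart postgresql
Cmnd_Alias WEB_SERVICE = /bin/systemctl reload nginx, /bin/systemctl restart nginx

# Roles: group -> commands. The application roles never get ALL; the
# platform team does, but as named users through sudo, not as "root".
%dba         ALL = (root) DB_SERVICE
%webadmins   ALL = (root) WEB_SERVICE
%unixadmins  ALL = (root) ALL
EOF
chmod 0440 "$SUDOERS_DIR/roles"

# What a group is allowed to run, as written in its rule line.
role_commands() {   # $1 = group without the "%", $2 = sudoers file
    awk -v g="%$1" '$1 == g { sub(/^.*\) */, ""); print; exit }' "$2"
}

# Expand a Cmnd_Alias, joining backslash-continued lines.
alias_commands() {  # $1 = alias name, $2 = sudoers file
    awk -v a="$1" '
        /^Cmnd_Alias/ { cur = $2 }
        cur == a {
            line = $0
            sub(/^Cmnd_Alias[ \t]+[A-Z_]+[ \t]*=[ \t]*/, "", line)
            sub(/\\$/, "", line)
            buf = buf line
            if ($0 !~ /\\$/) {
                gsub(/[ \t]+/, " ", buf); sub(/^ /, "", buf); sub(/ $/, "", buf)
                print buf; exit
            }
        }' "$2"
}

# Syntax check with visudo when it is installed (the real check on a host).
validate_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed here; syntax not checked" >&2
    fi
}

for g in dba webadmins unixadmins; do
    echo "%$g may run: $(role_commands "$g" "$SUDOERS_DIR/roles")"
done
echo "DB_SERVICE expands to: $(alias_commands DB_SERVICE "$SUDOERS_DIR/roles")"
validate_sudoers "$SUDOERS_DIR/roles" || echo "visudo rejected the file" >&2
```

Two sudoers pitfalls are worth knowing when you write the fine-grained roles. Exclusions such as `ALL, !/bin/sh` are not a boundary, because the user can copy the shell to another path; grant exact commands instead. Wildcards in arguments match across `/`, so a rule like `/usr/bin/tail /var/log/*` also matches `/var/log/../../etc/shadow`; for file edits use `sudoedit` rather than handing out an editor. The `%unixadmins` rule still grants full root, which is the point: the platform team keeps its power, but the log now says `alice` and `bob` rather than `root`.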

So, the next time you’re considering the security of your company’s computing infrastructure, look beyond the evening news and spend a little time thinking about how your own practices affect the vulnerability of your systems.
