|
Determining business requirements for security

The business requirements identify the security needs of the business — the computer resources and information you have to protect (including any requirements imposed by applicable laws, such as the requirement to protect the privacy of some types of data). Typical security requirements may include items such as the following:

✦ Enabling access to information by authorized users
✦ Implementing business rules that specify who has access to what information
✦ Employing a strong user-authentication system
✦ Denying malicious or destructive actions on data
✦ Protecting data from end to end as it moves across networks
✦ Implementing all security and privacy requirements that applicable laws impose

Performing risk analysis

Risk analysis is all about identifying and assessing risks — potential events that can harm your Linux system. The analysis involves determining the following and performing some analysis to determine the priority of handling the risks:

✦ Threats: What you’re protecting against
✦ Vulnerabilities: Weaknesses that may be exploited by threats (these are the risks)
✦ Probability: The likelihood that a threat will exploit the vulnerability
✦ Impact: The effect of exploiting a specific vulnerability
✦ Mitigation: What to do to reduce vulnerabilities

Typical threats

Before I further describe risk analysis, here are some typical threats to your Linux system:

✦ Denial of Service: The computer and network are tied up so legitimate users cannot make use of the systems. For businesses, Denial of Service can mean a loss of revenue.
✦ Unauthorized access: Use of the computer and network by someone who isn’t an authorized user. The unauthorized user can steal information or maliciously corrupt or destroy data. Some businesses may be hurt by the negative publicity from the mere act of an unauthorized user gaining access to the system, even if data shows no sign of explicit damage.
✦ Disclosure of information to the public: The unauthorized release of information to the public. For example, the disclosure of a password file enables potential attackers to figure out username and password combinations for accessing a system. Exposure of other sensitive information, such as financial and medical data, may be a potential liability for a business.

Typical vulnerabilities

The threats to your system and network come from exploitation of vulnerabilities in your organization’s resources — both computer and people. Some common vulnerabilities are the following:

✦ People’s foibles (divulging passwords, losing security cards, and so on)
✦ Internal network connections (routers, switches)
✦ Interconnection points (gateways — routers and firewalls — between the Internet and the internal network)
✦ Third-party network providers (ISPs, long-distance carriers) with looser security
✦ Operating system security holes (potential holes in Internet servers, such as those associated with sendmail, named, bind, and so on)
✦ Application security holes (known security holes in specific applications)

The 1-2-3 of risk analysis (probability and impact)

To perform risk analysis, assign a numeric value to the probability and impact of each potential vulnerability. To develop a workable risk analysis, do the following for each vulnerability or risk:

1. Assign subjective ratings of Low, Medium, and High for the probability. As the ratings suggest, Low probability means a lesser chance that the vulnerability will be exploited; High probability means a greater chance.
2. Assign similar ratings to impact. What you consider impact is up to you. If the exploitation of a vulnerability will affect your business greatly, assign it a High impact.
3. Assign a numeric value to the three levels — Low = 1, Medium = 2, and High = 3 — for both probability and impact.
4. Multiply the probability by the impact — you can think of this product as the risk level.

Then make a decision to develop protections for vulnerabilities that exceed a specific threshold for the product of probability and impact. For example, you may choose to handle all vulnerabilities with a probability-times-impact of greater than 6. If you want to characterize the probability and impact with finer gradations, pick a scale of 1 through 5 (for example) instead of 1 through 3, and follow the same steps as before.
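
The four steps and the threshold decision, worked through in Python as an added example (not code from the original text). The register ratings, the function names, and the scale_max parameter are assumptions made for illustration; the vulnerability names come from the list above.

```python
from itertools import product

# Step 3 of the procedure: Low = 1, Medium = 2, High = 3.
LEVELS = {"low": 1, "medium": 2, "high": 3}

def rating_value(rating, scale_max=3):
    """Convert a rating (Low/Medium/High label or an integer) to a number."""
    if isinstance(rating, str):
        key = rating.strip().lower()
        if key not in LEVELS:
            raise ValueError(f"unknown rating: {rating!r}")
        value = LEVELS[key]
    else:
        value = int(rating)
    if not 1 <= value <= scale_max:
        raise ValueError(f"rating {rating!r} is outside 1..{scale_max}")
    return value

def risk_level(probability, impact, scale_max=3):
    """Step 4: risk level = probability x impact."""
    return rating_value(probability, scale_max) * rating_value(impact, scale_max)

def prioritize(register, threshold, scale_max=3):
    """Return (name, risk level) pairs above the threshold, highest first."""
    scored = [(name, risk_level(p, i, scale_max)) for name, p, i in register]
    selected = [entry for entry in scored if entry[1] > threshold]
    return sorted(selected, key=lambda entry: entry[1], reverse=True)

def possible_levels(scale_max=3):
    """Every risk level the scale can produce (the cells of the matrix)."""
    values = range(1, scale_max + 1)
    return sorted({p * i for p, i in product(values, values)})

# Constructed register: names come from the list of typical vulnerabilities,
# the ratings are invented for illustration.
REGISTER = [
    ("People's foibles", "High", "High"),
    ("Operating system security holes", "Medium", "High"),
    ("Application security holes", "High", "Medium"),
    ("Third-party network providers", "Low", "High"),
    ("Internal network connections", "Low", "Medium"),
]

if __name__ == "__main__":
    print("levels on 1-3 scale:", possible_levels(3))
    for threshold in (6, 4):
        print(f"risk level > {threshold}:", prioritize(REGISTER, threshold))
```

On the 1-through-3 scale the product can only be 1, 2, 3, 4, 6, or 9, so a threshold of greater than 6 selects only the High-probability, High-impact entries. Lowering the threshold or moving to the 1-through-5 scale (integer ratings with scale_max=5) gives more room to separate the remaining risks.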
|