September 14th, 2003, 11:19 AM
Ummm... Isn't that like relying on just the administrator? Shouldn't the idea of whole security be layers of security that include the technology, good IS/Security Policy, educated users, and support and leadership from management (as in management actually doing what's in the IS/Sec policy)?
Originally posted here by catch
If this is the case, you're already lost. You should be relying on good IS policy and procedures to protect your system. The system administrators are incidental.
September 14th, 2003, 12:01 PM
Not at all, my point is different than the one you are making.
The point is that the security of a system should not be based upon the actions of any given employee, they should be based on a well formed foundation of ideals and practices. (which you more or less restated as layered security)
People tend to over state the roles of ibdividuals within the IS structure.
September 14th, 2003, 12:27 PM
I think you are completely missing the point here, as most sysadmins know what is going to screw their system(s) - and believe me most sysadmins do try their best to protect the systems they love (sorry - perhaps a bit over the top there).
I've been in meetings with higher managment when I have recommended a certain course of action, and been backed by my manager. The thing is, nobody else in the room has a f***ing clue what you are taking about. They would rather stick to company procedures, than look at what is happening in the real world.
Thankfully, I won the argument in this instance and prevented Blaster from getting out of control.
September 14th, 2003, 06:01 PM
mi2g is better as a source of humor than information. That study is far from scientific and not worth much more than the paper it is written on. http://vmyths.com/resource.cfm?id=64&page=1 shows the kind of crap they spew.
September 14th, 2003, 08:46 PM
This just means that your company needs to develop some better policies. System administrators, like programmers in a well defined organization really are not paid to think, they are paid to follow procedure and to do the tasks put on their lap. I know that many programmers/admins out there are not going to like that comment, but you should review the Carnigie Mellon maturity models if you don't want to take my word for it. Add in security concepts like need to know, seperation of duties, and role rotation and it really becomes clear.
They would rather stick to company procedures, than look at what is happening in the real world.
Regardless of your personal on the organization or the subject matter at hand the study points out a very serious issue with Linux. That issue is the complete lack of a Trusted Facility Manual for Linux. This leaves organizations with no quantitative definition of due care and or best practices. This means companies have even more work to do when establishing security guidelines and procedures and consequently they frequently are just not done. (Remember not only would you need to write them yourself, but you'd need to write them in a manner that your underwriters/insurers would agree with.)
mi2g is better as a source of humor than information. That study is far from scientific and not worth much more than the paper it is written on.
September 15th, 2003, 04:10 AM
Sorry about that, I've been working two jobs and looking for a new place. Not mush sleep as of late.
September 15th, 2003, 02:00 PM
I don't think it's true, this is like that : most of the viruses made for windows users but the number of hacking to Linux servers / Microsoft servers is the same.
but a good hacker can hack both... :-)
~^`^~ mess with the best, die like the rest ~^`^~
2) I\'m not an animel I\'m a humanbeing.
September 15th, 2003, 08:15 PM
So they are including 3rd party applications with it and not Linux solely versus Windows only and not the apps? Also, 51% of the attacks going against Linux isn't as huge as it seems. To me, what is more telling is the response by readers (both Windows and Linux readers): how the stats are derived would be interesting.
The data that was gathered was using real life situations. How many linux or windows systems sit out on the internet running just the base OS load? Not very many. Also given that most linux variants are loaded with a standard distribution that in many cases includes the vulnerable software is the main point that the article is trying to raise. If a windows system was successfully attacked via a vulnerability in Domino server, the attack would count against MS, not Novell. The report is meant to show the number of attacks occuring against real-world systems, running real-world software. It is not meant to be taken as an MS is better than linux type article.
The one thing that nobody has mentioned is the market share that MS has and the fact that even with an exponentially larger installed base of systems, MS still has less systems attacked via this method of reporting than linux. I think this shows a major push that Linux was trying to use to gain market share that in reality is not true. Which is that the OS itself is not more secure. I know of several web admins that have switched to linux because they thought they would be more secure systems to run. In a few of the cases the administrators did not have the skills that they needed to properly run a linux server, so the end result is a less secure system.
It should also be noted that in most cases this is only telling you about web defacements. If somebody broke into a SQL server running on Win2k, it wouldn't make it into this set of stats as that is not something you can just email to a web defacement archive and be able to verify. So the article would be more properly named "Linux more popular target amongst script kiddies."
September 15th, 2003, 10:04 PM
Another thing no one has mentioned is that NT retains its logs after a full system compromise, Linux does not. (that pesky failure to segregate admins and operators keeps biting them in the ass) So a much larger percentage of successful Linux compromises go undetected. (this is where open source is very bad because it becomes a trivial matter to trojan the kernel, the compiler, and the IDS system.)
PS. Some further reading for you all:
This article discusses RedHat's (SUSE has gone after the same objective) intent to seek CC CAPP-EAL2 evaluation. This means that the best they could get linux configured and document was EAL2 (because they can submit anything they want, just so long as that configuration is known.)
This is a paper by Dr. Jonathan Shapiro (of the EROS project) slapping around Windows 2000 for its CC CAPP-EAL4 evaluation saying how ineffective it is. (I completely agree.)
However, if the CAPP-EAL4 is weak... what does that make CAPP-EAL2?
With regard to security it means complete and utter garbage, CAPP-EAL4 is at least ok for single level environments and its microkernel architecture allows it to be extended quite easily (such as Argus' Protector)
As Linux becomes more and more common, you will see continually more and more successful compromises against it because it is an inferior system. Consider this remark from Dr. Shapiro:
"Security isn't something that a large group can do well. It is something achieved by small groups of experts. Adding more programmers and more features makes things worse rather than better. Microsoft has been adding features demanded by their customers for a very long time."
How many people have their hand in Linux? And at least MS has a central point of control.
September 15th, 2003, 10:31 PM
Catch, I know i'm a newbie and your a jr. member, but I have read some of your postings and have to ask one thing? Did Linux beat you as a child? You seem so negative about the OS, if microsoft is your thing then fine. But you seem to bad mouth linux whenever the chance arises? Just an observation.