Security Today; Standardizing Security - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual


Chapter 42. Security Overview

42.1.1.2. Security Today

In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the
most heavily-trafficked sites on the Internet. The attack rendered yahoo.com, cnn.com, amazon.com,
fbi.gov, and several other sites completely unreachable to normal users, as it tied up routers for
several hours with large-byte ICMP packet transfers, also called a ping flood. The attack was brought
on by unknown assailants using specially created, widely available programs that scanned vulnerable
network servers, installed client applications called trojans on the servers, and timed an attack with
every infected server flooding the victim sites and rendering them unavailable. Many blame the attack
on fundamental flaws in the way routers and the protocols used are structured to accept all incoming
data, no matter where or for what purpose the packets are sent.

Currently, an estimated 945 million people use or have used the Internet worldwide (Computer
Industry Almanac, 2004). At the same time:
• On any given day, there are approximately 225 major incidents of security breach reported to the
CERT Coordination Center at Carnegie Mellon University.
• In 2003, the number of CERT-reported incidents jumped to 137,529 from 82,094 in 2002 and from
52,658 in 2001.
• The worldwide economic impact of the three most dangerous Internet viruses of the last three years
was estimated at US$13.2 billion.

Computer security has become a quantifiable and justifiable expense for all IT budgets. Organizations
that require data integrity and high availability elicit the skills of system administrators, developers,
and engineers to ensure 24x7 reliability of their systems, services, and information. Falling victim to
malicious users, processes, or coordinated attacks is a direct threat to the success of the organization.
Unfortunately, system and network security can be a difficult proposition, requiring an intricate
knowledge of how an organization regards, uses, manipulates, and transmits its information.
Understanding the way an organization (and the people that make up the organization) conducts
business is paramount to implementing a proper security plan.

42.1.1.3. Standardizing Security

Enterprises in every industry rely on regulations and rules that are set by standards-making bodies
such as the American Medical Association (AMA) or the Institute of Electrical and Electronics
Engineers (IEEE). The same ideals hold true for information security. Many security consultants and
vendors agree upon the standard security model known as CIA, or Confidentiality, Integrity, and
Availability. This three-tiered model is a generally accepted component of assessing risks to sensitive
information and establishing security policy. The following describes the CIA model in further detail:
• Confidentiality — Sensitive information must be available only to a set of pre-defined individuals.
Unauthorized transmission and usage of information should be restricted. For example,
confidentiality of information ensures that a customer's personal or financial information is not
obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.
• Integrity — Information should not be altered in ways that render it incomplete or incorrect.
Unauthorized users should be restricted from the ability to modify or destroy sensitive information.
• Availability — Information should be accessible to authorized users any time that it is needed.
Availability is a warranty that information can be obtained with an agreed-upon frequency and
timeliness. This is often measured in terms of percentages and agreed to formally in Service Level
Agreements (SLAs) used by network service providers and their enterprise clients.