Tuesday, October 7, 2008
Live CD Assignment Three
Damn Small Linux or DSL is a free operating system for the x86 family of personal computers. It was designed to run graphical applications on older PC hardware—for example, machines with 486/early Pentium processors and very little memory. I have chosen this Live CD as it shows that an OS can be as small as 50 MB and can be used in machines that are quite old where the memory of the machine could be really low.
DSL consists of three types of technical controls –
Support (Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls),
Prevent (Preventive controls focus on preventing security breaches from occurring in the first place) and
Detect and Recover (These controls focus on detecting and recovering from a security breach).
DSL follows these security principles:
Computer Security Supports the Mission of the Organization,
Computer Security is an Integral Element of Sound Management,
Computer Security Should Be Cost-Effective,
Systems Owners Have Security Responsibilities Outside Their Own Organizations,
Computer Security Responsibilities and Accountability Should Be Made Explicit,
Computer Security Requires a Comprehensive and Integrated Approach,
Computer Security Should Be Periodically Reassessed and
Computer Security is Constrained by Societal Factors.
Other principles specific to Live CDs could be added, but NIST 800-14 only gives general security principles for organizations and people to follow.
DSL has the following security practices,
Policy,
Program Management,
Risk Management,
Life Cycle Planning,
Personnel/User Issues,
Preparing for Contingencies and Disasters,
Computer Security Incident Handling,
Awareness and Training,
Security Considerations in Computer Support and Operations,
Physical and Environmental Security,
Identification and Authentication,
Logical Access Control,
Audit Trails and
Cryptography.
Damn Small Linux was primarily designed for users of older machines with little memory. DSL supports only x86 PCs. The minimum system requirements are a 486 processor and 8 MB of RAM. DSL has been demonstrated browsing the web with Dillo, running simple games and playing music on systems with a 486 processor and 16 MB of RAM.
The applications on DSL are as follows:
Browser: Dillo
The Dillo browser in Damn Small has been enhanced: it supports SSL, tabs and frames.
Browser: Netrik
A handy and tiny text based browser.
Browser: FireFox
The Firefox used in DSL is built with GTK1.2 bindings and is i386-compatible.
Email: Sylpheed
Sylpheed is an e-mail client and news reader based on GTK+ and running on X Window System.
File Manager: emelFM
emelFM is a file manager that implements the popular two-pane design. It features a simple GTK+ interface, a flexible filetyping scheme, and a built-in command line for executing commands without opening an xterm. Its features are listed below:
Simple Interface
Bookmarks and History Lists
Flexible filetyping scheme
Multiple actions selectable for each filetype
Filename, Size, and Date Filters
Built-In Command Line
User-defined menu
Configurable Keyboard bindings
Configurable Toolbar
Runtime loadable plugins
Window Manager: FluxBox
Fluxbox is based on the famous BlackBox, but with some really nice enhancements.
Window Manager: JWM
A particularly light version of JWM, which gives a familiar PC interface while being exceedingly light on RAM.
Therefore, it is safe to conclude that the DSL Live CD is worth using in environments where security is required and the system memory is low and the processor is an old one.
References
[1] http://unokitty.freehostia.com/
[2] http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf
[3] http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
[4] http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
[5] http://www.damnsmalllinux.org/
[6] http://en.wikipedia.org/wiki/Damn_Small_Linux
Blog Page : sunil86s.blogspot.com
Monday, October 6, 2008
Live CD Assignment Two
| | Knoppix | Puppy Linux | Damn |
| Purpose | Knoppix can be used to back up | Puppy Linux is a Live CD Linux distribution that is very small and focuses on ease of use. If the computer has at least 256 MB of RAM, the entire operating system and all the applications will run from RAM, allowing the boot medium to be removed after the operating system starts. | Damn |
| Size | The size ranges from traditional Compact Disc | Puppy Linux ranges from 40 MB to 333 MB | DSL is a |
| Users | Knoppix is used | Puppy Linux is used by people where the OS on the hard-drive fails and those people want to recover the data on the disk. | DSL was |
| Requirements | Requirements to run Knoppix: Intel-compatible processor 32 MB of RAM Bootable Standard Serial or | Minimum requirements for Puppy Linux are: CPU: Pentium 166MMX | DSL |
| Latest Version | Version: 5.3.1 Date 2008-03-27 | Version: 4.00 "Dingo" Date 2008-05-04 | Version: 4.4.6 Date 2008-09-28 |
Friday, September 19, 2008
NIST 800-14
The network of computers around the world is growing rapidly. The need for security is proportional to the growth of this network. As the need for security grows, so does the need for Standards and Practices. NIST 800-14 is a document that contains general Standards and Practices that are to be implemented.
The National Performance Review (NPR) recommended as part of the National Information Infrastructure (NII) that the National Institute of Standards and Technology (NIST) develop generally accepted system security principles and practices for the federal government. These security principles and practices are to be applied in the use, protection, and design of government information and data systems, particularly front-line systems for delivering services electronically to citizens. The need for rules, standards, conventions and procedures that define accepted security practices was outlined in the 1991 National Research Council document Computers At Risk. Their recommendation called for the development of a comprehensive set of generally accepted system security principles (GSSP) which would clearly articulate essential security features, assurances, and practices. Work began on implementing the Computers At Risk recommendation in 1992 by several national and international organizations with an interest in computer security.
The Organization for Economic Co-operation and Development's (OECD) Guidelines for the Security of Information Systems were developed in 1992 by a group of international experts to provide a foundation from which governments and the private sector, acting singly and in concert, could construct a framework for securing IT systems. The OECD Guidelines are the current international guidelines which have been endorsed by the
The principles address computer security from a very high-level viewpoint. The principles are to be used when developing computer security programs and policy and when creating new systems, practices or policies. Principles are expressed at a high level, encompassing broad areas, e.g., accountability, cost effectiveness, and integration.
The practices guide organizations on the types of controls, objectives and procedures that comprise an effective IT security program. The practices show what should be done to enhance or measure an existing computer security program or to aid in the development of a new program. The practices provide a common ground for determining the security of an organization and build confidence when conducting multi-organizational business. The document provides the practices in a checklist format to assist organizations in reviewing their current policies and procedures against the common practices.
The document describes eight principles and fourteen practices. Each of the principles applies to each of the practices. The nature of the relationship between the principles and the practices varies. In some cases, practices are derived from one or more principles; in other cases practices are constrained by principles. For example, the Risk Management Practice is directly derived from the Cost-Effectiveness Principle. However, the Comprehensive and Reassessment Principles place constraints on the Risk Management Practice.
| | Principles | Practices |
| 1 | Computer Security Supports the Mission of the Organization | Policy (Program Policy, Issue-Specific Policy, System-Specific Policy) |
| 2 | Computer Security is an Integral Element of Sound Management | Program Management (Central Security Program, System-Level Program) |
| 3 | Computer Security Should Be Cost-Effective | Risk Management (Risk Assessment, Risk Mitigation, Uncertainty Analysis) |
| 4 | Systems Owners Have Security Responsibilities Outside Their Own Organizations | Life Cycle Planning (Initiation Phase, Development/Acquisition Phase, Implementation Phase, Operation/Maintenance Phase, Disposal Phase) |
| 5 | Computer Security Responsibilities and Accountability Should Be Made Explicit | Personnel/User Issues (Staffing, User Administration) |
| 6 | Computer Security Requires a Comprehensive and Integrated Approach | Preparing for Contingencies and Disasters (Identify Resources, Develop Scenarios, Develop Strategies, Test and Revise Plan) |
| 7 | Computer Security Should Be Periodically Reassessed | Computer Security Incident Handling |
| 8 | Computer Security is Constrained by Societal Factors | Awareness and Training |
| 9 | | Security Considerations in Computer Support and Operations |
| 10 | | Physical and Environmental Security |
| 11 | | Identification and Authentication |
| 12 | | Logical Access Control (Access Criteria, Access Control Mechanisms) |
| 13 | | Audit Trails (Audit Trail Records, Audit Trail Security, Audit Trail Reviews, Keystroke Monitoring) |
| 14 | | Cryptography |
The table above shows the eight principles and the fourteen practices described in the document. It is therefore recommended that every person and every organization follow NIST 800-14 for the general principles and practices for securing their workplaces or technology in a better way.
References
[1] http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
[2] http://unokitty.freehostia.com/
Thursday, September 11, 2008
NIST 800-30
- What is the National Institute of Standards and Technology (NIST)?
NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.
- What role does NIST play in information assurance?
The NIST Information Assurance Framework consists of the standards and guidelines for federal information systems that are not designated as national security systems. The guidelines are not mandatory and binding standards.
- What is the purpose of NIST Special Publication 800-30?
The purpose is to provide a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems.
- What is the principal goal of an organization’s risk management process?
The principal goals of an organization’s risk management process are:
(1) Securing the IT systems that store, process, or transmit organizational information
(2) Enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget
(3) Assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.
- According to NIST, what three processes compose risk management?
Risk management encompasses three processes:
(1) Risk Assessment,
(2) Risk Mitigation,
(3) Evaluation and Assessment.
- How does risk management relate to the System Development Life Cycle (SDLC)?
| SDLC Phases | Phase Characteristics | Support from Risk Management Activities |
| Phase 1—Initiation | The need for an IT system is expressed and the purpose and scope of the IT system is documented | Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy) |
| Phase 2—Development or Acquisition | The IT system is designed, purchased, programmed, developed, or otherwise constructed | The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development |
| Phase 3—Implementation | The system security features should be configured, enabled, tested, and verified | The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation |
| Phase 4—Operation or Maintenance | The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures | Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces) |
| Phase 5—Disposal | This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software | Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner |
- NIST 800-30 defines seven IA “key roles”. Name and briefly describe them.
• Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.
• Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management program.
• System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.
• Business and Functional Managers. The managers responsible for business operations and IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.
• ISSO. IT security program managers and computer security officers are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.
• IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.
• Security Awareness Trainers (Security/Subject Matter Professionals). The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.
- How does NIST 800-30 define a risk?
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
- How does NIST 800-30 define a threat?
Threat is defined as the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
- How is a threat source defined? In your answer, name three common threat sources.
Threat source is defined as either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
The three common threat sources are:
Natural Threats—Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
Human Threats—Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).
Environmental Threats—Long-term power failure, pollution, chemicals, liquid leakage.
- How does NIST 800-30 define vulnerability?
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
- According to NIST, whose responsibility is IT Security? (technical or management)
IT security is the responsibility of management, as they have to take care of who is assigned what and are responsible for how secure an organization is.
- Used appropriately, what does a security control accomplish?
Security controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information. Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization’s mission.
- Define, compare, and contrast technical controls, management controls, and operational controls.
Technical Security Controls
Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware. All of these measures should work together to secure critical and sensitive data, information, and IT system functions. Technical controls can be grouped into the following major categories, according to primary purpose:
• Support: Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls.
• Prevent: Preventive controls focus on preventing security breaches from occurring in the first place.
• Detect and Recover: These controls focus on detecting and recovering from a security breach.
Management Security Controls
Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization’s mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions.
Management security controls (preventive, detection, and recovery) are implemented to reduce risk.
Operational Security Controls
An organization’s security standards should establish a set of controls and guidelines to ensure that security procedures governing the use of the organization’s IT assets and resources are properly enforced and implemented in accordance with the organization’s goals and mission. Management plays a vital role in overseeing policy implementation and in ensuring the establishment of appropriate operational controls. Operational controls, implemented in accordance with a base set of requirements (e.g., technical controls) and good industry practices, are used to correct operational deficiencies that could be exercised by potential threat-sources. To ensure consistency and uniformity in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented, and maintained.
- How can the adverse impact of a security event be described?
The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability, and confidentiality.
- Describe the difference between quantitative and qualitative assessment?
The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. The disadvantage of the qualitative analysis is that it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult.
The major advantage of a quantitative impact analysis is that it provides a measurement of the impacts’ magnitude, which can be used in the cost-benefit analysis of recommended controls. The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner.
- Name and describe six risk mitigation options.
Risk mitigation is a systematic methodology used by senior management to reduce mission risk.
Risk mitigation can be achieved through any of the following risk mitigation options:
• Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
• Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
• Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
• Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
• Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
• Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
- Name and describe the three control categories.
Technical Security Controls
Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware. All of these measures should work together to secure critical and sensitive data, information, and IT system functions.
Management Security Controls
Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization’s mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions.
Operational Security Controls
An organization’s security standards should establish a set of controls and guidelines to ensure that security procedures governing the use of the organization’s IT assets and resources are properly enforced and implemented in accordance with the organization’s goals and mission. Management plays a vital role in overseeing policy implementation and in ensuring the establishment of appropriate operational controls.
- Define residual risk.
Implementation of new or enhanced controls can mitigate risk by
• Eliminating some of the system’s vulnerabilities (flaws and weakness), thereby reducing the number of possible threat-source/vulnerability pairs
• Adding a targeted control to reduce the capacity and motivation of a threat-source
• Reducing the magnitude of the adverse impact
The risk remaining after the implementation of new or enhanced controls is the residual risk.
ID theft
Rapper DMX Charged With Medical Identity Theft
The above given headline is from the link http://www.bloggernews.net/116836.
I had selected this article just to show that the ID theft is not only related to the financial field but also to the medical field as well where a person could steal another’s identity to get diagnosis or insurance for a medical reason.
This news article is also important for the fact that not only does the ID theft affect people in the financial matters but also health-wise, where a person could get a wrong treatment for his disease if his ID was stolen by someone else who gives a different ailment. Some people may also fail a medical test for employment.
Wednesday, September 10, 2008
Live CD
A Live CD is one that contains an operating system that is run upon boot. The operating system is not installed to the hard disk, but rather runs from the CD. A Live CD does not change the operating system already installed in the hard disk or any of the data on it. It only changes the data on the hard disk if it is asked to.
When Windows was the common Operating System and Linux had to be installed on the computer, the disk had to be partitioned for the Linux Operating System. This became a tedious process and even though the Linux Operating System was an Open-Source one, nobody used it just because of the complexity of partitioning their hard disks. The first Linux-based live CD was Yggdrasil Linux (went out of production in 1995), though in practice it did not function well due to the low throughput of then-current CD-ROM drives. The Debian-derived Linux distribution Knoppix was released in 2003, and found popularity as both a rescue disk system and as a primary distribution in its own right. Since 2003, the popularity of live CDs has increased substantially, partly due to Linux Live scripts and remastersys which made it very easy to build customized live systems[1]. KNOPPIX is a bootable CD or DVD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals[2]. Knoppix was the first major Linux live CD that was produced with security interests in mind, although it has been used for many other purposes. Many of the tools regarding Live CD were based on Knoppix to some degree.
The Live CD is much more secure than an ordinary operating system on a desktop/laptop: the vulnerabilities and threats involved are fewer than on a normal desktop/laptop, so the risk is lower, because the OS sits separately on the CD and it is difficult to hack into the information that is available on the hard drive. Live CDs are unique in the sense that a computer running a Live CD can run without a high-capacity hard disk drive.
Hence the Live CD contains an operating system that can be booted directly from the CD, which carries much less risk and is more secure than a desktop installation. A Live CD also does not need to be installed onto a computer to be used, which makes it easier to work with.
References
[1] http://en.wikipedia.org/wiki/Live_CD
[2] http://www.knopper.net/knoppix-info/index-en.html
[3] http://unokitty.freehostia.com