Unix Systems security and security evaluation criteria

Agenda Overview of UNIX Flavors and versions of UNIX Open source vs proprietary software Security evaluation criteria Ten general security rule

Flavors and versions of UNIX Following are the example of The proprietary flavors of unix that have been designed to run only (or mainly) on proprietary hardware sold by the same company – AIX - developed by IBM for use on its mainframe computers – BSD/OS - a commercial version of BSD developed by Wind River for Intel processors – HP-UX - developed by Hewlett-Packard for its HP 9000 series of business servers – IRIX - developed by SGI for applications that use 3-D visualization and virtual reality – QNX - a real time operating system developed by QNX Software Systems primarily for use in embedded systems – Solaris - developed by Sun Microsystems for the SPARC platform and the most widely used proprietary flavor for web servers – Tru64 - developed by Compaq for the Alpha processor

Flavors and versions of UNIX Others are developed by groups of volunteers who make them available for free. Among them are: – Linux - the most popular and fastest growing of all the Unix-like operating systems – FreeBSD - the most popular of the BSD systems (all of which are direct descendants of BSD UNIX, which was developed at the University of California at Berkeley) – NetBSD - features the ability to run on more than 50 platforms, ranging from acorn26 to x68k – OpenBSD - may have already attained its goal of becoming the most secure of all computer operating systems – Darwin - the new version of BSD that serves as the core for the Mac OS X

Open source vs. Proprietary software Open source software – Some example are Linux distribution, PHP, Apache, gdb, XML, gcc, java, perl etc Proprietary software – Example are Microsoft windows, Exchange server, Adobe Acrobat, Photoshop, Mac os etc

Security evaluation criteria Computer security evaluation? – is the detailed examination and testing of the security features of an IT system or product to ensure that they work correctly and effectively and do not show any logical vulnerabilities. – It includes a claimed level of Assurance that determines how rigorous the evaluation is. Criteria – Criteria are the "standards" against which security evaluation is carried out.

Security evaluation criteria TCSEC(Trusted Computer System Evaluation Criteria) – The US Department of Defense published the first criteria in 1983 as the TCSEC – more popularly known as the "Orange Book". – The current issue is dated – The US Federal Criteria were drafted in the early 1990s as a possible replacement but were never formally adopted. ITSEC (Information Technology Security Evaluation Criteria) – During the 1980s, the UK, Germany, France and the Netherlands produced versions of their own national criteria. These were harmonised and published as the ITSEC.

Security evaluation criteria Common Criteria – The Common Criteria represents the outcome of international efforts to align and develop the existing European and North American criteria. – The Common Criteria project harmonizes ITSEC, CTCPEC (Canadian Criteria) and US Federal Criteria (TCSEC)into the Common Criteria for Information Technology Security Evaluation (CC) for use in evaluating products and systems and for stating security requirements in a standardized way.

Ten general security rule Rule 1: Security Through Obscurity Doesn't Work Rule 2: Full Disclosure of Bugs and Holes Benefits Security Rule 3: System Security Degrades in Direct Proportion to Use Rule 4: Do It Right Before Someone Does It Wrong For You Rule 5: The Fear of Getting Caught is the Beginning of Wisdom

Ten general security rule Rule 6: There's Always Someone Out There Smarter, More Knowledgeable, or Better- Equipped Than You Rule 7: There Are No Turnkey Security Solutions Rule 8: Good and Evil Blend into Gray Rule 9: Think Like the Enemy Rule 10: Trust is a Relative Concept