Microsoft NTFS permissions
Privileged Programs
Setuid (Set user ID) is a Linux and Unix is a file permission that makes an executable run with the permissions of a file’s owner and not the running user.
Setgid (Set Group ID) programs run with the permissions of a file’s group.
Attackers may attempt to trick the passwd command to alter other files. The integrity of all setuid and setgid programs on a system should be closely monitored.
Virtualization and Distributed Computing
Virtualization
Virtualization adds a software layer between an operating system and the underlying computer hardware allowing multiple guests operating systems to run simultaneously on one physical host. Vmware, QEMU and Xen.
Transparent Virtualization – Runs stock operating systems as virtual guests such as Windows 10, Ubuntu
Paravirutalization – runs specifically modified operating systems with modified kernel system calls. This may not be possible for closed operating systems such as Microsoft Windows.
Hypervisor
Controls access between virtual guests and host hardware.
Type 1 (bare metal) is part of an operating system that runs directly on host hardware such as Vmware ESX
Type 2 runs as an application on a normal operating system such as Vmware Workstation
Virtualization Benefits
Lower overall hardware costs, hardware consolidation, lower power and cooling needs. Snapshots allow administrators to create OS images that can be restored with a click of a mouse, making backup and recovery simple and fast, testing new OS, applications and patches can be quite simple. Clustering simplified.
Virtualization Security Issues
Complexity is the enemy of security. Never combine guests with different security requirements (such as DMZ and internal) onto one host. VMEscape allows exploits on the host OS or a guest from another guest. Many network based security tools, such as NIDS connected to a physical SPAN port or tap cannot see traffic passing from one guest to another. There’s a shift to virtual network devices going forward.
Cloud Computing
- Public Cloud Computing – outsources IT infrastructure, storage or applications to a 3rd party provider allowing geographic diversity and large providers to leverage economies of scale
- IaaS – Infrastructure as a service – Provides entire virtualized OS, which the customer configures from OS up.
- PaaS – Platform as a service – provides pre-configured OS and the customer configures the application
- SaaS – Software as a service – is completely configured from OS to application where the customer simply uses the application
- Private Cloud – House data for a single organization and maybe operated by a 3rd party or organization itself. Government clouds are designed to keep data an resources geographically contained within the borders of one country.
Benefits include reduced upfront capital, reduced maintenance costs, robust levels of service, and overall operational cost savings. Security considerations include, require strict SLAs, and understanding new sources of risks, multiple organizations’ guest running on same host, compromise of one leads to other customers, preconfigured OS introduces risk via insecure configurations.
Organizations should negotiate specific rights before signing contract with cloud provider. These rights include right to audit, right to conduct vulnerability assessment, right to conduct penetration test.
Where is the data? Public clouds may move data to any country beyond the jurisdiction of organization’s home country where laws such as HIPAA or GLBA have no effect.
