Some security sins never change, but new threats offer new opportunities to make mistakes.
Not too long ago, SearchOpenSource.com talked to Bob Toxen, security consultant and author of "Real World Linux Security" about the "seven deadly sins" of Linux security.
What may be most surprising is not that this new list now includes more than the original seven sins, but that the first seven have remained intact even with millions if not billions of dollars poured into the security space by companies worldwide.
Inadequate password practices and protection, general procrastination, and inefficient resource allocation all still top the list. Why? In the words of one anti-virus expert, it's because "that's just how people are."
But even if people plan on being people for the foreseeable future, they can help themselves by reading and learning from the most common security snafus, listed below.
Some are brand new, arriving as technology advances through the years, but noticeably it is the ones that have remained that could be most troubling to any IT shop running Linux in the data center.
Deadly sin No. 1: Using weak and default passwords.
Some administrators have been burned by people so many times that this sin is the least likely of the original seven sins to still exist, but Reno, Nev.-based Bytware Inc. CEO Michael Grant said this problem still remains.
Deadly sin No. 2: Leaving network ports open.
It is the administrator who thinks they can outsmart the virus writers that usually ends up getting burned first. "We have customers who have told us that they don't allow anything but port 80, and that they think that has them covered – but that's just a result of a lack of knowledge," Grant said.
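As an added example (not from the article, Bytware or Mr. Grant), here is a small POSIX shell audit that takes listening sockets in `ss -Hltun` format and reports any that are not on a written allowlist of "proto/port" entries; the sample socket listing is constructed, and the `ss` command itself is only invoked by the optional live helper.

```shell
#!/bin/sh
# Added example: report listening sockets that are not on an explicit allowlist.
# unexpected_ports "tcp/22,tcp/80" reads `ss -Hltun` lines on stdin, where
# column 1 is the protocol and column 5 is "address:port" of the local socket.
# Loopback-only listeners are reported too; deciding they are harmless is the
# administrator's call, not the script's.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            port = $5
            sub(/.*:/, "", port)           # keep only what follows the last ":"
            key = $1 "/" port
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample in the shape of `ss -Hltun` output (not a real host).
SAMPLE_SS_OUTPUT='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*'

# Run the audit over the constructed sample with a web+ssh allowlist.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_ports "tcp/22,tcp/80"
}

# Run the audit on the current host (requires iproute2's `ss`).
audit_live() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 2; }
    ss -Hltun | unexpected_ports "$1"
}

audit_sample
```

On the sample this prints `tcp/3306` and `udp/161`, the two listeners the "only port 80" mindset would never have checked for.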
Deadly sin No. 3: Running old software versions.
Not only application software, but also your anti-virus software. Grant mentioned several customer cases he has seen where a new virus was able to disable older, out-of-date anti-virus software, infect the computer, and then replace the anti-virus icon in the menu toolbar with a fake to mimic the appearance of functional software.
Deadly sin No. 4: Running insecure and badly configured programs.
"You would think that as technology has progressed, and as new versions are released, that things would get better, but the trend has been things have gotten worse," Grant said.
People are doing more and more with each piece of new technology, Grant explained, and with each new piece a new vulnerability is born. "People don't take the time to learn [new technologies]. As an example look at wireless – you plug it in, and don't even read the manual. [Meanwhile] everyone in your complex is using it for access," he said.
Deadly sin No. 5: Having insufficient resources and misplaced priorities.
Nothing can be more misplaced or out of touch than an administrator who thinks they know more about viruses than the people who write them. "What we see a lot of times is folks who try to understand how viruses work and implement in their security layer things they think are virus proof," Grant said.
As an example, Grant said one user set their system to filter out file suffixes known to carry viruses, such as .exe and .com. However, the user allowed SH8 files through the filter because they considered them a "relatively harmless" file type that they did not believe could contain a virus.
Deadly sin No. 6: Failing to delete stale and unnecessary accounts.
As long as there are layoffs and employee terminations, there will be a need to erase any access that the employee had. This sin has remained relatively unchanged in size and scope since Toxen recited it in 2003.
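As an added example (not from the article or its interviewees), here is a POSIX shell audit for exactly this sin: it cross-references `/etc/passwd` with the output of `lastlog -b DAYS` to list interactive accounts that have not logged in for DAYS days, so they can be disabled or removed. The passwd and lastlog contents below are constructed; the live helper reads the real files.

```shell
#!/bin/sh
# Added example: find interactive accounts with no login in the last N days.
# stale_accounts PASSWD_TEXT LASTLOG_TEXT
#   PASSWD_TEXT  - contents of /etc/passwd
#   LASTLOG_TEXT - output of `lastlog -b DAYS` (records older than DAYS days;
#                  accounts that never logged in are included by lastlog)
# Prints one username per line for accounts with uid >= 1000 whose login
# shell is not nologin/false and whose lastlog record is stale.
stale_accounts() {
    printf '%s\n' "$1" | awk -F: -v lastlog="$2" '
        BEGIN {
            n = split(lastlog, lines, "\n")
            for (i = 2; i <= n; i++) {          # line 1 is the lastlog header
                split(lines[i], f, " ")
                if (f[1] != "") stale[f[1]] = 1
            }
        }
        $3 >= 1000 && $7 !~ /(nologin|false)$/ && ($1 in stale) { print $1 }'
}

# Constructed sample data (not from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob (left 2003):/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/sh
svc-backup:x:1003:1003::/var/backups:/usr/sbin/nologin'

SAMPLE_LASTLOG='Username         Port     From             Latest
root                                       **Never logged in**
bob              pts/1    10.0.0.7         Tue Jun 10 08:01:12 +1000 2003
svc-backup                                 **Never logged in**
carol                                      **Never logged in**'

# Audit the constructed sample.
audit_sample() {
    stale_accounts "$SAMPLE_PASSWD" "$SAMPLE_LASTLOG"
}

# Audit the current host; reading /var/log/lastlog completely needs root.
audit_live() {
    days="${1:-90}"
    stale_accounts "$(cat /etc/passwd)" "$(lastlog -b "$days")"
}

audit_sample
```

On the sample this prints `bob` and `carol`; root and the nologin service account are skipped because they are not interactive user accounts, and alice is absent because lastlog did not report her as stale.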
Deadly sin No. 7: Procrastinating.
Grant said that this sin, especially, was "very much still there." There is very little that can be done about a chronically procrastinating administrator other than perhaps finding a new administrator. "People still know that they need to update software, but they are too busy. They're either too thin on resources or they don't get around to a task until it is too late," he said.
Deadly sin No. 8: Ignoring your servers.
Give those Linux servers a hug once in a while, and stop thinking about the desktops so often. "The sin is putting updated protection on the desktop and ignoring your servers," Grant said. "A lot of times people ignore the server, but isn't it a lot easier to put something [on the server] where it helps everyone, and not just on PCs?"
Grant advised that every shop should have protection on PCs, but not as your only defense. That is a secondary defense, an additional security layer, he said.
Deadly sin No. 9: Don't assume your perimeter will protect you.
Too many companies have a security model of a hard outer shell with softer security internally, said James Turnbull, a security consultant with the Commonwealth Bank of Australia.
"With the rise of wireless, Bluetooth and mobile devices this is no longer a model that protects you. You need to harden your organization's external perimeter and your hosts internally," he said.
Deadly sin No. 10: Risk.
Turnbull said too many of today's security decisions are made without adequate rationale. "Don't just buy the latest upgrade or fad," he said. "Make all security purchasing and architecture decisions based on risk. Review your environment, assess the level of risk using a proven risk standard/methodology such as AS4360 or the like and then target the high risk items for remediation."
Most importantly, remember that technical risk means nothing to the business. Users must communicate risk in terms that the business side of the organization will understand.
"The best method is usually to measure risk in terms of dollars and cents. If your business people already understand market and/or credit risk then they'll quickly grasp the concept," he said.
Deadly sin No. 11: Business focus and negotiation.
In today's world the first thing any security professional has to remember is that they exist to enable their organization to do business. No longer can security professionals behave in a dictatorial manner and issue blanket refusals.
If an application or piece of infrastructure that the business requires in order to do business is not secure, Turnbull said, then you need to negotiate its use with the end users rather than deny them that use. Introduce controls and mitigation for any security risks, then present any residual risk to the business and allow them to accept that risk.