Thoughts on 403

Emphasis on self-managed servers

Project 403 asks for training materials to teach users about security.

In this project we want to focus on users who manage a self-managed machine, and especially on those who have a self-managed server. Self-managed servers do need looking after. Sitting in a corner of a room for years, not being anyone's main everyday machine, these machines can be particularly vulnerable to being quietly hacked and infected with malware.

Someone needs to be in charge of them. That person has responsibilities. This project is about:

  1. identifying which of these responsibilities concern security.
  2. identifying the most basic and important of these.
  3. finding a way to teach them effectively to everyone responsible for such a machine.

If there is time, a Learn course will be produced, and it's envisaged that passing such a course would be compulsory for the managers of self-managed servers. If there isn't time, we'll knock up some explanatory web pages, hoping to grow them into a Learn course later on.

What do we want to say?

These, more or less, are the responsibilities laid on the machine manager by the self-managed policy:

  • Everyone using the machine is bound by the computing regulations.
  • If the machine is disruptive or compromised it'll be disconnected from the network.
  • Users must abide by the School's policies.
  • You must obey the law. (Notable laws: GDPR, freedom of information, RIPA.)
  • External networks come with Acceptable Use Policies.
  • You must keep its OS and software fully updated with security fixes.
  • You must configure the OS and software to be secure enough, too.
  • You must not create a wireless network without explicit permission.
  • You must agree to the University's periodical electrical safety tests.
  • If a vulnerability is identified, you must fix it in a timely manner.

We can add some more:

  • Keep it somewhere that's secure enough that it won't be either stolen or physically interfered with.
  • Somebody should be officially in charge of it - to take responsibility for the machine's security and for its basic management (managing user accounts and OS upgrades, for instance).
  • That somebody has to be currently in the School of Informatics!
  • They should document their management of the machine, such that someone else could take over the job if needed.
  • If/when the machine's manager leaves, someone else should take over the role.
  • Are you aware of how frequently disks can fail?
  • Given this, are you happy with the data backup arrangements?
  • Are you keeping offsite backups? Are they secure enough?
  • Is the machine using RAID?
  • If you're managing several machines, consider automating the configuration.
  • Does your machine need to be accessible by people outside Informatics, outside the University?
  • Are you aware of the constant, relentless hacking attempts which our externally visible machines are subjected to every day?
  • Who has access to the machine? Is everyone's login password adequately secure? Is everyone with access still meant to have it? Do you lose access to the machine when you leave the research project?
  • Was the machine externally funded? Did that funding come with security requirements, whether explicit or implied?
  • Given all this, are you sure that you don't want the computing staff to manage the machine for you?

Security?

Not all of these points are particularly about security. Some are simply things which the computing staff would prefer that the managers of such machines do - complying with the law, for instance, or making regular backups.

The dictionary defines security as freedom from danger or threat - but it's conventional to think of computer security as being concerned specifically with vulnerability to malicious attack.

If we use this latter sense, these would seem to be the most directly security-related points:

  • Keeping the OS and software updated with all security fixes.
  • Keeping the machine's configuration secure enough.
  • Fixing security problems quickly.
  • Keeping the machine in a secure enough place.
  • Accessibility from outside, and awareness of the extra threat that brings.
  • Keeping track of who has access; keeping their passwords secure; removing accounts when people no longer need access.

However, several other points are also about security, albeit indirectly, because they make it far more likely that effective measures will actually be taken.

  • There should always be someone with responsibility for the machine's management. If the manager leaves Informatics, someone else in Informatics should take over.
  • The manager should document what they do, or at least adequately train their replacement.
  • Knowing that compromised machines will lose their network connection.
  • Especially if there are more than one or two machines, consider automating your machine management, for instance with a configuration management tool.
  • Remember that if the computing staff manage your machine for you, you won't need to worry about most of this.

Also - what are we trying to keep secure here?

  • The physical hardware
    • The computer itself
    • Portable and removable components - e.g. GPUs, memory, SSDs.
  • The software
    • We're trying to prevent the software from being maliciously altered or replaced, or simply vandalised.
  • The data
    • Someone might want to destroy it.
    • Someone might want to steal it.
  • The service
    • Someone might want to take down the service.

How much would it matter if any of these happened?

Topic revision: r12 - 28 Jan 2020 - 15:44:31 - ChrisCooke