File System SecurityRobert “Bobby” Roy

And Chris “Sparky” Arnold

Overview

• What we are going to cover• Brief History• File Systems• General Security Practices• Specific Practices for File Systems

What is File System Security?

File system security: the policies and procedures for ensuring the protection of one’s files and file systems.

History of File System Security

• Roots• Sensitive information was originally kept in

file cabinets and other such physical barriers.

• Effective at keeping files from those who were not allowed to access them.

History of File System Security

• Relevance• Transition from analog to digital file

systems.• Ideas put forth in the analog age of file

systems are still relevant in digital security.• Barriers• Locks (Passwords)• Authorities (Administrators)

History of File System Security

• Networking• File system security became more

important to digital systems as they became networked together.

• Access to systems and also the files within the systems.

Types of File Systems

• Disk• Database• Network• Transactional/Special

Types of File Systems

• Disk• A system for organizing and storing files

on a physical drive.• Hard Drive, Removable Storage, etc.

• Does not have to be directly connected to the computer.

• Many Different types• Windows: NTFS, FAT32 (Primitive)• Linux: ext, ext2, ext3, ext3cow, ext4

Types of File Systems

• Database• Newer concept of managing files.• Instead of hierarchy or structure, files are

sorted by characteristics, type, or other such metadata.

An example of a characteristic is Eye Color

Types of File Systems

• Network• Protocol for remote access on a server

• Common types: NFS, SMB, AFP, 9P• Similar (Structurally): FTP, WebDAV

Types of File Systems

• Transactional/Special• Transactional

• Logs events, transactions, or changes• Groups related changes

• Used often in banking software

• Special• Not Disk or Network• Includes systems where files are arranged

dynamically by software• Used for temporary storage

General Security Practices

• Entity Authentication• Properties of an entity (what it has, is, etc.)

• Usernames & Passwords• Password defenses

• Checkers, generators, aging, limiting logins

• Protecting password file• Cryptography

• Encryption algorithms• Securing data transactions

Access Control

• Access control refers to how subjects may manipulate objects• Halts users from accessing restricted files

• It determines what privileges (if any) a user has over a particular object• Observe• Alter

Access Control: Windows NT

• Types of permissions:• Read• Write• Execute• Changing of ownership• Changing permissions• Delete

Access Control: UNIX

• Types:• Read• Write• Execute

• For files and directories, respectively:• View contents, view contents• Append, rename/create• Run, search within

With 777 you have permission to access this bread.

Security Models

• Types of security models:• Bell-LaPadula (BLP)• Clark-Wilson• Biba• Harrison-Ruzzo-Ullman (HRU)

Types of File System Security

• In:• Disk File Systems• Database File Systems• Network File Systems

Disk File System Security

• Tactics:• Encryption• Access Control

• Passwords• Permissions

By denying access by some users to certain files, you can protect the files data and integrity.

Disk File System Security

• Workarounds:• Encryption:

• Stealing secret keys• Breaking secret keys

• Access Control:• Interception of password• Social engineering• Brute force attacks on passwords

Disk File System Security

• Prevention:• Encryption:

• More powerful ciphers• Regular changing of encryption scheme

• Access Control:• Password defenses

• checkers• generators• aging • limiting logins

• Employ awareness of social engineering vulnerabilities

Database File System Security: Apache

• Permissions• Restrict access to upper level files

• SSI (Server Side Includes)• These extra features can create weakness

within a database

• Protect system settings within config files

Database File System Security: Oracle

• Virtual Private Database• customizable, policy-based access control down

to the row level

• Data Encryption• Protects data, even in media theft

• Enterprise User Security• Centralized security management

• Secure Application Roles• Powerful way of setting access control

• Enterprise Manager Grid Control• Tools for setting configurations

Database File System Security: MySQL

• Take the time to audit SQL logins for null or weak passwords

• Frequently check group and role memberships • Physically secure the SQL Server • Enable logging of all user login events • Disable SQL Mail capability unless absolutely

necessary • Remove the Guest user from databases to keep

unauthorized users out • Secure the “sa” account with a strong password • Choose only the network libraries you absolutely

require

Network File System Security

• Entity authentication• Firewall• Intrusion Prevention System (IPS)• Honeypots

• Decoy server containing fake, desirable information which is easily accessible used to lure away attackers and record their activity

Summary

We covered the history of file system security, basic theory, types of file systems, security for those systems, and potential threats.

?Well science shows that general policies, such as

access control, password protection, permissions, encryption, and roles can significantly improve security on any kind of file system.

QUESTIONS?!1?!1?!?!?!!!!ONE

Chris uses Windows XP Media Center Edition 2005 sp2

Bobby uses the Ubuntu release Edgy