Chapter 7: Operating System Security
Operating system security refers to the protective measures and technologies designed to safeguard an
operating system (OS) from unauthorized access, use, disclosure, disruption, modification, or
destruction.
In this chapter we cover three topics: threats and vulnerabilities in operating systems, access control
mechanisms and policies, and security mechanisms and techniques.
A. Threats and vulnerabilities in operating system
Operating systems face many threats and contain many vulnerabilities. A threat is something that can cause harm (an attacker, a piece of malware, a flood of traffic); a vulnerability is a weakness in the system that a threat can exploit. The main ones are listed below.
a. Threats to Operating Systems
1. Malware: Viruses, worms, trojans, spyware, ransomware, and adware can harm the OS, applications,
and data.
2. Unauthorized Access: Attackers exploiting weaknesses to log in or run code on the system, disrupt operations, or steal data.
3. Denial of Service (DoS): Flooding the OS or its services with requests until legitimate users see slowdowns or crashes.
4. Physical Threats: Theft, damage, or destruction of hardware or media.
5. Insider Threats: Authorized users intentionally or unintentionally causing harm.
b. Vulnerabilities in Operating Systems
1. Outdated or Unpatched Software: Failing to update or patch the OS, applications, or libraries.
2. Weak Passwords: Easily guessable or default passwords.
3. Misconfigured Settings: Improperly set permissions, access controls, or network configurations.
4. Buffer Overflows: Missing bounds checks on memory writes, letting an attacker corrupt memory and, in the worst case, run code of their choice.
5. SQL Injection: Poorly sanitized database queries in applications running on the OS; the flaw is in the application, but it gives the attacker a foothold on the host.
6. Cross-Site Scripting (XSS): Injecting malicious scripts into web applications; like SQL injection, an application-layer flaw rather than a weakness of the OS itself.
7. Privilege Escalation: Exploiting a vulnerability or misconfiguration to move from a low-privileged account to administrator or kernel level.
8. Network Exposure: Unnecessary, unsecured, or unencrypted services listening on the network.
B. Access control mechanisms and policies
Access control mechanisms and policies are essential components of information security, ensuring that
only authorized individuals or systems can access, modify, or delete sensitive data or resources.
a. Access Control Mechanisms
1. Authentication: Verifies that a user is who they claim to be through passwords, biometrics, smart cards, or multi-factor
authentication.
2. Authorization: Grants or denies an authenticated user's access to a resource based on roles, permissions, or attributes.
3. Access Control Lists (ACLs): Lists attached to a resource stating which users or groups may perform which operations on it.
4. Role-Based Access Control (RBAC): Users are assigned to roles, and roles carry predefined permissions.
5. Attribute-Based Access Control (ABAC): Grants access by evaluating rules over attributes of the user, the resource, and the
environment, such as department, job title, or time of day.
6. Mandatory Access Control (MAC): The system enforces access through security labels or classifications that resource owners cannot override.
7. Discretionary Access Control (DAC): Resource owners decide who may access their resources (for example, Unix file permission bits).
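The mechanisms above are easiest to tell apart when they decide the same request. The following is an added example, not code from the chapter: a small access-control engine in which a mandatory (MAC) check is evaluated first and cannot be overridden, and, if it passes, any one of DAC/ACL, RBAC or ABAC may grant the request. The users, resources, roles, labels and the single ABAC rule are constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordered labels for MAC (constructed; any totally ordered set of labels works)
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: each role carries a fixed set of permissions (constructed roles)
ROLE_PERMISSIONS = {"auditor": {"read"}, "admin": {"read", "write", "delete"}}


@dataclass
class User:
    name: str
    clearance: str = "public"                       # MAC clearance
    roles: set = field(default_factory=set)         # RBAC
    attributes: dict = field(default_factory=dict)  # ABAC


@dataclass
class Resource:
    name: str
    owner: str                                      # DAC: owner controls the ACL
    label: str = "public"                           # MAC classification
    acl: dict = field(default_factory=dict)         # ACL: principal -> set of actions
    attributes: dict = field(default_factory=dict)  # ABAC


def dac_allows(user, resource, action):
    """DAC/ACL: the owner may do anything; others need an ACL entry."""
    if user.name == resource.owner:
        return True
    return action in resource.acl.get(user.name, set())


def rbac_allows(user, resource, action):
    """RBAC: allowed if any of the user's roles carries the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def abac_allows(user, resource, action):
    """ABAC: one constructed rule, 'members of the same department may read'."""
    dept = user.attributes.get("department")
    return action == "read" and dept is not None and dept == resource.attributes.get("department")


def mac_allows(user, resource, action):
    """MAC in the Bell-LaPadula style: no read up, no write down."""
    clearance, label = LEVELS[user.clearance], LEVELS[resource.label]
    if action == "read":
        return clearance >= label
    if action in ("write", "delete"):
        return clearance <= label
    return False


def decide(user, resource, action):
    """Mandatory policy first: no discretionary grant can override a MAC denial.
    If MAC passes, any one of DAC, RBAC or ABAC is enough to allow."""
    if not mac_allows(user, resource, action):
        return False
    return (dac_allows(user, resource, action)
            or rbac_allows(user, resource, action)
            or abac_allows(user, resource, action))


# Constructed sample principals and resources
ALICE = User("alice", clearance="confidential", attributes={"department": "finance"})
BOB = User("bob", clearance="secret", roles={"auditor"}, attributes={"department": "audit"})
CAROL = User("carol", clearance="internal", attributes={"department": "finance"})
DAVE = User("dave", clearance="public", roles={"admin"})

PAYROLL = Resource("payroll.xlsx", owner="alice", label="confidential",
                   attributes={"department": "finance"})
MEMO = Resource("budget_memo.txt", owner="alice", label="internal",
                acl={"bob": {"write"}}, attributes={"department": "finance"})


def demo():
    """Return the decision for each sample request, keyed by (user, resource, action)."""
    requests = [
        (ALICE, PAYROLL, "read"),   # owner, clearance equals label         -> allow (DAC)
        (BOB, PAYROLL, "read"),     # auditor role, clearance above label   -> allow (RBAC)
        (BOB, PAYROLL, "write"),    # secret writing to confidential        -> deny (no write down)
        (CAROL, PAYROLL, "read"),   # same department, but clearance below  -> deny (MAC beats ABAC)
        (CAROL, MEMO, "read"),      # same department, same level           -> allow (ABAC)
        (DAVE, PAYROLL, "read"),    # admin role does not bypass MAC        -> deny
        (BOB, MEMO, "write"),       # ACL entry exists, but writing down    -> deny (MAC beats ACL)
    ]
    return {(u.name, r.name, a): decide(u, r, a) for u, r, a in requests}


if __name__ == "__main__":
    for (who, what, how), allowed in demo().items():
        print(f"{who:6} {how:6} {what:18} -> {'ALLOW' if allowed else 'DENY'}")
```

The ordering in `decide` is the point of the example: an owner's ACL entry or an admin role never lets a request through that the mandatory label check has refused, which is exactly what distinguishes MAC from the discretionary mechanisms. Real systems (SELinux, Windows integrity levels) add integrity rules on top of this confidentiality model.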
b. Access Control Policies
1. Least Privilege: Users and processes have only the permissions their task requires.
2. Separation of Duty: Splits a sensitive operation between two or more people so that no single user can complete it alone (one requests, another approves).
3. Need-to-Know: Grants access to sensitive information only to those whose task requires it, even when their clearance would otherwise permit it.
4. Password Policy: Enforces password length and complexity, expiration, and a history that blocks reuse.
5. Account Lockout Policy: Locks an account, usually for a limited time, after a number of failed login attempts, which slows down password guessing.
6. Audit and Logging: Records successful and failed access attempts so they can be reviewed and alerted on.
7. Incident Response Plan: Defines how security breaches are detected, contained, and recovered from.
c. Implementation Considerations
1. Centralized Management: Manage identities, groups, and policies from a directory service such as Active Directory or an LDAP server rather than on each host separately.
2. Regular Reviews: Update access controls and policies.
3. Training and Awareness: Educate users on security best practices.
4. Compliance: Align with regulatory requirements (e.g., GDPR, HIPAA).
5. Continuous Monitoring: Detect and respond to security threats.
Benefits
1. Improved Security: Protects against unauthorized access.
2. Compliance: Meets regulatory requirements.
3. Efficient Management: Streamlines access control.
4. Reduced Risk: Minimizes potential breaches.
Challenges
1. Complexity: Managing multiple access control mechanisms.
2. User Resistance: Ensuring user adoption.
3. Resource Intensive: Requires regular updates and monitoring.
C. Security mechanisms and techniques
Physical Security Mechanisms
1. Access Control: Limiting entry to authorized personnel through doors, gates, or turnstiles.
2. Surveillance: CCTV cameras, alarms, and motion detectors.
3. Secure Storage: Safes, vaults, and locked cabinets.
4. Perimeter Security: Fences, walls, and barriers.
Network Security Mechanisms
5. Firewalls: Blocking traffic that does not match an allow policy.
6. Intrusion Detection/Prevention Systems (IDPS): Monitoring network traffic for attack signatures and anomalies; prevention systems also block it.
7. Virtual Private Networks (VPNs): Encrypting traffic between endpoints across untrusted networks.
8. Network Segmentation: Placing sensitive systems in isolated network zones so that a compromise cannot spread freely.
Cryptography Techniques
9. Encryption: Converting plaintext to unreadable ciphertext under a key.
10. Decryption: Converting ciphertext back to plaintext with the matching key.
11. Hashing: One-way transformation of data into a fixed-size digest, used for integrity checks and password storage.
12. Digital Signatures: A value computed over a message (usually over its hash) with a private key and verified with the public key, proving authenticity and integrity.
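Hashing is what a file-integrity monitor (the classic Tripwire idea) is built on, and the monitor's own baseline needs an authenticity check so an intruder cannot quietly rewrite it. The block below is an added example, not code from the chapter: it hashes a set of files with SHA-256, seals the baseline with an HMAC, refuses a baseline whose tag does not verify, and reports modified, removed and added paths. The "files" are an in-memory dictionary with constructed content, and the key is a placeholder. HMAC is a keyed symmetric check, so whoever can verify can also forge; a digital signature would use a private key to sign and a public key to verify, which needs an asymmetric library and is not shown here.

```python
import hashlib
import hmac
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Map each path to the SHA-256 of its content; `files` is {path: bytes}."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def seal_baseline(baseline, key):
    """Serialise the baseline and attach an HMAC-SHA256 tag under `key`."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def open_baseline(payload, tag, key):
    """Refuse to use a baseline whose tag does not verify (tampered or wrong key)."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline integrity check failed")
    return json.loads(payload)


def compare(baseline, files):
    """Diff the trusted baseline against the current state of the files."""
    current = build_baseline(files)
    return {
        "modified": [p for p in baseline if p in current and current[p] != baseline[p]],
        "removed": [p for p in baseline if p not in current],
        "added": [p for p in current if p not in baseline],
    }


# Constructed stand-in for a few system files; the content is illustrative only
CLEAN_SYSTEM = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/ls": b"\x7fELF constructed-binary-bytes",
}
# The same host later: one config changed, one binary gone, one cron entry appeared
TAMPERED_SYSTEM = {
    "/etc/passwd": CLEAN_SYSTEM["/etc/passwd"],
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/cron.d/unexpected": b"* * * * * root /tmp/.x\n",
}
BASELINE_KEY = b"constructed-demo-key; store the real one off the monitored host"


def run_check():
    """Build and seal a baseline from the clean state, verify it, then check the tampered state."""
    payload, tag = seal_baseline(build_baseline(CLEAN_SYSTEM), BASELINE_KEY)
    baseline = open_baseline(payload, tag, BASELINE_KEY)
    return compare(baseline, TAMPERED_SYSTEM)


if __name__ == "__main__":
    for kind, paths in run_check().items():
        print(f"{kind:9}: {paths}")
```

The key and the sealed baseline must be kept somewhere the monitored host cannot write (read-only media or a separate server); a baseline stored next to the files it protects, without a tag, is the first thing a competent intruder updates.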
Authentication Mechanisms
13. Passwords: Knowledge-based authentication.
14. Multi-Factor Authentication (MFA): Combining two or more factors: something you know, something you have, something you are.
15. Biometric Authentication: Fingerprints, facial recognition.
16. Smart Cards/Tokens: Physical devices.
Access Control Techniques
17. Role-Based Access Control (RBAC): Limiting access by role.
18. Attribute-Based Access Control (ABAC): Granting access based on attributes.
19. Mandatory Access Control (MAC): Enforcing strict policies.
20. Discretionary Access Control (DAC): Owner-controlled access.
Threat Mitigation Techniques
21. Patch Management: Regularly updating software.
22. Vulnerability Scanning: Identifying weaknesses.
23. Incident Response: Responding to security breaches.
24. Penetration Testing: Simulated attacks.
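Patch management and vulnerability scanning (items 21 and 22) meet in one routine task: comparing what is installed against what an advisory says is fixed. The following is an added example, not code from the chapter: it parses a package inventory in the shape that `dpkg-query -W -f='${Package} ${Version}\n'` prints, compares each installed version with the fixed version from a list of advisories, and reports the gaps sorted by severity. The inventory, the advisory ids (`EXAMPLE-000n`) and all versions are constructed for the demo, not real advisory data, and the version ordering is a simplification of what dpkg or rpm do.

```python
import re

# Constructed inventory in `dpkg-query -W -f='${Package} ${Version}\n'` style
INVENTORY = """\
openssl 3.0.2-0ubuntu1.10
openssh-server 1:8.9p1-3ubuntu0.4
sudo 1.9.9-1ubuntu2.4
bash 5.1-6ubuntu1
"""

# Constructed advisories: placeholder ids and versions chosen for the demo, not real CVE data
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "openssl", "fixed_in": "3.0.2-0ubuntu1.12", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "openssh-server", "fixed_in": "1:8.9p1-3ubuntu0.4", "severity": "critical"},
    {"id": "EXAMPLE-0003", "package": "sudo", "fixed_in": "1.9.9-1ubuntu2.1", "severity": "high"},
    {"id": "EXAMPLE-0004", "package": "bash", "fixed_in": "5.2-1", "severity": "low"},
    {"id": "EXAMPLE-0005", "package": "nginx", "fixed_in": "1.18.0-6", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version):
    """Simplified ordering: epoch first, then alternating numeric and alphabetic runs.
    Real package managers have subtler rules (for example '~' sorts before anything
    in dpkg); use their own comparison routines in production."""
    epoch, _, rest = version.rpartition(":")
    epoch = int(epoch) if epoch else 0
    parts = re.findall(r"\d+|[A-Za-z]+", rest)
    # Tag each run so ints are only ever compared with ints and strings with strings
    return (epoch, [(0, int(p)) if p.isdigit() else (1, p) for p in parts])


def parse_inventory(text):
    """Return {package: version} from 'name version' lines; blank lines are skipped."""
    packages = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            packages[name] = version
    return packages


def scan(inventory_text, advisories):
    """List advisories whose package is installed at a version below the fixed one."""
    installed = parse_inventory(inventory_text)
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue  # package not installed, advisory does not apply
        if version_key(version) < version_key(adv["fixed_in"]):
            findings.append({**adv, "installed": version})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['id']}  {f['package']} {f['installed']} -> fix in {f['fixed_in']}")
```

A version equal to `fixed_in` is not reported (openssh-server above), which is the usual convention for "fixed in" fields; an advisory for a package that is not installed is skipped rather than counted as safe, since the scanner knows nothing about software installed outside the package manager.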
Web Application Security
25. Transport Layer Security (TLS, the successor of the now-deprecated SSL): Encrypting web traffic.
26. Input Validation: Rejecting malformed input; together with parameterized queries it prevents SQL injection.
27. Cross-Site Scripting (XSS) Protection: Output encoding and a Content Security Policy to stop injected scripts from running.
28. Cross-Site Request Forgery (CSRF) Protection: Anti-CSRF tokens and SameSite cookies to block unauthorized requests made from other sites.
Cloud Security
29. Cloud Access Security Broker (CASB): Monitoring cloud activity.
30. Data Loss Prevention (DLP): Protecting sensitive data.
31. Encryption: Protecting data in transit and at rest.
32. Identity and Access Management (IAM): Controlling user access.
Mobile Security
33. Device Encryption: Protecting mobile data.
34. Mobile Device Management (MDM): Controlling device access.
35. App Security: Secure coding practices.
36. Secure Authentication: Biometric authentication.