Twitter
Home Blog Page 607

Linux Security Fundamentals Part 3: Risk Assessment / Trade-offs and Business Considerations

By
Linux Training Staff
-

Start exploring Linux Security Fundamentals by downloading the free sample chapter today. DOWNLOAD NOW

Earlier in this series, you learned the types of hackers who might try to compromise your Linux system, where attacks might originate, and the kinds of attacks to expect. The next step is to assess the security risks to your own system and the costs of both securing, and not securing, your assets in order to begin formulating a security plan.

Focusing on likely threats to the highest value assets is a reasonable place to start your risk assessment. A common method for determining likelihood is to create a use case from the point of view of a malicious actor attempting to cause harm to the system.

Next, calculating the value of the assets will help determine the amount of security that should be implemented to protect those assets. It may not always be cost-effective to protect everything. Many types of attacks can be mitigated by implementing minimal security. It is not likely possible to protect all assets, all of the time.

And finally, knowing the potential impact to business operations is also essential in determining the level of security required for any particular asset. If the business is severely impacted due to a compromise, then more resources should be dedicated to maintaining the security of the assets. Another business consideration is the impact of adding additional security to the environment, possibly creating a performance challenge.

Let’s look at each of these areas in turn and some important factors to consider and questions to ask as you’re evaluating the trade-offs.

Likelihood

Evaluating the feasibility of a potential attack is important. Is the threat real or theoretical? You can begin to asses the risk by asking:

• Method: Are the skills, knowledge, tools, etc. available?

• Opportunity: Is there time and access?

• Motive: Is it an intentional act or an accidental damage?

Recently, it has been demonstrated that fingerprint scanners on smart phones can be fooled into thinking an authorized user has scanned their fingerprint. The researchers claimed that the attack was rather easy to accomplish. The reality is that the particular attack required a fair amount of specific things to happen in proper order to be successful. This is rather unlikely.

Even if the methods are well-known, if the tools are difficult to acquire, only the most resource-wealthy will be able to perpetrate the attack. Access and opportunity are also areas that can be designed into a system, such that attacks can only be accomplished during certain windows. By limiting the opportunity to certain situations, time-based or access-based, security costs can be reduced outside of those situations.

Asset Value

A thorough inventory of business assets will be the basis for the valuation required when determining what and how much security will be required.

Most environments handle this process via an Asset Management System. The roles of each asset will also determine the importance of the asset in the business operations. Components that are not expensive and yet carry large responsibility for operations should be considered highly valuable. Estimating the impact of a service outage, damage to the infrastructure, or compromise will also be necessary in determining the value of the assets.

To determine asset value, you should:

• Identify network/system/service assets

• Determine asset roles and relationships

• Evaluate the impact of asset damage/failure/loss.

In part four we’ll consider the difficulty of estimating the cost of a cyber attack and give you some questions to ask when weighing the cost of protecting your business assets, with the business impact of a potential security compromise.

Stay one step ahead of malicious hackers with The Linux Foundation’s Linux Security Fundamentals course. Download a sample chapter today!

Read the other articles in the series:

Linux Security Threats: The 7 Classes of Attackers

Linux Security Threats: Attack Sources and Types of Attacks

Linux Security Fundamentals: Estimating the Cost of a Cyber Attack

Linux Security Fundamentals Part 5: Introduction to tcpdump and wireshark

Linux Security Fundamentals Part 6: Introduction to nmap

Understand Your Distributed Apps with the OpenTracing Standard

By
Ian Murphy
-

Microservices and services-oriented architecture are here to stay, but this kind of distributed system destroys the traditional type of process monitoring. Nonetheless, companies still need to understand just what’s happening inside the flow of an application. Ben Sigelman, Co-founder of LightStep, said at his keynote at CloudNativeCon that by adopting a new standard for distributed applications called OpenTracing can tell those stories without building complex instrumentation, or fundamentally changing the code of your application.

“If you previously told a story about what happened in your process in that way with this squiggly line going through a single process, that story is gone,” Sigelman said. “In our conversations with numerous companies that have adopted this sort of technology, what they’ve been telling us is that, as they decouple their systems and their transactions I/O, behold they are no longer on any single process, they are literally unable to answer the most basic questions about what’s happening.

“The solution historically for this has been distributed tracing,” Sigelman said. “It still is a solution and it’s wonderful. So the question is, why isn’t it ubiquitous? … That is what OpenTracing is here for. The reason is the instrumentation has been too difficult. It’s required you to instrument not just across processes but across library boundaries in a way that often couples you to poorly engineered libraries that were written in an afternoon or a weekend by someone.”

OpenTracing is a vendor-neutral API standard, not something that one deploys, Sigelman said. Instead it’s something you program against, something you build into your microservices architecture. The OpenTracing API sits in the middle of the microservices process, like application logic, control-flow packages or existing instrumentation, and tracing infrastructure like LightStep, Zipkin, or Jaeger.

Sigelman showed how OpenTracing works through a demo involving a fake donuts-as-a-service website he created (DonutSalon.com, imbued with the glorious motto “Move Fast and Bake Things”), showing how to track where bottlenecks occurred when the audience faithfully ordered free donuts all at once.

“This can be really powerful if you think about a real system, in that any time you have a latency issue, it’s probably due to some kind of throughput concurrency bottleneck,” Sigelman said. “Being able to actually root-cause where these requests came from in the distributed system is actually fairly profound and something that is not possible with logging at the local level.”

In a Kubernetes system, OpenTracing tracks both the breadth of transactions (called “spans”) and the depth (the communication between clients and services, called “references”). Just tracking one or the other is essentially traditional logging, Sigelman said, but capturing both leads to a much better picture of the traffic in a distributed applications.

“I think it’s possible to get good quality tracing and avoid the pain and suffering of adding a lot of instrumentation or even really changing an application in meaningful ways if we can add the existing API standardization of OpenTracing to a little bit of magic between applications, client proxies, and then the network that connects containers to each other,” he said.

Watch the complete presentation below:

Want to learn more about Kubernetes? Get unlimited access to the new Kubernetes Fundamentals training course for one year for $199. Sign up now!

What Do You Mean by “Event-Driven”?

By
Martin Fowler.com
-

Towards the end of last year I attended a workshop with my colleagues in ThoughtWorks to discuss the nature of “event-driven” applications. Over the last few years we’ve been building lots of systems that make a lot of use of events, and they’ve been often praised, and often damned. Our North American office organized a summit, and ThoughtWorks senior developers from all over the world showed up to share ideas.

The biggest outcome of the summit was recognizing that when people talk about “events”, they actually mean some quite different things. So we spent a lot of time trying to tease out what some useful patterns might be. This note is a brief summary of the main ones we identified.

Event Notification

This happens when a system sends event messages to notify other systems of a change in its domain. 

Read more at Martin Fowler

Meet OpenStack Big Tent Projects Storlets and Tricircle

By
OpenStack
-

OpenStack’s big tent has expanded to include two projects: Storlets and Tricircle.

We’ll give you a quick overview of them and find out how you can get involved from the project team leads (PTLs) ahead of the Project Teams Gathering (PTG).

Storlets

What

Storlets enables a user-friendly, cost-effective scalable and secure way for executing storage-centric user-defined functions near the data within OpenStack Swift.

Read more at Superuser

Blockchain: The Invisible Technology That’s Changing the World

By
PC Magazine
-

Blockchain isn’t a household buzzword, like the cloud or the Internet of Things. It’s not an in-your-face innovation you can see and touch as easily as a smartphone or a package from Amazon. But when it comes to our digital lives—every digital transaction; exchange of value, goods and services; or private data —blockchain is the answer to a question we’ve been asking since the dawn of the internet age: How can we collectively trust what happens online?

 

Every year we run more of our lives—more core functions of our governments, economies, and societies—on the internet. We do our banking online. We shop online. We log into apps and services that make up our digital selves and send information back and forth. Think of blockchain as a historical fabric underneath recording everything that happens exactly as it occurs.

Read more at PCMag

 

Optimizing Linux for Slow Computers

By
AkitaOnRails
-

I’ve been researching a lot about Linux on the Desktop these days as you may see from my posts about Fedora 25 and Arch Linux (recommended!).

There are some things you must have in mind when migrating to Linux systems. Even if you have a top of the line Intel Core i7 Kaby Lake, 32GB of RAM, 2TB M.2 SSDs, you may still benefit from the optimizations I will talk about.

One of the best resources is Arch Linux’s Wiki page on “Improving Performance”. You don’t need everything there but it’s a comprehensive resource that any enthusiast must read.

Read more at AkitaOnRails

Keymetrics Is a Node.js Monitoring Tool for Your Server Infrastructure

By
TechCrunch
-

French startup Keymetrics just raised $2 million from Alven Capital and Runa Capital to build the best monitoring tool for your Node.js infrastructure. The startup’s founder and CEO Alexandre Strzelewicz also created the popular open source Node.js process manager PM2.

How do you turn a popular open source project into a successful startup? This question has so many different answers that sometimes it’s hard to find the right one from the first try, and Keymetrics is no exception.

A few years ago, when Strzelewicz developed PM2 while living in Shanghai, he was just trying to create a better process manager for Node.js because existing solutions were lacking. 

Read more at TechCrunch

rtop – An Interactive Tool to Monitor Remote Linux Server Over SSH

By
Tecmint
-

rtop is a straightforward and interactive, remote system monitoring tool based on SSH that collects and shows important system performance values such as CPUdiskmemorynetwork metrics.

It is written in Go Language and does not require any extra programs to be installed on the server that you want to monitor except SSH server and working credentials.

rtop basically functions by launching an SSH session, and executing certain commands on the remote server
Read more at Tecmint

Speak at ApacheCon 2017: 4 Days Left to Submit a Talk

By
The Linux Foundation
-

ApacheCon gathers attendees from over 60 countries to learn about core open source technologies directly from the Apache developer and user communities.

The ApacheCon program committee is seeking proposals from speakers with fresh ideas, enlightening case studies, best practices or deep technical knowledge for new standalone tracks such as FlexJS Summit, TomcatCon, ApacheIoT, CloudStack Collaboration Conference and general tracks covering other Apache projects.

You have 4 days left to submit a proposal. The deadline is February 11. Submit a Proposal Now!

And check out the list of suggested topics for ApacheCon here>>

ApacheIoT

ApacheIoT is a new conference track that lays the vision, framework, and components for an IoT system architected to operate at scale for a wide range of compelling use cases. It is aimed at developers, operators, and users to discuss applicable projects, to reach beyond the boundaries of each product, and collaborate on evolving into coherent end-to-end systems.

CloudStack Collaboration Conference

The CloudStack Collaboration Conference is aimed at developers, operators and users to discuss and evolve the open source software project, its functionality and real world operability. The event will offer participants the opportunity to learn and collaborate on CloudStack, while also discovering new projects.

TomcatCon

TomcatCon is the place for all users of Tomcat to expand their Tomcat knowledge in areas such as networking, security, performance and deployment. It also offers an opportunity to discuss the current Tomcat roadmap and help inform future development.

FlexJS Summit

FlexJS Summit is a new summit track that shows where FlexJS is today and lays out the future for the FlexJS project. It is aimed at existing Apache Flex and new Apache FlexJS developers, designers, and users. Participants have a wonderful opportunity to discover new projects and exchange ideas.

Apache: Big Data

Apache: Big Data gathers together the Apache projects, people and technologies working in Big Data, ubiquitous computing and data engineering and science to educate, collaborate and connect in a completely project-neutral environment. It is the only event that brings together the full suite of Big Data open source projects.

Not looking to speak at ApacheCon but want to attend? Register by March 12 to save $400! One registration gives you access to ApacheCon, Apache: Big Data, FlexJS Summit, TomcatCon, ApacheIoT, Traffic Server Conf and CloudStack Collaboration Conference. 

Linux.com readers can register now for ApacheCon or Apache: Big Data with the discount code, LINUXRD5, for 5% off the registration price.

Speak at The Linux Foundation’s Open Source Summit and Automotive Linux Summit in Japan

By
The Linux Foundation
-

More than 600 open source professionals, developers and operators will convene in Tokyo this year to collaborate, share information, and learn at Open Source Summit Japan. The technical conference will cover the latest in open source technologies, including Linux, containers, cloud computing, software-defined networking, and more.

This year Open Source Summit Japan will also be co-located with Automotive Linux Summit, to be held May 31 – June 2 at the Tokyo Conference Center.  Automotive Linux Summit gathers the most innovative minds from the automotive arena including automotive systems engineers, Linux experts, R&D managers, business executives, open source licensing and compliance specialists and community developers. The event connects the developer community with the vendors and users providing and using the code in order to drive the future of embedded devices in automotive.  

The Linux Foundation is now seeking proposals for both conferences from speakers with fresh ideas, enlightening case studies, best practices, or deep technical knowledge.

The deadline to submit proposals is March 4. Submit your proposal now!

Some suggested topics for Open Source Summit Japan 2017 speakers include:

  • Kernel (e.g., CGroups, Namespaces, Zones)

  • Container Runtime (e.g. Docker, rkt, LXC, LXD, openvz, lmctfy, Warden, libvirt-lxc)

  • Orchestration (e.g., Kubernetes, Mesos)

  • Real World Experiences with SDN & NFV Deployment

  • SDN for Service Providers

  • Is there a Benefit for SDN in Enterprise Networks?

  • Open Network Hardware (Both Hardware Design and Operating Systems)

See the full list of suggested topics for Open Source Summit Japan and Automotive Linux Summit and tips for creating a great proposal.

Not interested in speaking but want to attend? Linux.com readers get 5% off the “attendee” registration with code LINUXRD5. Register now to save over $150 on Open Source Summit Japan through April 16.

There is a complimentary add-on option on the Open Source Summit Japan registration form to join Automotive Linux Summit.  

1...606607608...10,743Page 607 of 10,743