The operating system (OS) environment is the second level of concern in the Confidentiality, Integrity and Availability of the ITSE; and it is the most important program/platform on which everything else rests. The OS is essentially the ITSE’s brains and controls every task your computer carries out, manages system resources and provides a software platform on top of which other programs, called application programs, can run. At the simplest level, an operating system does two things:

  1. It manages the hardware and software resources of the system.
  2. It provides a stable, secure and consistent way for applications to deal with the hardware resources.

The security of the operating systems running your PCs and servers is vital to the security of your network as a whole.

  • Not applying a patch or missing news about a new vulnerability on one machine can affect the security of thousands of computers.
  • Software bugs will not only make a system unstable, but also leave it wide open to unauthorized users.

Once these vulnerabilities are discovered, attackers can exploit them and gain access to your system. From there, they can install malware, launch attacks on other machines or even take complete control of your system.

For large systems, the operating system has even greater responsibilities and powers. It is like a traffic cop, that makes sure different programs and users do not interfere with each other and also responsible for security, ensuring that unauthorized users do not access the system. References – eweek.com, intel.com, etc.

The increasing amount of valuable and private information processed by computers implies a long-term need for much more rigorous security controls in the operating system to ensure Confidentiality, Integrity and Availability of IT systems.

The following are some important considerations that GetAdvise is concerned about;

  • Has an OS review been conducted to provide management with an independent assessment relating to the effectiveness of configuration and security of the operating systems with the enterprise’s computing environment.
  • Has the process of auditing OS security included evaluating whether the security features have been enabled and parameters have been set to values consistent with the security policy of the organization, and verifying that all users of the system (user IDs) have appropriate privileges to the various resources and data held in the system.
  • Has some of the most common security parameters been evaluated; for e.g. password rules, such as minimum password length, password history, password required, compulsory password aging, lock-out on unsuccessful logins, login station and time restrictions.
  • Has scrutiny of logging of certain events been conducted, such as unsuccessful login attempts has been enabled or whether the superuser password is held by the appropriate person. Other OS/version-specific parameters also have to be verified.

Another area of scrutiny is to ascertain whether access privileges given to various users are appropriate.

  • The first step is to ascertain what data/systems are on the server and how critical and sensitive they are. From this information, we can get an idea of who should have access to what.
  • Next, we would obtain the list of user IDs in the system and map these with actual users.
  • Then, we would determine for each user what the permissions and privileges to the different resources/data are in the system. There are different methods, for example, commands for ascertaining this from the system for different OS. Another way is to determine for a given critical piece of data who the users with access are, and whether their access is appropriate.

Reference: isaca.org, eweek, intel, microsoft, www.

The above text are a sample of the advisory rigor we undertake in our pursuit to get you the right advise!