ZDDDDDDDDDDDDDDDDDD? IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; ZDDDDDDDDDDDDDDDDDD? 3 Founded By: 3 : Network Information Access : 3 Founded By: 3 3 Guardian Of Time 3D: 12SEP90 :D3 Guardian Of Time 3 3 Judge Dredd 3 : Guardian Of Time : 3 Judge Dredd 3 @DDDDDDDDBDDDDDDDDDY : File 51 : @DDDDDDDDDBDDDDDDDDY 3 HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< 3 3 IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; 3 3 : System Security Part 01 : 3 @DDD6Introduction: Types Of Computer Security Problems:DY HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< Introduction: This file is quite basic an elementary, those of you who are experienced in security, may find this chapter boring, also this file does not go into any detail or technical discussions about security, it is just an overview of what DIGITAL classifies users and problem cases. The System Security Series will be spread out over the following topics: System Security Part 01 -- Introduction: Types Of Computer Security Problems System Security Part 02 -- Security For The User // System Manager Side System Security Part 03 -- File Protection System Security Part 04 -- Implementing System Security System Security Part 05 -- Breaching Of Security System Security Part 06 -- Security For DECnet Node System Security Part 07 -- Secruity On A Cluster $_Problems Security breaches can be classified into three (3) catagories: 1) User Irresponsibility 2) User Probing 3) User Penetration Number 1: User irresponsibility is determined by Digital to be like a user who is authorized to access certain files, makes a copy of a Key File and then tries/does sells the file. Not much can be done about that, suggestions are to run tigher controls, not to give users control of certain areas, try to get users to be good, etc... User irresponsibility is the hardest to cope with, b/c you do not know when a user is going to become irresponsible. Number 2: User probing is when a user tries to exploit insufficiently protected parts of a system. quote from Pag 1-1 "Some users consider gaining access to a fobidden system area as an intellectual challenge, playing a game of user-versus-system. Although intentions may be harmless, theft of services is a crime. Users with more serious intent may seek confidential information, attempt embezzlement, or even destroy data by probing. Always treat user probing seriously." Number 3: User penetration, is a user that breaks through security controls to gain access to a system. It is IMPOSSIBLE to make ANY VMS system impenetrable. A user that is doing this, is skilled, and malicious, according to Digital. This is the most serious user to watch out for. But with VMS security controls you can make it harder for him to get inside your system. $_Levels Of Security Requirements You are taught to ask yourself What Does A User Need (Access wise/Security wise)? If you can tolerate some probing, some digging, your system may not need High levels. But if your system requires High levels ( such as a military computer system ), then you may find that your security will be quite detailed for both YOU and the user. $_Secure System Environment Security Measures basically boils down to the following: The most secure system is the most difficult to use Increased security can slow CPU time down and cause a slowness to the system Harder security means more personal time required Most security break ins, occur because the system manager is unware, doesn't care, or just oblivious to the fact that people do harm to computers. VMS provides all the mechanisms to control access to the system and its data. VMS also provides you with monitoring tools that will ensure that access is restriced to only those users that you specify. Problem with security breaches, is that its not UN-authorized accounts that commits the crime, it is AUTHORIZED accounts. When you leave your password out, or when you give it to someone, you then fall into user irresponisbilty and thus breach the security of the system. Make sure that your users has the correct access, and are AWARE of their access. When designing a Secure Evnrionment, you must think of all possibilities, if not, that one possibilty could turn out to become fact and thus cause system damage or loss of data. Some questions that should be asked are: Does the users need to know the images being executed? Need to know the names of another user's files? Accessing the file of another user in the group? Outsider knowing the name of the system just dialed into? Questions like this are good to ask. That is your job as a system manager, you need to THINK, ACT, and visualize the worst case scenario and make sure it never happens. Problems that occure are basic: Do I need to leave dialups on 24hrs a day? Am I giving access to people I don't even know? Do I change system passwords often? Have system passwords been changed since your system's instalation? If you have any say in your system, make sure that you stress all environmental consideratins as well as operating system protections when reviewing your site security. When deciding on which of these measures to implement, it is important for you to assess site security needs realistically. While instituting adequate security for your site is essential, instituting more security than actually necessary is costly and time-consuming. You also do not want to fall into a feeling that since it never happened it can't happen, or that people don't accidentally do something. All problems that occur, can be logically found out. If you use the right equipment and problem solving techniques. Just because something has never happened, you do not want to be left open, just because your house has never been broken into, should you leave your doors open? $_Conclusions: System security begins with you. If you blow off complaints or deny that a problem exists, then you, yourself are causing a problem, that should be corrected. A system can only be as secure as its system manager will alow, if its left to free, people might/will take advantage of it, if the system is to hard/complicated, then you will loose users, and still cause complaints. Make sure that you judge your users and your system to the best of your knowledge. If you do not, serious problems could/will happen. Guardian Of Time Judge Dredd Ignorance, Theres No Excuse. For questions or comments write to: Internet: elisem@nuchat Fidonet: 1:106/69.0 or NIA FeedBack P.O. Box 299 Santa Fe, Tx. 77517-0299 [OTHER WORLD BBS] Downloaded From P-80 International Information Systems 304-744-2253 12yrs+