Network Information Access
12SEP90
Guardian Of Time
File 51

Founded By: Guardian Of Time, Judge Dredd

System Security Part 01
Introduction: Types Of Computer Security Problems

Introduction:

This file is quite basic and elementary; those of you who are experienced in
security may find this chapter boring. This file does not go into any detail
or technical discussion about security; it is just an overview of how DIGITAL
classifies users and problem cases.

The System Security Series will be spread out over the following topics:

System Security Part 01 -- Introduction: Types Of Computer Security Problems
System Security Part 02 -- Security For The User // System Manager Side
System Security Part 03 -- File Protection
System Security Part 04 -- Implementing System Security
System Security Part 05 -- Breaching Of Security
System Security Part 06 -- Security For DECnet Node
System Security Part 07 -- Security On A Cluster

$_Problems

Security breaches can be classified into three (3) categories:

1) User Irresponsibility
2) User Probing
3) User Penetration

Number 1:

User irresponsibility, as Digital defines it, is when a user who is
authorized to access certain files makes a copy of a Key File and then tries
to sell, or does sell, the file.

Not much can be done about that; suggestions are to run tighter controls, not
to give users control of certain areas, try to get users to be good, etc...

User irresponsibility is the hardest to cope with, because you do not know
when a user is going to become irresponsible.

Number 2:

User probing is when a user tries to exploit insufficiently protected parts
of a system.

Quote from Page 1-1: "Some users consider gaining access to a forbidden system
area as an intellectual challenge, playing a game of user-versus-system.
Although intentions may be harmless, theft of services is a crime. Users
with more serious intent may seek confidential information, attempt
embezzlement, or even destroy data by probing. Always treat user probing
seriously."

Number 3:

User penetration is when a user breaks through security controls to gain
access to a system. It is IMPOSSIBLE to make ANY VMS system impenetrable.

A user who is doing this is skilled and malicious, according to Digital.
This is the most serious user to watch out for. But with VMS security
controls you can make it harder for him to get inside your system.

$_Levels Of Security Requirements

You are taught to ask yourself: What does a user need (access-wise/
security-wise)?

If you can tolerate some probing, some digging, your system may not need
high levels of security. But if your system requires high levels (such as a
military computer system), then you may find that your security will be quite
detailed for both YOU and the user.

$_Secure System Environment

Security measures basically boil down to the following:

The most secure system is the most difficult to use
Increased security can slow CPU time down and cause slowness in the system
Harder security means more personal time required

Most security break-ins occur because the system manager is unaware, doesn't
care, or is just oblivious to the fact that people do harm to computers.

VMS provides all the mechanisms to control access to the system and its
data. VMS also provides you with monitoring tools that will ensure that
access is restricted to only those users that you specify.

The problem with security breaches is that it's not UN-authorized accounts
that commit the crime, it is AUTHORIZED accounts. When you leave your password
out, or when you give it to someone, you fall into user irresponsibility
and thus breach the security of the system. Make sure that your users have
the correct access, and are AWARE of their access.

When designing a Secure Environment, you must think of all possibilities; if
not, that one possibility could turn out to become fact and thus cause system
damage or loss of data.

Some questions that should be asked are:

Do the users need to know the images being executed?

Need to know the names of another user's files?

Accessing the file of another user in the group?

Outsider knowing the name of the system just dialed into?

Questions like this are good to ask. That is your job as a system manager:
you need to THINK, ACT, and visualize the worst case scenario and make sure
it never happens.

Problems that occur are basic:

Do I need to leave dialups on 24hrs a day?
Am I giving access to people I don't even know?
Do I change system passwords often?
Have system passwords been changed since your system's installation?

If you have any say in your system, make sure that you stress all
environmental considerations as well as operating system protections when
reviewing your site security.

When deciding on which of these measures to implement, it is important for
you to assess site security needs realistically. While instituting adequate
security for your site is essential, instituting more security than actually
necessary is costly and time-consuming.

You also do not want to fall into a feeling that since it never happened it
can't happen, or that people don't accidentally do something. All problems
that occur can be logically found out, if you use the right equipment and
problem solving techniques.

Just because something has never happened, you do not want to be left open;
just because your house has never been broken into, should you leave your
doors open?

$_Conclusions:

System security begins with you. If you blow off complaints or deny that a
problem exists, then you, yourself, are causing a problem that should be
corrected.

A system can only be as secure as its system manager will allow. If it's left
too free, people might/will take advantage of it; if the system is too
hard/complicated, then you will lose users, and still cause complaints.
Make sure that you judge your users and your system to the best of your
knowledge. If you do not, serious problems could/will happen.

Guardian Of Time
Judge Dredd
Ignorance, Theres No Excuse.
For questions or comments write to:
Internet: elisem@nuchat
Fidonet: 1:106/69.0
or
NIA FeedBack
P.O. Box 299
Santa Fe, Tx. 77517-0299

[OTHER WORLD BBS]