3   Founded By:    3 :  Network Information Access   : 3   Founded By:    3
 3 Guardian Of Time 3D:            12SEP90            :D3 Guardian Of Time 3
 3   Judge Dredd    3 :        Guardian Of Time       : 3   Judge Dredd    3
          3           HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<           3
          3   :             System Security Part 01             : 3
          @DDD6Introduction: Types Of Computer Security Problems:DY


This file is quite basic an elementary, those of you who are experienced in
security, may find this chapter boring, also this file does not go into any
detail or technical discussions about security, it is just an overview of what
DIGITAL classifies users and problem cases.

The System Security Series will be spread out over the following topics:

System Security Part 01 -- Introduction: Types Of Computer Security Problems
System Security Part 02 -- Security For The User // System Manager Side
System Security Part 03 -- File Protection
System Security Part 04 -- Implementing System Security
System Security Part 05 -- Breaching Of Security
System Security Part 06 -- Security For DECnet Node
System Security Part 07 -- Secruity On A Cluster


Security breaches can be classified into three (3) catagories:

1) User Irresponsibility
2) User Probing
3) User Penetration

Number 1:

User irresponsibility is determined by Digital to be like a user who is
authorized to access certain files, makes a copy of a Key File and then
tries/does sells the file.

Not much can be done about that, suggestions are to run tigher controls, not
to give users control of certain areas, try to get users to be good, etc...

User irresponsibility is the hardest to cope with, b/c you do not know when
a user is going to become irresponsible.

Number 2:

User probing is when a user tries to exploit insufficiently protected parts
of a system.

quote from Pag 1-1 "Some users consider gaining access to a fobidden system
area as an intellectual challenge, playing a game of user-versus-system.
Although intentions may be harmless, theft of services is a crime.  Users
with more serious intent may seek confidential information, attempt
embezzlement, or even destroy data by probing.  Always treat user probing

Number 3:

User penetration, is a user that breaks through security controls to gain
access to a system.  It is IMPOSSIBLE to make ANY VMS system impenetrable.

A user that is doing this, is skilled, and malicious, according to Digital.
This is the most serious user to watch out for.  But with VMS security
controls you can make it harder for him to get inside your system.

$_Levels Of Security Requirements

You are taught to ask yourself What Does A User Need (Access wise/Security

If you can tolerate some probing, some digging, your system may not need
High levels.  But if your system requires High levels ( such as a military
computer system ),  then you may find that your security will be quite
detailed for both YOU and the user.

$_Secure System Environment

Security Measures basically boils down to the following:

The most secure system is the most difficult to use
Increased security can slow CPU time down and cause a slowness to the system
Harder security means more personal time required

Most security break ins, occur because the system manager is unware, doesn't
care, or just oblivious to the fact that people do harm to computers.

VMS provides all the mechanisms to control access to the system and its
data.  VMS also provides you with monitoring tools that will ensure that
access is restriced to only those users that you specify.

Problem with security breaches, is that its not UN-authorized accounts that
commits the crime, it is AUTHORIZED accounts.  When you leave your password
out, or when you give it to someone, you then fall into user irresponisbilty
and thus breach the security of the system.  Make sure that your users has
the correct access, and are AWARE of their access.

When designing a Secure Evnrionment, you must think of all possibilities, if
not, that one possibilty could turn out to become fact and thus cause system
damage or loss of data.

Some questions that should be asked are:

Does the users need to know the images being executed?

Need to know the names of another user's files?

Accessing the file of another user in the group?

Outsider knowing the name of the system just dialed into?

Questions like this are good to ask.  That is your job as a system manager,
you need to THINK, ACT, and visualize the worst case scenario and make sure
it never happens.

Problems that occure are basic:

Do I need to leave dialups on 24hrs a day?
Am I giving access to people I don't even know?
Do I change system passwords often?
Have system passwords been changed since your system's instalation?

If you have any say in your system, make sure that you stress all
environmental consideratins as well as operating system protections when
reviewing your site security.

When deciding on which of these measures to implement, it is important for
you to assess site security needs realistically.  While instituting adequate
security for your site is essential, instituting more security than actually
necessary is costly and time-consuming.

You also do not want to fall into a feeling that since it never happened it
can't happen, or that people don't accidentally do something.  All problems
that occur, can be logically found out.  If you use the right equipment and
problem solving techniques.

Just because something has never happened, you do not want to be left open,
just because your house has never been broken into, should you leave your
doors open?


System security begins with you.  If you blow off complaints or deny that a
problem exists, then you, yourself are causing a problem, that should be

A system can only be as secure as its system manager will alow, if its left
to free, people might/will take advantage of it, if the system is to
hard/complicated, then you will loose users, and still cause complaints.
Make sure that you judge your users and your system to the best of your
knowledge.  If you do not, serious problems could/will happen.

                            Guardian Of Time
                              Judge Dredd
                      Ignorance, Theres No Excuse.
                  For questions or comments write to:
                         Internet: elisem@nuchat
                           Fidonet: 1:106/69.0
                             NIA FeedBack
                             P.O. Box 299
                       Santa Fe, Tx.  77517-0299