On any system there can be two types of users: authorizedand unauthorized. Any person authorized to use the computer systemhas the right to access the system and its resources according tothe authorization criteria set up by the site security administrator.Usage criteria may include the time of day, types of logins, useof different resources like printers and terminals, and so on. Unauthorizedusers have no right to use the system at all or only at a giventime of day, or they have no right to use certain system resources.
On a computer system, security breaches usually result fromone of four types of actions:
User irresponsibility refersto situations where the user purposely or accidentally causes some noticeabledamage. One example would be a user who is authorized to accesscertain files making a copy of a key file to sell.
There is little that an operating system can do to protectsites from this source of security failure. The problem frequentlylies in application design deficiencies or inconsistent use of availablecontrols by users and the security administrator. Sometimes thefailure to enforce adequate environmental security unwittingly encouragesthis type of security problem.
Even the best security system will fail if implemented inconsistently.This, along with the failure to motivate your users to observe goodsecurity practices, will make your system vulnerable to security failurescaused by user irresponsibility. Using the System Responsibly discusses what users can do to help maintain system security.
User probing refers to situationswhere a user exploits insufficiently protected parts of the system. Someusers consider gaining access to a forbidden system area as an intellectualchallenge, playing a game of user versus system. Although intentionsmay be harmless, theft of services is a crime. Users with more seriousintent may seek confidential information, attempt embezzlement,or even destroy data by probing. Always treat user probing seriously.
The system provides many security features to combat userprobing. Based on security needs, the security administrator implementsfeatures on either a temporary or permanent basis. See Protecting Data for information on protectingdata and resources with protection codes and access control lists.
User penetration refers tosituations where the user breaks through security controls to gainaccess to the system. While the system has security features thatmake penetration extremely difficult, it is impossible to make anyoperating system completely impenetrable.
A user who succeeds in penetrating a system is both skilledand malicious. Thus, penetration is the most serious and potentiallydangerous type of security breach. With proper implementation ofthe OpenVMS security features, however, it is also the rarest securitybreach, requiring unusual skills and perseverance.
Social engineering refersto situations in which an intruder gains access to a system notby technical means, but by deceiving users, operators, or administrators.Potential intruders may impersonate authorized users over the phone.Potential intruders may request information that gains them accessto the system, such as telephone numbers or passwords, or they mayrequest an unwitting operator to perform some action that compromisesthe security of the system.
As the technical security features of operating systems havestrengthened in recent years, social engineering has been a factorin a growing percentage of security incidents. Operator training, administrativeprocedures, and user awareness are all critical factors to ensurethat access is not inadvertently granted to unauthorized persons.
The following chapters explain how to avoid these problems:
Managing System Access describes the intrusion detection system and how toset its parameters.