On any system there can be two types of users: authorized
and unauthorized. Any person authorized to use the computer system
has the right to access the system and its resources according to
the authorization criteria set up by the site security administrator.
Usage criteria may include the time of day, types of logins, use
of different resources like printers and terminals, and so on. Unauthorized
users have no right to use the system at all or only at a given
time of day, or they have no right to use certain system resources.
On a computer system, security breaches usually result from
one of four types of actions:
User irresponsibility refers
to situations where the user purposely or accidentally causes some noticeable
damage. One example would be a user who is authorized to access
certain files making a copy of a key file to sell. There is little that an operating system can do to protect
sites from this source of security failure. The problem frequently
lies in application design deficiencies or inconsistent use of available
controls by users and the security administrator. Sometimes the
failure to enforce adequate environmental security unwittingly encourages
this type of security problem. Even the best security system will fail if implemented inconsistently.
This, along with the failure to motivate your users to observe good
security practices, will make your system vulnerable to security failures
caused by user irresponsibility.
Using the System Responsibly discusses what users can do to help maintain system security.
User probing refers to situations
where a user exploits insufficiently protected parts of the system. Some
users consider gaining access to a forbidden system area as an intellectual
challenge, playing a game of user versus system. Although intentions
may be harmless, theft of services is a crime. Users with more serious
intent may seek confidential information, attempt embezzlement,
or even destroy data by probing. Always treat user probing seriously. The system provides many security features to combat user
probing. Based on security needs, the security administrator implements
features on either a temporary or permanent basis. See
Protecting Data for information on protecting
data and resources with protection codes and access control lists.
User penetration refers to
situations where the user breaks through security controls to gain
access to the system. While the system has security features that
make penetration extremely difficult, it is impossible to make any
operating system completely impenetrable. A user who succeeds in penetrating a system is both skilled
and malicious. Thus, penetration is the most serious and potentially
dangerous type of security breach. With proper implementation of
the OpenVMS security features, however, it is also the rarest security
breach, requiring unusual skills and perseverance.
Social engineering refers
to situations in which an intruder gains access to a system not
by technical means, but by deceiving users, operators, or administrators.
Potential intruders may impersonate authorized users over the phone.
Potential intruders may request information that gains them access
to the system, such as telephone numbers or passwords, or they may
request an unwitting operator to perform some action that compromises
the security of the system. As the technical security features of operating systems have
strengthened in recent years, social engineering has been a factor
in a growing percentage of security incidents. Operator training, administrative
procedures, and user awareness are all critical factors to ensure
that access is not inadvertently granted to unauthorized persons.
The following chapters explain how to avoid these problems:
Managing System Access describes the intrusion detection system and how to
set its parameters.
HP OpenVMS Guide to System Security
Security Overview