Transaction Design, Inc.


"We show you how to process the future".

**JavaScript based drop down DHTML menu generated by NavStudio. (OpenCube Inc. - http://www.opencube.com)**

SECURITY CORNER

» Security Corner

» Systems Manager Corner

» ITUG Connection

Security Corner

Information, Please!

Article Date: 9/95

Information systems security is highlighted on the cover of the July 15 edition of "Datamation" magazine. Several articles highlight different aspects of security, so you may want to get hold of a copy and take a look.

Included in the articles is a little checklist of security measures that you may wish to employ. Most of these can be applied to any computer system. In this month's corner, let's look at several of the points in their sidebar "Use Everything You Have in your Security Toolkit" and relate them to VOS systems.

"Implementing access controls that are based on an employee's 'need to know.'"

All VOS sites should be making use of the built-in ACL capabilities of the system to protect their file system assets. Remember to check your ACLs for consistency - make sure you have not created logic holes between your levels of ACLs or between your ACLs and your user registration. Make sure your ACLs have not been changed since the last time you went in and set them. Check your critical files to see exactly which users have which kind of access to them. Check access of key users to your directory tree - look for users in powerful groups (such as SysAdmin) and users who are temporary or who can dialup. Watch for .pm files with the owner access attribute in use, since these bypass the user name for ACL checks.

"Making sure that system privileges are appropriate for each IS member on staff. Obviously, not everyone should have root access, for example."

Review your registration database and find out who your privileged users are. These are the accounts which have free run of the system, so make sure that only the appropriate users can login as privileged. Enough said.

"Limiting employees' ability to off-load company information."

Use device ACLs to control who can access tape drives, etc. Check for privileged users who can use the backup switch on the save command to bypass ACL checking.

"Training managers and employees to spot suspicious activity."

Monitor security logs for particular incidents and trends of incidents. Monitor logins to make sure users are on the system at times when they belong there. Watch dialup line logins to see which users are coming in from the outside.

These are a few of the points made by the "DATAMATION" authors. The articles make for interesting reading and provide a nice review of some of the most critical concerns in data security.