User's Manual

Solaris 9 Security CX-310-301 12
is less likely that they will continue with the attack. Compare this with adding security to your car:
alarms, immobilizers, steering-wheel locks, wheel clamps and so on. Each layer creates a further problem
for the attacker (or thief) and makes the break-in take longer. Remember, there is always another, easier
opportunity for the attacker; just make sure it isn't you! A simple example is allowing the root user to
log in only from the system console. A remote attacker must then compromise an ordinary user account first
and obtain the root password separately (via su) before gaining privileged access to the system: two
accounts to penetrate instead of one.
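On Solaris the console-only restriction described above is controlled by the CONSOLE line in /etc/default/login, a file the text does not name. The following shell script is an added example, not part of the study guide: it reads that file (or a copy of it, since the path is a parameter) and reports which of the three possible states the line is in. The sample file it builds is constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the study guide). Classify the root-login policy
# expressed by the CONSOLE line of a Solaris /etc/default/login file:
#   CONSOLE=/dev/console       root may log in directly only on that device
#   #CONSOLE=... or no line    root may log in directly from any device
#   CONSOLE=   (empty value)   root may not log in directly anywhere; must su
# Exit status is 0 when direct root login is restricted, 1 when it is not,
# so the function can be used in an audit script.

root_login_policy() {
    file=$1
    # Only an uncommented assignment counts; if the file has several, the
    # last one is what the login program sees, so take the last match.
    line=$(grep '^[[:space:]]*CONSOLE=' "$file" | tail -n 1)
    if [ -z "$line" ]; then
        echo "any-device"
        return 1
    fi
    # Everything after the first '=' is the device; drop trailing blanks
    # and anything that looks like a trailing comment.
    device=${line#*=}
    device=$(printf '%s' "$device" | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//')
    if [ -z "$device" ]; then
        echo "no-direct-login"
        return 0
    fi
    echo "console-only:$device"
    return 0
}

# Constructed sample of a hardened file (not copied from any real system).
sample=$(mktemp)
cat >"$sample" <<'EOF'
# /etc/default/login (constructed sample)
TIMEOUT=300
CONSOLE=/dev/console
PASSREQ=YES
EOF
root_login_policy "$sample"
rm -f "$sample"
```

Run it against the live file with `root_login_policy /etc/default/login`; "any-device" is the finding to act on, because it means the second password barrier described above does not exist for remote logins.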
Security Awareness
Being aware that security is an issue does not by itself constitute security awareness. Security awareness is
the understanding that computer security involves a number of aspects at different levels (physical, network,
host, application and user) and that only all of the levels together provide the security that is required.
Security Policies
A security policy is an unambiguous document that describes the framework for protecting the company's
assets and staff. It defines what is permitted and what is not permitted, as well as any tolerances. An
important aspect of a security policy is that it should clearly state one of two assumptions: either
everything that is not explicitly permitted is denied, or everything that is not explicitly denied is
permitted. The former (default deny) is the normal course of action.
A security policy reflects the specific security requirements of a company and should detail not only what
the policy covers, but also what it excludes. It must be explicit in the systems, buildings, networks, people
and media that are being protected by the policy and why they are important as well as how to protect them.
Another important aspect of a security policy is the procedure to follow if a security breach occurs. Many
policies merely lay down a number of rules but do not detail what happens if the rules are broken!
Every security policy should address the following topics in detail:
Policies and Procedures
Every company should have a security policy describing the rules for protecting the staff and assets. The
policy itself was defined above; here, its content and procedures are examined. A security policy needs to
contain the following information:
• Which assets are covered by the policy
• The reason for the assets to be protected
• Who is responsible for each asset
• How the asset is physically accessed
• The threats and risks to the asset
• Password selection criteria
• The applications and services that are available to be utilized and those that are not allowed (Internet chat rooms, games, download sites, for example)