Solaris 9 Security CX-310-301 15
- Unnecessary services and ports being available, allowing known vulnerabilities to be exploited
- The system giving out too much information to potential attackers
- No firewall implemented
- No logging of failed login attempts, which would indicate, for example, an attacker trying to guess
  passwords
- No auditing of operations, such as file deletions
User Trust
With any computer network, or computer system, there has to be an element of trust between the system
administrator and the user community. An employee, for example, is trusted to a certain extent because
he/she is working for the company. Also, effective computer security involves balancing the need for
security with permitting people to do their job. An overcautious security regime can have a dramatic effect
on productivity because it takes much longer to do even the simplest task.
Threat
A threat is something that could be deemed a potential target to an attacker. A good security policy should
identify the relevant threats to an organization, assess the likelihood of an attack being successful and also
establish the damage that could be caused (usually in financial terms).
Risk
There is always a chance that something might happen. The term “risk” is associated with the likelihood of
an event occurring, coupled with the impact that it would have if it did occur. In assessing a risk to an asset,
the outcome is normally one of four options:
- Acceptance – The cost of dealing with the risk might be too great, and the chances of it happening
  quite low. The risk can be accepted because nothing can be done to prevent it.
- Avoidance – Action can be taken to completely remove the risk.
- Reduction – Action can be taken to reduce the chances of the event happening, or at least to
  minimize its effect.
- Transfer – Move the risk to another system, which might be much more secure from external
  attackers. Sometimes this option can also involve taking out insurance, especially where the risk
  might be related to hardware theft.
Authentication and Privacy
This subsection describes a number of terms and concepts: