Information Security
Glossary A
This glossary contains industry standard and City specific IT terminology. The glossary
should be consulted when policy, issue papers, etc. are drafted to ensure consistent use of terms across the City.
Eavesdropping
Editor
Electronic Eavesdropping
Electronic Mail - E-mail
Encryption
End User
Eavesdropping
Listening to someone else's conversation. In its most basic form, it amounts to one person keeping within earshot of a conversation between two other persons, but in the security and IT worlds it extends to remote listening and recording devices, including the interception of telephone calls, fax transmissions, e-mails, data transmissions, data-scoping, and even radio scanning for mobile communications. The security implications for companies are primarily that user identification details or passwords can become known to criminally inclined individuals, or that confidential/sensitive information about the organization, its finances, or its activity plans may leak to competitors.
Editor
A program which allows a user to create, view, and amend the contents of certain types of files. There are several types of editor, the most common being text editors and hex (hexadecimal) editors. Editors work at the lowest level, either on ASCII text (text editor) or directly on disk contents (hex editor). Although text editors, e.g. Notepad in Windows®, are common, companies should give consideration to staff access to editors, particularly the more powerful types such as hex editors. A hex editor can do considerable damage to the contents of computer files, which may not be recoverable.
Electronic Eavesdropping
Electronic eavesdropping is the intentional interception or surveillance of communications - voice, data, fax, e-mail, mobile telephones, etc. - often for nefarious purposes.
Electronic Mail - E-mail
Electronic Mail - an electronically transmitted message which arrives as a computer file on your PC or on your organization's server. Originally conceived as a simple means of sending short messages from one computer to another, the Simple Mail Transfer Protocol (SMTP) was introduced without security in mind. Whilst standards have been agreed for attaching files to e-mail messages, be aware that such files can contain malicious code such as a virus. Use extreme caution when opening an e-mail message with an attachment, even if the e-mail is from someone you know; it is better to leave it unopened and enquire whether the e-mail is bona fide. If in doubt, destroy the e-mail and advise the sender that you have been unable to verify the authenticity of the attachment and ask what it contained. If the message is genuinely important, the sender will either make contact again or you have the option to send them an explanatory e-mail.
Why is e-mail insecure?
An e-mail message can purport to have been sent by a specific individual, but the message could have come from someone else entirely. Anyone can set up an e-mail address using anyone else's name as the sender; e.g. a Mr. Bill Clinton could easily set up an e-mail address such as George_Bush@hotmail.com. However, where e-mail comes from a company or organization, the user name is likely to have been set up centrally, making misrepresentation less likely.
Even where you have your own organization's domain name, e.g. email@myorganizationname.com, this too can be modified so that the "From" field in the e-mail is sent with a fallacious sender, all designed to deceive the recipient.
An e-mail message can be opened by anyone, not only the intended recipient. There is no authentication ensuring that only the intended recipients are able to read the mail. Like a postcard, an e-mail may be read by anyone who comes across it, either legitimately or otherwise.
Transmission of e-mail to its destination is not assured. The use of a "Read-Receipt" can be useful, especially for e-mail on Local Area Networks where network traffic stays within known boundaries. E-mail sent across the Internet, however, will pass through multiple computer nodes as it "hops" and "bounces" towards its destination address, and even if it reaches its destination mail server, delivery to the recipient may be delayed or may not occur at all. Therefore, when e-mail is sent, even using a Digital Certificate, certified delivery to the recipient(s) is lacking. Best practice is to request confirmation of safe receipt from the recipient(s).
It does not carry any legal validity. Unless sent using a Digital Signature, an e-mail does not carry the legal validity enjoyed by hard copy or a signed fax transmission. Even an e-mail sent using a Digital Signature cannot necessarily be relied upon legally, as it was only in 2000 that the US accepted that such e-mails could be used as legally binding documents.
Encryption
The process by which data is temporarily re-arranged into an unreadable or
unintelligible form for confidentiality, transmission, or other security
purposes.
End User
Usually reduced simply to User. The person who actually uses the hardware or
software that has been developed for a specific task.