Information Security

Glossary A


This glossary contains industry standard and City specific IT terminology. The glossary should be consulted when policy, issue papers, etc. are drafted to ensure consistent use of terms across the City.
PABX / PBX
A Private Automated Branch Exchange. The telephone network used by organizations to allow a single access number to offer multiple lines to outside callers, and to allow internal staff to share a range of external lines. All such exchanges are now automated, and it is common to refer to them as a simple 'PBX'.


Passwords - Choosing
The object when choosing a password is to make it as difficult as possible for a hacker (or even a business colleague) to guess or 'work out' your password. This leaves the hacker with no alternative but to (a) give up (which is what we want!) or (b) initiate a 'brute-force' search, trying every possible combination of letters, numbers, and other characters. A search of this sort, even processed on a computer capable of generating and testing thousands of passwords per second, could require many years to complete. So, in general, passwords should be safe; but only if you select them carefully.

Using only the standard English alphabet and numerals, a non-case-sensitive password of 6 characters offers over 2 million possible combinations. In case-sensitive password applications 'a' is not the same as 'A', which doubles the number of available characters. Thus, making that same 6-character password case-sensitive, and allowing the shifted version of the numerical keys, increases the number of combinations to approaching 140 million. Each additional character increases the number of combinations exponentially, and so a 7-character, case-sensitive password would offer over a billion combinations. A human user has virtually no chance of ever identifying a 6-character password which has been randomly generated and, obviously, even less chance of cracking a password of 8 or more characters.

What Not to Use

  • Don't use your login name in any form, e.g. 'as is', reversed, capitalized, doubled, etc.
  • Don't use your first or last name in any form.
  • Don't use your spouse's or partner's name, or that of one of your children.
  • Don't use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, your home or street name, etc.
  • Don't use a password of all digits, or all the same letter. This significantly decreases the search time for a hacker.
  • Don't use a word contained in the dictionary (English or foreign language), spelling lists, or other lists of words.
  • Don't ever use a password shorter than six characters.

What to Use

  • Use a password with mixed-case alphabetic characters.
  • Use a password with non-alphabetic characters, e.g., digits or punctuation.
  • Use a password that you are able to commit to memory, so you don't have to write it down.
  • Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
  • Be aware of dictionary-based off-line searches: hackers will often use a dictionary of common passwords to 'jump start' the cracking of your password. Instead of using passwords like "kwPpr*Kv8naiszf" or "2AW~#6k", many people still use simple, easy-to-remember passwords such as jackie1 or PeterS. So hackers don't bother with exhaustive searches of all combinations of random letters or characters, but use a rules-based password-cracking program. Therefore select a password that will be extremely hard to crack, and change it periodically too!
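As an added example, not part of the City's glossary: a short Python script that computes the search-space sizes the entry reasons about (characters available per position raised to the password length, with a worst-case brute-force time at an assumed fixed guess rate) and checks a candidate password against the 'What Not to Use' and 'What to Use' rules above. The word list is a constructed stand-in for a real dictionary or common-password list.

```python
import string

# Character-set sizes matching the glossary's own arithmetic
LOWER_ALNUM = 26 + 10                     # non-case-sensitive letters and digits
MIXED_ALNUM_SHIFTED = 26 + 26 + 10 + 10   # mixed case, digits, and the shifted digit keys

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case years for a brute-force search at an assumed fixed guess rate."""
    seconds = search_space(charset_size, length) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


# Constructed word list standing in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "jackie", "peters", "seattle", "welcome", "letmein"}


def password_problems(password, login_name, dictionary=COMMON_WORDS):
    """Return the glossary rules that `password` violates (empty list = passes)."""
    problems = []
    p = password.lower()
    login = login_name.lower()
    if len(password) < 6:
        problems.append("shorter than six characters")
    # lower() covers the 'capitalized' variant; check as-is, reversed and doubled
    if login and (login in p or login[::-1] in p or login * 2 in p):
        problems.append("contains login name (as is, reversed or doubled)")
    if password.isdigit():
        problems.append("all digits")
    if len(set(password)) == 1:
        problems.append("all the same character")
    # strip digits/punctuation so 'jackie1' still matches the dictionary word 'jackie'
    core = "".join(ch for ch in p if ch.isalpha())
    if core in dictionary:
        problems.append("dictionary word")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digits or punctuation")
    return problems


if __name__ == "__main__":
    for size, length in ((LOWER_ALNUM, 6), (MIXED_ALNUM_SHIFTED, 6), (MIXED_ALNUM_SHIFTED, 7)):
        print(size, length, search_space(size, length), years_to_exhaust(size, length, 1000))
    for candidate in ("jackie1", "PeterS", "2AW~#6k"):
        print(candidate, password_problems(candidate, "peters"))
```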


Passwords - Use and Best Practice
A string of characters input by a system user to substantiate their identity, and/or authority, and/or access rights, to the computer system that they wish to use. Passwords are central to all computer systems - even sophisticated systems employing fingerprints, voice recognition, or retinal scans.

Even having chosen an 'impossible to guess' password (see Passwords - Choosing), your management of the password will determine its effectiveness in safeguarding access to the system using your user ID and password. The following best practice guidelines should be observed.

  • Passwords must never (ever) be written down. The moment they are committed to a paper or a document, discovery of that paper will invalidate other security measures. A potential hacker may also witness the removal of the paper as you innocently review your password list, and this will then offer a simple target: obtain the paper and not only will 'this' password be available, but possibly those to other systems, credit card PIN numbers and perhaps your bank account, etc.
  • Passwords of key role holders - such as System and Network administrators - should be copied and held under dual control in a fire-resistant, secure location, to enable access to the system by an authorized person in the unavoidable absence of the password holder.
  • Passwords must be changed at regular intervals, and should be chosen privately by the individual users; although often issued initially by the IT people, the password must be changed immediately.
  • Password changes must be forced if necessary by implementing an expiry period after which a user's password will not be accepted, and the next attempt to log on by that user will result in a security flash to the system console.
  • No sensible system would allow a 'user' to remain on-line for up to two weeks trying all possible combinations; a lockout must be activated after a predetermined number of failed attempts or a fixed amount of time.

Patch
Similar to a 'Fix', a Patch is a temporary arrangement used to overcome software problems or glitches. A patch will normally be released as a 'quick fix' prior to the next formal release of the software. Patches are usually (but not always) available on-line from the vendor's Web site.

Caution: A patch will usually (but not always) be an incremental addition to an assumed software version, i.e. the patch will assume that the software already installed is version 'x'. It is critical that the patch is applied carefully and that the software version to which it applies is confirmed. Naturally, no software update should be performed without first having adequately tested the update. See System Testing.


Path
In IT systems, the path refers to the location of a file or directory on that system. On PCs using MS DOS® or Windows®, the path is as follows:

    driveletter:\directoryname\sub-directoryname\filename.suffix

In Microsoft Windows®, the term 'directory' is called a 'folder'; it is the same thing though!
Unix systems are similar but use a modified syntax, as follows:

    /directory/subdirectory/filename


Payload
The 'active' element of a virus. Some payloads are extremely malevolent, others merely childish, while yet others appear to have no real payload at all, simply reproducing or attaching themselves to existing files all over the place and filling up hard disks with clutter.


Penetration
Intrusion, trespassing, unauthorized entry into a system. Merely contacting a system or using a keyboard to enter a password is not penetration, but gaining access to the contents of the data files by these or other means does constitute Penetration.


Penetration Testing
The execution of a testing plan, the sole purpose of which is to attempt to hack into a system using known tools and techniques.


Perimeter Security
The ability to protect the outer limits of a network, or a physical area, or both.


Personally Identifiable Information
Specific data, elements of non-specific aggregate data, or other information which is tied to, or which otherwise identifies, an individual or provides information about an individual in a way that is reasonably likely to enable identification of a person as an individual and make personal information about them known.


Pharming
Similar in nature to e-mail phishing, pharming seeks to obtain personal or private (usually financial-related) information through domain spoofing. Rather than being spammed with malicious and mischievous e-mail requests for you to visit spoof Web sites which appear legitimate, pharming 'poisons' a DNS server by infusing false information into the DNS server, resulting in a user's request being redirected elsewhere. Your browser, however, will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail, while pharming allows the scammers to target large groups of people at one time through domain spoofing.


Phishing
The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information. For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a Web site look like a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with eBay legitimately.

Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hope that while most will ignore the bait, some will be tempted into biting.


Physical Security
Physical protection measures to safeguard the organization's systems, including but not limited to restrictions on entry to premises, restrictions on entry to the computer department and Tank, locking/disabling equipment, disconnection, fire-resistant and tamper-resistant storage facilities, anti-theft measures, anti-vandal measures, etc.


Ping
'Ping' stands for Packet Internet (or Inter-Network) Groper and is a packet (small message) sent to test the validity / availability of an IP address on a network. Technically, 'ping' is implemented using the Internet Control Message Protocol (ICMP). Maliciously sending large volumes of 'Pings' to cause difficulties for anyone else attempting to access that address is known as Smurfing.


PKI
Where encryption of data is required, perhaps between the organization's internal networks and between clients and representatives, a means of generating and managing the encryption keys is required. PKI, or Public Key Infrastructure, is the use and management of cryptographic keys - a public key and a private key - for the secure transmission and authentication of data across public networks.

Caution: Whilst the overall mechanisms and concepts are generally agreed, there are differences amongst vendors.
A public key infrastructure consists of:

  • A Certification Authority (CA) that issues and assures the authenticity of Digital Certificates. A Digital Certificate will include the public key or other information about the public key.
  • A Registration Authority (RA) that validates requests for the issuance of Digital Certificates. The Registration Authority will authorize the issuance of the keys to the requestor by the Certificate Authority.
  • A certificate management system. This will be a software application developed and provided by the vendor of the PKI system.
  • A directory where the certificates, together with their public keys, are stored; usually conforming to the X.500 standards.


Plain Text
Also known as ASCII text. Words and figures in unencrypted, unformatted, readable form.


Platform
Usually, nothing whatsoever to do with railway trains or stations! The term platform crept into IT jargon in the early 1990s and is now an accepted term in the vernacular. It refers to the hardware and, by implication, the Operating System of a certain type of computer.


Principle of Least Privilege
An operations principle that requires access privileges for any user to be limited to only what they need to have (nothing in addition) to be able to complete their assigned duties or functions.


Principle of Separation of Duties
An operations principle that requires that, whenever practical, no one person should be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse or other harm.


Privacy
An individual's right to be left alone; to withdraw from the influences of his or her environment; to be secluded, not annoyed, and not intruded upon; to be protected against the misuse or abuse of something legally owned by an individual or normally considered by society to be his or her property.


Privacy Statement
Sometimes referred to as a privacy policy, a privacy statement is posted on an organization's Web site to notify visitors of the types of information being collected and what will be done with the information.


Privilege
Privilege is the term used throughout most (if not all) applications and systems to denote the level of operator permission, or authority. Privilege can be established at the file or folder (directory) level and can allow (say) read-only access, but prevent changes. Privileges can also refer to the extent to which a user is permitted to enter and confirm transactions / information within the system. In many systems, the security features will offer the ability to implement dual control or automatic escalation to the next 'highest' level, to assist with Information Security compliance and best practice.

Privileges are established at 2 levels: firstly at the network level, where the level of privilege is established with respect to general access rights and permissions; secondly, at the application level, where the user's job function and responsibility will determine the level of privilege required.

In general, a user of an organization's systems should be offered no more than is necessary to perform the function required.


Process

  • A process, in business terms, refers to a series of linked tasks which, together, result in a specified objective. One can identify the Sales process, which could start with the identification of markets, through to prospecting, to making the sale and to the receipt of payment.
  • In computer terms, a process refers to one of dozens of programs which are running to keep the computer running. When you run a software program, a number of processes may be started. Take a look at the Windows Task Manager in Windows® NT or 2000® and select the 'Processes' tab. You may be surprised to see the number of processes running, each with its own Process ID number so that the operating system can track each one.


Production System
A (computer) system is said to be in production when it is in live, day-to-day operation. Systems which have been developed and tested are said to be 'migrated into production'.


Protocol
A set of formal rules describing how to transmit data, especially across a network. Low-level protocols define the electrical and physical standards to be observed, bit- and byte-ordering, and the transmission and error detection and correction of the bit stream. High-level protocols deal with the data formatting, including the syntax of messages, the terminal-to-computer dialogue, character sets, sequencing of messages, etc. Some examples of protocols are: TCP/IP, the protocol used on the Internet to send and receive information; and HTTP, used for Web page communications, which is built on top of TCP/IP.


Proxy Server
A proxy server is a computer server which acts in the place of individual users when connecting to Web sites. The proxy server receives requests from individual workstations and PCs and then sends these requests to the Internet. It then delivers the resultant information to the requesting PC on the network. When used in conjunction with a firewall, a proxy server's identity (and that of its connected PCs) is completely masked or hidden from other users. This is the manner in which secure sites operate.