Information Security
Glossary A
This glossary contains industry standard and City specific IT terminology. The glossary
should be consulted when policy, issue papers, etc. are drafted to ensure consistent use of terms across the City.
PABX / PBX
Passwords - Choosing
Passwords - Use and Best Practice
Patch
Path
Payload
Penetration
Perimeter Security
Personally Identifiable Information
Pharming
Phishing
Physical Security
Ping
PKI
Plain Text
Platform
Principle of Least Privilege
Principle of Separation of Duties
Privacy
Privacy Statement
Privilege
Process
Production System
Protocol
Proxy Server
PABX / PBX
A Private Automated Branch Exchange. The telephone network used by organizations
to allow a single access number to offer multiple lines to outside callers, and
to allow internal staff to share a range of external lines. All such exchanges
are now automated, and it is common to refer to them as a simple 'PBX'.
Passwords - Choosing
The object when choosing a password is to make it as difficult as possible
for a hacker (or even a business colleague) to guess or 'work out' your
password. This leaves the hacker with no alternative but to a) give up (which is
what we want!) or b) initiate a 'brute-force' search, trying every possible
combination of letters, numbers, and other characters. A search of this sort,
even processed on a computer capable of generating and testing thousands of
passwords per second, could require many years to complete. So, in general,
passwords should be safe; but only if you select them carefully.
Using only the standard English alphabet and numerals, a non-case-sensitive
password of 6 characters offers over 2 million possible combinations. In
case-sensitive password applications 'a' is not the same as 'A', which doubles
the number of available characters. Thus, making that same 6 character password
case-sensitive, and allowing the shifted version of the numerical keys, increases
the number of combinations to approaching 140 million. Each additional
character increases the number of combinations exponentially, and so a
7-character, case-sensitive password would offer over a billion combinations. A
human user has virtually no chance of ever identifying a 6-character password
which has been randomly generated and, obviously, even less chance of cracking a
password of 8 or more characters.
What Not to Use
Don't use your login name in any form e.g. 'as is', reversed,
capitalized, doubled, etc.
Don't use your first or last name in any form.
Don't use your spouse or partner's name; or that of one of your children.
Don't use other information easily obtained about you. This includes
license plate numbers, telephone numbers, social security numbers, the brand
of your automobile, your home or street name etc.
Don't use a password of all digits, or all the same letter. This
significantly decreases the search time for a hacker.
Don't use a word contained in the dictionary (English or foreign
language), spelling lists, or other lists of words.
Don't ever use a password shorter than six characters.
What to Use
Use a password with mixed-case alphabetic characters.
Use a password with non alphabetic characters, e.g., digits or
punctuation.
Use a password that you are able to commit to memory; so you don't have
to write it down.
Use a password that you can type quickly, without having to look at the
keyboard. This makes it harder for someone to steal your password by
watching over your shoulder.
Be aware of dictionary-based off-line searches: hackers will often use a
dictionary of common passwords to 'jump start' the cracking of your password.
Instead of using passwords like "kwPpr*Kv8naiszf" or "2AW~#6k", many people
still use simple, easy to remember passwords such as 'jackie1' or 'PeterS'. So
hackers don't bother with exhaustive searches for all combinations of random
letters or characters, but use a rules-based password cracking program.
Therefore select a password that will be extremely hard to crack, and change
it periodically too!
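The search-space arithmetic and the "What Not to Use" / "What to Use" rules above can be expressed as a small checker. The following Python is an added example written for this glossary entry; it is not code from the City or from the glossary itself. The character-set sizes (36, 62 and 72 symbols), the guess rate of 1000 per second and the short word list are constructed assumptions, and a real checker would load a full dictionary.

```python
import re

# Character-set sizes used in the entry above (constructed for this example).
ALNUM_NOCASE = 36        # a-z and 0-9, case-insensitive
ALNUM_CASE = 62          # a-z, A-Z and 0-9
ALNUM_CASE_SHIFTED = 72  # as above plus the ten shifted digit symbols !@#$%^&*()

# Small constructed word list standing in for the attacker's dictionary of
# common passwords; a real checker would load a full word list.
COMMON_WORDS = {"password", "jackie", "peter", "welcome", "summer", "letmein"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of `alphabet_size` symbols (the size of a brute-force search)."""
    return alphabet_size ** length


def exhaustive_search_years(alphabet_size: int, length: int,
                            guesses_per_second: float = 1000.0) -> float:
    """Worst-case years needed to try every combination at the given guess rate."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def _login_variants(login_name: str) -> set:
    """The login name 'as is' and reversed; capitalised and doubled forms are
    caught by the case-insensitive substring test in password_problems()."""
    name = login_name.lower()
    return {name, name[::-1]}


def password_problems(password: str, login_name: str = "",
                      personal_words=()) -> list:
    """Return the rules from the 'What Not to Use' / 'What to Use' lists that
    the password breaks. An empty list means the password passes every rule."""
    problems = []
    lower = password.lower()
    if len(password) < 6:
        problems.append("shorter than six characters")
    if login_name and any(v in lower for v in _login_variants(login_name)):
        problems.append("contains login name")
    for word in personal_words:  # names, plate numbers, phone numbers, ...
        if word and word.lower() in lower:
            problems.append(f"contains easily obtained information '{word}'")
    if password.isdigit():
        problems.append("all digits")
    if len(set(lower)) == 1:
        problems.append("all the same character")
    # 'jackie1' is still the dictionary word 'jackie' to a rules-based cracker.
    core = re.sub(r"\d+$", "", lower)
    if lower in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("dictionary word, with or without trailing digits")
    if password == lower or password == password.upper():
        problems.append("no mixed case")
    if password.isalpha():
        problems.append("no digits or punctuation")
    return problems


if __name__ == "__main__":
    for size, length in ((ALNUM_NOCASE, 6), (ALNUM_CASE_SHIFTED, 6), (ALNUM_CASE_SHIFTED, 7)):
        print(f"{length} chars from {size} symbols: {keyspace(size, length):,} combinations, "
              f"{exhaustive_search_years(size, length):,.1f} years at 1000 guesses/s")
    for candidate in ("jackie1", "PeterS", "111111", "2AW~#6k"):
        print(candidate, "->", password_problems(candidate, login_name="peters") or "ok")
```

The dictionary test strips trailing digits before the lookup because that is exactly the kind of rule a rules-based cracking program applies, so a checker that only compared the whole string would pass 'jackie1' while the cracker would not.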
Passwords - Use and Best Practice
A string of characters input by a system user to substantiate their identity,
and/or authority, and/or access rights, to the computer system that they wish to
use. Passwords are central to all computer systems - even sophisticated systems
employing fingerprints, voice recognition, or retinal scans.
Even having chosen an 'impossible to guess' password (see Passwords - Choosing),
your management of the password will determine its effectiveness in safeguarding
access to the system using your user ID and password. The following best
practice guidelines should be observed.
Passwords must never (ever) be written down. The moment
they are committed to a paper or a document, discovery of that paper will
invalidate other security measures. A potential hacker may also witness the
removal of the paper as you innocently review your password list, and this
will then offer a simple target; obtain the paper and not only will 'this'
password be available, but possibly those to other systems and credit card
PIN numbers and perhaps your bank account, etc.
Passwords of key role holders - such as System and Network administrators
- should be copied and held under dual control in a fire-resistant, secure
location, to enable access to the system by an authorized person in the
unavoidable absence of the password holder.
Passwords must be changed at regular intervals, and should be chosen
privately by the individual users; and although often issued initially by
the IT people, the password must be changed immediately.
Password changes must be forced if necessary by implementing an expiry
period after which a user's password will not be accepted and the next
attempt to log on by that user will result in a security flash to the system
console.
No sensible system would allow a 'user' to remain on-line for up to two
weeks trying all possible combinations, and a lockout must be activated
after a predetermined number of failed attempts or a fixed amount of time.
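The expiry and lockout rules in the last three guidelines above, as an added example in Python written for this entry (not the City's or the glossary's own code). The policy values (five failed attempts, a fifteen-minute lockout, a ninety-day expiry) are constructed assumptions, since the entry gives no figures, and the `console` list stands in for the system console that receives the security flash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy values are constructed for this example; the entry gives no figures.
MAX_FAILED_ATTEMPTS = 5                    # lockout after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60                  # how long the lockout lasts
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600  # expiry period after which the password is refused
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    password_set_at: float       # when the password was last changed (epoch seconds)
    failed_attempts: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen account table does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(username: str, password: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), password_set_at=now)


def change_password(account: Account, new_password: str, now: float) -> None:
    """Users choose their own replacement; an initial IT-issued password is replaced here too."""
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.password_set_at = now
    account.failed_attempts = 0


def attempt_login(account: Account, password: str, now: float, console: list) -> str:
    """Apply the lockout and expiry rules. Returns 'ok', 'denied', 'locked' or
    'expired'; security events are appended to `console` (the 'system console')."""
    if now < account.locked_until:
        console.append(f"{account.username}: login attempt while locked out")
        return "locked"
    presented = hash_password(password, account.salt)
    if not hmac.compare_digest(presented, account.password_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
            console.append(f"{account.username}: locked out after "
                           f"{MAX_FAILED_ATTEMPTS} failed attempts")
            return "locked"
        return "denied"
    account.failed_attempts = 0
    # The correct password is still refused once the expiry period has passed.
    if now - account.password_set_at > PASSWORD_MAX_AGE_SECONDS:
        console.append(f"{account.username}: expired password presented, change required")
        return "expired"
    return "ok"


if __name__ == "__main__":
    events = []
    acct = create_account("jsmith", "2AW~#6k", now=0.0)
    for guess in ("wrong", "wrong", "wrong", "wrong", "wrong", "2AW~#6k"):
        print(guess, "->", attempt_login(acct, guess, 60.0, events))
    print(attempt_login(acct, "2AW~#6k", PASSWORD_MAX_AGE_SECONDS + 1.0, events))
    print("\n".join(events))
```

The lockout check runs before the password is verified, so an attacker who keeps guessing during the lockout window learns nothing and only adds console events; the expiry check runs after verification, so a user with the right password is told to change it rather than simply being refused.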
Patch
Similar to a 'Fix', a Patch is a temporary arrangement used to overcome
software problems or glitches. A patch will normally be released as a 'quick
fix' prior to the next formal release of the software. Patches are usually (but
not always) available on-line from the vendor's Web site.
Caution: A patch will usually (but not always) be an incremental addition
to an assumed software version, i.e. the patch will assume that the software
already installed is version 'x'. It is critical that the patch is applied
carefully and that the software version to which it applies is confirmed.
Naturally, no software update should be performed without first having
adequately tested the update. See System Testing.
Path
In IT systems, the path refers to the location of a file or directory on that
system. On PCs using MS DOS® or Windows®, the path is as follows:
driveletter:\directoryname\sub-directoryname\filename.suffix
In Microsoft Windows®, the term 'directory' is called a
'folder'; it is the same thing though!
Unix systems are similar but use a modified syntax, as follows:
/directory/subdirectory/filename
Payload
The 'active' element of a virus. Some payloads are extremely malevolent,
others merely childish, while yet others appear to have no real payload at all,
simply reproducing or attaching themselves to existing files all over the place
and filling up hard disks with clutter.
Penetration
Intrusion, trespassing, unauthorized entry into a system. Merely contacting a
system or using a keyboard to enter a password is not penetration, but gaining
access to the contents of the data files by these or other means does constitute
penetration.
Penetration Testing
The execution of a testing plan, the sole purpose of which is to attempt to
hack into a system using known tools and techniques.
Perimeter Security
The ability to protect the outer limits of a network, or a physical area, or
both.
Personally Identifiable Information
Specific data, elements of non-specific aggregate data, or other information
which is tied to, or which otherwise identifies, an individual or provides
information about an individual in a way that is reasonably likely to enable
identification of a person as an individual and make personal information about
them known.
Pharming
Similar in nature to e-mail phishing, pharming seeks to obtain personal or private
(usually financial related) information through domain spoofing. Rather than being
spammed with malicious and mischievous e-mail requests for you to visit spoof Web
sites which appear legitimate, pharming 'poisons' a DNS server by infusing false
information into the DNS server, resulting in a user's request being redirected
elsewhere. Your browser, however will show you are at the correct Web site, which
makes pharming a bit more serious and more difficult to detect. Phishing attempts
to scam people one at a time with an e-mail while pharming allows the scammers to
target large groups of people at one time through domain spoofing.
Phishing
The act of sending an e-mail to a user falsely claiming to be an established legitimate
enterprise in an attempt to scam the user into surrendering private information that
will be used for identity theft. The e-mail directs the user to visit a Web site where
they are asked to update personal information, such as passwords and credit card, social
security, and bank account numbers, that the legitimate organization already has.
The Web site, however, is bogus and set up only to steal the user’s information. For example,
2003 saw the proliferation of a phishing scam in which users received e-mails supposedly
from eBay claiming that the user’s account was about to be suspended unless he clicked on
the provided link and updated the credit card information that the genuine eBay already had.
Because it is relatively simple to make a Web site look like a legitimate organization's site
by mimicking the HTML code, the scam counted on people being tricked into thinking they were
actually being contacted by eBay and were subsequently going to eBay’s site to update their
account information. By spamming large groups of people, the “phisher” counted on the e-mail
being read by a percentage of people who actually had listed credit card numbers with eBay legitimately.
Phishing, also referred to as brand spoofing or carding, is a variation on “fishing,”
the idea being that bait is thrown out with the hopes that while most will ignore
the bait, some will be tempted into biting.
Physical Security
Physical protection measures to safeguard the organization's systems,
including but not limited to restrictions on entry to premises, restrictions on
entry to computer department and Tank, locking/disabling equipment,
disconnection, fire-resistant and tamper-resistant storage facilities,
anti-theft measures, anti-vandal measures, etc.
Ping
'Ping' stands for Packet Internet (or Inter-Network) Groper and is a packet
(small message) sent to test the validity / availability of an
IP address on a network.
Ping is implemented with the Internet Control Message Protocol (ICMP): an
echo request is sent to the address and an echo reply is expected back.
Maliciously sending large volumes of 'Pings' to cause difficulties for anyone
else attempting to access that address is known as Smurfing.
PKI
Where encryption of data is required, perhaps between the organization's
internal networks and between clients and representatives, a means of generating
and managing the encryption keys is required. PKI, or Public Key Infrastructure,
is the use and management of cryptographic keys - a public key and a private
key - for the secure transmission and authentication of data across public
networks.
Caution: Whilst the overall mechanisms and concepts are generally
agreed, there are differences amongst vendors.
A public key infrastructure consists of:
A Certification Authority (CA) that issues and assures the
authenticity of Digital Certificates.
A Digital Certificate will include the public key or other information about
the public key.
A Registration Authority (RA) that validates requests for the issuance of
Digital Certificates. The Registration Authority will authorize the issuance
of the keys to the requestor by the Certificate Authority.
A certificate management system. This will be a software application
developed and provided by the vendor of the PKI system.
A directory where the certificates, together with their public keys, are
stored; usually conforming to the X.500 standards.
Plain Text
Also known as ASCII text. Words and figures in unencrypted, unformatted,
readable form.
Platform
Usually, nothing whatsoever to do with railway trains or stations! The term
platform crept into IT jargon in the early 1990s and is now an accepted term in
the vernacular. It refers to the hardware and, by implication, the Operating
System of a certain type of computer.
Principle of Least Privilege
An operations principle that requires access privileges for any user to be
limited to only what they need to have (nothing in addition) to be able to
complete their assigned duties or functions.
Principle of Separation of Duties
An operations principle that requires that whenever practical, no one person
should be responsible for completing or controlling a task, or set of tasks,
from beginning to end when it involves the potential for fraud, abuse or other
harm.
Privacy
An individual's right to be left alone; to withdraw from the influences of his or
her environment; to be secluded, not annoyed, and not intruded upon; to be
protected against the misuse or abuse of something legally owned by an
individual or normally considered by society to be his or her property.
Privacy Statement
Sometimes referred to as a privacy policy, a privacy statement is posted on an
organization's Web site to notify visitors of the types of information being
collected and what will be done with the information.
Privilege
Privilege is the term used throughout most (if not all) applications and
systems to denote the level of operator permission, or authority. Privilege can
be established at the file or folder (directory) level and can allow (say) Read
only access, but prevent changes. Privileges can also refer to the extent to
which a user is permitted to enter and confirm transactions / information within
the system. In many systems, the security features will offer the ability to
implement dual control or automatic escalation to the next 'highest' level, to
assist with Information Security compliance and best practice.
Privileges are established at 2 levels, firstly at the network level, where
the level of privilege is established with respect to general access rights and
permissions; secondly, at the application level where the user's job function
and responsibility will determine the level of privilege required.
In general, a user of an organization's systems should be offered no more than
is necessary to perform the function required.
Process
A process, in business terms, refers to a series of linked tasks, which
together, result in a specified objective. One can identify the Sales
process which could start with the identification of markets, through to
prospecting, to making the sale and to the receipt of payment.
In computer terms, a process refers to one of dozens of programs which
are running to keep the computer running. When you run a software program, a
number of processes may be started. Take a look at the Windows Task Manager
in Windows® NT or 2000 and select the 'Processes' tab. You may be
surprised to see the number of processes running, each with its own Process
ID number so that the operating system can track each one.
Production System
A (computer) system is said to be in production, when it is in live, day to
day operation. Systems which have been developed and tested are said to be
'migrated into production'.
Protocol
A set of formal rules describing how to transmit data, especially across a
network. Low level protocols define the electrical and physical standards to be
observed, bit- and byte-ordering and the transmission and error detection and
correction of the bit stream. High level protocols deal with the data
formatting, including the syntax of messages, the terminal to computer dialogue,
character sets, sequencing of messages etc. Some examples of protocols are
TCP/IP, the protocol used on the Internet to send and receive information, and
HTTP, used for Web page communications, which is part of the TCP/IP suite.
Proxy Server
A proxy server is a computer server which acts in the place of individual
users when connecting to Web sites. The proxy server receives requests from
individual workstations and PCs and then sends this request to the Internet. It
then delivers the resultant information to the requesting PC on the network.
When used in conjunction with a firewall, a proxy server's identity (and that
of its connected PCs) is completely masked or hidden from other users. This is
the manner in which secure sites operate.