Information Security
Glossary A
This glossary contains industry standard and City specific IT terminology. The glossary
should be consulted when policy, issue papers, etc. are drafted to ensure consistent use of terms across the City.
Sacrificial Host
Scope Creep
Screen Capture
Screen Savers
Scripts
Secure Area (on a system)
Secure Sockets Layer (SSL)
Security
Security Administrator
Security Breach
Security for Electronic Transactions - SET
Security Incident
Segregation of Duties
Server
Service Set Identifier (SSID)
Shareware
Shoulder Surfing
Simulation
Smart Card
Smurf / Smurfing
Sniffers
Social Engineering
Soft Copy
Softlifting
Software Licensing
Software Version Control
Source Code
Spam
Split Tunnel
Spoofing
Spyware
Stealth Bomb
Steganography
Stripping
Structured Query Language - SQL
System
System Administrator
System Operators
System Owners
System Software
Systems Development
Systems Operations
Sacrificial Host
A computer server placed outside an organization's Internet firewall (typically
in a DMZ) to provide a service that might otherwise compromise the security of
the internal network. It is expected that such a host may be attacked, so it
should hold no sensitive data and no credentials that are valid on the internal
network.
Scope Creep
Scope Creep is the expression used by project managers and/or vendors who are
under pressure to deliver ever more than what was originally agreed. Scope
creep normally results from a failure to establish the clear requirements of
the business users. As these begin to solidify, the scope of the original plan
can start to move - and continue to move. If the project manager is not alert to
this (all too common) phenomenon, the requirements will change constantly,
ensuring that the project spends years delivering nothing, as it is continually
reviewing and altering direction.
Screen Capture
Formal term for Screen Grabbing.
Screen Savers
Screen savers, originally created to save CRT screens from premature burn-in,
are now used both to protect the screen and to prevent casual shoulder surfing.
Screen savers have a useful and valid Information Security role. Used
correctly, they cut in after a period of inactivity, blank the screen from view
and require the user's (or a network administrator's) password to regain
access. Provided the screen saver is set to trigger after a short period of
inactivity (say, two minutes), and can also be invoked on demand by the user,
it provides a useful and effective means of deterring casual or opportunistic
incidents.
Scripts
In a programming context, scripts are programs written in a scripting language
which are run, or executed, by another program. For example, JavaScript is run
by the web browser on the user's PC. In the context of System Testing and User
Acceptance Testing, scripts are the pre-determined input data used to test the
system. Scripts should state not only the precise data to be input, but also the
expected response from the system. As User Acceptance Testing proceeds, the
results from running the scripts will be recorded, as will the overall system
conditions at the time, to allow developers to more easily debug errors.
Scripts can take the form of input data sheets for manual input, or can be a
series of files, the processing of which simulates the generation of
transactions across the network to the system. This latter approach can allow
for significant volumes to be processed. However, it is essential to
proceed carefully as errors can so easily compound making analysis a nightmare!
Secure Area (on a system)
Where an unknown file - e.g. one downloaded from the Internet - is to be
opened (and this is especially true for executable files, i.e. programs such as
.exe files), it must not be opened or executed in the normal filing space of
your live systems. A Secure Area - sometimes referred to as a 'sandpit' or
'sandbox' - is an area on a system which is totally shielded and/or isolated
from the potential impact of any code which is executed there. Whilst isolation
is a clear requirement, scanning software able to detect malicious code
activity must also be used, as Trojan code activity may otherwise go undetected.
Secure Sockets Layer (SSL)
A cryptographic protocol that encrypts data in transit between a client and a
server (most visibly in https:// web connections) and authenticates the server
by means of a Digital Certificate. SSL has been superseded by Transport Layer
Security (TLS); the original SSL protocol versions are deprecated and should be
disabled on City systems.
Security
An attribute of information systems which includes specific policy-based
mechanisms and assurances for protecting the confidentiality and integrity of
information, the availability and functionality of critical services and the
privacy of individuals.
Security Administrator
Individual(s) who are responsible for all security aspects of a system on a
day-to-day basis. The security administrator should be independent of both
development and operations staff and often holds the highest-privilege password
on the system, so that the most sensitive activities can only be undertaken
with a combination of both the System Administrator's and the Security
Administrator's top-level passwords.
Security Breach
A breach of security is where a stated organizational policy or legal
requirement regarding Information Security has been contravened. However, every
event which suggests that the Confidentiality, Integrity or Availability of
information has been inappropriately affected can be considered a Security
Incident.
Every security breach begins as a security incident; only once the incident is
confirmed does it become a security breach.
Security for Electronic Transactions - SET
SET was originally supported by companies such as MasterCard, VISA, Microsoft
and Netscape and provides a means for enabling secure transactions between
purchaser, merchant (vendor) and bank. The system is based upon the use of an
electronic wallet which carries details of the credit card, the owner and,
critically, a Digital Certificate.
SET defines its own cryptographic message formats rather than relying on SSL:
each party holds a certificate, and the transaction is digitally signed and
encrypted on each leg so that, for example, the merchant never sees the card
number in clear. SET was not widely adopted and is now obsolete; card payments
on the web instead rely on SSL/TLS between the browser and the merchant.
Security Incident
A security incident is an alert to the possibility that a breach of security
may be taking, or may have taken, place.
Segregation of Duties
A method of working whereby tasks are apportioned between different members
of staff in order to reduce the scope for error and fraud. For example, users
who create data are not permitted to authorize processing; Systems Development
staff are not allowed to be involved with live operations. This approach will not eliminate collusion between members of staff in
different areas, but is a deterrent. In addition, the segregation of duties
provides a safeguard to your staff and contractors against the possibility of
unintentional damage through accident or incompetence - 'what they are not able
to do (on the system) they cannot be blamed for'.
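The 'maker-checker' rule described above (the person who creates a record may not authorize it) is simple to enforce in software. The following is an added example, not code from the City or from any system this glossary describes; the users, roles and transactions are constructed for illustration, and the role names are assumptions.

```python
"""Maker-checker enforcement of segregation of duties.

Added example. The role table, user names and the pairs of roles treated as
incompatible are constructed for illustration; a real system would read role
assignments from its directory or access-control database."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed role assignments (user -> roles held).
ROLES: Dict[str, Set[str]] = {
    "alice": {"data_entry"},
    "bob": {"approver"},
    "carol": {"data_entry", "approver"},   # both duties on one person
    "dave": {"developer"},
}

# Pairs of roles a segregation-of-duties policy treats as incompatible.
INCOMPATIBLE: List[Tuple[str, str]] = [
    ("data_entry", "approver"),
    ("developer", "operator"),
]


class SegregationError(Exception):
    """Raised when an action would collapse two duties onto one person."""


@dataclass
class Transaction:
    ident: str
    created_by: str
    approved_by: Optional[str] = None
    history: List[Tuple[str, str]] = field(default_factory=list)


def require_role(user: str, role: str) -> None:
    if role not in ROLES.get(user, set()):
        raise SegregationError(f"{user} lacks role {role!r}")


def create(ident: str, user: str) -> Transaction:
    """Data-entry step: only a data_entry user may create a transaction."""
    require_role(user, "data_entry")
    tx = Transaction(ident, created_by=user)
    tx.history.append(("create", user))
    return tx


def approve(tx: Transaction, user: str) -> Transaction:
    """Authorization step: must be an approver AND not the creator."""
    require_role(user, "approver")
    if user == tx.created_by:
        raise SegregationError(
            f"{user} created {tx.ident} and may not approve it")
    tx.approved_by = user
    tx.history.append(("approve", user))
    return tx


def conflicting_assignments() -> List[Tuple[str, str, str]]:
    """List users holding two roles the policy deems incompatible.

    Per-transaction checks (above) still block such users from approving
    their own work, but the assignment itself should be reviewed."""
    found = []
    for user, roles in ROLES.items():
        for a, b in INCOMPATIBLE:
            if a in roles and b in roles:
                found.append((user, a, b))
    return found
```

The per-transaction check is what stops the fraud the entry describes; the role report is the periodic review that finds people who have accumulated conflicting duties over time.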
Server
A computer which supplies (serves) a network of client machines, such as desktop
PCs, with applications, data, messaging, communications, information, etc. The
term is replacing 'host' in many situations, since the processing power of a
modern server is such that one machine can meet the computing requirements of a
complete organization.
Service Set Identifier (SSID)
The network name shared among all computers and other devices in a wireless LAN
(WLAN). The SSID is an identifier, not a secret: it is transmitted in the clear,
and hiding it provides no real protection. Access control on a WLAN must rely on
its encryption and authentication settings.
Shareware
Software supplied on a 'try before you buy' basis. Shareware is produced by
software companies and independent programmers and supplied to users through a
variety of channels including magazine cover disks, e-mail, mail order, Internet
downloads, etc. The basic idea is that users will try out the software (which is
sometimes, but not always crippled or limited in some way) and will like it so
much that they will pay a relatively small registration fee to become an
authorized user of the unrestricted program.
Shareware has been very successful and several software houses have
established themselves as niche market leaders this way, but companies should
exercise caution in the use of such material. Shareware from independent
programmers has a reputation for being 'buggy', causing conflicts with other
software already installed on the computer, or simply failing to perform as
expected.
Companies with policies which permit the installation and use of such
material should restrict it to stand-alone test or development machines, where
the software's behavior and the program's claimed benefits can be examined
fully before a registered version is installed on live machines.
Shoulder Surfing
Looking over a user's shoulder as they enter a password. This is one of the
easiest ways of obtaining a password to breach system security. The practice is
not restricted to office computers, it is used wherever passwords, PINs, or
other ID codes are used.
Simulation
Simulation software - sometimes classed as a game, but more often
used in a business training or decision-making environment to replicate
situations from real life but without the risk. For example, an Air Traffic
Control simulation allows controllers to hone their skills without the risk
of a 'mid-air passenger exchange' or 'aluminium rain'. Similarly, FX traders
can deal without losing the organization a real fortune, and business
managers, economists, regulators etc. can follow the effects of their
decisions over a number of accounting periods in just a few hours. Good
packaged simulations are relatively rare, and specifically written versions
are expensive.
Exercises to simulate emergencies such as a major virus infection, or
sudden loss of system (achieved quite simply by the expedient method of
switching the system off!) can be extremely useful in monitoring
organization performance during the emergency as well as providing many
hours of frustration and/or amusement for management and staff. For the
organization, it is never a good time to run such an exercise, but the
lessons to be learned from such an exercise can prove invaluable should a
real emergency ever arise.
Smart Card
Smart cards look and feel like credit cards, but have one important
difference: they have a 'programmable' micro-chip embedded. Their uses are
extremely varied but, for Information Security, they are often used not only to
authenticate the holder, but also to present the range of functions associated
with that user's profile. Smart Cards will often have an associated PIN or
password to provide a further safeguard (something you have plus something you
know). The main benefits of using Smart Cards are that their allocation can be
strictly controlled, they are hard to forge, and they must be physically
inserted into a 'reader' to initiate the authentication process.
Smurf / Smurfing
A smurf attack is a Denial of Service attack which exploits features of the IP
protocol within the TCP/IP protocol suite, specifically ICMP 'ping' and directed
broadcast. The attacker sends a stream of ICMP echo requests ('pings') to the
broadcast address of a network, with the source address forged (spoofed) to be
that of the victim. Every host on that network answers, so the victim is flooded
with echo replies it never asked for, amplified by the number of responding
hosts, until it grinds to a halt and prevents anyone else from logging on. The
standard remedy is to configure routers not to forward directed broadcasts, so
that a network cannot be used as an amplifier. See Denial Of Service for
further information.
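From the victim's side the tell-tale sign is a burst of unsolicited echo replies from many different hosts aimed at one address. The following added example (not from the glossary or any City tool) scans constructed firewall-style log lines for that pattern; the log field names and RFC 5737 documentation addresses are assumptions, not any particular firewall's format.

```python
"""Flag smurf-style ICMP reply floods in firewall log lines.

Added example. The log format (ts proto=icmp type=N src=A dst=B) and the
sample lines below are constructed; adapt the regex to the real source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE = re.compile(
    r"^(?P<ts>\S+) proto=icmp type=(?P<type>\d+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)
ECHO_REPLY, ECHO_REQUEST = 0, 8


def parse(line: str) -> Optional[dict]:
    m = LINE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "type": int(m["type"]),
        "src": m["src"],
        "dst": m["dst"],
    }


def find_smurf_victims(lines: List[str], min_sources: int = 10,
                       window_s: int = 5) -> Dict[str, int]:
    """Return {victim: distinct_reply_sources} for hosts that receive echo
    replies from at least `min_sources` distinct hosts within `window_s`
    seconds. Only replies the victim never requested are counted, so normal
    ping traffic does not trigger the rule."""
    requested = defaultdict(set)   # host -> peers it sent echo requests to
    replies = defaultdict(list)    # dst -> [(ts, src)] of unsolicited replies
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["type"] == ECHO_REQUEST:
            requested[ev["src"]].add(ev["dst"])
        elif ev["type"] == ECHO_REPLY and ev["src"] not in requested[ev["dst"]]:
            replies[ev["dst"]].append((ev["ts"], ev["src"]))

    victims = {}
    for dst, events in replies.items():
        events.sort()
        best, j = 0, 0
        for i in range(len(events)):            # sliding time window
            while events[j][0] < events[i][0] - timedelta(seconds=window_s):
                j += 1
            best = max(best, len({src for _, src in events[j:i + 1]}))
        if best >= min_sources:
            victims[dst] = best
    return victims


# Constructed sample: one legitimate ping exchange, then 12 hosts on
# 192.0.2.0/24 all replying to 203.0.113.5 within three seconds.
SAMPLE_LINES = [
    "2024-03-01T10:00:00Z proto=icmp type=8 src=203.0.113.9 dst=198.51.100.7",
    "2024-03-01T10:00:00Z proto=icmp type=0 src=198.51.100.7 dst=203.0.113.9",
] + [
    f"2024-03-01T10:00:0{i % 3}Z proto=icmp type=0 src=192.0.2.{i} dst=203.0.113.5"
    for i in range(1, 13)
]
```

Thresholds are a tuning decision: on a busy network a handful of replies from many hosts is normal, so the distinct-source count and window should be set from observed baseline traffic rather than the constructed values here.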
Sniffers
A sniffer is a program which captures and analyses packets of data as they
pass across a network. They are used by network administrators who wish to
analyze loading across network segments, especially where they suspect that
spurious packets are 'bleeding' from one network to another. The other use of
sniffers is to capture data passing across a network; such data can include
user names and passwords. Crackers who deploy sniffers usually place them at a
strategic position, e.g. the gateway between the target system and another
network, through which all login names and passwords will pass. Having said
that, most modern systems encrypt the connection (e.g. with SSL/TLS or SSH)
before the username and password are transmitted, so the sniffer will not yield
such information 'on a plate'; protocols which still send credentials in clear
text, such as telnet, FTP and plain HTTP, remain exposed.
Social Engineering
Social engineering is a means by which information is extracted, usually
verbally, by someone impersonating a legitimate holder or user of the
information in question. Social engineering will often take place over the
telephone; here are some examples:
A 'senior member of staff' calls the IT support desk in a 'great hurry'
and has forgotten their password (and they need it now!)
A 'secretary' calls to inform that their superior needs to access some
information urgently but has forgotten the 'new' password.
A 'telephone engineer' calls to request details of the access number to
the computer system as they have received a fault log and they need to 'test
it'.
In response to a request from a 'colleague' to speak to Ms X, they are
advised that she is away for 3 days on business. To the caller, this
knowledge is indicative that Ms X's logon account to the system is unlikely
to be used during this period.
Soft Copy
A document created and saved on computer media rather than paper. The
transmission of 'soft copy' files between parties is now commonplace,
especially since de-facto standards have emerged for desktop tools such as
word processors and spreadsheets.
Softlifting
The piracy of software for individual use (as opposed to commercial
piracy for gain).
The process of interrogating computers on a network, to gather
intelligence on what software is being run on the machines. This can be a
useful tool for security administrators to check compliance with software
licenses, and identify unauthorized or inappropriate activity.
Software Licensing
The use of unlicensed software is illegal, and whilst the majority of
organizations would not condone it, the vast majority are believed to be using
unlicensed software to some extent. In many cases, software piracy occurs
unintentionally; for example a genuinely licensed program is copied for use on
multiple workstations.
It is common practice for software vendors to permit customers to 'try before
they buy'. In this case, they offer the software as 'shareware' and propose a
trial of, say, 30 days. At the expiry of the 30-day period, and depending
upon the ingenuity of the developer, the software may refuse to load without the
input of a valid license key; or it may continue to run as normal; or it may
require the user to repeatedly acknowledge the terms of the license.
Unlicensed software is a major threat to an organization's Information
Security because, not only does it jeopardize the legal position, it also
threatens the data held on such systems, as no support or security updates will
be provided.
The End User License Agreement - EULA is normally seen during the install
process of the software.
Software Version Control
Although not a global standard per se, software developers have a generally
agreed code of practice with regard to software versioning. In general, the
version number is made up of two or three numbers separated by dots, e.g.
(version) 1.2.1. This example indicates that the software is in its first major
release, its second point release and its first mini release or patch. Knowing
the exact version installed is also what allows an organization to tell whether
a published fix for a vulnerability has been applied.
Be cautious when using any software in its '1.0' release, even from the
largest names in the software industry, as this suggests that the software is
new and may not have undergone thorough testing and subsequent update.
Source Code
The actual program - as written by the programmer - which is compiled into
machine code (object code) which the computer can execute. Source code is the
intellectual property of the developer(s) and for many years commercial source
code was never released to users, only licensed for use. Possession of source
code is essential if an organization is to maintain and/or modify the software
without being reliant upon the original developer. There are now escrow
provisions in the agreements for major developments to protect users in the case
of a developer/supplier ceasing to trade.
Spam
Computer Spam is the electronic equivalent of Junk Mail.
Companies and individuals who specialized previously in Mail Shots through the
postal system have turned to Spam as a means of delivering (usually) worthless
messages at a fraction of the cost. Given the huge databases now
held on computers around the world, 'Spammers' can send literally hundreds of
thousands of messages for a few cents. Some companies consider this to
be a 'better' use of their marketing budgets than the traditional routes.
Spam is also a feature of Usenet, where individuals, who need to get out
more, post lengthy and irrelevant messages to dozens, if not hundreds, of groups
at a time, attracting considerable irritation, generating significant amounts of
angry message transmissions, and sometimes starting a Flame War.
Split Tunnel
Split tunneling defines how network traffic is handled at the remote end of a VPN tunnel. With a split tunnel, traffic bound for the City's network uses the VPN tunnel, while traffic bound for anywhere else is not sent to the City but is handled directly by the user's ISP. Without a split tunnel, all traffic from the remote computing device is sent through the VPN tunnel and handled by the City network. Whether a split tunnel is used is configurable in the VPN client. The security trade-off is that a split-tunneled device is connected to the City network and to an untrusted network at the same time, so a compromise of that device can be used as a bridge into the City network; a full tunnel avoids this at the cost of routing all of the user's traffic through the City.
Spoofing
Alternative term for Identity Hacking and Masquerading: the interception,
alteration and retransmission of data, or the forging of its apparent source
(such as an IP address or e-mail sender), in an attempt to fool the recipient.
Spyware
Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.
Stealth Bomb
A stealth bomb is a piece of malicious code that is disguised as something
else. It may be received as a 'normal' e-mail, or perhaps as an amusing screen
saver. Stealth bombs deliver their 'payload' surreptitiously and the results can
be both damaging to your system and also highly embarrassing. See
Malicious Code
for more detailed information.
Steganography
Steganography is the technique whereby a message, possibly encrypted, is
concealed within another medium. In the world of computing, this means that a
seemingly innocuous graphic or sound file (say) can conceal a message, which
could be used, for example, to smuggle confidential data out of an organization
in the course of corporate espionage. Unlike encryption, which hides the
content of a message, steganography hides the fact that a message exists at all.
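The commonest form of this in image files is least-significant-bit (LSB) embedding: each pixel byte is altered by at most one unit, which is invisible to the eye. The following added example (not from the glossary) implements it on a constructed byte buffer standing in for the pixel data of a grayscale image; the length-prefix framing is a design choice of this example, not a standard.

```python
"""Least-significant-bit (LSB) steganography on a raw 8-bit pixel buffer.

Added example, not from the glossary. SAMPLE_COVER is a constructed buffer
standing in for the pixel bytes of a grayscale image; the 32-bit length
prefix is this example's own framing."""

LENGTH_FIELD_BYTES = 4   # big-endian payload length precedes the message


def embed(cover: bytes, message: bytes) -> bytes:
    """Return a copy of `cover` whose least significant bits carry `message`.

    Each cover byte changes by at most 1, which is imperceptible in image
    data; that is what makes the hidden message hard to notice."""
    payload = len(message).to_bytes(LENGTH_FIELD_BYTES, "big") + message
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError(
            f"cover too small: need {len(bits)} bytes, have {len(cover)}")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # clear the LSB, then set it
    return bytes(out)


def _read_bits(buf: bytes, n_bytes: int, offset: int) -> bytes:
    """Reassemble n_bytes from the LSBs of buf starting at byte `offset`."""
    value = 0
    for i in range(n_bytes * 8):
        value = (value << 1) | (buf[offset + i] & 1)
    return value.to_bytes(n_bytes, "big")


def extract(stego: bytes) -> bytes:
    """Recover the message. Raises ValueError when the length field is not
    consistent with the buffer, i.e. this is probably not a stego buffer."""
    length = int.from_bytes(_read_bits(stego, LENGTH_FIELD_BYTES, 0), "big")
    start = LENGTH_FIELD_BYTES * 8
    if start + length * 8 > len(stego):
        raise ValueError("length field exceeds buffer; no valid payload")
    return _read_bits(stego, length, start)


def max_payload(cover_len: int) -> int:
    """Largest message (in bytes) a cover of cover_len bytes can carry."""
    return cover_len // 8 - LENGTH_FIELD_BYTES


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference between cover and stego (1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 4096 pseudo-pixel bytes, not a real image.
SAMPLE_COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
```

Because the change is so small, detection does not come from looking at the picture; it comes from statistics of the LSB plane or from comparing a suspect file against a known original, which is why controls on what leaves the network matter more than inspecting individual images.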
Stripping
Deliberately deleting files, records, or data, from a system. This can be an
authorized activity when, for example, duplicate files are identified and
removed from the system to reclaim the disk storage space they occupy. More
often, however, stripping is associated with the removal of records which
evidence some fraudulent or other criminal activity. It is not unusual for
Auditors, or Law Enforcement officers to find that the records they need for
their investigations are not there.
Deleted records can be recovered if the storage media are secured quickly
enough, but a skilled stripper can usually remove all trace of them before such
action can be taken. The only recourse then is to the backup files, where
(hopefully) copies can be obtained; this is one reason backups and audit logs
should be held where the users of the live system cannot alter them.
Structured Query Language - SQL
Structured Query Language, or SQL (pronounced 'S' 'Q' 'L' or 'Seekwul'), is a
type of programming language used to interact with a database. The language is
used both to update and to issue queries to the database. A query is a request
for information based upon specific criteria, e.g. 'output all our clients with
a sales turnover of more than $x sorted by region'.
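The glossary's example query, run against a small in-memory SQLite table, as an added example that is not part of the original glossary; the table, its rows and the column names are constructed. It shows the parameterised form, in which the '$x' criterion travels as a bound value, beside the string-built form that lets a caller-supplied value change the meaning of the query (SQL injection).

```python
"""'Output all our clients with a sales turnover of more than $x sorted by
region', against an in-memory SQLite table.

Added example; the clients table and its rows are constructed."""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, int]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (name TEXT, region TEXT, turnover INTEGER)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", [
        ("Acme Ltd", "North", 120000),
        ("Bolt plc", "South", 45000),
        ("Cane Co", "North", 99000),
        ("Dune Inc", "West", 250000),
    ])
    return conn


def clients_over(conn: sqlite3.Connection, threshold: int) -> List[Row]:
    """Safe form: the threshold is validated and passed as a bound parameter,
    so the database treats it as a value and never as part of the SQL text."""
    if not isinstance(threshold, int):
        raise TypeError("threshold must be an integer")
    return conn.execute(
        "SELECT name, region, turnover FROM clients "
        "WHERE turnover > ? ORDER BY region, name",
        (threshold,),
    ).fetchall()


def clients_over_unsafe(conn: sqlite3.Connection, threshold) -> List[Row]:
    """Unsafe form: the criterion is pasted into the statement. A caller-
    supplied string such as '0 OR 1=1' rewrites the WHERE clause and
    returns every row."""
    sql = ("SELECT name, region, turnover FROM clients "
           f"WHERE turnover > {threshold} ORDER BY region, name")
    return conn.execute(sql).fetchall()
```

Both functions give the same answer for an honest integer; they differ only when the criterion comes from an untrusted source, which is exactly when it matters.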
System
A network, computer, software package, or other entity for which there can be
security concerns.
System Administrator
Individuals who support
the operations and integrity of computing systems and their use. These
activities might include system installation, configuration, integration,
maintenance, security management, and problem analysis and recovery. In an
inter-networked computing environment, managing the computer network often is
their responsibility.
System Operators
Individuals within the City who are accountable for the operational decisions
about the use and management of a computing system. (See also, system owners).
System Owners
Individuals within the City who are accountable for the budget, management, and
use of one or more electronic information systems or electronic applications
that are associated with the City.
System Software
System software is the general term used to describe the many software
programs, drivers and utilities which together enable a computer system to
operate. One of the main components of system software is the operating system
of the computer, e.g. Microsoft Windows® 2000 Professional.
Systems Development
Systems Development is the term used to describe the function of designing,
coding, testing and updating software programs and other code e.g. scripts. The
roles within Systems Development, will be Systems Analysts and Programmers and
possibly other technical specialists.
Systems Operations
Systems Operations refers to a team, or possibly even a department within the IT
group, which is responsible for the running of the centralized systems and
networks.
Systems Operations personnel have three main types of duty. Firstly, they run
the day-to-day procedures for each of the main systems. Whilst these operations
may well be automated, a systems operator will execute and oversee the
operation. Secondly, they perform routine housekeeping procedures on the
systems, reviewing error logs and responding to any problems which occur day to
day. Thirdly, Systems Operations personnel run end-of-day and 'end of period'
(e.g. monthly) procedures, which include the creation of backup copies of all
the key data files across the systems.
From the above, it will be noted that Systems Operations do not concern
themselves with development, testing or the functionality of the various
software applications being run. Their task is focused upon maintaining maximum
'up-time' by keeping all systems and networks running efficiently.