
Information Security

Glossary S


This glossary contains industry standard and City specific IT terminology. The glossary should be consulted when policy, issue papers, etc. are drafted to ensure consistent use of terms across the City.

Sacrificial Host
Scope Creep
Screen Capture
Screen Savers
Scripts
Secure Area (on a system)
Secure Socket Layer (SSL)
Security
Security Administrator
Security Breach
Secure Electronic Transaction - SET
Security Incident
Segregation of Duties
Server
Service Set Identifier (SSID)
Shareware
Shoulder Surfing
Simulation
Smart Card
Smurf / Smurfing
Sniffers
Social Engineering
Soft Copy
Softlifting
Software Licensing
Software Version Control
Source Code
Spam
Split Tunnel
Spoofing
Spyware
Stealth Bomb
Steganography
Stripping
Structured Query Language - SQL
System
System Administrator
System Operators
System Owners
System Software
Systems Development
Systems Operations


Sacrificial Host
A computer server placed outside an organization's Internet firewall (typically in a 'demilitarized zone', or DMZ) to provide a service that might otherwise compromise the security of the internal network. Because it is expected to be attacked, a sacrificial host holds no sensitive data and is hardened and monitored accordingly.


Scope Creep
Scope Creep is the gradual, uncontrolled growth of a project's requirements beyond what was originally agreed. It normally results from a failure to establish the clear requirements of the business users at the outset: as those requirements begin to solidify, the scope of the original plan starts to move, and continues to move, leaving project managers and/or vendors under pressure to deliver ever more than was agreed. If the project manager is not alert to this (all too common) phenomenon, the requirements change constantly and the project spends years delivering nothing, as it is continually reviewing and altering direction.


Screen Capture
Formal term for Screen Grabbing.


Screen Savers
Screen savers, originally created to save the screen from premature CRT burn-out, are now used both to protect the screen and to prevent casual shoulder surfing. Screen savers have a useful and valid Information Security role. Used correctly, they cut in, blank the screen from view and require the user's (or an Administrator's) password to regain access. Provided the screen saver is set to trigger after (say) 2 minutes of inactivity, and can also be invoked on demand by the user, it provides a useful and effective means of deterring casual / opportunistic incidents. Note that a screen saver is only a security control when the 'require password on resume' option is enabled and enforced by policy; a screen saver that unlocks with a key press hides nothing.


Scripts
In a programming context, scripts are programs written in a scripting language that are run, or interpreted, by another program rather than being compiled to machine code; for example, JavaScript is run by the Web browser on the user's PC. In the context of System Testing and User Acceptance Testing, scripts are the pre-determined input data used to test the system. Scripts should state not only the precise data to be input but also the expected response from the system. As User Acceptance Testing proceeds, the results from running the scripts are recorded, as are the overall system conditions at the time, to allow developers to debug errors more easily.

Scripts can take the form of input data sheets for manual input, or can be a series of files, the processing of which simulates the generation of transactions across the network to the system. This latter approach can allow for significant volumes to be processed. However, it is essential to proceed carefully as errors can so easily compound making analysis a nightmare!


Secure Area (on a system)
Where an unknown file - e.g. one downloaded from the Internet - is to be opened (and this is especially true for any executable file, i.e. a .exe file or program), it must not be opened or executed in the normal filing space of your live systems. A Secure Area - more commonly called a 'sandbox' (sometimes a 'sand pit') - is an area on a system which is totally shielded and / or isolated from the potential impact of any code which is executed there. Isolation alone is not enough: scanning software able to detect malicious code activity must also be used, because Trojan code may do nothing visible while it runs and its activity would otherwise go undetected.


Secure Socket Layer (SSL)
A transmission protocol that encrypts data in transit and authenticates the server to the client using X.509 certificates. SSL was developed by Netscape and has been superseded by Transport Layer Security (TLS); all versions of SSL (and TLS 1.0 and 1.1) are deprecated and should be disabled in favour of TLS 1.2 or later. The 'SSL' name survives in everyday usage, e.g. 'SSL certificates' and the 'https' prefix in Web addresses.


Security
An attribute of information systems which includes specific policy-based mechanisms and assurances for protecting the confidentiality and integrity of information, the availability and functionality of critical services and the privacy of individuals.


Security Administrator
Individual(s) who are responsible for all security aspects of a system on a day-to-day basis. The security administrator should be independent of both development and operations staff and often holds the highest-power password on the system, in order that the most sensitive activities can only be undertaken with a combination of both the System Administrator's and the Security Administrator's top-level passwords.


Security Breach
A Security Breach is where a stated organizational policy or legal requirement regarding Information Security has been contravened. Any event which suggests that the Confidentiality, Integrity or Availability of information may have been inappropriately affected is a Security Incident. Every Security Breach begins as a Security Incident; only once the incident is confirmed to have contravened policy or the law does it become a Security Breach.


Secure Electronic Transaction - SET
SET was originally supported by companies such as MasterCard, VISA, Microsoft and Netscape and provides a means of enabling secure payment card transactions between purchaser, merchant (vendor) and bank. The system is based upon an electronic wallet which carries details of the credit card, the owner and, critically, a Digital Certificate issued to the cardholder. Unlike SSL, which only protects the link between the browser and the merchant, SET uses its own certificate-based message formats so that the merchant never sees the card details (which are encrypted for the bank alone) and the bank never sees the order details; a 'dual signature' binds the two halves of the transaction together. SET saw little real-world adoption, and in practice card payments on the Web are protected by SSL/TLS between the parties.


Security Incident
A security incident is an alert to the possibility that a breach of security may be taking, or may have taken, place.


Segregation of Duties
A method of working whereby tasks are apportioned between different members of staff in order to reduce the scope for error and fraud. For example, users who create data are not permitted to authorize processing; Systems Development staff are not allowed to be involved with live operations. This approach will not eliminate collusion between members of staff in different areas, but is a deterrent. In addition, the segregation of duties provides a safeguard to your staff and contractors against the possibility of unintentional damage through accident or incompetence - 'what they are not able to do (on the system) they cannot be blamed for'.


Server
A computer (often with more processing power, memory and storage than a desktop PC) which supplies (serves) a network of client machines such as desktop PCs with applications, data, messaging, communications, information, etc. The term has largely replaced 'host' since a single server is often sufficient to run the computing requirements of a complete organization. Because servers concentrate data and services, they are the primary targets for hardening, patching and monitoring.


Service Set Identifier (SSID)
The name shared among all computers and other devices in a wireless LAN (WLAN); a client uses it to select which network to join. The SSID is an identifier, not a secret: it is transmitted in the clear (and is easily discovered even when broadcast is switched off), so 'hiding' the SSID provides no real protection. Wireless security comes from encryption and authentication (WPA2 or later), not from the network name.


Shareware
Software supplied on a 'try before you buy' basis. Shareware is produced by software companies and independent programmers and supplied to users through a variety of channels including magazine cover disks, e-mail, mail order, Internet downloads, etc. The basic idea is that users will try out the software (which is sometimes, but not always crippled or limited in some way) and will like it so much that they will pay a relatively small registration fee to become an authorized user of the unrestricted program.

Shareware has been very successful and several software houses have established themselves as niche market leaders this way, but companies should exercise caution in the use of such material. Shareware from independent programmers has a reputation for being 'buggy', causing conflicts with other software already installed on the computer, or simply failing to perform as expected.

Companies with policies which permit the installation and use of such material should restrict it to stand-alone test or development machines, where the software's behavior and the program's claimed benefits can be examined fully before the registered version is installed on live machines.


Shoulder Surfing
Looking over a user's shoulder as they enter a password. This is one of the easiest ways of obtaining a password to breach system security. The practice is not restricted to office computers, it is used wherever passwords, PINs, or other ID codes are used.


Simulation

  • Simulation software - Sometimes classed as a game, but more often used in a business training or decision-making environment to replicate situations from real life, but without the risk! For example, an Air Traffic Control simulation allows controllers to hone their skills without the risk of a 'mid-air passenger exchange' or 'aluminium rain'. Similarly, FX traders can deal without losing the organization a real fortune, and business managers, economists, regulators etc. can follow the effects of their decisions over a number of accounting periods in just a few hours. Good packaged simulations are relatively rare, and specifically written versions are expensive.

  • Exercises to simulate emergencies such as a major virus infection, or sudden loss of a system (achieved quite simply by the expedient method of switching the system off!) can be extremely useful in monitoring organization performance during the emergency, as well as providing many hours of frustration and/or amusement for management and staff. For the organization, it is never a good time to run such an exercise, but the lessons to be learned from it can prove invaluable should a real emergency ever arise.


Smart Card
Smart cards look and feel like credit cards, but have one important difference: they have a programmable micro-chip embedded. Their uses are extremely varied but, for Information Security, they are often used not only to authenticate the holder but also to present the range of functions associated with that user's profile. Smart Cards will often have an associated PIN or password to provide a further safeguard (something you have combined with something you know). The main benefits of using Smart Cards are that their allocation can be strictly controlled, they are hard to forge, and they must be physically inserted into a reader to initiate the authentication process; for PKI-based cards, the private key is generated on the chip and never leaves it.


Smurf / Smurfing
A smurf attack is a denial of service attack that exploits features of the IP protocol within the TCP/IP protocol suite used for Internet communications. The attacker sends ICMP echo requests ('pings') to the broadcast address of a network, with the source address forged (spoofed) to be that of the victim. Every host on that network replies to the victim, so each packet the attacker sends is amplified into hundreds of replies. The victim's computer becomes so waylaid answering these fictitious replies that it grinds to a halt and prevents anyone else from logging on. The defence is for routers not to forward directed broadcasts, and for hosts to ignore echo requests sent to broadcast addresses. See Denial Of Service for further information.


Sniffers
A sniffer is a program which captures and analyses packets of data as they pass across a network. Sniffers are used by network administrators who wish to analyze loading across network segments, especially where they suspect that spurious packets are 'bleeding' from one network to another. The other use of sniffers is to capture data, which can include user names and passwords, from any network the sniffer can see. Crackers who deploy sniffers usually place them at a strategic position, e.g. at the gateway between the target system and another network, through which all the login names and passwords will pass. Having said that, most modern systems encrypt the username and password (and usually the whole session) before transmission, so a sniffer will not yield such information 'on a plate'; any protocol that still sends credentials in the clear (unencrypted HTTP Basic authentication, Telnet and FTP, for example) should be regarded as exposed wherever a sniffer could be placed.


Social Engineering
Social engineering is a means by which information is extracted, usually verbally, by someone impersonating a legitimate holder or user of the information in question. It will often take place over the telephone; here are some examples:

  • A 'senior member of staff' calls the IT support desk in a 'great hurry' and has forgotten their password (and they need it now!)
  • A 'secretary' calls to inform that their superior needs to access some information urgently but has forgotten the 'new' password.
  • A 'telephone engineer' calls to request details of the access number to the computer system as they have received a fault log and they need to 'test it'.
  • In response to a request from a 'colleague' to speak to Ms X, they are advised that she is away for 3 days on business. To the caller, this knowledge is indicative that Ms X's logon account to the system is unlikely to be used during this period.

Soft Copy
A document created and saved on computer media rather than paper. The transmission of 'soft copy' files between parties is now commonplace, especially since de-facto standards have emerged for desktop tools such as word processors and spreadsheets.


Softlifting:

  • The piracy of software for individual use (as opposed to commercial piracy for gain).
  • The process of interrogating computers on a network, to gather intelligence on what software is being run on the machines. This can be a useful tool for security administrators to check compliance with software licenses, and identify unauthorized or inappropriate activity.

Software Licensing
The use of unlicensed software is illegal, and whilst the majority of organizations would not condone it, the vast majority are believed to be using unlicensed software to some extent. In many cases, software piracy occurs unintentionally; for example, a genuinely licensed program is copied for use on multiple workstations.

It is common practice for software vendors to permit customers to 'try before they buy'. In this case, they offer the software as 'shareware' and propose a trial of, say, 30 days. At the expiration of the 30 day period, and depending upon the ingenuity of the developer, the software may refuse to load without the input of a valid license key, may continue to run as normal, or may require the continued pressing of a button to signify your understanding of the terms of the license.

Unlicensed software is a major threat to an organization's Information Security because, not only does it jeopardize the organization's legal position, it also threatens the data held on such systems, since no vendor support (including security patches) will be provided.

The End User License Agreement (EULA) is normally seen during the install process of the software.


Software Version Control
Although not a global standard per se, software developers follow a generally agreed code of practice with regard to software versioning (now formalised by many projects as 'Semantic Versioning'). In general, the version number is identified by two or three numbers, e.g. (version) 1.2.1. This example indicates that the software is in its first major release, its second point (minor) release and its first patch release. Note that the components are numbers, not decimal fractions: version 1.10 is later than version 1.9. Be wary of software in its '1.0' release, as this suggests that the software is new and may not have undergone thorough testing and subsequent update. Be cautious when using any software in its 1.0 release, even those from the largest names in the software industry!


Source Code
The actual program - as written by the programmer - which is compiled into machine code (object code) which the computer can execute. Source code is the intellectual property of the developer(s), and for many years commercial source code was never released to users, only licensed for use. Possession of source code is essential if an organization is to maintain and/or modify the software without being reliant upon the original developer. There are now escrow provisions in the agreements for major developments to protect users in the case of a developer/supplier ceasing to trade.


Spam
Computer Spam is the electronic equivalent of Junk Mail. Companies and individuals who specialized previously in Mail Shots through the postal system have turned to Spam as a means of delivering (usually) worthless messages at a fraction of the cost. Given the huge databases now held on computers around the world, 'Spammers' can send literally hundreds of thousands of messages for a few cents. Some companies consider this to be a 'better' use of their marketing budgets than the traditional routes.

Spam is also a feature of Usenet, where individuals, who need to get out more, post lengthy and irrelevant messages to dozens, if not hundreds, of groups at a time, attracting considerable irritation, generating significant amounts of angry message transmissions, and sometimes starting a Flame War.


Split Tunnel
Split tunneling describes how network traffic is handled at the remote end of a VPN tunnel. With a split tunnel, traffic bound for the City's network uses the VPN tunnel and traffic bound for anywhere else is not sent to the City, but is handled directly by the user's ISP. Without a split tunnel, all traffic from the remote computing device is sent through the VPN tunnel and handled (and filtered) by the City network. A split tunnel is more efficient, but it means the remote computer is connected to the open Internet and to the City network at the same time, so a compromise of that computer can be used as a bridge into the City network. Whether split tunneling is used is a setting in the VPN client configuration, normally dictated by the policy pushed from the City's VPN gateway rather than left to the user.


Spoofing:

  • Alternative term for Identity Hacking and Masquerading: pretending to be another user, host or system, e.g. by forging the source address of a network packet or the sender address of an e-mail.
  • The interception, alteration, and retransmission of data (in an attempt) to fool the recipient.

Spyware
Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.


Stealth Bomb
A stealth bomb is a piece of malicious code that is disguised as something else. It may be received as a 'normal' e-mail, or perhaps as an amusing screen saver. Stealth bombs deliver their 'payload' surreptitiously and the results can be both damaging to your system and also highly embarrassing. See Malicious Code for more detailed information.


Steganography
Steganography is the technique whereby a message, possibly encrypted, is concealed within another medium so that the very existence of the message is hidden (in contrast to cryptography, which hides only its content). In the world of computing, this means that a seemingly innocuous graphic or sound file (say) can conceal a message, which could be used, for example, to smuggle confidential data out of an organization in an act of corporate espionage.
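Added example (not from the glossary, and not a tool the City uses): least-significant-bit steganography, the simplest form of what the entry describes, implemented in Python over raw 8-bit sample values. The 'cover' is a constructed 1,024-byte gradient standing in for the pixel data of a greyscale image; with a real file you would operate on the decoded pixel array of an uncompressed format, since lossy compression such as JPEG destroys the low bits. The message is prefixed with its length so the extractor knows where to stop.

```python
def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(cover, message):
    """Overwrite the least-significant bit of successive cover bytes with a length-prefixed message."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, message needs {len(payload)}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit     # each sample changes by at most 1
    return bytes(stego)

def _read(stego, byte_offset, count):
    """Reassemble `count` hidden bytes from the LSBs, starting at an index into the hidden stream."""
    out = bytearray()
    for k in range(count):
        value = 0
        for bit_index in range(8):
            value = (value << 1) | (stego[(byte_offset + k) * 8 + bit_index] & 1)
        out.append(value)
    return bytes(out)

def extract(stego):
    """Recover a message embedded by embed(): read the 4-byte length, then that many bytes."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    return _read(stego, 4, length)

def max_sample_change(cover, stego):
    """How far any sample moved: the reason LSB embedding is invisible to the eye."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: a 32x32 greyscale gradient (1,024 samples), not a real image.
COVER = bytes((x * 8 + y) % 256 for x in range(32) for y in range(32))
MESSAGE = b"Q3 forecast attached"   # 20 bytes, 24 with the length prefix, so 192 samples are used

if __name__ == "__main__":
    hidden = embed(COVER, MESSAGE)
    print("recovered:", extract(hidden))
    print("largest change to any sample:", max_sample_change(COVER, hidden))
```

Invisible is not the same as undetectable: the embedded region has the message's bit statistics rather than the image's, which is exactly what steganalysis tools look for, and which is why a data-loss-prevention control should not rely on eyeballing attachments.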


Stripping
Deliberately deleting files, records, or data from a system. This can be an authorized activity when, for example, duplicate files are identified and removed from the system to reclaim the disk storage space they occupy. More often, however, stripping is associated with the removal of records which evidence some fraudulent or other criminal activity. It is not unusual for auditors or law enforcement officers to find that the records they need for their investigations are not there.

Deleted records can be recovered if the storage media are secured quickly enough, but a skilled attacker can usually remove all trace of them before such action can be taken. The only recourse then is to backup copies, where (hopefully) the records can be obtained; this is one reason backups should be held where the same person cannot alter them.


Structured Query Language - SQL
Structured Query Language, or SQL (pronounced 'S' 'Q' 'L' or 'sequel'), is a programming language used to interact with a relational database. The language is used both to update the database and to issue queries to it. A query is a request for information based upon specific criteria, e.g. 'output all our clients with a sales turnover of more than $x sorted by region'. Because SQL statements are frequently built from user-supplied values, applications must keep those values separate from the statement text (parameterised queries); otherwise an attacker can supply SQL of their own, a class of attack known as SQL injection.
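An added example in Python with the standard sqlite3 module (not the City's code): the glossary's own query, 'clients with turnover above $x sorted by region', written twice. The first version splices the caller's value into the statement text; the second binds it as a parameter so it can never be read as SQL. The clients and users tables, their rows and the injected input are all constructed for the example.

```python
import sqlite3

def build_db():
    """In-memory database with constructed sample data (not real clients or users)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE clients (name TEXT, region TEXT, turnover INTEGER);
        INSERT INTO clients VALUES ('Acme', 'North', 120000),
                                   ('Bolt', 'South', 40000),
                                   ('Cyan', 'North', 95000);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', '$2b$12$constructed-hash-for-example');
    """)
    return conn

def clients_over_vulnerable(conn, threshold):
    """VULNERABLE: the threshold becomes part of the SQL text, so it can rewrite the query."""
    sql = ("SELECT name, region, turnover FROM clients WHERE turnover > "
           + str(threshold) + " ORDER BY region, name")
    return conn.execute(sql).fetchall()

def clients_over(conn, threshold):
    """SAFE: the threshold is bound as a parameter; the statement's structure is fixed."""
    sql = "SELECT name, region, turnover FROM clients WHERE turnover > ? ORDER BY region, name"
    return conn.execute(sql, (threshold,)).fetchall()

# Constructed attacker input: satisfies the comparison, appends a second SELECT against a
# table the query was never meant to touch, and comments out the rest of the statement.
INJECTION = "0 UNION SELECT username, password_hash, 0 FROM users --"

if __name__ == "__main__":
    db = build_db()
    print(clients_over(db, 50000))                  # the intended report
    print(clients_over_vulnerable(db, INJECTION))   # leaks the users table alongside the clients
    print(clients_over(db, INJECTION))              # no rows: the text is compared as a value
```

In the safe version the injected string is simply a value that no integer turnover exceeds (SQLite orders numbers before text), so the query returns nothing; validating that the threshold is a number before the call is still good practice, but the parameter binding is what removes the vulnerability.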


System
A network, computer, software package, or other entity for which there can be security concerns.


System Administrator
Individuals who support the operations and integrity of computing systems and their use. These activities might include system installation, configuration, integration, maintenance, security management, and problem analysis and recovery. In an inter-networked computing environment, managing the computer network is often their responsibility as well.


System Operators
Individuals within the City who are accountable for the operational decisions about the use and management of a computing system. (See also System Owners.)


System Owners
Individuals within the City who are accountable for the budget, management, and use of one or more electronic information systems or electronic applications that are associated with the City.


System Software
System software is the general term used to describe the many software programs, drivers and utilities which together enable a computer system to operate. One of the main components of system software is the operating system of the computer, e.g. Microsoft Windows® 2000 Professional.


Systems Development
Systems Development is the term used to describe the function of designing, coding, testing and updating software programs and other code, e.g. scripts. The roles within Systems Development will be Systems Analysts and Programmers, and possibly other technical specialists.


Systems Operations
Systems Operations refers to a team, or possibly even a department within the IT group, which is responsible for the running of the centralized systems and networks.

Systems Operations personnel have three main types of duty. Firstly, they run the day-to-day procedures for each of the main systems; whilst these operations may well be automated, a systems operator will execute and oversee the operation. Secondly, they perform routine housekeeping procedures on the systems, reviewing error logs and responding to any problems which occur day to day. Thirdly, Systems Operations personnel run end-of-day and 'end-of-period' (e.g. monthly) procedures, which include the creation of backup copies of all the key data files across the systems.

From the above, it will be noted that Systems Operations do not concern themselves with development, testing or the functionality of the various software applications being run. Their task is focused upon maintaining maximum 'up-time' by keeping all systems and networks running efficiently.