Information Security
Glossary A
This glossary contains industry-standard and City-specific IT terminology. The glossary
should be consulted when policy, issue papers, etc. are drafted, to ensure consistent use of terms across the City.
Data Custodians
Data / Information
Data Encryption
Data Mining
Data Storage Device
Database
Database Administrator - DBA
Debug
Deciplegic
Decryption
Default Password
Denial of Service
DES / AES
Desktop
Dial-up
Digital
Digital Certificate
Digital Signature
Digital Subscriber Line (DSL)
Digital Versatile Disk - DVD
Digital Watermark
Disable
Disaster Recovery Plan - DRP
Distributed Processing
DMZ
DNS
Domain Name
Dongle
Driver
Dual Homing
Due Care
Dynamic Host Configuration Protocol (DHCP)
Data Custodians
Individuals who have been officially designated as being accountable for
protecting the confidentiality of specific data that is transmitted, used, and
stored on a system or systems within a department or administrative agency of
the City.
Data / Information
In the area of Information Security, data (and the individual elements that
comprise the data) is processed, formatted and re-presented, so that it gains
meaning and thereby becomes information. Information Security is concerned with
the protection and safeguard of that information which, in its various forms can
be identified as Business Assets or Information Assets. The terms data and
information can be used somewhat interchangeably; but, as a general rule,
information always comprises data, but data is not always information.
Data Encryption
Data encryption is a means of scrambling the data so that it can only be read
by the person(s) holding the 'key' - a password of some sort. Without the 'key',
the cipher cannot be broken and the data remains secure. Using the key, the
cipher is decrypted and the data is returned to its original value or state.
Each time one wishes to encrypt data, a key from the 72,000,000,000,000,000
possible key variations is randomly generated and used to encrypt the data.
The same key must be made known to the receiver if they are to decrypt the data.
Data Mining
Data Mining is the analysis of corporate data, for relationships and
correlations which have yet to be discovered. Such relationship discoveries
can identify significant marketing opportunities to target specific client
segments. The term Data mining was coined by IBM who hold some related
patents.
Spending numerous hours combing the Internet looking for specific pieces
of information, and finding everything except what you are looking for!
Data Storage Device
A device that may or may not have intelligence that is connected to the City network via a network port, or by insertion into a computing device port that is connected to the network. These devices are generally used for data storage.
Database
A collection of files, tables, forms,
reports, etc., held on computer media that have a predictable relationship with
each other for indexing, updating, and retrieval purposes.
Database Administrator - DBA
A 'DBA' is a highly technical person who has
specialized in the development
and maintenance of databases and database applications. The DBA is responsible
for ensuring that all housekeeping routines are performed on the database, which
may include designing and maintaining the structure and content of the (many)
tables which together form the database, and the relationships between these
tables. In addition, the DBA will usually be specialized in writing reports and
querying the database, usually using Structured Query Language - or SQL.
Debug
To trace and fix faults (bugs) in computer software and, occasionally, hardware.
The term derives from the same source as Bug.
Deciplegic
Mouse Potato suffering from Trigger Finger.
Decryption
The process by which encrypted data is
restored to its original form in order to be understood/usable by another
computer or person.
Default Password
The password installed by a manufacturer and required to access a computer
system when it is initially delivered, or a password required by software
(typically shareware) to prove that the user is registered with the software
vendor. Default passwords are not normally encountered on new PCs and have
become relatively rare, but, in cases where such a password has been installed,
the new owner of the equipment should change it at the earliest opportunity, to
avoid it being known to third parties.
There is a range of default passwords known to everyone, and these are the
first ones tried by anyone hacking into, or merely attempting opportunistic
access to, a system. Such passwords as 'password', '123456' and ' ' i.e. blank (nothing) must
be changed immediately. If you have one of these or similar passwords, please
change it now. RUSecure™ will still be here when you have finished!
Denial of Service
A Denial of Service (DoS) attack is an Internet attack against a Web site
whereby a client is denied the level of service expected. In a mild case, the
impact can be unexpectedly poor performance. In the worst case, the server can
become so overloaded as to cause a crash of the system.
DoS attacks do not usually have theft or corruption of data as their primary
motive and will often be executed by persons who have a grudge against the
organization concerned. The following are the main types of DoS attack:
Buffer Overflow Attack. Data is sent to the server at a rate
and volume that exceeds the capacity of the system, causing errors.
SYN Attack. This takes place when connection requests to the server
are not properly responded to, causing a delay in connection. Although these
failed connections will eventually time out, should they occur in volume,
they can deny access to other legitimate requests for access.
Teardrop Attack. The exploitation of a feature of the TCP/IP
protocol whereby large packets of data are split into 'bite sized chunks',
with each fragment being identified to the next by an 'offset' marker. Later
the fragments are supposed to be re-assembled by the receiving system. In
the teardrop attack, the attacker enters a confusing offset value in the
second (or later) fragment, which can crash the recipient's system.
Smurf Attack or Ping Attack. This is where an illegitimate 'attention
request' or Ping is sent to a system, with the return address being
that of the target host (to be attacked). The intermediate system responds
to the Ping request, but its response goes to the unsuspecting victim system. If the
receipt of such responses becomes excessive, the target system will be
unable to distinguish between legitimate and illegitimate traffic.
Viruses. Viruses are not usually targeted but, where the host server
becomes infected, it can cause a Denial of Service; or worse.
Physical Attacks. A physical attack may be little more than cutting
the power supply, or perhaps the removal of a network cable.
DES / AES
DES (the Data Encryption Standard) and AES (the Advanced Encryption Standard)
are both data encryption standards for the scrambling of data to protect its
confidentiality.
DES was developed by IBM in co-operation with the American National Security
Agency and published in 1974. It has become extremely popular and, because it
used to be so difficult to break, with 72,000,000,000,000,000 possible key
variations, was banned from export from the USA. However, restrictions by the US
Government on the export of encryption technology were lifted in 2000 to the
countries of the U.S. and a number of other countries.
AES is a state-of-the-art algorithm
(developed by Rijndael), chosen by the United States National Institute of
Standards and Technology on October 2, 2000. Although selected, it will not
become officially "approved" by the US Secretary of Commerce until Q2 2001.
Meanwhile, products are already available which use the Rijndael algorithm
within AES encryption tools.
Desktop
Verbal shorthand for Desktop Personal Computer, normally used to
differentiate such a system from a 'Laptop' or portable PC.
In Windows 95®, and later releases, the screen visible on the computer
monitor is known as the desktop and can be used to store programs and data
as if it were a normal directory/folder. It is generally considered better
practice to use the desktop as a place to store links to files and programs,
rather than the files and programs themselves. This is partly because of the
risk of accidental deletion, but - more importantly to companies - to avoid
such files being visible to any curious passer-by.
Dial-up
A method of communicating via telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates back into digital signals to be read by a computer on the other end.
Digital
Employing the binary system of numbers (1 and 0 only) for processing
purposes.
Digital Certificate
A digital certificate is the electronic version of an ID card that
establishes your credentials and authenticates your connection when performing
e-Commerce transactions over the Internet, using the World Wide Web. To obtain
a Digital Certificate, an organization must apply to a Certification Authority,
which is responsible for validating and ensuring the authenticity of the
requesting organization. The Certificate will identify the name of the
organization, a serial number, the validity date ("from / to") and the
organization's Public Key where encryption to / from that organization is
required. In addition, the Digital Certificate will also contain the
Digital Signature of the Certification Authority to allow any recipient to
confirm the authenticity of the Digital Certificate.
A global standard (X.509 Public Key Infrastructure for the Internet) defines
the requirements for Digital Certificates and the major Certificate Authorities
conform to this. Such standards, and the integrity of the Certificate
Authorities, are vital for the establishment of 'digital trust', without which
e-Commerce will never attain its potential.
Digital Signature
A digital signature is an electronic equivalent of an individual's signature.
It authenticates the message to which it is attached and validates the
authenticity of the sender. In addition, it also provides confirmation that the
contents of the message to which it is attached have not been tampered with en
route from the sender to the receiver.
A further feature is that an e-mail 'signed' with a digital signature cannot
easily be repudiated; i.e. the sender is not able to deny the sending and the
contents of the message; plus it provides a digital time stamp to confirm the
time and date of transmission.
For a digital signature to be recognized, and acknowledged as something of
integrity, it needs to be trusted by the recipient. It is for this reason that a
Certification Authority will supply a digital signature to persons whose
identity it has been able to verify; perhaps by having an Attorney's stamp on a
document which validates the applicant's name, address, date of birth etc.
To provide greater digital trust, the Digital Signature is packaged with the
certificate of the Certification Authority, and this too may be inspected for
validity and expiration.
Most people expect digital signatures to totally replace the use of the ('old
fashioned') pen and ink signature, with orders and authorities being accepted via
digitally signed e-mails, the contents of which may, or may not, be encrypted
for additional security.
Digital Subscriber Line (DSL)
A form of high speed Internet access competing with cable modems. DSL works over standard telephone lines and supports data speeds of over 1.5 Mbps downstream (to the user) and slower speeds upstream (to the Internet).
Digital Versatile Disk (DVD)
Currently, these optical storage disks are being pioneered by the entertainment
business; notably because the DVD is able to store a full length feature movie
on a single CD size disk, with faithful reproduction of visual and audio
quality. DVD, with a capacity (using both sides of the disk) of approx. 17GB,
will doubtless replace the present CDs / CD-ROMs with their 'modest' 670MB
capacity. At present consumer models are read only, but they will soon offer
full record capability with integration into information systems.
Digital Watermark
A unique identifier that becomes part of a digital document and cannot be
removed. The watermark is invisible to the human eye but a computer can analyze
the document and extract the hidden data. Digital watermarks are being used for
Classified/Top Secret documents - usually Military/Governmental - and highly
confidential commercial material. The primary use of such marks is to allow
different marks to be used when the document is copied to different persons and
thereby establish an Audit Trail should there be any leakage of information.
Disable
The process by which hardware or software is deliberately prevented from
functioning in some way. For hardware, it may be as simple as switching off a
piece of equipment, or disconnecting a cable. It is more commonly associated
with software, particularly shareware or promotional software, which has been
supplied to a user at little or no cost, to try before paying the full purchase
or registration fee. Such software may be described as 'crippled' in that
certain functions, such as saving or printing files are not permitted. Some
in-house development staff may well disable parts of a new program, so that the
user can try out the parts which have been developed, while work continues on
the disabled functions. Disabling is also often used as a security measure, for
example the risk of virus infection through the use of infected floppy diskettes
can be greatly reduced, by disconnecting a cable within the PC, thereby
disabling the floppy drive. Even greater protection is achieved by removing the
drive altogether, thereby creating a diskless PC.
Disaster Recovery Plan
The master plan needed by technical and non-technical staff to cope with a
major problem - such as the Boeing Syndrome. Do not confuse and merge the DRP with the
Business Continuity Plan. The DRP is the plan which is
activated when there is an emergency. It is the plan which ensures that health
and safety come first followed by damage limitation. Having contained the impact
of the disaster, and having ensured that the situation is now under control e.g.
through the Emergency Services, then the Business Continuity Plan will be
activated.
One of the most difficult aspects of a DRP is agreeing when it should be
activated. In some circumstances it will be clear. For example, a tornado
destroys part of the office block; or a serious fire reduces the premises to
ashes. However, on many occasions, disasters have multiple warnings or
indicators, and it is these which need to be considered and identified as the
triggers to invoke your DRP.
N.B. The skills required to prepare and manage a DRP are not necessarily
the same as those required for a Business Continuity Plan.
Distributed Processing
Spreading the organization's computer processing load between two or more
computers, often in geographically separate locations. If an organization has the
necessary financial and technical resources, distributed processing, with
mirroring between sites, is an excellent contingency plan for sudden disasters.
Even if there is a total loss of one system, the remaining computer(s) can
carry the load without disruption to users and without loss or corruption of
data.
DMZ
A DMZ - De-Militarised Zone, is a separate part of an organization's network
which is shielded and 'cut off' from the main corporate network and its
systems. The DMZ contains technical equipment to prevent external
parties (say on the Internet) from gaining access to your main systems.
The term comes from the buffer zone that was set up between North Korea and
South Korea following their war in the early 1950s. A DMZ is not a single
security component; it signifies a capability. Within the DMZ will be found
firewalls, choke and access routers, front-end and back-end servers.
Essentially, the DMZ provides multi-layer filtering and screening to completely
block off access to the corporate network and data. And, even where a legitimate
and authorized external query requests corporate data, no direct connection will
be permitted from the external client; only a back-end server will issue the
request (which may require additional authentication) from the internal
corporate network.
However, the extent to which you permit corporate data to be accessible from
and by external sources will depend upon the value of the Business Assets which
could be placed at (additional) risk by allowing access to (even) pre-specified
data types.
DNS
Domain Name System (or Server). The DNS is the means by which user friendly Web
addresses are translated into arcane IP addresses. The DNS ensures that a Web
address is routed to the correct site.
Domain Name
The domain name identifies the location of an organization or entity on the
Internet and, through the Domain Name Service, is translated to an IP Address,
which is the real address to which traffic destined for that domain name is
routed.
Dongle
A mechanical device used by software developers to prevent unlicensed use of
their product. Typically, a Dongle is a small connector plug, supplied with the
original software package, which fits into a socket on a PC - usually a parallel
port, also known generally as the LPT1 Printer port. Without the Dongle present,
the software will not run. Some older Dongles act as a terminator, effectively
blocking the port for any other use, but later versions have a pass-through
function, allowing a printer to be connected at the same time. Even though the
PC can still communicate with the printer, there have been problems with more
recent printers which use active two-way communications with the PC to notify
printing status, ink levels, etc.
Driver
A driver is a small interface program which allows a computer to communicate
with a peripheral device, such as a printer or a scanner. The driver will be
automatically installed when you connect the device to the PC; hence the need
for a CD-ROM or floppy disk when installing such peripherals.
Dual Homing
Having concurrent connectivity to more than one network from a computer or network device. Examples include, but are not limited to:
Connecting a server to two different networks using two network interface cards (NIC).
Connecting a computer to a City provided DSL, ISDN, or cable modem AND concurrently connecting to a public ISP, a bulletin board, or a family member's network via modem or publicly provisioned broadband.
Configuring an ISDN router to dial into the City network and an ISP, depending on packet destination.
Connecting a computing device to the City network and concurrently using a modem to connect to another network (whether wired or wireless).
Due Care
Due Care is the collective steps that an organization must take to properly protect its networks, computer systems and the data that resides on them.
Dynamic Host Configuration Protocol (DHCP)
Software that automatically assigns IP addresses to client stations logging onto a TCP/IP network. It eliminates having to manually assign permanent IP addresses. DHCP software typically runs in servers and is also found in network devices such as ISDN routers and modem routers that allow multiple users access to the Internet. Newer DHCP servers dynamically update the DNS servers after making assignments.