A computer server placed outside an organization's Internet Firewall to provide a service that might otherwise compromise the local net's security.

Scope Creep is the expression used by project managers and/or vendors who are under pressure to constantly deliver in excess of what was originally agreed. Scope creep normally results from a failure to establish the clear requirements of the business users. As these begin to solidify, the scope of the original plan can start to move - and continue to move. If the project manager is not alert to this (all too common) phenomenon, the requirements will constantly change, thus ensuring that the project spends years delivering nothing, as direction is continually reviewed and altered.

Screen Capture: Formal term for Screen Grabbing.

Screen savers, once created to save the screen from premature CRT burn out, are now used both to protect the screen and to prevent casual shoulder surfing. Screen savers have a useful and valid Information Security role. Used correctly, they will cut in, blank the screen from view and require a user or network Administrator password to regain access. Provided the screen saver is set to trigger after (say) 2 minutes of inactivity, and upon user request, it can provide a useful and effective means of deflecting casual / opportunistic incidents.

In a programming context, Scripts are a type of programming language which is run, or executed, by another program. For example, JavaScript is run by the Web browser running on the user's PC. In the context of System Testing and User Acceptance Testing, scripts are the pre-determined input data used to test the system. Scripts should state not only the precise data to be input, but also the expected response from the system.
As User Acceptance Testing proceeds, the results from running the scripts will be recorded, as will the overall system conditions at the time, to allow developers to debug errors more easily. Scripts can take the form of input data sheets for manual input, or can be a series of files whose processing simulates the generation of transactions across the network to the system. This latter approach allows significant volumes to be processed. However, it is essential to proceed carefully, as errors can easily compound, making analysis a nightmare.

Secure Area (on a system): Where an unknown file - e.g. one downloaded from the Internet - is to be opened (and this is especially true for any executable file, i.e. a .exe file or program), it must not be opened or executed in the normal filing space of your live systems. A Secure Area - sometimes referred to as a 'Sand Pit' - is an area on a system which is totally shielded and / or isolated from the potential impact of any code which is executed there. Whilst the isolation of the system is a clear requirement, scanning software which is able to detect malicious code activity must also be used, as Trojan code activity may otherwise go undetected.

A transmission protocol that employs encryption of data.

Security Administrator: Individual(s) who are responsible for all security aspects of a system on a day-to-day basis. The security administrator should be independent of both development and operations staff and often holds the highest-privilege password on the system, in order that the most sensitive activities can only be undertaken with a combination of both the System Administrator's and the Security Administrator's top-level passwords.

A breach of security is where a stated organizational policy or legal requirement regarding Information Security has been contravened. However, every incident which suggests that the Confidentiality, Integrity or Availability of information has been inappropriately changed can be considered a Security Incident.
Every Security Breach will always be initiated via a Security Incident; only if confirmed does the incident become a security breach.

Security for Electronic Transactions - SET: SET was originally supported by companies such as MasterCard, VISA, Microsoft and Netscape and provides a means for enabling secure transactions between purchaser, merchant (vendor) and bank. The system is based upon the use of an electronic wallet which carries details of the credit card, the owner and, critically, a Digital Certificate. To provide end-to-end encryption and authentication, the SSL standard is used between the parties, thus ensuring digital trust on each leg of the transaction.

A security incident is an alert to the possibility that a breach of security may be taking, or may have taken, place.

Segregation of Duties: A method of working whereby tasks are apportioned between different members of staff in order to reduce the scope for error and fraud. For example, users who create data are not permitted to authorize its processing; Systems Development staff are not allowed to be involved with live operations. This approach will not eliminate collusion between members of staff in different areas, but it is a deterrent. In addition, the segregation of duties provides a safeguard to your staff and contractors against the possibility of unintentional damage through accident or incompetence - 'what they are not able to do (on the system) they cannot be blamed for'.

Typically a dual (or better) processor computer which supplies (serves) a network of less powerful machines, such as desktop PCs, with applications, data, messaging, communications, information, etc. The term is replacing 'host' in many situations, since the processing power of a desktop server is such that one machine is sufficient to run the computing requirements of a complete organization.

Service Set Identifier (SSID)

Software supplied on a 'try before you buy' basis.
Shareware is produced by software companies and independent programmers and supplied to users through a variety of channels, including magazine cover disks, e-mail, mail order, Internet downloads, etc. The basic idea is that users will try out the software (which is sometimes, but not always, crippled or limited in some way) and will like it so much that they will pay a relatively small registration fee to become an authorized user of the unrestricted program. Shareware has been very successful and several software houses have established themselves as niche market leaders this way, but companies should exercise caution in the use of such material. Shareware from independent programmers has a reputation for being 'buggy', causing conflicts with other software already installed on the computer, or simply failing to perform as expected. Companies with policies which permit the installation and use of such material should restrict it to stand-alone test or development machines, where the software's behavior and the program's claimed benefits can be examined fully before a registered version is installed on live machines.

Shoulder Surfing: Looking over a user's shoulder as they enter a password. This is one of the easiest ways of obtaining a password to breach system security. The practice is not restricted to office computers; it is used wherever passwords, PINs or other ID codes are used.

Smart cards look and feel like credit cards, but have one important difference: they have a 'programmable' micro-chip embedded. Their uses are extremely varied but, for Information Security, they are often used not only to authenticate the holder, but also to present the range of functions associated with that user's profile. Smart Cards will often have an associated PIN number or password to provide a further safeguard.
The main benefits of using Smart Cards are that their allocation can be strictly controlled, they are hard to forge, and they must be physically inserted into a 'reader' to initiate the authentication process.

A smurf attack is a very technical attack which exploits features of the IP protocol within the TCP/IP protocol suite used for Internet communications. A smurf attack causes a victim's computer to become so overwhelmed answering fictitious network requests ('Pings') that it grinds to a halt and prevents anyone else from logging on. See Denial Of Service for further information.

A sniffer is a program which captures and analyzes packets of data as they pass across a network. Sniffers are used by network administrators who wish to analyze loading across network segments, especially where they suspect that spurious packets are 'bleeding' from one network to another. The other use of sniffers is to connect to the Internet and capture data; such data can include user names and passwords. Crackers who deploy sniffers usually place them at a strategic position, e.g. at the gateway between the target system and another network, through which all login names and passwords will pass. Having said that, most modern systems will ensure that the username and password are encrypted prior to transmission, so that the sniffer will not yield such information 'on a plate'.

Social engineering is a means by which information is extracted, usually verbally, by someone impersonating a legitimate holder or user of the information in question. Social engineering will often take place over the telephone; here are some examples:

A document created and saved on computer media rather than on paper. The transmission of 'soft copy' files between parties is now commonplace, especially since de-facto standards have emerged for desktop tools such as Word Processors and Spreadsheets.
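The Smurf Attack entry above describes the victim being swamped by ping traffic; what a network monitor actually sees is ICMP echo replies from many different hosts all converging on one address in a short time. The following detector, an added example that is not part of the glossary, flags that convergence pattern in flow-log lines. The log format, the addresses and the thresholds are all constructed for the demonstration.

```python
"""Detect a smurf-style ICMP echo flood in flow-log lines.

Added example for the glossary's Smurf Attack entry; the log format and all
addresses below are constructed for the demonstration, not taken from the page.
"""
from collections import Counter, defaultdict


def build_sample_flows():
    """Constructed flow records: '<epoch> <proto> <icmp_type> <src> <dst>'.
    ICMP type 8 is an echo request, type 0 an echo reply; the third field is
    simply 0 for non-ICMP records."""
    lines = [
        # Benign: one ping exchange between two internal hosts.
        "1700000000 icmp 8 10.0.0.7 10.0.0.1",
        "1700000000 icmp 0 10.0.0.1 10.0.0.7",
        # Some TCP noise that the detector must ignore.
        "1700000001 tcp 0 10.0.0.7 10.0.0.1",
    ]
    # Flood: 50 distinct hosts on 192.0.2.0/24 answer pings whose source address
    # was forged as the victim 10.0.0.5, so every reply converges on it within 3 s.
    for i in range(50):
        lines.append(f"{1700000000 + i % 3} icmp 0 192.0.2.{10 + i} 10.0.0.5")
    return lines


SAMPLE_FLOWS = build_sample_flows()


def parse_flow(line):
    ts, proto, icmp_type, src, dst = line.split()
    return int(ts), proto, int(icmp_type), src, dst


def detect_echo_floods(lines, window_s=5, min_sources=20):
    """Map each destination that receives ICMP echo replies from at least
    ``min_sources`` distinct hosts inside any ``window_s``-second window to the
    largest number of distinct replying hosts seen in such a window."""
    replies = defaultdict(list)  # dst -> [(ts, src), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, proto, icmp_type, src, dst = parse_flow(line)
        if proto == "icmp" and icmp_type == 0:
            replies[dst].append((ts, src))

    alerts = {}
    for dst, events in replies.items():
        events.sort()
        in_window = Counter()  # src -> replies currently inside the window
        start = 0
        for ts, src in events:
            in_window[src] += 1
            # Slide the window start forward past events older than window_s.
            while ts - events[start][0] > window_s:
                old_src = events[start][1]
                in_window[old_src] -= 1
                if in_window[old_src] == 0:
                    del in_window[old_src]
                start += 1
            if len(in_window) >= min_sources:
                alerts[dst] = max(alerts.get(dst, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for victim, n in detect_echo_floods(SAMPLE_FLOWS).items():
        print(f"possible smurf flood: {n} distinct hosts replying to {victim}")
```

The benign ping exchange is never flagged because a single replying host is far below the threshold; tune `window_s` and `min_sources` to the normal fan-in of the monitored host, since a busy monitoring server legitimately receives replies from many machines.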
Softlifting: The use of unlicensed software is illegal and, whilst the majority of organizations would not condone it, the vast majority are believed to be using unlicensed software to some extent. In many cases, software piracy occurs unintentionally; for example, a genuinely licensed program is copied for use on multiple workstations. It is common practice for software vendors to permit customers to 'try before they buy'. In this case, they offer the software as 'shareware' and propose a trial of, say, 30 days. At the expiration of the 30-day period, and depending upon the ingenuity of the developer, the software can refuse to load without the input of a valid license key; or it can continue to run as normal; or it can require the continued pressing of a button to signify your understanding of the terms of the license. Unlicensed software is a major threat to an organization's Information Security because, not only does it jeopardize the legal position, it also threatens the data held on such systems, as no support will be provided. The End User License Agreement - EULA - is normally seen during the install process of the software.

Software Version Control: Although not a global standard per se, software developers have a generally agreed code of practice with regard to software versioning. In general, the version number will be identified by two or three digits, e.g. (version) 1.2.1. This example indicates that the software is in its first major release, its second point release and its first mini release or patch. Be wary of software in its '1.0' release, as this suggests that the software is new and may not have undergone thorough testing and subsequent update. Be cautious when using any software in its 1.0 release, even those from the largest names in the software industry!

Source Code: The actual program - as written by the programmer - which is compiled into machine code (object code) which the computer can understand.
Source code is the intellectual property of the developer(s), and for many years commercial source code was never released to users, only licensed for use. Possession of Source Code is essential if an organization is to maintain and/or modify the software without being reliant upon the original developer. There are now Escrow provisions in the agreements for major developments to protect users in the case of a developer/supplier ceasing to trade.

Computer Spam is the electronic equivalent of Junk Mail. Companies and individuals who previously specialized in Mail Shots through the postal system have turned to Spam as a means of delivering (usually) worthless messages at a fraction of the cost. Given the huge databases now held on computers around the world, 'Spammers' can send literally hundreds of thousands of messages for a few cents. Some companies consider this to be a 'better' use of their marketing budgets than the traditional routes. Spam is also a feature of Usenet, where individuals who need to get out more post lengthy and irrelevant messages to dozens, if not hundreds, of groups at a time, attracting considerable irritation, generating significant amounts of angry message traffic, and sometimes starting a Flame War.

Split tunneling is the definition of how network traffic is handled by the remote end of a VPN tunnel. If using a split tunnel, traffic bound for the City's network uses the VPN tunnel, and traffic bound for anywhere else is not sent to the City, but rather is handled by the ISP. If not using a split tunnel, all traffic from the remote computing device is sent through the VPN tunnel and handled by the City network. The choice of whether to use a split tunnel is configurable in the VPN client.

Spoofing:

Spyware: Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes.
Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.

A stealth bomb is a piece of malicious code that is disguised as something else. It may be received as a 'normal' e-mail, or perhaps as an amusing screen saver. Stealth bombs deliver their 'payload' surreptitiously, and the results can be both damaging to your system and highly embarrassing. See Malicious Code for more detailed information.

Steganography is the technique whereby a message, possibly encrypted, is concealed within another medium. In the world of computing, this means that a seemingly innocuous graphic or sound file (say) can conceal a message, which could be used to disguise corporate espionage.

Stripping: Deliberately deleting files, records or data from a system. This can be an authorized activity when, for example, duplicate files are identified and removed from the system to reclaim the disk storage space they occupy. More often, however, stripping is associated with the removal of records which evidence some fraudulent or other criminal activity. It is not unusual for Auditors or Law Enforcement officers to find that the records they need for their investigations are not there. Deleted records can be recovered if the storage media is secured quickly enough, but a skilled stripper can usually remove all trace of them before such action can be taken. The only recourse then is to backup files, where (hopefully) copies can be obtained.
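The Steganography entry above says a graphic can conceal a message; the simplest way this is done is by rewriting the least-significant bit of each pixel, which is why the carrier looks unchanged and why controls that rely on eyeballing or on coarse file comparison miss it. The following is an added example, not part of the glossary: it embeds and recovers a short message in a constructed grayscale byte buffer and measures how little the carrier changes. The cover data, the message and the length-prefixed payload layout are this example's own conventions.

```python
"""Least-significant-bit (LSB) steganography on a constructed grayscale image.

Added example for the glossary's Steganography entry; the cover data and message
are constructed here, and the 4-byte length prefix is this example's own payload
convention, not a standard format.
"""

# Constructed 64x64 8-bit grayscale 'image' as a flat byte string (a synthetic
# pattern, not a real picture); each byte is one pixel.
COVER = bytes((i * 7) % 256 for i in range(64 * 64))


def capacity_bytes(cover: bytes) -> int:
    """Message bytes that fit: one bit per pixel, minus the 4-byte length prefix."""
    return len(cover) // 8 - 4


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Overwrite the LSB of successive pixels with the payload bits (MSB first)."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message does not fit in cover")
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Rebuild the payload from the pixel LSBs and strip the length prefix.
    Raises ValueError when the prefix does not describe a payload that fits,
    which is what happens on an untouched cover."""
    def read(start_bit: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid payload (length prefix out of range)")
    return read(32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference. LSB embedding never moves a pixel by more
    than 1 out of 255, so the hidden message is invisible to the eye and to any
    check that tolerates small differences."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    secret = b"meeting moved to 09:00"
    carrier = embed_lsb(COVER, secret)
    print("recovered:", extract_lsb(carrier))
    print("max pixel change:", max_pixel_change(COVER, carrier))
    print("capacity (bytes):", capacity_bytes(COVER))
```

Because the carrier changes by at most one gray level per pixel, detection in practice rests on statistical tests of the LSB plane, on comparing a file against a known-good original, or on controlling which files may leave the network at all; the byte-for-byte size of the image is unchanged and gives nothing away.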
Structured Query Language - SQL: Structured Query Language, or SQL (pronounced 'S' 'Q' 'L' or 'Seekwul'), is a type of programming language used to interact with a database. The language is used both to update the database and to issue queries to it. A query is a request for information based upon specific criteria, e.g. 'output all our clients with a sales turnover of more than $x sorted by region'.

System Administrators: Individuals who support the operations and integrity of computing systems and their use. These activities might include system installation, configuration, integration, maintenance, security management, and problem analysis and recovery. In an inter-networked computing environment, managing the computer network is often their responsibility.

System Operators

System Owners

System software is the general term used to describe the many software programs, drivers and utilities which together enable a computer system to operate. One of the main components of system software is the operating system of the computer, e.g. Microsoft Windows® 2000 Professional.

Systems Development is the term used to describe the function of designing, coding, testing and updating software programs and other code, e.g. scripts. The roles within Systems Development will be Systems Analysts and Programmers, and possibly other technical specialists.

Systems Operations refers to a team, or possibly even a department within the IT group, which is responsible for the running of the centralized systems and networks. Systems Operations personnel have three main types of duty. Firstly, they will run the day-to-day procedures for each of the main systems; whilst these operations may well be automated, a systems operator will execute and oversee the operation. Secondly, they will perform routine housekeeping procedures on the systems, reviewing error logs and responding to any problems which occur day to day. Thirdly, Systems Operations personnel will run end-of-day and 'end of period' (e.g. monthly) procedures, which will include the creation of backup copies of all the key data files across the systems. From the above, it will be noted that Systems Operations do not concern themselves with development, testing or the functionality of the various software applications being run. Their task is focused upon maintaining maximum 'up-time' by keeping all systems and networks running efficiently.
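The SQL entry above gives the query 'output all our clients with a sales turnover of more than $x sorted by region' and notes that the language both updates and queries the database. The following is an added example, not part of the glossary: it runs that query and an update against a constructed SQLite table, and places the query with the threshold bound as a parameter beside the same query with the value pasted into the statement text, which is the form that lets caller-supplied text alter the query. The table, the client names and the turnover figures are constructed.

```python
"""The glossary's SQL example query run against a constructed SQLite table.

Added example for the glossary's SQL entry; the table, rows and money values are
constructed here and belong to no real organization.
"""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with a constructed clients table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (name TEXT, region TEXT, turnover REAL)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?, ?)",
        [
            ("Acme Ltd", "North", 120000.0),
            ("Bolt plc", "South", 45000.0),
            ("Cora Inc", "East", 98000.0),
            ("Dune Co", "North", 30000.0),
            ("Echo GmbH", "South", 250000.0),
        ],
    )
    conn.commit()
    return conn


def clients_over(conn, threshold):
    """'Output all our clients with a sales turnover of more than $x sorted by region.'
    The threshold is coerced to a number and bound as a parameter, so the SQL text
    never changes whatever the caller supplies."""
    threshold = float(threshold)
    return conn.execute(
        "SELECT name, region, turnover FROM clients "
        "WHERE turnover > ? ORDER BY region, name",
        (threshold,),
    ).fetchall()


def clients_over_unsafe(conn, threshold):
    """The same query with the value pasted into the SQL string. Kept only to show
    the contrast: whatever the caller supplies becomes part of the statement."""
    return conn.execute(
        "SELECT name, region, turnover FROM clients "
        f"WHERE turnover > {threshold} ORDER BY region, name"
    ).fetchall()


def update_turnover(conn, name, new_turnover):
    """The 'update' half of SQL: change one client's figure; returns rows affected."""
    cur = conn.execute(
        "UPDATE clients SET turnover = ? WHERE name = ?", (float(new_turnover), name)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_demo_db()
    for row in clients_over(db, 50000):
        print(row)
    print("rows updated:", update_turnover(db, "Dune Co", 60000))
```

With the parameterized form, a threshold of `"0 OR 1=1"` is rejected by the `float()` coercion before any SQL runs; with the pasted form the same text turns the condition into `turnover > 0 OR 1=1` and returns every client, which is the behaviour a reviewer should look for in any code that builds SQL from strings.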