«Securing Information in the Digital Age Information Security Policies This document presents a suite of integrated solutions which, together, offer ...»
Digital Watermark A unique identifier that becomes part of a digital document and cannot be removed. The watermark is invisible to the human eye but a computer can analyse the document and extract the hidden data. Digital watermarks are being used for Classified/Top Secret documents - usually Military/Governmental - and highly confidential commercial material. The primary use of such marks is to allow different marks to be used when the document is copied to different persons and thereby establish an Audit Trail should there be any leakage of information.
Disable The process by which hardware or software is deliberately prevented from functioning in some way. For hardware, it may be as simple as switching off a piece of equipment, or disconnecting a cable. It is more commonly associated with software, particularly shareware or promotional software, which has been supplied to a user at little or no cost, to try before paying the full purchase or registration fee. Such software may be described as ‘crippled’ in that certain functions, such as saving or printing files are not permitted. Some in-house development staff may well disable parts of a new program, so that the user can try out the parts which have been developed, while work continues on the disabled functions.
Disabling is also often used as a security measure, for example the risk of virus infection through the use of infected floppy diskettes can be greatly reduced, by disconnecting a cable within the PC, thereby disabling the floppy drive. Even greater protection is achieved by removing the drive altogether, thereby creating a diskless PC.
Glossary 421 Disaster Recovery Plan - DRP The master plan needed by technical and non-technical staff to cope with a major problem - such as the Boeing Syndrome. Do not confuse and merge the DRP with the Business Continuity Plan. The DRP is the plan which is activated when there is an emergency. It is the plan which ensures that health and safety come first followed by damage limitation. Having contained the impact of the disaster, and having ensured that the situation is now under control e.g. through the Emergency Services, then the Business Continuity Plan will be activated.
One of the most difficult aspects of a DRP is agreeing when it should be activated.
In some circumstances it will be clear. For example, a tornado destroys part of the office block; or a serious fire reduces the premises to ashes. However, on many occasions, disasters have multiple warnings or indicators, and it is these which need to be considered and identified as the triggers to invoke your DRP.
N.B. The skills required to prepare and manage a DRP are not necessarily the same as those required for a Business Continuity Plan.
Distributed Processing Spreading the organisation’s computer processing load between two or more computers, often in geographically separate locations. If a organisation has the necessary financial and technical resources, distributed processing, with mirroring between sites, is an excellent contingency plan for sudden disasters.
Even if there is a total loss of one system, the remaining computer(s) can carry the load without disruption to users and without loss or corruption of data.
DMZ A DMZ – De-Militarised Zone, is a separate part of an organisation’s network which is shielded and 'cut off ' from the main corporate network and its systems.
The DMZ contains technical equipment to prevent access from external parties (say on the Internet) from gaining access to your main systems.
The term comes from the buffer zone that was set up between North Korea and South Korea following their war in the early 1950s. A DMZ is not a single security component; it signifies a capability. Within the DMZ will be found firewalls, choke and access routers, front-end and back-end servers. Essentially, the DMZ provides multi-layer filtering and screening to completely block off access to the corporate network and data. And, even where a legitimate and authorised external query requests corporate data, no direct connection will be permitted from the external client, only a back-end server will issue the request (which may require additional authentication) from the internal corporate network.
However, the extent to which you permit corporate data to be accessible from and by external sources will depend upon the value of the Business Assets which could be placed at (additional) risk by allowing access to (even) pre-specified data types.
Dongle A mechanical device used by software developers to prevent unlicenced use of their product. Typically, a Dongle is a small connector plug, supplied with the original software package, which fits into a socket on a PC - usually a parallel port, also known generally as the LPT1 Printer port. Without the Dongle present, the software will not run. Some older Dongles act as a terminator, effectively blocking the port for any other use, but later versions have a pass-through function, allowing a printer to be connected at the same time. Even though the PC can still communicate with the printer, there have been problems with more recent printers which use active two-way communications with the PC to notify printing status, ink levels, etc.
Down In IT terms, when a system is down, it is not available to users. This is not necessarily due to hardware or software faults, it may well be necessary to disconnect non-IT users, or take the system down for maintenance, installation of new hardware, loading new software etc. Traditionally such activities would take place after the End of Day, but the advent of 24x7 processing means there is no natural break in the cycle, and IT staff will therefore schedule the work for the time of minimum system workload - probably around 03:00 on Sunday morning!
Downtime The amount of time a system is down in a given period. This will include crashes and system problems as well as scheduled maintenance work. Obviously, downtime impacts upon system availability, and most IT departments will maintain a downtime log to record when, and why, the system was not available to users.
This log should be reviewed at intervals to identify any recurring problems, failure patterns etc.
Driver A driver is a small interface program which allows a computer to communicate with a peripheral device, such as a printer or a scanner. The driver will be automatically installed when you connect the device to the PC; hence the need for a CD-ROM or floppy disk when installing such peripherals.
Glossary 423 Dual Control A control procedure whereby the active involvement of two people is required to complete a specified process. Such control may be physical; e.g. two persons required to unlock the Data Safe, or logical; as in the case of a higher level authorisation password required to permit the entry of data created or amended by another person.
Dual Control is one of the foundations of Information Security as it is based upon the premise that, for a breach to be committed, then both parties would need to be in collusion and, because one should always alternate the pairs of people, it would require a much greater level of corruption in order to breach dual control procedures; especially is such procedures require nested dual control access, such that (say) 2 pairs of people are required to enable access.
st If this procedure appears someone ‘dated’ in today’s 21 century ‘wired’ environment, please note that in 2000 a number of vendors started to sell ‘Trusted Operations Systems’, which enforce the requirement for dual control and the separation of duties, to provide substantially greater Information Security.
Dumb Terminal A type of terminal that consists of a keyboard and a display screen that can be used to enter and transmit data to, or display data from, a computer to which it is connected. A dumb terminal, in contrast to an intelligent terminal, or PC, has no independent processing or storage capability and thus cannot function as a standalone device.
eWidely used - now widely overused - abbreviated prefix indicating ‘electronic’.
Given the current frenzy for on-line services, companies are sticking the ‘e-’ prefix onto the front of almost any word to show how progressive and technologically advanced they are :e-business, e-commerce, e-trading, e-finance, e-broking, e-shopping, e-retailing, e-money, e-cash, e-purse, e-wallet, - the list is (probably) endless.
EarwiggingAlternative (slang) term for Eavesdropping.
Eavesdropping Listening to someone else's conversation. In its most basic form, it amounts to one person keeping within earshot of a conversation between two other persons, but in the security and IT worlds it extends to remote listening and recording devices, include the interception of telephone calls, fax transmissions, e-mails, data transmissions, data-scoping, and even radio scanning for mobile communications.
The security implications for companies are primarily that user identification details or passwords can become known to criminally inclined individuals, or that confidential/sensitive information about the organisation, its finances, or activity plans may leak to competitors.
Glossary 424 e-Business Another term for e-Commerce.
e-Commerce e-Commerce, e-Business or e-Tailing is an electronic transaction, performed over the Internet – and usually via the World Wide Web - in which the parties to the transaction agree, confirm and initiate both payment and goods transfer; at the click of the mouse.
There are two general types of e-Commerce activity; Business to Consumer (or Business to Customer) - B2C, and Business to Business – B2B.
Business to Consumer is usually, but not always, characterised by the purchase of goods or services, using the “shopping cart” metaphor and the acceptance of credit / debit cards in payment.
Business to Business, on the other hand, is concerned with using the Internet to place and receive orders from other businesses; establishing legally binding contractual commitments and pooling the resources of companies across the globe to tender for a project, with each party being authenticated and legally bound by their digital commitments.
However, to achieve this, and for e-Commerce to reach its true potential requires ‘digital trust’, and for this to take place requires strong technical tools to authenticate, encrypt and assure the confidentiality of data. Whilst e-Commerce can be initiated using e-mail, this requires the adoption of Digital Signatures which not only authenticates the sender, it also confirms the time and date of transmission and assures that the contents of the transmission were not tampered with.
Transactions initiated using Web servers, usually rely upon Digital Certificates and the use of the Secure Sockets Layer authentication and encrypted communication standard. In addition, to provide security for the secure transmission of documents, and other data, the use of the RSA standard is common, with Public Key Infrastructure (PKI) being used to create, issue and manage the use of public and private keys (or Digital Certificates).
Editor A program which allows a user to create, view, and amend, the contents of certain types of files. There are several types of editors, the most common being Text Editors, and Hex (Hexadecimal) Editors.
Editors work at the lowest level, either in ASCII (Text Editor) or directly with disk contents (Hex Editor).
Although text Editors, e.g. Notepad in Windows®, are common, companies should give consideration to staff access to Editors, particularly the more powerful types such as Hex Editors. A Hex Editor can do considerable damage to the contents of computer files, which may not be recoverable.
N.B. Although Word Processors and other programs can be used to edit their own files, they are NOT Editors in this context.
Electronic Mail - E-mail Electronic Mail - an electronically transmitted message which arrives as a computer file on your PC or organisation’s server. Originally conceived as a simple means of sending short messages from one computer to another, the Simple Mail Transfer Protocol (SMTP) was introduced without security in mind.
Whilst standards have been agreed for the attachment of files to e-mail messages, be aware that such files can contain malicious code such a virus. Use extreme caution when opening an e-mail message with an attachment; even if the e-mail is from someone you know; it is better to leave it unopened and enquire whether the e-mail is bona fide. If in doubt; destroy the e-mail and advise the sender that you have been unable to verify the authenticity of the attachment and to advise its contents. If in doubt; destroy the e-mail; if it’s genuinely important, they will either make contact again or you have the option to send them an explanatory email.
Why is e-mail insecure ?
• An e-mail message can purport to have been sent from a specific individual, but the message could have come from someone else entirely. Anyone can set up an e-mail address with anyone else’s name as the sender. e.g. a Mr. Bill Clinton could easily setup and email address as George_Bush@hotmail.com. However, where email comes from a company or organisation, the user name is likely to have been setup centrally, with the opportunity for misrepresentation, less likely.
• Even where you have your own organisation’s domain name e.g.
firstname.lastname@example.org, this too can be modified, such that the “From” field in the e-mail is sent with a fallacious sender; all designed to deceive the recipient.
• An e-mail message can be opened by anyone; and not only the intended recipient. There is no authentication such that only the intended recipients are able to read the mail. Like a postcard, an e-mail may be read by anyone who comes across it, either legitimately, or otherwise.
• The safe transmission of e-mail to its destination is not secure.
Whilst the use of a “Read-Receipt” can be useful, especially using email on Local Area Networks where network traffic is within known boundaries. E-mail sent across the Internet will pass through multiple computer nodes as it “hops” and “bounces” towards its destination address. However, even if it reaches its destination mail server, delivery to the recipient may be delayed or may not necessarily occur.