«Securing Information in the Digital Age Information Security Policies This document presents a suite of integrated solutions which, together, offer ...»
Malicious Code Malicious code includes any and all programs (including macros and scripts) which are deliberately coded in order to cause an unexpected (and usually unwanted) event on a user’s PC. However, although anti-virus definitions (‘vaccines’) are released weekly or monthly, they operate retrospectively: someone’s PC has to become infected with the virus before the anti-virus definition can be developed. In May 2000, when the ‘Love Bug’ was discovered, although the anti-virus vendors worked around the clock, the virus had already infected tens of thousands of organisations around the world before the vaccine became available.
However, this may not be fast enough to prevent your PC from becoming infected with a virus that was delivered to your PC whilst you were innocently browsing a new Web site.
In June 2000 it was further revealed that a new type of attack was possible, called the ‘No-Click’ Stealth Bomb Attack. Such attacks use HTML, the code used for Web sites, and the payload is executed from within this code. The threat is that HTML is not only found on Web sites but can also be used to format and present the text of an e-mail. This means that simply opening an e-mail encoded in HTML could deliver its payload with no user intervention at all.
The solution is to run both a top-rate anti-virus program and also a malicious code detection system which is able to constantly monitor the behaviour of downloaded “content” (e.g. a “harmless” page from a Web site), including executable files (.exe), scripts, ActiveX and Java. Such solutions can either run on individual PCs and workstations or from a central server.
See Compressors and Packers.
Manhole Alternative name for a developer’s Back Door.
Masquerading Identifying yourself as someone else, i.e. purporting to be another (probably genuine) user; for example, sending an e-mail to a client under someone else’s name. E-mail systems usually do not allow the sender’s ‘From’ field to be altered, but those that do thereby permit messages to be sent under a completely false name.
Massaging Data Especially when interfacing systems, it is often necessary to re-format or manipulate data from one format into another, to enable another system to accept the input, e.g. order processing output being input into the accounting system.
Sometimes, the data will need to be massaged, e.g. by the removal of extraneous characters or the addition of some control characters. Whatever the exact requirements, such manipulation of data poses a threat to the integrity of the data, and thorough System Testing is advised.
Media The physical material which stores computer information. Comes in two basic types - Fixed and Removable - and a variety of flavours: Hard Disk, Floppy Disk, Compact Disc, Laser Disk, Magneto-Optical Disk, Zip Disk, Super Floppy, Magnetic Tape Reel, Magnetic Tape Cartridge, Digital Audio Tape, Paper Tape, and so on and so forth.
Each of these has its ‘for’ and ‘against’ lobby groups, and there is no ‘best’ medium, only the ‘most appropriate’ for a given organisation in given circumstances.
Irrespective of which media are used, they will contain important data, and therefore must be used and stored under properly controlled conditions.
Methodology A term that is often misused / misapplied. In systems development, the tasks required to achieve the end result can be complex and usually require adoption of a disciplined and formal approach. Having perfected such an approach, consulting companies and software developers will refer to their methodology. Methodology suggests an almost scientific and objective approach, which, of course, is rarely the case.
Microfiche Before the days of electronic data storage, computer printout was stored physically. Microfiche was a means of storing (relatively) large quantities of printed text and images on film transparencies in a greatly reduced (physical) form. Microfiche readers are required to project and magnify the output onto a backlit display.
Migration Changing from one computer system to a different one, entailing changes in software and the transfer of data from the old system to the new, possibly necessitating conversion of data from the old format into another for use on the new system. For example: switching from an NCR-based system to an IBM constitutes a migration, while simply moving to a larger, newer, NCR system would be an ‘upgrade’.
Migrations are complex, and any organisation contemplating or conducting one would be well advised to appoint a dedicated Project Manager and team, to ensure its smooth implementation.
Mission Critical Derived from Military usage, the term is used to describe activities, processing, etc., which are deemed vital to the organisation’s business success and, possibly, its very existence.
Some major applications are described as being Mission Critical in the sense that, if the application fails, crashes, or is otherwise unavailable to the organisation, it will have a significant negative impact upon the business. Although the definition will vary from organisation to organisation, such applications include accounts/billing, customer balances, computer controlled machinery and production lines, JIT ordering, delivery scheduling, etc.
Mockingbird A special type of Trojan Horse virus program, a Mockingbird is software that intercepts communications (especially login transactions) between users and hosts, and provides system-like responses to the users while saving their responses (especially account IDs and passwords) for later transmission to, or collection by, a third party.
Moore's Law ‘The amount of information storable on a given amount of silicon has roughly doubled every year since the technology was invented.’ First uttered in 1964 by semiconductor engineer Gordon Moore, who co-founded Intel in 1968, this held until the late 1970s, at which point the doubling period slowed to 18 months; however, as at the New Millennium, Moore’s Law is again true.
Mouse Potato Computer-using version of a Couch Potato. Identified by highly developed wrist and index finger, and complete lack of any other muscles.
Multi-tasking Doing more than one thing at a time - or so it would seem. Human beings can multi-task: breathing, walking, thinking, and chewing gum, all at the very same time - but single processor computers do not.
It may seem that, for example, when a user is printing a file and viewing Web pages on the Net, the computer is doing two things at once, but, in practice, it is handling bits of each job, one after the other, so quickly that it just looks as though they are being done at the same time. Purists maintain that true multi-tasking requires more than one processor.
As the two or more programs squabble for memory space or communication port access on a single processor machine - such as a PC – multi-tasking causes more hang-ups, freezing, and plain JOOTTs than any other factor.
Murphy's Law Also ‘Sod's Law’. The correct, original Murphy's Law reads: ‘If there are two or more ways to do something, and one of those ways can result in a catastrophe, then someone will do it.’ The term originated with Edward A. Murphy, Jr., who was one of the engineers on the rocket-sled experiments, undertaken by the US Air Force in 1949 to test human acceleration tolerances. One experiment involved a set of 16 accelerometers mounted to different parts of the subject's body. There were two ways each sensor could be glued to its mount, and somebody methodically affixed all 16 the wrong way around. Murphy then made the original form of his pronouncement, which the test subject quoted at a news conference a few days later. Within months ‘Murphy's Law' had spread to various technical cultures connected to aerospace engineering. Before too many years had gone by variants had passed into the popular imagination, changing as they went. Most of these are variants on ‘Anything that can go wrong, will.’ which is sometimes referred to as Finagle's Law.
Native Format The native format refers to the default format of a data file created by its associated software program. For example, Microsoft Excel® produces its output as ‘.xls’ files by default; this is the native format of Excel. Microsoft Word®
Network A configuration of communications equipment and communication links by network cabling or satellite, which enables computers and their terminals to be geographically separated, while still connected to each other.
Network Administrator Individual(s) responsible for ensuring that the Network is available, and for controlling its use. For smaller installations, this function is often combined with that of System Administrator.
News Group Part of Usenet. Although termed ‘News Groups’, most of them are anything but this. They exist, theoretically, for groups of like-minded users to ask questions and swap information etc. Currently there are approximately 60,000 News Groups covering virtually any subject imaginable, with titles ranging from ‘3b.config’ to ‘zz.unity.netlink’. Regrettably, most News Groups have their share of contributors whose sole mission appears to be to hurl abuse and ‘flame’ others’ points of view, and some are definitely ‘18’ rated. Caution is advised.
Non Disclosure Agreement – NDA A Non Disclosure Agreement (NDA) is a legally binding document which protects the confidentiality of ideas, designs, plans, concepts or other commercial material.
Most often, NDAs are signed by vendors, contractors, consultants and other non-employees who may come into contact with such material.
Non-Repudiation For e-Commerce and other electronic transactions, including ATMs (cash machines), all parties to a transaction must be confident that the transaction is secure; that the parties are who they say they are (authentication), and that the transaction is verified as final. Systems must ensure that a party cannot subsequently repudiate (reject) a transaction. To protect and ensure digital trust, the parties to such systems may employ Digital Signatures, which will not only validate the sender, but will also ‘time stamp’ the transaction, so it cannot be claimed subsequently that the transaction was not authorised or not valid etc.
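The Non-Repudiation entry above describes digital signatures that validate the sender and time stamp the transaction so that neither party can later disown it. The following Go program is an added example (not code from the glossary or its publisher) of that idea: the payer signs a constructed transaction record, including its time stamp, with an Ed25519 key, and the payee or a later arbiter verifies it. The Transaction fields, the use of the payer's own clock for the time stamp (a real system would more likely use a trusted time-stamping authority), and the JSON canonical encoding are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Transaction is a constructed record standing in for an e-commerce order or
// ATM withdrawal. Every field, including the time stamp, is covered by the signature.
type Transaction struct {
	Payer     string `json:"payer"`
	Payee     string `json:"payee"`
	Amount    int64  `json:"amount_cents"`
	Timestamp string `json:"timestamp"` // RFC 3339, set when the payer signs
}

// SignedTransaction couples a transaction with the payer's signature over it.
type SignedTransaction struct {
	Tx        Transaction
	Signature []byte
}

// NewKeyPair generates the payer's Ed25519 key pair. The private key must stay
// solely under the payer's control: that exclusivity is what makes a signature
// something the payer cannot later repudiate.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical produces the exact bytes that are signed and verified. Both sides
// must derive them identically, so a fixed field order (the struct's) is used.
func canonical(tx Transaction) ([]byte, error) {
	return json.Marshal(tx)
}

// SignTransaction stamps the transaction with the given time and signs it.
// (Assumption: the signer's clock is used; a trusted time-stamping service is
// the stronger choice.)
func SignTransaction(priv ed25519.PrivateKey, tx Transaction, at time.Time) (SignedTransaction, error) {
	tx.Timestamp = at.UTC().Format(time.RFC3339)
	msg, err := canonical(tx)
	if err != nil {
		return SignedTransaction{}, err
	}
	return SignedTransaction{Tx: tx, Signature: ed25519.Sign(priv, msg)}, nil
}

// VerifyTransaction is what the payee (or a later arbiter) runs. It returns true
// only if the signature matches this exact payer key, amount and time stamp.
func VerifyTransaction(pub ed25519.PublicKey, st SignedTransaction) bool {
	msg, err := canonical(st.Tx)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, st.Signature)
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	order := Transaction{Payer: "alice", Payee: "shop", Amount: 4999}
	signed, err := SignTransaction(priv, order, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine transaction verifies:", VerifyTransaction(pub, signed))

	// The payee tries to inflate the amount after the fact: verification fails.
	inflated := signed
	inflated.Tx.Amount = 49999
	fmt.Println("altered amount verifies:", VerifyTransaction(pub, inflated))

	// The payer later claims it was signed at a different time: this also fails,
	// because the time stamp is part of the signed bytes.
	backdated := signed
	backdated.Tx.Timestamp = "2000-05-04T00:00:00Z"
	fmt.Println("altered time stamp verifies:", VerifyTransaction(pub, backdated))
}
```

The important design point is that the time stamp is inside the signed message rather than attached beside it; a signature over the amount alone would let either party argue about when the transaction was authorised. Verification also binds the record to one specific public key, so a signature cannot be re-attributed to a different payer.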
Object Code The machine code generated by a source code language processor, such as an assembler or compiler. A file of object code may be immediately executable or it may require linking with other object code files, e.g. libraries, to produce a complete executable program.
Operating System Computer programs that are primarily or entirely concerned with controlling the computer and its associated hardware, rather than with processing work for users.
Computers can operate without application software, but cannot run without an operating system.
Major manufacturers - IBM etc., - tend to use proprietary operating systems, but popular commercial operating systems include Unix, Windows® 95/98/NT/2000, MacOS®, OS/2®, Linux®, and DOS® variants.
Operating System Hardening Hardening of operating systems is the first step towards safeguarding systems from intrusion. Workstations and servers typically arrive from the vendor, installed with a multitude of development tools and utilities, which, although beneficial to the new user, also provide potential back-door access to an organisation’s systems.
Hardening of an operating system involves the removal of all non-essential tools, utilities and other systems administration options, any of which could be used to ease a hacker’s path to your systems. Following this, the hardening process will ensure that all appropriate security features are activated and configured correctly.
Again, ‘out of the box’ systems will likely be set up for ease of access, with open access to the ‘root’ / Administrator account. Some vendors have now recognised that a market exists for pre-hardened systems; see Trusted Operating Systems.
Output Literally, material which is put out by the computer, (as instructed by an application program) often onto paper, but, increasingly, to a screen, or storage device.
Out-Sourcing Having some or all of an organisation’s computer processing performed by a separate specialist organisation, such as a computer payroll bureau. This approach can generate savings in resource, but rarely operates in real time and carries a high risk of breach of confidentiality.
Overhead Overhead refers to the load placed upon a computer or system. For example, if a system, which usually has 10 persons processing transactions needs to accommodate 50, the overhead on the system has increased. Likewise, encrypting and decrypting data will increase a system’s overhead and reduce the resources available for other processes during the encrypt/decrypt cycle.
Take care not to increase the overheads on your systems without due consideration of the impact this may have. Your systems may well have adequate capacity to absorb the extra load; but there again, they may not, and this may affect your Information Security.
PABX / PBX A Private Automated Branch Exchange. The telephone network used by organisations to allow a single access number to offer multiple lines to outside callers, and to allow internal staff to share a range of external lines. All such exchanges are now automated, and it is common to refer to them as a simple ‘PBX’.
Package Software Software that is provided ‘as is’ or, ‘Off the Shelf’ by a supplier, and which is almost certainly in use by a number of organisations and companies.
Unless your organisation is prepared to be a beta test guinea pig, commercial users would be well advised to steer clear of package software which is not in use in any other organisation and which has no evidence of a track record.
Padded Cell Where a sensible organisation puts lusers so they can't do any damage. A program that limits a luser to a carefully restricted subset of the capabilities of the host system, and which is not so much aimed at enforcing security as protecting others (and the luser) from the consequences of the luser's boundless energy and enthusiasm.