Securing Information in the Digital Age: Information Security Policies. This document presents a suite of integrated solutions which, together, offer ...
Parallel Processing A computer which uses more than one processor, either to be able to perform more than one task at the same time or to improve processing speed by breaking down one larger task between different processors. Parallel processing is not quite the same as ‘Multi-tasking’ since, by definition, a single processor cannot do two things at once. It just seems that way to the user because the two things are handled one after the other so very quickly.
A typical organisation/business server will employ at least two and often four processors within the same machine. Although they may appear identical from the outside, dual processor (and better) systems are not aimed at the domestic (home user) market. Generally they demand specifically written application software and are not suitable for games/entertainment use. This feature alone makes them more attractive to companies.
Some very large systems can employ huge numbers of processors - hundreds or more - and, naturally, are extremely powerful (approaching the SuperComputer class). Such systems are generally described as being ‘Massively Parallel’.
Parallel processing has considerable advantages for companies with Mission Critical applications - but it comes at a price.
Parkinson's Law of Data ‘Data expands to fill the space available for storage.’, i.e. buying more memory encourages the use of more memory-intensive techniques. It has been observed since the mid-1980s that the memory usage of evolving systems tends to double roughly once every 18 months. Fortunately (per Moore’s Law), the memory density available for a constant price also tends to roughly double once every 18 months.
Unfortunately, the laws of physics mean that the latter cannot continue indefinitely.
Password Management Package A piece of software that is used to control password functions, often for several different application systems simultaneously.
Passwords – Choosing The object when choosing a password is to make it as difficult as possible for a hacker (or even a business colleague) to guess or ‘work out’ your password. This leaves the hacker with no alternative but to a) give up (which is what we want!) or b) initiate a ‘brute-force’ search, trying every possible combination of letters, numbers, and other characters. A search of this sort, even processed on a computer capable of generating and testing thousands of passwords per second, could require many years to complete. So, in general, passwords should be safe; but only if you select them carefully.
Using only the standard English alphabet and numerals, a non-case-sensitive password of 6 characters offers over 2 million possible combinations. In case-sensitive password applications ‘a’ is not the same as ‘A’, which doubles the number of available characters. Thus, making that same 6-character password case-sensitive, and allowing the shifted version of the numerical keys, increases the number of combinations to approaching 140 million. Each additional character increases the number of combinations exponentially, and so a 7-character, case-sensitive password would offer over a billion combinations. A human user has virtually no chance of ever identifying a 6-character password which has been randomly generated and, obviously, even less chance of cracking a password of 8 or more characters.
What Not to Use
• Don't use your login name in any form, e.g. ‘as is’, reversed, capitalized, doubled, etc.
• Don't use your first or last name in any form.
• Don't use your spouse's or partner’s name, or that of one of your children.
• Don't use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, your home or street name etc.
• Don't use a password of all digits, or all the same letter. This significantly decreases the search time for a hacker.
Glossary 456
• Don't use a word contained in a dictionary (English or foreign language), spelling lists, or other lists of words.
• Don't ever use a password shorter than six characters.
What to Use
• Use a password with mixed-case alphabetic characters.
• Use a password with non-alphabetic characters, e.g. digits or punctuation.
• Use a password that you are able to commit to memory; so you don't have to write it down.
• Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
Be aware of Dictionary-Based Off-Line Searches
Hackers will often use a dictionary of common passwords to ‘jump start’ the cracking of your password. Instead of using passwords like "kwPpr*Kv8naiszf" or "2AW~#6k", many people still use simple, easy-to-remember passwords such as jackie1 or PeterS. So hackers don't bother with exhaustive searches of all combinations of random letters or characters, but use a rules-based password cracking program.
Therefore select a password that will be extremely hard to crack and change it periodically too!
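The combinations arithmetic, the ‘What Not to Use’ / ‘What to Use’ rules and the dictionary-based attack described in this entry, as an added example written in Go (this is not code from the book). It implements a checker for the rules listed, including the stripping of trailing digits that a rules-based cracker performs on words like jackie1, and computes the search space and exhaustive-search time for the alphabet sizes the entry describes. The word list, the login name ‘jsmith’, the family names and the rate of 1000 guesses per second are constructed sample values, not figures from the page.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// dictionary is a constructed, tiny stand-in for the word lists a rules-based cracker works from.
var dictionary = map[string]bool{
	"password": true, "welcome": true, "dragon": true, "letmein": true,
	"monkey": true, "jackie": true, "peter": true,
}

// CheckPassword applies the entry's "What Not to Use" and "What to Use" rules and returns
// the rules the candidate breaks; an empty result means it passes them all.
func CheckPassword(password, login string, names ...string) []string {
	var problems []string
	pw := strings.ToLower(password)
	runes := []rune(password)
	if len(runes) < 6 {
		problems = append(problems, "shorter than six characters")
	}
	allDigits, sameLetter := len(runes) > 0, len(runes) > 0
	var hasLower, hasUpper, hasNonAlpha bool
	for _, r := range runes {
		allDigits = allDigits && unicode.IsDigit(r)
		sameLetter = sameLetter && unicode.IsLetter(r) && unicode.ToLower(r) == unicode.ToLower(runes[0])
		hasLower = hasLower || unicode.IsLower(r)
		hasUpper = hasUpper || unicode.IsUpper(r)
		hasNonAlpha = hasNonAlpha || !unicode.IsLetter(r)
	}
	if allDigits || sameLetter {
		problems = append(problems, "all digits or all the same letter")
	}

	// The login name and personal names are rejected as is, reversed or doubled, ignoring case.
	for _, name := range append([]string{login}, names...) {
		n := strings.ToLower(name)
		if n == "" {
			continue
		}
		for _, variant := range []string{n, reverse(n), n + n} {
			if strings.Contains(pw, variant) {
				problems = append(problems, "contains login or personal name: "+name)
				break
			}
		}
	}

	// Rules-based crackers try dictionary words with digits appended ("jackie1"), so the
	// trailing digits are stripped before the lookup.
	stem := strings.TrimRight(pw, "0123456789")
	if dictionary[pw] || dictionary[stem] {
		problems = append(problems, "based on a dictionary word")
	}
	if !(hasLower && hasUpper) {
		problems = append(problems, "not mixed case")
	}
	if !hasNonAlpha {
		problems = append(problems, "no digits or punctuation")
	}
	return problems
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// SearchSpace is the number of candidates an exhaustive search must cover:
// the alphabet size raised to the password length.
func SearchSpace(alphabetSize, length int) *big.Int {
	return new(big.Int).Exp(big.NewInt(int64(alphabetSize)), big.NewInt(int64(length)), nil)
}

// BruteForceSeconds estimates the time for that exhaustive search at a given guess rate.
func BruteForceSeconds(alphabetSize, length int, guessesPerSecond float64) float64 {
	space, _ := new(big.Float).SetInt(SearchSpace(alphabetSize, length)).Float64()
	return space / guessesPerSecond
}

func main() {
	// Constructed sample user: login "jsmith", family members Jackie and Peter, surname Smith.
	for _, pw := range []string{"jackie1", "PeterS", "2AW~#6k"} {
		fmt.Printf("%-8s -> %v\n", pw, CheckPassword(pw, "jsmith", "Jackie", "Peter", "Smith"))
	}
	// Alphabet sizes for the cases the entry describes: letters+digits ignoring case (36),
	// mixed case+digits (62) and mixed case+digits+shifted numerals (72); 1000 guesses/s is assumed.
	for _, c := range []struct{ alphabet, length int }{{36, 6}, {62, 6}, {72, 6}, {62, 7}} {
		fmt.Printf("%2d symbols x %d chars: %v candidates, %.1f days at 1000 guesses/s\n", c.alphabet,
			c.length, SearchSpace(c.alphabet, c.length), BruteForceSeconds(c.alphabet, c.length, 1000)/86400)
	}
}
```

The checker reports every rule a candidate breaks rather than stopping at the first, which is what a user-facing password-change screen needs; the two sample passwords from the text, jackie1 and PeterS, each fail several rules, while the random "2AW~#6k" passes them all.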
Passwords – Use and Best Practice A string of characters input by a system user to substantiate their identity, and/or authority, and/or access rights, to the computer system that they wish to use.
Passwords are central to all computer systems - even sophisticated systems employing fingerprints, voice recognition, or retinal scans.
Even having chosen an ‘impossible to guess’ password, (See Passwords – Choosing) your management of the password will determine its effectiveness in safeguarding access to the system using your user ID and password. The following best practice guidelines should be observed.
• Passwords must never (ever) be written down. The moment they are committed to paper or to a document, discovery of that paper will invalidate other security measures. A potential hacker may also witness you retrieving the paper as you innocently review your password list, and this then offers a simple target: obtain the paper and not only will ‘this’ password be available, but possibly those to other systems, credit card PINs, and perhaps your bank account too.
• Passwords of key role holders - such as System and Network administrators - should be copied and held under dual control in a fire-resistant, secure location, to enable access to the system by an authorised person in the unavoidable absence of the password holder.
• Passwords must be changed at regular intervals, and should be chosen privately by the individual users; and although often issued initially by the IT people, the password must be changed immediately.
• Password changes must be forced if necessary by implementing an expiry period after which a user’s password will not be accepted and the next attempt to log on by that user will result in a security flash to the system console.
Patch Similar to a ‘Fix’, a Patch is a temporary arrangement used to overcome software problems or glitches. A patch will normally be released as a ‘quick fix’ prior to the next formal release of the software. Patches are usually (but not always) available on-line from the vendor’s Web site.
Caution. A patch will usually (but not always) be an incremental addition to an assumed software version, i.e. the patch will assume that the software already installed is version ‘x’. It is critical that the patch is applied carefully and that the software version to which it applies is confirmed. Naturally, no software update should be performed without first having adequately tested the update. See System Testing.
Path In IT systems, the path refers to the location of a file or directory on that system.
On PCs using MS DOS® or Windows®, the path is as follows: driveletter:\directoryname\sub-directoryname\filename.suffix
In Microsoft Windows®, a ‘directory’ is called a ‘folder’; it is the same thing though!
Unix systems are similar but use a modified syntax, as follows: directory/subdirectory/filename
Payload The ‘active’ element of a virus. Some payloads are extremely malevolent, others merely childish, while yet others appear to have no real payload at all, simply reproducing or attaching themselves to existing files all over the place and filling up hard disks with clutter.
Peer Review Peer Review refers to the checking and review of work performed by one’s peers (equals) in a working group. The term is frequently used in projects where systems development takes place. Both systems analysts and programmers will have their work checked by each other and this forms a critical aspect to the quality process.
Peers can usually identify each other’s errors quickly and easily, and this can result in improved performance.
Penetration Intrusion, Trespassing, Unauthorised entry into a system. Merely contacting a system or using a keyboard to enter a password is not penetration, but gaining access to the contents of the data files by these or other means does constitute Penetration.
Penetration Testing is the execution of a testing plan, the sole purpose of which is to attempt to hack into a system using known tools and techniques.
Peripherals Pieces of hardware attached to a computer rather than built into the machine itself.
The term includes Printers, Scanners, Hard Drive Units, Portable drives, and other items which can be plugged into a port.
Physical Security Physical Protection Measures to safeguard the Organisation's systems, including but not limited to restrictions on entry to premises, restrictions on entry to the computer department and Tank, locking/disabling equipment, disconnection, fire-resistant and tamper-resistant storage facilities, anti-theft measures, anti-vandal measures, etc.
Pickling Archiving a working model of obsolete computer technology so that a machine will be available to read old archive records which were created and stored using that machine’s system. Reportedly, Apple Computers have pickled a shrink-wrapped Apple II machine so that it can read Apple II software (if necessary) in the future.
Ping ‘Ping’ stands for Packet Internet (or Inter-Network) Groper and is a packet (small message) sent to test the validity / availability of an IP address on a network. Technically, ping is carried by the Internet Control Message Protocol (ICMP). Maliciously sending large volumes of ‘Pings’ to cause difficulties for anyone else attempting to access that address is known as Smurfing.
PKI Where encryption of data is required, perhaps between the organisation’s internal networks and between clients and representatives, a means of generating and managing the encryption keys is required.
PKI, or Public Key Infrastructure, is the use and management of cryptographic keys - a public key and a private key - for the secure transmission and authentication of data across public networks.
Caution: Whilst the overall mechanisms and concepts are generally agreed, there are differences amongst vendors.
A public key infrastructure consists of:
• A Certification Authority (CA) that issues and assures the authenticity of Digital Certificates. A Digital Certificate will include the public key or other information about the public key.
• A Registration Authority (RA) that validates requests for the issuance of Digital Certificates. The Registration Authority will authorise the issuance of the keys to the requestor by the Certificate Authority.
• A certificate management system. This will be a software application developed and provided by the vendor of the PKI system.
• A directory where the certificates, together with their public keys, are stored; usually conforming to the X.500 standards.
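The components listed above, as an added example that uses the Go standard library rather than any vendor's PKI product (it is not code from the book): a Registration Authority that validates each request against its policy, a Certification Authority that signs certificates only for validated requests, and a relying party whose trust store stands in for the certificate directory. The CA names, the subject names and the RA's allow-list are constructed sample values, and the RA policy is a simple allow-list assumed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RegistrationAuthority validates a certificate request before the CA may sign it.
// Its policy here is a constructed allow-list of approved subject names.
type RegistrationAuthority struct{ approved map[string]bool }

func (ra RegistrationAuthority) Validate(subject string) error {
	if !ra.approved[subject] {
		return errors.New("RA rejected certificate request for " + subject)
	}
	return nil
}

// CertificationAuthority holds the CA's self-signed certificate and its private signing key.
type CertificationAuthority struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newTemplate(subject string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// NewCA generates the CA key pair and self-signs the CA certificate that relying parties will trust.
func NewCA(name string) (*CertificationAuthority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := newTemplate(name, 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CertificationAuthority{Cert: cert, key: key}, nil
}

// Issue signs a certificate binding subject to pub, but only once the RA has approved the request.
func (ca *CertificationAuthority) Issue(ra RegistrationAuthority, subject string, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	if err := ra.Validate(subject); err != nil { return nil, err }
	tmpl := newTemplate(subject, serial)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Verify is the relying party's side: its trust store holds only the trusted CA certificate,
// and cert must chain to it with a valid signature, validity period and key usage.
func Verify(cert, trusted *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Demo runs the exchange end to end: RA rejection of an unapproved subject, a certificate that
// verifies against its issuing CA, and the same certificate rejected by a party trusting another CA.
func Demo() (raRejected, chainOK, otherRootRejected bool, err error) {
	ca, err := NewCA("Example Root CA") // constructed CA name
	if err != nil { return }
	ra := RegistrationAuthority{approved: map[string]bool{"alice@example.test": true}} // constructed policy
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return }
	_, rejectErr := ca.Issue(ra, "mallory@example.test", &userKey.PublicKey, 2)
	raRejected = rejectErr != nil
	cert, err := ca.Issue(ra, "alice@example.test", &userKey.PublicKey, 3)
	if err != nil { return }
	chainOK = Verify(cert, ca.Cert) == nil
	other, err := NewCA("Unrelated Root CA")
	if err != nil { return }
	otherRootRejected = Verify(cert, other.Cert) != nil
	return
}

func main() {
	raRejected, chainOK, otherRootRejected, err := Demo()
	if err != nil { panic(err) }
	fmt.Println("RA blocked unapproved subject:", raRejected, "| chains to issuing CA:", chainOK,
		"| rejected under another CA:", otherRootRejected)
}
```

The last scenario is the one that matters most in practice: a certificate is only as trustworthy as the CA certificate the relying party has chosen to put in its trust store, so the same Digital Certificate verifies under one CA and fails under another.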
Platform Usually, nothing whatsoever to do with railway trains or stations! The term platform crept into IT jargon in the early 1990s and is now an accepted term in the vernacular. It refers to the hardware and, by implication, the Operating System of a certain type of computer.
Policy A policy may be defined as ‘An agreed approach in theoretical form, which has been agreed to / ratified by, a governing body, and which defines direction and degrees of freedom for action.’ In other words, a policy is the stated views of the senior management (or Board of Directors) on a given subject.
Polling Checking the status of an input line, sensor, or memory location to see if a particular external event has been registered. Typically used on fax machines to retrieve information from a remote source: the user will dial from one fax machine to another, then press the polling button to get information from the remote fax machine.
Polymorphic Term used to describe a virus which changes itself each time it replicates in an attempt to hide from Anti-virus software. Nasty.
POTS POTS – Plain Old Telephone Service. This acronym was born in the early 1990s when everything (it seemed) HAD to have an acronym. The term POTS was created by systems professionals to clarify their documentation and diagrams when referring to networks and computer links which perhaps only used, or required the use of, the plain old telephone system! It also implies the older non-digital copper wiring which was ‘OK’ for voice but was poor for data at speeds beyond 4800bps.
Privilege Privilege is the term used throughout most (if not all) applications and systems to denote the level of operator permission, or authority. Privilege can be established at the file or folder (directory) level and can allow (say) Read only access, but prevent changes. Privileges can also refer to the extent to which a user is permitted to enter and confirm transactions / information within the system. In many systems, the security features will offer the ability to implement dual control or automatic escalation to the next ‘highest’ level, to assist with Information Security compliance and best practice.
Privileges are established at two levels: firstly, at the network level, where the level of privilege is established with respect to general access rights and permissions; secondly, at the application level, where the user’s job function and responsibility will determine the level of privilege required.