A policy that the user agrees to follow before being allowed to access a network.

Transcription

1 Part IV: Appendixes Appendix A. Glossary THESE DEFINITIONS WILL GIVE YOU A BASIC understanding of the terms used throughout this book. As with many technical definitions, more information may be required to fully understand the concepts. A good place to find detailed definitions to these and other technical terms is at Acceptable Use Policy (AUP) A policy that the user agrees to follow before being allowed to access a network. access control list (ACL) A table used by systems and systems software to define access rights. ActiveX The object-oriented language from Microsoft used to create mobile code. air gap A term used to describe the absolute separation of two or more networks. anti-virus A class of software that attempts to prevent computer viruses from infecting a system.

2 applet A small program that is delivered from a server and run on the client's computer. asymmetric encryption See [public key cryptography] attack scenario Part of survivable network analysis. Attack scenarios define how a system could be attacked. AUP See [Acceptable Use Policy (AUP)] authentication The process of determining whether someone or something is who or what it is declared to be. backdoor In software design, the mechanism programmed to allow the programmer special access to the software. biometrics The technologies for measuring and analyzing human body characteristics to authenticate someone. Bootstrap Protocol (BOOTP) A protocol that lets a network machine automatically receive a network address when the operating system boots or is initialized. BOOTP is the basis for the Dynamic Host Configuration Protocol (DHCP). bounds checking A software development method that checks the boundaries of internal memory operations to prevent problems, such as buffer overflows. BSA See [Business Software Alliance (BSA)] buffer overflow A common software problem that could be prevented with bounds checking, where an internal memory operation writes data in areas outside its boundaries.

3 Bureau of Export Affairs (BXA) The bureau of the U.S. Federal Trade Commission that implements the administration's policy on encryption export. Business Software Alliance (BSA) An international industry organization whose main purpose is to fight software piracy. BXA See [Bureau of Export Affairs (BXA)] CGI See [Common Gateway Interface (CGI)] Commercial Off-The-Shelf (COTS) Describes products that can be readily purchased from commercial entities. Common Gateway Interface (CGI) A standard used to pass data from a client (for example, a browser) to a web server to be processed by a particular program on the server. contingency planning The act of creating procedures to ensure that the network, systems, and data are not lost in the event of an outage or disaster. The result of contingency planning is the Disaster Recovery Plan. copyright The exclusive legal right to reproduce, publish, and sell a piece of intellectual property. Copyrights do not have to be registered, but it helps when trying to protect them in the courts. COTS See [Commercial Off-The-Shelf (COTS)] cryptographic hash A function that uses cryptographic functions to transform data into a unique, fixed-length value that cannot be converted back into the original data. data ownership The concept of who owns the data for the purposes of assigning security responsibilities.

4 DDoS See [Distributed Denial of Service (DDoS)] decryption The process of converting encrypted data back into its original form. demilitarized zone (DMZ) A network segment that is placed between the organization's network and a public network, usually the Internet. Public network services, such as DNS and web servers, are usually installed on the DMZ. denial of service (DoS) An attack on a system or network that prevents users from accessing its resources. DHCP See [Dynamic Host Configuration Protocol (DHCP)] digital certificate A small bit of data issued by a certification authority that contains information about who the certificate was issued to, as well as the certifying authority that issued it. Digital certificates contain the public key used in public key cryptography. digital signature Cryptographic hashes created by using the private key in the digital certificate. Digital signatures can be verified using the signer's public key, which may be kept by the certification authority. Distributed Denial of Service (DDoS) When more than one system is used to attack the resources of a single server to create a denial-ofservice attack. Disaster Recovery Plan (DRP) The procedures created from contingency planning to ensure that networks, systems, and databases are not lost in the event of an outage or disaster. Some DRPs include procedures for continuous operations in the event of an outage. DMZ See [demilitarized zone (DMZ)] Domain Name Service (DNS) The server that translates the readable domain name to an IP address.

5 DoS See [denial of service (DoS)] DRP See [Disaster Recovery Plan (DRP)] duress password A special password assigned to administrative accounts that will signal the user logged in under duress. The purpose is to have the system contact or notify an authority to handle the problem. Dynamic Host Configuration Protocol (DHCP) A protocol that allows Network Administrators to centrally manage and automate the assignment of Internet Protocol (IP) addresses on an organization's network. Electronic Data Interchange (EDI) A standard format for trading partners to exchange business data. An EDI message contains strings of data elements, each representing a singular item. The entire string is called a data segment. One or more data segments can be grouped together to form a transaction set. These transaction sets usually contain elements that would appear in a typical business document or form. encryption The conversion of data into a form that cannot be easily understood by unauthorized people. exploit An attack on a computer system that takes advantage of a particular vulnerability. extranet A private network that uses the Internet protocol and the public Internet to securely extend the organization's intranet, making it accessible to partners, customers, vendors, and so on. Federal Information Processing Standards (FIPS) Standards used by U.S. federal agencies to define their information-processing environment. FIPS Publications are the documentation of the standards maintained by National Institute of Standards and Technology (NIST). FIPS Pub Security Requirements for Cryptographic Modules, the standard for using encryption with U.S. federal agencies.

6 firewall A device or program that protects a network. Firewalls are placed at network gateways to prevent unwanted or malicious traffic from entering the organization's network and block unauthorized traffic from leaving the internal network. Frame Relay A telecommunication service designed to connect local area networks (LANs). These are called endpoints on the Frame Relay network. Frame Relay works by packaging data in variable-sized packets (frames) and transmitting them to the associated end-point. All error correction is left to the endpoints, which speeds up overall data transmission. gateway A point on a network that acts as an entrance to another network. hacker A term used by programmers to mean a good programmer. When used by the mainstream media, it means anyone who breaks into systems and networks without authorization or who uses computers to commit fraud. hub A device where network traffic comes together before being distributed out to connected systems or other networks. ICMP See [Internet Control Message Protocol (ICMP)] IETF See [Internet Engineering Task Force (IETF)] incident response The policies and procedures for responding to a security problem or breach. industrial espionage The stealing of trade secrets from one company by another or by a foreign government. information assets The organization's data that creates value of the organization. In many organizations, information assets define the goals and mission.

7 Information Ownership The concept of assigning the responsibility to someone who will be responsible for the management and integrity of the data. information security policies The statements that define the information security program. intellectual property In the concept of information security, the data created by the organization that is being protected by the policies. Internet Control Message Protocol (ICMP) An error-reporting and message-control protocol between Internet hosts. ICMP uses IP datagrams transparent to the user and the user's application. Internet Engineering Task Force (IETF) The volunteer organization that maintains the standards used on the Internet. Internet Network Information Center (InterNIC) A cooperative between the U.S. government and Network Solutions, Inc. It was the organization responsible for registering and maintaining the top-level domain names. Today, a nonprofit global organization, the Internet Corporation for Assigned Names and Numbers (ICANN), was formed to monitor the registrar accreditation process. interoperability The ability of software or systems to work with each other without special effort. intranet A private network that is contained within an enterprise. The intranet can be a single network or several linked networks accessible only to the enterprise. intruder Another name the mainstream media gives to a hacker.

8 intrusion detection A system that monitors system or network traffic to detect security violations. Internetwork Packet Exchanged (IPX) A networking protocol from Novell that interconnects networks that use Novell's Netware software. ISO 9001 A standard describing quality control standards of all business processes and procedures. Java The object-oriented language used to create mobile code from Sun Microsystems. Kerberos Developed as part of the Athena Project at the Massachusetts Institute of Technology (MIT). A secure method for authorizing requests on a computer network. Kerberos enables a user to request a "ticket" from an authorization process to be used to request a service from a server. Kerberos-aware services check the requesting ticket to determine access rights. Man In The Middle Attack An attack where the message is intercepted and copied or modified before being transmitted to the intended recipient. Its purpose is to intercept authentication information or to falsify transmitted information such as financial transactions. mobile code The term given to software that can be downloaded from a server and run on any system. ActiveX and Java are commonly used to create mobile code. NAT See [Network Address Translation (NAT)] National Infrastructure Protection Center (NIPC) An investigation unit of the FBI whose jurisdiction is the nation's critical infrastructure, including the Internet. National Institute of Standards and Technology (NIST) A bureau of the U.S. Department of Commerce. The Computer Security Resource Center maintains the information security standards for the federal government.

9 Netware A network operating system created by Novell, Inc. that supports IPX and IP networking protocols. Network Address Translation (NAT) The translation of an IP address used within one network to a different IP address known within another network. Network File System (NFS) A protocol that lets a computer use a disk on a remote computer as though it was mounted on the user's own computer. NFS See [Network File System (NFS)] NIPC See [National Infrastructure Protection Center (NIPC)] NIST See [National Institute of Standards and Technology (NIST)] open source Refers to any program whose source code is made available for public use or modification. Most open source software is developed as a public collaboration. outsourcing An arrangement in which one company provides services that are normally provided internally for another organization. packet The smallest transmission unit on a network. password A unique series of characters that users enter to identify themselves to the system as part of the authentication process. penetration testing The process of checking the security of a network's perimeter.

10 PKI See [public key infrastructure (PKI)] Point-to-Point Protocol (PPP) A protocol used for communications between two computers using a serial interface, usually over telephone lines. PPP See [Point-to-Point Protocol (PPP)] privacy policy A statement that specifies how an organization will handle the private information it collects. proxy server A service that acts as an intermediary between a user or service from the internal network and the Internet so that security can be ensured. public key cryptography Based on a mathematical function that uses one key to encrypt a message and another to decrypt. One key is meant to be made public, the other one is kept private. public key infrastructure (PKI) Enables users of insecure public networks to securely exchange data. PKI uses public and private key pairs generated using public key cryptography that is obtained from a trusted authority. Request For Comments (RFC) A document from the IETF that defines or updates standards. Some RFC documents are written to provide information only. risk assessment The review process to assess the security and vulnerability of a network. router Software or device that examines the address within a packet and decides the path that a packet should take as it is forwarded toward its destination. Routers use tables that describe the state of network connections to decide how packets should be forwarded.

11 sendmail The popular open source program used to manage the transmission of Internet . servlet A small program that is run on a server. shareware Software that is freely distributed with the understanding that if the user continues to use it after a certain amount of time, usually 30 days, the user will pay the author for its continued use. Simple Mail Transfer Protocol (SMTP) The Level 5 protocol that is used to transmit from one system to another. spam Unsolicited, bulk . spoofing Part of a network attack where the attacker alters the IP address of the packet to one that the system being attacked trusts or will forward responses to. stateful packet inspection A type of firewall filtering that maintains the state of incoming packets to prevent attacks that rely on fragmentation of packets. Stateful packet inspection also can match replies to outbound requests to provide additional controls. subnetwork A part of an organization's network. Usually, subnetworks are created to isolate network traffic from the rest of the network. survivability The ability of a network computing system to provide essential services in the presence of attacks and failures and recover full services in a timely manner. symmetric encryption A type of encryption where the same key is used to encrypt and decrypt data.

12 TCP See [Transmission Control Protocol (TCP)] telecommuting Working outside the traditional office using networking to connect the user to the organization's system. transient connection A connection that is not permanent. Modem and wireless connections to a network are considered transient connections. Transmission Control Protocol (TCP) A connection-oriented communications protocol that transmits messages between systems. TCP keeps up with the state of packet transmissions to ensure that all data arrives at the remote system and the remote system puts them together in order. Trojan Horse A program in which malicious code is contained inside a program or data that appears harmless but can gain control and damage the computer. tunneling A protocol that defines a specific virtual path that messages will travel over IP networks. UDP See [User Datagram Protocol (UDP)] Usenet News A collection of messages organized into newsgroups that are transmitted over the Internet. Usenet News works using a store and forward system that distributes the postings to other servers. There is not a central Usenet server. User Datagram Protocol (UDP) A connectionless communications protocol that transmits single units of data, called datagrams, between systems. UDP does not guarantee that datagrams will be received in the order sent, nor does it guarantee that the remote server will receive the datagrams. Virtual Private Network (VPN) A private data network that uses the public telecommunication infrastructure, maintaining security through the use of a tunneling protocol and encryption.

13 virus Self-replicating malicious code that integrates itself into executable hosts such as boot sectors, programs, and macros. Viruses replicate when they are executed. VPN See [Virtual Private Network (VPN)] vulnerability A weakness in the system that can be exploited by attackers. These weaknesses are usually caused by design flaws, bugs, or configuration errors in systems and supporting software. Wassenaar Arrangement (WA) International armaments agreement that also has provisions for the import and export of encryption products. Windows Internet Naming Service (WINS) A component of Microsoft Windows network services that maintains the translation of system names between Windows networking and IP addresses. World Wide Web (WWW) "The World Wide Web is the universe of network-accessible information, an embodiment of human knowledge" (definition by web inventor, Tim Berners-Lee). worm Self-replicating malicious code that replicates itself through networks. Worms may become apparent through harmful payloads or when the replication process gets out of control.