PABX / PBX
A Private Automated Branch Exchange. The telephone network used by organizations to allow a single access number to offer multiple lines to outside callers, and to allow internal staff to share a range of external lines. All such exchanges are now automated, and it is common to refer to them simply as a 'PBX'.

Passwords - Choosing
The object when choosing a password is to make it as difficult as possible for a hacker (or even a business colleague) to guess or 'work out' your password. This leaves the hacker with no alternative but to a) give up (which is what we want!) or b) initiate a 'brute-force' search, trying every possible combination of letters, numbers, and other characters. A search of this sort, even processed on a computer capable of generating and testing thousands of passwords per second, could require many years to complete. So, in general, passwords should be safe; but only if you select them carefully.

Using only the standard English alphabet and numerals, a non-case-sensitive password of 6 characters offers over 2 million possible combinations. In case-sensitive password applications 'a' is not the same as 'A', which doubles the number of available characters. Thus, making that same 6-character password case-sensitive, and allowing the shifted version of the numerical keys, increases the number of combinations to approaching 140 million. Each additional character increases the number of combinations exponentially, and so a 7-character, case-sensitive password would offer over a billion combinations. A human user has virtually no chance of ever identifying a 6-character password which has been randomly generated and, obviously, even less chance of cracking a password of 8 or more characters.

What Not to Use
What to Use

Be aware of Dictionary-Based Off-Line Searches: Hackers will often use a dictionary of common passwords to 'jump start' the cracking of your password. Instead of using passwords like "kwPpr*Kv8naiszf" or "2AW~#6k", many people still use simple, easy-to-remember passwords such as jackie1 or PeterS. So hackers don't bother with exhaustive searches for all combinations of random letters or characters, but use a rules-based password cracking program. Therefore select a password that will be extremely hard to crack, and change it periodically too!

Passwords - Use and Best Practice
A string of characters input by a system user to substantiate their identity, and/or authority, and/or access rights, to the computer system that they wish to use. Passwords are central to all computer systems - even sophisticated systems employing fingerprints, voice recognition, or retinal scans. Even having chosen an 'impossible to guess' password (see Passwords - Choosing), your management of the password will determine its effectiveness in safeguarding access to the system using your user ID and password. The following best practice guidelines should be observed.

Patch
Similar to a 'Fix', a Patch is a temporary arrangement used to overcome software problems or glitches. A patch will normally be released as a 'quick fix' prior to the next formal release of the software. Patches are usually (but not always) available on-line from the vendor's Web site. Caution: A patch will usually (but not always) be an incremental addition to an assumed software version, i.e. the patch will assume that the software already installed is version 'x'. It is critical that the patch is applied carefully and that the software version to which it applies is confirmed. Naturally, no software update should be performed without first having adequately tested the update. See System Testing.

Path
In IT systems, the path refers to the location of a file or directory on that system. On PCs using MS DOS® or Windows®, the path is as follows: driveletter:\directoryname\sub-directoryname\filename.suffix
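The two password entries above describe the two things a defender can actually measure: the size of the search an exhaustive attack faces (character set raised to the length) and whether a rules-based cracker would recover the password from a common word by stripping a digit, a trailing letter or a leetspeak substitution. The following Python is an added example written for this glossary page; it is not the glossary's own material. The wordlist, the mangling rules, the 8-character minimum and the guess rate are constructed assumptions for illustration, and the keyspace figures it computes come from the character classes it finds in the input rather than from the numbers quoted in the entry.

```python
"""Password-policy check: keyspace estimate plus a rules-based dictionary test.

Added example; not part of the glossary. The wordlist, the mangling rules,
the minimum length and the guess rate are constructed assumptions.
"""
import math
import string

# Constructed stand-in for a real list of common passwords (assumption).
COMMON_WORDS = {"jackie", "peter", "password", "secret", "letmein", "welcome"}

# Minimum length the policy enforces (assumption, not from the glossary).
MIN_LENGTH = 8

# Leetspeak reversals a rules-based cracker would try ("P@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Character classes and their sizes; string.punctuation has 32 symbols.
CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
)


def character_classes(password: str) -> list:
    """Names of the character classes actually present in the password."""
    return [name for name, chars in CLASSES if any(c in chars for c in password)]


def charset_size(password: str) -> int:
    """Size of the smallest alphabet a brute-force search must cover."""
    return sum(len(chars) for name, chars in CLASSES
               if name in character_classes(password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of this alphabet and length has."""
    return charset_size(password) ** len(password)


def brute_force_years(password: str, guesses_per_second: float) -> float:
    """Worst-case years needed to exhaust the keyspace at the given guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def mangled_candidates(password: str) -> set:
    """Base words a cracker's rule set would recover from this password."""
    s = password.lower()
    cands = {s, s.translate(LEET), s[::-1]}
    cands.add(s.rstrip(string.digits))        # "jackie1", "jackie2003"
    cands.add(s[:-1])                         # "PeterS", "secret!"
    cands.add(s.rstrip(string.digits)[:-1])   # "secret!1"
    cands.add(s[1:])                          # "!password", "1secret"
    return {c for c in cands if c}


def is_dictionary_derived(password: str, wordlist=COMMON_WORDS) -> bool:
    """True if any simple rule maps the password onto a common word."""
    return any(c in wordlist for c in mangled_candidates(password))


def check_password(password: str, wordlist=COMMON_WORDS) -> tuple:
    """Return (accepted, reason). The dictionary test runs first because a
    large nominal keyspace means nothing for a word a rule set recovers."""
    if is_dictionary_derived(password, wordlist):
        return False, "derived from a common word by a simple rule"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(character_classes(password)) < 3:
        return False, "uses fewer than three character classes"
    return True, f"keyspace about 2^{math.log2(keyspace(password)):.1f}"


if __name__ == "__main__":
    for candidate in ("jackie1", "PeterS", "P@ssw0rd", "kwPpr*Kv8naiszf"):
        print(candidate, check_password(candidate))
    print("abc123 keyspace:", keyspace("abc123"))  # 36**6 = 2176782336
```

The order of the checks is the point: `jackie1` and `PeterS` are rejected before their length or alphabet is even considered, because the rule set collapses them to a wordlist entry, which is exactly the shortcut the entry says crackers take instead of an exhaustive search.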
Payload

Penetration
Intrusion, trespassing, unauthorized entry into a system. Merely contacting a system or using a keyboard to enter a password is not penetration, but gaining access to the contents of the data files by these or other means does constitute Penetration.

Penetration Testing
The execution of a testing plan, the sole purpose of which is to attempt to hack into a system using known tools and techniques.

Perimeter Security
Personally Identifiable Information

Pharming
Similar in nature to e-mail phishing, pharming seeks to obtain personal or private (usually financial-related) information through domain spoofing. Rather than being spammed with malicious and mischievous e-mail requests for you to visit spoof Web sites which appear legitimate, pharming 'poisons' a DNS server by infusing false information into it, resulting in a user's request being redirected elsewhere. Your browser, however, will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail, while pharming allows the scammers to target large groups of people at one time through domain spoofing.

Phishing
The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information. For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a Web site look like a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with eBay legitimately. Phishing, also referred to as brand spoofing or carding, is a variation on "fishing", the idea being that bait is thrown out with the hope that while most will ignore the bait, some will be tempted into biting.

Physical Security
Physical protection measures to safeguard the organization's systems, including but not limited to restrictions on entry to premises, restrictions on entry to the computer department and Tank, locking/disabling equipment, disconnection, fire-resistant and tamper-resistant storage facilities, anti-theft measures, anti-vandal measures, etc.

Ping
'Ping' stands for Packet Internet (or Inter-Network) Groper and is a packet (small message) sent to test the validity / availability of an IP address on a network. The technical term for 'ping' is the Internet Control Message Protocol. Maliciously sending large volumes of 'Pings' to cause difficulties for anyone else attempting to access that address is known as Smurfing.

PKI
Where encryption of data is required, perhaps between the organization's internal networks and between clients and representatives, a means of generating and managing the encryption keys is required. PKI, or Public Key Infrastructure, is the use and management of cryptographic keys - a public key and a private key - for the secure transmission and authentication of data across public networks. Caution: Whilst the overall mechanisms and concepts are generally agreed, there are differences amongst vendors. A public key infrastructure consists of:

Plain Text
Also known as ASCII text. Words and figures in unencrypted, unformatted, readable form.

Platform
Usually, nothing whatsoever to do with railway trains or stations! The term platform crept into IT jargon in the early 1990s and is now an accepted term in the vernacular. It refers to the hardware and, by implication, the Operating System of a certain type of computer.

Principle of Least Privilege
Principle of Separation of Duties

Privacy

Privacy Statement

Privilege
Privilege is the term used throughout most (if not all) applications and systems to denote the level of operator permission, or authority. Privilege can be established at the file or folder (directory) level and can allow (say) read-only access, but prevent changes. Privileges can also refer to the extent to which a user is permitted to enter and confirm transactions / information within the system. In many systems, the security features will offer the ability to implement dual control or automatic escalation to the next 'highest' level, to assist with Information Security compliance and best practice. Privileges are established at 2 levels: firstly at the network level, where the level of privilege is established with respect to general access rights and permissions; secondly, at the application level, where the user's job function and responsibility will determine the level of privilege required. In general, a user of an organization's systems should be offered no more than is necessary to perform the function required.

Production
A (computer) system is said to be in production when it is in live, day-to-day operation. Systems which have been developed and tested are said to be 'migrated into production'.

Protocol
A set of formal rules describing how to transmit data, especially across a network. Low-level protocols define the electrical and physical standards to be observed, bit- and byte-ordering, and the transmission and error detection and correction of the bit stream. High-level protocols deal with the data formatting, including the syntax of messages, the terminal-to-computer dialogue, character sets, sequencing of messages, etc. Some examples of protocols are: TCP/IP, the protocol used on the Internet to send and receive information; and HTTP, used for Web page communications, which is a subset of TCP/IP.

Proxy Server
A proxy server is a computer server which acts in the place of individual users when connecting to Web sites. The proxy server receives requests from individual workstations and PCs and then sends the request to the Internet. It then delivers the resultant information to the requesting PC on the network. When used in conjunction with a firewall, a proxy server's identity (and that of its connected PCs) is completely masked or hidden from other users. This is the manner in which secure sites operate.
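The Privilege entry above describes privilege being set at two levels (a read-only folder permission at the network level, a transaction-confirmation authority at the application level) together with dual control and escalation to the next 'highest' level. The Python below is an added example for that entry, not the glossary's own material: the folder ACL, the role names, the confirmation limits and the rule that the entering user may never be the approver are constructed assumptions chosen to show how those features fit together and where the default-deny decisions sit.

```python
"""Two-level privilege check with dual control and escalation.

Added example, not from the glossary. The folder ACL, the role names, the
confirmation limits and the escalation rule are all constructed assumptions.
"""
from dataclasses import dataclass

# Level 1 (network / file system): which operations each role may perform
# on a folder. Unknown folders, roles and operations are denied by default.
FOLDER_ACL = {
    "/finance/ledger": {
        "clerk": {"read"},                 # read-only: may look, may not change
        "supervisor": {"read", "write"},
        "auditor": {"read"},
    },
}

# Level 2 (application): the largest payment each job function may confirm
# on its own authority. Constructed figures, least privileged first.
CONFIRM_LIMIT = {"clerk": 1_000, "supervisor": 10_000, "manager": 100_000}


@dataclass(frozen=True)
class User:
    name: str
    role: str


def file_access(user: User, path: str, op: str) -> bool:
    """Level-1 check: True only if the ACL explicitly grants op to the role."""
    return op in FOLDER_ACL.get(path, {}).get(user.role, set())


def lowest_role_covering(amount: int):
    """Least-privileged role whose limit still covers the amount (None if none)."""
    for role, limit in sorted(CONFIRM_LIMIT.items(), key=lambda kv: kv[1]):
        if limit >= amount:
            return role
    return None


def confirm_payment(entered_by: User, amount: int, approvers=()) -> tuple:
    """Level-2 check with dual control and escalation.

    A user may confirm alone up to their own limit. Above it, the transaction
    escalates to the next 'highest' role that can cover it, and a different
    person holding at least that privilege must confirm (no self-approval).
    Returns (allowed, explanation).
    """
    own_limit = CONFIRM_LIMIT.get(entered_by.role, 0)   # unknown role: limit 0
    if amount <= own_limit:
        return True, f"{entered_by.role} may confirm {amount} alone"
    needed = lowest_role_covering(amount)
    if needed is None:
        return False, f"{amount} exceeds every confirmation limit"
    for approver in approvers:
        if approver.name == entered_by.name:
            continue  # dual control: the entering user cannot approve themselves
        if CONFIRM_LIMIT.get(approver.role, 0) >= amount:
            return True, f"escalated to {needed}: confirmed by {approver.role} {approver.name}"
    return False, f"escalation required: needs a second person with at least {needed} privilege"


if __name__ == "__main__":
    ann, bob = User("ann", "clerk"), User("bob", "supervisor")
    print(file_access(ann, "/finance/ledger", "write"))     # False: read-only
    print(confirm_payment(ann, 5_000))                       # (False, 'escalation required: ...')
    print(confirm_payment(ann, 5_000, approvers=[bob]))     # (True, 'escalated to supervisor: ...')
```

Two design choices carry the least-privilege point: every lookup falls back to "nothing" (an empty permission set, a limit of zero) so that a role the system does not know gets no access rather than some default, and the escalation target is the lowest role that can cover the amount, so a clerk's over-limit payment is pushed to a supervisor rather than straight to a manager.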