Book: THE INFORMATION SECURITY DICTIONARY – Defining the Terms that Define Security for E-Business, Internet

Discussion in 'Sách Ngoại Ngữ' (Foreign Language Books) started by Thúy Viết Bài, 5/12/13.

  1. Thúy Viết Bài

    Contents
    List of Figures
    List of Tables
    Preface
    Acknowledgements
    Why is IT Security Important
    About This Dictionary
    About The Author
    How to Use This Dictionary

    Epilogue: Critical Infrastructure Protection (CIP)

    Appendices
    Suggestions for Additional Resources
    Appendix 1: On-Line Databases for Vulnerabilities and Security
    Appendix 2: Dictionaries & Encyclopedias
    Appendix 3: Miscellaneous Resources
    Appendix 4: Legislation and Regulation – European Union
    Appendix 5: Legislation and Regulation
    Appendix 6: Standards and Best Practice
        Section A
        Section B
    Security and Utility Tools
    Appendix 7: ‘Nearly’ or Outright Free Security Tools for System Administrators
    Appendix 8: ‘Nearly’ or Outright Free Security Tools for Home Users
    Awareness Raising – Skill Development
    Appendix 9: Newsletters
    Appendix 10: Alerts and Advisories


    List of Figures
    Figure 1: Basic model about vulnerabilities resulting in unauthorized access or use of processes.
    Figure 2: Prevention mechanisms for reducing the risk of unauthorized access while protecting against physical, syntactic and/or semantic attacks.
    Figure 3: Attack resulting in unauthorized access and use of processes with various results as outcome thereof – prevention mechanisms to increase security.
    Figure 4: A taxonomy for risk management.
    Figure 5: Taxonomy of malicious code or malware.

    List of Tables
    Table Description
    Table 1
    Table 2A
    Table 2B
    Table 2C
    Table 2D
    Table 3A
    Table 3B
    Table 3C
    Table 4A
    Table 4B
    Table 4C
    Table 5A
    Table 5B
    Table 5C
    Table 6
    Table 7A
    Table 7B
    Table 7C
    Value of information – asset approach
    Value of information – hard costs
    Value of information – soft costs
    Asset value of data/information or object
    Assurance: Security – costs and benefits
    Taxonomy of attacks
    Attributes of attacks
    Elements of attacks
    Biometrics and authentication – access controls
    Authentication – access controls
    Biometrics and authentication – less effective access controls
    Critical Information Infrastructure Protection (CIIP) – information sharing approaches
    Critical Information Infrastructure Protection (CIIP) – trusted information sharing network
    Confidentiality, Integrity, Availability of Data, User Accountability, Authentication and Audit (CIA-UAA)
    A baseline for security – taxonomy of policies for enhancing and supporting critical infrastructure protection (CIP) efforts
    Damages – using the asset and policy document approach to quantify losses
    Defense – what it might entail
    Defense – possible escalations
    Distributed denial-of-service (DDoS) attack – tools to reduce the risk for a successful DDoS
    E-government
    Criteria for an electronic (e-voting) system – voter and votes
    Criteria for an electronic (e-voting) system – election system and process
    Encryption-decryption algorithms
    Encryption-decryption algorithms
    Firewalls
    System safety and security – system complexity
    System safety and security – failure of safety
    System safety and security – human behavior and techno babble
    Information theory
    Information as a concept
    Intrusion detection
    Intrusion Detection System (IDS) – evolving terminology
    Intrusion Detection System (IDS) – calculating Return on Investment (ROI)
    Jurisdiction
    Justice, ethics, morality and rights – Or how do these concepts relate to code of conduct
    Key management
    Key recovery (KR) – trusted third party encryption (TTPE)
    Learning and type of training
    Information security skills (ISS)
    Defining malware – a simplified structure
    Vulnerabilities and malware
    Types of malware – categorization
    Digital divide and broadband connection
    Reducing digital divide – different technologies with different suppliers
    Password issues
    Password use, policy and best practice
    Vulnerabilities and malware – managing patches and upgrades – corporate users
    Vulnerabilities and malware – managing patches and upgrades as a Small and Medium-Sized Enterprise (SME) or a home user
    Policies and IT-resources – appropriate user behaviors
    Privacy and asymmetric information spaces – definition and principles
    Privacy and asymmetric information spaces – properties and boundaries
    Cognitive and emotional components of risk – perception and worry
    Risk – experts versus lay-people
    The business perspective of internet and IT security risks
    The user’s perspective of internet and IT security risks
    Network security risks – visibility and vulnerability
    Schemata with the scientific roots of information security – the birth of securematics
    Defining security and safety for information systems-related products and services
    Security engineering versus safety engineering
    Security engineering for a small and medium-sized enterprise (SME)
    Differentiating threat, vulnerability and risk at one glance
    Typology of threats: Two main types
    Taxonomy for structured and unstructured threats
    Further classification of typology of threats and their taxonomy
    Definition of criteria to be used for evaluating threat level for malware and vulnerabilities
    Threat level definition – malware
    Threat level definition – software/operating system vulnerabilities
    Types of viruses – categorization
    Taxonomy of vulnerabilities
    Constituencies for a WARP
    Focus and functions for a WARP
    Leaks and security lapses in Wi-Fi 802.11
    Worms



    Something for Everyone

    If this book is to succeed and help readers, its cardinal virtue must be to provide a simple reference text. It should be an essential addition to an information security library. As such it should also serve the purpose of being a quick refresher for terms the reader has not seen since the days when one attended a computing science program, information security course or workshop.

    As a reference work, THE INFORMATION SECURITY DICTIONARY provides a relatively complete and easy-to-read explanation of common security, malware, vulnerability and infrastructure protection terms, without causing much damage to the usually slim student pocketbook.

    This dictionary can help non-specialist readers better understand the information security issues encountered in their work or studying for their certification examination or whilst doing a practical assignment as part of a workshop.

    This book is also essential to a reference collection for an organization’s system personnel. Special attention is paid to terms which most often prevent educated readers from understanding journal articles and books in cryptology, computing science, and information systems, in addition to applied fields that build on those disciplines, such as system design, security auditing, vulnerability testing, and role-based access management. The dictionary provides definitions that enable readers to get through a difficult article or passage. We do not, for the most part, directly explain how to conduct research or how to implement the terms briefly described.

    The emphasis throughout is on concepts, rather than implementations. Because the concepts are often complicated, readers may find that a definition makes sense only after it has been illustrated by an example. Thus explanations and illustrations are sometimes longer than the definitions.

    Quite a few terms are included that might not meet strict definitions of “information security”—for instance, validity, reliability, attitudes, cognition, and digital divide. But they, and several others like them, are defined because they meet the main criteria for inclusion: the words pop up fairly often, in more than one discipline, and many people are unsure of the meaning.

    When learning any language, beginners will sometimes be frustrated because they have to look up words in the definition of the term they just looked up. By writing the definitions in ordinary English whenever possible, we have tried to keep this unavoidable annoyance to a minimum. However, there is simply no escape when defining advanced concepts that are built upon several additional basic concepts. Those terms, also defined in this dictionary, start with a capital letter (e.g., Computer Literacy), or may be simply listed in the text or, finally, be added to a term or definition in brackets in the paragraph or at the end (see also Computer Literacy). Hence, the reader is able to find the other term quickly in order to understand the larger picture.

    As in any language, in Information Security, more than one word may be used to express the same idea. In such cases, we have defined fully what we believe to be the more common term. Others are briefly defined and cross-referenced (Computer Literacy). Nonetheless, we have not tried to stipulate the “proper” labels for concepts that appear under more than one name. Neither have we specified the “correct” use of terms that are used in different ways. In short, we have attempted to be:



    The Information Security Dictionary