

Internet and Data Security Knowledgebase



S/MIME S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public-key encryption and digital signing of e-mail messages encapsulated in MIME.
SCW The Security Configuration Wizard (SCW) provides guided attack surface reduction for Windows servers.
SCW asks a series of questions to determine the role or roles the server performs, then uses a role-based model driven by an extensible XML knowledge base that defines the services, ports and other functionality required by more than 50 server roles.
Any functionality that is not required by the roles the server performs is disabled.
SMS Microsoft Systems Management Server. SMS is a software distribution solution for Microsoft Windows environments that includes update management capabilities.
SQL injections Even if the database itself is locked down, application programmers need to be careful about how they build their queries.
SQL injection happens when a web application, such as a PHP script that processes a form, inserts untrusted input directly into a SQL statement instead of binding it as a parameter, so that an attacker's input is executed as SQL.
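As an added illustration (not code from the original page), the following Python script shows a form-style login check written both ways: the vulnerable version concatenates the submitted username into the query, so a payload such as `' OR 1=1 --` turns the WHERE clause into a tautology and comments out the password check; the parameterized version hands the same input to the driver as a bound value and it never becomes SQL. The in-memory SQLite database, table layout and user records are constructed for this example; the plaintext password column is for demonstration only.

```python
import sqlite3


def build_db():
    """Constructed in-memory database with a few made-up users (example data only)."""
    conn = sqlite3.connect(":memory:")
    # Plaintext passwords are kept here only to keep the demo short;
    # a real application stores a salted hash, never the password itself.
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: quotes in the input become SQL syntax."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized statement: the driver binds the values, so the input stays data."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs the same injection payload through both versions and a normal login through the safe one."""
    conn = build_db()
    payload = "' OR 1=1 --"   # closes the string, makes the condition always true, comments out the rest
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),   # logs in as the first row (alice, admin)
        "safe": login_safe(conn, payload, "wrong"),               # no such user: None
        "legit": login_safe(conn, "bob", "battery staple"),       # normal login still works
    }


if __name__ == "__main__":
    print(demo())
```

The bound-parameter form is the fix; escaping quotes by hand is fragile and still leaves numeric and identifier positions exposed, and a database user with least privilege limits what a successful injection can do if one slips through.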
SSL Secure Sockets Layer, a protocol that uses public-key cryptography to authenticate a server and encrypt web traffic between browser and server. It has been superseded by TLS (Transport Layer Security), although the older name is still widely used.
SUS Software Update Services, a Microsoft service for distributing Windows updates inside an organization. WSUS (Windows Server Update Services) is its successor.
Secedit A Windows command-line tool that applies security templates to a system or compares (analyzes) the current configuration against a template.
Secedit combines the functionality of the Security Configuration and Analysis snap-in with the ability to apply security template settings to many servers from a script.
Self signed certificate Anyone can create an SSL (X.509) certificate. A self-signed certificate is one that is signed with its own private key, so that the issuer and the subject are the same entity rather than a certificate authority the client already trusts.
If you use one on a web site, users will see a warning that the certificate is untrusted, because the browser cannot chain it to a trusted root. Self-signed certificates are fine for testing or for internal systems where the certificate is explicitly installed in the client trust store; they offer no protection against an attacker presenting their own self-signed certificate to users who have been trained to click through the warning.
Self-Assessment Use a check list to see if you have incorporated application and information security into your risk management framework and software development cycle.
Server security practices Apply the latest service pack and available security updates. Service packs improve operating system security and stability.
Most attacks against servers exploit vulnerabilities that have already been reported and fixed in a service pack or in an operating system security update.
Computers that do not have the latest service pack and security updates installed remain vulnerable to those known exploits.
Disable services that are not required. Any service or application is a potential point of attack, so disable or remove all unneeded services to reduce the attack surface.
You can strengthen the password and account lockout policy settings for a domain controller, member server, or stand-alone server by applying the settings in an appropriate security template.
Restrict physical and network access to servers. Store servers in a locked room, and use card-key locks or cipher locks on the entrance to that room.
Prevent domain controllers from booting to an alternate operating system.
Allow only trusted personnel to have access to servers. Establish security practices for service administrators and data administrators to ensure that only personnel who require access to servers have that access.
Assign only the permissions and user rights necessary to each user in your organization.
Signature A byte pattern or hash (the 'fingerprint') of known malicious code that anti-virus software matches against files and memory to detect an infection.
Social engineering Many security breaches do not defeat technology at all; they succeed by social engineering. Using one of the many techniques available, the attackers get what they want simply by deceiving people.
The easiest way to get a password from someone is to ask for it. It may be surprising, but it works: many people will hand over their computer password in exchange for money or some small reward.
More commonly, an attacker calls people at random, pretends to be a technical support person fixing a problem, and asks for confidential information as part of the 'diagnostic'.
Pretexting is the art of obtaining information by offering a small amount of already-known information and pretending to be someone you are not.
That is how identity thieves can call banks and, after a few tries, get all the data they want by simply supplying basic details about the target.
If confidential information about you is stored on a company's network and someone sends the company a one-line e-mail pretending to be you, will it reveal your password to them? Without a verification procedure for such requests, it often will.
Spam Unsolicited e-mail. Also known as junk e-mail.
Spoofing Making a transmission appear to come from a user or system other than the one that actually sent it.
Examples are forging the sender address of an e-mail message or the source address of an IP packet so that the recipient trusts it as coming from a legitimate party.
Spyware Software that runs on a computer without the explicit permission of its user. It typically gathers private information from the user's computer and sends that data over the Internet to a third party, often the software's distributor.
Stateful firewall A stateful firewall (any firewall that performs stateful packet inspection, SPI, or stateful inspection) keeps track of the state of the network connections travelling across it.
The firewall distinguishes legitimate packets for different types of connections: a packet is allowed only if it matches a known connection state (for example, a reply to a connection that was opened from inside), or if it is itself permitted to open a new connection; all other packets are dropped or rejected.
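To make the state tracking concrete, here is an added example (not from the original page) of a minimal stateful filter for TCP written in Python. It assumes an 'inside' network of 10.0.0.0/8, keeps a connection table keyed by the initiator's address tuple, lets only inside hosts open new connections with a SYN, and admits inbound packets only when they belong to a tracked connection in the expected state. The packet trace, the internal network and the external addresses (taken from the documentation ranges) are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed 'inside' network for this example; real rule sets would read this from configuration.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a string of letters: S=SYN, A=ACK, F=FIN, R=RST


class StatefulFirewall:
    """Tracks TCP connections opened from inside; inbound packets pass only if they match one."""

    def __init__(self):
        # key: (initiator src, sport, dst, dport) -> connection state
        self.table = {}

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # packet in the initiator's direction
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # packet in the responder's direction
        if fwd in self.table:
            return self._advance(fwd, pkt, initiator=True)
        if rev in self.table:
            return self._advance(rev, pkt, initiator=False)
        # No tracked connection: only a bare SYN from an inside host may create one.
        if ipaddress.ip_address(pkt.src) in INTERNAL and pkt.flags == "S":
            self.table[fwd] = "SYN_SENT"
            return "ALLOW"
        return "DROP"   # unsolicited inbound traffic, including forged 'replies' with no state

    def _advance(self, key, pkt, initiator):
        state = self.table[key]
        if "R" in pkt.flags:                      # RST tears the connection down immediately
            del self.table[key]
            return "ALLOW"
        if state == "SYN_SENT" and not initiator and pkt.flags == "SA":
            self.table[key] = "SYN_RECV"          # responder's SYN-ACK to our SYN
            return "ALLOW"
        if state == "SYN_RECV" and initiator and pkt.flags == "A":
            self.table[key] = "ESTABLISHED"       # handshake complete
            return "ALLOW"
        if state == "ESTABLISHED":
            if "F" in pkt.flags:                  # remember which side sent the first FIN
                self.table[key] = "FIN_BY_INIT" if initiator else "FIN_BY_RESP"
            return "ALLOW"
        if state in ("FIN_BY_INIT", "FIN_BY_RESP"):
            first_closer_was_initiator = state == "FIN_BY_INIT"
            if "F" in pkt.flags and initiator != first_closer_was_initiator:
                del self.table[key]               # both sides have closed; forget the connection
            return "ALLOW"
        return "DROP"                             # packet does not fit the tracked state


def run_demo():
    """Constructed trace: one legitimate outbound HTTPS session plus two unsolicited inbound packets."""
    fw = StatefulFirewall()
    trace = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, "S"),    # inside host opens a connection
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SA"),   # server's SYN-ACK matches the table
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, "A"),    # handshake completes
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, "A"),    # data from the server, established
        Packet("198.51.100.7", 5555, "10.0.0.5", 22, "S"),      # unsolicited inbound SYN to SSH
        Packet("198.51.100.7", 443, "10.0.0.5", 40000, "A"),    # forged 'reply' from the wrong source
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, "F"),    # server starts closing
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, "FA"),   # client closes too; entry removed
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, "A"),    # stray packet after teardown
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

A stateless packet filter would have to permit every inbound packet to port 40000 (or every inbound ACK) to let the reply through; the connection table lets the stateful firewall admit exactly the reply it was expecting and nothing else. Production firewalls also age entries out with timeouts and track sequence numbers, which this example omits.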
Strong authentication Authentication is called strong when two or more independent factors are required (e.g. something you know, something you have, something you are).
A single password is not sufficient proof that you are who you claim to be; multi-factor authentication, when implemented correctly, raises the bar considerably, because an attacker must compromise more than one independent factor to gain access to the protected resource.
Strong password A password long and unpredictable enough to provide an effective defence against guessing and offline cracking: not a dictionary word, a personal detail, or a value that has appeared in a previous breach.

© RuleWorks - All Rights Reserved