< draft-ietf-ssh-users-09.txt   draft-ietf-ssh-users-10.txt >
draft-ietf-ssh-users-09.txt Erik Guttman / Sun Microsystems draft-ietf-ssh-users-10.txt Erik Guttman / Sun Microsystems
Site Security Handbook WG Lorna Leong / COLT Internet Site Security Handbook WG Lorna Leong / COLT Internet
G. Malkin / Bay Networks G. Malkin / Bay Networks
October 7, 1998 October 7, 1998
Users' Security Handbook Users' Security Handbook
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
skipping to change at page 1, line 32 skipping to change at page 1, line 32
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.ietf.org (US East Coast), nic.nordu.net Directories on ftp.ietf.org (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim). Rim).
Abstract Abstract
The Users' Security Handbook is the companion to the Site Security The Users' Security Handbook is the companion to the Site Security
Handbook (SSH). It is intended to provide users with the information Handbook (SSH). It is intended to provide users with the information
they need to keep their networks and systems secure. they need to help keep their networks and systems secure.
Table of Contents Table of Contents
Part One: Introduction . . . . . . . . . . . . . . . . . . . . 2 Part One: Introduction . . . . . . . . . . . . . . . . . . . . 2
1. READ.ME . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. READ.ME . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The Wires have Ears . . . . . . . . . . . . . . . . . . . 2 2. The Wires have Ears . . . . . . . . . . . . . . . . . . . 2
Part Two: End-users in a centrally-administered network . . . 4 Part Two: End-users in a centrally-administered network . . . 4
skipping to change at page 2, line 19 skipping to change at page 2, line 19
communication private, and their systems and networks secure. communication private, and their systems and networks secure.
Part Two of this document concerns "corporate users" in small, medium Part Two of this document concerns "corporate users" in small, medium
and large corporate and campus sites. Part Three of the document and large corporate and campus sites. Part Three of the document
addresses users who administer their own computers, such as home addresses users who administer their own computers, such as home
users. users.
System and network administrators may wish to use this document as System and network administrators may wish to use this document as
the foundation of a site-specific users' security guide; however, the foundation of a site-specific users' security guide; however,
they should consult the Site Security Handbook first [RFC2196]. they should consult the Site Security Handbook first [RFC2196].
A glossary of terms is included in an appendix at the end of the A glossary of terms is included in an appendix at the end of this
document introducing computer network security notions to those not document, introducing computer network security notions to those not
familiar with them. familiar with them.
1. READ.ME 1. READ.ME
Before getting connected to the Internet or any other public network, Before getting connected to the Internet or any other public network,
you should obtain the security policy of the site that you intend to you should obtain the security policy of the site that you intend to
use as your access provider, and read it. A security policy is a use as your access provider, and read it. A security policy is a
formal statement of the rules by which users who are given access to formal statement of the rules by which users who are given access to
a site's technology and information assets must abide. As a user, a site's technology and information assets must abide. As a user,
you are obliged to follow the policy created by the decision makers you are obliged to follow the policy created by the decision makers
and administrators at your site. and administrators at your site.
A security policy exists to protect a site's hardware, software and A security policy exists to protect a site's hardware, software and
data. It explains what the security goals of the site are, what data. It explains what the security goals of the site are, what
users can and cannot do, what to do when problems arise and who to users can and cannot do, what to do and who to contact when problems
contact, and generally informs users what the "rules of the game" arise, and generally informs users what the "rules of the game" are.
are.
2. The Wires have Ears 2. The Wires have Ears
It is a lot easier to eavesdrop on communications over data networks It is a lot easier to eavesdrop on communications over data networks
than to tap a telephone conversation. Any link between computers may than to tap a telephone conversation. Any link between computers may
potentially be insecure, as can any of the computers through which potentially be insecure, as can any of the computers through which
data flows. All information passing over networks may be data flows. All information passing over networks may be
eavesdropped on, even if you think "No one will care about this..." eavesdropped on, even if you think "No one will care about this..."
Information passing over a network may be read not only by the Information passing over a network may be read not only by the
skipping to change at page 3, line 12 skipping to change at page 3, line 12
Web" and "Email Pitfalls" sections for specific information on Web" and "Email Pitfalls" sections for specific information on
protecting your privacy. protecting your privacy.
As a user, your utmost concerns should, firstly, be to protect As a user, your utmost concerns should, firstly, be to protect
yourself against misuse of your computer account(s) and secondly, to yourself against misuse of your computer account(s) and secondly, to
protect your privacy. protect your privacy.
Unless precautions are taken, every time you log in over a network, Unless precautions are taken, every time you log in over a network,
to any network service, your password or confidential information may to any network service, your password or confidential information may
be stolen. It may then be used to gain illicit access to systems you be stolen. It may then be used to gain illicit access to systems you
have access to. In some cases the consequences are obvious: If have access to. In some cases, the consequences are obvious: If
someone gains access to your bank account, you might find yourself someone gains access to your bank account, you might find yourself
losing some cash, quickly. What is not so obvious is that services losing some cash, quickly. What is not so obvious is that services
which are not financial in nature may also be abused in rather costly which are not financial in nature may also be abused in rather costly
ways. You may be held responsible if your account is misused by ways. You may be held responsible if your account is misused by
someone else! someone else!
Many network services involve remote log in. A user is prompted for Many network services involve remote log in. A user is prompted for
his or her account ID (ie. username) and password. If this his or her account ID (ie. user name) and password. If this
information is sent through the network without encryption, the information is sent through the network without encryption, the
message can be intercepted and read by others. This is not really an message can be intercepted and read by others. This is not really an
issue when you are logging in to a "dial-in" service where you make a issue when you are logging in to a "dial-in" service where you make a
connection via telephone and log in, say to an online service connection via telephone and log in, say to an online service
provider, as telephone lines are more difficult to eavesdrop on than provider, as telephone lines are more difficult to eavesdrop on than
Internet communications. Internet communications.
The risk is there when you are using programs to log in over a The risk is there when you are using programs to log in over a
network. Many popular programs used to log in to services or to network. Many popular programs used to log in to services or to
transfer files (such as telnet and ftp, respectively) send your transfer files (such as telnet and ftp, respectively) send your
username and password and then your data over the network without user name and password and then your data over the network without
encrypting them. encrypting them.
The precaution commonly taken against password eavesdropping by The precaution commonly taken against password eavesdropping by
larger institutions, such as corporations, is to use one-time larger institutions, such as corporations, is to use one-time
password systems. Until recently, this has been far too complicated password systems.
and expensive for home systems and small businesses. However, an
increasing number of products allow this to be done without fancy Until recently, it has been far too complicated and expensive for
hardware, using cryptographic techniques. An example of such a home systems and small businesses to employ secure log in systems.
technique is Secure Shell [SSH], which is both freely and However, an increasing number of products enable this to be done
without fancy hardware, using cryptographic techniques. An example
of such a technique is Secure Shell [SSH], which is both freely and
commercially available for a variety of platforms. Many products commercially available for a variety of platforms. Many products
(including SSH-based ones) also allow data to be encrypted before it (including SSH-based ones) also allow data to be encrypted before it
is passed over the network. is passed over the network.
Part Two: End-users in a centrally-administered network Part Two: End-users in a centrally-administered network
The following rules of thumb provide a summary of the most important The following rules of thumb provide a summary of the most important
pieces of advice discussed in Part Two of this document: pieces of advice discussed in Part Two of this document:
- Know who your security point-of-contact is. - Know who your security point-of-contact is.
- Keep passwords secret at all times. - Keep passwords secret at all times.
- Use a password-locked screensaver or log out when you leave your - Use a password-locked screensaver or log out when you leave your
desk. desk.
- Don't let simply anyone have physical access to your computer or - Don't let simply anyone have physical access to your computer or
your network. your network.
- Be aware what software you run and very wary of software of - Be aware what software you run and very wary of software of
unknown origin. Think hard before you execute downloaded unknown origin. Think hard before you execute downloaded
software. software.
- Do not panic. Consult your security point-of-contact if possible - Do not panic. Consult your security point-of-contact, if
before spreading alarm. possible, before spreading alarm.
- Report security problems as soon as possible to your security - Report security problems as soon as possible to your security
point-of-contact. point-of-contact.
3. Watch out! 3. Watch Out!
3.1. The Dangers of Downloading 3.1. The Dangers of Downloading
An ever expanding wealth of free software has become available on the An ever expanding wealth of free software has become available on the
Internet. While this exciting development is one of the most Internet. While this exciting development is one of the most
attractive aspects of using public networks, you should also exercise attractive aspects of using public networks, you should also exercise
caution. Some files may be dangerous. Downloading poses the single caution. Some files may be dangerous. Downloading poses the single
greatest risk. greatest risk.
Be careful to store all downloaded files so that you will remember Be careful to store all downloaded files so that you will remember
skipping to change at page 5, line 8 skipping to change at page 5, line 8
appears to be a shoot-em-up game, but unbeknownst to you, it appears to be a shoot-em-up game, but unbeknownst to you, it
transfers all your files, one by one, over the Internet to a transfers all your files, one by one, over the Internet to a
cracker's machine! cracker's machine!
Many corporate environments explicitly prohibit the downloading and Many corporate environments explicitly prohibit the downloading and
running of software from the Internet. running of software from the Internet.
3.2. Don't Get Caught in the Web 3.2. Don't Get Caught in the Web
The greatest risk when web browsing is downloading files. Web The greatest risk when web browsing is downloading files. Web
browsers allow any file to be retrieved from the Internet. See "The browsers allow any file to be retrieved from the Internet. See "The
Dangers of Downloading." Dangers of Downloading".
Web browsers are downloading files even when it is not entirely Web browsers are downloading files even when it is not entirely
obvious. Thus, the risk posed by downloading files may be present obvious. Thus, the risk posed by downloading files may be present
even if you do not actively go out and retrieve files overtly. Any even if you do not actively go out and retrieve files overtly. Any
file which you have loaded over the network should be considered file which you have loaded over the network should be considered
possibly dangerous (even files in the web browser's cache.) Do not possibly dangerous (even files in the web browser's cache). Do not
execute them by accident, as they may be malicious programs. execute them by accident, as they may be malicious programs.
(Remember, programs are files, too. You may believe you have (Remember, programs are files, too. You may believe you have
downloaded a text file, when in fact it is a Trojan Horse program, downloaded a text file, when in fact it is a Trojan Horse program,
script, etc.) script, etc.)
Web browsers may download and execute programs on your behalf, either Web browsers may download and execute programs on your behalf, either
automatically or after manual intervention. You may disable these automatically or after manual intervention. You may disable these
features. If you leave them enabled, be sure that you understand the features. If you leave them enabled, be sure that you understand the
consequences. You should read the security guide which accompanies consequences. You should read the security guide which accompanies
your web browser as well as the security policy of your company. You your web browser as well as the security policy of your company. You
should be aware that downloaded programs may be risky to execute on should be aware that downloaded programs may be risky to execute on
your machine. (See "What program is this, anyway?"). your machine. See "What program is this, anyway?".
Web pages often include forms. Be aware that, as with Email, data Web pages often include forms. Be aware that, as with Email, data
sent from a web browser to a web server is not secure. Several sent from a web browser to a web server is not secure. Several
mechanisms have been created to prevent this, most notably Secure mechanisms have been created to prevent this, most notably Secure
Sockets Layer [SSL]. This facility has been built into many web Sockets Layer [SSL]. This facility has been built into many web
browsers. It encrypts data sent between the user's web browsers. It encrypts data sent between the user's web browser and
browser to the web server so no one along the way can read it. the web server so no one along the way can read it.
It is possible that a web page will appear to be genuine, but is, in It is possible that a web page will appear to be genuine, but is, in
fact, a forgery. It is easy to copy the appearance of a genuine web fact, a forgery. It is easy to copy the appearance of a genuine web
page and possible to subvert the network protocols which contact the page and possible to subvert the network protocols which contact the
desired web server, to misdirect a web browser to an imposter. desired web server, to misdirect a web browser to an imposter.
That threat may be guarded against using SSL to verify if a web page That threat may be guarded against using SSL to verify if a web page
is genuine. When a 'secure' page has been downloaded, the web is genuine. When a 'secure' page has been downloaded, the web
browser's 'lock' or 'key' will indicate so. It is good to double- browser's 'lock' or 'key' will indicate so. It is good to double-
check this: View the 'certificate' associated with the web page you check this: View the 'certificate' associated with the web page you
skipping to change at page 6, line 14 skipping to change at page 6, line 14
of business. It is very easy to forge an Email message to make it of business. It is very easy to forge an Email message to make it
appear to have come from anyone. appear to have come from anyone.
Another security issue you should consider when using Email is Another security issue you should consider when using Email is
privacy. Email passes through the Internet from computer to privacy. Email passes through the Internet from computer to
computer. As the message moves between computers, and indeed as it computer. As the message moves between computers, and indeed as it
sits in a user's mailbox waiting to be read, it is potentially sits in a user's mailbox waiting to be read, it is potentially
visible to others. For this reason, it is wise to think twice before visible to others. For this reason, it is wise to think twice before
sending confidential or extremely personal information via Email. sending confidential or extremely personal information via Email.
You should never send credit card numbers and other sensitive data You should never send credit card numbers and other sensitive data
via unprotected Email. Please refer to "The Wires Have Ears." via unprotected Email. Please refer to "The Wires Have Ears".
To cope with this problem, there are privacy programs available, some To cope with this problem, there are privacy programs available, some
of which are integrated into Email packages. of which are integrated into Email packages.
One service many Email users like to use is Email forwarding. This One service many Email users like to use is Email forwarding. This
should be used very cautiously. Imagine the following scenario: should be used very cautiously. Imagine the following scenario:
A user has an account with a private Internet Service Provider and A user has an account with a private Internet Service Provider and
wishes to receive all her mail there. She sets it up so that her wishes to receive all her Email there. She sets it up so that her
Email at work is forwarded to her private address. All the mail Email at work is forwarded to her private address. All the Email
she would receive at work then moves across the Internet until it she would receive at work then moves across the Internet until it
reaches her private account. All along the way, the Email is reaches her private account. All along the way, the Email is
vulnerable to being read. A sensitive Email message sent to her vulnerable to being read. A sensitive Email message sent to her
at work could be read by a network snoop at any of the many stops at work could be read by a network snoop at any of the many stops
along the way the Email takes. along the way the Email takes.
Note that Email sent or received at work may not be private. Check Note that Email sent or received at work may not be private. Check
with your employer, as employers may (in some instances) legally both with your employer, as employers may (in some instances) legally both
read your mail and make use of it. The legal status of Email depends read your Email and make use of it. The legal status of Email
on the privacy of information laws in force in each country. depends on the privacy of information laws in force in each country.
Many mail programs allow files to be included in mail messages. The Many mail programs allow files to be included in Email messages. The
files which come by mail are files like any other. Any way in which files which come by Email are files like any other. Any way in which
a file can find its way onto a computer is possibly dangerous. If a file can find its way onto a computer is possibly dangerous. If
the attached file is merely a text message, fine. But it may be more the attached file is merely a text message, fine. But it may be more
than a text message. If the attached file is itself a program or an than a text message. If the attached file is itself a program or an
executable script, extreme caution should be applied before running executable script, extreme caution should be applied before running
it. See the section entitled "The Dangers of Downloading." it. See the section entitled "The Dangers of Downloading".
3.4 Passwords 3.4 Passwords
Passwords may be easily guessed by an intruder unless precautions are Passwords may be easily guessed by an intruder unless precautions are
taken. Your password should contain a mixture of numbers, upper and taken. Your password should contain a mixture of numbers, upper and
lower case letters, and punctuation. Avoid all real words in any lower case letters, and punctuation. Avoid all real words in any
language, or combinations of words, license plate numbers, names and language, or combinations of words, license plate numbers, names and
so on. The best password is a made-up sequence (e.g., an acronym so on. The best password is a made-up sequence (e.g., an acronym
from a phrase you won't forget), such as "2B*Rnot2B" (but don't use from a phrase you won't forget), such as "2B*Rnot2B" (but don't use
this password!) this password!).
Resist the temptation to write your password down. If you do, keep Resist the temptation to write your password down. If you do, keep
it with you until you remember it, then shred it! NEVER leave a it with you until you remember it, then shred it! NEVER leave a
password taped onto a terminal or written on a whiteboard. You password taped onto a terminal or written on a whiteboard. You
wouldn't write your PIN code on your automated teller machine (ATM) wouldn't write your PIN code on your automated teller machine (ATM)
card, would you? You should have different passwords for different card, would you? You should have different passwords for different
accounts, but not so many passwords that you can't remember them. accounts, but not so many passwords that you can't remember them.
You should change your passwords periodically. You should change your passwords periodically.
You should also NEVER save passwords in scripts or login procedures You should also NEVER save passwords in scripts or login procedures
skipping to change at page 7, line 41 skipping to change at page 7, line 41
to do? What part of the computer system has the virus attacked? to do? What part of the computer system has the virus attacked?
Some viruses are 'time bombs' which activate only when given a Some viruses are 'time bombs' which activate only when given a
particular condition, such as reaching a certain date. Others remain particular condition, such as reaching a certain date. Others remain
latent in the system until a particular afflicted program is latent in the system until a particular afflicted program is
activated. There are still others which are continually active, activated. There are still others which are continually active,
exploiting every opportunity to do mischief. A subtle virus may exploiting every opportunity to do mischief. A subtle virus may
simply modify a system's configuration, then hide. simply modify a system's configuration, then hide.
Be cautious about what software you install on your system. Use Be cautious about what software you install on your system. Use
software from "trusted sources", if possible. Check your site policy software from "trusted sources", if possible. Check your site policy
before installing any software: Some sites only allow administrators before installing any software: Some sites only allow administrators
to install software to avoid security and system maintenance to install software to avoid security and system maintenance
problems. problems.
Centrally-administered sites have their own policy and tools for Centrally-administered sites have their own policy and tools for
dealing with the threat of viruses. Consult your site policy or find dealing with the threat of viruses. Consult your site policy or find
out from your systems administrator what the correct procedures are out from your systems administrator what the correct procedures are
to stay virus free. to stay virus free.
You should report it if a virus detection tool indicates that your You should report it if a virus detection tool indicates that your
system has a problem. You should notify your site's systems system has a problem. You should notify your site's systems
administrators as well as the person you believe passed the virus to administrators as well as the person you believe passed the virus to
you. It is important to remain calm. Virus scares may cause more you. It is important to remain calm. Virus scares may cause more
delay and confusion than an actual virus outbreak. Before announcing delay and confusion than an actual virus outbreak. Before announcing
the virus widely, make sure you verify its presence using a virus the virus widely, make sure you verify its presence using a virus
detection tool, if possible, with the assistance of technically- detection tool, if possible, with the assistance of technically-
competent personnel. competent personnel.
Trojan Horse programs and worms are often categorized with viruses. Trojan Horse programs and worms are often categorized with viruses.
Trojan Horse programs are dealt with in the "What Program is This, Trojan Horse programs are dealt with in the "What Program is This,
Anyway?" section. F the purposes of this section, worms should be Anyway?" section. For the purposes of this section, worms should be
considered a type of virus. considered a type of virus.
3.6 Modems 3.6 Modems
You should be careful when attaching anything to your computer, and You should be careful when attaching anything to your computer, and
especially any equipment which allows data to flow. You should get especially any equipment which allows data to flow. You should get
permission before you connect anything to your computer in a permission before you connect anything to your computer in a
centrally-administered computing environment. centrally-administered computing environment.
Modems present a special security risk. Many networks are protected Modems present a special security risk. Many networks are protected
by a set of precautions designed to prevent a frontal assault from by a set of precautions designed to prevent a frontal assault from
public networks. If your computer is attached to such a network, you public networks. If your computer is attached to such a network, you
must exercise care when also using a modem. It is quite possible to must exercise care when also using a modem. It is quite possible to
use the modem to connect to a remote network while *still* being use the modem to connect to a remote network while *still* being
connected to the 'secure' net. Your computer can now act as a hole connected to the 'secure' net. Your computer can now act as a hole
in your network's defenses. Unauthorized users may be able to get in your network's defenses. Unauthorized users may be able to get
skipping to change at page 8, line 45 skipping to change at page 8, line 45
access' software requires this. Be sure to turn on all the security access' software requires this. Be sure to turn on all the security
features of your 'remote access' software before allowing your features of your 'remote access' software before allowing your
computer to be accessed by phone. computer to be accessed by phone.
Note that having an unlisted number will not protect you from someone Note that having an unlisted number will not protect you from someone
breaking into your computer via a phone line. It is very easy to breaking into your computer via a phone line. It is very easy to
probe many phone lines to detect modems and then launch attacks. probe many phone lines to detect modems and then launch attacks.
3.7 Don't Leave Me... 3.7 Don't Leave Me...
Do not leave a terminal or computer logged in and walk away. Use Do not leave a terminal or computer logged in and walk away. Use
password-locked screensavers whenever possible. These can be set up password-locked screensavers whenever possible. These can be set up
so that they activate after the computer has been idle for a while. so that they activate after the computer has been idle for a while.
Sinister as it may seem, someone coming around to erase your work is Sinister as it may seem, someone coming around to erase your work is
not uncommon. If you remained logged in, anyone can come by and not uncommon. If you remained logged in, anyone can come by and
perform mischief for which you may be held accountable. For example, perform mischief for which you may be held accountable. For example,
imagine the troubles you could be in for if nasty Email were sent to imagine the trouble you could be in for if nasty Email were sent to
the president of your company in your name, or your account were used the president of your company in your name, or your account were used
to transfer illegal pornography. to transfer illegal pornography.
Anyone who can gain physical access to your computer can almost Anyone who can gain physical access to your computer can almost
certainly break into it. Therefore, be cautions regarding who you certainly break into it. Therefore, be cautious regarding who you
allow allow access to your machine. If physically securing your machine is
access to your machine. If physically securing your machine is not not possible, it is wise to encrypt your data files kept on your
possible, it is wise to encrypt your data files kept on your local local hard disk. If possible, it is also wise to lock the door to
hard disk. If possible, it is also wise to lock the door to one's one's office where the computer is stored.
office where the computer is stored.
3.8 File Protections 3.8 File Protections
Data files and directories on shared systems or networked file Data files and directories on shared systems or networked file
systems require care and maintenance. There are two categories of systems require care and maintenance. There are two categories of
such systems: such systems:
- Files to share - Files to share
Shared files may be visible to everyone or to a restricted group Shared files may be visible to everyone or to a restricted group
of other users. Each system has a different way of specifying of other users. Each system has a different way of specifying
this. Learn how to control sharing permissions of files and this. Learn how to control sharing permissions of files and
implement such control without fail. implement such control without fail.
- Protected files - Protected files
These include files which only you should have access to, but These include files that only you should have access to, but
which are available to anyone with system administrator which are also available to anyone with system administrator
privileges. An example of this are files associated with the privileges. An example of this are files associated with the
delivery of Email. You don't want other users to read your Email, delivery of Email. You don't want other users to read your Email,
so make sure such files have all the necessary file permissions so make sure such files have all the necessary file permissions
set accordingly. set accordingly.
3.9 Encrypt Everything 3.9 Encrypt Everything
Additionally, there are files that are private. You may have files Additionally, there are files that are private. You may have files
which you do not wish anyone else to have access to. In this case, which you do not wish anyone else to have access to. In this case,
it is prudent to encrypt the file. This way, even if your network is it is prudent to encrypt the file. This way, even if your network is
broken into or the systems administrator turns into Mr. Hyde, your broken into or the systems administrator turns into Mr. Hyde, your
confidential information will not be available. Encryption is also confidential information will not be available. Encryption is also
very important if you share a computer. For example, a home computer very important if you share a computer. For example, a home computer
may be shared by roomates who are friends but prefer to keep their may be shared by room mates who are friends but prefer to keep their
Email and financial information private. Encryption allows for Email and financial information private. Encryption allows for
shared yet private usage. shared yet private usage.
Before you encrypt files you should check your site's security Before you encrypt files, you should check your site's security
policy. Some employers and countries expressly forbid or restrict policy. Some employers and countries expressly forbid or restrict
the storing and/or transferring of encrypted files. the storing and/or transferring of encrypted files.
Be careful with the passwords or keys you use to encrypt files. Be careful with the passwords or keys you use to encrypt files.
Locking them away safely not only helps to keep them from prying eyes Locking them away safely not only helps to keep them from prying eyes
but it will help you keep them secure too; for if you lose them, you but it will help you keep them secure too; for if you lose them, you
will lose your ability to decrypt your data as well! It may be wise will lose your ability to decrypt your data as well! It may be wise
to save more than one copy. This may even be required, if your to save more than one copy. This may even be required, if your
company has a key escrow policy, for example. This protects against company has a key escrow policy, for example. This protects against
the possibility that the only person knowing a pass phrase may leave the possibility that the only person knowing a pass phrase may leave
skipping to change at page 10, line 39 skipping to change at page 10, line 39
contain valuable data may be to reformat it. contain valuable data may be to reformat it.
3.11 What Program is This, Anyway? 3.11 What Program is This, Anyway?
Programs have become much more complex in recent years. They are Programs have become much more complex in recent years. They are
often extensible in ways which may be dangerous. These extensions often extensible in ways which may be dangerous. These extensions
make applications more flexible, powerful and customizable. They make applications more flexible, powerful and customizable. They
also open the end-user up to all sorts of risks. also open the end-user up to all sorts of risks.
- A program may have "plug-in" modules. You should not trust the - A program may have "plug-in" modules. You should not trust the
plug-ins simply because you are used to trusting the programs they plug-ins simply because you are used to trusting the programs
plug into. For example: Some web pages suggest that the user they plug into. For example: Some web pages suggest that the
download a plug-in to view or use some portion of the web page's user download a plug-in to view or use some portion of the web
content. Consider: What is this plug-in? Who wrote it? Is it page's content. Consider: What is this plug-in? Who wrote it?
safe to include it in your web browser? Is it safe to include it in your web browser?
- Some files are "compound documents." This means that instead of - Some files are "compound documents". This means that instead of
using one single program, it will be necessary to run several using one single program, it will be necessary to run several
programs in order to view or edit a document. Again, be careful programs in order to view or edit a document. Again, be careful
of downloading application components. Just because they of downloading application components. Just because they
integrate with products which are well-known does not mean that integrate with products which are well-known does not mean that
they can be trusted. Say you receive an Email message which can they can be trusted. Say, you receive an Email message which can
only be read if you download a special component. This component only be read if you download a special component. This component
could be a nasty program which wipes out your hard drive! could be a nasty program which wipes out your hard drive!
- Some programs are downloaded automatically when accessing web - Some programs are downloaded automatically when accessing web
pages. While there are some safeguards to make sure that these pages. While there are some safeguards to make sure that these
programs may be used safely, there have been security flaws programs may be used safely, there have been security flaws
discovered in the past. For this reason, some centrally- discovered in the past. For this reason, some centrally-
administered sites require that certain web browser capabilities administered sites require that certain web browser capabilities
be turned off. be turned off.
4. Paranoia is Good 4. Paranoia is Good
Many people do not realise it, but social engineering is a tool which Many people do not realize it, but social engineering is a tool which
many intruders use to gain access to computer systems. The general many intruders use to gain access to computer systems. The general
impression that people have of computer break-ins is that they are impression that people have of computer break-ins is that they are
the result of technical flaws in computer systems which the intruders the result of technical flaws in computer systems which the intruders
have exploited. People also tend to think that break-ins are purely have exploited. People also tend to think that break-ins are purely
technical. However, the truth is that social engineering plays a big technical. However, the truth is that social engineering plays a big
part in helping an attacker slip through security barriers. This part in helping an attacker slip through security barriers. This
often proves to be an easy stepping-stone onto the protected system often proves to be an easy stepping-stone onto the protected system
if the attacker has no authorized access to the system at all. if the attacker has no authorized access to the system at all.
Social engineering may be defined, in this context, as the act of Social engineering may be defined, in this context, as the act of
skipping to change at page 12, line 18 skipping to change at page 12, line 18
problems he is facing will be more than happy when someone comes problems he is facing will be more than happy when someone comes
to offer some help. The attacker may come disguised as the to offer some help. The attacker may come disguised as the
systems administrator or maintenance technician. This attacker systems administrator or maintenance technician. This attacker
will often gain valuable information because the user thinks that will often gain valuable information because the user thinks that
it is alright to reveal secrets to technicians. Site visits may it is alright to reveal secrets to technicians. Site visits may
pose a greater risk to the attacker as he may not be able to make pose a greater risk to the attacker as he may not be able to make
an easy and quick get-away, but the risk may bring fruitful an easy and quick get-away, but the risk may bring fruitful
returns if the attacker is allowed direct access to the system by returns if the attacker is allowed direct access to the system by
the naive user. the naive user.
- Sometimes attackers can gain access into a system without prior - Sometimes, attackers can gain access into a system without prior
knowledge of any system secret nor terminal access. In the same knowledge of any system secret nor terminal access. In the same
way that one should not carry someone else's bags through Customs, way that one should not carry someone else's bags through Customs,
no user should key in commands on someone's behalf. Beware of no user should key in commands on someone's behalf. Beware of
attackers who use users as their own remotely-controlled fingers attackers who use users as their own remotely-controlled fingers
to type commands on the user's keyboard that the user does not to type commands on the user's keyboard that the user does not
understand, commands which may harm the system. These attackers understand, commands which may harm the system. These attackers
will exploit system software bugs and loopholes even without will exploit system software bugs and loopholes even without
direct access to the system. The commands keyed in by the end- direct access to the system. The commands keyed in by the end-
user may bring harm to the system, open his own account up for user may bring harm to the system, open his own account up for
access to the attacker or create a hole to allow the attacker access to the attacker or create a hole to allow the attacker
skipping to change at page 12, line 40 skipping to change at page 12, line 40
of the commands you have been asked to key in, do not simply of the commands you have been asked to key in, do not simply
follow instructions. You never know what and where these could follow instructions. You never know what and where these could
lead to... lead to...
To guard against becoming a victim of social engineering, one To guard against becoming a victim of social engineering, one
important thing to remember is that passwords are secret. A password important thing to remember is that passwords are secret. A password
for your personal account should be known ONLY to you. The systems for your personal account should be known ONLY to you. The systems
administrators who need to do something to your account will not administrators who need to do something to your account will not
require your password. As administrators, the privileges they have require your password. As administrators, the privileges they have
will allow them to carry out work on your account without the need will allow them to carry out work on your account without the need
for you to reveal your password. An administrator should not have to for you to reveal your password. An administrator should not have to
ask you for your password. ask you for your password.
Users should guard the use of their accounts, and keep them for
their own use. Accounts should not be shared, not even temporarily
with systems administrators or systems maintenance techinicians.
Most maintenance work will require special privileges which end-users Most maintenance work will require special privileges which end-users
are not given. Users should guard the use of their accounts, and are not given. Systems administrators will have their own accounts
keep them for their own use. Accounts should not be shared, not even to work with and will not need to access computer systems via an end-
temporarily with a maintenance staff or administrator. Systems user's account.
administrators will have their own accounts to work with and will not
need to access a system via an end-user's account.
Systems maintenance technicians who come on site should be Systems maintenance technicians who come on site should be
accompanied by the local site administrator (who should be known to accompanied by the local site administrator (who should be known to
you). If the site administrator is not familiar to you, or if the you). If the site administrator is not familiar to you, or if the
technician comes alone, it is wise to give a call to your known site technician comes alone, it is wise to give a call to your known site
administrator to check if the technician should be there. Yet, many administrator to check if the technician should be there. Yet, many
people will not do this because it makes them look paranoid and it is people will not do this because it makes them look paranoid and it is
embarrassing to show that they have no, or little trust in these embarrassing to show that they have no, or little trust in these
visitors. visitors.
skipping to change at page 13, line 49 skipping to change at page 13, line 50
regular intervals and whenever the need to do so arises. It may be regular intervals and whenever the need to do so arises. It may be
wise to simply avoid downloading any software from the network which wise to simply avoid downloading any software from the network which
comes from an unknown source to a computer storing business records, comes from an unknown source to a computer storing business records,
other valuable data and data which is potentially damaging if the other valuable data and data which is potentially damaging if the
information was lost or stolen. information was lost or stolen.
If the system has a mixed purpose, say recreation, correspondence If the system has a mixed purpose, say recreation, correspondence
and some home accounting, perhaps you will hazard some downloading of and some home accounting, perhaps you will hazard some downloading of
software. You unavoidably take some risk of acquiring stuff software. You unavoidably take some risk of acquiring stuff
which is not exactly what it seems to be. which is not exactly what it seems to be.
It may be worthwhile installing privacy software on a computer if it It may be worthwhile installing privacy software on a computer if it
is shared by multiple users. That way, a friend of a roommate won't is shared by multiple users. That way, a friend of a room mate won't
have access to your private data, and so on. have access to your private data, and so on.
6. Bad Things Happen 6. Bad Things Happen
If you notice that your files have been modified or ascertain somehow If you notice that your files have been modified or ascertain somehow
that your account has been used without your consent, you should that your account has been used without your consent, you should
inform your security point-of-contact immediately. When you do inform your security point-of-contact immediately. When you do
not know who your security point-of-contact is, try calling not know who your security point-of-contact is, try calling
your Internet service provider's help desk as a first step. your Internet service provider's help desk as a first step.
skipping to change at page 14, line 31 skipping to change at page 14, line 31
these features. these features.
- Back up user data. This is always important. Backups are - Back up user data. This is always important. Backups are
normally thought of as a way of ensuring you will not lose your normally thought of as a way of ensuring you will not lose your
work if a hard disk fails or if you make a mistake and delete a work if a hard disk fails or if you make a mistake and delete a
file. Backing up is also critical to insure that data cannot be file. Backing up is also critical to insure that data cannot be
lost due to a computer security incident. One of the most vicious lost due to a computer security incident. One of the most vicious
and unfortunately common threats posed by computer viruses and and unfortunately common threats posed by computer viruses and
Trojan Horse programs is erasing a computer's hard disk. Trojan Horse programs is erasing a computer's hard disk.
- Obtain virus checking software or security auditing tools. Learn - Obtain virus checking software or security auditing tools. Learn
how to use them and install them before connecting to a public how to use them and install them before connecting to a public
network. Many security tools require that they be run on a network. Many security tools require that they be run on a
"clean" system, so that comparisons can be made between the "clean" system, so that comparisons can be made between the
present and pristene states. Thus, it is necessary for some work present and pristine states. Thus, it is necessary for some work
to be done ahead of time. to be done ahead of time.
- Upgrade networking software regularly. As new versions of - Upgrade networking software regularly. As new versions of
programs come out, it is prudent to upgrade. Security programs come out, it is prudent to upgrade. Security
vulnerabilities will likely have been fixed. The longer you wait vulnerabilities will likely have been fixed. The longer you wait
to do this, the greater the risk that security vulnerabilities of to do this, the greater the risk that security vulnerabilities of
the products will be become known and be exploited by some network the products will be become known and be exploited by some network
assailant. Keep up to date! assailant. Keep up to date!
- Find out who to contact if you suspect trouble. Does your - Find out who to contact if you suspect trouble. Does your
skipping to change at page 15, line 7 skipping to change at page 15, line 7
There are 3 ways to avoid problems with viruses: There are 3 ways to avoid problems with viruses:
1. Don't be promiscuous 1. Don't be promiscuous
If at all possible, be cautious about what software you install on If at all possible, be cautious about what software you install on
your system. If you are unaware of or unsure of the origin of a your system. If you are unaware of or unsure of the origin of a
program, it is wise not to run it. Obtain software from trusted program, it is wise not to run it. Obtain software from trusted
sources. Do not execute programs or reboot using old diskettes sources. Do not execute programs or reboot using old diskettes
unless you have reformatted them, especially if the old diskettes unless you have reformatted them, especially if the old diskettes
have been used to bring software home from a trade show, and other have been used to bring software home from a trade show and other
potentially security-vulnerable places. potentially security-vulnerable places.
Nearly all risk of getting infected by viruses can be eliminated Nearly all risk of getting infected by viruses can be eliminated
if you are extremely cautious about what files are stored on your if you are extremely cautious about what files are stored on your
computer. See "The Dangers of Downloading" for more details. computer. See "The Dangers of Downloading" for more details.
2. Scan regularly. 2. Scan regularly.
Give your system a regular check-up. There are excellent Give your system a regular check-up. There are excellent
virus-checking and security audit tools for most computer virus checking and security audit tools for most computer
platforms available today. Use them, and if possible, set them to platforms available today. Use them, and if possible, set them to
run automatically and regularly. Also, install updates of these run automatically and regularly. Also, install updates of these
tools regularly and keep yourself informed with new virus threats. tools regularly and keep yourself informed of new virus threats.
3. Notice the unusual. 3. Notice the unusual.
It's not true that a difference you cannot detect is no difference It's not true that a difference you cannot detect is no difference
at all, but it is a good rule of thumb. You should get used to at all, but it is a good rule of thumb. You should get used to
the way your system works. If there is an unexplainable change the way your system works. If there is an unexplainable change
(for instance, files you believe should exist are gone, or strange (for instance, files you believe should exist are gone, or strange
new files are appearing and disk space is 'vanishing'), you should new files are appearing and disk space is 'vanishing'), you should
check for the presense of viruses. check for the presense of viruses.
You should take some time to be familiar with computer virus You should take some time to be familiar with computer virus
detection tools available for your type of computer. You should use detection tools available for your type of computer. You should use
an up-to-date tool (i.e. not older than three months). It is very an up-to-date tool (i.e. not older than three months). It is very
important to test your computer if you have been using freeware, important to test your computer if you have been using shared
other peoples' used floppy disks to transfer files, and so on. software of dubious origin, someone else's used floppy disks to
transfer files, and so on.
6.2 What To Do if You Suspect Trouble 6.2 What To Do if You Suspect Trouble
If you suspect that your home computer has a virus, that a malicious If you suspect that your home computer has a virus, that a malicious
program has been run, or that a system has been broken into, the program has been run, or that a system has been broken into, the
wisest course of action is to first disconnect the system from all wisest course of action is to first disconnect the system from all
networks. If available, virus detection or system auditing software networks. If available, virus detection or system auditing software
should be used. should be used.
Checking vital system files for corruption, tampering or malicious Checking vital system files for corruption, tampering or malicious
skipping to change at page 16, line 17 skipping to change at page 16, line 17
backup storage. The reason for this is that a system may have been backup storage. The reason for this is that a system may have been
broken into some time ago, so the backed up system or program files broken into some time ago, so the backed up system or program files
may already include some altered files or viruses. Restoring a may already include some altered files or viruses. Restoring a
system from scratch is tedious but worthwhile. Do not forget to re- system from scratch is tedious but worthwhile. Do not forget to re-
install all security related fixes you had installed before the install all security related fixes you had installed before the
security incident. Obtain these from a verified, unsuspicious security incident. Obtain these from a verified, unsuspicious
source. source.
6.3 Email 6.3 Email
Remember to be careful with saved mail. Copies of sent or received Remember to be careful with saved Email. Copies of sent or received
mail (or indeed any file at all) placed in storage provided by an Email (or indeed any file at all) placed in storage provided by an
Internet service provider may be vulnerable. The risk is that Internet service provider may be vulnerable. The risk is that
someone might break into the account and read the old mail. Keep someone might break into the account and read the old Email. Keep
your mail files, indeed any sensitive files, on your home machine. your Email files, indeed any sensitive files, on your home machine.
7. Home Alone 7. Home Alone
A home system can be broken into over the Internet if a home user is A home system can be broken into over the Internet if a home user is
unwary. The files on the home system can be stolen, altered or unwary. The files on the home system can be stolen, altered or
destroyed. The system itself, if compromised, could be accessed destroyed. The system itself, if compromised, could be accessed
again some time in the future. This section describes issues and again some time in the future. This section describes issues and
makes recommendations relevant to a home user of the Internet. makes recommendations relevant to a home user of the Internet.
7.1 Beware of Daemons 7.1 Beware of Daemons
A home system which uses PPP to connect directly to the Internet is A home system which uses PPP to connect directly to the Internet is
increasingly common. These systems are at the greatest risk if they increasingly common. These systems are at the greatest risk if they
run certain kinds of programs called "services." If you run a run certain kinds of programs called "services". If you run a
service, you are in effect making your computer available to others service, you are in effect making your computer available to others
across the network. Some services include: across the network. Some services include:
- File servers (an NFS server, a PC with 'file sharing' turned on) - File servers (an NFS server, a PC with 'file sharing' turned on)
- An FTP server - An FTP server
- A Web server - A Web server
There are, in general, two types of programs which operate on the There are, in general, two types of programs which operate on the
Internet: Clients (like web browsers and Email programs) and Servers Internet: Clients (like web browsers and Email programs) and Servers
(like web servers and mail servers). (like web servers and mail servers).
skipping to change at page 17, line 7 skipping to change at page 17, line 7
but, increasingly, server software is available on traditionally but, increasingly, server software is available on traditionally
client platforms (e.g., PCs). Server software which runs in the client platforms (e.g., PCs). Server software which runs in the
background is referred to as a "daemon" (pronounced dee-mon). Many background is referred to as a "daemon" (pronounced dee-mon). Many
Internet server software programs that run as daemons have names that Internet server software programs that run as daemons have names that
end in `d', like "inetd" (Internet Daemon) and "talkd" (Talk Daemon). end in `d', like "inetd" (Internet Daemon) and "talkd" (Talk Daemon).
When set to run, these programs wait for clients to request some When set to run, these programs wait for clients to request some
particular service from across the network. particular service from across the network.
There are four very important things to keep in mind as far as the There are four very important things to keep in mind as far as the
security implications of running services on a home computer are security implications of running services on a home computer are
concerned. First and most important, concerned.
- If a server is not properly configured, it is very vulnerable to - First and most important, if a server is not properly configured,
being attacked over a network. It is vital, if you run services, it is very vulnerable to being attacked over a network. It is
to be familiar with the proper configuration. This is often not vital, if you run services, to be familiar with the proper
easy, and may require training or technical expertise. configuration. This is often not easy, and may require training
or technical expertise.
- All software has flaws, and flaws exploited deviously can be used - All software has flaws, and flaws exploited deviously can be used
to breach computer security. If you run a server on your home to breach computer security. If you run a server on your home
machine you have to stay aware. This requires work: You have to machine, you have to stay aware. This requires work: You have to
stay in touch with the supplier of the software to get security stay in touch with the supplier of the software to get security
updates. It is highly recommended that you keep up with security updates. It is highly recommended that you keep up with security
issues through on-line security forums. See [SSH] for a list of issues through on-line security forums. See [RFC2196] for a list
references. of references.
If security flaws in your server software are discovered, you will If security flaws in your server software are discovered, you will
need to either stop using the software or apply "patches" or need to either stop using the software or apply "patches" or
"fixes" which eliminate the vulnerability. The supplier of the "fixes" which eliminate the vulnerability. The supplier of the
software, if it is a decent company or freeware author, will software, if it is a decent company or freeware author, will
supply information and updates to correct security flaws. These supply information and updates to correct security flaws. These
"patches" or "fixes" must be installed as soon as possible. "patches" or "fixes" must be installed as soon as possible.
- As a rule of thumb, the older the software, the greater the chance - As a rule of thumb, the older the software, the greater the chance
that it has known vulnerabilities. This is not to say you should that it has known vulnerabilities. This is not to say you should
simply trust brand new software either! Often it takes time to simply trust brand new software either! Often, it takes time to
discover even obvious security flaws in servers. discover even obvious security flaws in servers.
- Some servers start up without any warning. There have been web - Some servers start up without any warning. There are some web
browsers and telnet clients in common use which automatically browsers and telnet clients which automatically start FTP servers
start FTP servers if not explicitly configured to not do so. If if not explicitly configured to not do so. If these servers are
these servers are not themselves properly configured, the entire not themselves properly configured, the entire file system of the
file system of the home computer can become available to anyone on home computer can become available to anyone on the Internet.
the Internet.
In general, any software MAY start up a network daemon. The way to In general, any software MAY start up a network daemon. The way to
be safe here is to know the products you are using. Read the manual, be safe here is to know the products you are using. Read the manual,
and if any questions arise, call the company or mail the author of and if any questions arise, call the company or mail the author of
free software to find out if you are actually running a service by free software to find out if you are actually running a service by
using the product. using the product.
A home user running a remote login service on his home machine faces A home user running a remote login service on his home machine faces
very serious risks. This service allows the home user to log in to very serious risks. This service allows the home user to log in to
his home machine from other computers on the Internet and can be his home machine from other computers on the Internet and can be
skipping to change at page 18, line 32 skipping to change at page 18, line 32
accounts. These companies include Internet service providers, and accounts. These companies include Internet service providers, and
even banks. Users should be very careful when making remote logins. even banks. Users should be very careful when making remote logins.
As discussed in "The Wires have Ears" section, Internet connections As discussed in "The Wires have Ears" section, Internet connections
can be eavesdropped on. If you intend to use a remote login service, can be eavesdropped on. If you intend to use a remote login service,
check that the connection can be done securely, and make sure that check that the connection can be done securely, and make sure that
you use the secure technologies/features. you use the secure technologies/features.
Connections may be secured using technologies like one-time Connections may be secured using technologies like one-time
passwords, secure shell (SSH) and Secure Sockets Layer (SSL). One- passwords, secure shell (SSH) and Secure Sockets Layer (SSL). One-
time passwords make a sniffed password useless to the intruder, while time passwords make a stolen password useless to steal, while secure
secure shell encrypts data sent over the connection. Please refer to shell encrypts data sent over the connection. Please refer to "Don't
"Don't Get Caught in the Web" for a discussion on SSL. Secure Get Caught in the Web" for a discussion on SSL. Secure services such
services such as these have to be made available on the systems to as these have to be made available on the systems to which you log in
which you log in remotely. remotely.
7.3 Secure It! 7.3 Secure It!
Administering your own home computer means you get to choose what Administering your own home computer means you get to choose what
software is run on it. Encryption software provides protection for software is run on it. Encryption software provides protection for
data. If you keep business records and other sensitive data on your data. If you keep business records and other sensitive data on your
computer, encryption will help to keep it safe. For example, if you computer, encryption will help to keep it safe. For example, if you
ran a network service from your home computer and missed setting ran a network service from your home computer and missed setting
restrictions on a private directory, a remote user (authorised or restrictions on a private directory, a remote user (authorized or
not) may gain access to files in this private directory. If the not) may gain access to files in this private directory. If the
files are encrypted, the user will not be able to read them. But as files are encrypted, the user will not be able to read them. But as
with all forms of encryption running on any system, the keys and with all forms of encryption running on any system, the keys and
passwords should first be kept safe! passwords should first be kept safe!
8. A Final Note 8. A Final Note
This document has provided the reader with an introduction and as This document has provided the reader with an introduction and as
much concise detail as possible. Present security issues go out of much concise detail as possible. Present security issues go out of
date quickly, and although effort has been made to keep discussions date quickly, and although effort has been made to keep discussions
skipping to change at page 19, line 24 skipping to change at page 19, line 24
Acceptable Use Policy (AUP) Acceptable Use Policy (AUP)
A set of rules and guidelines that specify in more or less detail A set of rules and guidelines that specify in more or less detail
the expectations in regard to appropriate use of systems or the expectations in regard to appropriate use of systems or
networks. networks.
Account Account
See (Computer) Account See (Computer) Account
ActiveX
Microsoft's system that allows webpages to run (active) application
code from a websource on the client system, bypassing various
controls.
Anonymous and Guest Log In Anonymous and Guest Log In
Services may be made available without any kind of authentication. Services may be made available without any kind of authentication.
This is commonly done, for instance, with the FTP protocol to This is commonly done, for instance, with the FTP protocol to
allow anonymous access. Other systems provide a special account allow anonymous access. Other systems provide a special account
named "guest" to provide access, typically restricting the named "guest" to provide access, typically restricting the
privileges of this account. privileges of this account.
Auditing Tool Auditing Tool
Tools to analyze computer systems or networks in regard to their Tools to analyze computer systems or networks in regard to their
security status or in relation to the set of services provided by security status or in relation to the set of services provided by
them. COPS (Computer Oracle Password and Security analyzer) and them. COPS (Computer Oracle Password and Security analyzer) and
SATAN (Security Administrator's Tool for Analyzing Networks) are SATAN (Security Administrator's Tool for Analyzing Networks) are
famous examples of such tools. famous examples of such tools.
Authentication Authentication
Authentication refers to mechanisms which are used to verify the Authentication refers to mechanisms which are used to verify the
identity of a user. The process of authentication typically identity of a user. The process of authentication typically
requires a name and a password to be supplied by the user as proof requires a name and a password to be supplied by the user as proof
of his identity. of his identity.
Centrally-Administered Network Centrally-Administered Network
A network of systems which is the responsibility of a single group A network of systems which is the responsibility of a single group
of administrators who are not distributed but work centrally to of administrators who are not distributed but work centrally to
take care of the network. take care of the network.
Certificate Certificate
A certificate is used to verify digital signatures. Say, an Email Certificates are data which is used to verify digital signatures.
message contains a digital signature which says "I am from Bob". A certificate is only as trustworthy as the agency which issued it.
To verify this, Bob's key will have to be used to check it. A certificate is used to verify a particular signed item, such as
Without getting Bob's key, recipients may, instead, rely on an Email message or a web page. The digital signature, the item
certificates (which certify that the key actually belongs to Bob) and the certificate are all processed by a mathematical program.
to verify the source of the message. It is possible to say, if the signature is valid, that "According
to the agency which issued the certificate, the signer was (some
name)".
Clean System Clean System
A computer which has been freshly installed with its operating A computer which has been freshly installed with its operating
system and software obtainied from trusted software distribution system and software obtainied from trusted software distribution
media. As more software and configuration are added to a media. As more software and configuration are added to a
computer, it becomes increasingly difficult to determine if the computer, it becomes increasingly difficult to determine if the
computer is 'clean' or has been compromised by viruses, trojan computer is 'clean' or has been compromised by viruses, trojan
horse or misconfiguration which reduces the security of the horse or misconfiguration which reduces the security of the
system. system.
skipping to change at page 21, line 11 skipping to change at page 21, line 11
which consists most probably of a combination of user name and which consists most probably of a combination of user name and
password or another means of proving that the end-user is the password or another means of proving that the end-user is the
person the account is assigned to. person the account is assigned to.
Configuring Network Services Configuring Network Services
The part of an administrator's task that is related to specifying The part of an administrator's task that is related to specifying
the conditions and details of network services that govern the the conditions and details of network services that govern the
service provision. In regard to a Web server, this includes which service provision. In regard to a Web server, this includes which
Web pages are available to whom and what kind of information is Web pages are available to whom and what kind of information is
logged to review the use of the Web server. logged for later review purposes.
Cookies Cookies
Cookies register information about a visit to a web site, for Cookies register information about a visit to a web site for
future use by the server. A server may receive information of future use by the server. A server may receive information of
cookies of other sites as well which create concern in terms of cookies of other sites as well which create concern in terms of
breach of privacy. breach of privacy.
Cracker Cracker
These term is used to describe attackers, intruders or other bad This term is used to describe attackers, intruders or other bad
guys that do not play by the rules and try to circumvent security guys that do not play by the rules and try to circumvent security
mechanisms and/or attack individuals and organisations. mechanisms and/or attack individuals and organisations.
Daemons (inetd, talkd, etc.) Daemons (inetd, talkd, etc.)
These are processes that run on computer systems to provide These are processes that run on computer systems to provide
services to other computer systems or processes. Typically, services to other computer systems or processes. Typically,
daemons are considered "servers". daemons are considered "servers".
Decrypting Decrypting
The process of reversing the encryption of a file or message to The process of reversing the encryption of a file or message to
recover the original data in order to use or read it. recover the original data in order to use or read it.
Default Account Default Account
Some systems and server software come with preconfigured accounts. Some systems and server software come with preconfigured accounts.
These accounts may be set up with a predefined (username and) These accounts may be set up with a predefined (user name and)
password to allow anyone access and aare often put there to make password to allow anyone access and are often put there to make it
it convenient for users to login initially. Default accounts convenient for users to login initially. Default accounts should
should be turned off or have their predefined passwords changed, be turned off or have their predefined passwords changed, to
to reduce the risk of abuse to the system. reduce the risk of abuse to the system.
Dial-in Service Dial-in Service
A way of providing access to computer systems or networks via a A way of providing access to computer systems or networks via a
telecommunications network. A computer uses a modem to make a telecommunications network. A computer uses a modem to make a
telephone call to a another modem, which in turn provides 'network telephone call to a another modem, which in turn provides 'network
access service'. See also: PPP. access service'. See also: PPP.
Digital Signature Digital Signature
skipping to change at page 22, line 18 skipping to change at page 22, line 18
Downloaded Software Downloaded Software
Software packages retrieved from the Internet (using, for example, Software packages retrieved from the Internet (using, for example,
the FTP protocol). the FTP protocol).
Downloading Downloading
The act of retrieving files from a server on the network. The act of retrieving files from a server on the network.
Email Bombs
A denial-of-service attack caused by too many Email being received
by a server to the stage where the server runs out of resources.
Email Packages Email Packages
To communicate via electronic mail, an end-user usually makes use To communicate via electronic mail, an end-user usually makes use
of an Email client that provides the user-interface to create, of an Email client that provides the user-interface to create,
send, retrieve and read Email. Various different Email packages send, retrieve and read Email. Various different Email packages
provide the same set of basic functions but have different provide the same set of basic functions but have different
user-interfaces and perhaps, special/extra functions. Some Email user-interfaces and perhaps, special/extra functions. Some Email
packages provide encryption and digital signature capabilities. packages provide encryption and digital signature capabilities.
Email Security Software Email Security Software
Software like PGP provides security functionalities like Software which provides security through digital signatures and
encryption (and decryption) to enable the end-user to protect encryption (and decryption) to enable the end-user to protect
messages and documents prior to sending them over a possibly messages and documents prior to sending them over a possibly
insecure network. insecure network. PGP is an example of such software.
Encrypting / Encryption Encrypting / Encryption
This is a mathematical process of scambling data for privacy This is a mathematical process of scambling data for privacy
protection. protection.
Encryption Software Encryption Software
The software that actually provides the needed functionality for The software that actually provides the needed functionality for
end users to encrypt messages and files. PGP is one example. end users to encrypt messages and files. PGP is one example.
skipping to change at page 23, line 18 skipping to change at page 23, line 18
system and the system's configuration data. system and the system's configuration data.
File Server File Server
A computer system that provides a way of sharing and working on A computer system that provides a way of sharing and working on
files stored on the system among users with access to these files files stored on the system among users with access to these files
over a network. over a network.
File Transfer File Transfer
The process of transfering files between two computer systems The process of transferring files between two computer systems
over a network, using a protocol such as FTP or HTTP. over a network, using a protocol such as FTP or HTTP.
Fixes, Patches and installing them Fixes, Patches and installing them
Vendors, in response to the discovery of security vulnerabilities, Vendors, in response to the discovery of security vulnerabilities,
provide sets of files that have to be installed on computer provide sets of files that have to be installed on computer
systems. These files 'fix' or 'patch' the computer system or systems. These files 'fix' or 'patch' the computer system or
programs and remove the security vulnerability. programs and remove the security vulnerability.
FTP (File Transfer Protocol) FTP (File Transfer Protocol)
skipping to change at page 24, line 17 skipping to change at page 24, line 17
To make use of encryption, an end-user has to provide some secret, To make use of encryption, an end-user has to provide some secret,
in the form of some data, usually called a key. in the form of some data, usually called a key.
Log In, Logging into a System Log In, Logging into a System
This is an action performed by an end-user, when he authenticates This is an action performed by an end-user, when he authenticates
himself to a computer system. himself to a computer system.
Log In Prompt Log In Prompt
The chracters that are displayed when logging into a system to ask The characters that are displayed when logging into a system to
for user name and password. ask for user name and password.
Logged In Logged In
If an end-user has successfully proven to have legitimate access If an end-user has successfully proven to have legitimate access
to a system, he is considered to be logged in. to a system, he is considered to be logged in.
Logging Logging
Systems and server software often provide the ability to keep Systems and server software often provide the ability to keep
track of events. Events may be configured to be written out to a track of events. Events may be configured to be written out to a
skipping to change at page 25, line 52 skipping to change at page 25, line 52
web browsers) to provide additional features. web browsers) to provide additional features.
Point-of-Contact, Security Point-of-Contact, Security
In case of security breaches or problems, many organisations In case of security breaches or problems, many organisations
provide a designated point-of-contact which can alert others and provide a designated point-of-contact which can alert others and
take the appropriate actions. take the appropriate actions.
PPP (Point to Point Protocol) PPP (Point to Point Protocol)
PPP is the mechanism which most end-users establish between PPP is the mechanism which most end-users establish a network
their PC and their Internet service provider, that effectively connection between their PC and their Internet service provider
provides the PC with a "host" status (level with other servers with. Once connected, the PC is able to transmit and receive
on the network), enabling them to make data to any other system on the network.
further Internet connections
(eg. Email, chat etc)
Privacy Programs Privacy Programs
Another term for encryption software that highlights the use of Another term for encryption software that highlights the use of
this software to protect the confidentiality and therefore privacy this software to protect the confidentiality and therefore privacy
of the end-users that make use of it. of the end-users that make use of it.
Remote Access Software Remote Access Software
This software allows a computer to use a modem to connect to This software allows a computer to use a modem to connect to
skipping to change at page 26, line 34 skipping to change at page 26, line 34
Security Features Security Features
These are features which provide protection or enable end-users These are features which provide protection or enable end-users
and administrators to assess the security of a system, for and administrators to assess the security of a system, for
example, by auditing it. example, by auditing it.
Security Policy Security Policy
A security policy is written by organisations to address security A security policy is written by organisations to address security
issues, in the form of "do's" and "don'ts". These guidelines and issues, in the form of "do's" and "don'ts". These guidelines and
rules are for users with respect to physical secruity, data rules are for users with respect to physical security, data
security, information security and content (eg. rules stating that security, information security and content (eg. rules stating that
sites with sexual content should not be visited, and that sites with sexual content should not be visited, and that
copyrights should be honoured when downloading software, etc). copyrights should be honoured when downloading software, etc).
Server Server
A server is a computer system, or a set of processes on a A server is a computer system, or a set of processes on a
computer system providing services to clients across a network. computer system providing services to clients across a network.
Shared Account Shared Account
skipping to change at page 28, line 24 skipping to change at page 28, line 24
A program which carries within itself a means to allow the creator A program which carries within itself a means to allow the creator
of the program access to the system using it. of the program access to the system using it.
Virus Virus
A program which replicates itself on computer systems by A program which replicates itself on computer systems by
incorporating itself (secretly and maliciously) into other incorporating itself (secretly and maliciously) into other
programs. A virus can be transferred onto a computer system programs. A virus can be transferred onto a computer system
in a variety of ways. in a variety of ways.
Virus Detection Tool Virus-Detection Tool
Software that detects and possibly removes computer viruses, Software that detects and possibly removes computer viruses,
alerting the user appropriately. alerting the user appropriately.
Vulnerability Vulnerability
A vulnerability is the existence of a weakness, design, or A vulnerability is the existence of a weakness, design, or
implementation error that can lead to an unexpected, undesirable implementation error that can lead to an unexpected, undesirable
event compromising the security of the system, network, event compromising the security of the system, network,
application, or protocol involved. application, or protocol involved.
Web Browser Cache Web Browser Cache
This is the part of the file system that is used to store web This is the part of the file system that is used to store web
pages and related files. It can be utilized to reload recently pages and related files. It can be utilized to reload recently
accessed files from the cache instead of loading it every time accessed files from the cache instead of loading it every time
from the network. from the network.
Web Browser Capabilities Web Browser Capabilities
The set of functionalities on a web browser for use by the end- The set of functionalities on a web browser for use by the end-
user. This includes the set of plug-ins available. user. This includes the set of plug-ins available.
Web Server Web Server
A server program that provides access to web pages. Some web A server program that provides access to web pages. Some web
servers provide access to other services, such as databases, and servers provide access to other services, such as databases, and
directories. directories.
Worm Worm
A computer program which replicates itself and is self- A computer program which replicates itself and is self-
 End of changes. 78 change blocks. 
143 lines changed or deleted 135 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/