Last Update: 17 March 2000
Ref. | Document number | Title | Date | Author |
[nt1] | Technet CD | Enterprise Planning Guide - Security | May'95 | Microsoft |
[nt2] | ISBN 1-55615-653-7 | NT 3.5 Resource Toolkit | 1995 | Microsoft |
[nt3] | ISBN 1-55615-814-9 | Windows NT 3.5 Guidelines for Security, Audit and Control | 1994 | Microsoft |
[nt4] | Technet CD | Enterprise Planning Guide - Domains | May'95 | Microsoft |
[nt5] | Technet CD /Backoffice | The Microsoft Strategy for Distributed Computing and DCE Services | May'95 | Microsoft |
[nt6] | | NT Server "Concepts and Planning Guide" | | Microsoft |
| ISBN ? | Windows for Workgroups 3.11 Resource Toolkit | | Microsoft |
[unix1] | ISBN 1-56592-148-8, 2nd Edition | "Practical UNIX Security", O'Reilly & Associates | April 1996 | Garfinkel / Spafford |
| 1st Edition | "Practical UNIX Security", O'Reilly & Associates | June 1991 | Garfinkel / Spafford |
[unix2] | Unixworld magazine | Encrypting Shell Scripts | Sept. 1992 | R. Schwartz |
[unix3] | ISBN 0-201-63357-4 | Firewalls and Internet Security | 1994 | Cheswick / Bellovin |
[unix4] | ISBN 0-13-149386-8 | Panic! UNIX System Crash Dump Analysis | 1995 | Drake / Brown |
[tcsec] | DoD 5200.28-STD | "Orange Book": TCSEC - Trusted Computer System Evaluation Criteria, U.S. Department of Defense (DoD) | 26.12.85 | DoD |
[nsa1] | List of NSA publications | Information Systems Security: Product and Services Catalog | Spring 1996 | NSA |
[green] | CSC-STD-002-85 | "Green Book": Password Management Guideline, U.S. Department of Defense (DoD) | 12.4.85 | DoD |
[itsec] | "European Orange Book" | ITSEC: Information Technology Security Evaluation Criteria | June 1991 | F/GB/D/NL |
[itsem] | V1.0 | ITSEM: Information Technology Security Evaluation Manual | 10.10.93 | EC |
[sql1] | SY52433-0893 | System Administrator's Guide: SQL 4.2 Server | 1993 | Microsoft |
[winkler] | 5th USENIX UNIX Security Symposium | "Case Study: Social Engineers Wreak Havoc" | 1995 | Ira S. Winkler |
[infowar1] | ISBN 1-56025-080-1 | Information Warfare: Chaos on the Electronic Superhighway | 1996 | Winn Schwartau |
[infowar2] | | 4th Infowarcon proceedings (Europe) | 1996 | NCSA |
[java1] | 1996 IEEE Symposium on Security and Privacy | Java Security: From HotJava to Netscape and Beyond | 5.1995 | Princeton University |
[uk1] | | Brochure "IT Security - It's your business, A business guide to ITSEC" | | DTI (UK ITSEC scheme) |
[bsi1] | ISBN 0-580-22536-4 | A Code of Practice for Information Security Management | 1993 | BSI |
[bund] | | IT Baseline Protection Manual, www.bsi.bund.de/gshb/english/menue.htm | 1998 | |
[sans1] | | Incident Handling Step By Step, www.sans.org | 1998 | Community |
[sans2] | | Windows NT Security Step By Step, www.sans.org | 1998 | Community |
[sans3] | | Solaris Security Step By Step, www.sans.org | 1999 | Community |
Document number | Ver. | Title | Date | Author |
| | SMS Training Documentation | | Microsoft |
Technet CD | 5.95 | Enterprise Planning Guide - Domains | May'95 | Microsoft |
Technet CD /Backoffice | 5.95 | The Microsoft Strategy for Distributed Computing and DCE Services | May'95 | Microsoft |
TechNet CD | 9.95 | Introducing Microsoft Exchange Part 1-6 | 1995 | Microsoft |
TechNet CD | 9.95 | MS Exchange Server: Using Industry Standards for Greater Compatibility | | Microsoft |
TechNet CD | 9.95 | MS SQL Server 6.0 Reviewer's Guide | | Microsoft |
| | MS SQL V4.2 Documentation: System Administrator's Guide, ... | 1993 | Microsoft |
RFC1244 | | Site Security Handbook | | Internet |
ISBN 0-13-151051-7 | | Unix System Administration Handbook, Prentice Hall | 1995 | Nemeth / Snyder ... |
399 8675-001 | 001 | Host Integration Toolkit: Reference Guide | 2.1994 | Unisys |
7431 0004-000, 7430 9964-000 | | U6000 Series Open/OLTP doc: "Conceptual Overview", "Installation and Administration" | 4.1991 | Unisys |
| | Open/OLTP 4.2.1 NPIT | 7.1993 | Unisys |
| | "Unix-based OLTP: Architectures, Vendor Strategies and Issues", Patricia Seybold's Office Computing Group | 6.1991 | Jonathan Spencer |
ISBN 1-56592-124-0 | | "Building Internet Firewalls", O'Reilly & Associates | 1995 | Chapman / Zwicky |
ISBN 2-84177-005-2 | | "Introduction à Perl" (French) | | Schwartz |
ISBN | | "Introduction to Perl" (English) | | Schwartz |
ISBN 0-937175-64-1 | | "Programming Perl" | 1992 | Schwartz |
| | Solaris 2.5 Documentation: "System Administration Guide, Vol1", Vol2, "SunSHIELD BSM Guide" | 1995 | SunSoft |
RFC 2119 [MUSTSHOULD] | | "Key words for use in RFCs to Indicate Requirement Levels", BCP 14 | March 1997 | Bradner, S. |
| | IT Architect, www.sunworld.com/swol-03-1999/swol-03-itarchitect.html?0308a | Feb.'99 | Sunworld |
Security:
Security is a mix of procedural, logical and physical measures aimed
at prevention, detection and correction of certain kinds of misuse, together with tools to
install, operate and maintain these measures.
Security is a property of a system that guarantees correct status, behaviour, availability and dependability. [Security Architecture for Open Systems, ISBN 0-471-93472-0]
Security minimises the vulnerabilities of assets and resources. An asset is anything of value. A vulnerability is a weakness that could be exploited to violate a system or its information. A threat is a potential violation of security. A risk is the consequence of a threat. [ISO 1988: Information Processing Systems - OSI RM. Part 2: Security Architecture, ISO/TC 97 7498-2]
Confidentiality: Sensitive business objects (information & processes) are disclosed only to authorised persons. ==> Controls are required to restrict access to objects.
Integrity: The business need to control modification to objects (information and processes). ==> Controls are required to ensure objects are accurate and complete.
Availability: The need to have business objects (information and services) available when needed. ==> Controls are required to ensure reliability of services.
A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.
Assurance: Confidence that a system behaves as expected (i.e. according to its specification).
Identification / Authentication: When users or programs communicate with each other,
the two parties must identify each other, such that they know who they are communicating
with.
Accountability/Audit Trail: The ability to know who did what, when, where. Users are
responsible and accountable for their actions. Automatic audit trail monitoring and
analysis to detect security breaches.
Access Control: Access to specified resources can be restricted to certain
entities.
Object Reuse: Objects used by one process may not be reused or manipulated by another
process such that security may be violated.
Accuracy: Objects (information and processes) are accurate and complete.
Secure data exchange:
Confidentiality: data should remain private during transmission.
Integrity: data should remain accurate & complete during transmission.
When sending email or when programs communicate with each other, authentication (see above) may be required.
In certain situations, it may be necessary to be able to prove where information came from. This is called non repudiation of origin. A sender may also require proof that the message was received by the intended receiver - non repudiation of receipt.
Reliability of service: Data and vital services are available as specified/when needed.
Miscellaneous definitions:
Abbreviation | Meaning |
ACL | Access Control List |
APSAD | L'Assemblée Plénière des Sociétés d'Assurances Dommages (France) |
BDC | Backup Domain Controller: A copy of PDC information is kept on a "backup" machine to ensure high availability and spread network/system load in Lan Manager domains. |
CA | Certification Authority |
CERT | Computer Emergency Response Team at Carnegie Mellon University, USA act a central distribution point for help on security matters (especially UNIX related). |
CLUSIF | Club de la Sécurité Informatique Français |
CORBA | Common Object Request Broker Architecture. A new, evolving, open standard for the use of distributed objects in a heterogeneous environment. Version 1.2 was available on the market in 1995 and V2.0 was to be finalised in late 1995. |
Cryptography | The translation of information (known as plaintext) into a coded form (known as ciphertext) using a key. Cryptography is mostly used to protect the privacy of information (i.e. limit who can access the information). |
CSP | Cryptographic Service Providers (Security modules in the Windows NT Crypto API) |
DAC | Discretionary Access Control |
DB | Database |
DCOM | Distributed Component Object Model (Microsoft's response to CORBA). |
dba | see sa. |
DES | Data Encryption Standard |
DHCP | Dynamic Host Configuration Protocol |
DNS | Domain name service, allows the resolution of hostnames to IP addresses and vice versa in large networks. |
DoD | U.S. Department of Defense |
DTP | The X/Open Distributed Transaction Processing standard. |
EMP | electromagnetic Pulse |
FDDI | Fibre Distributed Data Interface, a 100MB/sec wide area fibre optic network. |
FireWire | A fast serial bus protocol (IEEE 1394) that may become an important standard for PC peripherals in 1998. |
FTP | File Transfer Protocol |
GUI | Graphical User Interface |
HTTP | Hypertext transfer protocol, the principal protocol used by the WWW |
HW | Hardware |
ICAP | Internet Calendar Access Protocol |
IDL | Interface Definition Language |
IIOP | Internet Interoperable ORB Protocol |
IMAP | Internet Mail Access Protocol |
IRC | Internet Relay Chat |
ISDN | Integrated services digital network |
IT | Information Technology, basically computerised / digital systems. (=Informatik in German) |
ITSEC | IT Security Evaluation Criteria, sometimes called the European Orange Book |
LDAP | Lightweight Directory Access Protocol (an Internet standard for directory services) |
Linux | A free UNIX-like operating system. |
MAC | Mandatory Access Control |
MARION | Méthodologie d'Analyse des Risques Informatique et d'Optimation par Niveau |
MFT | Multi Functional Terminal. A client/server system from Unisys (B38 terminal) which runs the CTOS operating system. Used for making contracts, accessing Terco and word-processing. 3270 and VT emulators are available. |
NCSC | U.S. National Computer Security Center (part of the NSA) |
news | see NNTP |
NFS | Network File System |
NIS | Network Information Service (also called Yellow pages) |
NIS+ | New hierarchical, more secure version of NIS |
NIST | U.S. National Institute for Standards and Technology |
NNTP | Network news transfer protocol |
NSA | National Security Agency (USA) |
NT | New Technology: New multitasking operating system from Microsoft. Also called Windows NT. Has lots of features from UNIX and VMS. |
NTFS | NT-File System |
NTP | Network Time Protocol |
OLAP | On-line Analytical Processing |
OLTP | On Line Transaction Processing. Open /OLTP Unisys transaction monitor, based on Tuxedo (USL) |
OODA | Observation, Orientation, Decision, Action loop (U.S. Military speak for making decisions) |
Orange Book | See TCSEC |
ORB | Object Request Broker |
OS | Operating System |
PDC | Primary Domain Controller: The principal NT server containing user account information in a domain. |
PKCS | Public Key Cryptography Standards, established by a consortium composed of RSA, Microsoft, Lotus, Apple, Novell, Digital Equipment Corporation, Sun Microsystems and MIT in 1991. |
Proxy | A service which is normally used to provide indirect access to a particular Internet service. Proxies eliminate the need for direct access to the Internet for normal clients. |
PSTN | Public Switched Telephone Network (= POTS, Plain Old Telephone Service) |
RAID | Redundant array of disks. RAID disks increase availability. |
RAS | Remote Access Service: Microsoft's utility for connecting computers over Dialup lines or for connecting laptops. |
sa | Database system administrator |
SecurID | Intelligent one-time password generator (credit card sized) from Security Dynamics. |
SHS | Secure Hashing Standard (from NIST) |
S/MIME | Secure/Multipurpose Internet Mail Extensions, S/MIME provides a standard way to send and receive secure electronic mail. Based on the popular Internet MIME standard (RFC 1521), S/MIME provides authentication, message integrity, privacy and non-repudiation of origin of electronic messages, using digital signatures and encryption. |
SMS | Systems Management Server: Microsoft's software distribution & centralised helpdesk system. |
SMTP | Simple Mail Transfer Protocol |
SNMP | Simple Network Management Protocol |
SQL* Net | An Oracle TNS based tool for using and managing Oracle7 databases. V2.1 is not compatible with 1.x. |
SSH | Secure Shell, a secure replacement for telnet, rlogin, rcp, rsh among other things. |
SSL | Secure Socket Layer |
SSO | System Security Officer |
SW | Software |
TBD | To Be Defined or To Be Done (means basically that I'd like to get around to giving some detail on a particular issue). |
TCB | Trusted Computing Base: The Orange Book (TCSEC) classes use the notion of a Trusted Computing Base (or TCB) extensively. This is the central part of the system (e.g. the kernel) which is trusted to carry out security functions. |
TCP/IP | Transmission Control Protocol / Internet Protocol: This suite of protocols, originally developed for the Internet, is now the standard enterprise network protocol. |
TCSEC | U.S. DoD Trusted Computer System Evaluation Criteria, also called the Orange Book |
TIS | Trusted Information Systems Inc. |
TNS | Transparent Network Substrate: is the name of Oracle's network architecture. |
TTP | Trusted Third Party |
UC | Under Construction: Some, but not all, information is given on this topic; it needs to be finished. |
USB | Universal Serial Bus: a 12Mbps serial bus for PC peripherals designed for low and medium speed devices such as keyboards, monitors, tape drives, etc. |
USL | UNIX System Laboratories, now owned by Novell. |
WfW | Microsoft Windows for Workgroups V3.11 |
WINS | Windows Internet Naming Service |
WOSA | Windows Open Services Architecture (basically means the networking services as delivered with the newer Microsoft OS's such as NT, Windows 95, WfW 3.11). |
WWW | World Wide Web (also called W3, pronounced W cubed) |
X/Open | International Open Standards Organisation, based in England. |
X11 | X11 is the standard GUI on UNIX machines. Also available on PC & MAC. |