Foreword
Preface
About the Author
Acknowledgments
Prologue: The Future of Business
    The Business Environment is Changing
    Business Relationships are Changing
    Business Information is Changing
    Information Technology is Changing
    Information Security Must Change
Introduction: Information Security
    Information is a Business Asset
    Security is a Business Process
    Information Security is a Business Requirement
    Building an Information Security Plan
Inspection
    Defining Resources
    Assessing Threats
    Evaluating Potential Losses
    Identifying Vulnerabilities
    Assigning Safeguards
    Evaluate Current Status
Resource Inventory
    Identifying Resources
    Assigning Ownership
    Determining Value
    Security Classification
Threat Assessment
    Human Error
    Natural Disasters
    System Failures
    Malicious Acts
    Malicious Software
    Collateral Damage
Loss Analysis
    Denial of Service
    Theft of Resources
    Deletion of Information
    Theft of Information
    Disclosure of Information
    Corruption of Information
    Theft of Software
    Theft of Hardware
    Disruption of Computer Controlled Systems
Identifying Vulnerabilities
    Location of Vulnerabilities
    Known Vulnerabilities
    Security Design Flaw
    Innovative Misuses
    Incorrect Implementation
    Social Engineering
Assigning Safeguards
    Avoidance
    Transference
    Mitigation
    Acceptance
Evaluation of Current Status
    Assessment
    Testing
    Business Impact Analysis
Protection
    Philosophies
    Principles
    Policies
    Procedures
    Practices
Awareness
    Appropriate Use
    Awareness Programs
    Design Choices
    Implementation Options
    Lack of Awareness
Access
    Global Access
    Access Methods
    Access Points as Security Checkpoints
    Access Servers
    Abuse of Access
Identification
    Enterprise Identification
    Issuance of Identifiers
    Scope of Use
    Administration of Identifiers
    Identity Errors
Authentication
    Factors of Authentication
    Authentication Models
    Authentication Options
    Authentication Management
    Subverting Authentication
Authorization
    What Authorizations Provide
    Granularity of Authorizations
    Requirements
    Design Choices
    Abuse of Authorization
Availability
    Types of Outages
    Protecting all Levels
    Availability Models
    Availability Classifications
    Availability Outage
Accuracy
    Information Lifecycle
    Information System Accuracy
    Methods
    Loss of Accuracy
Confidentiality
    Information in the Enterprise
    Confidentiality Concerns
    Methods of Ensuring Confidentiality
    Sensitivity Classifications
    Invasion of Privacy
Accountability
    Accountability Models
    Accountability Principles
    Accounting Events
    Accountability System Features
    Accountability Failures
Administration
    Enterprise Information Security Administration
    Administration Process
    Areas of Administration
    Administration Errors
Detection
    Intruder Types
    Intrusion Methods
    Detection Methods
Intruder Types
    Outside Intruders
    Inside Intruders
    Professional Intruder
Intrusion Methods
    Technical Intrusions
    Physical Security
    Social Engineering
Intrusion Process
    Reconnaissance
    Gaining Access
    Gaining Authorizations
    Achieve Goals
Intrusion Detection Methods
    Profiles
    Offline Methods
    Online Methods
    Human Methods
Reaction
    Incident Response Philosophies
    Incident Response Plan
Response Plan
    Response Procedures
    Resources
    Legal Review
Incident Determination
    Possible Indicators
    Probable Indicators
    Definite Indicators
    Predefined Situations
Incident Notification
    Internal
    Computer Security Incident Organizations
    Affected Partners
    Law Enforcement
    News Media
Incident Containment
    Stopping the Spread
    Regain Control
Assessing the Damage
    Determining the Scope of Damage
    Determining the Length of the Incident
    Determining the Cause
    Determining the Responsible Party
Incident Recovery
    Setting Priorities
    Repair the Vulnerability
    Improve the Safeguard
    Update Detection
    Restoration of Data
    Restoration of Services
    Monitor for Additional Signs of Attack
    Restoration of Confidence
Automated Response
    Automated Defenses
    Gathering Counterintelligence
    Counterstrike
Reflection
    Postmortem Documentation
    Process Management
    External Follow-up
Incident Documentation
    Incident Source Information
    Incident Timeline
    Technical Summary
    Executive Summary
Incident Evaluation
    Identify Processes for Improvement
    Process Improvement
Public Relations
    The Right People
    The Right Time
    The Right Message
    The Right Forum
    The Right Attitude
Legal Prosecution
    Computer Crime Laws
    Jurisdiction
    Collection of Evidence
    Successful Prosecution
Epilogue: The Future of Business
    A World without Borders
    Service-based Architecture
    Basic Business Principles
    Pervasive Security