Acknowledgments
Introduction
About the Series

Information Security Basics

  What Is Information Security?
    Where Sorcery Is Traded for Fallible, Manageable Realities
    A Retrospective Look at Security
    Define Security as a Process, Not as Point Products
      Anti-virus Software
      Access Controls
      Firewalls
      Smart Cards
      Biometrics
      Intrusion Detection and Prevention
      Policy Management
      Vulnerability Scanning
      Encryption
      Data Loss Prevention
      Physical Security Mechanisms

  Types of Attacks
    Access Attacks
      Snooping
      Eavesdropping
      Interception
      How Access Attacks Are Accomplished
    Modification Attacks
      Changes
      Insertion
      Deletion
      How Modification Attacks Are Accomplished
    Denial-of-Service Attacks
      Denial of Access to Information
      Denial of Access to Applications
      Denial of Access to Systems
      Denial of Access to Communications
      How Denial-of-Service Attacks Are Accomplished
    Repudiation Attacks
      Masquerading
      Denying an Event
      How Repudiation Attacks Are Accomplished

  Hacker Techniques
    A Hacker's Motivation
      Challenge
      Greed
      Malicious Intent
    Hacking Techniques
      Bad Passwords
      Open Sharing
      Software Vulnerabilities
      Network Hacking
      Social Engineering
      Denial-of-Service
      Malicious Software
    Methods of the Untargeted Hacker
      Targets
      Reconnaissance
      Attack Methods
      Use of Compromised Systems
    Methods of the Targeted Hacker
      Targets
      Reconnaissance
      Attack Methods
      Use of Compromised Systems

  Information Security Services
    The Confidentiality Service
      Confidentiality of Files
      Confidentiality of Information in Transmission
      Traffic Flow Confidentiality
      Attacks That Can Be Prevented
    The Integrity Service
      Integrity of Files
      Integrity of Information During Transmission
      Attacks That Can Be Prevented
    The Availability Service
      Backups
      Fail-Over
      Disaster Recovery
      Attacks That Can Be Prevented
    The Accountability Service
      Identification and Authentication
      Audit
      Attacks That Can Be Prevented

Groundwork

  Policy
    Why Policy Is Important
      Defining What Security Should Be
      Putting Everyone on the Same Page
    The Various Policies Used by Organizations
      Information Policy
      Security Policy
      Acceptable Use Policy
      Internet Use Policy
      E-mail Policy
      User Management Procedures
      System Administration Procedure
      Backup Policy
      Incident Response Procedure
      Configuration Management Procedure
      Design Methodology
      Disaster Recovery Plans
    Creating Appropriate Policy
      Defining What Is Important
      Defining Acceptable Behavior
      Identifying Stakeholders
      Defining Appropriate Outlines
      Policy Development
    Deploying Policy
      Gaining Buy-In
      Education
      Implementation
    Using Policy Effectively
      New Systems and Projects
      Existing Systems and Projects
      Audits
      Policy Reviews

  Managing Risk
    Defining Risk
      Threat
      Vulnerability
      Consequences
      Countermeasures
    Measuring Risk
      Probabilistic
      Maximum Impact
      A Hybrid Approach

  The Information Security Process
    Conducting an Assessment
      Network
      Physical Security
      Policies and Procedures
      Precautions
      Awareness
      People
      Workload
      Attitude
      Adherence
      Business
      Assessment Results
    Developing Policy
      Choosing the Order of Policies to Develop
      Updating Existing Policies
    Implementing Security
      Security Reporting Systems
        Use-Monitoring
        System Vulnerability Scans
        Policy Adherence
      Authentication Systems
      Perimeter Security
      Network Monitoring Systems
      Encryption
      Physical Security
      Staff
    Awareness Training
      Employees
      Administrators
      Developers
      Executives
      Security Staff
    Audits
      Policy Adherence Audits
      Periodic and New Project Assessments
      Penetration Tests

  Information Security Best Practices
    Administrative Security Practices
      Policies and Procedures
      Resources
      Responsibility
      Education
      Contingency Plans
      Security Project Plans
    Technical Security Practices
      Network Controls
      Malicious Code Protection
      Authentication
      Monitoring
      Encryption
      Patching Systems
      Backup and Recovery
      Physical Security
    Making Use of ISO 27002
      Key Concepts of the Standard
      How This Standard Can Be Used

Network Security Technology

  Perimeter Technology
    Perimeters and Perimeter Policy Basics
    Perimeter Controls
      Routers
      Firewalls
      Network Intrusion Prevention Systems
      Web Application Firewalls
      Proxies and URL Filters
      Data Loss Prevention
      Anti-malware Controls
      Virtual Private Networks
      Physical Separation
      Defense-in-Depth
    Creating a Perimeter Architecture
      DMZ Perimeter Architecture
      Employee Perimeter Architecture

  Monitoring Technology
    The Purposes of Monitoring
    Monitoring Technologies
      Intrusion Detection Systems
      Network Behavior Analysis
      Network Forensics
      System Logs
      Application Logs
      Vulnerability Scanning
    Creating a Monitoring Architecture
      Correlating Events
      Separation of Duties

  Encryption Technology
    Basic Encryption Concepts
      Encryption Terms
      Attacks Against Encryption
    Symmetric Key Encryption
      Substitution Ciphers
      One-Time Pads
      Data Encryption Standard
      Password Encryption
      The Advanced Encryption Standard: Rijndael
    Public Key Encryption
      Diffie-Hellman Key Exchange
      RSA
      Other Public Key Algorithms
    Digital Signatures
      Secure Hash Functions
    Key Management
      Key Creation
      Key Distribution
      Key Certification
      Key Protection
      Key Revocation
      Key Recovery
    Trust in the Encryption System
    Other Considerations
      The Supporting Cast
      Availability

Glossary
Index