| |
| |
| Foreword | |
| |
| |
| Preface | |
| |
| |
| About the Author | |
| |
| |
| Acknowledgments | |
| |
| |
| Prologue: The Future of Business | |
| |
| |
| The Business Environment is Changing | |
| |
| |
| Business Relationships are Changing | |
| |
| |
| Business Information is Changing | |
| |
| |
| Information Technology is Changing | |
| |
| |
| Information Security Must Change | |
| |
| |
| Introduction: Information Security | |
| |
| |
| Information is a Business Asset | |
| |
| |
| Security is a Business Process | |
| |
| |
| Information Security is a Business Requirement | |
| |
| |
| Building an Information Security Plan | |
| |
| |
| |
| Inspection | |
| |
| |
| Defining Resources | |
| |
| |
| Assessing Threats | |
| |
| |
| Evaluating Potential Losses | |
| |
| |
| Identifying Vulnerabilities | |
| |
| |
| Assigning Safeguards | |
| |
| |
| Evaluate Current Status | |
| |
| |
| |
| Resource Inventory | |
| |
| |
| Identifying Resources | |
| |
| |
| Assigning Ownership | |
| |
| |
| Determining Value | |
| |
| |
| Security Classification | |
| |
| |
| |
| Threat Assessment | |
| |
| |
| Human Error | |
| |
| |
| Natural Disasters | |
| |
| |
| System Failures | |
| |
| |
| Malicious Acts | |
| |
| |
| Malicious Software | |
| |
| |
| Collateral Damage | |
| |
| |
| |
| Loss Analysis | |
| |
| |
| Denial of Service | |
| |
| |
| Theft of Resources | |
| |
| |
| Deletion of Information | |
| |
| |
| Theft of Information | |
| |
| |
| Disclosure of Information | |
| |
| |
| Corruption of Information | |
| |
| |
| Theft of Software | |
| |
| |
| Theft of Hardware | |
| |
| |
| Disruption of Computer Controlled Systems | |
| |
| |
| |
| Identifying Vulnerabilities | |
| |
| |
| Location of Vulnerabilities | |
| |
| |
| Known Vulnerabilities | |
| |
| |
| Security Design Flaw | |
| |
| |
| Innovative Misuses | |
| |
| |
| Incorrect Implementation | |
| |
| |
| Social Engineering | |
| |
| |
| |
| Assigning Safeguards | |
| |
| |
| Avoidance | |
| |
| |
| Transference | |
| |
| |
| Mitigation | |
| |
| |
| Acceptance | |
| |
| |
| |
| Evaluation of Current Status | |
| |
| |
| Assessment | |
| |
| |
| Testing | |
| |
| |
| Business Impact Analysis | |
| |
| |
| |
| Protection | |
| |
| |
| Philosophies | |
| |
| |
| Principles | |
| |
| |
| Policies | |
| |
| |
| Procedures | |
| |
| |
| Practices | |
| |
| |
| |
| Awareness | |
| |
| |
| Appropriate Use | |
| |
| |
| Awareness Programs | |
| |
| |
| Design Choices | |
| |
| |
| Implementation Options | |
| |
| |
| Lack of Awareness | |
| |
| |
| |
| Access | |
| |
| |
| Global Access | |
| |
| |
| Access Methods | |
| |
| |
| Access Points as Security Checkpoints | |
| |
| |
| Access Servers | |
| |
| |
| Abuse of Access | |
| |
| |
| |
| Identification | |
| |
| |
| Enterprise Identification | |
| |
| |
| Issuance of Identifiers | |
| |
| |
| Scope of Use | |
| |
| |
| Administration of Identifiers | |
| |
| |
| Identity Errors | |
| |
| |
| |
| Authentication | |
| |
| |
| Factors of Authentication | |
| |
| |
| Authentication Models | |
| |
| |
| Authentication Options | |
| |
| |
| Authentication Management | |
| |
| |
| Subverting Authentication | |
| |
| |
| |
| Authorization | |
| |
| |
| What Authorizations Provide | |
| |
| |
| Granularity of Authorizations | |
| |
| |
| Requirements | |
| |
| |
| Design Choices | |
| |
| |
| Abuse of Authorization | |
| |
| |
| |
| Availability | |
| |
| |
| Types of Outages | |
| |
| |
| Protecting all Levels | |
| |
| |
| Availability Models | |
| |
| |
| Availability Classifications | |
| |
| |
| Availability Outage | |
| |
| |
| |
| Accuracy | |
| |
| |
| Information Lifecycle | |
| |
| |
| Information System Accuracy | |
| |
| |
| Methods | |
| |
| |
| Loss of Accuracy | |
| |
| |
| |
| Confidentiality | |
| |
| |
| Information in the Enterprise | |
| |
| |
| Confidentiality Concerns | |
| |
| |
| Methods of Ensuring Confidentiality | |
| |
| |
| Sensitivity Classifications | |
| |
| |
| Invasion of Privacy | |
| |
| |
| |
| Accountability | |
| |
| |
| Accountability Models | |
| |
| |
| Accountability Principles | |
| |
| |
| Accounting Events | |
| |
| |
| Accountability System Features | |
| |
| |
| Accountability Failures | |
| |
| |
| |
| Administration | |
| |
| |
| Enterprise Information Security Administration | |
| |
| |
| Administration Process | |
| |
| |
| Areas of Administration | |
| |
| |
| Administration Errors | |
| |
| |
| |
| Detection | |
| |
| |
| Intruder Types | |
| |
| |
| Intrusion Methods | |
| |
| |
| Detection Methods | |
| |
| |
| |
| Intruder Types | |
| |
| |
| Outside Intruders | |
| |
| |
| Inside Intruders | |
| |
| |
| Professional Intruder | |
| |
| |
| |
| Intrusion Methods | |
| |
| |
| Technical Intrusions | |
| |
| |
| Physical Security | |
| |
| |
| Social Engineering | |
| |
| |
| |
| Intrusion Process | |
| |
| |
| Reconnaissance | |
| |
| |
| Gaining Access | |
| |
| |
| Gaining Authorizations | |
| |
| |
| Achieve Goals | |
| |
| |
| |
| Intrusion Detection Methods | |
| |
| |
| Profiles | |
| |
| |
| Offline Methods | |
| |
| |
| Online Methods | |
| |
| |
| Human Methods | |
| |
| |
| |
| Reaction | |
| |
| |
| Incident Response Philosophies | |
| |
| |
| Incident Response Plan | |
| |
| |
| |
| Response Plan | |
| |
| |
| Response Procedures | |
| |
| |
| Resources | |
| |
| |
| Legal Review | |
| |
| |
| |
| Incident Determination | |
| |
| |
| Possible Indicators | |
| |
| |
| Probable Indicators | |
| |
| |
| Definite Indicators | |
| |
| |
| Predefined Situations | |
| |
| |
| |
| Incident Notification | |
| |
| |
| Internal | |
| |
| |
| Computer Security Incident Organizations | |
| |
| |
| Affected Partners | |
| |
| |
| Law Enforcement | |
| |
| |
| News Media | |
| |
| |
| |
| Incident Containment | |
| |
| |
| Stopping the Spread | |
| |
| |
| Regain Control | |
| |
| |
| |
| Assessing the Damage | |
| |
| |
| Determining the Scope of Damage | |
| |
| |
| Determining the Length of the Incident | |
| |
| |
| Determining the Cause | |
| |
| |
| Determining the Responsible Party | |
| |
| |
| |
| Incident Recovery | |
| |
| |
| Setting Priorities | |
| |
| |
| Repair the Vulnerability | |
| |
| |
| Improve the Safeguard | |
| |
| |
| Update Detection | |
| |
| |
| Restoration of Data | |
| |
| |
| Restoration of Services | |
| |
| |
| Monitor for Additional Signs of Attack | |
| |
| |
| Restoration of Confidence | |
| |
| |
| |
| Automated Response | |
| |
| |
| Automated Defenses | |
| |
| |
| Gathering Counterintelligence | |
| |
| |
| Counterstrike | |
| |
| |
| |
| Reflection | |
| |
| |
| Postmortem Documentation | |
| |
| |
| Process Management | |
| |
| |
| External Follow-up | |
| |
| |
| |
| Incident Documentation | |
| |
| |
| Incident Source Information | |
| |
| |
| Incident Timeline | |
| |
| |
| Technical Summary | |
| |
| |
| Executive Summary | |
| |
| |
| |
| Incident Evaluation | |
| |
| |
| Identify Processes for Improvement | |
| |
| |
| Process Improvement | |
| |
| |
| |
| Public Relations | |
| |
| |
| The Right People | |
| |
| |
| The Right Time | |
| |
| |
| The Right Message | |
| |
| |
| The Right Forum | |
| |
| |
| The Right Attitude | |
| |
| |
| |
| Legal Prosecution | |
| |
| |
| Computer Crime Laws | |
| |
| |
| Jurisdiction | |
| |
| |
| Collection of Evidence | |
| |
| |
| Successful Prosecution | |
| |
| |
| Epilogue: The Future of Business | |
| |
| |
| A World without Borders | |
| |
| |
| Service-based Architecture | |
| |
| |
| Basic Business Principles | |
| |
| |
| Pervasive Security | |