| |
| |
| Introduction | |
| |
| |
| |
| Laying the Groundwork | |
| |
| |
| |
| Why Do I Need Security? | |
| |
| |
| The Importance of an Effective Security Infrastructure | |
| |
| |
| People, Process, and Technology | |
| |
| |
| What Are You Protecting Against? | |
| |
| |
| Security as a Competitive Advantage | |
| |
| |
| Choosing a Solution | |
| |
| |
| Finding Security Employees | |
| |
| |
| The Layered Approach | |
| |
| |
| |
| Understanding Requirements and Risk | |
| |
| |
| What Is Risk? | |
| |
| |
| Embracing Risk | |
| |
| |
| Information Security Risk Assessment | |
| |
| |
| Assessing Risk | |
| |
| |
| Insurance | |
| |
| |
| |
| Security Policies and Procedures | |
| |
| |
| Internal Focus Is Key | |
| |
| |
| Policy Life Cycle | |
| |
| |
| Developing Policies | |
| |
| |
| Components of a Security Policy | |
| |
| |
| Sample Security Policies | |
| |
| |
| Procedures | |
| |
| |
| |
| Understanding Basic Security Technologies | |
| |
| |
| |
| Cryptography and Encryption | |
| |
| |
| A Brief History of Cryptography | |
| |
| |
| Cryptography Today | |
| |
| |
| Hash Algorithms | |
| |
| |
| Digital Signatures | |
| |
| |
| e-Signature Law | |
| |
| |
| Digital Certificates | |
| |
| |
| Public Key Infrastructure (PKI) | |
| |
| |
| Secure Sockets Layer (SSL) | |
| |
| |
| Other Protocols and Standards | |
| |
| |
| Pretty Good Privacy (PGP) | |
| |
| |
| Other Uses of Encryption | |
| |
| |
| |
| Authentication | |
| |
| |
| Multifactor Authentication | |
| |
| |
| Methods of Authentication | |
| |
| |
| Single Sign-On | |
| |
| |
| Centralized Administration Remains Elusive | |
| |
| |
| |
| Building the Frame | |
| |
| |
| |
| Network Architecture and Physical Security | |
| |
| |
| Changing Network Architecture | |
| |
| |
| Common Configurations | |
| |
| |
| Anson, Inc. Architecture | |
| |
| |
| Internal Architecture | |
| |
| |
| VLANs | |
| |
| |
| Physical Security | |
| |
| |
| |
| Firewalls and Perimeter Security | |
| |
| |
| Firewall Advances | |
| |
| |
| Firewall Technologies | |
| |
| |
| Firewall Features | |
| |
| |
| The Best Firewall for You | |
| |
| |
| Hardware Appliance Versus Software | |
| |
| |
| In-House Versus Out-Source | |
| |
| |
| Firewall Architectures | |
| |
| |
| Which Architecture Will Work for You? | |
| |
| |
| Configuring Your Firewall | |
| |
| |
| Firewall Rules | |
| |
| |
| Firewall Add-Ons | |
| |
| |
| A Good Start | |
| |
| |
| |
| Intrusion Detection | |
| |
| |
| What Are Intrusion Detection Systems? | |
| |
| |
| Categories of Intrusion Analysis | |
| |
| |
| Characteristics of a Good Intrusion Detection System | |
| |
| |
| Errors | |
| |
| |
| Categories of Intrusion Detection | |
| |
| |
| Separating the Truth from the Hype | |
| |
| |
| Network Architecture with Intrusion Detection | |
| |
| |
| Managed Services | |
| |
| |
| Problems with Intrusion Detection | |
| |
| |
| Technologies Under Development | |
| |
| |
| |
| Remote Access | |
| |
| |
| Remote Access Users | |
| |
| |
| Remote Access Requirements | |
| |
| |
| Remote Access Issues | |
| |
| |
| Remote Access Policies | |
| |
| |
| Remote Access Technologies | |
| |
| |
| Deploying and Supporting Remote Access | |
| |
| |
| End-User Security | |
| |
| |
| |
| Applications, Servers, and Hosts | |
| |
| |
| |
| Host Security | |
| |
| |
| Implementing Host Security | |
| |
| |
| Understanding System Functions | |
| |
| |
| Operating System (OS) Hardening | |
| |
| |
| Security Monitoring Programs | |
| |
| |
| System Auditing | |
| |
| |
| |
| Server Security | |
| |
| |
| OS Hardening Versus Server Security | |
| |
| |
| Firewalls | |
| |
| |
| Web Servers | |
| |
| |
| E-Mail Servers | |
| |
| |
| Databases | |
| |
| |
| DNS Servers | |
| |
| |
| Domain Controllers | |
| |
| |
| Appliances | |
| |
| |
| E-Mail Security | |
| |
| |
| Policy Management | |
| |
| |
| Policy Control | |
| |
| |
| |
| Client Security | |
| |
| |
| Locking Down Systems | |
| |
| |
| Protecting Against Viruses | |
| |
| |
| Protecting Against Malware | |
| |
| |
| Microsoft Applications | |
| |
| |
| Instant Messaging | |
| |
| |
| |
| Application Development | |
| |
| |
| Identifying Threats | |
| |
| |
| Web Application Security | |
| |
| |
| Prevention | |
| |
| |
| Technology Tools and Solutions | |
| |
| |
| |
| Review, Response, and Maintenance | |
| |
| |
| |
| Security Maintenance and Monitoring | |
| |
| |
| Security Is an Ongoing Process | |
| |
| |
| Patches | |
| |
| |
| Monitor Mailing Lists | |
| |
| |
| Review Logs | |
| |
| |
| Periodically Review Configurations | |
| |
| |
| Managed Security Services | |
| |
| |
| |
| Vulnerability Testing | |
| |
| |
| How Does the Assessment Work? | |
| |
| |
| When Are Vulnerability Assessments Needed? | |
| |
| |
| Why Assess Vulnerability? | |
| |
| |
| Performing Assessments | |
| |
| |
| Data Interception | |
| |
| |
| Password Cracking | |
| |
| |
| Common Attacks | |
| |
| |
| Taking Control | |
| |
| |
| |
| Security Audits | |
| |
| |
| Audit Overview | |
| |
| |
| The Audit | |
| |
| |
| Types of Audits | |
| |
| |
| Analysis of an Audit | |
| |
| |
| Surviving an Audit | |
| |
| |
| The Cost of an Audit | |
| |
| |
| Sample Audit Checklist | |
| |
| |
| |
| Incident Response | |
| |
| |
| Understanding Incident Management | |
| |
| |
| Importance of CSIR Teams | |
| |
| |
| Justifying a Response Team | |
| |
| |
| Cost of an Incident | |
| |
| |
| Assessing Your Needs | |
| |
| |
| How to Use Your Assessment | |
| |
| |
| Building an Incident Response Plan of Attack | |
| |
| |
| When an Incident Occurs | |
| |
| |
| The SANS Institute's Incident Response Plan | |
| |
| |
| Analyzing an Attack | |
| |
| |
| |
| Putting It All Together | |
| |
| |
| |
| Integrating People, Process, and Technology | |
| |
| |
| Your Security Infrastructure | |
| |
| |
| How to Maintain a Successful Security Infrastructure | |
| |
| |
| Security Awareness Training | |
| |
| |
| Security ROI | |
| |
| |
| Security Infrastructure Components | |
| |
| |
| Interoperability and Management | |
| |
| |
| Security Infrastructure Myths | |
| |
| |
| |
| Trends to Watch | |
| |
| |
| PDA | |
| |
| |
| Peer-to-Peer Networks | |
| |
| |
| Wireless LAN Security | |
| |
| |
| Mobile Commerce | |
| |
| |
| Honeypots | |
| |
| |
| The Rewards Are Yours | |
| |
| |
| |
| Resources | |
| |
| |
| Antivirus | |
| |
| |
| Apache Web Server | |
| |
| |
| Authentication | |
| |
| |
| Automated Scanning Tools for Security Analysis | |
| |
| |
| Backup and Recovery | |
| |
| |
| Buffer Overflows | |
| |
| |
| Build/Buy Security Systems | |
| |
| |
| Computer Crime | |
| |
| |
| Cryptography and Encryption | |
| |
| |
| Databases | |
| |
| |
| Digital Certificates and E-Signatures | |
| |
| |
| DNS Security | |
| |
| |
| E-Mail Security | |
| |
| |
| Exchange Server | |
| |
| |
| File Encryption | |
| |
| |
| Firewalls | |
| |
| |
| Hiring Hackers | |
| |
| |
| Host Security | |
| |
| |
| Hubs and Switches | |
| |
| |
| IIS Web Servers | |
| |
| |
| Information Security Professionals | |
| |
| |
| Instant Messaging | |
| |
| |
| Intrusion Detection | |
| |
| |
| Log Analysis | |
| |
| |
| Malware | |
| |
| |
| Managed Service Providers | |
| |
| |
| Network Security | |
| |
| |
| Personal Firewalls | |
| |
| |
| Physical Security | |
| |
| |
| Policy Management | |
| |
| |
| Probability of Attack | |
| |
| |
| Public Key Infrastructure (PKI) | |
| |
| |
| Remote Access | |
| |
| |
| Remote Management | |
| |
| |
| Risk Management | |
| |
| |
| Secure Shell (SSH) | |
| |
| |
| Secure Sockets Layer (SSL) | |
| |
| |
| Security Audits | |
| |
| |
| Security Policies | |
| |
| |
| Sendmail | |
| |
| |
| Smart Cards | |
| |
| |
| System Auditing | |
| |
| |
| Technology Insurance | |
| |
| |
| Terminal Services | |
| |
| |
| Virtual Private Networks (VPNs) | |
| |
| |
| VLANs | |
| |
| |
| Vulnerability Scanners | |
| |
| |
| Index | |