Index

Note: Page numbers followed by b indicates boxes, f indicates figures and t indicates tables.

A

Abstraction 52

Acceptance testing 202–203

Access aggregation 125–126

Access control defensive categories 21b

compensating 22

corrective 21

detective 21

deterrent 21–22

preventive 21

recovery 21

Access control matrix 52

Access control models 

content-dependent 131

context-dependent 131

discretionary access control (DAC) 130

mandatory access control (MAC) 130

nondiscretionary 130–131

rule-based 130–131

Access control technologies 

access review 125–126

audit 125–126

centralized access control 125

decentralized access control 125

Federated identity management (FIdM) 126

identity as service 126–127

Kerberos 127–128

lightweight directory access protocol (LDAP) 127

protocols and frameworks 128–130

security association markup language (SAML) 126

SESAME 128

single sign-on (SSO) 125

user entitlement 125–126

Accountability 4–5

Account lockouts 118–119 See also Passwords

Accreditation 40

Acquisitions 14

Address space location randomization (ASLR) 58

Addy inherits 198

Addy object 198, 198f

Administrative law 7

Administrative personnel controls 

background checks 148

job rotation 147

least privilege/minimum necessary access 147

mandatory leave/forced vacat 148

nondisclosure agreement (NDA) 148

separation of duties 147

Advanced encryption standard (AES) 67, 71, 72t

Agile software development 

extreme programming 190

scrum 189–190

ALU  See Arithmetic logic unit (ALU)

Annualized loss expectancy (ALE) 24–25, 25t

ARO 24

AV 24

EF 24

SLE 24

Annual rate of occurrence (ARO) 24

Antivirus 156

Application-layer, OSI model 99–100

Application-layer TCP/IP protocols 

DNS 103

FTP 102

HTTP and HTTPS 103

IMAP 102

POP 102

SMTP 102

SSH 102

Telnet 102

Application programming interface (API) 193

Application whitelisting 156

Arithmetic logic unit (ALU) 55

ARO  See Annual rate of occurrence (ARO)

ASLR  See Address space location randomization (ASLR)

Assembly language 187

Assessing access control 

log reviews 138

penetration testing 136–137

security assessments 138

security audits 138

vulnerability testing 137

Asset management 

change management 157–158

configuration management 157

Asset security, domain 2 

classifying data 34–35

data destruction 39–40

data security control determination 40–44

memory and remanence 37–39

ownership 36–37

Asset value (AV) 24

cost approach 24

income approach 24

market approach 24

Asymmetric encryption 

Diffie-Hellman key agreement protocol 73

discrete logarithm 73

ECC 73

factoring prime numbers 72–73

tradeoffs 73

Asynchronous dynamic token 120

Attackers 28–29

bots and botnets 29

hackers 28

insiders 29

outsiders 28

phishers and spear phishers 29

Attestation 13

Audit records 158

Authentication, authorization, and accountability (AAA) 4

Authentication methods 

type 1 118–120

type 2 120

type 3 120–124

Authentication protocols and frameworks 

802.1X and EAP 111–112, 111b

Authentication server (AS) 120

Authorization 4, 125–126

AV  See Asset value (AV)

Availability  See Denial of service (DoS)

B

Background checks 19, 148

Backups and availability 

electronic backups 174–176

hardcopy data 174

Backup storage 35

Baselining 157 See also Configuration management

Basic input/output system (BIOS) 38, 57

BCP  See Business continuity planning (BCP)

Bell-LaPadula model 49

rules and properties 50, 50b

Best evidence rule 9

Biba model 51

Binary images 148 See also Forensics

Biometrics 120

control, types of 122–124

enrollment 121

systems, accuracy of 121

throughput 121

BIOS  See Basic input/output system (BIOS)

Black-box testing 139

Black hats hackers 137

Bluetooth 107

Bots and botnets 29

Brewer-Nash  See Chinese Wall model

Bridges, layer 2 device 108

Brute-force attacks 119

BS-25999 and ISO 22301 180

Budget and metrics 26

Buffer overflows 201

Business Continuity Institute (BCI) 180–181

Business Continuity Management System (BCMS) 180

Business continuity planning (BCP) 

business impact analysis (BIA) 167–169

call trees 173

critical state, assessing 167

disaster recovery plan (DRP) 162–163, 163f

Emergency Operations Center (EOC) 173

plans 171–173, 171t

preventive controls 169

project initiation 166–167

recovery strategy 169–170

Business impact analysis (BIA) 

BCP/DRP-focused risk assessment 168

critical assets 167

failure and recovery metrics 168–169

maximum tolerable downtime (MTD) 168

Business owners 36

Business recovery plan (BRP) 172

Bytecode 187

C

Cable modems 113

Cache memory 38

register file 38

SRAM 38

Call trees 165, 173 See also Disaster recovery process

Candidate keys 194

Carnegie Mellon University’s (CMU) 202

CBC  See Cipher block chaining (CBC)

CDN  See Content distribution networks (CDN)

Centralized access control 125

Central processing unit (CPU) 54–56, 186–187

ALU 55

CISC and RISC 56

control unit 55

fetch and execute 55

interrupts 56

multitasking and multiprocessing 56

pipelining 55–56

processes and threads 56

Cerberus  See Kerberos

Certificate authorities (CAs) 77

key management issues 77

Certificate revocation lists (CRL) 77

Certification 40

CFB  See Cipher feedback (CFB)

Chain of custody 9

Challenge-handshake authentication protocol (CHAP) 130

Change management 157–158, 178–179

Chinese Wall model 51

Cipher block chaining (CBC) 70

Cipher feedback (CFB) 70

Circuit-switched networks 

drawback of 97

point-to-point connections 97

CISC  See Complex instruction set computer (CISC)

Civil law 7

legal system 6

Clark-Wilson model 51

Client-side attacks 63

Cloud computing 

benefits of 60

goal of 59

service levels 60, 60t

Code repository security 192

Cold site 170

Collusion 147

Combinatorial software testing 140

Commercial off-the-shelf (COTS) software 203

Common law 6

administrative 7

civil 7

criminal 7

Communication and network security, domain 4 

network architecture and design 96–107

secure communications 111–115

secure network devices and protocols 107–111

Compartmentalization 34, 147 See also Administrative personnel controls

Compensating control 22

Compilers 187

Complex instruction set computer (CISC) 56

Computer-aided software engineering (CASE) 187

Computer bus 54, 55f

Computer crime 9–10, 10b

import/export restrictions 13

international cooperation 12

Computer Ethics Institute 16

Confidentiality, integrity, and availability (CIA) 3–4

Configuration management 

baselining 157

vulnerability management 157

Conflict of interest categories (CoIs) 51

Constrained user interface 196

Content delivery networks 114–115

Content-dependent access control 131

Content distribution networks (CDN) 114–115

Context-dependent access control 131

Continuity of operations 

fault tolerance 158–162

service level agreement (SLA) 158

Continuity of operations plan (COOP) 163, 172

Continuity of support plan 172

Contraband checks 82

Contractor security 20

Control unit 55

Converged protocols 104–105

DNP3 104

storage protocols 104–105

VoIP 105

Copyright 11, 11f

Cornerstone cryptographic concepts 

confidentiality, integrity, authentication, and nonrepudiation 67

confusion, diffusion, substitution, and permutation 67

cryptographic strength 67

data at rest and in motion 68

monoalphabetic and polyalphabetic ciphers 67–68

protocol governance 68

XOR 68

Cornerstone information security concepts 3–5

availability 3–4, 3f

confidentiality 3–4, 3f

DAD 4

integrity 3–4, 3f

Corrective controls 21

Council of Europe Convention on Cybercrime 12

Counter (CTR) 70, 71t

CPU  See Central processing unit (CPU)

Credential set 118

Crime scene 148 See also Forensics

Criminal law 7

Crisis communications plan 172–173

Crisis management plan (CMP) 172

Crossover error rate (CER) 121, 122f

Cross-site request forgery (CSRF) 201

Cryptanalysis 66

Cryptographic attacks 74–75

adaptive chosen ciphertext 75

adaptive chosen plaintext 75

brute-force attack 74

chosen ciphertext 75

chosen plaintext 75

differential cryptanalysis 75

known-key attack 75

known plaintext 74

linear cryptanalysis 75

side-channel attacks 75

social engineering 74

Cryptographic strength 67

Cryptography 66, 68–74

asymmetric encryption 72–73

hash functions 73–74

implementation of 76–79

symmetric encryption 69–72

Cryptology 66

CTR  See Counter (CTR)

Custodian 36

Customary law 6

Custom-developed third-party products 203

Cyberincident response plan 172

D

Data 

in motion 68

at rest 68

Database integrity 195, 197

Database journal 197

Database management system (DBMS) 194

Database normalization 196

Database replication 197

Databases 

data warehousing and data mining 197–198

entity integrity 195, 195t

foreign keys 195

hierarchical 196–197

integrity 197

normalization 196

object-oriented 197

query languages 196

referential 195

relational 194–196

replication and shadowing 197

semantic 195

views 196

Database security 65–66

data mining 65–66

inference and aggregation 65

polyinstantiation 65

Database shadowing 175

Datacenter flood 170

Data classification 34–35

clearance 34

formal access approval 35

labels 34

need to know 35

sensitive information/media security 35

Data collection limitation 37

Data controllers 37

Data definition language (DDL) 196

Data destruction 

degaussing 40

destruction 40

dumpster diving 39

object reuse 39

overwriting 39–40

shredding 40

Data encryption standard (DES) 69–71

CBC 70

CFB 70

CTR 70, 71t

ECB 70

modes of 69–70, 70b

OFB 70

single 71

triple 71

Data execution prevention (DEP) 58

Data integrity 4, 137

Data link layer 98

Data loss prevention (DLP) 155–156

Data manipulation language (DML) 196

Data mining 65–66, 197

Data owners 36

Data processors 37

Data protection 

drive and tape encryption 44

media storage and transportation 44

in motion 43–44

at rest 43–44

Data remanence 37

overwriting 39

Data retention policies 150

Data security controls 

certification and accreditation 40

determination of 40

protecting data 43–44

scoping and tailoring 43

standards and control frameworks 40–43

Data warehouse 197

Decentralized access control 125

Decryption 66

Defense in depth 5

Degaussing 40

Delegation 198

Denial of service (DoS) 4

DEP  See Data execution prevention (DEP)

DES  See Data encryption standard (DES)

Desktop and application virtualization 113

Detection phase 151 See also Incident response management

Detective controls 21

Deterrent controls 21–22

Diameter 129 See also Remote authentication dial in user service (RADIUS) protocol

Dictionary attack 119

Differential backups 174

Differential linear analysis 75

Diffie-Hellman key agreement protocol 73

Digital signatures 76–77

creation of 76, 76f

verification of 76, 76f

Digital subscriber line (DSL) 112–113

speeds and modes 113, 113t

types of 112–113

Direct-sequence spread spectrum (DSSS) 106

Disassembler 187

Disaster recovery plan (DRP) testing 

business interruption 178

parallel processing 177–178

read-through 177

review 177

simulation test/walkthrough drill 177

walkthrough/tabletop 177

Disaster recovery process 

activate team 165

assess 166

communicate 165

reconstitution 166

respond 165

Disclosure, alteration, and destruction (DAD) 4

Discrete logarithm 73

Disk encryption 156–157

Disruptive events 164–165, 165t

Distributed network protocol (DNP3) 104

Divestitures 14

Domain name system (DNS) 103

Drive and tape encryption 44

DRP  See Disaster recovery plan (DRP)

DSL  See Digital subscriber line (DSL)

DSSS  See Direct-sequence spread spectrum (DSSS)

Due care 

and due diligence 8

gross negligence 8

Dumpster diving 39

Duress warning systems 87

Dynamic passwords 118

Dynamic random-access memory (DRAM) 38

Dynamic signature 124

Dynamic testing tests 139

E

EAP  See Extensible authentication protocol (EAP)

EAP-Transport Layer Security (EAP-TLS) 111

EAP Tunneled Transport Layer Security (EAP-TTLS) 111

ECB  See Electronic code book (ECB)

ECC  See Elliptic curve cryptography (ECC)

eDiscovery  See Electronic discovery

EF  See Exposure factor (EF)

802.1X protocols 111–112, 111b

802.11 abgn 106, 106t

802.11i 107

Electronic backups 

database shadowing 175

differential backups 174

electronic vaulting 175

full system 174

HA options 175–176

incremental backups 174

remote journaling 175

tape rotation methods 174–175

Electronic code book (ECB) 70

Electronic discovery 149–150

Electronic vaulting 175

Elliptic curve cryptography (ECC) 73

Embedded device forensics 149

Emergency Operations Center (EOC) 173

Employee termination 19

Encryption 66

Endpoint security 

antivirus 156

application whitelisting 156

disk encryption 156–157

removable media controls 156

End-user license agreements (EULAs) 11

Enticement and entrapment 9

Environmental controls 85–90

ABCD fires and suppression 88

electricity 85–86, 85b

electromagnetic interference (EMI) 86

fire suppression agents 88–90, 89t

portable fire extinguishers 90

sprinkler systems 90

surge protectors 86

ups and generators 86

Equal error rate (EER) 121

Erasable programmable read-only memory (EPROM) 38

Escrowed encryption 79

Ethernet 98

Ethics 15–17

(ISC)²® code of 15–16

Computer Ethics Institute 16

IAB and Internet 16–17

Ethics and the Internet 16–17

EUI-64  See Extended unique identifier-64 (EUI-64)

European union (EU) privacy 11–12

Data Protection Directive 12

US-based organizations 12

Evaluation assurance level (EAL) 41

Evidence 9

best evidence rule 9

integrity 9

types of 9

Exclusive OR (XOR) 68, 68t

Executive Order 12356-National Security Information 34

Exposure factor (EF) 24

Extended unique identifier-64 (EUI-64) 100

Extensible authentication protocol (EAP) 111

EAP-TLS 111

EAP-TTLS 111

LEAP 111

PEAP 111

Extensible markup language (XML) 64, 126

Extranet 96

F

Facial scan 124

False accept rate (FAR) 121

False reject rate (FRR) 121

Fault tolerance 

redundant array of inexpensive disks (RAID) 158–162

system redundancy 162

Federated identity management (FIdM) 126

Fetch and execute cycle 55

FHSS  See Frequency-hopping spread spectrum (FHSS)

Fibre Channel over Ethernet (FCoE) 104–105

Fibre Channel over IP (FCIP) 104–105

File allocation table (FAT) 39

File transfer protocol (FTP) 102

Financial damages 7, 8t

Fingerprints 122

Firewalls 109–110

packet filter 109, 110f

proxies 110

stateful firewalls 109–110, 110f

Firmware 

flash memory 38

PLD 38

ROM, types of 38

Flame detectors 87

Flash memory 38

Forensics 

electronic discovery 149–150

embedded device 149

media analysis 148–149

network 149

Formal access approval 35

Frame relay 104

Frequency-hopping spread spectrum (FHSS) 106

FTP  See File transfer protocol (FTP)

Full disclosure 202

Full-duplex communication 96

Full system backup 174

Fuzzing 140 See also Black-box testing

G

GitHub 192

Global area network (GAN) 96

Global positioning system (GPS) 124

Good Practice Guidelines (GPG) 180–181

Google Map 193

Greatest lower bound (GLB) 50

Grid computing 60

H

Hackers 28

Half-duplex communication 96

Halon extinguishers 89–90

Hand geometry 123–124

Hardcopy data 174

Hardware segmentation 57

Hash functions 73–74

collisions 74

MD5 74

SHA 74

Hashing 119

Heat detectors 87

Heating, ventilation, and air conditioning (HVAC) 86

static and corrosion 86

Heavyweight process (HWP) 56

Heuristic-based antivirus 63

Hierarchical databases 196–197

High-availability cluster 

active-active 162

active-passive 162

Host-based intrusion detection systems (HIDS) 155

Host-based intrusion prevention systems (HIPS) 155

Host-to-host transport layer 100

Hot site 170

HVAC  See Heating, ventilation, and air conditioning (HVAC)

Hybrid attack 119

Hybrid risk analysis 27

Hypertext transfer protocol (HTTP) 103

Hypertext transfer protocol secure (HTTPS) 103

Hypervisor 59

I

IAB ethics  See Internet Activities Board’s (IAB) ethics

IDEA  See International data encryption algorithm (IDEA)

Identity and access management 

access control 

models 130–131

technologies 124–130

authentication methods 118–124

exam objectives 131–132

Identity and authentication 4

Identity as a service (IDaaS) 126

Identity management 126

IMAP  See Internet message access protocol (IMAP)

Immunity Canvas 136

Incident handling checklist 150–151, 151f

Incident response management 

methodology 150–153

root-cause analysis 153

Incremental backups 174

Inference and aggregation 65

Information owner  See Data owners

Information security attestation 13 See also Attestation

Information security governance 17–20

baselines 18

documents 17–18

guidelines 18

procedure 17–18

security policy 17–18

standards 18

Information security professionals 2

Information security program 

business owners and mission owners 36

Information Systems Audit and Control Association (ISACA) 43

Information Technology Infrastructure Library (ITIL) 43

Infrastructure as a service (IaaS) 60

Instant messaging 

chat software 114

IRC 114

Integrated circuit card (ICC) 81

Integrated product team (IPT) 192

Integrity 3–4, 3f, 50–51

Biba model 51, 51b

Clark-Wilson model 51

types of 4

Intellectual property 10–11

copyright 11, 11f

licenses 11

patent 10–11

trademark 10, 10f

trade secrets 11

Interface testing 141

International Common Criteria 41–42

EALs 42

evaluation, levels of 42

International cooperation 12

import/export restrictions 13

International data encryption algorithm (IDEA) 71

International Organization for Standardization 42

International Software Testing Qualifications Board (ISTQB) 202–203

Internet 96, 100

Internet Activities Board’s (IAB) ethics 16–17

Internet control message protocol (ICMP) 99, 101

Internet message access protocol (IMAP) 102

Internet protocol security (IPsec) 78–79, 112

authentication header (AH) 78

encapsulating security payload (ESP) 78

internet security association and key management protocol (ISAKMP) 78

security association (SA) 78

tunnel and transport mode 78–79

Internet protocol version 4 (IPv4) 100–101

Internet protocol version 6 (IPv6) 101

Internet relay chat (IRC) 114

Internet service provider (ISP) 84

Internet small computer system interface (iSCSI) 104–105

Interpreted languages 187

Interrupts 56

Intranet 96

Intrusion detection system (IDS) 153–154

Intrusion prevention system (IPS) 153–154

Investigations, legal aspects of 8–9

entrapment and enticement 9

evidence integrity 9

IPsec  See Internet protocol security (IPsec)

IPv4  See Internet protocol version 4 (IPv4)

IPv6  See Internet protocol version 6 (IPv6)

IRC  See Internet relay chat (IRC)

Iris scan 123

ISACA  See Information Systems Audit and Control Association (ISACA)

(ISC)²® code of ethics 15–16, 16b

canons 15–16

iSCSI  See Internet small computer system interface (iSCSI)

ISO/IEC 17799:2005 42

ISO/IEC 27001:2005 42

ISO/IEC-27031 179–180

J

Java Virtual Machine (JVM) 64

Job rotation  See Rotation of duties

K

Kerberos 127–128

operational steps 127–128, 129f

Kernel, operating system 58–59

Keyboard dynamics 124

Key Distribution Center (KDC) 128

Known-good binaries 156 See also Application whitelisting

L

Labels 34

LAN  See Local-area network (LAN)

Large-scale parallel data systems 60–61

Lattice-based access control 50

Laws and regulations 6

Layered defense  See Defense in depth

Layering 52

Leadership 3

LEAP  See Lightweight extensible authentication protocol (LEAP)

Least privilege 5, 147

Least upper bound (LUB) 50

Legal and regulatory issues 5–13

administrative law 7

civil law 7

compliance with 6

criminal law 7

liability 7–8

major legal systems 6

Legitimate traffic 155

Liability 7–8

Licenses 11

Lightweight directory access protocol (LDAP) 127

Lightweight extensible authentication protocol (LEAP) 111

Lightweight process (LWP) 56

Local-area network (LAN) 96, 103

Ethernet 103

Logical link control (LLC) 98

Log reviews 138

M

Machine code 186–187

Magnetic stripe cards 81

Maintenance hooks 62

Major legal systems 6

civil law (legal system) 6

common law 6

religious and customary law 6

Malicious code (malware) 62–63

antivirus software 63

computer viruses 62

logic bombs 63

packers 63

rootkits 62

Trojans 62

worms 62

Malware infection 163

Mandatory access control 147

Mandatory leave/forced vacation 148

Mantraps 82

Maximum allowable downtime (MTD) 168

MD5  See Message Digest algorithm 5 (MD5)

Mean time between failures (MTBF) 168–169

Mean time to repair (MTTR) 168–169

Media access control (MAC) 98

addresses 100, 100b

EUI-64 100

Media storage and transportation 44

Meeting point leader 87

Memory 37–39

basics of 37–39

cache memory 38

data remanence 37

DRAM and SRAM 38

firmware 38

flash memory 38

protection of 56–57

hardware segmentation 57

process isolation 57

virtual memory 57

WORM storage 57

RAM and ROM 38

and remanence 37–39

SSD 39

Message Digest algorithm 5 (MD5) 74

Metropolitan area network (MAN) 96

Minimum operating requirements (MOR) 168–169

Minutiae 122 See also Fingerprints

Mission owners 36

Misuse case testing 141

Mitigation phase 152

Mobile device attacks 66

defenses 66

full disk encryption 66

Mobile sites 170

Modem 111

Monoalphabetic cipher 67–68

Montreal Protocol 90

Multiprotocol label switching (MPLS) 104

Multipurpose Internet mail extensions (MIME) 79

Multitasking and multiprocessing 56

N

Nessus 137

Network access layer 99–100

Network architecture and design 

application-layer TCP/IP protocols and concepts 101–103

converged protocols 104–105

fundamental concepts 96–97

LAN technologies and protocols 103

OSI model 97–99

RFID 107

SDN 105

TCP/IP model 99–101, 99t

WAN technologies and protocols 103–104

WLANs 105–107

Network attacks 136, 172

Network-based intrusion detection system (NIDS) 154–155, 154f

Network-based intrusion prevention system (NIPS) 154–155, 155f

Network concepts 96–97

circuit-switched networks 97

Extranet 96

full-duplex communication 96

GANS 96

half-duplex communication 96

Internet 96

Intranet 96

LANS 96

MANS 96

packet-switched networks 97

PANS 96

QoS 97

simplex communication 96

WANS 96

Network forensics 149

Network layer 98

The New New Product Development Game 189–190

Nexus 6 196

NIST SP 800-34 166, 171t, 179

Nondisclosure agreement (NDA) 148

Nondiscretionary access control 

role-based 130

task-based 131

Nonrepudiation 5

Nontechnical stake holders 152

O

Object labels 34

Object-oriented databases 197

Object-oriented programming (OOP) 198–200

cornerstone 198–200

Object request brokers (ORBs) 200

Object reuse 39

Occupant emergency plan (OEP) 163, 172

OFB  See Output feedback (OFB)

OFDM  See Orthogonal frequency-division multiplexing (OFDM)

Offshoring 20

One-time passwords 118

One-way hash functions 73

Online Certificate Status Protocol (OCSP) 77

Open and closed systems 54, 54b

OpenFlow 105

Open-source Metasploit 136

Open system interconnection (OSI) 98t

application layer 99

data link layer 98

network layer 98

physical layer 97–98

presentation layer 99

session layer 98–99

transport layer 98

vs. TCP/IP 99, 99t

OpenVAS 137

Open Web Application Security Project (OWASP) 64

Operating systems 49

Operational expenses (OPEX) 153

Operationally Critical Threat, Asset, and Vulnerability Evaluation^sm 41

Operational preventive and detective controls 

data loss prevention 155–156

endpoint security 156–157

HIDS and HIPS 155

IDS and IPS 153–154

NIDS and NIPS 154–155

security information and event management 155

Organisation for Economic Co-operation and Development (OECD) 12, 37

Organizational registration authorities (ORAs) 77

Orphaned software 192

Orthogonal frequency-division multiplexing (OFDM) 106

OSI  See Open system interconnection (OSI)

Output feedback (OFB) 70

Outsiders 28

Outsourcing 20

Overwriting 39–40

data remanence 39

OWASP  See Open Web Application Security Project (OWASP)

Ownership 

business/mission owners 36

custodian 36

data collection limitation 37

data controllers and data processors 37

data owners 36

information security roles 36

system owner 36

users 36

P

Packet filter firewall 109, 110f

Packet-switched networks 97

advantages of 97

QoS 97

Pairwise testing 140

Partial-knowledge tests 136

Passphrases 118

Password authentication protocol (PAP) 130

Passwords 118

dynamic passwords 118

guessing 118–119

hashes and cracking 119–120

one-time passwords 118

passphrases 118

static passwords 118

Patent 10–11

Payment Card Industry Data Security Standard (PCI DSS) 40–41, 138

core principles of 41

security standard 41

PDAs  See Personal digital assistants (PDAs)

PEAP  See Protected EAP (PEAP)

Peer-to-peer (P2P) networks 61

Penetration testing 

confidentiality 137

data integrity 137

system integrity 137

tests 136

tools and methodology 136–137

Pen testers 136

Perimeter defenses 79–83

CCTV 80–81

combination locks 81

dogs 83

doors and windows 82–83

fences 80

gates 80

guards 83

key locks 81

lights 80

locks 81

smart cards and magnetic stripe cards 81

tailgating/piggybacking 81

walls, floors, and ceilings 83

Permanent virtual circuit (PVC) 104

Personal area networks (PAN) 96

Personal digital assistants (PDAs) 114

Personal identification number (PIN) 82, 118

Personally identifiable information (PII) 3, 61

Personnel safety 87–88

Personnel security 19–20

background checks 19

employee termination 19

outsourcing and offshoring 20

security awareness and training 19

vendor, consultant, and contractor security 20

Phishers and spear phishers 29

Photoelectric motion sensor 82

Physical layer 97–98

Piggybacking  See Tailgating

Pipelining 55–56

Platform as a service (PaaS) 60

PLD  See Programmable logic device (PLD)

Point-to-point protocol (PPP) 112

Polyalphabetic cipher 67–68

Polyinstantiation 65, 199

Polymorphism 199

Port-based network access control (PNAC) 111

Power-on self-test (POST) 57

P2P networks  See Peer-to-peer (P2P) networks

Presentation layer 99

Pretty Good Privacy (PGP) 79

Primary memory 37

Privilege escalation 201

Processes and threads 56

Process isolation 57

Procurement 14

Programmable logic device (PLD) 38

Programmable read-only memory (PROM) 38

Protected EAP (PEAP) 111

Protection profile 41

Protocol governance 68

Proxy firewalls 110

application-layer 110

Prudent Man Rule 7

Public key infrastructure (PKI) 77

Publicly released software 

crippleware 188

free software 188

open-source and closed-source software 187

shareware 188

Q

Qualitative risk analysis 27

risk analysis matrix 27

Quality of service (QoS) 97

Quantitative risk analysis 27

ALE calculation 27

R

Radio frequency identification (RFID) 81, 107

Random-access memory (RAM) 37–38

Rapid application development (RAD) 190

Reading down and writing up model 50

Read-only memory (ROM) 37–38

Read-through test 177

Real-time transport protocol (RTP) 105

Reciprocal agreements 170

Recovery controls 21

Recovery phase 152

Recovery point objective (RPO) 168

Recovery strategy 

cold site 170

hot site 170

mobile sites 170

reciprocal agreements 170

redundant site 169

warm site 170

Recovery time objective (RTO) 168

Reduced instruction set computer (RISC) 56

Redundant array of inexpensive disks (RAID) 

Hamming code 159–160

mirrored set 159, 160f

striped set 

dedicated parity 160

distributed parity 160, 161f

dual-distributed parity 161

Redundant hardware 162

Reference monitor 43, 59

Regulatory law  See Administrative law

Relational databases 194–196, 194t

Religious law 6

Remediation 152–153

Remote access 112–115

cable modems 113

CDN 114–115

desktop and application virtualization 113

DSL 112–113, 113t

instant messaging 114

PDAs 114

remote desktop console access 113

remote meeting technology 114

screen scraping 113–114

Remote authentication dial in user service (RADIUS) protocol 128–129

Remote desktop protocol (RDP) 113

Remote journaling 175

Removable media controls 156

Repeaters and hubs 108

Requirements traceability matrix (RTM)  See Traceability matrix

Response phase 151–152 See also Incident response management

Responsible disclosure 202

Retina scan 122–123

Return on investment (ROI) 3, 25–26

loss expectancy 26, 26t

RFID  See Radio frequency identification (RFID)

Right to penetration test/right to audit 14

Rinbow table 119

Ring model 

CPU 53

hypervisor mode 53

schematic diagram of 53, 53f

usage of 53

RISC  See Reduced instruction set computer (RISC)

Risk acceptance criteria 27

Risk analysis 

accept the risk 27

assets 22

impact of 23

mitigating risk 27

quantitative and qualitative 27

risk avoidance 27

TCO and ROI 26

threat 22

transferring risk 27

vulnerability 22

Risk analysis matrix 23, 23t

Risk management process 28

risk analysis process 28

Robust security network (RSN) 107, 107b

ROI  See Return on investment (ROI)

Role-based access control (RBAC) 130

ROM  See Read-only memory (ROM)

Root-cause analysis 153

Rotation of duties 147

Routers 109

S

Safeguards 2

procedures 18

Safety awareness 87–88

Safety training 87–88

Safety warden 87

Sashimi model 188, 189f

Screen scraping 113–114

Scrum development model 189–190

SDN  See Software-defined networking (SDN)

Secondary memory 37

Secure communications 111–115

authentication protocols and frameworks 111–112

remote access 112–115

VPN 112

Secure European system for applications in a multivendor environment (SESAME) 128

Secure hardware architecture 54–58

ASLR 58

computer bus 54, 55f

CPU 54–56

DEP 58

memory protection 56–57

system unit and motherboard 54

TPM 58

Secure hash algorithm (SHA) 73–74

Secure network devices and protocols 107–111

bridges 108

firewalls 109–110

modem 111

repeaters and hubs 108

routers 109

switches 108–109, 108f

VLANs 109

Secure operating system and software architecture 58–59

kernel 58–59

reference monitor 59

Secure shell (SSH) 102

Secure sockets layer (SSL) 78, 112

Secure system design concepts 52–54

abstraction 52

layering 52

open and closed systems 54

ring model 53, 53f

security domains 52

Security and third parties 13–14

acquisitions 14

divestitures 14

procurement 14

service provider contractual security 13–14

vendor governance 14

Security architecture layers 52

Security assessment and testing 

assessing access control 136–138

software testing methods 138–141

Security association markup language (SAML) 126

Security audit 138

Security awareness 19

Security documentation 18, 19t

Security domains 52

Security engineering, domain 3 

cornerstone cryptographic concepts 66–68

cryptographic attacks 74–75

cryptography 68–74, 76–79

environmental controls 85–90

perimeter defenses 79–83

secure hardware architecture 54–58

secure operating system and software architecture 58–59

secure system design concepts 52–54

security models 49–52

site selection, design, and configuration 83–84

system defenses 85

system vulnerabilities, threats, and countermeasures 61–66

virtualization and distributed computing 59–61

Security Information and Event Management (SIEM) 155

Security models 

access control matrix 52

Bell-LaPadula model 50, 50b

Chinese Wall model 51

integrity models 50–51

lattice-based access control 50

operating systems 49

reading down and writing up 50

Security operations 

administrative security 146–148

asset management 157–158

backups and availability 173–176

BCP and DRP 

developing 166–173

frameworks 179–181

maintenance 178–179

process 162–166

testing, training, and awareness 176–178

continuity of operations 158–162

forensics 148–150

incident response management 150–153

operational preventive and detective controls 153–157

Security policy 17–18 See also Information security governance

Security risk management, domain 1 2

access control defensive 20–22

ALE 24–25

attackers 28–29

budget and metrics 26

computer crime 9–10

cornerstone information security concepts 3–5

defense in depth 5

due care and due diligence 8

ethics 15–17

gross negligence 8

identity and AAA 4–5

import/export restrictions 13

information security governance 17–20

intellectual property 10–11

international cooperation 12

investigations 8–9

least privilege 5

legal and regulatory issues 5–13

nonrepudiation 5

personnel security 19–20

privacy 11–12

risk analysis 22–28, 23t

ROI 25–26, 26t

security and third parties 13–14

subjects and objects 5

TCO 25

Security target 41

Security training 19

Sensitive information/media security 35

Sensitive media 35

Separation of duties 147

Server-side attacks 63

Service level agreement (SLA) 13, 158, 203

Service Management Practices-Core Guidance 43

Service-oriented architecture (SOA) 

heterogeneous applications 65

web services 65

Service provider contractual security 13–14

attestation 13

right to penetration test/right to audit 14

SLA 13

Service-side attacks  See Server-side attacks

Session initiation protocol (SIP) 105

Session layer 98–99

SHA  See Secure hash algorithm (SHA)

Shadow database 197

Shredding 40

Signature-based antivirus software 63

Simple mail transfer protocol (SMTP) 102

Simplex communication 96

Single-loss expectancy (SLE) 24

Single sign-on (SSO) 125–126

Site design and configuration issues 84

media storage facilities 84

shared demarc 84

shared tenancy and adjacent buildings 84

site marking 84

Site selection issues 83–84

crime 84

utility reliability 83–84

SLE  See Single-loss expectancy (SLE)

Smart card 81

Smoke detectors 87

SMTP  See Simple mail transfer protocol (SMTP)

SOA  See Service-oriented architecture (SOA)

Social engineering 136

Software as a service (SaaS) 60

Software capability maturity model 202

Software-defined networking (SDN) 105

Software development security 193

application development methods 188–194

databases 194–198

effectiveness of 200–203

object-oriented programming 198–200

programming concepts 186–188

Software Engineering Institute (SEI) 202

Software escrow 192

Software licenses 11

Software testing methods 

combinatorial 140

fuzzing 140

interface testing 141

levels 140

misuse case testing 141

static and dynamic testing 139

synthetic transactions 140

test coverage analysis 141

traceability matrix 139, 139f

Software vulnerabilities 200–202

Solid-state drives (SSDs) 34

ATA Secure Erase and destruction 39

garbage collection 39

vs. magnetic drive 39

TRIM command 39

Source code 186–187

Spiral model 190

SRAM  See Static random-access memory (SRAM)

SSDs  See Solid-state drives (SSDs)

SSH  See Secure shell (SSH)

SSL  See Secure sockets layer (SSL)

SSO  See Single sign-on (SSO)

Standards and control frameworks 40–43

COBIT 43

International Common Criteria 41–42

ISO 17799 and the ISO 27000 Series 42

ITIL® 43

OCTAVE® 41

PCI-DSS 41

Stateful firewalls 109–110, 110f

Static passwords 118

Static random-access memory (SRAM) 38

Static testing tests 139

Storage area network (SAN) 104

Storage protocols 104

Structured query language (SQL) 194

Switches, layer 2 device 108

network switch 108, 108f

Symmetric encryption 69–72

AES 71

blowfish and twofish 71–72

DES 69–71

IDEA 71

initialization vectors and chaining 69

RC5 and RC6 72

stream and block ciphers 69

Synchronous dynamic token 120

counter-based 120

time-based 120

Synthetic transactions 140

System defenses 85

asset tracking 85

port controls 85

System integrity 4, 137

System owner 36

System redundancy 162

Systems development life cycle (SDLC) 191–192

System unit and motherboard 54

System vulnerabilities, threats, and countermeasures 61–66

backdoors 61–62

client-side attacks 63

covert channels 61

database security 65–66

malicious code (malware) 62–63

mobile device attacks 66

server-side attacks 63

web architecture and attacks 63–65

T

Tailgating 81

Tailoring, of organization 43

Tape rotation methods 174–175

Target of evaluation (ToE) 41

Task-based access control 131

TCO  See Total cost of ownership (TCO)

Telnet 102

Terminal access controller access control system (TACACS) 129

Test coverage analysis 141

Thin clients 61

Third-party payroll company 45

Threat 22

Ticket Granting Service’s (TGS) 128

Time of check/time of use (TOC/TOU) 201

Tort law 7

Total cost of ownership (TCO) 3, 25

outsourcing and offshoring 20

TPM  See Trusted platform module (TPM)

Traceability matrix 139, 139f

Trademark 10, 10f

Trade secrets 11

Transmission control protocol/Internet protocol (TCP/IP) 96

application-layer 100–103

host-to-host transport layer 100

ICMP 101

internet layer 100

IPv4 100–101

IPv6 101

MAC addresses 100

network access layer 99–100

vs. OSI model 99, 99t

reserved and ephemeral ports 101

UDP 101

Transport layer security (TLS) 78, 98

Triple data encryption algorithm (TDEA) 71

Triple Data Encryption Standard (TDES) 67

Trojan horse 62

Trusted platform module (TPM) 58

Tunneling 101b

Turnstiles 82

Type 1 authentication 118–120

Type 2 authentication 120

Type 3 authentication 120–124

Type I error  See False reject rate (FRR)

Type II error  See False accept rate (FAR)

U

Ultrasonic and microwave motion detectors 82

Unified Modeling Language (UML) 141

UNIX operating system 119–120

Unshielded twisted pair (UTP) 98

US Department of defense (DoD) 50

User datagram protocol (UDP) 98–99, 127

Users, information security roles 36

US National Institute of Standards and Technology (NIST) 71

V

Vendor governance 14

Virtualization and distributed computing 59–61

cloud computing 59–60

grid computing 60

large-scale parallel data systems 60–61

P2P networks 61

security issues 59

thin clients 61

Virtualization escape (VMEscape) 59

Virtual LAN (VLANs) 109

Virtual memory 57

BIOS system 57

swapping and paging 57

Virtual network computing (VNC) 113

Virtual private networks (VPNs) 112

IPsec 112

PPP 112

SSL and TLS 112

VLANs  See Virtual LAN (VLANs)

Voice over Internet protocol (VoIP) 105

Voiceprint 124

Vulnerability 22, 137, 157

W

WAN  See Wide area network (WAN)

War dialing 136

WarGames 136

Warm site 170

Waterfall model 188

Web 2.0 63

Web architecture and attacks 63–65

ActiveX 64

applets 64

Java 64

OWASP 64

SOA 65

XML 64

WEP  See Wired equivalent privacy protocol (WEP)

White-box software testing 139

Whole-disk encryption 44

Wide area network (WAN) 96, 103–104

frame relay 104

MPLS 104

T1s, T3s, E1s, and E3s 103–104, 103b

Wi-Fi Protected Access 2 (WPA2)  See Robust security network (RSN)

Wired equivalent privacy protocol (WEP) 106–107

Wireless local-area networks (WLANs) 105–107

Bluetooth 107

DSSS 106

802.11 abgn 106, 106t

802.11i 107

FHSS 106

OFDM 106

WEP 106–107

Work recovery time (WRT) 168

Write once, read many (WORM) storage 57

X

XML  See Extensible markup language (XML)

XOR  See Exclusive OR (XOR)

Z

Zed Attack Proxy (ZAP) 64

Zero-day exploits 157

Zero-day vulnerabilities 157

Zero-knowledge test 136