See the “Security Dictionary” at the end of the book for a comprehensive list of terms included throughout the volume.
Symbols and Numbers
. (dot), omitting from paths on Unix systems, 462–463
0-13 ICMP unreachable codes, explanations of, 225–226
20-110 TCP/IP ports, services associated with, 474
221-554 SMTP reply codes, table of, 364
802.1x-based authentication and EAP methods, role in hardening wireless networks, 288–291
802.11a LANs
Bluetooth specification for, 271
handling data encryption and client authentication for, 282
range of, 263–264
wireless links on, 271
802.11 and 802.3 frames, comparing, 279–280
802.11b/g channels, use of, 276–277
802.11b/g WLAN cards, range of, 263–264
802.11b LANs, handling data encryption and client authentication for, 282
802.11b point-to-point links, range of, 263–264
802.11 data-link layer. See also 802.15 data-link layer; data-link layer of OSI model
overview of, 279–281
vulnerabilities of and threats to, 281–285
802.11g devices, handling data encryption and client authentication for, 282
802.11 IDSs, obtaining information about, 316
802.11i security standard, hardening wireless networks with, 287–291
802.11 networks, default authentication method on, 283
802.11 standards for spread spectrum band technology, explanation of, 273
802.15 data-link layer. See also 802.11 data-link layer; data-link layer of OSI model
overview of, 279–281
vulnerabilities of and threats to, 281–285
802.15 standards for spread spectrum band technology, explanation of, 273
A
A1-Verified Design TCSEC rating, usage of, 438
academic open-access model of security, dangers of, 19
acceptable risk, determining for network design, 193–194. See also risk analysis
Access Control (A) rights in NDS file-system security, explanation of, 532
accessibility to security sites, significance of, 120
access layer of Cisco Hierarchical Internetworking model, purpose of, 196–197
access points
dealing with, 276–279
interference created by, 277
protecting on Windows systems, 491–492
accountability controls, role in security management, 181–183
account authentication controls, overview of, 132
account management centralization, role in network hardening, 222–223
Account Operators group, description of, 509
accounts, disabling or deleting when not used, 727
ACEs (access control entries)
role in ACLs, 434
role in Windows file-access permissions, 149
ACK (acknowledgement), role in TCP/IP packet analysis, 298
ACK scan, example of, 240
ACK state flag, purpose of, 298
ACLs (access control lists)
components of, 434
example of, 223
features of, 433–434
role in authorization, 149–151
role in network hardening, 218–219
role in network segmentation defense model, 44
AD (anomaly-detection) IDSs
advantages and disadvantages of, 312–313
events monitored and triggered by, 312
features of, 311–312
Add or Delete Self (A) NDS property right, description of, 537
addresses. See IP addresses; MAC (Media Access Control) addresses
administrative abuse of power, preventing, 180–182
administrative power, delegating, 182
administrative practices, considering in network hardening, 221–224
administrative security, role in security management, 180–181
administrators, limiting on Windows systems, 492–495
Administrators group, description of, 508
ADS (alternative data streams), role in forensics, 754–755
adware, overview of, 574
AES (Advanced Encryption Standard), explanation of, 159
A file and directory attribute in NDS file system, explanation of, 533
after-action assessments, conducting after IR overviews, 786
AirDefense IDS solution, web address for, 293
AirFortress gateways, clients, and access controls servers web address, 293
AirJack driver, web address for, 282
AiroPoint 3600 Security Server, web address for, 293
AirSnort, web address for, 284
alarms, using for physical intrusion detection, 124
alerts, using with IDSs, 324–326
Andran Semiconductor risk identification Case Study, 32–33
antenna choice, significance in RF, 266–269
antennas
choosing for wireless networks, 269
irradiation patterns of, 267–268
anti-spoofing, role in network hardening, 226
antiviruses, features of, 388–389, 411
antivirus scanners, using, 724
AOL Instant Messenger, disabling access to, 211
Apache, features of, 412–413
APOP3 (Advanced POP3), features of, 373
AppDomains, role in .NET security, 641–642
appender viruses, explanation of, 706
appliance- versus OS-based firewalls, 240–241
application administration methods
GUIs (graphical user interfaces), 570–571
INI/conf files, 570
application attacks, detecting with IDSs, 300–301
application gateways, features of, 236–238
application layer, relationship to DMZs, 207–208
application-layer attacks, dynamics of, 719–720
application layer of OSI model, purpose of, 233
application-level security
limitations of, 670–671
using with databases, 669–672
applications
auditing on Unix systems, 460–461
installing to nonstandard directories and ports, 734–735
integrating with OS security, 571–572
removing or disabling when not used, 729–730
securing, 731–735
application security. See also embedded applications security
circumventing administrative privilege requirements, 569
conclusions of, 575
configuring, 731–734
ensure that programmers program securely, 736
lock down applications, 735
and new installations, 569
overview of, 568–569
and running privileges, 569
secure P2P services, 735–736
application updates, types of, 572–574
ARP (Address Resolution Protocol), role in NIDSs, 310
ARP poisoning, explanation of, 214–216
AS (authentication server), role in Kerberos process, 136
.asf files, description of and threat caused by, 732
ASICs (application-specific integrated circuits), role in IDS performance, 323
Aspect Communications credit card Case Study, 5–6
ASP.NET. See also .NET
configuring CAS for, 653
running with least privilege, 653–654
ASP.NET authentication, overview of, 654
ASP.NET authorization, overview of, 655–656
ASP.NET impersonation, overview of, 654–655
assessment, role in security process, 96–97
assets. See also classification of assets
explanation of, 21
securing, 122–123
assets step toward improving security, overview of, 13
asymmetric algorithm, explanation of, 159
AT Command application layer protocol, explanation of, 281
attack countermeasures
disable booting from Drive A: and CD, 722
ICF (Internet Connection Firewall), 725
keep patches updated, 722–724
netfilter/iptables, 725
password protect booting, 722
password protect CMOS, 722
secure applications, 731–735
secure file system, 727–731
secure physical environment, 721–722
secure user accounts, 726–727
TCP/IP security, 725
use antivirus scanner, 724
use firewalls, 725
attacks. See also fragmentation and reassembly attacks
application attacks, 300–301
application-layer attacks, 719–720
brute forcing logins, 568
buffer overflows, 407–408, 568, 582–585, 720
computer worms, 709–710
content attacks, 719–720
default samples, 410
detecting with IDSs, 297
dictionary attacks, 489
directory browsing, 410
directory traversal, 408
e-mail worms, 710–711
hardening Windows systems against via system configurations, 495–498
heuristic attacks, 489
integer overflows, 585–587
on JVM (Java virtual machine), 601–602
malicious HTML, 713–715
malicious mobile code, 704–715
man-in-the middle attacks, 169, 278–279
manual cracking, 715–721
miscellaneous types of, 410
network-layer attacks, 716–719
overview of, 703–704
P2P attacks, 721
packet sniffing, 717–718
password cracking, 720–721
physical attacks, 716
protecting against, 169–174
protocol-anomaly attacks, 718–719
RATs (remote-access Trojans), 711–713
script permissions, 408–409
SQL (structured query language) injection, 558–563, 594–596, 719–720
Trojan horse programs, 711
viruses, 705–709
on vulnerable scripts, 567
Zombie Trojans and DDoS attacks, 713
attenuators, purpose of, 270
audit, role in security process, 96–98
auditing
of databases, 676–679
performing with firewalls, 244
auditing activity, 421
log file summarization and reporting, 186–188
system and device logging, 183–186
system and network activity monitoring, 189
vulnerability scanning, 189–190
“Auditing Unix System Services in OS/390”, web address for, 184
audit logs, reviewing for databases, 677–678
AUP enforcement wording, examples of, 176–177
AUPs (acceptable use policies)
developing text for, 177–179
enforcement processing of, 179
role in security management, 175–179
authentication. See also authorization
in ASP.NET, 654
compensating for lack of, 375–376
general uses for, 146–147
in J2EE, 608–609
overview of, 127–129
and proxies, 398
and remote client security concerns regarding VPNs, 252–253
of web-based remote administration, 578–579
authentication controls
overview of, 131
role in security management, 181
authentication credentials, securing with challenge and response, 133–135
authentication policies for computer systems, examples of, 57–62
authentication processes, strengthening for Windows security, 488–492
authentication systems. See also Windows Authentication systems
for 802.11 networks, 283
biometrics, 145–146
central storage, 132–133
certificate-based authentication, 139–144
challenge and response, 133–135
CHAP and MS-CHAP, 135
EAP (Extensible Authentication Protocol), 144–147
IPSec, 147
Kerberos, 135–137
local storage and comparison, 129–130
network authentication, 132–133
one-time password systems, 137–138
password comparison, 132–133
recommendation about, 369
RSA SecurID, 138
securing password files, 130–132
securing passwords with encryption, 130–132
S/Key, 138–139
smart cards and hardware-based devices, 143–144
SSH Communications Security, 147
SSL/TLS (Secure Sockets Layer)/(Transport Layer Security) certificate-based authentication, 141–143
usernames and passwords, 128–139
AUTH LOGIN ESMTP authentication type, explanation of, 368
AUTH LOGIN PLAIN ESMTP authentication type, explanation of, 368
authority, limiting for administrative security, 180
authorization, 151. See also authentication
and ACLs (access control lists), 149–151
in ASP.NET, 655–656
and file-access permissions, 149–151
in J2EE, 610–611
overview of, 147–152
role-based authorization, 148–149
rule-based authorization, 151–152
and user rights, 148
authorization controls, role in security management, 181–182
Automatic Update service, features of, 343
availability
versus DoS (denial of service), 197
role in data security, 165–166
AVDL (Application Vulnerability Description Language) Technical Committee, web address for, 320
B
B1-Labeled Security Protection TCSEC rating, usage of, 437
B2-Structured Protection TCSEC rating, usage of, 438
B3-Security Domains TCSEC rating, usage of, 438
back door programs
damage done by, 8
explanation of, 36
backup and redundancy, significance of, 353
backup policies, components of, 352
backups. See also forensic backups
alternatives to and newer methodologies for creation of, 350–351
overview of, 347
performing, 736
rotation strategies for, 348–350
traditional methods for creation of, 347
types of, 348
backup strategies, resources for, 350
banners, configuring for network hardening, 221
Bantam Technology Services business processes Case Study, 26
basic authentication, features of, 578
basic business requirements, sample security policy topics for, 54–55
Bastille Linux, obtaining, 737
bastion hosts, features of, 236–238
.bat files, description of and threat caused by, 732
BDCs (Backup Domain Controllers), role in Windows NT 4.0 domains, 500
behavior-monitoring HIDSs, features of, 305–306
Bell-LaPadula security model, features of, 435–436
Biba security model, features of, 436
“Big Machine,” origin of, 157
BIND (Berkeley Internet Name Domain), obtaining, 402
bindery security versus NDS (Novell Directory Services), 530–531
biometrics, overview of, 145–146
biometrics, using as entry controls, 123
biometrics spoofing, overview of, 145
BIOS, performing physical vulnerability assessment of, 118
bit-stream backups, creating for forensics, 749
blackout of 2003, viewing from space, 121–122
block cipher, explanation of, 157–158
Bluesocket WG family gateway, web address for, 293
Bluetooth, attacking, 286–287
Bluetooth access points, range of, 263–264
Bluetooth communication channels, setting up, 285–286
Bluetooth emissions, specification for, 272
Bluetooth hops, frequency of, 274
Bluetooth PAN data link security, threats to, 285–286
Bluetooth protocol stack, diagram of, 281
Bluetooth technology, obtaining information about, 287
Bluetooth “TEMPEST” bag, web address for, 281
Bluetooth wireless PANs, functionality in circuit-switched and packet-switched modes, 280
BlueZ open source Bluetooth stack, web address for, 286
Boomerang online backups, web address for, 351
booting, password protecting, 722
BOOTP servers, disabling for network hardening, 220
boot sector viruses, explanation of, 706–707
brute-force attacks, characteristics of, 489, 720
brute forcing logins, overview of, 568
buffer overflow attacks
characteristics of, 407–408, 568, 582–583
defenses against, 584–585
dynamics of, 720
Bugbear Internet worm, obtaining information about, 709
bugs and security, 571
BugTraq, web address for, 341
building and campus security policies, examples of, 75
buildings, performing physical vulnerability assessment of, 118
burstable links, role in network design, 196
business agility
quantifying, 7
significance of, 4–6
business continuity
overview of, 683–684
providing awareness and training programs for, 694
business continuity components
analyzing business impact, 685–687
developing recovery strategies, 687–688
initiating a plan, 685
rehearsing disaster recovery and business continuity, 688–694
business partnerships, significance of, 6
business processes versus technical controls, 24–26
business software versus business processes Case Study, 26
business-to-business security, evaluating, 108
bytecode
role in Java language, 600
role in .NET security, 624
C
C1-Discretionary Protection TCSEC rating, usage of, 437
C2-Controlled Access Protection TCSEC rating, usage of, 437
CA (certificate authority), purpose of, 139–140
California Section 1798.82, overview of, 778–779
Carnivore system, obtaining information about, 376
CAS (code access security)
code groups in, 634
configuring for ASP.NET, 653
membership conditions in, 634
permission sets in, 634
policy levels in, 635–636
policy resolution example, 637–639
role in .NET security, 631–641
role of evidence in, 632–633
role of imperative and declarative security in, 639–641
Case Studies
Business Processes versus Business Software, 26
Dangers of the Academic Open-Access Model, 19
Identifying Risks, 32–33
The Illusion of Security, 20
Maintaining Customer Confidence, 8
Merging Security Models, 40
Oracle’s Security-related Product Direction, 83
Preparing for Credit Card Transactions, 5–6
Walt Disney World’s Information Technology Division, 102
CAS policy, enforcing, 639
CCMP (Counter Mode with CBC-MAC Protocol) 802.11i encryption protocol, explanation of, 288
CCTV (closed-circuit television), using for physical intrusion detection, 123
CDP (Cisco Discovery Protocol), disabling for network hardening, 219
cell phones, vulnerability to viruses, 707–708
CERT, web address for, 341
certificate-based authentication
overview of, 139–144
smart cards and hardware-based devices, 143–144
SSL/TLS (Secure Sockets Layer)/(Transport Layer Security), 141–143
certificates, example of, 168
CFAA (The Computer Fraud and Abuse Act)
“access without authorization” clause of, 763
“damage” defined in, 764–765, 767
“excess of authorization” clause of, 763–764
“hacks for access” clause of, 766
intent element of Section 1030(a)(5), 766
“loss” defined in, 764–765
“mere trespass” clause of, 765–766
overview of, 762–768
“protected computers” defined in, 763, 765
C file and directory attribute in NDS file system, explanation of, 533
chain of custody, role in forensics, 746–747
challenge and response, securing authentication credentials with, 133–135
change control
documenting and analyzing, 336–337
overview of, 336
change control policies, developing, 337–338
change control procedures, usability of, 338–340
channel allocation, impact on rogue access points, 276
channel sink objects, role in .NET remoting, 652
CHAP (Challenge Handshake Authentication Protocol), overview of, 135
checksum HIDSs. See snapshot HIDSs
checksums, role in integrity, 163
.chm files, description of and threat caused by, 732
chroot, using to isolate processes on Unix systems, 458–459
chroot function in Unix, explanation of, 200
CIDF (Common Intrusion Detection Framework) project, obtaining information about, 320
Ci file and directory attribute in NDS file system, explanation of, 533
CIL (Common Intermediate Language), relationship to managed code, 624–626
cipher disk, explanation of, 157
circuit-level gateways, features of, 238
CIRTs (computer incident response teams), responsibilities of, 87–89
CIS (Center for Internet Security) scans, running on Unix systems, 465
Cisco Hierarchical Internetworking model, overview of, 196–197
Cisco routers. See also routers
disabling source routing on, 226–227
encryption methods for, 222
Cisco routing lists, purpose of implicit drops in, 216
CIS security benchmarks, accessing, 451
civil lawsuits related to information security regulation, overview of, 781
Clark-Wilson security model, features of, 436
classification of assets, categories of, 117–118. See also assets
classloaders, role in J2EE containers, 600
client configuration, relationship to remote client concerns for VPNs, 253–254
client networking environment, relationship to remote client concerns for VPNs, 254–260
clients, quarantining, 259
client-side scripts, providing web application security for, 563
closed-system ESSIDs, overview of, 285. See also ESSIDs (Extended Service Set Identifiers)
cluster in a box automated redundancy method, features of, 356
clustering automated redundancy method, features of, 355
.cmd files, description of and threat caused by, 732
CMOS/BIOS settings, password protecting, 722
COBIT standard, overview of, 448–449
“Code of Practice for Information Security Management,” overview of, 779–780
Code Red worm, characteristics of, 704–705
code repository access, overview of, 404–405
Co file and directory attribute in NDS file system, explanation of, 533
collisions, occurrence of, 214
Colubris wireless LAN routers and public access controllers, web address for, 293
.com files, description of and threat caused by, 732
Common Criteria
building blocks of, 446–447
origins of, 445–446
overview of, 444–445
PPs (protection profiles) and STs (security targets) in, 446–447
problems with, 447
sections of, 446
Communication administratively prohibited message in ICMP, description of, 225
communications, securing with IPSec and VPNs, 169–170
Compare (C) NDS property right, description of, 537
compressed data, relationship to forensics, 758
computer crimes
categories of, 762
defining, 761–772
elements of, 762
intrusions and network attacks, 762–768
computer forensics. See forensics
computer network roles, securing on Windows systems, 521
computer systems, sample security policy topics for, 56–68
computer worms, dynamics of, 709–710
computing devices and peripherals, performing physical vulnerability assessment of, 118
confidential e-mail, role in data security, 173–174
confidential information, examples of, 3
confidentiality
and early codes, 155–158
and key exchange, 159, 161–162
and public key cryptography, 159–161
role in data security, 154–161
Configuration Auditor, web address for, 339
connectionless protocol, UDP as, 299
connection-oriented protocol, TCP as, 298
construction and excavation, significance in choosing security sites, 121–122
container object in NDS tree, purpose of, 528–530
containers, role in J2EE architecture, 607–608
content attacks, dynamics of, 719–720
content obfuscation, IDS detection of, 300–301
Content-Type e-mail header field, explanation of, 367
control console, role in SCADA systems, 423
convergence, relationship to routing protocols, 217
cookies and session management, overview of, 565–567
copy backups, description of, 348
copyright infringement, applying to electronic contraband, 771–772
core layer of Cisco Hierarchical Internetworking model, purpose of, 196–197
cracker scenario, 715–716
CRAM-MD5 ESMTP authentication type, explanation of, 368
Cray Research Case Study of merging security models, 40
Create (C) rights in NDS file-system security, explanation of, 532
credit card security, overview of, 416–418
credit card transactions, preparing for, 5–6
critical systems, considering in redundancy planning, 354
cron jobs, auditing on Unix systems, 461
cross-site scripting vulnerabilities
defenses against, 590–594
overview of, 588–590
cross-site scripting vulnerabilities, overview of, 210
cryptography
crypto-contest results, 160
early attempts at, 155–156
public key cryptography, 159–161
using with .NET applications, 644–652
CryptoStor appliance, web address for, 172
.cs files, description of and threat caused by, 733
CSI (Computer Security Institute), crime-loss statistics from, 34–35
CSMA/CA (Carrier Sense Media Access/Collision Avoidance) algorithm, using, 279–280
CSO (chief security officer), responsibilities of, 83–84
customer confidence Case Study, 8
custom remote administration, advantages and disadvantages of, 579–580. See also remote administration security
CVE (Common Vulnerabilities and Exposures) dictionary, accessing, 320
CVS (Concurrent Versions System) source repository software, features of, 404
CWNA (Certified Wireless Network Administrator) exam, obtaining information about, 265
cyber crimes, overview of, 771–772
D
D2D (disk-to-disk) backups, features of, 351
DAC (discretionary access control) versus MAC (mandatory access control), 434–435
DACL (discretionary access control list), purpose of, 434
daemons
avoiding use of root for, 456–458
configuring for logging on Unix systems, 467
removing from Unix systems prior to securing of, 453
removing or disabling when not used, 729–730
replacing with OpenSSH on Unix systems, 454–456
data
passing in hidden fields, 564–565
securing transmission of, 169–171
data audiences, responsibilities of, 106
database backup types
differential backups, 675
full backups, 675
transaction log backups, 675
database-level security
database administration security, 663
database roles and permissions, 664–665
object-level security, 665–667
overview of, 662–663
database objects used for security
stored procedures, 668
triggers, 668–669
views, 667–668
databases
auditing and monitoring, 676–679
backing up and recovering, 673–676
support for Internet applications, 671–672
database security, overview of, 657–659
database security layers
network-level security, 659–661
operating system security, 661–662
role of data encryption in, 660–661
server-level security, 659
database server logins, managing, 661–662
database servers
keeping up to date, 676
monitoring, 678–679
uses of, 658–659
database tiers, relationship to DMZs, 207–208
data centers, locking, 122
data center security policies, examples of, 75–77
data custodian, responsibilities of, 87, 106
data encryption, role in database security layers, 660–661
data-link layer of OSI model, purpose of, 232. See also 802.11 data-link layer; 802.15 data-link layer
data normalization, IDS detection of, 301
data owners, responsibilities of, 106
data privacy policies for computer systems
example of, 62–68
importance of, 161–162
data security architecture applications
confidential e-mail, 173–174
data storage and file encryption, 171–172
DRM (Digital Rights Management), 173
securing data in flight, 169–171
data security principles, 172. See also internal network security; network security; security
availability, 165–166
confidentiality, 154–161
integrity, 162–165
non-repudiation, 166–168
privacy, 161–162
DATA SMTP command, explanation of, 364, 366
data storage, using file encryption with, 171–172
data-transfer problems, solving in web applications, 565
The Data Vault Corporation, web address for, 351
data-vaulting, features of, 350
data warehousing, using database servers for, 658–659
Date e-mail header field, explanation of, 367
Dc file and directory attribute in NDS file system, explanation of, 533
DDoS attacks and Zombie Trojans, dynamics of, 713
decibels, measuring power gain and loss with, 270
dedicated backup networks, features of, 351
DeepSight Threat Management System, web address for, 311
default sample attacks, characteristics of, 410
defense aspect of security, overview of, 10–12
defense in depth model, overview of, 39–41
defense models
lollipop model, 38–39
network segmentation, 43–44
onion model, 39–41
perimeter security, 38–39
zones of trust, 41–43
DELE message number POP command, description of, 370
Denied file permission in Unix, explanation of, 151
deployment descriptors, role in J2EE containers, 607–608
DES block cipher
cracking of, 160
explanation of, 158–159
desktop encryption, implementing, 171–172
Desktop Protector real-time HIDS, features of, 306–307
destination ports, example of, 233–234
detection aspect of security, overview of, 11–12
deterrence aspect of security, overview of, 10–12
diagnostic servers, disabling for network hardening, 220
dictionary attacks, characteristics of, 489
differential backups
of databases, 675
description of, 348
restoring from, 349
Diffie-Hellman key, explanation of, 159
diff output line, examining on Unix systems, 452
Di file and directory attribute in NDS file system, explanation of, 533
digest authentication, features of, 578
digital signatures
creating with public key cryptography, 159
using for non-repudiation, 166–168
direct connections, role in network connectivity, 391
directed broadcasts, role in ICMP, 226
Direct Mail, relationship to SMTP, 380
direct mapping, features of, 395
directory browsing attacks, characteristics of, 410
directory contents, cataloguing and presenting thumbnails of, 752
directory traversal attacks, characteristics of, 408
dirty interface of packet filters, explanation of, 235
disaster avoidance and recovery, evaluating, 108
disaster recovery
overview of, 683–684
providing awareness and training programs for, 694
using third-party vendors for, 694–698
disaster recovery questionnaire, providing third-party vendors with, 695–698
Disney World’s IT division Case Study, 102
distance-vector routing protocol, explanation of, 217
distribution layer of Cisco Hierarchical Internetworking model, purpose of, 196–197
.dll files, description of and threat caused by, 732
Dm file and directory attribute in NDS file system, explanation of, 533
D-Minimal Protection TCSEC rating, usage of, 437
DMZs (demilitarized zones), considering in network design, 205
DNS cache poisoning, overview of, 403
DNS (Domain Name Service)
hierarchical structure of, 400
overview of, 399–402
protocols and ports associated with, 235
and proxies, 397
role of root servers in, 400
DNS servers
example of, 401–402
overview of, 399–403
DNS server security problems
misconfigured servers, 402
unpatched servers, 402
.doc files, description of and threat caused by, 732
documentation, importance of, 106
documents, performing physical vulnerability assessment of, 119
Domain Admins group, description of, 509
Domain Guests group, description of, 509
Domain Users group, description of, 509
doors and file cabinets, locking, 122
DoS (denial of service) attacks
dynamics of, 718–719
obtaining information about, 220
relationship to DNS cache poisoning, 403
DoS (denial of service) versus availability, 197
dot (.), omitting from paths on Unix systems, 462–463
.dot files, description of and threat caused by, 733
DPAPI (Data Protection API), using with .NET applications, 652
DRM (Digital Rights Management), role in data security, 173
Ds file and directory attribute in NDS file system, explanation of, 533
DSSS (direct sequence spread spectrum), overview of, 273–276
Duty of Care
emergence of, 772–781
future of, 780–781
dwepcrack, web address for, 284
dynamic NAT, features of, 242
E
EAP (Extensible Authentication Protocol), overview of, 144–147, 289–291
Echelon system, obtaining information about, 376
echo requests, relationship to ICMP, 224–226
e-commerce transaction, securing with SSL/TLS, 171
Economic Espionage Act, overview of, 772
ECPA (The Electronic Communications Privacy Act)
overview of, 768–771
stored communications section of, 770–771
EFS (encrypting file system)
explanation of, 166
features of, 730–731
process of, 171–172
Egghead Software customer confidence Case Study, 8
EIRP (equivalent isotropically radiated power)
estimating, 271
role in RF gain, 270
EIRP limit, specification for, 272
EJB (Enterprise JavaBeans), role in J2EE architecture, 605–607
electronic communications
retention regulations related to, 783–784
unauthorized access to, 768–771
electronic contraband, discovery of, 771–772
electronic eavesdropping, section in ECPA, 768–770
e-mail
protocols and security issues related to, 360–378
securing, 732
e-mail header fields, table of, 367
e-mail servers, securing, 390
e-mail worms, dynamics of, 710–711
embedded applications security, 576–577. See also application security
.eml files, description of and threat caused by, 733
EMSs (enterprise-management systems), role in IDSs, 319
EnCase forensic software, web address for, 752
encoding schemes, role in content obfuscation, 300
encryption
for Cisco routers, 222
as countermeasure, 730–731
history of, 154–155
importance of, 164
justification for, 377
mathematics of, 159
for mobile devices, 172
modern uses of, 158–159
obtaining information about, 377
relationship to forensics, 758
role in database security layers, 660–661
securing passwords with, 130–132
using with data storage, 171–172
encryption type, determining, 222
end-user interfaces for IDSs, overview of, 317
Enigma machine, origin of, 157
entity beans, role in J2EE architecture, 606
entry controls
biometrics, 123
building and employee ID badges, 123
security guards, 123
equipment and records, performing physical vulnerability assessment of, 119
equivalent security, explanation of, 22
Erase (E) rights in NDS file-system security, explanation of, 532
ESMTP (Extended SMTP), features of, 367–368
ESMTP authentication types
AUTH LOGIN, 368
AUTH LOGIN PLAIN, 368
CRAM-MD5, 368
ESP (Encapsulating Security Payload), explanation of, 172
ESSID “ANY” value, significance in authentication, 283. See also closed-system ESSIDs
ESSIDs (Extended Service Set Identifiers), guidelines for use of, 282
Ethereal Open Source sniffer, web address for, 364
Ethereal program, web address for, 717
Ethernet, vulnerabilities of, 424–425
ethical worms, overview of, 346–347
Ettercap tool, web address for, 215
event correlation, role in IDS management, 318
event log, example of, 186
event timestamps, reporting in UTC (Coordinated Universal Time), 326
evidence, preserving in IR overviews, 783
evidence, role in CAS (code access security), 632–633
evidence acquisition, role in forensics, 747–751
evidence analysis, role in forensics, 751–754
excavation and construction, significance in choosing security sites, 121–122
Execute file permission in Unix, explanation of, 151
.exe files, description of and threat caused by, 733
EXPN SMTP command, explanation of, 367
external Windows trusts, overview of, 506
extranets, considering in network design, 205
F
facility security officer, responsibilities of, 85
FakeAP, web address for, 278–279
false-positives
decreasing in IDSs, 331
fault tolerance automated redundancy method, features of, 355
fax security, implementing, 420
feedback analyzers, features of, 412
FEK (File Encryption Key), role in EFS, 171–172
FHSS (frequency hopping spread spectrum), explanation of, 274
file-access permissions, role in authorization, 149
file authorization in ASP.NET, explanation of, 655–656
file cabinets and doors, locking, 122
FileCrypto encryption product, web address for, 172
file-integrity HIDSs, features of, 305–306
filemon, web address for, 493
files
comparing on Unix systems, 452
removing or disabling when not used, 729–730
File Scan (F) rights in NDS file-system security, explanation of, 532
file server compromise, statistics related to, 304
file servers, role in NetWare operating system, 525–527
file slack, role in forensics, 749
file systems
examining in forensics, 752–754
securing, 727–731
file-system security in NDS
default rights in, 531
flow of rights in, 531–533
and IRF (Inherited Rights Filter), 531–533
relationship of directory and file attributes to, 533–536
file-system security policies, components of, 535–536
file types, blocking as needed, 732
fingerprinting, role in TCP/IP packet analysis, 299
fingerprint systems, attacks on, 146
finger servers, disabling for network hardening, 220
FIN state flag, purpose of, 298
firewall failover mechanisms, examples of, 198
firewalls
advantages and disadvantages of, 15, 23, 35
appliance- versus OS-based firewalls, 240–241
application gateways, 236–238
auditing and logging considerations, 244
effective attributes of, 229
forms of, 231
increasing internal security with, 203–204
IPSs (intrusion-prevention systems) as, 322
location of, 231
and NAT (network address translation), 241–243
NAT (network address translation) as, 393
obsolescence of, 231
packet-filtering firewalls, 234–236
role in onion model of defense, 39
SPI (stateful packet-inspection) firewalls, 238–240
strengths of, 230
and TCP/IP, 232–234
tools for testing security of, 244
uses of, 200
and VPNs (virtual private networks), 244–245
vulnerability of, 203
weakness of, 230–231
firewall technologies, list of, 231
five steps toward improvement of security
assets, 13
priorities, 14
protections, 13
risks, 13
tools, 13
flag exploits, relationship to IDS detection, 299
Fluhrer, Mantin, and Shamir passive ciphertext-only WEP attack, obtaining information about, 284
FoIP (fax over IP), features of, 420
forensic backups, creating, 748–750. See also backups
forensics
capturing system contents as part of, 750–751
dealing with hidden data, 754–755
detecting deleted data, 757–758
evidence acquisition component of, 747–751
evidence analysis component of, 751–754
investigating encrypted and compressed data, 758
and keyword searching, 759–760
legal requirements for, 746–747
overview of, 746
and steganography, 755–757
working with live systems, 750–751
forests, Windows trusts in, 505–507
forms, providing web application security for, 563–565
FPGA (Field Programmable Gate Array) chips, role in IDS performance, 323
fragmentation and reassembly attacks, IDS detection of, 299–300. See also attacks
fragmentation flags in IP packet headers, purpose of, 298
Fragmentation needed message in ICMP, description of, 225
free space path loss, calculating, 271
frequency allocation tables, web address for, 275
frequency counters, using with wireless networks, 275–276
Fresnel zone, example of, 271
From e-mail header field, explanation of, 367
FSMOs (Flexible Single Master Operations), purpose of, 502–503
FTC and state enforcement trends, overview of, 780
FTP (file transfer protocol), protocol and ports associated with, 235
FTP proxies, features of, 395
FTS for Bluetooth, web address for, 286
FUD (Fear, Uncertainty, and Doubt), relationship to risk management, 7
full backups
of databases, 675
description of, 348
Full Control file permission in Windows, granting, 150
G
gain
achieving, 269–270
relationship to RF, 269
gateways
application gateways, 236–238
circuit-level gateways, 238
Gator adware, overview of, 574
GFS (grandfather, father, son) backup strategy, explanation of, 348–349
girlfriend program or virus, explanation of, 36
GLB (Gramm-Leach-Bliley) Act, overview of, 773–775
global address, relationship to NAT, 241–243
government perimeter blockade model for security, overview of, 17–18
GPOs (Group Policy Objects)
example of, 514–515
features of, 512–514
Greek Trojan horse defensive failure, overview of, 21
Group Policy
effective range of, 513–514
evaluating and troubleshooting, 516
overview of, 512–513
Group Policy settings, overview of, 515–516
groups, purpose in role-based administration on Windows systems, 508–510
GSSAPI authentication, obtaining information about, 369
Guests group, description of, 509
guidelines, role in security hierarchy, 28
gummy finger attack, explanation of, 146
H
H.263 streaming media standard, features of, 414–415
hackers, motivations of, 386–388, 712
hardening, role in security process, 96–98
hash algorithms
relationship to integrity, 164–165
using with .NET applications, 644–646
HashKeeper forensic software, web address for, 752
Hazard Fairs, addressing disaster-recovery and business-continuity issues at, 695, 698–699
health and safety security policies, examples of, 78
HELO domain SMTP command, explanation of, 364–365
Hermes/Orinoco cards, web address for, 277–278
heuristic attacks, characteristics of, 489
H file and directory attribute in NDS file system, explanation of, 533
HFnetChkPro and HFNetChkLT, web address for, 346
hidden fields, passing data by means of, 564–565
HIDSs (host-based IDSs)
features of, 305–308
guidelines for selection of, 316
high availability design automated redundancy method, features of, 356
highly directional antennas, role in layer 1 RF security, 266
highly privileged accounts, limiting use of, 726–727
HIPAA (Health Insurance Portability and Accountability Act) and security rules, overview of, 776–778
.hlp files, description of and threat caused by, 733
hold-down timers, role in RIP routing protocol, 217
honeypot HIDSs, overview of, 307–308
Honeypots.net, obtaining information from, 334
horizontal antenna radiation pattern, diagram of, 268
host hardening, considering in network design, 208
Host unreachable message in ICMP, description of, 225
Hotmail and web-based e-mail, features of, 375
hot-swapping, features of, 357
HSM (Hierarchical Storage Management), features of, 350
.hta files, description of and threat caused by, 733
.htm and .html files, description of and threat caused by, 733
HTTP authentication methods, overview of, 578
HTTP BASIC authentication, relationship to J2EE, 608–609
HTTP Connect proxies, features of, 396
HTTP (Hypertext Transfer Protocol), using with J2EE, 611–613
HTTP, protocol and ports associated with, 235
HTTP proxies
features of, 394–395
performance benefit of, 237
HTTPS (Hyper Text Transfer Protocol Secure sockets), using with J2EE, 611–613
HTTPS, protocol and ports associated with, 235
HTTP-Tunnel application, web address for, 231
hubs, relationship to switches, 214
Human Resources, role in security operations management, 95–96
I
IANA (Internet Assigned Numbers Authority), web address for, 392
IAS, securing Windows communications with, 521
Ic file and directory attribute in NDS file system, explanation of, 534
ICF (Internet Connection Firewall), using as countermeasure, 725
ICMP (Internet Control Message Protocol)
and directed broadcasts, 226
protocol number for, 298
and redirects, 226
relationship to network hardening, 224–226
ICMP unreachable code types, table of, 225
ID badges, using as entry controls, 123
identity theft, discouraging, 162
IDS agents, purpose of, 318
IDS benchmarking test, advisory about, 323
IDScenter GUI for Snort, web address for, 317
IDS concepts, 295
purpose of ID (intrusion detection), 296–297
threat types, 297–301
IDS deployment considerations, IDS weaknesses, 327–330
IDS detection
of application attacks, 300–301
of attacks, 297
of content obfuscation, 300–301
of data normalization, 301
and flag exploits, 299
of fragmentation and reassembly attacks, 299–300
limitations of, 301
of misuse, 297
of network protocol attacks, 297–300
of rogue events, 296–297
and TCP/IP packet analysis, 298–299
IDS features
end-user interfaces, 317
intrusion-detection messaging, 320
IPSs (intrusion-prevention systems), 320–322
IDS fine-tuning
decreasing false-positives, 331
increasing inspection speed, 330
logging and alerting efficiency, 331
IDS Host Sensor behavior-monitoring HIDS, web address for, 305
IDS logging and alerting, overview of, 324–326
IDS management consoles, purpose of, 318
IDS performance
and hardware appliances, 323–324
overview of, 323
IDS reporting and analysis, overview of, 326
IDS resources, 334
IDS ROI discussion document, web address for, 305
IDSs (intrusion detection systems)
AD (anomaly-detection) model, 311–312
benefits of, 304–305
costs of, 303–304
distributed IDS topology, 319
first generation of, 301–302
future of, 332–333
guidelines for selection of, 316–317
high false-positive rates of, 302
managing, 318–320
overview of, 295
return on investment in, 303–305
second generation of, 302–303
signature-detection model, 313–316
as targets, 330
types of, 741
using, 412
WIDS (wireless IDSs), 316
IDS solutions behavior-monitoring HIDS, web address for, 306
IDS types and detection modes
HIDSs (host-based IDSs), 305–308
host-based IDS, 305–308
NIDSs (network-based IDSs), 308–313
overview of, 305
IDS weaknesses
encryption blocking inspection, 329
evasion techniques, 329
expense, 328
false-positives, 327
lockups, 328
spoofed IP addresses, 328–329
volume limitations, 328
I file and directory attribute in NDS file system, explanation of, 534
IIOP (Internet Inter-ORB Protocol), using with J2EE, 616–618
IIS (Internet Information Server), features of, 412
IIS Virtual Patching Plan, overview of, 343
I Love You Virus, obtaining information about, 385
IMAP, protocol and ports associated with, 235
IMAP4 (Internet Message Access Protocol)
features of, 373–374
security problems and solutions related to, 375–378
SSL support for, 374–375
IM (instant messaging), considering in network design, 210–212
impersonation
.NET RBS support for, 630–631
in ASP.NET, 654–655
vulnerability to, 378
incident detection, dynamics of, 740–741
incident responses, topics for complying with, 101–102
incremental backups, description of, 348
inetd, using on Linux systems, 478–479
information, types of, 3
information classification
categories of, 105
roles and responsibilities involved in, 106
information security
evolution of, 17–22
significance of, 6
information security management, evaluating, 108
information security regulation
agencies responsible for, 773
California Section 1798.82, 778
and civil lawsuits, 781
GLB (Gramm-Leach-Bliley) Act, 773–775
HIPAA (Health Insurance Portability and Accountability Act) and security rules, 776–778
overview of, 772–773
Sarbanes-Oxley Act, 775–776
voluntary standards, 779–780
InfoSec, explanation of, 17
Inheritable (I) NDS property right, description of, 537
input validation products, features of, 412
“insurance” analogy for security efforts, explanation of, 7
integer overflow attacks
characteristics of, 585–587
defenses against, 587–588
integrity
role in data security, 162–165
using hash algorithms with, 164–165
intercommunication security, overview of, 421
interference, creating with access points, 276–276
internal network security, evaluating, 108. See also data security principles; network security; security
internal threats, incidence of, 34–35
Internet access, hazards of, 376
Internet applications, database support for, 671–672
internet network routing automated redundancy method, features of, 356
Internet security, evaluating, 108
Internet sniffing, existence of, 369
InterNex academic open-access model Case Study, 19
intranets, considering in network design, 204
IP addresses
purpose of, 213–214
spoofing in IDSs, 328–329
types of, 392
IP (Internet Protocol)
and NetWare security considerations, 526–527
relationship to routers, 216
restricting on Linux systems, 476–479
IP packet headers, fragmentation flags in, 298
IPSec
overview of, 147
securing communications with, 169–170
IPSec tunnel mode VPN protocol, overview of, 249
IPSs (intrusion-prevention systems)
features of, 741
overview of, 320–322
IP telephony and streaming media, overview of, 413–415
IPv4 addresses, conservation of, 241
IPX Novell protocol, NetWare security considerations related to, 526–527
IrDA PANs, attacking, 286–287
IR (incident response) plans
containment and remediation strategy for, 742–744
incident detection considerations, 740–742
overview of, 739–740
recovery and resumption considerations, 744–745
review and improvement considerations, 745
IR (intentional radiator), role in RF gain, 270
IR overviews
compliance with laws for conducting of, 782–787
privilege issues related to, 785–787
irradiated energy, measuring power of, 270
IRTs (incident response teams), responsibilities of, 87–89
ISAPI-based security products, features of, 411
ISM band DSS channels, splitting of, 275–276
ISM (Industrial/Scientific/Medical) range, explanation of, 272
lsof, accessing, 451
isolated storage, role in .NET security, 643–644
Isomair Wireless Sentry IDS solution, web address for, 293
ISO 17799 global standard, overview of, 447–448
ISPs (Internet Service Providers), methods of fighting spam, 381–382, 384
ISO 17799, overview of, 779
IT (Information Technology), separation of duties in, 89–90
IT professionals, role in IR overviews and litigation, 784–785
IV (initialization vector), role in WEP key weakness, 284, 285
J
J2EE architecture components
containers, 607–608
EJB (Enterprise JavaBeans), 605–607
JSP (JavaServer Pages), 604–605
servlets, 602–603
J2EE authentication, overview of, 608–609
J2EE authorization, overview of, 610–611
J2EE (Java 2 Enterprise Edition), overview of, 599
J2EE protocols
HTTP (Hypertext Transfer Protocol), 611–613
HTTPS (Hyper Text Transfer Protocol Secure sockets), 611–613
IIOP (Internet Inter-ORB Protocol), 616–618
JDBC (Java Data Base Connectivity), 619–620
JMS (Java Message Service), 619
JRMP (Java Remote Method Protocol), 618–619
SOAP (Simple Object Access Protocol), 615–616
JAAS (Java Authentication and Authorization Service), overview of, 610–611
Java language, overview of, 599–601
JDBC (Java Data Base Connectivity), overview of, 619–620
JMS (Java Message Service), overview of, 619
John the Ripper, functionality of, 130
JRMP (Java Remote Method Protocol), using with J2EE, 618–619
.js and .jse files, description of and threat caused by, 733
JSP (JavaServer Pages), role in J2EE architecture, 604–605
JVM (Java virtual machine)
attacks on, 601–602
purpose of, 600
K
KDC (Key Distribution Center), role in Kerberos authentication, 136–137
Kerberos, overview of, 135–137
Kerberos_V4 authentication, obtaining information about, 369
key archival, overview of, 166
keyboards, performing physical vulnerability assessment of, 118
key exchange
overview of, 159
role in confidentiality, 161–162
key management issues, relationship to wireless networks, 283
keys
function in certificate-based authentication, 140
protecting with smart cards, 144
keyspaces
role in cryptography, 156
role in forensics, 758
role in Windows LAN Manager challenge and response, 133
keyword searching, role in forensics, 759–760
Kismet, features of, 292
L
L2CAP (Logical Link Control and Adaptation Protocol), explanation of, 280
L2TP over IPSec VPN protocol, overview of, 249–250
labels, role in TCSEC security model, 439
LaBrea sticky honeypot, web address for, 308
ladder logic, role in SCADA systems, 423
laptops, locking, 122
law enforcement, involvement in IR overviews, 782–783
layered defenses, identifying in security audits, 107–108
layer 1 solutions for RF security. See RF layer 1 security solutions
LC4 product, functionality of, 130
leaf object in NDS tree, purpose of, 528–530
LEAP (Lightweight Extensible Authentication Protocol), obtaining information about, 202
least privilege
assigning, 727–728
running ASP.NET with, 653–654
legal compliance, requiring for incident response overviews, 782–787
Level 7 encryption, using with Cisco routers, 222
libpcap Open Source packet-level driver, web address for, 308
lighting in security sites, significance of, 120
link-state routing protocol, explanation of, 217
Linux IrDA
attacking, 286–287
obtaining, 287
Linux security
advisory about, 482–483
overview of, 471
Linux systems
determining server role for, 474–475
installing file scanning application for, 472–474
installing log scanning applications on, 480–488
installing PortSentry on, 475–476
installing TCP Wrappers on, 476–477
installing Tripwire on, 472–474
keeping updated, 483
reading log files on, 479–480
restricting IP on, 476–479
starting with fresh install prior to implementing security on, 472
subscribing to security lists for, 483–484
using inetd on, 478–479
watching commonly scanned ports on, 475–476
List Folder Contents file permission in Windows, granting, 150
LIST POP command, description of, 370–371
litigation and IR overviews, role of IT professionals in, 784–785
LM (LAN Manager), steps followed by, 133–134
LM password, length of, 134
LMP (Link Manager Protocol), explanation of, 280
.lnk files, description of and threat caused by, 733
local address, relationship to NAT, 241–242
locks, securing assets with, 122
LogAnalysis.org, obtaining information from, 334
Logcheck log scanning application
using on Linux systems, 481–482
web address for, 471
log consolidation, techniques for, 188
log files, reading on Linux systems, 479–480
log file summarization and reporting, overview of, 186–188
logging
developing guidelines for, 183–184
enabling, 227
with firewalls, 244
security concerns related to proxies, 397
logins, managing on database servers, 661–662
login scripts, implementing on NetWare operating system, 551
logon process, steps involved in, 149
logs, using with IDSs, 324–326
log scanning applications, installing on Linux systems, 480–488
log servers
centralizing for use with Linux systems, 479–480
centralizing for use with Unix systems, 466–467
lollipop defense model, overview of, 38–39
lsof (list open files) command, using on Unix systems, 464–465
M
MAC filtering, overview of, 285
MAC (mandatory access control) versus DAC (discretionary access control), 434–435
MAC (Media Access Control) addresses, purpose of, 213–214
macro viruses, explanation of, 707–708
Maginot Line defensive failure, overview of, 21
mail distribution by SMTP
Direct Mail, 380
mail DNS entry, 378–379
mail DNS entry, relationship to SMTP, 378–379
MAIL FROM: <e-mail> SMTP command, explanation of, 364–365
mail servers
rejection of spam by, 382
vulnerabilities of, 378
mainframe recovery, steps involved in, 688–693
malicious file types, table of, 732–733
malicious HTML attacks, dynamics of, 713–715
malicious mobile code
overview of, 704–705
viruses, 705–709
managed code
assemblies in, 625
role in .NET security, 624–628
validation of, 625–626
verification of, 627–628
managed security services, overview of, 110–113
management practices, role in administrative security, 181
Manhunt NIDS, web address for, 308
man-in-the-middle attacks
explanation of, 169
on wireless LANs, 278–280
mantraps, using for physical intrusion detection, 124
many-to-one threat versus defense model, diagram of, 21–22
.mdb files, description of and threat caused by, 733
MDB (message-driven beans), role in J2EE architecture, 606
memory-resident viruses, explanation of, 706
Message-ID e-mail header field, explanation of, 367
Microsoft SQL Server security best practices, 678–679
microwave ovens, frequency of, 276
middle ISM (Industrial/Scientific/Medical) range, explanation of, 272
mid-infecting viruses, explanation of, 706
misuse, detecting with IDSs, 297
misuse IDSs, overview of, 313–316
Mitnick, Kevin and InterNex attack, 19
mobile devices, encryption for, 172
modems, role in SCADA security, 424
Modify file permission in Windows, granting, 150
Modify (M) rights in NDS file-system security, explanation of, 532
MOM (Microsoft Operations Manager), obtaining, 737
monitoring activity
log file summarization and reporting, 186–188
system and device logging, 183–186
system and network activity monitoring, 189
vulnerability scanning, 189–190
monitors, performing physical vulnerability assessment of, 118
MONITOR utility, viewing NetWare server use with, 543
moon, proposed offsite backup facilities on, 351
Morris virus, obtaining information about, 385
MS-CHAP, overview of, 135
MSPs (managed service providers)
benefits of, 111–112
services performed by, 112–113
multicast traffic, role in NIDSs, 309
multipartite viruses, explanation of, 707
MX lookup, performance of, 378–379
N
NASA example of vulnerability scan, 189
NAS (network-attached storage), role in data security, 172
National Security Association Museum, web address for, 157
National Strategy to Secure Cyberspace, overview of, 779
NAT (network address translation)
diagram of, 242
dynamic NAT, 242
as firewall, 393
PAT (Port Address Translation), 242–243
relationship to firewalls, 241–243
role in network connectivity, 391–394
static NAT, 242
NCP (NetWare Core Protocol) packet signature, features of, 527
NCP Packet Signature, features of, 545–546
NDS (Novell Directory Services)
versus bindery security, 530–531
default file-system, object, and property rights in, 537–538
overview of, 527–528
NDS object security
and effective rights, 541–542
and inheritance, 540
and IRF (Inherited Rights Filter), 540–541
rules of, 538–542
and security equivalence, 539–540
and trustee assignments, 539
NDS object security rights
Browse object right, 536
Create object right, 536
Delete object right, 536
Inheritable object right, 536
Rename object right, 536
Supervisor object right, 536
NDS property rights, overview of, 537
NDS security
file-system security, 531–536
general ideas for, 551–552
NDS tree structure, diagram of, 528–530
NDS trustee assignments, table of, 538
Nessus tester for firewall security, web address for, 244
.NET, securing web services and web applications in, 653–656. See also ASP.NET
.NET application-level security
using DPAPI (Data Protection API) for, 652
using hashes for, 644–646
using public key cryptography for, 650–651
using symmetric cryptography for, 646–650
NetBIOS, protocol and ports associated with, 235
netcat utility, example of, 715
.NET core security features
AppDomains and isolated storage, 641–644
CAS (code access security), 631–641
managed code, 624–628
RBS (role-based security), 628–631
netfilter/iptables, using as countermeasure, 725
NETLIST utility, location in NetWare operating system, 552
.NET Remoting Central, web address for, 653
.NET remoting security, overview of, 652
netstat tool, displaying ports on Unix systems with, 463–464
NetWare operating system
advisory about placing items in SYS:LOGIN directory, 552
auditing passwords and security products for, 549–551
creating and maintaining strong passwords on, 548–549
implementing login scripts on, 551
implementing passwords on, 547–548
keeping up to date, 545
location of NETLIST utility in, 552
maintaining user accounts on, 547
overview of, 525–527
tips and best practices for securing of, 542–551
NetWare Server Console
implementing, 544–545
limiting or disabling, 543–544
locking, 543
NetWare servers, securing, 543–545
network access, limiting, 575
network and system redundancy, overview of, 353–357
network authentication, occurrence of, 133
network availability, overview of, 197–199
network connectivity
relationship to direct connections, 391
role of NAT and PAT in, 391–394
network design
appropriateness of, 195
determining acceptable risk factors for, 193–194
DMZ considerations, 205–207
extranet considerations, 205
host hardening considerations, 208
IM (instant messaging) considerations, 210–212
including security in, 194–195
internal security practices related to, 203–204
intranet considerations, 203–204
models of, 194–195
outbound filtering considerations, 209–212
remote access considerations, 203
role of burstable links in, 196
role of redundancy in, 198
screened subnet considerations, 205–207
security costs related to, 195–196
web access considerations, 209–210
network device security of switches and routers, overview of, 213–217
network evaluation software, explanation of, 339
network hardening
and ACLs (access control lists), 218–219
and administrative practices, 221–224
anti-spoofing and source routing considerations, 226
and centralizing account management, 222–223
and ICMP (Internet Control Message Protocol), 224–226
and logging, 227
and patches, 218
and remote command line, 221–222
and services not in use, 219–221
and SNMP (Simple Network Management Protocol), 223–224
and switch security practices, 218
network-layer attacks, dynamics of, 716–719
network layer of OSI model, purpose of, 232
network perimeter. See also perimeter security
explanation of, 200–201
wireless impact on, 201–202
network protocol attacks, detecting with IDSs, 297–300
network rooms, locking, 122
networks
performance of, 196–197
recovering, 693
redundancy strategies for, 354–355
network security. See also data security principles; internal network security; security
enforcing, 103–105
overview of, 199–201
relationship to other forms of security, 9
network segmentation defense model, overview of, 43–44
network segments, role in NIDSs, 309
network share permissions, securing, 730
Network unreachable message in ICMP, description of, 225
N file and directory attribute in NDS file system, explanation of, 534
NFR NID NIDS, web address for, 308
NIDSs (network-based IDSs)
deploying, 331–332
guidelines for selection of, 316
overview of, 308
physical layer considerations, 308
Snort, 310–311
Nimda virus, dynamics of, 386, 709–710
Nmap tool, web address for, 233
NMAS (Novell Modular Authentication Service), features of, 549–550
nonce, treatment in shared key authentication, 284
non-repudiation
performing with J2EE, 614
role in data security, 166–168
Novell NetWare, access control rights used by, 434
Novell security, overview of, 525
NSLookup screen capture, 379
NTFS (NT file system), using with Windows, 728
NTLM, steps followed by, 133–134
NTLM authentication, features of, 578
NTLMv2, enhancements made to, 134–135
NTP (Network Time Protocol), obtaining information about, 741–742
O
obfuscation, explanation of, 20
obscurity and security, relationship between, 233
offline client activity, relationship to remote client concerns for VPNs, 260–261
OLTP (online transaction processing), using database servers for, 658
omnidirectional antennas, role in layer 1 RF security, 266–268
one-time pad algorithms, explanation of, 156
onion defense model, overview of, 39–41
online backups, features of, 350–351
open relay servers, role in sending spam, 382–383
OpenSSH
accessing, 451
replacing vulnerable daemons with, 454–456
OpenSSL
accessing, 451
installing on Unix systems, 454
operating systems, obtaining information about security of, 209
operating system security model
international standards for, 444
relationship to database security layers, 661–662
OPSEC (Open Platform for Security), web address for, 239
Opsware System, web address for, 346
Oracle’s security-related product direction Case Study, 83
Orange Book, origin of, 445
OSEC (Open Security Evaluation Criteria), web address for, 323
OSI (Open Systems Interconnection) model
layers of, 232–233
relationship to TCP/IP, 232
OS security, advisory about, 570
OS security, integrating applications with, 571–572
OS- versus appliance-based firewalls, 240–241
outbound filtering, considering in network design, 209–212
Outlook file attachments, blocking, 734
overwriting virus, explanation of, 706
P
P2P attacks, dynamics of, 721
P2P services, securing, 735–736
packet-filtering firewalls, features of, 234–236
packet filters
advantages and disadvantages of, 236
features of, 235
implementing, 235–236
versus SPI firewalls, 240
packet-level drivers, role in NIDSs, 308
packets, impact on SPI firewall interface, 239
packet sniffing, dynamics of, 717–718
PAN setup, obtaining information about, 286
parasitic viruses, explanation of, 706
partition table viruses, explanation of, 706–707
PASS password POP command, description of, 370–371
password and username authentication systems. See usernames and password authentication systems
password attacking programs, obtaining, 759
password authentication controls, overview of, 131
password construction policy, guidelines for, 58–59
password cracking, dynamics of, 720–721
password data, storage of, 132
password files, securing, 130–132
passwords
central storage of, 132–133
implementing on NetWare operating system, 547–548
issues related to, 137
local storage and comparison of, 128–129
securing with encryption, 130–132
using alternatives on Windows systems, 490–491
vulnerabilities of, 137–138
patches
keeping up to date, 722–724
keeping up to date on Unix systems, 465–466
problems with, 573
role in network hardening, 218
patching
decision-making process involved in, 342
determining candidates for, 341
IIS Virtual Patching Plan, 344
overview of, 340–341
process of, 342–343
patching processes and procedures, examples of, 343–345
PatchLite, web address for, 346
patch management products and resources, list of, 345–346
patch notification, obtaining, 341
patch systems, using for Windows security, 487–488
patchworks for Windows systems, web address for, 346
PAT (Port Address Translation)
features of, 242–243
role in network connectivity, 393–394
PBX (Private Branch Exchange) switches
hacking, 426–427
securing, 427
PDA Defense encryption product, web address for, 172
PDA Safe encryption product, web address for, 172
PDAs (personal digital assistants), vulnerability to viruses, 707–708
PDCs (Primary Domain Controllers), role in Windows NT 4.0 domains, 500
PEAP (Protected Extensible Authentication Protocol), obtaining information about, 202
penetration tests versus security audits, 110
performance, role in network design, 196–197
perimeter security. See also network perimeter
considerations related to, 200–201
vulnerability of, 203
perimeter security model, overview of, 38–39
permissions
“deny overrides accept” rule related to, 150
treatment by Windows, 149
personnel management, sample security policy topics for, 68–74
personnel security management, evaluating, 108
P file and directory attribute in NDS file system, explanation of, 534
PGP Corporation, web address for, 173
PGP (Pretty Good Privacy)
role in confidential e-mail, 173
using, 377
physical access controls, evaluating, 108
physical attacks, dynamics of, 716
physical intrusion detection methods
alarms, 124
CCTV (closed-circuit television), 123
mantraps, 124
system logs, 124
physical layer man-in-the-middle attacks on wireless LANs, overview of, 278–279
physical layer of OSI model, purpose of, 232
physical security
identifying in security audits, 108
sample security policies for, 74–78
physical vulnerability assessment
of buildings, 118
of computing devices and peripherals, 118–119
of documents, 119
of records and equipment, 119
.pif files, description of and threat caused by, 733
PIN as weakness in Bluetooth security systems, explanation of, 286
ping, relationship to ICMP, 224–226
PKI (Public Key Infrastructure)
CA hierarchy of, 518
certificate templates and enrollment in, 518
cross-certification in, 519
overview of, 517–518
revocation of certificates in, 519
role separation in, 519
structure and function of, 518
plaintext authentication, advisory about, 369
plaintext e-mail, overview of, 376
PLC (Programmable Logic Controllers), role in SCADA systems, 423
policies, role in security process, 96–97
policy enforcement
for employees, 104
with software, 104–105
for vendors, 104
poll SCADA configuration, explanation of, 422
POP3 command sequence, overview of, 370–372
POP3 (Post Office Protocol 3)
features of, 369
protocol and ports associated with, 235
security problems and solutions related to, 375–378
SSL support for, 374–375
POP3 proxies, features of, 395–396
POP3 session, example of, 370
port assignments, changing on Unix systems, 457
port mirroring, relationship to NIDSs, 309–310
port numbers, role in TCP/IP packet analysis, 299
ports
determining open status on Unix systems, 463–465
relationship to TCP/IP, 233–234
port scans
explanation of, 233
watching on Linux systems, 475–476
PortSentry
installing on Linux systems, 475–476
web address for, 471
ports 20-110 in TCP/IP, services associated with, 474
Port unreachable message in ICMP, description of, 225
Postfix, accessing, 451
Postfix, replacing sendmail with, 468–469
power gain and loss, estimating, 270
power output tuning, controlling range of wireless devices with, 269–273
Power Users group, description of, 509
PPs (protection profiles), role in Common Criteria, 446–447
PPTP (Point-to-Point Tunneling Protocol), using with VPNs, 250
pre-authentication, explanation of, 136
presentation layer
purpose of, 233
relationship to DMZs, 207
principals, relationship to RBS (role-based security), 629–630
printers
connecting, 419
securing, 419
Print Operators group, description of, 509
priorities step toward improving security, overview of, 14
Prism II chipset cards, web address for, 277–278
privacy, role in data security, 161–162
Privacy Rule, adoption of, 776–777
private addresses
versus public addresses, 392
table of, 241
private network, explanation of, 241
privileges. See also user rights
limiting for administrators of Windows systems, 492–495
managing in application security, 569
procedures, role in security hierarchy, 29
processes, isolating on Unix systems, 458–459
project lifecycle, four primary phases of, 94
project management, role in security operations management, 94
project plans
role in security hierarchy, 28
role in security lifecycle, 98
promiscuous mode, relationship to NIDSs, 309
protections step toward improving security, overview of, 13
protocol-anomaly attacks, dynamics of, 718–719
protocol attacks, detecting with IDSs, 297–300
protocol filtering, overview of, 285
Protocol unreachable message in ICMP, description of, 225
proximity of security sites, significance of, 120
proxy ARP, disabling for network hardening, 219
proxy connectivity, overview of, 394–397
proxy gateways, features of, 236–238
proxy security issues
authentication, 398
interfaces, 397–398
logging, 397
reverse proxy, 398–399
proxy servers
considering in network design, 209
and network connectivity, 391–394
overview of, 391
securing, 398
proxy types
direct mapping, 395
HTTP Connect, 396
HTTP proxies, 394–395
POP3 proxies, 395–396
SOCK proxies, 396
PSTN (Public Switched Telephone Network), role in Cisco Hierarchical Internetworking model, 196
public Internet access, hazards of, 376
public key cryptography
failure of, 168
overview of, 159–161
public key cryptography, using with .NET applications, 650–651
public keys, storing in public key databases, 169
public/private key algorithms, explanation of, 139
public versus private addresses, 392
push SCADA configuration, explanation of, 422
Q
Qaz e-mail worm, obtaining information about, 203
qmail
accessing, 451
replacing sendmail with, 469–470
quarantine logic for authentication of clients, diagram of, 255
quarantining clients, factors involved in, 259
Quick View Plus forensic software, web address for, 752
QUIT POP command, description of, 370
QUIT SMTP command, explanation of, 364
R
RAS (Remote Access Services), securing Windows communications with, 520–521
RATs (remote-access Trojans), dynamics of, 711–713
RBAC (Unix role-based access control), relationship to role-based authorization, 148–149
RBLs (Realtime Blocking Lists), obtaining information about, 381
RBS (role-based security)
relationship to .NET security, 628–631
support for impersonation, 630–631
working with principals in, 629–630
RC5, cracking of, 160
RCONSOLE utility, limiting or disabling NetWare server console with, 543–544
RCPT TO: <e-mail> SMTP command, explanation of, 364–365
Read and Execute file permissions in Windows, granting, 150
Read file permission
in Unix, 151
in Windows, 150
Read (R)
NDS property right, 537
rights in NDS file-system security, 532
RealSecure Desktop Protector real-time HIDS, features of, 306–307
RealSecure Sensor, web address for, 308
real-time HIDS, advantages of, 306–307
Received* e-mail header fields, explanations of, 367
records and equipment, performing physical vulnerability assessment of, 119
Red Book, accessing, 438
Red Hat Update Agent, web address for, 723
redirects, role in ICMP, 226
redundancy
automating, 355–357
considering in network design, 198
identifying in security audits, 107
overview of, 353–357
Reference Monitor Concept, features of, 439–440
references
for attacks and countermeasures, 738
for general information about network security, 29–30
for incident response and forensic analysis, 760
for network design, 212
for Novell security, 553
for operating system security, 449
for physical security, 124–125
for risk analysis and defense models, 45
for security organization, 114
for security policy development, 79
regmon, web address for, 493
regular expression syntax, table of, 591–592
remote access
considering in network design, 203
identifying in security audits, 108
remote-access VPNs, diagram of, 244
remote administration security, overview of, 577–580. See also custom remote administration
remote client security concerns for VPNs
and authentication process, 252–253
and client configuration, 253–254
and client networking environment, 254–260
and offline client activity, 260–261
remote command line, role in network hardening, 221–222
remote dial-in server security, considerations for VPNs, 251
requirements definition, role in security hierarchy, 27–28
Retriever forensic software, web address for, 752
RETR message number POP command, description of, 370–372
Return-Path e-mail header field, explanation of, 367
reverse proxy, security concerns related to, 398–399
RF allocation tables, web address for, 275
RF and wireless transmission interception, significance in choosing security sites, 121
RFCOMM cable replacement protocol, explanation of, 280–281
RF counters, using with wireless networks, 275
RFCs (Requests for Comments), home page for, 360
RF layer 1 security solutions
and controlling range of wireless devices, 269–273
overview of, 266–269
relationship to interference, DoS, wireless signal overlapping, and rogue devices, 273–279
significance of antenna choice in, 266–269
RF power calculations, performing, 270
RF (radio frequency) fundamentals, security benefits of, 265–266
Ri file and directory attribute in NDS file system, explanation of, 534
risk analysis. See also acceptable risk
components of, 32
explanation of, 14–15
and threat definition, 31–37
risk management
security council as form of, 95
significance of, 6–7
risks
identifying, 32–33
types of, 7
risks step toward improving security, overview of, 13
roadmap, role in security hierarchy, 27–28
Ro file and directory attribute in NDS file system, explanation of, 534
rogue access points
dealing with, 276–279
impact of channel allocation on, 276–278
rogue events, detecting with IDSs, 296–297
ROI (return on investment)
for IDSs (intrusion detection systems), 303
realizing for security efforts, 6–9
role-based administration on Windows systems, overview of, 508–510
role-based authorization, overview of, 148–149
roles. See computer network roles; user roles
root, advisory about using for Unix daemons, 456–458
[Root] object in NDS tree, purpose of, 528–530
rootkits
advisory about using in forensics, 751
role in IR recovery and resumption, 744
root servers, role in DNS, 400
routers, overview of, 216. See also Cisco routers
routing protocols, types of, 217
routing updates, disabling, 216
RS232 connections in SCADA, significance of, 424
RSA, challenges related to, 160–161
RSA SecurID authentication system, overview of, 138
RSS (Redundant System Slot) automated redundancy method, features of, 355–356
RST state flag, purpose of, 298
RTU (Remote Telemetry Unit) sensors, role in SCADA systems, 423
RTU (Remote Terminal Unit) sensors, role in SCADA systems, 423
rule-based authorization, overview of, 151–152
rule optimization, obtaining information about, 331
rules
building for packet filters, 235
in signature-detection IDSs, 314–315
RunAs.exe application, purpose of, 570
Rw file and directory attribute in NDS file system, explanation of, 534
S
SACL (system access control list), purpose of, 434
sandboxing
example of, 570
overview of, 390
SANS InfoSec Reading Room-Intrusion Detection, web address for, 334
SANS Institute, web address for, 208
SANs (storage area networks), role in data security, 172
Sarbanes-Oxley Act, overview of, 775–776
SA (Security Association), role in securing communications with IPSec, 169
SCADA security, features of, 423–426
SCADA (Supervisory Control and Data Acquisition) systems, features of, 422–426
scope definition, role in security hierarchy, 27–28
SCRAM-MD5, obtaining information about, 369
screened subnets, considering in network design, 205–207
.scr files, description of and threat caused by, 733
script kiddies, explanation of, 406
script permission attacks, characteristics of, 408–409
scripts
auditing on Unix systems, 462–463
launching attacks on, 567
providing web application security for, 563–565
SCRSAVER utility, using with NetWare servers, 543–544
.sct files, description of and threat caused by, 733
SDP (Service Discovery Protocol), explanation of, 281
Secret encryption, using with Cisco routers, 222
Secrit-e-Lok, obtaining, 737
sectored antenna radiation pattern, diagram of, 268
SecureEXE and SecureNT, obtaining, 737
secure logs, purpose of, 412
secure network design. See network design
security. See also data security principles; internal network security; network security
academic open-access model for, 18
advanced security, 404–405
automating, 736–737
basic assumptions of, 21
branches of, 9
building into network design, 194–195
choosing site location for, 119–122
considerations related to, 25–26
costs of, 195–196
equivalent security, 22
evaluating, 108
evolution of, 17–22
five steps toward improvement of, 12–17
Golden Rule of, 597
government perimeter blockade model for, 17–18
illusion of (Case Study), 20
lack of silver bullet for, 23–24
layering, 40–41
quantifying as risk management effort, 7
relationship to RF (radio frequency), 265–266
and software bugs, 571
through obscurity, 233
transitive security, 22
security administrator, responsibilities of, 85–86
security architect, responsibilities of, 85
security architecture specification, role in security hierarchy, 27–28
security assessments, purpose of, 107
security audits
deliverables of, 109
frequency of, 110
objectives of, 108–109
overview of, 107
versus penetration tests, 110
performing, 110
phases of, 109
practices of, 110
preparing for, 110
solutions and recommendations resulting from, 109–110
security awareness
implementing programs for, 101–103
importance of, 99
increasing effectiveness of, 101
objectives of programs related to, 99–100
security awareness trainers, responsibilities of, 86
security benefits
business agility, 4–6
business partnerships, 6
risk management, 6
security checklists, using with Windows systems, 514–515
security compromises
back door programs, 8
consequences of, 8
security configuration and analysis
of Windows NT 4.0, 510
of Windows 2000, Windows XP Professional, and Windows Server 2003, 510
security configuration of Windows systems, role-based approach toward, 521–523
security council, role in security operations management, 94–95
security-data exchange languages, development of, 320
security defense plan, creating, 737–738
security documents
components of, 106
presentation of, 106
security efforts, justifying, 6–9
SecurityFocus team, web address for, 470
security guards
familiarizing with wireless equipment, 267
using as entry controls, 123
security hierarchy components
guidelines, 28
procedures, 29
project plan, 28
requirements definition, 27
roadmap, 27–28
scope definition, 27
security architecture specification, 27
security policy, 27
standards, 28–29
security lifecycle management, overview of, 96–98
security lists, subscribing to, 470, 483–484
security management components
accountability controls, 181–183
administrative security, 180–181
AUPs (acceptable use policies), 175–179
security manager, responsibilities of, 84
security manager, role in J2EE containers, 600–601
security methodology, Three Ds of, 10–12
security models
Bell-LaPadula, 435–436
Biba, 436
Clark-Wilson, 436
merging, 40
TCSEC (Trusted Systems Security Evaluation Criteria), 436–439
security monitoring services, examples of, 113
security operations management
interaction with human resources, 95–96
responsibilities of, 91–94
role of project management in, 91, 94
role of security council in, 94–95
security organizations
non-security jobs with security responsibilities in, 86–87
positions in, 82–87
publishing mission statement for, 82
roles and responsibilities of, 81–89
separation of duties in, 89–90
security policies
audience for, 50–51
benefits for personnel, 48
categories and organization of, 50–54
contributors to, 48–49
defining scope of, 51–52
developing, 48–55
enforcing for vendors and employees, 104
example of, 52–53
groups represented by, 49
identifying in security audits, 108
implementing, 78
introductory part of, 51
position in hierarchy of implementation, 54
role in security hierarchy, 27–28
role in security lifecycle, 97
topics for complying with, 101–102
security policy topics
for basic business requirements, 54–55
for computer systems, 56–68
for personnel management, 68–74
for physical security, 74–78
security positions
CSO (chief security officer), 83–84
facility security officer, 85
security administrator, 85–86
security architect, 85
security manager, 84
security practices
benefits of, 4
reducing costs with, 7
security products
antiviruses, 411
feedback analyzers, 412
firewalls, 412
IDSs (intrusion detection systems), 412
input validation, 412
ISAPI-based products, 411
secure logs, 412
vulnerability scanners, 412
security specializations, hierarchy of, 9
security strategy
objectives of, 23
and tactics, 15–17
Security Templates, using, 737
Security Templates, using with Windows systems, 510–511
security tools, impact of business processes on, 24–26
Security Update Manager, web address for, 345
segmentation defense model, overview of, 43–44
semidirectional antennas, role in layer 1 RF security, 266
sendmail, considering replacement of, 467–470
sensitivity labels, role in TCSEC security model, 439
sensors, role in SCADA systems, 422–423
sensors for network segments, role in NIDSs, 309
Sentry 2020 encryption product, web address for, 172
separation of duties
in IT (Information Technology), 89–90
role in administrative security, 180–181
in system administration, 90
sequence guessing, explanation of, 432
Server Operators group, description of, 509
server role, determining for Linux systems, 474–475
servers
disabling for network hardening, 220
enabling logging on, 227
performing physical vulnerability assessment of, 118
segregating in network design, 200
server security policy, example of, 52–53
servlets, role in J2EE architecture, 602–605
session and cookie management, overview of, 565–567
session beans, role in J2EE architecture, 605–606
session hijacking, explanation of, 432
session layer of OSI model, purpose of, 233
session theft, characteristics of, 566
session tracking, securing, 567
Sfind utility, web address for, 757–758
SFTP (Secure FTP), using with Unix systems, 456
SGID (set group ID) files, scanning on Unix systems, 461–463
SGI (Silicon Graphics) Case Study of merging security models, 40
shadow copy service, features of, 350
shared key authentication
role in WEP, 282
treatment of nonce in, 284
Sh file and directory attribute in NDS file system, explanation of, 534
.shs and .shb files, description of and threat caused by, 733
SID filtering, implementing on Windows systems, 507–508
SID (security identifier), role in Windows file-access permissions, 149
signal strength monitoring tools, web address for, 293
signature-detection model IDSs, overview of, 313–316
single sign-on, dangers of, 128
Sircam virus, obtaining information about, 385
sites, choosing for security, 119–122
site-to-site networking vulnerabilities and threats, relationship to VPNs, 261–262
S/Key authentication system, overview of, 138–139
Slammer worm, dynamics of, 709
smart cards and hardware-based devices, providing authentication with, 143–144
SMTP commands, table of, 364
SMTP reply codes, table of, 364
SMTP servers
compensating for lack of authentication on, 376
connecting to manually, 361–362
SMTP session, example of, 363
SMTP (Simple Mail Transfer Protocol)
character limitation of, 362
command sequence of, 362–367
distributing mail with, 378–379
overview of, 361–362
protocol and ports associated with, 235
security problems and solutions related to, 375–378
SSL support for, 374–375
snapshot HIDSs, features of, 305–306
Sniffer program, web address for, 717
Sniffer Wireless Expert system, web address for, 292
SNMP (Simple Network Management Protocol)
protocols and ports associated with, 235
role in incident detection, 740–741
role in network hardening, 223–224
Snort Open Source IDS
features of, 310–311
sample rule for, 314–315
SNR (signal-to-noise ratio) value, role in physical layer man-in-the-middle attacks, 278–279
SOAP (Simple Object Access Protocol), using with J2EE, 615–616
social engineering, explanation of, 156
SOCK proxies, features of, 396
SocksCap application, web address for, 231
SOCKS proxies, obtaining information about, 238
software-based policy enforcement, overview of, 104–105
software bugs and security, 571
source code repository access, overview of, 404–405
source ports, example of, 234
Source route failed message in ICMP, description of, 225
source routing, disabling on Cisco routers, 226–227
spam
fighting, 383–384
ISPs’ fighting of, 381–382
legal issues related to, 384–385
origin of, 381
overview of, 380
rejecting, 382
spam filters, evading, 362
spammers, reasons for and ways of hiding, 382–383
specialized information, examples of, 3
Special Permissions in Windows, granting, 150
SPI (stateful packet-inspection) firewalls, features of, 238–240
split horizon, role in RIP routing protocol, 217
split-tunnel routing, relationship to VPNs, 256–257
spoofing, explanation of, 169, 432
spread spectrum communications, explanation of, 274
spyware, overview of, 574–575
SQL commands, using for object-level database security, 665–666
SQL Slammer worm, dynamics of, 709
SQL (structured query language) injection
characteristics of, 594–597
dynamics of, 719–720
example of, 558–561
remedies for, 595–596
role in web application security, 558–563
solutions for, 562–563
SQL table structure, overview of, 559
SRM (Security Reference Monitor), features of, 440–442
SRTs (security response teams), responsibilities of, 87–89
SSH Communications Security, overview of, 147
SSH (Secure Shell) protocol
enabling, 221
protocol and ports associated with, 235
SSL (Secure Sockets Layer)
encrypting SMTP, POP3, and IMAP4 sessions with, 377
support for POP3, SMTP, and IMAP4, 374–375
using with credit cards, 418
SSL/TLS (Secure Sockets Layer)/(Transport Layer Security) certificate-based authentication
overview of, 141–143
securing e-commerce transactions with, 171
SSL VPNs, overview of, 250
standards, role in security hierarchy, 28–29
standby systems, features of, 357
startup areas, protecting, 728–729
startup scripts, reviewing on Unix systems prior to securing of, 453
state-aware firewalls, explanation of, 238
state flags, list of, 298
stateful protocol, TCP as, 298
stateless protocol, UDP as, 299
static NAT, features of, 242
static routes, purpose of, 216
steganography
role in forensics, 755–757
using, 377
stored communications section of ECPA, overview of, 770–771
stored procedures, using for database security, 668
StormWatch behavior-monitoring HIDS, web address for, 306, 311
strategic document theft, statistics related to, 304
strategic planning, implementing, 16
stream cipher, explanation of, 158
streaming cipher E0, role in Bluetooth PANs, 286
streaming media and IP telephony, overview of, 413–415
strong passwords
applying to user accounts, 727
creating and maintaining on NetWare operating system, 548–549
creating for Windows systems, 489–490
Subject e-mail header field, explanation of, 367
substitution cryptography, explanation of, 155
SUID (set user ID) files, scanning on Unix systems, 461–463
superuser accounts, renaming, 726
Supervisor (S)
NDS property right, 537
trustee rights in NDS file-system security, 532
SurfControl, web address for, 179
SUS (Software Update Services), features of, 343
Swatch, web address for, 471
Swatch log scanning application, using on Linux systems, 480–488
.swf files, description of and threat caused by, 733
switches, overview of, 214–216
switch security practices, role in network hardening, 218
Sy file and directory attribute in NDS file system, explanation of, 534
symmetric cryptography, using with .NET applications, 646–650
symmetric key algorithms
example of, 159
explanation of, 139
SYN flooding, vulnerability to, 433
SYN scan, example of, 240
SYN state flag, purpose of, 298
SYN (synchronization) requests, role in TCP/IP packet analysis, 298
SYS:LOGIN directory, advisory about placing items in, 552
system administration, separation of duties in, 90
system administration security policies for personnel management, examples of, 68–74
system and device logging, performing, 183–186
system and network activity monitoring, overview of, 189
system and network redundancy, overview of, 353–357
system configurations, using to harden Windows systems against attacks, 495–498
system logs, using for physical intrusion detection, 124
systems, keeping up and running, 357
T
TACACS+ (Terminal Access Controller Access Control System) authentication, enabling, 222–223
TCO (total cost of ownership), determining for IDSs, 303–304
tcpdump Open Source packet capturing and analyzing tool, web address for, 308
TCP/IP communication problems, reporting with ICMP, 224–226
TCP/IP packet analysis, overview of, 298–299
TCP/IP ports, services associated with, 474
TCP/IP (Transmission Control Protocol/Internet Protocol)
features of, 213
problems associated with, 432–433
purpose of, 232
relationship to firewalls, 232–234
relationship to OSI model, 232
relationship to ports, 233–234
using as countermeasure, 725
TCP port numbers, obtaining list of, 234–235
TCP protocol specification, obtaining information about, 298
TCP (Transmission Control Protocol)
as connection-oriented protocol, 298
protocol number for, 298
as stateful protocol, 298
TCP Wrappers
configuring for Linux systems, 477–479
installing on Linux systems, 476–477
using on Unix systems, 459–460
TCS BINARY application layer protocol, explanation of, 281
TCSEC (Trusted Systems Security Evaluation Criteria) security model, features of, 436–439
technical controls versus business processes, 24–26
Telnet
protocol and ports associated with, 235
weakness of, 221
“TEMPEST” bag, web address for, 281
T file and directory attribute in NDS file system, explanation of, 534
TFTP servers, disabling for network hardening, 220
third-party security products. See security products
threat definition and risk analysis, overview of, 31–37
threat identification, explanation of, 14
threats
estimated percentages of, 34–35
examples of, 33
explanation of, 32
sources and targets of, 34
threat vectors
common types of, 35–36
explanation of, 15
overview of, 33–37
Three Ds of security, overview of, 10–12
ThumbsPlus forensic software, web address for, 752
TKIP (Temporal Key Integrity Protocol) 802.11i encryption protocol, explanation of, 288–289
TLS (Transport Layer Security), role in HTTP Connect, 396
To e-mail header field, explanation of, 367
tools for security, impact of business processes on, 24–26
tools step toward improving security, overview of, 13
Tower of Hanoi backup strategy, explanation of, 349
Toyota door key combination Case Study, 20
traceroute, relationship to ICMP, 224–226
trade secrets, criminal theft of, 771
traffic redirection, relationship to NIDSs, 309–310
transaction-level trust model, dynamics of, 42–43
transitive security, explanation of, 22
transport layer of OSI model, purpose of, 233
transposition cryptography, explanation of, 155
trap door configurations
damage done by, 8
explanation of, 36
traps, purpose in SNMP, 223–224
triggers, using for database security, 668–669
Trillian client, web address for, 211
Triple DES block cipher, explanation of, 159
Tripwire snapshot HIDS
features of, 307
installing on Linux systems, 472–474
web address for, 471
Trojan horse programs
obtaining information about, 705
trust, role in zones of trust defense model, 42
Trustworthy Computing initiative
administering, 443–444
goals of, 443
TTL (time to live) field, relationship to traceroute and ICMP, 224–225
tunnels
role in proxies, 395
role in VPNs, 248
type safety, role in .NET managed code, 624
Type 3 Destination Unreachable message in ICMP, explanation of, 225–226
U
UDP headers, contents of, 299
UDP port numbers, obtaining list of, 234–235
UDP (User Datagram Protocol)
as connectionless and stateless protocol, 299
protocol number for, 298
unicast packets, role in NIDSs, 309
UNII band DSSS channels, splitting of, 275–276
UNII (Unlicensed National Information Infrastructure) frequencies, regulations for, 272
Unix file-access permissions, overview of, 151
Unix systems
auditing applications on, 460–461
auditing cron jobs on, 461
auditing scripts on, 462–463
avoiding use of root for daemons on, 456–458
configuring daemons for logging on, 467
installing OpenSSL on, 454
keeping patches up to date on, 465–466
knowing what ports are open on, 463–465
performing fresh install prior to securing of, 452
removing unneeded daemons from prior to securing of, 453
running CIS (Center for Internet Security) scans on, 465
scanning for SUID and SGID files on, 461–463
using centralized log servers with, 466–467
using chroot to isolate processes on, 458–459
using TCP Wrappers on, 459–460
UpdateEXPERT, web address for, 345
URL authorization in ASP.NET, explanation of, 655–656
.url files, description of and threat caused by, 733
URLs (Uniform Resource Locators), passing parameters by means of, 563–564
user accounts, securing, 726–727
usernames and password authentication systems
central storage, password comparison, and network authentication, 132–133
Kerberos, 135–137
local storage and comparison, 129–130
network systems based on challenge and response, 133–135
one-time password systems, 137–139
overview of, 128–139
securing passwords with encryption and securing password files, 130–132
user rights, role in authorization, 148. See also privileges
user roles, securing on Windows systems, 522–523
Users group, description of, 509
USER username POP command, description of, 370–371
UTC (Coordinated Universal Time), reporting event timestamps in, 326
V
.vb, .vbe, and .vbs files, description of and threat caused by, 733
version control, overview of, 336
views, using for database security, 667–668
virtual honeypots, creation of, 307
viruses
creators of, 386–387
dynamics of, 705–709
evolution of, 385–386
obtaining information about, 705
overview of, 385
for PDAs and cell phones, 708–709
protecting against, 390
removing, 388
semantics of, 389
statistics related to, 304
types of, 706–707
viruses, dynamics of, 37
VMware sandbox application, web address for, 570
VoIP (voice over IP), use of, 413–415
VPN protocols
IPSec tunnel mode, 249
L2TP over IPSec, 249–250
PPTP (Point-to-Point Tunneling Protocol), 250
SSL VPNs, 250
VPNs (virtual private networks)
and client configuration, 253–254
and client networking environment, 254–260
client/server remote access vulnerabilities of and threats to, 251–261
goals of, 248
and offline client activity, 260–261
providing remote access with, 203
relationship to firewalls, 244–245
and remote client security, 251–261
and remote dial-in server security, 251
securing Windows communications with, 520
site-to-site networking vulnerabilities and threats related to, 261–262
VPNs (virtual private networks), securing communications with, 169–170
VRFY SMTP command, explanation of, 367
VRRP (Virtual Router Redundancy Protocol), limitation of, 198
VSS (Visual SafeSource) code repository server, features of, 404
vulnerability assessment, purpose of, 14
vulnerability scanners, using, 412
vulnerability scanning, overview of, 189–190
.vxd files, description of and threat caused by, 733
W
Walt Disney World’s IT division Case Study, 102
WAP (Wireless Application Protocol) shortcomings, solutions for, 202
Wavemon signal strength monitoring tools, web address for, 293
wave-object interactions, dependencies for, 272
weakest link in security, determining, 22–23
web access, considering in network design, 209–210
web addresses
AirDefense Guard IDS solution, 293
AirFortress gateways, clients, and access controls servers, 293
AirJack driver, 282
AiroPoint 3600 Security Server, 293
AirSnort program, 284
“Auditing Unix System Services in OS/390”, 184
AUP examples, 176–178
AVDL (Application Vulnerability Description Language) Technical Committee, 320
backup strategies, 350
Bastille Linux, 737
BIND (Berkeley Internet Name Domain), 402
Bluesocket WG family gateway, 293
Bluetooth technology, 287
Bluetooth “TEMPEST” bag, 281
BlueZ open source Bluetooth stack, 286
Boomerang online backups, 351
Bugbear Internet worm, 709
BugTraq, 341
Carnivore system, 376
CERT, 341
chroot function in Unix, 200
CIDF (Common Intrusion Detection Framework) project, 320
CIS security benchmarks, 451
COBIT standard, 448–449
Colubris wireless LAN routers and public access controllers, 293
Configuration Auditor, 339
cross-site scripting vulnerabilities, 210
CryptoStor appliance, 172
CVE (Common Vulnerabilities and Exposures) dictionary, 320
CWNA (Certified Wireless Network Administrator) exam, 265
The Data Vault Corporation, 351
DeepSight Threat Management System, 311
DoS (denial of service) attacks, 220
DRM technologies, 173
dwepcrack program, 284
Echelon system, 376
EnCase forensic software, 752
encryption information, 377
encryption mathematics, 159
Ethereal Open Source sniffer, 364
Ethereal program, 717
Ettercap program, 215
FakeAP program, 278–279
FileCrypto encryption product, 172
filemon program, 493
filtering products, 179
Fluhrer, Mantin, and Shamir passive ciphertext-only WEP attack, 284
frequency allocation tables, 275
FTS for Bluetooth, 286
HashKeeper forensic software, 752
Hermes/Orinoco cards, 277–279
HFnetChkPro and HFNetChkLT, 346
Honeypots.net, 334
HTTP-Tunnel application, 231
IANA (Internet Assigned Numbers Authority), 392
IDScenter GUI for Snort, 317
IDS Host Sensor behavior-monitoring HIDS, 305
IDS resources, 334
IDS ROI discussion document, 305
IDS solutions behavior-monitoring HIDS, 306
I Love You Virus, 385
IR (incident response) plan examples, 740
lsof program, 451
Isomair Wireless Sentry IDS solution, 293
LaBrea sticky honeypot, 308
LEAP and PEAP, 202
legal issues related to spam, 385
Level 7 encryption utility, 222
libpcap Open Source packet-level driver, 308
Linux IrDA, 287
LogAnalysis.org, 334
Logcheck program, 471
A Look at Whisker’s Anti-IDS Tactics, 301
Manhunt NIDS, 308
MIT public key database storage, 169
MOM (Microsoft Operations Manager), 737
Morris virus, 385
National Security Association Museum, 157
Nessus tester for firewall security, 244
netcat utility, 715
netfilter/iptables, 725
.NET Remoting Central, 653
NFR NID NIDS, 308
Nimda virus, 386
Nmap tool, 233
NTP (Network Time Protocol), 741–742
OpenSSH, 451
OpenSSL, 451
operating system security, 209
OPSEC (Open Platform for Security), 239
Opsware System, 346
optimizing rules, 331
OSEC (Open Security Evaluation Criteria), 323
PAN setup, 286
password attacking programs, 759
PatchLite program, 346
patchworks for Windows systems, 346
PDA Defense encryption product, 172
PDA Safe encryption product, 172
PGP Corporation, 173
PortSentry program, 471
Postfix program, 451
Prism II chipset cards, 277–279
Qaz e-mail worm, 203
qmail program, 451
Quick View Plus forensic software, 752
RBLs (Realtime Blocking Lists), 381
RealSecure Desktop Protector, 306
RealSecure Sensor, 308
Red Book, 438
Red Hat Update Agent, 723
regmon program, 493
Retriever forensic software, 752
RF allocation tables, 275
RFCs (Requests for Comments) home page, 360
RF power calculators, 270
SANS InfoSec Reading Room-Intrusion Detection, 334
SANS Institute, 209
Secrit-e-Lok, 737
SecureEXE and SecureNT, 737
SecurityFocus team, 470
Security Update Manager, 345
Sentry 2020 encryption product, 172
Sfind utility, 757–758
Sircam virus, 385
Sniffer program, 717
Sniffer Wireless Expert system, 292
Snort NIDS, 308
Snort Open Source IDS, 296
SocksCap application, 231
StormWatch behavior-monitoring HIDS, 306, 311
SurfControl, 179
Swatch program, 471
tcpdump Open Source packet capturing and analyzing tool, 308
TCP protocol specification, 298
ThumbsPlus forensic software, 752
Trillian client, 211
UpdateEXPERT, 345
VMware sandbox application, 570
Wavemon signal strength monitoring tools, 293
Websense, 179
WEPCrack Perl scripts, 284
WEP tools, 284
Western Union change control process, 336
WHC (Windows Hotfix Checker), 346
WIDZ Open Source wireless IDS program, 292
WildPackets AiroPeek protocol analyzer, 293
WinDump Open Source packet capturing and analyzing tool, 308
wireless site survey devices, 271
WiSentry IDS software, 292
WLAN Secure Server, 293
WNET custom wireless frames generation suite for OpenBSD, 282
X-Force Catastrophic Risk Index, 344
Yagi antennas, 201
web application security
conclusions of, 568
encrypting data, 565
implementing for forms and scripts, 563–565
overview of, 557–558
solving data-transfer problems related to, 565
and SQL (structured query language) injection, 558–563
web-based e-mail and Hotmail, features of, 375
web-based patching procedure, example of, 345
web-based remote administration, authenticating, 578–579
web browser vulnerabilities, overview of, 210
Websense, web address for, 179
web server compromise, statistics related to, 304
web servers
attacks on, 406–410
choosing, 412–413
disabling for network hardening, 220
protecting, 410–412
web server security, overview of, 406
web services and applications, securing in .NET, 653–656
web sites, defacing, 406
well known ports, role in TCP/IP packet analysis, 299
WEPCrack Perl scripts, web address for, 284
WEP keys
cryptographic weaknesses of, 283, 285
distributing with 802.1x protocol, 289
generation of, 291
WEP tools, web address for, 284
WEP (Wired Equivalent Privacy) standard
cracking, 284
overview of, 282–283
weakness of, 316
WHC (Windows Hotfix Checker), web address for, 346
WIDS (wireless IDSs), features of, 316
WIDZ Open Source wireless IDS program, web address for, 292
WildPackets AiroPeek protocol analyzer, web address for, 293
Windows Authentication systems, modifying defaults for, 492. See also authentication systems
Windows communications, securing, 519–521
Windows file-access permissions, role in authorization, 149–150
Windows file permissions, table of, 150
Windows LAN Manager challenge and response, overview of, 133–135
Windows logical security boundaries
Windows NT 4.0 domain, 500–502
Windows 2000 and Windows Server 2003 forest, 502–504
Windows logs, example of, 184–186
Windows malicious file types, table of, 732–733
Windows network authentication, occurrence of, 133
Windows NT 4.0 domain, considering as logical security boundary, 500–502
Windows NT 4.0, security configuration and analysis of, 510
Windows security basics
apply technology and physical controls to protect access points, 491–492
block and filter access to services, 486–487
develop and enforce security policy via accountability, technology, and training, 498
harden systems against known attacks via system configurations, 495–498
increase use of port 80 by new services, 487
limit number of administrators and privileges, 492–495
mitigate effect of spoofed ports, 487
modify defaults for Windows Authentication systems, 492
overview of, 485–486
provide specific control at border areas, 486–487
segment network into areas of trust, 486–487
strengthen authentication processes, 488–492
use alternatives to passwords, 490–491
use patch systems, 487–488
use strong passwords, 489
Windows Security Templates, using, 510–511, 737
Windows shadow copy service, features of, 350
Windows systems
disabling services on, 497
role-based administration on, 508–510
role-based approach toward security configuration of, 521–523
selective authentication and SID filtering on, 507–508
threat analysis of, 498–499
using Group Policy with, 512–517
using NTFS with, 728
using security checklists with, 514–515
using Security Templates with, 510–511
well-known vulnerabilities in, 496–497
Windows trusts
complete forest trusts, 507
external trusts, 506
in forests, 505–506
overview of, 504–505
Windows NT 4.0 trusts, 505
Windows Update online service, features of, 343
Windows 2000 and Windows Server 2003 forest, considering as logical security boundaries, 502–504
Windows 2000, Windows XP Professional, and Windows Server 2003, security configuration and analysis of, 510
WinDump Open Source packet capturing and analyzing tool, web address for, 308
wireless and RF transmission interception, significance in choosing security sites, 121
wireless devices, controlling range of, 269–273
wireless impact on network perimeter, overview of, 201–202
wireless links, power gain and loss in, 271
wireless network hardening practices
802.1x-based authentication and EAP methods, 288–291
802.11i security standard, 287–291
overview of, 287
positioning and secure gateway considerations, 293
role of TKIP and CCMP in, 288–289
wireless intrusion detection, 291–293
wireless networks
choosing antennas for, 269
diagram of, 264
effect of free space path loss on, 271
key management issues related to, 283
mode of operation of, 279–280
physical layer man-in-the-middle attacks on, 278–279
range limitations of, 263–264
and RF layer 1 security solutions, 266–269
using frequency counters with, 275–276
wireless network security, overview of, 263–265
wireless power output, legal limitations on, 272–273
wireless security data link layer, overview of, 279
wiring closets, locking, 122
WiSentry IDS software, web address for, 292
WLAN Secure Server, web address for, 293
.wma files, description of and threat caused by, 733
WNET custom wireless frames generation suite for OpenBSD, web address for, 282
work product doctrine, role in IR overviews, 785–786
worm, explanation of, 386
worms
computer worms, 709–710
e-mail worms, 710–711
obtaining information about, 705
Write file permission
in Unix, 151
in Windows, 150
Write (W)
NDS property right, 537
rights in NDS file-system security, 532
.ws files, description of and threat caused by, 733
.wsc files, description of and threat caused by, 733
.wsf files, description of and threat caused by, 733
X
X file and directory attribute in NDS file system, explanation of, 534
X-Force Catastrophic Risk Index, web address for, 344
xinetd, using on Linux systems, 479
.xls files, description of and threat caused by, 733
XOR (exclusive or), explanation of, 158
X Windows, protocol and ports associated with, 235
Y
Yagi antennas
deploying, 269
features of, 201
radiation pattern of, 268
Z
zero day exploits, explanation of, 722
Zombie Trojans and DDoS attacks, dynamics of, 713
zones of trust defense model, overview of, 41–43
zone transfer, role in DNS, 402