Index
Forewords
Acknowledgments
Introduction
Chapter 1 Becoming a CISSP
Why Become a CISSP?
The CISSP Exam
CISSP: A Brief History
How Do You Become a CISSP?
What Does This Book Cover?
Tips for Taking the CISSP Exam
How to Use This Book
Questions
Answers
Chapter 2 Security Trends
How Security Became an Issue
Areas of Security
Benign to Scary
Evidence of the Evolution of Hacking
How Are Nations Affected?
How Are Companies Affected?
The U.S. Government’s Actions
Politics and Laws
So What Does This Mean to Us?
Hacking and Attacking
Management
A Layered Approach
An Architectural View
A Layer Missed
Bringing the Layers Together
Education
Summary
Chapter 3 Information Security and Risk Management
Security Management
Security Management Responsibilities
The Top-Down Approach to Security
Security Administration and Supporting Controls
Fundamental Principles of Security
Availability
Integrity
Confidentiality
Security Definitions
Security Through Obscurity
Organizational Security Model
Security Program Components
Information Risk Management
Who Really Understands Risk Management?
Information Risk Management Policy
The Risk Management Team
Risk Analysis
The Risk Analysis Team
The Value of Information and Assets
Costs That Make Up the Value
Identifying Threats
Failure and Fault Analysis
Quantitative Risk Analysis
Qualitative Risk Analysis
Quantitative vs. Qualitative
Protection Mechanisms
Putting It Together
Total Risk vs. Residual Risk
Handling Risk
Policies, Standards, Baselines, Guidelines, and Procedures
Security Policy
Standards
Baselines
Guidelines
Procedures
Implementation
Information Classification
Private Business vs. Military Classifications
Classification Controls
Layers of Responsibility
Who’s Involved?
The Data Owner
The Data Custodian
The System Owner
The Security Administrator
The Security Analyst
The Application Owner
The Supervisor
The Change Control Analyst
The Data Analyst
The Process Owner
The Solution Provider
The User
The Product Line Manager
The Auditor
Why So Many Roles?
Personnel
Structure
Hiring Practices
Employee Controls
Termination
Security-Awareness Training
Different Types of Security-Awareness Training
Evaluating the Program
Specialized Security Training
Summary
Quick Tips
Questions
Answers
Chapter 4 Access Control
Access Controls Overview
Security Principles
Availability
Integrity
Confidentiality
Identification, Authentication, Authorization, and Accountability
Identification and Authentication
Password Management
Authorization
Access Control Models
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Access Control Techniques and Technologies
Rule-Based Access Control
Constrained User Interfaces
Access Control Matrix
Content-Dependent Access Control
Context-Dependent Access Control
Access Control Administration
Centralized Access Control Administration
Decentralized Access Control Administration
Access Control Methods
Access Control Layers
Administrative Controls
Physical Controls
Technical Controls
Access Control Types
Preventive: Administrative
Preventive: Physical
Preventive: Technical
Accountability
Review of Audit Information
Keystroke Monitoring
Protecting Audit Data and Log Information
Access Control Practices
Unauthorized Disclosure of Information
Access Control Monitoring
Intrusion Detection
Intrusion Prevention Systems
A Few Threats to Access Control
Dictionary Attack
Brute Force Attacks
Spoofing at Logon
Summary
Quick Tips
Questions
Answers
Chapter 5 Security Architecture and Design
Computer Architecture
The Central Processing Unit
Multiprocessing
Operating System Architecture
Process Activity
Memory Management
Memory Types
Virtual Memory
CPU Modes and Protection Rings
Operating System Architecture
Domains
Layering and Data Hiding
The Evolution of Terminology
Virtual Machines
Additional Storage Devices
Input/Output Device Management
System Architecture
Defined Subsets of Subjects and Objects
Trusted Computing Base
Security Perimeter
Reference Monitor and Security Kernel
Security Policy
Least Privilege
Security Models
State Machine Models
The Bell-LaPadula Model
The Biba Model
The Clark-Wilson Model
The Information Flow Model
The Noninterference Model
The Lattice Model
The Brewer and Nash Model
The Graham-Denning Model
The Harrison-Ruzzo-Ullman Model
Security Modes of Operation
Dedicated Security Mode
System High-Security Mode
Compartmented Security Mode
Multilevel Security Mode
Trust and Assurance
Systems Evaluation Methods
Why Put a Product Through Evaluation?
The Orange Book
The Orange Book and the Rainbow Series
The Red Book
Information Technology Security Evaluation Criteria
Common Criteria
Certification vs. Accreditation
Certification
Accreditation
Open vs. Closed Systems
Open Systems
Closed Systems
Enterprise Architecture
A Few Threats to Review
Maintenance Hooks
Time-of-Check/Time-of-Use Attacks
Buffer Overflows
Summary
Quick Tips
Questions
Answers
Chapter 6 Physical and Environmental Security
Introduction to Physical Security
The Planning Process
Crime Prevention Through Environmental Design
Designing a Physical Security Program
Protecting Assets
Internal Support Systems
Electric Power
Environmental Issues
Ventilation
Fire Prevention, Detection, and Suppression
Perimeter Security
Facility Access Control
Personnel Access Controls
External Boundary Protection Mechanisms
Intrusion Detection Systems
Patrol Force and Guards
Dogs
Auditing Physical Access
Testing and Drills
Summary
Quick Tips
Questions
Answers
Chapter 7 Telecommunications and Network Security
Open Systems Interconnection Reference Model
Protocol
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Functions and Protocols in the OSI Model
Tying the Layers Together
TCP/IP
TCP
IP Addressing
IPv6
Types of Transmission
Analog and Digital
Asynchronous and Synchronous
Broadband and Baseband
LAN Networking
Network Topology
LAN Media Access Technologies
Cabling
Transmission Methods
Media Access Technologies
LAN Protocols
Routing Protocols
Networking Devices
Repeaters
Bridges
Routers
Switches
Gateways
PBXs
Firewalls
Honeypot
Network Segregation and Isolation
Networking Services and Protocols
Domain Name Service
Directory Services
Lightweight Directory Access Protocol
Network Address Translation
Intranets and Extranets
Metropolitan Area Networks
Wide Area Networks
Telecommunications Evolution
Dedicated Links
WAN Technologies
Remote Access
Dial-Up and RAS
ISDN
DSL
Cable Modems
VPN
Authentication Protocols
Remote Access Guidelines
Wireless Technologies
Wireless Communications
WLAN Components
Wireless Standards
WAP
i-Mode
Mobile Phone Security
War Driving for WLANs
Satellites
Rootkits
Spyware and Adware
Instant Messaging
Summary
Quick Tips
Questions
Answers
Chapter 8 Cryptography
The History of Cryptography
Cryptography Definitions and Concepts
Kerckhoffs’ Principle
The Strength of the Cryptosystem
Services of Cryptosystems
One-Time Pad
Running and Concealment Ciphers
Steganography
Types of Ciphers
Substitution Ciphers
Transposition Ciphers
Methods of Encryption
Symmetric vs. Asymmetric Algorithms
Symmetric Cryptography
Block and Stream Ciphers
Hybrid Encryption Methods
Types of Symmetric Systems
Data Encryption Standard
Triple-DES
The Advanced Encryption Standard
International Data Encryption Algorithm
Blowfish
RC4
RC5
RC6
Types of Asymmetric Systems
The Diffie-Hellman Algorithm
RSA
El Gamal
Elliptic Curve Cryptosystems
LUC
Knapsack
Zero Knowledge Proof
Message Integrity
The One-Way Hash
Various Hashing Algorithms
MD2
MD4
MD5
Attacks Against One-Way Hash Functions
Digital Signatures
Digital Signature Standard
Public Key Infrastructure
Certificate Authorities
Certificates
The Registration Authority
PKI Steps
Key Management
Key Management Principles
Rules for Keys and Key Management
Link Encryption vs. End-to-End Encryption
E-mail Standards
Multipurpose Internet Mail Extension
Privacy-Enhanced Mail
Message Security Protocol
Pretty Good Privacy
Quantum Cryptography
Internet Security
Start with the Basics
Attacks
Cipher-Only Attacks
Known-Plaintext Attacks
Chosen-Plaintext Attacks
Chosen-Ciphertext Attacks
Differential Cryptanalysis
Linear Cryptanalysis
Side-Channel Attacks
Replay Attacks
Algebraic Attacks
Analytic Attacks
Statistical Attacks
Summary
Quick Tips
Questions
Answers
Chapter 9 Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
Business Continuity Steps
Making BCP Part of the Security Policy and Program
Project Initiation
Business Continuity Planning Requirements
Business Impact Analysis
Preventive Measures
Recovery Strategies
Business Process Recovery
Facility Recovery
Supply and Technology Recovery
The End-User Environment
Data Backup Alternatives
Electronic Backup Solutions
Choosing a Software Backup Facility
Insurance
Recovery and Restoration
Developing Goals for the Plans
Implementing Strategies
Testing and Revising the Plan
Maintaining the Plan
Summary
Quick Tips
Questions
Answers
Chapter 10 Legal, Regulations, Compliance, and Investigations
The Many Facets of Cyberlaw
The Crux of Computer Crime Laws
Complexities in Cybercrime
Electronic Assets
The Evolution of Attacks
Different Countries
Types of Laws
Intellectual Property Laws
Trade Secret
Copyright
Trademark
Patent
Internal Protection of Intellectual Property
Software Piracy
Privacy
Laws, Directives, and Regulations
Liability and Its Ramifications
Personal Information
Hacker Intrusion
Investigations
Incident Response
Incident Response Procedures
Computer Forensics and Proper Collection of Evidence
International Organization on Computer Evidence
Motive, Opportunity, and Means
Computer Criminal Behavior
Incident Investigators
The Forensics Investigation Process
What Is Admissible in Court?
Surveillance, Search, and Seizure
Interviewing and Interrogating
A Few Different Attack Types
Ethics
The Computer Ethics Institute
The Internet Architecture Board
Corporate Ethics Programs
Summary
Quick Tips
Questions
Answers
Chapter 11 Application Security
Software’s Importance
Where Do We Place the Security?
Different Environments Demand Different Security
Environment vs. Application
Complexity of Functionality
Data Types, Format, and Length
Implementation and Default Issues
Failure States
Database Management
Database Management Software
Database Models
Database Programming Interfaces
Relational Database Components
Integrity
Database Security Issues
Data Warehousing and Data Mining
System Development
Management of Development
Life-Cycle Phases
Software Development Methods
Computer-Aided Software Engineering
Prototyping
Secure Design Methodology
Secure Development Methodology
Security Testing
Change Control
The Capability Maturity Model
Software Escrow
Application Development Methodology
Object-Oriented Concepts
Polymorphism
Data Modeling
Software Architecture
Data Structures
Cohesion and Coupling
Distributed Computing
CORBA and ORBs
COM and DCOM
Enterprise JavaBeans
Object Linking and Embedding
Distributed Computing Environment
Expert Systems and Knowledge-Based Systems
Artificial Neural Networks
Web Security
Vandalism
Financial Fraud
Privileged Access
Theft of Transaction Information
Theft of Intellectual Property
Denial-of-Service (DoS) Attacks
Create a Quality Assurance Process
Web Application Firewalls
Intrusion Prevention Systems
Implement SYN Proxies on the Firewall
Specific Threats for Web Environments
Mobile Code
Java Applets
ActiveX Controls
Malicious Software (Malware)
Antivirus Software
Spam Detection
Anti-Malware Programs
Patch Management
Step 1: Infrastructure
Step 2: Research
Step 3: Assess and Test
Step 4: Mitigation (“Rollback”)
Step 5: Deployment (“Rollout”)
Step 6: Validation, Reporting, and Logging
Limitations to Patching
Best Practices
Anything Else?
Attacks
Summary
Quick Tips
Questions
Answers
Chapter 12 Operations Security
The Role of the Operations Department
Administrative Management
Security and Network Personnel
Accountability
Clipping Levels
Assurance Levels
Operational Responsibilities
Unusual or Unexplained Occurrences
Deviations from Standards
Unscheduled Initial Program Loads (a.k.a. Rebooting)
Asset Identification and Management
System Controls
Trusted Recovery
Input and Output Controls
System Hardening
Remote Access Security
Configuration Management
Change Control Process
Change Control Documentation
Media Controls
Data Leakage
Network and Resource Availability
Mean Time Between Failures (MTBF)
Mean Time to Repair (MTTR)
Single Points of Failure
Backups
Contingency Planning
Mainframes
E-mail Security
How E-mail Works
Facsimile Security
Hack and Attack Methods
Vulnerability Testing
Penetration Testing
Wardialing
Other Vulnerability Types
Postmortem
Summary
Quick Tips
Questions
Answers
Appendix A Security Content Automation Protocol Overview
Background
SCAP—More Than Just a Protocol
A Vulnerability Management Problem
A Vulnerability Management Solution—SCAP and SCAP Specifications
SCAP Product Validation Program
The Future of Security Automation
Conclusion
Appendix B About the CD-ROM
Running the QuickTime Cryptography Video Sample
Troubleshooting
Installing Total Seminars’ Test Software
Navigation
Practice Mode
Final Mode
Minimum System Requirements for Total Seminars’ Software
Technical Support
Glossary
Index