Cover
About the Author
Title Page
Copyright Page
Contents at a Glance
Contents
Preface
Acknowledgments
Introduction
Part I: Foundations
Chapter 1: Information Security Overview
The Importance of Information Protection
The Evolution of Information Security
Justifying Security Investment
Business Agility
Cost Reduction
Portability
Security Methodology
How to Build a Security Program
Authority
Framework
Assessment
Planning
Action
Maintenance
The Impossible Job
The Weakest Link
Strategy and Tactics
Business Processes vs. Technical Controls
Summary
References
Chapter 2: Risk Analysis
Threat Definition
Threat Vectors
Threat Sources and Targets
Types of Attacks
Malicious Mobile Code
Advanced Persistent Threats (APTs)
Manual Attacks
Risk Analysis
Summary
References
Chapter 3: Compliance with Standards, Regulations, and Laws
Information Security Standards
COBIT
ISO 27000 Series
NIST
Regulations Affecting Information Security Professionals
The Duty of Care
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act
HIPAA Privacy and Security Rules
NERC CIP
PCI DSS: Payment Card Industry Data Security Standard
Laws Affecting Information Security Professionals
Hacking Laws
Electronic Communication Laws
Other Substantive Laws
Summary
References
Chapter 4: Secure Design Principles
The CIA Triad and Other Models
Confidentiality
Integrity
Availability
Additional Concepts
Defense Models
The Lollipop Model
The Onion Model
Zones of Trust
Best Practices for Network Defense
Secure the Physical Environment
Harden the Operating System
Keep Patches Updated
Use an Antivirus Scanner (with Real-Time Scanning)
Use Firewall Software
Secure Network Share Permissions
Use Encryption
Secure Applications
Back Up the System
Implement ARP Poisoning Defenses
Create a Computer Security Defense Plan
Summary
References
Chapter 5: Security Policies, Standards, Procedures, and Guidelines
Security Policies
Security Policy Development
Security Policy Contributors
Security Policy Audience
Policy Categories
Frameworks
Security Awareness
Importance of Security Awareness
Objectives of an Awareness Program
Increasing Effectiveness
Implementing the Awareness Program
Enforcement
Policy Enforcement for Vendors
Policy Enforcement for Employees
Software-Based Enforcement
Example Security Policy Topics
Acceptable Use Policies
Computer Policies
Network Policies
Data Privacy Policies
Data Integrity Policies
Personnel Management Policies
Security Management Policies
Physical Security Policies
Security Standards
Security Standard Example
Security Procedures
Security Procedure Example
Security Guidelines
Security Guideline Example
Ongoing Maintenance
Summary
References
Chapter 6: Security Organization
Roles and Responsibilities
Security Positions
Security Incident Response Team
Managed Security Services
Services Performed by MSSPs
Services That Can Be Monitored by MSSPs
Security Council, Steering Committee, or Board of Directors
Interaction with Human Resources
Summary
References
Chapter 7: Authentication and Authorization
Authentication
Usernames and Passwords
Certificate-Based Authentication
Extensible Authentication Protocol (EAP)
Biometrics
Additional Uses for Authentication
Authorization
User Rights
Role-Based Authorization (RBAC)
Access Control Lists (ACLs)
Rule-Based Authorization
Compliance with Standards
NIST
ISO 27002
COBIT
Summary
References
Part II: Data Security
Chapter 8: Securing Unstructured Data
Structured Data vs. Unstructured Data
At Rest, in Transit, and in Use
Approaches to Securing Unstructured Data
Databases
Applications
Networks
Computers
Storage (Local, Removable, or Networked)
Data Printed into the Physical World
Newer Approaches to Securing Unstructured Data
Data Loss Prevention (DLP)
Information Rights Management (IRM)
Summary
References
Chapter 9: Information Rights Management
Overview
The Difference Between DRM and IRM
What’s in a Name? EDRM, ERM, RMS, IRM
Evolution from Encryption to IRM
IRM Technology Details
What Constitutes an IRM Technology?
Architecture
Going Offline
Unstructured Data Formats
Getting Started with IRM
Classification Creation
User Provisioning
Rights Assignment
Securing Content
Distributing Content
Installing and Configuring the IRM Client
Authentication
Authorization
Rights Retrieval and Storage
Content Access and Rights Invocation
Access Auditing and Reporting
Rights Revocation
Summary
References
Chapter 10: Encryption
A Brief History of Encryption
Early Codes
More Modern Codes
Symmetric-Key Cryptography
Key Exchange
Public Key Cryptography
Key Exchange
Public Key Infrastructure
Structure and Function
CA Hierarchy
Certificate Templates and Enrollment
Revocation
Role Separation
Cross-Certification
Compliance with Standards
NIST
ISO 27002
COBIT
Summary
References
Chapter 11: Storage Security
Storage Security Evolution
Modern Storage Security
Storage Infrastructure
Administration Channel
Risks to Data
Risk Remediation
Confidentiality Risks
Integrity Risks
Availability Risks
Best Practices
Zoning
Arrays
Servers
Staff
Offsite Data Storage
Summary
References
Chapter 12: Database Security
General Database Security Concepts
Understanding Database Security Layers
Server-Level Security
Network-Level Security
Operating System Security
Understanding Database-Level Security
Database Administration Security
Database Roles and Permissions
Object-Level Security
Using Other Database Objects for Security
Using Application Security
Limitations of Application-Level Security
Supporting Internet Applications
Database Backup and Recovery
Determining Backup Constraints
Determining Recovery Requirements
Types of Database Backups
Keeping Your Servers Up to Date
Database Auditing and Monitoring
Reviewing Audit Logs
Database Monitoring
Summary
References
Part III: Network Security
Chapter 13: Secure Network Design
Introduction to Secure Network Design
Acceptable Risk
Designing Security into a Network
Designing an Appropriate Network
The Cost of Security
Performance
Availability
Security
Wireless Impact on the Perimeter
Remote Access Considerations
Internal Security Practices
Intranets, Extranets, and DMZs
Outbound Filtering
Compliance with Standards
NIST
ISO 27002
COBIT
Summary
References
Chapter 14: Network Device Security
Switch and Router Basics
MAC Addresses, IP Addresses, and ARP
TCP/IP
Hubs
Switches
Routers
Network Hardening
Patching
Switch Security Practices
Access Control Lists
Disabling Unused Services
Administrative Practices
Internet Control Message Protocol (ICMP)
Anti-Spoofing and Source Routing
Logging
Summary
References
Chapter 15: Firewalls
Overview
The Evolution of Firewalls
Application Control
Must-Have Firewall Features
Core Firewall Functions
Network Address Translation (NAT)
Auditing and Logging
Additional Firewall Capabilities
Application and Website Malware Execution Blocking
Antivirus
Intrusion Detection and Intrusion Prevention
Web Content (URL) Filtering and Caching
E-Mail (Spam) Filtering
Enhance Network Performance
Firewall Design
Firewall Strengths and Weaknesses
Firewall Placement
Firewall Configuration
Summary
References
Chapter 16: Virtual Private Networks
How a VPN Works
VPN Protocols
IPSec
PPTP
L2TP over IPSec
SSL VPNs
Remote Access VPN Security
Authentication Process
Client Configuration
Client Networking Environment
Offline Client Activity
Site-to-Site VPN Security
Summary
References
Chapter 17: Wireless Network Security
Radio Frequency Security Basics
Security Benefits of RF Knowledge
Layer One Security Solutions
Data-Link Layer Wireless Security Features, Flaws, and Threats
802.11 and 802.15 Data-Link Layer in a Nutshell
802.11 and 802.15 Data-Link Layer Vulnerabilities and Threats
Closed-System SSIDs, MAC Filtering, and Protocol Filtering
Built-in Bluetooth Network Data-Link Security and Threats
Wireless Vulnerabilities and Mitigations
Wired Side Leakage
Rogue Access Points
Misconfigured Access Points
Wireless Phishing
Client Isolation
Wireless Network Hardening Practices and Recommendations
Wireless Security Standards
Temporal Key Integrity Protocol and Counter Mode with CBC-MAC Protocol
802.1x-Based Authentication and EAP Methods
Wireless Intrusion Detection and Prevention
Wireless IPS and IDS
Bluetooth IPS
Wireless Network Positioning and Secure Gateways
Summary
References
Chapter 18: Intrusion Detection and Prevention Systems
IDS Concepts
Threat Types
First-Generation IDS
Second-Generation IDS
IDS Types and Detection Models
Host-Based IDS
Network-Based IDS (NIDS)
Anomaly-Detection (AD) Model
Signature-Detection Model
What Type of IDS Should You Use?
IDS Features
IDS End-User Interfaces
Intrusion-Prevention Systems (IPS)
IDS Management
IDS Logging and Alerting
IDS Deployment Considerations
IDS Fine-Tuning
IPS Deployment Plan
Security Information and Event Management (SIEM)
Data Aggregation
Analysis
Operational Interface
Additional SIEM Features
Summary
References
Chapter 19: Voice over IP (VoIP) and PBX Security
Background
VoIP Components
Call Control
Voice and Media Gateways and Gatekeepers
MCUs
Hardware Endpoints
Software Endpoints
Call and Contact Center Components
Voicemail Systems
VoIP Vulnerabilities and Countermeasures
Old Dogs, Old Tricks: The Original Hacks
Vulnerabilities and Exploits
The Protocols
Security Posture: System Integrators and Hosted VoIP
PBX
Hacking a PBX
Securing a PBX
TEM: Telecom Expense Management
Summary
References
Part IV: Computer Security
Chapter 20: Operating System Security Models
Operating System Models
The Underlying Protocols Are Insecure
Access Control Lists
MAC vs. DAC
Classic Security Models
Bell-LaPadula
Biba
Clark-Wilson
TCSEC
Labels
Reference Monitor
The Reference Monitor Concept
Windows Security Reference Monitor
Trustworthy Computing
International Standards for Operating System Security
Common Criteria
Summary
References
Chapter 21: Unix Security
Start with a Fresh Install
Securing a Unix System
Reducing the Attack Surface
Install Secure Software
Configure Secure Settings
Keep Software Up to Date
Place Servers into Network Zones
Strengthen Authentication Processes
Require Strong Passwords
Use Alternatives to Passwords
Limit Physical Access to Systems
Limit the Number of Administrators and Limit the Privileges of Administrators
Use sudo
Back Up Your System
Subscribe to Security Lists
Compliance with Standards
ISO 27002
COBIT
Summary
References
Chapter 22: Windows Security
Securing Windows Systems
Disable Windows Services and Remove Software
Securely Configure Remaining Software
Use Group Policy to Manage Settings
Computer Policies
User Policies
Security Configuration and Analysis
Group Policy
Install Security Software
Application Whitelisting
Patch Systems Regularly
Segment the Network into Zones of Trust
Blocking and Filtering Access to Services
Mitigating the Effect of Spoofed Ports
Strengthen Authentication Processes
Require, Promote, and Train Users in Using Strong Passwords
Use Alternatives to Passwords
Apply Technology and Physical Controls to Protect Access Points
Modify Defaults for Windows Authentication Systems
Limit the Number of Administrators and Limit the Privileges of Administrators
Applications that Require Admin Access to Files and the Registry
Elevated Privileges Are Required
Programmers as Administrators
Requiring Administrators to Use runas
Active Directory Domain Architecture
Logical Security Boundaries
Role-Based Administration
A Role-Based Approach to Security Configuration
Compliance with Standards
NIST
ISO 27002
COBIT
Summary
References
Chapter 23: Securing Infrastructure Services
E-Mail
Protocols, Their Vulnerabilities, and Countermeasures
Spam and Spam Control
Malware and Malware Control
Web Servers
Types of Attacks
Web Server Protection
DNS Servers
Install Patches
Prevent Unauthorized Zone Transfers
DNS Cache Poisoning
Proxy Servers
HTTP Proxy
FTP Proxy
Direct Mapping
POP3 Proxy
HTTP Connect
Reverse Proxy
Summary
References
Chapter 24: Virtual Machines and Cloud Computing
Virtual Machines
Protecting the Hypervisor
Protecting the Guest OS
Protecting Virtual Storage
Protecting Virtual Networks
NIST Special Publication 800-125
Cloud Computing
Types of Cloud Services
Cloud Computing Security Benefits
Security Considerations
Cloud Computing Risks and Remediations
Summary
References
Chapter 25: Securing Mobile Devices
Mobile Device Risks
Device Risks
Application Risks
Mobile Device Security
Built-in Security Features
Mobile Device Management (MDM)
Data Loss Prevention (DLP)
Summary
References
Part V: Application Security
Chapter 26: Secure Application Design
Secure Development Lifecycle
Application Security Practices
Security Training
Secure Development Infrastructure
Security Requirements
Secure Design
Threat Modeling
Secure Coding
Security Code Review
Security Testing
Security Documentation
Secure Release Management
Dependency Patch Monitoring
Product Security Incident Response
Decisions to Proceed
Web Application Security
SQL Injection
Forms and Scripts
Cookies and Session Management
General Attacks
Web Application Security Conclusions
Client Application Security
Running Privileges
Application Administration
Integration with OS Security
Application Updates
Remote Administration Security
Reasons for Remote Administration
Remote Administration Using a Web Interface
Authenticating Web-Based Remote Administration
Custom Remote Administration
Summary
References
Chapter 27: Writing Secure Software
Security Vulnerabilities: Causes and Prevention
Buffer Overflows
Integer Overflows
Cross-Site Scripting
SQL Injection
Whitelisting vs. Blacklisting
Summary
References
Chapter 28: J2EE Security
Java and J2EE Overview
The Java Language
Attacks on the JVM
The J2EE Architecture
Servlets
JavaServer Pages (JSP)
Enterprise JavaBeans (EJB)
Containers
Authentication and Authorization
J2EE Authentication
J2EE Authorization
Protocols
HTTP
HTTPS
Web Services Protocols
IIOP
JRMP
Proprietary Communication Protocols
JMS
JDBC
Summary
References
Chapter 29: Windows .NET Security
Core Security Features of .NET
Managed Code
Role-Based Security
Code Access Security
AppDomains and Isolated Storage
Application-Level Security in .NET
Using Cryptography
.NET Remoting Security
Securing Web Services and Web Applications
Summary
References
Chapter 30: Controlling Application Behavior
Controlling Applications on the Network
Access Control Challenges
Application Visibility
Controlling Application Communications
Restricting Applications Running on Computers
Application Whitelisting Software
Application Security Settings
Summary
References
Part VI: Security Operations
Chapter 31: Security Operations Management
Communication and Reporting
Change Management
Acceptable Use Enforcement
Examples of Acceptable Use Enforcement
Proactive Enforcement
Administrative Security
Preventing Administrative Abuse of Power
Management Practices
Accountability Controls
Security Monitoring and Auditing
Keeping Up with Current Events
Incident Response
Summary
References
Chapter 32: Disaster Recovery, Business Continuity, Backups, and High Availability
Disaster Recovery
Business Continuity Planning
The Four Components of Business Continuity Planning
Third-Party Vendor Issues
Awareness and Training Programs
Backups
Traditional Backup Methods
Backup Alternatives and Newer Methodologies
Backup Policy
High Availability
Automated Redundancy Methods
Operational Redundancy Methods
Compliance with Standards
ISO 27002
COBIT
Summary
References
Chapter 33: Incident Response and Forensic Analysis
Incident Response
Incident Detection
Response and Containment
Recovery and Resumption
Review and Improvement
Forensics
Legal Requirements
Evidence Acquisition
Evidence Analysis
Compliance with Laws During Incident Response
Law Enforcement Referrals—Yes or No?
Preservation of Evidence
Confidentiality and Privilege Issues
Summary
References
Part VII: Physical Security
Chapter 34: Physical Security
Classification of Assets
Physical Vulnerability Assessment
Buildings
Computing Devices and Peripherals
Documents
Records and Equipment
Choosing Site Location for Security
Accessibility
Lighting
Proximity to Other Buildings
Proximity to Law Enforcement and Emergency Response
RF and Wireless Transmission Interception
Utilities Reliability
Construction and Excavation
Securing Assets: Locks and Entry Controls
Locks
Entry Controls
Physical Intrusion Detection
Closed-Circuit Television
Alarms
Compliance with Standards
ISO 27002
COBIT
Summary
References
Glossary
Index