© fandijki/ShutterStock, Inc.
Index
Note: Page numbers followed by f and t indicate figures and tables, respectively
21 CFR Part 11, 304
802.1x protocol, 213
A
AAA framework, 221
ABAC. See attribute-based access control
accents, 188
acceptability parameter, 191
acceptable use policy (AUP), 50–51, 313
access-challenge response, 208
access control, 4, 27–38, 62–65, 69–71, 81–85, 100, 109–130, 133–155, 175, 176, 182, 253, 272, 282–284, 288, 325–329
access control entries (ACEs), 79–80, 164–165, 165t
access control lists (ACLs), 79–80, 100, 164
access control solutions for remote workers, 205
access control strategy, 46–47
access mask, 164
access owners responsibilities, 49–50
access protocols to minimize risk, 205–212
access restrictions on information, 30–31
account management policy, 314
accuracy, monitoring and reporting, 283
Acme Credit Card Processing, 332
acquisition phase, 257
Active Directory, 164
Active Directory forest, 170
administrative access level, 11
administrative policies, 114
administrative rights, 123
Administrative Simplification provisions, HIPAA, 297
administrative strategies, 121
administrator, 123
Advanced Encryption Standard (AES), 102, 229, 236
ALE. See annualized loss expectancy
analyst conflicts of interest, SOX, 301
annualized loss expectancy (ALE), 66, 67
annualized rate of occurrence (ARO), 66
anomaly detection, 283
anti-circumvention parameter, 191
application development standard, 314
Application Layer, 137
application-level events, 284
application-level firewalls, 71
applications, 6, 12, 118, 141–142, 308
ARO. See annualized rate of occurrence
assess impact, 273
assessment, 134
asset inventory, 34
asymmetric algorithms, 229–232, 235–236
asymmetric attributes, 236t
asymmetric cryptography, 230, 235, 239
asymmetric encryption, 230–232
asymmetric key algorithms, 231
asymmetric key encryption process, 231f
asymmetric key systems, 232
asynchronous tokens, 88
ATM. See automated teller machine
attribute-based access control (ABAC), 80, 83–84
auditor independence, SOX, 300
authentication, 5, 7, 8, 73, 85, 205–207, 211, 219, 239, 240, 280
authentication factors, 13–17, 85–91
authentication header (AH), 217
authentication methods, 151
authentication server (AS), 94, 213
authentication service, 93, 246
authentication tickets, 96
authenticity, 281
author access level, 11
authorization, 5, 7–9, 102–103, 154, 205–206, 211
authorized subject, 5
automated account review, 121
automated expiration of temporary access, 122
automated patching, 71
automated teller machine (ATM), 6, 269, 278
automated testing, 254
automatic declassification, 23
B
bad hiring decision, consequences of, 44
barriers, 183
baselines, 141
behavioral biometrics, 17
behavior-based biometrics, 187–188
believability, 42
Bell-LaPadula Model, 83
best practices, 155–156, 306–312
binary large objects (BLOBs), 166
biometrics, 16, 90, 104, 185–193, 327
black-hat hackers, 331
blacklist, 283
blue team, 269
border firewalls, PNNL, 73
boundary conditions, 253
breaches, 321
breach planning, 259
Bring Your Own Device (BYOD) policy, 84
British Telecom, 162
broadcast domains, 99
brute-force attacks, 86, 96, 229
Bugtraq alert, 264
building security, 182
business cryptography, 242–245
business drivers for access control, 27–35
business issues, 192
business partners, access, 147–150
business reasons to secure information, 27–35
business requirements for asset protection, 21
business to business (B2B) transactions, 151
business to customer (B2C) transactions, 151
business use of Kerberos, 96
C
CA. See certificate authority
California Identity Theft Statute, 323–324
Cardenas, D., 317
card holder unique identification (CHUID), 195
case studies in risk assessment, 71–73
Center for Internet Security (CIS), 138
Centers for Medicare and Medicaid Services (CMS), 299
CER. See crossover error rate
certificate authority (CA), 227, 233, 234, 236–238, 238f, 245–247
certificate issuer, 245
certificate manufacturer, 245
certificate PKI software/hardware, 245
Certificate Practice Statement (CPS), 238
certificate repository, 228
certificate revocation list (CRL), 238
certificate server, 228
certificate validation, 228
CFAA. See Computer Fraud and Abuse Act
challenge handshake authentication protocol (CHAP), 213, 213t
challenge-response device, 89
challenge-response tokens, 15, 195
CHAP. See challenge handshake authentication protocol
chief security officer (CSO), 101
child objects, 164
Children’s Internet Protection Act (CIPA), 303–304
C-I-A triad, 80, 277–279, 278f
cipher locks, 194
civil penalties, Enforcement Rule, 300
classification of information, 21–25
classified government facilities, 185
clearance, 21
cleartext, 94
client/server model, 209
cloud service, 232
code injection, 267
Code of Federal Regulations (CFR), 304
collectability parameter, 191
combination locks, 194
commercial off-the-shelf (COTS) products, 93
Commission Resources and Authority, SOX, 301
common access card (CAC), 89, 195
Common Criteria for Information Technology Security Evaluation, 81
Communications Assistance for Law Enforcement Act (CALEA), 303
communications, internal business operations and, 150
compartmentalization, 122
competitive advantage, 25–26, 114
competitive use of information, 26–27
compromise, 102
Computer Fraud and Abuse Act (CFAA), 321–322
computer rooms, 185
computer security, 331
Confidential information, 21, 22, 35
confidentiality, 80, 102, 117, 239, 241, 278, 282
confidentiality agreement, 26
configuration, PNNL, 73
consistent approach, 68
consistent measurement, 68
contactless smart card, 89
contact smart card, 89
Content Scramble System (CSS), 323
contractor access controls, 36–37
Controlled Unclassified Information (CUI), 22
controlling access to information, 35–37
cookies, 104
copyright technology protection, 322–323
Corporate Fraud Accountability, SOX, 301
corporate newsletter, 28
corporate responsibility, SOX, 300
corporate tax returns, SOX, 301
corporations access to information, 23
cost-benefit analysis, 27
cost-effectiveness of biometric solutions, 192
cost of deployment and maintenance, 192
cost of impact, 67
cost of replacement, 67
Counter Mode Cipher Block Chaining Message Authentication Protocol (CCMP), 102
crackers, 331
creative risk-taking, 54
credentials, 87
credit card information, 26
Criminal Fraud Accountability, SOX, 301
critical infrastructure access control, 56–57, 106–107, 129, 157–158, 177, 199–200, 221, 291, 310–312, 317–318
critical infrastructure PKI, 249
critical infrastructure risk assessment, 74
critical infrastructure security breaches, 335
crossover error rate (CER), 189, 189f
cryptographic hash function, 239
cryptography, 93, 232, 242–245
CSS. See Content Scramble System
culture of open discussion, 53–54
customer relationship management (CRM), 31
D
DAC. See discretionary access control
DACL. See discretionary access control list
database, 12
database storage, 193
database transmission, 193
data centers, 185
data element, 12
data encryption, PNNL, 73
Data Encryption Standard (DES) encryption, 327
Data General Corporation, 26
data in motion (DIM), 162–164, 163f
data integrity, 278
data leaks, 162
dbcreator, 147
declassification, 23
decommissioning of users, 177
Defense-in-depth, 143
defense-in-depth strategy, 73
delegated access rights, 166–167
demilitarized zone (DMZ), 71
denial of service (DoS) attack, 61, 101, 330
departmental guidelines, 315
Department of Health and Human Services (HHS), 299–300
depreciated cost, 66
designated file types properties, 144, 146f
development phase, 256
dictionary attacks, 86
Diffie-Hellman algorithm, 235
Diffie-Hellman key exchange, 235
digital certificates, 151, 218–219, 233–235, 233f, 238, 239, 245–246
Digital Computer Controls, 26
Digital Millennium Copyright Act (DMCA), 322
DIM. See data in motion
direct costs of security breaches, 325, 332
directory information, 302
disaster recovery, 110, 112–113
discretionary access control (DAC), 81, 121, 127, 161, 316
discretionary access control list (DACL), 79, 164–165
disgruntled employees, 45
disk encryption, 162
distributed denial of service (DDoS) attacks, 330, 335
distribution of keys, 244
distributors, extranets, 150–151
document-sharing, 161
domain administrator, 170
domains of typical IT infrastructure, 265–268
domain validated (DV), 234
double-blind penetration test, 270
E
EAP. See extensible authentication protocol
EAP with flexible authentication via secure tunneling (EAP-FAST), 215
EAP with message digest 5 (EAP-MD5), 214
EAP with transport layer security (EAP-TLS), 214–215
EAP with tunneled transport layer security (EAP-TTLS), 215
electronic key management system (EKMS), 194–195
electronic protected health information (EPHI), 298–299
electronic security guidelines, NERC, 304–305
elliptic curve cryptosystem (ECC), 236
Emergency Disconnect Prime Directive, 101
employees, 50–51, 112, 114, 116, 119–121, 148
employee training, 114
Encapsulating Security Payload (ESP), 217–218
enclaves implementation, PNNL, 72
encryption, 151–152, 162, 228, 228f, 229, 308
end users guidelines, 315
enforcement properties, 144, 145f
enhanced financial disclosures, SOX, 301
enrollment process, 186
enterprise organization access controls best practices, 104–105
enterprise-wide password database system, 141
Equifax security breach, 333
ESP. See Encapsulating Security Payload
ethical hackers, 331
event-type audit logs, 284–285
existence of information, 124
explicitly delegated rights, 166
exposure factor (EF), 66
Extended TACACS (XTACACS), 210–211
extended validation (EV), 234
extensible authentication protocol (EAP), 214–216, 214f, 215t, 216f
external access controls, 36–37
external audit, 49
F
facial recognition, 187
facilities, access control for, 307
failure to acquire rate. See failure to capture rate
failure to capture rate, 190
failure to enroll rate, 189
Fair Credit Reporting Act, 44
false acceptance rate (FAR), 188
false positives, 283
false rejection rate (FRR), 189
Family Educational Rights and Privacy Act (FERPA), 301–303
federal facilities, 184
Federal Financial Institutions Examination Council (FFIEC), 152–154
Federal Information Processing Standard (FIPS), 232
Federal Information Security Management Act (FISMA), 136–137, 309
federation, 154
FFIEC. See Federal Financial Institutions Examination Council
file permissions in Linux, 172–173, 172t, 173f
file-sharing sites, 327
file systems access control, 147, 164–165
File Transfer Protocol (FTP), 267
file transfers, encrypting, 243
financial impact of security breaches, 332–333
Financial Modernization Act of 1999. See Gramm-Leach-Bliley Act
fingerprints, 186
fingerprint scan, 8
firewall, 71
FISMA. See Federal Information Security Management Act
five pillars of information assurance, 279–280
fobs, 195
folder access, 147
folder permissions in Windows, 169–170, 169f–170f
Food and Drug Administration (FDA) guidelines, 304
Freedom of Information Act (FOIA), 22
Freedom of Information Act request, 22
full asset inventory, 34
G
gaps identification, 273
generic routing encapsulation (GRE), 217
generic work areas, 183
get out of jail free card, 269
government facilities, 184–185
Gramm-Leach-Bliley Act (GLBA), 296–297
group access controls, 11
guests, 124
guidelines, 134, 140, 142, 313, 315
Guide to Enterprise Password Management, 139
H
hand geometry systems, 187, 193
hardening, network, 260
hash salt, 327
Hawaii Integrated Maritime Information System (HIMIS), 291
health information system (HIS), 176
Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, 299
Health Insurance Portability and Accountability Act (HIPAA), 26, 44, 115, 289, 297–300
Her Majesty’s Revenue & Customs (HMRC), 335
HHS Office for Civil Rights, 299
highly sensitive data, encrypting, 243
highly sensitive information, 23
HIPAA. See Health Insurance Portability and Accountability Act
History-based access control (HBAC), 84
HMI. See human machine interface
Homeland Security Presidential Directive 12 (HSPD 12), 305–306
host-based firewalls, PNNL, 73
host discovery methods, 259
host synchronization, 97
human machine interface (HMI), 311
human resources (HR), 53
Hypertext Transfer Protocol Secure (HTTPS) communications, 163
I
IA. See information assurance
ICS. See industrial control system
identification, 7–8, 154, 204–205
identification mode of a biometric system, 190
identification process, 186
identification standard, 314
Identity as a Service (IDaaS), 155
Identity-based access control (IBAC), 82
identity management, application, 141–142
identity provider, 154
Identity Theft Enforcement and Restitution Act, 321
IDS. See intrusion detection system
IEEE Standards Association (IEEE-SA), 99, 136
IETF. See Internet Engineering Task Force
implicitly delegated rights, 167
incident response, 264
indirect attacks, 330
indirect costs of security breaches, 325, 332
individual guidelines, 315
industrial control system (ICS), 173–174
information, 6, 21–38, 32f, 271
information assets inventory, 28
information assurance (IA), 276–282, 278f, 279f, 281f, 282–283, 288–292
information integrity, 278
information security activities, 258, 277
information security policy, FISMA, 136
information technology (IT), 296–301
in-house key management, 244–245
initial key, 234
initiation phase, 257
input controls, 125
instant messaging communication, encrypting, 243
intangible damages, security breach, 330
integration testing, 256
integrity, 80, 117, 239, 241, 278, 282
intellectual property. See information assets inventory
internal access controls, 35–36
internal audit, 49
internal business operations and communications, 150
internal information, 23
International Electrotechnical Committee (IEC), 137
Internet Engineering Task Force (IETF), 137–138
Internet key exchange (IKE), 218
Internet Layer, 137
Internet Protocol (IP), 10, 97, 259
Internet protocol security (IPSec) protocol, 217–218
Internet Security Association and Key Management Protocol (ISAKMP), 218
Internet service provider (ISP), 102, 323
intranets, 150
intrusion detection system (IDS), 71, 163, 283, 288
intrusion prevention system (IPS), 71, 163
intrusive testing method, 259–260, 268
inventory of IT assets, 143
IPS. See intrusion prevention system
iris, 187
ISA Security Compliance Institute (ISCI), 311
ISO, 137
IT infrastructure, 68
J
job rotation, 47
K
key archival, 234
key distribution, 234
Key Distribution Center (KDC), 93, 95–96
key generation, 234
key management, 233–235, 244–245
key recovery, 234
key recovery service, 228
keyspace, 229
key termination, 234
key usage, 234
knowledge-based authentication (KBA), 219
L
LAN Manager (LM) hash, 327
LAN-to-WAN Domain, 267
law enforcement databases, 193
Layer 2 techniques, 98
Layer 3 techniques, 100
Layer 2 Tunneling Protocol (L2TP), 217
LDAP. See Lightweight Directory Access Protocol
least privilege, 80, 114, 122–124
least privileged scenario, 22
least user access (LUA), 122
legal issues, 192
LexisNexis, 334
liability, risk assessment, 69–71
library access monitoring, 142
Lightweight Directory Access Protocol (LDAP), 175, 176, 207
Lightweight EAP (LEAP), 215
Linux file permissions, 172–173, 172t, 173f
load testing, 256
Local Area Network (LAN) Domain, 71, 98, 163, 266–267
locking mechanism, 182
locks, 194
logical access controls, 9–13, 13f
logical link control (LLC), 98
logical location, 10
logon/password access, 153–154
log shipping, 71
Los Angeles County Department of Health Services, 316
M
MAC spoofing, 99
maintenance of biometric solutions, 192
malicious hackers, 331
mandatory access control (MAC), 81, 82, 121, 128, 161, 316
mandatory declassification review, 24
man-in-the-middle attacks, 235, 236
Massachusetts Institute of Technology (MIT), 93
mechanical locks, 194
Media Access Control (MAC), 10–11, 98, 99, 128
membership in groups, 150
mesh network topology, 128, 129f
minutiae matching, 186
mitigation plans, 35
mobile devices, encrypting information on, 243
monetary gain, 331
Monster.com security breach, 332
MS-CHAP, 213
multilayered access control, 143–148
multilayered approach, 68
multilevel security (MLS) system, 82
multiple contacts, 42
multiple single level (MSL), 82
Multipurpose Internet Mail Extensions (MIME) format, 243
N
National Audit Office (NAO), 335
National Institute of Standards and Technology (NIST), 136
National Security classification, 22
National Vulnerability Database (NVD), 135
need to know, 22, 114, 124–125
network access control (NAC), 97–101
network access server (NAS), 206
network administrators, assets, 143
network admission control, 97
network analysis, identity management, 141–142
network antivirus, 326
network authentication protocols, 213–216
network devices, 119
network interface card (NIC), 98
Network Layer, 100
network scanners, 260
New York Times, The, 333
NIST National Vulnerability Database (NVD), 135
NIST Special Publication (SP) 800-53, 139
NIST Special Publication (SP) 800-118, 139
Nmap (Network Mapper), 260, 261f
Nmap report in Zenmap GUI, 260
no access, 11
non-directory information, 302
nondisclosure agreement (NDA), 23, 36
non-financial impact, 69
nonintrusive testing methods, 259–260
non-sensitive work areas, 183
normalization, 287
North American Electric Reliability Council (NERC), 304–305
NTLM hash, 327
O
OAKLEY, 218
objectives of risk assessment, 68
object level security, 164
objects, 3, 4, 6, 11–13, 13f, 118
one-to-many scenario, 28
ongoing observation of personnel, 45–46
ongoing training policy, 288
online banking access control, 152–153
Online Certificate Status Protocol (OCSP), 238
open discussion culture, 53–54
OpenID Connect, 154
Open Systems Interconnection (OSI) Reference Model, 98
Open Vulnerability Assessment Scanner (OpenVAS), 263, 263f, 264f
operational efficiency, 33
operation, principles of, 186
operations and maintenance phase, 258
Orange Book, 83
order process example, 29–31, 29f
organizational behavior, 53–54
organizational ethics programs, 52
organizational structure model, 47
organizational units (OUs), 168
Organization-based access control (OrBAC), 83
organization validated (OV), 234
output controls, 125
P
Pacific Northwest National Laboratory (PNNL), 72
parent object, 167
Parkerian hexad, 280–282, 281f
parsing, 286
Partner Standards Development Organization (PSDO), 137
passphrase, 14
pass-the-hash attack, 171
Password Authentication Protocol (PAP), 212, 213t
password cracking, 62–64, 63t, 64t
password hash, 65
password policy, 313
patch management, PNNL, 73
pattern matching, 187
Payment Card Industry Data Security Standard (PCI DSS), 26, 138, 243
PCI DSS. See Payment Card Industry Data Security Standard
PCI Security Standards Council, 138
penalties for improper disclosure, 26–27
penetration attempt, 271
penetration testing, 253, 268–270, 326
performance parameter, 191
periodic vacation requirement, 47
permanence parameter, 191
Perot Systems, 248
personal danger issues, 193
personal identification numbers (PINs), 88, 269
personally identifiable information (PII), 24, 78, 328
phased approach, 134
physical access controls, 114, 117, 196–197, 334
physical attacks, 330
physical biometrics, 16
physical guidelines, NERC, 304
physical locks, 194
physical obstacles, 183
physical security, 6, 114, 180, 195–196, 325, 327
physiological biometric types, 186–187
PII. See personally identifiable information
PINs. See personal identification numbers
PKI. See public key infrastructure
plaintext password, 124
planning, penetration test, 270–271
points of entry and exit, 182
Point-to-Point Protocol (PPP), 212
Point-to-Point Tunneling Protocol (PPTP), 217
policies, 4, 5, 21, 23, 35, 52–53, 134, 139, 272, 313–315
policy authority, 245
policy-based routing, 100
position sensitivity, 47
possession or control, 281
potential liability, 69
pre-employment background checks, 43–44
principals, 96
principle of least privilege, 80, 122–124
Privacy Act information, 24
privacy impact assessment (PIA), 328–329
Privacy Rule, 297
private sector access control, 54–55, 104–105, 126–129, 156, 175, 197–198, 220–221, 289, 306–309, 315–316
private sector PKI, 248
private sector risk assessment, 71–72
private sector security breaches, 334–335
probability of occurrence, 60, 61
procedures, 4, 5, 134, 140, 313–315
processes, 6
programmable logic controllers (PLCs), 311
proprietary information, 23
Protected EAP (PEAP), 215
protected health information (PHI), 297
protecting value of information, 35–37
Public Company Accounting Oversight Board (PCAOB), 300
public information, 23
public key, 151, 230, 231f, 245
public key cryptography, 227
public key infrastructure (PKI), 227–228, 240–241, 247–249
public records, 106
public sector access control, 55–56, 106, 128–129, 156–157, 175–176, 198–199, 221, 289–291, 309–310, 316–317
public sector risk assessment, 72–73
public sector security breaches, 335
purchase cost, 66
Q
qualitative risk assessment, 67
quantitative risk assessment, 66
R
RA. See registration authority
RAdAC. See risk-adaptive access control
Radio Frequency Identification (RFID) badges, 328
RADIUS. See Remote Authentication Dial In User Service
RBAC. See role-based access control
read only access level, 11
realm, 96
red team, 269
registration authority (RA), 227, 234, 246
regulatory compliance, 295
relational database (RDB), 164
relational database management system (RDBMS), 166
release and training phase, 256
remediation plans, 273
remote access, 204–205, 219–220, 309
Remote Access Domain, 268
remote access policy, 314
remote access server (RAS), 210
remote access standard, 314
Remote Authentication Dial In User Service (RADIUS), 175, 206–209, 207f, 212, 212t, 221
remote authentication protocols, 212–213
remote terminal units (RTUs), 311
remote virtual private network (VPN) access, 148–150
removable devices, encrypting, 243
repository, 246
request for help, 42
Requests for Comments (RFCs), 137
requirements analysis, 254, 255
requirements definition, 258
restricted information, 32
restricting access to information, 30–31
retina, 187
retinal scans, 187
return on investment (ROI), 104
revocation manufacturer, 245
ridges, 186
risk, 60, 62f, 114, 242, 246–247
risk-adaptive access control (RAdAC), 81, 84–85
risk assessment, 28, 34–35, 60, 66–69, 71–73
risk assessment policy, 67
risk assessment process, 66
risk exposures, 273
risk management strategies, 67
risk transference, 67, 115–116
rogue internal operatives, 326
role-based access control (RBAC), 81–83, 121, 127, 161, 316
role-playing activities, 50
root certificate authorities, 245
root superuser, 173
root user, 123
route maps, 100
RSA asymmetric encryption algorithm, 236
S
SACLs. See system access control lists
sandbox, 165
Sarbanes-Oxley (SOX) Act of 2002, 300–301
SCADA. See supervisory control and data acquisition
scalability, 93
Secret information, 22
Secure/Multipurpose Internet Mail Extensions (S/MIME), 243
Secure Sockets Layer (SSL), 163
Securities and Exchange Commission (SEC), 301
security, 93
security administrator, 62, 63
Security Assertion Markup Language (SAML), 154
security association (SA), 218
security audit, 196
security awareness policy, 51
security breach attack plan, 264–265
security breaches, 264–265, 330–333
security countermeasures, 272
security development life cycle, 256–258, 257f
security gaps, 273
security identifier (SID), 79
security information and event management (SIEM) system, 287–288
security risk, 219
self-signed digital certificate, 245
senior management role, 21
Sensitive Compartmented Information Facilities (SCIFs), 13, 70
sensitive positions, pre-employment background checks for, 43–44
sensitive work areas, 184
separation of duties, 48–49, 83
separation of responsibilities, 122
serveradmin, 147
service level agreements (SLAs), 196
Service provider, 154
service set identifier (SSID), 101
session key, 96
shadow password file, 327
shoulder surfing, 88
signature analysis, 188
signing server, 228
simple security rule, 83
Simultaneous Authentication of Equals (SAE), 102
single-factor authentication, 91
single loss expectancy (SLE), 66
single point of failure, 97
single sign-on (SSO), 103–104, 141
situation, risk assessment, 69–71
smart card ID badge, 64
SMShing, 87
social engineering, 41–43, 54–55, 62, 64–65, 86, 269, 270, 272, 307, 326, 330
social networking sites, 327
Social Security number (SSN), 24, 324
Software as a Service (SaaS) office suite, 126
software design, 255
software development life cycle, 254–256, 255f
spam remailer, 331
spear phishing, 73, 87, 326–327
specification detection, 284
SSL 128-bit encryption, 157
staff, 143
standards, 133–155, 272, 313, 314
standard testing procedures, third-party application, 308
status motivation, 43
storage of biometric data, 193
strong authentication, 91
strong *-property rule, 83
subjects, 3–6, 10–13, 118, 119
subordinate certificate authorities, 245
subscribers, 227
subsequent key, 234
substitute user do (sudo), 173
sunset phase, 258
supervisory control and data acquisition (SCADA), 173–174, 310–311
supplicant, 213
support phase, 256
symmetric algorithms, 229–230, 235–236
symmetric attributes, 236t
symmetric cryptography, 239
symmetric cryptosystems, 229, 239
symmetric encryption, 89
symmetric encryption algorithms, 229
symmetric encryption key, 152
symmetric key encryption process, 230f
symmetric key systems, 229, 232
synchronous tokens, 88
sysadmin, 147
system access control lists (SACLs), 80, 144–145, 165
System/Application Domain, 268
systematic declassification, 23
system exploits, 330
system-level events, 284
systems access control, 307
T
table, 12
tailgating, 65
tangible damage, security breach, 330
target, 43
TCSEC. See Trusted Computer System Evaluation Criteria
technological access controls, 114
technology-related access control solutions, 194–195
Temporal Key Integrity Protocol (TKIP), 102
Terminal Access Controller Access Control System (TACACS), 210–212
Terminal Access Controller Access Control System Plus (TACACS+), 211–212, 212t, 221
termination of employment, 45–46
testing access control systems, 253
testing security systems, 256
test plan development, 259–268
third parties access controls, 36
third-party application, standard testing procedures, 308
threats, 60, 62–66, 116–117, 311–312
three-factor authentication, 92
Ticket-Granting Service (TGS), 93
Ticket-Granting Ticket (TGT), 94
time, 287
timeliness, monitoring and reporting, 283
time server, 228
TJX Companies, Inc., 333
TJX security breach, 333
TLS. See Transport Layer Security
tools, 5
Top Secret information, 22
transaction authorization, 82
Transactions and Code Set Rule, 297–298
transmission, database, 193
transportation, critical infrastructure, 310–312
Transportation Worker Identification Credential (TWIC), 199–200
Transport Layer, 137
Transport Layer Security (TLS), 163, 213, 242
Trojan horse malware, 87
trust, 7
trusted certificate authorities, 236, 237f
Trusted Computer System Evaluation Criteria (TCSEC), 81, 82
trusted publishers properties, 145, 146f
trusted-third party authentication, 95
tumbler locks, 194
tunnel vision, 287
TWIC Privacy Key (TPK), 199
two-factor authentication, 8, 91–92, 205, 218
two-person control, 48
type I errors, 189
typing tempo, 188
U
U.K. Data Protection Act of 1998, 335
unauthorized access, 264–265, 285–286, 320–324
unauthorized subject, 5
unclassified information, 22
unintentional threat, 42
uninterruptable power supply (UPS), 197
Unique Identifier Standards Rule, 298
uniqueness parameter, 191
United States Patent and Trademark Office (USPTO), 248, 249
unit testing, 256
Universal City Studios v. Reimerdes, 323
universality parameter, 190
universal serial bus (USB) drives, 243
unknown subject, 5
U.S. compliance laws and regulations, 295–306
user access control profiles, 144
user account standard, 314
user behavior, identity management, 141–142
User Domain, 266
user-level events, 284
users, 117, 118, 123, 124, 127
user type audit logs, 285
V
vacation requirement, 47
valleys, 186
valuable information, 25
vandalism for security breaches, 331
vendor access controls, 36
verification mode of a biometric system, 190
verification process, 186
view full record, 125
view partial information, 124
virtual local area networks (VLANs), 99–100
virtual private networks (VPNs), 120, 148–150, 164, 217–218, 309
virus, high-risk rating, 61
voice recognition systems, 188, 193
VPNs. See virtual private networks
vulnerabilities, 62–66, 117–118, 259, 267, 268, 271, 311–312
vulnerability assessment, 34
W
Wall Street Journal, The, 116
warded locks, 194
wards, 194
Web 2.0, 150
Web application scanners, 260
Web-facing systems, 71
Web servers, 61
what criteria, 10
when criteria, 10
white collar crime penalty enhancement, SOX, 301
white-hat hackers, 331
whitelist, 284
who criteria, 10
wide area network (WAN), 98, 267–268
Wi-Fi Protected Access (WPA), 101
Windows, 167–171, 167t, 168t, 169f–170f
Wired Equivalent Privacy (WEP), 102
wireless IEEE 802.11 LANs, 101–103
wireless mesh networks, 128
workers, remote employees and, 148–150, 149f
Workstation Domain, 266
World Intellectual Property Organization (WIPO), 322
Y
yardstick measurement, 68