Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.
NUMBERS
3DES (Triple DES), 6–7
90-day clock, e-discovery, 350–351
802.1x authentication, VLANs, 57
A
academic industry conference, 424–425
acceptable risk
assuring for third-party products, 505–507
defined, 333
access control
controls for remote access, 535–536
ensuring confidentiality with, 321
facilities management role in, 149–150
guiding staff/senior management on, 482
infrastructure design for, 153
iSCSI SANs, 102
mobile devices, 536–537
physical security manager role, 490
SANs, 99
single platform hosting multiple companies’ VMs and, 64
storage devices, 106
ACM Conference on Computer and Communications Security, 425
acquisitions. See M&A (mergers and acquisitions)
Acunetix WVS (Web Vulnerability Scanner), 267–268
AD (Active Directory), securing, 145–146
Address Space Layout Randomization (ASLR), countering zero-day attacks, 418
administrator accounts
data breaches using, 361
local, 308
principle of least privilege for, 386
privilege escalation using root accounts, 237
securing AD, 145–146
Web application design considerations, 223
advanced persistent threats (APT), 415
AES (Advanced Encryption Standard), 7
aggregate score, CIA, 323, 325
agreements, security requirements for, 431
Air Sharing, 531
AJAX (Asynchronous JavaScript and XML), security issues, 243–244
ALE (annualized loss expectancy), quantitative risk analysis, 327–328
algorithms
asymmetric, 9
Diffie-Hellman key exchange, 25–26
hashing, 18–20
not using outdated or deprecated, 4
symmetric, 6–7
Altiris Suite, Symantec, 530
analysis, digital forensics process, 353
Android-based malware, 541
Annual Computer Security Applications Conference, 425
annual rate of occurrence (ARO), quantitative risk analysis, 328
annualized loss expectancy (ALE), quantitative risk analysis, 327–328
anomaly-based detection, IDS, 205–206
Anonymous organization, 428–429
anti-malware software, 191–192
anti-spyware software, 190–191
anti-XSS library functions, 228
AntiSamy, OWASP, 233
antivirus software
endpoint security with, 189–190
in maintenance phase of technology life cycle, 580
securing instant messaging, 528
securing remote access, 128
securing virtual servers, 59–60
appliances, securing virtual, 59–61
application firewalls, host-based, 185
application layer gateway (ALG), VoIP, 133
application security
buffer overflow exploits, 244–245
clickjacking, 228–229
client-side vs. server-side processing, 240–243
cross-site scripting, 228
exploits from improper error/exception handling, 235–236
fuzzing/false injection, 238–239
implementing frameworks, 231–234
improper storage of sensitive data, 238
input validation, 226–227
integer overflows, 245
memory leaks, 246
overview of, 222
privilege escalation, 237
Q&A self-test, 252–257
race conditions, 246–247
resource exhaustion, 247–248
sandboxing, 231
secure coding standards, 234–235
secure cookie storage and transmission, 239–240
session management, 229–230
SQL injection attacks, 230–231
two-minute drill, 249–251
Web application design considerations, 222–225
application tier, multitier networks, 150
application vulnerability scanners, 267–268
applications
hardening system by limiting, 195
isolating in virtualization, 51
OS vulnerabilities vs., 413
securing desktop sharing and, 528–529
virtualization support for legacy, 51
Approved Products List, COTS systems, 506–507
APT (advanced persistent threats), 415
arithmetic overflows, 245
ARO (annual rate of occurrence), quantitative risk analysis, 328
AS (autonomous system), BGP, 161
AS number (ASN), BGP, 161
ASBRs (autonomous system boundary routers), 160
ASLR (Address Space Layout Randomization), countering zero-day attacks, 418
ASN (AS number), BGP, 161
assertions, SAML, 556–557
assessments. See security assessments, methods; security assessments, tools
asset management
electronic inventory and, 353–354
inventory control, 199–200
asymmetric/public key encryption
advantages and disadvantages, 8
asymmetric algorithms, 9
code signing, 24–26
digital signatures, 21–22
nonrepudiation and, 26
overview of, 7–8
Asynchronous JavaScript and XML (AJAX), security issues, 243–244
asynchronous replication, 108
attack signatures, IDS, 205
attack surface, web application design, 223
attack tools, 276–277
attackers, categorizing, 426–428
attacks
defined, 236
situational awareness of latest client-side, 412–414
attestation, and authentication, 563–564
auditing
Active Directory service, 146
cloud computing issues, 67
logical controls for SANs, 99
LUNs on storage devices, 105
security controls, 334
security policy for, 388
as security requirement, 304–305
authentication
cloud computing, 70
collaboration platforms, 539
data flows for changing business needs, 138
digital certificate, 12–13
ESB, 162
interpreting security policies for, 478–479
iSCSI SAN, 102
mobile device, 139
SAML, 556–557
Single Sign On, 559–560
VLAN, 57
WS-Security, 167
authentication, advanced
attestation, 563–564
certificate-based, 561–563
federated identity management systems, 554–557
OpenID, 560
overview of, 554
Q&A self-test, 567–574
SOAP, 558–559
SPML, 560–561
SSO, 559–560
two-minute drill, 565–566
XACML, 557–558
Authentication Request Protocol, SAML, 556
authorization
collaboration platforms, 539
data flows for changing business needs, 138
ESB, 162
SAML, 556–557
automation, and continuous monitoring, 336–337
autonomous system (AS), BGP, 161
autonomous system boundary routers (ASBRs), 160
availability
analyzing security system for, 458–459
CIA tradeoffs, 322
cloud computing advantages, 65
determining aggregate score for CIA, 323–325
ensuring, 322
presence in unified communications as, 530–531
VoIP considerations, 132
avoidance, risk, 333
B
Back Orifice app, 529
BackTrack Linux, attack tool/framework, 277
backup
cryptographic key, 15–16
data storage strategies, 98, 355–356
point-in-time or snapshot replication, 110–111
redundant storage locations, 107–109
bandwidth, replication and, 108
barcode tags, inventory control/asset management, 200
baselines, NIST, 332
bash (Bourne-Again shell), command-shell restrictions, 197–198
benchmarks, enterprise security, 446–448
BES (Blackberry Enterprise Server), mobile devices, 309
best practices, ongoing security, 403–406
BGP (Border Gateway Protocol), route protection, 161
bit-by-bit copies, digital evidence, 353–354
BitLocker Drive Encryption
Microsoft security checklist for, 404
for mobile devices in enterprise, 542
with TPM, 5
black-box testing
assessment method, 279
of COTS products, 507
in gray-box testing, 280
of third-party products, 505
white-box testing vs., 280
black hats, attackers, 417–418
Blackberry Enterprise Server (BES), mobile devices, 309
Blackhat conference, 425
block-level data storage. See SANs (storage area networks)
block methods, symmetric algorithms, 6–7
blogs, on security, 407–408
body, of SOAP message, 558
Border Gateway Protocol (BGP), route protection, 161
botnets
phishing attacks and, 413
spam filters for, 192–193
bots
phishing attacks and, 413
spam filters for, 192–193
bottom-up policies, 378
Bourne-Again shell (bash), command-shell restrictions, 197–198
Bourne shell (sh), command-shell restrictions, 197–198
BPA (business partnership agreement), 393
branching (read-write) snapshots, 111
bring-your-own-device (BYOD), security policy issues, 139, 308–309
browsers, vulnerabilities of JavaScript, 242–243
brute force attack, password crackers, 272–273
BS7799 standard, United Kingdom, 409
buffer overflow exploits
application security and, 244–245
attack tools and frameworks using, 276
countering zero-day attacks, 417
input validation and, 226
bugs
application security and, 222
COTS systems and, 506–507
countering zero-day attacks, 418
detecting with black-box testing, 279
detecting with code reviews, 282
detecting with fuzzing/false injection, 238–239
detecting with white-box testing, 279–280
from improper error/exception handling, 235–236
understanding results of solutions in advance, 578
building layout, network design, 148–149
bulk usage, with symmetric encryption, 5–6
Burp Suite, HTTP interceptor, 275
business
best practices, 379
developing standard desktop for, 307
integrating tools within, 423
security implications of new tools, 420–422
security policies reflecting objectives of, 378–379
security solutions reflecting needs of, 455–459
business continuity, 98, 107–108
business plans, recovery efforts, 357
business risk, defined, 297
business risk, of new/changing models
managed security services, 300–301
mergers and acquisitions, 301–302
outsourcing, 300
overview of, 297–298
partnerships, 299
Q&A self-test, 311–318
risk management process, 298–299
two-minute drill, 310
BYOD (bring-your-own-device), security policy issues, 139, 308–309
C
C shell (csh), command-shell restrictions, 197–198
C&A (certification and accreditation), 334
CA (Certificate Authority)
digital certificate validation, 13–14
digital certificates, 10
digital certificates types issued by, 10–11
overview of, 11–12
verifying certificate validity, 16
cabling, building layout design, 149
California Senate Bill 1386 (SB 1386), data breach notification, 357
canonicalization errors, input validation, 227
CanSecWest conference, 426
capability, analyzing security for business needs, 457–458
CAPEC (Common Attack Pattern Enumeration), 236
CCB (change control board) process, 581
CCTVs (closed-circuit televisions), 490
Center for Internet Security (CIS), 405
central incident response teams, 365
Certificate Authority. See CA (Certificate Authority)
certificate-based authentication
attestation of, 562
overview of, 561–562
SSL/TLS, 562–563
certificate revocation list (CRL), certificate validity, 16–17
certification and accreditation (C&A or CnA), 334
certification practices statement (CPS), CAs, 12
change control
assuring acceptable risk of third-party products, 505–507
concerns of interconnecting multiple industries, 500–503
designing mergers, acquisitions and demergers, 503–504
integration of products and services, 510–511
network segmentation and delegation, 508–509
Q&A self-test, 515–518
scenario and solution, 511
two-minute drill, 513–514
change control board (CCB) process, 581
change management process, 581
change-of-state (COS) events, SCADA, 130
character sets, application security, 227
checklists
as benchmarks, 448
security best practices research, 403–405
security control, 334
chief information security officers (CISOs), 449–450
CIA (confidentiality, integrity, and availability)
availability, 322
confidentiality, 320–321
determining aggregate score for, 323–325
integrity, 321
interpreting requirements for others, 478–479
overview of, 320
tradeoffs, 322
CIS (Center for Internet Security), 405
CISOs (chief information security officers), 449–450
civil applications
digital forensics, 351
e-discovery, 350–351
classes, digital certificate, 12–13
clear-box testing, 279
clickjacking, 228–229
client-side attacks, 412–414
client-side processing, 240–243
clients, security-related requirements, 305
closed-circuit televisions (CCTVs), 490
closed port response, port scanner, 262
cloud computing
advantages, 65–66
emergent security issues, 419–420
issues associated with, 66–68
making more secure, 68–70
password cracking and, 272
cloud storage
geographical replication using, 108–109
virtual storage via, 95–96
CnA (certification and accreditation), 334
code review
assessment method, 281–282
of third-party products, 505
code signing, 24–26
coding standards
SAFECode, 233–234
secure, 234–235
secure libraries for, 233
security requirements for programmers, 479
collaboration. See also security controls, for communication/collaboration
establishing team, 482–483
implementing secure platforms, 539
collection, digital forensics process, 352
collisions, hashing, 19
command shell restrictions, in host hardening, 197–198
commercial off-the-shelf. See COTS (commercial off-the-shelf) products
Common Attack Pattern Enumeration (CAPEC), 236
Common Criteria
replacing Orange Book, 430
trusted OS, 187
validating system design, 588–589
Common Vulnerabilities and Exposures (CVE), 236
Common Weakness Enumeration (CWE), 236
communication
after data breach, 358
interpreting security requirements for others, 478–481
reverse-engineering existing security solution, 454
role in change management, 510
security controls for. See security controls, for communication/collaboration
unified. See unified communications security
compliance, 303
computing platforms
cloud computing advantages, 65–66
cloud computing issues, 66–68
cloud computing security, 68–70
Q&A self-test, 82–90
securing virtual environments, appliances, and equipment, 59–61
Terminal Services, 76–78
two-minute drill, 79–81
Virtual Desktop Infrastructure, 73–76
virtualization advantages, 46–51
virtualization disadvantages, 51–54
VLAN usage, 54–57
VLAN vulnerabilities, 57–58
vulnerabilities from comingling hosts with different security requirements, 71–73
vulnerabilities with single physical server hosting multiple companies' VMs, 62–63
vulnerabilities with single platform hosting multiple companies' VMs, 63–64
conferences, computer-security-related, 424–426
confidentiality
CIA tradeoffs, 322
database administrator discipline of, 486–487
determining aggregate score for CIA, 323–325
Enterprise Service Bus and, 162
financial personnel discipline of, 488–489
FISMA definition of, 320
overview of, 320–321
securing data flows for changing business needs, 138
confidentiality agreements, 300, 382
configuration
improper storage of sensitive data in files, 238
management, 336
mobile device management, 536–537
remote assistance, 530
confirm, incident response cycle, 365
confusion, cryptographic processes, 31
consolidation tools, trend data analysis, 452
content screening, input validation, 226
continuous monitoring, risk management via, 337–338
contracts, security requirements, 430–432
controls. See security controls
conventions, computer-security-related, 424–426
Converged Network Adapter, 103
cookies
secure storage and transmission, 239–240
session management via, 230
state management via, 241
coordinating incident response teams, 365
COS (change-of-state) events, SCADA, 130
cost benefit analysis (ROI, TCO), 449–450
costs
secure development life cycle lowering, 584
of virtualization, 46–48, 51–52
COTS (commercial off-the-shelf) products
assuring acceptable risk of, 505
overview of, 506–507
testing for acceptable risk, 507
using custom-developed software vs., 506
covert storage channels, 202–203
CPS (certification practices statement), CAs, 12
CPUs
benefits of virtualization, 48
monitoring using benchmarks, 447
credit card information
confidentiality requirements, 322
data exfiltration of, 201
data minimization of, 358
deduplication of, 111–112
as emerging source of threat, 428
PCI DSS requirements for processing, 305
specific security controls by entities handling, 380
criminal actions, incident response, 362–363
CRL (certificate revocation list), certificate validity, 16–17
cross-certification certificates (or cross-certificates), 10–11
cross-site scripting (XSS) attacks, 228, 232
cross-training, reducing risk, 385–386
CSRFGuard, OWASP, 233
cryptographic tools
asymmetric/public key encryption method, 7–9
code signing, 24–26
confusion, 31
diffusion, 32
digital signatures, 21–23
entropy, 30
hashing, 17–20
implications of, 27–29
nonrepudiation, 26
perfect forward secrecy, 31
PKI. See PKI (public key infrastructure)
practical applications, 20
pseudorandom number generation, 30
storing keys when disposing of equipment, 581
Q&A self-test, 36–45
symmetric key encryption methods, 4–7
transport encryption, 27
two-minute drill, 33–35
csh (C shell), command-shell restrictions, 197–198
custom-developed software, acceptable risk of, 506
CVE (Common Vulnerabilities and Exposures), 236
CWE (Common Weakness Enumeration), 236
cyber security. See situational awareness
D
DAMs (database activity monitors), 166
data
analyzing/interpreting trend, 451–452
centralization, in virtualization, 49–50
cloud computing advantages, 65
cloud computing issues, 67–68
combating distance with virtual storage, 96
improper storage of sensitive, 238
leakage from personal devices, 308
leakage prevention, 201
length, input validation, 226–227
minimization, 358–359
recovery, 355–356
redundancy, 107–109
retention policies, 354–355
size, challenge of e-discovery, 351
storage strategies, 355–356
vulnerabilities from comingling hosts with different security requirements, 71
data breaches
data minimization protecting from, 358–359
incident and emergency response, 363–366
mitigation and response to, 359–360
network segmentation limiting damage of, 508–509
overview of, 357
ownership and handling, 356
Q&A self-test, 369–375
recovery, 357–358
system design for response to, 360–363
two-minute drill, 368
Data Execution Prevention (DEP), zero-day attacks, 417
data exfiltration (extrusion), 201–204
data flow
for changing business needs, 137–140
secure solutions for, 136–137
data in flight (DIF), storage security, 94
data tier, multitier networks, 150
database activity monitors (DAMs), 166
database administrator role, 486–487
database vulnerability scanners, 268
databases, SQL injection attacks against, 230–231
datacenters, FCOE in, 103–104
Daubert Standard, 351
DDoS (distributed denial of service) attacks, 65
de-perimeterization, 306–309
de-provisioning, cloud computing issues, 68
decentralized access control, 536
declarative access control policy, XACML, 557
deconstruction, 453–455
deduplication, 111–112
default, securing web application by, 224
DEFCON "hacker" conference, 425–426
defense-in-depth
designing solutions, 584
designing VoIP network, 133
Enterprise Service Bus as, 162
multitier networking as, 150–151
network segmentation for, 508–509
risk mitigation via, 333
securing data flows for changing business needs, 137–139
Defense Information Systems Agency (DISA)
Approved Products List, 506–507
security best practices, 405–406
delegation, in segmented environment, 509
demergers, designing, 503–504
denial-of-service (DoS) attacks, 162, 247–248
DEP (Data Execution Prevention), zero-day attacks, 417
Department of Defense. See DoD (Department of Defense)
deployment, securing web applications by, 224
design
of end-to-end solution ownership, 576–578
securing web application by, 223
understanding results of solutions in advance, 578–581
validating system, 587–590
design patterns, ESA frameworks as, 336
desktop sharing, 528–529
detection
in incident response, 360
quantitative risk analysis using numeric values, 329–330
Development/Acquisition phase, systems development life cycles, 583–584
development environment, comingling hosts with different security requirements, 71
devices
mobile. See mobile devices
personally managed, 308
placement of security, 128–130, 154
devices, network, 152, 157–161
dictionary file attack, password crackers, 271–272
DIF (data in flight), storage security, 94
Differentiated Services, IP networks, 540
Diffie-Hellman key exchange protocol, 25–26
diffusion, cryptographic processes, 32
digital certificates
applications, 14
authentication based on, 561
Certificate Authority and, 11–12
defined, 9
fields within X.509, 11
issuance to entities, 15–16
OCSP vs. CRL, 16–17
overview of, 10–11
Registration Authority and, 12–14
SSL/TLS certificate-based authentication, 562–563
users, 15
validating, 14
wildcard, 17
digital forensics
overview of, 351–352
process, 352–354
security policy development for, 387
set of procedures to cover, 350
digital identities, consolidating with OpenID, 560
Digital Signature Algorithm (DSA), 9, 21–22
Digital Signature Standard, 21–22
digital signatures
code signing, 24–26
creating, 22–23
ElGamal algorithm for, 9
nonrepudiation and, 26
overview of, 21–23
digital watermarks, 204
Directive 2002/58 on Privacy and Electronic Communications, EU, 502
directory services, secure
AD, 145–146
Federated Identity, 146–147
LDAP, 144–145
overview of, 144
Single Sign On, 147–148
DISA (Defense Information Systems Agency)
Approved Products List, 506–507
security best practices, 405–406
disaster recovery
benefits of virtualization, 49, 51
consolidating data storage into SANs for, 98
redundancy for, 107–108
SANs benefits, 156
for virtual vs. physical servers, 61
discover and report, incident response cycle, 365
disgruntled employees, threats from, 429
disk image, implementing SOE, 196
Disposal phase, systems development life cycles, 584
Distinguished Name, digital certificates, 561
distributed denial of service (DDoS) attacks, 65
distributed incident response teams, 365
DMZ, multitier networks, 150–151
DNS (Domain Name System), 140–143
DNSKEY, 142
DNSSEC (Domain Name System Security Extensions), 140–143
documentation
common business, 381–383
contracts, 430–432
digital evidence, 353
maintenance phase of technology life cycle, 580
security requirements traceability matrix, 585
VLAN best practices, 57
DoD (Department of Defense)
Common Criteria, 588–589
publishing TCSEC (Orange Book), 186–187, 430
risk of third-party products, 507
validating system design, 588
Domain Name System (DNS), 140–143
Domain Name System Security Extensions (DNSSEC), 140–143
DoS (denial-of-service) attacks, 162, 247–248
double-tagging (802.1q encapsulation), VLANs, 58, 160
Dropbox, 95–96
DSA (Digital Signature Algorithm), 9, 21–22
DTP (Dynamic Trunking Protocol), 159–160
due care, 385
dumpster diving, by security service providers, 408
Dynamic Trunking Protocol (DTP), 159–160
dynamic updates, DNS, 141
E
e-discovery
data ownership and handling, 356
data recovery and storage, 355–356
data retention policies, 354–355
digital forensics, 351–352
digital forensics process, 352–354
electronic inventory and asset control, 354
overview of, 350–351
partnerships/outsourcing for, 301
Q&A self-test, 369–375
two-minute drill, 368
e-mail
preventing client-side attacks with policies, 414
securing, 531–533
social engineering via, 282
SPAM. See SPAM (unsolicited bulk e-mail)
EALs (Evaluation Assurance Levels), Common Criteria, 589
eavesdropping
securing e-mail, 532
securing instant messaging, 527–528
securing video conferencing, 527
securing web conferencing, 526
electronic inventory, asset management, 353–354
ElGamal algorithm
digital signatures using, 9
DSA using, 21
Elliptic Curve cryptography, 9, 29
emergency response. See incident response
emergency response team, 489
emergent issues, situational awareness of, 418–420
EMET (Enhanced Mitigation Experience Toolkit), countering zero-day attacks, 418
employees. See personnel
encryption
choosing asymmetric or public key, 7–9
choosing symmetric key, 4–7
of data at rest, 94
as defense against loss of control of information, 357
limitations in VoIP, 534
mitigating data breaches, 359
monitoring network traffic, 136
overview of, 10
reverse-engineering of existing security solution using, 454
securing cloud services, 70
securing cookies, 239
securing iSCSI SANs, 102
securing laptops, 542
securing LDAP store, 145
securing mobile devices, 139, 481
vulnerabilities from comingling hosts with different security requirements, 71
WS-Security and, 167
endpoint security
anti-malware, 191–192
anti-spyware, 190–191
antivirus, 189–190
defined, 188
host-based firewalls as, 182–186
overview of, 188–189
spam filters, 192–193
understanding malware, 194
Enhanced Mitigation Experience Toolkit (EMET), countering zero-day attacks, 418
enterprise security
analyzing solutions for business needs, 455–459
analyzing trend data, 451–452
benchmarks, 446–448
cost benefit analysis of, 449–450
effectiveness of existing, 452–453
lessons-learned/after-action review, 460–461
network traffic analysis, 462–464
overview of, 446
prototyping/testing multiple solutions, 448–449
Q&A self-test, 468–474
reverse engineering/deconstructing existing solutions, 453–455
two-minute drill, 465–467
using judgment to solve problems, 461–462
Enterprise Security API, OWASP, 233
enterprise security architecture (ESA) frameworks, 335–336
Enterprise Service Bus (ESB), 162
enterprise standard operating environments, 307
enterprise storage. See also storage
FCOE, 103–104
HBA allocation, 106
iSCSI, 101–102
LUN masking, 104–105
NAS, 96–97
overview of, 92
Q&A self-test, 117–124
redundancy (location), 107–109
SANs, 98–99
secure management of, 109–112
security best practices for, 93–94
security implications of, 92–95
two-minute drill, 113–116
virtual storage, 95–96
VSANs, 100–101
entropy, cryptographic, 30
envelope, SOAP message, 558
environments, securing virtual, 59–61
equipment, securing virtual, 59–61
error handling, exploits from improper, 235–236
ESA (enterprise security architecture) frameworks, 335–336
ESB (Enterprise Service Bus), 162
Ethernet
NAS device connecting to network via, 96–97
securing enterprise storage using FCOE, 103–104
ethical hacking
by security service providers, 408
by white hats, 427
EU Data Protection Directive, 299
EuroCrypt (European Cryptology Conference), 425
European Cryptology Conference (EuroCrypt), 425
European Data Protection Regulation, 299
Evaluation Assurance Levels (EALs), Common Criteria, 589
evaluation, incident response, 361
evidence
data breaches, 362–363
digital forensic. See digital forensics
evolution, technology, 408–409
examination, digital forensics, 352
exception handling, exploits from improper, 235–236
explicit targets, 426
exploits
defined, 236
from improper error/exception handling, 235–236
privilege escalation, 237
extensible Access Control Markup Language (XACML), 557–558
external audit policy, 388
external communications, security controls for, 537–538
external influences, risk implications of, 302–306
external parties, data breach issues, 361
F
Facebook, using as SSO, 559
facilities management
network design, 149–150
security responsibilities of, 490
failure mode effects analysis (FMEA), 329–330
false injection, application security, 238–239
false-negatives
antivirus software, 189
defined, 193
IDS and IPS, 206
vulnerability scanners, 267
false-positives
antivirus software, 189
defined, 194
IDS and IPS, 206
spam filters, 193
vulnerability scanners, 267
FC (Fiber Channel), connecting SANs over, 156
FCOE (Fiber Channel Over Ethernet), 103–104, 106
feasibility, cryptography, 29
Federal Information Security Management Act. See FISMA (Federal Information Security Management Act)
Federated Identity, 146–147
federated identity management systems, 554–557
Fiber Channel (FC), connecting SANs over, 156
Fiber Channel Over Ethernet (FCOE), 103–104, 106
file checksums, monitoring with benchmarks, 448
file emulation, antivirus software, 189
filtered response, port scanner, 262
financial personnel role, 488–489
fingerprinting, assessment method, 280–281
FIPS (Federal Information Processing Standard)
determining aggregate score of CIA, 323–325
Digital Signature Standard, 21–22
nomenclature for security categories, 324
security impacts of CIA, 320
validating system design, 589–590
firewalls
addressing client-side attacks, 413
analyzing for business needs, 457
functions of, 182–183
host-based, 182–186
IDSs detecting failure of, 204
in multitier networking data design, 150–151
placing security devices at network border, 129
reviewing effectiveness of existing security, 453
securing desktop sharing, 529
securing directory services, 144
securing infrastructure design, 153
security checklists for Windows Firewall, 404
unlikely to detect zero-day attacks, 416
FISMA (Federal Information Security Management Act)
on availability, 322
on confidentiality, 320
definitions for CIA, 320
implementing controls, 334
on integrity, 321
overview of, 501–502
FMEA (failure mode effects analysis), 329–330
forensic copies, digital evidence, 353–354
forensics. See digital forensics
formal business partnerships, 299
formal proofs, 587
Fortify 360 SCA, source code scanner, 268
frameworks
application security, 231–234
as assessment tool, 276–277
enterprise security architecture, 337–338
risk management, 296–297
Frye Standard, 351
of COTS products, 507
of third-party products, 505
fuzz testing
application security and, 238–239
assessment tool, 273–274
understanding results of solutions in advance, 578
G
geographical replication, data redundancy, 107–108
Ghostery, 228
GLB (Gramm-Leach-Bliley) act, 501
global information assurance community
attackers, 426–428
conventions, 424–426
emerging threat sources, 428–429
overview of, 423–424
goals, policies for business, 378–379
GPMC (Group Policy Management Console), host hardening, 196–197
Gramm-Leach-Bliley (GLB) act, 501
gray-box testing, 280
gray hats, 418
Group Policy implementation, host hardening with, 196–197
Group Policy Management Console (GPMC), host hardening, 196–197
guidance, for staff and senior management, 482–483
guidelines
defined, 378
designing mergers, acquisitions and demergers, 503–504
interpreting requirements for others, 478–479
H
Hackers On Planet Earth (HOPE) conference, 426
hacking community
addressing zero-day attacks within, 416
debate on posting new vulnerabilities to, 417
hacker conferences, 424–426
hacking groups, 427
handshakes, SSL/TLS, 562–563
hard-coded passwords, vulnerability of, 238
hard drives, encrypting, 5
hard zoning, 156
hardening. See host hardening
hardphones, VoIP, 130
hardware abstraction, virtualization, 50
hardware, network administrator maintaining, 487
hash message authentication code (HMAC), code signing, 24–25
hash tables, 19
hashing
collecting digital evidence, 353–354
creating digital signatures, 21–22
modern digital cryptography and, 28
overview of, 17–20
HBAs (Host Bus Adapters)
securing enterprise storage by allocating, 106, 109–110
Health Insurance Portability and Accountability Act (HIPAA), 501, 503
help desk
securing remote assistance, 530
social engineering via, 282–283
SSO reducing costs of password resets from, 560
heuristic-based detection, antivirus software, 189
HIDSs (host-based intrusion detection systems), 206–207
high impact factor, CIA, 323–325, 331–332
high-level impact incident, risk exposure, 364
highly structured attacks, 427
HIPAA (Health Insurance Portability and Accountability Act), 501, 503
HIPSs (host-based intrusion prevention systems), 201, 206–207
HMAC (hash message authentication code), code signing, 24–25
honeynets, 416–417
honeypots, 416–417
HOPE (Hackers On Planet Earth) conference, 426
hopping attacks, VLAN, 159–160
horizontal escalation exploit, 237
host-based firewalls, 182–186
host-based intrusion detection systems (HIDSs), 206–207
host-based intrusion prevention systems (HIPSs), 201, 206–207
Host Bus Adapters (HBAs). See HBAs (Host Bus Adapters)
host hardening
command shell restrictions for, 197–198
Group Policy implementation for, 196–197
restricted interfaces for, 199
standard operating environment for, 195–196
warning banners and, 198–199
host security controls
asset management (inventory control), 199–200
data exfiltration, 201–204
endpoint security software. See endpoint security
HIPS/HIDS, 204–206
host-based firewalls, 182–186
host hardening. See host hardening
NIPS/NIDS, 207–209
Q&A self-test, 213–219
trusted OS, 186–188
two-minute drill, 211–212
host vulnerability scanners, 264–266
HR (human resources)
partnering with, 380
privacy and security concerns of, 489
HTTP, in web conferencing, 526
HTTP interceptor, assessment tool, 274–275
HTTPrint, 281
HTTPS
mitigating data breaches, 359
securing web conferencing, 526
transport encryption, 27
human resources (HR)
partnering with, 380
privacy and security concerns of, 489
hybrid mode, password crackers, 271–272
hypervisors
comingling hosts with different security requirements and, 71
hardware abstraction and, 50
monitoring traffic between VMs and, 59
I
iCloud, security implications, 95–96
IDEA (International Data Encryption Algorithm), 6
identification, digital forensics process, 352
identity management systems, 554
identity provider, 146
Identity Providers (IdP), SAML, 556–557
identity thieves, 383–384
IdP (Identity Providers), SAML, 556–557
IDPSs (intrusion detection and prevention systems), 153
IDS/IPS (intrusion prevention/detection) systems
development of, 204–206
HIDS/HIPS, 206
NIPS/NIDS, 207–209
placement of, 129–130
reviewing effectiveness of, 453
unlikely to detect zero-day attacks, 416
IEEE Symposium on Security and Privacy conference, 425
IETF (Internet Engineering Task Force)
ISO vs., 409
QoS architectures for IP networks, 540
Requests for Comments, 408–409
IM (instant messaging), 527–528
image files
hiding data electronically using, 204
spammers using, 194
IMAP (Internet Message Access Protocol), e-mail, 531
impact factors, CIA
determining aggregate score with, 323–325
enterprise definitions for, 324
FIPS definitions for, 320
qualitative risk analysis using, 326–327
risk determination using, 331
Implementation phase, systems development life cycles, 583–584
incident response
data breaches and external, 357–360
defined, 350
e-discovery. See e-discovery
facilitating, 360–363
lessons-learned/after-action review, 460–461
overview of, 363–364
partnerships/outsourcing for, 301
policy development, 386–387
Q&A self-test, 369–375
recovery efforts based on, 357
system design for, 360–363
teams, 364–366
two-minute drill, 368
incident response cycle (plan), 365–366
industry standards, security best practices, 403
industry trends
application security frameworks, 233–234
global information assurance community, 423–429
ongoing security research. See research, ongoing security
overview of, 402
Q&A self-test, 435–440
research security implications of new business tools, 420–423
security concerns of interconnecting multiple industries, 500–503
security requirements for contracts, 430–432
situational awareness. See situational awareness
two-minute drill, 433–434
informal business partnerships, 299
information
assurance. See global information assurance community
protecting in transit. See security controls, for communication/collaboration
security objectives for, 320
sharing across partnerships, 299
information technology (IT). See technologies; technology life cycle
infrastructure
advanced configuration of network devices, 157–161
data flow solutions, 136–137
data flows for changing business needs, 137–139
database access monitors, 166
design, 152–154
directory services, 144–148
disabling unnecessary services, 166–167
DNS, 140–143
emerging technologies, 137–139
Enterprise Service Bus, 162
logical and physical deployment diagrams, 152
multitier networking data design, 150–151
Q&A self-test, 173–179
Security Information and Event Management, 164–165
Service Oriented Architecture, 163–164
storage integration, 154–156
two-minute drill, 169–172
WS-Security, 167
zone transfers, 141–142
infrastructure, network design
IPv6, 133–135
overview of, 148–150
placement of security devices, 128–130
remote access, 126–128
SCADA systems, 130–131
VoIP, 131–133
Initiation phase, systems development life cycles, 583–584
input validation
finding errors via fuzzing/false injection, 238–239
mitigating vulnerabilities via, 226–227
mitigating XSS attacks via, 228
instant messaging (IM), 527–528
insurance, and risk transference, 333
integer overflows, 245
Integrated Services, IP networks, 540
integrity
CIA tradeoffs, 322
database administrator role, 486–487
determining aggregate score for CIA, 323–325
ensuring, 321
hash functions for, 17–20
interceptors, HTTP, 274–275
interconnection security agreement (ISA), 381
interfaces, restricted, 199
internal audit policy, 388
internal influences, risk implications of, 302–306
internal parties, data breach issues, 361
International Data Encryption Algorithm (IDEA), 6
International Symposium on Recent Advances in Intrusion Detection (RAID) conference, 425
Internet Engineering Task Force. See IETF (Internet Engineering Task Force)
Internet Message Access Protocol (IMAP), e-mail, 531
Internet Protocol Security. See IPSec (Internet Protocol Security)
Internet Protocol v6 (IPv6)
Requests for Comments, 409
security implications of, 133–135, 410
Internet Security Association and Key Management Protocol (ISAKMP), 36
Internet Small Computer System Interface (iSCSI), 101–102, 106
interoperability, cryptographic, 29
intrusion prevention/detection systems. See IDS/IPS (intrusion prevention/detection) systems
investigations
cloud computing issues, 67
incident response cycle, 365
IP-based devices, security controls for, 542
IPBXs, VoIP, 132
IPSec (Internet Protocol Security)
IPv6 security with, 133–134
transport security, 157–158
VPNs, 538
iptables, Linux firewalls, 183
IPv6 (Internet Protocol v6)
Requests for Comments, 409
security implications of, 133–135, 410
IRTs (incident response teams)
designing mergers, acquisitions and demergers, 504
overview of, 364–366
security policy development for, 386–387
ISA (interconnection security agreement), 381
ISAKMP (Internet Security Association and Key Management Protocol), 36
iSCSI (Internet Small Computer System Interface), 101–102, 106
ISO (International Organization for Standardization), 409
isolation, application, 51, 138–139
issuance, PKI, 15–16
IT (information technology). See technologies; technology life cycle
J
JavaScript
mitigating clickjacking via frame-busting, 229
security issues of, 241–243
jitter, VoIP, 535
job rotation policy development, 385
John the Ripper, password cracker, 272–273
judgment, solving difficult problems with, 461–462
jurisdiction, cloud computing issue, 419
K
Kerberos authentication, SSO, 559
key escrow, 15–16
key exchange, code signing, 25–26
key management
key archiving and key recovery, 15–16
public key cryptosystems, 8
symmetric encryption, 5
key-pair. See PKI (public key infrastructure)
key recovery, 15–16
keyloggers, 190–192
Korn shell (ksh), 197–198
L
L2TP (Layer 2 Tunneling Protocol), VPNs, 538
Labeled Security Protection Profile, Common Criteria, 187
laptops
accessing enterprise storage from, 93
complexity of securing, 419, 542
impact of de-perimeterization, 140
implementing softphones on, 132
increase in theft of, 412–413
remote access design, 126–128
securing corporate data on, 307, 480–481, 542
latency
analyzing security system for business needs, 456–457
VoIP QoS issue, 535
Layer 2 Forwarding protocol, VPNs, 538
Layer 2 Tunneling Protocol (L2TP), VPNs, 538
layered security, 508–509, 584
LDAP (Lightweight Directory Access Protocol), 144–145
legacy applications, and virtualization, 51
legislation. See regulations
lessons-learned/after-action reviews, 366, 460–461
libraries, application security with standard, 232–233
life cycles
digital certificate, 15
systems development, 582–585
technology. See technology life cycle
Lightweight Directory Access Protocol (LDAP), 144–145
likelihood of threat, risk determination, 331–332
limited adverse effect, potential impact, 324
Linux OS
firewalls, 183
network traffic analysis via tcpdump, 463
security checklists, 405
litigation
changes impacting business security requirements, 379
common business documents for security, 381–383
compliance by partnering with HR, legal, management, and other entities, 380
criminal actions in data breach, 362–363
data breach notification laws, 357
data retention periods, 355
digital forensics, 351
outsourcing, 300
partnerships and, 299
recovery from data breach and, 358
security best practices in case of, 403
litigation hold, 352
live CDs, for attack tools/frameworks, 277
local administrator accounts, 308
log files
analyzing for trend data, 451–452
reviewing after data breach, 363
securing instant messaging, 528
logical deployment diagrams, of relevant devices, 152
login failures, desktop sharing, 529
low impact factor, CIA, 323–325, 331–332
low impact incident, risk exposure in, 364
LUN (logical unit) masking, securing SANs, 99, 104–105, 156
M
M&A (mergers and acquisitions)
designing demergers and, 503–504
risk implications of, 301–302
using network segmentation, 508–509
MAC (Mandatory Access Control), trusted OS, 187
MAC (Media Access Control) address
infrastructure design, 153
VLANs, 56–57
MAC (message authentication code), code signing, 24
magnitude of impact, risk determination, 331
maintenance
analyzing security system, 458
facilities manager role in, 490
maintenance phase, technology life cycle, 577
Maintenance phase, technology life cycle, 580
malware
Android-based, 541
anti-malware for, 190–191
desktop sharing software as, 529
understanding, 194
via instant messaging, 528
via mobile devices, 541
via personally managed devices, 308
whitelisting to secure video conferencing, 527
managed security service provider (MSSP), 301
managed security services
researching, 407–408
risk implications of, 300–301
using penetration testing, 408
management
of emergency response team, 489
enterprise configuration, of mobile devices, 536–537
of host-based firewalls, 185
of iSCSI SANs, 102
legal compliance/advocacy by partnering with, 380
providing guidance on security controls to senior, 482–483
security functions of top-level, 306
security responsibilities of, 487–488
storage, 109–112
Mandatory Access Control (MAC), trusted OS, 187
mandatory vacation policy development, 386
MBSA (Microsoft Baseline Security Analyzer), 265–266
MD5 hash functions
defined, 18
HMAC-MD5, 24
route protection with, 160–161
MDT (Microsoft Deployment Toolkit), implementing SOE, 196
mean time between failure (MTBF) rating, 459
mean time to recovery (MTTR), 459
Media Access Control (MAC) address
infrastructure design, 153
VLANs, 56–57
medium impact factor, CIA, 323–325, 331–332
memorandums of understanding (MOUs), 302, 381
memory, benefits of virtualization, 48
mergers and acquisitions. See M&A (mergers and acquisitions)
message authentication code (MAC), code signing, 24
message digests, and hashing, 17–20
microphones, securing video conferencing, 527
Microsoft
Next-Generation Secure Computing Base, 187–188
Secure Development Life Cycle, 584–585
security checklists for OS, 404
Web Protection Library, 233
Microsoft Baseline Security Analyzer (MBSA), 265–266
Microsoft Deployment Toolkit (MDT), implementing SOE, 196
migration, 510–511
minimization, data, 358–359
mission of organization, compatibility of security with, 481
mitigation
data breaches and external, 359
in incident response, 360–361
risk, 333
vulnerability assessment, 278
zero day vulnerability, 416
MITRE, 235–326
Mobile Active Defense, 309
mobile computing, 419
mobile device management, 309
mobile devices
addressing vulnerabilities, 415
BYOD concept, 308–309
emergent security issues, 139–140, 410, 419
enterprise configuration management of, 536–537
security controls, 540–542
security requirements for sales staff, 480–481
understanding new security systems/services, 407–408
moderate impact incident, risk exposure in, 364
monitoring
data flows, 136–137
with database access monitors, 166
HIDS/HIPS, 204–206
NIPS/NIDS, 207–209
policy development for on-going security, 387
risk management via continuous, 298, 337–338
securing SANs, 99
traffic in cloud computing, 66
traffic in virtual environment, 59
MOUs (memorandums of understanding), 302, 381
MSSP (managed security service provider), 301
MTBF (mean time between failure) rating, 459
MTTR (mean time to recovery), 459
multifactor authentication, remote access, 128
multilevel security, trusted OS, 186–188
multipath, for storage management, 109–110
multiple round method, 3DES, 6–7
multitier networking data design
network infrastructure, 150–151, 153
security device placement in, 130
N
NAS (network attached storage), 96–97, 154–155
NAT (Network Address Translation), IPv6, 134–135
nation states, cyber attacks of, 429
National Institute of Standards and Technology. See NIST (National Institute of Standards and Technology)
NDAs (nondisclosure agreements), 300, 382
NDP (Neighbor Discovery Protocol), IPv6, 135
need to know principle, security policy, 386
Neighbor Discovery Protocol (NDP), IPv6, 135
Nessus network scanner, 264–265
Network Access Protection, Microsoft, 128
Network Address Translation (NAT), IPv6, 134–135
network administrator role, 487
network attached storage (NAS), 96–97, 154–155
network-based intrusion detection systems (NIDS), host security, 207–209
network-based intrusion prevention systems (NIPS), 207–209
network design
considerations, 148–150
IPv6, 133–135
multitier data, 150–151
placement of security devices, 128–130
remote access, 126–128
SCADA systems, 130–131
VoIP, 131–133
network engineer role, 480
network enumerator, assessment tool, 271
network interface cards (NICs), storage management, 109–110
network mapping, 271
network segmentation, 508–509
network taps
infrastructure design, 153
network traffic analysis via, 464
network traffic
analyzing security for business needs, 456–457
analyzing with switch port analyzer, 270
capturing with protocol analyzer, 269
prioritizing, 539–540
reverse-engineering existing security, 454
securing external communications, 537–538
network vulnerability scanners, 263–266
networks
advanced configuration of devices, 157–161
vulnerabilities from comingling hosts with different security requirements, 71–72
Next-Generation Secure Computing Base (NGSCB), Microsoft, 187–188
NGSCB (Next-Generation Secure Computing Base), Microsoft, 187–188
NICs (network interface cards), storage management, 109–110
NIDS (network-based intrusion detection systems), host security, 207–209
“Night Dragon” attack, 201
NIPS (network-based intrusion prevention systems), 207–209
NIST (National Institute of Standards and Technology)
enterprise security architecture, 335–336
Risk Management Framework, 296
security best practice guidelines, 405
security controls, 332
systems development life cycles, 582–585
node WWNs, HBAs, 106
nomenclature for security categories, 324–325
nondisclosure agreements (NDAs), 300, 382
nonpersistent cross-site scripting attacks, 228
nonrepudiation
DNS using TSIG for, 142
interpreting requirements for others, 478–479
overview of, 26
NoScript for Firefox
detecting clickjacking, 228
for JavaScript vulnerabilities, 242
mitigating XSS attacks, 228
numeric values
input validation, 227
quantitative risk analysis, 329
O
Oakley Key Determination Protocol, 25–26
OASIS standards
defined, 555
SPML, 561
XACML ratification by, 557
occurrence, quantitative risk analysis, 329–330
OLAs (operating level agreements), 382
on-demand/elastic cloud computing. See cloud computing
Online Certificate Status Protocol (OSCP), 16–17
online resources
Android-based malware, 541
hacking printers, 542
Mobile Active Defense, 309
SAFECode, 233–234
security checklists for Microsoft OS, 404
Splunk consolidation tool, 452
Storage Networking Industry Association, 94
VOIPSA (Voice over IP Security Alliance), 535
Zenmap, 263
OP (OpenID provider), 560
open port response, port scanner, 260–262
Open Security Architecture (OSA), 335–336
Open Shortest Path First (OSPF), route protection, 160
open source, defined, 507
Open Vulnerability and Assessment Language (OVAL), 236
Open Web Application Security Project. See OWASP (Open Web Application Security Project)
OpenID, 559–560
OpenID provider (OP), 560
operating level agreements (OLAs), 382
operating systems
monitoring via benchmarks, 447
security best practices for, 404–405
Operation/Maintenance phase, systems development life cycles, 583–584
Operational activities phase, technology life cycle, 577, 579
Organizationally Unique Identifier (OUI), HBAs, 106
origin policy, AJAX, 243
OSA (Open Security Architecture), 335–336
OSCP (Online Certificate Status Protocol), 16–17
OSPF (Open Shortest Path First), route protection, 160
OUI (Organizationally Unique Identifier), HBAs, 106
output validation, preventing integer overflows, 245
outsourcing
incident response teams, 365
security services, 300
OVAL (Open Vulnerability and Assessment Language), 236
OWASP (Open Web Application Security Project)
AntiSamy, 233
CSRFGuard, 233
Enterprise Security API, 233
overview of, 222
Top 10 list of web application vulnerabilities, 235
P
packet analyzers (sniffers), 269
packet fragmentation, IPv6, 134
packet headers, IPv6, 134
packet inspections, preventing data loss, 201
partnerships, risk implications of, 299
password cracker, 271–273
PasswordDigest, WS-Security, 167
passwords
changing network device, 157
ESB authentication, 162
Federated Identity, 146–147
financial personnel role, 489
hashed, 19–20
LDAP, 144–145
mobile devices, 139
NAS devices, 155
Single Sign On, 147
storage of sensitive data, 238
telephony, 533
token-based authentication for SSO, 559
web applications, 225
web conferencing, 526
WS-Security, 167
patches
addressing client-side attacks through, 413
debate over whether to use software, 483
not effective against buffer overflows, 244
remote access countermeasures, 128
for zero day vulnerabilities, 416–417
PBXs (private branch exchanges), telephony, 533
PCI DSS (Payment Card Industry Data Security Specification)
data minimization requirement, 358
defined, 27
effect on organizational policies and procedures, 380
overview of, 502
penetration testing (pentest)
as assessment method, 278–279
attack tools and frameworks for, 276–277
by security service providers, 408
via reverse-engineering of existing security, 455
via social engineering, 283
perfect forward secrecy, cryptography, 31
performance
analyzing security system for business needs, 456
cryptographic, 29
disadvantages of virtualization, 52
multipath increasing, 109–110
using benchmarks to monitor, 446–447
virtual storage issues, 96
perimeter security design, and deperimeterization, 306–307
permissions, LDAP store, 145
persistent cross-site scripting attacks, 228
personal health information (PHI), 362
Personal Identity Verification (PIV) standards, FIPS 201, 590
personally identifiable information. See PII (personally identifiable information)
personally managed devices
merging SOE and personal device networks, 309
security considerations, 308
personnel
computing total cost of ownership, 450
cost reduction of virtualization, 46–47
disadvantages of virtualization, 52
personnel and security
access control via facilities management, 149–150
analyzing security system for usability, 458
communicating requirements to others, 478–479
data loss prevention measures, 202
database administrators, 486–487
disgruntled employees as threat, 429
emergency response team, 489
establishing team collaboration, 483–484
facilities managers, 490
financial personnel, 488–489
guidance for staff and senior management, 482–483
human resources, 489
integrating new products and services, 510–511
management, 487–488
network administrators, 487
network engineers, 480
overview of, 478
physical security manager, 490
Q&A self-test, 494–498
sales staff, 480–481
scenario and solution, 491
securing virtual environments, appliances, and equipment, 59–60
stakeholders, 488
two-minute drill, 492–493
phased approach, new products and services integration, 510–511
PHI (personal health information), 360–362
phishing
as common client-side attack, 413
defined, 282
educating users on, 413
physical controls, guiding staff/senior management on, 482
physical deployment diagrams, devices, 152
physical security
cloud computing issues, 66
facilities manager role in, 490
manager, 490
virtual environment issues, 61
warning banners acting like, 199
PIA (privacy impact analysis), 384
PII (personally identifiable information)
extracting through social networks, 422
general privacy principles for, 383–384
mitigating data breaches, 360–361
privacy policy violations, 362
PIV (Personal Identity Verification) standards, FIPS 201, 590
PKI (public key infrastructure)
applications, 14
Certificate Authorities, 11–12
code signing using, 24–26
digital certificates, 10–11
issuance to entities, 15–16
OSCP vs. CRL, 16–17
overview of, 9
principal components of, 9–10
reasons for creating, 8
Registration Authority (RA), 12–14
users, 15
wildcard certificates enabling, 17
PKIX (Public Key Infrastructure X.509), 561
platform, virtual, 63–64
point-in-time or snapshot replication, 108, 110–111
Point-to-Point Tunneling Protocol (PPTP), VPNs, 538
Poison Ivy app, 529
policies, security and privacy
best practices, 403–405
common business documents for, 381–383
concerns of interconnecting multiple industries, 501–503
designing mergers, acquisitions and demergers, 503–504
development and updates in, 378–379
establishing for social media, 422–423
establishing team collaboration, 482–483
federated identity management systems for, 554–557
guiding staff/senior management on, 482–483
interpreting requirements for others, 478–481
legal compliance/advocacy by partnering with HR, legal, management, and other entities, 380
management role in, 488
mobile devices, 541
in operational activities phase of technology life cycle, 579
overview of, 378
preventing client-side attacks, 414
privacy principles for PII/Sensitive PII, 383–384
processes/procedures/updates in, 379
Q&A self-test, 391–398
reviewing effectiveness of existing security, 453
securing cloud services, 70
securing mobile devices, 139–140
supporting development of, 384–388
two-minute drill, 390
policy certificates, 11
policy sets, XACML, 557
POP (Post Office Protocol), e-mail, 531
port mirroring, 270
port monitoring, 270
port scanners, 260–263, 451–452
port World Wide Name (pWWN), zoning configurations, 156
port WWNs, HBAs, 106
ports
isolating VLAN switch, 55
MAC-level security for VLANs, 56–57
securing desktop sharing, 528–529
Post Office Protocol (POP), e-mail, 531
power consumption, and virtualization, 46–47
PPs (Protection Profiles), Common Criteria, 589
PPTP (Point-to-Point Tunneling Protocol), VPNs, 538
preparation, digital forensics process, 352
Presence app, iPhone and iPad, 531
presence, securing, 530–531
presentation, digital forensics, 353
preservation, digital forensics, 352
prevention technology, firewalls, 204
privacy impact analysis (PIA), 384
privacy policy. See also policies, security and privacy
data breaches violating, 361–362
financial personnel role, 488–489
general privacy principles for PII, 383–384
private branch exchanges (PBXs), telephony, 533
private clouds, 66
private keys, asymmetric encryption, 8
probability, qualitative risk analysis, 326–327
procedural/administrative controls, 482
procedures
business best practices for, 379
change management, 581
defined, 379
designing mergers, acquisitions and demergers, 503–504
development and updates due to business changes, 379–380
legal compliance/advocacy by partnering with HR, legal, management, and other entities, 380
processes
interpreting requirements for others, 478–479
mitigating data breaches, 359
policy updates due to business changes, 380
production environment, 49, 71
products
integrating into existing environment, 510–511
risk implications of new, 296–297
profiles, SAML authentication, 556
programmers
SAFECode for, 584
security requirements for, 479
security responsibilities of, 485–486
proprietary models, cloud computing, 67
Protection Profiles (PPs), Common Criteria, 589
protocol analyzer, 269
protocols
e-mail, 531
federated identity management systems, 554–557
remote access, 536
securing external communications, 537–538
SOAP, 558
prototyping multiple security solutions, 448–449
provider(s), cloud services, 69
proxy servers
intercepting communications between client/server, 241
securing data flows, 136–137
prudent person principle, 385
pseudorandom number generation, cryptography, 30
PSTN (public switched telephone network), 533
public key infrastructure. See PKI (public key infrastructure)
Public Key Infrastructure X.509 (PKIX), 561
public keys
asymmetric encryption with. See asymmetric/public key encryption
digital certificates, 561
PKI concepts. See PKI (public key infrastructure)
public relations representative, emergency response team, 489
pWWN (port World Wide Name), zoning configurations, 156
Q
QoS (quality of service)
IPv6 support for, 134–135
prioritizing network traffic, 539–540
VoIP issues, 534–535
qualitative risk analysis, 278, 326–327
quantitative risk analysis
defined, 278
overview of, 327–328
using numeric values, 329
R
RA (Registration Authority), 12–14
race conditions, 246–247
Radio-Frequency Identification (RFID) tags, 200
RAID array
creating redundant storage locations, 107
NAS systems, 97
RAID (International Symposium on Recent Advances in Intrusion Detection) conference, 425
rainbow table attacks, 19, 272
RAM, benefits of virtualization, 48
random numbers, cryptography, 30
RBAC (Role-Based Access Control), segmented environments, 509
reactive capabilities, reverse-engineering existing security, 454
read-only snapshots, 111
read-write (branching) snapshots, 111
real-time protection, anti-malware, 192
recovery
cryptographic key, 15–16
from data breach, 357–358
incident response cycle, 366
redundancy
deduplication and, 111–112
multipath reliability via, 109–110
securing enterprise storage, 107–109
Registration Authority (RA), 12–14
regular expressions, input validation, 227
regulations
changes impacting business security requirements, 379
defined, 378
emergent security issues, 420
guiding staff/senior management on, 482
interconnecting multiple industries, 501–503
mergers, acquisitions and demergers, 504
partnering with HR, legal, management, and other entities, 380
regulatory risks, 297
relying parties (RP), OpenID, 560
remote access
advanced network design, 126–128
securing desktop sharing, 529
security controls for, 535–536
remote assistance, securing, 530
Remote Desktop Services (Terminal Services), 76–78
replication, securing LDAP, 145
Request for Information (RFI), 430–432
Request for Proposal. See RFP (Request for Proposal)
Request for Quotation (RFQ), 430–431
Requests for Comments (RFCs), 408–409
research, ongoing security
best practices, 403–405
implications of new business tools, 420–422
new security systems and services, 407–408
new technologies, 405–406
overview of, 402–403
Q&A self-test, 435–440
technology evolution, 408–410
two-minute drill, 433–434
residual risk, handling, 333
resource exhaustion, 247–248
Resource Reservation Protocol (RSVP), Integrated Services for IP networks, 540
resources
in virtualized environment, 48
vulnerabilities from comingling hosts with different requirements for, 71
vulnerabilities of single server hosting multiple companies’ VMs, 62
response stage
incident response, 361
mitigation, 359
restricted interfaces, in host hardening, 199
RestrictRemoteClients Registry key, restricted interfaces, 199
retention policies, data, 354–355
Retirement/Decommissioning phase, technology life cycle, 577, 580
return on investment. See ROI (return on investment)
Return Record SIGnature (RRSIG), DNSSEC, 142–143
returning of evidence, digital forensics, 353
reverse-engineering, of existing security solution, 453–455
reviews, lessons-learned/after-action, 460–461
rewards, countering zero-day attacks, 418
RFCs (Requests for Comments), 408–409
RFI (Request for Information), 430–432
RFID (Radio-Frequency Identification) tags, 200
RFP (Request for Proposal)
for assessment, 260
contractual document, 430–431
for custom-developed software, 506
scenario and solution, 432
RFQ (Request for Quotation), 430–431
RIPEMD hash functions, 18
RIPv2 (Routing Information Protocol version 2), 161
risk
understanding for solutions in advance, 578–581
risk analysis
calculating risk, 328
qualitative, 326–327
quantitative, 327–330
system-specific, 326
vulnerability assessment vs., 277
impact of de-perimeterization, 306–309
internal and external influences, 302–306
of new/changing business models. See business risk, of new/changing models
of new products/technologies/user behaviors, 296–297
overview of, 296
Q&A self-test, 311–318
two-minute drill, 310
Risk Management Framework (RMF), NIST, 296
risk management strategy/controls
basing on minimum requirements, 332–333
classifying information types into CIA levels, 320–322
continuous monitoring, 337–338
determining aggregate score of CIA, 323–325
ESA frameworks, 335–336
implementing controls, 334–335
making risk determination, 331–332
Q&A self-test, 341–348
system-specific risk analysis, 326–330
two-minute drill, 339–340
risk priority number (RPN), quantitative risk analysis, 329–330
Rivest, Shamir and Adleman (RSA) algorithm, 9
RMF (Risk Management Framework), NIST, 296
road warriors
securing via VPNs, 538
security controls for laptops, 542
ROI (return on investment)
cost benefit analysis for security, 449–450
cost-benefit of virtualization, 46–47
hidden costs of virtualization, 51
Role-Based Access Control (RBAC), segmented environments, 509
rollback, virtual vs. physical servers, 61
root accounts, in privilege escalation, 237
route protection, 160–161
routers, advanced configuration, 157–161
Routing Information Protocol version 2 (RIPv2), 161
RP (relying parties), OpenID, 560
RPN (risk priority number), quantitative risk analysis, 329–330
RRSIG (Return Record SIGnature), DNSSEC, 142–143
RSA industry conference, 424–425
RSA (Rivest, Shamir and Adleman) algorithm, 9
RSVP (Resource Reservation Protocol), Integrated Services for IP networks, 540
Rule 702 of the Federal Rules of Evidence, 351
rules
interconnecting multiple industries, 501–503
TLS/SSL. See TLS/SSL encryption
rules, firewall
addressing client-side attacks through, 413
host-based firewalls, 182–183, 185
reviewing effectiveness of existing security, 453
S
SAFECode
industry best practices, 233–234
overview of, 584
sales staff, security requirements, 480–481
SAML (Security Assertion Markup Language), 554–556
SANS/MITRE Top 25 list of errors, 235
SANs (storage area networks)
geographical replication capabilities, 108
NAS vs., 97
overview of, 98–99
securing and protecting, 156
securing iSCSI, 101–102
VSANs, 100–101
vulnerabilities, 93
SANS (Sysadmin, Audit, Networking, and Security) Institute, 423–424
SASL (Simple Authentication and Security Layer), LDAP, 144
SBC (session border controller), VoIP networks, 133
SC (security category), FIPS, 332–335
SCADA (Supervisory Control and Data Acquisition) systems, 130–131, 490
scalability, security for business needs, 457
scales, quantitative risk analysis using numeric values, 329–330
SCAP (Security Content Automation Protocol), 236
scareware ads, social engineering via, 282
Screen Warning Banners, 198–199
script kiddies, 427–428
scripts, mitigating XSS attacks by disabling, 228
SDL (Secure Development Life Cycle), Microsoft, 584–585
SDLC (security development life cycle), 583–585
secret (session key), cryptographic performance, 29
secure by default, web application design, 224
secure by deployment, web application design, 224–225
secure by design, web application design, 223
Secure File Transfer Protocol (SFTP), 138, 155
Secure Neighbor Discovery (SeND), IPv6, 135
Secure Shell (SSH), VLANs, 56
Secure Sockets Layer (SSL)
monitoring network traffic, 137
securing cookies, 240
for VLANs, 56
for VPNs, 159
Security Assertion Markup Language (SAML), 554–556
security assessments, methods
black-box testing, 279
code review, 281–282
fingerprinting, 280–281
gray-box testing, 280
mergers and acquisitions, 301
penetration testing, 278–279
Q&A self-test, 287–292
social engineering, 281–283
vulnerability assessment, 277–278
white-box testing, 279–280
security assessments, tools
attack tools/frameworks, 276–277
fuzzer, 273–274
HTTP interceptor, 274–275
network enumerator, 271
password cracker, 271–273
port scanner, 260–263
protocol analyzer, 269
Q&A self-test, 287–292
switch port analyzer (SPAN), 270
two-minute drill, 284–286
vulnerability scanner, 263–268
security category (SC), FIPS, 332–335
Security Content Automation Protocol (SCAP), 236
security controls
adapting to emerging threats/trends, 586–587
basing on minimum requirements, 332–333
continuous monitoring of, 336
determining based on aggregate score, 325
guiding staff/senior management on, 482–483
implementing, 334–335
interpreting requirements for others, 478–481
risk management process and, 298
security controls, for communication/collaboration
enterprise configuration management of mobile devices, 536–537
external communications, 537–538
implementing collaboration platforms, 539
mobile devices, 540–542
overview of, 524
prioritizing traffic, 539–540
Q&A self-test, 546–552
remote access, 535–536
two-minute drill, 544–545
unified communications security. See unified communications security
VoIP implementation, 534–535
VoIP security, 533–534
security development life cycle (SDLC), 583–585
Security Information and Event Management (SIEM)
monitoring large log files, 363
security considerations, 164–165
security profile, 137–138
security requirements traceability matrix (SRTM), 334–335, 585
security services, outsourcing, 300
security solutions
analyzing to ensure business needs, 455–459
prototyping and testing multiple, 448–449
reverse-engineering/deconstructing existing, 453–455
reviewing effectiveness of existing, 452–453
using judgment to solve difficult problems, 461–462
security system development life cycle (SSDLC), 583–585
Security Target (ST), Common Criteria, 589
security testing. See testing
segmentation
of remote access traffic, 127
using network, 508–509
segregation, securing VoIP, 133
SEHOP (Structured Exception Handler Overwrite Protection), countering zero-day attacks, 418
SeND (Secure Neighbor Discovery), IPv6, 135
separation of duties
security policy development for, 385
single platform hosting multiple companies’ VMs, 64
server consolidation, virtualization, 47–48, 52
server provisioning, virtualization, 51
server-side processing, 240–243
servers
clients less protected than, 413
standard operating procedure managing, 307
virtual server sprawl, 53
vulnerabilities of single server hosting multiple companies’ VMs, 62–63
service level agreements (SLAs), 300, 382
Service Oriented Architecture (SOA), 162–164
Service Providers (SP), SAML, 556–557
Service Provisioning Markup Language (SPML), 560–561
services
disabling unnecessary, 166–167
hardening system by limiting, 195
integrating into existing environment, 510–511
managed security, 300
port scanners identifying open, 261
understanding new, 407–408
session border controller (SBC), VoIP networks, 133
session hijacks, 230
session IDs, securing cookies, 239
session management, 229–230, 232
severity, quantitative risk analysis, 329–330
SFRs (Security Functional Requirements), Common Criteria, 589
SFTP (Secure File Transfer Protocol), 138, 155
sh (Bourne shell), command-shell restrictions, 197–198
SHA2 hash functions, 18, 21, 28
shared resources, and resource exhaustion, 247
SIEM (Security Information and Event Management)
monitoring large log files, 363
security considerations, 164–165
signature-based systems, IDS, 205, 416–417
signature detection, antivirus software, 189
signatures
digital. See digital signatures
selecting antivirus vendor, 190
signing process, digital signatures, 22–23
Simple Authentication and Security Layer (SASL), LDAP, 144
Simple Mail Transfer Protocol (SMTP), e-mail, 531
Simple Object Access Protocol (SOAP), 558–559
single loss expectancy (SLE), quantitative risk analysis, 328
Single Sign On. See SSO (Single Sign On)
situational awareness
countering zero day, 415–418
emergent issues, 418–420
latest client-side attacks, 412–414
overview of, 411–412
Q&A self-test, 435–440
threats, 414–415
two-minute drill, 433–434
SLAAC (StateLess Address AutoConfiguration), IPv6, 135
Slammer worm attack, 244
SLAs (service level agreements), 300, 382
SLE (single loss expectancy), quantitative risk analysis, 328
smartphones. See mobile devices
SMTP (Simple Mail Transfer Protocol), e-mail, 531
snapshot or point-in-time replication, 108, 110–111
SNIA (Storage Networking Industry Association), 94
sniffers, for network traffic analysis, 463–464
SNMP (Simple Network Management Protocol), 157
Snort, NIPS/NIDS system, 208
SOA (Service Oriented Architecture), 162–164
SOAP (Simple Object Access Protocol), 558–559
social engineering
assessment method, 281–283
as common client-side attack, 413
by security service providers, 408
on social networks, 422
social media/networking
emergent security issues, 418–419, 422
integration within business, 423
SOE (standard operating environment)
host hardening using, 195–196
merging personal device networks with, 309
soft zoning, 156
softphones, VoIP, 132
software. See also application security
assuring acceptable risk of third-party, 505–507
being aware of downloading security tool, 424
bugs. See bugs
countering zero-day attacks on, 417
debate on patching, 483
endpoint security. See endpoint security
inventory control/asset management, 200
malware in desktop sharing, 529
network administrator role, 487
programmers role, 479, 485–486
Software Engineering Institute/CERT, coding standards, 235
software vulnerability, 222
SOP (standard operating procedure), server environments, 307
source code
proofreading with code reviews, 281–282
scanners, 268
SP (Service Providers), SAML, 556–557
SPAM over instant messaging (SPIM), 528
SPAM (unsolicited bulk e-mail)
data minimization and, 358
over instant messaging, 528
preventing, 532
spam filters for, 192–193
SPAN (Switched Port Analyzer)
assessment tool, 270
network traffic analysis via, 464
secure infrastructure design and, 153
securing VoIP, 534
security devices placed on, 130
spear phishing attacks, e-mail, 532
speed, symmetric encryption, 5
SPIM (SPAM over instant messaging), 528
Splunk consolidation tool, 452
SPML (Service Provisioning Markup Language), 560–561
spoofing attacks
OSPF considerations, 160
as VLAN vulnerability, 58
spyware, 190–192
SQL injection attacks, 230–232
SRM (Storage Resource Management), 94
SRTM (security requirements traceability matrix), 334–335, 585
SSDLC (security system development life cycle), 583–585
SSH (Secure Shell), VLANs, 56
SSL (Secure Sockets Layer)
monitoring network traffic, 137
securing cookies, 240
TLS/SSL. See TLS/SSL encryption
for VLANs, 56
for VPNs, 159
SSO (Single Sign On)
advanced authentication, 559
advantages and disadvantages, 560
SAML authentication profile, 556
securing, 147–148
unified communications and, 525
SSS (Storage System Security), 94
ST (Security Target), Common Criteria, 589
staff. See personnel
stakeholders, role of, 488
standard libraries, for application security, 232–233
standard operating environment (SOE)
host hardening using, 195–196
merging personal device networks with, 309
standard operating environments, risks, 307
standard operating procedure (SOP), server environments, 307
standards
defined, 378
federated identity management systems, 554–557
organizations establishing, 408–410
SAML, 555
StateLess Address AutoConfiguration (SLAAC), IPv6, 135
status reporting and documentation, 337
steganography, in data exfiltration, 203–204
storage. See also enterprise storage
of cryptographic keys when disposing equipment, 581
data minimization for, 358
data retention policies, 354–355
digital evidence, 353
enterprise. See enterprise storage
integration into network infrastructure, 154–156
mitigating data breaches, 359
mobile device risks, 540
secure cookie transmission and, 239–240
of sensitive data improperly, 238
strategies for data, 355–356
storage area networks. See SANs (storage area networks)
Storage Networking Industry Association (SNIA), 94
Storage Resource Management (SRM), 94
Storage System Security (SSS), 94
stored procedures, SQL injection attacks using, 231
strength, modern digital cryptography, 28
structured attacks, 427
Structured Exception Handler Overwrite Protection (SEHOP), countering zero-day attacks, 418
STUXNET attack, 415
subject matter experts, emergency response teams, 489
Supervisor Control and Data Acquisition (SCADA) systems, 130–131, 490
switch spoofing, VLANs, 58, 159
Switched Port Analyzer. See SPAN (Switched Port Analyzer)
switches
advanced configuration of, 157–161
building layout design, 149
Symantec’s Altiris Suite, 530
symmetric key encryption
advantages and disadvantages, 5
asymmetric or public key vs., 7–9
overview of, 4–5
selecting, 6
symmetric algorithms, 6–7
SYN flood attacks, 247
synchronous replication, 108
Sysadmin, Audit, Networking, and Security (SANS) Institute, 423–424
System Starter GPOs, Windows Server 2008, 197
systems development life cycles, 582–585
T
tablets. See mobile devices
tagging
inventory control/asset management, 200
as VLAN vulnerability, 58
Target of Evaluation (TOE), Common Criteria, 589
targets of opportunity, attacks on, 426–427
TCO (total cost of ownership), 449–450
TCP
port scanner response, 261–262
prioritizing network traffic, 540
tcpdump, network traffic analysis, 463
TCSEC (Trusted Computer System Evaluation Criteria) or “Orange Book,” 430, 588
team collaboration, 483–484
technical controls, 482–483
technological risk, 297
technologies
evolution of, 408–410
risk implications of new, 296–297
security policies for emerging, 139–140
understanding new, 407–408
understanding security impact of new, 405–406
technology introduction phase, technology life cycle, 577
technology life cycle
addressing emerging threats/security trends, 586–587
defined, 576
end-to-end solution ownership, 576–578
phases of, 577
Q&A self-test, 592–596
systems development life cycles, 582–585
two-minute drill, 591
understanding results of solutions in advance, 578–581
validating system design, 587–590
telephony, securing, 533
Terminal Services (Remote Desktop Services), 76–78
terrorist groups, cyber attacks of, 429
testing
for acceptable risk of third-party products, 505–507
COTS products, 507
meeting system validation requirements via, 587
multiple security solutions, 449
via SRTM, 585
TGT (Ticket-Granting-Ticket), Kerberos, 559
third-party products
assuring only acceptable risk for, 505–507
as SSO gateways, 559
threads, creating race conditions, 246–247
threat modeling
defined, 223
operational activities phase of technology life cycle, 579
understanding risk in solutions, 578
threats
adapting to emerging, 586–587
advanced persistent, 415
to certificate-based authentication systems, 561
cloud computing advantages, 66
desktop sharing, 529
emerging sources of cyber, 428–429
identifying in risk management, 298
identifying in vulnerability assessment, 278
risk determination for, 331
securing instant messaging, 528
situational awareness of, 414–415
Ticket-Granting-Ticket (TGT), Kerberos, 559
time of check race condition, 246–247
time of use race condition, 247
TLS/SSL encryption
certificate-based authentication, 562–563
ESB, 162
transport encryption, 27
transport security, 157–158
wildcard certificates enabling, 17
TLS (Transport Layer Security), securing LDAP, 144
TOE (Target of Evaluation), Common Criteria, 589
token-based authentication, 128, 559
tools. See security assessments, tools
top-level management, security functions of, 306
total cost of ownership (TCO), 449–450
TPM (Trusted Platform Module)
generating random numbers with, 30
hard drive encryption with, 5
laptop protection with, 542
traditional proxy servers, 136
traffic analysis
conducting network, 462–464
detecting zero-day attacks, 417
traffic filtering, 63
training of personnel
adapting security to emerging threats/trends, 586–587
analyzing security for business needs, 458
in change management, 510
disadvantages of virtualization, 52
reviewing effectiveness of existing security, 452
securing virtual environments, appliances, and equipment, 59–60
security policy awareness, 387–388
Transaction Signature (TSIG), DNS, 142
transference, risk, 333
transparent proxy servers, 136
transport encryption, 27
Transport Layer Security (TLS), securing LDAP, 144
transport security, 157–158
trend data, analyzing, 451–452
trialware, for web conferencing, 525–526
Triple DES (3DES), 6–7
Trojan horses, 191–192
troubleshooting
disadvantages of virtualization, 52
securing remote assistance, 530
trunking security, 159–160
trust relationships
certificate-based authentication, 561–563
federated identity management, 554–557
Trusted Computer System Evaluation Criteria (TCSEC) or “Orange Book,” 430, 588
trusted OS
contracts and, 430–432
overview of, 186–188
Trusted Platform Module. See TPM (Trusted Platform Module)
trustworthy computing, 188
TSIG (Transaction Signature), DNS, 142
two-factor authentication, cloud services, 70
U
UBE (unsolicited bulk e-mail). See SPAM (unsolicited bulk e-mail)
UDP
port scanner response, 261–262
prioritizing network traffic, 540
unified communications security
desktop sharing, 528–529
e-mail, 531–533
instant messaging, 527–528
overview of, 524–525
presence, 530–531
Q&A self-test, 546–552
remote assistance, 530
telephony, 533
two-minute drill, 544–545
video conferencing, 527
web conferencing, 525–527
United States Government Configuration Baseline (USGCB), SOE, 196
unsolicited bulk e-mail. See SPAM (unsolicited bulk e-mail)
unstructured attacks, 426–427
UPA (uniform partnership act), 393
updates, process/procedure, 379–380
UPSs, building layout design, 149
usability, analyzing security for, 458
USENIX conferences, 425
user interface redress attack (clickjacking), 228–229
usernames
changing network device, 157
ESB authentication, 162
Federated Identity, 146
NAS devices, 155
WS-Security, 167
users
adapting solutions to emerging threats/trends, 586–587
impact of de-perimeterization on, 307
latest client-side attacks, 412–414
personally managed devices for end, 308
public key, 15
risk of changes in behavior of, 296–297
security policy development for, 384–388
USGCB (United States Government Configuration Baseline), SOE, 196
utilization of resources, virtualization, 48
V
Validated Products List, COTS systems, 506–507
validation
client-side processing vs. server-side, 240
Common Criteria for, 588–589
digital certificate, 14
input. See input validation
output, 245
of system design, 587–590
verifying certificate, 16
vulnerabilities of JavaScript client-side, 242
valuation, vulnerability assessment, 277
VDI (Virtual Desktop Infrastructure), 73–76
vendors, acceptable risk of third-party, 505–507
verification
digital signatures, 22–23
system design, 587–590
VeriSign, digital certificate classes, 13
vertical escalation (or elevation) exploit, 237
video conferencing, 525–527
Virtual Desktop Infrastructure (VDI), 73–76
virtual private networking. See VPNs (virtual private networking)
virtual server sprawl, 53
virtual storage, 95–96
virtual storage area networks (VSANs), 100–101
virtualization
application isolation advantages, 51
cost reduction benefits, 46–47
disadvantages of, 51–54
disaster recovery benefits, 49
Q&A self-test, 82–90
securing environments, appliances, and equipment, 59–61
security benefits, 48–49
server consolidation benefits, 47–48
server provisioning benefits, 51
Terminal Services, 76–78
two-minute drill, 79–81
utilization of resources, 48
VDI, 73–76
VLAN usage, 54–57
VLAN vulnerabilities, 57–58
vulnerabilities from comingling hosts with different security requirements, 71–73
vulnerabilities with single physical server hosting multiple companies’ VMs, 62–63
vulnerabilities with single platform hosting multiple companies’ VMs, 63–64
viruses. See also antivirus software
as malware, 191–192
risk to personally managed devices, 308
VLANs (virtual LANs)
implementing network segmentation, 509
implementing VoIP network, 133, 534–535
securing external communications, 537
securing iSCSI SANs, 102
trunking security, 159–160
usage, 54–57
vulnerabilities, 57–58
VM Escape attacks, 71
VMsafe, VMware, 59
VoIP (Voice over IP), security, 131–133, 533–535
VOIPSA (Voice over IP Security Alliance), 535
volatility of digital information, digital forensics, 353
VPNs (virtual private networking)
mitigating data breaches, 359
securing external communications, 537–538
securing mobile sales staff, 481, 538
VSANs (virtual storage area networks), 100–101
vulnerabilities
defined, 236
detection methods. See security assessments, methods
detection tools. See security assessments, tools
of mobile devices, 540–542
of new technologies, 405–406
privilege escalation, 237
vulnerability assessment
method, 277–278
operational activities phase of technology life cycle, 579
penetration testing vs., 278
reviewing effectiveness of existing security, 453
risk analysis vs., 277
using social engineering for, 283
vulnerability scanners
application, 267–268
attack tools and frameworks vs., 276
database, 268
false-positives and false-negatives from, 267
host, 264–266
network, 263–265
network enumeration, 271
overview of, 263
selecting, 266
source code, 268
vulnerability window, 416
W
warning banners, host hardening and, 198–199
web application scanners, 267–268
web application security, 222–225
web cams, video conferencing, 527
web conferencing, securing, 525–527
Web Protection Library, Microsoft, 233
web proxy tools, 274–275
Web Service Definition Language (WSDL), SOAP, 558–559
web services
automating requests with SPML, 560–561
SOAP exchanging information with, 558–559
Web Services Security (WS-Security), 167
Web Vulnerability Scanner (WVS), Acunetix, 267–268
white-box testing
assessment method, 279–280
of COTS products, 507
gray-box testing using, 280
of third-party products, 505
white hats, attackers, 427
white papers, global information assurance community, 424
whitelisting
countering zero-day attacks, 418
input validation, 227
securing video conferencing, 527
wildcard certificates, 17
Windows Defender, anti-spyware, 190
Windows Filtering Platform, firewalls, 183
Windows Firewall, 183–184, 404
Windows Volume labels, LUN masking, 104–105, 115
wireless computing
advantages and vulnerabilities of, 403–405, 410
unsecured access points, 410
Wireshark, network traffic analysis, 463
workload-driven approach, migrating to cloud services, 69
World Wide Names (WWNs), HBAs, 106
World Wide Port Names (WWPNs), HBAs, 106
worms, 191–192
write blockers, forensic copies, 353
WS-Routing protocols, SOAP, 558
WSDL (Web Service Definition Language), SOAP, 558–559
WS-Security (Web Services Security), 167
WVS (Web Vulnerability Scanner), Acunetix, 267–268
WWNs (World Wide Names), HBAs, 106
WWPNs (World Wide Port Names), HBAs, 106
X
X-FRAME-OPTIONS header, mitigating clickjacking, 229
X.509 standard, certificate-based authentication, 561
XACML (extensible Access Control Markup Language), 557–558
XML
as basis of SOAP, 558–559
as basis of XACML, 556–558
XSS (cross-site scripting) attacks, 228, 232
Z
Zappos data breach crisis, 358
Zenmap, 263–264
zero day vulnerability, 205, 415–418
zombies, spam filters for, 192–193
zone signing, DNSSEC, 143
zone transfers, securing DNS, 141–142
zones, network segmentation, 509
zoning, SAN, 156