M
M of N Control, 277
MaaS (Monitoring as a Service), 503
MAC (mandatory access control), 398–400
MAC (Message Authentication Code), 269
magnetic stripe readers, 383
MAID (massive array of inactive disks), 608
MAID (massive array of inactive hard drives), 513
mail bombing, 447
maintaining, BCP (business continuity plan), 621–622
malicious software threats, 456
APTs (advanced persistent threats), 462
rootkits, 461
worms, 457
malware
Sality, 578
managed mode, 348
managing
clipping level, 496
assets. See asset management
data. See data management
controlling access, 495
privileged entities, 495
resource protection, 496
mandatory access control (MAC), 398–400
mandatory vacations, security management, 159
man-in-the middle attack, 288
man-made threats, physical security, 74–75
MANs (metropolitan area networks), 325
mantraps, 85
manual authorization input control, 520
Marconi, Guglielmo, 503
MARS, 251
maskable interrupts, 180
massive array of inactive hard drives (MAID), 513, 608
master boot record infection, 456, 576
master license agreements, 50
master mode, 348
maturity levels, CMM (Capability Maturity Model), 559
maximum tolerable downtime (MTD), 598
McCain campaign, security, 348
MD (Message Digest) algorithms, 268–269
mean time between failure (MTBF), 101, 516–517, 606
mean time repair (MTTR), 101
mean time to repair (MTTR), 516–517, 606
mechanical locks, 91
media storage, secondary storage, 183
media-rotation strategies, 611–612
meets, 403
Melissa virus, 464
forensics, 479
meme, 576
Memorandum of Understanding (MOU), 118
memory, 177
CAM (content addressable memory), 329
RAM (random access memory), 181–182
ROM (read-only memory), 182
secondary storage, 183
memory addressing, 181
memory cards, 384
memory leaks, 182
memory management systems, 180
memory protection, 189
memory-mapped I/O, 180
mergers, risk management, 119–120
Merkle-Hellman Knapsack, 264
mesh topology, 321
Message Authentication Code (MAC), 269
message digest, 236
Message Digest (MD) algorithms, 268–269
Message Security Protocol (MSP), 278
metropolitan area networks (MANs), 325
Microsoft Point-to-Point Encryption (MPPE), 55
The Midnight Skulker, 465
military data classification, 47–48
MIME (Object Security Services), 278
Mitnick, Kevin, 465
mixed law, 125
mobile devices, 186
mobile sites, 604
mobile system vulnerabilities, 225–226
models
access control models. See access control models
business reference model, 215
cloud computing models, 504
CMM (Capability Maturity Model), 558–560
CMMI (Capability Maturity Model Integration), 610–611
data reference model, 215
MPM (Modified Prototype Model), 557
OSI (Open Systems Interconnection) model. See OSI (Open Systems Interconnection) model, 297–303
performance reference model, 215
product security evaluation models, 206
SABSA (Sherwood Applied Business Security Architecture), 215
security models. See security models
service component reference model, 215
SSDLC (security software development lifecycle) model, 432
technical reference model, 215
waterfall model, 554
Zachman model, 215
modes of operation
DES (Data Encryption Standard), 252
Modified Prototype Model (MPM), 557
MOM (Means, Opportunity, and Motive), 466
monitor mode, 348
monitoring
application transactions, 520–521
BCP (business continuity plan), 621–622
IDS (intrusion detection systems), 409–410
anomaly-based IDS engines, 412
behavioral-based IDS, 412
HIDS (host-based intrusion detection systems), 411
NIDS (network-based intrusion detection systems), 410
rule-based IDS, 412
sensor placement, 413
signature-based IDS engines, 411
IPS (intrusion prevention systems), 414
keystroke monitoring, 415–416, 523
NAC (Network Access Control), 414–415
surveillance, 479
monitoring and auditing controls, 518–519
auditing user activities, 519
controlling physical access, 524–525
emanations, 524
keystroke monitoring, 523
monitoring application transactions, 520–521
NAC (Network Access Control), 522
SIEM (security information and event management), 521–522
monitoring and detection, alarm systems, 107–108
Monitoring as a Service (MaaS), 503
Monsegur, Hector, 466
MOSS (MIME Object Security Services), 278
motherboards, 176
motion detectors, 106
MOU (Memorandum of Understanding), 118
MPLS (Multiprotocol Label Switching), 329, 337
MPM (Modified Prototype Model), 557
MPPE (Microsoft Point-to-Point Encryption), 55
MS-CHAPv2, 404
MSP (Message Security Protocol), 278
MTBF (mean time between failure), 101, 516–517, 606
MTD (maximum tolerable downtime), 598
MTTR (mean time to repair), 101, 516–517, 606
multifactor, 390
multi-level, security modes of operation, 193
multimode fiber, 324
multipath solutions, SAN (storage area network), 40
multiple-choice questions, 21
multiprogramming, 178
Multiprotocol Label Switching (MPLS), 329
multistate systems, 194
multitasking, 178
N
NAC (Network Access Control), 414–415, 522
naming distinctions, 179
Napoleonic law, 125
NAS (Network Attached Storage), 325
NAS (network attached storage), 38–39
NAT (Network Address Translation), 358
National Computer Security Center), 207
National Information Assurance Certification and Accreditation Process (NIACAP), 213
National Institute of Standards and Technology (NIST), 60, 800–37, 213
National Security Agency (NSA), 207
natural disasters
facilities, 77
Katrina (hurricane), 600
natural gas, 100
NCSC (National Computer Security Center), 207
NDA (Nondisclosure Agreement), 119, 157, 495
negligence, 483
Network Access Control. See NAC (Network Access Control)
network access control devices, 355
NAT (Network Address Translation), 358
firewall designs, 359
firewalls, 355
Network Access Control (NAC), 522
network access layer, TCP/IP, 305–306
network access layer controls, TCP/IP, 283–284
Network Address Translation (NAT), 358
network administrators, 494
Network Attached Storage (NAS), 325
network attached storage (NAS), 38–39
network database management system, 567
network equipment, 328
bridges, 328
gateways, 333
hubs, 328
mirrored ports, 330
repeaters, 328
VLANs (virtual LANs), 331
network forensics, 472
Network Information Service (NIS), 315
network layer, OSI (Open Systems Interconnection) model, 300
OSI (Open Systems Interconnection) model, 297–298
application layer, 302
network layer, 300
physical layer, 299
session layer, 301
TCP/IP, 313
host-to-host layer. See host-to-host layer
Internet layer. See Internet layer
network protection, 607
network security threats, 439
ARP poisoning, 446
database attacks, 446
DDoS attacks, 443
DNS spoofing, 447
mail bombing, 447
pharming attacks, 447
session hijacking, 440
traffic analysis, 447
war dialing, 447
war driving, 447
wiretapping, 441
zero-day exploits, 447
network topologies, 319
bus topology, 319
fully connected topology, 322
mesh topology, 321
network-based intrusion detection systems (NIDS), 410, 526–527
networks
802.11 wireless networks. See 802.11 wireless networks, 346–348
CANs (campus area networks), 325
de-encapsulation, 304
GANs (Global Area Networks), 325
MANs (metropolitan area networks), 325
PAN (personal area networks), 325
SANs (storage area networks), 325–326
secure network design, 296
WANs (wide area networks). See WANs (wide area networks), 325
WPANs (wireless PANs), 325, 349
new-hire agreements and policies, 157
NIACAP (National Information Assurance Certification and Accreditation Process), 213
NIDS (network-based intrusion detection systems), 410, 526, 526–527
Nimda, 498
NIS (Network Information Service), 315
NIST (National Institute of Standards and Technology), 60
NIST 800–37, 213
NIST 800–53, 145
NIST risk framework, 129
NIST SP 800–34, 589
NIST SP 800–34s, 545
nonce, 247
nondisclosure agreement (NDA), 119, 157, 495
noninterference model, 199
non-maskable interrupts, 180
nonrepudiation, cryptography, 235–236
NSA (National Security Agency), 207
cryptography, 242
O
OAKLEY Protocol, 283
Object Request Broker (ORB), 566
object reuse, 45
object-oriented analysis and design (OOAD), 566
object-oriented design (OOD), 566
object-oriented programming (OOP), 565–566
object-relational database system, 567
objects, 376
TCB (trusted computer base), 191
obsolete information, 48
OFB (Output Feedback) mode, 254
OFDM (orthogonal frequency division multiplexing), 346
OLA (Operating Level Agreement), 119
OLTP (online transaction processing), 569–570
on-demand backups, 512
one-time pad, stream ciphers, 248
one-time passwords (OTPs), 379–380, 381
online transaction processing (OLTP), 569–570
OOAD (object-oriented analysis and design), 566
OOB (out-of-band) signaling, 508–509
OOD (object-oriented design), 566
OOP (object-oriented programming), 565–566
open networks, VoIP (voice over IP), 344
Open Source Security Testing Methodology Manual (OSSTMM), 431
open system authentication (OSA), 352
open systems, 192
Open Systems Interconnection model. See OSI (Open Systems Interconnection) model
Open Web Application Security Project, 431
Operating Level Agreement (OLA), 119
operating states, security management, 194–195
operational security incidents, responding to, 530
operations and maintenance, SDLC (System Development Life Cycle), 552–553
operations management, 553
optical media, 183
Orange Book, 500
TCSEC (Trusted Computer System Evaluation Criteria), 207–209
orange box, phreakers, 508
ORB (Object Request Broker), 566
organization processes, risk management, 119–120
organizational unique identifier (OUI), 305
organized crime members, 436
organizing, data, 35
orthogonal frequency division multiplexing (OFDM), 346
OSA (open system authentication), 352
OSI (Open Systems Interconnection) model, 297–298
application layer, 302
network layer, 300
physical layer, 299
session layer, 301
OSPF (Open Shortest Path First), 335
OSSTMM (Open Source Security Testing Methodology Manual), 431
OTPs (one-time passwords), 381
OUI (organizational unique identifier), 305
outbound dialing systems, 615–616
out-of-band, 242
Output Feedback mode, 254
outsider testing, 429
outsiders, threat actors, 435
ownership
data governance policies, 31
P
PaaS (Platform-as-a-Service), 342, 503
packet switching, WANs (wide area networks), 336
ATM (asynchronous transfer mode), 337
Frame Relay, 337
X.25, 336
PACs (Privilege Attribute Certificates), 396
PAIN (privacy, authentication, integrity, and nonrepudiation), 235
PAN (personal area networks), 325
panic bars, 79
PAO (public affairs officer), 616
PAP (Password Authentication Protocol), 360, 404
parallel operations, 553
parallel tests, 552
BCP (business continuity plan), 620
passive infrared sensors, 107
passive sniffing, 440
passphrases, 379
password aging, 379
brute-force crack, 451
rainbow tables, 452
password attempts, 379
Password Authentication Protocol (PAP), 360, 404
password composition, 378
password guessing, 449
password history, 379
password length, 378
password management, 391
password sharing, 449
password storage, 379
password synchronization, 374, 391
assisted password reset, 391
cognitive passwords, 380
password synchronization, 391
self-service password reset, 391
PAT (Port Address Translation), 358
patch management, 511
patches, 572
verifying, 511
patents, 34
pattern-based, signature-based IDS engines, 528
payback analysis, 546
payload, steganography, 244
Payment Card Industry Data Security Standard (PCI-DSS), 41, 218
PCI (Peripheral Component Interconnect), 184
PCI-DSS (Payment Card Industry Data Security Standard), 41, 218
PCIe (Peripheral Component Interface Express), 184
PDU (protocol data unit), 303, 304
PEAP (Protected EAP), 361
peer-to-peer, 348
PEM (Privacy Enhanced Mail), 278
penetration, 439
penetration test teams, 430
performance reference model, 215
perimeter controls, 83
CCTV (closed-circuit television), 87
guards and dogs, 89
perimeter intrusion and detection assessment system (PIDAS), 83
perimeters, security perimeters, 192
Peripheral Component Interconnect (PCI), 184
Peripheral Component Interface Express (PCIe), 184
permanent virtual circuits (PVCs), 337
personal area networks (PAN), 325
personal information, protecting, 121–122
personal information websites, 122
personnel mobilization, BCP (business continuity plan), 615–616
personnel security, implementing, 156–157
personnel security attacks, 126
PERT (Program Evaluation and Review Technique), 560
PGP (Pretty Good Privacy), 242, 278, 317
pharming attacks, 447
phased changeover, 553
phishing, 454
photoelectric sensors, 107
phreakers, 127, 345–346, 508, 508–509
FEMA (Federal Emergency Management Administration), 508
phreaking, Van Eck phreaking, 524
physical access
password attacks, 449
physical controls, 155
physical destruction, 503
physical layer, OSI (Open Systems Interconnection) model, 299
physical port controls, 82
physical security, 72
alarm systems, 106
IDS (intrusion detection systems), 106–107
monitoring and detection, 107–108
disaster recovery, 534
equipment lifecycle, 101
facilities, 76
asset placement, 82
construction, 78
CPTED (Crime Prevention Through Environmental Design), 76–77
employee access control. See employee access control
environmental controls, 98
heating, ventilating, and air conditioning, 98–99
location, 78
perimeter controls. See perimeter controls
UPS (uninterruptible power supplies), 100
fire suppression, 103
fire-detection equipment, 102–103
perimeter controls, CCTV (closed-circuit television), 87
physical port controls, 82
technical problems, 75
physical security attacks, 126
physical security testing, 429
PIA (privacy impact analysis), 42
picks, 93
PIDAS (perimeter intrusion and detection assessment system), 83
piggybacking, 85
pilot tests, 551
ping of death, 442
pipelining, 177
piracy, software piracy, 50
PKI (public key infrastructure, 95, 272
CA (Certificate Authority), 272–273
CRL (Certificate Revocation List), 273–274
RA (Registration Authority), 273
Plain Old Telephone Service (POTS), 337–338
plan design and development, BCP (business continuity plan), 615
employee services, 617
interacting with external groups, 616–617
personnel mobilization, 615–616
Platform-as-a-Service (PaaS), 342, 503
Please Do Not Throw Sausage Pizza Away, 297–298
plenum-grade cable, 324
Point-to-Point Protocol (PPP), 360
Point-to-Point Tunneling Protocol (PPTP), 55, 283
policies
data governance policies, 30–31
new-hire agreements and policies, 157
advisory policies, 151
developing/implementing, 149–150
regulatory policies, 152
polyalphabetic cipher, 238–239
polyinstantiation, OOP (object-oriented programming), 565–566
polymorphism, OOP (object-oriented programming), 565
POP3, 505
Port Address Translation (PAT), 358
port-mapped I/O, 180
ports
application layer, TCP/IP, 314
physical port controls, 82
TCP/IP, 317
potential loss, assessing, 595–598
POTS (Plain Old Telephone Service), 337–338
power
generators, 100
PP (Protection Profile), 212
PPP (Point-to-Point Protocol), 360
PPTP (Point-to-Point Tunneling Protocol), 55, 283
pre-action, water sprinklers, 104
presentation layer, OSI (Open Systems Interconnection) model, 301–302
pressure sensitive sensors, 106
pretexting, 454
Pretty Good Privacy (PGP), 242, 278, 317
preventative access controls, 155
preventative controls, 550–551
preventing
social engineering attacks, 496
PRI (Primary Rate Interface), 338
primary images, 478
primary keys, databases, 568
Primary Rate Interface (PRI), 338
principle, Kerberos, 394
principle of least privilege, 374–375, 495
print servers, 186
priorities, criticality prioritization, 594
privacy
cryptography, 235
HIPAA (Health Insurance Portability and Accountability Act), 58–59
privacy controls, 43
Privacy Enhanced Mail (PEM), 278
privacy impact assessment, 42–43
private, public/private data classification, 48
private key cryptography, 259
Privilege Attribute Certificates (PACs), 396
privileged entities, 495
privileged mode, 188
probabilistic risk assessment, 130
probalistic approach, knowledge extraction, 37
problem mode, 188
problem state, CPU (central processing unit), 177
procedures
forensics, 473
risk management, 153
process activation, 189
process activity, 179
process isolation techniques, 179
process spoofing, 453
processes
change control process, 561–562
data governance policies, 31
processor speed, 178
product security evaluation models, 206
ITSEC (Information Technology Security Evaluation Criteria), 210
Rainbow Series, 207
profile management, 391
Program Evaluation and Review Technique (PERT), 560
programmed I/O, 180
programming languages, 562–565
ActiveX, 564
C, 564
C#, 564
C+, 564
C++, 564
COBOL (Common Business Oriented Language), 564
FORTRAN, 564
HTML, 564
Java, 564
Ruby, 564
scripting languages, 565
Visual Basic, 564
XML (Extensible Markup Language), 565
project initiation, SDLC (System Development Life Cycle), 546–547
project management, BCP (business continuity plan), 591–593
promiscuous mode, 440
Protected EAP (PEAP), 361
protection of data, 28
intellectual property, 121
resources, 496
protection of personal information, 121–122
Protection Profile (PP), 212
protocol data unit (PDU), 303, 304
protocol translators, 333
protocol-based, anomaly-based IDS engines, 528
protocols
ARP (Address Resolution Protocol), 306, 310
BootP (Bootstrap Protocol), 315
CHAP (Challenge Handshake Authentication Protocol), 360, 404
communication protocols, 318–319
distance-vector protocols, 334
DNS (Domain Name Service), 315
EAP (Extensible Authentication Protocol), 360–361, 404
EGP (Exterior Gateway Protocol), 336
Ethernet II protocol, 318
exterior gateway protocols, 336
FTP (File Transfer Protocol), 314
HTTP (Hypertext Transfer Protocol), 315–316
ICMP, 306
ICMP (Internet Control Message Protocol), 309–310
IGMP (Internet Group Management Protocol), 310–311
IGRP (Internet Gateway Routing Protocol). See IGRP (Internet Gateway Routing Protocol)
IMAP (Internet Message Authentication Protocol), 316
IP (Internet Protocol), 306–309
LDAP (Lightweight Directory Access Protocol), 316, 404
Line Printer Daemon, 316
link-state protocols, 335
MS-CHAPv2, 404
OSPF (Open Shortest Path First), 335
PAP (Password Authentication Protocol), 360, 404
PGP (Pretty Good Privacy), 317
PPP (Point-to-Point Protocol), 360
RIP (Routing Information Protocol), 316–317
routed protocols, 333
routing protocols, 333–334, 335
SMTP (Simple Mail Transfer Protocol), 314–315
SNMP (Simple Network Management Protocol), 316
SSL (Secure Sockets Layer), 316
STP (Spanning Tree Protocol), 331
TCP (Transmission Control Protocol), 312–313
Telnet, 314
TFTP (Trivial File Transfer Protocol), 315
trunking protocols, 331
UDP (User Datagram Protocol), 313
prototyping, development methods, 556–557
pseudorandom, 247
public, public/private data classification, 48
public affairs officer (PAO), 616
public key cryptography, 259
public key encryption, 260–261
public key infrastructure. See PKI (public key infrastructure)
public-key cryptosystem, 265
public/private data classification, 48
PVCs (permanent virtual circuits), 337
Q
QoS (quality of service), VoIP (voice over IP), 343
qualitative assessment, 596–597
versus quantitative assessments, 145–146
qualitative ranking, 597
quality assurance specialists, 493
versus qualitative assessment, 145–146
quantum cryptography, 242
question-handling strategies, 24–25
questionnaires, BIA (business impact analysis), 595–597
questions
drag and drop questions, 21
hotspot question format, 22–23
multiple-choice questions, 21
R
RA (Registration Authority), 273
race conditions, 220
RAD (Rapid Application Development), 556
radio frequency interference (RFI), 99
Radio Shack, 154
RADIUS (remote authentication dial-in user service), 362, 404–405
RAID (Redundant Array of Inexpensive Disks), 514–516, 606–607
Rainbow Series, 207
Red Book, 209
rainbow tables, 452
RAIT (redundant array of independent tapes), 513
raking, 93
RAM (random access memory), 181–182
random access memory (RAM), 181–182
range check, 544
Rapid Application Development (RAD), 556
Rapid Spanning Tree Protocol (RSTP), 331
RAT (remote access Trojan), 458
RBAC (role-based access controls), 401–402
RC2, 258
RC4 (Rivest Cipher 4), 251, 258–259
WEP (Wired Equivalent Privacy), 352
RC5 (Rivest Cipher 5), 251, 259
RC6, 259
RDBMS (relational database management system), 567
read-only memory (ROM), 182
ready state, CPU (central processing unit), 177
realms, Kerberos, 393
reasonably prudent person rule, 497
reciprocal agreements, facility and supply recovery, 604–605
reciprocation, social engineering, 163
recovery access controls, 155
recovery point objective (RPO), 613
recovery procedures, 195
recovery strategies, BCP (business continuity plan), 599–600
backup and restoration, 609–611
business process recovery, 600–601
data and information recovery, 608–609
facility and supply recovery, 601
user recovery, 605
recovery time objective (RTO), 613
recovery times, 610
Red Book, 209
red box, phreakers, 508
red teams, 430
Reduced Instruction Set Computing (RISC), 178
redundancy (location), SAN (storage area network), 40
Redundant Array of Inexpensive Disks (RAID), 514–516
redundant array of independent tapes (RAIT), 513
redundant routing, 607
reference monitors, TCB (trusted computer base), 189–191
referential integrity, 569
Regional Internet Registry (RIR), 333
Registration Authority (RA), 273
regression tests, 552
regulatory compliance, 218
regulatory law, 124
regulatory policies, 152
regulatory requirements, ethics, 167–168
relation, databases, 568
relational database management system (RDBMS), 567
relative addressing, 181
religious law, 125
remote access, 502
CHAP (Challenge Handshake Authentication Protocol), 360
EAP (Extensible Authentication Protocol), 360–361
PAP (Password Authentication Protocol), 360
PPP (Point-to-Point Protocol), 360
remote access Trojan (RAT), 458
remote authentication dial-in user service (RADIUS), 362
remote journaling, 612
remote meetings, 365
removable media, endpoint security, 56
repeaters, 328
replay attack, 288
reports, risk management teams, 148
reputation, 599
residual information, 554
resource protection, 496
international resources, 61–63
responding to operational security incidents, 530
responsibilities
BCP (business continuity plan), 622
restoration from backups, 609–611
results, incident response, 470–471
retina patterns, 388
retina scans, 97
reverse engineering, 551
RFC (Request for Comments), 165–166
RFI (radio frequency interference), 99
RIP (Routing Information Protocol), 316–317, 334–335
RIR (Regional Internet Registry), 333
RISC (Reduced Instruction Set Computing), 178
risk
defined, 130
exposed risk, 138
risk acceptance, 146
counter measure selection, 146–149
qualitative assessment, 142–146
quantitative assessments, 139–142
security policies, developing/implementing, 149–150
risk avoidance, 137
risk factor analysis, 130
asset identification and valuation, 133–135
baselines, 152
guidelines, 153
organization processes, 119–120
procedures, 153
counter measure selection, 146–149
standards, 152
risk management teams, 131–132
reports, 148
risk matrix, 149
risk mitigation, 147
risk registers, 130
risk tolerance, 147
risk transference, 147
risks, physical security, 72–73
rogue security software, 463
role-based access control (RBAC), 401–402
roles
rollback plans, 499
ROM (read-only memory), 182
rootkits, 461
ROT3, 237
rotation cipher, 237
routed protocols, 333
routing, 332
alternate routing, 607
diverse routing, 607
routing by rumor, 334
Routing Information Protocol (RIP), 316–317
routing protocols, 333–334, 335
Royce, Winston, 554
RPO (recovery point objective), 613
RSTP (Rapid Spanning Tree Protocol), 331
RTM worm, 577
RTO (recovery time objective), 613
rubber hose attack, 288
Ruby, 564
rule-based access controls, 402, 412
running key cipher, 241
S
SA (Security Association), 282
SaaS (Software-as-a-Service), 341, 504
SABSA (Sherwood Applied Business Security Architecture), 215
SAFER (Secure and Fast Encryption Routine), 251
salami attacks, 575
Sality, 578
SAML (Security Association Markup Language), 377
SAN (storage area network), 38–41, 613
sandboxes, 509
SANs (storage area networks), 325–326, 513–514
Sarbanes-Oxley Act (SOX), 60, 168, 497
SAS 70 report, 119
SASD (sequential access storage device), 513
SATA (Serial ATA), 184
SATAN (Security Administrator Tool for Analyzing Networks), 164
scanning, 438
scarcity, social engineering, 162
schemas, databases, 568
scoping, 58
screened host firewalls, 359
scripting languages, 565
scrubbing, 93
scrum, 558
SCSI (Small Computer Systems Interface), 184
scytale, 237
SDL (Security Development Lifecycle), 545
SDLC (Synchronous Data Link Control), 341
SDLC (System Development Life Cycle), 545–546
acceptance testing and implementation, 551–552
disposal, 553
functional requirements and planning, 547–548
operations and maintenance, 552–553
separation of duties, 550
software design specifications, 548
software development and build, 549–551
SDRAM (synchronous DRAM), 182
SDSL (symmetric digital subscriber line), 340
sealing configurations, 53
secondary evidence, 482
secondary storage, 183
secret, military data classification, 47
Secure Electronic Transaction (SET), 280
Secure European System and Applications in a Multivendor Environment (SESAME), 396
Secure FTP (SFTP), 280
secure hashing algorithms (SHA), 269
Secure Hypertext Transfer Protocol (S-HTTP), 280
Secure Multipurpose Internet Mail Extensions (S/MIME), 278
secure network design, 296
secure real-time transport protocol (SRTP), 344
Secure Socket Tunneling Protocol (SSTP), 281
Secure Sockets Layer (SSL), 281, 316
secure storage management and replication, SAN (storage area network), 40
Secure Trusted Operating Program (STOP), 194
security
asset security, 28
availability, 29
CIA (confidentiality, integrity, and availability), 28
confidentiality, 28
data governance policies, 30–31
data security. See data security
integrity, 29
physical security, 72
facilities. See facilities
technical problems, 75
roles and responsibilities, 32–33
security governance, third party governance, 118–119
of software environments, 571–573
Security Administrator Tool for Analyzing Networks (SATAN), 164
security advisory groups, roles and responsibilities, 32
security and risk management domains, 116
security architects, 494
security architecture, 187
closed systems, 192
open systems, 192
TCB (trusted computer base), 189–192
vulnerability, 218
back doors, 220
mobile system vulnerabilities, 225–226
state attacks, 220
web-based vulnerabilities, 223–225
security assessments
vulnerability assessments, 427–428
Security Association Markup Language (SAML), 377
Security Association (SA), 282
Security Development Lifecycle (SDL), 545
Security DNS (DNSSEC), 315
Security Event Management (SEM), 414, 522
third party governance, 118–119
security information and event management (SIEM), 521–522
Security Information Management (SIM), 414, 522
security kernels, 191
security labels, reference monitors, 191
security logs, 434
security management
computer crime and hackers, 125–128
common computer ethics fallacies, 167
Computer Ethics Institute, 165
IAB (Internet Architecture Board), 165–166
ISC2, 164
regulatory requirements, 167–168
job rotation, 158
laws, 123
common law, 123
mandatory vacations, 159
new-hire agreements and policies, 157
personnel security, implementing, 156–157
protection of intellectual property, 121
protection of personal information, 121–122
separation of duties, 157
sexual harassment, 128
Brewer and Nash model, 205
Clark-Wilson model, 204
confidentiality, 199
CPU (central processing unit), 176–180
Graham Denning model, 205
Harrison-Ruzzo-Ullman model, 205
information flow model, 199
integrity, 202
Lipner model, 205
noninterference model, 199
product security evaluation models. See product security evaluation models
storage media, 181
Take-Grant model, 205
Security Parameter Index (SPI), 282
security perimeters, 192
advisory policies, 151
developing/implementing, 149–150
regulatory policies, 152
security software development lifecycle (SSDLC) model, 432
Security Target (ST), 212
security teams, 534
security threats. See threats
Security-Enhanced Linux, 195
SEDs (self-encrypting hard drives), 53–54
self-service password reset, 391
SEM (Security Event Management), 414, 522
semantic integrity, 569
senior management
BCP (business continuity plan), project management and initiation, 591–593
roles and responsibilities, 32
sensitive but unclassified or restricted
military data classification, 47
public/private data classification, 48
sensitivity, 48
data governance policies, 31
sensitivity labels, 400
sensor placement, IDS (intrusion detection systems), 413, 529
separation of duties, 157–158, 401, 494
SDLC (System Development Life Cycle), 550
sequence check, 543
sequential access storage device (SASD), 513
sequential storage, 183
Serial ATA (SATA), 184
server rooms, 82
service component reference model, 215
service packs, 572
Service Provisioning Markup Language (SPML), 392
Service Set ID (SSID), 351
service-level agreements (SLAs), 75, 101, 118, 606
service-oriented architecture (SOA), 392
SESAME (Secure European System and Applications in a Multivendor Environment), 396
session hijacking, 440
session keys, 265
session layer, OSI (Open Systems Interconnection) model, 301
SET (Secure Electronic Transaction), 280
sexual harassment, 128
SFTP (Secure FTP), 280
SHA (secure hashing algorithms), 269
SHA-1, 269
SHA-2, 269
SHA-3, 269
shared key authentication (SKA), 352
Sherwood Applied Business Security Architecture (SABSA), 215
shielded twisted pair (STP), 322–323
shoulder surfing, 453
shrink-wrap license agreements, 51
S-HTTP (Secure Hypertext Transfer Protocol (S-HTTP), 280
side channel attack, 288
SIEM, 414
SIEM (security information and event management), 521–522
signature scanning, 509
signature-based, anomaly-based IDS engines, 528
signature-based IDS engines, 411, 528
signatures, 577
digital signatures. See digital signatures
signing speeds, 271
silent hostage alarms, 95
SIM (Security Information Management), 414, 522
simple integrity property, 202
Simple Key Management for Internet Protocol (SKIP), 283
Simple Mail Transfer Protocol (SMTP), 314–315, 504
Simple Network Management Protocol (SNMP), 316
simple security property (ss property), 199–200
simple tape-rotation schemes, 611
simplex, 327
simulation, BCP (business continuity plan), 620
single loss expectancy (SLE), 139
single point of failure (SPOF), 195–196, 517
single sign-on (SSO), 374, 392–393
SESAME (Secure European System and Applications in a Multivendor Environment), 396
single-mode fiber, 324
single-state systems, 194
SKA (shared key authentication), 352
skilled hackers, 436
SKIP (Simple Key Management for Internet Protocol), 283
Skipjack, 251
slamming, 509
SLAs (service-level agreements), 75, 101, 118, 606
SLDC (System Development Life Cycle), 545
SLE (single loss expectancy), 139
Small Computer Systems Interface (SCSI), 184
smartphones, 186
SMDS (Switched Multimegabit Data Service), 341
S/MIME (Secure Multipurpose Internet Mail Extensions), 278
smishing, 454
SMTP (Simple Mail Transfer Protocol), 314–315, 357, 504
smurf, 442
SNIA (Storage Network Industry Association), 39
sniffers, 440
sniffing password hashes, 449–450
SNMP (Simple Network Management Protocol), 316
Snowden, Edward, 286
SOA (service-oriented architecture), 392
sociability tests, 552
social engineering, 176
preventing attacks, 496
social engineering attacks, 126, 454–455
techniques for, 455
social engineering testing, 429
social networking, background checks, 157
social validation, social engineering, 163
SOCKS, 357
software design specifications, SDLC (System Development Life Cycle), 548
agile development methods, 557–558
CASE (Computer-Aided Software Engineering), 557
change control process, 561–562
CMM (Capability Maturity Model), 558–560
CMMI (Capability Maturity Model Integration), 610–611
CORBA (Common Object Request Broker Architecture), 566
development methods, 554
JAD (Joint Application Development), 555–556
MPM (Modified Prototype Model), 557
RAD (Rapid Application Development), 556
waterfall model, 554
OOP (object-oriented programming), 565–566
programming languages, 562–565
SDLC (System Development Life Cycle)
acceptance testing and implementation, 551–552
disposal, 553
functional requirements and planning, 547–548
operations and maintenance, 552–553
software design specifications, 548
software development and build phase, 549–551
software development and build phase, SDLC (System Development Life Cycle), 549–551
software encryption, 54
software forensics, 472
Software IP Encryption (SwIPe), 283
software keystroke loggers, 416, 523
software licensing, 50–51, 183
software piracy, 50
Software-as-a-Service (SaaS), 341, 504
something you are (Type 3), authentication, 376, 385–390
something you have (Type 2), authentication, 376, 381
asynchronous token devices, 382–383
something you know (Type 1), 377–379
authentication, 376
SONET (Synchronous Optical networking), 336
SOX (Sarbanes-Oxley Act), 60, 168, 497
spam, 457
Spam over Internet Telephony (SPIT), 344
Spanning Tree Protocol (STP), 331
spear phishing, 454
SPI (Security Parameter Index), 282
SPIT (Spam over Internet Telephony), 344
SPML (Service Provisioning Markup Language), 392
SPOF (single point of failure), 195–196, 517
spoofing, 453
spread-spectrum technology, 346
SRAM (Static Random Access Memory), 181
SRTP (secure real-time transport protocol), 344
SSD (static separation of duty), 401
SSDLC (security software development lifecycle) model, 432
SSID (Service Set ID), 351
SSL (Secure Sockets Layer), 281, 316
SSO (single sign-on), 374, 392–393
SSTP (Secure Socket Tunneling Protocol), 281
ST (Security Target), 212
standards
communication, 327
risk management, 152
WLANs (wireless LANs), 349
standby lighting, 88
star * security property, 200
start * integrity property, 202
state attacks, 220
stateful firewalls, 356
static NAT, 358
Static Random Access Memory (SRAM), 181
static routing, 334
static separation of duty (SSD), 401
static WEP, 352
statistical approach, knowledge extraction, 37
statistical based, anomaly-based IDS engines, 528
steganography operations, 244–245
stegomedium, 244
Stoll, Clifford, 466
STOP (Secure Trusted Operating Program), 194
storage
data storage. See data storage
storage area networks (SANs), 325–326
storage media, 181
RAM (random access memory), 181–182
ROM (read-only memory), 182
Storage Network Industry Association (SNIA), 39
store-and-forward switches, 330
STP (shielded twisted pair), 322–323
STP (Spanning Tree Protocol), 331
strategies for taking exams, 24–25
question-handling strategies, 24–25
boolean operators, 248
strict source routing, 307
strong authentication, 390
strong star * property, 200
structured walkthrough, BCP (business continuity plan), 620
subjects, 375
TCB (trusted computer base), 191
subscription services, 601–603
substitution box (s-box), 248
superscalar processors, 178
supervisor state, CPU (central processing unit), 177
supplicant, 362
supplies teams, 534
surveillance, 479
SVCs (switched virtual circuits), 337
swap partitions, 185
SwIPe (Software IP Encryption), 283
Switched Multimegabit Data Service (SMDS), 341
switched virtual circuits (SVCs), 337
application switches, 330
content switches, 330
content-services switches, 330
higher-layer switches, 330
symmetric algorithms, 247, 250–251
symmetric cryptography, 236
symmetric digital subscriber line (SDSL), 340
symmetric encryption, 237, 249–252, 272
versus asymmetric encryption, 264–265
confidentiality, 250
stream ciphers, 248
symmetric keys, distribution of, 249–250
symmetric substitution ciphers, 240
SYN flood, 442
Synchronous Data Link Control (SDLC), 341
Synchronous DRAM (SDRAM), 182
Synchronous optical networking (SONET), 336
synchronous replication, 611
synthetic transactions, 434
system analysts, 494
System Cold Start, 195
Orange Book, 501
System Compromise, 195
system development. See software development
System Development Life Cycle (SLDC). See SDLC (System Development Life Cycle)
system failures
checks and application controls, 543–544
recovery procedures, 195
system high, security modes of operation, 193
system logs, 434
System Reboot, 195
system reboot, Orange Book, 501
system resilience, 511
System Restart, 195
system testing, 551
system validation, 213
systems administrators, 493
T
T1, 339
T3, 339
table lookups, 544
TACACS (Terminal Access Controller Access Control System), 362, 406
TACACS+, 362
tailgating, 85
tailoring, 58
Take-Grant model, 205
tamper protection, 108
tangible assets, 496
tape backups, 611
tape rotation methods, 513
Target of Evaluation (TOE), 210
task-based access control (TBAC), 402
TBAC (task-based access control), 402
TCB (trusted computer base), 189–192
TCP (Transmission Control Protocol), 311, 312–313
comparing to UDP, 313
TCP/IP, 313
host-to-host layer, 311
TCP (Transmission Control Protocol), 312–313
UDP (User Datagram Protocol), 313
Internet layer, 306
ARP (Address Resolution Protocol), 310
ICMP (Internet Control Message Protocol, 309–310
IGMP (Internet Group Management Protocol), 310–311
IP (Internet Protocol), 306–309
ports, 317
securing with cryptography, 279
application/process layer controls, 280
host to host layer controls, 280–282
Internet layer controls, 282–283
network access layer controls, 283–284
TCSEC (Trusted Computer System Evaluation Criteria), 207, 500
teams
administrative support teams, 534
BCP (business continuity plan) teams, 591–593
communications teams, 534
coordination teams, 534
damage assessment teams, 534
disaster recovery teams, 533–534
emergency management teams, 534
emergency operations teams, 534
emergency response teams, 534
finance teams, 534
incident response, 468
incident response teams, 534
penetration test teams, 430
risk management teams, 131–132
reports, 148
security teams, 534
supplies teams, 534
transportation teams, 534
teardrop, 442
technical controls, 155
technical problems, physical security, 75
technical reference model, 215
technical support, equipment lifecycle, 52
Tejon Crypter, 460
Telco gear, 472
telecommunication controls, 503
blacklists, 506
graylists, 506
whitelists, 506
telecommunications equipment, 328
bridges, 328
gateways, 333
hubs, 328
mirrored ports, 330
repeaters, 328
VLANs (virtual LANs), 331
temperatures, data centers, 98
Temporal Key Integrity Protocol (TKIP), 353
tension wrenches, 93
Terminal Access Controller Access Control System (TACACS), 362
terminated employees
data access, 33
terrorism, physical security, 74
testing
application security testing, 429
BCP (business continuity plan), 619–621
blackbox testing, 428
blind tests, 429
denial-of-service (DoS) testing, 429
garbage in, garbage out testing, 552
graybox testing, 428
importance of, 435
interface testing, 551
outsider testing, 429
physical security testing, 429
social engineering testing, 429
system testing, 551
unit testing, 551
war dialing, 429
whitebox testing, 428
wireless network testing, 429
alpha tests, 551
blackbox tests, 552
double-blind tests, 429
final tests, 552
function tests, 552
parallel tests, 552
pilot tests, 551
regression tests, 552
sociability tests, 552
whitebox tests, 552
TFTP (Trivial File Transfer Protocol), 315
TGTs (ticket-granting tickets), 394
theft, physical security, 74
thin clients, 393
third party governance, 118–119
threat agents, 136
access control threats, 448
eavesdropping, 453
shoulder surfing, 453
spoofing, 453
unauthorized access, 448
to business operations, 588–589
malicious software threats, 456
APTs (advanced persistent threats), 462
rootkits, 461
worms, 457
network security threats, 439
ARP poisoning, 446
database attacks, 446
DDoS (distributed denial of service) attacks, 443
DNS spoofing, 447
mail bombing, 447
pharming attacks, 447
session hijacking, 440
traffic analysis, 447
war dialing, 447
war driving, 447
wiretapping, 441
zero-day exploits, 447
Tibetan monks, Biba model, 203
ticket-granting service, KDC (Key Distribution Center), 394
ticket-granting tickets (TGTs), 394
tickets, Kerberos, 393
tidal waves, 73
time multiplexing, 179
time of check (TOC), 220
time of use (TOU), 220
TKIP (Temporal Key Integrity Protocol), 353
TLS (Transport Layer Security), 281, 354
TNI (Trusted Network Interpretation), 209
TOC (time of check), 220
TOE (Target of Evaluation), 210
asynchronous token devices, 382–383
employee access control, 94–95
reference monitors, 191
top secret, military data classification, 47
topologies, network topologies, 319
bus topology, 319
fully connected topology, 322
mesh topology, 321
tornadoes, 73
TOU (time of use), 220
Tower of Hanoi, 612
TP (transformation procedures), 204
TPM (trusted platform module), 53
trace evidence, 482
trade secrets, 34
trademarks, 34
traffic analysis, 447
traffic padding, 285
traffic-based, anomaly-based IDS engines, 528
training
BCP (business continuity plan), implementing, 619
transaction processing, 569–570
transformation procedures (TP), 204
Transmission Control Protocol. See TCP (Transmission Control Protocol)
transport and tunnel modes, 283
transport layer, OSI (Open Systems Interconnection) model, 300–301
Transport Layer Security (TLS), 281
transport layer security (TLS), 354
transport mode, IPSec, 363
transportation teams, 534
transposition ciphers, 240
Triangle Shirtwaist factory, 79
Trivial File Transfer Protocol (TFTP), 315
tropical cyclones, 73
trunking protocols, 331
trusted computer base (TCB), 189–192
Trusted Computer System Evaluation Criteria (TCSEC), 207, 500
Trusted Network Interpretation (TNI), 209
trusted platform modules (TPM), 53
TrustedBSD, 195
tsunamis, 73
tumbler locks, 91
tunnel mode, IPSec, 363
tunnels
Host-to-LAN tunnels, 55
LAN-to-LAN tunnels, 55
tuple, databases, 568
turnstiles, 85
Twofish, 250
Type I errors, 386
Type II errors, 386
typhoons, 73
U
UA (Uptime Agreement), 119
UDIs (unconstrained data items), 204
UDP (User Datagram Protocol), 311, 313
comparing to TCP, 313
UEFI (Unified Extensible Firmware Interface), 182
unauthorized access, 448
unauthorized phone use, VoIP (voice over IP), 344
uncappers, 340
unclassified or official, military data classification, 47
unconstrained data items (UDIs), 204
unicode encoding, 223
Unified Extensible Firmware Interface (UEFI), 182
uninterruptible power supply (UPS), 100
unit testing, 551
United States
methods government can use to defeat encryption, 286
privacy laws, 122
United States resources, 60–61
United States Securities Act of 1933, 496–497
unshielded twisted pair (UTP), 322–323
UPS (uninterruptible power supplies), 100
Uptime Agreement (UA), 119
URL encoding, 223
U.S. Child Pornography Prevention Act of 1996, 123
U.S. Patriot Act of 2001, 123
usage patterns, monitoring, 408–409
USB, 82
user activities, auditing, 519
User Datagram Protocol. See UDP (User Datagram Protocol)
user mode, 188
user provisioning, 391
user recovery, 605
user spoofing, 453
users
controlling access, 495
privileged entities, 495
resource protection, 496
roles and responsibilities, 32
terminated employees, data access, 33
utilities, facilities, 77
utility loss, physical security, 75
UTP (unshielded twisted pair), 322–323
V
vacations, mandatory vacations, 159
validity check, 544
vandalism, physical security, 74
Venema, Wietse, 427
ventilating, facilities, 98–99
verifying, patches, 511
vertical privilege escalation, 439
very high data rate digital subscriber line (VDSL), 340
vibration sensors, 106
views, databases, 568
virtual LANs (VLANs), 329
virtual mapping, 179
virtual private networks (VPNs), 55
virtual SAN (VSAN), 39
virtualization, 185
fast infection viruses, 576–577
I Love You virus, 464
Melissa virus, 464
forensics, 479
Visual Basic, 564
VLAN hopping, 331
VLANs (virtual LANs), 329, 331
voice communication recovery, 607
voice recognition, 388
VoIP (voice over IP), 343
QoS (quality of service), 343
UDP (User Datagram Protocol), 313
VPNs (virtual private networks), 55
VSAN (virtual SAN), 39
security architecture, 218
back doors, 220
mobile system vulnerabilities, 225–226
state attacks, 220
web-based vulnerabilities, 223–225
vulnerability assessments, 427–428
BIA (business impact analysis), 595
vulnerability scanners, 427–428
W
wait state, CPU (central processing unit), 177
WANs (wide area networks), 325, 336
circuit switching, 337
DSL (digital subscriber line), 339–340
ISDN (Integrated Services Digital Network), 338
POTS (Plain Old Telephone Service), 338
HDLC (High-Level data Link Control), 341
high-speed serial interface, 341
packet switching, 336
ATM (asynchronous transfer mode), 337
Frame Relay, 337
X.25, 336
SDLC (Synchronous Data Link Control), 341
SMDS (Switched Multimegabit Data Service), 341
WAP (Wireless Application Protocol), 354
war chalking, 354
warded locks, 91
warm sites, 602
Wassenaar Arrangement, 285
waterfall model, 554
watermarks, digital watermarks, 245–246
Watson, 570
web conferencing, 364
web servers, 186
Web Services Security, 392
web-based vulnerabilities, 223–225
websites, personal information websites, 122
Weev, 436
WEP (Wired Equivalent Privacy), 258–259, 352
static WEP, 352
wet pipes, water sprinklers, 104
whaling, 454
whitebox testing, 428
whitebox tests, 552
whitelists, 506
wide area networks (WANs), 325
Wi-Fi Protected Access (WPA), 353
windows
physical security, 81
wire area networks. See WANs (wide area networks)
Wired Equivalent Privacy (WEP), 258–259, 352
static WEP, 352
wireless access points, 351
Wireless Application Protocol (WAP), 354
wireless devices, 347
wireless LANs (WLANs), 347
components of, 351
standards, 349
wireless markup language (WML), 354
wireless network testing, 429
wireless networking cards, 351
wireless networks, topologies, 348
wireless PANs (WPANs), 325, 349
wireless protection mechanisms, 352–354
wireless sniffers, 351
wireless topologies, 348
Wireless Transport Layer Security (WTLS), 281–282
wiretapping, 441
WLANs (wireless LANs), 347
components of, 351
standards, 349
WML (wireless markup language), 354
work recovery time (WRT), 615
workflow, business process recovery, 600–601
WPA (Wi-Fi Protected Access), 353
WPA2-Enterprise, 284
WPANs (wireless PANs), 325, 349
wrappers, 459
WRT (work recovery time), 615
WTLS (Wireless Transport Layer Security), 281–282, 354
X-Y
X.25, 336
XML (Extensible Markup Language), 392, 565
XOR (exclusive-or), 352
XP (extreme programming), 558
XSS (cross-site scripting), 223
XTACACS (Extended TACACS), 406
XTR, 263
XTS-400, 194
Z
Zachman model, 215
zero knowledge proof, 260
zero-day exploits, 447
ZigBee, 350
Zimmermann, Phil, 278