INDEX

Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.

Numbers

1G mobile wireless, 733–735

2G mobile wireless, 733–735

3DES (Triple-DES)

comparing algorithm functions, 831

defined, 812

overview of, 808

3G mobile wireless, 733–735

3GPP (Third Generation Partnership Project), 734

4G mobile wireless, 734–735

5G mobile wireless, 734

6to4 tunneling, 545–546, 549

10Base-T, 568

100Base-TX (Fast Ethernet), 568

10Base2 (ThinNet), 568

10Base5 (ThickNet), 568

64-bit addresses and data buses, 308

1000Base-T, 569

1000Base-X (Gigabit Ethernet), 569, 619

A

AAA (authentication, authorization, and auditing) protocols

Diameter, 238–240

overview of, 233

RADIUS (Remote Authentication Dial-In User Service), 234, 238

TACACS (Terminal Access Controller Access Control System), 234–238

ABR (Available Bit Rate), 681

absolute addresses, 330–331, 339

abstract machine (reference monitor)

defined, 365

for enforcing security policy, 362–363

abstraction

defined, 1141

as goal of memory management, 322

in high-level languages, 1126, 1128

in OOP, 1134

academic software licenses, 1004

acceptable use policy, 1250

acceptance testing, in software development, 1105

access cards, in authentication by ownership, 163

access control

account management, 177

AIC (availability, integrity, confidentiality) triad and, 158–160

authorization. See authorization

biometric systems, 190–192

biometrics for, 187–190

BS7799 and, 37

CBK security domains, 4

cryptographic keys, 198–199

database management and, 1169

database security and, 1184–1185

directories and directory services, 168–169

directories in identity management, 169–171

directory services as SSO system, 217–218

dominance relations and, 370

facility and, 476–477

factors used in authentication, 162–164

federated identities, 180–183

identification, authentication, authorization, and accountability, 160–162

identity management, 165–168

Kerberos. See Kerberos

markup languages and, 183–187

media controls, 1258

memory cards, 199

natural access control, 437–440

overview of, 157–158

passphrases, 199

passwords. See passwords

personnel and, 483–484

profile updates, 179–180

quick tips, 277–281

review answers, 291–295

review questions, 282–290

security domains, 214–217

SESAME SSO system, 214

smart cards, 200–202

SSO (single sign-on), 207–209

summary, 277

system-based authentication, 164

thin clients, 218–219

token devices, 196–198

user provisioning, 178–179

WAM (web access management), 171–174

Web security and, 1160–1161

wireless standards, 723

access control administration

centralized, 233

decentralized, 240–241

Diameter, 238–240

overview of, 232

RADIUS (Remote Authentication Dial-In User Service), 234, 238

TACACS (Terminal Access Controller Access Control System), 234–238

access control lists. See ACLs (access control lists)

access control methods

administrative controls (soft controls), 242–243

categories or layers of, 241–242

overview of, 241

physical controls, 243–245

technical controls (logical controls), 245–248

access control models

DAC (discretionary access control), 220–221, 227

MAC (mandatory access control), 221–223, 227

overview of, 219–220

RBAC (role-based access control), 224–227

sensitivity (security) labels in MAC, 223–224

access control monitoring

anomaly-based intrusion detection, 258–261

application-based intrusion detection, 264

honeypots in, 266–267

IDS sensors, 264–265

IDSs (intrusion detection systems), 255–257, 263

IPSs (intrusion prevention systems), 265–266

knowledge- or signature-based intrusion detection, 257

network sniffers, 268

overview of, 255

rule-based intrusion detection, 261–262

state-based intrusion detection, 258

access control practices

emanation security, 254–255

object reuse and, 253

overview of, 252–253

unauthorized disclosure of information, 253

access control techniques and technologies

access control matrices, 229

ACLs (access control lists), 230–231

capability tables, 229–230

constrained user interfaces, 228–229

content-dependent, 231

context-dependent, 231–232

overview of, 227

rule-based, 227–228

summary of, 233

access control threats

brute force attacks and countermeasures, 270

dictionary attacks and countermeasures, 269

identity theft, 275–277

overview of, 268–269

phishing and pharming attacks, 271–273

spoofing attacks, 270

threat modeling, 273–276

access points (APs), as WLAN component, 716

access rights

in Graham-Denning model, 384

in Harrison-Ruzzo-Ullman (HRU) model, 385

account management

approaches to identity management, 168

ASOR (Authoritative System of Record), 178

federated identities, 180–181

overview of, 177

profile updates, 179–180

user provisioning, 178–179

accountability

access control and, 160–162, 166

auditing in, 1239

computer security and, 298

keystroke monitoring for, 251–252

Orange Book assurance levels, 393

overview of, 248–250

protecting audit data, 251

reviewing audit information, 250–251

accreditation

defined, 412

system evaluation and, 406–407

system implementation and, 1092, 1095

ACID (atomicity, consistency, isolation, durability) test, 1187–1188

ACK packets

stateful firewalls and, 633–634

TCP handshake and, 539

ACLs (access control lists)

capability tables and, 229–230

defaulting to no access, 205

defined, 233

dynamic packet filtering and, 640–641

in identity management, 167

overview of, 229

packet-filtering firewalls and, 630–631

acoustical detection systems, IDSs (intrusion detection systems), 495–496

ACPA (Anti-cybersquatting Consumer Protection Act), 1061

acquisition/development phase, system development life cycle, 1087–1088, 1091

acrylic glass, for window security, 451–452

active agents (users), in Clark-Wilson security model, 374

active attacks, 865, 869

Active Directory (AD), as SSO system, 218

ActiveX controls, 1156–1157

ActiveX Data Objects (ADO), 1176

AD (Active Directory), as SSO system, 218

AD (architectural description), 300–301

ad hoc query language (QL), for relational databases, 1177–1178

ad hoc WLANs, 716

address bus, 307–308, 311

address resolution protocol (ARP), 580–582, 598

address space layout randomization (ASLR)

defined, 340

memory protection techniques, 336

adequate parameter validation, 1166

ADM (Architecture Development Model), 47

administration

of access control. See access control administration

of locks, 482

remote, 1251

security administrator vs. network administrator, 122–123

administrative controls (soft controls)

access control and, 241–243

overview of, 28

rotation of duties, 127

separation of duties, 126

administrative interfaces, Web security and, 1159–1160

administrative management

accountability, 1239

assurance levels, 1240

clipping level, 1239–1240

overview of, 1235–1237

security and network personnel, 1237–1238

administrative (regulatory) law, 996, 998

ADO (ActiveX Data Objects), 1176

ADSL (Asymmetric DSL), 699

Advanced Encryption Standard. See AES (Advanced Encryption Standard)

advanced persistent threat (APT), 987–988

advisory security policies, 104

adware, 1204

AES (Advanced Encryption Standard)

defined, 811

overview of, 809

replaces DES standard, 801

securing WLANs, 720, 722

agents, SNMP, 588–589

aggregation, as database security issue, 1183

Agile model, for software development, 1118–1120

AH (Authentication Header)

defined, 864

function of, 705

overview of, 861–863

transport adjacency and, 707

AI (artificial intelligence), in expert systems, 1192

AIC (availability, integrity, confidentiality) triad

access control and, 158–160

availability, 23

confidentiality, 24

integrity, 23–24

overview of, 22

AIK (Attestation Identity Key), in TPM (Trusted Platform Module), 844–845

AirSnort, WLAN security and, 719

alarms, automatic dial-up fire alarm, 471

ALE (annualized loss expectancy), in risk analysis, 87, 99

algebraic attacks, 868, 870

algorithms. See also ciphers

asymmetric key, 786, 815

comparing functions of, 831

comparing symmetric with asymmetric, 782

in cryptography, 765

defined, 770

hashing algorithms, 826–827

mathematics of, 816–817

public vs. secret key, 867

symmetric key, 783

techniques for improving cryptographic strength, 791

ALU (arithmetic logic unit), 304–305, 311

American National Standards Institute (ANSI), 570

American Society for Testing and Materials (ASTM), fire resistance ratings, 469

American Standard Code for Information Interchange. See ASCII (American Standard Code for Information Interchange)

amplitude, measuring signals in, 713

analog signals, 550–551, 556

analysis

of evidence (forensics), 1052

incident response procedures, 1039

stages of investigation process, 1047

analytic attacks, 868, 870

ANN (artificial neural network), 1195–1197

annualized loss expectancy (ALE), in risk analysis, 87, 99

annualized rate of occurrence (ARO), in quantitative risk analysis, 87–88

annunciator systems, in boundary security, 493

anomaly-based intrusion detection

defined, 263

protocol anomaly-based IDS, 260–261

statistical anomaly-based IDS, 258–260

traffic anomaly-based IDS, 260–261

ANSI (American National Standards Institute), 570

Anti-cybersquatting Consumer Protection Act (ACPA), 1061

antimalware programs, 1212–1213

antivirus programs, 602, 1207–1210

AP (authenticator), in IEEE 802.1X, 720–721

APIs (application program interfaces)

calling system services via, 335

in communication between application and underlying protocols, 521–522

component interaction via, 1134

controlling access between trusted and non-trusted processes, 345

defined, 354

appliances, firewall, 643

application-based intrusion detection, 264

application controls, vs. operating system controls, 1084–1085

application errors, risk management and, 71

application events, auditing, 249

application layer (layer 7), of OSI model

overview of, 521–522

protocols, 530

application-level proxy firewalls, 637–640, 642

application owner, responsibilities of, 123

application program interfaces. See APIs (application program interfaces)

application-specific integrated circuits (ASIC), 618

APs (access points), as WLAN component, 716

APT (advanced persistent threat), 987–988

architectural description (AD), 300–301

architecture

CBK security domains, 5

computer hardware. See hardware

defined in ISO/IEC 42010:2007, 301

developing enterprise architecture. See enterprise architecture development

enterprise security. See enterprise security architecture

firewall, 644–648

hardware architecture. See hardware architecture

operating systems. See operating system architecture

security. See security architecture

system. See system architecture

system security. See system security architecture

Architecture Development Model (ADM), 47

arithmetic logic unit (ALU), 304–305, 311

ARO (annualized rate of occurrence), in quantitative risk analysis, 87–88

ARP (address resolution protocol), 580–582, 598

ARP table cache poisoning, 581–582

artificial intelligence (AI), in expert systems, 1192

artificial neural network (ANN), 1195–1197

AS/NZS 4360, risk assessment and analysis, 81

ASCII (American Standard Code for Information Interchange)

email and, 602

presentation layer and, 522

ASIC (application-specific integrated circuits), 618

ASLR (address space layout randomization)

defined, 340

memory protection techniques, 336

ASOR (Authoritative System of Record), 178

ASs (autonomous systems), 608, 627

assemblers, 1128, 1141

assembly languages, 1126, 1141

assessment

designing physical security, 444

planning physical security, 432

responsibilities of security administrator, 1238

risk assessment. See risk assessment

assets

assigning value to, 76–77, 908–909

classifying and controlling, 36

identifying and managing, 1242–1243

protecting, 457–458, 985–986

assisted password reset, 175

assurance

evaluation criteria, 411

Orange Book assurance levels, 392–393

security modes and, 390–391

system evaluation, 391

trust and, 1240

ASTM (American Society for Testing and Materials), fire resistance ratings, 469

asymmetric cryptography

comparing algorithm functions, 831

comparing with symmetric, 786

defined, 792

Diffie-Hellman algorithm, 812–814

El Gamal algorithm, 818

elliptic curve systems, 818–819

hybrid methods using asymmetric algorithms, 792–796

knapsack algorithm, 819

numbers in, 816–817

one-way functions, 817–818

overview of, 784–786

PKI (public key infrastructure) compared with, 815

RSA algorithm, 815–816

strengths and weaknesses of, 786

types of systems, 812

zero knowledge proof, 819–820

Asymmetric DSL (ADSL), 699

asymmetric mode multiprocessing, 310–311

asymmetric services, DSL (digital subscriber line), 699

asynchronous communication

data transmission, 552–553

defined, 556

asynchronous cryptosystems, 807

asynchronous replication, 940

asynchronous token devices, 197–198

Asynchronous Transfer Mode. See ATM (Asynchronous Transfer Mode)

ATM (Asynchronous Transfer Mode)

characteristics of WAN technologies, 694

in evolution of telecommunications, 667–668

overview of, 679–680

switches, 517, 619

atomicity, consistency, isolation, durability (ACID) test, 1187–1188

attack surface, 1098, 1108

attack surface analysis, 1099–1100, 1108

attacks. See also by individual type

backdoor attacks, 1293–1295

browsing technique and, 1290

cryptographic, 865–869

on DNS, 597–598

on email, 604, 1279

evolution of cybercrime attacks, 986–989

hacking tools and, 1286

on ICMP, 587

Loki attacks, 1292

network channels for and targets of, 521

on one-way hash functions, 827–829

overview of, 1285

on passwords, 193, 213, 1292–1293

on PBX systems, 625

port scanning and, 1288–1289

risk management and, 71

on routing protocols, 611

session hijacking attacks, 1291–1292

on smart cards, 201–202

sniffing attacks, 1290–1291

on SNMP, 590

targeting, 1286–1288

threats. See threats

types of computer crime, 1058–1061

vulnerabilities. See vulnerabilities

vulnerability scanning, 1289–1290

WASC tracking, 1108–1109

attenuation, 561, 578

Attestation Identity Key (AIK), in TPM (Trusted Platform Module), 844–845

attributes, database, 1174

audit committee, 121

audit-reduction tool, 250

auditing/audit logs

AAA protocols. See AAA (authentication, authorization, and auditing)

in accountability, 1239

facsimile security and, 1285

keystroke monitoring, 251–252

liability and, 1025–1026

physical access, 498

protecting audit data, 251

reviewing audit information, 250–251

security administrator reviewing, 1238

technical controls (logical controls), 247–248

tracking media, 1258

auditors

audit committee and, 121

compliance with laws and regulations and, 1031–1032

responsibilities of, 125

on security steering committee, 120

authentication

AAA protocols. See AAA (authentication, authorization, and auditing)

access control and, 160–162, 166

account management and, 177

biometric systems, 190–192

biometrics for, 187–190

cognitive passwords, 195

cryptographic keys, 198–199

digital signatures for, 198

directories and directory services, 168–169

directories in identity management, 169–171

factors in, 162–164

federated identities, 180–183

identity management, 165–168

IPSec (IP Security) and, 861

Kerberos used for, 210–213

limiting logon attempts, 195

markup languages and, 183–187

memory cards, 199

OTP (one-time passwords), 196

passphrases, 199

password aging, 195

password checkers, 194–195

password hashing and encryption, 195

password management, 174–176, 192–194

PKI and, 833

profile updates, 179–180

race condition and, 161

RADIUS for device authentication, 548

Red Book, 398

services of cryptosystems, 769

smart cards, 200–202

system-based, 164

token devices, 196–198

user provisioning, 178–179

WAM (web access management), 171–174

Web security and, 1160–1161

wireless standards, 723

authentication, authorization, and auditing (AAA) protocols. See AAA (authentication, authorization, and auditing) protocols

authentication by characteristic, 162–163

authentication by knowledge, 162–163, 196

authentication by ownership, 162–163

Authentication Header. See AH (Authentication Header)

authentication protocols

CHAP (Challenge Handshake Authentication Protocol), 710

EAP (Extensible Authentication Protocol), 710–711

PAP (Password Authentication Protocol), 709

authentication server, 720

authenticator (AP), in IEEE 802.1X, 720–721

authenticity, computer security and, 298

Authenticode, 1156–1157

authoritative source, copying user information to directory, 178

Authoritative System of Record (ASOR), 178

authority, in business continuity and disaster recovery, 950

authorization

AAA protocols. See AAA (authentication, authorization, and auditing) protocols

access control and, 160–162, 166

creep, 207

defaulting to no access, 205

defining access criteria, 203–205

need-to-know principle in, 205–206

overview of, 203

race condition and, 161

services of cryptosystems, 769

automatic tunneling, comparing IPv4 with IPv6, 545–546

autonomous systems (ASs), 608, 627

availability. See also redundancy

access control and, 159

AIC triad. See AIC (availability, integrity, confidentiality) triad

availability, integrity, confidentiality (AIC) triad. See AIC (availability, integrity, confidentiality) triad

backups for, 1273

business continuity planning and, 888–889

computer security and, 298

controls related to, 25

MTBF (mean time between failures) and, 1264

MTTR (mean time to repair) and, 1264–1265

network and resource availability, 1263–1264

security principles, 23

Available Bit Rate (ABR), 681

avalanche effect, 788, 792

B

B2B (business-to-business) transactions, 185

B2C (business-to-consumer) transactions, 185

back doors

attacks, 1293–1295

maintenance hooks as, 409–410

removing, 1106

back-off algorithm, for timing collisions, 575–576

Back Orifice, 1293

background checks, hiring practices, 128–129

backups

HSM (Hierarchical Storage Management), 1274–1276

media management and, 1258

offsite facilities and, 923

overview of, 1273–1274

backups, in disaster recovery

data backups, 934–938

electronic solutions, 938–941

hardware backups, 928–929

software backups, 929–930

supplies and technology backups, 926–928

badges, personnel access control and, 484

balanced scorecards, as security metric, 134

bandwidth, 552

base register, in memory management, 323–324, 339

baseband communication, 554–556

Basel II, privacy protection regulations, 1015–1016, 1022

baselines

clipping level as, 1239–1240

combining with policies, standards, guidelines, and procedures, 107

planning physical security and, 434

security, 105

basic input/output system (BIOS), 325

Basic Rate Interface (BRI) ISDN, 697–698

Basic Security Theorem, in computer science, 370

Basic Service Set (BSS), 716

bastion host, 644–645, 659

Bayesian filtering, for spam detection, 1210–1212

BCM (business continuity management)

including in enterprise security program, 893–897

overview of, 888–889

standards and best practices, 890–893

BCP (business continuity plan)

backup facility options, 930–931

benefits of, 890

BIA (business impact analysis), 905–906

business process recovery, 918–919

contingency planning compared with, 1276

data backup options, 934–938

disruption types, 919

documentation and, 931–932

electronic backup solutions, 938–941

emergency response, 956–958

end-user environment and, 933–934

focusing on critical systems, 911

goal setting, 949–951

HA (high availability) and, 941–944

hardware backups, 928–929

human resources and, 932–933

implementing strategies for, 951–952

insurance options, 944–945

integrating into enterprise security plan, 895–897

interdependencies addressed, 912–913

lifecycle of, 960

MTD (maximum tolerable downtime), 909–910

offsite facilities as recovery options, 920–923

offsite facilities handled by reciprocal agreements with other companies, 923–925

outsourcing continuity in, 927

overview of, 887

planning for, 887–890

planning requirements, 904–905

policy for, 901

preventive measures, 913–914

project components, 897–899

project management, 901–903

project scope, 899–900

quick tips, 961–964

recent disasters and need for organizational planning, 885–887

recovering and restoring, 945–948

recovery metrics, 915–918

redundant sites, 925–926

review answers, 972–977

review questions, 964–972

risk assessment, 906–908

software backups, 929–930

standards and best practices, 890–893

storing plans for, 933

structure of, 952

summary, 961

supply and technology recovery, 926–928

testing and revising plans, 953–954

tests in, 955–956

training for, 956

valuation of assets, 908–909

BCP committee, 898

BEDO DRAM (Burst EDO DRAM), 326

behavior blocking antivirus programs, 1209–1210, 1214

behavioral model, of software requirements, 1098

Bell-LaPadula security model

Biba security model compared with, 373

core concepts, 385

as information flow model, 377–378

overview of, 369–371

best-effort service, QoS levels, 681

best evidence, 1055

BGP (Border Gateway Protocol), 627

BIA (business impact analysis)

assigning values to assets, 908–909

determining recovery metrics and maximum tolerable downtime, 917

focusing on critical systems, 911

MTD (maximum tolerable downtime), 909–910

overview of, 905–906

risk assessment, 906–908

Biba security model, 371–373

core concepts, 385

as information flow model, 377–378

binary format, vs. digital, 551

biometrics

authentication by characteristic, 163

overview of, 187–190

processing speed and, 189

types of systems, 190–192

BIOS (basic input/output system), 325

birthday attacks, 828–829, 833

blackout, electric power issues, 462–463

blind tests, penetration testing, 1301

block ciphers

Blowfish, 810

defined, 792

DES, 801

IDEA, 809–810

overview of, 787–788

RC5 and RC6 algorithms, 810

block devices. See I/O (input/output) devices

blocked state, process states, 313–314

Blowfish

comparing algorithm functions, 831

defined, 812

overview of, 810

Bluejacking, 727–728

blueprints, developing for security program, 65–67

Bluesnarfing, 728

Bluetooth wireless standard, 727–728

BNC (British Naval Connector), for coaxial cable, 560

board of directors

responsibilities of, 115

in security governance, 132–133

bollards, in natural access control, 437–438, 487

boot sector viruses, 1199

BOOTP (Bootstrap Protocol), 585

bootup sequence, checking following system crash, 1245–1246

Border Gateway Protocol (BGP), 611, 627

bot herders, 1204

botnets, 984, 1204–1205

bots, 984, 1214

bottom-up approach, to security programs, 63

boundary protections

auditing physical access, 498

bollards, 487

fencing, 485–487

IDSs (intrusion detection systems), 493–496

lighting, 488–489

overview of, 484–485

patrol forces and guards, 496

surveillance, 489–493

bounds checking, buffer overflows and, 334

Brewer and Nash (Chinese Wall) security model, 383–384, 386

BRI (Basic Rate Interface) ISDN, 697–698

bridges

forwarding tables, 614

OSI layer and, 623

overview of, 613

transparent bridging, 614

British Naval Connector (BNC), for coaxial cable, 560

British Standards Institute. See BSI (British Standards Institute)

broadband communication

data transmission, 554–555

defined, 556

satellite wireless connectivity, 729–730

Broadband ISDN, 697

broadcast storms, bridges and, 613

broadcast transmission, 579

brownout, electric power issues, 462–463

browsers, Internet security and, 853

browsing technique, used by intruders, 1290

brute force attacks

countermeasures, 270

overview of, 270

for password cracking, 1292

password management and, 193

PBX systems susceptible to, 625

BSA (Business Software Alliance)

combating software piracy, 1005

licensing and, 1249

BSI (British Standards Institute)

BS 7799 for security program development, 36–37

business continuity management standard (BS 25999), 891, 893

BSI (Build Security In) initiative, DHS (Department of Homeland Security), 1110–1111

BSS (Basic Service Set), 716

buffer overflows, 332–336

attack on routing protocols, 611

bounds checking and, 334

defined, 340

memory stacks and, 333–335

overview of, 332

vulnerabilities, 336, 1303–1304

Build and Fix model, for software development, 1111, 1119

Build Security In (BSI) initiative, DHS (Department of Homeland Security), 1110–1111

building codes, facility construction and, 446

bulletproof doors, options for physical security, 450

Burst EDO DRAM (BEDO DRAM), 326

bus topology

defined, 578

network topologies, 564, 566

business continuity

BS7799 and, 37

CBK security domains, 5

management. See BCM (business continuity management)

plan. See BCP (business continuity plan)

business continuity coordinator, 897, 903

Business Continuity Institute, 892

business, data classification and, 110–111

business enablement, in enterprise security architecture, 52–53

business impact analysis. See BIA (business impact analysis)

business interruption insurance, 945

business perspective, vs. technology perspective, 44

business process recovery, in disaster recovery, 918–919

Business Software Alliance (BSA)

combating software piracy, 1005

licensing and, 1249

C

C&A (certification and accreditation)

accreditation, 406–407

certification, 406

system implementation and, 1092

C&C (command-and-control) servers, 1205

cable modems

in broadband communication, 555

defined, 701

overview of, 700

cabling

coaxial, 557

connectors, 560

Ethernet, 568–569

fiber-optic, 558–560

fire ratings, 562

network diagramming, 625

overview of, 556–557

physical controls, 244–245

problems, 560–561

twisted-pair, 557–558

cache memory

defined, 339

memory management and, 322

overview of, 328

Caesar cipher

defined, 781

as example of substitution cipher, 778

in history of cryptography, 761–762

call-processing manager, smart phones, 686–687

Capability Maturity Model Integration (CMMI). See CMMI (Capability Maturity Model Integration)

Capability Maturity Models (CMMs). See also CMMI (Capability Maturity Model Integration), 1122

capability tables, 229–230, 233

capacitance detectors, IDSs (intrusion detection systems), 496

card badges, personnel access control and, 484

care-of addresses, IP addresses, 238

carrier sense multiple access with collision avoidance. See CSMA/CA (carrier sense multiple access with collision avoidance)

carrier sense multiple access with collision detection. See CSMA/CD (carrier sense multiple access with collision detection)

carriers, steganography, 775

CAs (certificate authorities)

defined, 848

Kerberos, 212

PKI, 834–837

CASE (computer-aided software engineering) tools, 1102, 1108

CAT 5 cable, 569

catastrophes, 919

CBC (Cipher Block Chaining) mode, DES, 803–805

CBC-MAC (cipher block chaining message authentication code)

CMAC variation on, 824–825

defined, 833

overview of, 823–824

CBK (Common Body of Knowledge)

CISSP domains and, 2–3

policies, standards, and guidelines corresponding to discipline tiers of, 894–895

security domains in, 4–6

CBR (Constant Bit Rate), QoS and, 680

CCD (charged-coupled devices), in surveillance devices, 491

CCMP (CCM Protocol), WLAN security and, 720

CCTV (closed-circuit TV)

components of, 494

depth of field of, 492

focal length of, 491–492

iris of, 492–493

mounting, 493

overview of, 490–491

CDDI (Copper Distributed Data Interface), 572

CDIs (constrained data items), in Clark-Wilson security model, 374–375

CDMA (code division multiple access), 732–733

CDs

media controls, 1254

protecting audit data, 251

for secondary storage, 337

ceilings, facility construction and, 447

cell phone cloning attacks, 736

cell phones. See mobile wireless communication

cell suppression, database security and, 1185, 1191

cells, database, 1174

Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM), 84–85

central processing units. See CPUs (central processing units)

CEO (chief executive officer)

executive succession planning, 933

liability under SOX, 1011

responsibilities of, 116

in security governance, 132–133

on security steering committee, 120

CER (crossover error rate), in biometrics, 188–189

CERT (Computer Emergency Response Team), 1037

certificate authorities. See CAs (certificate authorities)

certificate revocation lists. See CRLs (certificate revocation lists)

certificates. See digital certificates

certification. See also C&A (certification and accreditation)

defined, 412

system implementation and, 1092, 1095

vs. degrees, 131

CFB (Cipher Feedback) mode, DES, 805–806

CFO (chief financial officer)

executive succession planning, 933

liability under SOX, 1011

responsibilities of, 116

in security governance, 133

on security steering committee, 120

chain of custody of evidence, 1032, 1050–1052

Challenge Handshake Authentication Protocol. See CHAP (Challenge Handshake Authentication Protocol)

change control

defined, 1125

overview of, 1252–1254

software configuration management, 1124

software development and, 1122–1124

change control analyst, 124

channel for an attack, 521

Channel Service Unit/Data Service Unit (CSU/DSU), 673, 677

channels, as WLAN component, 716

CHAP (Challenge Handshake Authentication Protocol)

as AAA protocol, 233

overview of, 710

PPP and, 683

PPP authentication, 703

character devices. See I/O (input/output) devices

charged-coupled devices (CCD), in surveillance devices, 491

checklist test, business continuity and disaster recovery, 955

chief executive officer. See CEO (chief executive officer)

chief financial officer. See CFO (chief financial officer)

chief information officer. See CIO (chief information officer)

chief information security officer (CISO), 120, 133

chief privacy officer (CPO), 118–119

chief security officer (CSO), 119–120

Chinese Wall (Brewer and Nash) security model, 383–384, 386

chipping code, in DSSS, 714–715

chosen-ciphertext attacks, 869

chosen-plaintext attacks, 869

CIDR (classless interdomain routing), 543, 549

CIO (chief information officer)

executive succession planning, 933

responsibilities of, 118

in security governance, 133

on security steering committee, 120

Cipher-Based Message Authentication Code (CMAC), 824–825, 833

Cipher Block Chaining (CBC) mode, DES, 803–805

cipher block chaining-message authentication code. See CBC-MAC (cipher block chaining message authentication code)

Cipher Feedback (CFB) mode, DES, 805–806

cipher locks, 480

ciphers. See also algorithms

block ciphers, 787–788

concealment ciphers, 773–774

defined, 770

running key ciphers, 773

stream ciphers, 788–790

substitution ciphers, 778

transposition ciphers, 778–780

types of, 777

ciphertext

chosen-ciphertext attacks, 866

ciphertext-only attacks, 865, 869

transforming plaintext to, 765

CIR (committed information rate), Frame Relay, 677

circuit-level proxy firewalls

comparing firewall types, 642

overview of, 636, 638–640

circuit switching

data link protocols, 684

dedicated links and, 674–675

PSTN using, 685

circumstantial evidence, 1055

CISO (chief information security officer), 120, 133

CISSP (Certified Information Systems Security Professional)

brief history of, 6–7

CBK security domains and, 4–6

exam for, 2–3

how to sign up for exam, 7

overview of, 1

reasons for becoming CISSP professional, 1–2

review answers for assessing exam readiness, 18–20

review questions for assessing exam readiness, 10–18

tips for taking exam, 8–9

civil (code) law systems, 994

civil (tort) law, 995–997

Clark-Wilson security model, 374–376, 386

classes, IP address, 541

classification, of information. See information classification

classless interdomain routing (CIDR), 543, 549

clean power, electric power, 462

Cleanroom model, in software development, 1120

cleanup rule, firewalls, 652

cleartext, not making private and symmetric keys available in, 799

client-side validation

defined, 1168

input validation attacks, 1162–1163

clipping level

auditing and, 249

as baseline in investigation of suspicious activity, 1239–1240

logon attempts and, 194

closed-circuit TV. See CCTV (closed-circuit TV)

closed computer systems

comparing open systems with, 408

defined, 412

cloud computing

defined, 660, 1153

overview of, 657–658

service models, 658–659

SOA (service oriented architecture) and, 1151–1152

technologies using, 678

clustering, for availability and load balancing, 1272–1273

CMAC (Cipher-Based Message Authentication Code), 824–825, 833

CMM block cipher mode, 833

CMMI (Capability Maturity Model Integration)

defined, 68, 1125

for incremental process improvement, 62–68

maturity levels of, 1120–1121

overview of, 40, 1120

uses of, 1122

CMMs (Capability Maturity Models), 1122

CMWs (compartmented mode workstations), 388

CO2, as fire suppressant, 472

coaxial cable, 557

BNC (British Naval Connector) connectors for, 560

cable modems and, 700

use with 10Base2 Ethernet, 568

CobiT (Control Objectives for Information and Related Technology)

defined, 68

derived from COSO framework, 59

domains of, 55–57

overview of, 40

code division multiple access (CDMA), 732–733

Code of Ethics, (ISC)2, 7, 1061–1062

CoE (Council of Europe), 991

cognitive passwords, 195

cohesion

defined, 1141

in OOP, 1138–1139

cold sites, offsite facility options, 921–922

collection stage, of investigative process, 1047

collision domains, media sharing and, 576–577

collisions

attacks on one-way hash functions, 827

CSMA/CD and, 575

defined, 833

collusion

defined, 127

planning physical security and, 432

separation of duties and, 126

COM (Component Object Model), 1146–1147, 1153

combination locks, 479–480

command-and-control (C&C) servers, 1205

commercial software licenses, 1004

commit operations, database integrity and, 1182

committed information rate (CIR), Frame Relay, 677

Committee of Sponsoring Organizations. See COSO (Committee of Sponsoring Organizations)

Common Body of Knowledge. See CBK (Common Body of Knowledge)

Common Criteria

components of, 404

defined, 411

EAL (Evaluation Assurance Level), 402

ISO/IEC 15408 and, 405

moving from Orange Book to, 394

protection profiles in, 403

common law systems, 994–996

Common Object Request Broker Architecture (CORBA), 1143–1145, 1152

Common Weakness Enumeration (CWE), MITRE, 1110

communication

between applications (session layer), 524–525

BS7799 and, 37

between computer systems (transport layer), 524–525

communities, SNMP, 589

community strings, SNMP, 589–590

compartmented mode workstations (CMWs), 388

compartmented security mode, 387–390

compensating controls, 30–31, 34

compilers, 1128–1129, 1141

completeness, of evidence, 1056

compliance

BS7799 and, 37

CBK security domains, 5

with laws and regulations, 1030–1032

compression

presentation layer and, 523

techniques for improving cryptographic strength of algorithms, 791

compression viruses, 1199, 1213

computer-aided software engineering (CASE) tools, 1102, 1108

computer-assisted crime, 981–982

Computer Emergency Response Team (CERT), 1037

Computer Ethics Institute, 1062–1063

Computer Fraud and Abuse Act, 1013–1014

computer programs, protected under copyright law as literary works, 1000

computer rooms, in physical security, 453–456

Computer Security Institute (CSI), 7

Computer Security Technology Planning Study (U.S. government), 359

computer surveillance, 1057

computer-targeted crime, 981–982

computers

hardware architecture. See hardware architecture

physical controls, 244

security of, 298–299

concealment ciphers

defined, 781

overview of, 773–774

steganography and, 776–777

conclusive evidence, 1055

concrete with rebar, facility construction and, 449

concurrency issues, database integrity and, 1180

confidentiality

access control and, 160

AIC triad. See AIC (availability, integrity, confidentiality) triad

Bell-LaPadula model enforcing, 369, 373

computer security and, 298

controls related to, 25

data classification and, 110–111

PKI and, 833

Red Book, 398–399

security principles, 24

services of cryptosystems, 769

configuration management

change control, 1252–1254

data leakage, 1262

MTBF (mean time between failures) and, 1264

MTTR (mean time to repair) and, 1264–1265

network and resource availability, 1263–1264

overview of, 1251–1252

configuration standards, 1243

confusion attribute, of block cipher, 787–788, 792

connection-oriented protocols, 534–538

connectionless protocols, 534–538

connectivity technologies. See remote connectivity technologies

connectors, cabling, 560

consistent state, CDIs (constrained data items), 375

Constant Bit Rate (CBR), QoS and, 680

constrained data items (CDIs), in Clark-Wilson security model, 374–375

contact smart cards, 200

contactless smart cards, 200–201

containment, incident response procedures, 1039

content-dependent access control

database security and, 1184–1185

defined, 233

overview of, 231

content-filtering

email and, 602, 1283

firewalls for, 643

context-dependent access control

database security and, 1184–1185

defined, 233

overview of, 231–232

contingency planning, 1276–1277

continuity of operations, Red Book, 398

continuous lighting, 489

continuous protection, Orange Book, 393

contractual agreements, liability related to, 1029

control unit, CPU, 305–306, 311

control zones

countermeasures in emanation security, 255

physical controls, 245

controlled lighting, 489

controls

characteristics in selection of, 95–96

compensating controls, 31

defined, 26–28

evaluating functionality and effectiveness of countermeasures, 94–95

functions of, 30–31, 34

selecting, 93–94

types of, 28–30, 32–34

convergence, responsibilities of CSO, 120

cookies

defined, 864

Internet security, 858–859

persistent and session, 1165

cooperative multitasking, 313, 319

Copper Distributed Data Interface (CDDI), 572

copyright law, 1000, 1006

CORBA (Common Object Request Broker Architecture), 1143–1145, 1152

corporate governance

COSO model for, 59–60

overview of, 40

corporation ethics programs, 1064–1065

corrective controls, 30, 32–34

corroborative evidence, 1055

COSO (Committee of Sponsoring Organizations)

defined, 68

as model for corporate governance, 59–60

overview of, 40

SOX-compliance and, 1011

cost/benefit comparisons

control selection and, 93

in risk analysis, 74, 99

Counter (CTR) mode, DES, 807

counter-synchronization, between token device and authentication service, 196

countermeasures. See also attacks; controls

access control threats, 269–270

covert channels, 380

in emanation security, 255

evaluating functionality and effectiveness of, 94–96

maintenance hooks, 410

man-in-the-middle attacks, 835

phishing attacks, 273

planning physical security and, 434–435

in risk mitigation, 26–27

SNMP attacks, 590

TOC/TOU (time-of-check/time-of-use) attacks, 411

wormhole attacks, 612

coupling, in OOP, 1139, 1141

covert channels

countermeasures, 380

overview of, 378

types of, 378–379

covert storage channels, 378–379

covert timing channels, 379

CPO (chief privacy officer), 118–119

CPTED (Crime Prevention Through Environmental Design)

natural access control, 437–440

natural surveillance, 440–441

natural territorial reinforcement, 441–442

overview of, 435–436

target hardening, 436–437

CPUs (central processing units)

absolute, logical, and relative addresses and, 330–331

address and data buses, 307–308

ALU (arithmetic logic unit), 304–305

architecture, 342–345

control unit, 305–306

defined, 310

memory mapping and, 328–332

memory stacks and, 309

multiprocessing, 309–311

operation modes, 346

overview of, 304

registers, 306–307

time multiplexing, 321

Crack program, for password cracking, 1292

CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method), 84–85

cramming attacks, 1294

credit card fraud, 1016–1017

Crime Prevention Through Environmental Design. See CPTED (Crime Prevention Through Environmental Design)

crime scene, controlling, 1048

crimeware toolkits, 1207

criminal behavior, 1044–1045

criminal law. See also legality, 995, 997–998

CRLs (certificate revocation lists)

defined, 848

overview of, 836–837

securing WLAN implementations, 723

cross certification process, in PKI, 835

cross-site scripting (XSS), 1164, 1168

crossover error rate (CER), in biometrics, 188–189

crosstalk, cabling problems, 561, 578

cryptanalysis, 764–765, 770

cryptography. See also encryption

AES (Advanced Encryption Standard), 809

asymmetric, 784–786

asymmetric systems, 812

attacks and, 865–869

attacks on one-way hash functions, 827–829

Blowfish, 810

CBC-MAC, 823–825

CBK security domains, 4

CMAC, 825

defined, 770

definitions and concepts in, 765–767

DES (Data Encryption Standard). See DES (Data Encryption Standard)

Diffie-Hellman algorithm, 812–814

digital signatures, 829–831

DSS (Digital Signature Standard), 831

email standards, 849

El Gamal algorithm, 818

elliptic curve systems, 818–819

encryption methods, 781

hardware vs. software systems for, 848

hashing algorithms, 826–827

history of, 760–765

HMAC, 821–823

hybrid methods using asymmetric and symmetric algorithms, 792–796

IDEA (International Data Encryption Standard), 809–810

IVs (initialization vectors) and, 790–791

Kerckhoffs' principle, 767–768

key management, 840–843

knapsack algorithm, 819

link encryption vs. end-to-end encryption, 845–848

message integrity and, 820

MIME (Multipurpose Internet Mail Extensions), 849–850

notation, 811

numbers in, 816–817

one-time pads, 771–773

one-way functions, 817–818

one-way hash functions, 820–821

overview of, 759–760

PGP (Pretty Good Privacy), 850–851

PKI (public key infrastructure). See PKI (public key infrastructure)

quantum cryptography, 851–853

quick tips, 871–874

RC algorithms, 810

review answers, 880–883

review questions, 874–880

RSA algorithm, 815–816

security through obscurity and, 35

services of cryptosystems, 769–770

session keys, 796–799

steganography, 774–777

strength of cryptosystems, 768–769

summary, 870

symmetric, 782–783

symmetric systems, 800

TPM (Trusted Platform Module), 843–845

transformation techniques, 791

zero knowledge proof, 819–820

cryptology, 770

cryptosystems

components of, 767

defined, 765, 770

services of, 769–770

strength of, 768–769

synchronous vs. asynchronous, 807

CSI (Computer Security Institute), 7

CSMA/CA (carrier sense multiple access with collision avoidance)

defined, 579

overview of, 576

Wi-Fi using, 578, 713

CSMA/CD (carrier sense multiple access with collision detection)

defined, 579

Ethernet using, 578, 713

Fast Ethernet using, 568

overview of, 575–576

technologies, 570

CSO (chief security officer), 119–120

CSU/DSU (Channel Service Unit/Data Service Unit), 673, 677

CTR (Counter) mode, DES, 807

customary law systems, 996

CWE (Common Weakness Enumeration), MITRE, 1110

cyber squatting, DNS attacks, 597–598

cyberlaw. See also legality

common types of Internet crime schemes, 989

complexities of cybercrime, 983–984

computer crime laws, 981–983

evolution of cybercrime attacks, 986–989

facets of, 980

cybersquatting attacks, 1061

D

DAC (discretionary access control)

access control matrices and, 229

compared with RBAC and MAC, 227

overview of, 220–221

DAC (dual-attached concentrator), FDDI devices, 573

damage assessment, in disaster recovery, 946–947

DAS (dual-attachment station), FDDI devices, 573

DASD (Direct Access Storage Device). See also RAID (redundant array of independent disks), 1267–1268

data analyst, responsibilities of, 124

data bus, CPU component, 307–308, 311

Data Circuit-Terminating Equipment (DCE), in Frame Relay, 673, 677–678

data classification. See information classification

data control language (DCL), for relational databases, 1177

data custodian (information custodian), 122, 127

data definition language (DDL), for relational databases, 1177

data dictionaries

database and, 1174

defined, 1191

overview of, 1178–1179

data diddling attack, 1059

Data Encryption Algorithm (DEA), 800, 811

Data Encryption Standard. See DES (Data Encryption Standard)

data execution prevention (DEP), 336–337, 340

data hiding

defined, 354

encapsulation providing, 320, 1134

in layered operating systems, 349

data leakage, 1262

data link layer (layer 2)

circuit switching protocols, 684

link encryption at, 846–847

overview of, 528–529

PPTP (Point-to-Point Tunneling Protocol) for encryption at, 846–847

protocols, 531–532

security standards, 547–548

data loss/misuse, risk management and, 71

data manipulation language (DML), 1177–1178

data mining, 1188–1191

data modeling, in OOP, 1138, 1141

data origin authentication, in CBC-MAC, 823

Data-Over-Cable Service Interface Specifications (DOCSIS), 700

data owner (information owner), 121–122, 127

Data Processing Management Association (DPMA), 6

data remanence, erasing media and, 1256

Data Service Unit (DSU), 673, 677

Data Source Name (DSN), 1159

data structures

defined, 1141

in OOP, 1139–1140

in TCP/IP suite, 540–541

data throughput, compared with bandwidth, 552

data transmission. See transmission of data

data warehousing, 1188–1191

database management

data dictionaries, 1178–1179

data warehousing and data mining, 1188–1191

database models, 1170–1171

database views, 1185–1186

hierarchical data model, 1171–1172

integrity and, 1180–1182

network database model, 1172–1173

object-oriented database, 1173–1174

OLTP (online transaction processing), 1187–1188

ORD (object-relational database), 1175

overview of, 1168–1169

polyinstantiation, 1186–1187

primary and foreign keys, 1179–1180

programming interfaces, 1176–1177

relational database concepts, 1177–1178

relational database model, 1171

security issues, 1183–1185

software for, 1170

database management system (DBMS), 1168, 1170, 1191

database views, 229, 1174, 1185–1186

databases

defined, 1191

models, 1170–1171

overview of, 1170

datagrams, data structures in TCP/IP suite, 540–541

DBMS (database management system), 1168, 1170, 1191

DCE (Data Circuit-Terminating Equipment), in Frame Relay, 673, 677–678

DCE (Distributed Computing Environment), 1142–1143, 1152

DCL (data control language), for relational databases, 1177

DCOM (Distributed Component Object Model), 1142, 1146–1147

DDL (data definition language), for relational databases, 1177

DDoS (distributed denial of service) attacks

DSL lines and cable modems and, 700

firewalls and, 651

techniques for amplifying damage potential of, 1287

DDR (dial-on-demand), ISDN and, 698

DDR SDRAM (Double data rate DRAM), 326

DEA (Data Encryption Algorithm), 800, 811

deadlocks, process vulnerabilities and, 318

decentralized administration, of access control, 240–241

decipher, 770

dedicated links (leased lines/port-to-port links)

characteristics of WAN technologies, 694

overview of, 669

packet switching and circuit switching, 674–675

dedicated security mode, 387, 389–390

dedicated (special) registers, CPU components, 306, 311

default settings, software implementation issues related to, 1086–1087

defense-in-depth, 28–29, 34

degaussing media, 1256–1257

degrees (education), vs. certification, 131

delayed loss, loss potential of risks and, 77

delaying mechanisms

designing physical security program and, 444

planning physical security and, 432

reinforced walls as, 449

Delphi method, in risk analysis, 89, 99

demilitarized zones. See DMZs (demilitarized zones)

denial-of-service. See DoS (denial-of-service) attacks

DEP (data execution prevention), 336–337, 340

Department of Defense. See DoD (Department of Defense)

Department of Homeland Security (DHS), 1110–1111

dependability, computer security and, 298

depth of field, of CCTV devices, 492

DES Cracker, 801

DES (Data Encryption Standard)

CBC (Cipher Block Chaining) mode, 803–805

CFB (Cipher Feedback) mode, 805–806

comparing algorithm functions, 831

CTR (Counter) mode, 807

defined, 811

ECB (Electronic Code Book) mode, 803

history of cryptography, 764

how it was broken, 801–802

how it works, 801

modes, 802

OFB (Output Feedback) mode, 806–807

overview of, 800–801

Triple-DES. See 3DES (Triple-DES)

design

CBK security domains, 5

computer security and, 299

system design phase, 300

design phase, software development life cycle, 1098–1102

designing physical security program

computer and equipment rooms, 453–456

door options, 450–451

entry points, 449–450
