Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Index

A

absolute addressing, 178
abstraction, 181, 465
abuse/misuse case testing, 368–369
acceptability, 339
acceptable use policies (AUPs), 149
acceptance testing, 446–447, 465
access aggregation, 355
access control, 159–162, 180, 229, 349–353
access control attacks, 353–355
access control list (ACL), 352, 465
access management, 438
Access Matrix model, 161, 465
Access Points (APs), 272–273
access provisioning lifecycle, 355–356
access rights/permissions, 352
accessibility, as a consideration for choosing locations, 226
accidents, in disaster recovery (DR) plan, 416
account management, 371–372
accountability
1. about, 343
2. as a basic control requirement, 164–165
3. defined, 465
accreditation, 167–169, 465
acquisitions, 46, 136–138, 465
active hubs, 278
active IDS, 289
active-active, 465
active-passive, 465
ActiveX, 466
activities, logging and monitoring, 391–394
ad hoc, 273
Adaptive Chosen Ciphertext Attack (ACCA), 223
Adaptive Chosen Plaintext Attack (ACPA), 223
adaptive exam, 17
address bus, 176
Address Resolution Protocol (ARP), 264, 466
address space, 466
addressing personnel safety and security concerns, 428
Adleman, Len (Dr), 211, 214
administrative controls, 126, 466
administrative laws, 55, 56, 466
administrative management and control
1. about, 111–112
2. compliance, 115–116
3. consultant controls, 115
4. contractor controls, 115
5. employment agreements and policies, 114
6. employment candidate screening, 112–114
7. employment termination processes, 115
8. privacy, 116
9. vendor controls, 115
Advanced Encryption Standard (AES), 211, 466
advisory policies, 86
adware, 466
African Network Information Centre (AFRINIC), 258
age, as a criteria for commercial data classification, 144
agent, 466
agent of change, 32
aggregation, 187, 397, 466
Agile, 434–436, 466
Agile Maturity Model (AMM), 437, 466
Agile Project Management For Dummies (Layton), 436
American Accounting Association (AAA), 48
American Bar Association (ABA), 391
American Council on Education's College Credit Recommendation Service (ACE CREDIT), 14
American Institute of Certified Public Accountants (AICPA), 48
American National Standards Institute (ANSI), 10, 207
American Registry for Internet Numbers (ARIN), 257–258

American Society for Industrial Security (ASIS), 25, 30, 35
American Standard Code for Information Interchange (ASCII), 248
analog signaling, 277
analysis, 376, 386
analytic attack, 221
Annualized Loss Expectancy (ALE), 120, 466
Annualized Rate of Occurrence (ARO), 120, 466
anomaly-based endpoint protection, 293
anomaly-based IDS, 392
anti-malware, 411
antivirus software, 466
Anton Piller order, 385
applet, 466
application firewall, 467
Application Layer (Layer 7) (OSI Reference Model), 245–247, 467
Application Layer (TCP/IP Model), 279, 467
application penetration test, 363, 467
application programming interfaces (APIs), 317, 450, 467
application scan, 467
application software, 467
application state, 174
application virtualization, 309
application whitelisting, 293, 467
application-level gateway, 284–285
applications, 395
apprenticeship program, 140
archive, 220, 467
ARCnet, 264
area identifiers, 254
Arithmetic Logic Unit (ALU), 173
artificial intelligence (AI), 467
Asia-Pacific Network Information Centre (APNIC), 257
aspirating devices, 236
asset check-in/check-out log, 230
asset inventory, 394, 467
Asset Security domain
1. about, 143
2. classifying information, 143–146
3. determining data security controls, 151–153
4. determining ownership, 146–147
5. establishing handling requirements, 154
6. maintaining ownership, 146–147
7. protecting privacy, 148–149
8. retention, 150
9. supporting assets, 143–146
assets
1. about, 117
2. controlling physical and logical access to, 316–318
3. defined, 467
4. supporting, 143–146
5. valuation of, 117–118, 129–130, 355, 467
Associate of (ISC)² certification, 33
assurance, 164, 166
asymmetric algorithm, 467
asymmetric algorithm cryptography. See asymmetric key cryptography
Asymmetric Digital Subscriber Line (ADSL), 267
asymmetric key cryptography
1. about, 212–214
2. Diffie-Hellman key exchange, 215, 476
3. El Gamal, 215
4. Elliptic Curve (EC), 216
5. Merkle-Hellman (Trapdoor) Knapsack, 215–216
6. RSA algorithm, 214–215
asymmetric key system, 467
asynchronous communication, 271
Asynchronous Transfer Mode (ATM), 268, 467
attack tree, 134
attacks, 221–222. See also specific attacks
attenuation, 275, 278
attestation, as a function of TPM, 181
attribute-based access control (ABAC), 352–353, 467
audit trail, 468
audits/auditing, 165, 377, 438, 444–445, 467
augmented reality (AR), 468
authenticated scans, 360, 468
authentication
1. cryptography and, 196
2. defined, 328, 468
1. improper, 449
2. single factor, 330–335
Authentication Header (AH), 307, 468
authorization
1. as a data integrity measure, 158
2. defined, 468
3. implementing and managing mechanisms for, 348–353
automatic controls, 126, 468
autonomous system (AS), 255
availability, 52, 159, 414, 468
awareness, 138–139, 375, 423

B

backdoor, 468
background check, 468
backup media encryption, 413
backup verification data, 374–375, 406
backups, 92–94, 154, 413
bare metal hypervisors, 309
base addressing, 178
baseband signaling, 274
baselines, 87, 152, 468
Basic Input-Output System (BIOS), 178
bastion host, 286
beam devices, 236
Beaver, Kevin (author)
1. Hacking For Dummies, 364
2. Hacking Wireless Networks For Dummies, 282
behavior-based endpoint protection, 293
Bell-LaPadula model, 160–161, 468
best evidence, 380, 468
best evidence rule, 381, 468
Best Practices in Internal Investigations, 391
Biba integrity model, 161, 468
binding, as a function of TPM, 181
biometrics, 337–343, 468
Birthday Attack, 222, 468
birthright access, 345
bit error ratio (BER), 275
Bitcoin, 299
black-box testing, 469
blacklisting, 410, 469
blackout, 469
block ciphers, 202–203, 469
Blowfish Algorithm, 211
bluejacking, 310–311
bluesnarfing, 310–311
Bluetooth, 469
bollards, 230, 318, 469
“boot camps,” 15
bootkit, 469
Border Gateway Protocol (BGP), 255
bot, 469
botnet, 469
bounce site, 311
breach, 469
bridge, 271, 469
bridge mode, 273
bring your own device (BYOD), 469
broadband signaling, 274
broadcast, 265, 469
broadcast storm, 271
brownout, 469
brute-force attack, 221, 353, 469
buffer overflow, 301, 353–354, 449, 469
Building Security in Maturity Model (BSIMM), 157, 437, 469
buildings, in disaster recovery (DR) plan, 416
burden of proof, 54
bus, 469, 470
Bus Interface Unit (BIU), 173
Bus topology, 274
Business Continuity Plan (BCP)
1. about, 89, 90, 375–376
2. developing, 106–110
3. implementing, 110–111
4. participating in, 427
5. requirements for, 87–111
Business Impact Analysis (BIA)
1. about, 88, 90, 98–99
2. Criticality Assessment, 100–101
3. defined, 470
4. determining Maximum Tolerable Outage (MTO), 102
1. establishing Maximum Tolerable Downtime (MTD), 101–102
2. establishing recovery targets, 102–105
3. identifying key players, 101
4. Resource Requirements portion, 106
5. Vulnerability Assessment, 99–100
business records exception, 382
business strategy, aligning security function to, 44–45

C

CAE-CD programs, 12
California Security Breach Information Act (SB-1386), 81
Callback feature, 304
Caller ID, 303, 470
caller ID spoofing, 470
campus area network (CAN), 243
The Candy-from-a-Baby Fallacy, 82
Capability Maturity Model Integration (CMMI), 437, 470
carbon dioxide (CO₂), 237
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), 263
Carrier Sense Multiple Access with Collision Detection (CSMA/CD), 263
case law, 53
cash reserves, 420
ceilings, as a building design consideration, 227
Center for Cyber Safety and Education, 27
Center for Internet Security (CIS) (website), 170, 434
Central Processing Unit (CPU), 173–176, 470
Certificate Authority (CA), 220, 470
certificate programs, 140
Certification and Accreditation Professional (CAP), 33, 433
certifications. See also CISSP certification
1. Check Point Security Administration, 36
2. choosing, 37–38
3. defined, 470
4. earning, 32–38
5. networking, 456
6. non-(ISC)2, 34–37
7. non-technical/non-vendor, 34–36
8. technical/vendor, 36–37
9. writing exam questions, 26
Certified Business Continuity Planner (CBCP), 35
Certified Chief Information Security Officer (C|CISO), 35
Certified Cloud Security Professional (CCSP), 33
Certified Ethical Hacker (C|EH), 36
Certified in Risk and Information Systems Control (CRISC), 34
Certified in the Governance of Enterprise IT (CGEIT), 34
Certified Information Privacy Professional (CIPP), 35
Certified Information Privacy Professional/Europe (CIPP/E), 35
Certified Information Security Manager (CISM), 34
Certified Information Systems Auditor (CISA), 34
Certified Information Systems Security Professional (CISSP). See CISSP
Certified Protection Professional (CPP), 35
Certified Secure Software Lifecycle Professional (CSSLP), 33, 440
chain of custody, 383–386, 470
chain of evidence, 382, 383–386, 470
Challenge Handshake Authentication Protocol (CHAP), 304, 325, 470
change management, 395, 412, 439, 442–443, 470
character conversion, 247
Cheat Sheet (website), 4
Check Point Security Administration certifications, 36
checklist test, of disaster recovery (DR) plan, 424
Children's Online Privacy Protection Act (COPPA) (1998), 77
choose your own device (CYOD), 470
Chosen Ciphertext Attack (CCA), 223
Chosen Plaintext Attack (CPA), 223, 470
Chosen Text Attack (CTA), 223
CIA Triad, 51–52, 157–159, 470
Cipher Block Chaining (CBC), 208–209, 470–471
Cipher Block Chaining Message Authentication Code Protocol (CCMP), 282
Cipher Feedback (CFB) mode, 209, 471

ciphers, 199, 210–205, 470
ciphertext, 199, 471
Ciphertext Only Attack (COA), 222–223
circuit-level gateway, 284
circuit-switched networks, 267–268, 471
circumstantial evidence, 381, 471
Cisco certifications, 11
CISSP certification
1. about, 1–2, 9–10
2. concentrations in, 33–34
3. domains of, 10
4. exam overview, 17–20
5. exam preparation, 12–16
6. exam registration, 16–17
7. post-exam, 20–21
8. promoting, 30–31
9. renewing, 20–21
10. requirements for, 10–12
11. uses for, 23–39
12. using as an agent of change, 32
CISSP Certification Exam Outline, 12, 13
CISSP training, 14
civil disturbances, in disaster recovery (DR) plan, 416
Civil Law systems, 54–55, 57, 471
civil requirements, for investigations, 391
cladding, 276
Clark-Wilson integrity model, 161–162, 471
classifications, 54, 143–146, 471
classroom training, 139
clearance level, 146
client-based systems, assessing and mitigating vulnerabilities in, 185–186
climatology, as a consideration for choosing locations, 226
Clipper Chip, 221
closed systems, 182, 471
closed-head system, 236
cloud, 471
cloud access security broker (CASB) systems, 291–292, 395, 471
cloud assets, 395
cloud backup, 93
cloud communications, 296
Cloud Security Alliance (CSA), 192
cloud-based access controls, 327–328
cloud-based malware detection, 410
cloud-based spam filtering, 410
cloud-based systems, assessing and mitigating vulnerabilities in, 190–192
cluster(ing), 471
coaxial cable, 274–275, 471
COBIT, 48, 153, 472
code coverage analysis, 370
code of ethics, 472
code repositories, 443–444
code review and testing, 368, 472
coding, secure practices for, 448–452
coercion, 382
cold site, 97, 98, 413, 472
collecting security process data, 371–376
collision, 218
collision domain, 471
commercial data classification, 144–145
commercial software, 448
Committed Access Rate (CAR), 312
Committee of Sponsoring Organizations of the Treadway Commission (COSO), 48–49
Common Body of Knowledge (CBK), 10, 26
Common Criteria for Information Technology Security Evaluation, 167, 472
common law, 53, 472
common vulnerability scoring system (CVSS), 362, 472
common-mode noise, 232
Communication and Network Security domain
1. about, 239
2. designing secure communication channels, 295–310
3. implementing design principles in network architectures, 239–279
4. Open Systems Interconnection (OSI) Reference Model, 241–278
5. preventing/mitigating network attacks, 310–313
6. secure network components, 280–295
7. TCP/IP Model, 241–243
communication channels
1. data communications, 308
2. email, 296–300
3. facsimile, 302
4. multimedia collaboration, 302–303
5. remote access, 303–308
6. virtualization, 309–310
7. virtualized networks, 309
8. voice, 295–296
9. Web, 300–302
communications, 228, 417, 421–422
communications management, 179, 416
community cloud computing, 191, 472
compensating controls, 126, 472
compensatory damage, 54, 272
Complex-Instruction-Set Computing (CISC), 175, 472
compliance
1. about, 53
2. administrative management and control, 115–116
3. defined, 472
4. legislative and regulatory, 53–57
5. privacy requirements, 57–58
6. rewarding, 47
Component Object Model (COM), 472
CompTIA Security, 11, 36–37, 456
computer architecture
1. about, 173
2. firmware, 178
3. hardware, 173–176
4. main memory, 176–178
5. software, 179–180
computer crimes, 58–63
Computer Emergency Response Team (CERT), 472
Computer Ethics Institute (CEI), 84–85
Computer Incident Response Team (CIRT), 472
Computer Technology Investigators Network (CTIN) (website), 30
computer-adaptive testing, 15, 20
computer-generated records, 381
computer-stored records, 381
The Computer Game Fallacy, 82
The Computer Misuse Act (1990) (U.K.), 70
concealment cipher, 473
concentrator. See hub
concept development, in engineering process, 156
conclusive evidence, 381, 473
conduit, 281
Confidential government data classification, 146
confidentiality, 51–52, 158, 196, 473
confidentiality agreement, 473
configuration management, 164, 395, 412, 439, 442–443, 473
connection establishment, 248
connection release, 249
connection-oriented protocol, 250
consensual surrender, of evidence, 385
console login, 317
constrained data item (CDI), 162
consultant controls, 115
container, 310, 472
container-based endpoint protection, 293
containerization, 180, 472
content-distribution networks (CDNs), 294, 473
contention-based networks, 263
context-based access control (CBAC), 284
continual improvement, 473
continuing education requirements, 140
continuing professional education (CPE), 473
Continuity of Operations Planning (COOP), 89, 473
continuous improvement, in risk management, 130–131
continuous monitoring, 393, 473
contractor controls, 115
contributing, to ISC² publications, 27
contribution to revenue, as an asset value element, 118
control assessment, 127–129
control bus, 176
control frameworks, 48–50, 473
Control Unit, 173
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) (2003), 69
controls, 125–126, 162–172, 473

converged protocols, 260
cooperation, importance of, 89
copyright, 74, 473
Copyright Act (1976), 74
corrective controls, 126, 473
corroborative evidence, 380, 473
corroborative inquiry, as a control assessment technique, 128
cost-effectiveness, risk management and, 123–124
The Council of Europe's Convention on Cybercrime (2001), 70
counter reset, 333
counter threshold, 333
countermeasure selection, 123–124
countermeasures, 473
covert channels, 164, 184, 473
covert storage channel, 164
covert timing channel, 164
crash gates, 230, 318
Creation stage, of ILM, 151
credential management systems, 346–347
crime, in disaster recovery (DR) plan, 416
Crime Prevention Through Environmental Design (CPTED), 224–225
criminal law, 53–54, 474
criminal requirements, for investigations, 391
critical support areas, 100
Criticality Assessment, 100–101, 474
cross-frame scripting (XFS). See frame injection
Crossover Error Rate (CER), 338, 474
Cross-site request forgery (CSRF), 301, 474
Cross-site scripting (XSS), 301, 474
crosstalk, 275
cryptanalysis, 198, 474
cryptocurrency, 299, 474
cryptographic algorithm, 201
cryptographic systems, assessing and mitigating vulnerabilities in, 189
cryptography
1. about, 153, 196–198
2. alternatives to, 205–206
3. ciphertext, 199
4. decryption, 199–205
5. defined, 474
6. encryption, 199–205
7. lifecycle of, 198
8. maintaining communication security using, 279
9. plaintext, 199
cryptology, 198, 474
cryptosystem, 201–202, 474
cryptovariable, 201, 203–204, 474
culpable negiligence, 50
culpable negligence, 474
custodian, 147, 474
customary law systems, 57
cutover, of disaster recovery (DR) plan, 426–427
cyber attacks, in disaster recovery (DR) plan, 416
cyber warfare, in disaster recovery (DR) plan, 416
Cybercrime Act (2001) (Australia), 70
CyberSecurity Forensic Analyst (CSFA), 36

D

Daemen, Joan (Dr), 211
daily standup, 436
damage assessment, 91–92
data, 75, 187
data access controls, 316, 349
data breaches, 80–81
data bus, 176
Data Carrier Equipment (DCE), 272, 475
data classification, 474
data communications, 308
Data Communications Equipment (DCE), 277
data compression, 247
data controller, 80, 474
data destruction, 474
data dictionary, 475
data encapsulation, 475
data encryption, 247
data encryption key (DEK), 475
Data Encryption Standard (DES), 204, 207–209, 475
data hiding, 182
data import/export, 351
data integrity, 158–159, 375

Data Link Layer (Layer 2) (OSI Reference Model), 261–273, 475
data loss prevention (DLP), 291, 394, 475
Data Over Cable Service Interface Specification (DOCSIS), 267, 475
data ownership, 351–352
data processing continuity planning, 97–98
data processor, 80, 475
Data Protection Act (DPA), 75
data protection officer (DPO), 80, 475
data recovery, 374–375
data remanence, 149, 163, 475
data replication, 171, 413
data representation, 247
data retention, 475
data security controls, 151–153
data storage requirements, 339
Data Terminal Equipment (DTE), 272, 277, 475
data transfer, 249
data warehouse, 475
database administrator, 11
database management system (DBMS), 475
database systems, assessing and mitigating vulnerabilities in, 187
database table permissions, 316
datagram, 251
Davis, Peter T. (author)
1. Hacking Wireless Networks For Dummies, 282
2. Wireless Networks For Dummies, 266
DCID 6/3, 169
DDos mitigation, 410
decentralized access control systems, 328
deciphering. See decryption
Decode Unit, 173
decommissioning, in engineering process, 157
decryption, 199–205, 475
dedicated security mode, 183
deep packet inspection (DPI), 475
defense in depth, 170, 476
Defense Information Technology Security Certification and Accreditation Process (DITSCAP), 168–169, 476
deluge system, 237
demilitarized zone (DMZ), 287
demonstrative evidence, 380, 476
Denial of Service (DoS), 289, 296, 301, 333, 476
Department of Commerce, 69
Department of Homeland Security (DHS), 12, 68
design documentation, 165
design specification and verification, 164
desktop virtualization, 309
Destination IP address, 307
destruction, 154, 406
destructware, 476
detective controls, 125, 476
deterrence, under criminal law, 53
deterrent controls, 125, 476
development, 106–110, 156
device drivers, 179
devices, controlling access to, 316–317
DevOps, 439–440, 476
DevSecOps, 476
Diameter protocol, 305, 326, 476
dictionary attack, 353, 476
Diffie-Hellman key exchange, 215, 476
digital certificates, 337, 476
digital forensics, 389–390
digital signaling, 277
Digital Signature Standard (DSS), 216–217, 476
digital signatures, 343
Digital Subscriber Line (DSL), 267, 476
digital watermarking, 206
direct addressing, 178
direct evidence, 380, 476
Directive 95/46/EC on the protection of personal data (1995, EU), 69
directory harvest attack (DHA), 476
directory level permissions, 316
disaster recovery (DR), 88, 89, 374–376, 415–427
Disaster Recovery Certified Expert (DRCE), 35
Disaster Recovery Institute International (DRII) (website), 30, 35
discovery sampling, 128
discretionary access control (DAC), 163, 351–352, 476
discretionary security property, 160

disk mirroring, 477
disk striping, 477
disk striping with parity, 477
disposable ciphers, 203
Disposition stage, of ILM, 152
distance-vector protocol, 253
distributed application, 477
distributed denial of service (DDoS), 477
Distributed Network Protocol (DNP3), 260, 477
distributed systems, assessing and mitigating vulnerabilities in, 188–189
Distribution stage, of ILM, 151
divestitures, 46
DNS cache poisoning, 477
DNS hijacking, 477
DNS Server attacks, 311
documentary evidence, 380, 477
documentation, 96–97, 165, 386–387
domain homograph attack, 477
domain name system (DNS), 477
domain name system security extensions (DNSEEC), 477
domains, 10, 477
doors, as a building design consideration, 227
dormant VMs, 310
drag and drop questions, 18
DREAD technique, 133–134
drive-by-download, 477
drug screen, 477
dry-pipe system, 237
dual-homed gateways, 286
due care, 50, 55, 477
due diligence, 50, 477
Dummies (website), 4
dumpster diving, 478
dwell time, 478
dynamic application scanning tool (DAST), 478
dynamic link library (DLL), 478
dynamic packet-filtering firewall, 284
dynamic password, 335, 478
Dynamic RAM (DRAM), 176
dynamic routing protocol, 253

E

earning certifications, 32–38
eavesdropping, 296, 313, 362, 478
ECMAScript, 478
edge computing, 478
education, 138–141
egress monitoring, 394
EIA/TIA-232-F standard, 277
El Gamal, 215
electrical anomalies, 232
electrical hazards, 232–233
electrical noise, 232
Electrically Erasable Programmable Read-Only Memory (EEPROM), 177
electricity, 228, 231–232
Electromagnetic Interference (EMI), 232, 478
Electronic Code Book (ECB), 208, 478
electronic discovery, 478
electronic health records (EHRs), 78
electronic protected health information (ePHI), 148, 478
electronic signatures, 343
electrostatic discharge (ESD), 232, 478
Elliptic Curve (EC), 216
email communication, 296–300
emanations, 185
embedded devices, assessing and mitigating vulnerabilities in, 195–196
Emergency Power Off (EPO) switch, 231, 234
emergency response, 91
emergency supplies, 421
employment agreements and policies, 114, 478
employment candidate screening, 112–114, 478
employment termination processes, 115, 478
Encapsulating Security Payload (ESP), 307, 479
encapsulation, 479
enciphering. See encryption
encryption, 199–205, 449, 479
endpoint security, 292–294, 479
end-to-end encryption, 199, 479
end-user, 47–48
Enigma Machine, 197

Enterprise Risk Management - Integrated Framework, 132
enticement, 382, 479
entitlement, 397, 479
entrapment, 382
equipment, 228, 416
Erasable Programmable Read-Only Memory (EPROM), 177
error checking/recovery, 250
escorts, 318
Escrowed Encryption Standard (EES), 221, 479
espionage, 479
essential practices, 112
Ethernet, 264, 276, 479
ethics. See professional ethics
European Information Technology Security Evaluation Criteria (ITSEC), 166–167, 479
European Union (EU), 72, 402
European Union General Data Protection Regulation (GDPR), 57–58, 80
evacuation plans, 416, 421
evaluation assurance levels (EALs), 167
evaluation criteria, for selecting controls, 163–165
e-vaulting, 93
event management, 438
events, speaking at, 26–27
evidence collection/handling
1. about, 379–380
2. admissibility of evidence, 382–383
3. defined, 479
4. rules of evidence, 381–382
5. types of evidence, 380–381
evidence lifecycle, 479
evidence storage, 229–230
exams
1. after the, 20–21
2. fee for, 16
3. overview of, 17–20
4. planning tips for, 455–459
5. practice, 15
6. preparing for, 12–16
7. question types, 18–19
8. registering for, 16–17
9. re-scheduling, 16
10. tips for test-day, 461–464
11. weighting of questions, 19
Exclusive Or (XOR) function, 209, 479
Execute (X) access, 352
executive oversight, 45–46
exhaustion attack, 221
exigent circumstances, 385, 480
expectation of privacy, 149
expert system, 480
exploit, 480
Exposure Factor (EF), 120, 480
Extended Binary-Coded Decimal Interchange Code (EBCDIC), 248
Extensible Authentication Protocol (EAP), 304, 325, 480
Extensible Markup Language (XML), 508
Exterior Gateway Protocol (EGP), 255
exterior walls, as a building design consideration, 227
External Affairs, 95
external assessment, 127
external audit, 378
external communications, 94
external value, as an asset value element, 118
extradition, 57
Extranet, 241, 480

F

facial recognition systems, 340
facilities
1. applying security principles to design of, 224–229
2. controlling access to, 317–318
3. designing, 226–229
4. implementing security controls for, 229–238
facsimile communication, 302
Factor Analysis of Information Risk (FAIR), 131
Fagan inspection, 368, 480
fail closed, 480
fail open, 480
failover systems, 184, 480

fail-safe systems, 184, 480
fail-soft systems, 184, 480
fallacies, computer use and, 82
False Accept Rate (FAR), 338, 480
False Reject Rate (FRR), 338, 480
fault tolerance, 415, 480
fault-tolerant systems, 184, 480
Fed. R. Evid., 56
Fed. Reg., 56
Federal Information Processing Standard (FIPS), 207, 216, 481
federal interest, 64
federal interest computer, 64
Federal Risk and Authorization Management Program (FedRAMP), 169, 481
Federal statutes, 56
Federal Trade Commission (FTC), 69
federated identity management (FIM), 346, 481
fees, 16, 21
felony, 54
fences, 318
Fiber Distributed Data Interface (FDDI), 264, 273, 481
fiber-optic cable, 276, 277, 481
Fibre Channel over Ethernet (FCoE), 481
field permissions, 316
50-year flood plain, 415
file level permissions, 316
file management, as an operating system function, 179
file ownership, 351–352
file transfer protocol (FTP), 246
final disposition, of evidence, 386
financial attacks, as a category of computer crime, 61
Financial Executives International (FEI), 48
financial readiness, in disaster recovery (DR) plan, 420–421
finger scan systems, 340
fingerprint recognition, 340
fire prevention/detection/suppression, 234–238
fire protection, 96
fire suppression, 229
fire triangle, 234–235
firewalls, 283–288, 409, 481
firmware, 481
first aid, 421, 481
fixed-temperature detectors, 236
flame-sensing fire detection, 236
Flash Memory, 177
Floating-Point Unit (FPU), 173
floors, as a building design consideration, 227
flow control, 250
forensics, 481
formal education, 140
formal training programs, 139–140
Fraggle attack, 311
frame injection, 481
Frame Relay, 269, 481
frameworks, in risk management, 131–132
fraud, 481
The Free Information Fallacy, 82
frequency, in assessment, 127
full interruption, of disaster recovery (DR) plan, 426–427
full-duplex mode, 248, 250
“fun” attacks, as a category of computer crime, 61
functionality, 166
fuzzing, 369, 481

G

gaming, 449
gas discharge systems, 237–238
gates, 318
gateways, 261, 481
General Data Protection Regulation (GDPR), 402, 481
generating reports, 376
geolocation, 303
German Enigma Machine, 197
GI Bill, 17
Global Information Assurance Certification (GIAC), 36
global positioning system (GPS), 482
goals, aligning security function to, 44–45, 482

governance committees, 45–46, 482
government data classification, 145
Graphics Interchange Format (GIF), 248
gray-box testing, 482
Gregory, Peter H. (author)
1. IT Disaster Recovery Planning For Dummies, 111, 416
grudge attacks, 61–62
guard dogs, 230, 318
guards, 318
guest operating systems, 180, 310, 482
guidelines, developing and implementing, 85–87, 482

H

The Hacker's Fallacy, 82
Hacking For Dummies (Beaver), 364
Hacking Wireless Networks For Dummies (Beaver and Davis), 282
hacktivism, as a category of computer crime, 62, 482
half-duplex mode, 248
half-open connections, 312
halon, 238
hand geometry systems, 341
handling, 154, 406
hands-on experience, 13–14
hard drive forensics, 389
hardening standard, 87, 482
hardware, 137, 173–176, 280, 482
hardware address, 263
hardware asset management, 407
hardware segmentation, 482
hash function, 482
Hashed Message Authentication Code (HMAC), 219
HealthCare Information Security and Privacy Practitioner (HCISSP), 33
hearsay evidence, 381–382, 482
heating, ventilation, and air conditioning (HVAC), 233–234
heat-sensing fire detection system, 236
heterogeneous environment, 171, 482
heuristics-based endpoint protection, 293
hidden code, 482
High Technology Crime Investigation Association (HTCIA) (website), 30
High-level Data Link Control (HDLC), 270–271
High-rate Digital Subscriber Line (HDSL), 267
High-Speed Serial Interface (HSSI), 278, 482
holddown timers, 254
home, 257
homogeneous environment, 482
honeynets, 411, 483
honeypots, 411, 483
hop count, 254
host-based intrusion detection (HIDS), 289, 391, 483
hosted hypervisors, 309
hot site, 97, 413, 483
hotspot questions, 18–19
hub, 278, 483
humidity, 232, 233–234
hybrid cloud computing, 191, 483
hybrid risk analysis, 122
HyperText Markup Language (HTML), 300–302
HyperText Transfer Protocol (HTTP), 246, 300–302, 483
HyperText Transfer Protocol Secure (HTTPS), 246, 301, 483
HyperText Transport Protocol Secure (HTTPS), 301
hypervisors, 180, 309–310, 483

I

ICMP flood attack, 311
icons, explained, 4
identification and authentication (I&A), 164, 328, 483
identity and access management (IAM)
1. about, 315–316, 319
2. cloud-based access controls, 327–328
3. controlling physical and logical access to assets, 316–318
4. decentralized access controls, 328
5. defined, 483
6. implementing and managing authorization mechanisms, 348–353
7. integrating identity-as-a-service, 347–348
1. integrating third-party identity services, 348
2. managing identification and authentication, 319–347
3. managing identity, 355–356
4. managing identity and access provisioning lifecycle, 355–356
5. preventing and mitigating access control attacks, 353–355
6. single sign-on (SSO), 319–327
identity fraud, in voice communication, 296
Identity-as-a-Service, 347–348, 483
ideological attacks, as a category of computer crime, 62
IETF, 258–259
illegal search and seizure, 382
implementation attack, 222
import/export controls, 74–75
inactivity timeouts, 344, 483
incident management, conducting, 407–409
indexed addressing, 178
indicators of compromise (IOCs), 483
indirect addressing, 178
indoctrination, to raise security awareness, 139
industrial control system (ICS), assessing and mitigating vulnerabilities in, 189–190, 317, 483
industrial espionage, as a category of computer crime, 60–61
inference, 484
inference channel, 484
inference engine, 484
information, 143–146, 316, 402
Information Assurance Support Environment (website), 170
information custodian, 484
Information Flow model, 162, 484
Information Lifecycle Management (ILM), 151–152
information owner, 484
Information Security Journal, 27
information security management system (ISMS), 484
Information Security Scholarship Program, 27
Information Systems Audit and Control Association (ISACA), 48, 437
Information Systems Security Architecture Professional (ISSAP), 33
Information Systems Security Engineering Professional (ISSEP), 34
Information Systems Security Management Professional (ISSMP), 34
Information Technology Act (2000) (India), 70
Information Technology Infrastructure Library (ITIL), 49–50, 407, 485
informative policies, 86
InfraGard (website), 30
Infrastructure as a Service (IaaS), 191, 483
inherent vulnerability, 201
initial cost, as an asset value element, 118
initialization vector (IV), 209
injection attacks, 449, 484
injuries, in disaster recovery (DR) plan, 418
input control, as a data integrity measure, 159
inquiry, as a control assessment technique, 127
inrush, 484
INSIGHTS (online magazine), 27
inspection, as a control assessment technique, 128
instant messaging (IM), 303
Institute of Electrical Engineers (IEEE), 484
Institute of Internal Auditors (IIA), 48
Institute of Management Accountants (IIMA), 48
insurance, 420
integrated product team, 439–440
Integrated Services Digital Network (ISDN), 268, 484
integrity, 52, 158–159, 196, 484
*-integrity property (star integrity property), 161
integrity verification procedures (IVP), 162
intellectual property, 72–74, 484
interface testing, 370–371
interfaces, types of, 277–278
interior walls, as a building design consideration, 227
Intermediate System to Intermediate System (IS-IS), 255
internal audit, 378
internal value, as an asset value element, 118

International Association of Privacy Professionals (IAPP) (website), 30, 35
International Council of E-Commerce Consultants (EC-Council) (website), 36
International Data Encryption Algorithm (IDEA) Cipher, 212
International Electrotechnical Commission (IEC), 10, 484
International Information System Security Certification Consortium (ISC)², 9–10
International law, 55–57
International Organization for Standardization (ISO), 10, 484
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC 27002), 49
International Systems Security Association (ISSA) (website), 29
International Telecommunications Union (ITU), 484
Internet, 485
Internet Architecture Board (IAB), 84, 241
Internet Assigned Numbers Authority (IANA), 255
Internet Control Message Protocol (ICMP), 261, 485
Internet Engineering Task Force (IETF), 485
Internet Key Exchange (IKE), 307
Internet Layer (TCP/IP Model), 279, 485
Internet Message Access Protocol (IMAP), 246
Internet of Things (IoT), 52, 192, 295, 485
Internet Protocol (IP), 255, 485
Internet Protocol Security (IPsec), 306–307, 485
Internet Relay Chat (IRC), 485
Internet Security Association and Key Management Protocol (ISAKMP), 307
Internet Small Computer Systems Interface (iSCSI), 485
Internetwork Packet Exchange (IPX), 255, 485
internetworks, 252
Intranet, 241, 485
intrusion detection and prevention systems (IDPSs), 288–290, 391–392, 409
intrusion detection systems (IDS), 288–290, 485
intrusion prevention systems (IPSs), 288–290, 485
investigations, 379–391
I/O device management, as an operating system function, 179
ionization devices, 236
IP reputation services, 410
IP spoofing, 312
iris pattern, 341
ISC²
1. attending events, 25
2. being an active member of, 25–26
3. focus groups, 28
4. helping at conferences, 27
5. joining a chapter, 26
6. online store (website), 31
7. volunteer opportunities, 26–29
8. voting in elections, 25
9. website, 457
ISC² Congress, 25, 27
ISC² publications
1. contributing to, 27
2. reading, 27
(ISC)² Blog, 27
(ISC)² Code of Professional Ethics, 83
(ISC)² community, 28
ISO/IEC 17024 standard, 10
ISO/IEC 27002, Information Technology - Security Techniques - Code of Practice for Information Security Management, 86
ISO/IEC 27005, 132
IT Disaster Recovery Planning For Dummies (Gregory), 111, 416
IT Governance Institute (ITGI), 48

J

Japanese Government Information Security Professional (JGISP), 33
Japanese Purple Machine, 197
JavaScript, 485
jitter, 251
job description, 485
job rotation, 400–402, 485
joining local security chapters, 29–30
Joint Photographic Experts Group (JPEG), 248

joint tenants, as a consideration for choosing locations, 226
JScript, 485
judgmental sampling, 128
juvenile laws, 59

K

Kerberos, 320–324, 486
kernel, 179
key card access systems, 317
key change, 221
key clustering, 202, 471
key control, 221
key disposal, 221
key distribution, 220
key encryption key (KEK), 486
key escrow, 221
key generation, 220
key installation, 220
key logging, 486
key management functions, 220–221
key perfomance indicators (KPIs), 373–374, 486
key recovery, 221
key risk indicators (KRIs), 373–374, 486
key storage, 220
key transport, 214–215
keyed invoices, 104, 201
keystroke dynamics, 342
knowledge-based IDS, 289–290
Known Plaintext Attack (KPA), 223, 486
KryptoKnight, 327, 486

L

labels, 163
large-scale parallel data systems, assessing and mitigating vulnerabilities in, 187–188
latency, 201
Latin America and Caribbean Network Information Centre (LACNIC), 257
lattice model, 351, 486
The Law-Abiding Citizen Fallacy, 82
Layer 2 Forwarding Protocol (L2F), 266, 306, 486
Layer 2 Tunneling Protocol (L2TP), 266, 306–307, 486
Layton, Mark (author)
1. Agile Project Management For Dummies, 436
2. Scrum For Dummies, 436
leading by example, 47
learning style, knowing your, 455
least privilege concept, 396–397, 486
legal and regulatory issues
1. about, 58
2. computer crimes, 58–72
3. data breaches, 80–81
4. import/export controls, 74–75
5. licensing and intellectual property, 72–74
6. privacy, 75–80
7. trans-border data flow, 75
legal liability, risk management and, 124
legislative and regulatory compliance, 53–57
letters of agreement, 420
Lewis, Barry (author)
1. Wireless Networks For Dummies, 266
liability, under civil law, 55
licensing, 72–74
life safety, controlling access to, 318
lifecycle, cryptographic, 198
lighting, as a building design consideration, 227
lightning strikes, 228
Lightweight Directory Access Protocol (LDAP), 324, 486
limited access security mode, 183
line of credit, 420
link encryption, 200–201, 486
Link (Network Access) Layer (TCP/IP Model), 279, 486
link states, 254
link-state protocol, 254
live forensics, 390, 486
local area networks (LANs), 240–241, 264–265
local security chapters, joining, 29–30
locations, choosing, 226
log reviews, 365–366, 486
logging, 391–394, 444–445
logical access control, 337

Logical Link Control (LLC), 262
logistics, in disaster recovery, 95–96
loopback network, 257
loss of life, in disaster recovery (DR) plan, 418
Lowe, Doug (author)
1. Networking All-In-One For Dummies, 239

M

machine learning (ML), 486
magnetic fields, 228
magnetic tape, 93
main memory, 176–178
main storage, 176–178
maintenance and support
1. detective and preventive measures, 409–411
2. in engineering process, 157
3. firewalls, 409
4. intrusion detection and prevention systems (IDPSs), 409
5. ownership, 146–147
6. of software, 438–439
7. third-party security services, 410
maintenance cost, as an asset value element, 118
maintenance fees, 21
maintenance hooks, 172, 487
Maintenance stage, of ILM, 151–152
malicious input, 171
malware, 487
Man in the Browser (MITB), 301, 487
Man in the Middle (MITM), 301, 311–312
managed change, hardware operation and, 280
managed security services (MSS), 410, 497
management review, 372–373, 487
mandatory access control (MAC), 163, 350–351
mandatory vacations, 401
Manifesto for Agile Software Development (website), 434
Man-in-the-Middle Attack, 223, 301, 311–312, 354, 487
man-made threats, 119
mantraps, 318, 487
manual controls, 126, 487
marking, 154, 406
maturity models, 437–438, 487
Maximum Tolerable Downtime (MTD), 101–102, 103, 487
Maximum Tolerable Outage (MTO), 102, 103, 487
Maximum Tolerable Period of Disruption (MTPD), 101–102, 487
Media Access Control (MAC), 262
media management, 406–407
media storage, 92–94
media storage facilities, 229–230
medical devices, 317
Meet-in-the-Middle Attack, 223, 487
memory addressing, 177, 487
memory leaks, 449, 487
memory management, as an operating system function, 179
Memory Management Unit (MMU), 173
memory space, 177, 178, 488
mentors, 38
mergers, integrating security risk considerations into, 136–138
Merkle-Hellman (Trapdoor) Knapsack, 215–216
mesh mode, 273
Mesh topology, 274
message authentication, 216–219
Message Digest (MD), 218–219, 488
message digests, 217–219
metadata, 488
metamorphism, 488
metropolitan area network (MAN), 243, 488
Microsoft certifications, 11
military intelligence attacks, as a category of computer crime, 62
MIME Object Security Services (MOSS), 300, 488, 489
minimum security requirements, 137
mischief, in disaster recovery (DR) plan, 416
misdemeanor, 54
mission, aligning security function to, 44–45
mission statement, 44–45, 488
misuse case testing, 368–369
mixed law systems, 57

mobile app, 488
mobile device, 488
mobile device management (MDMI), 488
mobile systems, assessing and mitigating vulnerabilities in, 194
modes of operation, 181–182, 208
monoalphabetic substitution, 197, 488
monoalphabetic substitution cipher, 204
Moore's Law, 222
Motion Picture Experts Group (MPEG), 248
Motive, Opportunity, and Means (MOM), 389
movement, 228
multicast, 265, 485
multi-factor authentication, 304, 335–343, 485
multi-factor key card entry, 230
multilevel security mode, 183
multilevel system, 350, 485
multimedia collaboration, 302–303
multipayer protocols, 260
multiple data centers, 97
multiple processing sites, 413
multiple-choice questions, 18
multiplexing, 250
multiprocessing functionality, of systems, 175, 485
multiprogramming functionality, of systems, 175, 488
Multi-Protocol Label Switching (MPLS), 269, 489
multistate systems, 175
multitasking functionality, of systems, 175, 489
multiuser systems, 175

N

Napoleonic code, 57
National Computer Security Center (NCSC), 163, 489
National Information Assurance Certification and Accreditation Process (NIA-CAP), 169, 489
National Institute for Standards and Technology (NIST), 48, 65, 207, 216, 489
National Security Agency (NSA), 12, 65, 207
native hypervisors, 309
natural access control, as a strategy of CPTED, 224–225
natural disasters, as a consideration for choosing locations, 226
natural surveillance, as a strategy of CPTED, 225
natural threats, 119
near-field communications (NFC), 489
need-to-know concept, 146, 396–397, 489
NetBIOS, 249
network access control (NAC) devices
1. about, 282
2. cloud access security broker (CASB) systems, 291–292
3. data loss prevention (DLP), 291
4. firewalls, 283–288
5. intrusion detection and prevention systems (IDSs/IPSs/IDPSs), 288–290
6. Web content filters, 290–291
Network Access (Link) Layer (TCP/IP Model), 279, 489
Network Address Translation (NAT), 257, 489
network administrator, 11
network attacks, 310–313
network components
1. about, 280
2. content distribution networks, 294
3. endpoint security, 292–294
4. hardware, 280
5. network access control (NAC) devices, 282–292
6. physical devices, 294–295
7. transmission media, 280–282
Network File System (NFS), 249
network interface cards (NICs), 278, 489
Network Layer (Layer 3) (OSI Reference Model), 252–261, 489
network penetration test, 361–363, 489
network sprawl, 261, 489
network virtualization, 309
network visibility, 310
network-based IDS (NIDS), 289
network-based intrusion detection (NIDS), 289, 391, 489
Networking All-In-One For Dummies (Lowe), 239
networking certification, 456
networks, 24–25, 273–274, 309

neural network, 489
next-generation firewalls (NGFWs), 288, 490
NIST Cyber Security Framework (CSF), 153
NIST SP800-37, 132
NIST SP800-53, 153
NIST SP800-171 Revision 1, 153
no write down (NWD), 160
nonce, 327
non-compete agreement, 490
non-disclosure agreement (NDA), 490
non-interference model, 162, 490
non-(ISC)2 certifications, 34–37
non-repudiation, 343, 490
non-technical/non-vendor certifications, 34–36

O

Oakley Key Exchange Protocol, 307
object, 180, 490
Object Linking and Embedding (OLE), 490
object reuse, 149, 163, 490
objectives, aligning security function to, 44–45, 490
observation, as a control assessment technique, 127
octets, 255–256
odd-parity bit, 208
omni-directional antennas, 272
one-time pad, 203, 490
one-time passwords, 335, 490
one-way function, 214, 218, 490
one-way hash function, 217
one-way hashing algorithm, 218
online business networking, 24
online orders, RPOs and, 104
online practice (website), 4, 12, 13
on-premises, 490
on-the-job training, 140
open message format, 490
open networkers, 24
open relay, 490
Open Shortest Path First (OSPF), 254
open source software, 447, 490
Open Study Group (website), 458
Open System authentication, 282
open systems, 182, 490
Open Systems Interconnection (OSI) Reference Model, 241–278, 491
Open Web Application Security Project (OWASP), 30, 369, 452, 491
OpenFAIR, 131
operating states, for CPUs, 174
operating system (OS), 179, 448, 491
operation, of software, 438–439
operational assurance requirements, 164
operational impact, risk management and, 124
operational requirements,, for investigations, 391
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE), 131
Orange Book, 163–165, 491
organization, for exam, 457
organizational awareness, promoting, 110
organizational processes, 45–46
organizational value, as an asset value element, 118
orientation, to raise security awareness, 139
output control, as a data integrity measure, 159
Output Feedback (OFB) mode, 209, 491
outsourcing, 491
over-the-top (OTT) services, 296
ownership, determining and maintaining, 146–147, 491

P

packet sniffing, 354, 363, 491
packet-filtering firewall, 283–284, 491
packet-switched networks, 268–270, 491
pair programming, 368
pandemics, 418
parabolic antennas, 272
parallel test, of disaster recovery (DR) plan, 425–426
parity bit, 208
passive hubs, 278
passive IDS, 289
passphrases, 330–335, 491

Password Authentication Protocol (PAP), 304, 325, 491
password sniffing, 354
passwords, 330–335, 491
patches, managing, 411–412, 491
Patent Cooperation Treaty (PCT), 73
patents, 73, 492
path-vector protocol, 255
Payment Card Industry Data Security Standard (PCI DSS), 70–72, 75, 150, 492
Payment Card Industry Internal Security Assessor (PCI-ISA), 35
Payment Card Industry Qualified Security Assessor (PCI-QSA), 35
Payment Card Industry Security Standards Council (website), 35
payroll, during disasters, 101
P-boxes, 205
Pearson VUE (website), 16, 456
peer programming, 368
peer review, 368
pen register, 67
penalties, 53–54
penetration testing, 361–365, 492
pen/trap device, 67
performance management, 438
periodic reviews, for content relevancy, 141
Permanent Virtual Circuits (PVCs), 269
permutation ciphers, 204–205
personal area network (PAN), 242
personal health information (PHI), 51–52, 494
personal identification numbers (PINs), 335, 492
Personal Information Protection and Electronic Documents Act (PIPEDA), 492
personally identifiable information (PII), 51–52, 148, 492
personnel, in disaster recovery (DR) plan, 229, 416, 421
personnel notification, 92
personnel safety, 92
personnel security policies. See administrative management and control
pharming, 298, 365, 492
phishing, 298, 364–365, 492
phone taps, 382
photoelectric devices, 236
physical access control, 281, 337
physical address, 263
physical assets, 395
physical controls, 492
physical devices, 294–295
physical evidence, 380, 492
Physical Layer (Layer 1) (OSI Reference Model), 273–278, 493
physical memory, 176–177
physical penetration test, 363–364
physical security, 427
Physical Security Professional (PSP), 35
pipes, 228
Plain Old Telephone Systems (POTS), 295–296
plaintext, 199, 493
Platform as a Service (PaaS), 191, 491
plenum, 228
Pluralistic law systems, 57
point-to-point links, 266–267
Point-to-Point Protocol (PPP), 266, 492
Point-to-Point Tunneling Protocol (PPTP), 266, 306, 492
policies, 492
Policy Decision Point (PDP), 353
Policy Enforcement Point (PEP), 353
political intelligence attacks, as a category of computer crime, 62
polling, 263
polyalphabetic substitution cipher, 204
polyinstantiation, 492
polymorphism, 493
port hopping, 493
port level access control, 316
port scan, 359, 493
Post Office Protocol Version 3 (POP3), 246
PowerShell, 493
practice exams, 15, 458
preaction system, 237
Pre-Fetch Unit, 173

prepared statement, 493
pre-purchased assets, 420
Presentation Layer (Layer 6) (OSI Reference Model), 247–248, 493
presentations, 139, 386
preservation of evidence, 386
Pretty Good Privacy (PGP), 300, 493
preventive controls, 125, 493
printed materials, to raise security awareness, 139
privacy, 75–76. See also specific privacy acts
Privacy and Electronic Communications Regulations of 2003 (U.K.), 70
Privacy Enhanced Mail (PEM), 246, 300, 493
privacy requirements compliance, 57–58
Private Branch Exchange (PBX), 295–296
private cloud computing, 191, 493
private key cryptography. See symmetric key cryptography
private network address, 493
privilege creep, 397, 493
privileged account management, 398–399
Privileged Attribute Certificates (PACs), 326–327
Privileged Attribute Server (PAS), 326–327
privileges, escalation of, 449, 493
problem state, 174
procedures, 85–87, 280, 493
Process for Attack Simulation & Threat Assessment (PASTA), 136
process isolation, 493
process management, as an operating system function, 179
process table, 494
product backlog, 435
professional ethics, 82, 83–85, 479
Programmable Read-Only Memory (PROM), 177
Project Management Institute (website), 35
Project Management Professional (PMP), 35
project plan. developing and documenting, 90–98
project scope, developing and documenting, 90–98
project teams, membership in, 90
promiscuous mode, 363, 494
proofing of identity, 344–346
*-property (star property), 160
protected computer, 64
Protected Extensible Authentication Protocol (PEAP), 494
protection domain, 177, 406, 494
protection of privacy, 345
protection rings, 183, 494
Protection Test Unit (PTU), 174
Protocol Data Unit (PDU), 251, 494
provisioning resources, 394–395
proximate causation, 494
proxy server, 284, 494
prudent man rule, 494
pseudo flaw, 494
public cloud computing, 191, 494
Public Company Accounting Oversight Board (PCAOB), 68
Public Company Accounting Reform and Investor Protection Act, 371
public key cryptography, 467, 494. See also asymmetric key cryptography
Public Key Infrastructure (PKI), 219–220, 494
Public Switched Telephone Network (PSTN), 266
public value, as an asset value element, 118
punishment, under criminal law, 53
punitive damages, under civil law, 54, 494
Purple Machine, 197
pursuit of excellence, 38–39

Q

qualification program, 140
qualitative asset value, 117
qualitative impact, of disasters, 98
qualitative risk analysis, 120–121, 494
quality of service, 415
Quality of Service (QoS), 494
quantitative asset value, 117
quantitative impact, of disasters, 98
quantitative risk analysis, 121–122, 495
quarantine, 495
question types, 18–19
quizzes, to measure effectiveness of security training, 141

R

race conditions, 184–185, 449, 495
radiation monitoring, 362
radio frequency (RF) emanations, 362, 495
Rainbow table, 222, 353, 495
Random Access Memory (RAM), 176
ransomware, 495
rate-of-rise detectors, 236
Read (R) access, 352
Read-Only Memory (ROM), 176
read-through, of disaster recovery (DR) plan, 424
real evidence, 380, 495
real-time blackhole lists (RBLs), 297
reciprocal site, 97
records, in disaster recovery (DR) plan, 416
recovery, in disaster recovery (DR) plan, 420
recovery controls, 495
Recovery Point Objective (RPO), 104–105, 495
recovery procedures, 184
recovery sites, strategies for, 413
recovery strategies, implementing, 412–415
recovery targets, establishing, 102–105
Recovery Time Objective (RTO), 103–105, 495
Reduced-Instruction-Set Computing (RISC), 175, 495
reduction analysis, 135, 495
redundant array of independent disks (RAID), 495
redundant components, 172, 495
reference monitor, 180, 182, 495
referential integrity, 495
registers, 174
registration, for test, 456
Registration Authority (RA), 220, 495
registration processes, 344–346
regulatory policies, 86
regulatory requirements
1. as a criteria for commercial data classification, 144
2. for investigations, 391
reliability, 339
Religious law systems, 57
remediating threats, 135
Remember icon, 4
remote access, 303–308
Remote Access Service (RAS), 304, 325, 495
remote access trojan (RAT), 496
Remote Authentication Dial-In User Service (RADIUS), 304–305, 324–325, 496
remote backup, 496
remote console login, 317
remote desktop protocol (RDP), 496
Remote Procedure Call (RPC), 249
renewing CISSP certification, 20–21
repeater, 278, 496
repeater mode, 273
reperformance, as a control assessment technique, 128
Replay Attack, 224
replication, 93, 496
reports, generating, 376
Repository, 220, 496
repudiation, 196
reputation-based IDS, 392
requirements, 10–12, 156
re-scheduling exams, 16
Réseaux IP Européens Network Coordination Centre (RIPE NCC), 257
resilient systems, 184
resource management, as an operating system function, 179
resource protection, applying techniques for, 405–407
Resource Requirements portion (BIA), 106
resources, provisioning, 394–395
response, to disasters, 419–421
restoration, in disaster recovery (DR) plan, 423
restricted address, 303
restricted algorithm, 201
restricted area security, 230
retention, 150, 406
retina patterns, 341
return on investment (ROI), 89
Reverse Address Resolution Protocol (RARP), 265, 496
RG8, 275, 277

RG11, 275, 277
RG58, 275, 277
Rijmen, Vincent (Dr), 211
Rijndael Block Cipher, 211, 496
Ring topology, 274, 496
risk acceptance, 123, 496
risk analysis, 119–122, 445–446, 496
Risk and Insurance Management Society (RIMS) (website), 30
risk assessment/analysis (treatment), 117–119, 131, 154, 496
risk assignment, 123, 496
risk avoidance, 123, 496
risk framework, 132
risk identification, 117
risk management, 116–136, 138–141, 496
Risk Management Framework (RMF), 132
risk mitigation, 122–123, 445–446, 496
risk reduction, 497
risk tolerance, 497
risk transference, 123, 496, 497
risk treatment, 116, 122–123, 497
risk-based authentication, 496
Rivest, Ron (Dr), 211, 214, 497
Rivest Ciphers, 211–212
RJ-type connectors, 276
role-based access control (RBAC), 349–350, 497
roles and responsibilities, 46–48, 147, 397–398
root mode, 273
rootkits, 184, 497
rotation of duties, 400–402, 497
round, 208
route poisoning, 254
routed protocols, 252, 255–260
routers, 261, 497
Routing Information Protocol (RIP), 253–254
routing loops, 253
routing protocols, 252, 253–255, 497
row permissions, 316
RSA algorithm, 214–215
“rubber hose” attack, 224
rule-based access control, 350, 497
run state, 174

S

sabotage, 228
sacrificial lamb, 286
Safe and Secure Online program, 27
Safe Harbor (1998), 69
safeguard, 497
sag, 497
sally ports, 318, 497
salvage, in disaster recovery (DR) plan, 419–420
sampling, 378
sampling techniques, 128
sandboxing, 410, 497
SANS GIAC certifications, 11
SB-1386 (California Security Breach Information Act), 81
S-boxes, 204
scan, 497
scareware, 497
scope creep, 91
scoping, 152–153
screen savers, 344, 498
screened-host gateways, 287
screened-subnet, 287–288
screening router, 283–284, 285–286, 498
script injection, 301, 369, 498
script kiddie, 498
Scrum For Dummies (Layton), 436
Scrum methodology, 436, 498
sealing, as a function of TPM, 181
search and seizure, 382
search warrant, 385
Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (3rd edition, 2009) publication, 384
secondary evidence, 380, 498
secondary memory, 177–178
secondary storage, 177–178
Secret government data classification, 146
secret key cryptography. See symmetric key cryptography
sectorized antennas, 272
secure and signed message format, 213, 498

secure design principles, implementing and managing engineering processes using, 155–157
Secure Electronic Transaction (SET), 498
Secure European System and Applications in a Multi-vendor Environment (SESAME), 326–327, 498
Secure Hash Algorithm (SHA), 219
Secure Hypertext Transfer Protocol (S-HTTP), 246, 498
Secure Key Exchange Mechanism (SKEME), 307
secure message format, 498
secure modes of operation, 181–182
Secure Multipurpose Internet Mail Extensions (S/MIME), 247, 300, 498
secure offsite storage, 413
Secure Remote Procedure Call (S-RPC), 249
Secure Shell (SSH/SSH-2), 249, 498
Secure Sockets Layer (SSL), 308, 498
Secure Sockets Layer/Transport Layer Security (SSL/TLS), 252
security analyst, 11
Security and Risk Management domain
1. about, 43
2. applying concepts of confidentiality, integrity, and availability, 51–52
3. applying risk management concepts, 116–132
4. applying security governance principles, 44–50
5. applying threat modeling, 132–136
6. business continuity requirements, 87–111
7. compliance, 53–58
8. global legal and regulatory issues, 58–81
9. integrating security risk considerations, 136–138
10. managing information security education, training, and awareness, 138–141
11. personnel security policies, 111–116
12. policies, standards, procedures, and guidelines, 85–87
13. professional ethics, 82–85
security architect, 11
Security Architecture and Engineering domain
1. applying cryptography, 196–224
2. applying security principles to site and facility design, 224–229
3. fundamental concepts of security models, 157–162
4. implementing site and facility security controls, 229–238
5. secure design principles, 155–157
6. security capabilities of information systems, 173–185
7. selecting controls, 162–172
8. vulnerabilities in embedded devices, 195–196
9. vulnerabilities in mobile systems, 194
10. vulnerabilities in Web-based systems, 193–194
11. vulnerabilities of security architecture, designs, and solution elements, 185–192
security architectures, 185–192
Security Assertion Markup Language (SAML), 320, 499
security assessment and testing
1. about, 357
2. analyzing test output, 376
3. collecting security process data, 371–376
4. conducting security audits, 376–378
5. conducting security control testing, 359–371
6. designing and validating strategies for, 357–358
7. generating reports, 376
security association (SA), 307
security auditor, 11
security audits, conducting, 376–378
security awareness, 499
security capabilities, of information systems, 173–185
security consultant, 11
security control assessment (SCA), 499
security controls, 169–172, 359–371
security countermeasures, 169–172
security engineer, 11, 499
security executive oversight, 45–46
Security Features User's Guide (SFUG), 165
security gates, 230
security governance principles, 44–50
security guards, 230
security incident management. See incident management
security information and event management (SIEM) systems, 366, 393, 410, 499

security kernel, 181, 182, 499
security lighting, 230
security manager, 11
security models, 157–162
security modes, 183, 499
security operation center (SOC), 499
Security Operations domain
1. about, 46, 379
2. addressing personnel safety and security concerns, 428
3. applying foundational security operations concepts, 396–405
4. applying resource protection techniques, 405–407
5. conducting incident management, 407–409
6. conducting logging and monitoring activities, 391–394
7. implementing disaster recovery (DR) processes, 415–423
8. implementing patch and vulnerability management, 411–412
9. implementing physical security, 427
10. implementing recovery strategies, 412–415
11. maintaining detective and preventive measures, 409–411
12. participating in Business Continuity (BC) planning, 427
13. participating in change management processes, 412
14. provisioning resources, 394–395
15. requirements for investigation types, 390–391
16. supporting investigations, 379–390
17. testing disaster recovery plans, 423–427
Security Parameter Index (SPI), 307
security perimeter, 180, 499
security policies
1. about, 46
2. as a basic control requirement, 163
3. developing and implementing, 85–87
security posture, 46, 499
security process data, 371–376
security program metrics, to measure effectiveness of security training, 141
Security Protocol ID, 307
security scanners, 445
security testing, 164
security walls/fences, 230
Security|5, 37
segregation of duties and responsibilities, 397–398, 499
self assessment, 127
self-paced training, 140
self-study, 12–13
senior management, 89–90, 110
senior management policies, 86
Sensitive but Unclassified (SBU) government data classification, 145, 499
sensitivity labels, 350–351, 499
separation of duties and responsibilities, 397–398, 499
Sequenced Packet Exchange (SPX), 252
Serial Line IP (SLIP), 267, 499
server rooms, 229–230
server-based systems, assessing and mitigating vulnerabilities in, 186–187
Service Set Identifier (SSID), 281, 499
service-level agreements (SLAs), 137–138, 402–404, 499
services, 137
session hijacking, 312, 354, 500
Session Initiation Protocol (SIP), 249
session key, 323
Session Layer (Layer 5) (OSI Reference Model), 248–249, 500
session management, 344, 449
session token interception, 312
severe weather, 228
Shamir, Adi (Dr), 211, 214
Shared Key authentication, 282
The Shatterproof Fallacy, 82
shielded twisted-pair cable (STP), 275, 277
shoulder surfing, 363, 500
side-channel attacks, 211
signature dynamics, 342
signature-based IDS, 289–290, 392
signature-based software, 292–293
simple integrity property, 161, 500

Simple Key Management for Internet Protocols (SKIP), 261, 500
Simple Mail Transfer Protocol (SMTP), 247, 297, 500
Simple Network Management Protocol (SNMP), 247
simple security property (ss property), 160, 500
simplex mode, 248
simulation, of disaster recovery (DR) plan, 424–425
single factor authentication, 330–335, 500
single key cryptography. See symmetric key cryptography
Single Loss Expectancy (SLE), 120, 500
single sign-on (SSO), 319–327, 500
Single-line Digital Subscriber Line (SDSL), 267
single/multi-factor authentication, 328–343
site accreditation, 169
site design, applying security principles to, 224–229
site security controls, implementing, 229–238
The Site Security Handbook, 86
60-day study plan, 456–457
S/Key protocol, 335
smartphone passwords, 336, 500
smishing, 365
smoke-sensing fire detection, 236
SMS passwords, 336
SMTP over TLS, 299–300
Smurf attack, 311, 500
sniffing, 500
social engineering, 354, 364–365, 500
Society for Information Management (SIM) (website), 30
Society of Information Risk Auditors (IIA) (website), 30
socket, 251, 501
soda acid, 237
soft tokens, 336
software
1. about, 137, 179
2. acquired, 447–448
3. assessing effectiveness of security of, 444–447
4. containerization, 180
5. defined, 501
6. environments for, 440–442
7. operating systems, 179
8. virtualization, 180
Software as a Service (SaaS), 190, 501
software asset management, 407
Software Assuarnce Maturity Model (SAMM), 437, 501
software developer, 11
software development
1. about, 429
2. applying secure coding guidelines and standards, 448–452
3. applying security controls in development environments, 440–444
4. assessing effectiveness of software security, 444–447
5. assessing security impact of acquired software, 447–448
6. software development lifecycle (SDLC), 429–440
software development lifecycle (SDLC)
1. about, 429–430
2. change management, 439
3. defined, 501
4. development methodologies, 430–436
5. integrated product team, 439–440
6. maturity models, 437–438
7. operation and maintenance, 438–439
software development methodology (SDMI). See software development lifecycle (SDLC)
software escrow agreements, 94, 501
software libraries, 448
software-defined networks (SDNs), 260–261, 501
solution elements, vulnerabilities of, 185–192
source code review, 355, 501
source code scanning tools, 446
source-code, 448–450, 501
speaking, at events, 26–27
spear phishing, 298, 365, 501
Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations, 48
speed, 338–339
spike, 501

SPIM, 501
SPIT, 501
split horizon, 254
spoofing, 312, 501
sprint planning, 435, 501
sprint retrospective, 436
sprint review, 436
spyware, 502
SQL injection, 502
ss property (simple security property), 160
SSL hiding, 502
stack overflow, 353–354
stack overflow attack, 469
staging environments, 375
stand-alone power system (SPS), 95, 502
standard operating environments, 87
Standard Operating Procedures (SOPs), 87
Standard Practice for Computer Forensics, 391
standards, 85–87, 153, 280, 448–452, 502
standby assets, 421
star integrity property (*-integrity property), 161, 502
star property (*- property), 160, 502
Star topology, 273, 502
stare decisis, 53
state attacks, 185, 502
state machine, 161, 502
stateful inspection firewall, 284, 502
static application scanning tool (SAST), 502
static password, 335, 502
Static RAM (SRAM), 176
static routing protocol, 253
statistical attack, 222
statistical sampling, 128
statutory damages, under civil law, 54, 502
steganography, 205, 502
storage, 154, 386, 406
storage area network (SAN), 242
storage virtualization, 309
stored procedure, 502
stream ciphers, 203, 503
Stream Control Transmission Protocol (SCTP), 252
STRIDE technique, 133–134, 446
strong authentication, 503
Structured Query Language (SQL), 503
structured walkthough, of disaster recovery (DR) plan, 424
study groups, 13, 28, 458
subject, 503
subpoena, 385
substitution ciphers, 203–204, 503
Sun Network File System (NFS), 320
Supervisory Control and Data Acquisition (SCADA), 503
supervisory state, 175, 503
supplies, in disaster recovery, 95–96
supply chain management, integrating security risk considerations into, 136–138
surge protectors, 233, 503
surge suppressors, 233
switch, 503
Switched Multimegabit Data Service (SMDS), 269, 503
Switched Virtual Circuits (SVCs), 269
symmetric algorithm. See symmetric key cryptography
symmetric key cryptography
1. about, 206–207
2. Advanced Encryption Standard (AES), 211
3. Blowfish Algorithm, 211
4. Data Encryption Standard (DES), 207–209
5. defined, 503
6. International Data Encryption Algorithm (IDEA) Cipher, 212
7. Rivest Ciphers, 211–212
8. Triple DES (3DES), 209–211
9. Twofish Algorithm, 211
SYN Defender, 312
SYN flood attack, 312, 503
synchronous communication, 271
Synchronous Data Link Control (SDLC), 271
Synchronous Digital Hierarchy (SDH), 269
Synchronous Optical Network (SONET), 269, 503
synthetic transactions, 367–368

system access controls, 316, 503
system accreditation, 169
system architecture, 164
system certification, 167–169
system hardening, 170–171, 443
system high mode, 182, 503
system high security mode, 183
system integrity, 164
system isolation, 443
system messages, 333–334
system resilience, 171–172, 414
system test, 503
systems administrator, 11, 316–317
systems development lifecycle. See software development lifecycle (SDLC)
Systems Security Certified Professional (SSCP), 33

T

tabletop walkthrough, of disaster recovery (DR) plan, 424
tactics, techniques, and procedures (TTPs), 504
tailgating, 365
tailoring, 152–153
Take-Grant systems, 161, 504
TCP Intercept, 312
teaching, about data security, 28–29
Teardrop attack, 312, 504
technical factors, risk management and, 124
Technical Stuff icon, 4
technical support, 5
technical training, 140
technical/vendor certifications, 36–37
techniques, for control assessment, 127–128
telephone calls, 365
Telnet, 247, 504
temperature, 233–234
TEMPEST project, 172, 276
Temporal Key Integrity Protocol (TKIP), 282
temporary credentials, 345
Terminal Access Controller Access Control System (TACACS), 305, 325–326, 504
termination of employment, 401
territorial reinforcement, as a strategy of CPTED, 225
terrorism, 62, 228, 416, 417
test coverage analysis, 370
test documentation, 165
testing
1. analyzing output, 376
2. Business Continuity Plan (BCP), 110–111
3. disaster recovery (DR) plans, 423–427
4. in engineering process, 156
text messaging, 422
theft, 228
thicknet, 275, 277
thinnet, 275, 277
third-party, 504
third-party assessment/monitoring, 137
third-party audit, 378
third-party identity services, 348
third-party security services, 410
Threat Agent Risk Assessment (TARA), 131
threat analysis, 118–119
threat modeling, 133–135, 354, 446, 504
threats, identifying, 116–117, 133–134, 504
3DES (Triple DES), 465
three-way handshake, 250, 504
throughput, 338–339
Tip icon, 4
Token Ring, 264, 504
token-passing networks, 263
tokens, 336, 504
toll fraud, 296
tools, 179
Top Secret government data classification, 146
topologies, network, 273–274
tort law, 471
total cost of ownership (TCO), 123–124
trade secrets, 74, 504
Trademark Law Treaty Implementation Act, 73
trademarks, 73, 504
Trade-Related Aspects of Intellectual Property Rights (TRIPs), 72
traffic analysis, 504

training, 138–141, 280, 375, 423
Training Seminar, 458
transaction latency, 368
trans-border data flow, 75, 505
transformation procedures (TP), 162
transitive trust, 397, 505
Transmission Control Protocol (TCP), 250–251, 505
Transmission Control Protocol/Internet Protocol (TCP/IP) Model, 278–279, 504
transmission media, 280–282
Transport Layer (Layer 4) (OSI Reference Model), 249–252, 505
Transport Layer (TCP/IP Model), 279, 505
Transport Layer Security (TLS), 505
transport mode, 307
transport via secure courier, 413
transportation, 317, 386, 416, 418
transposition ciphers, 204–205, 505
trap and trace device, 67
trap door, 505
Trapdoor (Merkle-Hellman) Knapsack, 215–216
traverse-mode noise, 232
Triple Data Encryption Standard (3DES), 209
Trivial File Transfer Protocol (TFTP), 247
Trojan horse, 505
trust model, 300
trusted computer system, 505
Trusted Computer System Evaluation Criteria (TCSEC), 163–165, 505
Trusted Computing Base (TCB), 180–181, 505
trusted distribution, 164
trusted facility management, 164
Trusted Facility Manual (TFM), 165
Trusted Network Interpretation (TNI), 166, 505
trusted path, 164, 505
Trusted Platform Module (TPM), 181, 505
trusted recovery, 164, 505
trusted subject, 160
tunnel mode, 307
twinaxial cable, 275, 506
twisted-pair cable, 275–276, 506
two-factor authentication, 506
Twofish Algorithm, 211
Type 1 error, 338
type accreditation, 169
Type II error, 338
typing dynamics, 342

U

UDP flood attack, 313
UDP small servers, 311
U.K. Data Protection Act (DPA), 78–79
unauthenticated scans, 360, 506
Unclassified government data classification, 145
unconstrained data item (UDI), 162
unicast, 265, 506
Unified Communications as a Service (UCaaS), 296
unified threat management devices (UTMs), 288, 506
Uninterruptible Power Supply (UPS), 95, 231–232, 506
unit test, 506
United Nations Commission on International Trade Law (UNCITRAL), 72
unsecured protected health information (PHI), 78
unshielded twisted-pair cable (UTP), 275, 277
U.S. CAN-SPAM Act (2003), 69
U.S. Child Pornography Prevention Act (CPPA) (1996), 66
U.S. Computer Fraud and Abuse Act (1986), 63–65, 68
U.S. Computer Security Act (1987), 65
U.S. Defense Information Security Agency, 170
U.S. Department of Defense (DoD), 145, 160–161, 163
U.S. Economic Espionage Act (EEA) (1996), 64, 66
U.S. Electronic Communications Privacy Act (ECPA) (1986), 65, 68
U.S. Federal Emergency Management Agency (FEMA), 89
U.S. Federal Information Systems Management Act (FISMA) (2002), 69
U.S. Federal Privacy Act (1974), 75, 76
U.S. Federal Sentencing Guidelines (1991), 55, 66
U.S. Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) (1999), 75, 77

U.S. Health Information Technology for Economic and Clinical Health Act (HITECH) (2009), 75, 78
U.S. Health Insurance Portability and Accountability Act (HIPAA) (1996), 52, 75–77, 482
U.S. Homeland Security Act (2002), 68
U.S. Identity Theft and Assumption Deterrence Act (2003), 69
U.S. Intelligence Reform and Terrorism Prevention Act (2004), 69
U.S. Patent and Trademark Office (PTO), 73
U.S. Sarbanes-Oxley Act (SOX) (2002), 48, 68, 371, 378, 497
USA PATRIOT Act (2001), 64, 66–68, 506
use case testing, 368–369
Use stage, of ILM, 151
useful life, as a criteria for commercial data classification, 144
user, 506
user acceptance testing (UAT), 446–447, 506
user and entity behavior analytics (UEBA), 506
User Datagram Protocol (UDP), 251, 506
user entitlement, 506
user identity, 345
user mode, 506
user stories, 435
users, as a security role and responsibility, 47–48
utilities, 95, 226, 228, 231–233, 416, 417

V

v. (versus), 56
V.24 ITU-T standard, 277
V.35 ITU-T standard, 277
validating strategies for assessment and testing, 357–358
value, as a criteria for commercial data classification, 144
value-added network (VAN), 243
vandalism, 228
vendor controls, 115
vendor training, 140
Vernam cipher, 506
version control, 375
Very high Data-rate Digital Subscriber Line (VDSL), 267
veterans, 17
vibration, 228
video surveillance, 229
view, 506
view permissions, 316
violation analysis, 506
virtual addressing, 178
virtual assets, 395
virtual circuit management, 250
virtual desktop infrastructure (VDI), 507
virtual local area network (VLAN), 242, 507
virtual machine, 507
virtual memory, 177, 178, 507
Virtual Private Network (VPN), 305, 507
virtual reality (VR), 507
Virtual Tape Library (VTL), 93, 507
virtualization, 180, 309–310, 414, 507
virtualized networks, 309
virus, 507
visibility, as a consideration for choosing locations, 226
visitor logs, 230, 318
Visual Basic Script (VBScript), 507
VM sprawl, 310, 507
voice communication, 295–296
Voice over Internet Protocol (VoIP), 295–296, 507
Voice over Long-Term Evolution (VoLTE), 296
Voice over Wi-Fi (VoWiFi), 296
voice recognition, 342
voluntary surrender, of evidence, 385
volunteer opportunities, 26–29
volunteering, reasons for, 29
VOMIT, 507
voting, in ISC² elections, 25
vulnerabilities, 116–117, 184–196, 355, 359–360, 411–412, 507
Vulnerability Assessment, 99–100, 119, 507
vulnerability management services, 410, 438, 507
vulnerability scan, 359–360, 507
vulnerability scanning tool, 507

W

wait state, 175
waivers, 11
walkthrough, of disaster recovery (DR) plan, 424
walls, 318
war, 416
war dialing, 361, 508
war driving, 362, 508
warm site, 97, 228, 413, 508
Warning icon, 4
water issues, 234
water protection, 96
water sprinkler systems, 236–237
waterfall model, 430–434, 508
watering hole attacks, 301, 508
wearables, 317
web application firewall (WAF), 285, 508
web communication, 300–302
web content filters, 290–291, 508
Web filtering, 410
web site security tools, 445
Web-based systems, assessing and mitigating vulnerabilities in, 193–194
websites. See specific websites
weighting, of questions in exam, 19
well-formed transaction, 162
wet-pipe system, 236
whaling, 298, 365
white-box testing, 508
whitelisting, 410, 508
wide area networks (WANs), 240–241, 266–271
Wi-Fi, 508
Wi-Fi Calling, 296
Wi-Fi networks, protecting, 281–282
Wi-Fi Protected Access (WPA/WPA2), 282, 508
Wired Equivalent Privacy (WEP), 281–282, 508
wired networks, protecting, 281
Wireless Access Points (APs), 272–273
wireless campus area network (WCAN), 243
wireless intrusion detection (WIDS), 392
wireless local area network (WLAN), 243, 265–266
wireless metropolitan area network (WMAN), 243
wireless network interface cards, 272
Wireless Networks For Dummies (Lewis and Davis), 266
wireless personal area network (WPAN), 242
Wireless Transport Layer Security (WTLS), 508
wireless wide area network (WWAN), 243
wiretaps, 382
wiring, as a building design consideration, 227
wiring closets, 229–230
work area security, 230
work factor, 222, 508
World Customs Organization (WCO), 72
World Intellectual Property Organization (WIPO), 72
World Trade Organization (WTO), 72
worm, 508
Write (W) access, 352
writing certification exam questions, 26

X

X (Execute) access, 352
X.21bis. ITU-T standard, 278
X25, 270, 508

Y

Yagi antennas, 272

Z

Zigbee, 508

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Index

Create new playlist

Sign In

Sign Up

Index

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Y

Z

Table of Contents for
Index