access control policies, 263-264
AccessData Forensic Toolkit (FTK), 363
ACK (ACKnowledge) bits, 41
active code scanning, virus scanners, 223
active IDS, 230
active scanning techniques, hacking
vulnerability assessment, 142
activities, IDS, 231
Address Resolution Protocol (ARP), 291
addresses, IP
CIDR (classless interdomain routing), 37-39
loopback addresses, 36
NAT (network address translation), 37
packets, 40
private, 36
public, 37
subnetting, 37
URLs (uniform resource locators), 39-40
AddRoundKey step (AES), 198
Adleman, Len, 202
advance-fee scam, 59
Advanced Encryption Standard (AES), 197-199
Blowfish, 199
cipher-block chaining, 200
electronic codebook, 200
math, 199
RC4, 199
Serpent, 199
Skipjack, 200
advanced persistent threats (APTs), 126, 312
Advanced Research Projects Agency (ARPA), 41
AFCC (Air Force Cyber Command), 311
age, passwords, 283
Agent.btz worm, 311
Agnitum firewalls, 227
AHs (Authentication Headers), IPsec, 243
Air Force Cyber Command (AFCC), 311
alerts, IDS, 231
algorithms, 193
Atbash cipher, 189
Caesar cipher, 188
multi-alphabet substitution, 189-190
PGP (Pretty Good Privacy), 205-206
single-key encryption, 194
DES (Data Encryption Standard), 194-196
triple DES, 197
Allen, James, 67
analyzers, IDS, 230
AND operation, 192
Android, computer forensics, 377-378
Anonymous DDoS attacks, 98
antivirus software, 221-224, 250
application gateway, firewalls, 226
Application log (Windows), 365
applications, patching, 277
Applications and Services log (Windows), 365
APTs (advanced persistent threats), 126, 312
armored viruses, 110
ARP (Address Resolution Protocol), 291
ARPA (Advanced Research Projects Agency), 41
ARPANET, 41
AS (authentication server), Kerberos, 238
Assange, Julian, 99
assessing systems, 277
probing, 284
asset identification, 163
asymmetric cryptography, 185
asymmetric encryption, 201
digital signatures, 207
Elliptic Curve, 205
PGP (Pretty Good Privacy), 205-206
Atbash cipher, 189
attachments, email, 255
scanning, virus scanners, 222
attack phase (NIST 800-115 security assessment), 151
attacks
advanced persistent threats (APTs), 126
brute force, 188
chosen plaintext, 213
ciphertext-only, 213
cross-site scripting, 146
DoS (denial of service), 6-9, 86-89
ICMP flood attacks, 96
land attack, 97
LOIC (low orbit ion cannon), 89
ping of death (PoD), 96
security policies, 262
Stacheldraht tool, 91
teardrop attack, 96
TFN (Tribal Flood Network), 90-91
UDP flood attacks, 96
weaknesses, 91
general, 318
hacking, 338
identifying, 6
identity theft, 338
known plaintext, 212
malicious web-based code, 125
malware
logic bombs, 7
login as system, 150
pass the hash, 149
spyware, 7
Trojan horses, 7
viruses, 6
related-key, 213
rootkits, 124
social engineering, 170
spam, 126
spyware
detection and elimination, 127-129
legal uses, 121
target delivery, 122
viruses
armored, 110
Bagle, 114
CryptoLocker, 111
CryptoWall, 112
detection and elimination, 127-129
FakeAV, 112
Flame, 115
Gameover ZeuS, 111
MacDefender, 112
macro, 110
memory-resident, 110
Mimail, 114
Morris worm, 115
multi-partite, 110
MyDoom, 116
polymorphic, 111
Rombertik, 111
sparse infector, 110
Troj/Invo-Zip, 112
virus scanners, 116
W32/Netsky-P, 112
auditing, 17
audit monitors, cloud, 384
Authentication Headers (AHs), IPsec, 243
authentication server (AS), Kerberos, 238
Autostart locations, Windows Registry, 374
AVG AntiVirus, 116, 224
Aykroyd, Dan, 16
Back Orifice Trojan horse, 117
backbones, 34
background checks, 338
civil court records, 344
employees, 173
prospective employees, general searches, 339-342
respecting privacy, 342
sex offender registries, 342-344
state court records, 345
backup media, handling old, 288-289
backups, types, 267
Bagle virus, 114
bandwidth, 30
BCP (business continuity plan), 266
Bellaso, Giovan Battista, 190
Berners-Lee, Tim, 42
BIA (business impact analysis), 266-267
bid shielding, auctions, 63
bid siphoning, auctions, 63
BitLocker, 173
black hat hacking, 15
reconnaissance phase, 137
BlackEnergy malware, 315
block ciphers, 194
blocking ICMP packets, 99
Bloomberg, Inc., industrial espionage, 167
Bloomberg, Michael, 167
Blowfish block cipher, 199
Bogachev, Evgeniy, 111
Bosselaers, Antoon, 208
breaches, system administration policies, 261
Briney, Andrew, 171
browsers
finding evidence in, 364
brute force attacks, 188
buffer-overflow attacks, 119-120
buffers, 119
bugs, industrial espionage, 172
business continuity plan (BCP), 266
business impact analysis (BIA), 266-267
BYOD (bring your own device), security policies, 256-257
CA (certificate authority), 239
Caesar cipher, 188
Cain and Abel enumeration tool, 143-144
carriers, steganography, 210
CASP (CompTIA Advanced Security Practitioner), 5
Category 6 cable, 30
CBC (cipher-block chaining), 200
Cellebrite tool, 364
CENTCOM (Central Command), 311
Center for Internet Security, 285
Central Command (CENTCOM), 311
Cerf, Vint, 41
CERT (Computer Emergency Response Team), 21, 115
Information Assurance in Small Organization workbook, 163-165
certificate authority (CA), 239
certificates, digital, 238
certification
CASP (CompTIA Advanced Security Practitioner), 5
Certified Cyber Forensics Professional, 300
Certified Ethical Hacker, 300
GIAC Certified Forensic Analyst (GCFA), 381
GIAC Certified Forensic Examiner (GCFE), 381
Computer Hacking Forensic Investigator, 300
CISSP (Certified Information Systems Security Professional), 5
CNE (Certified Novell Engineer), 299
IT (information technology), 299-300
penetration testing, 136
Security+, 5
chain of custody, computer forensics, 360
Challenge Handshake Authentication Protocol (CHAP), 236
Chang, Jeremy, 166
change requests, system administration policies, 259-261
channel, steganography, 210
CHAP (Challenge Handshake Authentication Protocol), 236
checklists, policies, 283
children, cyber stalking, 70-71
China Eagle Union, 312
Chinese Military, APTs, 126
chosen plaintext attacks, 213
Christenson, Kai, 68
CIA triangle, 18
CIDR (classless interdomain routing), 37-39
cipher-block chaining (CBC), 200
cipher text, encryption, 193
ciphertext-only attacks, 213
CISA (Certified Information Systems Auditor), 5
Cisco Systems
certifications, 299
firewalls, 227
CISSP (Certified Information Systems Security Professional), 5, 300
Citrix firewalls, 282
civil court record searches, 344
classes, networks, 35
classification, data, 265
classless interdomain routing (CIDR), 37-39
client errors, 39
cloud forensics, 384
CNE (Certified Novell Engineer), 299
commands
fc, 370
ipconfig, 43
net sessions, 369
netcat, 356
netstat, 46, 370
nslookup, 47
openfiles, 369
Snort, 234
SQL, 9
traceroute, 39
whois, 33
Computer Crime Acts, 20
Computer Emergency Response Team (CERT), 21, 115
computer forensics
chain of custody, 360
documentation, 359
EU guidelines, 362
finding evidence in browser, 364
finding evidence in system logs, 365-366
handling suspect drive, 355-356
Locard’s principle of transference, 363
network, 382
operating system utilities, 369-370
retrieving deleted files, 366-369
securing evidence, 359
SWGDE (Scientific Working Group on Digital Evidence), 362-363
U.S. Secret Service guidelines, 361-362
Computer Security Act of 1987, 20
Computer Security Institute survey, 14
computer systems. See system security
configuration
desktop, security policies, 256
connect scans (Nmap), 140
connection speeds, Internet, 32
cookies, 7
RST, 93
spyware, 121
co-prime numbers, 202
corporate espionage. See industrial espionage
costs, cybercrime, 3
Counterpane Internet Security, 324
Cox, William, 68
crackers, 137
cracking, 7
credibility, cyber stalking, 69
CRL (certificate revocation list), 240
cross-site scripting, 10-11, 146
cryptography, 184
asymmetric, 185
decryption, 185
distinguishing algorithm, 212
Atbash cipher, 189
Caesar cipher, 188
cipher text, 193
digital signatures, 207
keys, 193
MAC (Message Authentication Code), 208-209
multi-alphabet substitution, 189-190
PGP (Pretty Good Privacy), 205-206
plain text, 193
triple DES, 197
global deduction, 212
information deduction, 212
instance deduction, 212
Internet, 213
symmetric, 185
total breaks, 212
Cryptography.org, 187
CryptoLocker virus, 111
CryptoWall virus, 112
CSNET, 42
cyber stalking
crimes against children, 70-71
cyber terrorism
Agent.btz worm, 311
APT (Advanced Persistent Threat), 312
China Eagle Union, 312
general attacks, 318
India/Pakistan, 313
military operations attacks, 317-318
recruiting, 330
Russia, 313
SCADA (Supervisory Control and Data Acquisition), 318
TOR (The Onion Router), 330-331
cyber warfare
general attacks, 318
military operations attacks, 317-318
SCADA (Supervisory Control and Data Acquisition), 318
cybercrime. See attacks
Cybersecurity Research and Education Act of 2002, 326-327
Cyberterrorism Preparedness Act of 2002, 326-327
Daemen, Joan, 197
DAM (database activity monitoring), 235
DAMP (database activity monitoring and prevention), 235
DARPA (Defense Advanced Research Projects Agency), 41
data classification, 265
Data Encryption Standard (DES), 194-196
data partitions, iOS, 377
data sources, IDS, 231
data transmission, networks, 32-34
databases, 235
relational, SQL script injection, 144-146
Daubert standard, expert witnesses, 382
DBMS (database management system), 235
DDoS (distributed denial of service) attacks, 97
decryption, 185
DEF CON convention, war-driving contest, 8
Defense Advanced Research Projects Agency (DARPA), 41
deleted files, retrieving, 366-369
demilitarized zone (DMZ), 289-290
denial of service (DoS) attacks. See DoS (denial of service) attacks
departing employees, system administration policies, 258-259
DES (Data Encryption Standard), 194-196
desktop configuration, security policies, 256
developmental policies, 264
differential backups, 267
Diffie, Whitfield, 204
Diffie-Hellman key exchange, 204-205
digital forensics. See computer forensics
digital signatures, 207
PGP (Pretty Good Privacy), 239
disaster recovery plan (DRP), 266
disaster recovery policies, 266-268
discovery phase (NIST 800-115 security assessment), 151
disinformation, 322
DiskDigger, retrieving deleted files, 366-369
disks, RAID levels, 268
distinguished names, X.509 certificates, 239
distributed denial of service (DDoS). See DDoS (distributed denial of service) attacks
DMZ (demilitarized zone), 289-290
DNS (Domain Name System), 33, 42
Dobbertin, Hans, 208
documentation, computer forensics, 359
documents, shredding, 173
DOD (Department of Defense) clearances, 265
Domain Name System (DNS), 33, 42
Doomjuice virus, 116
DoS (denial of service) attacks, 6-9, 86-89
land, 97
LOIC (low orbit ion cannon), 89
ping of death (PoD), 96
security policies, 262
Stacheldraht tool, 91
teardrop, 96
TFN (Tribal Flood Network), 90-91
UDP flood, 96
weaknesses, 91
download scanning, virus scanners, 222
doxing, 13
drives
handling for forensics, 355-356
DRP (disaster recovery plan), 266
dual-homed host firewalls, 226
Duronio, Roger, 125
EAP (Extensible Authentication Protocol), 237
Easttom, Chuck
contact information, 342
corollary, 206
EC-Council, penetration testing certifications, 136
ECB (electronic codebook), 200
economic espionage. See industrial espionage
EDGE (Enhanced Data Rates for GSM Evolution), 376
Edwards, John, 326
EFS (Encrypting File System), 173-175
electronic codebook (ECB), 200
eLiTeWrap, 118
EliteWrapper, 117
Elliptic Curve encryption, 205
Ellison, Larry, 168
email
scanning, 222
employees
access control policies, 263-264
background checks, 338
civil court records, 344
respecting privacy, 342
sex offender registries, 342-344
state court records, 345
developmental policies, 264
disaster recovery policies, 266-268
nondisclosure and noncompete agreements, 162
security policies
BYOD (bring your own device), 256-257
desktop configuration, 256
installing/uninstalling software, 255
system administration policies, 258
new employees, 258
Encapsulating Security Payloads (ESPs), IPsec, 243
EnCase tool, 364
Encrypting File System (EFS), 173-175
encryption
asymmetric, 185
Atbash cipher, 189
Caesar cipher, 188
cipher text, 193
digital signatures, 207
Internet, 213
key schedules, 195
keys, 193
MAC (Message Authentication Code), 208-209
multi-alphabet substitution, 189-190
PGP (Pretty Good Privacy), 205-206
plain text, 193
public key, 201
Elliptic Curve, 205
single-key, 194
AES (Advanced Encryption Standard), 197-200
DES (Data Encryption Standard), 194-196
triple DES, 197
symmetric, 185
Enhanced Data Rates for GSM Evolution (EDGE), 376
Error 404: File Not Found, 39
espionage, industrial, 160-162
Bloomberg, Inc., 167
FBAR technology, 165
General Motors, 166
Houston Astros, 165
Industrial Espionage Act, 175
Interactive Television Technologies, Inc., 167
phone taps and bugs, 172
spyware, 171
steganography, 171
VIA Technology, 166
ESPs (Encapsulating Security Payloads), IPsec, 243
ethical hacking, 16
EU guidelines, computer forensics, 362
events, IDS, 231
evidence, 361
evidence, securing, 359
exit interviews, 162
expert witnesses, computer forensics, 381-382
Extensible Authentication Protocol (EAP), 237
Facebook
background checks, 340
productivity, 258
FakeAV virus, 112
false negatives, virus scanners, 223
false positives, virus scanners, 222-223
Fannie Mae, logic bomb attack, 126
FastMail, DDoS attacks, 99
FBAR technology, industrial espionage, 165
FBI guidelines, computer forensics, 360-361
FBI state registry of sex offenders, 342-344
fc command, 370
Federal Rule of Evidence 702, expert witnesses, 381
Feistel ciphers, 194
file scanning, virus scanners, 222
File Transfer Protocol (FTP), 33
files, retrieving deleted, 366-369
FIN (FINish) bits, 41
FIN scans (Nmap), 140
FinFisher spyware, 314
firewalls
application gateway, 226
limitations, 224
logs, 228
packet filtering, 225
stateful packet inspection, 225
footprinting, 316
forensics, computer
chain of custody, 360
documentation, 359
EU guidelines, 362
finding evidence in browser and system logs, 364-366
handling suspect drive, 355-356
Locard’s principle of transference, 363
network, 382
operating system utilities, 369-370
retrieving deleted files, 366-369
securing evidence, 359
SWGDE (Scientific Working Group on Digital Evidence), 362-363
U.S. Secret Service guidelines, 361-362
Forensic Toolkit (FTK), 363
ForwardedEvents log (Windows), 365
fraud
phishing, 65
protecting against, 73
investment offers
Nigerian advance-fee scam, 59
protecting against, 72
laws against, 72
frequency analysis, cryptanalysis, 212
frequency, cyber stalking, 69
F-Secure website, 21
FTK (Forensic Toolkit), 363
FTP (File Transfer Protocol), 33
full backup, 267
Gameover ZeuS virus, 111
GCFE (GIAC Certified Forensic Examiner), 381
General Motors, industrial espionage, 166
GIAC (Global Information Assurance Certification), 300
global deduction, cryptography, 212
Global System for Mobile Communications (GSM), 376
GM (General Motors), industrial espionage, 166
Gonzalez, Amy, 68
guidelines, security policies, 264
hackers, 338
Certified Ethical Hacker certification, 300
hacktivists, 323
Jack, Barnaby, 14
Mitnick, Kevin, 8
slang, 15
hacking
cross-site scripting, 146
ethical, 16
industrial espionage, 160-162
Bloomberg, Inc., 167
FBAR technology, 165
General Motors, 166
Houston Astros, 165
Industrial Espionage Act, 175
Interactive Television Technologies, Inc., 167
phone taps and bugs, 172
spyware, 171
steganography, 171
VIA Technology, 166
malware, 148
login as system, 150
pass the hash, 149
password cracking, 148
reconnaissance phase
social engineering, 8
war-driving, 8
white hat, 136
hacktivists, 323
half-open scans (SYN), 140
harassment, 67
hardening computer systems, 286
hash values, 93
headers, packets, 40
Hebert’s cryptography website, 187
heuristic scanning, virus scanners, 222
HIPAA (Health Insurance Portability and Accountability Act), 269
history, passwords, 283
hives, Windows Registry, 371-372
hosts, 41
Houston Astros, industrial espionage, 165
HTML (Hypertext Markup Language), 42
HTTP (Hypertext Transfer Protocol), 33, 42
HTTPS (Hypertext Transfer Protocol Secure), 33
hubs, networks, 31
Hutchinson, Shawn Michael, 67
hypervisors, cloud, 384
ICCID (integrated circuit card identifier), 375
ICMP (Internet Control Message Protocol), 33
packets, 94
blocking, 99
iDEN (Integrated Digital Enhanced Network), 376-377
identifying threats, 6
identity theft, 63-64, 79, 338
laws against, 72
phishing, 65
protecting against, 73
IDS (intrusion detection system), 17, 229, 281-282
active, 230
activities, 231
alerts, 231
analyzers, 230
DAM (database activity monitoring), 235
data sources, 231
events, 231
honey pots, 235
intrusion identification, 230
managers, 230
notification, 231
operators, 230
passive, 229
sensors, 230
IETF (Internet Engineering Task Force), 42
IKE (Internet key exchange), IPsec, 243
IMEI (International Mobile Equipment Identity), 375
Imitation Game, The, 192
IMSI (international mobile subscriber identity), 375
incremental backups, 267
industrial espionage, 160-162
Bloomberg, Inc., 167
FBAR technology, 165
General Motors, 166
Houston Astros, 165
Industrial Espionage Act, 175
Interactive Television Technologies, Inc., 167
phone taps and bugs, 172
spyware, 171
steganography, 171
VIA Technology, 166
Industrial Espionage Act of 1996, 175
Infobel, 341
Information Assurance in Small Organization workbook (CERT), 163-165
information deduction, cryptography, 212
Information Systems Security Architecture Professional (ISSAP), 300
Information Systems Security Engineering Professional (ISSEP), 300
Information Systems Security Management Professional (ISSMP), 300
installing software, security policies, 255
instance deduction, cryptography, 212
instant messaging, security policies, 255-256
integrated circuit card identifier (ICCID), 375
Integrated Digital Enhanced Network (iDEN), 376-377
intensity, cyber stalking, 70
Interactive Television Technologies, Inc., industrial espionage, 167
International Mobile Equipment Identity (IMEI), 375
Internet
connection speeds, 32
cryptography, 213
establishment of, 41
expansion, 3
ISPs (Internet service providers), 34
Internet Control Message Protocol (ICMP). See ICMP (Internet Control Message Protocol)
Internet Engineering Task Force (IETF), 42
Internet Explorer, secure settings, 74-78
Internet fraud. See fraud
Internet key exchange (IKE), IPsec, 243
Internet Relay Chat (IRC), 33
Internet Security Association and Key Management Protocol (ISAKMP), 243
Internet service providers (ISPs), 34
intrusion detection system (IDS). See IDS (intrusion detection system)
intrusion deterrence, 236
investment offers, fraudulent, 59-61, 72
iOS computer forensics, 377
IP addresses
CIDR (classless interdomain routing), 37-39
loopback addresses, 36
NAT (network address translation), 37
packets, 40
private, 36
public, 37
subnetting, 37
URLs (uniform resource locators), 39-40
ipconfig command, 43
IRA (Irish Republican Army), 319
IRC (Internet Relay Chat), 33
Irish Republican Army (IRA), 319
ISAKMP (Internet Security Association and Key Management Protocol), 243
ISPs (Internet service providers), 34
ISSAP (Information Systems Security Architecture Professional), 300
ISSEP (Information Systems Security Engineering Professional), 300
ISSMP (Information Systems Security Management Professional), 300
issuer, X.509 certificates, 239
Jack, Barnaby, 14
Johnson, Jeffery, 14
Kane, Heather, 68
Kaspersky antivirus software, 116, 224
KDC (key distribution center), Kerberos, 238
Kerckhoffs, Auguste, 206
Kerckhoffs's principle, 206
key distribution center (KDC), Kerberos, 238
key loggers, 7
key schedules, 195
key space, 188
keyed cryptographic hash function, 209
keys, encryption, 193
Knight, Scott, 68
known plaintext attacks, 212
Koblitz, Neal, 205
L2TP (Layer 2 Tunneling Protocol), 243
land attacks, 97
Lauffenburger, Michael, 125
laws against fraud, 72
Layer 2 Tunneling Protocol (L2TP), 243
layered security approach, 18
LEAP (Lightweight Extensible Authentication Protocol), 237
letter frequency distribution, 188
Lightweight Extensible Authentication Protocol (LEAP), 237
LinkedIn, background checks, 340
Linux logs, finding evidence in, 366
listing USB devices, 373
live machines, conducting forensics, 358-359
local deduction, cryptography, 212
Locard, Edmond, 363
Locard’s principle of transference, 363
logical network perimeter, cloud, 384
login as system attacks, 150
logs
firewalls, 228
routers, 291
system, finding evidence in, 365-366
LOIC (low orbit ion cannon), 8, 89
Long Term Evolution (LTE), 376
loopback addresses, 36
Lopez, Inaki, 166
Low Earth Orbit Ion Cannon tool, 16
low orbit ion cannon (LOIC), 8, 89
low-tech industrial espionage, 168-171
LsaLogonUser, 149
LTE (Long Term Evolution), 376
Luhnow, Jeff, 165
MAC (Message Authentication Code), 208-209
MacDefender virus, 112
macro viruses, 110
Makwana, Rajendrasinh, 126
malicious web-based code, 125
malware
advanced persistent threats (APTs), 126
BlackEnergy, 315
buffer-overflow attacks, 119-121
cyber warfare, 313
FinFisher, 314
Flame, 314
login as system, 150
malicious web-based code, 125
NSA ANT Catalog, 315
pass the hash, 149
rootkits, 124
spam, 126
spyware, 7
detection and elimination, 127-129
industrial espionage, 171
legal uses, 121
target delivery, 122
StopGeorgia.ru, 314
viruses, 6
armored, 110
Bagle, 114
CryptoLocker, 111
CryptoWall, 112
detection and elimination, 127-129
FakeAV, 112
Flame, 115
Gameover ZeuS, 111
MacDefender, 112
macro, 110
memory-resident, 110
Mimail, 114
Morris worm, 115
multi-partite, 110
MyDoom, 116
polymorphic, 111
Rombertik, 111
sparse infector, 110
Troj/Invo-Zip, 112
virus scanners, 116
W32/Netsky-P, 112
Malwarebytes antivirus software, 224
managers, IDS, 230
Matusiewicz, David, 68
Matusiewicz, Lenore, 68
maximum tolerable downtime (MTD), 267
MBSA (Microsoft Baseline Security Analyzer), 291-293
McAfee
antivirus software, 224
Personal Firewall, 281
virus scanner, 116
MCITP (Microsoft Certified Information Technology Professional), 299
MD5 hash algorithm, 208
mean time to repair (MTTR), 267
Medico, Joseph, 67
memory-resident viruses, 110
Message Authentication Code (MAC), 208-209
micro blocks, TCP SYN flood attack, 92
microdots, 211
Microsoft Baseline Security Analyzer (MBSA), 291-293
Microsoft Outlook viruses, 109
Microsoft Security Advisor website, 21
military operations attacks, 317-318
Miller, Victor, 205
Mimail virus, 114
Mitnick, Kevin, 8
MixColumns step (AES), 198
mobile malicious code, 125
mono-alphabet substitution method, 188
Morris, Robert Tappan, 11, 115
Mosaic browser, 42
MS Exchange templates, 285
MTD (maximum tolerable downtime), 267
MTTR (mean time to repair), 267
multi-alphabet substitution, 189-190
multi-partite viruses, 110
Murphy, Robert James, 66
MyDoom attacks, 97-99, 116, 311
NAPs (network access points), 34
National Center for State Courts, 345
National Security Agency (NSA). See NSA (National Security Agency)
NAT (network address translation), 37
Nessus vulnerability scanner, 293-298
net sessions command, 369
NetBIOS, 33
netcat command, 356
network access points (NAPs), 34
network address translation (NAT), 37
network administrators, background checks, 339
network host-based firewalls, 226
network interface cards (NICs), 29
Network News Transfer Protocol (NNTP), 33
network utilities, 42
ipconfig, 43
netstat, 46
nslookup, 47
ping, 45
networks, 29
backbones, 34
cellular, computer forensics, 376-377
classes, 35
DMZ (demilitarized zone), 289-290
forensics, 382
Internet connection speeds, 32
NAPs (network access points), 34
OSI (Open Systems Interconnection) model, 48-49
system security, 277, 285, 289-291
hardening systems, 286
individual workstation, 285-287
probing, 284
technologically secured, 250
VPNs (virtual private networks), 242-244
new employees, system administration policies, 258
New Hacker’s Dictionary, 16
NICs (network interface cards), 29
Nigerian advance-fee scam, 59
NIST 800-115 security assessments, 151
NNTP (Network News Transfer Protocol), 33
nodes, 41
nondisclosure and noncompete agreements, 162
Norton antivirus software, 6, 116, 127-128, 224
Norton Personal Firewall, 281
notification, IDS, 231
NSA (National Security Agency), 285
information assessment methodology, 151-152
NSA ANT Catalog, 315
nslookup command, 47
Offensive Security, 300
penetration testing certifications, 136
OMB Circular A-130, 20
on-demand virus scanners, 222
ongoing virus scanners, 222
Onion Router, The (TOR), 330-331
online security resources, 21
openfiles command, 369
operating system utilities, computer forensics, 369-370
Operation Ababil, 325
operators, IDS, 230
OphCrack password cracker, 147-148
OR operation, 192
Oracle VirtualBox, 383
OSForensics tool, 364
OSI (Open Systems Interconnection) model, 48-49
Outlook viruses, 109
Oxley, Michael, 269
Oxygen tool, 364
packets, 40
filtering and inspection, firewalls, 225
headers, 40
ICMP, 94
blocking, 99
Pakistan Cyber Army, 312
PAP (Password Authentication Protocol), 236
pass the hash attacks, 149
passive IDS, 229
passive scanning techniques, hacking, 137-138
Password Authentication Protocol (PAP), 236
passwords
age, 283
history, 283
patches, checking for, 277-278
payload, steganography, 210
Payment Card Industry Data Security Standard (PCI DSS), 269
Payment Card Industry (PCI) penetration testing standard, 152-153
PCI (Payment Card Industry) penetration testing standard, 152-153
PCI DSS (Payment Card Industry Data Security Standard), 269
PEAP (Protected Extensible Authentication Protocol), 237
penetration testers, 16
penetration testing, 136
NIST 800-115, 151
NSA information assessment methodology, 151-152
Professional Penetration Tester, 300
perimeter security approach, 18
PGP (Pretty Good Privacy)
certificates, 239
phishing, 65
phone taps, industrial espionage, 172
physical connections, local networks, 29-31
ping of death (PoD), 96
ping scans (Nmap), 140
plain text, 193
planning phase (NIST 800-115 security assessment), 151
plug-ins, Nessus, 296
PoD (ping of death), 96
Point-to-Point Tunneling Protocol (PPTP), 242-243
Poitier, Sidney, 16
policies, security, 250-251, 282-284
checklists, 283
data classification, 265
developmental, 264
guidelines, 264
Nessus, 296
passwords, 283
procedures, 264
severity, 283
standards, 264
system administration, 258
DoS attacks, 262
new employees, 258
security breaches, 261
user, 251
BYOD (bring your own device), 256-257
desktop configuration, 256
installing/uninstalling software, 255
termination/expulsion, 257
polymorphic viruses, 111
POP3 (Post Office Protocol version 3), 33, 39
ports, 31
routers, 278
PPTP (Point-to-Point Tunneling Protocol), 242-243
Preneel, Bart, 208
Pretty Good Privacy (PGP) encryption, 205-206
prime numbers, 202
principal, Kerberos, 238
private information, data classification, 265
private IP addresses, 36
procedures, security policies, 264
professional help, system security, 298-301
Professional Penetration Tester certification, 136
Professional Penetration testers, 300
propaganda, 319
prospective employees, background checks, 338
civil court records, 344
respecting privacy, 342
sex offender registries, 342-344
state court records, 345
Protected Extensible Authentication Protocol (PEAP), 237
protocols, 33, 41. See also specific protocols
public information, data classification, 265
public IP addresses, 37
public key encryption, 201
digital signatures, 207
Elliptic Curve, 205
PGP (Pretty Good Privacy), 205-206
X.509 certificates, 239
pump and dump, online stock bulletins, 60
QuickStego, 171, 211
RA (registration authority), 240
Radio Free Europe, 320
RAID levels, 268
RAND Corporation cyber terrorism report, 328
ransomware, 111
RC4 stream cipher, 199
reconnaissance phase, hacking, 137
active scanning, 139
vulnerability assessment, 142
recovering deleted files, 366-369
recruiting, cyber terrorism, 330
Redford, Robert, 16
Rejewski, Marian, 191
related-key attacks, 213
relational databases, SQL script injection, 144-146
repeaters, networks, 31
reporting phase (NIST 800-115 security assessment), 151
reports (MBSA), 293
resources, online, 21
retrieving deleted files, 366-369
Richardson, Edward, 68
Rijmen, Vincent, 197
Rijndael block cipher, 197-200
RIPEMD, 208
Rivest, Ron, 199, 202, 208-209
RJ-11 jacks, 29
Rombertik virus, 111
rootkits, 124
router-based firewalls, 227
routers
hardening, 286
logging, 291
networks, 31
ports on, 278
TOR (The Onion Router), 330-331
Różycki, Jerzy, 191
RST cookies, TCP SYN flood attack, 93
Rubin, Andy, 378
Rutkowsky, Benjamin, 68
SAs (Security Associations), IPsec, 243
sandbox approach, virus scanners, 223
SANS Institute, 285
penetration testing certifications, 136
website, 21
Sarbanes-Oxley Act, 269
Sasser virus/buffer overflow, 120-121
S-boxes, 196
SCADA (Supervisory Control and Data Acquisition), 318
scams. See fraud
scareware, 112
Scherbius, Arthur, 191
Scientific Working Group on Digital Evidence (SWGDE), 362-363
screened host firewalls, 227
Sears, Nick, 378
Secure Sockets Layer (SSL), 240-242
security alerts, 116
Security Associations (SAs), IPsec, 243
Security log (Windows), 365
security policies, 250-251, 282-284
checklists, 283
data classification, 265
developmental, 264
guidelines, 264
password quality, 283
procedures, 264
severity, 283
standards, 264
system administration, 258
DoS attacks, 262
new employees, 258
security breaches, 261
user, 251
BYOD (bring your own device), 256-257
desktop configuration, 256
installing/uninstalling software, 255
termination/expulsion, 257
Security+ certifications, 5
sensors, IDS, 230
serial number, X.509 certificates, 239
Serpent block cipher, 199
server rooms, securing, 284
servers
errors, 39
hardening, 286
services, Windows, shutting down, 279-281
sex offender registries, 342-344
SHA (Secure Hash Algorithm), 208
Shamir, Adi, 202
Shannon, Claude, 206
ShiftRows step (AES), 198
shill bidding, auctions, 62-63
Shiva Password Authentication Protocol (SPAP), 236
signature algorithm identifier, X.509 certificates, 239
Silk Road, 332
SillyFDC worm, 312
SIM (subscriber identity module), 375
Simple Mail Transfer Protocol (SMTP), 33
single-key encryption, 194
AES (Advanced Encryption Standard), 197-200
DES (Data Encryption Standard), 194-196
triple DES, 197
Sinn Fein, 319
Skipjack block cipher, 200
Sleuth Kit tool, 364
SMTP (Simple Mail Transfer Protocol), 33, 39
Sneakers, 16
Snow tool, 211
Snowden, Edward, 12
software. See also malware
IDS (intrusion detection system), 229-235
security policies, 255
spam, 126
SPAP (Shiva Password Authentication Protocol), 236
sparse infector viruses, 110
specificity, cyber stalking, 69
Specter, 235
spying, industrial. See industrial espionage
spyware, 7
detection and elimination, 127-129
industrial espionage, 171
legal uses, 121
target delivery, 122
Troj/Invo-Zip, 112
TSPY_FAREIT.YOI, 112
SQL (Structured Query Language)
commands, 9
script injection, 9-10, 144-146
SSL (Secure Sockets Layer), 240-242
Stacheldraht tool, 91
stack tweaking, TCP SYN flood attack, 93-94
standards, security policies, 264
Stanford University cryptography history website, 187
state court record searches, 345
stateful packet inspection, firewalls, 225
Stealth Files 4, 211
steganography, 210
industrial espionage, 171
tools, 211
StegVideo, 211
stocks, pump and dump, 60
StopGeorgia.ru forum, 314
stream ciphers, 194
SubBytes step (AES), 198
subnetting, 37
subscriber identity module (SIM), 375
substitution alphabet, 188
Supervisory Control and Data Acquisition (SCADA), 318
SWGDE (Scientific Working Group on Digital Evidence), 362-363
switches, networks, 31
Symantec
cryptography, 185
viruses, 6
symmetric encryption, 194
AES (Advanced Encryption Standard), 197-198
Blowfish, 199
cipher-block chaining, 200
electronic codebook, 200
math, 199
RC4, 199
Serpent, 199
Skipjack, 200
DES (Data Encryption Standard), 194-196
triple DES, 197
SYN (SYNchronize) bits, 41
SYN cookies, TCP SYN flood attack, 92-93
SYN scans (Nmap), 140
system administration policies, 258
DoS attacks, 262
new employees, 258
security breaches, 261
System log (Windows), 365
system logs, finding evidence in, 365-366
system security, 277, 285, 289-291
hardening systems, 286
individual workstation, 285-287
probing, 284
teardrop attacks, 96
technologically secured networks, 250
Telnet, 33
Terminate and Stay Resident (TSR) program, 221
terminators, 29
terrorism. See cyber terrorism
testing, penetration, 136, 151-153
TFN (Tribal Flood Network), 90-91
TFTP (Trivial File Transfer Protocol), 33
threats. See attacks
ticket-granting server (TGS), Kerberos, 238
TLS (Transport Layer Security), 240-242
EAP (Extensible Authentication Protocol), 237
Tomlinson, Ray, 41
TOR (The Onion Router), 330-331
total breaks, cryptography, 212
traceroute command, 39
Transport Layer Security (TLS). See TLS (Transport Layer Security)
triple DES, 197
Trivial File Transfer Protocol (TFTP), 33
Trojan horses, 7
Back Orifice, 117
eLiTeWrap, 118
EliteWrapper, 117
MyDoom, 116
Troj/Invo-Zip, 112
TrueCrypt, 173
TGS (ticket-granting server), Kerberos, 238
TSPY_FAREIT.YOI spyware, 112
TSR (Terminate and Stay Resident) program, 221
Turing, Alan, 192
UDP flood attacks, 96
Ugray, Zolt, 14
Ulbricht, Ross, 332
UMTS (Universal Mobile Telecommunications System), 376
uniform resource locators (URLs), 39-40
uninstalling software, security policies, 255
unique name of issuer, X.509 certificates, 239
Universal Mobile Telecommunications System (UMTS), 376
UNIX operating system, 42
unshielded twisted-pair (UTP) cable, 30
URLs (uniform resource locators), 39-40
USB devices, listing, 373
user security policies, 251
BYOD (bring your own device), 256-257
desktop configuration, 256
installing/uninstalling software, 255
termination/expulsion, 257
U.S. Secret Service guidelines, computer forensics, 361-362
UTP (unshielded twisted-pair) cable, 30
validity period, X.509 certificates, 239
VIA Technology, industrial espionage, 166
Vigenère cipher, 190
VirtualBox (Oracle), 383
Virtual PC, 383
virtual private networks (VPNs). See VPNs (virtual private networks)
virtual servers, 384
virtualization, forensics, 382-384
virulence, 113
virus scanners, 116, 127, 221-224, 250
viruses, 6
armored, 110
Bagle, 114
BlackEnergy, 315
CryptoLocker, 111
CryptoWall, 112
detection and elimination, 127-129
FakeAV, 112
Gameover ZeuS, 111
MacDefender, 112
macro, 110
memory-resident, 110
Mimail, 114
Morris worm, 115
multi-partite, 110
polymorphic, 111
Rombertik, 111
sparse infector, 110
system administration policies, 261-262
Troj/Invo-Zip, 112
versus worms, 117
virus scanners, 116
W32/Netsky-P, 112
VMware Workstation, 383
VPNs (virtual private networks), 242
L2TP (Layer 2 Tunneling Protocol), 243
PPTP (Point-to-Point Tunneling Protocol), 242-243
vulnerability assessments, 142
W32/Netsky-P virus, 112
war-driving, 8
weapons, cyber warfare, 313
BlackEnergy, 315
FinFisher, 314
Flame, 314
NSA ANT Catalog, 315
StopGeorgia.ru, 314
web-based mobile code, 125
WEP (Wired Equivalent Privacy), 244
white hat hacking, 136
whois command, 33
Wi-Fi Protected Access (WPA), 244
Wi-Fi Protected Access 2 (WPA2), 244
Wi-Fi security, 244
Wi-Fi sniffing, 8
Williamson, Malcolm J., 205
Windows
computer forensics, 378
finding evidence in logs, 365
shutting down services, 279-281
Windows Security templates, 285
Wired Equivalent Privacy (WEP), 244
wireless communication, 29
workstations, securing, 284-287
World Wide Web, 42
worms
Agent.btz, 311
Morris, 115
SillyFDC, 312
Troj/Invo-Zip, 112
versus viruses, 117
W32/Netsky-P, 112
WPA (Wi-Fi Protected Access), 244
WPA2 (Wi-Fi Protected Access 2), 244
X.509 digital certificates, 239-240
Yahoo!
news boards, information control, 321
People Search, 340
Zezev, Oleg, 167
Zhang, Hao, 165
Zimmermann, Phil, 205
Zone Labs firewalls, 227
zone transfers, DNS, 50
ZoneAlarm Security Suite, 227
Zygalski, Henryk, 191