Index

Note: Page numbers followed by “f”, “t” and “b” refers to figures, tables and boxes, respectively.

A

Abelian group, 42
Abstract Syntax Notation (aka ASN.1), 91–92
Access control subsystem, 126
Access controls, 269
authentication systems, 273b, 275–278
Challenge-Handshake Authentication Protocol (CHAP), 276–277
discretionary access control (DAC), 269
Kerberos, 276–277
logical access controls tools, 273
mandatory access control (MAC), 270–271
physical access control, 273–275
role-based access control (RBAC), 271–272
wireless security access controls, 277–278
Adaptation, 164–165
Additive cipher, 37
Address Resolution Protocol (ARP), 257–258
Advanced data encryption, 325
mathematical concepts, 325–332
cyclic group, 328–329
Discrete Logarithm, 326–328
Fermat’s Little Theorem, 325–326
Primitive Roots, 326–327
RSA cryptosystem, 333–342
Discrete Logarithm Problem (DLP), 336
Factorization Attack, 334–335
Key Generation, 339–340
Lattice-based Cryptography, 336
NTRU Cryptosystem, 337–338
NTRU Decryption, 340–341
NTRU Encryption, 340
NTRU Parameters and Keys, 339
Truncated Polynomial Rings, 338
Advanced Encryption Standard (AES), 41, 304–305
Advanced Encryption System, 316
Aggregation switches (AggS), 5–7
Agreement replicas, 15
Algebraic structure, data encryption, 42–48
Algorithms, 248, 304–305
Alphanumeric symbols, 32
Application security, 242–243
ASN.1 Object Identifier (OID), 95
Assessments and audits, 281, 290b
penetration testing and vulnerability assessments, 281–287
OVAL, 285, 286
port scanning and password cracking, 283–285
quantitative risk measurements, 287–290
auditing and logging, 288–289
baseline, establishing, 288
policy settings, reviewing, 289–290
Asymmetric encryption, 56
Attacks and countermeasures, 259–264
network firewall, 259–261
proxies, 261–264
Audit trail creation, 288
Auditing and logging, 288–289
Authentication, 165, 166–167
Authentication systems, 273b, 275–278
Authority key identifier, 93
Azapo case, 228

B

Backbone networks, 248, 248
Basic Interoperable Scrambling System (BISS), 315
Basson case, 228
Biometrics, 126
adaptation, 164–165
architecture, 155–165
data capture, 155–157
data storage subsystem, 160
decision subsystem, 160–164
matching subsystem, 159
signal processing subsystem, 155, 155, 158–159
current ISO/IEC standards for, 154t
defined, 151
designing of, 153
main operations of
authentication, 165, 166–167
enrollment, 165–166
identification, 167–168
relevant standards, 153–154
security considerations, 168–174
birthday attacks, 171–172
comparison of selected biometric technologies, 172–174
Doddington’s Zoo, 170–171
error rates, 169–170
storage of templates, 174
Birthday attacks, 171–172
Black box testing, 281–282
BlackBerry, 29
Block ciphers, 304–305
Boneh, D., 103
Bridge CA, 90–91
and revocation modeling, 104
Bring your own device (BYOD), 235–236
Bushfire, 114–115
Business impact assessment, 139–146
business-critical activities, 139–140
configuration and acquisition, 142–143
disaster recovery site, establishing, 142
equipment, 146
in-house versus third party, 143–145
IT support from technical staff, 140
recovery solutions, 140–142
Business process execution language (BPEL), 20–21
Business-critical activities, 139–140
Byzantine Agreement, 14
Byzantine faults, 7

C

California Office of Information Security and Privacy Protection (OISPP), 194
Callas, Jon, 102
Caller ID spoofing, 254
Cardholder unique identifier (CHUID), 126
Certificate
PGP, 98–99
delta CRL, 87, 104
OCSP, 87–88
validation, 83–85
X.509 V1 format, 92
X.509 V2 format, 92
X.509 V3 format, 92–93
Certificate authorities (CA), 80
Certificate Practice Statement (CPS), 95
Certificate Revocation List (CRL), 85, 104
data fields in, 86t
delta, 87, 104
format of revocation record in, 86t
Challenge-Handshake Authentication Protocol (CHAP), 276–277
Chassis switch, 249–250, 249f
Checks parameter, 88
Chemical, radiological, and biological hazards, 115–116
Chosen-ciphertext attack, 62b
Cipher block chaining (CBC), 56
Cipher feedback (CFB), 55
Cipher text, 247
Classical cryptography, 32–38
Cloud computing, 1
architecture of, 3f
fault model, 2–7
architecture, 3
network, failure behavior of, 5–7
servers, failure behavior of, 4–5
fault tolerance, 7–9
against byzantine failures in, 14–17
Byzantine faults, 7
against crash failures in, 12–14
Crash faults, 7
different levels of, 10–11
as service in cloud computing, 17–24
fault tolerance and resilience in, 1
Common vulnerabilities and exposures (CVE), 286–287, 287
Communication security goals, 247–259
ARP poisoning, 257–258
denial of service, 255–256
distributed denial of service, 256–257
DNS poisoning, 258–259
intercepting traffic, 254–255
network design and components, 247–248
packet capturing, 255
ports and protocols, 250–253
spoofing, 253–254
switching and routing, 248–250
threats, 253
Computer Emergency Response Team (CERT), 319–320
Confidentiality
integrity, and availability (CIA) model, 299–304
Congruence, 34
defined, 36–37
Connect scan, 284
Convergence example, 128f
Corporate or facilities security, 109
Counter (CTR) modes, 55
Crash faults, 7
Creech Air Force Base
malware attack, 311–312
CRLSign, 94
Crossover error rate (CER), 164
Cryptanalysis of RSA
discrete logarithm problem, 61–63
factorization attack, 61
Cryptographic algorithms, PKI
digital signatures, 76
public key encryption, 75–77
Cryptographic hash function, 67–68
Cryptographic keys, 126
Cryptographic protocols
authentication, 30
confidentiality, 30
integrity, 30
nonrepudiation, 30
Cryptography, 29, 30, 247, 295
classical, 32–38
congruence, 34
congruence relation defined, 36–37
Euclidean algorithm, 32
fundamental theorem of arithmetic, 35
inverses, 34–35
modular arithmetic, 33
residue class, 34
substitution cipher, 37–38
transposition cipher, 38
confidentiality, integrity, and availability (CIA) model, 299–304
encryption, assuring privacy with, 295–305
mathematical prelude to, 30–32
complexity, 31–32
functions, 31
mapping, 31
probability, 31
physical versus logical security, 297–299
standards and protocols, 304–305
Cyber security, improving, 316–320
Cyber warfare (CW), 205
defensive strategies, 220–222
definition of, 207–208
holistic view of, 229–230
legal aspects of, 222–229
liability under international law, 223–225
terrorism and sovereignty, 222–223
model, 206
myth or reality, 208–212
offensive strategies, 215–220
psychological weapons, 215–216
technical weapons, 216–220
perspectives of, 206f
preparation for, 213–215
reconnaissance, 214
research, 213–214
vulnerability enumeration, 214–215
Cyclic group, defined, 43

D

Data encryption
See also Encryption
algebraic structure, 42–48
cryptography, 29, 30
classical, 32–38
mathematical prelude to, 30–32
mathematical concepts, 325–332
Discrete Logarithm, 326–328
Fermat’s Little Theorem, 325–326
modern symmetric ciphers, 38–41
Data storage subsystem, 160
DataEncipherment, 94
DecipherOnly, 94
Decision subsystem, 160–164
Decryption, 29
Defense Information Systems Network (DISN) Satellite Transmission Services Global (DSTS-G), 316–317
Delegated Path Discovery (DPD), 88
Delegated Path Validation (DPV), 88
Denial-of-service (DoS) attack, 255–256
Department of Homeland Security (DHS)
subcomponents, 192
Determined Encoding Rules (DER), 91–92
Differentiating security threats, 233–235
considering a holistic view, 234
controlling notifications and alerts, 234
corroborating remediation events, 235
integrating thresholds and procedures, 235
slashing false positives, 234–235
Diffie-Hellman algorithm
problem, 63–64
Diffusion, 39
DigiCipher 2 (DCII), 316
Digital signature, 76
for message authentication, 68
Direct broadcast satellites (DBS), 315–316, 316
Disaster recovery (DR), 135
business impact assessment (BIA), 139–146
business-critical activities, 139–140
configuration and acquisition, 142–143
designing recovery solutions, 140–142
disaster recovery site, establishing, 142
equipment, 146
in-house versus third party, 143–145
IT support from technical staff, 140
measuring risk and avoiding disaster, 135–138
enterprise, assessing risk in, 136–137
risk process, steps in, 137–138
threat, matching response to, 138
Discrete exponentiation, 62, 335
Discrete logarithm, 61–63, 326–328
primitive roots, 326–327
Discrete Logarithm Problem, 336
Discretionary access control (DAC) model, 269
DoD Information Assurance Certification and Accreditation Process (DIACAP), 316–317
Doddington’s Zoo, 170–171
Domain Name Service (DNS), 252
poisoning, 258–259
Dust, 116

E

E-Government Act of 2002 (PL 107–347), 188–189
Electricity Sector Information Sharing and Analysis Center (ESISAC), 194, 201
Electromagnetic interference (EMI) as threat, 117
Electronic Code Book (ECB), 55
Electronic Communications and Transactions (ECT) Act, 229
Electronic Document Interchange (EDI), 94
Elliptic curve
cryptosystems, 64–66
Diffie-Hellman algorithm, 63–64
security, 66
Email
spoofing, 254
EncipherOnly, 94
Encryption, 284–285
assuring privacy with, 295–305
Enhanced Border Security and Visa Entry Reform Act of 2002 (PL 107-173), 183
Enrollment, 165–166
Enterprise Risk Management (ERM), 136
Environmental conditions and data capture subsystem, 155, 155–156
Environmental threats to physical security prevention and mitigation measures
fire and smoke, 118–119
inappropriate temperature and humidity, 114
other environmental threats, 119
water damage, 119
Environmental threats to service of information systems and data
chemical, radiological, and biological hazards, 115–116
dust, 116
fire and smoke, 114–115
inappropriate temperature and humidity, 114
infestation, 116
water damage, 115
Equal error rate (EER), 164
Error rates, 169–170
eth roots problem, 63b
Euclidean algorithm, 32
Examination, defined, 290
Execution replicas, 15
Extended Key Usage, in SCVP, 88

F

Factorization attack, 61–63, 334–335
Failure to enroll rate (FER), 166
False acceptance, 161–162
False match, 161–162
False nonmatch rate (FNMR), 161, 163–164
False rejection, 161
Fault logging and analysis, 288
Fault tolerance, 7–9
against byzantine failures in, 14–17
byzantine faults, 7
against crash failures in, 12–14
crash faults, 7
different levels of, 10–11
as service in cloud computing, 17–24
Fault Tolerance Manager (FTM), 20–21
Feistel cipher, 41
Fermat’s Little theorem, 57–58, 325–326
Field, defined, 44
File transfer spoofing, 254
FIN Stealth scan, 284
Finite fields, 44–45
Finite groups, defined, 42
FIPS, 126
system model, 127f
Fire damage, 114–115
Firewalls
security controls and, 241–242
Forristal, J., 129
Foundations of security, 233–241
differentiating security threats, 233–235
considering a holistic view, 234
controlling notifications and alerts, 234
corroborating remediation events, 235
integrating thresholds and procedures, 235
slashing false positives, 234–235
hardware and peripheral security, 235–238
patch management and policies, 238–241
Fraggle, 255
Franklin, M., 103
Fujita Tornado Intensity Scale, 112t
Fundamental theorem of arithmetic, 35

G

Galois field, 45
finite field, 47
with generator element, 46
General packet radio service (GPRS), 312–313
Gnu Privacy Guard (GPG), 98–99
Governor’s Office of Homeland Security (OHS), 193–194
Graphic processing units (GPUs), 284–285
Gray box testing, 281–282
Ground-based threat, 314–315
Group, defined, 42
Gutmann, Peter, 102

H

Hacks, interference, and jamming, 310–320
Hardening
and minimization, 243–244
Hardware
and peripheral security, 235–238
Hash Functions, 300
Hierarchical Identity-Based Encryption (HIBE), 103
High-density infrastructure, 140
Hijacking, 253
Homeland security, 179
E-Government Act of 2002 (PL 107–347), 188–189
Enhanced Border Security and Visa Entry Reform Act of 2002 (PL 107-173), 183
Homeland Security Act of 2002 (PL 107-296), 185–187
Homeland Security Presidential Directives (HSPD), 190–191, 200–201
California Office of Information Security and Privacy Protection (OISPP), 194
Department of Homeland Security subcomponents, 192
Governor’s Office of Homeland Security (OHS), 193–194
private sector organizations for information sharing, 194–199
state and federal organizations, 193
Human-caused physical threats to physical security prevention and mitigation measures, 120
Human-caused threats to service of information systems and data
misuse, 117
theft, 117
unauthorized physical access, 117
vandalism, 117
Humidity, 114

I

Identification, 167–168
Identity-Based Encryption (IBE), 102
IETF RFC 2440, 98
Imagination and accurate ranking, 299b
Incident containment, 288
Infestation, 116
Infinite groups, defined, 42
Information
assets, 110
Information system hardware, 110
Information technology (IT), 135
Infrastructure, securing, 247
attacks and countermeasures, 259–264
network firewall, 259–261
proxies, 261–264
communication security goals, 247–259
ARP poisoning, 257–258
denial of service, 255–256
distributed denial of service, 256–257
DNS poisoning, 258–259
network design and components, 247–248
packet capturing, 255
ports and protocols, 250–253
spoofing, 253–254
switching and routing, 248–250
threats, 253
traffic interception, 254–255
security tasks checklist, 264–266, 264b
Infrastructure security, 109
Infrastructure-as-a-service (IaaS) layer, 3
InhibitPolicyMapping, 89
Intelsat satellite, 310
Interception hacking, 313–314
Interference-oriented threats, 314–315
IntermediateCerts, 89
International Telecommunications Union Telecommunications Standardization Sector (ITU-T), 79–80
Inverses, 34–35

J

Jet Propulsion Laboratory (JPL), 310–311
JTC 1/SC 37 technical committee, 153

K

Kaufman, C., 102
Kerberos, 276–277
KeyAgreement, 94
KeyCertSign, 94
KeyEncipherment, 94
KeyUsage, 85

L

Lagrange’s theorem, 58
Lampson, Butler, 97–98
Land, 256
Landsat-7, 310
Latent fingerprints, 168–169
Lattice-based Cryptography, 336
Law enforcement agencies and biometrics, 152–153
Liability under international law, for cyber warfare, 223–225
developing countries response, 228–229
individual liability, 224–225
remedies under international law, 225–228
international criminal court (ICC), 226–227
other remedies, 227–228
self-defense, 225–226
state responsibility, 223–224
Lightweight Directory Access Protocol (LDAP), 103–104
Logical access controls tools, 273
Logical security, 109, 297–299

M

MAC, See Message authentication code; Mandatory access control
Mandatory access control, 270–271
Matching subsystem, 159
Mathematical prelude, cryptography, 30–32
Mesh PKI, 90–91
Message
integrity, 32
Hash function in signing message, 68
Message authentication code, 68
Mobile Device Manager, 278
Mobile system, 110–111
Mobile Wireless VLAN, 277–278
Modern block ciphers
CBC, 56
ECB, 55
Modern encryption algorithms, 42
Modern symmetric ciphers, 38–41
Modular arithmetic, 33
Modular polynomial arithmetic, 45–46

N

National Commission on Terrorist Attacks Upon the United States (The 9/11 Commission), 195b
National Council of Information Sharing and Analysis Centers (ISAC), 317–318
National Electric Reliability Council, 194, 201
National Institute of Standards and Technology (NIST), 68
National Reconnaissance Office (NRO), 309
National Security Agency (NSA), 309
Natural disasters, 111–113
characteristics of, 112t
Network design and components, 247–248
Network firewall, 259–261
Network Mapper (NMAP), 283–284, 283f
Nonrepudiation, 30, 68, 94
Null scan, 284
Number theory, asymmetric-key encryption
cardinality of primes, 56–57
coprimes, 56
discrete logarithm, 58
Fermat’s little theorem, 57–58
primitive roots, 58–60

O

Office of Management and Budget (OMB) guidance, 304–305
Online Certificate Status Protocol (OCSP), 86, 87–88
Online documentation, 288
Open Vulnerability and Assessment Language (OVAL), 285, 286
OpenPGP, 99–100
Output feedback (OFB), 55
Overvoltage, effect on IS equipment, 116–117

P

Package management systems, 239
Packet capturing, 255
Password cracking, 283–285
Patch management and policies, 238–241, 239f, 240f
P-box, 40–41
Penetration testing and vulnerability assessments, 281–287
OVAL and CVE, 285–287
port scanning and password cracking, 283–285
Periodic audits, 302
Perlman, R., 102
Permutations, 38
Personal identification number (PIN), 126
Personnel and information systems, 110
PGP PKI systems, 99–100
Physical access control, 273–275
Physical and logical security, integration of, 123–129
Physical facility, 109
Physical security, 109, 129b, 298–299, 298f, 299
breaches, recovery from, 120–121
checklist, 129–130
policy, a corporate example, 123
Physical versus logical security, 297–299
Ping flood, 255
Ping/Smurfing, 255
PIV card, 126
issuance and management subsystem, 126
Platform-as-a-service (PaaS), 3
Platt, elements of IS security by, 109
Policy settings, reviewing, 289–290
Port scanning, 283–285
Portable systems, 110–111
Ports
and protocols, 250–253
PowerVu, 315
Premises security, 109
Pre-Shared Key (PSK), 278
Pretty Good Privacy (PGP), 79, 98
certificate formats, 98–99
Private Sector Organizations for Information Sharing, 194–199
Proactive protection of environment, 288
Product ciphers, 41
Protocol filtering, 259–260
Proxy servers, 261–264
Public Health Security, Bioterrorism Preparedness & Response Act of 2002 (PL 107-188), 184–185
Public Key Cryptography (PKC), 300, 303
Public key encryption, 76–77
Public Key Infrastructure (PKI), 303b
alternative key management models, 101
architecture, 101
Callas’s self-assembling, 102
cryptographic algorithms, 75–77
overview, 78–79
plug and play, 102
policy description, 96
standards organizations, 97–98
user-centric, 102
Public-key cryptography, 56–60
Purposeful Interference Response Team (PIRT), 319–320

Q

Quantitative risk measurements, 287–290
auditing and logging, 288–289
baseline, establishing, 288
policy settings, reviewing, 289–290
Quantum cryptography, 29
Quantum cryptology, 71
QueriedCerts, 88

R

Ranking, 299b
Real-time alert configuration, 287
Receiver operating characteristic (ROC), 163–164
Recovery point objective (RPO), 139
Recovery Time Objective (RTO), 139
Registration authority (RA), 81, 81–82
Research In Motion (RIM), 29
Residue class, 34
ResponseFlags, 89
RevInfos, 89
Rijndael algorithm, 42
in AES implementation
mathematical preliminaries, 48
state, 48–54
Rings
defined, 43–44
Risk
assessment, 136–137, 136f
measuring, 135–138
process, steps in, 137–138
Risk management, 287–290
auditing and logging, 288–289
baseline, establishing, 288
policy settings, reviewing, 289–290
Rivest, Ron, 97–98
Rivest, Shamir, and Adleman (RSA)
cryptosystem, 60b
Role-based access control (RBAC), 271–272
Routing, 248–250
RSA cryptosystem, 333–342
Discrete Logarithm Problem (DLP), 336
Factorization Attack, 334–335
Key Generation, 339–340
Lattice-based Cryptography, 336
NTRU Cryptosystem, 337–338
NTRU Decryption, 340–341
NTRU Encryption, 340
NTRU Parameters and Keys, 339
Truncated Polynomial Rings, 338
Inverses in, 338–339
RSA digital signature, 68–69
RSA Rivest, Shamir, and Adleman (RSA)

S

Saffir/Simpson Hurricane Scale, 113t
Salted hashes, 285
Satellite cyber attack search and destroy, 309
communicating with satellites, 315–316
hacks, interference, and jamming, 310–320
identifying threats, 314–315
improving cyber security, 316–320
Satellite Internet Protocol Security (SatIPSec), 317
S-boxes, 40
Secret Key Cryptography (SKC), 300
Secret keys, 247
Secure hash algorithm (SHA), 68
Secure Socket Layer (SSL), 80–81
Security tasks checklist, 264–266, 264b
Security-enhanced Linux (SELinux), 270
Server-based Certificate Validity Protocol (SCVP), 84
in X.509 certificates, 88–89, 89
Shamir, A., 102
Signal processing subsystem, 155, 155, 158–159
Simple distributed security infrastructure (SDSI), 97–98
Simple Network Management Protocol (SNMP), 252, 253
Simple public key infrastructure (SPKI), 79, 97–98
See also Public key infrastructure (PKI)
Single-key cryptography, See Symmetric-key cryptography
SkyGrabber, 312–313
Smart cards, 123–126
S/MIME standards
for secure email, 79
Smoke damage, 114–115
Space-based threats, 314–315
Spoofing, 253–254
Standards organizations, PKI
IETF OpenPGP, 98
IETF PKIX, 97
SDSI/SPKI, 97–98
State, in AES implementation
MixColumns transformation, 52, 52–53
round keys in reverse order, 54, 55t
S-box, 49–51
ShiftRows, 52
Subkey addition, 53–54
State and federal organizations, 193
SubByte transformation, 49t
Subgroup, defined, 43
Subject alternative name, 94
Subject key identifier, 93
Substitution cipher, 37–38
Supervisory Control and Data Acquisition (SCADA), 219–220
Supporting facilities to information systems, 110
Switching, 248–250
Symmetric-key cryptography, 300
SYN flooding attack, 255
SYN Stealth scan, 284
System security, 233
basic countermeasures, 241–244
application security, 242–243
hardening and minimization, 243–244
security controls and firewalls, 241–242
foundations of security, 233–241
differentiating security threats, 233–235
hardware and peripheral security, 235–238
patch management and policies, 238–241

T

TCP handshake process, 254
TCP/IP hijacking, 253
Teardrop, 256
Technical threats to service of information systems and data
electrical power, 116–117
electromagnetic interference (EMI), 117
Technical weapons, of cyber warfare, 216–220
control consoles, 220
deployment tools, 219
payloads, 219–220
vulnerability databases, 218–219
Temperature
inappropriate, 114
thresholds for damage to computing resources, 114
Template storage in biometric system, 174
Testing, defined, 290
The Aviation and Transportation Security Act of 2001 (PL 107-71), 179–182
Threat assessment, 121–122
planning and implementation, 122
Threats, 137b, 138
Threshold value, 160–161
Time nesting, 84–85
TLS/SSL protocols
for secure internet, 79
Top-of-rack switch (ToR), 5–7
Tracking telemetry and control (TT&C) links, 314
Traffic interception, 254–255
Transposition cipher, 38
Triple data encryption algorithm (TDEA) block cipher, 69–70
TrustAnchors parameters, 89
Tygar, Doug, 101

U

UDP scan, 284
Undervoltage, effect on IS equipment, 116
Unified threat management (UTM), 241
United States Cyber Command (USCYBERCOM), 207
USA PATRIOT Act of 2001 (PL 107-56), 179
USA PATRIOT Act Titles, 179b, 182f
UserPolicySet, 88–89

V

Validation authority (VA), 81, 82–83
ValidationPolicy parameter, 88–89
ValidationTime, 89
Very Small Aperture Terminals (VSATs), 310
Virtual machines, 1
Vulnerability assessment (VA), 281–287
Vulnerability(ies)
defined, 286–287

W

WantBack parameter, 88
Water damage, 115
Web of Trust (WoT), 98
Web spoofing, 254
White-box test, 281–282
Whitten, Alma, 101
Wildfires, 114–115
Wireless security access controls, 277–278
World Wide Web Consortium (W3C), 100

X

X.509 certificates, 126
X.509 model
bridge certification systems, 90–91
certificate format, 91–95
certificate model, 80–81
certificate policy extensions, 95
certificate revocation, 86–88
certificate validation, 83–85
history of, 79–80
implementation architectures, 81–83
modified architechture, 101–102
policy extensions, 95
SCVP, 88–89, 89
X.509 Revocation Protocols, 82–83
X.509 V3 extensions
authority key identifier, 93
key usages, 93
subject alternative name, 94
subject key identifier, 93
X.509 V1 format, 92
X.509 V2 format, 92
X.509 V3 format, 92–93
XML Key Information Service Specification (X-KISS), 100
XML Key Management Specification (XKMS), 100
XML Key Registration Service Specification (X-KRSS), 100

Z

Zimmermann, Philip, 98
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.15.235.188