INDEX

Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.

Numbers

802.1X authentication, 189, 205

A

AAA (authentication, authorization, and auditing) protocol, 72

abstract machine (or reference kernel), 102

abstraction, in object-oriented programming, 379

acceptance testing, 364

access control

     access control matrix, 47, 73–74

     answer key, 52

     audit log protection, 44, 64

     Brewer-Nash model of dynamic, 109

     capability lists, 45, 69

     centralized protocols for, 46, 71–72

     as delay countermeasure, 150, 168

     directory services, 41, 53

     federated identity, 43, 60–61

     identity management, 47, 74–75

     identity theft, 45, 68

     industrial control systems, 45, 65

     intrusion detection systems, 45, 66–67

     lattice-based, 112–113

     log file reporting, 51, 82

     memory manager responsibilities, 111

     models for, 118–119

     one-time passwords for, 49, 78–79

     overview of, 41

     password synchronization, 55

     phishing vs. pharming, 44, 61

     privacy-aware role-based, 41, 56–57

     questions, 41–51

     race conditions, 50, 79–80

     reference monitor, 119–120

     replay attacks and, 43, 59–60

     RFID vulnerability, 50

     rule-based IDS, 45, 67–68

     SAML, 42, 57–58

     separation of duties/job rotation, 46, 69–70

     side-channel attacks and, 41, 55–56

     single sign-on and, 48, 76–78

     SPML, 46, 71

     threat modeling, 51, 83

     transparency, 44, 62–63

     for user groups with different privileges, 21–22

     virtual directories, 42, 58–59

     WAM software, 41, 53–54

     web services with SAML, SOAP and HTTP, 50, 80–81

     XACML, 44, 63

access control lists (ACLs), 69, 73

access path, hierarchical databases, 364

access triple, Clark-Wilson access model, 100–101

account lock-out, for brute-force attacks, 416

account takeover identity theft, 68

accreditation process, C&A, 360

ACID test, OLTP and, 360–361

acoustical detection systems, 156

ad hoc WLANs, 207

address buses, 123

address space layout randomization (ASLR), 126

administration

     audit log protection, 64

     directory services and, 53

     guidelines for remote, 419, 425

     preventive controls, 38–39

     protective controls, 39

administrative (regulatory) law, 342

Advisory type of policy, 33

AES (Advanced Encryption Standard)

     as block cipher, 239

     encrypting bulk data with, 242

     in TKIP encryption process, 207

aggregation, 107

ALE (Annualized Loss Expectancy), 22, 38

analysis stage, incident response, 335

ANNs (artificial neural networks), 371

Annualized Rate of Occurrence (ARO), 38

annunciator system, CCTVs, 148

anomaly-based IDS, 67–68

antispam software, 18, 417

antivirus software, 18

ANZ 4360, 28

application binding, Clark-Wilson access model, 100–101

applications, accessing as subjects or objects, 69

approval process

     change control policy, 403

     configuration management change control, 392

architecture

     backup technologies, 422–423

     design vs., 124

     security. See security architecture and design

     stakeholder concerns, 24–26

ARO (Annualized Rate of Occurrence), 38

artificial neural networks (ANNs), 371

AS (autonomous system), 196, 197

ASLR (address space layout randomization), 126

assertions, SAML, 57, 58

assessment controls, 150, 167, 168

assets, 18, 20–21

assisted password reset, 55

asymmetric algorithms

     calculating number of required keys, 238

     elliptic curve cryptosystem and, 235–236

     not necessarily causing randomness, 257

     as public key cryptography, 234

     RSA, 239

     symmetric vs., 231–232

asynchronous tokens, 79

ATM (Asynchronous Transfer Mode), 208–209

atomicity, database software ACID test, 360

attack surface analysis, software development, 374

attributes, SAML assertions for, 58

audio evidence, 329

audit committee, 16

audit logs

     as detective controls, 169

     for physical access, 143–144

     protecting, 64

     scrubbing to cover tracks of intruder, 64–65

auditing, AAA protocol, 72

authentication

     802.1X, 189, 205

     AAA protocol, 72

     administrative activities requiring strong, 419

     data and voice network, 193

     digital signatures for, 240–241, 250–251

     EAP, 205

     mantraps for, 169

     one-time passwords for, 78–79

     at primary entrance doors, 157

     race conditions and, 79–80

     SAML assertions for, 57–58

authorization

     AAA protocol, 72

     enforcing integrity, 19

     of individuals at crime scene, 336

     at primary entrance doors, 157

     race conditions and, 79–80

     SAML assertions for, 57–58

auto-iris lenses, CCTVs, 146, 151

automatic locks, doorways, 142

autonomous objects, object-oriented programming, 377

autonomous system (AS), 196, 197

availability

     clustering for, 424

     compensating control and, 40

     information custodian verifying, 16

awareness training, 34–35

B

backdoors, 80, 427

backup

     architectures, 398, 422–423

     business continuity/disaster recovery, 280–281

     disaster recovery plan, 287

     electronic vaulting solution, 291

     installing uninfected version of patched file, 418

     in key management, 237

     via SANs, 410

bank walls, constructing, 146–147, 156

banners, fingerprinting countermeasures, 423

Basic Rate Interface (BRI) ISDN, 210

BCP committee, 293

BCP team, 290

behavior blocking, antivirus software, 376

behavior-based IDS, 66, 68

Bell-LaPadula model

     Biba model vs., 119

     enforcing confidentiality, 109

     read up and write down rules, 101

BGP (Border Gateway Protocol), 197

BIA (business impact analysis)

     continuity planning policy statement, 274

     developing BCP, 293

     as first step in disaster recovery, 279–280, 285–286

     identifying dependencies, 293–294

     identifying preventive controls, 274

     management support for BCP, 284

     overview of, 292–294

Biba model, 101, 119

binding

     hard disk drive with TPM, 255–256

     SAML specification for, 58

biometric readers, server room entry doors, 156–157

birthday attacks, 251, 255

blacklists, 202

blind SQL injection attack, 114

blind test, penetration testing, 411–412

bloated programming code, 128

block ciphers

     encryption and decryption process, 239

     modes used, 252–254

     stream ciphers and, 220, 240

Bluejacking, 191–192

board of directors, security governance, 28

Border Gateway Protocol (BGP), 197

boundary operators, ordered sets, 112–113

Brewer-Nash model, 109

BRI (Basic Rate Interface) ISDN, 210

bridge-mode virtual firewalls, 215–216

broadband transmission, satellite, 203

brownouts, 159, 170

browsing attacks, 125

brute-force attacks

     audit logs as, 169

     overview of, 415–416

     on passwords, 60–61

BS 7799 standard, 386

buffer overflow attacks

     C language susceptible to, 125

     illustration of, 381

     overview of, 114

     reducing, 412

bulk data, encrypting with AES, 242

business boundaries, federated identity across, 60

business case, for BCP, 284

business continuity coordinator, 275, 293

business continuity/disaster recovery

     answer key, 273

     backups, 280–281

     BCP committee, 262, 274

     benefits of, 264, 283–284

     business continuity planning, 264, 283–284

     business impact analysis. See BIA (business impact analysis)

     business interruption insurance, 271, 303–304

     continuity of operations plan, 263, 281–282

     damage assessment, 263, 281

     differential backup process, 263

     evaluating/ranking threats, 267, 293–294

     executive succession planning, 266, 291–292

     fault tolerance, 265, 287–288

     high availability, 270, 301–303

     hot, warm, cold sites, 268, 295–297

     ISO/IEC 27031 standard, 271, 303

     management support, 264, 284–285

     MTD. See MTD (Maximum Tolerable Downtime)

     outdated plans, 264, 282–283

     outlining basic functions/systems and, 265, 286–287

     overview of, 261

     questions, 262–272

     quick answer key, 273

     reciprocal agreements, 263, 278–279

     reconstitution phase, 265, 269, 288–289, 298–300

     RPO. See RPO (Recovery Point Objective)

     RTO. See RTO (Recovery Time Objective)

     software escrow, 266, 290–291

     tape vaulting, 268–269, 297

     teams, 274–275, 289–290

     what to move first into restored site, 285

     Work Recovery Time, 272, 305

business functions. See business continuity/disaster recovery

business impact analysis. See BIA (business impact analysis)

business interruption insurance, 291, 304

business resumption plan, BCP, 300

C

C&A (certification and accreditation) process, 360

CA (certificate authority)

     cross-certification, 250

     digitally signing certificate with private key, 232

     revoking certificates, 243–244

     and routing, 196

cable modems, 209–210

cache memory, 98, 122

calling tree (communication structure), 150

capability list, 69, 73

Capability Maturity Model Integration. See CMMI (Capability Maturity Model Integration)

capacitance detector (or proximity detector) IDS, 154–156

Carrier Sense Multiple Access with Collision Detection (CSMA/CD), 212

categories, physical security program design, 150–151

cathode ray tubes (CRTs), CCTVs, 147, 148

CBC (Cipher Block Chaining) Mode, block ciphers, 254

CCD (charge-coupled devices), CCTVs, 147

CCTVs (closed-circuit TVs)

     CCD chips in, 133

     field of view on zoom lens, 149–150

     lenses, 145–146

     manual iris vs. auto-iris, 151–152

centralized access control

     protocols, 70–71

     systems, 414

certificate authority. See CA (certificate authority)

certificate revocation list (CRL), 243–244, 250

certification and accreditation (C&A) process, 360

chain of custody, 328, 344

challenge/response scheme, asynchronous tokens, 79

change control, 392, 402–403

change log, 403

change management process, BCP integration with, 282–283

charge-coupled devices (CCD), CCTVs, 147

Chief Privacy Officer (CPO), 26

Chinese Wall model, 101, 118

Cipher Block Chaining (CBC) Mode, block ciphers, 254

circuits, increase in, 98

circumstantial evidence, 329

civil law

     within common law system, 342

     enforcing copyright law, 324

     examples of, 334

     overview of, 318

Clark-Wilson access model, 100–101, 109

classes of fire, 138

classification

     in business impact analysis, 275

     data. See data classification

     gate, 160–161

Cleanroom method, 369

clients

     filtering spam on, 186

     instant messaging, 204

client-server architecture, 187

clipping levels, reducing brute-force attacks, 416

closed head (wet pipe) sprinkler systems, 148–149

closed-circuit TVs. See CCTVs (closed-circuit TVs)

cloud computing

     choosing solution, 407–408

     service models, 214–215

clustering, 422–424

CMMI (Capability Maturity Model Integration)

     defined, 104

     levels of, 115–116

     overview of, 22–23

     process improvement approach, 36

     sequence of levels in, 22–26

     software development life cycle, 359

CobiT (Control Objectives for Information and related Technology), 2, 13

Code of Ethics for CISSP, 339–340

Code of Fair Information Practice, 324

codified civil law systems, 318

CoE (Council of Europe) Convention on Cybercrime, 341

cohesiveness, 353, 368–369

cold sites, 278–279, 296

collisions, 251, 255

combination locks, 156–157

combustible metal fires (Class D), 165

commit operations, 383

Committee of Sponsoring Organizations of the Treadway Commission (COSO), 13, 15

Common Criteria

     components of, 116–118

     global recognition and benefits of, 97

     protection profiles, 105

common law system, 318, 342–343

compensating control, 39, 40

computer crimes. See legal, regulations, investigations, and compliance

Computer Ethics Institute, 332, 339–340

computer forensics, 327, 328

Computer Fraud and Abuse Act, 322

“computer is incidental” crime, 316

computer-assisted crime, 316

concealment ciphers, 229, 248

conclusive evidence, 329

concrete walls/support beams, exterior bank walls, 146

concurrency controls, 348, 361–362, 388

confidentiality

     AES enforcing, 242

     Bell-LaPadula model enforcing, 109, 119

     compensating controls and, 40

     encrypting data with key for, 255

     encryption algorithms enforcing, 240–241

     inference attacks related to, 362

     integrity of data vs., 19

     memory manager responsibilities, 111

     noninterference model enforcing, 119

     one-time pad enforcing, 247

     securing database for user groups with different privileges, 21

     three-tiered architecture for Internet, 187

connected storage systems, SANs, 410–411

consistency, database software ACID test, 360

constrained interfaces, 74

construction materials

     exterior bank walls, 146–147

     types of, 164–165

contact information, Bluejacking, 191–192

containment stage, incident response, 335

contamination, forensics investigation, 336

continuity of operations plan (COOP), 282, 300

continuous lighting, 143

continuous monitoring, 414

Control Objectives for Information and related Technology (CobiT), 2, 13

controlled lighting, 143

controls

     administrative, technical and physical, 39

     defense in depth, 39

     separation of duties and job rotation, 70

     software development security, 372–373

     types of, 38–39

convergence, VoIP, 203

cookies, 100

COOP (continuity of operations plan), 282, 300

copyright law, 319, 324–325

COSO (Committee of Sponsoring Organizations of the Treadway Commission), 13, 15

cost

     determining asset value, 21

     of IDSs, 145, 157

     of preaction and dry pipe systems, 148

     in risk assessment, 18

     VoIP benefits, 202–203

Council of Europe (CoE) Convention on Cybercrime, 317, 341

Counter (CTR) Mode, block ciphers, 253

counter synchronous tokens, 78–79

countermeasures

     physical security program, 150–151, 158, 159

     port scanning/OS fingerprinting, 423–424

     remote administration, 425

coupling, software development security, 368–369

covert channel attacks

     description of, 382

     noninterference intended to prevent, 107

     requiring computer expertise, 416

CPO (Chief Privacy Officer), 26

CPTED (Crime Prevention Through Environmental Design), 153–154, 161–163

CPUs

     accessing via multitasking, 99

     cache memory and, 122

     containing registers, 123

     hardware and software interrupts, 122

credit cards, PCI Data Security Standard, 321–322

crime. See legal, regulations, investigations, and compliance

Crime Prevention Through Environmental Design (CPTED), 153–154, 161–163

crime rate

     evaluating site location, 155

     reducing through environmental design, 153–154

criminal law, 334, 342

CRL (certificate revocation list), 243–244, 250

cross-certification, PKI, 250

cross-sectional beams, 154

cross-site request forgery (CSRF) attack, 114

cross-site scripting (XSS), 194, 258, 374–375

CRTs (cathode ray tubes), CCTVs, 147, 148

cryptography

     AES, 221, 242

     answer key, 228

     for authentication, non-repudiation, and integrity, 220–221, 241–242

     CA in PKI environment, 218, 232–233

     calculating number of keys, 220, 238

     CRL and OCSP, 221, 243–244

     digital signatures, 240–241, 251–252

     elliptic curve cryptosystem, 219, 235–236

     end-to-end vs. link encryption, 221, 244–245

     Heartbleed SSL/TLS vulnerability, 227, 258

     initialization vectors, 227, 257–258

     Kerberos, 77

     Key Derivation Functions, 219, 234–235

     key management, 220, 237

     number generators, 227, 256–257

     one-time pad and stream ciphers, 220, 239

     one-time pad for confidentiality, 223, 247–248

     one-time pad, implementing, 236

     overview of, 217

     PPTP encryption, 219, 233

     public key cryptography/infrastructure, 219, 233–234

     public key infrastructure architectures, 224, 249–250

     questions, 218–227

     SA values in IPSec, 222, 245–246

     SESAME, 76–77

     SSL and TLS relationship, 218, 229–230

     SSL connection setup, 221, 242–243

     steganography, 218, 229, 230–231

     symmetric ciphers, block, 225–226, 252–254

     symmetric ciphers, block and stream, 220, 240

     symmetric key systems, 218, 231–232

     Trusted Platform Modules, 226, 254–255

     zero-knowledge proof, 226, 254

CSMA/CD (Carrier Sense Multiple Access with Collision Detection), 212

CSRF (cross-site request forgery) attack, 114

CTR (Counter) Mode, block ciphers, 253

customary law, 318

cybercrime. See legal, regulations, investigations, and compliance

cyber-incident response plan, 282

cybersquatting, 201

D

DAC (discretionary access control), 56–57, 77

damage assessment phase, BCP, 281, 289–290, 300

DASD (Direct Access Storage Device), 406, 421

data classification

     assigning, 3, 17

     criteria vs. levels, 29

     information owner responsibility for, 16

     program for, 29

     securing database for user groups with different privileges and, 21–22

data custodian, 27, 29

data dictionary, 384

data diddling, 334

data entities, relational databases, 364

data execution prevention (DEP), 126

data hiding, object-oriented programming, 379

data link layer (Layer 2 OSI model), 185, 232

data owner, 26, 27

data processing center, sprinkling system, 148–149

data protection, 16, 26

Data Protection Directive, EU, 342

data validation errors, 80

database

     securing for user groups with different privileges, 21

     views, 74, 363

data-gathering techniques, business impact analysis, 279

DCE (Distributed Computing Environment), 371

DCS (distributed control systems), 65–66

debugging

     with regression testing, 373

     virtual machines providing powerful, 108

defense in depth

     compensating control may help with, 40

     as delay countermeasure, 150, 168

deferred commitment, object-oriented programming, 377

Defined level, CMMI, 22–24, 116

degaussing, 404

delay countermeasures

     physical security program, 150

     strong locks, 168

     tools for, 167

deluge sprinkler systems, 149

Denial of Service (DoS) attacks, 100, 334

DEP (data execution prevention), 126

Department of Defense Architecture Framework (DoDAF), 104

dependency identification, BIA, 293–294

deployment teams, incident response, 344

depth of field, 145–146, 149

deputy roles, executive succession planning, 292

descriptive elements, Common Criteria protection profiles, 105

design

     architecture vs., 124

     physical security program, 158–159

detective controls

     delay countermeasures vs., 168

     external/internal intruder sensors, 150

     intrusion detection systems as, 39

     overview of, 167

     security policies not effective as, 415

deterrence countermeasures, 150, 167–168

DevID (per-device identifiers), IEEE 802.1AR, 213–214

DHS (U.S. Department of Homeland Security), 387

dial-up connections, VPN tunneling protocols, 190

Diameter protocol, 72

dictionary attacks, 60, 416

differential backup process, 280–281

differential power analysis (DPA), 56

digital evidence collection tools, forensics deployment teams, 344

Digital Light Processing (DLP), 147

Digital Millennium Copyright Act (DMCA), 324

digital signatures, 240–241, 250–251, 254–255

Digital Subscriber Line (DSL), 210

dips, electric power, 159

Direct Access Storage Device (DASD), 406, 421

direct memory access (DMA) I/O, 98

directories, not spread across different businesses, 75

directory services, 53

disaster recovery. See also business continuity/disaster recovery

     business impact analysis in, 285

     declaring disaster, 281

     moving into restored site, 285

     not developing plan for, 286–287

discretionary access control (DAC), 56–57, 77

disinfecting virus-infected files, 418

disk duplexing, 421

distance-vector routing protocols, 196

distinguished names (DNs), 53

Distributed Computing Environment (DCE), 371

distributed control systems (DCS), 65–66

DLP (Digital Light Processing), 147

DMA (direct memory access) I/O, 98

DMCA (Digital Millennium Copyright Act), 324

DMZs, mail relays in spam prevention, 417

DNs (distinguished names), 53

DNS poisoning, pharming attacks, 61–62

DNS servers

     in cache poisoning, 192–193

     DNSSEC extension to, 215

     in SPF validation, 188–189

     splitting up naming zones on internal, 200–201

DNSSEC, 215

document object model (DOM)–based XSS vulnerability, 374

documentation

     of business impact analysis, 275

     of contamination at crime scene, 336

     of emergency changes, 413

     at end of disaster recovery/contingency planning, 286

DoDAF (Department of Defense Architecture Framework), 104

dogs, as deterrence countermeasure, 150

DOM (document object model)–based XSS vulnerability, 194, 374

domain litigation, 193

domains

     isolation protection, 126

     understanding, 120

doors

     locks for server room, 156–157

     natural access control with, 154

     physical security for, 132, 142

DoS (Denial of Service) attacks, 100, 334

double-blind penetration testing, 411–412

downstream liability, 323

DPA (differential power analysis), 56

drag-and-drop questions, 430

dry pipe sprinkler systems, 148

DSL (Digital Subscriber Line), 210

due care

     chain of custody vs., 327

     overview of, 322–323

     protecting audit logs, 64

     role of data user in, 27

due diligence, 323

dumpster diving, 332–333

durability, database software ACID test, 360

E

EALs (evaluation assurance levels), Common Criteria, 105, 117–118

EAP (Extensible Authentication Protocol), 205

eavesdropping

     dumpster diving vs., 334

     on VoIP networks, 193

     wiretapping as legal form of, 333

ECB (Electronic Code Book), block ciphers, 253–254

ECC (elliptic curve cryptosystem), 235–236

e-commerce, three-tiered architecture for confidentiality, 187

education, learning objectives, 34–35

EGP (Exterior Gateway Protocol), 197

EJB (Enterprise JavaBeans), 372

electric power

     line conditioners/voltage regulators, 170–171

     physical/environmental security, 159–160

     in-rush currents, 170

     through smart grids, 166

electrical fires, 165

electromagnetic analysis, 56

electromagnetic interference (EMI), 170

electromechanical systems, IDS, 152–153

Electronic Code Book (ECB), 253–254

electronic vaulting, 291, 298

elliptic curve cryptosystem (ECC), 235–236

e-mail

     countermeasures against spam, 186

     phishing attacks using, 61–62

     sender-policy framework preventing, 187–188

e-mail spoofing, 189, 201–202

emanations capturing, 337–338

embedded architecture, 129

emergency responses

     after incident, 413

     developing disaster recovery plan, 287

EMI (electromagnetic interference), 170

encapsulation of objects, process isolation, 109–110

encryption

     with AES, 242

     confidentiality with, 240

     data and voice network, 193

     polymorphic viruses and, 366

     RFID vulnerability, 81

     with TKIP, 206–207

     unique/strong keys with KDFs, 235

end-to-end encryption, 232, 244–245

enterprise architecture, 103

Enterprise JavaBeans (EJB), 372

enticement, 331

entity integrity, database software, 368

entrapment, 331

environmental security. See physical and environmental security

EPL (Evaluated Products List), 117–118

error containment, virtualization, 108

ethics

     Code of Ethics for CISSP, 339–340

     Computer Ethics Institute role, 332

     dumpster diving and, 333

     enticement and, 331

     hacking and, 331

     Internet Architecture Board role in, 331–332

European Union

     Data Protection Directive, 342

     laws on privacy, 14

     Principles on Privacy, 317, 341–342

     Safe Harbor regulations with U.S., 2, 13–14

Evaluated Products List (EPL), 117–118

evaluation assurance levels (EALs), Common Criteria, 105, 117–118

evidence

     categories of, 329

     chain of custody for, 327, 328

     forensics deployment teams, 344

     forensics investigation process, 336

     legally admissible, 330

     protecting image during forensics, 336–337

     seizing to protect destruction of, 330–331

exclusive-OR (XOR) function, 239, 247

execution domain switching, TCB, 102

executive succession planning, 291–292

exigent circumstances, 330–331

expert systems, 371

Exploratory Model, system development, 370

extensibility, TLS vs. SSL, 230

eXtensible Access Control Markup Language (XACML), 63

Extensible Authentication Protocol (EAP), 205

Extensible Markup Language (XML), 63, 71

Exterior Gateway Protocol (EGP), 197

external marketplace, asset value in, 21

extreme programming, 365

F

failover protection, 288, 302–303

fail-safe configuration, 142

fail-secure configuration, 142

fail-soft configuration, 142, 144–145

fault containment, virtualization, 108

fault tolerance

     defining, 287–288

     high availability and, 302–303

     technologies for, 404–405

     via SANs, 410

FDDI (Fiber Distributed Data Interface), 212

federal regulations, 322

Federal Sentencing Guidelines, 332

federated identity, 60–61, 75

fences, 150, 154, 160–161

FHSS (frequency hopping spread spectrum), 205

Fiber Distributed Data Interface (FDDI), 212

field of view, zoom lens, 133–134, 149–150

file descriptor attacks, 412

file transfer, instant messaging risk, 204

filters, spam, 186

fingerprint (or signature-based) detection, antivirus software, 376

fingerprinting countermeasures, 423–424

fire

     classes of, 165

     construction materials resistant to, 146–147, 164

     detectors, 161–162

     sprinkler systems, 148–149

fire stations, site location near, 155

first-generation programming languages, 372

fixed CCTV cameras, 151

fixed focal length lenses, CCTVs, 145–146

fixed lighting, CCTVs, 146, 151

flexibility

     IPv6, 213

     VoIP, 203

fluorescent lighting, RFI/electric power issues, 160

focal length of lens, CCTVs, 151

follow-up or recovery stage, incident response, 335

footcandles, 150

footprint, satellite links, 203

forensics

     experts, 325

     field kits for, 344

     investigations, 336–337, 344

fourth-generation programming languages, 372

fragmentation, reducing with TOGAF, 104

frame, 190

frequency hopping spread spectrum (FHSS), 205

frequency-division multiplexing, 209

full backup process, 281

full knowledge penetration testing, 411

full-interruption tests, 274–275

G

garbage collector, 111

generators, in power outages, 171

generic approach to privacy, 342

glare protection, 143

GML (Generalized Markup Language), 63

Graham-Denning model, 108–109

grid computing, 422–423

guest, virtual machine as, 106

H

HA (high availability), business continuity, 301–303

hacking, ethical fallacies on, 331

hardened architecture, 129

hardware

     hot-swapping, 405

     virtual machines running on, 106

     virtualization, 424

hashing algorithms, 240, 251

hashing original image, forensics, 337

headers, end-to-end vs. link encryption, 245

heartbeat packets, Watchdog timers, 72

Heartbleed SSL/TLS vulnerability, 257

heat-activated fire detectors, 161

heavy timber construction material, office buildings, 146–147, 164–165

help-desk call volume, password synchronization reducing, 55

heuristics

     antivirus software detections, 376

     fourth-generation programming languages, 372

     IDS based on, 68

hierarchical database model, 364, 385

hierarchical storage management (HSM), 410–411, 422

high availability (HA), business continuity, 301–303

HIPAA (Health Insurance Portability and Accountability Act), 14, 322

honeypots, as enticement, 331

horizontal enactment, generic approach to privacy, 342

hosts file, 192

hot sites, 278–279, 295–297

hotspot questions, 429

hot-swapping, 405, 410

HSM (hierarchical storage management), 410–411, 422

HTML (Hypertext Markup Language), 63, 71

HTTP (HyperText Transfer Protocol) connection, 80–81, 370–371

human intervention, in physical security IDSs, 145, 157

human language, third-generation programming languages, 372

hybrid microkernel architecture, 128–129

hypervisors, virtual firewalls integrated with, 215–216

I

IaaS (Infrastructure as a Service), 214, 407

IAB (Internet Architecture Board), 331–332, 339–340

ICSs (industrial control systems), 65–66

identity theft, 68

identity federation, 57, 60

identity management, 74–75

identity store, 59

IDSs (intrusion detection systems)

     as detective controls, 39

     electromechanical vs. volumetric, 152–153

     evaluation criteria for, 97

     features of, 135, 157–158

     log files and, 82

     misuse-detection, 66–67

     physical security, 144–145

     protocol anomaly-based, 67

     proximity detectors, 156

     rule-based, 67–68

     state-based, 66

     stateful matching, 67

     statistical anomaly–based, 66

     volumetric, 154

IEC (International Electrotechnical Commission)

     ISO/IEC 27000, 36

     ISO/IEC 27001, 386

     ISO/IEC 27001:2005, 386

     ISO/IEC 27002, 360

     ISO/IEC 27005, 303, 386

     ISO/IEC 27031, 303

     ISO/IEC 42010, 104, 124

IEEE (Institute of Electrical and Electronics Engineers)

     802.1AE, 214

     802.1AR, 213–214

     802.2, Layer 2 OSI model, 185

IETF (Internet Engineering Task Force), 215, 331

if-then logic units, expert systems, 371

IGP (Interior Gateway Protocol), 196

IGRP (Interior Gateway Routing Protocol), 196, 197

illumination requirements

     amount of light present in environment and, 151

     CCTV cameras and lenses, 149–150

IM (instant messaging), risk assessment, 204

imaging software, forensics, 336–337, 344

impact, risk management scorecard for, 31–32

incident response

     building deployment teams, 344

     containment strategy, 326

     developing procedures, 343

     first steps of team, 325

     investigation, 327

     reviewing/documenting emergency changes, 413

     stages of, 335

incremental backup process, 280

independent modules, component-based system development, 365

industrial control systems (ICSs), 65–66

inference attacks, 107, 362

information, business impact analysis, 275

information custodian, 16

information owner, 16–17

information security continuous monitoring (ISCM), 414

information security governance

     answer key, 11

     assigning asset value, 3–4, 20–21

     characteristics of, 6, 28–29

     Chief Privacy Officer role, 5, 26

     CMMI, 22–24, 36

     control types, 11, 38–39

     data classification, 17, 29

     data user role, 5, 27

     information owner role, 2–3, 16–17

     integrity of data, 3, 19

     ISO/IEC 27000 standards, 10, 36

     learning objectives, 8–9, 34–35

     masquerading, 3, 20

     OECD, 2, 14

     overview of, 1

     questions, 2–11

     relationship between CobiT and ITIL, 2, 13

     Safe Harbor requirements, 2, 13

     security policies, 8, 33–34

     stakeholder concerns, 5, 24–26

     storage management system, 11, 39

     for user groups with different privileges, 4, 21–22

information security management. See ISMS (information security management systems)

information systems auditor, 27

Information Technology Infrastructure Library. See ITIL (Information Technology Infrastructure Library)

Information Technology Security Evaluation Criteria (ITSEC), 97

informative type of policy, 33

infrared flame detectors, fire, 162

Infrastructure as a Service (IaaS), 214, 407

infrastructure cloud computing, 304

Initial level, CMMI, 23, 115–116

initialization vectors (IVs), 257

input/output (I/O) operations, 102, 123

in-rush currents, 159, 170

instant messaging (IM), risk assessment, 204

Institute of Electrical and Electronics Engineers. See IEEE (Institute of Electrical and Electronics Engineers)

insulated ground wires, 171

insurance coverage, and asset value, 20–21

Integrated Services Digital Network (ISDN), 210

integration testing, software development, 365

integrity of data

     Biba model enforcing, 119

     Clark-Wilson model protecting, 109

     concurrency problems in database reducing, 362

     digital signatures providing, 240–241, 250–251

     ensuring for audit logs, 64

     hashing algorithms providing, 240

     memory manager responsibilities, 111

     normalization for, 362

     overview of, 19

     two-phase commit ensuring, 383

integrity rules, OLTP and ACID enforcing database, 361

integrity services, database software, 368

intellectual property laws, 319, 324

Interior Gateway Routing Protocol (IGRP), 196, 197

interleaved method, time multiplexing, 110

Intermediate System to Intermediate System (IS-IS), 196

International Electrotechnical Commission. See IEC (International Electrotechnical Commission)

International Organization for Standardization. See ISO (International Organization for Standardization)

Internet Architecture Board (IAB), 331–332, 339–340

Internet Engineering Task Force (IETF), 215, 331

internet relay chat (IRC) server, and botnet, 375

Internet Standards Process, 331

interrupts, 122

interviews, business impact analysis, 275, 279

intranet, 195

intruder detection, IDS, 152–153

intrusion detection systems. See IDSs (intrusion detection systems)

investigation stage, incident response, 327, 335, 337

I/O (input/output) operations, 102, 123

IOCE (International Organization on Computer Evidence), 343

ionization detectors, smoke, 162

IP addresses, 190

IP softphones, 199–200

IP spoofing, 20, 338, 409

IP telephony, 193, 199–200

IPSec (Internet Protocol Security)

     function of, 212

     IPv6 integration with, 213

     L2TP combined with, 191, 199, 211

     network layer protection with, 212

     SA values in, 245–246

     as VPN tunneling protocol, 190

IPv6 characteristics, 212–213

IRC (internet relay chat) server, and botnet, 375

ISCM (information security continuous monitoring), 414

ISDN (Integrated Services Digital Network), 210

IS-IS (Intermediate System to Intermediate System), 196

Islamic countries, religious law systems in, 318

ISMS (information security management systems)

     BS 7799 standard for, 386

     building security program within organization, 360

     ISO/IEC as, 36

ISO (International Organization for Standardization)

     defined, 15

     ISO/IEC 27000 standard, 36

     ISO/IEC 27001, 386

     ISO/IEC 27001:2005, 386

     ISO/IEC 27002, 360

     ISO/IEC 27005, 303, 386

     ISO/IEC 27031, 303

     ISO/IEC 42010, 104, 124

isolation, database software ACID test, 360

IT contingency plans, 282

Iterative Development, 370

ITIL (Information Technology Infrastructure Library)

     CMMI vs., 37

     relationship between CobiT and, 2, 13

     Service Strategy as core of, 90, 114–115

ITSEC (Information Technology Security Evaluation Criteria), 97

IVs (initialization vectors), 257

J

job rotation, 45, 69–70

jukeboxes, HSM, 410–411

JVM (Java Virtual Machine), executing Java applets, 367

K

KDFs (Key Derivation Functions), 234–235

Kerberos, 76–77

kernel flaws, 413

key clustering, 255

key exchange protocol, ECC as, 235

keys

     AES generating/using, 242

     calculating number of required, 238

     secure management principles for, 237

keyword filtering, suppressing spam, 202

L

L2TP (Layer 2 Tunneling Protocol)

     tunneling PPP traffic over network, 198

     as VPN tunneling protocol, 190

     for WAN connections, 211–212

landscaping, as natural access control, 154

lattice-based access control, 112–113

Layer 2 OSI model (data link layer), 185, 232

layered defense model, 153

layered operating system architecture, 127, 128

LDAP (Lightweight Directory Access Protocol), 53

least significant bit (LSB), steganography, 230

legacy applications, virtual machines allowing, 106

legal, regulations, investigations, and compliance

     answer key, 315

     approaches to regulation, 309, 321–322

     capturing electrical signals, 337–338

     categories of computer crimes, 308, 316

     categories of evidence, 310, 329

     chain of custody, 310, 328

     Code of Ethics for CISSP, 339–340

     computer forensics, 310, 327

     containment strategy to mitigate damage, 309, 326

     Council of Europe Convention on Cybercrime, 313, 341

     criminal law, 334

     different legal systems, 308, 318

     Digital Millennium Copyright Act, 309, 324

     due care, 309, 322–323

     dumpster diving, 311, 332–333

     exigent circumstances, 330–331

     first steps of incident response team, 309, 325

     forensics investigation, 311–312

     incident response stages, 311, 335

     intellectual property laws, 308, 319

     Internet Architecture Board, 311, 331–332

     legally admissible evidence, 330

     Locard’s Principle of Exchange, 312, 340

     OECD guidelines for protection of data, 308, 316

     overview of, 307

     preventing emanations capturing, 312

     questions, 308–314

     Service Organization Controls, 308–309, 320

     wiretapping, 311

legally admissible evidence, 330

lenses, CCTV, 145–146, 149–150

levels

     CMMI, 22–24, 36, 115–116

     data classification. See data classification

     RAID, 408

lifespan, key management, 237

light frame construction material, 164

light meter, measuring illumination, 150

lighting

     auto-iris CCTV lens for changes in, 146, 151

     configuring physical security, 142–143

     manual iris CCTV lens for fixed, 146, 151

     natural access control, 154

     unimportant when choosing site location, 155

Lightweight Directory Access Protocol (LDAP), 53

line conditioners, clean distribution of power, 170–171

line of sight requirement, satellite links, 203

link encryption, 244–245

link-state routing protocols, 196

liquid fires (Class C), 165

LLC (Logical Link Control) sublayer, Layer 2 OSI model, 185

load balancing, 288

Locard’s Principle of Exchange, 340

location, choosing site, 155

lock out accounts, brute-force attacks, 416

locks

     as delay countermeasures, 150–151

     delaying intruders with strong, 168

     for server room entry doors, 156–157

logical blocks, structured programming development, 365

long periods of no repeating patterns, stream ciphers, 240

LSB (least significant bit), steganography, 230

lux value, illumination measurements, 150

M

MAC (mandatory access control)

     functionality of, 77–78

     noninterference in, 106–107

     overview of, 56–57

MAC (Media Access Control), Layer 2 OSI, 185

machine language, first-generation programming languages, 372

MACSec (MAC Security standard), IEEE 802.1AE, 214

magnetic fields, proximity detectors, 156

MAID (massive array of inactive disks), 406, 421

mail relays, and spam prevention, 417

maintenance hooks, 80

MAN connections, FDDI used for, 212

Managed level, CMMI, 22–24, 116

management

     business continuity planning, 284–285

     business continuity team members, 275

     establishing after disasters, 282

     review by, 415

mandatory access control. See MAC (mandatory access control)

mandatory tokens, 79

mantraps, 169

manual iris lenses, CCTVs, 146, 149, 151

masquerading, 20

massive array of inactive disks (MAID), 406, 421

master symmetric keys, 257

mathematical functions, symmetric vs. asymmetric algorithms, 232

matrix, access control, 73–74

maximum tolerable downtime (MTD), 294, 301, 304–305

MD5, hashing original image in forensics, 337

mean time between failures (MTBF), 295, 405

mean time to repair (MTTR), 294–295, 405

Media Access Control (MAC) sublayer, Layer 2 OSI model, 185

media files, steganography, 231

media gateways, IP telephony, 193

memory

     data execution prevention for, 126

     isolation, 126

     mapping, 103

memory manager, 111

menus, as restricted interfaces, 74

mesh topology, 363

meta-directory, virtual directory vs., 59

methods, object-oriented programming, 378–379

microkernel architecture, 127–129

microprobing analysis, 55–56

microprocessor technology, attacks from, 98

mirroring, RAID

     disk duplexing vs., 420–421

     levels, 408

     when data is written to two drives at once, 410

misuse-detection system, 66–67

MO (Modus Operandi), 340

mode transitions, 128

Modified Prototype Method, system development, 369

monitoring

     continuous, 414

     with transparency, 62–63

monolithic architecture, 127–129

Motive, Opportunity, and Means, crime suspect, 327–328, 340–341

mounting CCTV cameras, 151

MTBF (mean time between failures), 295, 405

MTD (maximum tolerable downtime), 294, 301, 304–305

MTTR (mean time to repair), 294–295, 405

multiplexing, 208

multiprogramming, 98

multitasking operating systems, 122–123

mutation engines, polymorphic viruses, 366

mutual aid (reciprocal agreement), 278, 291, 296

N

namespaces, 53

naming distinctions, 110–111

naming zones, splitting, 200–201

NAS (network access servers), 189

national infrastructure protection, 161

natural access control, 154, 163

natural disaster occurrence, evaluating site location, 155

natural surveillance, CPTED, 162–163

“Neighborhood Crime Watch” signs, 150

network access servers (NAS), 189

network database model, 385

network security. See telecommunications/network security

NIST (National Institute of Standards and Technology)

     continuity plan best practices, 274

     NIST SP 800-30, 28

     NIST SP 800-66, 14

“No output” reports, 418

nondiscretionary access control, RBAC as, 74

Noninterference model, 106–107, 118–119

noninvasive attacks, 55–56

nonpersistent (or reflected) XSS vulnerabilities, 186, 194, 375

non-repudiation, from digital signatures, 240–241, 250–251

normalization, 362

number generators, randomness and, 256

O

object classes, 353

object-oriented programming, 377, 378

objects

     accessing available, 120

     ACLs and, 69

     developing access rights, 108–109

     encapsulation of, 109–110

obscurity, steganography as security through, 231

occupant emergency plan, 282

OCSP (Online Certificate Status Protocol), 244, 250

OCTAVE, 28

ODBMS (object-oriented database), 363–364, 385

OECD (Organisation for Economic Co-operation and Development), 14, 317, 341

OFB (Output Feedback) Mode, block ciphers, 254

OFDM (orthogonal frequency-division multiplexing), 205

offsite backup facilities

     determining, 286

     hot, cold and warm site options, 278–279

     reciprocal agreement for, 278

     remote journaling transmitting data to, 297–298

OLTP (online transaction processing), acid test, 360–361

one-time pad

     as perfect, 236

     providing confidentiality, 247

     similar to stream ciphers, 239

one-way hash, 251

Online Certificate Status Protocol (OCSP), 244, 250

Open Group Architecture Framework (TOGAF), 104

open mail relay servers, and spam, 186, 202

open network architecture, 195

Open Shortest Path First (OSPF), 196, 197

Open Software Foundation (OSF), 371

open system authentication (OSA), 207

operating systems

     fingerprinting countermeasures, 423–424

     multitasking, 122–123

     preemptive multitasking and, 99

     process tables, 124

     protection rings, 92, 121–122

     time multiplexing of, 110

     virtual machine as virtual instance of, 106

     virtualization issues with patching, 108

operations team, responsibility for backup, 280

optical jukeboxes, HSM, 410–411

Optimized level, CMMI, 116

oral evidence, 329

Orange Book, 97–98

ordered sets, and boundary operators, 112–113

Organisation for Economic Co-operation and Development (OECD), 14, 317, 341

orthogonal frequency-division multiplexing (OFDM), 205

OSA (open system authentication), 207

OSF (Open Software Foundation), 371

OSI model, 185, 233

OSPF (Open Shortest Path First), 196, 197

outdated business impact process, 282–283

out-of-band communication, 257

Output Feedback (OFB) Mode, block ciphers, 254

oversight, security governance program, 29

P

PaaS (Platform as a Service), 214, 407

packets, sockets directing, 189–190

PACs (Privileged Attribute Certificates), 77

parallel tests, 274–275

parity, RAID

     levels, 408

     rebuilding lost or corrupted data, 410

     use of information, 419–420

partial knowledge, penetration testing, 411–412

PAS (Privileged Attribute Server), 77

passive infrared (PIR) IDS, 154

password management, 55

password sniffing, 338

password synchronization, 55

passwords

     brute-force attacks on, 60–61, 415–416

     dictionary attacks on, 60

     replay attacks on, 59–60

patched files

     installing uninfected version of, 418

     virtualization issues with OS, 108

patents, 319

payload, steganography, 229

Payment Card Industry Data Security Standard (PCI DSS), 321–322

PCCIP (President’s Commission on Critical Infrastructure Protection), 161

PCI DSS (Payment Card Industry Data Security Standard), 321–322

penetration testing, 373, 411–412

per-device identifiers (DevID), IEEE 802.1AR, 213–214

performance

     measuring security governance program, 29

     metrics for physical security program, 158

     mode transitions and, 128

perimeter fences, 167

Perimeter Intrusion Detection and Assessment System (PIDAS) fencing, 160–161

permissions, database user groups with granular, 21

persistent XSS vulnerabilities, 194

perspectives, Zachman Architecture Framework, 103

pharming attacks, 61, 68

phishing attacks

     identity theft following, 68

     as masquerading, 20

     vs. pharming, 61

photoelectric IDS (or photometric) system, 154, 156

physical and environmental security

     answer key, 141

     assessment controls, 139, 168

     auditing physical access, 132, 143–144

     categories and countermeasures for, 150–151

     CCD chips in CCTVs, 133, 147–148

     CCTV lenses, 133, 145–146

     CCTV zoom lens and field of view, 133–134, 149–150

     CCTVs with manual iris vs. auto-iris, 134, 151–152

     choosing site location, 135, 155

     classes of fire, 138, 165

     construction materials, 133, 137–138, 146–147, 164–165

     CPTED components, 137, 161–162

     Crime Prevention Through Environmental Design, 134, 153–154

     delay countermeasures, 139, 168

     detectors on fencing, 136, 160–161

     doors, 132, 142

     electric power issues, 136, 159–160

     electrical power through smart grids, 138, 166

     first step in creating program for, 136, 158–159

     IDS features, 135, 156–157

     IDS intruder detection, 134, 152–153

     intrusion detection systems for, 132–133, 144–145

     lighting, 132, 142–143

     line conditioners, 140, 170–171

     locks for server room entry doors, 135, 156–157

     mantraps, 139, 169

     overview of, 131

     perimeter fences and warning signs, 139, 167

     physical security program design, 134, 150–151

     questions, 132–140

     in-rush currents, 140, 170

     smoke and fire detectors, 136, 161–162

     for specific objects with proximity detectors, 135, 155–156

     sprinkling systems, 133, 148–149

     volumetric IDSs, 135, 154

physical layer technologies, OSI, 233

physically constrained interfaces, 74

PID (process identification), naming distinctions, 111

PIDAS (Perimeter Intrusion Detection and Assessment System) fencing, 160–161

PIR (passive infrared) IDS, 154

PKI (public key infrastructure)

     CA signing user certificate in, 232–233

     calculating number of required keys, 238

     cross-certification, 250

     vs. public key cryptography, 233–234

plaintext messages, one-time pads, 247

Platform as a Service (PaaS), 214, 407

PLCs (programmable logical controllers), 65–66

PoE (Power over Ethernet), 166

point-to-point protocol (PPP), 198–199, 205

Point-to-Point Tunneling Protocol. See PPTP (Point-to-Point Tunneling Protocol)

police stations, and site location, 155

policy statement, continuity planning, 274

polyinstantiation, 352

polymorphic viruses, 366

polymorphism, 353, 363

pop-up windows, phishing attacks, 62

port scanning countermeasures, 423–424

ports, disabling as fingerprinting countermeasure, 424

power line interference, 170

power line monitors, 159

Power over Ethernet (PoE), 166

power supplies, and IDSs, 145, 157

PPP (point-to-point protocol), 198–199, 205

PPTP (Point-to-Point Tunneling Protocol)

     in dial-up connections, 190–191

     encryption at data link layer, 232

     over IP networks, 211

     as VPN tunneling protocol, 190

preaction sprinkler systems, 148

preemptive multitasking mode, 87, 98–99

preplanned business continuity procedures, 283–284

presentation, in configuration management change control, 392

President’s Commission on Critical Infrastructure Protection (PCCIP), 161

preventive controls

     audit logs not effective as, 415

     business impact analysis of, 274

     management review of access rights, 415

     two-factor identification/authentication as, 415

PRI (Primary Rate Interface) ISDN, 210

primary control, 39

primary entrance doors, 156–157

PRINCE2 (PRojects IN Controlled Environments), 37

privacy, threats on, 342

privacy law

     European Union Principles on Privacy, 317, 341–342

     Privacy Act of 1974, 324

privacy-aware role-based access control, 56–57

private keys. See digital signatures; PKI (public key infrastructure)

Privileged Attribute Certificates (PACs), 77

Privileged Attribute Server (PAS), 77

privileges, elevation of, 20

probability, 31–32

procedures, as administrative protective controls, 39

process deactivation, 102

process identification (PID), 111

process tables, 124

production operations, determining asset value, 21

profiling (or psychological crime scene analysis), 340

program, physical security design phase, 150–151

project initiation phase, business continuity plan, 289, 293

PRojects IN Controlled Environments (PRINCE2), 37

proprietary interior protocols, 197

proprietary protocols, 230

protection mechanisms

     data classification levels, 29

     software development, 379–380

protection profiles, Common Criteria, 105, 117

protocol anomaly-based IDS, 67

proximity detector (capacitance detector) IDS, 155–156

pseudorandom number generators, KDFs, 234

psychological crime scene analysis (profiling), 340

public key encryption

     RSA, 239

     SSL, 243

public key infrastructure. See PKI (public key infrastructure)

purging, 403–404

Q

QoS (Quality of Service), IPv6, 213

qualitative risk analysis, 35–36

quantitative risk analysis, 35–36, 83

questionnaires, business impact analysis, 279

R

RA (registration authority), 232, 250

race condition attack, 79–80, 382

radio frequency identification (RFID), 81–82

radio frequency interference (RFI), 160, 170

RADIUS (Remote Authentication Dial-In User Service), 72, 189

RAID (redundant array of independent disks)

     as DASD, 406

     for fault tolerance/system performance, 424

     levels of, 408

RAIT (redundant array of independent tapes), 406

RAM

     address buses hardwired to, 123

     memory manager responsibilities, 111

     virtual mapping and, 110

     virtual storage security issues, 99–100

random-number generator, polymorphic viruses, 366

RAS (remote access servers), RADIUS using, 189

rate-of-rise temperature detectors, fire, 161–162

RBAC (role-based access control), 56–57, 74

read up rule, Bell-LaPadula/Biba models, 101

rebar construction material, 150, 164

reciprocal agreement (mutual aid), 278, 291, 296

reconstitution phase, business continuity plan, 288–289, 298–300

recovery phase, business continuity plan, 276–277, 289–290

Recovery Point Objective (RPO), 276–278, 305

recovery strategies, after BIA, 274

Recovery Time Objective. See RTO (Recovery Time Objective)

recursive queries, DNS poisoning, 192–193

Red Book, 97

redundancy

     as failover protection, 287–288

     high availability and, 302

     with mirroring, 410

     normalization eliminating, 362

     with RAID. See RAID (redundant array of independent disks)

     redundant sites, 298

     with SANs, 410

     tape vaulting, 297

redundant array of independent disks. See RAID (redundant array of independent disks)

reference kernel (or abstract machine), 102

reference monitor, 101–102, 120

referential integrity, database software, 368

reflected XSS vulnerabilities, 186, 194, 375

regions of nodes, routing, 196

registers, 123

registration authority (RA), 232, 250

regression testing, 364, 373

regulation by industry, privacy, 342

regulatory laws, 335

Regulatory type of policy, 33

relational database model, 364, 385

reliability, via SANs, 410

religious law systems, 318

remote access servers (RAS), RADIUS using, 189

remote administration guidelines, 419, 425

Remote Authentication Dial-In User Service (RADIUS), 72, 189

remote journaling, 297–298

Remote Procedure Calls (RPCs), SOAP, 370

Repeatable level, CMMI, 116

replay attacks, 59–60

replication, fault tolerance and, 287–288

residual risk, 22

resource records, 215

response countermeasures, 151

responsive (or trip) lighting, 143

restoration team, 290

retention of data, information owner, 16–17

reusability, object-oriented programming, 377

RFCs (Request for Comments), 331

RFI (radio frequency interference), 160, 170

RFID (radio frequency identification), 81–82

RIP (Routing Information Protocol), 196–197

risk acceptance, 18

risk analysis, 158, 284

risk assessment

     in business impact analysis, 279–280

     instant messaging, 204

     methodologies for, 6, 27–28

     risk assignment vs., 31

risk avoidance, 18, 19

risk management

     answer key, 11

     determining asset value, 3–4, 20–21

     qualitative vs. quantitative, 9–10, 35–36

     residual risk calculation, 4, 22

     risk assessment, 3, 17–18

     risk assessment methodologies, 6, 27–28

     risk mitigation, 3, 18

     risk transference, 6–7, 30

     scorecard, 7, 31–32

     security steering committee, 2, 15–16

     SLE calculation, 10, 37–38

risk management committee, 16

risk mitigation, 18, 30

risk rejection, 31

risk transference, 19, 30, 303–304

rogue devices, 193

role-based access control (RBAC), 56–57, 74

rollbacks, database software and ACID test, 361

rootkits, 426–427

routing, 196, 213

Routing Information Protocol (RIP), 196–197

RPCs (Remote Procedure Calls), SOAP, 370

RPO (Recovery Point Objective), 276–278, 305

RSA, asymmetric algorithms, 239

RTO (Recovery Time Objective)

     defining, 276–278

     example scenario, 304–305

     vs. MTD, 301

rule-based programming, 371

rule-based IDS, 67–68

running key cipher, 248

S

SA (security association) values, IPSec

     overview of, 245–246

     tracking with SPI, 246

SaaS (Software as a Service)

     cloud computing model, 214–215

     definition and mapping of cloud-based solution, 407–408

SABSA (Sherwood Applied Business Security Architecture), 37

Safe Harbor, 2, 13, 317–318

safety

     business continuity plan for, 284

     occupant emergency plan for, 282

     restoring primary site after disaster, 285

sags, electrical power, 159

salami attacks, 338

SAML (Security Assertion Markup Language), 57–58, 80–81

sanitizing media, 404

SANs (storage area networks), 410–411

Sarbanes-Oxley Act (SOX), 322

SAS 70 (Statement on Auditing Standards No. 70), 309–310

satellite links, communication over, 203–204

SCADA (supervisory control and data acquisition) systems, 65–66

scalability, clustering for, 424

SCAP (Security Content Automation Protocol), 414

schedule, change control, 403

schema, database, 363

SCM (software configuration management), 389

scoped addresses, IPv6, 213

scorecard, risk management, 7, 31–32

scrubbing audit logs, 64–65

SDLC (system development life cycle), 359

sealing system state, TPM, 255–256

secondary doors, physical security, 156–157

secondary evidence, 329

secondary feeder line, redundancy, 171

second-generation programming languages, 372

second-order XSS vulnerability, 194, 374

secret values, KDFs, 234

Secure European System for Applications in a Multivendor Environment (SESAME), 76–77

Secure Shell (SSH), 425

Secure Sockets Layer. See SSL (Secure Sockets Layer)

security architecture and design

     answer key, 96

     buffer overflow attacks, 93–94, 125

     buffer overflow protection with ASLR, 94, 126

     Chinese Wall access control model, 91, 118

     Clark-Wilson access model, 86, 100–101

     CMMI levels, 90, 115–116

     Common Criteria components, 90–91, 116–118

     Common Criteria overview, 86, 97

     Common Criteria protection profiles, 87, 105

     data execution prevention, 94, 125–126

     defining virtual machine, 88, 106

     Graham-Denning access rights model, 88, 108–109

     hybrid microkernel architecture, 95, 128–129

     ISO/IEC 42010 standard, 93, 124–125

     ITIL, core set of, 90, 114–115

     lattice-based access control, 89, 112–113

     memory manager, 89, 111

     microkernel architecture performance, 95, 127

     multitasking operating systems, 92–93, 122–123

     noninterference, 88, 106–107

     overview of, 85

     preemptive multitasking mode, 86, 98–99

     process isolation methods, 88, 109–111

     protection rings, 92, 121–122

     questions, 86–95

     reducing fragmentation with TOGAF, 87, 104

     reference monitor, 91–92, 119–120

     risks of increases in processing power, 86, 98

     security kernel and reference monitor, 87, 101

     time-of-check/time-of-use vulnerability, 89, 113–114

     trusted computing base, 87, 102–103

     virtual storage concerns, 86, 99–100

     virtualization, 88, 108

     Zachman Architecture Framework, 87, 103

Security Assertion Markup Language (SAML), 57–58, 80–81

Security Content Automation Protocol (SCAP), 414

security event correlation management tools, 82

security event management (SEM), 82

security guards

     as assessment control, 150, 167, 168

     as deterrence countermeasure, 150, 167

security information and event management (SIEM), 82

security kernel, 101–102

security operations

     answer key, 401

     backup architectures, 422–423

     brute-force attacks, 395, 415–416

     buffer overflow attacks, 394, 412

     change control policy, 392, 402–403

     clustering for availability/scalability, 399, 424

     configuration management change control, 392, 402

     definition/mapping of cloud-based solutions, 393, 407–408

     Direct Access Storage Device, 393, 406

     emergency changes, 395, 413

     fault-tolerant technologies, 392, 404–405

     HSM vs. SANs, 410–411

     IP spoofing/session hijacking, 394, 409

     mail relays to prevent spam, 396, 417

     management review, 415

     mean time to repair, 393, 405

     “No output” reports, 396, 418

     overview of, 391

     penetration testing, 411–412

     port scanning/OS fingerprinting, 399, 423–424

     purging, 392, 403–404

     questions, 392–400

     RAID, and parity information, 397, 419–420

     RAID, mirroring of drives, 397–398, 420–421

     RAID levels, 393, 408

     RAID striping, 394, 409–410

     remote administration, 396, 419, 425

     response to dangerous virus infection, 396, 418

     servers infected with rootkits, 400, 425–426

     shoulder surfing attacks, 396, 416

     Trojaned programs, 400, 426–427

     Unified Threat Management, 395, 413–414

security parameter index (SPI), 246

security perimeter, 120

security personnel, audit logs, 64

security policy

     committee, 15

     directory services enforcing, 53

     as preventive, not detective, 415

     role of data user, 27

     senior management enforcing, 26

     specifying IM usage restrictions, 204

     XACML sharing, 63

security steering committee, 15

security targets, Common Criteria, 105, 117

self-regulation, PCI Data Security Standard, 321–322

self-service password reset, 55

SEM (security event management), 82

semantic integrity, database software, 368

sender policy framework (SPF), 188–189

senior executives, succession planning for, 291–292

separation of duties, access control, 45, 69–70

Sequential Access Storage Device, 406

server room, door locks, 156–157

servers

     infected with rootkits, 426

     instant messaging, 204

server-side includes (SSI) injection attacks, 388

Service Design, ITIL, 114–115

Service Operation, ITIL, 114–115

Service Provisioning Markup Language (SPML), 63, 70–71

Service Set IDs (SSIDs), 207

Service Strategy, as core of ITIL, 114–115

Service Transition, ITIL, 114–115

service-level agreements (SLAs), 404–405

service-oriented architecture (SOA), TOGAF, 104

services, disabling as fingerprinting countermeasure, 424

SESAME (Secure European System for Applications in a Multivendor Environment), 76–77

session hijacking, 409

session keys, 235, 242–243

SGML (Standard Generalized Markup Language), 63, 71

SHA-256, hashing original image in forensics, 337

shallow depth of focus, CCTV lenses, 145

shells, as restricted interfaces, 74

shielded cabling, 160

shoulder surfing attacks, 416

side-channel attacks, 100

SIEM (security information and event management), 82

signature-based IDS, 66–67

Simple Mail Transfer Protocol (SMTP), 188–189, 201–202

Simple Object Access Protocol. See SOAP (Simple Object Access Protocol)

Single Loss Expectancy (SLE), calculating, 37–38

single sign-on protocols/technologies, 76–78

site location, choosing, 155

skeleton crew, 291

SLAs (service-level agreements), 404–405

SLE (Single Loss Expectancy), calculating, 37–38

smart card readers, 156, 169–170

smart grids, 166

smoke detectors, 161–162

SMTP (Simple Mail Transfer Protocol), 188–189, 201–202

sniffers, rootkit, 427

SOA (service-oriented architecture), TOGAF, 104

SOAP (Simple Object Access Protocol)

     Remote Procedure Calls and, 370

     Web services with SAML, HTTP and, 80–81

     XML schema, 388–389

social engineering attacks

     not involved in poisoning DNS server cache, 192–193

     overview of, 60

     phishing and pharming as, 62

sociology, and environmental design, 153–154

software configuration management (SCM), 389

software development security

     answer key, 358

     antivirus detection, 351, 376

     botnets, 351, 375

     buffer overflow attacks, 381

     checkpoints, 354, 382–383

     CMMI, 348, 359

     cohesion and coupling, 350, 368–369

     component-based system development, 349, 365

     concurrency controls, 348, 361–362

     database types, 354–355, 384–385

     executing Java applets with JVM, 349, 367

     expert systems, 350, 371

     identifying security controls, 351, 372–373

     integrity services, 350, 368

     international standard compliance, 356, 386

     normalization, 348, 362

     object-oriented database, 349, 363–364

     object-oriented programming deferred commitment, 352, 377

     object-oriented programming messages, 378

     OLTP and acid test, 348, 360–361

     overview of, 347

     polymorphic viruses, 349, 366

     protection methods, 352–353, 379–380

     questions, 348–357

     SOAP/Remote Procedure Calls, 350, 370

     software configuration management, 357, 389

     system development methods, 350, 369–370

     testing methods, 348, 349, 364–365

     third-generation programming languages, 351, 372

     WDS and UDDI, 356, 388

     Web Application Security Consortium, 356, 387

     XSS vulnerabilities, 351, 374–375

     zero day vulnerabilities, 356, 387–388

software escrow framework, 290–291, 389

software performance regression, 373

SONET (Synchronous Optical Networks), 209

SOPA (Stop Online Piracy Act), 324–325

SOX (Sarbanes-Oxley Act), 322

spam

     botnets sending, 375

     countermeasures, 186

     e-mail spoofing and, 201–202

     mail relays and prevention of, 417

     open mail relay servers not effective against, 186

     sender-policy framework combating, 187–188

SPF (sender policy framework), 188–189

SPI (security parameter index), 246

spiral method of system development, 365

SPML (Service Provisioning Markup Language), 63, 70–71

sprinkler systems, 148–149

SSH (Secure Shell), 425

SSI (server-side includes) injection attacks, 388

SSIDs (Service Set IDs), 207

SSL (Secure Sockets Layer)

     connection setup process, 242–243

     Heartbleed SSL/TLS vulnerability, 257

     relationship between TLS and, 230

     securing transactions over untrusted networks, 242

     working at Transport Layer, 233

stakeholders, concerns of, 24–26

Standard Generalized Markup Language (SGML), 63, 71

standardized modules, 365

standby lighting, 143

state-based IDS, 66

stateful matching IDS, 67

Statement on Auditing Standards No. 70 (SAS 70), 309–310

statistical anomaly-based IDS, 66, 68

statistically unbiased keystreams, stream ciphers, 240

steel rod construction materials, 146, 147

steganography, 229–231, 248

stego-medium, 229

Stop Online Piracy Act (SOPA), 324–325

storage area networks (SANs), 410–411

storage management

     as compensating control, 39

     HSM vs. SANs, 410–411

     for keys, 237

stream ciphers, 239, 240

striping, RAID, 408–409, 421

strong authentication, administrators, 419

structured programming development, 365

subject binding, Clark-Wilson access model, 100–101

subjects

     capability lists and, 69

     developing access rights with, 108–109

     domains defining objects for, 120

subkeys, 257

supervisory control and data acquisition (SCADA) systems, 65–66

surge protectors, 160

surges, 170

surveys, business impact analysis, 279

symbolic link attacks, 412

symbols, second-generation programming languages, 372

symmetric algorithms

     AES as, 242

     asymmetric vs., 231–232

     block ciphers. See block ciphers

     block vs. stream ciphers as, 240

     drawback of, 231

     number of required keys, 238

     randomness and, 257

Synchronous Optical Networks (SONET), 209

synchronous tokens, 78–79

SysTrust, 309

system development life cycle (SDLC), 359

system development methods, 369–370

T

TACACS+, 73

tampering, IDSs and, 145, 158

tape drives, 406

tape jukeboxes, HSM, 410–411

tape vaulting, 297

target hardening, 153, 163

target of evaluation (ToE), Common Criteria, 117

TCB (trusted computing base), 101, 102, 120

TCP hijacking attacks, 257–258

TCP wrappers, 424

TCSEC (Trusted Computer System Evaluation Criteria), 97–98

teams, business continuity plan, 274–275, 289–290

telecommunications/network security

     802.1X authentication, 205–206

     answer key, 184

     architecture for confidentiality, 174, 186–187

     authentication technologies, 179

     Bluejacking, 176, 191–192

     bridge-mode virtual firewalls, 183, 216

     cloud computing models, 182–183, 214–215

     cross-site scripting, 176, 194

     DNS poisoning, 176, 192–193

     DNSSEC, 183, 215

     e-mail spoofing, 178, 201–202

     encryption with TKIP, 206–207

     grouping computers logically with VLANs, 176, 195

     IEEE 802.1AR standard, 182, 213–214

     IGRP, 197

     IM risks, 179, 204–205

     IP telephony, 176, 178, 193, 199–200

     IPv6, 182, 212–213

     Layer 2 OSI model sublayers/IEEE standards, 174, 185

     multiplexing, 180–181, 208

     overview of, 173

     questions, 174–183

     resolving internal host names, 178, 200–201

     routing, 177, 196

     satellite link prerequisites, 179, 203–204

     security encryption components, 180

     sender policy framework/DNS server, 174–175, 187–188

     socket, 175, 189–190

     spam countermeasures, 174, 186

     telecommunication technologies, 181, 209–210

     VoIP, 178, 202–203

     VPN tunneling with PPTP, 190–191

     WAN protocols, 177–178, 198–199

     WAN tunneling protocols, 181–182, 211–212

Telnet, 419, 425

Temporal Key Integrity Protocol (TKIP), 207

territorial reinforcement, CPTED, 163

testing

     in configuration management change control, 392

     penetration, 373

     software development methods, 364–365

     systems after restoring primary site, 285

thermal-fusible links, sprinkler heads, 148

third-generation programming languages, 372

threads, multitasking operating systems, 123

threat modeling, 83, 373–374

threats

     evaluating and ranking, 293–294

     identifying in BIA, 279

     identifying in risk assessment, 18

     Unified Threat Management, 413–414

three-tiered architecture, e-commerce, 187

time multiplexing, 110

time stamps, incident response, 337

time-of-check/time-of-use (TOC/TOU) attack, 113–114

timing analysis, 56

timing attacks, 416

TKIP (Temporal Key Integrity Protocol), 207

TLS (Transport Layer Security), 230, 257

TOC/TOU (time-of-check/time-of-use) attack, 113–114

ToE (target of evaluation), Common Criteria, 117

TOGAF (Open Group Architecture Framework), 104

tort law. See civil law

total risk, 22

TPMs (Trusted Platform Modules), 255–256

tracking stage, incident response, 335

trade secret law, 319

trademarks, 319

traffic analysis, 382

traffic anomaly-based IDS, 68

trailers, end-to-end vs. link encryption, 245

training, learning objectives, 34–35

transparency, 62–63

transponder, satellite, 203–204

Transport Layer Security (TLS), 230, 257

trespassing laws, dumpster diving, 333

triage stage, incident response, 335

trip (responsive) lighting, 143

Trojaned programs, 426–427

true name identity theft, 68

Trusted Computer System Evaluation Criteria (TCSEC), 97–98

trusted computing base (TCB), 101, 102, 120

Trusted Network Interpretation, 97

Trusted Platform Modules (TPMs), 255–256

tunneling protocols, and dial-up, 190

tunneling viruses, 366

two-dimensional, Zachman Architecture Framework as, 103

two-factor identification/authentication, 415

two-phase commit, 383

U

UDDI (Universal Description, Discovery and Integration), 388

unit testing, 364

untreated lumber, physical security, 147

URLs, in phishing attacks, 61

U.S. Department of Homeland Security (DHS), 387

user provisioning, 75

users

     role of data, 27

     and transparency, 63

UTM (Unified Threat Management), 413–414

V

VAN (value-added network), 195

varifocal lenses, CCTVs, 145–146

Vernam, Gilbert, 236

Vernam cipher. See one-time pad

vertical enactment, regulation of privacy, 342

vibration sensors, risk of false positives, 156

virtual container, virtual directory as, 58

virtual directory, 58–59

virtual firewalls, 215–216

virtual machines, 108, 122

virtual mapping, 110

virtual memory, 111

virtual storage, 86, 99–100

virtualization, 108, 424

viruses

     polymorphic, 366

     response to dangerous infection, 418

     tunneling, 366

visual evidence, 329

VLANs (virtual LANs), 195, 211

VoIP (Voice over Internet Protocol)

     eavesdropping threat on, 193

     security issues, 199–200, 202

voltage, 159–160, 170

voltage regulators, 159, 170–171

volumetric IDSs, 135, 154

volumetric systems, IDS, 152–153

VPNs (virtual private networks)

     implementing with PPTP, 232

     tunneling protocols, 190–191

vulnerabilities

     identifying towards end of business impact analysis, 279

     RFID, 81–82

     of smart grids for electrical power, 166

     threat modeling vs., 83

W

walls, as delay countermeasure, 150

WAM (web access management), 53–54, 75

warm sites, 278–279, 296

warning signs, as deterrent, 150, 167

WASC (Web Application Security Consortium), 387

watchdog timers, 72

water damage, sprinkler systems, 149

wave-pattern motion detectors, IDSs, 154

WDS (Web Services Description Language), 388

web sites, phishing/pharming attacks using fake, 61

WebTrust, 309–310

WEP (wired equivalent privacy), TKIP, 207

wet pipe (or closed head) sprinkler systems, 148–149

wide-angle lenses, CCTVs, 145–146

wiretapping, 333

WLANs

     ad hoc, 207

     tunneling protocols, 211

write down rule, Bell-LaPadula/Biba models, 101

WRT (Work Recovery Time), 304–305

X

X.500 standard, directory services, 53

XACML (eXtensible Access Control Markup Language), 63

XML (Extensible Markup Language), 63, 71

XOR (exclusive-OR) function, 239, 247

XSS (cross-site scripting), 194, 258, 374–375

Z

Zachman Architecture Framework, 103

zero day vulnerabilities, 387–388

zero knowledge, penetration testing, 412

zeroization, 403–404

zero-knowledge proof, 255

zone transfers, DNS server, 215

zoom lens, CCTVs, 149–150
