1G cell phone technology, 306
2G cell phone technology, 306
3DES (Triple Data Encryption Standard), 206, 215–216
3G cell phone technology, 306
4G cell phone technology, 306
5G cell phone technology, 307
10 Commandments of Computer Ethics, 139–140
10 Steps to Cyber Security, 86
802.1AE (MACsec) security standard, 259–260
802.1AR security standard, 260
802.11 wireless networks/standards
802.11a wireless standard, 310
802.11ac wireless standard, 310
802.11b wireless standard, 310
802.11g wireless standard, 310
802.11i wireless standard, 310
802.11n wireless standard, 310
802.16 wireless standard, 310
1998 Directive on Data Protection, 76
AAL (Authenticator Assurance Levels), 360
ABAC (Attribute-Based Access Control), 387–388
absolute addressing, 163
acceptance testing/implementation, SDLC, 569–571
attacks/threats, 438
unauthorized access, 438
NAT, 325
packet filters, 322
stateful firewalls, 322
zero trust, 325
operational security, 471
CHAP, 326
PAP, 326
PPP, 326
RADIUS, 328
restricted access/work area security, 241
access/identity management, 342, 358–359, 377
accountability, 343
authentication, 342–343, 358–361
AAL, 360
card-based authentication, 369–370
CHAP, 390
digital certificates, 370
EAP, 390
IAL, 360
MS-CHAPv2, 390
multifactor authentication, 375
OAuth, 362
OpenID, 362
PAP, 390
strong authentication, 375
two-factor authentication, 375
CDAC, 389
centralized access control, 390–393
decentralized access control, 393–394
IDS, 396–401, 510–511, 512–513
LBAC, 389
rule-based access control, 388
SIEM, 401
employee access control, 355
silent hostage (duress) alarms, 356
smart/dumb cards, 356
federation, 377
least privilege, 343
lifecycles, 376
perimeter physical control systems, 344
deadman doors, 346
dogs, 350
fences, 343
guards, 350
mantraps, 346
turnstiles, 346
physical access controls, 342–343, 344–348
profile management, 377
SESAME, 381
SPML, 378
user provisioning, 376
WS-Security, 377
XML, 377
access logs, 416
account management, 469
access controls, 471
database administrators, 469
job rotation, 471
least privilege, 471
network administrators, 469
quality assurance specialists, 469
reasonably prudent person rule, 472–473
security architects, 469
separation of duties, 469–470, 471
system administrators, 469
systems analysts, 469
ace locks, 352
ACL (Access Control Lists), 382–383, 388
acquisition, digital forensics, 516, 517–519
active sniffing, 432
ActiveX programming language, 590
activity blockers, 484
adhesion, contracts of, 53
administrative controls, 128
administrative (regulatory) law, U.S. legal system/laws, 71
administrators, system, 469
advisor groups, security, data management, 34
advisory policies, 125
AES (Advanced Encryption Standard), 217
aggregation
agile development, software, 577–578
aging, passwords, 364
AH (Authentication Headers), 329
AI (Artificial Intelligence), 587–588
AIC. See CIA triad
silent hostage (duress) alarms, 356
ALE (Annual Loss Expectancy), 97, 98–99, 106
algorithms
asymmetric cryptography, 207
symmetric algorithms, 207
hashing algorithms, 205, 231–233, 237
CBC-MAC, 234
CMAC, 235
HAVAL, 234
HMAC, 234
SHA-1, 233
SHA-2, 233
SHA-3, 234
IDEA, 210
LUC algorithm, 222
MD algorithms, 233
Rivest cipher algorithms, 210–211, 218
RSA algorithm, 222
alpha testing, 570
ALU (Arithmetic Logic Units), 158
analytics
MTD, 122
potential loss assessments, 119–122
risk reduction process, 121–122
comparative analysis, passwords, 439
cost-benefit analysis of risk management, 106
data analytics, 37
digital forensics, 517, 520–521
FRAP, 102
frequency analysis, 299
MITRE Risk Matrix, 106
payback analysis, 564
risk factor analysis, 87
root causes analyses, 415
traffic analysis, 437
answers, CISSP exams
drag-and-drop questions, 26
hotspot questions, 26
multiple-choice questions, 26
strategies for answering, 27
anti-malware, telecommunications control, 483–484
antivirus software, 60
applets, 595
application layer
OSI network model, 256
TCP/IP network model, 267–271, 316–320
application-level proxies, 323–324
application servers, 169
applications
logs, 416
security testing, 420
transaction monitoring, 489–490
whitelisting, 60
APT (Advanced Persistent Threats), 450
architecture security and engineering, 152, 170
accreditation, 195
computer/device configurations, 168–170
cryptography, 203
AES, 217
asymmetric encryption, 205, 207, 218–224, 237
authentication, 203–204, 230–231
ciphertext, 204
confidentiality, 203
cryptanalysis, 205
CSS, 238
digital signatures, 205, 235–236, 237
DRM, 205
hashing algorithms, 205, 231–236, 237
Kerckhoff’s Principle, 238
key management, 205
keys, 204
MD algorithms, 233
nonrepudiation, 204
plaintext, 204
s-boxes, 208
steganography, 205
symmetric encryption, 205, 208–211, 223–224, 237
defense in depth design process, 152–153
fundamentals, overview, 158
open/closed systems, 175
CA, 226
CRL, 227
process isolation, 179
product security evaluation models, 189
Common Criteria (ISO 15408), 192–194
CTCPEC, 190
recovery procedures, 178, 486–487
regulatory compliance, 157–158
Brewer and Nash model, 188
Clark-Wilson model, 187
Graham-Denning model, 188
Harrison-Ruzzo-Ullman model, 188
information flow model, 182
Lattice model, 188
Lipner model, 188
noninterference model, 182
Take-Grant model, 188
security modes of operation, 176–177
site/facility controls, 240–241
storage media, 163
CD, 165
direct-access storage, 165
DVD, 166
flash memory storage, 166
optical media, 165
sequential storage, 165
software, 165
SSD, 166
system validation, 194
TPM chips, 154
VM, 168
backdoors, 197
buffer overflows, 196, 200, 595–596
data diddling, 198
incremental attacks, 198
maintenance hooks, 197
mobile system vulnerabilities, 202–203
salami attacks, 198
state attacks, 197
web-based vulnerabilities, 199–202
wireless vulnerabilities, 202
architectures
CORBA, 592
area concerns, facility/site security controls, 497
ARO (Annual Rate of Occurrence), 97, 98–99
ARP (Address Resolution Protocol), 260
poisoning, 436
assemblers, 589
assessing
risk. See separate entry
security, 412
application security testing, 420
blackbox testing, 420
code reviews, 425
DAST, 425
DoS testing, 420
Fagan inspections, 426
fuzz testing, 426
graybox testing, 420
IAST, 425
KRI, 415
misuse case testing, 426
outsider testing, 420
physical security testing, 420
RASP, 425
root causes analyses, 415
SAST, 425
social engineering testing, 421
stress testing, 420
synthetic transactions, 426
vulnerability scanning, 419
whitebox testing, 420
wireless network testing, 420
vulnerabilities, 419
assessing risk, 88
hacker insurance, 93
losses, 94
probabilistic risk assessment, 87
qualitative assessments, 102, 103–104
Delphi technique, 102
FRAP, 102
IAM, 102
performing, 103
steps of, 101
quantitative assessments, 97, 103–104
SATAN vulnerability assessment tool, 138–139
steps of assessment, 90
threats, 89
Asset Protection Triad (CIA triad), 30, 31–32
availability, 31
confidentiality, 30
integrity, 31
assets
“CACPA”, 48
change management, 474–475
configuration management, 474–475
remote access, 476
placement, facility/site security controls, 501–502
risk assessments, 88
assisted password resets, 365
asymmetric encryption, 205, 207, 218–220, 237
Diffie-Hellman key exchanges, 220–222
ECC, 223
El Gamal, 223
Knapsack, 223
LUC algorithm, 222
RSA algorithm, 222
XTR public key cryptosystem, 222
asymmetric mode, processors, 160
ATA (Advanced Technology Attachments), 166
ATBASH, 299
ATM (Asynchronous Transfer Mode), 291
ATO (Authorization To Operate), 111
attacks/threats, 431
access controls, 438
unauthorized access, 438
APT, 450
ARP poisoning, 436
booters, 434
brute-force cracking, 441
database attacks, 437
DNS spoofing, 437
DoS attacks, 433
dumpster diving, 444
eavesdropping, 442
email bombing, 437
exploit kits, 450
hybrid attacks, 440
identity theft, 443
impersonation attacks, 444
IOC, 597
APT, 450
exploit kits, 450
packers, 448
success attacks, 450
worms, 446
wrappers, 448
methodologies of attacks, 430–431
packers, 448
pharming attacks, 437
phishing, 443
phreaking, 492
piggybacking, 444
sniffing, 432
social engineering attacks, 443–444
spear phishing, 443
success attacks, 450
tailgating, 444
traffic analysis, 437
vectors, computer crime/hackers, 77
virus hoaxes, 444
war driving, 437
whaling, 443
wrappers, 448
zero-day vulnerabilities, 437
attenuation, cabling, 280
attributes, databases, 583
auditors, data management, 35
audits
data, 39
employees, 548
identity/access management, 394–396
logs, 416
penetration testing/assessments, 412–415
AUP (Acceptable Use Policies), 128, 471
authentication, 342–343, 358–361
AAL, 360
AH, 329
CER, 372
facial recognition, 373
FAR, 371
fingerprint recognition, 373–374
FRR, 371
hand geometry recognition, 372
iris recognition, 373
retina pattern recognition, 373
Type I errors, 371
Type II errors, 371
voice recognition, 373
card-based authentication, 369–370
cryptography, 203–204, 230–231
digital certificates, 370
digital forensics, 516–517, 520
encryption, 58
IAL, 360
IMAP, 269
CBC-MAC, 234
CMAC, 235
HMAC, 234
MFA, 202
MS-CHAPv2, 390
OAuth, 362
OpenID, 362
aging, 364
assisted password resets, 365
attempts, 364
clipping levels, 364
complexity, 364
composition, 364
cracking, 366
history, 364
length, 364
OTP, 367
passphrases, 365
self-service password resets, 365
session management, 364
storing, 364
synchronization, 365
threshold levels, 364
strong authentication, 375
tokens, 367
CDAC, 389
centralized access control, 390
CHAP, 390
Diameter, 393
EAP, 390
MS-CHAPv2, 390
PAP, 390
TACACS, 392
decentralized access control, 393–394
IDS, 396–397, 510–511, 512–513
rule-based IDS, 400
signature-based IDS, 399
LBAC, 389
rule-based access control, 388
SIEM, 401
AS (Autonomous Systems), 289
availability
backups, 31
CIA triad, 31
avoiding risk, 105
disaster recovery plans, 545
ethics training/awareness, 137–138
10 Commandments of Computer Ethics, 139–140
Computer Ethics Institute, 139–140
(ISC)2 Code of Ethics, 138–139
regulatory requirements, 142–143
background checks, 131
backups, 31
cloud computing, 539
continuous backups, 538
data replication, 538
database shadowing, 538
electronic vaulting, 539
full backups, 536
incremental backups, 537
remote journaling, 539
SAN, 539
tape rotation schemes, 537–538
validating, 458
badges, employee access control, 355–356
banners, warning, 489
baseband transmissions, cabling, 275
baselines
risk management, 126
supplementation, 62
bastion hosts, 324
BCP (Business Continuity Plans)
MTD, 122
potential loss assessments, 119–122
risk reduction process, 121–122
corrective controls, 117
detective controls, 117
preventive controls, 117
project management/initiation, 116–117
BEAST cryptographic attack, 240
Bell-LaPadula security model, 182–184
beta/pilot testing, 570
BIA (Business Impact Analysis), 117–119
MTD, 122
potential loss assessments, 119–122
risk reduction process, 121–122
biometrics, 358, 370–371, 374–375
CER, 372
facial recognition, 373
FAR, 371
fingerprint recognition, 373–374
FRR, 371
hand geometry recognition, 372
iris recognition, 373
retina pattern recognition, 373
Type I errors, 371
Type II errors, 371
voice recognition, 373
birthday attacks, 239
blacklists, 480
blockers, activity, 484
Blowfish, 210
blue boxes, 482
BlueBorne, 312
Bluejacking, 312
Bluetooth technologies, 311–312
bollards, perimeter physical control systems, 346–347
bombing email, 437
Boolean operators, 208
booters, 434
BootP (Bootstrap Protocol), 269
bot herders, 435
BPA (Business Partnership Agreements), 112
BREACH cryptographic attack, 240
Brewer and Nash security model, 188
bridges, 282
broadband transmissions, cabling, 275
broken configuration management, database vulnerabilities, 586
browsers, unpatched browsers, mobile system vulnerabilities, 203
brute-force cracking, 441
buffer overflows, 196, 200, 586, 595–596
bulletproof hosting, 450
Bullrun, 331
bump keys, 354
Burp Proxy Attack tool, 200
bus topologies, 272
buses
FireWire (IEEE 1394) interfaces, 167
HBA, 41
ISA, 166
northbridges, 166
PCI, 166
PCIe, 166
SATA, 166
SCSI, 167
southbridges, 166
Thunderbolt interfaces, 167
USB, 167
business process recovery strategies, 524–525
business reference model, FEA frameworks, 156
BYOD policies, 169
bytecode, 595
C programming language, 590
C# programming language, 590
C+ programming language, 590
C++ programming language, 590
CA (Certificate Authorities), 226
CaaS (Communication-as-a-Service), 477
cable Internet access, 293–294
cabling
attenuation, 280
baseband transmissions, 275
broadband transmissions, 275
fiber-optic cables, 277
multimode fiber cables, 277
plenum-grade cables, 277
single-mode cables, 277
“CACPA”, 48
CAIN. See CIA triad
CALEA (Communications Assistance for Law Enforcement Act), 433
call trees, 542
caller ID spoofing, 308
CAM (Content-Addressable Memory), 283
Camellia, 211
CAN (Campus Area Networks), 278
capability tables, 388
card keys, employee access control, 355–356
card-based authentication, 369–370
CASE model, software development, 576–577
CAST (Carlisle Adams/Stafford Tavares), 211
categorization
record retention policies, 45
threats, 107
CBC mode, DES, 213
CBC-MAC (Cipher Block Chaining-MAC), 234
CBK (Common Body of Knowledge), 21
CCTV cameras, perimeter physical control systems, 348–349
CD (Compact Discs), 165
CDAC (Content-Dependent Access Control), 389
CDN (Content Delivery Networks), 324
ceilings, facility/site security controls, 498–501
centralized access control, 390
CHAP, 390
Diameter, 393
EAP, 390
MS-CHAPv2, 390
PAP, 390
TACACS, 392
CER (Crossover Error Rates), 372
certificates, digital, 227–229, 370
certification
architecture security and engineering, 194–195
CISSP exams, 20
(ISC)2 website, 28
software development, 571
X.509 certificates, 370
CFAA (Computer Fraud and Abuse Act) of 1986, 72
CFB mode, DES, 213
change control, 36
change detection, 597
change management, 474–475, 580–582
changeovers, software, 572
CHAP (Challenge-Handshake Authentication Protocol), 326, 390
checklists, disaster recovery, 521–522
chief security officers, data management, 34
chosen ciphertext, 238
chosen plaintext, 238
availability, 31
confidentiality, 30
integrity, 31
ciphers, 205
s-boxes, 208
ciphertext, 204
chosen ciphertext, 238
ciphertext-only attacks, 238
CIR (Committed Information Rates), 290
circuit switching, WAN, 291–294
circuit-level proxies, 323
CISC (Complex Instruction Set Computers), 160
CISSP exams
answering
drag-and-drop questions, 26
hotspot questions, 26
multiple-choice questions, 26
strategies for answering, 27
CBK, 21
certification, 20
fees, 20
online resources, 28
passing score, 20
questions, types of, 24
answer strategies, 27
drag-and-drop questions, 24, 26
multiple-choice questions, 24, 26
terminology, 28
topics, 21
civil law, U.S. legal system/laws, 71
Clark-Wilson security model, 187
classification approach, knowledge management, 38
classification, record retention policies, 45
classifying
commercial data, 51
private data, 51
public data, 51
sensitivity, 50
click-wrap license agreements, 53
clipping levels, 364, 365, 471–472
clock speeds, CPU, 159
cloning cell phones, 307
closed/open systems, 175
backups, 539
CSA, STAR ratings, 85
clustering
keys, 239
CMAC (Cipher-based MAC), 235
CMMI model, software development, 578–579
COBIT (Control Objectives for Information and Related Technologies), 39, 413
coding
assemblers, 589
compilers, 589
interpreters, 590
mobile code, 595
programming languages, 588–590
reviewing, 425
scripting languages, 590
cold sites, disaster recovery, 527
collaboration, multimedia, 331–332
commercial data classification, 51
Common Criteria (ISO 15408), product security evaluation models, 192–194
common law, 71
communications
attacks, 77
CaaS, 477
frequency analysis, 299
full duplex communication, 280
half duplex communication, 280
loss, 495
security, 298
802.11 wireless networks/standards, 308–316
ATBASH, 299
Bluetooth technologies, 311–312
concealment ciphers, 302
DECT, 315
Enigma machine, 303
Feistel network, 303
frequency analysis, 299
polyalphabetic ciphers, 299–300
quantum cryptography, 304
Vernam ciphers, 303
simplex communication, 280
telecommunications equipment, 281
community clouds, 478
comparative analysis, passwords, 439
compartmentalized systems, MAC, 385
compartmented operation mode, 176
compilers, 589
completeness checks, 562
compliance, data governance policies, 33
computer crime/hackers, 76
attack vectors, 77
communications attacks, 77
corporate spies, 78
cyberterrorists/cybercriminals, 78
disgruntled employees, 78
insurance, 93
investigating computer crimes, 452, 459, 513
incident response, 453–458, 514
interviews/interrogations, 459–460
search and seizure/surveillance, 459
IOCE, 516
law enforcement/security conferences, 79
logical attacks, 77
nation-state hackers, 78
organized crime, 428
personnel security attacks, 77
physical security attacks, 77
script kiddies, 78
skilled hackers, 428
social engineering attacks, 77
threat actors, 78
computer/device configurations, 168–170
Computer Ethics Institute, 139–140
computer forensics, 515
continuous lighting, 349
concealment ciphers, 302
conferences
security conferences, computer crime/hackers, 79
web conferencing, 331
confidentiality
CIA triad, 30
cryptography, 203
security models, 182
configurations
broken configuration management, database vulnerabilities, 586
lockdowns, 60
sealing, 56
construction, facility/site security controls, 498
contact smart cards, 369
contactless smart cards, 369
BCP
corrective controls, 117
detective controls, 117
preventive controls, 117
project management/initiation, 116–117
continuous backups, 538
contracts of adhesion, 53
control units, 158
administrative controls, 128
corrective controls, 568
data center controls, 241
detective controls, 568
employee access control, 355
silent hostage (duress) alarms, 356
smart/dumb cards, 356
environmental controls/HVAC, 241, 501
fire prevention/detection/suppression controls, 241, 501, 505–506
fire-detection equipment, 506–507
logical security controls, 152
perimeter physical control systems, 344, 493
deadman doors, 346
dogs, 350
fences, 343
guards, 350
mantraps, 346
turnstiles, 346
physical access controls, 240, 342–343, 495–496
perimeter physical control systems, 344–348, 493
preventive controls, 568
security policies, levels of control, 124
server room controls, 241
site/facility security controls, 240–241
technical controls, 129
convergence, network, 304
COOP (Continuity Of Operations Plan), 111
copyrights
intellectual property, 74
CORBA (Common Object Request Broker Architecture), 592
cordless phones, 308
Corpus Juris Civilis, 73
COSO (Committee for Sponsoring Organizations of Treadway Commission), 142
costs
cost-benefit analysis, risk management, 106
data governance policies, 33
risk versus levels of control, 105–106
countermeasures, risk management
avoiding risk, 105
cost of risk versus levels of control, 105–106
mitigating risk, 105
risk reports, 106
coverage, penetration testing, 413–414
“CP SOW”, 47
CPTED (Crime Prevention Through Environmental Design), 496–497
CPU (Central Processing Units), 158
advancements, 159
ALU, 158
categorizing, 160
CISC, 160
clock speeds, 159
control units, 158
input, 160
interrupts, 162
memory, 159
MIPS, 159
multiprocessor systems, 160
multithreaded programs, 161
PID, 161
processes, 161
ready state, 159
RISC, 160
scalar processors, 160
superscalar processors, 160
threads, 161
transistors, 159
wait state, 159
cracking passwords, 366, 439–442
credential stuffing, 439
credit/debit cards, PCI-DSS, 42–43
CRIME cryptographic attack, 240
crime triangles, 452
criminal law, U.S. legal system/laws, 71
CRL (Certificate Revocation Lists), 227
Cross-Site Scripting (XSS), 199, 200
cryptanalysis, 205
differential cryptanalysis, 238
linear cryptanalysis, 238
AES, 217
asymmetric cryptography, 207
symmetric algorithms, 207
asymmetric encryption, 205, 207, 218–220, 237
Diffie-Hellman key exchanges, 220–222
ECC, 223
El Gamal, 223
Knapsack, 223
LUC algorithm, 222
RSA algorithm, 222
XTR public key cryptosystem, 222
ATBASH, 299
authentication, 203–204, 230–231
ciphertext, 204
concealment ciphers, 302
confidentiality, 203
cryptanalysis, 205
CSS, 238
CFB mode, 213
OFB mode, 214
digital signatures, 205, 235–236, 237
DRM, 205
AES, 217
asymmetric encryption, 207, 218–224, 237
end-to-end encryption, 320–321
link-to-link encryption, 321
OSI network model, 256
RC2, 218
swIPe, 320
symmetric encryption, 205, 208–211, 223–224, 237
tunneling protocols, 57–58, 319, 320
U.S. Government, 237
Enigma machine, 303
Feistel network, 303
frequency analysis, 299
hashing algorithms, 205, 231–233, 237
CBC-MAC, 234
CMAC, 235
HAVAL, 234
HMAC, 234
SHA-1, 233
SHA-2, 233
SHA-3, 234
Kerckhoff’s Principle, 238
key management, 205
keys, 204
MD algorithms, 233
nonrepudiation, 204
CA, 226
CRL, 227
plaintext, 204
polyalphabetic ciphers, 299–300
quantum cryptography, 304
s-boxes, 208
steganography, 205
symmetric cryptography, 207
symmetric encryption, 205, 208–211, 223–224, 237
TPM chips, 154
Vernam ciphers, 303
Cryptolocker cryptographic attack, 240
CSA (Cloud Security Alliance), STAR ratings, 85
CSMA/CA (Carrier-Sense Multiple Access/Collision Avoidance), 273
CSMA/CD (Carrier-Sense Multiple Access/Collision Detection), 273–274
CSRF (Cross-Site Request Forgery), 199, 200
CSS (Content Scrambling System), 238
CTCPEC (Canadian Trusted Computer Product Evaluation Criteria), 190
customary law, 73
Cyber Security, 10 Steps to, 86
Cybersecurity Strategy of the European Union, 86
cyberterrorists/cybercriminals, 78
DAC (Discretionary Access Control), 382–383
DASD (Direct Access Storage Devices), 532
DAST (Dynamic Application Security Testing), 425
data analytics, 37
data and information recovery strategies, 534
data at rest, encryption, 55–57
data audits, 39
data center controls, 241
commercial data, 51
private data, 51
public data, 51
sensitivity, 50
data controls, 36
data diddling, 198
data disposal, 46
data documentation, 36
data governance policies, 32–33
data in transit, encryption, 57–59
data labeling, 44
data lifecycle control, 38
data link layer, OSI network model, 253–254
data management, 32
auditors, 35
chief security officers, 34
data audits, 39
data documentation, 36
data governance policies, 32–33
data lifecycle control, 38
data mining, 37
data organization, 36
data owners, 34
data standards, 38
data warehouses, 37
developers, 34
information security steering committees, 34
knowledge management, 38
security advisor groups, 34
senior management, 34
users, 34
data mining, 37
data organization, 36
data owners
data management, 34
identification, 36
ILM, 35
data ownership, 35
Data Protection Authority, 75
data purges, 46
data recovery procedures, 178, 486–487
data reference model, FEA frameworks, 156
data replication, 538
data sanitization, 46–47, 476–477
data security
authentication, 58
defense in depth, 56
email protocols, 58
encryption, 55
authentication, 58
end-to-end encryption, 59
SED, 56
FTP, 57
HTTP, 57
insecure protocols, 57
ISO/IEC 17799, 42
Privacy Rights Clearinghouse, 42
SMTP, 57
Telnet, 57
zero-trust environments, 59
data standards, 38
data storage, 364
DASD, 532
data disposal, 46
evidence storage controls, 241
information handling requirements, 44–45
labeling data, 44
record retention policies, 45
SASD, 532
data warehouses, 37
database servers, 169
administrators, 469
attributes, 583
change detection, 597
CORBA, 592
integrity, 585
mobile code, 595
programming languages, 588–590
transaction processing, 585
fields, 583
foreign keys, 583
granularity, 583
hierarchical database management systems, 582
knowledge bases, 587
network database management systems, 582
object-relational database systems, 583
primary keys, 584
relations, 583
shadowing, 538
schemas, 584
scripting languages, 590
tuples, 583
unpatched databases, 586
views, 584
DCS (Distributed Control Systems), 169
DDP (Data De-Duplication), 42
DDR (Double Data Rates), 164
deadman doors, perimeter physical control systems, 346
debit/credit cards, PCI-DSS, 42–43
decentralized access control, 393–394
decommissioning hardware, 46–47
DECT (Digital Enhanced Cordless Telecommunication), 315
dedicated (single-state) operating systems, 177
dedicated operation mode, 176
de-encapsulation, OSI network model, 258
default routes, 288
Delphi technique, qualitative assessments, 102
deprovisioning/provisioning, identity/access management, 376
DES (Data Encryption Standard), 206, 210, 211–212
CBC mode, 213
CFB mode, 213
OFB mode, 214
DES EDE2, 216
DES EDE3, 216
DES EEE2, 216
DES EEE3, 216
design guidelines, architecture security, 152–155
design specifications, software, 566
destroying media/hardware, 477
detective controls, BCP, 117
developers, data management, 34
development methodologies, software
IDEAL model, 579
incremental development, 575
JAD model, 575
MPM model, 576
RAD model, 575
spiral model, 574
waterfall model, 573
development security, databases, 583–585
change detection, 597
CORBA, 592
integrity, 585
mobile code, 595
programming languages, 588–590
transaction processing, 585
development security, software, 560
change detection, 597
CORBA, 592
mobile code, 595
programming languages, 588–590
scheduling, 580
SDLC, 563
acceptance testing/implementation, 569–571
design specifications, 566
development methodologies, 573–579
disposal, 572
functional requirements/planning, 565–566
operations/maintenance, 571–572
reverse engineering, 569
system failure, avoiding, 561–562
avoiding system failure, 562
device/computer configurations, 168–170
device locks, 353
diagramming, potential attacks, 107
dialing systems, outband, 542
Diameter, centralized access control, 393
differential cryptanalysis, 238
Diffie-Hellman key exchanges, 220–222
digital certificates, 227–229, 370
procedures, 516
stages of, 515
digital signatures, 205, 235–236, 237
direct OS commands, web-based vulnerabilities, 199
direct-access storage, 165
Directive on Data Protection, 1998, 76
directory traversal attacks, 199
disaster recovery, 458–459, 493–494
awareness, 545
business process recovery strategies, 524–525
cold sites, 527
data and information recovery strategies, 534
facility recovery strategies, 525–528
insurance, 544
interfacing with external groups, 542–543
monitoring recovery plans, 547–548
operations recovery strategies, 529–532
organizational functions and recovery times, 535–536
personnel mobilization, 542
plan design/development, 541–544
reciprocal agreements, 528
redundant sites, 527
subscription services, 525–527
supply recovery strategies, 525–528
teams/responsibilities, 523
tertiary sites, 525
testing recovery plans, 546–547
user recovery strategies, 528–529
warm sites, 526
discovery scans, networks, 418
disgruntled employees, computer crime/hackers, 78
disk encryption, 60
disposal
software, 572
distance-vector protocols, 288–289
distributed computing, 533–534
diving, dumpster, 444
DMA, I/O using DMA, 162
DMCA (Digital Millennium Copyright Act), 53–54
DMZ (Demilitarized Zones), 324–325
DNS (Domain Name System), 268
DNS spoofing, 437
DNSSEC (Domain Name System Security), 268
documentation
ATO, 111
BCP
corrective controls, 117
detective controls, 117
preventive controls, 117
project management/initiation, 116–117
BPA, 112
COOP, 111
data, 36
IA, 111
ISA, 110
MOU, 111
NDA, 112
OLA, 111
risk reports, 106
security policies, 124
UA, 111
dogs, perimeter physical control systems, 350
doors, facility/site security controls, 498–501
DoS (Denial of Service)
testing, 420
doxing, 428
drag-and-drop questions, CISSP exams, 24, 26
DRAM (Dynamic Random-Access Memory), 163–164
DREAD, threat modeling, 109
driving, war, 437
DRM (Digital Rights Management), 205
DROWN cryptographic attack, 240
DRP (Disaster Recovery Plans), 113–115
DSA (Digital Signature Algorithms), 236, 237
DSL (Digital Subscriber Line), 293
DSSS (Direct-Sequence Spread Spectrum), 308
dumb cards, employee access control, 356
dumpster diving, 444
duplicate checks, 562
duress (silent hostage) alarms, 356
duties, separation of, 131–132, 469–470, 471
DVD (Digital Video Discs), 166
dwell time, 308
dynamic NAT, 325
dynamic routing, 288
EA (Enterprise Architectures), 155
FEA frameworks, 156
ISO 27000 series standards, 157
EAL (Evaluation Assurance Levels), 192–193
EAP (Extensible Authentication Protocol), 320, 326–328, 390
EAP-FAST, 327
EAP-LEAP, 327
EAP-MD5, 327
EAP-PEAP, 327
EAP-SIM, 327
EAP-TTLS, 327
ECC (Elliptical Curve Cryptosystem), 223
Economic Espionage Act of 1996, 72
EGP (Exterior Gateway Protocol), 289
El Gamal, 223
electric lock pick guns, 355
electrical power, facility/site security controls, 503–504
electronic vaulting, 539
asset management, 478
bombing attacks, 437
IMAP, 479
POP, 479
standard email protocols, data security, 58
EMI (Electromagnetic Interference), 503
employees
access control, 355
silent hostage (duress) alarms, 356
smart/dumb cards, 356
audits, 548
awareness, disaster recovery, 545
disaster recovery services, 543–544
disgruntled employees, computer crime/hackers, 78
job descriptions, 547
performance reviews, 548
personnel security, 130
background checks, 131
ethics training/awareness, 137–143
job rotation, 132
mandatory vacations, 133
NDA, 131
new-hire agreements/policies, 131
social networking, 131
termination of employees, 133–134
training, disaster recovery, 545
enabled features (unnecessary), database vulnerabilities, 586
encapsulation
OOP, 591
OSI network model, 256, 257–258
AES, 217
asymmetric encryption, 207, 218–220, 237
Diffie-Hellman key exchanges, 220–222
ECC, 223
El Gamal, 223
Knapsack, 223
LUC algorithm, 222
RSA algorithm, 222
XTR public key cryptosystem, 222
ATBASH, 299
authentication, 58
Blowfish, 210
Camellia, 211
CAST, 211
concealment ciphers, 302
CBC mode, 213
CFB mode, 213
OFB mode, 214
disk encryption, 60
end-to-end encryption, 59, 320–321
Enigma machine, 303
Feistel network, 303
frequency analysis, 299
link-to-link encryption, 321
MARS, 211
OSI network model, 256
polyalphabetic ciphers, 299–300
RC2, 218
SAFER, 211
SED, 56
Skipjack, 211
swIPe, 320
symmetric encryption, 205, 208–211, 223–224, 237
L2TP, 320
PPTP, 320
SSTP, 319
Twofish, 210
U.S. Government, 237
Vernam ciphers, 303
end-of-life provisions, 36
end-to-end encryption, 59, 320–321
engineering and architecture security, 152, 170, 172–175
accreditation, 195
computer/device configurations, 168–170
cryptography, 203
AES, 217
asymmetric encryption, 205, 207, 218–224, 237
authentication, 203–204, 230–231
ciphertext, 204
confidentiality, 203
cryptanalysis, 205
CSS, 238
digital signatures, 205, 235–236, 237
DRM, 205
hashing algorithms, 205, 231–236, 237
Kerckhoff’s Principle, 238
key management, 205
keys, 204
MD algorithms, 233
nonrepudiation, 204
plaintext, 204
s-boxes, 208
steganography, 205
symmetric encryption, 205, 208–211, 223–224, 237
defense in depth design process, 152–153
fundamentals, overview, 158
open/closed systems, 175
CA, 226
CRL, 227
process isolation, 179
product security evaluation models, 189
Common Criteria (ISO 15408), 192–194
CTCPEC, 190
recovery procedures, 178, 486–487
regulatory compliance, 157–158
Brewer and Nash model, 188
Clark-Wilson model, 187
Graham-Denning model, 188
Harrison-Ruzzo-Ullman model, 188
information flow model, 182
Lattice model, 188
Lipner model, 188
noninterference model, 182
Take-Grant model, 188
security modes of operation, 176–177
site/facility controls, 240–241
storage media, 163
CD, 165
direct-access storage, 165
DVD, 166
flash memory storage, 166
optical media, 165
sequential storage, 165
software, 165
SSD, 166
system validation, 194
TPM chips, 154
VM, 168
backdoors, 197
buffer overflows, 196, 200, 595–596
data diddling, 198
incremental attacks, 198
maintenance hooks, 197
mobile system vulnerabilities, 202–203
salami attacks, 198
state attacks, 197
web-based vulnerabilities, 199–202
wireless vulnerabilities, 202
Enigma machine, 303
environmental controls/HVAC, 241, 501, 502–503
EPO (Emergency Power Off), 504
equipment failure, 495
equipment lifecycles, 54–55, 505
ERD (Entity Relationship Diagrams), 565–566
escalation of privilege, 431, 586
ESP (Encapsulating Security Payloads), 329
Ethernet
FCoE, 41
ethics training/awareness, 137–138
10 Commandments of Computer Ethics, 139–140
Computer Ethics Institute, 139–140
(ISC)2 Code of Ethics, 138–139
regulatory requirements, 142–143
EU (European Union)
1998 Directive on Data Protection, 76
Cybersecurity Strategy of the European Union, 86
Data Protection Authority, 75
right to be forgotten, 75
event logs, 416
evidence
hearsay evidence, U.S. legal system/laws, 72
storage controls, 241
exams, CISSP
CBK, 21
certification, 20
drag-and-drop questions, 24, 26
fees, 20
multiple-choice questions, 24, 26
online resources, 28
passing score, 20
terminology, 28
topics, 21
types of questions, 24
existence checks, 562
exploit kits, 450
extensive privileges, database vulnerabilities, 586
exterior gateway protocols, 289
external audits, 413
external groups (disaster recovery), interfacing with, 542–543
facial recognition, 373
facility recovery strategies, 525–528
facility/site security controls, 240–241, 495–496
area concerns, 497
construction, 498
environmental controls/HVAC, 502–503
equipment lifecycles, 505
location, 498
Fagan inspections, 426
failure states, 562
failures (system), avoiding, 561–562
FAIR (Factor Analysis of Information Risk), 87
FAR (False Acceptance Rates), 371
Fast-Flux botnets, 435
fast-injection viruses, 597–598
fault tolerance, 486
faxes, operational security, 482
FCoE (Fibre Channel over Ethernet), 41
FCPA (Foreign Corrupt Practices Act), 142
FDA Resources of Data Management, 38
FEA frameworks, 156
Federal Sentencing Guidelines of 1991, 72
federation, identity/access management, 377
fees, CISSP exam, 20
Feistel network, 303
fences, perimeter physical control systems, 344–345
FHSS (Frequency-Hopping Spread Spectrum), 308
fiber-optic cables, 277
field devices, 169
fields, databases, 583
filters, packet, 322
FIM (Federated Identity Management), 361
final testing, 570
fingerprint recognition, 373–374
FIPS (Federal Information Processing Standards), 82
fire detectors, 501
fire escapes, 501
fire prevention/detection/suppression controls, 241, 501, 505–506
fire-detection equipment, 506–507
FireWire (IEEE 1394) interfaces, 167
FISMA (Federal Information Security Management Act), 81
flash memory storage, 166
flat tires, disaster recovery, 522–523
foot-candles, 349
foreign government agents, threat actors, 429
foreign keys, databases, 583
procedures, 516
stages of, 515
FOUO, data classification, 50
frame relays, 290
frameworks
governance frameworks, 154–155
ITIL, 155
NIST Risk Management Framework, 87
Protection of Information in Computing Systems, The, 154
FRAP (Facilitated Risk Analysis Process), 102
fraud, CFAA of 1986, 72
FREAK cryptographic attack, 240
frequency analysis, 299
Fresnel lenses, 349
Friedman, William, 304
FRR (False Rejection Rates), 371
FTPS (FTP Secure), 317
FTP (File Transfer Protocol), 57, 267–268, 324
full backups, 536
full duplex communication, 280
fully connected topologies, 275
function testing, 570
functional requirements/planning, SDLC, 565–566
fuzz testing, 426
G8 (Group of Eight), 473
GAN (Global Area Networks), 278
Gantt chart, 580
gates, perimeter physical control systems, 345–346
gateways, 287
gateway-to-gateway architectures, 330
gateway-to-gateway tunneling protocols, 58
generic smart cards, 369
GFS tape-rotation schemes, 537
glare protection, 350
GLBA (Gramm-Leach-Bliley Act), 80
global legal/regulatory issues, 74–75
Data Protection Authority, 75
right to be forgotten, 75
governance, security, 70
computer crime/hackers, 76
attack vectors, 77
communications attacks, 77
corporate spies, 78
cyberterrorists/cybercriminals, 78
disgruntled employees, 78
hacktivism, 142
law enforcement/security conferences, 79
logical attacks, 77
nation-state hackers, 78
personnel security attacks, 77
physical security attacks, 77
script kiddies, 78
social engineering attacks, 77
threat actors, 78
global legal/regulatory issues, 74–75
Data Protection Authority, 75
right to be forgotten, 75
holistic enterprise security systems, 71
international legal system/laws, 72–73
1998 Directive on Data Protection, 76
Corpus Juris Civilis, 73
customary law, 73
halakha law, 73
mixed law systems, 73
Napoleonic law, 73
religious law, 73
sharia law, 73
sexual harassment, 79
U.S. legal system/laws
administrative (regulatory) law, 71
CFAA (Computer Fraud and Abuse Act) of 1986, 72
civil law, 71
common law, 71
criminal law, 71
due care, 72
due diligence, 72
Economic Espionage Act of 1996, 72
Federal Sentencing Guidelines of 1991, 72
hearsay evidence, 72
Identity Theft and Assumption Deterrence Act of 1998, 76
personal information websites, 76
Privacy Act of 1974, The, 75
stare decisis, 71
U.S. Child Pornography Prevention Act of 1996, 72
U.S. Patriot Act of 2001, 72
governance frameworks, 154
ITIL, 155
Protection of Information in Computing Systems, The, 154
governance policies, data, 32–33
Graham-Denning security model, 188
granularity, databases, 583
graybox testing, 420
graylists, 480
guards, perimeter physical control systems, 350
guidelines, risk management, 127
hackers/computer crime, 76
attack vectors, 77
communications attacks, 77
corporate spies, 78
cyberterrorists/cybercriminals, 78
disgruntled employees, 78
insurance, 93
investigating computer crimes, 452, 459, 513
incident response, 453–458, 514
interviews/interrogations, 459–460
search and seizure/surveillance, 459
IOCE, 516
law enforcement/security conferences, 79
logical attacks, 77
nation-state hackers, 78
organized crime, 428
personnel security attacks, 77
physical security attacks, 77
script kiddies, 78
skilled hackers, 428
social engineering attacks, 77
threat actors, 78
halakha law, 73
half duplex communication, 280
halon fire suppression, 508–509
hand geometry recognition, 372
Hanoi, Tower of, 538
hard changeovers, software, 572
hard drives, SED, 56
hardware
bridges, 282
configuration lockdowns, 60
degaussing, 477
destroying, 477
disk encryption, 60
equipment lifecycles, 54–55, 505
forensics, 515
gateways, 287
hubs, 281
keystroke loggers, 403
mirrored ports, 284
network taps, 284
repeaters, 281
routine maintenance, 54
SED, 56
zeroization, 477
zero-trust environments, 59
Harrison-Ruzzo-Ullman security model, 188
hashing algorithms, 205, 231–233, 237
HAVAL, 234
CBC-MAC, 234
CMAC, 235
HMAC, 234
SHA-1, 233
SHA-2, 233
SHA-3, 234
HAVAL, 234
HBA (Host Bus Adapters), 41
HDLC (High-Level Data Link Control), 294
headers, 257
AH, 329
hearsay evidence, U.S. legal system/laws, 72
heuristic scanning, 483
HIDS (Host-Based Intrusion Detection Systems), 398, 512
hierarchical database management systems, 582
hierarchical designs, MAC, 385
HIPAA (Health Insurance Portability and Accountability Act), 79–80
HMAC (Hash-based Message Authentication Code), 234
hoaxes, virus, 444
holistic enterprise security systems, 71
honeypots/honeynets, operational security, 484–485
hopping, VLAN, 285
host-to-gateway architectures, 330
host-to-host architectures, 330
host-to-host (transport) layer, TCP/IP network model, 259–260, 318–319
Host-to-LAN tunneling protocols, 58
hot fixes, 595
hot sites, disaster recovery, 525–526
hotspot questions, CISSP exams, 25, 26
HR, need for, 128
HSSI (High-Speed Serial Interface), 294
HTML programming language, 590
HTTP (HyperText Transfer Protocol), 269, 324
data security, 57
S-HTTP, 317
hubs, 281
HVAC/environmental controls, 241, 501, 502–503
hybrid attacks, 440
hybrid clouds, 478
hybrid designs, MAC, 385
IA (Interoperability Agreements), 111
IaaS (Infrastructure-as-a-Service), 294–295, 478
IAB (Internet Architecture Board), ethics training/awareness, 140–141
IAL (Identity Assurance Levels), 360
IAM (INFOSEC Assessment Methodology), 102
IAST (Interactive Application Security Testing), 425
ICMP (Internet Control Message Protocol), TCP/IP network model, 263
ICS (Industrial Control Systems), 169
IDaaS (Identity as a Service), 362–363
IDEA (International Data Encryption Algorithm), 210, 218
IDEAL model, software development, 579
identifying assets, 91–93, 107
identity theft, 443
Identity Theft and Assumption Deterrence Act of 1998, 76
identity/access management, 342, 358–359, 377
accountability, 343
authentication, 342–343, 358–361
AAL, 360
card-based authentication, 369–370
CHAP, 390
digital certificates, 370
EAP, 390
IAL, 360
MS-CHAPv2, 390
multifactor authentication, 375
OAuth, 362
OpenID, 362
PAP, 390
strong authentication, 375
two-factor authentication, 375
CDAC, 389
centralized access control, 390–393
decentralized access control, 393–394
IDS, 396–401, 510–511, 512–513
LBAC, 389
rule-based access control, 388
SIEM, 401
employee access control, 355
silent hostage (duress) alarms, 356
smart/dumb cards, 356
federation, 377
least privilege, 343
lifecycles, 376
perimeter physical control systems, 344
deadman doors, 346
dogs, 350
fences, 343
guards, 350
mantraps, 346
turnstiles, 346
physical access controls, 342–343, 344–348
profile management, 377
SESAME, 381
SPML, 378
user provisioning, 376
WS-Security, 377
XML, 377
IDS (Intrusion Detection Systems), 396–397, 510–511
rule-based IDS, 400
signature-based IDS, 399
IEEE 1394 (FireWire) interfaces, 167
IGMP (Internet Group Management Protocol), TCP/IP network model, 264
IKE (Internet Key Exchange), 329–330
ILM (Information Lifecycle Management), 35
IM (Instant Messaging), 331
images, digital forensics
primary images, 520
working images, 520
IMAP (Internet Message Authentication Protocol), 269, 479
impact scale, qualitative assessments, 100–101
impersonation attacks, 444
implementing disaster recovery plans, 544–545
incident response, computer crime investigations, 453–458, 514
incremental attacks, 198
incremental backups, 537
incremental development, software, 575
inference
attacks, 321
information flow security model, 182
information handling requirements, data storage, 44–45
information security steering committees, data management, 34
insecure protocols, data security, 57
insecure/jailbroken devices, 203
insiders/disgruntled employees, 428
insurance
disaster recovery, 544
hackers/computer crime, 93
integrity
checking, 483
CIA triad, 31
databases, 585
digital forensics, authentication, 520
intellectual property
copyrights, 74
international legal system/laws, 73–74
service marks, 73
trademarks, 73
interface testing, 569
interfacing with external groups, disaster recovery, 542–543
internal audits, 413
international governance standards, 86
10 Steps to Cyber Security, 86
Cybersecurity Strategy of the European Union, 86
STAR ratings, CSA, 85
international legal system/laws, 72–73
1998 Directive on Data Protection, 76
Corpus Juris Civilis, 73
customary law, 73
halakha law, 73
IOCE, 516
mixed law systems, 73
Napoleonic law, 73
religious law, 73
sharia law, 73
Internet layer, TCP/IP network model, 260, 319–320
ICMP, 263
IGMP, 264
interpreters, 590
interrogations/interviews, investigating computer crimes, 459–460
interrupt-driven I/O, 162
interrupts, CPU, 162
interviews/interrogations, investigating computer crimes, 459–460
intrusion detection, IDS, 396–397, 510–511
rule-based IDS, 400
signature-based IDS, 399
investigating computer crimes, 452
incident response, 453–458, 514
IOCE, 516
operational security, 513
I/O
interrupt-driven I/O, 162
I/O using DMA, 162
memory-mapped I/O, 162
port-mapped I/O, 162
programmed I/O, 162
IOC (Indicators of Compromise), 597
IOCE (International Organization of Computer Evidence), 516
IoT (Internet of Things), 169–170
IP (Internet Protocol)
SKIP, 319
swIPe, 320
IPS (Intrusion Prevention Systems), 384, 401
IPsec (IP Security), 57–58, 329–330
iris recognition, 373
ISA (Interconnection Security Agreements), 110, 166
(ISC)2
iSCSI (Internet Small Computer System Interface), 40–41
ISDN (Integrated Services Digital Network), 291–292
ISO (International Organization for Standardization)
ISO 9001, 84
ISO 15408 (Common Criteria), 192–194
ISO 27003, 157
ISO 27799, 84
ISO/IEC 17799, 42
ISO/IEC 27002, sexual harassment, 79
ISOC (Internet Society), ethics training/awareness, 140–141
isolating processes, 179
ITIL (Information Technology Infrastructure Library), 82–83, 155
ITSEC (Information Technology Security Evaluation Criteria), 191–192
JAD model, software development, 575
jailbroken/insecure devices, 203
Java programming language, 590, 595
JFK Records Act, 45
jobs
descriptions, 547
joins, LBAC, 389
journaling, remote, 539
jurisdictions, computer crime investigations, 452–453
kanban, 578
Kerckhoff’s Principle, 238
kernels, security, 174
key cards, employee access control, 355–356
keys
bumping, 354
clustering, 239
cryptographic keys, 204
Diffie-Hellman key exchanges, 220–222
foreign keys, databases, 583
managing, 205
primary keys
databases, 584
ERD, 565
SKIP, 319
space, 206
symmetric encryption, 210
XTR public key cryptosystem, 222
keystroke monitoring, 402–403, 491–492
Knapsack, 223
knowledge bases, 587
knowledge management, 38
classification approach, 38
probabilistic approach, 38
statistical approach, 38
known plaintext attacks, 238
KPI (Key Performance Indicators), 414–415
KRI (Key Risk Indicators), 415
L2TP (Layer 2 Tunneling Protocol), 320
labeling data, 44
LAN (Local Area Networks), 271, 278
communication protocols, 271–272
tokens, 272
LAN-to-LAN tunneling protocols, 58
laptops, 169
Lattice security model, 188
law enforcement, computer crime/hackers, 79
law/legal compliance, data governance policies, 33
laws/legal systems
global legal/regulatory issues, 74–75
Data Protection Authority, 75
right to be forgotten, 75
international legal system/laws, 72–73
1998 Directive on Data Protection, 76
Corpus Juris Civilis, 73
customary law, 73
halakha law, 73
IOCE, 516
mixed law systems, 73
Napoleonic law, 73
religious law, 73
sharia law, 73
U.S. legal system/laws
administrative (regulatory) law, 71
CALEA, 433
CFAA (Computer Fraud and Abuse Act) of 1986, 72
civil law, 71
common law, 71
criminal law, 71
due care, 72
due diligence, 72
Economic Espionage Act of 1996, 72
FCPA, 142
Federal Sentencing Guidelines of 1991, 72
FIPS, 82
FISMA, 81
GLBA, 80
hearsay evidence, 72
Identity Theft and Assumption Deterrence Act of 1998, 76
keystroke monitoring, 492
NIST, 82
personal information websites, 76
Privacy Act of 1974, The, 75
stare decisis, 71
U.S. Child Pornography Prevention Act of 1996, 72
U.S. Patriot Act of 2001, 72
U.S. Securities Act of 1933, 472
LBAC (Lattice-Based Access Controls), 389
LDAP (Lightweight Directory Access Protocol), 270
leaks, memory, 164
least privilege, 132–133, 343, 468, 471
levels of control, security policies, 124
liability, data governance policies, 33
click-wrap license agreements, 53
contracts of adhesion, 53
master license agreements, 53
shrink-wrap license agreements, 53
lifecycles
acceptance testing/implementation, 569–571
design specifications, 566
functional requirements/planning, 565–566
operations/maintenance, 571–572
reverse engineering, 569
lifestyle control, data, 38
lifetimes, session, 202
lighting, perimeter physical control systems, 349–350
limit checks, 562
linear cryptanalysis, 238
link-state protocols, 289
link-to-link encryption, 321
Lipner security model, 188
location
facility/site security controls, 498
redundancy, 41