Index

Note: Page numbers followed by b indicate boxes, f indicate figures and t indicate tables.

A

Abstraction 52
Acceptance testing 202–203
Access aggregation 125–126
Access control defensive categories 21b
compensating 22
corrective 21
detective 21
deterrent 21–22
preventive 21
recovery 21
Access control matrix 52
Access control models 
content-dependent 131
context-dependent 131
discretionary access control (DAC) 130
mandatory access control (MAC) 130
nondiscretionary 130–131
rule-based 130–131
Access control technologies 
access review 125–126
audit 125–126
centralized access control 125
decentralized access control 125
Federated identity management (FIdM) 126
identity as service 126–127
Kerberos 127–128
lightweight directory access protocol (LDAP) 127
protocols and frameworks 128–130
security association markup language (SAML) 126
SESAME 128
single sign-on (SSO) 125
user entitlement 125–126
Accountability 4–5
Account lockouts 118–119 See also Passwords
Accreditation 40
Acquisitions 14
Address space location randomization (ASLR) 58
Addy inherits 198
Addy object 198, 198f
Administrative law 7
Administrative personnel controls 
background checks 148
job rotation 147
least privilege/minimum necessary access 147
mandatory leave/forced vacation 148
nondisclosure agreement (NDA) 148
separation of duties 147
Advanced encryption standard (AES) 67, 71, 72t
Agile software development 
extreme programming 190
scrum 189–190
Annualized loss expectancy (ALE) 24–25, 25t
ARO 24
AV 24
EF 24
SLE 24
Annual rate of occurrence (ARO) 24
Antivirus 156
Application-layer, OSI model 99–100
Application-layer TCP/IP protocols 
DNS 103
FTP 102
HTTP and HTTPS 103
IMAP 102
POP 102
SMTP 102
SSH 102
Telnet 102
Application programming interface (API) 193
Application whitelisting 156
Arithmetic logic unit (ALU) 55
Assembly language 187
Assessing access control 
log reviews 138
penetration testing 136–137
security assessments 138
security audits 138
vulnerability testing 137
Asset management 
change management 157–158
configuration management 157
Asset security, domain 2 
classifying data 34–35
data destruction 39–40
data security control determination 40–44
memory and remanence 37–39
ownership 36–37
Asset value (AV) 24
cost approach 24
income approach 24
market approach 24
Asymmetric encryption 
Diffie-Hellman key agreement protocol 73
discrete logarithm 73
ECC 73
factoring prime numbers 72–73
tradeoffs 73
Asynchronous dynamic token 120
Attackers 28–29
bots and botnets 29
hackers 28
insiders 29
outsiders 28
phishers and spear phishers 29
Attestation 13
Audit records 158
Authentication, authorization, and accountability (AAA) 4
Authentication methods 
type 1 118–120
type 2 120
type 3 120–124
Authentication protocols and frameworks 
802.1X and EAP 111–112, 111b
Authentication server (AS) 120
Authorization 4, 125–126
Availability  See Denial of service (DoS)

B

Background checks 19, 148
Backups and availability 
electronic backups 174–176
hardcopy data 174
Backup storage 35
Baselining 157 See also Configuration management
Basic input/output system (BIOS) 38, 57
Bell-LaPadula model 49
rules and properties 50, 50b
Best evidence rule 9
Biba model 51
Binary images 148 See also Forensics
Biometrics 120
control, types of 122–124
enrollment 121
systems, accuracy of 121
throughput 121
Black-box testing 139
Black hats hackers 137
Bluetooth 107
Bots and botnets 29
Brewer-Nash  See Chinese Wall model
Bridges, layer 2 device 108
Brute-force attacks 119
BS-25999 and ISO 22301 180
Budget and metrics 26
Buffer overflows 201
Business Continuity Institute (BCI) 180–181
Business Continuity Management System (BCMS) 180
Business continuity planning (BCP) 
business impact analysis (BIA) 167–169
call trees 173
critical state, assessing 167
disaster recovery plan (DRP) 162–163, 163f
Emergency Operations Center (EOC) 173
plans 171–173, 171t
preventive controls 169
project initiation 166–167
recovery strategy 169–170
Business impact analysis (BIA) 
BCP/DRP-focused risk assessment 168
critical assets 167
failure and recovery metrics 168–169
maximum tolerable downtime (MTD) 168
Business owners 36
Business recovery plan (BRP) 172
Bytecode 187

C

Cable modems 113
Cache memory 38
register file 38
SRAM 38
Call trees 165, 173 See also Disaster recovery process
Candidate keys 194
Carnegie Mellon University’s (CMU) 202
Centralized access control 125
Central processing unit (CPU) 54–56, 186–187
ALU 55
CISC and RISC 56
control unit 55
fetch and execute 55
interrupts 56
multitasking and multiprocessing 56
pipelining 55–56
processes and threads 56
Cerberus  See Kerberos
Certificate authorities (CAs) 77
key management issues 77
Certificate revocation lists (CRL) 77
Certification 40
Chain of custody 9
Challenge-handshake authentication protocol (CHAP) 130
Change management 157–158, 178–179
Chinese Wall model 51
Cipher block chaining (CBC) 70
Cipher feedback (CFB) 70
Circuit-switched networks 
drawback of 97
point-to-point connections 97
Civil law 7
legal system 6
Clark-Wilson model 51
Client-side attacks 63
Cloud computing 
benefits of 60
goal of 59
service levels 60, 60t
Code repository security 192
Cold site 170
Collusion 147
Combinatorial software testing 140
Commercial off-the-shelf (COTS) software 203
Common law 6
administrative 7
civil 7
criminal 7
Communication and network security, domain 4 
network architecture and design 96–107
secure communications 111–115
secure network devices and protocols 107–111
Compartmentalization 34, 147 See also Administrative personnel controls
Compensating control 22
Compilers 187
Complex instruction set computer (CISC) 56
Computer-aided software engineering (CASE) 187
Computer bus 54, 55f
Computer crime 9–10, 10b
import/export restrictions 13
international cooperation 12
Computer Ethics Institute 16
Confidentiality, integrity, and availability (CIA) 3–4
Configuration management 
baselining 157
vulnerability management 157
Conflict of interest categories (CoIs) 51
Constrained user interface 196
Content delivery networks 114–115
Content-dependent access control 131
Content distribution networks (CDN) 114–115
Context-dependent access control 131
Continuity of operations 
fault tolerance 158–162
service level agreement (SLA) 158
Continuity of operations plan (COOP) 163, 172
Continuity of support plan 172
Contraband checks 82
Contractor security 20
Control unit 55
Converged protocols 104–105
DNP3 104
storage protocols 104–105
VoIP 105
Copyright 11, 11f
Cornerstone cryptographic concepts 
confidentiality, integrity, authentication, and nonrepudiation 67
confusion, diffusion, substitution, and permutation 67
cryptographic strength 67
data at rest and in motion 68
monoalphabetic and polyalphabetic ciphers 67–68
protocol governance 68
XOR 68
Cornerstone information security concepts 3–5
availability 3–4, 3f
confidentiality 3–4, 3f
DAD 4
integrity 3–4, 3f
Corrective controls 21
Council of Europe Convention on Cybercrime 12
Counter (CTR) 70, 71t
Credential set 118
Crime scene 148 See also Forensics
Criminal law 7
Crisis communications plan 172–173
Crisis management plan (CMP) 172
Crossover error rate (CER) 121, 122f
Cross-site request forgery (CSRF) 201
Cryptanalysis 66
Cryptographic attacks 74–75
adaptive chosen ciphertext 75
adaptive chosen plaintext 75
brute-force attack 74
chosen ciphertext 75
chosen plaintext 75
differential cryptanalysis 75
known-key attack 75
known plaintext 74
linear cryptanalysis 75
side-channel attacks 75
social engineering 74
Cryptographic strength 67
Cryptography 66, 68–74
asymmetric encryption 72–73
hash functions 73–74
implementation of 76–79
symmetric encryption 69–72
Cryptology 66
CTR  See Counter (CTR)
Custodian 36
Customary law 6
Custom-developed third-party products 203
Cyberincident response plan 172

D

Data 
in motion 68
at rest 68
Database integrity 195, 197
Database journal 197
Database management system (DBMS) 194
Database normalization 196
Database replication 197
Databases 
data warehousing and data mining 197–198
entity integrity 195, 195t
foreign keys 195
hierarchical 196–197
integrity 197
normalization 196
object-oriented 197
query languages 196
referential 195
relational 194–196
replication and shadowing 197
semantic 195
views 196
Database security 65–66
data mining 65–66
inference and aggregation 65
polyinstantiation 65
Database shadowing 175
Datacenter flood 170
Data classification 34–35
clearance 34
formal access approval 35
labels 34
need to know 35
sensitive information/media security 35
Data collection limitation 37
Data controllers 37
Data definition language (DDL) 196
Data destruction 
degaussing 40
destruction 40
dumpster diving 39
object reuse 39
overwriting 39–40
shredding 40
Data encryption standard (DES) 69–71
CBC 70
CFB 70
CTR 70, 71t
ECB 70
modes of 69–70, 70b
OFB 70
single 71
triple 71
Data execution prevention (DEP) 58
Data integrity 4, 137
Data link layer 98
Data loss prevention (DLP) 155–156
Data manipulation language (DML) 196
Data mining 65–66, 197
Data owners 36
Data processors 37
Data protection 
drive and tape encryption 44
media storage and transportation 44
in motion 43–44
at rest 43–44
Data remanence 37
overwriting 39
Data retention policies 150
Data security controls 
certification and accreditation 40
determination of 40
protecting data 43–44
scoping and tailoring 43
standards and control frameworks 40–43
Data warehouse 197
Decentralized access control 125
Decryption 66
Defense in depth 5
Degaussing 40
Delegation 198
Denial of service (DoS) 4
Desktop and application virtualization 113
Detection phase 151 See also Incident response management
Detective controls 21
Deterrent controls 21–22
Dictionary attack 119
Differential backups 174
Differential linear analysis 75
Diffie-Hellman key agreement protocol 73
Digital signatures 76–77
creation of 76, 76f
verification of 76, 76f
Digital subscriber line (DSL) 112–113
speeds and modes 113, 113t
types of 112–113
Direct-sequence spread spectrum (DSSS) 106
Disassembler 187
Disaster recovery plan (DRP) testing 
business interruption 178
parallel processing 177–178
read-through 177
review 177
simulation test/walkthrough drill 177
walkthrough/tabletop 177
Disaster recovery process 
activate team 165
assess 166
communicate 165
reconstitution 166
respond 165
Disclosure, alteration, and destruction (DAD) 4
Discrete logarithm 73
Disk encryption 156–157
Disruptive events 164–165, 165t
Distributed network protocol (DNP3) 104
Divestitures 14
Domain name system (DNS) 103
Drive and tape encryption 44
Due care 
and due diligence 8
gross negligence 8
Dumpster diving 39
Duress warning systems 87
Dynamic passwords 118
Dynamic random-access memory (DRAM) 38
Dynamic signature 124
Dynamic testing tests 139

E

EAP-Transport Layer Security (EAP-TLS) 111
EAP Tunneled Transport Layer Security (EAP-TTLS) 111
eDiscovery  See Electronic discovery
802.1X protocols 111–112, 111b
802.11 abgn 106, 106t
802.11i 107
Electronic backups 
database shadowing 175
differential backups 174
electronic vaulting 175
full system 174
HA options 175–176
incremental backups 174
remote journaling 175
tape rotation methods 174–175
Electronic code book (ECB) 70
Electronic discovery 149–150
Electronic vaulting 175
Elliptic curve cryptography (ECC) 73
Embedded device forensics 149
Emergency Operations Center (EOC) 173
Employee termination 19
Encryption 66
Endpoint security 
antivirus 156
application whitelisting 156
disk encryption 156–157
removable media controls 156
End-user license agreements (EULAs) 11
Enticement and entrapment 9
Environmental controls 85–90
ABCD fires and suppression 88
electricity 85–86, 85b
electromagnetic interference (EMI) 86
fire suppression agents 88–90, 89t
portable fire extinguishers 90
sprinkler systems 90
surge protectors 86
UPS and generators 86
Equal error rate (EER) 121
Erasable programmable read-only memory (EPROM) 38
Escrowed encryption 79
Ethernet 98
Ethics 15–17
(ISC)2® code of 15–16
Computer Ethics Institute 16
IAB and Internet 16–17
Ethics and the Internet 16–17
European Union (EU) privacy 11–12
Data Protection Directive 12
US-based organizations 12
Evaluation assurance level (EAL) 41
Evidence 9
best evidence rule 9
integrity 9
types of 9
Exclusive OR (XOR) 68, 68t
Executive Order 12356-National Security Information 34
Exposure factor (EF) 24
Extended unique identifier-64 (EUI-64) 100
Extensible authentication protocol (EAP) 111
EAP-TLS 111
EAP-TTLS 111
LEAP 111
PEAP 111
Extensible markup language (XML) 64, 126
Extranet 96

F

Facial scan 124
False accept rate (FAR) 121
False reject rate (FRR) 121
Fault tolerance 
redundant array of inexpensive disks (RAID) 158–162
system redundancy 162
Federated identity management (FIdM) 126
Fetch and execute cycle 55
Fibre Channel over Ethernet (FCoE) 104–105
Fibre Channel over IP (FCIP) 104–105
File allocation table (FAT) 39
File transfer protocol (FTP) 102
Financial damages 7, 8t
Fingerprints 122
Firewalls 109–110
packet filter 109, 110f
proxies 110
stateful firewalls 109–110, 110f
Firmware 
flash memory 38
PLD 38
ROM, types of 38
Flame detectors 87
Flash memory 38
Forensics 
electronic discovery 149–150
embedded device 149
media analysis 148–149
network 149
Formal access approval 35
Frame relay 104
Frequency-hopping spread spectrum (FHSS) 106
Full disclosure 202
Full-duplex communication 96
Full system backup 174
Fuzzing 140 See also Black-box testing

G

GitHub 192
Global area network (GAN) 96
Global positioning system (GPS) 124
Good Practice Guidelines (GPG) 180–181
Google Map 193
Greatest lower bound (GLB) 50
Grid computing 60

H

Hackers 28
Half-duplex communication 96
Halon extinguishers 89–90
Hand geometry 123–124
Hardcopy data 174
Hardware segmentation 57
Hash functions 73–74
collisions 74
MD5 74
SHA 74
Hashing 119
Heat detectors 87
Heating, ventilation, and air conditioning (HVAC) 86
static and corrosion 86
Heavyweight process (HWP) 56
Heuristic-based antivirus 63
Hierarchical databases 196–197
High-availability cluster 
active-active 162
active-passive 162
Host-based intrusion detection systems (HIDS) 155
Host-based intrusion prevention systems (HIPS) 155
Host-to-host transport layer 100
Hot site 170
Hybrid attack 119
Hybrid risk analysis 27
Hypertext transfer protocol (HTTP) 103
Hypertext transfer protocol secure (HTTPS) 103
Hypervisor 59

I

Identity and access management 
access control 
models 130–131
technologies 124–130
authentication methods 118–124
exam objectives 131–132
Identity and authentication 4
Identity as a service (IDaaS) 126
Identity management 126
Immunity Canvas 136
Incident handling checklist 150–151, 151f
Incident response management 
methodology 150–153
root-cause analysis 153
Incremental backups 174
Inference and aggregation 65
Information owner  See Data owners
Information security attestation 13 See also Attestation
Information security governance 17–20
baselines 18
documents 17–18
guidelines 18
procedure 17–18
security policy 17–18
standards 18
Information security professionals 2
Information security program 
business owners and mission owners 36
Information Systems Audit and Control Association (ISACA) 43
Information Technology Infrastructure Library (ITIL) 43
Infrastructure as a service (IaaS) 60
Instant messaging 
chat software 114
IRC 114
Integrated circuit card (ICC) 81
Integrated product team (IPT) 192
Integrity 3–4, 3f, 50–51
Biba model 51, 51b
Clark-Wilson model 51
types of 4
Intellectual property 10–11
copyright 11, 11f
licenses 11
patent 10–11
trademark 10, 10f
trade secrets 11
Interface testing 141
International Common Criteria 41–42
EALs 42
evaluation, levels of 42
International cooperation 12
import/export restrictions 13
International data encryption algorithm (IDEA) 71
International Organization for Standardization 42
International Software Testing Qualifications Board (ISTQB) 202–203
Internet 96, 100
Internet Activities Board’s (IAB) ethics 16–17
Internet control message protocol (ICMP) 99, 101
Internet message access protocol (IMAP) 102
Internet protocol security (IPsec) 78–79, 112
authentication header (AH) 78
encapsulating security payload (ESP) 78
internet security association and key management protocol (ISAKMP) 78
security association (SA) 78
tunnel and transport mode 78–79
Internet protocol version 4 (IPv4) 100–101
Internet protocol version 6 (IPv6) 101
Internet relay chat (IRC) 114
Internet service provider (ISP) 84
Internet small computer system interface (iSCSI) 104–105
Interpreted languages 187
Interrupts 56
Intranet 96
Intrusion detection system (IDS) 153–154
Intrusion prevention system (IPS) 153–154
Investigations, legal aspects of 8–9
entrapment and enticement 9
evidence integrity 9
Iris scan 123
(ISC)2® code of ethics 15–16, 16b
canons 15–16
ISO/IEC 17799:2005 42
ISO/IEC 27001:2005 42
ISO/IEC-27031 179–180

J

Java Virtual Machine (JVM) 64
Job rotation  See Rotation of duties

K

Kerberos 127–128
operational steps 127–128, 129f
Kernel, operating system 58–59
Keyboard dynamics 124
Key Distribution Center (KDC) 128
Known-good binaries 156 See also Application whitelisting

L

Labels 34
Large-scale parallel data systems 60–61
Lattice-based access control 50
Laws and regulations 6
Layered defense  See Defense in depth
Layering 52
Leadership 3
Least privilege 5, 147
Least upper bound (LUB) 50
Legal and regulatory issues 5–13
administrative law 7
civil law 7
compliance with 6
criminal law 7
liability 7–8
major legal systems 6
Legitimate traffic 155
Liability 7–8
Licenses 11
Lightweight directory access protocol (LDAP) 127
Lightweight extensible authentication protocol (LEAP) 111
Lightweight process (LWP) 56
Local-area network (LAN) 96, 103
Ethernet 103
Logical link control (LLC) 98
Log reviews 138

M

Machine code 186–187
Magnetic stripe cards 81
Maintenance hooks 62
Major legal systems 6
civil law (legal system) 6
common law 6
religious and customary law 6
Malicious code (malware) 62–63
antivirus software 63
computer viruses 62
logic bombs 63
packers 63
rootkits 62
Trojans 62
worms 62
Malware infection 163
Mandatory access control 147
Mandatory leave/forced vacation 148
Mantraps 82
Maximum allowable downtime (MTD) 168
Mean time between failures (MTBF) 168–169
Mean time to repair (MTTR) 168–169
Media access control (MAC) 98
addresses 100, 100b
EUI-64 100
Media storage and transportation 44
Meeting point leader 87
Memory 37–39
basics of 37–39
cache memory 38
data remanence 37
DRAM and SRAM 38
firmware 38
flash memory 38
protection of 56–57
hardware segmentation 57
process isolation 57
virtual memory 57
WORM storage 57
RAM and ROM 38
and remanence 37–39
SSD 39
Message Digest algorithm 5 (MD5) 74
Metropolitan area network (MAN) 96
Minimum operating requirements (MOR) 168–169
Minutiae 122 See also Fingerprints
Mission owners 36
Misuse case testing 141
Mitigation phase 152
Mobile device attacks 66
defenses 66
full disk encryption 66
Mobile sites 170
Modem 111
Monoalphabetic cipher 67–68
Montreal Protocol 90
Multiprotocol label switching (MPLS) 104
Multipurpose Internet mail extensions (MIME) 79
Multitasking and multiprocessing 56

N

Nessus 137
Network access layer 99–100
Network architecture and design 
application-layer TCP/IP protocols and concepts 101–103
converged protocols 104–105
fundamental concepts 96–97
LAN technologies and protocols 103
OSI model 97–99
RFID 107
SDN 105
TCP/IP model 99–101, 99t
WAN technologies and protocols 103–104
WLANs 105–107
Network attacks 136, 172
Network-based intrusion detection system (NIDS) 154–155, 154f
Network-based intrusion prevention system (NIPS) 154–155, 155f
Network concepts 96–97
circuit-switched networks 97
Extranet 96
full-duplex communication 96
GANS 96
half-duplex communication 96
Internet 96
Intranet 96
LANS 96
MANS 96
packet-switched networks 97
PANS 96
QoS 97
simplex communication 96
WANS 96
Network forensics 149
Network layer 98
The New New Product Development Game 189–190
Nexus 6 196
NIST SP 800-34 166, 171t, 179
Nondisclosure agreement (NDA) 148
Nondiscretionary access control 
role-based 130
task-based 131
Nonrepudiation 5
Nontechnical stakeholders 152

O

Object labels 34
Object-oriented databases 197
Object-oriented programming (OOP) 198–200
cornerstone 198–200
Object request brokers (ORBs) 200
Object reuse 39
Occupant emergency plan (OEP) 163, 172
Offshoring 20
One-time passwords 118
One-way hash functions 73
Online Certificate Status Protocol (OCSP) 77
Open and closed systems 54, 54b
OpenFlow 105
Open-source Metasploit 136
Open system interconnection (OSI) 98t
application layer 99
data link layer 98
network layer 98
physical layer 97–98
presentation layer 99
session layer 98–99
transport layer 98
vs. TCP/IP 99, 99t
OpenVAS 137
Open Web Application Security Project (OWASP) 64
Operating systems 49
Operational expenses (OPEX) 153
Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ 41
Operational preventive and detective controls 
data loss prevention 155–156
endpoint security 156–157
HIDS and HIPS 155
IDS and IPS 153–154
NIDS and NIPS 154–155
security information and event management 155
Organisation for Economic Co-operation and Development (OECD) 12, 37
Organizational registration authorities (ORAs) 77
Orphaned software 192
Orthogonal frequency-division multiplexing (OFDM) 106
Output feedback (OFB) 70
Outsiders 28
Outsourcing 20
Overwriting 39–40
data remanence 39
Ownership 
business/mission owners 36
custodian 36
data collection limitation 37
data controllers and data processors 37
data owners 36
information security roles 36
system owner 36
users 36

P

Packet filter firewall 109, 110f
Packet-switched networks 97
advantages of 97
QoS 97
Pairwise testing 140
Partial-knowledge tests 136
Passphrases 118
Password authentication protocol (PAP) 130
Passwords 118
dynamic passwords 118
guessing 118–119
hashes and cracking 119–120
one-time passwords 118
passphrases 118
static passwords 118
Patent 10–11
Payment Card Industry Data Security Standard (PCI DSS) 40–41, 138
core principles of 41
security standard 41
Peer-to-peer (P2P) networks 61
Penetration testing 
confidentiality 137
data integrity 137
system integrity 137
tests 136
tools and methodology 136–137
Pen testers 136
Perimeter defenses 79–83
CCTV 80–81
combination locks 81
dogs 83
doors and windows 82–83
fences 80
gates 80
guards 83
key locks 81
lights 80
locks 81
smart cards and magnetic stripe cards 81
tailgating/piggybacking 81
walls, floors, and ceilings 83
Permanent virtual circuit (PVC) 104
Personal area networks (PAN) 96
Personal digital assistants (PDAs) 114
Personal identification number (PIN) 82, 118
Personally identifiable information (PII) 3, 61
Personnel safety 87–88
Personnel security 19–20
background checks 19
employee termination 19
outsourcing and offshoring 20
security awareness and training 19
vendor, consultant, and contractor security 20
Phishers and spear phishers 29
Photoelectric motion sensor 82
Physical layer 97–98
Piggybacking  See Tailgating
Pipelining 55–56
Platform as a service (PaaS) 60
Point-to-point protocol (PPP) 112
Polyalphabetic cipher 67–68
Polyinstantiation 65, 199
Polymorphism 199
Port-based network access control (PNAC) 111
Power-on self-test (POST) 57
P2P networks  See Peer-to-peer (P2P) networks
Presentation layer 99
Pretty Good Privacy (PGP) 79
Primary memory 37
Privilege escalation 201
Processes and threads 56
Process isolation 57
Procurement 14
Programmable logic device (PLD) 38
Programmable read-only memory (PROM) 38
Protected EAP (PEAP) 111
Protection profile 41
Protocol governance 68
Proxy firewalls 110
application-layer 110
Prudent Man Rule 7
Public key infrastructure (PKI) 77
Publicly released software 
crippleware 188
free software 188
open-source and closed-source software 187
shareware 188

Q

Qualitative risk analysis 27
risk analysis matrix 27
Quality of service (QoS) 97
Quantitative risk analysis 27
ALE calculation 27

R

Radio frequency identification (RFID) 81, 107
Random-access memory (RAM) 37–38
Rapid application development (RAD) 190
Reading down and writing up model 50
Read-only memory (ROM) 37–38
Read-through test 177
Real-time transport protocol (RTP) 105
Reciprocal agreements 170
Recovery controls 21
Recovery phase 152
Recovery point objective (RPO) 168
Recovery strategy 
cold site 170
hot site 170
mobile sites 170
reciprocal agreements 170
redundant site 169
warm site 170
Recovery time objective (RTO) 168
Reduced instruction set computer (RISC) 56
Redundant array of inexpensive disks (RAID) 
Hamming code 159–160
mirrored set 159, 160f
striped set 
dedicated parity 160
distributed parity 160, 161f
dual-distributed parity 161
Redundant hardware 162
Reference monitor 43, 59
Regulatory law  See Administrative law
Relational databases 194–196, 194t
Religious law 6
Remediation 152–153
Remote access 112–115
cable modems 113
desktop and application virtualization 113
instant messaging 114
PDAs 114
remote desktop console access 113
remote meeting technology 114
screen scraping 113–114
Remote authentication dial-in user service (RADIUS) protocol 128–129
Remote desktop protocol (RDP) 113
Remote journaling 175
Removable media controls 156
Repeaters and hubs 108
Requirements traceability matrix (RTM)  See Traceability matrix
Response phase 151–152 See also Incident response management
Responsible disclosure 202
Retina scan 122–123
Return on investment (ROI) 3, 25–26
loss expectancy 26, 26t
Right to penetration test/right to audit 14
Rainbow table 119
Ring model 
CPU 53
hypervisor mode 53
schematic diagram of 53, 53f
usage of 53
Risk acceptance criteria 27
Risk analysis 
accept the risk 27
assets 22
impact of 23
mitigating risk 27
quantitative and qualitative 27
risk avoidance 27
TCO and ROI 26
threat 22
transferring risk 27
vulnerability 22
Risk analysis matrix 23, 23t
Risk management process 28
risk analysis process 28
Robust security network (RSN) 107, 107b
Role-based access control (RBAC) 130
Root-cause analysis 153
Rotation of duties 147
Routers 109

S

Safeguards 2
procedures 18
Safety awareness 87–88
Safety training 87–88
Safety warden 87
Sashimi model 188, 189f
Screen scraping 113–114
Scrum development model 189–190
Secondary memory 37
Secure communications 111–115
authentication protocols and frameworks 111–112
remote access 112–115
VPN 112
Secure European system for applications in a multivendor environment (SESAME) 128
Secure hardware architecture 54–58
ASLR 58
computer bus 54, 55f
CPU 54–56
DEP 58
memory protection 56–57
system unit and motherboard 54
TPM 58
Secure hash algorithm (SHA) 73–74
Secure network devices and protocols 107–111
bridges 108
firewalls 109–110
modem 111
repeaters and hubs 108
routers 109
switches 108–109, 108f
VLANs 109
Secure operating system and software architecture 58–59
kernel 58–59
reference monitor 59
Secure shell (SSH) 102
Secure sockets layer (SSL) 78, 112
Secure system design concepts 52–54
abstraction 52
layering 52
open and closed systems 54
ring model 53, 53f
security domains 52
Security and third parties 13–14
acquisitions 14
divestitures 14
procurement 14
service provider contractual security 13–14
vendor governance 14
Security architecture layers 52
Security assessment and testing 
assessing access control 136–138
software testing methods 138–141
Security association markup language (SAML) 126
Security audit 138
Security awareness 19
Security documentation 18, 19t
Security domains 52
Security engineering, domain 3 
cornerstone cryptographic concepts 66–68
cryptographic attacks 74–75
cryptography 68–74, 76–79
environmental controls 85–90
perimeter defenses 79–83
secure hardware architecture 54–58
secure operating system and software architecture 58–59
secure system design concepts 52–54
security models 49–52
site selection, design, and configuration 83–84
system defenses 85
system vulnerabilities, threats, and countermeasures 61–66
virtualization and distributed computing 59–61
Security Information and Event Management (SIEM) 155
Security models 
access control matrix 52
Bell-LaPadula model 50, 50b
Chinese Wall model 51
integrity models 50–51
lattice-based access control 50
operating systems 49
reading down and writing up 50
Security operations 
administrative security 146–148
asset management 157–158
backups and availability 173–176
BCP and DRP 
developing 166–173
frameworks 179–181
maintenance 178–179
process 162–166
testing, training, and awareness 176–178
continuity of operations 158–162
forensics 148–150
incident response management 150–153
operational preventive and detective controls 153–157
Security policy 17–18 See also Information security governance
Security risk management, domain 1 2
access control defensive 20–22
ALE 24–25
attackers 28–29
budget and metrics 26
computer crime 9–10
cornerstone information security concepts 3–5
defense in depth 5
due care and due diligence 8
ethics 15–17
gross negligence 8
identity and AAA 4–5
import/export restrictions 13
information security governance 17–20
intellectual property 10–11
international cooperation 12
investigations 8–9
least privilege 5
legal and regulatory issues 5–13
nonrepudiation 5
personnel security 19–20
privacy 11–12
risk analysis 22–28, 23t
ROI 25–26, 26t
security and third parties 13–14
subjects and objects 5
TCO 25
Security target 41
Security training 19
Sensitive information/media security 35
Sensitive media 35
Separation of duties 147
Server-side attacks 63
Service level agreement (SLA) 13, 158, 203
Service Management Practices-Core Guidance 43
Service-oriented architecture (SOA) 
heterogeneous applications 65
web services 65
Service provider contractual security 13–14
attestation 13
right to penetration test/right to audit 14
SLA 13
Service-side attacks  See Server-side attacks
Session initiation protocol (SIP) 105
Session layer 98–99
Shadow database 197
Shredding 40
Signature-based antivirus software 63
Simple mail transfer protocol (SMTP) 102
Simplex communication 96
Single-loss expectancy (SLE) 24
Single sign-on (SSO) 125–126
Site design and configuration issues 84
media storage facilities 84
shared demarc 84
shared tenancy and adjacent buildings 84
site marking 84
Site selection issues 83–84
crime 84
utility reliability 83–84
Smart card 81
Smoke detectors 87
Social engineering 136
Software as a service (SaaS) 60
Software capability maturity model 202
Software-defined networking (SDN) 105
Software development security 193
application development methods 188–194
databases 194–198
effectiveness of 200–203
object-oriented programming 198–200
programming concepts 186–188
Software Engineering Institute (SEI) 202
Software escrow 192
Software licenses 11
Software testing methods 
combinatorial 140
fuzzing 140
interface testing 141
levels 140
misuse case testing 141
static and dynamic testing 139
synthetic transactions 140
test coverage analysis 141
traceability matrix 139, 139f
Software vulnerabilities 200–202
Solid-state drives (SSDs) 34
ATA Secure Erase and destruction 39
garbage collection 39
vs. magnetic drive 39
TRIM command 39
Source code 186–187
Spiral model 190
Standards and control frameworks 40–43
COBIT 43
International Common Criteria 41–42
ISO 17799 and the ISO 27000 Series 42
ITIL® 43
OCTAVE® 41
PCI-DSS 41
Stateful firewalls 109–110, 110f
Static passwords 118
Static random-access memory (SRAM) 38
Static testing tests 139
Storage area network (SAN) 104
Storage protocols 104
Structured query language (SQL) 194
Switches, layer 2 device 108
network switch 108, 108f
Symmetric encryption 69–72
AES 71
blowfish and twofish 71–72
DES 69–71
IDEA 71
initialization vectors and chaining 69
RC5 and RC6 72
stream and block ciphers 69
Synchronous dynamic token 120
counter-based 120
time-based 120
Synthetic transactions 140
System defenses 85
asset tracking 85
port controls 85
System integrity 4, 137
System owner 36
System redundancy 162
Systems development life cycle (SDLC) 191–192
System unit and motherboard 54
System vulnerabilities, threats, and countermeasures 61–66
backdoors 61–62
client-side attacks 63
covert channels 61
database security 65–66
malicious code (malware) 62–63
mobile device attacks 66
server-side attacks 63
web architecture and attacks 63–65

T

Tailgating 81
Tailoring, of organization 43
Tape rotation methods 174–175
Target of evaluation (ToE) 41
Task-based access control 131
Telnet 102
Terminal access controller access control system (TACACS) 129
Test coverage analysis 141
Thin clients 61
Third-party payroll company 45
Threat 22
Ticket Granting Service’s (TGS) 128
Time of check/time of use (TOC/TOU) 201
Tort law 7
Total cost of ownership (TCO) 3, 25
outsourcing and offshoring 20
Traceability matrix 139, 139f
Trademark 10, 10f
Trade secrets 11
Transmission control protocol/Internet protocol (TCP/IP) 96
application-layer 100–103
host-to-host transport layer 100
ICMP 101
internet layer 100
IPv4 100–101
IPv6 101
MAC addresses 100
network access layer 99–100
vs. OSI model 99, 99t
reserved and ephemeral ports 101
UDP 101
Transport layer security (TLS) 78, 98
Triple data encryption algorithm (TDEA) 71
Triple Data Encryption Standard (TDES) 67
Trojan horse 62
Trusted platform module (TPM) 58
Tunneling 101b
Turnstiles 82
Type 1 authentication 118–120
Type 2 authentication 120
Type 3 authentication 120–124
Type I error  See False reject rate (FRR)
Type II error  See False accept rate (FAR)

U

Ultrasonic and microwave motion detectors 82
Unified Modeling Language (UML) 141
UNIX operating system 119–120
Unshielded twisted pair (UTP) 98
US Department of Defense (DoD) 50
User datagram protocol (UDP) 98–99, 127
Users, information security roles 36
US National Institute of Standards and Technology (NIST) 71

V

Vendor governance 14
Virtualization and distributed computing 59–61
cloud computing 59–60
grid computing 60
large-scale parallel data systems 60–61
P2P networks 61
security issues 59
thin clients 61
Virtualization escape (VMEscape) 59
Virtual LAN (VLANs) 109
Virtual memory 57
BIOS system 57
swapping and paging 57
Virtual network computing (VNC) 113
Virtual private networks (VPNs) 112
IPsec 112
PPP 112
SSL and TLS 112
Voice over Internet protocol (VoIP) 105
Voiceprint 124
Vulnerability 22, 137, 157

W

War dialing 136
WarGames 136
Warm site 170
Waterfall model 188
Web 2.0 63
Web architecture and attacks 63–65
ActiveX 64
applets 64
Java 64
OWASP 64
SOA 65
XML 64
White-box software testing 139
Whole-disk encryption 44
Wide area network (WAN) 96, 103–104
frame relay 104
MPLS 104
T1s, T3s, E1s, and E3s 103–104, 103b
Wi-Fi Protected Access 2 (WPA2)  See Robust security network (RSN)
Wired equivalent privacy protocol (WEP) 106–107
Wireless local-area networks (WLANs) 105–107
Bluetooth 107
DSSS 106
802.11 abgn 106, 106t
802.11i 107
FHSS 106
OFDM 106
Work recovery time (WRT) 168
Write once, read many (WORM) storage 57

X

Z

Zed Attack Proxy (ZAP) 64
Zero-day exploits 157
Zero-day vulnerabilities 157
Zero-knowledge test 136