INDEX

Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.

Numbers

1G mobile networks, 330, 377

2.4-GHz ISM band

ANT, 383

Bluetooth, 381

household devices, 385

2G mobile networks, 377

3DES (Triple Data Encryption Standard)

full drive encryption and, 306

PGP encryption and, 587

S-MIME encryption and, 585

security of, 95

SSH 2.0 support for, 361

SSL/TLS and, 598

symmetric encryption and, 108

weak keys in, 147

WTLS protocol support for, 377

3G mobile networks, 377, 379–380

4G mobile networks, 377, 380

802.1x, 389, 392–393

A

A fire extinguishers, 226

AAA (authentication, authorization and accounting)

RADIUS protocol, 351–353

remote access, 336

TACACS+, 353–356

AACS (Advanced Access Content System), Blu-ray Discs, 125

ABC fire extinguishers, 226

Acceptable use policy. See AUP (acceptable use policy)

Acceptance, risk, 689

Access-Challenge response, RADIUS, 352

Access control

authentication vs., 349

in authorization, 349

Bell-LaPadula security model, 38–39

Brewer-Nash security model, 39

defense in depth, 34, 36

demoted and promoted employees, 55

least privilege principle in, 630

mobile device management with, 407

need to know principle in, 50

networks and, 294–295

physical. See Physical security

remote, 335–336

retired, separated, or terminated employees, 55–56

security policies, 48

tokens used in, 341

Access control matrix, 328–329

Access points. See APs (access points)

Access principles, PII, 819

Access-Reject message, RADIUS, 352

Access-Request message, RADIUS, 352, 353

Access tokens, 216, 218

Account maintenance policy, 333

Account policies

account expiration, 335

account maintenance, 333

account recertification, 334

credential management, 332

disablement, 52

disabling accounts, 335

enforcement of, 332

expiration, 52

former employee accounts, 55

group policy, 332–333

lockout, 52–53

overview of, 332

recovery, 52

retired or terminated employees, 55–56

standard naming convention, 333

time-of-day restrictions, 334–335

usage auditing/review of, 334

Accountability, PII, 819

Accounting

RADIUS, 353

remote access, 336

TACACS+, 356

Accounts

device security and default, 278

hardening OS/NOS by disabling default, 469

level control for applications, 470

ACK (Acknowledgement) packet

how port scanners work, 452

spoofing and sequence numbers, 546

SYN flooding, 539

TCP, 244, 245

ACLs (access control lists)

authorization and, 349

data security controls for, 503

in discretionary access control, 329–330

errors/exceptions in, 633

establishing/maintaining, 285

firewalls and, 289

network security and, 283–284

overview of, 327–329

routers using, 285

in rule-based access control, 331

in SIEM, 446

Acoustical-seismic (audio) detection, alarms, 211

Acquisition, CMMI-ACQ for, 729

Active HIDSs, 440–441

Active logging, digital forensic analysis, 779, 780

Active NIDSs, 434–435

Active Server Pages (ASP), code vulnerabilities, 611

Active tools, 453–454, 710

ActiveX, 609–610, 616

Actors. See Threat actors

Ad hoc networks, 238

Add-ons, 614–616

Address notation, IPv6, 248

Address Resolution Protocol. See ARP (Address Resolution Protocol)

Address space, IPv6 vs. IPv4, 248

Address system attacks, 552–553

ADK (Additional Decryption Key), PGP, 588–589

Administrative controls, 691

Administrative law, 795

Administrator accounts

defined, 320

disabling accounts from, 335

hardening in Linux OS, 478–479

Administrators, responsible for backups, 661

Advanced Access Content System (AACS), Blu-ray Discs, 125

Advanced Encryption Standard. See AES (Advanced Encryption Standard)

Advanced malware tools, 456

Advanced persistent threats. See APTs (advanced persistent threats)

Adverse actions policy, 56–57

Adware, 487, 534–535

AES (Advanced Encryption Standard)

in AACS for Blu-ray discs, 125

in Bitlocker, 126

in current version of S/MIME, 131

in full drive encryption, 306

overview of, 108–109

as symmetric encryption standard, 108

in WPA2, 389–391

Affinity grouping tools, risk management, 711

After-action reports, BCP, 671

Aggregation

analyzing security data in SIEM, 446

switches, 271

weakness in WAP, 378

AH (Authentication Header) protocol, IPsec, 140

AI (artificial intelligence), heuristic model of IDS, 428

Air conditioning, HVAC for, 223, 513–514

Aircraft/UAVs, hardening, 517

Airgap, 215, 266–267

Alarm systems, 210–211, 439

ALE (annualized loss expectancy), 687, 704

Algorithms, cryptographic

attacks on weaknesses in, 147–150

comparative strengths/performance of, 95

history of, 97–98

in operations, 94

selecting, 133

substitution ciphers using, 98–100

using only approved, 630–631

weakness and errors in, 93, 128

All-glass cockpit, modern jets, 517

Alteration, protecting digital evidence from, 776

Alternate data streams, NTFS on Windows, 783

Alternative sites, BCP, 671–672

Amplification attacks, 555

Analysis, computer forensics

active logging, 780

recovery, 779

steps in, 778–779

strategic intelligence/counterintelligence, 779–780

tracking man hours, 780

using copies of evidence, 776

Analysis engine

HIDS, 436–437

IDS, 426–427

NIDS, 432

Analytics, detecting events, 445

Analyze, SEI risk management model, 698

Anderson, James, 425

Android, hardening, 510–511

Annualized loss expectancy (ALE), 687, 704

Annualized rate of occurrence (ARO), 687, 703–704

Anomaly detection model, IDS, 418, 427–428

Anonymity, 386, 813

Anonymizing proxy, 297

ANT, wireless connectivity with, 383

Antennas, configuring, 396–397

Anti-Phishing Working Group (APWG), 549

Anti-XSS libraries, 638

Antimalware programs

antispam products, 484–485

antispyware products, 485

antivirus. See AV (antivirus) products

antivirus software for servers, 483

antivirus software for workstations, 483–484

avoiding detection with polymorphic malware, 532

detection of malware by, 531

hardening Windows Server with ELAM, 473

need for, 480–481

pop-up blockers, 486–487

secure baseline, 480–487

Windows Defender, 485–486

Antispam products, 484–485

Antispyware, 485

Antivirus products. See AV (antivirus) products

Anycast message, IPv6, 248

App stores, mobile device usage policies, 410

Apple store, mobile device usage policies, 410

AppleTalk, network protocol, 239

Applets, code vulnerabilities of signed, 616

Appliances, 466

Application attacks

arbitrary/remote code execution, 642

attachments as vector of, 641

avoiding coding with, 632

buffer overflow, 640–641

client-side attacks, 641

code injections, 638–640

cross-site request forgery (XSRF), 641–642

cross-site scripting, 637–638

directory traversal/command injection, 640

integer overflow, 641

locally shared objects (LSOs), 641

malicious code, 537–538

Open Vulnerability and Assessment Language (OVAL), 643

overview of, 537–538, 637

zero day, 641

Application cells/containers, virtualization, 280

Application configuration baseline, hardening, 494–495, 644

Application control

HIDS, 439

HIPSs, 441

Application hardening

application configuration baseline, 494–495, 644

application vulnerability scanners, 500

code reuse/dead code, 646

code signing, 645

data exposure, 647

encryption, 645

host software baselining, 498

host vulnerability scanners, 498–500

in Linux OS, 478

memory management, 646

network vulnerability scanners, 498

NoSQL databases vs. SQL databases, 644

obfuscation/camouflage, 645–646

overview of, 494

patch management, 495–498, 644

patches, 495

server-side vs. client-side validation, 644–645

in software development, 643–647

use of third-party libraries and SDKs, 646–647

vulnerability scanners, 500

Application layer proxies, 289–290

Application level rootkits, 533

Application servers, 520

Applications

AppLocker and, 488–489

cryptographic, 126–127

development of mobile device, 403

security for mobile device, 408–410

web-based vulnerabilities of, 617–619

whitelisting vs. blacklisting, 469–470, 487–488

Applied cryptography

authentication, 124

cipher suites. See Cipher suites

confidentiality, 123

cryptographic applications, 126–127

cryptographic attacks, 147–150

digital rights management (DRM) securing, 125–126

digital signatures, 124–125

HTTP Secure (HTTPS), 140

integrity, 123

IP Security (IPsec), 140

nonrepudiation, 124

other information security standards, 151–152

overview of, 122

Pretty Good Privacy (PGP), 137–140

review, 153–155

secure protocol use cases, 145–147

secure protocols, 142–144

steganography, 140–142

using proven technologies, 127

AppLocker, 470, 488–489

APs (access points)

802.11 and, 385

802.11 attacks using, 386–387

ad hoc network advantages, 238

configuring antennas, 396–397

configuring wireless systems, 394

controller based vs. standalone, 394

fat vs. thin, 394

rogue, 400

in wireless networks, 238, 386

APTs (advanced persistent threats)

attack model, 741–742

attacks, 562–563

overview of, 4–5

penetration testing for, 711

poor choices for, 556

signs of, 563

stealth, and continuous presence of, 561

APWG (Anti-Phishing Working Group), 549

Arbitrary/remote code execution attack, 643

Architectures

BYOD connections to corporate, 417–418

network, 235–236

non-regulatory reference, 518

regulatory bodies for industry, 518

Argon systems, clean-agent fire suppression, 225

Ariane rocket program, 648

Armored viruses, 530

ARO (annualized rate of occurrence), 687, 703–704

ARP (Address Resolution Protocol)

attacks, 251–252

finding MAC address for another system, 251

in IPv6, 248–249

poisoning, 285

Artificial intelligence (AI), IDS, 428

AS (authentication server), Kerberos, 339

ASA (Attack Surface Analyzer), 475

ASCII text, code vulnerabilities of cookies, 611

Asian privacy laws, 830–831

ASP (Active Server Pages), code vulnerabilities, 611

ASP.NET, code vulnerabilities, 611

Asset value (AV), risk calculation, 703

Assets

defined, 686

identifying in risk management, 696

mobile device management and, 406

Association, 802.11 standard and, 385

Assurance, as something proven as true, 94

Asymmetric encryption

Diffie-Hellman variations, 114

digital signatures based on, 124–125

ElGamal, 115–116

elliptic curve cryptography (ECC), 116–117

key management in, 100

key pair in, 97, 112–113

limited for confidentiality, 123

nonrepudiation based on, 124

overview of, 112–114

RSA algorithm, 115

S/MIME e-mail, 586

software tokens using, 341

summary of, 117

symmetric encryption vs., 117–118

as time consuming, 138

Atbash cipher, 100

ATM (Asynchronous Transfer Mode), 239

ATMs (automated teller machines)

protecting passwords at, 81

shoulder surfing at, 79

Attachments, e-mail

as attack vector, 641

AV program and, 578

MIME message delivery with, 574

spread of viruses via, 576–577

structure for, 572

Attack surface, 37

Attack Surface Analyzer (ASA), 475

Attack surface area minimization, software development, 628, 632–633

Attacks

802.11, 386–387

anatomy of, 740–743

application-level. See Application attacks

auditing and, 564–566

avenues of, 527

Bluetooth, 382

common targets of, 15–16

cryptographic, 147

firewalls mitigating network-based, 290

malware. See Malware (malicious code) attacks

minimizing avenues of, 527–528

network/computer system. See Network and computer system attacks

overview of, 527

PBX vulnerabilities, 293

reducing surface area of, 471

review, 567–569

tools, 563–564

wireless, 398–402

Attributes

threat actor, 13–14

UPS system, 229

Audio (acoustical-seismic) detection, alarms, 211

Audit logs, defense in depth, 36

Audit trails, in HIDS, 436–441

Auditability, defined, 24

Auditing

attacks, 564–566

computer security, 564–566

configuration, 726

usage and access control logs, 334

user accounts, group membership and password strength, 320

AUP (acceptable use policy)

content-filtering proxies and, 297

enforcing with proxies, 298

organizational e-mail policies similar to, 578

overview of, 57–58

Authentication. See also AAA (authentication, authorization and accounting)

802.11, 385

access control vs., 349

account policies for, 332–335

basic, 338

certificates, 340

configuring SSID for wireless, 395

cryptography supporting, 124, 134

defined, 24, 319

digest authentication, 338

domain passwords and, 323–324

electronic access control system, 217–218

flaws in WTLS, 378

HOTP/TOTP for, 341

Kerberos, 338–340

methods of, 337–338

mobile device application, 409–410

mobile device context-aware, 406

multifactor, 342–343

mutual authentication, 340

overview of, 271–272, 319

preventing data loss or theft, 335

RADIUS, 351–352

remote access, 336

review, 367–373

S/MIME e-mail encryption, 586

single sign-on (SSO), 324–325

smart cards for, 342

software tokens for, 341

SSL/TLS, 597–598

TACACS+, 354–355

tokens, 340–341

user, group, and role management, 319–323

in WEP-based systems, 391

wireless protocols for, 391–392

in WPA vs. WPA2, 391

Authentication, controls and permissions

access control lists (ACLs), 327–329

attribute-based access control (ABAC), 332

discretionary access control (DAC), 329–330

mandatory access control (MAC), 329

overview of, 325–327

role-based access control (RBAC), 331

rule-based access control, 331

Authentication Header (AH) protocol, IPsec, 140

Authentication protocols

CHAP, 359

EAP, 359

NTLM, 359–360

OAuth, 362

OpenID Connect, 362

PAP, 360

PPP, 358–359

remote access methods, 356–363

SAML, 361–362

secure token, 362–363

Shibboleth, 362

SSH, 360–361

Telnet, 360

tunneling, 356–358

Authentication server (AS), Kerberos, 339

Authenticode, ActiveX, 609–610, 616

Authorities

collecting PII, 819

provisioning and deprovisioning, 652

in social engineering, 74–75

Authorization. See also AAA (authentication, authorization and accounting)

penetration testing, 706

RADIUS, 353

remote access, 336, 348–349

TACACS+, 355–356

vulnerability testing, 706

Autofill, as browser risk, 619

Automated teller machines (ATMs), risk, 79, 81

Automation

of alerts in SIEM, 446

of policy enforcement, 48

of probes roaming Internet, 481

reducing errors, 504

security, 650–651

Automation and scripting

automated courses of action, 504

configuration validation, 505

continuous monitoring, 504–505

distributive allocation, 508

elasticity, 507

hardening systems with, 504–508

master images, 506

nonpersistence, 506–507

scalability, 508

TCP wrappers, 506–507

templates, 505–506

Autoplay feature, disabling on CD/DVDs, 220–221

AV (antivirus) products

antimalware, 481–483

antivirus software for, 483–484

BYOD and, 416

as defense against malware, 537

not a panacea for e-mail protection, 577

AV (asset value), risk calculation, 703

Availability

BCP. See BCP (business continuity plan)

as CIA security goal, 24

DRP. See DRP (disaster recovery plan)

of host/hypervisor in virtual environment, 281

importance of, 277

patch, 496–497

redundancy for. See Redundancy

Avenues of attack, minimizing, 527–528

B

Backdoors, 83–84, 535–536

Backout plan, 677, 727

BackTrack tool, 563

Backup generators, emergencies, 672

Backups

backout plan for complete system restore via, 727

lifetimes for magnetic media, 308

policies for data, 49

power source, 229

spam reduction improving e-mail, 583

VM snapshots as, 281

Backups, DRP/BCP

cloud, 673–674

delta backups, 663

differential backups, 663

frequency and retention of, 664–665

full backups, 662–663

geographic considerations, 666–667

offsite, 666–667

onsite storage and, 665

overview of, 661

review, 679–682

snapshots, 663–664

storage of, 666

strategies for, 662

types of, 662

what needs to be backed up, 661–662

Badging system, physical access control, 217–218

Band selection/width, wireless configuration, 396

Banking

Basel Committee on Banking Supervision, 685–686, 692

U.S. rules and regulations for, 825

user actions to protect information, 834

Banner grabbing, network security tools, 454

Barbed wire, chain-link fencing, 209–210

Bare-metal hypervisors, 280

Barricades, physical security, 210

Basel Committee on Banking Supervision, 685–686, 692

Baseline

application configuration, 494–495

host software, 498

identifying/analyzing in risk management, 711

overview of, 461

secure. See Secure baseline

Baseline, secure

antimalware, 480–487

in change management, 732

change management, 731

hardening Microsoft OS, 472–477

hardening UNIX- or Linux-based OSs, 477–480

hardware security, 491

host-based firewalls, 488–491

machine hardening, 471–472

overview of, 470–471

whitelisting vs. blacklisting applications, 487–488

Baselining

defined, 461

establishing base security state of software, 732

security automation via, 651

Basic authentication, 338

Batch mode, HIDS in, 436

BC (business continuity)

incident response and, 739

incident response plan and, 747

overview of, 668

BCP (business continuity plan)

after-action reports, 670

alternative sites, 671–672

business impact analysis (BIA), 669

continuity of operations, 670

exercises/tabletop, 670

failover, 670

identifying critical systems and components, 669

order of restoration, 672

overview of, 668–669

removing single points of failure, 669

review, 679–682

risk assessment, 669

secure recovery, 673

succession planning, 669–670

test, exercise and rehearse, 659–660

utilities, 672–673

Bcrypt, 130–131

Beacon frames, 385, 395

Behavior-based IDS, 428, 441

Behavior, testing software for undesired, 628–632

Bell-LaPadula security model, 38–39, 40

Benchmarks, and secure configuration guides, 519–521

Berners-Lee, Tim, 594–595

Best evidence rule, using in court, 769

Best practices

incident response, 757–761

incident response investigations, 753–754

risk management, 713–715

security awareness training, 65

separation of duties in IT organizations, 723–724

BHOs (browser helper objects), malicious add-ons, 615–616

BIA (business impact analysis)

adds objectivity to qualitative risk assessment, 701–703

categories of business functions, 658–659

in disaster recovery plan, 658

sources of risk, 692

Biba security model, 39, 40

Big data

computer forensics, 787

security controls, 502

Binary assessment, qualitative risk assessment, 700

Binary conditions, early days of computer security, 14

Biometric factors

crossover error rate (CER), 347

facial recognition, 345

false acceptance rate (FAR), 346–347

false positives and false negatives, 345–346

false rejection rate (FRR), 347

fingerprint scanner, 344

iris scanner, 345

remote access, 344–348

retinal scanner, 344

understanding, 344

voice recognition, 345

Biometrics

access control for mobile devices, 406

authentication using, 218

calculation example, 348

mobile device management, 405

as something you are authentication, 337, 342

BIOS (basic input/output system)

and hardware/firmware security, 462

physical security policies/procedures for, 219

UEFI security advantages over, 219

Birthday attacks, 147, 558

BIS (Bureau of Industry and Security), 802

Bit-level error-correcting code (RAID 2), 678

BitLocker

file system encryption, 126

hardening Microsoft OSs, 472

hardening Windows Server, 472

Bitwise AND operation, 255

Black-box testing

in software development, 632

in systems testing, 708

Blacklisting

with antispam products, 484

controlling applications on mobile devices, 409

hardening OS/NOS by application, 469–470

spam filtering via, 580

vs. whitelisting applications, 487–488

Blacklists, fighting spam, 583

Block ciphers

AES as, 108–109

DES as, 107

IDEA as, 111

stream ciphers vs., 113

Twofish as, 110–111

Block lists, fighting spam, 583

Block-striped with error check (RAID 5), 678

Blocking, data loss prevention with USB, 448

Blowfish cipher

Bcrypt using, 131

in symmetric encryption, 110

weak keys in, 147

Blu-ray Discs, Advanced Access Content System (AACS), 125

Blu-ray discs, data storage, 307

Bluebugging attack, 401

Bluebugging DoS attack, 401

Bluejacking attack, 400

Bluesnarfing, 400

Bluetooth

attacks, 382, 400–401

data rates, 382

requiring connections to be undiscoverable, 408

wireless security and, 381–382

Bollards, physical security, 209, 210

Boot sector viruses, 529

Bootdisk attacks, 206, 220–221

Bootdisks, creating, 207

Botnets

famous, 535

great risk of, 481

malware attacks via, 535

Operation Bot Roast, 3, 535

spreading criminal spam, 575

Brand-name attacks, 12–13

Brewer-Nash security model, confidentiality, 39

Bring your own device. See BYOD (bring your own device)

British thermal units (BTUs), environmental controls, 223

Broadcast addresses, 256

Broadcast domain, 265

Browser

ActiveX components for, 610–611

code vulnerabilities in plug-ins, 614–615

JavaScript code vulnerabilities in, 608–609

malicious add-ons, 615–616

plug-ins for, 614–615

pop-up blockers for, 609

scripting, 611

securing, 610

session hijacking with takeover of, 618

Browser helper objects (BHOs), as malicious add-ons, 615–616

Brute-force attacks

in hybrid attacks on passwords, 557–558

key stretching protection against, 130–131

offline vs. online, 149–150

as password-guessing attacks, 149, 323, 556–557

BTUs (British thermal units), environmental controls and, 223

Buffer overflow attacks

as application attacks, 640–641

incidents of, 3, 640

overview of, 559

from poor coding practices, 606

Bugs

as remote access vulnerability, 365

software exploitation attacks using, 558

tracking in secure development, 636

Bump key attacks, preventing, 212

Bureau of Industry and Security (BIS), 802

Burning, data destruction via, 816

Burp Suite penetration test tools, 564

Bus topology, 236–237

Business

continuity. See BC (business continuity)

continuity management, 691, 692

continuity plan. See BCP (business continuity plan)

impact analysis. See BIA (business impact analysis)

risks, 691–694

technology risks, 692

Business functions

basing initial incident response on, 749

incident response team responsible for, 746

recovering essential, 755

Business partners

on-boarding/off-boarding policies with, 56

business partnership agreements (BPAs), 67

interoperability agreements with, 66–67

BYOD (bring your own device)

human resources policies for, 59

mobile device deployment model, 415–418

using mobile device management (MDM), 511

Byte-striped with error check (RAID 3), 678

C

C2 (command and control) servers, botnets, 535

Cable locks, portable equipment, 213, 216

Cable modems, 292–293

Cable shielding, 229

Cables

coax, 301

fiber-optic, 303–304

protected distribution/protected cabling between systems, 215

USBs connecting devices to, 383

UTP/STP, 301–302

CAC (Common Access Card) smart cards, DoD, 340

Cache poisoning, 553–555

Caching proxy, 297

Caesar’s cipher, 98–99

CAINE Computer Forensics Linux Live Distro and SANS Investigative Forensic Toolkit (SIFT), 779

California Senate Bill 1386 (SB 1386), disclosure of lost PII, 825

Callback verification, spam filtering via, 581

Cameras

CCTV, 214

hardening systems, 512

infrared (IR) detection, 214

usage policies for mobile devices, 412

Camouflage, application hardening via, 645–646

Campus area networks (CANs), 235

CAN bus (controller area network bus), vehicles, 516–517

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003), 798

Canadian law

digital signatures, 804

privacy, 830

Canonicalization, defined, 634

Canonicalization errors, 634

CANs (campus area networks), 235

Capability Maturity Model Integration (CMMI) process models, 729–730

Capacitance detectors, alarm systems, 211

CAPEC (Common Attack Pattern Enumeration and Classification), 760

CAPI (Microsoft CryptoAPI), algorithm selection, 133

Captive portals, wireless configuration, 398

Cards, physical access control, 217–218

Carrier unlocking, mobile device usage, 411

Case law (or common law), 795

CAST (Carlisle Adams and Stafford Tavares) algorithm

how PGP works, 138

PGP e-mail encryption, 587

in symmetric encryption, 109

Catalog of controls, NIST, 691

Categories

business functions for DRP, 658–659

data classification, 49–50

IDS models, 428

NIST catalog of controls, 691

proxy server, 297–298

shared secrets for authentication, 337

twisted-pair lines, 302

Cause-and-effect analysis, risk management, 711

CBC (Cipher Block Chaining), mode operation, 111

CC (Common Criteria), 151, 466–467

CCB (Change control board), purpose of, 727–729

CCMP (Counter Mode with Cipher Block Chaining–Message Authentication Codes Protocol), 388, 393

CCTV (closed-circuit television) cameras

computer forensic evidence, 774

monitoring workplace, 214

CDIs (constrained data items), Clark-Wilson security model, 41

CDs (compact discs)

attackers gaining physical access via, 207–208

data storage using CD-Rs/CD-RWs, 307

disabling autoplay on, 220–221

Ceilings, and physical security, 209

Cells, application, 280

Cellular connections, 381

Cellular phones, 381

CER (crossover error rate), biometrics, 347

CERT (computer emergency response team), 739–740

Certificates

asymmetric keys distributed by digital, 113

authentication with, 340

code signing and, 616

Kerberos, 340

SSL/TLS, 598–599

TLS configuration, 131

transport encryption and, 131–132

CFAA (Computer Fraud and Abuse Act)

computer misuse convictions, 795, 799

overview of, 797–798

protecting privacy of computer records, 822

CGI (Common Gateway Interface), 610, 611

Chain-link fencing, for physical security, 209–210

Chain of custody

in forensic investigation, 777–778

protecting digital forensic evidence, 776

steps in, 780–781

transporting evidence and, 776

Challenge-Handshake Authentication Protocol (CHAP), 359

Change control board (CCB), purpose of, 727–729

Change management

Capability Maturity Model Integration, 729–730

change control board, 727–729

code integrity, 729

as critical management tool, 685

elements of, 724–726

environment, 730–731

implementing, 726–727

integrity measurement, 733

mitigating risk via, 694–695

overview of, 720–721

policies, 48–49

reasons for, 721–723

review, 734–737

sandboxing, 731–732

secure baseline, 731

in secure software development, 652

separation of duties in, 723–724

technology risks associated with, 692

types of changes in, 722

Change requests, change control board process, 728

Changes, defined, 722

CHAP (Challenge-Handshake Authentication Protocol), 359

Checksums, protecting from program viruses, 529

Children’s Online Privacy Protection Act (COPPA), 822–824

China

nation-state hacking by, 7

poor privacy practices/eavesdropping of, 831

Chinese Wall security model, 39

chmod command, Linux OS permissions, 479

Choice, collecting PII, 819

Choose your own device (CYOD) model, 414

Christmas attack, as scanning attack, 551

CIA (confidentiality, integrity and availability), 24, 277

CIP (Critical Infrastructure Protection) standards, NERC, 518, 519

Cipher Block Chaining (CBC), mode operation, 111

Cipher locks, physical access control, 212–213

Cipher modes of operation, 109, 111–112

Cipher Suite Registry, TLS, 124–125, 127

Cipher suites

common uses of, 133–135

comparing asymmetric encryption to, 117–118

data at rest, 132

data in transit, 132

data in use, 132

defined, 127

ephemeral keys, 130

hash message authentication code (HMAC), 133–135

key escrow, 129–130

key exchange, 129

key stretching, 130–131

overview of, 127

proper TLS configuration, 131

secret algorithms, 128–129

session keys, 130

strong vs. weak ciphers, 128

transport encryption, 131–132

weak/deprecated algorithms, 128

Ciphers, defined, 92

Ciphertext

cryptanalysis and, 92–93

defined, 92

as encrypted output, 97

encrypting plaintext into, 551

known attacks on, 147

CIS Critical Security Controls, 521

Citibank, 1994 security incident, 2

Clark-Wilson security model, 40–41

Classifications

Bell-LaPadula security model, 38–39

of bugs, 636

fire, 225–226

information, 49–50

network address spaces, 256

network topology, 236–237

of threats in risk management, 696–697

Clean-agent fire suppression systems, physical security, 225

Clean desk policy, 59, 84

Cleartext, remote access vulnerability, 364–365

Click fraud, 793

Clickjacking, client-side attack, 561

Client/server networks

defined, 236

Kerberos authentication for, 338–340

TACACS+ protocol for, 354

Client-side attacks

application-based weaknesses, 618–619

clickjacking, 561

on computer systems/networks, 560–561

drive-by download attacks, 561

header manipulations, 560

injection attacks, 560

overview of, 560

typo squatting/URL hijacking, 560–561

watering hole attacks, 561

Client-side validation, for application hardening, 644–645

Client-to-server (or service) ticket, Kerberos, 339

Closed-circuit television (CCTV) cameras

in computer forensic evidence, 774

monitoring workplace, 214

Closed ports, port scanner response, 452

Cloud-based DLP, 448

Cloud computing

automation/scripting elasticity in, 506

cloud access security brokers for, 314

data security controls, 502

forensics and e-discovery, 787

infrastructure security, 311–312

national vs. international reference architecture, 518–519

overview of, 673–674

on-premises or hosted security vs., 313

risk management best practices, 714–715

secure backups to, 673–674

service models, 312–313

Clusters

host forensics on file systems, 781–782

and load balancing, 676

for redundancy, 675

CMMI (Capability Maturity Model Integration) process models, 729–730

Coaxial cable, 301

Cobalt Strike tool, 564

COBO (corporate-owned business-only) model, 414–415

Code. See also Web components, code vulnerabilities

compiled vs. runtime, 650

integrity, in change management, 729

quality/testing in software development, 647–649

reusing for application hardening, 646

secure. See Software engineering process

Code of ethics policy, 54

Code Red worm, 3

Code signing

application hardening via, 645

purpose of, 616

signed applets, 616

using Authenticode for, 609–610

Coding phase, software development, 628–632

COFEE (Computer Online Forensics Evidence Extractor), 771

Cold aisle/hot aisle layout, data center, 223

Cold sites, 671

Collectors, network technology, 269

Collision attacks, 103–105, 150

Collision domains, 283, 284

COM-SEC (communication security), 23

Comité Consultatif International Téléphonique et Télégraphique (CCITT), X.25A protocol, 239

Command and control (C2) servers, botnets, 535

Command injection attacks, 640

Comment Crew malware, 13

Common Access Card (CAC) smart cards, DoD, 340

Common Criteria (CC), 151, 466–467

Common Gateway Interface (CGI), 610, 611

Common law (or case law), 795

Communication, and redundancy, 673

Communication security (COM-SEC), 23

Community cloud system, 312

Compact discs. See CDs (compact discs)

Company Confidential data classification, 49–50

Compensating controls, 690

Competent evidence, computer forensics, 769

Compiled vs. runtime code, 650

Complete mediation principle, 32

Complexity

key stretching using computational, 130–131

managing password, 51, 323

as problem in security, 31

Compliance, security training/awareness, 64

Components

BCP identifying critical, 669

IDS, 426–427

network. See Network components

NIDS, 431–432

Web. See Web components

Computer crime, in 21st century, 793–794

Computer emergency response team (CERT), 739–740

Computer forensics

analysis, 778–780

big data, 787

BYOD and, 416

chain of custody, 780–781

cloud, 787

cyber first responders and, 750

device forensics, 784

duplication of drives in, 754

e-discovery, 786–787

evidence, 767–769

host forensics, 781–784

incident containment/eradication and, 750

initial incident response and, 749–750

legal hold process, 785

message digest and hash, 781

network forensics, 785

overview of, 766–767

review, 788–791

Computer forensics process

acquiring evidence, 771–775

conducting investigation, 777–778

identifying evidence, 775

protecting evidence, 776

steps in, 770–771

storing evidence, 777

transporting evidence, 776

Computer Fraud and Abuse Act. See CFAA (Computer Fraud and Abuse Act)

Computer ID, in remote access, 336

Computer mischief, as criminal activity, 795

Computer Online Forensics Evidence Extractor (COFEE), 771

Computer security

approaches to, 16–18

concept of, 23

current threat environment, 4–8

defined, 1

ethical issues, 18

historical incidents, 1–4

importance of physical security, 205

threats to. See Threats

Computer security, general concepts

additional references, 41

basics, 23–24

CIA of, 24

complete mediation principle, 32

Cybersecurity Framework model, NIST, 25–27

defense in depth principle, 34–36

diversity of defense principle, 36

economy of mechanism principle, 31–32

encapsulation principle, 36

fail-safe defaults principle, 31

fortress model, 24

host security, 28

least common mechanism principle, 33

least privilege principle, 29–30

network security, 28–29

open design principle, 32–33

operational model, 24–25

overview of, 22

psychological acceptability principle, 33–34

review, 42–45

security models, 37–41

security principles, 29–37

security tenets, 27–28

separation of privilege principle, 30–31

terminology, 23

time-based security, 25

trust relationships, 37

Computer system attacks. See Network and computer system attacks

Computer trespass, as criminal activity, 795

Concentrators, network security and, 291

Concept virus, 529–530

Conduits, in control networks, 267

Conficker (Downadup worm), 3

Confidential data classification

handling sensitive data, 814

overview of, 50–51

U.S. government multilevel security, 330

Confidentiality

as CIA security goal, 24

cryptography protecting, 94–95, 123, 134

security models enforcing, 38–39

WEP not trusted to provide, 387

Confidentiality, integrity and availability (CIA), 24, 277

Confidentiality models, 38–39

Configuration

application configuration baseline, 494–495

auditing, 726

automation/scripting validation for, 505

hardening Microsoft OS, 474

hardening OS/NOS, 468–469

management, 28, 721, 724–725

platform/vendor-specific guides for, 519–521

proper TLS, 131

risk mitigation by controlling, 694–695

testing for misconfiguration, 707

Conflict of interest, Brewer-Nash model, 39

Confusion, cryptographic, 96

Congestion Window Reduced (CWR) packet flag, TCP, 245

Connection-oriented protocol, TCP, 243–244

Connection protocol, SSH, 361

Connectionless protocols

ICMP, 245–246

RADIUS, 351

UDP, 243

Connections

cable/DSL designed for continuous, 293

in complex networks, 263

managing with proxies, 296–298

securing remote access, 336

SSL/TLS, 598

testing network, 285

Connectivity, mobile device

Bluetooth, 381–382

mobile phones, 377–380

near field communication (NFC), 382

other means of, 382–383

SATCOM, 381

Connectors, USB-based wireless, 292

Consensus, in social engineering, 75

Consent requirements, GDPR, 830

Consent, when collecting PII, 819

Constrained data items (CDIs), Clark-Wilson model, 41

Constraints, cryptographic vs. security, 135

Contactless access cards, 212

Containerization, mobile device management, 405–406

Containers, application, 280

Containment, incident response process, 750–752

Content

Internet content filters, 299

managing for mobile devices, 404

spam regulations in CAN-SPAM Act, 798

unified threat management inspection of, 300

web security gateways monitoring, 298

Content-based signatures, IDS, 429

Content filtering

with antispam products, 484

spam filtering via, 580

of spam using statistical, 581

Content-filtering proxy, 297

Content Scramble System (CSS), DVDs, 125

Context-aware authentication, mobile device management, 405

Context-based signatures, IDS, 429–430

Continuing education, in security training, 64

Continuity of operations, BCP, 671

Continuous integration, security automation via, 651

Continuous lighting, as physical deterrent, 209

Continuous monitoring, hardening system, 504–505

Continuous risk management, 687–688

Contract management, as business risk, 691

Contractors, in social engineering, 76

Controller-based access points, wireless systems, 394

Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM), 798

Controls

defined, 686

designing/evaluating in risk management, 698

mitigating risk through configuration, 695

in SEI risk management model, 698

testing in virtual environment, 281

types of security, 690–691

Controls and permissions

access control lists (ACLs), 327–329

attribute-based access control (ABAC), 332

discretionary access control (DAC), 329–330

mandatory access control (MAC), 329–330

mobile applications, 408

overview of, 325–327

role-based access control (RBAC), 331

Convention on Cybercrime, 796

Convergence, preventing cloned credentials, 218

Cookie cutters, as privacy-enhancing technology, 831

Cookies

code vulnerabilities in, 611–614

disabling, 614

locally shared objects used by Flash, 642

Web privacy issues, 833–834

COPPA (Children’s Online Privacy Protection Act), 822–824

Copper prices, HVAC theft due to rising, 223

Core Impact, penetration test tools, 564

Core, NIST Cybersecurity Framework, 518

Corporate-owned business-only (COBO) model, 414–415

Corporate security officers, role of, 86

Corrective controls, 690

Correctness, system defense approach, 16

Correlation, analyzing SIEM security data, 446

Correlation engines, as network technology, 269

Cost

802.11 attacks and, 386

adding objectivity to qualitative risk assessment, 701–703

calculating backup strategy, 664–665

as drawback of fiber cables, 303

HIDS disadvantages, 440

separation of duties adding to, 31

Cost/benefit analysis, risk management, 711

Cost-effectiveness modeling, risk management, 711–712

Counter Mode with Cipher Block Chaining–Message Authentication Code Protocol (CCMP), 388, 393

Counterintelligence gathering, digital forensic analysis, 779–780

Countermeasures, as controls, 686

Covering tracks, as old school attack method, 740–741

Cozy Bear malware, 13

CRAs (credit reporting agencies), types of, 826

Credential Guard, hardening Windows Server with, 474

Credentialed vulnerability scans, 707–708

Credentials

authentication through previously shared, 124

digest authentication and, 338

managing with account policies, 332

mobile application security protecting, 408

privilege management with, 321

as remote access vulnerability, 365

single sign-on, 324–325

Credit cards

FACTA protecting information on receipts, 826

privacy practices for users, 834

Credit reporting agencies (CRAs)

privacy practices for users, 834–835

types of, 826

Crimeware, data breach patterns, 835

Criminal organizations

attributes of threat actors in, 13–14

as security threat, 11

Critical infrastructure, as target of information warfare, 3, 12

Critical Infrastructure Protection (CIP) standards, NERC, 518, 519

Critical Security Controls, CIS, 521

Critical vulnerabilities, bugs tracking, 636

Cross-site request forgery (XSRF) attacks, 641–642

Cross-site scripting attacks. See XSS (cross-site scripting) attacks

Crossover error rate (CER), biometrics, 347

CrowdStrike, 7

Cryptanalysis

attempting to break cryptographic system, 551

differential, 93

linear, 93

overview of, 92–93

Crypto-malware attacks, 536

Crypto modules, and algorithm selection, 133

CryptoAPI (CAPI), algorithm selection, 133

Cryptographic applications, 126–127

Cryptographic attacks, 147–150

Cryptographic failures in coding, 629–630

Cryptography. See also Applied cryptography

additional references, 119

asymmetric encryption, 112–117

comparing algorithms, 95

cryptographic methods, 95–97

defined, 92

failure of creating own encryption scheme, 129

fundamental methods of, 94–95

hashing functions, 102–106

historical perspectives, 97–102

overview of, 92–93

in practice, 93–94

quantum cryptography, 119

restrictions on commercial products, 801–803

review, 119–121

smart card authentication using, 218

symmetric vs. asymmetric encryption, 117–118

using FDE/SED on hard drives, 461

CryptoLocker ransomware threat, 537

Cryptosystem, examining strength of, 93–94

CSS (Content Scramble System), DVDs, 125

CTM (Counter Mode) operation, 112

Cultural norms, privacy laws varying with, 827

Custodial staff

physical access by non-employees, 85

unauthorized access by, 83

Custodian, role of data, 815

Custom firmware, security holes in, 411

CVE (Common Vulnerabilities and Exposures) list

application-level vulnerabilities, 537–538

making security measurable, 760

reducing code vulnerabilities, 628–629

scripts and automation, 504

CWE (Common Weakness Enumeration)

making security measurable, 760

reducing code vulnerabilities, 628–629

in secure development, 643

CWE/SANS Top 25 Most Dangerous Software Errors list, 629

Cyber-espionage, data breach patterns, 835

Cyber first responders, 750

Cyber-incident response teams, 747

Cyber kill chain, attack model, 16–17, 742–743

Cybercrime, Convention on, 796

Cybercrime laws. See U.S. cybercrime laws

Cybercrime, types of, 793–794

Cybersecurity, defined, 23

Cybersecurity Framework, NIST, 25–27, 518

Cyberwar, security incident, 3

CybOX (Cyber Observable eXpression), 758, 760–761

CYOD (choose your own device) model, 414

D

DAC (discretionary access control), 329–330, 331

Daemons

as services in UNIX, 478

SSH, 361

DAP (Directory Access Protocol), 350, 603

Data

APT attack creating unknown, 563

Bell-LaPadula security model enforces confidentiality of, 38–39

mitigating risk of loss/theft of, 695

proper handling of, 84

roles, 815

security controls for, 500–501

web security gateways protecting, 299

Data at rest, 133, 500–501

Data-based security controls

analyzing security data in SIEM, 447

cloud storage, 502

data at rest, 500–501

data encryption, 501–502

data in transit, 500

data in use, 501

handling big data, 502

as network protocol, 239

permissions/ACLs, 503

storage area networks (SANs), 502

Data Breach Investigation Reports. See DBIR (Data Breach Investigation Reports), Verizon

Data breaches

current threat of, 6

distinct patterns in, 835

getting information on recent, 835

incident at OPM, 7

mitigating through minimization/encryption, 759–760

Data classification, hardening Windows Server, 474

Data destruction methods, 815–817

Data Encryption Standard. See DES (Data Encryption Standard)

Data exposure, application hardening and, 647

Data in transit, 132, 500

Data in use, 133, 501

Data loss prevention. See DLP (data loss prevention)

Data minimization, mitigating data breaches, 759–760

Data Over Cable Service Interface Specification (DOCSIS), 292

Data owner

BYOD blurring lines of, 415

discretionary file permissions in UNIX, 330

high cost of HIDs for, 440

policies, 49

role of, 815

security training for, 63

Data policies, 49–51

Data Protection Directive, EU, 828

Data Protection Officer, GDPR, 829

Data protection statutes, European privacy law, 827–830

Data rates, Bluetooth, 382

Data retention

backups, 664–665

issues about, 812

PCI DSS guidelines for, 801

periodic audits of, 566

Data section, IP packets, 241–243

Data sensitivity. See Sensitive information

Data sovereignty, and data storage, 667–668

Data steward/custodian role, 815

Data storage. See Storage

Data volatility, forensic evidence and order of, 772–773

Databases

application hardening using NoSQL vs. SQL, 644

data encryption for, 126–127, 501

remote access security, 365–366

Datagrams, as IP packets, 241

Daubert standard of evidence, 768

DBIR (Data Breach Investigation Reports), Verizon

on discovery of hacks by internal employees, 85

patterns in data breaches, 835

security trends, 14–15

DDoS (distributed denial-of-service) attacks, 290, 539–540

DDoS mitigators, 271

Dead code elimination, application hardening, 646

Deauthentication frame, disassociation attacks on wireless systems, 402

Decision trees, IDS, 437

Decryption algorithms, 97

Dedicated parity drive (RAID 4), 678

Default accounts

hardening OS/NOS by disabling, 469

security vulnerabilities of devices, 278

switches subject to attacks on, 284

Default deny, fail-safe defaults and, 31

Defense in depth principle, 34–36, 67–68

Degaussing

data destruction via, 816–817

destroying files from storage media, 51

Delay-based filtering, spam filtering via, 580

Delta backups, 663

Demilitarized zones. See DMZs (demilitarized zones)

Demonstrative evidence, 768

Denial-of-service. See DoS (denial-of-service) attacks

Denning, Dorothy, 427

Department of Justice, cyber incident best practices, 757

Deployment models, mobile device, 414–418

Deprecated cryptographic algorithms, 128

Deprovisioning, removing permissions/authorities, 652

DES (Data Encryption Standard)

breaking of, 95

L2TP using, 357

in symmetric encryption, 107–108

WTLS protocol supporting, 377

Design phase, software development, 628

Desired State Configuration (DSC), hardening Microsoft OS, 474–475

Destruction, data

methods, 815–817

policy for, 50–51

Detection

incident response process, 748–749

NIST Cybersecurity Framework, 26

operational model of computer security, 25

preparing for incident, 745

Detective controls, 690

Development environment

change management in, 721, 731

CMMI-DEV in, 729–730

hardening, 503

Device access control, mobile device management, 406

Device Guard, hardening Windows Server, 474

Devices. See also Mobile devices

configuring network infrastructure devices, 520–521

digital forensic principles for, 784

infrastructure security for, 277–279

locks for, 213

network security. See Network security devices

overview of, 277

placement of security, 268–271

properly configuring network, 492–493

remote access vulnerability of, 365

removal, in incident response, 752

wiping, 405

wireless, 291–292

DevOps, Secure, 650

DH (Diffie-Hellman) protocol

asymmetric encryption used by, 114

how PGP works, 138–140

key exchange security in, 129

DH groups, 114

DHCP (Dynamic Host Configuration Protocol)

cable/DSL security, 293

network address allocation, 146

remote packet delivery, 254–255

DHE (Diffie-Hellman Ephemeral), 114

DHTML (Dynamic HTML), hover ads, 487

Diagnostics, network security devices for, 295–296

Dial-in connections, with PPP, 358

Diameter AAA protocol suite, replacing RADIUS, 353

Dictionary attacks, on passwords, 149, 556, 557–558

Differential backups, 663

Differential cryptanalysis, 93

Diffie-Hellman. See DH (Diffie-Hellman) protocol

Diffie-Hellman Ephemeral (DHE), 114

Diffie, Whitfield, 114

Diffusion, in cryptography, 96

Digest authentication, 338

Digital camera systems, hardening, 512

Digital certificates

asymmetric keys distributed by, 113

authentication with, 340

Digital cryptography, benefits, 93

Digital duplication of data, forensic investigation, 777

Digital linear tape (DLT) cartridges, 306–307

Digital Millennium Copyright Act (DMCA), 805–806

Digital rights management (DRM), 125–126, 805–806

Digital sandboxes, as honeypots, 444–445

Digital satellite TV, securing, 125–126

Digital signature agreements, 804

Digital Signature Algorithm (DSA), SHA-1, 104

Digital signature laws, 803–805

Digital Signature Standard (DSS), SHA-1 and, 104

Digital signatures

in asymmetric encryption, 113

authentication via, 124

Authenticode for ActiveX controls using, 609–610

code vulnerabilities of signed applets, 616

DES issues with weak, 107

in DNSSEC, 253

ElGamal algorithm used for, 115–116

for nonrepudiation in cryptography, 94

in PGP, 137

providing integrity with, 123

RSA algorithm used for, 115

in S/MIME, 136

Direct evidence, 768

Direct-sequence spread spectrum (DSSS), 802.11, 384

Directories

Linux OS, 480

understanding, 350

Directory Access Protocol (DAP), 350, 603

Directory services

securing with DAP and LDAP, 603

securing with LDAPS, 143, 146

X.500 standard for, 350

Directory traversal attacks, 640

Disablement

account, 52

of default accounts/passwords, 469

of unnecessary ports/services, 468

of unused features in mobile devices, 407

Disassociation attacks, against wireless systems, 402

Disaster recovery plan. See DRP (disaster recovery plan)

Discretionary access control (DAC), 329–330, 331

Diskettes, data storage using, 306

Displays, hardening computer, 509

Disposal

policy for data, 50–51

rule for consumer reports, FTC, 826

Distance, protecting against eavesdropping, 228

Distributed denial-of-service (DDoS) attacks, 290, 539–540

Distributed network IDS components, 432

Distributive allocation, automation/scripting of, 508

Diversity of defense principle, 34–36

DKIM (DomainKeys Identified Mail), e-mail spoofing detection, 584

DLP (data loss prevention)

cloud-based, 448

e-mail, 448

network security and, 447

in outgoing e-mail, 572–573

preventing data loss or theft, 335

removable storage devices and, 407

as security device, 299

USB blocking, 448

DLT (digital linear tape) cartridges, 306–307

DMCA (Digital Millennium Copyright Act), 805–806

DMZs (demilitarized zones)

for diversity of defense, 36

duplicating information from intranet onto machines in, 262

network segmentation via enclaves in, 264–265

overview of, 259–261

DNS (Domain Name System)

address system attacks on, 552–553

DNSSEC extensions to, 143

domain hijacking attacks on, 555–556

how e-mail works, 571

how it works, 254

how SPF works, 584

overview of, 142–143

record types, 253

remote packet delivery, 252–253

reverse DNS lookups blocking bogus e-mails, 583

S/MIME v3, 136–137

spam filtering via reverse checks in, 580

DNS kiting attack, 552–553

DNS poisoning, 553–554

DNS spoofing, 554

DNSSEC (DNS Security Extensions)

in domain name resolution, 146

hardening Windows Server, 473

overview of, 143

remote packet delivery, 253–254

S/MIME v3 specifications for, 136–137

securing DNS infrastructure, 554

Dobbertin, Hans, 103, 104

DOCSIS (Data Over Cable Service Interface Specification), 292

Documentary evidence, 768

Documented incident types

incident management, 739–740

incident response plan, 747

DoD (Department of Defense)

CAC smart cards, 340

concept of IDS from, 425

S/MIME v2 and S/MIME v3 for, 136–137

DOM-based XSS attacks, 638

Domain controller, for domain password policy, 323

Domain field, cookies, 611

Domain hijacking attacks, 555–556

Domain name resolution, DNSSEC securing, 146

Domain Name System. See DNS (Domain Name System)

Domain Name System Security Extensions. See DNSSEC (DNS Security Extensions)

Domain password policy, 323–324

DomainKeys Identified Mail (DKIM), e-mail spoofing detection, 584

Domains, understanding, 323

Doors

electronic access control for, 217–218

layered access control for, 212

lock types for, 212–213

mantrap/turnstile, 213

physical access control for, 213

physical security and, 209

DoS (denial-of-service) attacks

on Bluetooth, 401

in Cyberwar incident, 3

DDoS attacks, 290, 539–540

Evil Twin attacks on wireless as, 399

overview of, 538–539

as pattern in data breaches, 835

smurf attack as, 540

spoofing using trusted relationships, 545

DoS (denial-of-service) attacks, defense

with edge blocking ICMP, 247

with firewalls, 290

with IPS, 442

overview of, 540–541

war-driving and war-dialing attacks, 541

Downadup worm (Conficker), 3

Downgrade attacks, on passwords, 150

Dragonfly group, nation-state hacking via, 7

Drive-by download attacks, client-side attacks, 561

Drive imaging

forensic-based, 778

through physical access, 207–208

Driver manipulation attacks, 562

Drives, in forensic investigations, 777–778

DRM (digital rights management), 125–126, 805–806

DRP (disaster recovery plan)

backups. See Backups, DRP/BCP

BCP vs., 668

categorizing business functions, 658–659

common causes of disasters, 657

exercises/tabletop, 660

IT contingency planning, 659

overview of, 657–658

recovery point objective (RPO), 661

recovery time objective (RTO), 660

review, 679–682

Dry contact switches, alarm systems, 211

DSA (Digital Signature Algorithm), SHA-1, 104

DSC (Desired State Configuration), hardening Microsoft OS, 474–475

DSL modems, 292–293

DSS (Digital Signature Standard), SHA-1 and, 104

DSSS (Direct-sequence spread spectrum), 802.11, 384

Due care, 60

Due diligence, 60

Due process, 60

Duplication

of data in digital forensics, 777–778

of drives in incident responses, 754

Duqu, state-sponsored malware, 5

DVDs

attacker gaining physical access via, 207–208

Content Scramble System (CSS), 125

data storage via, 307

disabling autoplay on, 220–221

Dynamic code analysis, 648–649

Dynamic Host Configuration Protocol. See DHCP (Dynamic Host Configuration Protocol)

Dynamic HTML (DHTML), hover ads, 487

Dynamic NAT, 258

E

E-discovery

big data forensics and, 787

cloud computing forensics and, 787

computer forensics, 786–787

defined, 785

spam reduction impacting, 583

E-mail

antispam products, 484–485

data loss prevention, 448

encrypting, 585–589

encrypting/decrypting with PGP, 137

history of, 571

hoaxes, 575, 578–579

how it works, 571–574

mail gateways, 579–585

malicious code in, 576–578

phishing using fraudulent, 549

review, 591–593

S/MIME security services for, 136, 145

scanning with antivirus products, 482

security of, 574–575

spam as bulk, unsolicited, 78, 549, 575–576

spoofing, 544

usage policy, 58–59

vishing attacks using, 550

E-Sign law (Electronic Signatures in Global and National Commerce Act), 803–804

EAL (Evaluation Assurance Level), CC, 151

EAP (Extensible Authentication Protocol)

authentication protocol, 359

EAP-FAST, EAP-TLS, and EAP-TTLS, 392

LEAP, 391–392

PEAP, 392

RADIUS Federation and, 393

wireless network authentication, 391

EAPOL (Extensible Authentication Protocol over LAN), 802.1X, 350

Early Launch Anti-Malware (ELAM), hardening Windows Server, 473

Eavesdropping

and electromagnetic emanations, 227–228

modern means of, 228

against RFID tags, 402

on switches, 284

eBay

as frequent target of fraud, 793–794

phishing attacks using, 77

ECB (Electronic Codebook), 111

ECC (elliptic curve cryptography), asymmetric encryption, 116–117

ECDH (Elliptic Curve Diffie-Hellman), 114, 117

ECDHE (Elliptic Curve Diffie-Hellman Ephemeral), 114, 130

ECE (ECN-Echo) packet flag, TCP, 245

Economy of mechanism principle, 31–32

ECPA (Electronic Communications Privacy Act), 769, 796–797, 799

Edge browser, add-on extensions for, 614–615

EDH (Ephemeral Diffie-Hellman), key exchange, 130

EDR (Enhanced Data Rate), Bluetooth 2.0, 381

eduroam project, using RADIUS Federation, 393

EER (equal error rate), biometrics, 347–348

EF (exposure factor), risk calculation, 687, 703

EFS (Encrypting File System), with BitLocker, 126

Egress filtering, of spam, 485, 581

Eight-core System on a Chip (SoC) technologies, 516

ELAM (Early Launch Anti-Malware), hardening Windows Server, 473

Elasticity

automation/scripting of, 507

in virtual environment, 281

Electric power

emergency backup for, 672–673

Ukraine electric grid cyberattack, 7

U.S. Electric Power Grid cyberattack, 3–4

Electrical equipment, minimizing water-based fire suppression damage to, 224

Electro-mechanical detection, alarm systems, 211

Electromagnetic interference. See EMI (electromagnetic interference)

Electromagnetic pulse (EMP), 463–464

Electronic access control systems, 217–218

Electronic Codebook (ECB), 111

Electronic Communications Privacy Act (ECPA), 769, 796–797, 799

Electronic Discovery Reference Model, 786

Electronic key exchange, 115

Electronic media, removable memory, 308–310

Electronic Signatures in Global and National Commerce Act (E-Sign law), 803–804

Electronics, water-based fire suppression and, 224

ElGamal algorithm, asymmetric encryption, 115–116

Elite hackers, defined, 10

Elliptic curve cryptography (ECC), asymmetric encryption, 116–117

Elliptic Curve Diffie-Hellman (ECDH), 114, 117

Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), 114, 130

Emanations, eavesdropping and electromagnetic, 227–228

Embedded hypervisors, 280

Embedded systems, hardening, 511–512

Emergency changes, 722

Emergency lighting, 209

Emergency power, backup, 672–673

Emergency power-off (EPO) switch, cable shielding, 229

EMI (electromagnetic interference)

hardware/firmware security and, 463–464

physical security and, 227–228

protecting evidence from, 776

shielding with Faraday cage, 215–216

EMP (electromagnetic pulse), 463–464

Employees. See Human resource policies

Encapsulating Security Payload (ESP) protocol, IPsec, 140

Encapsulation, as security principle, 36, 244

Enclaves, 264–265, 267

Encrypting File System (EFS), with BitLocker, 126

Encryption

in 3G mobile networks, 380

algorithms, 97

antivirus products combatting, 482

application hardening on mobile devices, 409

application hardening via, 645

attacks on, 551–552

for confidentiality, 94

as cryptographic algorithm, 97

cryptography is much more than, 93

data security controls for, 501–502

defense in depth using, 35–36

drive imaging prevention with, 208

e-mail, 585–589

export/import restrictions on, 801–803

full device, 403–404

full disk, 501

full drive, 306, 461

hardening Microsoft OS with BitLocker, 472

hashing functions for, 102–106

HIDS advantages, 439

IPS and weakness of traffic, 442–443

IPsec using, 242

Kerberos using strong, 339

NIDS ineffective for traffic, 434

as privacy-enhancing technology (PET), 831

remote access, 336

as remote access vulnerability, 365

S/MIME for e-mail messages, 136

for session hijacking protection, 618

in site-to-site communication links, 268

steganography advantages over, 141

storing keys using HSMs, 462

storing passwords using reversible, 324

WPA vs. WPA2, 391

WTLS support for, 377

End-to-end security, 378–379

Endpoints

secure, 24

tunnel, 356

VPN, 364

Energetic Bear malware, 7, 12

Enforcement, mobile device usage policies, 410–414

Enhanced Data Rate (EDR), Bluetooth 2.0, 381

Enhanced security services (ESS), S/MIME, 136–137

Enterprise management, HIPSs integrating, 441

Enterprise Mode, PSK and Open System vs., 389–391

Entropy

as level or amount of randomness, 100–101

password length and, 53

Enumeration

as old school attack method, 740–741

of software weaknesses, 628–629

Enumeration and Classification (CAPEC), 760

Environmental controls

digital evidence, 776

fire, 224

physical security, 223

storing evidence, 777

Environmental Protection Agency (EPA), halon-based fire suppression, 225

Environments

change management, 730–731

risk management, 691

Environments, hardening

development system, 503

production environment, 504

staging environment, 503–504

test environment, 503

Environments, hardening alternative

camera systems, 512

embedded systems, 511–512

game consoles, 512

HVAC, 513–514

mainframes, 512–513

methods, 508

overview of, 508

peripherals, 508–509

phones and mobile devices, 510–511

SCADA/ICS, 513

smart devices/IoT, 514–515

special-purpose systems, 515–517

static environments, 511–512

EPA (Environmental Protection Agency), halon-based fire suppression, 225

Ephemeral Diffie-Hellman (EDH), key exchange, 130

Ephemeral keys, 114, 130

EPO (emergency power-off) switch, cable shielding, 229

Equal error rate (EER), biometrics, 347–348

Equation Group, malware by, 12

Eradication phase, incident response, 747, 750–751, 754

Error messages, in software exploitation attacks, 559

Errors

handling for secure coding, 633

reducing with automation and scripting, 504

Escalation of privilege

in APT attacks, 742

as old school attack method, 740–741

penetration testing for, 711

Escalation phase, incident response process, 752

Escape protection, VM, 281

ESP (Encapsulating Security Payload) protocol, IPsec, 140

ESS (enhanced security services), S/MIME, 136–137

Ethernet

breaching via open jacks on, 206

local packet delivery with, 250

as most common NIC, 283

as network protocol, 239

security weaknesses of, 250

Ethics

computer security issues, 18

establishing codes of, 54

IT Code of Ethics, 807–808

overview of, 806–807

review, 809–811

European laws

digital signature, 804

EU and U.S. Privacy Shield Framework, 519

privacy, 827–830

Evaluation Assurance Level (EAL), CC, 151

EVDO (Evolution Data Optimized)

in 3G mobile networks, 380

replacing Wireless Application Protocol, 376

Event deduplication, SIEM, 447

Evidence

challenges of computer, 768

standards for, 768–769

types of, 768

Evidence control log book, 775

Evidence, forensics process for

acquiring, 771–775

conducting investigation, 777–778

identifying, 775

protecting, 776

storing, 777

transporting, 776

Evil Twin attacks, against wireless systems, 399

Exception handling, secure coding, 633

Exception management, 27

Exclusionary rule, use of evidence in court, 769

Executable files, program viruses attaching to, 529

Executive user, security training for, 63–64

Exemptions, DMCA, 806

Exercises, tabletop

business continuity plan, 670

disaster recovery plan, 659–660

incident response plan, 748

Exit interview policy, human resources, 56

Expiration, account, 52, 335

Expires field, cookies, 611

Explicit deny principle, ACLs, 349

Export/import, encryption restrictions, 801–803

Exposure factor (EF), risk calculation, 687, 703

EXtensible Access Control Markup Language (XACML), 332

Extensible Authentication Protocol. See EAP (Extensible Authentication Protocol)

Extensible Authentication Protocol over LAN (EAPOL), 802.1X, 350

Extensions, Microsoft Edge, 614–615

External media, mobile device usage policies, 412

External threat actors, vs. internal, 13

Extranet, 262

F

Facial recognition, biometrics, 345

Fail-safe defaults principle, 31

Fail-secure door locks, 213

Fail-soft (or fail-safe) door locks, 213, 217

Failback, business continuity plan, 671

Failover, business continuity plan, 671

Fair and Accurate Credit Transactions Act, 826

Fair Credit Reporting Act (FCRA), 826

False acceptance rate (FAR), biometrics, 346–347, 348

False negatives

in biometrics, 345–347

in intrusion detection systems, 430

False positives

in biometrics, 345–347

HIDS advantages, 439

in intrusion detection systems, 430

Familiarity, in social engineering, 75

Family Educational Rights and Privacy Act (FERPA), 822

Fancy Bear malware, 13

FAR (false acceptance rate), biometrics, 346–347, 348

Faraday cage (or shield), 215–216, 228

Farms, load balancing and server, 676

Fat (or thick) access points, wireless systems, 394

Fault tolerance

with clustering, 675

failure and recovery timing, 676–677

increasing with load balancing, 296, 675

and redundancy, 674

FC (Fibre Channel) protocol, SANs, 272

FCC (Federal Communications Commission), EMI, 216

FCoE (Fibre Channel over Ethernet) protocol, SANs and, 272

FCRA (Fair Credit Reporting Act), 826

FDDI (Fiber Distributed Data Interface), 239

FDE (full device encryption), 403–404

FDE (full drive encryption), 306, 461

Features, 408, 558–559

Federal Communications Commission (FCC), EMI, 216

Federal Information Processing Standards. See FIPS (Federal Information Processing Standards)

Federal Risk and Authorization Management Program (FedRAMP), 518–519

Federal Trade Commission. See FTC (Federal Trade Commission)

Federated identity management, 336, 362

FedRAMP (Federal Risk and Authorization Management Program), 518–519

Fences, 209–210

FERPA (Family Educational Rights and Privacy Act), 822

fgets() function, string handling, 636

Fiber Distributed Data Interface (FDDI), 239

Fiber-optic cable, 239, 303–304

Fibre cable cuts, security attack, 4

Fibre Channel (FC) protocol, SANs, 272

Fibre Channel over Ethernet (FCoE) protocol, SANs and, 272

File systems

encryption, 126

host forensics and, 781–783

File time stamps, as computer forensic evidence, 771

File Transfer Protocol. See FTP (File Transfer Protocol)

Files

access control lists for, 328

APT attacks creating unknown, 563

data encryption security for, 501–502

Linux OS system, 479

permissions in UNIX, 330

safeguarding using permissions, 326–327

Filters

antispam, 484–485

Internet content, 299

packet, 269

port, 453

switches as traffic, 284

URL, 300

FIN packet, TCP, 244, 245

Finance, as business risk, 693–694

Fingerprint readers, 218

Fingerprint scanners, 344

Fingerprints, as something you are authentication, 337, 342

FIPPs (Fair Information Practice Principles), 819–820

FIPS (Federal Information Processing Standards)

data communication, 151

event impact, 705

SHA standard, 104

Fire detection devices, 226–227

Fire drills, 224

Fire suppression

clean-agent systems for, 225

halon-based systems for, 224–225

handheld fire extinguishers for, 225–226

physical security and, 224–227

water-based systems for, 224

Firefox

certificate options, 598–599

HTTPS connections in, 601

NoScript plug-in securing, 610

Firewalls

access control list for, 327–328

breaching via open Ethernet jacks, 206

defense in depth using, 34–36

defined, 285

diversity of defense using, 36

e-mail and, 571

host-based, 488–491

how they work, 288–290

integrated into HIPSs, 441

as network technology, 270

next-generation, 290–291

overview of, 285–288

PBX telecommunication, 293

periodic audits of rules, 566

placing NIDS sensors in relation to, 433

placing on either side of DMZ, 260

programming with software-defined networking, 259

software, 488–491

spoofing trusted relationships and, 545

between trusted network and Internet, 261

web application vs. network, 291

Windows Firewall, 472

Firmware. See also Hardware/firmware security

over the air updates, 411

rootkits, 533

security holes in custom, 411

updates, 492

version control, 463

Fixed-temperature (fixed point) fire detectors, 227

Flags

DNSSEC header, 253

IPv4 packet, 242

TCP packet, 245

Flame activated fire detectors, 227

Flame, state-sponsored malware, 5

Flash drives, attackers gaining access via, 207–208

Flat networks, 263, 264–265

Flood lighting, as physical deterrent, 209

Floppy disks, data storage, 306

FM-200 (heptafluoropropane), clean-agent fire suppression, 225

Folders

ACLs for, 328

safeguarding using permissions, 326–327

Foothold, in APT attacks, 741–742

Footprinting, as old school attack method, 740–741

For Internal Use Only data classification, 49–50

For Official Use Only classification, 330

Forensic workstation, 777

Forensics. See Computer forensics

Fortress model, computer security, 24

Forward secrecy protection, WPA lacking, 388

Fourth Amendment to U.S. Constitution, exclusionary rule of evidence, 769

Fragmentation packet, 240–241

Fraud

as business risk, 691

crime of computer-based, 793–794

SOX Section 404 to prevent, 799

Free space, host forensics on, 782

Freedom of Information Act (FOIA), 821

Frequency analysis, cipher text, 99

Frequency, optimal backup, 664–665

FRR (false rejection rate), biometrics, 347

FTC (Federal Trade Commission)

disposal rule, 826

Fair Information Practice Principles (FIPPs), 819–820

intellectual property and theft, 795

red flag rules, 826

FTP (File Transfer Protocol)

overview of, 363, 604

SFTP. See SFTP (Secure FTP)

FTPS (FTP Secure)

defined, 143

historical incidents involving, 2–3

overview of, 605

remote access methods, 363

securing file transfer, 145

Full backups, 662–663

Full Control permissions, NTFS, 326

Full device encryption (FDE), 403–404

Full disk encryption, 501

Full drive encryption (FDE), 306, 461

Full duplex, 284

Functional configuration audit, 726

Functionality, testing software code, 628

Functions, NIST Cybersecurity Framework, 26

Funding, threat actor, 14

Fuzzing, code quality/testing, 632, 633, 648–649

G

Gaining access, old school attack method, 740–741

Games

avoid installing unauthorized, 84

hardening consoles, 512

Gantt charts, in risk management, 711

Garbage collection, application hardening via, 646

Gateways, web security, 298–299

GCM (Galois Counter Mode), 112

GDPR (General Data Protection Regulation), EU, 829–830

General-purpose guides to information security, 521

General risk management model, 696–698

Generations, mobile phone

3G mobile networks, 379–380

4G mobile networks, 380

overview of, 377

understanding, 377

WAP, 377–379

what the difference is, 379

Generators, backup power with, 229, 672–673

Generic accounts, 320, 321

Generic Routing Encapsulation (GRE), PPTP, 358

Geo-tagging, mobile device management, 405

Geofencing, mobile devices management, 404

Geolocation, mobile device management, 404

German Enigma machine, 98, 147

gets() function, as unsafe, 636

GhostNet, APT attack, 5

Glare projection lighting, as physical deterrent, 209

GLBA (Gramm-Leach-Bliley Act), privacy, 799, 824–825

Globalization, network communication

computer trespass and, 795

Convention on Cybercrime and, 796

Globally unique identifier (GUID), 475

GNU Privacy Guard (GPG), 137

Goals, incident response, 740

Google store, mobile device usage policies, 410

GPG (GNU Privacy Guard), 137

GPMC (Group Policy Management Console), hardening Microsoft OS, 476–477

GPOs (group policy objects)

account policy for, 332–333

domain password policy, 323–324

hardening Microsoft OS, 474, 475–477

GPS (Global Positioning System), 404, 413

GPUs, password cracking with, 557

Gramm-Leach-Bliley Act (GLBA), privacy, 799, 824–825

Gratuitous ARP, ARP poisoning, 555

Gray box testing, 709

GRE (Generic Routing Encapsulation), PPTP, 358

Grey-box testing, software development, 632

Greylisting, combatting spam, 583

Group policies, hardening Microsoft OS, 475–477

Group Policy Management Console (GPMC), hardening Microsoft OS, 476–477

Group policy objects. See GPOs (group policy objects)

Groups

applying permissions to specific, 326

built-in, 321

concept of, 320–321

Diffie-Hellman, 114

discretionary file permissions in UNIX, 330

in Linux OS, 479

managing access/privileges, 321–322

Guards, security, 210

Guest accounts, 321

Guest zones, wireless networks, 263

GUID (globally unique identifier), 475

Guidelines, policy, 47

H

Hackers

attributes of, 13–14

criminal groups vs., 11

defined, 9

issues on hiring, 55

levels of intruders, 9–10

preventing data loss or theft from, 335

Hacking

defined, 9

discovered mostly by internal employees, 85

Hacktivists, defined, 15

Halon-based fire suppression systems, 224–225

Handheld fire extinguishers, 225–226

Handshake, TLS, 597–598

Hard drives

data storage using, 305

destroying files on, 51

full drive encryption securing, 306

Hardening, defined, 460

Hardening systems

alternative environments, 508–517

application hardening, 494–500, 643–647

automation and scripting, 504–508

baselines overview, 461

benchmarks and secure configuration guides, 519–521

data-based security controls, 500–503

in DMZ, 260

environment, 503–504

hardware/firmware security, 461–464

industry-standard frameworks/reference architectures, 517–519

Microsoft OS, 472–477

network hardening, 491–494

operational model of computer security, 16

OS and network OS hardening, 464–470

overview of, 460

review, 522–525

secure baseline. See Secure baseline

UNIX- or Linux-based OSs, 477–480

Hardware

avoid installing unauthorized, 83–84

protecting, 491

root of trust, 462

secure baseline, 491

security advantages of virtualization, 279–282

succession planning for, 670–671

Type 1 hypervisors running on system, 280

Hardware/firmware security

EMI/EMP, 463–464

FDE/SED, 461

firmware version control, 463

hardware root of trust, 462

HSM, 462

integrity measurement, 463

overview of, 461

secure boot and attestation, 462–463

supply chain, 464

TPM, 461

UEFI/BIOS, 462

Hash algorithms

in cryptography, 102–106

defined, 97

and forensics, 774–776, 781

Message Digest (MD), 103–104

RIPEMD, 104–105

Secure Hash Algorithm (SHA) series, 104–105

Hash-based message authentication code. See HMAC (hash-based message authentication code)

Hash value, defined, 102

Hashing

authentication through, 124

for cryptographic integrity, 94

digital signatures based on, 124–125

Hazard, defined, 687

Header

e-mail, 572–573

filtering with antispam products, 484

flags in DNSSEC, 253

section of ICMP packets, 245

section of IP packets, 241–243

Header manipulation attacks, 560, 618

Health Information Technology for Economic and Clinical Health Act (HITECH Act), 824

Health Insurance Portability and Accountability Act (HIPAA), 823–824

Healthcare insurance accounts, privacy practices, 835

Hearsay rule, evidence in court, 769

Heartbleed incident, 2014, 325, 724

Heat, activating fire detectors, 227

Heating, ventilation, and air conditioning (HVAC)

environmental control for data center, 223

hardening, 513–514

selecting physical storage location, 667

Hellman, Martin, 114

Help desk, social engineering, 76

Heptafluoropropane (FM-200), clean-agent fire suppression, 225

Heuristic model, IDS, 428

Heuristic scanning, of antivirus products, 481–482

Hidden fields, as risk in browsers, 619

Hidden files, host forensics on, 782–783

Hidden messages, in steganography, 140–142

HIDS (host-based IDS)

active vs. passive, 440–441

advantages and disadvantages, 439–440

defined, 426

history of, 425

overview of, 436–439

resurgence and advancement of, 441

verifying executable code integrity, 729

Hierarchy

software update, 467–468

Windows policies, 477

High availability

identifying single points of failure, 675–676

and redundancy, 674–675

High-resiliency systems, cryptography in, 134

High-security locks, 212

High Speed Packet Access (HSPA), 376, 380

Highly-structured threats, 11–12

HIPAA (Health Insurance Portability and Accountability Act), 823–824

HIPSs (host-based IPSs)

advantages of, 441

analytics in, 445

categories of, 428

Hiring, policy for employee, 55

Historical perspectives, cryptography

algorithms, 97–98

key management, 101

one-time pads, 101

random numbers, 101–102

substitution ciphers, 98–100

transposition ciphers, 97

Historical security incidents, 1–4

History

of intrusion detection systems, 424–425

managing password, 53, 323

HITECH Act (Health Information Technology for Economic and Clinical Health Act), 824

HITECH CSF (Common Security Framework), 519

HMAC-based One-Time Password (HOTP), 341

HMAC (hash-based message authentication code)

determining authenticity, 135

overview of, 102

PBKDF2 using, 131

TLS using, 132

HMAC-MD5, NT LAN Manager version 2, 102

HMI (human machine interface), SCADA systems, 513

Hoaxes

in common use, 103

e-mail, 575, 578–579

social engineering, 79–80

virus, 530–531

Home automation, hardening IoT, 514–515

Home Depot, 2014 data breach, 6

Honeynets, 263, 444–445

Honeypots, 263, 444–445

Hong Kong privacy laws, 831

Host-based firewalls, 488–491

Host-based IDS. See HIDS (host-based IDS)

Host-based IPSs. See HIPSs (host-based IPSs)

Host forensics

defined, 781–784

file systems, 781–783

Linux metadata, 784

Windows metadata, 783–784

Host machine, as virtualization hardware, 279

Host OS

availability/elasticity in virtual environment, 282

Type 2 hypervisors running on, 280

virtualization and, 279

Host sensors, 269

Host software baselining, application hardening, 498

Host vulnerability scanners, application hardening, 498–500

Hosts

approach to network protection, 28

calculating subnets and, 257

defense in depth for, 36

disadvantages of HIDS, 440

limiting trusted relationships between, 545

man-in-the-middle attacks between, 547–548

NIDS does not see activity on, 434

port scanners searching network for live, 452

on-premises or cloud security vs., 313

Hot aisle/cold aisle layout, data center, 223

Hot sites, BCP, 671

Hotfixes, application patches as, 467, 495

HOTP (HMAC-based One-Time Password), 341

HOTP/TOTP, authentication, 341

Hover ads, as pop-up variants, 487

HSPA (High Speed Packet Access), 376, 380

HSTS (HTTP Strict Transport Security), 602–603

HTTP (Hypertext Transfer Protocol)

code vulnerabilities of cookies, 611

in header manipulation attacks, 560

overview of, 601–602

HTTP Secure. See HTTPS (HTTP Secure)

HTTP Strict Transport Security (HSTS), 602–603

HTTPS (HTTP Secure)

in basic authentication, 338

HTTPS Everywhere movement, 602

overview of, 140

as secure protocol, 144

for secure web connections, 145

Hub-and-spoke wireless network topology, 237–238

Hubs

network security and, 283

replacing with switches, 284

Human machine interface (HMI), SCADA, 513

Human resource policies

acceptable use policy (AUP), 57–58

account recovery via, 52

adverse actions, 56–57

on-boarding/off-boarding business partners, 56

Bring-Your-Own-Device (BYOD), 59

clean desk, 59

code of ethics, 54

e-mail usage, 58–59

employee hiring and promotions, 55

employee retirement, separation and termination, 55–56

exit interviews, 56

Internet usage, 58

job rotation, 54

mandatory vacations, 57

overview of, 53–54

privacy, 59–60

separation of duties, 54–55

social media networks, 57

Humans, halon-based fire suppression dangerous to, 225

Humidity, controlling data center, 223

Hurricane Panda, 7

HVAC (heating, ventilation, and air conditioning), 223, 513–514

Hybrid clouds, 312

Hybrid password attacks, 150, 557–558

Hypertext Markup Language (HTML), WWW and, 594

Hypertext Transfer Protocol. See HTTP (Hypertext Transfer Protocol)

Hypervisor server OSs, 465

Hypervisors

availability/elasticity of, 281

defined, 279

enabling virtualization, 279

Type 1 and 2, 279–280

I

IaaS (Infrastructure as a Service), 313, 505–506

IC3 (Internet Crime Complaint Center), 794

ICMP (Internet Control Message Protocol)

to block or not block, 247

message codes, 246–247

overview of, 245

ping of death and, 433

preventing DoS and DDoS attacks by edge blocking, 540

ICSs (industrial control systems)

under attack, 835

hardening, 513

ID (identification) badges, personnel

with picture, 218

preventing physical access by non-employees, 84

RFID-based contactless entry card behind, 217

ID (identification) checks, mitigating social engineering, 76–77

ID (identification), user, 336

IDEA (International Data Encryption Algorithm)

in PGP e-mail encryption, 138, 587

in symmetric encryption, 111

WTLS protocol supporting, 377

Identification of critical systems, business risk, 693

Identify

computer forensic evidence, 775

NIST Cybersecurity Framework, 26

SEI risk management model, 698

Identity theft, preventing, 335

IDES (Intrusion Detection Expert System), 427

IdP (identity provider), SAML, 362

IDSs (intrusion detection systems)

advanced malware tools, 456

analytics, 445

in-band vs. out-of-band NIDS/NIPS, 450–451

banner grabbing and, 454

breaching via open Ethernet jacks, 206

data loss prevention (DLP) in, 447–448

decision trees in, 437

defense in depth with, 34–36

detection vs. prevention controls, 443

false positives/negatives, 430

history of, 424–425

honeypots and honeynets, 444–445

host-based IDS (HIDS), 436–441

indicators of compromise (IOC), 454–455

introduction to, 425

intrusion prevention system (IPSs), 441–443

mobile device usage policies for external, 412

models, 427–428

network-based IDSs (NIDSs), 430–435

network placement tools, 449–450

network security monitoring (NSM), 443

overview of, 294, 426–427

passive vs. active tools, 453–454

port scanners, 451–453

protocol analyzers, 448–449

review, 457–459

security information and event management (SIEM), 446–447

in security perimeter, 68

signatures, 429–430

Switched Port Analyzer (SPAN), 451

IEEE 802.11 series

attacking, 386–387

authentication protocols, 391–393

current security methods, 388–391

as family of protocols, 384

individual standards, 385–386

WEP, 387–388

IEEE 802.15.4 (Zigbee), 375

IEEE 802.16 (WIMAX), 375

IEEE 802.1X (remote access), 349–350

IETF (Internet Engineering Task Force)

S/MIME standard, 135–137

TLS working group, 131

Transport Layer Security (TLS), 596

IIS management interface, hardening Windows Server, 473

ILOVEYOU worm, 2

IM (instant messaging)

e-mail has similar process as, 572

in modern systems, 589–590

overview of, 589

phishing attacks in, 77–78, 549

review, 591–593

spim delivery through, 78, 549

Image files, encoding steganography into, 141

IMAP (Internet Message Access Protocol), e-mail, 571

IMC (Internet Mail Consortium), 135

Immutable systems, security automation via, 651

Impact

adding objectivity to qualitative risk assessment, 701–703

business risk as, 693–694

defined, 686

determining/quantifying in risk management, 697

in qualitative risk assessment, 699–701

risk calculation, 705

Impersonation, in social engineering, 75–76

Implementation, change management, 726–727

Implementation plan, algorithm selection in, 133

Implicit deny

applied to firewall rulesets, 289, 349

principle of, 31

Import/export, encryption restrictions on commercial products, 801–803

Important vulnerabilities, bugs tracking, 636

In-band communication, in Diffie-Hellman key exchange, 129

In-band vs. out-of-band NIDS/NIPS, 450–451

In-flight entertainment systems, aviation computing safety, 517

Incident detection, incident response process, 748–749

Incident management

in change management process, 729

definition of, 728

methodology for, 739–740

mitigating risk through, 695

Incident Object Description Exchange Format (IODEF) standard, 758

Incident response

anatomy of attacks, 740–743

best practices, 757–761

forensics often associated with, 767

foundations of, 739–743

goals of, 740

incident management, 739–740

for more information, 761

NIST definition of, 743

overview of, 738

review, 762–765

standards, 756–757

Incident response plan, 744, 746–748

Incident response policy, 61, 743

Incident response process

containment/incident isolation, 750–752

eradication, 754

incident identification/detection, 748–749

incident response plan, 746–748

initial response, 749–750

investigation, 753–754

lessons learned, 756

overview of, 743–744

preparation, 744–746

recovery, 754–755

reporting, 755–756

strategy formulation, 752–753

Incident response team

cyber-incidents, 747

establishing for incident response process, 745–746

reporting after restoration, 755–756

roles and responsibilities of, 747

Incidental involvement, of computers in crime, 794

Incidents, historical security, 1–4

Increased data center density, environmental controls, 223

Incremental backups vs. differential, 663

Indicators of compromise. See IOCs (indicators of compromise)

Indirect attacks, on encryption, 552

Individual participation, collecting PII, 819

Industrial control systems (ICSs)

under attack, 835

hardening, 513

Industry specific frameworks, 519

Industry-standard frameworks, and reference architectures, 517–519

Inergen systems, clean-agent fire suppression, 225

Information assurance, 1

Information collection threat

Flame/Duqu as, 5

of instant messaging, 590

Shamoon attack at Saudi Aramco, 6

Sony hack in 2011, 6, 10–11

Information criticality, incident response, 739, 747, 749

Information security, 1

Information Sharing and Analysis Centers (ISACs), 17–18

Information Sharing and Analysis Organizations (ISAOs), 17–18

Information Systems Audit and Control Association (ISACA), 688

Information systems testing, technology risks, 692

Information technology. See IT (information technology)

Information warfare, 11–12

Infrared. See IR (infrared)

Infrastructure as code, automation via, 651

Infrastructure security

BYOD issues, 417–418

cloud computing, 311–313

devices, 277–279

media for, 301–305

network components. See Network components

network devices. See Network security devices

overview of, 276

physical security concerns, 310–311

on-premises vs. hosted vs. cloud, 313

removable media for, 305–310

review, 315–317

Security as a Service, 314

transmission media concerns, 310

virtualization, 279–282

Initial exploitation, penetration testing, 711

Initial response phase

common technical mistakes in, 750

cyber first responders, 750

incident response process, 749

Initialization vectors. See IVs (initialization vectors)

Injection attacks

on applications, 638–639

as client-side attack, 560

directory traversal/command injection, 640

LDAP injection, 640

SQL injection, 639

XML injection, 640

Inline sensors, IPS, 442

Inline traffic, IPS and, 442

Inlining, hijacking signed applets, 616

Input validation attacks

code injection, 638–640

directory traversal/command injection, 640

normalization used in, 635–636

in secure coding, 633–634

XSS attacks, 638–639

Insider threats, 10–11

Integer overflow errors, 559–560, 641

Integrated Services Digital Network (ISDN), 358

Integrity

Bell-LaPadula security model and, 38–39

change management and, 729

as CIA security goal, 24

collecting PII, 819

cryptography securing, 95, 123–124, 134

for digital signatures, 124–125

ensuring with hash functions, 102

hashing in cryptographic operations and, 94

importance in digital commerce, 123

of S/MIME e-mail encryption, 135–137, 586

security models enforcing, 39–41

of WTLS protocol, 377

Integrity measurement

change management, 733

hardware/firmware security, 463

Integrity verification processes (IVPs), Clark-Wilson model, 41

Intellectual property, 125–126, 805–806

Interconnection Security Agreement (ISA), 67

Internal threat actors, vs. external, 13

International Data Encryption Algorithm. See IDEA (International Data Encryption Algorithm)

International frameworks, 518–519

International privacy laws

EU GDPR invalidating, 829–830

European vs. U.S., 827–829

OECD Fair Information Practices, 827

overview of, 827

Safe Harbor principles, 828

International Telecommunication Union (ITU), X.500 standard, 351

Internet

birth of, 594–595

consumer demand for access. See Mobile phones

DMZ as buffer zone between network and, 260–261

emergency backup power for, 673

making requests from intranet to, 262

security zones, 261

usage policy, 58

Web 2.0 and, 619

Internet content filters, as security devices, 299

Internet Control Message Protocol. See ICMP (Internet Control Message Protocol)

Internet Engineering Task Force. See IETF (Internet Engineering Task Force)

Internet Explorer

certificate options, 598–599

HTTPS connections in, 601

security setting issues, 608

Internet Mail Consortium (IMC), 135

Internet of Things (IoT), 512, 514–515

Internet (or Morris) worm, 2

Internet Protocol. See IP (Internet Protocol)

Internet Protocol version 4. See IPv4 (Internet Protocol version 4)

Internet Protocol version 6. See IPv6 (Internet Protocol version 6)

Internet service providers (ISPs), 571, 798

Internet Small Computer System Interface (iSCSI) protocol, SANs, 272

Internetwork Packet Exchange (IPX), 239

Internetworking Operating System (IOS), Cisco, 465, 492

Interoperability agreements, organizational security, 66–67

Interpreters, creating runtime code, 650

Interrelationship digraphs, risk management, 711

Intimidation, in social engineering, 75

Intranet, 235, 261–262

Introduction to this book

additional references, 18

approaches to computer security, 16–18

attributes of threat actors, 13–14

computer security. See Computer security

ethical issues, 18

review, 19–21

security trends, 14–15

threats to security. See Threats

Intruders, as security threat, 9–10

Intrusion Detection Expert System (IDES), 427

Intrusion detection systems. See IDSs (intrusion detection systems)

Intrusion prevention systems (IPSs), 441–443

Intrusive tests, vulnerability scanners, 707

Investigation

in computer forensics, 772, 777–778

incident response phase, 753–754

IOCs (indicators of compromise)

list of, 758

as network security tool, 454–455

overview of, 757

standards, 758–759

IODEF (Incident Object Description Exchange Format) standard, 758

Ionization smoke detector, 227

iOS, hardening phones/mobile devices, 510–511

IOS (Internetworking Operating System), Cisco, 465, 492

IoT (Internet of Things), 512, 514–515

IP addresses

DNS poisoning and, 553–554

spoofing, 544–545

and subnetting, 255–257

IP-based CCTV camera systems, 214

IP (Internet Protocol)

cable/DSL security and, 293

ICMP, 245–247

IPv4 vs. IPv6, 247–250

as network protocol, 239

packets, 241–243

remote packet delivery, 252–255

suite components, 241

TCP vs. UDP, 243–244

IPchains, Linux software firewall, 489

IPcomp (IP Payload Compression Protocol), 140

ipconfig/displaydns command, DNS poisoning, 554

IPSec (IP Security)

Diffie-Hellman (DH) protocol and, 114

L2TP using, 357

IPsec (IP Security)

overview of, 140

VPN implementation, 293–294

IPSs (Intrusion prevention systems), 441–443

IPv4 (Internet Protocol version 4)

IP packets in, 241–242

packet fragmentation in, 240

vs. IPv6, 247–250, 494

IPv6 (Internet Protocol version 6)

avoiding packet fragmentation in, 240–241

disabling if not using, 494

IP packets in, 242–243

vs. IPv4, 247–250, 494

IPX (Internetwork Packet Exchange), 239

IR (infrared)

detection, 214

as unguided media, 304

wireless connectivity with, 383

Iris scanners, in biometrics, 345

ISA (Interconnection Security Agreement), 67

ISACA (Information Systems Audit and Control Association), 688

ISACs (Information Sharing and Analysis Centers), 17–18

ISAOs (Information Sharing and Analysis Organizations), 17–18

iSCSI (Internet Small Computer System Interface) protocol, SANs, 272

ISDN (Integrated Services Digital Network), 358

ISO 17799, deprecated, 151–152

ISO/IEC 27002, security policies, 151–152

Isolation

approach to system defense, 16

incident response for containment, 750–751

incident response for quarantine, 752

least common mechanism principle and, 33

network, 263–267

Qakbot worm and, 751

as security principle, 36–37

via sandboxing, 470

ISPs (Internet service providers), 571, 798

IT Code of Ethics, SANS Institute, 807–808

IT (information technology)

DRP contingency planning for, 659

project risk management, 692

as risk, 692

separation of duties best practices, 723–724

ITU (International Telecommunication Union), X.500 standard, 351

IVPs (integrity verification processes), Clark-Wilson model, 41

IVs (initialization vectors)

attacks against wireless systems, 399

how TKIP works, 389

weakness in WAP, 378

weakness in WEP, 387–388

J

Jailbreaking

mobile device usage, 410–411

patch management in BYOD, 416

Jamming attack, wireless systems, 400

Japanese privacy laws, 830–831

Java, code vulnerabilities, 607–608, 611

JavaScript, 608–609

Jester security incidents, 2

Job rotation policy, 54

JPMorgan Chase, 2014 data breach, 6

Judge, materials declared as evidence by, 768

Junos NOS, 465

JVM (Java Virtual Machine), 607

K

Kali Linux tool, 563

Kaminsky attack, 554

Kaminsky, Dan, 253

KASUMI cryptographic standard, 3G, 380

KDC (key distribution center), Kerberos, 339

Kerberos, 338–340, 359–360

Kerberos realm, 339

Kernel

hardening in Linux OS, 478

rootkits, 533

Key distribution center (KDC), Kerberos, 339

Key escrow, 129–130

Key exchange

electronic, 115

Ephemeral Diffie-Hellman (EDH), 130

man-in-the-middle attacks defeating, 129

Key generation, 147

Key management

cryptography, 101

physical access control with, 216–217

symmetric encryption, 106–107

Key pairs, and asymmetric algorithms, 97

Key space, decryption using, 552

Key stretching, 130–131

Keyloggers, eavesdropping via USB, 228

Keypads

infrared (IR) detection, 214

layered access control with, 212

using locks with, 212–213

Keys

access tokens vs., 218

avoiding coding failures by managing, 631

in Caesar’s cipher, 98

in cryptographic operations, 94

encryption and decryption, 97

ephemeral, 130

master, 217

number needed in symmetric encryption, 107

PGP e-mail encryption, 587–588

protecting mobile applications, 408

public algorithms and encryption, 129

quantum key distribution, 117

security of algorithms rely on complexity of, 100

session keys, 130

storing Bitlocker decryption, 126

Keyspace, comparisons, 95

Keystroke loggers, online banking/stock trading, 793–794

Keyword filtering, 580

Kill chain, 16–17

Kill command, Linux OS, 479

Kiosk OS, 466

Klíma, Vlastimil, 104

Known plaintext/ciphertext attacks, 147
