A
AAA (authentication, authorization, and accounting), 358
AACS (Advanced Access Content System), 151
ABAC (attribute-based access control), 377
acceptable use policies (AUPs)
content-filtering proxies, 336
e-mail, 678
mobile devices, 469
overview, 67–68
acceptance response for risk, 765–766
access control
auditing, 640
authorization, 371
data compromise factor, 870
electronic systems, 249–250
layered access, 39
mobile devices, 456–457
access control lists (ACLs)
authorization, 374–375
description, 550
firewalls, 325–326
Linux, 531
routers, 321
SIEM, 498
access control matrices, 374–375
access points (APs)
description, 329
placement, 443–444
rogue, 449
test, 340
wireless security, 439–441, 445
access tokens, 249
accounting
configuration status, 822
functions, 370–371
RADIUS, 402–403
TACACS+, 405–406
accounts
auditing, 368
authentication, 359–361
disabling, 61, 65, 369, 521–522
generic, 360
lockouts, 61
maintenance, 367
onboarding and offboarding, 361
recertifying, 368
recovery, 60–61
vulnerabilities, 642
ACLs. See access control lists (ACLs)
active/active load balancer schemes, 334–335
active defense model, 31
active HIDSs, 489–490
active logging, 893
active NIDSs, 483–484
active/passive load balancer schemes, 335
active reconnaissance testing, 632
Active Server Pages (ASP), 663
active tools
network security, 505
penetration testing, 632
actor attributes, 14–16
ad hoc networks, 272
add-ons, malicious, 666
Additional Decryption Key (ADK), 688
Address Resolution Protocol (ARP)
arp command, 619–620
neighbor discovery, 291
poisoning attacks, 601–602
switch attacks, 321
vulnerabilities, 294–295
address space in IPv4 vs. IPv6, 290–291
ADK (Additional Decryption Key), 688
Adleman, Leonard, 137
administrator accounts
credential policies, 60
default settings, 643
description, 360
disabling, 364
admissibility of evidence, 882
Adobe data breach, 7
Adult Friend Finder data breach, 7
Advanced Access Content System (AACS), 151
advanced persistent threats (APTs)
Cyber Kill Chain, 840
description, 4
groups, 5
incident response, 839–840
overview, 605
persistence, 633
adverse actions, 66–67
adware, 583
AEAD (Authenticated Encryption with Associated Data), 130
RC4, 132
symmetric encryption, 134
AES algorithm
AACS, 151
BitLocker, 453
CBC, 132
CCMP, 439
IETF, 163
key length, 115
overview, 129–130
passwords, 179, 609
WPA2, 433
affinity-based load balancer scheduling, 334
affinity grouping, 790
after-action reports in business continuity, 803
agentless NAC, 332
agents in NAC, 332
aggregation in SIEM, 498
aggregation switch placement, 342
agile software development model, 721
aircraft, 564–565
aisles, hot and cold, 256
alarms, 241–242
ALE (annualized loss expectancy)
defined, 763
alerts in SIEM, 497–498
all-glass cockpits, 564
all nines keys, 244
alternate data streams, 896
alternative sites for business continuity, 810–811
amplification attacks, 602
analysis
computer forensics, 891–894
evidence, 881
logs, 487
Registry, 897–898
risk, 784–790
social media, 69
analysis engines
HIDSs, 485–486
IDSs, 475–476
NIDSs, 480–481
analyst-driven log analysis, 487
analytics, 495–496
annualized loss expectancy (ALE)
defined, 763
annualized rate of occurrence (ARO)
defined, 763
risk calculations, 788
anomaly-based IDS model, 477
anomaly detection models, 476
anonymity
anonymization, 953
anonymizing proxies, 336
wireless attacks, 446–447
anonymous FTP, 659
Anonymous group, 14
antenna types and placement, 442
anti-malware
BYOD model, 467
overview, 535
antivirus (AV) products
BYOD model, 467
overview, 533–535
anycast messages, 291
Anything as a Service (XaaS), 699
API (application programming interface)
cloud computing, 714
digital certificates, 200
inspection and integration, 706
app stores for mobile devices, 460–461
appliances
all-in-one, 338
firewalls, 328
NIDSs, 481
operating systems, 518
UTM, 339
application attacks, 735
attachments, 740
buffer overflow, 738–739
cross-site request forgery, 739–740
cross-site scripting, 735–736
directory traversal, 738
injections, 736–738
integer overflow, 739
locally shared objects, 740
OVAL, 741
remote code execution, 741
zero day, 740
application cells in virtualization, 314
application layer proxies in firewalls, 325
application-level attacks, 586
application programming interface (API)
cloud computing, 714
digital certificates, 200
inspection and integration, 706
application server guides, 567–568
applications
authentication, 389
cloud computing, 709
cryptographic, 152–153
log files, 861
patches, 543–545
vulnerabilities, 645
vulnerability scanners, 546–547
vulnerability testing, 635–636
weaknesses, 668–670
applied cryptography, 148
applications, 152–153
cipher suites, 153–162
cryptographic attacks, 174–179
key terms, 181–182
lab projects, 183
PGP, 165–167
quizzes, 182–183
review, 181
S/MIME, 162–164
secure protocol use cases, 172–174
secure protocols, 169–172
standards, 179–180
steganography, 167–168
uses, 149–153
APTs. See advanced persistent threats (APTs)
arbitrary code execution, 741
architecture considerations in BYOD model, 468
archive bit, 805
archiving keys, 218–219
ARLs (authority revocation lists), 211
armored viruses, 580
ARO (annualized rate of occurrence)
defined, 763
risk calculations, 788
ARP. See Address Resolution Protocol (ARP)
arp command, 619–620
artifacts in forensics, 896
ASA (Attack Surface Analyzer), 527
Asia, privacy laws in, 951
ASP (Active Server Pages), 663
ASP.NET, 663
assertion service in XKMS, 228
assertion status service in XKMS, 228
asset value (AV) in risk calculations, 788
assets
defined, 762
management policies, 55
mobile devices, 456
risk management, 780
assurance, 114
asymmetric encryption, 135–140
Asynchronous Transfer Mode (ATM), 281
Atbash cipher, 121
attachments, 740
Attack Surface Analyzer (ASA), 527
attack surfaces
description, 41
minimization, 722–723
attacks, 574
address, 599
advanced persistent threats, 605
amplification, 602
application. See application attacks
avenues, 575–576
brand-name, 13–14
cache poisoning, 599–602
client-side, 603–604
cryptographic, 174–179
domain hijacking, 602
DoS, 587–590
driver manipulation, 604–605
encryption, 597–598
frameworks in incident response, 838–842
key terms, 610–611
lab projects, 613
malicious code, 576
malware. See malware
man-in-the-browser, 596
man-in-the-middle, 595–596
pass-the-hash, 602–603
quizzes, 611–613
replay, 597
review, 610
scanning, 597
sniffing, 591
social engineering, 90–99
spoofing, 592–595
TCP/IP hijacking, 595
transitive access, 597
attribute-based access control (ABAC), 377
attributes
actor, 14–16
certificates, 202–205
identity, 378
multifactor authentication, 398–399
auditability in CIA of security, 28
auditing
accounts, 367–368
cloud, 703–704
configuration, 822
overview, 639–640
usage, 367–368
Authenticated Encryption with Associated Data (AEAD), 130
RC4, 132
symmetric encryption, 134
authentication, 358–359
vs. access control, 371
account policies, 363–370
accounts, 360
attestation, 388
authorization, 370–378
basic, 382
biometric efficacy rates, 393–396
biometric factors, 391–393
certificates, 385
CIA of security, 28
cloud vs. on-premises requirements, 416
connections, 416–417
data loss and theft prevention, 415
databases, 415
digest, 382–383
directory services, 387
federation, 387–388
groups, 361–362
identity, 378–380
Kerberos, 383–384
key terms, 419–420
knowledge-based, 386–387
lab projects, 423
logs, 862
methods, 381–387
multifactor, 396–399
mutual, 384–385
protocols, 406–413
quizzes, 420–422
RADIUS, 401
references, 417
remote access. See remote access
review, 418–419
roles, 362–363
single sign-on, 365–366
TACACS+, 404
technologies, 388–390
tokens, 385–386
transitive trusts, 388
users, 359–360
wireless security, 437–439
authentication, authorization, and accounting (AAA), 358
authentication servers (ASs), 383
Authenticode system, 666–667
authority factor in social engineering, 89
authority revocation lists (ARLs), 211
authorization
access control, 371
access control lists, 374–375
attribute-based access control, 377
conditional access, 377–378
description, 370–371
discretionary access control, 376
mandatory access control, 375–376
penetration testing, 631–632
permissions, 371–374
RADIUS, 402
role-based access control, 376–377
rule-based access control, 377
social engineering factor, 90–91
TACACS+, 404–405
autofill fields, 670
automation, 551–555
home, 561–562
policy enforcement, 55
SIEM, 498
software development, 750
autonomous systems (ASs), 303
AutoPlay feature, 252–253
Autopsy tool, 629
availability
business risks, 775
CIA of security, 28
cloud, 704–705
risk management, 767
avoidance response for risk, 765
B
Back Orifice (BO) trojan, 578
backdoors
incident response, 839
backout plans in change management, 824
backup generators
business continuity, 812
power protection, 261
backup power, 261
backups
business continuity, 804–810
data, 56
frequency and retention, 806–808
lifetime, 350
restoration order, 811
storage, 808–810
strategies, 805
types, 805–806
badges, 250
bandwidth
band selection, 441
coaxial cable, 344
fiber-optic cable, 346
hubs, 317
IPv6, 292
monitoring, 864
packets, 282
QoS, 305
wireless communications, 441–442
banking rules and regulations, 946
banner grabbing, 505–506
barricades, 240
Basel Committee on Banking Supervision, 761–762
baselines
application configuration, 742
change management, 821–822
controls, 767
host software, 546
machine hardening, 523–524
operating system hardening, 524–525
risk assessment, 790
software development, 753, 828–829
Unix, 529–530
basic authentication, 382
Basic Input/Output System (BIOS)
boots, 237
hardening, 514
settings, 251
basic packet filtering in firewalls, 325
basic service set identifiers (BSSIDs), 440
batch mode in HIDSs, 485
BCPs (business continuity plans), 801–802
Bcrypt key-stretching mechanism, 157
beacon frames for access points, 440
behavior based IDS model, 477
Bell-LaPadula security model, 43–44
benchmarks, 566–568
Bernstein, Daniel, 132
best evidence rule, 879
best practices
Critical Security Controls, 568
incident response, 867–868
investigations, 854
risk management, 791–792
training for, 76
BGP (Border Gateway Protocol), 303
BIA (business impact analysis), 772, 802
Biba security model, 44–45
big data
analytics, 495–496
e-discovery, 901
handling, 549
binary diversity in software development, 749
binary risk assessment, 784
binding corporate rules (BCRs) in GDPR, 950
biometrics
authentication, 391–393
description, 250
efficacy rates, 393–396
mobile devices, 455
BIOS (Basic Input/Output System)
boots, 237
hardening, 514
settings, 251
birthday attacks, 175, 608–609
BIS (Bureau of Industry and Security), 918
Bitcoin, 153
BitLocker
filesystem encryption, 152
full disk encryption, 453
system hardening, 524–525
black-box testing
software development, 728–729
system tests, 638
black hat hacking, 639
blacklisting
e-mail, 680
BLE (Bluetooth Low Energy), 426
blind FTP, 657–658
block ciphers, 128
block lists for spam, 683
block symmetric encryption, 134
blockchains, 153
blocking, USB, 499–500
Blowfish ciphers, 131–132
Blu-ray discs, 350
Bluebugging, 450
Bluejacking, 449
Bluesnarfing, 450
Bluetooth
attacks, 449–450
connections, 425–426
disabling, 457
mobile devices, 558
Bluetooth Low Energy (BLE), 426
bollards, 239–240
boot sector viruses, 579
bootdisks, 236–237
booting
measured boot method, 515
Border Gateway Protocol (BGP), 303
Bork, Robert, 944
Bosch, Robert, 564
botnets
description, 582
DNS sinkholes, 495
spam, 675
BPAs (business partnership agreements), 80
BPDU (Bridge Protocol Data Unit) guards, 319
brand-name attacks, 13–14
breaches
business risks, 773
consequences, 931–932
examples, 6–7
privacy, 957
Brewer-Nash security model, 44
Bridge Protocol Data Unit (BPDU) guards, 319
bridges, 317
bring-your-own-device (BYOD)
mobile devices, 465–469
in offboarding, 66
policies, 69–70
British thermal units (BTUs), 255
broad network access in cloud computing, 698
broadcast domains, 274
broadcast storm prevention, 319
broadcasts
hubs, 501
IP addresses, 300
microwave media, 348
browser helper objects (BHOs), 666
browsers
code-based vulnerabilities, 660
plug-ins, 665–666
vulnerabilities, 662–663
brute force password attacks, 177–178, 607–609
BTUs (British thermal units), 255
bug tracking in software development, 734–735
bump keys, 243–244
Bureau of Industry and Security (BIS), 918
burning data, 938
Burp Suite tools, 630
bus topologies, 270
business continuity, 800
after-action reports, 803
alternative sites, 810–811
backups, 804–810
business continuity plans, 801–802
business impact analysis, 802
COOP, 813
critical systems identification, 802
failover, 803–804
key terms, 831
quizzes, 832–834
recovery, 812–813
restoration order, 811
review, 830–831
risk assessment, 803
single points of failure, 802–803
succession planning, 803
utilities, 812
business continuity plans (BCPs), 801–802
business impact analysis (BIA), 772, 802
business partners
onboarding and offboarding, 66
risk management, 79
business partnership agreements (BPAs), 80
business risks, 770–775
busses, 563–564
BYOD (bring-your-own-device)
mobile devices, 465–469
in offboarding, 66
policies, 69–70
C
CA certificates, 202–203
cabinets, secure, 247
cable
coaxial, 344
fiber-optic, 346–347
protected, 247
shielding, 261
UTP/STP, 345
cable locks, 248
cable modems, 330
caches
DNS queries, 676
forensics, 897
poisoning, 599–602
caching proxies, 336
CACs (Common Access Cards), 380, 385
California Senate Bill 1386 (SB 1386), 946
call detail records (CDRs), 863
call managers, 862–863
callback verification for e-mail, 680
Cambridge Analytica breach, 932
cameras
cell phones, 104
metadata, 866
protecting, 559
camouflage
industrial, 242
software development, 744
campus area networks (CANs), 269
CAN bus (controller area network bus), 563–564
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act), 680, 914–915
Canada
computer trespass, 912
digital signature laws, 921
privacy laws, 950
canonicalization errors, 732–733
CANs (campus area networks), 269
Capability Maturity Model Integration (CMMI), 826–827
CAPI (Cryptographic Application Programming Interface) environment, 213
Capone, Al, 910
captive portals, 446
capture-the-flag events, 73
cards for physical access, 249–250
Carlisle Adams and Stafford Tavares (CAST) algorithm
description, 130
carrier unlocking for mobile devices, 461–462
CAs. See certificate authorities (CAs)
CASBs (Cloud Access Security Brokers), 708–709
case law for cybercrime, 911
CAST (Carlisle Adams and Stafford Tavares) algorithm
description, 130
cat command, 623
Category x cable, 345
cause-and-effect risk analysis, 790
CBC (Cipher Block Chaining), 133
CC (Common Criteria), 179–180
CCBs (change control boards), 824–826
CCMP (Counter Mode/CBC-MAC Protocol), 439
CCTV (closed-circuit television) cameras, 245, 885
CDs (compact discs), 350
cellular connections, 425
centralized infrastructures in PKI, 215–220
CER (crossover error rate) in biometrics, 395
.cer file extension, 206
certificate authorities (CAs), 186–187
in-house, 189
internal, 213
online vs. offline, 191
outsourced, 189–191
PKIX, 222
public, 188–189
root, 196
subordinate, 194
trust models, 193–195
trust relationships, 193
certificate chaining, 193–194
Certificate Enrollment Protocol (CEP), 228
Certificate Management Protocol (CMP), 226
certificate policies (CPs), 188–189
certificate revocation lists (CRLs), 209–211, 215
certificate servers, 187
certificate signing requests (CSRs), 208
certificates
attributes, 202–205
authentication, 385
classes, 198–200
extensions, 200–201
fields, 197–198
formats, 206–207
identity, 379
life cycles, 207–212
paths, 195–197
PKI, 186–187
repositories, 212–215
threats, 220–221
TLS, 654
validating, 215
certification practices statements (CPSs), 187
CERTs (computer emergency response teams), 837
CFAA (Computer Fraud and Abuse Act), 911, 914–915, 943
ChaCha20 cipher, 132
chain of custody for evidence, 880
Challenge-Handshake Authentication Protocol (CHAP), 409
change control, 54
change control boards (CCBs), 824–826
change management, 800–801
backout plans, 824
change control boards, 824–826
CMMI, 826–827
code integrity, 825–826
elements, 821–822
implementing, 823–824
key terms, 831
lab projects, 835
overview, 817–819
policy, 54
quizzes, 832–834
review, 830–831
risk strategies, 778–779
scope, 819
separation of duties, 819–821
software development, 752–753
channel overlays in wireless security, 443
CHAP (Challenge-Handshake Authentication Protocol), 409
checksums, 887
Children’s Online Privacy Protection Act (COPPA), 943–944
chip cards, 390
chmod command, 624
choice factor in PII, 935
choose your own device (CYOD) deployment model, 465
chosen ciphertext attacks, 175
Christmas attacks, 597
CIA of security, 28
CIP (Critical Infrastructure Protection) standards, 565
Cipher Block Chaining (CBC), 133
cipher locks, 244
cipher modes in symmetric encryption, 133–134
cipher suites, 153–154
common use cases, 161–162
ephemeral keys, 157
implementation vs. algorithm selection, 160–161
key escrow, 156
key exchange, 155–156
key stretching, 157
secret algorithms, 155
session keys, 156–157
strong vs. weak, 154
transport encryption, 157–160
weak/deprecated algorithms, 154–155
ciphertext, 117
CIRTs (cyber incident response teams), 837–838, 848–849, 857–858
Citibank incident, 2
Clark-Wilson security model, 45–46
classes of digital certificates, 198–200
classification of information, 56
clean-agent fire suppression systems, 257
click fraud, 909
clickjacking, 604
client-side attacks, 603–604, 669–670
client-side validation in software development, 743
client-to-server tickets, 383
clients, network, 270
Clipper chip, 220
closed-circuit television (CCTV) cameras, 245, 885
closed ports, 504
Cloud Access Security Brokers (CASBs), 708–709
cloud-based DLPs, 500
cloud-based vulnerabilities, 641
cloud computing, 696–697
application security, 709
authentication requirements, 416
characteristics, 697–698
Cloud Access Security Brokers, 708–709
cloud-native controls vs. third-party solutions, 710–711
cloud service providers, 701–702
compute aspects, 706–707
containers, 714
edge computing, 713
firewalls, 709–710
fog computing, 713
forensics, 901–902
key terms, 716
lab projects, 719
level of control, 699–700
microservices, 714
networks, 705–706
quizzes, 717–718
review, 716
risks, 793–794
Security as a Service, 707–708
security controls, 702–707
serverless architecture, 715
service models, 698–699
services integration, 700
thin clients, 713
types, 700–701
VDI/VDE, 712
virtualization, 711–712
cloud-native controls vs. third-party solutions, 710–711
cloud service providers (CSPs), 701–702
CMF (collection management framework), 867
CMMI (Capability Maturity Model Integration), 826–827
CMS (Cryptographic Message Syntax), 164
coaxial cable, 344
Cobalt Strike application, 630
COBIT (Control Objectives for Information and Related Technologies), 766
COBO (corporate-owned business-only) deployment model, 465
code
change management, 825–826
injection attacks, 736–738
malicious, 576
quality and testing, 745–748
reuse, 744
third-party risks, 777
code analysis, 745–746
code-based vulnerabilities, 660
add-ons, 666
browser, 662–663
code signing, 666–667
cookies, 663–665
Java, 661
JavaScript, 661–662
plug-ins, 665–666
server-side scripts, 663
code signing
certificates, 204
overview, 666–667
software development, 743
codes of ethics, 63
coding phase in software development, 724–725
Codoso Group, 5
COFEE (Computer Online Forensics Evidence Extractor), 883
cold aisles, 256
cold sites, 811
collection inventory matrix (CIM), 866
collection management framework (CMF), 867
collection of evidence, 881
collector placement, 340
collision domains, 317
command-and-control servers, malware in, 581
command injection attacks, 738
Common Access Cards (CACs), 380, 385
Common Criteria (CC), 179–180
common Internet crime schemes, 911
common law, 911
Common Name (CN) field for certificates, 203–204
Common Vulnerabilities and Exposures (CVE), 636–637, 725
Common Vulnerability Scoring System (CVSS), 636–637
Common Weakness Enumeration (CWE), 725
communication plans in incident response, 860
community clouds, 701
community strings in SNMP, 541
compact discs (CDs), 350
company-issued, personally enabled (COPE) deployment model, 465
compensating controls, 770
competent evidence, 879
compiled code and compilers, 748–749
complete mediation, 36–37
complexity of passwords, 60, 364
compliance
CAN-SPAM, 914
DPOs, 937–938
GDPR, 949
ISO/IEC 27002, 180
privacy, 953
SCM, 526
SCT, 527
training for, 76–77
web security gateways, 337
computer-based training (CBT), 74
computer certificates, 204
computer emergency response teams (CERTs), 837
computer forensics, 876–877
analysis, 891–894
BYOD model, 467
data recovery, 882
devices, 899
evidence. See evidence
filesystems, 894–896
hosts, 894–899
investigations, 889–890
key terms, 904
lab projects, 907
legal holds, 900–902
message digest and hash, 890–891
networks, 899–900
process, 880–882
quizzes, 905–907
review, 903–904
tools, 627–629
Computer Fraud and Abuse Act (CFAA), 911, 914–915, 943
Computer Online Forensics Evidence Extractor (COFEE), 883
computer security problem, 1–4
computer trespass, 912
COMSEC, 27
concentrators, VPN, 328–329
Concept virus, 579–580
conditional access, 377–378
conduits for networks, 276
Conficker worm, 3–4
confidentiality
CIA of security, 28
models based on, 42–43
configuration
auditing, 822
change management, 778–779, 821–822
guides, 566–568
hardening, 520–521
identification, 821
network devices, 540–541
status accounting, 822
validation, 552–553
configuration management, 32, 801
confusion in cryptography, 116
connections
authentication, 416–417
SSH, 411
wireless security, 425–429
consensus factor in social engineering, 89
consent factor in PII, 935
constrained data items (CDIs), 45–46
constraints in cryptography, 162
contactless access cards, 243
containers
mobile devices, 456
virtualization, 314
containment in incident response, 851–852
content-based signatures, 478
content filters
e-mail, 680
Internet, 338
proxies, 336
content inspection, 339
content management for mobile devices, 453
content monitoring by web security gateways, 337
Content Scramble System (CSS), 151
context-aware authentication, 456
context-based signatures, 478–479
contingency planning, 816
continuing education, 76
continuity of operations planning (COOP), 813
continuous lighting, 241
continuous monitoring, 552, 750
continuous operations in software development, 750–751
continuous risk management, 764
contractors in social engineering attacks, 91
Control Objectives for Information and Related Technologies (COBIT), 766
control systems for networks, 276
controller area network bus (CAN bus), 563–564
controller-based access points, 441
controllers
data, 937
domain, 363
wireless security, 445
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), 680, 914–915
controls
cloud computing, 702–707
defined, 763
risk management, 767–770, 781–782
testing, 316
vulnerability testing, 637
Convention on Cybercrime, 912–913
convergence, 250
cookies
cookie cutters, 951–952
disabling, 665
Flash, 740
ISAKMP, 225
privacy issues, 955–956
vulnerabilities, 663–665
COOP (continuity of operations planning), 813
Coordinated Universal Time (UTC), 899
COPE (company-issued, personally enabled) deployment model, 465
COPPA (Children’s Online Privacy Protection Act), 943–944
copyright issues, 922–923
Core Impact tools, 630
corporate-owned business-only (COBO) deployment model, 465
corrective controls, 770
correctness considerations in security, 18
correlation
correlation engines, 341
SIEM for, 497–498
cost/benefit risk analysis, 790
cost considerations for firewalls, 709–710
cost-effectiveness risk modeling, 791
Counter Mode (CTM), 133–134
Counter Mode/CBC-MAC Protocol (CCMP), 439
counterintelligence gathering, 893
countermeasures, 763
Cozy Bear group, 14
CPSs (certification practices statements), 187
Credential Guard, 526
credentials
authentication, 360
harvesting, 97
managing, 366
mobile devices, 458
policies, 58–60
vulnerability scans, 635
credit cards
breaches, 6–7
card verification code, 872
data masking, 952
data minimization, 870
FACTA, 947
PCI DSS, 916
criminal organizations, 12–13
critical bugs in software development, 734
critical certificate extensions, 202
critical data, 934
Critical Infrastructure Protection (CIP) standards, 565
critical infrastructure threats, 13
critical systems
business risks, 772
identifying, 802
CRLs (certificate revocation lists), 209–211, 215
cross-certification certificates, 203
cross-site request forgery (XSRF) attacks, 739–740
cross-site scripting (XSS), 669, 735–736
crossover error rate (CER) in biometrics, 395
cryptanalysis, 112–113
crypto-malware, 582
crypto modules, 161
cryptocurrencies, 153
Cryptographic Application Programming Interface (CAPI) environment, 213
Cryptographic Message Syntax (CMS), 164
cryptographic service providers (CSPs), 160–161
cryptographically random numbers, 727
Cryptographically Secure Random Number Generator (CSPRNG) algorithms, 122
cryptography, 112–113. See also encryption
algorithms, 115
applied. See applied cryptography
asymmetric encryption, 135–140
attacks, 174–179
failures, 726–728
fundamental methods, 114–115
hashing functions, 123–127
historical perspectives, 117–123
homomorphic encryption, 141–142
key length, 115–116
key management, 122
key terms, 144
lab projects, 147
lightweight, 141
objectives, 116–117
one-time pads, 121
post-quantum, 140–141
in practice, 113–114
quantum, 140
quizzes, 145–146
random numbers, 122–123
references, 142
review, 143–144
symmetric encryption, 127–134
CryptoLocker ransomware, 577
cryptomalware, 577
CSF (Cyber Security Framework), 565
CSPRNG (Cryptographically Secure Random Number Generator) algorithms, 122
CSPs (cloud service providers), 701–702
CSPs (cryptographic service providers), 160–161
CSRs (certificate signing requests), 208
CSS (Content Scramble System), 151
Cuckoo sandbox, 622
curl command, 620–621
current threat environment, 4–8
curves in elliptic curve cryptography, 138–139
custodians of data, 937
custom firmware for mobile devices, 461
customer data, PII in, 936
CVE (Common Vulnerabilities and Exposures), 636–637, 725
CVSS (Common Vulnerability Scoring System), 636–637
CWE (Common Weakness Enumeration), 725
cyber incident response teams (CIRTs), 837–838, 848–849, 857–858
cyber kill chain model, 840–841
Cyber Observable Expression (CybOX), 869, 871–872
Cyber Security Framework (CSF), 565
cybercrime, 909–910
common Internet schemes, 911
computer trespass, 912
Convention on Cybercrime, 912–913
digital rights management, 922–923
digital signature laws, 920–922
encryption debate, 910–911
import/export encryption restrictions, 918–919
key terms, 927
PCI DSS, 916–917
quizzes, 927–929
review, 926
Cybersecurity Framework model, 29–30
cybersecurity kill chains, 18–19
Cybersecurity Unit, 868
cyberwar, 3
CybOX (Cyber Observable Expression), 869, 871–872
CYOD (choose your own device) deployment model, 465
D
DAC (discretionary access control), 373, 376
daemons, 530
dashboards in SIEM, 496
data
backups. See backups
classification, 526
collection models in incident response, 866–867
disposal and destruction, 57–58, 938–940
exfiltration, 773
governance, 57
labeling and handling, 57, 931, 933–936
need to know principle, 57–58
policies, 55–58
poor practices, 103
privacy. See privacy
recovery. See recovery
data at rest
protecting, 548
transport encryption, 160
data-based security controls, 547–550
Data Breach Investigations Report (DBIR), 16
data breaches
business risks, 773
consequences, 931–932
examples, 6–7
privacy, 957
Data Encryption Standard (DES)
keys in, 115
symmetric encryption, 128–129
Data Execution Prevention (DEP), 517
data exposure in software development, 745
data in transit
protecting, 548
transport encryption, 160
data in use
protecting, 548
transport encryption, 160
data loss prevention (DLP)
authentication, 415
cloud-based, 500
description, 338
hardening, 535–536
USB blocking, 499–500
data masking, 952
data minimization, 952
Data Over Cable Service Interface Specification (DOCSIS), 330
data owners
BYOD model, 466
defining, 56
privacy, 936
role-based training, 74
data privacy officers (DPOs), 937–938
data processors, 937
data protection
European statutes, 948–950
web security gateways, 337
data roles in privacy, 936–938
data sharing, unauthorized, 56
data sources in incident response, 860
data sovereignty of backups, 810
databases
protecting, 415
datagrams, 284–285
Daubert standard, 878–879
DBIR (Data Breach Investigations Report), 16
DCSs (distributed control systems), 560
dd command, 627–628
DDoS (distributed denial-of-service) attacks
firewalls for, 326
mitigators, 341
overview, 588–589
de Guzman, Onel, 3
dead code, 744
decentralized infrastructures in PKI, 215–220
deception and disruption technologies, 493–495
decision trees, 486
defaults
fail-safe, 35–36
settings, 643
defense in depth, 38–39
defenses for social engineering, 90
delay-based filters for e-mail, 680
delivery phase in software development, 751
delta backups, 806
demilitarized zones (DMZs)
intranets, 279
networks, 277–278
segments, 272–273
demonstrative evidence, 878
denial-of-service (DoS) attacks
Bluetooth, 449–450
defending against, 589–590
ICMP, 288
overview, 587–588
smurf, 589
war-dialing and war-driving, 590
DEP (Data Execution Prevention), 517
Department of Justice, incident response best practices, 868
deployment models for mobile devices, 465–469
deployment phase in software development, 729, 751
deprecated algorithms and functions
cipher suites, 154–155
software development, 728
deprovisioning in software development, 753–754
DER (distinguished encoding rules) format, 206
DES (Data Encryption Standard)
keys in, 115
symmetric encryption, 128–129
design phase in software development, 724
Desired State Configuration (DSC), 526–527
destruction
certificate keys, 212
detection in incident response, 849–850
detective controls, 770
deterrent controls, 769–770
development environments. See software development
devices
credential policies, 59
fire detection, 258–259
forensics, 899
locks, 244
mobile. See mobile devices
placing, 340–342
protecting, 311–313
removal in incident response, 853
theft, 253–255
wireless, 329
DevOps, 749–751
DH (Diffie-Hellman) algorithm, 136
ECDH, 136–137
groups, 136
PGP, 165
DHCP (Dynamic Host Configuration Protocol)
modems, 330
overview, 298–299
snooping, 320
DHE (Diffie-Hellman Ephemeral) algorithm, 137
diagnostics for networks, 332–333
Diameter suite, 403
Diamond Model of Intrusion Analysis, 842
dictionary password attacks, 177, 606–607
differential backups, 805–806
differential cryptanalysis, 113
Diffie, Whitfield, 135
Diffie-Hellman (DH) algorithm, 136
ECDH, 136–137
groups, 136
PGP, 165
Diffie-Hellman Ephemeral (DHE) algorithm, 137
diffusion in cryptography, 116
dig command, 615–616
digest authentication, 382–383
digital certificates. See certificates
Digital Millennium Copyright Act (DMCA), 922–923
digital rights management (DRM)
cryptography, 151–152
overview, 922–923
digital sandboxes, 493
Digital Signature Algorithm (DSA), 125
digital signatures
applied cryptography, 150–151
asymmetric encryption, 136
IDSs, 478–479
laws, 920–922
digital video discs (DVDs), 350
direct evidence, 878
direct-sequence spread spectrum (DSSS), 430
directory services
description, 387
web, 657–658
directory traversal, 738
disabling
accounts, 61, 65, 369, 521–522
administrator accounts, 364
AutoPlay, 253
Bluetooth, 457
cookies, 665
e-mail, 66
passwords, 521–522
ports and services, 520
SSL, 154
unused features, 457
USB support, 252
disassociation attacks, 451
disaster recovery, 800, 813–814
business functions, 815
IT contingency planning, 816
key terms, 831
process, 814–815
quizzes, 832–834
review, 830–831
RTO and RPO, 817
testing, 816–817
disaster recovery plans (DRPs), 801–802, 814–815
discovery tools, 615–622
discretionary access control (DAC), 373, 376
diskettes, 349
displays, 557
disposal of data, 57–58, 938–940
Disposal Rule, 947
distance issues for backups, 810
distinguished encoding rules (DER) format, 206
Distinguished Names, 213
distributed control systems (DCSs), 560
distributed denial-of-service (DDoS) attacks
firewalls for, 326
mitigators, 341
overview, 588–589
distribution, protected, 247
distributive allocation, 555
diversity
defense, 40–41
software, 748–749
DKIM (DomainKeys Identified Mail), 684
DLLs (dynamic link libraries), 738
DLP. See data loss prevention (DLP)
DMCA (Digital Millennium Copyright Act), 922–923
DMZs. See demilitarized zones (DMZs)
DNS. See Domain Name System (DNS) protocol
DNS over HTTPS (DoH), 297–298
dnsenum tool, 622
DNSSEC (Domain Name System Security Extensions), 169, 296–297, 601
DOCSIS (Data Over Cable Service Interface Specification), 330
document integrity, cryptography for, 150
documentary evidence, 878
documented incident types and categories in incident response, 848
DoH (DNS over HTTPS), 297–298
DOM-based XSS attacks, 736
Domain Name System (DNS) protocol
DNS over HTTPS, 297–298
e-mail checks, 680
kiting, 599
logs, 862
operation, 297
poisoning, 599–601
queries, 676
remote packet delivery, 295–296
secure protocol, 173
sinkholes, 495
Domain Name System Security Extensions (DNSSEC), 169, 296–297, 601
DomainKeys Identified Mail (DKIM), 684
domains
cookies, 664
hijacking, 602
passwords, 363–365
validating, 205
doors, 244
DoS attacks. See denial-of-service (DoS) attacks
Downadup worm, 3–4
downgrade attacks, 176
DPOs (data privacy officers), 937–938
drills, emergency, 257
drive-by download attacks, 604
driver manipulation attacks, 604–605
DRM (digital rights management)
cryptography, 151–152
overview, 922–923
DRPs (disaster recovery plans), 801–802, 814–815
DSA (Digital Signature Algorithm), 125
DSC (Desired State Configuration), 526–527
DSSS (direct-sequence spread spectrum), 430
dual control in PKI, 219
dual power supplies, 261–262
due care and due diligence policies, 70–71
due process policies, 71
dump files, 862
duplication of drives in incident response, 855
Duqu malware, 5–6
duties, separation of, 35, 46, 64, 819–821
DVDs (digital video discs), 350
dynamic code analysis, 746–747
Dynamic Host Configuration Protocol (DHCP)
modems, 330
overview, 298–299
snooping, 320
dynamic learning in port security, 319
dynamic link libraries (DLLs), 738
dynamic NAT, 302
dynamic resource allocation, 706
Dynamite Panda group, 5
E
e-discovery (electronic discovery), 900–901
e-mail
antivirus scanning, 534
certificates, 205
DKIM, 684
encryption, 685–689
gateways, 679–685
greylisting, 682–683
hoaxes, 678–679
key terms, 692
lab projects, 695
malicious code, 676–678
metadata, 865
MIME, 673–674
operation, 670–672
popularity, 650
quizzes, 693–694
relaying, 682
review, 691–692
secure protocol, 173
security, 674–679
SPF, 683–684
spoofing, 592
structure, 672–673
usage policies, 68
E-Sign law (Electronic Signatures in Global and National Commerce Act), 920
EAP (Extensible Authentication Protocol)
description, 408
wireless security, 437
WPS, 433
EAP-FAST protocol, 437
EAP-TLS protocol, 437
EAP-TTLS protocol, 438
EAPOL (Extensible Authentication Protocol over LAN), 400
EAR (Export Administration Regulations), 918
Early Launch Anti-Malware (ELAM), 525–526
east-west traffic, 279
eavesdropping, 259–260
eBay
data breach, 7
fraud target, 909
ECB (Electronic Codebook), 133
ECC (elliptic curve cryptography), 138–139
ECDH (Elliptic Curve Diffie-Hellman) algorithm, 137
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) algorithm, 137
Eck, Wim van, 259
Eck phenomenon, 259
economy of mechanism, 36
ECPA (Electronic Communications Privacy Act), 913–914
edge computing, 713
EDRM (Electronic Discovery Reference Model), 901
EER (equal error rate) in biometrics, 395
EFS (Encrypting File System), 152
Egghead breach, 932
egress e-mail filtering, 681
802.1X standards. See IEEE 802.1X standards
ELAM (Early Launch Anti-Malware), 525–526
elasticity
cloud computing, 698
description, 555
software development, 751–752
virtualization, 316
electrical power protection, 260–262
electromagnetic environments, 259–260
electromagnetic interference (EMI)
Faraday cages, 247–248
shielding, 516
electromagnetic pulse (EMP), 516
electronic access control systems, 249–250
Electronic Codebook (ECB), 133
Electronic Commerce Directive, 922
Electronic Communications Privacy Act (ECPA), 913–914
electronic discovery (e-discovery), 900–901
Electronic Discovery Reference Model (EDRM), 901
electronic media, 351–352
electronic medical records (EMR) systems, 945
Electronic Signatures in Global and National Commerce Act (E-Sign law), 920
Elfin group, 5
ElGamal algorithm, 138
eliciting information in social engineering, 95
elite hackers, 11
elliptic curve cryptography (ECC), 138–139
Elliptic Curve Diffie-Hellman (ECDH) algorithm, 137
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) algorithm, 137
embedded systems, 558–559
emergency changes, 819
emergency lighting, 241
emergency power-off (EPO) switches, 261
EMI (electromagnetic interference)
Faraday cages, 247–248
shielding, 516
EMP (electromagnetic pulse), 516
employees
insider threats, 11–12
policies. See human resources security policies
EMR (electronic medical records) systems, 945
enclaves, network, 273–274
enclosures, secure, 247
Encrypting File System (EFS), 152
encryption. See also cryptography
applications, 458–459
attacks, 597–598
BitLocker, 524–525
cloud, 704
cybercrime debate, 910–911
e-mail, 685–689
homomorphic, 141–142
import/export restrictions, 918–919
man-in-the-middle attacks, 596
methods, 548–549
passwords, 364
software development, 743
transport, 157–160
vulnerabilities, 642–643
web, 652
WPA3, 436
end-entities
certificates, 202–203
PKIX, 222
end of service life (EOSL), 81, 777
endpoint detection and response (EDR), 535
endpoints
protecting, 532–539
VPN, 413–414
Energetic Bear group, 14
Enforce password history setting, 61, 363
enhanced data rate (EDR), 426
entanglement in quantum cryptography, 140
Enterprise mode in WPA, 435
entropy in cryptography, 122
environmental controls, 255–256
environments
camera systems, 559
embedded systems, 558–559
game consoles, 559
HVAC, 560–561
mainframes, 559–560
peripherals, 556–558
phones and mobile devices, 558
SCADA/ICS, 560
smart devices, 561
special-purpose systems, 562–565
ephemeral keys, 157
EPO (emergency power-off) switches, 261
Epoch time, 898–899
equal error rate (EER) in biometrics, 395
equipment failures, 781
eradication phase in incident response, 851–852, 855
errors
software development, 731
vulnerabilities, 642
escalating privileges
incident response, 839
penetration testing, 633
escalation in incident response, 853
escape protection in virtual machines, 315, 712
EternalBlue vulnerability, 577
Ethernet protocol
cable, 344–346
description, 281
hubs, 318
jacks, 236
NICs, 317
packet delivery, 293
switches, 318
ethics
codes of ethics, 63
IT code, 924–925
Europe
computer trespass, 912
Convention on Cybercrime, 912–913
digital signature laws, 921–922
DPOs, 938
privacy laws, 948–950
Qualified Certificate, 223
EU–U.S. Privacy Shield Framework, 566
event deduplication in SIEM, 499
event logs in computer forensics, 897
Event Viewer, 861
evidence, 877–878
acquiring, 882–884
chain of custody, 880
hashes, 886–887
identifying, 887
network traffic and logs, 885
protecting, 888
record time offset, 886
rules, 879
screenshots, 887
standards, 878–879
storing, 888–889
system images, 885
tags, 880
transporting, 888
types, 878
video, 885–886
volatility, 884–885
witness interviews, 887
evil twin attacks, 448–449
evolutionary software development model, 721
examination of evidence, 881
exceptions
managing, 31–32
software development, 731
exclusionary rule, 879
exclusive OR (XOR) function in cryptography, 118
executive users, role-based training for, 75–76
exercises for incident response, 849, 858–859
exfiltration, data, 773
exit interviews, 66
expiration
certificates, 209
cookies, 663
passwords, 59–60
explicit FTPS, 659
Export Administration Regulations (EAR), 918
exposure factor (EF)
defined, 763
risk calculations, 788
extended service sets (ESSs), 440
extended validation (EV) certificates, 205
eXtensible Access Control Markup Language (XACML), 377
Extensible Authentication Protocol (EAP)
description, 408
wireless security, 437
WPS, 433
Extensible Authentication Protocol over LAN (EAPOL), 400
extensions
browser, 665–666
certificates, 200–201
external media
mobile devices, 463
storage devices, 557
external threat actors, 15
externalities, 763
extranets, 280
F
Facebook breach, 932
facial recognition, 392
FACTA (Fair and Accurate Credit Transactions Act), 947
fail-safe defaults, 35–36
fail-soft locks, 244
failover process, 803–804
failure to enroll rate (FER) in biometrics, 396
Fair and Accurate Credit Transactions Act (FACTA), 947
Fair Credit Reporting Act (FCRA), 947
Fair Information Practice Principles (FIPPs), 941
fake telemetry, 495
false acceptance rate (FAR) in biometrics, 394–396
false negatives
biometrics, 393–394
IDSs, 479
vulnerability testing, 635
false positives
biometrics, 393–394
IDSs, 479
vulnerability testing, 634
false rejection rate (FRR) in biometrics, 395–396
familiarity factor in social engineering, 89
Family Education Records and Privacy Act (FERPA), 943
Faraday cages, 247–248
fat access points, 441
FBI (Federal Bureau of Investigation)
cybercrime, 910–911
Internet Crime Complaint Center, 911
FC (Fibre Channel) technology, 344
FCC (Federal Communications Commission), 248
FCoE (Fibre Channel over Ethernet) protocol, 344
FCRA (Fair Credit Reporting Act), 947
FDDI (Fiber Distributed Data Interface), 281
Federal Bureau of Investigation (FBI)
cybercrime, 910–911
Internet Crime Complaint Center, 911
Federal Communications Commission (FCC), 248
Federal Information Processing Standards Publications (FIPS), 179
Federal Risk and Authorization Management Program (FedRAMP), 766
federation, 387–388
Felten, Edward, 923
fences, 240
Ferguson, Niels, 132
Fiber Distributed Data Interface (FDDI), 281
fiber-optic cable
cut incident, 4
overview, 346–347
Fibre Channel (FC) technology, 344
Fibre Channel over Ethernet (FCoE) protocol, 344
FIDO Alliance, 393
File Transfer Protocol (FTP), 413, 657
fileless malware, 580
files
encryption, 549
manipulation tools, 623–624
metadata, 865–866
permissions, 371–374
filesystems
computer forensics, 894–896
encryption, 152
filtered ports, 504
filters
firewalls, 325
Internet, 338
MAC, 320–321
placing, 341
screen, 248
spam, 679–681
switches, 318
URL, 339
wireless security, 445–446
financial business risks, 774
financial PII, 935–936
fines for breaches, 932
fingerprint scanners, 391
FIPPs (Fair Information Practice Principles), 941
FIPS (Federal Information Processing Standards Publications), 179
fire suppression, 256–259
firewalls, 322–324
auditing, 640
cloud computing, 709–710
DMZs, 277–278
e-mail, 670
HIPSs, 490
host-based, 536–538
NGFW, 327
operation, 325–326
placement, 327
stateless vs. stateful, 324
WAFs, 327–328
Windows Firewall, 524
firmware
forensics, 896
hardening, 513–516
mobile devices, 461
version control, 515–516
vulnerabilities, 644
first responders in incident response, 851
fishbone diagrams, 790
flame-activated fire detectors, 259
Flame malware, 5–6
Flash cookies, 740
flash memory–based storage devices, 427
flat networks, 281
floodlights, 241
floods
broadcast storms, 319
MAC, 321
ping, 477–478
spam, 681
floppy disks, 349
fog computing, 713
FOIA (Freedom of Information Act), 942
folder permissions, 371–374
footprinting, 839
for official use only security level, 376
force majeure, 763
forensic images, 238
forensics. See computer forensics
formal security models, 42–46
formats for certificates, 206–207
fortress model, 28
forward proxies, 336–337
fragmentation, packet, 283
Frame Relay, 283
Framework for Improving Critical Infrastructure Cybersecurity, 30
free space on media, 894–895
Freedom of Information Act (FOIA), 942
frequency of backups, 806–808
Friend Finder Network data breaches, 957
FTK Imager, 628–629
FTP (File Transfer Protocol), 413, 657
full backups, 805
full control permission, 371
full device encryption (FDE), 453, 513, 548
full duplex switching, 318
funding for actors, 15
G
gait analysis, 393
Galois Counter Mode (GCM), 130, 133–134
game consoles, 559
gamification, 73
Gantt charts, 791
garbage collection, 745
gateways
cloud, 702
e-mail, 679–685
web security, 337
GCM (Galois Counter Mode), 130, 133–134
General Data Protection Regulation (GDPR), 766, 949–950
general-purpose guides, 568
general risk management model, 779–780
generation of certificates, 207–208
generators
business continuity, 812
power protection, 261
generic accounts, 360
geo-tagging, 454
geofencing, 453
geographic backup considerations, 809
geolocation, 454
GhostNet, 5
glare projection lighting, 241
GLBA (Gramm-Leach-Bliley Act), 915, 940, 945–946
Global Positioning System (GPS)
description, 428
geo-tagging, 454
tagging in mobile devices, 463
globally unique identifiers (GUIDs), 527
GNU Privacy Guard (GPG), 165
governance data, 57
government PII data, 936
GPG (GNU Privacy Guard), 165
GPMC (Group Policy Management Console), 528–529
GPOs (group policy objects), 366, 527
GPS (Global Positioning System)
description, 428
geo-tagging, 454
tagging in mobile devices, 463
GPUs for password cracking, 607
Gramm-Leach-Bliley Act (GLBA), 915, 940, 945–946
gratuitous ARP, 602
gray-box testing
software development, 729
system tests, 638
grep utility, 623–624
greylisting e-mail, 682–683
group policies, 527–529
Group Policy Management Console (GPMC), 528–529
Group Policy Object Editor, 528
group policy objects (GPOs), 366, 527
groups
authentication, 361–362
cloud, 706
Diffie-Hellman, 136–137
Linux, 531
permissions, 373
guards, 239–240
guest accounts, 361
guest zones, 280
guidelines, 53–54
GUIDs (globally unique identifiers), 527
H
hackers
description, 10–11
hiring, 64
hacktivist attacks, 17
Hall, Chris, 132
halon-based fire suppression systems, 257
handheld fire extinguishers, 257–258
handling data, 57
handshakes
CHAP, 409
IP, 286
TCP, 594
hard drives, 348–349
hardened operating systems for networks, 277
hardening. See system hardening
hardware
hardening, 513–516
root of trust concept, 514
security, 539
unauthorized, 102–103
hardware firewalls, 328
hardware security modules (HSMs)
authentication, 389
hardening, 514
mobile devices, 459
PKI, 217
harvesting
credentials, 97
passwords, 100
hash message authentication code (HMAC), 162
hashes
algorithms, 886
cryptography, 123–127
evidence, 886–887
forensics, 890–891
hazards, 763
head utility, 623
header manipulations, 603, 669–670
Health Information Technology for Economic and Clinical Health Act (HITECH Act), 945
Health Information Trust Alliance (HITRUST), 766
Health Insurance Portability and Accountability Act (HIPAA), 935, 944–945
hearsay rule, 879
Heartbleed incident, 366
Heartland Payment Systems data breach, 7
heat-activated fire detectors, 259
heat maps
risk assessment, 785–786
wireless security, 444–445
heating, ventilating, and air conditioning (HVAC) systems, 255, 560–561
Hellman, Martin, 135
help desk in social engineering attacks, 91
heuristic IDS model, 477
heuristic scanning, 533
hidden fields, 670
hidden files, 895–896
HIDSs. See host-based IDS (HIDSs)
hierarchical trust model, 194–195
high availability in cloud, 702, 704–705
high-end locks, 243–244
high resiliency systems, cryptography in, 161
highly structured threats, 13
hijacking
domain, 602
session, 669
TCP/IP, 595
URLs, 603–604
HIPAA (Health Insurance Portability and Accountability Act), 935, 944–945
HIPSs (host-based intrusion prevention systems), 490, 536
hiring employees, 64–65
historical perspectives on cryptography, 117–123
historical security incidents, 1–4
history, password, 61–62
HITECH Act (Health Information Technology for Economic and Clinical Health Act), 945
HITECH CSF framework, 566
HITRUST (Health Information Trust Alliance), 766
HMAC (hash message authentication code), 162
HMAC-based One-Time Password (HOTP) algorithm, 150, 386
HMIs (human machine interfaces), 560
hoaxes
social engineering, 98
virus, 580–581
home automation, 561–562
homomorphic encryption, 141–142
honeyfiles, 495
honeyrecords, 495
host-based firewalls, 328, 536–538
host-based IDS (HIDSs)
active vs. passive, 489–490
advantages, 488
disadvantages, 489
overview, 485–488
resurgence, 490
host-based intrusion prevention systems (HIPSs), 490, 536
host software baselines, 546
hosted systems vs. cloud, 701
hosts
cloud computing models, 699–700
computer forensics, 894–899
security, 32–33
virtualization, 316
vulnerability scanners, 546–547
hot aisles, 256
hot sites, 810
hotfixes, 520
HOTP (HMAC-based One-Time Password) algorithm, 150, 386
hotspots
description, 464
securing, 446
hping tool, 618–619
HSMs. See hardware security modules (HSMs)
HSTS (HTTP Strict Transport Security), 657
HTML (Hypertext Markup Language), 650, 656, 677
HTTP (Hypertext Transfer Protocol)
header manipulations, 603, 669–670
overview, 655–656
HTTP Strict Transport Security (HSTS), 657
HTTPS (Hypertext Transfer Protocol Secure), 171, 656
hubs, 317
human machine interfaces (HMIs), 560
human resources security policies, 63
acceptable use policies, 67–68
adverse actions, 66–67
bring-your-own-device, 69–70
business partners, 66
clean desk, 69
codes of ethics, 63
credentials, 59
due care and due diligence, 70–71
due process, 71
e-mail usage, 68
employee hiring and promotions, 64–65
exit interviews, 66
incident response, 71–72
Internet usage, 68
job rotation, 63
mandatory vacations, 67
privacy, 70
retirement, separation, and termination, 65–66
separation of duties, 64
social media analysis, 69
humidity control, 255
HVAC (heating, ventilating, and air conditioning) systems, 255, 560–561
hybrid clouds, 701
hybrid e-mail filters, 681
hybrid password attacks, 178, 608
hybrid topologies, 270–271
hybrid trust model, 195
hybrid warfare, 99
Hypertext Markup Language (HTML), 650, 656, 677
Hypertext Transfer Protocol (HTTP)
header manipulations, 603, 669–670
overview, 655–656
Hypertext Transfer Protocol Secure (HTTPS), 171, 656
I
IaaS (Infrastructure as a Service), 698–699
IAM (identity access management) systems, 704
IC3 (Internet Crime Complaint Center), 911
ICCs (integrated circuit cards), 390
ICMP (Internet Control Message Protocol), 287–290, 478–479
ICSs (industrial control systems), 560
ID badges, 250
IDEA (International Data Encryption Algorithm), 132, 165
identification
authentication, 378–380
evidence, 887
identity access management (IAM) systems, 704
identity fraud in social engineering, 96
identity providers (IdPs), 378
identity theft
banking regulations, 946
breaches, 932
business risks, 773–774
Identity Theft and Assumption Deterrence Act, 940
IdPs (identity providers), 378
IDSs. See intrusion detection systems (IDSs)
IEEE 802.1X standards
attacks, 446–448
authentication, 399–400
implementing, 438
individual, 430–431
wireless protocols, 429–430
IETF (Internet Engineering Task Force)
history, 163–164
Transport Layer Security, 158, 652
ifconfig command, 617
IKE (Internet Key Exchange) protocol, 225
ILOVEYOU worm
damages, 2–3
e-mail, 677
IM (instant messaging), 650, 689–690
images
master, 553
IMAP (Internet Message Access Protocol)
e-mail, 671
secure, 171
immutable systems in software development, 753
impact
business risks, 772–773
defined, 762
PIAs, 954–955
risk calculations, 789
risk management, 781
impersonation factor in social engineering, 90–91
implementation vs. algorithm selection for cipher suites, 160–161
implicit FTPS, 659
import/export encryption restrictions, 918–919
important bugs in software development, 734
impossible travel time, 369
in-band NIDSs, 502
in-house certificate authorities, 189
Incident Object Description Exchange Format (IODEF), 869
incident response, 836
attack frameworks, 838–842
communication plans, 860
containment, 851–853
data collection models, 866–867
data sources, 860
detection, 849–850
eradication, 855
exercises, 858–859
foundations, 837
goals, 838
identification, 850
incident management, 837–838
initial, 850–851
investigation, 854–855
key terms, 873–874
lessons learned, 857
log files, 860–864
metadata, 864–866
packet flow information, 864
plans, 847–849
preparation, 845–847
procedures, 71–72
process overview, 844–845
quizzes, 874–875
recovery, 855–856
references, 872
reporting, 856–857
review, 873
security measures, 871–872
stakeholder management, 859
standards and best practices, 867–872
strategy formulation, 853–854
teams, 857–858
threat intelligence, 842–844
increased data center density, 255
incremental backups, 806
indicators of compromise (IOCs)
network security, 506–507
standards, 869–871
indirect encryption attacks, 598
industrial camouflage, 242
industrial control systems (ICSs), 560
industry-standard frameworks, 565–566
influence campaigns, 99
information
classification, 56
criticality, 837
information assurance, 1
Information Sharing and Analysis Centers (ISACs), 19
Information Sharing and Analysis Organizations (ISAOs), 19
Information Systems Audit and Control Association (ISACA), 764
information warfare, 13
infrared (IR)
connections, 427
detection, 245
media, 347
Infrastructure as a Service (IaaS), 698–699
Infrastructure as Code
description, 700
software development, 751
infrastructure security, 310
attacks, 8
BYOD model, 468
data loss prevention, 338
devices, 311–313
firewalls, 322–328
Internet content filters, 338
intrusion detection systems, 331
key terms, 355
lab projects, 357
load balancers, 333–335
media, 344–348
modems, 329–330
network access control, 331–332
network monitoring, 332–333
networking, 316–322
physical, 352–353
proxies, 335–337
quizzes, 355–357
removable media, 348–352
review, 354
storage area networks, 343–344
technology placement, 340–342
telephony, 330–331
tunneling, 342–343
unified threat management, 338–339
virtualization, 313–316
VPN concentrators, 328–329
web security gateways, 337
wireless devices, 329
initial exploitation in penetration testing, 633
initial response for incidents, 850–851
initialization vectors (IVs)
hashes, 123
WEP, 431–432
wireless security, 448
Initiator Cookie, 225
injection attacks, 736–738
inline network devices, 491
inlining, 667
input validation, 731–732
insider threats, 11–12
instance awareness in cloud, 707
instant messaging (IM), 650, 689–690
integer overflow, 739
integrated circuit cards (ICCs), 390
integration
software development, 751
vendor management, 776
integrity
CIA of security, 28
models based on, 44–46
software development, 754
integrity verification processes (IVPs), 45–46
intelligence, threat, 19
intent of actors, 15–16
inter-networking, 303
interconnection security agreements (ISAs), 80
interfaces
human-machine, 560
IDSs, 475
securing, 541
intermediate certificates, 193
internal CAs, 213
internal threat actors, 15
international architectures, 565
international banking risk management example, 761–762
International Data Encryption Algorithm (IDEA), 132, 165
international privacy laws, 947–951
Internet, 278–279
content filters, 338
crime schemes, 911
description, 269
usage policy, 68
Internet Control Message Protocol (ICMP), 287–290, 478–479
Internet Crime Complaint Center (IC3), 911
Internet Engineering Task Force (IETF)
history, 163–164
Transport Layer Security, 158, 652
Internet Key Exchange (IKE) protocol, 225
Internet Message Access Protocol (IMAP)
e-mail, 671
secure, 171
Internet of Things (IoT), 561
Internet Protocol Flow Information Export (IPFIX) protocol, 864
Internet Protocol (IP), 282–284
addresses. See IP addresses
ICMP, 287–290
IPv4 vs. IPv6, 290–293
packets, 284–285
TCP vs. UDP, 285–287
Internet Security Association and Key Management Protocol (ISAKMP), 225–226
Internet Small Computer System Interface (iSCSI) protocol, 343
Internetwork Operating System (IOS), 540
interoperability agreements, 79–81
interrelationship digraphs, 791
interviews as evidence, 887
intimidation factor in social engineering, 89
intruders, 10–11
intrusion detection systems (IDSs), 474
analytics, 495–496
deception and disruption technologies, 493–495
description, 331
HIDSs, 485–490
history, 475
key terms, 509
lab projects, 511
models, 476–477
NIDSs, 479–484
overview, 475–476
quizzes, 510–511
references, 508
review, 509
SIEM, 496–499
signatures, 478–479
intrusion prevention systems (IPSs), 490–492
intrusive vulnerability testing, 635
investigations
forensics, 889–890
incident response, 854–855
invoice scams, 96
IOCs (indicators of compromise)
network security, 506–507
standards, 869–871
IODEF (Incident Object Description Exchange Format), 869
ionization smoke detectors, 259
IOS (Internetwork Operating System), 540
IoT (Internet of Things), 561
IP. See Internet Protocol (IP)
IP addresses
attacks, 599
DHCP, 320
NAT, 301–303
routers, 321
scanners, 619
spoofing, 592–593
subnetting, 299–301
IP Security (IPSec), 171–172, 225
IP theft, 932
ipchains, 537
IPFIX (Internet Protocol Flow Information Export) protocol, 864
IPSec (IP Security), 171–172, 225
IPSs (intrusion prevention systems), 490–492
IR (infrared)
connections, 427
detection, 245
media, 347
iris scanners, 392
ISACA (Information Systems Audit and Control Association), 764
ISACs (Information Sharing and Analysis Centers), 19
ISAKMP (Internet Security Association and Key Management Protocol), 225–226
ISAOs (Information Sharing and Analysis Organizations), 19
ISAs (interconnection security agreements), 80
iSCSI (Internet Small Computer System Interface) protocol, 343
Ishikawa, Kaoru, 790
ISO 27001 standard, 766
ISO/IEC 27002 standard, 180
isolation
incident response, 851–853
least common mechanism, 38
network, 272–276
IT contingency planning, 816
IVPs (integrity verification processes), 45–46
IVs (initialization vectors)
hashes, 123
WEP, 431–432
wireless security, 448
J
jailbreaking, 461
jamming, 449
Java language, 661
JavaScript language, 661–662
“Jester” (hacker), 2
job rotation, 63
journalctl command, 863
JPMorgan Chase, 6–7
jurisdiction in forensics, 902
K
Kali tools, 629
Kaminsky, Dan, 296
KDCs (key distribution centers), 383
Kelsey, John, 132
Kerberos authentication, 383–384
key destruction in certificates, 212
key distribution centers (KDCs), 383
key escrow
cipher suites, 156
PKI, 219–220
KEY file for certificates, 206
key performance indicators (KPIs), 780
key risk indicators (KRIs), 780
key stores in certificates, 213
key stretching in cipher suites, 157
keyboards, wireless, 556
keyloggers, 583–584
keys
cipher suites, 155–156
cryptography, 115–116, 118, 122
identity, 380
mobile devices, 458
PGP, 165
physical, 248–249
PKI. See public key infrastructure (PKI)
quantum cryptography, 140
WPA3, 436
keyspace in cryptography, 115
kill chains, 18–19
Kim, Gene, 524
kiosks, 518–519
Klíma, Vlastimil, 124
knowledge-based authentication, 386–387
known plaintext/ciphertext attacks, 175
KPIs (key performance indicators), 780
KRIs (key risk indicators), 780
L
L2TP (Layer 2 Tunneling Protocol), 406–407
labeling data, 57, 931, 933–936
lack of vendor support, 776–777
language-specific failures in software development, 728
LANs (local area networks), 269
laptops, securing, 251
last mile problem in microwave media, 347–348
latency, cryptography in, 161
lateral movement in APTs, 840
laws
digital signature, 920–922
import/export encryption restrictions, 918–919
privacy, international, 947–951
privacy, U.S., 940–947
training for, 76
Layer 2 Tunneling Protocol (L2TP), 406–407
layered access, 243
layered security, 38
LDAP. See Lightweight Directory Access Protocol (LDAP)
LDAPS (Lightweight Directory Access Protocol Secure), 170
Leahy, Patrick, 944
LEAP (Lightweight Extensible Authentication Protocol), 437
least common mechanism principle, 38
least privilege principle
description, 33–34
software development, 725–726
least significant bit (LSB) encoding, 168
legacy platform vulnerabilities, 645
legal issues, 908–909
backups, 810
BYOD model, 468–469
cybercrime. See cybercrime
length of passwords, 62
lessons learned in incident response, 857
level of control in cloud computing, 699–700
Levin, Vladimir, 2
life cycles
certificates, 207–212
information, 938
software development, 722–729
life risks, 775
lights, 241
lightweight cryptography, 141
Lightweight Directory Access Protocol (LDAP)
directory services, 387, 657–658
injection, 738
PGP, 687
remote access, 400
Lightweight Directory Access Protocol Secure (LDAPS), 170
Lightweight Extensible Authentication Protocol (LEAP), 437
likelihood of occurrence in risk calculations, 789
linear cryptanalysis, 113
Linear Tape Open (LTO) format, 349
LinkedIn data breach, 7
Linux operating systems
hardening, 530–532
metadata, 898
permissions, 373
list folder contents permission, 371
live boot media, 554–555
load balancers, 333–335
local area networks (LANs), 269
local packet delivery, 293–294
local registration authorities (LRAs), 188
Local Security Policy utility, 528
locally shared objects (LSOs), 740
location-based printing, hardening, 529
lockouts
accounts, 61
locks
cable, 248
types, 243–244
logger command, 624
logic bombs, 582–583
logical networks, 274–275
logins, risky, 369
logs
analyst-driven log analysis, 487
evidence, 885
incident response, 860–864
physical, 249
SIEM, 499
usage, 367–368
vulnerability testing, 635
long-term backup storage, 808–809
loop prevention, 319
Love Letter virus, 2–3
low latency, cryptography in, 161
low-level bugs in software development, 734
low-power devices, cryptography in, 161
Low-Water-Mark policy, 44–45
LRAs (local registration authorities), 188
LSB (least significant bit) encoding, 168
LSOs (locally shared objects), 740
LTO (Linear Tape Open) format, 349
LulzSec group, 6
Lyon, Gordon, 617
M
MAC (mandatory access control), 375–376
MAC (Media Access Control) addresses. See Media Access Control (MAC) addresses
machines
certificates, 204
hardening, 523–524
macro viruses, 579–580
magic numbers for files, 895
magnetic media, 348–350
mail. See e-mail
mail delivery agents (MDAs), 672
mail transfer agents (MTAs), 672
mail user agents (MUAs), 672
mainframes, 559–560
maintenance
accounts, 367
software development, 729
Making Security Measurable techniques, 871
malicious add-ons, 666
malicious code, 576
malware, 576
adware, 583
anti-malware products, 535
antivirus products, 533–535
application-level attacks, 586
backdoors and trapdoors, 585
botnets, 582
browsers, 666
command-and-control servers, 581
crypto-malware, 582
defenses, 586–587
description, 10
detecting, 339
e-mail, 676–678
HIPSs for, 490
keyloggers, 583–584
logic bombs, 582–583
network tools, 507
polymorphic, 581
PUP, 581
ransomware, 576
RATs, 584
rootkits, 584–585
spyware, 583
trojans, 577–578
viruses, 578–581
web security gateways for, 337
worms, 578
MAM (mobile application management), 452, 460
man-hours tracking, 893
man-in-the-browser (MITB) attacks, 596
man-in-the-middle attacks, 156, 595–596
man-made disasters, 780
managed power distribution units, 262
managed security service providers (MSSPs), 708
managed service providers (MSPs), 708
management interfaces, securing, 541
managerial controls in risk management, 768–769
mandatory access control (MAC), 375–376
mandatory vacations, 67
Manning, Chelsea, 12
MANs (metropolitan area networks), 269
mantraps, 244
manual scanning by antivirus products, 534
Marriott International data breach, 7
Mars Rover crash, 923
masks
data, 952
subnet, 299–301
Master Boot Records (MBRs), 579
master images, 553
master keys, 249
Maximum password age setting, 61, 364
maximum transmission units (MTUs), 283
MBRs (Master Boot Records), 579
MD (Message Digest)
forensics, 890–891
hashing functions, 124–125
MDAs (mail delivery agents), 672
MDM (mobile device management), 452–457
measured boot method, 515
measured services in cloud computing, 698
measurement systems analysis (MSA), 80
media
coaxial cable, 344
electronic, 351–352
fiber, 346–347
magnetic, 348–350
mobile devices, 463
optical, 350
removable, 348–352
sanitization, 938–940
scanning, 534
transmission, 352
unguided, 347–348
UTP/STP, 345
Media Access Control (MAC) addresses
ARP attacks, 294–295
disassociation attacks, 451
NICs, 317
packet delivery, 293–294
spoofing, 595
switches, 318
wireless security, 445–446
mediation, complete, 36–37
medical devices, 562–563
meet-in-the-middle attacks, 176
Melissa virus, 2
memdump command, 628
memoranda of understanding (MOUs), 79–80
memory
software development, 744–745
Message Digest (MD)
forensics, 890–891
hashing functions, 124–125
message integrity, cryptography for, 149
metadata
forensics, 897–898
incident response, 864–866
Metasploit tools, 629
metrics, training, 77
metropolitan area networks (MANs), 269
MFDs (multifunction devices), 557
mice, wireless, 556–557
microphones in mobile devices, 463
MicroSD cards, 558
MicroSD HSMs, 459
microservices in cloud computing, 714
microwave media, 347–348
MIME (Multipurpose Internet Mail Extensions), 673–674
MIMO (multiple-input and multiple-output) technology
benefits, 430
minimization, data, 952
minimizing avenues of attack, 17
Minimum password age setting, 61, 364
Minimum password length setting, 364
mission-essential functions, 772
misuse detection models, 477
MITB (man-in-the-browser) attacks, 596
mitigation
defined, 763
risk management response, 765
risk strategies, 778–779
Mitnick, Kevin, 2
MITRE
ATT&CK framework, 841–842
Making Security Measurable techniques, 871
STIX, 871
TAXII, 871
mixed topologies, 270–271
MLD (Multicast Listener Discovery), 289
MLEC (Model Law on Electronic Commerce), 921
MMS (Multimedia Messaging Service), 462
mobile application management (MAM), 452, 460
mobile device management (MDM), 452–457
mobile devices, 424
application security, 457–459
BYOD model, 465–469
connection methods and receivers, 425–429
deployment models, 465–469
discoverable mode, 558
encryption, 549
key terms, 471
lab projects, 471–473
managing, 459–460
metadata, 865
operating systems, 519
physical security, 254
policies, 460–464
protecting, 312
quizzes, 471–473
review, 470
model contract clauses (MCCs), 950
Model Law on Electronic Commerce (MLEC), 921
model verification, 748
modems
rogue, 590
wireless devices, 329–330
moderate bugs in software development, 734
modify permission, 371
moisture detection, 246–247
monitoring
bandwidth, 864
content, 337
incident response, 855
productivity, 337
software development, 750
moral hazards, 763
Morris, Robert, 2
Morris worm, 2
motion detection, 245–246
motivation of actors, 15–16
MOUs (memoranda of understanding), 79–80
MPLS (multi-protocol label switching), 303
MSA (measurement systems analysis), 80
MSPs (managed service providers), 708
MSSPs (managed security service providers), 708
MTAs (mail transfer agents), 672
MTUs (maximum transmission units), 283
MUAs (mail user agents), 672
multi-protocol label switching (MPLS), 303
Multicast Listener Discovery (MLD), 289
multicast messages, 291
multifactor authentication
attributes, 398–399
factors, 397–398
overview, 396–397
multifunction devices (MFDs), 557
multilevel security, 376
Multimedia Messaging Service (MMS), 462
multipartite attacks, 576
multiple encryption, 129
multiple-input and multiple-output (MIMO) technology
benefits, 430
Multipurpose Internet Mail Extensions (MIME), 673–674
mutual aid agreements, 811
mutual authentication, 384–385
My Fitness Pal data breach, 7
MySpace data breach, 7