Note: Page numbers followed by f and t indicate figures and tables, respectively.
accounts, 60
ACEs. See access control entries
ACLs. See access control lists
activity coordination, 321
AD. See Active Directory
administration. See security administration
administrative controls, 4
Advanced Encryption Standard (AES), 66
AES. See Advanced Encryption Standard
A-I-C triad, 4–6. See also confidentiality-integrity-availability (C-I-A) triad
“allow” ACE, 54
analysis step, 14
Animal (Trojan), 89
anti-malware software, 91–93, 96, 97, 199, 209t, 225, 250, 265, 267t, 268t, 275, 333
anti-spyware software, 93
application backup and recovery
application security. See application software security
application software security
applications
apply encryption, 44
asymmetric algorithms, 80
audit file access, 44
auditing
AUPs. See acceptable use policies
authentication, 25, 26t, 43–44, 199, 200, 211, 212t, 225, 242–244, 252–253, 255, 271t, 277, 278, 316
authorized users, 4
backup
backup administration
Backup and Restore utility, with Windows, 156–160, 166–171, 217
BCP. See business continuity plan
best evidence rule, 300
best practices
“Bitcoin Baron”, 6
Bluetooth, 184
boot devices, 64
BSIMM. See Building Security in Maturity Model
buffer overflow, 88
business continuity plan (BCP), 167, 168, 175, 214t, 274, 285, 327
business drivers, 225
CA. See Certificate Authority
California Consumer Privacy Act (CCPA), 225
campus area network (CAN), 181
CAN. See campus area network
CAPEC. See Common Attack Pattern Enumeration and Classification
CCB. See Configuration Control Board
CCPA. See California Consumer Privacy Act
change control, 321
checklists, 287
cipher, 77
classification, 26
classified data, 44
clearance, 26
CLI tools. See command-line interface tools
client systems, 7
cloud-based software, 279
cmd.exe, 57
code analyzer, 312
code execution, 316
code generation phase, 308
cold site, 167
command-line server backups, 162
command-line workstation backups, 159
Common Attack Pattern Enumeration and Classification (CAPEC), 14t
Common Criteria for Information Technology Security Evaluation, 41
Common Vulnerabilities and Exposures (CVE), 14t
Common Weakness Enumeration (CWE), 14t
communication, 321
compensating controls, 161
compiler option, 312
complete system backup, 172
compliance, 225
computer environment, 3
computer security incident response team (CSIRT), 285, 288–289
computer virus, 88
confidentiality-integrity-availability (C-I-A) triad, 4–6, 189, 200, 210–213, 261, 269, 274, 290
configuration
Configuration Control Board (CCB), 322
connection security rules, 215
contacts and hierarchy, CSIRT communication, 289
containers, 112
control, 19
control file access, 44
controlling access, 21
cookie settings, 264t
cooperative agreement, 167
corrective controls, 4
Creator Group ID, 28t
Creator Owner ID, 28t
Creeper virus, 88
critical incidents, 289
cross-site scripting, 15t
cryptocurrency, 90
cryptojacking, 90
CSIRT. See computer security incident response team
customer-facing systems, 7
CVE. See Common Vulnerabilities and Exposures
CWE. See Common Weakness Enumeration
cyber attackers, 6
DAC. See discretionary access control; dynamic access control
DACL. See discretionary access control list
Darwin (game), 87
data at rest, 63
data classification/identification, 44
Data Collector Sets, 215
data in transit, 63
data reconstruction, 153
data storage, 188
Datacenter edition
DC. See domain controller
DDoS attack. See distributed denial of service attack
decomposition, 307
decryption keys, 65
default ports, 277
default users, 277
deliverables, 306
“deny” ACE, 54
deployment domain, 315
design SDL phase, 312
desktop network security, 198
detective controls, 4
developer security training, 315
device driver programs, 20
device security, 182
DHCP Client service program, 240
direct file or resource access, 261
directory services, 29
directory traversal and listing, 271t
disasters, 213
discretionary access control (DAC), 26
discretionary access control list (DACL), 42, 43f, 44, 46, 54, 57, 210, 211–212, 211t, 212t, 221–222, 222f, 331
disk volume encryption, 67
disposition phase, 308
DMZ. See demilitarized zone
documented plans, 227
domain admin account, 195
DoS attack. See denial of service attack
DRP. See disaster recovery plan
DSRM. See Directory Service Restore Mode
DumpEvt utility, 145t
DumpReg utility, 145t
DumpSec utility, 145t
dynamic code execution, 316
eavesdropping, 198
ECC algorithms. See Elliptic Curve Cryptography algorithms
EFS. See Encrypting File System
Elliptic Curve Cryptography (ECC) algorithms, 66
email
  securing, 267t
employees, 256t
encapsulating protocol, 254
encrypted data transmission, 76f
Encrypting File System (EFS), 65–66, 68t, 72, 82, 211t, 223, 223f, 267t, 268t, 275, 276, 328
encryption, 209t, 211t, 223–225, 253–255, 271t, 274, 276, 316
encryption tools/technologies
ENISA website. See European Network and Information Security Agency website
Enterprise edition, of Windows Server 2008 R2, 8
Enterprise Resource Planning (ERP) software, 278
entry points, 335
environment network services, securing
environment subsystem, 24t
environmental issues, 152
ERP software. See Enterprise Resource Planning (ERP) software
error detection and alerts service, 22t
error handling, 316
escalation confirmation, 45
Essentials edition
EternalBlue, 13
EULA. See End-User License Agreement
European Network and Information Security Agency (ENISA) website, 297
European Union
  General Data Protection Regulation (GDPR), 255
event log, 103t
Event Viewer, 56
events, 284
evidence collection rules, 301
Exabeam, 290
executive (kernel mode program), 24t
exploits, 31
Expression-Based Security Audit Policy, 57
extra-application data access, 262
faulty installation procedure, 318
FCI. See File Classification Infrastructure
FDE. See Full Disk Encryption
Federal Information Security Management Act (FISMA), 255
fiber optic cable, 184t
file authentication, 212t
File Classification Infrastructure (FCI), 44
file system, 103t
  service, 22t
File Transfer Protocol (FTP), 268
file transfer software, 268
files backup, 162
FISMA. See Federal Information Security Management Act
folders backup, 162
Foundation edition
frequency expectations, 289
FTP. See File Transfer Protocol
Full Disclosure, 14t
Full Disk Encryption (FDE), 70
full interruption test, 176
Full Volume Encryption (FVE), 70
FVE. See Full Volume Encryption
GAN. See global area network
gateway, 187
  and routers, 7
GDPR. See General Data Protection Regulation
GLBA. See Gramm-Leach-Bliley Act
global area network (GAN), 181
gMSA. See group managed service accounts
GNessUs, 137
governance domain, 314
GPMC. See Group Policy Management Console
GPOs. See Group Policy Objects
Gramm-Leach-Bliley Act (GLBA), 225
graphical user interface (GUI), 234
group-based ACLs, 60
group managed service accounts (gMSA), 195
Group Policy Management Console (GPMC), 111–112, 111f, 220, 221f, 247, 247f, 269
Group Policy Objects (GPOs), 101, 102, 212, 244, 255, 329, 330
Group Policy Update tool, 117
group security policy objects, 42
GSA. See Greenbone Security Assistant
GUI. See graphical user interface
GUIDs. See globally unique identifier
hackers, 261
hacktivists, 6
HAL. See Hardware Abstraction Layer
hardening, 233
Hardware Abstraction Layer (HAL), 24t
hardware errors, 151
harvesting stored data, 263
hash rules, 269
Health Information Technology for Economic and Clinical Health (HITECH) Act, 225
Health Insurance Portability and Accountability Act (HIPAA), 225, 255, 301
heuristics, 92
  based software, 94
HIPAA. See Health Insurance Portability and Accountability Act
HITECH Act. See Health Information Technology for Economic and Clinical Health Act
hot site, 167
HTTP. See Hypertext Transfer Protocol
HTTPS. See Hypertext Transfer Protocol Secure
hub (legacy device), 186
hybrid malware, 91
Hyper-V technology, 174
IDE. See Integrated Development Environment
identity spoofing, 261
IDS. See intrusion detection system
IIS. See Internet Information Services
implementation phase, 308
  in SDL, 312
inbound rules, 215
information availability, 150
information leakage, 316
initiation phase, 307
injection attacks, 15t
input and output service, 22t
input validation, 316
installation procedure, 318
Institute of Electrical and Electronics Engineers (IEEE), 183
integral subsystem, 24t
Integrated Development Environment (IDE), 312
intelligence domain, 315
intercept communication, 263
interfaces with other programs, 318
International Telecommunication Union (ITU-T) standard, 80
Internet backups, 165
Internet-based services, 10t
Internet gateway, 187
Internet of Things (IoT), 197
Internet Options dialog box, in Internet Explorer 11, 264, 265f
Internet Protocol Security (IPSec), 77, 192, 246, 250, 254, 332
Internet Service Providers (ISPs), 253
interruptions, 213
intrusion detection system (IDS), 214t
intrusion prevention system (IPS), 214t
IoT. See Internet of Things
IPS. See intrusion prevention system
IPSec. See Internet Protocol Security
IPv4 versus IPv6, 202
ISPs. See Internet Service Providers
IT infrastructure
IT liaison on CSIRT, 288t
Itanium edition, of Windows Server 2008 R2, 9
junk filter function, 267t
L2FP. See Layer 2 Forwarding Protocol
L2TP. See Layer 2 Tunneling Protocol
LAN. See local area network
laptop computer backups, 166
Layer 2 Forwarding Protocol (L2FP), 254
layered protocols, 193
least privilege user accounts (LUAs), 41
LGPO tool, 238
LGPO.zip, 237
lightweight database, 266
limited warranty, 10t
Livedemo, OpenVAS, 137
LOB software. See line of business software
Local Group Policies, 102
local groups, 60
Local Policy Tool (LPT), 330
local resource, 181
local security identifier, 28t
Local Security Policy maintenance tool, 55
local users and groups section, 27
Locky, 12
logging mode, of RSOP, 120
logical access, 182
logical controls, 4
LPT. See Local Policy Tool
LUAs. See least privilege user accounts
MAC. See mandatory access control; Media Access Control (MAC)
Madison 911 Emergency Services, 6
mail server, 161t
maintenance phase, 308
malformed input, 261
MAN. See metropolitan area network
man-in-the-middle attack, 263
management role, on CSIRT, 288t
mandatory access control (MAC), 26
Marriott Starwood hotels incident, 285
maximum password age, setting, 105
maximum privilege mode, 20
MBSA utility. See Microsoft Baseline Security Analyzer utility
Media Access Control (MAC)
  address filtering, 198
media security, backup, 153
media server, 161t
memory-resident kernel code, 20
message digest, 212t
Microsoft Baseline Security Analyzer (MBSA) utility, 128–136, 145t, 219, 257, 330
Microsoft Malicious Software Removal Tool (MSRT), 97
Microsoft OneDrive, 279
Microsoft Security Assessment Tool (MSAT), 145t
Microsoft Windows, 6–9. See also under Windows
mitigation, 32
MMC. See Microsoft Management Console
monitor system performance measurements, 209t
monitoring, 215
Morris worm, 88
MSA. See managed service accounts
MSAT. See Microsoft Security Assessment Tool
multifactor authentication, 25
NAC. See network access control
NAS. See Network Attached Storage
NAT. See network address translation
National Cybersecurity and Communications Integration Center (NCCIC), 293
National Vulnerability Database, 14t
natural disasters, 152
NCCIC. See National Cybersecurity and Communications Integration Center
need to know (NTK) basis, 5
Nessus, 137
NetChk Protect Limited, 139f
network, 179
network address translation (NAT), 189
Network Attached Storage (NAS), 188
network bandwidth, 165
network data storage, 188
network devices, 7
network infrastructure, hardening, 244
network print server, 188
network security
  controls, 181
network traffic filtering, server network security, 201
nodes, 190
non-Microsoft services, 195
nonrepudiation, 77
null security identifier, 28t
Office-2016-baseline.zip, 237
OneDrive, 279
Open Systems Interconnection (OSI) Reference Model, 190, 191f
Open Vulnerability Assessment System (OpenVAS), 137–138, 138–139f
Open Web Application Security Project (OWASP), 262
OpenVAS. See Open Vulnerability Assessment System
OpenVPN protocol, 254
operating system
operating system security
OSI Reference Model. See Open Systems Interconnection Reference Model
OUs. See organizational units
outbound rules, 215
outbound traffic filtering, workstation network security, 199–200
OWASP. See Open Web Application Security Project
packet sniffing, 15t
PAN. See personal area network
partial security, 210
password, 25
path rules, 269
PDCA process. See Plan-Do-Check-Act process
penetration testing, 319
PerfMon toolset, 214t
performance, 213
personal area network (PAN), 181
Phase Identification, 320
Phase Transition, 320
phishing attacks, 15t
physical and logical access, 182
physical security, 209t
PKI. See public key infrastructure
planning phase, 307
PolicyAnalyzer.zip, 237
powershell.exe, 57
PPP. See Point-to-Point Protocol
PPTP. See Point-to-Point Tunneling Protocol
pre-shared key (PSK) mode, 80
presentation, 266
primary copy, 151
print server, 188
printer actions auditing, 147
private data disclosure, 266
privilege escalation, 261
privileged mode, 23
proactive plan, 208
process table, 20
productivity software, 266–267
  securing, 268t
Program Files folder, 147
program/process management service, 22t
project management, 266
PSK mode. See pre-shared key mode
public key, 48
  cryptography, 77
public relations representative, on CSIRT, 288t
publisher rules, 269
publishing, 266
pull technology, 102
RA. See registration authority
RADIUS. See Remote Authentication Dial In User Service
RAID. See redundant array of independent disks
RBAC. See role based access control
Read/List access auditing, 147
real evidence, 299
Reaper program, 88
recovery keys, 82
recovery plan, 175
redundant array of independent disks (RAID), 161
registration authority (RA), 81
Registry, 103t
Registry.pol file, 238
regression testing, 317
release SDL phase, 312
remediation
Remote Authentication Dial In User Service (RADIUS), 252–253
remote clients, 336
Remote Group Policy Update, 102
Remote Registry service, 240
remote resources, 181
remote system access, 316
remote users and systems, 335
remote workstations, 199
removable storage device, 70
repeatable process, 321
replay attack, 200
requirements, SDL phase, 312
response. See incident response
responsibilities, CSIRT communication, 289
restore
Restore All Users’ Files link, 169
Restore My Files button, 169
restricted groups, 103t
Resultant Set of Policy (RSOP) tool, 120
Rights Management Services (RMS), 44
risk, 6
  management plan, 287
RMS. See Rights Management Services
robocopy CLI utility, 59
role based access control (RBAC), 26
RSOP tool. See Resultant Set of Policy tool
RTO. See recovery time objective
run modes, 23
Salesforce.com, 202
SAN. See Storage Area Network
SAT. See Security Access Token
SCA tool. See Security Configuration and Analysis tool
scanner, 95t
schemas, 318
Schneier, Bruce, 226
SCM. See software configuration management
scope of restore operation, 169
scripts, 271t
SCT. See Security Compliance Toolkit
SCW. See Security Configuration Wizard
SDL. See Security Development Lifecycle
SDLC model. See System Development Life Cycle model
secedit.exe, 145t
securable objects, 48
secure connections, 267t
Secure File Transfer Protocol (SFTP), 268
Secure Hash Algorithm (SHA), 66
secure libraries, 312
Secure Software Development Lifecycle (SSDL) touchpoints, 315
Secure Web application connection, 78f
Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption, 265
Security. See application security; application software security; network security
Security Configuration and Analysis (SCA) snap-in, 145t
Security Configuration and Analysis (SCA) tool, 127–128, 330
Security information and event management (SIEM) tools, 14, 33
Security Orchestration, Automation and Response (SOAR) tools, 297
sensitive data, 63
separation of duties, 318
separator, 270t
Server Core, 32
  installation option, 234
Server Message Block (SMB) protocol, 13
server network security
servers, types of, 161t
service pack administration, 219
Services Microsoft Management Console (MMC) snap-in, 195, 196
session hijacking and credential reuse, 15t
SHA. See Secure Hash Algorithm
shielded twisted pair (STP) cable, 184t
SIDs. See security identifiers
SIEM tools. See Security information and event management tools
SLA. See service level agreement
smart card, 72
SMB protocol. See Server Message Block protocol
SMEs. See subject matter experts
SOAR tools. See Security Orchestration, Automation and Response tools
social engineering, 337
software configuration management (SCM), 321–323
  tools, 323t
software control, 321
software development, 306
software errors, 151
software license agreement, 9
software project scope, 311t
software requirement analysis, 307
solid disaster recovery plan, 167
SomarSoft utilities, 145t
source code, OpenVAS, 137
SOX. See Sarbanes-Oxley Act
special Windows object permissions, 52t
spoofing, 261
spreadsheet, 266
sprints, 309
SQL. See Structured Query Language
SRP. See Software Restriction Policies
SSDL touchpoints. See Secure Software Development Lifecycle touchpoints
SSF. See Software Security Framework
SSH. See Secure Shell
SSID. See Service Set Identifier
SSL. See Secure Sockets Layer
SSTP. See Secure Socket Tunneling Protocol
stakeholders, 227
standalone firewalls, 201
Standard edition
Startup type value, 240
Storage Area Network (SAN), 188
STP cable. See shielded twisted pair cable
subject, 26
supervisor mode, 21
switch, 186
symmetric algorithms, 80
symmetric key, 66
system configuration information, 33
System Development Life Cycle (SDLC) model, 306–309, 306f, 311
system services, 103t
system/information engineering and modeling, 307
T-Mobile incident, 285
targets, 106
TDE. See Transparent Data Encryption
team lead on CSIRT, 288t
technical controls, 4
technical security controls, 331
Telnet protocol, 192t
Terminal Access Controller Access-Control System Plus (TACACS+), 253
test scenarios, 317
thick clients, 7
thin clients, 7
threats, 11
time-tested strategy, 39
TLS. See Transport Layer Security
Top 10 Web Application Security Risks, 281
TPM. See Trusted Platform Module
traditional software development management, 309
traffic flow, 182
training, on security development, 312
Transmission Control Protocol/Internet Protocol (TCP/IP) Reference Model, 190, 191, 191f, 192t, 268
Transparent Data Encryption (TDE), 276
Transmission Control Protocol (TCP), 244
Transport Layer Security (TLS), 77
TrueCrypt, 65
Trusted Platform Module (TPM), 67
trusted sites, 264t
trusted source, 81
Tucker, Charles, 6
tunneling, concept of, 253
UAC. See user account control
UDP. See User Datagram Protocol
UML. See Unified Modeling Language
unauthorized users, 4
Unified Modeling Language (UML), 307
uniform resource locator (URL), 270
  individual parts of, 270t
United States Computer Emergency Readiness Team (US-CERT), 14t, 293
universally unique identifier (UUID), 52
unprotected windows share, 15t
unshielded twisted pair (UTP) cable, 184t
unused services, 196
URL. See uniform resource locator
user actions, 152
User Configuration category, 108
user identification, 211
user mode, 21
user rights, 42
  assignment, 103t
username (or user ID), 25
UTP cable. See unshielded twisted pair cable
UUID. See universally unique identifier
UUIDGEN.EXE program, 53
vault, 95t
VCSs. See version control systems
VeraCrypt, 65
verification SDL phase, 312
virtual appliance, OpenVAS in, 137
virtual images, 165
virtual PC, 174
VirtualBox, 174
Visual Studio Code, 312
VMs. See virtual machines
VMware, 174
Volume Shadow Copy Service (VSS), 155
VPNs. See virtual private networks
VSS. See Volume Shadow Copy Service
vulnerabilities
WAN. See wide area network
warm site, 167
warranty, 10t
web browsers
  securing, 264t
Web edition, of Windows Server 2008 R2, 9
web proxies, 79
web servers, 31, 161t, 270–274
  securing, 271t
WebServ01, 233
WEP. See Wired Equivalent Privacy
Wi-Fi jacking, 196
Windows BitLocker, 251
Windows boot media, 173
Windows clients, 8
Windows computers, securing, 233
Windows Encrypting File System (EFS), 251
Windows Firewall with Advanced Security, 213, 214, 215f, 244, 245f, 246f
Windows Group Policy, 251
Windows High Performance Computing server, 9
Windows Management Instrumentation (WMI) filters, 116–117, 118f, 121, 330
Windows NT code base, 22
Windows OS. See operating system
Windows Server 2008, 214
Windows Server 2012 R2, 9
Windows services, 191
Windows Subsystem for Linux (WSL), 137
Windows workstation backups, 217
wireless local area network (WLAN), 183
WLAN. See wireless local area network
WMI filters. See Windows Management Instrumentation filters
WMI Query Language (WQL), 116
word processing, 266
workgroups, 29
  environments, 30
workstation
world security identifier, 28t
WPA. See Wi-Fi Protected Access
WQL. See WMI Query Language
WSL. See Windows Subsystem for Linux
X.509 standard, 80