CITATION

Rhodes-Ousley, Mark. Information Security The Complete Reference, Second Edition. US: McGraw-Hill Osborne Media, 2013.

Information Security The Complete Reference, Second Edition

Published: April 2013

eISBN: 9780071784368 0071784365 | ISBN: 9780071784351
  • Cover
  • About the Author
  • About the Contributors and Technical Reviewers
  • Title Page
  • Copyright Page
  • Contents at a Glance
  • Contents
  • Preface
  • Acknowledgments
  • Introduction
  • Part I: Foundations
  • Chapter 1: Information Security Overview
  • The Importance of Information Protection
  • The Evolution of Information Security
  • Justifying Security Investment
  • Business Agility
  • Cost Reduction
  • Portability
  • Security Methodology
  • How to Build a Security Program
  • Authority
  • Framework
  • Assessment
  • Planning
  • Action
  • Maintenance
  • The Impossible Job
  • The Weakest Link
  • Strategy and Tactics
  • Business Processes vs. Technical Controls
  • Summary
  • References
  • Chapter 2: Risk Analysis
  • Threat Definition
  • Threat Vectors
  • Threat Sources and Targets
  • Types of Attacks
  • Malicious Mobile Code
  • Advanced Persistent Threats (APTs)
  • Manual Attacks
  • Risk Analysis
  • Summary
  • References
  • Chapter 3: Compliance with Standards, Regulations, and Laws
  • Information Security Standards
  • COBIT
  • ISO 27000 Series
  • NIST
  • Regulations Affecting Information Security Professionals
  • The Duty of Care
  • Gramm-Leach-Bliley Act (GLBA)
  • Sarbanes-Oxley Act
  • HIPAA Privacy and Security Rules
  • NERC CIP
  • PCI DSS: Payment Card Industry Data Security Standard
  • Laws Affecting Information Security Professionals
  • Hacking Laws
  • Electronic Communication Laws
  • Other Substantive Laws
  • Summary
  • References
  • Chapter 4: Secure Design Principles
  • The CIA Triad and Other Models
  • Confidentiality
  • Integrity
  • Availability
  • Additional Concepts
  • Defense Models
  • The Lollipop Model
  • The Onion Model
  • Zones of Trust
  • Best Practices for Network Defense
  • Secure the Physical Environment
  • Harden the Operating System
  • Keep Patches Updated
  • Use an Antivirus Scanner (with Real-Time Scanning)
  • Use Firewall Software
  • Secure Network Share Permissions
  • Use Encryption
  • Secure Applications
  • Back Up the System
  • Implement ARP Poisoning Defenses
  • Create a Computer Security Defense Plan
  • Summary
  • References
  • Chapter 5: Security Policies, Standards, Procedures, and Guidelines
  • Security Policies
  • Security Policy Development
  • Security Policy Contributors
  • Security Policy Audience
  • Policy Categories
  • Frameworks
  • Security Awareness
  • Importance of Security Awareness
  • Objectives of an Awareness Program
  • Increasing Effectiveness
  • Implementing the Awareness Program
  • Enforcement
  • Policy Enforcement for Vendors
  • Policy Enforcement for Employees
  • Software-Based Enforcement
  • Example Security Policy Topics
  • Acceptable Use Policies
  • Computer Policies
  • Network Policies
  • Data Privacy Policies
  • Data Integrity Policies
  • Personnel Management Policies
  • Security Management Policies
  • Physical Security Policies
  • Security Standards
  • Security Standard Example
  • Security Procedures
  • Security Procedure Example
  • Security Guidelines
  • Security Guideline Example
  • Ongoing Maintenance
  • Summary
  • References
  • Chapter 6: Security Organization
  • Roles and Responsibilities
  • Security Positions
  • Security Incident Response Team
  • Managed Security Services
  • Services Performed by MSSPs
  • Services That Can Be Monitored by MSSPs
  • Security Council, Steering Committee, or Board of Directors
  • Interaction with Human Resources
  • Summary
  • References
  • Chapter 7: Authentication and Authorization
  • Authentication
  • Usernames and Passwords
  • Certificate-Based Authentication
  • Extensible Authentication Protocol (EAP)
  • Biometrics
  • Additional Uses for Authentication
  • Authorization
  • User Rights
  • Role-Based Authorization (RBAC)
  • Access Control Lists (ACLs)
  • Rule-Based Authorization
  • Compliance with Standards
  • NIST
  • ISO 27002
  • COBIT
  • Summary
  • References
  • Part II: Data Security
  • Chapter 8: Securing Unstructured Data
  • Structured Data vs. Unstructured Data
  • At Rest, in Transit, and in Use
  • Approaches to Securing Unstructured Data
  • Databases
  • Applications
  • Networks
  • Computers
  • Storage (Local, Removable, or Networked)
  • Data Printed into the Physical World
  • Newer Approaches to Securing Unstructured Data
  • Data Loss Prevention (DLP)
  • Information Rights Management (IRM)
  • Summary
  • References
  • Chapter 9: Information Rights Management
  • Overview
  • The Difference Between DRM and IRM
  • What’s in a Name? EDRM, ERM, RMS, IRM
  • Evolution from Encryption to IRM
  • IRM Technology Details
  • What Constitutes an IRM Technology?
  • Architecture
  • Going Offline
  • Unstructured Data Formats
  • Getting Started with IRM
  • Classification Creation
  • User Provisioning
  • Rights Assignment
  • Securing Content
  • Distributing Content
  • Installing and Configuring the IRM Client
  • Authentication
  • Authorization
  • Rights Retrieval and Storage
  • Content Access and Rights Invocation
  • Access Auditing and Reporting
  • Rights Revocation
  • Summary
  • References
  • Chapter 10: Encryption
  • A Brief History of Encryption
  • Early Codes
  • More Modern Codes
  • Symmetric-Key Cryptography
  • Key Exchange
  • Public Key Cryptography
  • Key Exchange
  • Public Key Infrastructure
  • Structure and Function
  • CA Hierarchy
  • Certificate Templates and Enrollment
  • Revocation
  • Role Separation
  • Cross-Certification
  • Compliance with Standards
  • NIST
  • ISO 27002
  • COBIT
  • Summary
  • References
  • Chapter 11: Storage Security
  • Storage Security Evolution
  • Modern Storage Security
  • Storage Infrastructure
  • Administration Channel
  • Risks to Data
  • Risk Remediation
  • Confidentiality Risks
  • Integrity Risks
  • Availability Risks
  • Best Practices
  • Zoning
  • Arrays
  • Servers
  • Staff
  • Offsite Data Storage
  • Summary
  • References
  • Chapter 12: Database Security
  • General Database Security Concepts
  • Understanding Database Security Layers
  • Server-Level Security
  • Network-Level Security
  • Operating System Security
  • Understanding Database-Level Security
  • Database Administration Security
  • Database Roles and Permissions
  • Object-Level Security
  • Using Other Database Objects for Security
  • Using Application Security
  • Limitations of Application-Level Security
  • Supporting Internet Applications
  • Database Backup and Recovery
  • Determining Backup Constraints
  • Determining Recovery Requirements
  • Types of Database Backups
  • Keeping Your Servers Up to Date
  • Database Auditing and Monitoring
  • Reviewing Audit Logs
  • Database Monitoring
  • Summary
  • References
  • Part III: Network Security
  • Chapter 13: Secure Network Design
  • Introduction to Secure Network Design
  • Acceptable Risk
  • Designing Security into a Network
  • Designing an Appropriate Network
  • The Cost of Security
  • Performance
  • Availability
  • Security
  • Wireless Impact on the Perimeter
  • Remote Access Considerations
  • Internal Security Practices
  • Intranets, Extranets, and DMZs
  • Outbound Filtering
  • Compliance with Standards
  • NIST
  • ISO 27002
  • COBIT
  • Summary
  • References
  • Chapter 14: Network Device Security
  • Switch and Router Basics
  • MAC Addresses, IP Addresses, and ARP
  • TCP/IP
  • Hubs
  • Switches
  • Routers
  • Network Hardening
  • Patching
  • Switch Security Practices
  • Access Control Lists
  • Disabling Unused Services
  • Administrative Practices
  • Internet Control Message Protocol (ICMP)
  • Anti-Spoofing and Source Routing
  • Logging
  • Summary
  • References
  • Chapter 15: Firewalls
  • Overview
  • The Evolution of Firewalls
  • Application Control
  • Must-Have Firewall Features
  • Core Firewall Functions
  • Network Address Translation (NAT)
  • Auditing and Logging
  • Additional Firewall Capabilities
  • Application and Website Malware Execution Blocking
  • Antivirus
  • Intrusion Detection and Intrusion Prevention
  • Web Content (URL) Filtering and Caching
  • E-Mail (Spam) Filtering
  • Enhance Network Performance
  • Firewall Design
  • Firewall Strengths and Weaknesses
  • Firewall Placement
  • Firewall Configuration
  • Summary
  • References
  • Chapter 16: Virtual Private Networks
  • How a VPN Works
  • VPN Protocols
  • IPSec
  • PPTP
  • L2TP over IPSec
  • SSL VPNs
  • Remote Access VPN Security
  • Authentication Process
  • Client Configuration
  • Client Networking Environment
  • Offline Client Activity
  • Site-to-Site VPN Security
  • Summary
  • References
  • Chapter 17: Wireless Network Security
  • Radio Frequency Security Basics
  • Security Benefits of RF Knowledge
  • Layer One Security Solutions
  • Data-Link Layer Wireless Security Features, Flaws, and Threats
  • 802.11 and 802.15 Data-Link Layer in a Nutshell
  • 802.11 and 802.15 Data-Link Layer Vulnerabilities and Threats
  • Closed-System SSIDs, MAC Filtering, and Protocol Filtering
  • Built-in Bluetooth Network Data-Link Security and Threats
  • Wireless Vulnerabilities and Mitigations
  • Wired Side Leakage
  • Rogue Access Points
  • Misconfigured Access Points
  • Wireless Phishing
  • Client Isolation
  • Wireless Network Hardening Practices and Recommendations
  • Wireless Security Standards
  • Temporal Key Integrity Protocol and Counter Mode with CBC-MAC Protocol
  • 802.1x-Based Authentication and EAP Methods
  • Wireless Intrusion Detection and Prevention
  • Wireless IPS and IDS
  • Bluetooth IPS
  • Wireless Network Positioning and Secure Gateways
  • Summary
  • References
  • Chapter 18: Intrusion Detection and Prevention Systems
  • IDS Concepts
  • Threat Types
  • First-Generation IDS
  • Second-Generation IDS
  • IDS Types and Detection Models
  • Host-Based IDS
  • Network-Based IDS (NIDS)
  • Anomaly-Detection (AD) Model
  • Signature-Detection Model
  • What Type of IDS Should You Use?
  • IDS Features
  • IDS End-User Interfaces
  • Intrusion-Prevention Systems (IPS)
  • IDS Management
  • IDS Logging and Alerting
  • IDS Deployment Considerations
  • IDS Fine-Tuning
  • IPS Deployment Plan
  • Security Information and Event Management (SIEM)
  • Data Aggregation
  • Analysis
  • Operational Interface
  • Additional SIEM Features
  • Summary
  • References
  • Chapter 19: Voice over IP (VoIP) and PBX Security
  • Background
  • VoIP Components
  • Call Control
  • Voice and Media Gateways and Gatekeepers
  • MCUs
  • Hardware Endpoints
  • Software Endpoints
  • Call and Contact Center Components
  • Voicemail Systems
  • VoIP Vulnerabilities and Countermeasures
  • Old Dogs, Old Tricks: The Original Hacks
  • Vulnerabilities and Exploits
  • The Protocols
  • Security Posture: System Integrators and Hosted VoIP
  • PBX
  • Hacking a PBX
  • Securing a PBX
  • TEM: Telecom Expense Management
  • Summary
  • References
  • Part IV: Computer Security
  • Chapter 20: Operating System Security Models
  • Operating System Models
  • The Underlying Protocols Are Insecure
  • Access Control Lists
  • MAC vs. DAC
  • Classic Security Models
  • Bell-LaPadula
  • Biba
  • Clark-Wilson
  • TCSEC
  • Labels
  • Reference Monitor
  • The Reference Monitor Concept
  • Windows Security Reference Monitor
  • Trustworthy Computing
  • International Standards for Operating System Security
  • Common Criteria
  • Summary
  • References
  • Chapter 21: Unix Security
  • Start with a Fresh Install
  • Securing a Unix System
  • Reducing the Attack Surface
  • Install Secure Software
  • Configure Secure Settings
  • Keep Software Up to Date
  • Place Servers into Network Zones
  • Strengthen Authentication Processes
  • Require Strong Passwords
  • Use Alternatives to Passwords
  • Limit Physical Access to Systems
  • Limit the Number of Administrators and Limit the Privileges of Administrators
  • Use sudo
  • Back Up Your System
  • Subscribe to Security Lists
  • Compliance with Standards
  • ISO 27002
  • COBIT
  • Summary
  • References
  • Chapter 22: Windows Security
  • Securing Windows Systems
  • Disable Windows Services and Remove Software
  • Securely Configure Remaining Software
  • Use Group Policy to Manage Settings
  • Computer Policies
  • User Policies
  • Security Configuration and Analysis
  • Group Policy
  • Install Security Software
  • Application Whitelisting
  • Patch Systems Regularly
  • Segment the Network into Zones of Trust
  • Blocking and Filtering Access to Services
  • Mitigating the Effect of Spoofed Ports
  • Strengthen Authentication Processes
  • Require, Promote, and Train Users in Using Strong Passwords
  • Use Alternatives to Passwords
  • Apply Technology and Physical Controls to Protect Access Points
  • Modify Defaults for Windows Authentication Systems
  • Limit the Number of Administrators and Limit the Privileges of Administrators
  • Applications that Require Admin Access to Files and the Registry
  • Elevated Privileges Are Required
  • Programmers as Administrators
  • Requiring Administrators to Use runas
  • Active Directory Domain Architecture
  • Logical Security Boundaries
  • Role-Based Administration
  • A Role-Based Approach to Security Configuration
  • Compliance with Standards
  • NIST
  • ISO 27002
  • COBIT
  • Summary
  • References
  • Chapter 23: Securing Infrastructure Services
  • E-Mail
  • Protocols, Their Vulnerabilities, and Countermeasures
  • Spam and Spam Control
  • Malware and Malware Control
  • Web Servers
  • Types of Attacks
  • Web Server Protection
  • DNS Servers
  • Install Patches
  • Prevent Unauthorized Zone Transfers
  • DNS Cache Poisoning
  • Proxy Servers
  • HTTP Proxy
  • FTP Proxy
  • Direct Mapping
  • POP3 Proxy
  • HTTP Connect
  • Reverse Proxy
  • Summary
  • References
  • Chapter 24: Virtual Machines and Cloud Computing
  • Virtual Machines
  • Protecting the Hypervisor
  • Protecting the Guest OS
  • Protecting Virtual Storage
  • Protecting Virtual Networks
  • NIST Special Publication 800-125
  • Cloud Computing
  • Types of Cloud Services
  • Cloud Computing Security Benefits
  • Security Considerations
  • Cloud Computing Risks and Remediations
  • Summary
  • References
  • Chapter 25: Securing Mobile Devices
  • Mobile Device Risks
  • Device Risks
  • Application Risks
  • Mobile Device Security
  • Built-in Security Features
  • Mobile Device Management (MDM)
  • Data Loss Prevention (DLP)
  • Summary
  • References
  • Part V: Application Security
  • Chapter 26: Secure Application Design
  • Secure Development Lifecycle
  • Application Security Practices
  • Security Training
  • Secure Development Infrastructure
  • Security Requirements
  • Secure Design
  • Threat Modeling
  • Secure Coding
  • Security Code Review
  • Security Testing
  • Security Documentation
  • Secure Release Management
  • Dependency Patch Monitoring
  • Product Security Incident Response
  • Decisions to Proceed
  • Web Application Security
  • SQL Injection
  • Forms and Scripts
  • Cookies and Session Management
  • General Attacks
  • Web Application Security Conclusions
  • Client Application Security
  • Running Privileges
  • Application Administration
  • Integration with OS Security
  • Application Updates
  • Remote Administration Security
  • Reasons for Remote Administration
  • Remote Administration Using a Web Interface
  • Authenticating Web-Based Remote Administration
  • Custom Remote Administration
  • Summary
  • References
  • Chapter 27: Writing Secure Software
  • Security Vulnerabilities: Causes and Prevention
  • Buffer Overflows
  • Integer Overflows
  • Cross-Site Scripting
  • SQL Injection
  • Whitelisting vs. Blacklisting
  • Summary
  • References
  • Chapter 28: J2EE Security
  • Java and J2EE Overview
  • The Java Language
  • Attacks on the JVM
  • The J2EE Architecture
  • Servlets
  • JavaServer Pages (JSP)
  • Enterprise JavaBeans (EJB)
  • Containers
  • Authentication and Authorization
  • J2EE Authentication
  • J2EE Authorization
  • Protocols
  • HTTP
  • HTTPS
  • Web Services Protocols
  • IIOP
  • JRMP
  • Proprietary Communication Protocols
  • JMS
  • JDBC
  • Summary
  • References
  • Chapter 29: Windows .NET Security
  • Core Security Features of .NET
  • Managed Code
  • Role-Based Security
  • Code Access Security
  • AppDomains and Isolated Storage
  • Application-Level Security in .NET
  • Using Cryptography
  • .NET Remoting Security
  • Securing Web Services and Web Applications
  • Summary
  • References
  • Chapter 30: Controlling Application Behavior
  • Controlling Applications on the Network
  • Access Control Challenges
  • Application Visibility
  • Controlling Application Communications
  • Restricting Applications Running on Computers
  • Application Whitelisting Software
  • Application Security Settings
  • Summary
  • References
  • Part VI: Security Operations
  • Chapter 31: Security Operations Management
  • Communication and Reporting
  • Change Management
  • Acceptable Use Enforcement
  • Examples of Acceptable Use Enforcement
  • Proactive Enforcement
  • Administrative Security
  • Preventing Administrative Abuse of Power
  • Management Practices
  • Accountability Controls
  • Security Monitoring and Auditing
  • Keeping Up with Current Events
  • Incident Response
  • Summary
  • References
  • Chapter 32: Disaster Recovery, Business Continuity, Backups, and High Availability
  • Disaster Recovery
  • Business Continuity Planning
  • The Four Components of Business Continuity Planning
  • Third-Party Vendor Issues
  • Awareness and Training Programs
  • Backups
  • Traditional Backup Methods
  • Backup Alternatives and Newer Methodologies
  • Backup Policy
  • High Availability
  • Automated Redundancy Methods
  • Operational Redundancy Methods
  • Compliance with Standards
  • ISO 27002
  • COBIT
  • Summary
  • References
  • Chapter 33: Incident Response and Forensic Analysis
  • Incident Response
  • Incident Detection
  • Response and Containment
  • Recovery and Resumption
  • Review and Improvement
  • Forensics
  • Legal Requirements
  • Evidence Acquisition
  • Evidence Analysis
  • Compliance with Laws During Incident Response
  • Law Enforcement Referrals—Yes or No?
  • Preservation of Evidence
  • Confidentiality and Privilege Issues
  • Summary
  • References
  • Part VII: Physical Security
  • Chapter 34: Physical Security
  • Classification of Assets
  • Physical Vulnerability Assessment
  • Buildings
  • Computing Devices and Peripherals
  • Documents
  • Records and Equipment
  • Choosing Site Location for Security
  • Accessibility
  • Lighting
  • Proximity to Other Buildings
  • Proximity to Law Enforcement and Emergency Response
  • RF and Wireless Transmission Interception
  • Utilities Reliability
  • Construction and Excavation
  • Securing Assets: Locks and Entry Controls
  • Locks
  • Entry Controls
  • Physical Intrusion Detection
  • Closed-Circuit Television
  • Alarms
  • Compliance with Standards
  • ISO 27002
  • COBIT
  • Summary
  • References
  • Glossary
  • Index