Index [media.wiley.com]

Note to Reader: Bolded page numbers refer to definitions and main discussions of a topic. Italicized page numbers refer to illustrations.

Symbols
® symbol, for trademarks, 135
™ symbol, for copyrights, 135

Numbers
1GL (first-generation languages), 840
1NF (first normal form), database normalization, 864
2GL (second-generation languages), 840
2NF (second normal form), database normalization, 864
3DES. See Triple DES (3DES)
3GL (third-generation languages), 840
3NF (third normal form), database normalization, 864
4GL (fourth-generation languages), 840
5-4-3 rule, Ethernet, 477
5GL (fifth-generation languages), 840
10Base2 (thinnet coax), 474–475
10Base5 (thicknet coax), 474–475
10Base-T cable, 475
100Base-T/100Base-TX, 475
802.1x, securing wireless networks, 258
802.1X/EAP, 459
802.11
    shared key authentication (SKA) standard, 458
    wireless standards, 455
802.11i (WPA2), 459
802.15 (Bluetooth), 484
1000Base-T, 475

A
abstraction
    essential security protection mechanisms, 365–366
    overview of, 12–13
abuse, voice communication threat, 505–507
acceptable use policy
    defined, 26
    for email, 509–510
access aggregation attacks, 610
access control
    access provisioning lifecycle, 582–583
    for assets, 556
    authorization and accountability in, 561–562
    badges for, 411
    Brewer and Nash model (Chinese Wall), 287
    centralized and distributed options, 573
    CIA triad and, 560
    in datacenter security, 398
    deploying physical controls, 413–414
    designing in systems development life cycle, 845
    for devices, 355
    for email, 510
    keys and locks in, 410
    lattice-based, 282–283
    motion detection systems and intrusion alarms, 411–413
    perimeter controls, 407–409
    for physical assets, 672
    port-based, 439
    preventing malicious code, 894
    preventing unauthorized access to data, 164
    proximity readers, 397
    for servers, 393–394
    single sign-on in, 573–574
    smartcards in, 396–397
    between subjects and objects (transitive trusts), 271, 557
    thwarting storage threats, 870
    trusted computing base (TCB) and, 276
    types of, 557–559
access control attacks
    aggregation attacks, 610
    crackers vs. hackers vs. attackers, 604–605
    denial-of-service (DoS) attacks, 619
    exam topics, 622–623
    overview of, 604
    password attacks, 610–615, 615
    protection methods, 619–621
    review answers, 938–939
    review questions, 625–628
    risk elements, 605–610
    smartcard attacks, 619
    social engineering attacks, 616–619
    spoofing attacks, 615–616
    summary, 621–622




    written lab, 624
    written lab answers, 962
access control lists (ACLs)
    access control matrix and, 280–281, 595
    active response of IDS to, 718
    capability tables vs., 595
    in discretionary access control, 598
    firewalls and, 725
    recovery step in incident response, 703
access control matrix
    as authorization mechanism, 595
    Graham-Denning model, 288
    overview of, 280–282
access control models
    attribute-based access controls (ABAC), 601–602
    authorization mechanisms, 595–596
    defense in depth, 597, 597–598
    discretionary access controls (DAC), 274, 598
    exam topics, 593, 622–623
    mandatory access controls (MAC), 274, 283, 602, 602–604
    nondiscretionary access controls (non-DAC), 598–602
    permissions, rights, and privileges, 594–595
    requirements defined from security policy, 596–597
    review answers, 937–938
    review questions, 625–628
    role-based access control (role-BAC), 599, 599–601
    rule-based access control (RBAC), 274, 601
    summary, 621–622
    written lab, 624
    written lab answers, 962
access control triple, in Clark-Wilson model, 286
access logs, 398
access review audits
    assessing effectiveness of access controls, 745
    overview of, 743–744
account lockout controls, protecting against access control attacks, 620
account management reviews, 649–650
accountability
    AAA protocols, 580–581
    in access control system, 561–562
    defined, 10–11
    mechanisms of security policies, 368–369
    monitoring and, 735
    nonrepudiation and, 11–12
accounting, AAA. See accountability
accounts
    access provisioning lifecycle, 582–583
    reviewing periodically, 583
    revoking, 584
    separation of privileges in service accounts, 664
accreditation, of security systems, 300–302
ACID model, database transactions, 865–866
ACK (acknowledge) packets
    SYN flood attacks, 707
    in TCP three-way handshake, 440
ACLs. See access control lists (ACLs)
acquisitions
    integrating risk considerations into acquisition strategies and practices, 35–36
    organizational processes and, 16–17
Acting phase, IDEAL model, 851
active responses, intrusion detection systems, 718–719
ActiveX controls, 338, 894
ad hoc mode, configuring wireless access points, 455
Address Resolution Protocol (ARP)
    cache poisoning, 339, 447
    man-in-the-middle attacks, 713
    resolving domain names to IP addresses, 451
    resolving IP addresses to MAC addresses, 432
    spoofing attacks, 542–543
administrative access controls
    implementing defense in depth, 598
    nondiscretionary access controls (non-DAC), 599, 599–601
    selecting and assessing countermeasures, 74–75
    types of access control, 559
    violating principle of least privilege, 662–663
administrative law, 126–127
administrative physical security controls, 389
administrators
    audits of dual accounts for, 745
    audits of high-level groups of, 744–745
    configuring wireless security, 462
    security roles and responsibilities, 177–178
admissible evidence, 806–807
Adobe Digital Experience Protection Technology (ADEPT), 254
Adobe Reader, for this book, 968
Advanced Access Content System (AACS), 253
Advanced Encryption Standard (AES), 218–219
    overview of, 173
    securing email data, 163
    storing sensitive data, 167–168
    supported by S/MIME, 249
advanced persistent threats (APTs)
    as highly effective and sophisticated, 814
    overview of, 608–609
advisory security policies, 26
adware, as malicious code, 893
affected users, in DREAD rating system, 35
aggregation
    access aggregation attacks, 610
    least privilege problem and, 663
    vulnerabilities in database security, 341–342
Agile software development
    DevOps model aligned with, 856


    many variants of, 850
    overview of, 849–850
agreements, employment, 53–54
AH (Authentication Header), in IPsec, 174, 256, 521
alarms
    intrusion alarms, 411–413
    intrusion detection systems (IDS), 397–398
algorithms
    cryptographic keys, 208–209
    cryptography relying on, 195
    symmetric key, 209–210
Amazon Kindle, encryption technology used by, 254
amplifiers, network devices, 470
analog communication, subtechnologies supported by Ethernet, 487
analysis
    of business organization, 96
    of risks, 64–65
analytic attacks, types of cryptographic attacks, 258
AND operation, Boolean logic, 196–197
Andersen, Arthur, 633
Android devices, vulnerabilities, 351
annualized cost of safeguard (ACS)
    calculating cost/benefit analysis of safeguard, 68
    formula, 69
annualized loss expectancy (ALE)
    assessing impact of risks, 105
    elements of quantitative risk analysis, 65–69
    formula, 69
annualized rate of occurrence (ARO)
    elements of quantitative risk analysis, 65–67
    formula, 69
    identifying for risks, 104
anomaly analysis, 717
anomaly detection, 717
antennas, managing placement and power levels, 461
anti-malware software
    detecting potential incidents, 700
    incident response and, 723–724
    installing malware using fake, 712
    as preventive measure, 705
    protecting against botnets, 709
    using sandboxing, 726
antivirus mechanisms/programs
    BYOD devices and, 358
    as countermeasure to malicious code, 893–895
    overview of, 886–887
    rogue antivirus software as Trojan, 888
API keys
    not including in code repositories, 859
    similarities to passwords, 856–857
APIPA (Automatic Private IP Addressing), 528–530
Apple iOS. See iOS
AppleTalk, alternatives to IP protocol, 433
applets
    overview of, 337–338
    types of, 338
application attacks
    back doors, 900
    buffer overflows, 899–900
    escalation of privilege and rootkits, 900–901
    exam topics, 909
    masquerading, 907–908
    reconnaissance, 905–907
    review answers, 950–951
    review questions, 911–914
    summary, 908
    time-of-check-to-time-of-use (TOCTTOU or TOC/TOU), 900
    on web applications, 901–905, 903
    written lab, 910
    written lab answers, 965
application control, mobile device security, 353–354
application firewalls, 362–363
Application layer (layer 7), in OSI model, 436–437
Application layer protocols, of TCP/IP suite, 447–448
application-level gateway firewall, 726
application logs, 733
application programming interfaces (APIs)
    interface testing of, 648
    software development security, 856–857
application security
    mobile devices, 355–357
    role-based access controls in, 601
application whitelisting, mobile device security, 357
application-level gateway firewalls, 466
applications, mobile device security, 355
architecture
    bring-your-own-device (BYOD) and, 359
    computer architecture. See computer architecture
    database management system (DBMS), 861, 861–862
    vulnerabilities. See vulnerabilities, in security architecture
arithmetic logic unit (ALU), 329
ARP. See Address Resolution Protocol (ARP)
artificial intelligence, learning by experience, 872
AS (authentication service), Kerberos, 575
assembly languages, 839–840
assessment
    of business impact of threat. See business impact assessment (BIA)
    of disaster recovery efforts, 787
    of risks. See risk assessment
    of security systems. See security assessment and testing
    of vulnerabilities. See vulnerability assessment
asset security
    access control, 556


    administrative controls, 74–75
    administrator roles, 177–178
    business/mission owner role, 176
    custodian role, 178
    data owner role, 174–175
    data processors role, 176–177
    defining data classifications, 160–163
    defining data security requirements, 163–164
    defining risk terminology, 61
    defining sensitive data, 158–160
    destroying sensitive data, 168–171, 170
    employment termination processes, 55
    exam topics, 157, 182–183
    handling sensitive data, 167
    identifying threats by focus on assets, 30
    marking sensitive data, 165–167
    physical controls, 75
    protecting physical assets, 672
    protecting privacy, 178–179
    protecting sensitive data using symmetric encryption, 172–173
    protecting sensitive data using transport encryption, 173–174
    retaining assets (data, records, etc.), 171–172
    review answers, 922–924
    review questions, 184–187
    scoping and tailoring, 180
    selecting standards and, 180–181
    storing sensitive data, 167–168
    summary, 181–182
    system owner role, 175–176
    threat modeling with focus on, 607
    types of controls, 75–76
    understanding data states, 164–165
    user role, 178
    using security baselines, 179–180
    written lab, 183
    written lab answers, 956–957
asset valuation (AV)
    defining risk terminology, 61
    elements of quantitative risk analysis, 65–66
    in formula for total risk, 73
    quantitative decision making in impact analysis, 101
    in risk analysis, 77–78, 605–607
assets
    identifying, 605–606
    managing cloud-based, 673–674
    managing virtual, 672
    tracking, 354
assurance
    of confidence in security, 274–275
    evaluation assurance levels (EALs), 297–299
    Information Technology Security Evaluation Criteria (ITSEC), 295–296
    procedures, 841
asymmetric key cryptography
    digital signatures. See digital signatures
    in distribution of symmetric keys, 220
    El Gamal, 235
    elliptic curve cryptography, 235–236
    exam topics, 231, 261–263
    hash functions. See hash functions
    managing asymmetric keys, 246–247
    nonrepudiation and, 194
    overview of, 210–212, 211, 232, 233
    public and private keys, 232–233
    public key infrastructure (PKI). See public key infrastructure (PKI)
    review answers, 926–927
    review questions, 265–268
    Rivest, Shamir, and Adleman (RSA) algorithm, 218, 233–234
    smartcards and, 566–567
    strengths of, 212–213
    summary, 261
    symmetric key cryptography compared with, 213
    written lab, 264
    written lab answers, 958
asynchronous communication, subtechnologies supported by Ethernet, 487
asynchronous dynamic password tokens, 567
asynchronous transfer mode (ATM), WAN connections, 535–536
ATO (authorization to operate), in security governance, 59–60
atomicity, consistency, isolation, and durability (ACID), 865–866
atomicity, in ACID model of database transactions, 865
attachments, blocking email attachments, 512
attackers
    advanced persistent threats of, 608–609
    crackers vs. hackers vs., 604–605
    identifying threats by focus on, 30
    patch Tuesday, exploit Wednesday and, 685
    threat modeling with focus on, 608
    using vulnerability scanners, 686
attacks. See also by individual types
    defining risk terminology, 62
    determining and diagramming potential, 32–33, 33
    focused on violation of availability, 7
    focused on violation of confidentiality, 4
    focused on violation of integrity, 6
    understanding, 705–706
attribute-based access controls (ABAC), 601–602


audio
    copyright protection of streaming media, 135
    streaming with UDP, 443
audit logs, retaining, 171
audit trails
    for access control, 398
    accountability and, 562
    designing, 845
auditors
    protecting, distributing, and reporting audit results, 746–747
    roles and responsibilities, 23, 742
    working with external, 747–748
audits/auditing
    access review, 743–744
    accountability and, 562
    in assessing effectiveness, 742
    defined, 10, 742
    employment review, 54
    external auditors in, 747–748
    incident response and, 742–748
    inspection, 743
    logging vs., 732
    of privileged groups, 744–745
    reporting results of, 746–747
    retaining audit logs, 171
    security audits, 632–633, 745–746
    user entitlement, 744
    when they go wrong, 633
authenticated scans, network vulnerability scanning with, 638–639
authentication. See also identity management
    AAA services, 8–12, 580–581
    for access control, 164
    API requirements, 856–857
    biometric error ratings, 570–571, 571
    biometrics, 568–570
    captive portals and, 462
    centralization of, 517
    cognitive passwords in, 566
    comparing identification with, 560–561
    configuring wireless security, 462
    defined, 10
    of devices, 572–573
    with encrypted passwords, 564
    factors, 563
    goals of cryptography, 193–194, 194
    integrating identity services, 579
    Kerberos for, 574–576
    of mobile devices, 356
    multifactor, 572
    passwords in, 564–565
    planning remote access security, 516
    session management and, 579–580
    smartcards in, 566–567
    tokens in, 567–568
    of wireless access points, 458–460
authentication, authorization, and accounting (AAA)
    accountability, 10–11
    auditing, 10
    authentication, 8–10
    authorization, 9–10
    identification, 8, 8, 10
    nonrepudiation, 11–12
    overview of, 9
    protocols, 580–581
Authentication Header (AH), in IPsec, 174, 256, 521
authentication service (AS), Kerberos, 575
authority levels, bounds and, 273
authorization
    AAA services, 9–10, 580–581
    for access control, 164
    mechanisms, 595–596
    overview of, 561–562
automated recovery, 774
automated recovery without undue loss, 775
Automatic Private IP Addressing (APIPA), 528–530
availability
    categories of IT loss, 560
    in CIA triad, 7
    designing in systems development life cycle, 846
    goals of cryptography, 192–194
    techniques for ensuring, 272–274
    unauthorized changes directly affecting, 681
avalanches, disaster recovery planning for, 765
awareness
    in disaster recovery plan, 792–793
    establishing and managing information security, 81–82

B
back doors
    application attacks and, 900
    due to coding flaws, 370
    maintenance hooks and, 372
    vulnerability assessments of, 816–817
background checks, in screening employment candidates, 52
backup tapes
    formats, 789
    handling sensitive data, 167
    rotation strategies, 790
    storing sensitive data, 168


backups
    fault tolerance vs., 771
    offline or standby UPS battery, 773
    protecting log data, 734
    restoring data, 787–790
    scheduling, 788
    of software escrow arrangements, 790
    verifying, 650
badges, in physical security, 411
bandwidth, quality of service controls, 775
bar codes, in hardware inventory, 671
Barracuda Networks, 726
base+offset addressing, of memory, 330
baseband cable
    overview of, 474
    subtechnologies supported by Ethernet, 487–488
baselines
    in behavior-based IDSs, 717
    configuration management with, 678
    images deployed as, 678–680, 679
    in security and risk management, 26–27
    using security baselines, 179–180
Basic Input/Output System (BIOS), 336
Basic Rate Interface (BRI), ISDN, 534
basic service set identifier (BSSID)
    securing, 456–457
    wireless access points and, 455–456
bastion host, multihomed firewalls and, 467
battery backup system, offline or standby UPS, 773
BCI Good Practices Guideline, documenting business continuity plan, 785
BCP Development phase, in business continuity planning, 98
BCP Implementation phase, in business continuity planning, 99
BCP Testing, Training, and Maintenance phase, in business continuity planning, 99
beacon frames, in SSID broadcast, 457
behavior-based IDSs
    overview of, 717–718
    response, 718–719
behaviors, object-oriented programming, 841
Bell-LaPadula model
    Biba model compared with, 284–285
    as information flow model, 279
    overview of, 282–284, 283
best evidence rule, in documentary evidence, 807
best-effort communication, with UDP, 443
beyond a reasonable doubt standard, in criminal investigations, 805
Biba model
    as information flow model, 279
    limitations of, 286
    overview of, 284–285, 285
Big Four firms, for external audits, 633
binary code, programming languages and, 839–840
binary numbers, converting, 529
biometrics
    authentication factors, 563
    error ratings, 570–571, 571
    overview of, 568–570
    proximity readers, 397
    registration, 571–572
BIOS (Basic Input/Output System), 336
birthday attacks
    overview of, 613–614
    types of cryptographic attacks, 260
bit size, of key space, 194–195
BitLocker, encrypting Windows portable devices, 248
bits, of data, 430
black boxes
    approach to abstraction, 365–366, 840–841
    in penetration testing, 643
    as phreaker tool, 507
    in software quality testing, 857–858
blacklisting applications, 724
block ciphers
    Blowfish, 217
    International Data Encryption Algorithm, 217
    overview of, 207
    Rijndael, 218
    Rivest Cipher 5, 218
    Twofish, 218
Blowfish
    as block cipher, 217
    comparing symmetric algorithms, 219
    overview of, 173
blue boxes, as phreaker tool, 507
Blue Screen of Death (BSOD), 843
Bluetooth (IEEE 802.15), 484
Boiler Room film (2000), cold site in, 779
bombings, disaster recovery planning for, 766
book ciphers, 206
Boolean mathematics
    logical operations, 196
    NOT operation, 198
    AND operation, 196–197
    OR operation, 196–197
    overview of, 196
    XOR (exclusive OR) operation, 198
boot sector, in master boot record (MBR), 884
bot herders, 709
botnets
    creating with Trojan horse, 890
    launching DDoS attacks, 706
    overview of, 709
    protecting against, 709
    recent examples, 709–710


bounds, CIA techniques, 273
breaches
    defining risk terminology, 62
    reporting to upper management, 702
Brewer and Nash model (Chinese Wall), 287
BRI (Basic Rate Interface), ISDN, 534
bridge infrastructure mode, in wireless access points, 455–456
bridge routers (brouters)
    as network device, 471
    operating at Network layer of OSI model, 434
bridges, network devices, 471
bring-your-own-device (BYOD)
    authentication, 572–573
    mobile device security, 354
    policies, 357–360, 677
broadband cable
    overview of, 474
    subtechnologies supported by Ethernet, 488
broadcast domains, 470
broadcasts
    collisions compared with, 469
    subtechnologies supported by Ethernet, 488
brouters (bridge routers)
    as network device, 471
    operating at Network layer of OSI model, 434
brownouts, power issues, 400, 773
browsers, protecting against botnets, 709
brute force attacks
    overview of, 612–613
    types of cryptographic attacks, 258
BSOD (Blue Screen of Death), 843
BSSID (basic service set identifier)
    securing, 456–457
    wireless access points and, 455–456
buffer overflow
    attacks, 370–372
    vulnerabilities, 710, 899–900
buildings. See facilities
Bureau of Industry and Security, export controls, 139
burglar alarms, 397–398
bus topology, 478–479, 479
business attacks, computer crime, 814
business continuity planning (BCP)
    analyzing business organization, 96
    assessing business impact, 101
    assessing risk impact, 104–106, 105
    assessing risk likelihood, 104
    benefits of, 99
    disaster recovery planning compared with, 95
    documenting, 110
    emergency-response guidelines, 113
    environment and life safety, 414
    exam topics, 93, 115–116
    getting approval of plan, 109
    goals in, 111
    identifying priorities, 101–102
    identifying risks, 102–103
    implementing plan, 110
    legal and regulatory requirements, 100
    maintaining, testing, and performing exercises, 114
    man-made natural disasters, 766–769
    overview of, 94–95
    prioritizing resources, 106
    Professional Practices library for, 785
    project scope, 95–96
    provisions and processes phase, 108–109
    regional natural disasters, 765
    resource requirements, 98–99
    review answers, 918–920
    review questions, 118–121
    risk assessment and risk acceptance/mitigation sections, 112
    senior management and, 98
    statements of importance, priorities, organizational responsibility, and urgency and timing, 111–112
    strategy development phase, 107
    subtasks in, 107
    summary, 114–115
    team selection, 96–97
    as template for recovery efforts, 795
    vital record program, 113
    written lab, 117
    written lab answers, 955
business impact assessment (BIA)
    assessing risk impact, 104–106
    assessing risk likelihood, 104
    disaster recovery strategy, 776–777
    identifying priorities, 101–102
    identifying risks, 102–103
    overview of, 101
    prioritizing resources, 106
business organization, analyzing, 96
business units, functional priorities for disaster recovery, 776–777
business/mission owner role, security roles and responsibilities, 176
BYOD. See bring-your-own-device (BYOD)

C
C3 cipher, 190–191
cables, network
    baseband and broadband, 474
    characteristics of, 475
    coaxial, 473–474
    conductors, 476–477


    overview of, 473
    twisted-pair, 475–476
cache, local, 339–341
cache poisoning
    ARP and RARP and, 447
    overview of, 339
cache RAM, 328
caching DNS server, 340
CACs (Common Access Cards), 567
Caesar cipher
    historical milestones in cryptography, 190–191
    stream ciphers, 207
    substitution ciphers, 203
Cain & Abel, CPU-based password-cracker, 612–613
CALEA (Communications Assistance for Law Enforcement Act)
    in U.S. privacy laws, 141
    wiretaps and, 483–484
California Online Privacy Protection Act (COPA), 179
callback security, as war dialing countermeasure, 714
Candidate Information Bulletin (CIB), CISSP, 699, 715–716
candidate keys, in relational databases, 863
capabilities lists
    in access control matrix, 280
    security attributes and, 275
Capability Maturity Model for Software, 850
captive portals, 462
cardinality, of database rows, 862–863
Carlisle Adams/Stafford Tavares (CAST), 249
Carrier-Sense Multiple Access (CSMA), 488
Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA), 488–489
Carrier-Sense Multiple Access with Collision Detection (CSMA/CD), 489
CAs (certificate authorities), 243–244
cascading, type of composition theory, 280
CAST (Carlisle Adams/Stafford Tavares), 249
Cat 5/Cat5e UTP cable, 476
cathode ray tube monitors, radiation from, 334
CBC (Cipher Block Chaining), in DES, 215
CBK (Common Body of Knowledge)
    CISSP Study Guide, 716
    Security and Risk Management domain, 3
CCCA (Comprehensive Crime Control Act), 128
CCTV. See closed circuit TV (CCTV)
CDI (constrained data item), in Clark-Wilson model, 286
CDNs (content distribution networks), 453–454
cell phones
    generations of, 481–482
    security issues, 507
    Wireless Application Protocol and, 483–484
cell suppression, DBMS granular control with, 867
cells, wireless, 454
central processing unit (CPUs)
    accessing secondary memory, 330
    interrupts and, 335
    large-scale parallel data systems and, 344
    operating modes, 326
    operating states, 321–322
    overview of, 315
    processing types, 318–319
    registers, 329
    static vs. dynamic RAM and, 329
CER (crossover error rate), in biometrics, 571
certificate authorities (CAs), 243–244
certificate path validation (CPV), 244
certificate practice statement (CPS), 246
certificate revocation list (CRL)
    revoking digital certificates, 246
    verification of certificates and, 245
certificates. See digital certificates
certification, in evaluation of security systems, 300–302
CFAA (Computer Fraud and Abuse Act)
    amendments, 128–130
    provisions, 128
CFB (Cipher Feedback), in DES, 215
CFR (Code of Federal Regulations), 127
chain of evidence (or chain of custody), 807–808
Challenge Handshake Authentication Protocol (CHAP)
    planning remote access security, 516
    PPP support, 537
    types of authentication protocols, 502
challenge-response authentication, 194, 194
change logs, 733
change management
    overview of, 680–682, 681
    process of, 853–854
    security audits reviewing, 746
    security governance and, 17–18
    security impact analysis in, 682–683
    as security tool, 853
    systems development life cycle, 847
    updating disaster recovery plan, 795
    versioning, 683
channel service unit/data service unit (CSU/DSU), 534
channels, wireless, 456
CHAP. See Challenge Handshake Authentication Protocol (CHAP)
checklists
    creating baseline with, 678
    disaster, 785–786
checksums, integrity verification and, 537
Children's Online Privacy Protection Act (COPPA), 142–143, 179
Chinese Wall (Brewer and Nash model), 287


chosen ciphertext attacks, 259chosen plaintext attacks, 260CIA triad. See confidentiality, integrity, availability (CIA)CIB (Candidate Information Bulletin), CISSP, 699,

715–716

CIDR (Classless Inter-Domain Routing), 445CIFS (Common Internet File System), 433Cipher Block Chaining (CBC), in DES, 215Cipher Feedback (CFB), in DES, 215ciphers

in American Civil War, 191art of creating/implementing, 195block ciphers, 207

codes vs., 202

confusion and diffusion operations, 207

one-time pads, 205–206

running key ciphers, 206–207

stream ciphers, 207

substitution ciphers, 203–205

transposition ciphers, 202–203

ciphertext, plaintext compared with, 194ciphertext only attacks, 259CIR (committed information rate), in Frame Relay, 535circuit switching

overview of, 530–531

packet switching compared with, 531circuit-level gateway firewalls, 466, 726CIRTs (computer incident response teams), 701, 820

civil lawinvestigations, 805

overview of, 126

Clark-Wilson modelconstrained interfaces and, 304overview of, 286, 286–587

classes, IP address, 444–445classes, object-oriented programming

abstraction and, 366overview of, 841

classification labelsmandatory access control (MAC), 602, 602–604

multilevel security database security, 866–868

protecting audit results, 747

classification of data. See data classificationClassless Inter-Domain Routing (CIDR), 445click-through licenses, types of license agreements, 138client systems, implementing antivirus software, 893

client-based vulnerabilities. See vulnerabilities, client-based

closed circuit TV (CCTV)for access control, 398intrusion alarms and, 412monitoring access to servers, 394secondary verification mechanisms, 412–413

closed ports, network discovery with nmap, 635–638, 636–638

closed source, vs. open source, 272closed systems, vs. open systems, 271–272

cloud computingbusiness impact assessment and, 102as disaster recovery option, 782

managing cloud-based assets, 673–674

overview of, 346–347

types of license agreements, 138cloud service providers (CSPs), 673

CNSS (Committee on National Security Systems), 302CO2, fire suppression systems, 405–406coaxial cables, 473–474

COBIT (Control Objectives for Information and Related Technology), 24, 176

codeattacks based on flaws in, 370

checking for buffer overflows, 371code review phase in systems development life cycle,

846

repositories, 858–859

software for reviewing, 644–645, 645

Code of Ethics, ISC, 827–828

Code of Federal Regulations (CFR), 127

Code Red worm, 890–891

code words or phrases, for personnel safety, 670

codes, ciphers contrasted with, 202

cognitive passwords, 566

cohesiveness, object-oriented programming, 841

cold sites, as disaster recovery option, 778–779

collaboration. See multimedia collaboration

collision attacks, types of cryptographic attacks, 260

collision domains, 470

collisions

in birthday attacks, 613–614

in brute force attacks, 612

vs. broadcasts, 469

collusion

defined, 52

job rotation protecting against, 51

mandatory vacations detecting, 666–667

separation of duties protecting against, 50

two-person control reducing, 666–667

columnar transposition, transposition ciphers, 202

columns, database, 862–863

combination locks, physical security, 410

committed information rate (CIR), in Frame Relay, 535

Committee on National Security Systems (CNSS), 302

Common Access Cards (CACs), 567

Common Body of Knowledge (CBK)

CISSP Study Guide, 716

Security and Risk Management domain, 3


Common Criteria

overview of, 296

recognition of, 296–297

security standards, 290

structure of, 297–299

trusted recovery, 774–775

Common Internet File System (CIFS), 433

common mode noise, 401

common routers, 466

Common Vulnerability and Exposures (CVE) dictionary, 688

communication disconnects, 373–374

communication security

ARP spoofing attacks, 542–543

authentication protocols in, 502

Automatic Private IP Addressing (APIPA), 528–530

centralization of authentication, 517

circuit switching, 530–531

denial of service/distributed denial of service attacks, 540–541

dial-up encapsulation protocols, 536–537

dial-up protocols, 516–517

disaster recovery planning, 786–787, 791

DNS poisoning, spoofing, and hijacking attacks, 543–544

eavesdropping attacks, 541–542

email security goals, 509–510

email security issues, 510–511

email security solutions, 511–512

emergency preparation, 777–778

exam topics, 499, 546–548

fax security, 512–513

fraud and abuse, 505–507

hyperlink spoofing attacks, 544

instant messaging, 508

IPsec protocol in, 521–522

Layer 2 Tunneling Protocol (L2TP), 521

managing remote access, 513–515

masquerading/impersonation attacks, 542

modification attacks, 542

multimedia collaboration and, 507

network address translation (NAT), 525–526

overview of, 500–501

packet switching, 531–532

planning remote access security, 515–516

Point-to-Point Tunneling Protocol (PPTP), 520–521

preventing/mitigating network attacks, 539–540

private IP addresses, 526–527

remote meetings, 508

replay attacks, 542

review answers, 933–934

review questions, 550–553

secure protocols, 501–502

secure voice communications, 503

security boundaries, 539

security control characteristics, 537–538

social engineering attacks, 504–505

stateful NAT, 527–528

static and dynamic NAT, 528

summary, 545–546

switching technologies, 530

tunneling and, 518–519

virtual applications/software, 523–524

virtual circuits, 532

virtual LANs (VLANs), 522

virtual networking, 524–525

virtual private networks (VPNs), 519–520

virtualization and, 523

Voice over IP (VoIP), 503–504

WAN connections, 534–536

WAN technologies, 532–534

written lab, 549

written lab answers, 960–961

Communications Assistance for Law Enforcement Act (CALEA)

in U.S. privacy laws, 141

wiretaps and, 483–484

community cloud deployment model, 674

companion viruses, 885

compartmentalized environment, in mandatory access control (MAC), 604

compartmented mode, 324

compartmented mode workstations (CMWs), 324

compatibility tables, as authorization mechanism, 595

compensation access control, 76, 559

compiled languages, security implications of, 839–840

compilers, 839

compliance

with government regulations, 146–147

personnel security and, 57

composition theories, 279–280

Comprehensive Crime Control Act (CCCA), 128

compromise incidents, 819

computer architecture

central processing units (CPUs), 315

execution options, 316–318

firmware, 336–337

hardware, 315

input and output devices, 333–335

input/output (I/O) operations, 335–336

memory, 327

memory addressing, 329–330

memory security issues, 331

operating modes, 326

process (operating) states, 321–322, 322

processing types, 318–319


protection rings, 319–321, 320

random access memory, 328–329

read-only memory, 327–328

registers, 329

secondary memory, 330–331

security modes, 323–325

storage, 331–333

computer crime

business attacks, 814

categories, 812–813

Computer Fraud and Abuse Act, 128–129

Computer Security Act, 129–130

Federal Information Security Management Act, 132

Federal Sentencing Guidelines for computer crimes, 130

financial attacks, 814–815

Government Information Security Reform Act, 131

grudge attacks, 815–817

military and intelligence attacks, 813–814

National Information Infrastructure Protection Act, 130

overview of, 127

Paperwork Reduction Act, 130

terrorist attacks, 815

thrill attacks, 817

Computer Fraud and Abuse Act (CFAA)

amendments, 128–130

provisions, 128

computer incident response teams (CIRTs), 701, 820

Computer Security Act (CSA), 129–130

computer security incident, defining requirements with, 698–699

computer security incident response team (CSIRT), 701

computer security incident response teams (CSIRTs), 820

computers, export controls, 139

concealment, aspects of confidentiality, 5

concentrators

cable runs and, 477

network devices and, 470

conceptual definition phase, of systems development life cycle, 845

concurrency (edit) control, in multilevel database security, 867

conductors, network cable, 476–477

Conficker, 685

confidential (proprietary) data

commercial classification of data, 21, 162

defining sensitive data, 159–160

governmental classification of data, 20, 160

nondisclosure agreements (NDAs), 171

securing email data, 163

confidentiality

Bell-LaPadula model and, 284

business attacks on, 814

categories of IT loss, 560

confidentiality principle in CIA, 4–5

goals of cryptography, 192–193

mutual assistance agreements and, 783

NIST guidelines, 415

principle of least privilege for, 662–663

protecting with encryption, 172–174

thwarting attacks on database, 868

confidentiality, integrity, availability (CIA)

availability principle, 7, 68177

categories of IT loss, 560

confidentiality principle, 4–5

goals of cryptography, 192–194

integrity principle, 5–6

overview of, 3–4

security and risk management, 3

techniques for ensuring, 272–274

configuration management

baselining for, 678

derived from ITIL, 682

documentation of, 683

process of, 854–855

security audits reviewing, 746

as security practice, 679

using images for baselining, 678–680

versioning control in, 683

Configuration Manager (ConfigMgr), 672

confinement, CIA techniques, 273

confiscation of evidence, incident response, 822

conflict of interests, segregation of duties preventing, 664–666

confusion operations, in obscuring plaintext messages, 207

connection technologies, WANs, 534–536

connectionless protocol, UDP as, 443

connectivity, planning remote access security, 515

consistency, in ACID model of database transactions, 865

constrained data item (CDI), in Clark-Wilson model, 286

constrained interfaces, as authorization mechanism, 596

consultants, controlling, 56–57

content distribution networks (CDNs), 453–454

content filters, implementing antivirus programs, 893

Content Scrambling System (CSS), in movie DRM, 253

content-dependent access controls

as authorization mechanism, 596

DBMS security, 867

context-dependent access controls

as authorization mechanism, 596

DBMS security, 867

continuity planning. See also business continuity planning (BCP)

getting approval of plan, 109

implementing plan, 110

provisions and processes phase, 108–109

strategy development phase, 107


subtasks in, 107

continuous improvement principle, personnel security and, 78

contractors, controlling, 56–57

contracts, types of license agreements, 138

Control Objectives for Information and Related Technology (COBIT), 24, 176

control specifications development phase, systems development life cycle, 845–846

control zones

protecting against EM radiation eavesdropping, 375

securing electrical signals and radiation, 399

controlled security mode, 324

controls

for access. See access control

characteristics of, 537–538

frameworks, 23–24

monitoring and measuring, 76–77

for perimeter security, 407–409, 408

for personnel security, 74–75

for physical security, 389–390

redundancy and diversity of, 363

types of, 75–76

controls gap, residual risk and, 73

converged protocols, 452

COPPA (Children’s Online Privacy Protection Act), 142–143, 179

copyrights. See also intellectual property

Digital Millennium Copyright Act, 134–135

protecting trade secrets, 137

works qualifying for, 133

cordless phones, 484

corporate policies, for BYOD devices, 359

corrective access control, 76, 558

cost-benefit analysis, in valuation of assets, 610

Counter (CTR), in DES, 215

Counter Mode Cipher Block Chaining Message Authentication Control Protocol (CCMP), 459, 460–461

countermeasures

to availability attacks, 7

certification and accreditation as, 300–302

Common Criteria and, 296–299

to confidentiality attacks, 4

effectiveness of, 77

implementing for personnel security, 74–75

industry and international security implementation guidelines, 299–300

to integrity attacks, 6

ITSEC classes and required assurance and functionality, 295–296

to malicious code, 893–895

Orange book, 290–292, 291

Orange book limitations, 294–295

to password attacks, 898–899

rainbow series for security standards, 290, 293–294

Red and Green books, 293

residual risk and, 73

selecting and assessing, 73–74, 289

counterstrikes/counter attacks

not included in incident response, 700

risk of launching, 720

coupling, object-oriented programming, 841

covert channels

attacking data storage resources, 870

types of, 369

CPS (certificate practice statement), 246

CPTED (crime prevention through environmental design), 389

CPUs. See central processing unit (CPUs)

CPV (certificate path validation), 244

crackers, hackers and attackers compared with, 604–605

CRCs (cyclic redundancy checks), 537

credential management

Kerberos, 574

mobile device security, 356

overview of, 578–579

Credential Manager, in Windows OSs, 579

credit cards, industry standard, 146

creeping privilege, 583

crime

criminal investigations, 805

securing evidence storage facility, 395

crime prevention through environmental design (CPTED), 389

criminal law

cybercrime, 131

overview of, 124–126

United States Code (USC), 126

crisis management, disaster recovery strategy for, 777

critical path analysis, in developing physical security plan, 387

criticality, aspects of confidentiality, 5

CRL (certificate revocation list)

revoking digital certificates, 246

verification of certificates and, 245

crossover error rate (CER), in biometrics, 571

cross-site scripting (XSS) attacks, on web applications, 901–902

cross-training, as alternative to job rotation, 52

CRT monitors, radiation from, 334

cryptanalysis

algorithms and, 208–209

defined, 195

cryptographic applications

digital rights management, 252–254

email, 248


networking, 255–257

overview of, 247

portable devices and, 247–248

Pretty Good Privacy (PGP), 248–249

Secure Multipurpose Internet Mail Extensions (S/MIME), 249

steganography and watermarking, 250–252, 251–252

web applications, 249–250

wireless networking, 257–258

cryptography. See also encryption

Advanced Encryption Standard (AES), 218–219

asymmetric. See asymmetric key cryptography

attacks, 258–260

block ciphers, 207

Blowfish block cipher, 217

Boolean mathematics in, 196–198

codes vs. ciphers, 202

concepts in, 194–195

confusion and diffusion operations, 207

Data Encryption Standard (DES), 214–215

defined, 195

exam topics, 189, 223–224

goals of, 192–194

hashing algorithms. See hash functions

historical milestones, 190–192

International Data Encryption Algorithm (IDEA), 217

key creation and distribution, 219–221

key escrow and recovery, 221–222

key storage and destruction, 221

keys, 208–209

lifecycle of, 222

modulo function, 199

nonce, 200

one-time pads, 205–206

one-way functions, 199–200

overview of, 208–209

review answers, 924–926

review questions, 226–229

running key ciphers, 206–207

Skipjack algorithm, 217–218

split knowledge, 201

stream ciphers, 207

substitution ciphers, 203–205

summary, 222–223

symmetric. See symmetric key cryptography

transposition ciphers, 202–203

Triple DES, 216–217

work function (work factor), 201

written lab, 225

written lab answers, 958

zero-knowledge proof, 200, 200–201

Cryptolocker ransomware

botnets distributing, 709

overview of, 890

cryptovariables, 195

CSA (Computer Security Act), 129–130

CSMA (Carrier-Sense Multiple Access), 488

CSMA/CA (Carrier-Sense Multiple Access with Collision Avoidance), 488–489

CSMA/CD (Carrier-Sense Multiple Access with Collision Detection), 489

CSPs (cloud service providers), 673

CSS (Content Scrambling System), in movie DRM, 253

CSU/DSU (channel service unit/data service unit), 534

CTR (Counter), in DES, 215

custodian role, security roles and responsibilities, 178

CVE (Common Vulnerability and Exposures) dictionary, 688

cybercrime

law, 131

securing evidence storage facility, 395

cyber-physical systems, 361

cyclic redundancy checks (CRCs), 537

D

D2D (disk-to-disk) backups, 789

DAC. See discretionary access controls (DAC)

damage potential, in DREAD rating system, 34

darknets, 721

DARPA model. See also Open Systems Interconnection (OSI), 427, 437

data

analytics, 343

asset security, 164–165

formats, 435–436

information life cycle management, 668–669

managing media, 675–678

protecting logs, 733–734

recovery planning for theft of, 759–760

retaining assets, 164–165

sensitive. See sensitive data

states of, 163–164

data at rest (stored)

confidentiality and, 193

understanding data states, 164

data breaches

access control attacks, 606–607

notification rule, 142

preventing, 165

data classification

Bell-LaPadula model and, 282–283

benefits of, 18–19

Biba model and, 285

commercial/business, 21, 21, 161, 161–163

governmental/military, 20, 20, 160–161, 161

implementing, 19


information life cycle management, 668

marking sensitive data, 165

overview of, 18

ownership and, 22

security governance and, 20–21

data custodians (owners)

discretionary access control (DAC) by, 598

security roles and responsibilities, 23

Data Definition Language (DDL), SQL, 864

data dictionaries, 342

data diddling, in incremental attacks, 372

data emanations

defined, 454

securing electrical signals and radiation, 398–399

Data Encryption Standard (DES)

comparing symmetric algorithms, 219

cryptanalysis defeating, 209

overview of, 173

in symmetric cryptography, 214–215

data flow

paths in reduction analysis, 34

server-based vulnerabilities, 341

data hiding

essential security protection mechanisms, 366–367

protection mechanisms, 13

data in transit or in motion

confidentiality and, 193

protecting, 173–174

understanding data states, 164

data integrity. See also integrity

DBMS security, 867

incident handling, 825

principle of least privilege for, 662–663

relational database transactions ensuring, 864–866

Data Link layer (layer 2), in OSI model, 431–432

data loss prevention (DLP)

detecting watermarks, 741

egress monitoring with, 740–741

marking sensitive data, 166

protecting email data, 164

Data Manipulation Language (DML), SQL, 864

data mart, storing metadata in, 343

data mining, vulnerabilities in database security, 342–343

data owner role

bring-your-own-device (BYOD) and, 357

security roles and responsibilities, 23, 174–175

data processors role, security roles and responsibilities, 176–177

Data Protection Directive (EU), 58

data remanence

destroying sensitive data and, 168

physical security of media storage and, 394

storage security issues, 333

data stream, in OSI model, 430

data terminal equipment/data circuit-terminating equipment (DTE/DCE)

in Frame Relay, 535

WAN connections, 534

data warehousing, 342–343

database management system (DBMS)

distributed data model, 862

hierarchical data model, 861, 861–862

overview of, 861

security mechanisms, 867–868

database recovery

disaster recovery plans for, 783

electronic vaulting for, 783–784

remote journaling for, 784

remote mirroring for, 784

database security

aggregation, 341–342

data analytics, 343

data mining and data warehousing, 342–343

inference attacks, 342

large-scale parallel data systems, 344

for multi-level databases, 866–868

overview of, 341

protecting data at rest, 164–165

databases

DBMS architecture, 861, 861–862

key escrow database, 201

normalization of tables, 864

Open Database Connectivity, 868, 868

overview of, 860–861

relational, 862, 862–864

transactions, 864–866

datacenter security

access abuses, 398

intrusion detection systems (IDS), 397–398

overview of, 396

proximity readers in, 397

securing electrical signals and radiation, 398–399

smartcards, 396–397

date stamps, DBMS data integrity, 867

DBMS. See database management system (DBMS)

DCSs (distributed control systems), for industrial control, 348–349

DDL (Data Definition Language), SQL, 864

DDoS. See distributed denial-of-service (DDoS) attacks

dead zones, network segments, 433

decision-making process

decision-support systems, 872–873

expert systems, 870–872

neural networks, 872

decision-support systems (DSS), 872–873

declassification, of media, 170

decomposing. See reduction analysis


dedicated (leased) lines, WAN technologies, 532

dedicated mode, security modes, 323–324

Defense Information Technology Security Certification and Accreditation Process (DITSCAP), 302

defense-in-depth

IDS intended as part of, 715

implementing, 74

implementing access control with, 597, 597–598

preventing access aggregation attacks, 610

protecting large-scale parallel data systems, 346

Defined phase, SW-CMM, 851

degaussing

destroying sensitive data, 168

media, 170–171

degrees, of database columns, 862–863

delegation, object-oriented programming, 841

deleting files, as antivirus mechanism, 886

Delphi techniques, in qualitative risk analysis, 71

Delta rule (learning rule), learning by experience in neural networks, 872

deluge fire suppression system, 405

demilitarized zones (DMZ)

defined, 464

firewall deployment and, 468–469

multihomed firewalls and, 467

denial of service (DoS) attacks

countermeasures, 540–541

email security issues, 510–511

overview of, 540

in STRIDE threat categorization system, 31

denial-of-service (DoS) attacks

categorizing incidents as, 819

detecting with IDSs, 715

distributed denial-of-service (DDoS) attack, 706

distributed reflective denial-of-service (DRDoS) attack, 706

Gibson Research on, 821–822

overview of, 619, 706

SYN flood attack, 706–707

Department of Commerce

export controls, 139

Safe Harbor program of, 177

Department of Defense (DoD)

advanced persistent threat (APT) on, 609

Bell-LaPadula model developed by, 282

DoD Information Assurance Certification and Accreditation Process (DIACAP), 302

DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 324

TCSEC standards, 290

departments, analyzing business organization, 96

DES. See Data Encryption Standard (DES)

design

of facility, 388–389

flaws, 370

review phase in systems development life cycle, 846

design security principles

access control between subjects and objects (transitive trusts), 271

CIA techniques, 272–274

open vs. closed systems and, 271–272

overview of, 270–271

trust and assurance and, 274–275

destroying data

after backup media reaches its MTTF, 678

information life cycle management, 669

destroying media, 171

detection phase, incident response, 822

detective access control, 75–76, 558

deterrent access control, 75, 558–559

Devakumar, Vijay, 612–613

device fingerprinting, 573

devices

access control, 355, 556

authentication, 572–573

examples of embedded and static systems, 360–362

input and output devices, 333–335

input/output (I/O) operations, 335–336

mobile device security, 352–355

network devices, 431, 470–472

operating at Network layer of OSI model, 434

securing wireless, 470–472

storage devices, 331–333

wireless networking, 485

DevOps model, 855, 855–856

DHCP (Dynamic Host Configuration Protocol), 529

Diagnosing phase, IDEAL model, 851

diagramming potential attacks, 32–33

dial-up encapsulation protocols, 536–537

dial-up protocols, 516–517

Diameter, 581

dictionary attacks

birthday attacks, 613–614

hybrid attacks, 612

overview of, 611, 896–897

differential backups, in disaster recovery plan, 787–788

differential power analysis attacks, smartcards, 619

Diffie-Hellman key exchange algorithm

in distribution of symmetric keys, 219–221

El Gamal based on, 235

use by OpenPGP, 249

diffusion operations, in obscuring plaintext messages, 207

digital certificates

generating and destroying, 245–246

obtaining, 243–244

overview of, 243

smartcards and, 566–567

SSL and, 250

digital communication, subtechnologies supported by Ethernet, 487

Digital Millennium Copyright Act (DMCA), 134–135

digital rights management (DRM)

document DRM, 254

e-book DRM, 253–254


movie DRM, 253

music DRM, 252–253

overview of, 252

video game DRM, 254

Digital Signature Algorithm (DSA)

key length, 235

overview of, 242

Digital Signature Standard (DSS), 242

digital signatures

asymmetric key algorithms supporting, 212

Digital Signature Standard, 242

Hashed Message Authentication Code (HMAC), 241–242

implementing partial, 241

message digests in implementation of, 237

overview of, 240–241

preventing malicious code, 894

digital subscriber line (DSL), WAN technologies, 533

digital watermarking, 742

direct addressing, memory addressing, 330

direct evidence, as testimonial evidence, 808

Direct Inward System Access (DISA), 506

Direct Memory Access (DMA), 336

Direct Sequence Spread Spectrum (DSSS), 481

directed graph, Take-Grant model, 281

directional antennas, 461

directive access control, 76, 559

directory services, 574

DISA (Direct Inward System Access), 506

disaster recovery planning (DRP)

assessment, 787

backups and offsite storage, 787–790

business continuity planning compared with, 95

business unit and functional priorities, 776–777

cloud computing, 782

cold sites, 778–779

crisis management, 777

database recovery, 783

electronic vaulting, 783–784

emergency communications, 777–778

emergency response, 785–786

exam topics, 759, 795–796

external communications, 791

hot sites, 779–780

logistics and supplies, 791

maintenance, 794–795

man-made disasters, 765–770

mobile sites, 781

mutual assistance agreements (MAAs), 782–783

natural disasters, 761–762, 761–765

nature of disaster and, 760–761

overview of, 760, 775–776, 784–785

personnel and communications, 786–787

recovery vs. restoration, 791–792

remote journaling, 784

remote mirroring, 784

review answers, 946–947

review questions, 798–801

service bureaus, 781–782

software escrow arrangements, 790–791

summary, 795

system resilience and fault tolerance, 770–775, 772

testing, 793–794

training, awareness and documentation, 792–793

utilities, 791

warm sites, 780–781

workgroup recovery, 778

written lab, 798

written lab answers, 964–965

disasters

man-made, 765–770

natural, 761–765

nature of, 760–761

discoverability, in DREAD rating system, 35

discretion, aspects of confidentiality, 5

discretionary access controls (DAC)

overview of, 274, 598

role-based access control compared with, 600

disinfecting files, as antivirus mechanism, 886, 905

disk drives

destroying sensitive data on solid state drives, 169

hard disk drives (HDDs), 333

solid state drives (SSDs), 169, 333, 678

storing sensitive data, 168

disk-to-disk (D2D) backups, 789

distance vector routing protocols, 434

distributed control systems (DCSs), for industrial control, 348–349

distributed data model, DBMS architecture, 862

distributed denial of service (DDoS) attacks

countermeasures, 540–541

overview of, 540

distributed denial-of-service (DDoS) attacks

detecting with IDSs, 715

overview of, 706

in ping flood attack, 706–707

Distributed Network Protocol (DNP3), 450

distributed reflective denial-of-service (DRDoS) attack, 706

distributed systems

cloud computing and, 346–347

grid computing, 347–348

overview of, 344–346

peer-to-peer (P2P) system, 348

DITSCAP (Defense Information Technology Security Certification and Accreditation Process), 302


DKIM (DomainKeys Identified Mail), 511

DLP. See data loss prevention (DLP)

DMA (Direct Memory Access), 336

DMCA (Digital Millennium Copyright Act), 134–135

DML (Data Manipulation Language), SQL, 864

DMZ. See demilitarized zones (DMZ)

DNP3 (Distributed Network Protocol), 450

DNS. See Domain Name System (DNS)

DNS poisoning, spoofing, and hijacking attacks

cache poisoning, 339

on communication network, 543–544

query spoofing, 340

DNS servers, 340

DNSChanger (Esthost botnet), 710

document exchange and review, acquisition strategies and practices, 36

documentary evidence, using in court of law, 807

documentation

of business continuity plan, 110

in change management, 683

in configuration management, 683

of disaster recovery plan, 793

of disaster recovery procedures, 785

in incident handling, 825–826

of incident response steps, 700

of penetration test results, 730

recovery step in incident response, 703

Documentation review, in security governance, 59–60

documents, digital rights management, 254

DoD. See Department of Defense (DoD)

DOD model. See TCP/IP suite

dogs, as perimeter control, 409

domain name, resolving to IP addresses, 450–451

Domain Name System (DNS)

attacks on communication network, 543–544

cache poisoning attacks, 339

DRDoS attacks, 706

NIDS discovering source of attack with DNS lookup, 720

query spoofing attacks, 340

resolving domain names to IP addresses, 451

domain of attributes, relational databases, 862

DomainKeys Identified Mail (DKIM), 511

domains of protection. See layering

DoS attacks. See denial-of-service (DoS) attacks

DRDoS (distributed reflective denial-of-service) attack, 706

DREAD (Probability x Damage Potential) system, in threat prioritization and response, 34–35

drive-by downloads

distributing malware with, 712

overview of, 617

DRM. See digital rights management (DRM)

DRP. See disaster recovery planning (DRP)

dry pipe fire suppression system, 405

DSA. See Digital Signature Algorithm (DSA)

DSL (digital subscriber line), WAN technologies, 533

DSS (decision-support systems), 872–873

DSS (Digital Signature Standard), 242

DSSS (Direct Sequence Spread Spectrum), 481

DTE/DCE (data terminal equipment/data circuit-terminating equipment)

in Frame Relay, 535

WAN connections, 534

DTMF (dual-tone multifrequency) generator, 507

dual-tone multifrequency (DTMF) generator, 507

due care, security governance and, 24

due diligence, security governance and, 24

dumb (mutation) fuzzing, of software, 646, 647

dumpster diving, as reconnaissance attack, 906–907

durability of database transactions, in ACID model, 866

duress systems, for personnel safety, 670

Dynamic Host Configuration Protocol (DHCP), 529

dynamic NAT, IP addressing and, 528

dynamic packet filtering firewalls, 467

dynamic RAM, 329

dynamic testing, of software, 646, 858

dynamic web applications, 902–903, 903

E

EAC (electronic access control) lock, 410

EALs (evaluation assurance levels), 297–299

EAP. See Extensible Authentication Protocol (EAP)

earthquakes

disaster recovery planning for, 761–762

seismic hazard levels, 761–762

eavesdropping (sniffer/snooping) attacks

eavesdropping on communication network, 541–542

eavesdropping with, 541

faxes and, 513

as man-in-the-middle attacks, 713

overview of, 614–615

preventing with switches, 720

protecting against, 375, 454

e-books, digital rights management, 253–254

ECB (Electronic Codebook Mode), in DES, 214

ECC (elliptic curve cryptography), 235–236

ECDSA (elliptic curve DSA), 242

Economic and Protection of Proprietary Information Act, privacy laws in U.S., 141

Economic Espionage Act, protecting trade secrets, 137

ECPA (Electronic Communications Privacy Act), privacy laws in U.S., 140

eDiscovery investigations, 806

education

BCP implementation and, 110

establishing and managing information security, 82

in malicious software, 724


education verification, screening employment candidates, 52

EEPROM (electronically erasable programmable read-only memory), 327–328

EF. See exposure factor (EF)

EFS (Encrypting File System), 248

EFS (Escrowed Encryption Standard), 217–218, 222

egress monitoring

incident response, 740–742

overview of, 740–742

El Gamal, 235

electro-magnetic (EM) radiation

intercepting and processing, 374–375

securing electrical signals and radiation, 398–399

electromagnetic interference (EMI), 401

electromagnetic pulse (EMP), 399

electronic access control (EAC) lock, 410

Electronic Codebook Mode (ECB), in DES, 214

Electronic Communications Privacy Act (ECPA), privacy laws in U.S., 140

Electronic Discovery Reference Model, 806

electronic flashcards, for this book, 968

electronic serial numbers (ESNs), cell phone security issues, 507

electronic vaulting, database recovery with, 783–784

electronically erasable programmable read-only memory (EEPROM), 327–328

elevation of privilege, in STRIDE threat categorization system, 31

elliptic curve cryptography (ECC), 235–236

elliptic curve DSA (ECDSA), 242

EM (electro-magnetic) radiation

intercepting and processing, 374–375

securing electrical signals and radiation, 398–399

email

anti-malware software, 723

avoiding phishing, 617–618

cryptographic applications for, 248

distributing malware with, 712

securing email data, 163

securing with PGP, 217

security goals, 509–510

security issues, 510–511

security solutions, 511–512

spoofing attacks, 616

emanations. See data emanations

embedded and static systems

examples of, 360–362

securing, 362–363

embedded devices, forensic evidence collection, 810

emergency communications, 777–778

emergency response. See also disaster recovery planning (DRP)

disaster planning, 785–786guidelines, 113

EMI (electromagnetic interference), 401

EMP (electromagnetic pulse), 399

employment. See also personnel

  account revocation and termination process, 584

  agreements and policies, 53–54

  being alert to threats from employees, 32

  job descriptions, 50–52

  sabotage by employees, 714

  screening candidates, 52–53

  termination processes, 54–56

Encapsulating Security Payload (ESP), in IPsec, 174, 256, 521

encapsulation

  dial-up protocols, 536–537

  in OSI model, 428–429, 428–429

  in TCP/IP, 449

encrypted viruses, 888

Encrypting File System (EFS), 248

encryption. See also cryptography

  controlling USB flash drives, 676

  designing in systems development life cycle, 845

  export controls, 139

  mobile device security, 352, 356

  networking techniques, 255–257

  of password files, 620

  of passwords, 564

  preventing sniffing attacks, 615

  protecting data confidentiality, 164–165

  protecting sensitive data using symmetric encryption, 172–173

  protecting sensitive data using transport encryption, 173–174

  protection mechanisms, 13

  securing email data, 163

  smartcards and, 566–567

  storing sensitive data, 167–168

  thwarting storage threats, 870

  of wireless access points, 458–460

end users. See also users

  delegating incident response to, 704

  detecting potential incidents, 700

endpoints

  endpoint-based DLP, 741

  securing, 469

end-to-end encryption, in networking, 255

Enigma code machine, 192

enrollment

  account provisioning and, 582

  biometric registration, 571

  of digital certificates, 245

enterprise extended infrastructure mode, wireless access points (WAPs) and, 455

enticement, honeypots, 722

entitlement

  auditing user, 744

  implementing need to know and least privilege, 663


entrapment – external communications 985

entrapment, honeypots, 722

environment

  controlling temperature, humidity, and static, 401

  penetration testing in vulnerability assessment, 727

  protecting facility, 414

environmental controls, storing sensitive data, 168

EPROM (erasable programmable read-only memory), 327

equipment, preparing for failure of, 390–391

erasable programmable read-only memory (EPROM), 327

erasing media, 169

escalation of privilege attacks, on applications, 900–901

Escrowed Encryption Standard (EFS), 217–218, 222

ESNs (electronic serial numbers), cell phone security issues, 507

ESP (Encapsulating Security Payload), in IPsec, 174, 256, 521

espionage, 714–715

ESSID (extended service set identifier)

  securing, 456–457

  wireless access points, 455–456

Establishing phase, IDEAL model, 851

Esthost botnet (DNSChanger), 710

Ethernet (802.3)

  5-4-3 rule, 477

  Carrier-Sense Multiple Access with Collision Detection, 489

  Data Link layer (layer 2) and, 431

  LAN technologies, 485–486

  subtechnologies supported, 486–487

ethical hacking, as penetration testing, 730–731

ethics

  Internet and, 828

  ISC Code of Ethics, 827–828

  overview of, 826–827

  Ten Commandments of Computer Ethics, 828–829

EU Data Protection Directive (95/46/EC), 178–179

EUI (Extended Unique Identifier), MAC addresses and, 432

Europe

  advanced persistent threat on French government, 609

  General Data Protection Regulation, 179

  online privacy policies, 178–179

  privacy law, 145–146

  restrictions on data transfer, 177

evaluation assurance levels (EALs), 297–299

Event Viewer, 731–732

events, in incident handling, 817

evidence

  admissible, 826–829

  beyond a reasonable doubt standard of, 805

  chain of, 807–808

  collection and forensic procedures, 809–810

  gathering in incident response, 823–824

  physical security of evidence storage, 395

  preponderance of the evidence standard, 805

  requirements in types of investigations, 805

  in scanning attacks, 818–819

  types of, 807–808

excessive privilege, 583

Exchange servers, Microsoft, 509

exclusive OR (XOR) operation

  Boolean logical operations, 198

  in DES, 214

executable files

  file infector viruses using, 884–885

  programming languages and, 839

execution options

  multiprocessing, 316–317

  multiprogramming, 317

  multitasking, 316

  multithreading, 317–318

exit conference, external auditor, 748

exit interviews

  account revocation and termination process, 584

  employment termination processes, 56

  organizational processes and, 16–17

expert opinion, as testimonial evidence, 808

expert systems

  backing decision-support systems, 873

  behavior-based IDSs as, 717

  overview of, 870–872

  security applications of, 873

exploit Wednesday, 685

exploitability, in DREAD rating system, 34

explosions, disaster recovery planning for, 766

export/import, laws and regulations, 139

exposure, defining risk terminology, 62

exposure factor (EF)

  assessing impact of risks, 104

  formula, 69

  in quantitative risk analysis, 65–66

extended service set identifier (ESSID)

  securing, 456–457

  wireless access points, 455–456

Extended Unique Identifier (EUI), MAC addresses and, 432

Extensible Access Control Markup Language (XACML), 578

Extensible Authentication Protocol (EAP)

  IEEE 802.1X/EAP, 459–460

  planning remote access security, 516

  PPP support, 537

  types of authentication protocols, 502–503

extensible markup language (XML)

  types of markup languages, 577

  vulnerabilities in web-based systems, 349

external auditors, working with, 747–748

external communications, disaster recovery plan for, 791


986 face scans – detection and extinguishers

F

face scans, biometric factors, 569

facilities

  controlling access, 556

  designing, 388–389

  environment and life safety, 414

  overview of, 386

  planning security, 387

  provisions and processes phase of continuity plan, 108

  securing evidence storage facility, 395

  securing media storage facility, 394

  selecting site for, 387–388

factors

  authentication factors, 563

  biometric factors, 568

Fagan inspection, code review with, 644–645

fail-open system

  avoiding/mitigating system failure, 843

  defined, 774

  when to implement, 843

failover clusters, protecting servers, 772

fail-secure system

  avoiding/mitigating system failure, 842–843

  defined, 774

failure

  avoiding/mitigating system, 841–844, 844

  initialization and failure states, 370

fair cryptosystems, for key escrow, 221

false acceptance rate (FAR), biometric error ratings, 570–571

false alerts, behavior-based IDSs creating, 717–718

false negatives, network vulnerability scanners creating, 636

false positives

  behavior-based IDSs creating, 717

  network vulnerability scanners creating, 638

false rejection rate (FRR), biometric error ratings, 570–571

Family Educational Rights and Privacy Act (FERPA), 143

FAR (false acceptance rate), biometric error ratings, 570–571

Faraday cages, securing electrical signals and radiation, 375, 399

fault analysis attacks, smartcards, 619

fault tolerance

  designing in systems development life cycle, 846

  overview of, 304, 760

  protecting hard drives, 771–772

  protecting power sources, 773

  protecting servers, 772, 772–773

  quality of service, 775

  trusted recovery, 773–775

fax, 512–513

FBI. See Federal Bureau of Investigations (FBI)

FCoE (Fibre Channel over Ethernet), 452

FDDI (Fiber Distributed Data Interface), LAN technologies, 485

features, disabling unused, 355

Federal Bureau of Investigations (FBI)

  InfraGard program, 826

  National Computer Crime Squad, 811

  reporting serious security incidents to, 702

Federal Information Processing Standard (FIPS)

  Digital Signature Standard (DSS), 242

  Secure Hash Standard (FIPS 180), 237–238

  Security Requirements for Cryptographic Modules, 195

  use of Skipjack algorithm by, 217–218

Federal Information Security Management Act (FISMA), 132

federal laws, role of legislature in, 125

Federal Sentencing Guidelines, for computer crimes, 130

federated management, of identity, 576–578

feedback, type of composition theory, 280

FEMA’s National Flood Insurance Program, 762–763

fences, as perimeter control, 407

FERPA (Family Educational Rights and Privacy Act), 143

FHSS (Frequency Hopping Spread Spectrum), 481

Fiber Distributed Data Interface (FDDI), LAN technologies, 485

fiber-optic cable

  characteristics of, 475

  overview of, 477

Fibre Channel over Ethernet (FCoE), 452

fields (attributes), relational databases, 862

fifth-generation languages (5GL), 840

file infector viruses, 884–885

File Transfer Protocol (FTP), 174

files

  cache-related issues in Internet files, 340

  comparing subjects and objects, 557

  disinfecting as antivirus mechanism, 886, 905

  executable, 839, 884–885

  formats, 435–436

FileVault, encryption on portable devices (Mac OS X), 248

filtered ports, network discovery with nmap, 635–638, 636–638

filtering traffic, with firewalls, 725–726

FIN (finish) packets

  TCP reset attacks, 708

  TCP sessions, 440

financial attacks, computer crime, 814–815

Finger vulnerability, spread of Internet worm, 891–892

fingerprints, biometric factors, 568–569

finite state machine (FSM), 278

FIPS. See Federal Information Processing Standard (FIPS)

fire

  damage assessment, 406

  detection and extinguishers, 404–406


fire triangle and fire stages – global positioning satellite (GPS) 987

  fire triangle and fire stages, 403

  overview of, 402–404

  recovery planning from bombings/explosions, 766

  recovery planning from man-made, 765

  recovery planning from natural, 764

fire extinguisher classes, 404

fire triangle, 403

fire stages, 403

firewalls

  blocking malware, 723

  deployment architectures, 467–469

  designed to be fail-secure, 774

  incident response and, 725–726

  logs, 733

  methods of securing embedded and static systems, 362–363

  multihomed, 467

  overview of, 465–466

  in rule-based access control, 601

  types of, 466–467

  wireless networking, 468

firmware (microcode)

  stored on ROM chip, 336–337

  version control, 363

first normal form (1NF), database normalization, 864

first responders, for IT incidents, 700

first-generation languages (1GL), 840

FISMA (Federal Information Security Management Act), 132

flash floods, disaster recovery planning for, 762–763

flash memory, 328

flashing the BIOS, 336

flooding attacks, email security issues, 511

floods

  disaster recovery planning for, 762–763

  physical security, 402

floppy disks, distributing malware with, 712

flow control

  data flow paths in reduction analysis, 34

  server-based vulnerabilities, 341

foreign keys, relational databases, 863

foreign words, password-cracking, 611

forensics

  bring-your-own-device (BYOD) and, 358

  evidence collection, 809–810

formats

  backup tape, 789

  file, 435–436

Fourth Amendment of the U.S. Constitution

  privacy rights and, 140

  on valid search warrants, 811

fourth-generation languages (4GL), 840

FQDN (fully qualified domain names), 339

fraggle attacks, 708

Frame Relay, WAN connections, 535

frames, data at Data Link layer of OSI model, 430

fraud

  job rotation detecting, 666

  mandatory vacations detecting, 666–667

  two-person control reducing, 666

  voice communication threats, 505–507

frequencies

  cordless phones, 484

  measuring in Hertz, 480

frequency analysis

  applying to Caesar cipher, 191

  period analysis, 205

  types of cryptographic attacks, 259

Frequency Hopping Spread Spectrum (FHSS), 481

FRR (false rejection rate), biometric error ratings, 570–571

FSM (finite state machine), 278

FTP (File Transfer Protocol), 174

full backups, 787

full duplex communication

  Session layer of OSI model and, 435

  with TCP, 439–440

full-interruption tests, disaster recovery plan, 794

fully qualified domain names (FQDN), 339

function recovery, trusted recovery as, 775

functional requirements determination phase, systems development life cycle, 845

fuzz testing

  overview of, 29

  software, 646, 647

fuzzy logic, inference engines of expert systems, 871–872

G

game consoles/game systems, 360–361

Gameover Zeus (GOZ) botnet, 709–710

Gantt charts, in project-scheduling, 853, 853

GAO (Government Accountability Office), 632

gas discharge fire suppression systems, 405–406

gates, as perimeter control, 407–408

gateway firewalls, 466

gateways, network devices, 471

GDPR (General Data Protection Regulation), 179

General Data Protection Regulation (GDPR), 179

generational (intelligent) fuzzing, of software, 646

generators, powering systems during outages, 773

geotagging, mobile device security, 356

GFS (Grandfather-Father-Son) strategy, backup tape rotations, 790

Gibson, Steve, 821–822

GISRA (Government Information Security Reform Act), 131

GLBA (Gramm-Leach-Bliley Act), privacy regulations, 58, 143

global positioning satellite (GPS)


988 geotagging – types of hashing algorithms

  geotagging, 356

  mobile device security, 353

global rules, rule-based access controls (rule-BAC), 601

goals

  aligning security functions to, 14–16, 15

  BCP (business continuity planning), 111

  cryptographic, 192–194, 194

  email security, 509–510

Goguen-Meseguer model, 288

Good Times virus warning, hoax, 888

Google, advanced persistent threat (APT) on, 609

governance, security. See security governance

Government Accountability Office (GAO), 632

Government Information Security Reform Act (GISRA), 131

GOZ (Gameover Zeus) botnet, 709–710

GPS (global positioning satellite)

  geotagging, 356

  mobile device security, 353

GPU (graphic processing unit)-based password cracker, 612–613

Graham-Denning model, 288

Gramm-Leach-Bliley Act (GLBA), privacy regulations, 58, 143

Grandfather-Father-Son (GFS) strategy, backup tape rotations, 790

granular object control, DBMS security, 867

graphic processing unit (GPU)-based password cracker, 612–613

gray-box testing

  penetration testing, 643, 729

  software quality, 858

Green book, in rainbow series, 293

grid computing, as parallel distributed system, 347–348

groups

  audits of privileged, 744–745

  role-based access control (role-BAC), 599, 599–601

grudge attacks, 815–817

guard dogs, as perimeter control, 409

guidelines

  BCI Good Practices Guideline, 785

  for designing PBX security, 505–506

  emergency response, 113

  Federal Sentencing Guidelines for computer crimes, 130

  industry and international security implementation guidelines, 299–300

  privacy guidelines, 415

  in security and risk management, 26–27

  TCSEC guidelines relative to trusted paths, 277

Gumblar, as drive-by download, 712

H

hackers

  crackers and attackers compared with, 604–605

  ethical, 730–731

  hacktivism, 817

hailstorms, disaster recovery planning for, 764

half-duplex communication, 435

halon, fire suppression systems, 406

hand geometry, biometric factors, 569

hard disk drives (HDDs), 333

hardening provisions, of continuity plan, 108–109

hardware

  alternate processing sites and, 781

  asset management, 671–672

  central processing unit (CPUs), 315

  denial of service (DoS) attacks exploiting, 540

  devices operating at Network layer of OSI model, 434

  disaster recovery planning for, 767–768

  fail safe/fail secure electrical locks, 774

  forensic evidence collection, 810

  integrating risk considerations into acquisition strategies and practices, 35

  inventorying, 671

  overview of, 315

  RAID solutions, 771–772

  replacement in disasters, 781

  retaining until sanitized, 171

  securing wireless, 470–472

  segmentation, 367

hardware security module (HSM), 304

hash functions

  detecting steganography attempts, 741

  Hashed Message Authentication Code, 241–242

  implementing digital signatures, 240–241

  integrity verification and, 537–538

  Message Digest 2, 238–239

  Message Digest 4, 238–239

  Message Digest 5, 239–240

  overview of, 236–237

  preventing birthday attacks, 613–614

  Secure Hash Algorithm, 237–238, 240

  security packages with antivirus functionality using, 887

  types of hashing algorithms, 213

Hashed Message Authentication Code (HMAC)

  comparing hashing algorithms, 239

  overview of, 241–242

  types of hashing algorithms, 213


hashed passwords – authentication factors 989

hashed passwords

  in birthday attacks, 613–614

  in brute force attacks, 612

  in rainbow table attacks, 614

HDDs (hard disk drives), 333

HDLC (High-Level Data Link Control), WAN connections, 536

Health Information Technology for Economic and Clinical Health (HITECH), privacy laws in U.S., 141–142

Health Insurance Portability and Accountability Act (HIPAA)

  definition of protected health information (PHI), 159

  online privacy policies, 178

  privacy regulations, 58, 141–142

hearsay evidence, testimonial evidence vs., 808

heartbeat sensor, in intrusion detection system, 398

heart/pulse patterns, biometric factors, 569

Hertz (Hz), measuring frequency, 480

heuristic-based mechanisms, of antivirus packages, 887

heuristics-based detection, behavior-based IDSs as, 717

HIDS (host-based IDS), 719

hierarchical data model, DBMS architecture, 861, 861–862

hierarchical environment, mandatory access control and, 604

hierarchical storage management (HSM) system, backup tape rotations, 790

High Speed Serial Interface (HSSI), WAN connections, 536

high-level administrator groups, audits of, 744–745

High-Level Data Link Control (HDLC), WAN connections, 536

hijacking attacks, 543–544

HIPAA. See Health Insurance Portability and Accountability Act (HIPAA)

HITECH (Health Information Technology for Economic and Clinical Health), privacy laws in U.S., 141–142

HMAC. See Hashed Message Authentication Code (HMAC)

hoaxes, virus, 888–889

honeypots/honeynets, 721–722

hookup, type of composition theory, 280

host-based IDS (HIDS), 719

HOSTS file, cache poisoning, 339

hot sites, as disaster recovery option, 779–780

HSM (hardware security module), 304

HSM (hierarchical storage management) system, backup tape rotations, 790

HSSI (High Speed Serial Interface), WAN connections, 536

HTML (Hypertext Markup Language), 577

HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)

  encryption protocol underlying, 173

  SSL and, 250

hubs

  cable runs and, 477

  network devices, 470

humidity, physical security, 401

hurricanes

  disaster recovery planning for failure of, 764

  power outages during Hurricane Katrina, 766

HVAC systems, in environmental control, 401

hybrid attacks, 612

hybrid environment, mandatory access control and, 604

hyperlink spoofing attacks, on communication network, 544

Hypertext Markup Language (HTML), 577

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

  encryption protocol underlying, 173

  SSL and, 250

hypervisor, managing virtual assets, 673

Hz (Hertz), measuring frequency, 480

I

I Love You virus, 885

IaaS. See Infrastructure-as-a-Service (IaaS)

IAB (Internet Advisory Board), 828–829

IANA (Internet Assigned Numbers Authority), 439, 725

ICMP. See Internet Control Message Protocol (ICMP)

ICS (industrial control system), 348–349

ICs (integrated circuits), smartcards, 396

IDaaS (Identity and Access as a Service), 579

IDEA. See International Data Encryption Algorithm (IDEA)

IDEAL model

  memorization of level names in, 852

  software development security, 851–852, 852

identification

  AAA services, 8

  comparing authentication with, 560–561

  defined, 10

identification (ID) cards

  physical security, 411

  smartcards, 396–397

identification phase, incident response, 822

Identity and Access as a Service (IDaaS), 579

Identity as a Service (IaaS), 579

identity management. See also authentication

  AAA protocols, 580–581

  access provisioning lifecycle, 582–583

  authentication factors, 563


990 authorization and accountability and – penetration testing

  authorization and accountability and, 561–562

  biometric error ratings, 570–571, 571

  biometric registration, 571–572

  biometrics, 568–570

  CIA triad and, 560

  comparing identification and authentication, 560–561

  comparing subjects and objects, 557

  controlling access to assets, 556

  credential management, 578–579

  device authentication, 572–573

  exam topics, 555, 586–587

  examples of single sign-on, 578

  federated management, 576–578

  integrating services for, 579

  Kerberos and, 574–576

  Lightweight Directory Access Protocol (LDAP) and, 574

  managing sessions, 579–580

  multifactor authentication, 572

  passwords, 566

  registration, 561

  review answers, 935–937

  review questions, 589–592

  reviewing accounts periodically, 583

  revoking accounts, 584

  single sign-on (SSO), 573–574

  smartcards, 566–567

  summary, 585

  tokens, 567–568

  types of access control, 557–559

  written lab, 587

  written lab answers, 961

Identity Theft and Assumption Deterrence Act, 144

Identity Theft Resource Center (ITRC), tracking data breaches, 165

IdP (SecureAuth Identity Provider), for device authentication, 573

IDPSs (intrusion detection and prevention systems), 715, 720

IDSs. See intrusion detection systems (IDSs)

IEEE 802.1x, securing wireless networks, 258

IEEE 802.1X/EAP, 459

IEEE 802.11

  shared key authentication (SKA) standard, 458

  wireless standards, 455

IEEE 802.11i (WPA2), 459

IEEE 802.15 (Bluetooth), 484

IETF (Internet Engineering Task Force), 255–256

IGMP (Internet Group Management Protocol), 447

IM (instant messaging)

  overview of, 508

  vishing attacks on, 618–619

images, baseline, 678–680

IMAP (Internet Message Access Protocol), 508–509

immediate addressing, types of memory addressing, 330

impersonation attacks

  on communication network, 542

  defined, 610

implementation attacks, types of cryptographic attacks, 258

implicit deny rule

  as authorization mechanism, 595

  firewalls and, 725

import/export, laws and regulations, 139

incident handling

  admissible evidence, 806–807

  categories of computer crime. See computer crime

  ethics and, 826–829

  evidence collection and forensic procedures, 809–810

  evidence types, 807–808

  exam topics, 803, 830–831

  incident data integrity and retention, 825

  interviewing individuals, 824

  investigation process, 810–812

  investigation types, 804–806

  metadata and reports, 343

  overview of, 804, 817–818

  reports and documentation, 825–826

  response process, 821–824

  response teams, 820–821

  review answers, 948–949

  review questions, 833–836

  summary, 829

  types of incidents, 818–819

  written lab, 832

  written lab answers, 965

incident prevention and response

  anti-malware, 723–724

  auditing to assess effectiveness, 742–748

  basic preventive measures, 705

  botnets, 709–710

  defining incident, 698–699

  denial-of-service (DoS) attack, 706

  egress monitoring, 740–742

  espionage, 714–715

  exam topics, 697, 750–753

  firewalls, 725–726

  honeypots/honeynets, 721–722

  intrusion detection and prevention systems, 715–721, 721

  land attack, 711

  logging techniques, 731–734, 732

  malicious code, 712

  man-in-the-middle attacks, 713, 713

  monitoring, 734–740

  overview of, 698

  padded cells, 722

  penetration testing, 727–731


ping flood attack – instances 991

  ping flood attack, 708–709

  ping-of-death attack, 710

  pseudo flaws, 722

  review answers, 943–946

  review questions, 755–758

  sabotage, 714

  sandboxing, 726

  smurf and fraggle attacks, 708

  summary, 748–750

  SYN flood attack, 706–708, 707

  teardrop attack, 710–711

  third-party security services, 726

  understanding attacks, 705–706

  war dialing, 713–714

  warning banners, 723

  whitelisting and blacklisting, 724

  written lab, 754

  written lab answers, 963–964

  zero-day exploit, 711–712

incident response steps

  detection, 700–701

  lessons learned, 703–704

  mitigation, 701–702

  overview of, 699, 699–700

  recovery, 703

  remediation, 703

  reporting, 702

  response, 701

incidents, in incident handling, 817–818

incremental attacks, 372–373

incremental backups, 787–788

indirect addressing, types of memory addressing, 330

industrial control system (ICS), 348–349

industrial espionage computer crimes, 814

industry security guidelines, 299–300

inference attacks

  polyinstantiation as defense against, 868

  vulnerabilities in database security, 342

inference engines, expert systems, 871

information

  controlling access to assets, 556

  establishing and managing education, training, and awareness, 81–82

  life cycle management, 668–669

information disclosure, in STRIDE threat categorization system, 31

information flow models

  Bell-LaPadula model, 282–284, 283

  Bell-LaPadula model based on, 283

  Biba model, 284–286, 285

  composition theories, 279–280

  noninterference model loosely based on, 279

  overview of, 279

Information Systems Audit and Control Association (ISACA), 24

information systems, security capabilities of

  fault tolerance and, 304

  interfaces and, 304

  memory protection, 303

  overview of, 303

  Trusted Platform Module (TPM), 303–304

  virtualization, 303

Information Technology Infrastructure Library (ITIL), 682

Information Technology Security Evaluation and Criteria (ITSEC)

  classes and required assurance and functionality, 295–296

  classifications B2, B3, and A1 governing change management, 17

  defining incident, 698

  replaced by Common Criteria, 290

  security standards and baselines and, 27

informative security policies, 26

InfraGard program, FBI, 826

infrastructure

  bring-your-own-device (BYOD) and, 359

  disaster recovery planning for failure of, 767

  failure due to theft, 759

  provisions and processes phase of continuity plan, 109

infrastructure mode, configuring wireless access points, 455

Infrastructure-as-a-Service (IaaS)

  and code repositories, 859

  definition of cloud computing concepts, 346

  as disaster recovery option, 782

  managing cloud-based assets, 674

  software development security, 860

inheritance, object-oriented programming, 840–841

in-house hardware replacements, 781

Initial phase, SW-CMM, 850

initialization, failure states and, 370

Initiating phase, IDEAL model, 851

input, checking, 370–372

input points, in reduction analysis, 34

input validation

  avoiding/mitigating system failure, 842

  protecting against cross-site scripting, 902

  protecting against SQL injection, 905

  vulnerability scanners checking for, 686

input/output (I/O)

  operations, 335–336

  types of I/O devices, 333–335

insiders

  mobile system vulnerabilities and, 350

  threats, 816

inspection audits, 743

instances, object-oriented programming, 841


992 instant messaging (IM) – defined

instant messaging (IM)

  overview of, 508

  vishing attacks on, 618–619

insurance

  coverage for acts of terrorism, 766

  coverage for flooding, 762–763

  selecting disaster recovery, 776

integrated circuits (ICs), smartcards, 396

Integrated Services Digital Network (ISDN), WAN technologies, 533

integrity. See also data integrity

  Biba model and, 284–285

  categories of IT loss, 560

  Clark-Wilson model and, 286

  goals of cryptography, 193

  Goguen-Meseguer model, 288

  integrity-checking software, 894

  Sutherland model, 288

  verification, 537

integrity principle, CIA triad, 5–6

integrity verification procedures (IVP), in Clark-Wilson model, 287

intellectual property

  copyright law, 133–135

  Economic Espionage Act, 137

  licensing, 138

  overview of, 132–133

  patents, 136

  trade secrets, 136–137

  trademarks, 135–136

  Uniform Computer Information Transactions Act, 138

intelligence attacks, computer crime, 813–814

intent to use application, for trademarks, 136

interconnection security agreements (ISAs), as security practice, 669

interfaces

  constrained or restricted, 304

  testing software interfaces, 646–648

  testing user interfaces, 648

interference, quality of service controls for, 775

interim reports, by auditors, 748

internal audits, of security, 633

International Criminal Police Organization (INTERPOL), 702

International Data Encryption Algorithm (IDEA)

  as block cipher, 217

  comparing symmetric algorithms, 219

  use by PGP, 249

International Information Systems Security Certification Consortium (ISC), Code of Ethics, 827–828

International Organization for Standardization (ISO)

  Common Criteria and, 296

  international standards, 299–300

  OSI model, 426

International Organization on Computer Evidence (IOCE), 809–810

International Telecommunications Union-Radio (ITU-R), 483

Internet, ethics and, 828–829

Internet Advisory Board (IAB), 828–829

Internet Assigned Numbers Authority (IANA), 439, 725

Internet Control Message Protocol (ICMP), 709

  blocking in ping flood attack, 709

  overview of, 445–446

  in smurf attacks, 708

Internet Engineering Task Force (IETF), 255–256

Internet files, cache-related issues, 340

Internet Group Management Protocol (IGMP), 447

Internet Message Access Protocol (IMAP), 508–509

Internet Protocol (IP). See also IP addresses

  alternatives to, 433

  Automatic Private IP Addressing (APIPA), 526–527

  IPv4 vs. IPv6, 444, 725

  private IP addresses, 526–527

  voice over. See Voice over Internet Protocol (VoIP)

Internet Protocol security (IPsec)

  Diameter support for, 581

  encryption protocols used by VPNs, 174

  establishing VPNs, 439

  for secure communications over network, 255–256

  as VPN protocol, 521–522

Internet Security Association and Key Management Protocol (ISAKMP), 257

Internet Service Providers (ISPs), 580

Internet Small Computer System Interface (iSCSI), 452

Internetwork Packet Exchange (IPX), 433

INTERPOL (International Criminal Police Organization), 702

interpreted languages, 839

interrupt (IRQ), in device management, 335

interviews

  exit interviews, 16–17, 56, 584

  incident handling, 824

intrusion alarms, physical security, 411–413

intrusion detection and prevention systems (IDPSs), 715, 720

intrusion detection systems (IDSs)

  behavior-based, 716–717

  darknets, 721

  detecting potential incidents, 700

  honeypots/honeynets, 721–722

  host-based, 719

  intrusion prevention systems vs., 720–721

  knowledge-based, 716

  monitoring network for sniffers, 615

  network-based, 719–720

  overview of, 397–398, 715

  padded cells, 722

  preventing cache-related attacks, 340

  as preventive measure, 705

  response, 718–719

intrusion prevention systems (IPSs)

  defined, 715


IDSs using active response as – Kerchoff principle 993

  IDSs using active response as, 719

  overview of, 720–721

  as preventive measure, 705

inventories, hardware, 671

inventory control, mobile device security, 354

investigations, incident

  data integrity and retention, 825

  gathering forensic evidence, 806–810

  incident handling, 817–821

  interviewing individuals, 824

  process of, 810–812

  reporting and documenting incidents, 825–826

  response process, 821–824

  types of, 804–806

I/O (input/output)

  devices, 333–335

  operations, 335–336

iOS

  removing restrictions on iOS devices, 725

  vulnerabilities of iOS mobile system, 351

IP. See Internet Protocol (IP)

IP addresses

  Automatic Private IP Addressing (APIPA), 526–530

  cache poisoning, 339

  classes of addresses, 444–445

  configuring wireless security, 462

  converting binary numbers, 529

  darknets, 721

  network discovery scanning of, 634–637, 636–637

  Network layer of OSI model and, 433

  private IP addresses, 526–527

  resolving domain names to, 450–451

  resolving IP addresses to MAC addresses, 432, 447

  stateful NAT and, 527–528

  static and dynamic NAT and, 528

  subnet masks, 445

IP probes (or sweeps or ping sweeps), in reconnaissance attacks, 905–906

IP spoofing attacks

  defined, 616

  as masquerading attacks, 907–908

iPad, vulnerabilities, 351

iPhone, vulnerabilities, 351

iPod, vulnerabilities, 351

IPsec. See Internet Protocol security (IPsec)

IPSs. See intrusion prevention systems (IPSs)

IPX (Internetwork Packet Exchange), 433

iris scans, biometric factors, 569

IronKey flash drives, 676

IRQ (interrupt), in device management, 335ISACA (Information Systems Audit and Control

Association), 24ISAKMP (Internet Security Association and Key

Management Protocol), 257ISAs (interconnection security agreements), as security

practice, 669

ISC (International Information Systems Security Certification Consortium), Code of Ethics, 827–828

iSCSI (Internet Small Computer System Interface), 452

ISDN (Integrated Services Digital Network), WAN technologies, 533

ISO. See International Organization for Standardization (ISO)

isolation

in ACID model of database transactions, 865

aspects of confidentiality, 5

CIA techniques, 273–274

isolation and containment phase, incident response, 822

ISPs (Internet Service Providers), 580

ITIL (Information Technology Infrastructure Library), 682

ITRC (Identity Theft Resource Center), tracking data breaches, 165

ITSEC. See Information Technology Security Evaluation and Criteria (ITSEC)

ITU-R (International Telecommunications Union-Radio), 483

IVP (integrity verification procedures), in Clark-Wilson model, 287

J

jailbreaking, removing restrictions on iOS devices, 725

jamming, protecting against EM radiation eavesdropping, 375

Java applets, 338

Java Virtual Machines (JVM), 338

jitter, quality of service controls for, 775

job descriptions

importance of, 50

in personnel security, 50–51, 50–52

screening employment candidates, 52–53

job responsibilities, 51

job rotation

personnel security and, 51–52

as security practice, 666

John the Ripper, password cracker, 897

judiciary, in U.S. legal system, 125, 144

JVM (Java Virtual Machines), 338

K

KDC (key distribution center), 575

Keccak algorithm, 238

KeePass, in credential management, 579

Kerberos, 574–576

Kerchoff principle, 195


kernel

defined, 319

in four-ring model, 320, 320

program executive or process scheduler, 322–323, 323

key distribution center (KDC), 575

key escrow

database, 201

example of split knowledge, 201

recovery and, 221–222

key space, 194

keyboards, security vulnerabilities, 334

keys, cryptographic. See also asymmetric key cryptography; symmetric key cryptography

determining which to use, 241

distribution weakness in symmetric key cryptography, 210

importance of key length as security parameter, 234–235

managing, 246–247

mobile device security, 355–356

overview of, 194

keys, database, 863

keys, physical, 410

keystroke monitoring, 739

keystroke patterns, biometric factors, 570

knowledge base, expert systems, 871

knowledge-based IDSs

overview of, 716–717

response, 718–719

knowledge-based systems

decision-support systems (DSS), 872–873

expert systems, 870–872

neural networks, 872

overview of, 870

security applications of, 873

known plaintext attacks, 259

KryptoKnight, 578

L

L2TP. See Layer 2 Tunneling Protocol (L2TP)

L-3 Communications, advanced persistent threat (APT) on, 609

labels

assigning to audit reports, 747

information life cycle management, 668

mandatory access control (MAC) classification, 602–604

security attributes and, 275

LAN extenders, 472

LAND attacks, 711

LANs. See local area networks (LANs)

last logon notification, protection from access control attacks, 621

latency, quality of service controls for, 775

lattice-based access control

mandatory access control (MAC) as, 602, 602–604

overview of, 282–283

law enforcement

computer crime investigation by, 811

establishing relationship with before incidents, 825–826

intelligence attacks against, 813

laws and regulations

administrative law, 126–127

bring-your-own-device (BYOD) and, 359

civil law, 126

compliance, 146–147

computer crime and, 127

Computer Fraud and Abuse Act, 128–129

Computer Security Act, 129–130

copyright law, 133–135

criminal law, 124–126

Economic Espionage Act, 137

European privacy law, 145–146

exam topics, 123, 149–150

Federal Information Security Management Act, 132

Federal Sentencing Guidelines for computer crimes, 130

Government Information Security Reform Act, 131

import/export, 139

incident handling, 818

intellectual property and, 132–133

legal requirements in business continuity plan, 100

licensing, 138

National Information Infrastructure Protection Act, 130

Paperwork Reduction Act, 130

patents, 136

physical security regulations, 415

privacy, 139–140, 414–415

review answers, 920–922

review questions, 152–155

summary, 148

trade secrets, 136–137

trademarks, 135–136

Uniform Computer Information Transactions Act, 138

U.S. privacy law, 140–144

vendor governance review, 147–148

wiretaps and, 483–484

written lab, 151

written lab answers, 956

Layer 2 Tunneling Protocol (L2TP)

establishing VPNs, 439

IPsec combined with, 174, 256

tunneling, 521

layering. See also defense-in-depth

methods of securing embedded and static systems, 362


protection mechanisms, 12

types of essential security protection mechanisms, 364–365

layers

of OSI model, 429–430, 430

of TCP/IP suite, 438, 438–439

LCD monitors, radiation from, 334

LDAP (Lightweight Directory Access Protocol), 574

LEAP. See Lightweight Extensible Authentication Protocol (LEAP)

learning phase, IDEAL model, 851, 852

learning rule (Delta rule), learning by experience in neural networks, 872

leased (dedicated) lines, WAN technologies, 532

least privilege principle. See principle of least privilege

legally defensible security, 11

lessons learned step, incident response, 703–704, 824

levels of protection. See layering

licensing

agreements, 138

software, 671–672

life cycle

managing information, 668–669

managing media, 677–678

models, 847

spiral model, 848–849, 849

systems development, 844–847

waterfall model, 847–848, 848

life safety, physical security, 414

lighting, as perimeter control, 408–409

lightning, disaster recovery planning for, 764

Lightweight Directory Access Protocol (LDAP), 574

Lightweight Extensible Authentication Protocol (LEAP)

overview of, 460

planning remote access security, 516

types of authentication protocols, 502–503

link encryption, 255

link state routing protocols, 434

Linux OS, encryption on portable devices, 248

LLC (Logical Link Control), sublayers of Data Link layer, 432

local area networks (LANs)

main technologies, 485–486

media access technologies, 488–489

subtechnologies, 486–489

wide area networks compared with, 473

Lockheed Martin, advanced persistent threat (APT) on, 609

lockout, mobile device security, 352

locks

fail safe/fail secure electrical hardware, 774

physical, 410

locks, database concurrency with, 867

logic bombs, as malicious code, 889

logical (technical) access controls, 559

logical access controls. See technical access controls

Logical Link Control (LLC), sublayers of Data Link layer, 432

logical operations, Boolean mathematics

NOT operation, 198

AND operation, 196–197

OR operation, 196–197

overview of, 196

XOR (exclusive OR) operation, 198

logistics, disaster recovery, 791

logon

credentials, 574

process with Kerberos, 575

scripts, 578

session management and, 579–580

using notification of last, 621

logs/logging. See also monitoring

for access control, 398

accountability and, 562

auditing compared with, 732

common log types, 732, 732–733

forensic evidence collection of log files, 810

incident detection using, 700

protecting log data, 733–734

retaining audit logs, 171

reviewing, 649

techniques, 731–732

transmission, 538

loopback addresses, 529

M

MAAs (mutual assistance agreements), as disaster recovery option, 782–783

MAC. See mandatory access controls (MAC)

MAC (Media Access Control) sublayer, of Data Link layer, 432

MAC addresses. See Media Access Control (MAC) addresses

MAC filter

configuring wireless security, 462

listing of authorized MAC addresses, 460

Mac OS X

encryption on portable devices, 248

less vulnerable to viruses, 886

machine languages, 839

macros

email security issues, 510

proliferation of macro viruses, 885

magnetic fields, managing tape media, 676

main (real/primary) memory, types of RAM, 328

mainframes, examples of embedded and static systems, 361


maintenance

disaster recovery plan for, 794–795

documenting business continuity plan, 114

systems development life cycle, 847

maintenance hooks, 372

malicious code. See also malware

cleaning, 894

countermeasures, 893–895

email security issues, 511

exam topics, 881, 909

incidents, 819

logic bombs, 889

overview of, 882, 882–883

password attacks, 895–899

review answers, 950–951

review questions, 911–914

spyware and adware, 893

summary, 908

Trojan Horses, 889–890

viruses. See viruses

worms, 890–893

written lab answers, 965

malicious insiders, 350

malware

installing on infected computer in botnet, 709

installing on system with phishing email, 617

methods of installing, 712

principle of least privilege and, 663

Managed phase, SW-CMMM, 851

management

aligning security functions to strategies, goals, mission, and objectives, 14–16

change. See change management

configuration. See configuration management

identity. See identity management

media. See media management

patch. See patches

risk. See risk management

security tasks, 649–650

senior management, senior management

mandatory access controls (MAC)

access control models, 602

in Bell-LaPadula model, 283

overview of, 274, 602–604

mandatory vacations, as security practice, 666–667

Mandiant APT1, 608

Manifesto for Agile Software Development, principles of, 849–850

man-in-the-middle attacks

incident response, 713

overview of, 713

securing voice communication and, 504

types of cryptographic attacks, 260

man-made disasters

acts of terrorism, 765–766

bombings/explosions, 766

fires, 765

hardware/software failures, 767–768

other utility/infrastructure failures, 767

overview of, 765

power outages, 766–767

strikes/picketing, 768–769

theft/vandalism, 769–770

man-made risks, identifying in BIA, 101–102

mantraps, as perimeter control, 408

manual recovery, 774

manual updates, 363

marking (labeling) data, information life cycle management, 668

markup languages, 577–578

masquerading (spoofing) attacks

access abuses, 398

on communication network, 542

overview of, 907–908

masquerading attacks. See spoofing (masquerading) attacks

massively parallel multiprocessing (MPP), 316–317

master boot record (MBR) viruses

spread of, 884

stealth viruses and, 888

McAfee VirusScan, 886

MD2 (Message Digest 2). See Message Digest 2 (MD2)

MD4 (Message Digest 4). See Message Digest 4 (MD4)

MD5 (Message Digest 5). See Message Digest 5 (MD5)

MDM (mobile device management), 354

mean time between failures (MTBF), 391, 678

mean time to failure (MTTF)

media management, 677–678

preparing for equipment failure, 391

mean time to recovery (MTR), 777

mean time to repair (MTTR), 391

measurement, security, 76–77, 82

Media Access Control (MAC) addresses

ARP and RARP and, 447

cache poisoning, 339

Data Link layer (layer 2) and, 431–432

MAC filter, 460

resolving domain names and, 451

Media Access Control (MAC) sublayer, of Data Link layer, 432

media forensic analysis, evidence collection, 809

media management

clearing/overwriting, 169

degaussing, 170–171

labeling portable media, 671

life cycle, 677–678

mobile devices, 677


overview of, 675

tapes, 675–676

USB flash drives, 676

media players, examples of embedded and static systems, 360

media storage facilities, physical security of, 394

mediated-access model, 320

meet-in-the-middle attacks, 260

Melissa virus, 885

memorandum of understandings (MOUs), as security practice, 669

memory

memory addressing, 329–330

overview of, 327

protection as core security component, 303

random access memory, 328–329

read-only memory, 327–328

registers, 329

secondary memory, 330–331

security issues, 331

memory cards

authentication factors, 563

smartcards, 397

memory-mapped I/O, 335

mergers, organizational processes and, 16–17

Merkle-Hellman Knapsack algorithm, 234

mesh topology, 480, 480

Message Digest 2 (MD2)

comparing hashing algorithms, 239

overview of, 238–239

types of hashing algorithms, 213

Message Digest 4 (MD4)

comparing hashing algorithms, 239

overview of, 238–239

Message Digest 5 (MD5)

comparing hashing algorithms, 240

not collision free, 613

overview of, 239–240

types of hashing algorithms, 213

use by PGP, 249

message digests, generally

combining HMAC with, 242

defined, 237

types of, 213

messages, object-oriented programming, 841

metadata, data mining and, 343

Metasploit, penetration testing with, 642, 643

methods, object-oriented programming, 840–841

mice, security vulnerabilities, 334

Michelangelo virus, 888

microcode (firmware)

stored on ROM chip, 336–337

version control, 363

Microsoft Security Essentials, antivirus programs, 886

Microsoft Windows

BitLocker encryption on portable devices, 248

Credential Manager, 579

vulnerable to viruses, 886

military attacks, computer crime, 813–814

MIME Object Security Services (MOSS), email security solutions, 511

MINs (mobile identification numbers), cell phone security issues, 507

mirroring, RAID-1, 771

mission, aligning security functions to, 14–16, 15

mission-critical systems, GISRA criteria for, 131

misuse (or abuse) case testing, software, 648

mitigation

incident response, 701–702

network attacks, 539–540

mobile device management (MDM), 354

mobile devices. See also portable electronic devices (PEDs)

labeling media, 671

managing, 677

securing, 354

system vulnerabilities. See vulnerabilities, in mobile systems

wireless networking, 485

mobile identification numbers (MINs), cell phone security issues, 507

mobile phones. See smartphones/mobile phones

mobile sites, as disaster recovery option, 781

modems

network devices, 470

security vulnerabilities, 334–335

war dialing using, 713–714

modification attacks, on communication network, 542

modulo function, in cryptography, 199

monitoring

accountability and, 562, 735

activity, 735

with audit trails, 737–738

with clipping levels, 738–739

egress, 740–742

investigation and, 736

key performance and risk indicators, 650

keystrokes, 739

with log analysis, 736–737

perimeter controls and, 407

problem identification and, 736

role of, 734

with sampling, 738

security controls, 76–77

with Security Information and Event Management (SIEM), 737

storms in hurricane-prone areas, 764

traffic and trend analysis, 740

monitors (displays), security vulnerabilities, 334

monsoons, disaster recovery planning for, 765


Moore’s Law, 235, 315

MOSS (MIME Object Security Services), email security solutions, 511

motion detection/motion sensor systems, in physical security, 411–413

MOUs (memorandum of understandings), as security practice, 669

movies, digital rights management, 253

MPLS (Multiprotocol Label Switching), 452

MPP (massively parallel multiprocessing), 316–317

MTBF (mean time between failures), 391, 678

MTD (maximum tolerable downtime)

quantitative decision making in impact analysis, 101

strategy development phase of continuity plan, 107

MTO (maximum tolerable outage), 101

MTR (mean time to recovery), 777

MTTF (mean time to failure)

media management, 677–678

preparing for equipment failure, 391

MTTR (mean time to repair), 391

mudslides, disaster recovery planning for, 765

multicasts, subtechnologies supported by Ethernet, 488

multifactor authentication. See also two-factor authentication

overview of, 572

preventing password attacks, 898

protecting against access control attacks, 620

multilevel mode, security modes, 325

multilevel security database security, 866–868

multimedia collaboration

instant messaging, 508

overview of, 507

remote meetings, 508

multipartite viruses, 888

multiprocessing, 316–317

multiprogramming, 317

Multiprotocol Label Switching (MPLS), 452

multistate system, processing types, 318

multitasking, 316

multithreading, 317–318

music, digital rights management, 252–253

mutation (dumb) fuzzing, of software, 646, 647

mutual assistance agreements (MAAs), as disaster recovery option, 782–783

N

NAC (Network Access Control)

planning remote access security, 516

as security policy, 464–465

NAT. See network address translation (NAT)

National Computer Security Center (NCSC), role in development of the Orange book, 290

National Flood Insurance Program, FEMA, 762–763

National Information Assurance Certification and Accreditation Process (NIACAP), 302

National Information Infrastructure Protection Act, 130

National Institute of Standards and Technology (NIST)

on acceptable digital signature algorithms, 242

on computer security incidents, 698–699

definition of personally identifiable information, 158–159

Government Information Security Reform Act and, 131

managing use of Skipjack algorithm, 218

privacy guidelines, 415

on responsibilities of business/mission owners, 176

on responsibilities of information owners, 175

on responsibilities of system owners, 175–176

responsibility for computer standards, 129

on security control baselines, 179–180

standard hash functions, 237–238

National Interagency Fire Center, 764

National Security Agency (NSA)

on destroying sensitive data, 169

Government Information Security Reform Act and, 131

responsibility for classified systems, 129

VENONA project, 206

natural disasters

earthquakes, 761–762, 761–762

factors in facility site selection, 388

fires, 764

floods, 762–763

other regional events, 785

overview of, 761

storms, 763–764

natural languages, 4GL attempting to approximate, 840

natural risk, identifying in BIA, 101

NBF (NetBIOS Frame) protocol, 433

NBT (NetBIOS over TCP/IP), 433

NCAs (noncompete agreements), 53–54

NCSC (National Computer Security Center), role in development of the Orange book, 290

NDAs. See nondisclosure agreements (NDAs)

need to know principle

defined, 596

mandatory access control (MAC) model enforcing, 603

overview of, 662

preventing access aggregation attacks, 610

Nessus vulnerability scanner, 639, 639, 686

NetBEUI (NetBIOS Extended User Interface), 433

NetBIOS Extended User Interface (NetBEUI), 433

NetBIOS Frame (NBF) protocol, 433

NetBIOS over TCP/IP (NBT), 433

Network Access Control (NAC)


planning remote access security, 516

as security policy, 464–465

network address translation (NAT)

Automatic Private IP Addressing (APIPA), 528–530

overview of, 525–526

private IP addresses, 526–527

stateful NAT, 527–528

static and dynamic NAT, 528

network attacks

ARP spoofing attacks, 542–543

denial of service/distributed denial of service attacks, 540–541

DNS poisoning, spoofing, and hijacking attacks, 543–544

eavesdropping attacks, 541–542

hyperlink spoofing attacks, 544

masquerading/impersonation attacks, 542

modification attacks, 542

preventing/mitigating, 539–540

replay attacks, 542

network components, securing wireless, 463–464

network discovery scans, 634–637, 636–638

network forensic analysis, evidence collection, 809–810

network interface cards (NICs), 455

Network layer (layer 3), in OSI model, 433–434

Network layer protocols, of TCP/IP suite, 444–447

network load balancing, providing fault tolerance for servers, 772

network operations centers (NOCs), IDS alerts displayed in, 718

network segments

benefits of, 464

methods of securing embedded and static systems, 362

network topologies, 477–480, 478–480

network traffic

denial of service (DoS) attacks flooding, 540

filtering with firewalls, 725–726

monitoring using traffic analysis, 740

network traffic, denial of service (DoS) attacks flooding, 540

network vulnerability scans

overview of, 637–640, 639–640

web vulnerability scans vs., 641

network-based DLP, 741–742

network-based IDS (NIDS), 719–720

networking

cabling. See cables, network

content distribution networks (CDNs), 453–454

converged protocols, 452

encryption techniques used in, 255–257

exam topics, 425, 490–493

LAN main technologies, 485–486

LAN subtechnologies, 486–489

network topologies, 477–480, 478–480

OSI model. See Open Systems Interconnection (OSI)

review answers, 932–933

review questions, 495–498

securing wireless networks, 257–258

summary, 490

TCP/IP model. See TCP/IP suite

wireless. See wireless networking

wireless networking, 454

written lab, 494

written lab answers, 960

neural networks

overview of, 872

security applications of, 873

New York City blackout, 767

next-generation firewall, 726

Next-Generation Intrusion Detection Expert System (NIDES), 873

NGOs (nongovernmental organizations), data classification, 161

NIACAP (National Information Assurance Certification and Accreditation Process), 302

NICs (network interface cards), 455

NIDES (Next-Generation Intrusion Detection Expert System), 873

NIDS (network-based IDS), 719–720

NIST. See National Institute of Standards and Technology (NIST)

nmap tool

network discovery with, 635–638, 636–638

overview of, 905–906

NOCs (network operations centers), IDS alerts displayed in, 718

noise

power issues, 400

protecting against electronic, 401

thwarting database confidentiality attacks, 868

use of white noise in securing emanations, 399

noise generators, protecting against EM radiation eavesdropping, 375

nonce, in cryptography, 200

noncompete agreements (NCAs), 53–54

nondisclosure agreements (NDAs)

employment agreements and policies, 53

employment termination process and, 56

protecting proprietary data, 171

protecting trade secrets, 137

nondiscretionary access control (non-DAC)

overview of, 598–599

role-based access control (role-BAC), 599, 599–601

rule-based access control (rule-BAC), 601

nongovernmental organizations (NGOs), data classification, 161

noninterference model, 279–280

nonrepudiation

goals of cryptography, 194


HMAC not providing for, 241

overview of, 11–12

symmetric key cryptography not implementing, 210

nonvolatile storage

compared with volatile, 332

overview of, 869

normalization, database, 864

Norton AntiVirus, 886

NOT operation, Boolean logic, 198

notification, last logon, 621

NSA. See National Security Agency (NSA)

O

object (real) evidence, using in court of law, 807

objectives, aligning security functions to, 14–16

object-oriented databases (OODBs), 862

object-oriented programming (OOP)

abstraction in, 365–366

and databases, 862

software development security, 840–841

objects

abstraction, 12–13, 365–366

access control between subjects and, 271, 557

in Clark-Wilson triple, 286

in Graham-Denning model, 288

OCSP (Online Certificate Status Protocol), 246

ODBC (Open Database Connectivity), 868, 868

OFB (Output Feedback), in DES, 215

OFDM (Orthogonal Frequency-Division Multiplexing), 481

Office 365, integrating identity services, 579

Office of Management and Budget (OMB), managing public information, 130

offline UPS, 773

offsite storage, disaster recovery plan for, 787–790

OMB (Office of Management and Budget), managing public information, 130

omnidirectional antennas, 461

on-board cameras/video, BYOD devices and, 359

on-boarding/off-boarding, BYOD devices and, 358

one-time pads, 205–206

one-time passwords, 568, 615

one-upped-constructed passwords, 611–612

one-way functions, in cryptography, 199–200

Online Certificate Status Protocol (OCSP), 246

on-site assessment, integrating risk considerations into acquisition strategies and practices, 36

OODBs (object-oriented databases), 862

OOP. See object-oriented programming (OOP)

Open Database Connectivity (ODBC), 868, 868

open ports, discovery with nmap, 635–638, 636–638

open relay agents, SMTP servers and, 509

open source, vs. closed source, 272

open system authentication (OSA), 458

Open Systems Interconnection (OSI)

Application layer (layer 7), 436–437

comparing with TCP/IP model, 437–438

Data Link layer (layer 2), 431–432

encapsulation mechanism, 428–429, 428–429

functionality of, 427, 427–428

layers of, 429–430, 430

Network layer (layer 3), 433–434

overview and history of, 425–426

Physical layer (layer 1), 430–431

Presentation layer (layer 6), 435–436

Session layer (layer 5), 435

Transport layer (layer 4), 434–435

open systems, vs. closed systems, 271–272

Open Web Application Security Project (OWASP), community focused on improving web security, 349–350

OpenPGP standard, 249

operating modes, 326

operating states. See process (operating) states

operation centers (work areas), physical security of, 395

Operation Tovar, protecting against GOZ botnet, 709–710

operational investigations, 804–805

operational planning, 15, 15–16

Optimizing phase, SW-CMMM, 851

OR operation, Boolean logic, 196–197

Orange book (TCSEC)

classes and required functions, 290–292, 291

limitations, 294–295

on trusted computing base (TCB), 276

organizational processes, security governance and, 16–17

Organizationally Unique Identifiers (OUIs), registering, 431–432

organizations, analyzing business organization, 96

Orthogonal Frequency-Division Multiplexing (OFDM), 481

OSA (open system authentication), 458

OSI model. See Open Systems Interconnection (OSI)

OUIs (Organizationally Unique Identifiers), registering, 431–432

outages

avoiding in penetration testing, 727

change management to prevent, 680–683

output devices, 333–335

Output Feedback (OFB), in DES, 215

OWASP (Open Web Application Security Project), community focused on improving web security, 349–350

ownership

bring-your-own-device (BYOD) and, 357

business/mission owner role, 176

data classification and, 22


data owner role, 174–175

discretionary access control (DAC) by, 598

security roles and responsibilities, 23

system owner role, 175–176

P

P2P (peer-to-peer) system, networking and sharing with, 348

PaaS (Platform-as-a-Service)

definition of cloud computing concepts, 346

managing cloud-based assets, 674

packet (protocol) analyzer

eavesdropping attacks, 541

sniffer attacks, 614–615

Packet (Protocol or Payload) Data Units (PDUs), 434

packet filtering firewall, 466–467

packet switching

overview of, 531–532

virtual circuits, 532

packets

converting into segments at Transport layer of OSI model, 434

data at Network layer of OSI model, 430

quality of service controls for loss of, 775

padded cells, incident response and, 722

Padding Oracle On Downgraded Legacy Encryption (POODLE), 250

paging, disk paging, 330

palm scans, biometric factors, 569

PANs (personal area networks), 484

PAP. See Password Authentication Protocol (PAP)

Paperwork Reduction Act

amended by Government Information Security Reform Act, 131

provisions of, 130

parallel data systems, large-scale, 344

parallel tests, disaster recovery plan, 794

parameters, checking security vulnerabilities, 370–372

parol evidence rule, in documentary evidence, 807

partitions

database, 867

preventing inference attacks, 342

partners, being alert to threats from, 32

parts inventory

disaster recovery planning for hardware failures, 766–767

recovery planning for theft, 760

passive responses, intrusion detection systems, 718

passphrases

in authentication, 8

authentication factors, 563

overview of, 565

password attacks, 895–899

brute force, 612–613

countermeasures, 898–899

dictionary, 611, 896–897

Internet worm using, 891–892

most common passwords, 895–896

overview of, 610–611, 895

password guessing, 895–896

rainbow table, 614

sniffer, 614–615

Password Authentication Protocol (PAP)

planning remote access security, 516

PPP support, 537

types of authentication protocols, 502

password masking, as social engineering attack, 617

Password-Based Key Derivation Function 2 (PBKDF2), 564

passwords

API keys similar to, 857

authenticating users, 561

authentication factors, 563

cognitive, 566

configuring wireless security, 462

creating strong, 564–565

masking, 620

most common, 895–896

one-time, 568

overview of, 564

phrases, 565

policy for, 564

protection from access control attacks, 619–621

restrictions, 564

tokens and, 567–568

vulnerability scanners checking for, 686

patches

bring-your-own-device (BYOD) and, 358

deploying, 685

overview of, 684–685

preventing escalation of privilege attacks, 901

preventing malicious code, 895

as preventive measure, 705

protecting against botnets, 709

protecting against buffer overflow errors, 710

protecting against man-in-the-middle attacks, 713

protecting against teardrop attacks, 711

protecting against zero-day exploits, 711

security audits reviewing management of, 746

vulnerability scanners checking for, 686–687

patents

overview of, 136

protecting trade secrets, 137

paths in reduction analysis, data flow, 34

Payload (Protocol or Packet) Data Units (PDUs), 434

Payment Card Industry Data Security Standard (PCI DSS)


credit card standards, 146, 180–181

privacy regulations, 58

security guidelines, 299

third-party security services, 726

pay-per-install, distributing malware with, 712

PBX. See private branch exchange (PBX)

PCI DSS. See Payment Card Industry Data Security Standard (PCI DSS)

PDF (Portable Document Format), 254

PEAP. See Protected Extensible Authentication Protocol (PEAP)

PEDs. See portable electronic devices (PEDs)

peer auditing, job rotation and, 51

peer-to-peer (P2P) system, networking and sharing with, 348

PEM (Privacy Enhanced Mail), 511

penetration testing

documenting results, 730

incident response using, 727–731

obtaining permission for, 728

overview of, 642–643, 643

preventing incidents with, 727

risks of, 728

techniques, 728–730

people, provisions and processes phase of continuity plan, 108

performance, monitoring key indicators of, 650

perimeter

controls, 407–409, 408

security perimeters, 277, 277

perimeter networks, 464

period analysis, frequency analysis, 205

permanent virtual circuits (PVCs), 532

permissions

principle of least privilege for, 662–663

rights and privileges compared with, 594–595

personal area networks (PANs), 484

personal identification numbers (PINs)

in authentication, 8

authentication factors, 563

smartcards and, 567

Personal Identity Verification (PIV) cards, 567

personally identifiable information (PII)

defining sensitive data, 158–159

laws governing protection of, 702

NIST guidelines, 415

privacy and, 58

personnel

applying risk management concepts, 60–61

asset valuation, 77–78

compliance, 57

continuous improvement and, 78

controlling access to assets, 556

cost functions associated with quantitative risk analysis, 66–70

disaster recovery plan for contacting, 786–787

disaster recovery plan for strikes/picketing by, 768–769

disaster recovery plan for training, 792–793

elements of quantitative risk analysis, 65–66

employment agreements and policies, 53–54

employment termination processes, 54–56, 55establishing and managing information security

education, training, and awareness, 81–82

exam topics, 47–48, 84–87grudge attacks by former, 815–816

identifying threats and vulnerabilities, 63–64

implementing controls, countermeasures, and safeguards, 74–75

implementing defense in depth with, 598

job descriptions, 50–51, 50–52

managing the security function, 82–83

monitoring and measuring, 76–77

overview of, 49–50privacy, 57–58

qualitative risk analysis, 70–71

review answers, 917–918review questions, 89–92risk assessment and analysis, 64–65

risk assignment/acceptance, 72–73

risk frameworks, 78–81

risk terminology, 61–63

role-based access control (role-BAC) for frequentchanges in, 600

sabotage by, 714safety of, 670

screening employment candidates, 52–53

security governance and, 59–60

selecting and assessing countermeasures, 73–74

summary, 83–84types of controls, 75–76

vendor, consultant,and contractor controls, 56–57

written lab, 88written lab answers, 954–955

PERT (Program Evaluation Review Technique), project-scheduling tool, 853

perturbation, thwarting database confidentiality attacks, 868

PHI (protected health information), 159

phishing attackshyperlink spoofing attacks, 544overview of, 617–619

as password attacks, 897–898

phlashing attacks, 336The Phoenix Project: A Novel about IT, DevOps, and

Helping Your Business Win (IT Revolution Press, 2013), 856

phone number spoofing attacks, 616

phreakersfinancial attacks using phone phreakers, 814–815

voice communication threats, 505–507


physical access controls – POODLE (Padding Oracle On Downgraded Legacy Encryption) 1003

physical access controls
    implementing defense in depth, 598
    protection from access control attacks, 619
    selecting and assessing countermeasures, 75
    types of access control, 559
physical assets, protecting, 672
physical interfaces, testing, 648
Physical layer (layer 1), in OSI model, 430–431
physical media, storing, 168
physical security
    access abuses, 398
    access control, 413–414
    badges and ID cards, 411
    of datacenters, 396
    designing facility, 388–389
    environment and life safety, 414
    of evidence storage, 395
    exam topics, 385, 416–419
    fail safe/fail secure electrical hardware locks, 774
    fire damage assessment, 406
    fire detection and extinguishers, 404–406
    fire issues, 402–404
    intrusion detection systems (IDS), 397–398
    keys and locks, 410
    of media storage facilities, 394
    motion detection systems and intrusion alarms, 411–413
    overview of, 386, 403
    perimeter controls, 407–409, 408
    planning secure facility, 387
    of power utilities, 399–400
    preparing for equipment failure, 390–391
    preventing sniffing attacks, 615
    privacy responsibilities and requirements, 414–415
    protecting against electronic noise, 401
    protecting physical assets, 672
    proximity readers in, 397
    regulatory requirements, 415
    review answers, 931–932
    review questions, 421–424
    securing electrical signals and radiation, 398–399
    selecting site, 387–388
    of server rooms, 393–394
    smartcards in, 396–397
    summary, 415–416
    temperature, humidity, and static, 401
    types of controls and order of use, 389–390
    water/flooding issues, 402
    of wiring closets, 391–393
    of work areas (operation centers), 395
    written lab, 420
    written lab answers, 959–960
picketing/strikes, disaster recovery planning for, 768–769
piggybacking, access abuses, 398
PII. See personally identifiable information (PII)
ping, in smurf attacks, 708
ping flood attacks
    IDS active response to, 718
    incident response, 708–709
ping-of-death attacks, 710
pink slips, employment termination processes, 56
PINs. See personal identification numbers (PINs)
piracy, software licensing preventing, 671
PIV (Personal Identity Verification) cards, 567
PKCS (Public Key Cryptography Standard), 511
PKI. See public key infrastructure (PKI)
plain old telephone service (POTS)
    circuit switching, 530
    telephony options, 513–514
plaintext
    ciphertext compared with, 194
    confusion and diffusion operations, 207
planning
    aligning security functions to strategies, goals, mission, and objectives, 14–16
    business continuity. See business continuity planning (BCP)
    disaster recovery. See disaster recovery planning (DRP)
    secure facility, 387
Platform-as-a-Service (PaaS)
    definition of cloud computing concepts, 346
    managing cloud-based assets, 674
platforms, vulnerable to viruses, 885
PLCs (programmable logic controllers), 348–349
plenum cable, 476
plug and play (PnP) devices, 335
Point-to-Point Protocol (PPP)
    dial-up encapsulation protocols, 536–537
    dial-up protocols, 516–517
Point-to-Point Tunneling Protocol (PPTP)
    establishing VPNs, 439
    tunneling, 520–521
poisoning attacks, DNS and, 543–544
policies. See also security policies
    asset retention, 172
    bring-your-own-device (BYOD), 357–360
    compliance, 57
    developing, 25–26
    employment, 53–54
    handling sensitive data, 167
    online privacy, 178
    passwords, 564
    protection mechanisms, 367–369
political motivations, in thrill attacks, 817
polling, LAN media access technologies, 489
polyinstantiation, DBMS security, 868
polymorphic viruses, 888
polymorphism, object-oriented programming, 841
POODLE (Padding Oracle On Downgraded Legacy Encryption), 250


1004 POP3 (Post Office Protocol version 3) – privileged mode

POP3 (Post Office Protocol version 3), 508
port mirroring, used by IDS, 720
port scans, as reconnaissance attacks, 906
Portable Document Format (PDF), 254
portable electronic devices (PEDs). See also mobile devices
    cryptographic applications for, 247–248
    overview of, 352
    vulnerabilities. See vulnerabilities, in mobile systems
port-based access control, 439
ports
    IANA list of protocols matched to well-known, 725
    learning TCP, 639–640, 639–640
    network discovery of closed ports, 635–638, 636–638
    network vulnerability scans of, 637–639, 639
    Transport layer protocols, in TCP/IP suite, 439
    web vulnerability scans of, 640–642, 641
POST (power-on-self-test), 327
Post Office Protocol version 3 (POP3), 508
postmortem review, incident response team, 822
postwhitening technique, in Twofish, 218
POTS (plain old telephone service)
    circuit switching, 530
    telephony options, 513–514
power monitoring attacks, smartcards, 619
power supply
    adding fault tolerance for, 773
    physical security of, 399–400
    recovery planning for outages, 766–767
    terminology of power issues, 400
power-on-self-test (POST), 327
PPP (Point-to-Point Protocol)
    dial-up encapsulation protocols, 536–537
    dial-up protocols, 516–517
PPs (protection profiles), Common Criteria, 296–297
PPTP (Point-to-Point Tunneling Protocol)
    establishing VPNs, 439
    tunneling, 520–521
preaction fire suppression system, 405
premises wire distribution rooms, physical security of, 391–393
preponderance of the evidence standard, in civil investigations, 805
Presentation layer (layer 6), in OSI model, 435–436
pretexting attacks, 544
Pretty Good Privacy (PGP)
    email security solutions, 511–512
    example of use of IDEA, 217
    overview of, 248–249
preventive access control, 75, 558
preventive measures, incident prevention and response, 705
prewhitening technique, in Twofish, 218
PRI (Primary Rate Interface), ISDN options, 534
primary (main/real) memory, types of RAM, 328
primary (or “real”) memory, data storage, 869
primary keys, relational databases, 863
Primary Rate Interface (PRI), ISDN options, 534
primary storage, compared with secondary, 332
prime numbers, factoring, 234
principle of least privilege
    blocking malware, 724
    defined, 596
    excessive and creeping privileges and, 583
    mechanisms of security policies, 368
    preventing access aggregation attacks, 610
    role-based access control (role-BAC) enforcing, 600
    as security practice, 662–663
    in segregation of duties, 664–666
    separation of privilege built on, 664
principles
    applying security governance, 13–14
    authorization mechanisms, 596
printers
    examples of embedded and static systems, 360
    security vulnerabilities, 334
prioritization
    in business impact assessment, 101–102
    CIA priorities, 6–7
    of resources in business impact assessment, 106
    threat modeling and, 34–35
privacy
    aspects of confidentiality, 5
    bring-your-own-device (BYOD) and, 358
    defined, 57–58
    European privacy law, 145–146
    overview of, 139–140
    protecting, 178–179
    responsibilities and requirements, 414–415
    U.S. privacy law, 140–144
    in workplace, 144
Privacy Act of 1974, 140–141
Privacy Enhanced Mail (PEM), 511
private
    commercial classification of data, 21, 162
    securing email data, 164
private branch exchange (PBX)
    designing security guidelines, 505–506
    Direct Inward System Access (DISA), 506
    secure voice communications and, 503
    telephony options, 513
    voice communication threats, 505
private cloud deployment model, 674
private IP addresses, NAT and, 526–527
private key cryptography. See symmetric key cryptography
private keys, in asymmetric cryptography, 232–233
privileged entities, monitoring, 667–668
privileged groups, audits of, 744–745
privileged mode


in four-ring model – pseudo-artificial intelligence systems 1005

    in four-ring model, 320
    types of operating modes, 326
privileged programs, 372
privileges
    abuses of, 52
    audits of privileged groups, 744–745
    capability tables identifying, 595
    constrained interfaces identifying, 596
    elevation of, 31
    escalation of privilege attacks, 900–901
    excessive and creeping, 583
    least privilege principle. See principle of least privilege
    limiting to protect against SQL injection, 905
    mechanisms of security policies and, 368
    monitoring special, 667–668
    rights vs. privileges vs., 594–595
    separation of, 664
Probability x Damage Potential (DREAD) system, in threat prioritization and response, 34–35
probable cause, search warrants based on, 811–812
problem (running) state, types of operating states, 322
procedures
    handling sensitive data, 167
    security, 27–28, 28
    wireless networking security, 462–463
process (operating) states
    overview of, 321–322
    process scheduler and, 322
process integration, 374
process isolation
    CIA techniques, 273–274
    types of essential security protection mechanisms, 366–367
processors. See central processing unit (CPUs)
process/policy review, integrating risk considerations into acquisition strategies and practices, 36
Professional Practices library, documenting planning for BCP, 785
Program Evaluation Review Technique (PERT), project-scheduling tool, 853
program executive (process scheduler) kernel, 322–323, 323
programmable logic controllers (PLCs), 348–349
programmable read-only memory (PROM), 327–328
programming
    flaws, 373
    languages, 839–840
    object-oriented, 840–841, 862
    relational databases using SQL language, 863–864
project scope, business continuity planning and, 95–96
PROM (programmable read-only memory), 327–328
proofing, of identity, 561
propagation techniques, of viruses, 883–885
proprietary data. See confidential (proprietary) data
Protected Extensible Authentication Protocol (PEAP)
    overview of, 460
    planning remote access security, 516
    types of authentication protocols, 502–503
protected health information (PHI), 159
protection mechanisms
    abstraction, 12–13, 365–366
    data hiding, 13, 366–367
    encryption, 13
    layering (defense in depth), 12, 364–365
    overview of, 364
    policy mechanisms, 367–369
    process (operating) states, 321–322, 322
    protection rings, 319–321, 320
    security modes, 323–325
    technical mechanisms, 364
protection profiles (PPs), Common Criteria, 296–297
protection rings
    four ring model, 320
    overview of, 319–321
protocol (packet) analyzer
    eavesdropping attacks, 541
    sniffer attacks, 614–615
Protocol (Packet or Payload) Data Units (PDUs), 434
protocols
    AAA protocols, 580–581
    Application layer of OSI model, 436
    Application layer of TCP/IP model, 447–448
    authentication protocols, 502
    converged protocols, 452
    Data Link layer of OSI model, 431–432
    denial of service (DoS) attacks exploiting, 540
    dial-up encapsulation protocols, 536–537
    dial-up protocols, 516–517
    disabling unneeded as preventive measure, 705
    discovery of protocols in use on TCP/IP network, 443
    implications of multilayer protocols in TCP/IP model, 448–450
    Network layer of OSI model, 433, 445–447
    secure communication protocols, 501–502
    Session layer of OSI model, 435
    Transport layer of OSI model, 435
    WAN connections, 536
provisioning
    account access provisioning lifecycle, 582–583
    in continuity planning, 108–109
proxies, network devices, 472
proximity readers, in datacenter security, 397
proxy firewalls, 466
proxy logs, 733
prudent man rule, responsibility of senior management for due care, 130
pseudo flaws, incident response and, 722
pseudo-artificial intelligence systems, 717


1006 PSTN (public switched telephone network) – recovery phase

PSTN (public switched telephone network)
    circuit switching, 530
    telephony options, 513–514
public
    commercial classification of data, 21, 163
    securing email data, 164
public cloud model, 674
public key algorithms. See asymmetric key cryptography
Public Key Cryptography Standard (PKCS), 511
public key infrastructure (PKI)
    certificate authorities, 243–244
    digital certificates, 243
    exam topics, 261–263
    generating and destroying certificates, 245–246
    LDAP and, 574
    managing asymmetric keys, 246–247
    overview of, 242
    review answers, 926–927
    review questions, 265–268
    written lab, 264
    written lab answers, 958
public keys, in asymmetric cryptography, 232–233
public switched telephone network (PSTN)
    circuit switching, 530
    telephony options, 513–514
purging media, 170
PVCs (permanent virtual circuits), 532

Q

QoS (quality of service) controls, adding fault tolerance with, 775
qualitative decision making
    assessing impact of risks, 106
    in business impact analysis, 101
qualitative risk analysis
    comparing with quantitative, 71
    overview of, 70–71
quality of service (QoS) controls, adding fault tolerance with, 775
quantitative risk analysis
    comparing with qualitative, 71
    cost functions associated with, 66–70
    elements of, 65, 65–66
quarantining files, as antivirus mechanism, 886

R

radio frequency identification (RFID)
    hardware inventory, 671
    proximity readers, 397
radio frequency interference (RFI), 401
RADIUS. See Remote Authentication Dial-In User Service (RADIUS)
RAID (redundant array of inexpensive disks)
    fault tolerance and, 304
    protecting hard drives, 761–762
RAID 1 + 0 (RAID-10), 771
rainbow series
    list of publications, 293–294
    Orange book classes and required functions, 290–292
    Orange book limitations, 294–295
    Orange book on trusted computing base (TCB), 276
    overview of, 290
    Red and Green books, 293
    security standards, 290
rainbow table attacks, one-upped-constructed passwords in, 611
random access memory (RAM)
    data storage, 869
    keeping computers turned on when containing incident, 701
    overview of, 328–329
    security issues, 331
    troubleshooting programs for this book, 969–970
random storage
    compared with sequential, 332–333
    random access storage of data, 869
ransomware, as Trojan variant, 890
RARP. See Reverse Address Resolution Protocol (RARP)
RAs (registration authorities), issuing digital certificates, 244
RDBMSs. See relational database management systems (RDBMSs)
read-only memory (ROM)
    firmware (microcode) stored on ROM chip, 336
    security issues, 331
    types of, 327–328
read-through test, disaster recovery plan, 793–794
ready state, types of operating states, 321
real (main/primary) memory, types of RAM, 328
real (object) evidence, using in court of law, 807
reasonableness check, in software testing, 857
reciprocal agreements, as disaster recovery option, 782–783
reconnaissance attacks
    dumpster diving, 906–907
    IP probes, 905–906
    overview of, 610, 905
    port scans, 906
    vulnerability scans, 906
records
    identifying database, 863
    retaining, 164–165, 171
recovery, trusted recovery, 370
recovery access control, 76, 559
recovery phase, incident response, 824


recovery steps – resolving IP addresses to MAC addresses 1007

recovery steps, incident response, 703
recovery time objective (RTO), 101
Red book, in rainbow series, 293
red boxes, phreaker tools, 507
reduction analysis, 33–34
redundancy
    of controls, 363
    fault tolerance and, 304
redundant array of inexpensive disks (RAID)
    fault tolerance and, 304
    protecting hard drives, 761–762
redundant failover servers, 766–767
reference monitors, 277, 277–278
reference profile (template), of biometric factor, 571
references, screening employment candidates, 52
referential integrity, relational databases, 863
register addressing, types of memory addressing, 329
registers, CPUs and, 329
registration
    account provisioning and, 582
    of users, 561
registration authorities (RAs), issuing digital certificates, 244
regulations (government). See also laws and regulations
    applying security governance principles, 13–14
    Code of Federal Regulations (CFR), 127
    compliance, 57, 146–147
    physical security, 415
    privacy, 58
regulatory investigations, 805
regulatory requirements, in business continuity plan, 100
regulatory security policies, 26
relational database management systems (RDBMSs)
    object-oriented programming (OOP) and, 862
    overview of, 862, 862–864
    security, 866–868
    transactions, 864–866
relational databases, establishing, 862, 862–864
relationships between tables, databases, 863
relay agents, SMTP servers and, 509
release control, change management process, 854
remediation phase, incident response, 703, 824
remote access
    centralization of remote authentication services, 517
    managing, 513–515
    planning security for, 515–516
    techniques, 514
    war dialing countermeasures, 714
Remote Authentication Dial-In User Service (RADIUS)
    AAA protocols, 580–581
    centralizing remote authentication services, 517
    planning remote access security, 516
remote journaling, database recovery with, 784
remote meetings, 508
remote mirroring, database recovery with, 784
remote user assistance, 516
remote wipe
    failures of, 677
    mobile device security, 352
removable storage, mobile device security, 355
Repeatable phase, SW-CMMM, 851
repeaters
    cable runs and, 477
    network devices, 470
replay attacks
    on communication network, 542
    types of cryptographic attacks, 260
reports
    audit, 746–747
    incident, 824
    incident handling, 825–826
    on lessons learned, 704
    on penetration test results, 730
    protecting audit results, 747
    as step in incident response, 702
reproducibility, in DREAD rating system, 34
repudiation, in STRIDE threat categorization system, 31
request control, change management process, 854
reset packets. See RST (reset) packets
residual risk, 73
resources, provisioning and managing
    assessing requirements in business continuity plan, 98–99
    cloud-based assets, 673–674
    hardware inventories, 671
    media assets, 675–678
    overview of, 670
    physical assets, 672
    prioritizing in business impact assessment, 106
    software licensing, 671–672
    virtual assets, 672–673
response
    choosing appropriate, 822–824
    incident, 701
    of intrusion detection systems, 718–719
    process for, 821–824
    teams for, 820–821
    threat modeling and, 34–35
restoration
    disaster recovery tasks compared with, 791–792
    process, after incident, 824
restricted interface model, 287
retention, of data from incidents, 825
retina scans, biometric factors, 569
return on investment (ROI), 16–17
Reverse Address Resolution Protocol (RARP)
    NIDS discovering source of attack with, 720
    overview of, 447
    resolving domain names to IP addresses, 451
    resolving IP addresses to MAC addresses, 432


1008 reverse hash matching attacks – rows

reverse hash matching attacks, 260
revocation, digital certificates, 246
RFI (radio frequency interference), 401
RFID (radio frequency identification)
    hardware inventory, 671
    proximity readers, 397
rights
    permissions and privileges compared with, 594–595
    principle of least privilege for, 662–663
Rijndael block cipher, 218–219
ring topology, 478, 478
rings of protection. See layering
risk acceptance
    documenting business continuity plan, 112
    overview of, 72
risk analysis
    continuous improvement and, 78
    defined, 61
risk assessment
    documenting business continuity plan, 112
    overview of, 64–65
    qualitative risk analysis, 70–71
    quantitative risk analysis, 65–70
    vulnerability assessment indicating, 687–688
risk management
    identifying assets, 605–607
    identifying threats, 607–609
    identifying vulnerabilities, 609–610
    overview of, 605
Risk Management Framework (RMF)
    certification and accreditation systems, 302
    characteristics of, 79
    overview of, 78–79
    steps in, 79–80
    types of, 80–81
risk mitigation
    documenting business continuity plan, 112
    overview of, 72
risk rejection, 72
risks
    applying risk management concepts, 60–61
    assessment and analysis, 64–65
    assignment, 72
    assignment/acceptance, 72–73
    basing audits on associated, 743
    code repositories, 859
    cost functions associated with quantitative risk analysis, 66–70
    defined, 605
    defining risk terminology, 62
    elements of, 63
    elements of quantitative risk analysis, 65, 65–66
    evaluating based on CIA triad, 4
    flooding, 763
    identifying risks in business impact assessment, 102–103
    identifying threats and vulnerabilities, 63–64
    management accepting vs. mitigating, 687
    monitoring key indicators of, 650
    penetration testing, 728
    qualitative risk analysis, 70–71
    risk frameworks, 78–81
    RMF (Risk Management Framework), 78–81
    six steps of risk management framework, 80
    terminology, 61–63
Rivest, Shamir, and Adleman (RSA) algorithm
    advanced persistent threat (APT) on, 609
    developed by RSA Data Security, 218
    encryption algorithms approved under Digital Signature Standard, 242
    key length, 235
    overview of, 233–234
    use by PGP, 249
    use by S/MIME, 249
Rivest Cipher 2 (RC2), 219
Rivest Cipher 4 (RC4)
    comparing symmetric algorithms, 219
    use by WEP encryption, 458
Rivest Cipher 5 (RC5)
    comparing symmetric algorithms, 219
    example of block cipher, 218
RJ-45 jacks, 360
RMF. See Risk Management Framework (RMF)
rogue antivirus software, as Trojan variant, 888
ROI (return on investment), 16–17
role-based access control (role-BAC)
    access control models, 599, 599–601
    task-based access control (TBAC), 600
roles
    security governance and, 22–23
    security policies and, 26
    segregation of duties matrix, 665–666
ROM. See read-only memory (ROM)
root cause analysis
    in operational investigations, 805
    remediation step in incident response, 703
rootkits, waging escalation of privilege attacks with, 900–901
ROT3 cipher
    example of substitution cipher, 203
    historical milestones in cryptography, 190–191
rotation, backup tape, 790
rotation of duties (job rotation), 666
routers
    network devices, 471
    operating at Network layer of OSI model, 434
routing protocols
    categories of, 434
    Network layer of OSI model and, 433
rows, cardinality of database, 862–863


RSA algorithm. See Rivest – comparing hashing algorithms 1009

RSA algorithm. See Rivest, Shamir, and Adleman (RSA) algorithm
RST (reset) packets
    SYN flood attacks, 707
    TCP reset attacks, 708
    TCP sessions, 440
RTO (recovery time objective), 101
rule-based access control (rule-BAC)
    access control models, 601
    attribute-based access control (ABAC) as advanced, 601–602
    mandatory access control (MAC) vs., 603
    overview of, 274
rules
    attribute-based access control (ABAC), 601–602
    auditing specific process for following, 742
    NIST rules of behavior, 175
running (problem) state, types of operating states, 322
running key ciphers, 206–207

S

SaaS. See Software-as-a-Service (SaaS)
sabotage, 714
safe harbor
    EU privacy law and, 145
    transferring data with EU and, 180–181
    US Department of Commerce program, 177
safeguards
    calculating annualized loss expectancy with, 67
    calculating costs of, 68
    cost/benefit analysis, 68–69
    defining risk terminology, 62
    implementing for personnel security, 74–75
safety, security controls for personnel, 414, 670
salami attack, incremental attacks, 373
salted passwords, cracking with brute-force attack, 614
SAML (Security Assertion Markup Language)
    federated identity systems using, 577
    vulnerabilities in web-based systems, 349
sampling, in account management, 650
San Andreas fault, disaster recovery planning, 761
sandboxing
    CIA techniques, 273
    incident response and, 726
    preventing malicious code, 894
    protecting against botnets, 709
sanitization
    of hardware, 171, 671
    of media, 170
    of storage devices, 333
SANs (storage area networks), 525
Sarbanes-Oxley Act of 2002 (SOX)
    privacy regulations, 58
    role in compliance, 147
    segregation of duties and, 665
SAs (security associations)
    in IPsec sessions, 256
    managing with ISAKMP, 257
SCADA (supervisory control and data acquisition), 348–349
scanning attack incidents, 818–819
scenarios, in qualitative risk analysis, 70–71
scheduling changes, 628
SCMMM or SW-SCMM or (Software Capability Maturity Model), 850–852
scoping, in security baselines, 180
SCP (Secure Copy), 174
screen locks, mobile device security, 353
screen savers, session management and, 579–580
screened host, multihomed firewalls and, 467
screening employment candidates, 52–53
screening routers, 466
script kiddies, thrill attacks by, 817
scripted access, examples of single sign-on, 578
scripts, email security issues, 510
SCTP (Stream Control Transmission Protocol), 581
SD3+C (Secure by Design, Security by Default, Secure in Deployment and Communication), 29
SDL (Security Development Lifecycle), 29
SDLC (Synchronous Data Link Control), 536
SDNs. See software-defined networks (SDNs)
SDx (software-defined everything), 672–673
search warrants
    in computer crime investigation, 811–812
    gathering evidence using, 822
seclusion, aspects of confidentiality, 5
second normal form (2NF), database normalization, 864
secondary memory, 330–331
secondary storage
    compared with primary, 332
    data storage, 869
second-generation languages (2GL), 840
secrecy, aspects of confidentiality, 5
secret key cryptography. See symmetric key cryptography
Secure by Design, Security by Default, Secure in Deployment and Communication (SD3+C), 29
Secure Copy (SCP), 174
Secure Electronic Transaction (SET), 501–502
Secure European System for Applications in a Multivendor Environment (SESAME), 578
Secure File Transfer Protocol (SFTP), 174
Secure Hash Algorithm (SHA)
    birthday attacks and SHA-3, 613–614
    comparing hashing algorithms, 240


1010 overview of SHA-1 and SHA-2 and SHA-3 – security impact analysis

    overview of SHA-1 and SHA-2 and SHA-3, 237–238
    SHA-1 use by OpenPGP, 249
    types of hashing algorithms, 213
Secure Hash Standard (SHS), 237–238
Secure Multipurpose Internet Mail Extensions (S/MIME)
    email security solutions, 511
    overview of, 249
secure passwords, preventing password attacks, 898
Secure Remote Procedure Call (S-RPC), secure communication protocols, 501
Secure Shell (SSH)
    example of end-to-end encryption, 255
    protecting data in transit, 174
Secure Sockets Layer (SSL)
    overview of, 173
    protecting web applications, 250
    secure communication protocols, 501
    X.509 standard for, 243
secure state machine, 278
SecureAuth Identity Provider (IdP), for device authentication, 573
security architecture vulnerabilities. See vulnerabilities, in security architecture
Security Assertion Markup Language (SAML)
    federated identity systems using, 577
    vulnerabilities in web-based systems, 349
security assessment and testing
    building program for, 631–632
    exam topics, 629, 651–652
    network discovery scans, 634–637, 636–637
    network vulnerability scans, 637–640, 638–640
    penetration testing, 642–643, 643
    review answers, 939–940
    review questions, 654–657
    security assessments, 631–632
    security audits, 632–633
    security management processes, 649–650
    security testing, 630–631
    summary, 650–651
    testing your software, 643–648, 645, 647
    types of vulnerability scans, 634
    web vulnerability scans, 640–642, 641
    written lab, 653
    written lab answers, 962–963
security associations (SAs)
    in IPsec sessions, 256
    managing with ISAKMP, 257
security audits. See also audits/auditing
    building program for, 632–633
    and reviews, 745–746
security boundaries, 539
security breaches. See breaches
security clearance, screening employment candidates, 52
security controls. See controls
Security Development Lifecycle (SDL), 29
security domains, mandatory access control (MAC), 602, 602–604
security engineering controls, 274
security governance, 36
    AAA services, 8, 9
    abstraction, 12–13
    accountability, 10–11
    aligning security functions to strategies, goals, mission, and objectives, 14–16, 15
    applying security governance principles, 13–14
    auditing, 10
    authentication, 8–9, 10
    authorization, 9–10
    availability principle, 7
    change control/management, 17–18
    CIA triad, 3, 3–4
    confidentiality principle, 4–5
    control frameworks, 23–24
    data classification, 18–22, 20–21
    data hiding, 13
    determining and diagramming potential attacks, 32–33, 33
    due care and due diligence, 24
    encryption, 13
    exam topics, 1–2, 38–40
    identification, 8, 10
    identifying threats, 30–32
    integrating risk considerations into acquisition strategies and practices, 35–36
    integrity principle, 5–6
    lab, 41
    layering (defense in depth), 12
    legally defensible security, 11
    for multi-level databases, 866–868
    nonrepudiation, 11–12
    organizational processes and, 16–17
    performing reduction analysis, 33–34
    personnel security, 59–60
    policies, 25–26
    prioritization and response, 34–35
    procedures, 27–28, 28
    review answers, 916–917
    review Q&A, 42–45
    review questions, 42–45
    roles and responsibilities, 22–23
    standards, baselines, and guidelines, 26–27
    summary, 36–38
    threat modeling, 28–29
    written lab, 41
    written lab answers, 954
security guards, as perimeter control, 409
security IDs, physical security, 411
security impact analysis, change management, 682–683


security incident and event management (SIEM) packages – aligning security functions to strategies 1011

security incident and event management (SIEM) packages,649

security kernel, 278

security labels. See labelssecurity layers. See layeringsecurity logs. See also logs/logging, 733

security modelsaccess control matrix, 280–282

Bell-LaPadula model, 282–284, 283Biba model, 284–286, 285Brewer and Nash model (Chinese Wall), 287

Clark-Wilson model, 286, 286–587

Goguen-Meseguer model, 288

Graham-Denning model, 288

information flow model, 279

noninterference model, 279–280

overview of, 275–276

reference monitors and, 277–278

review answers, 927–929review questions, 308–311security perimeters and, 277, 77 277state machine model, 278

Sutherland model, 288

Take-Grant model, 280, 281trusted computing base (TCB) and, 276

written lab answers, 958–959security modes

comparing, 325

compartmented mode, 324

dedicated mode, 323–324

multilevel (controlled security) mode, 325

overview of, 323

system high mode, 324

security operations

balancing usability with security, 681

change, 680–683, 681

cloud-based assets, 673–674

Common Vulnerability and Exposures (CVE) database, 688

configuration, 678–680, 679

exam topics, 659–660, 689–690

hardware and software assets, 671–672

information life cycle, 668–669

job rotation and, 666

mandatory vacations, 666–667

media, 675–678

need to know principle, 661–662

overview of, 661

patch management, 684–685

personnel safety, 670

physical asset protection, 672

principle of least privilege, 662–663

review answers, 940–943

review questions, 692–695

separation of duties and responsibilities, 663–666, 665

service level agreements, 669

special privileges, 667–668

summary, 688–689

virtual assets, 672–673

vulnerabilities, 685–688

written lab, 691

written lab answers, 963

security perimeters

controls, 407–409, 408

overview of, 277, 277

security policies. See also policies

access control with, 596–597

auditing effectiveness of, 742–748

for BYOD devices, 677

developing, 25–26

for email, 509

handling sensitive data, 167

implementing defense in depth with, 598

for incident handling, 817–818

integrating risk considerations into acquisition strategies and practices, 36

for malicious software, 724

Network Access Control (NAC) as, 464–465

for passwords, 564

on potential of attacks by disgruntled employees, 816

preventing military and intelligence attacks, 813

protection mechanisms, 367–369

reduction analysis and, 34

for strong passwords, 620

warning banners informing users about, 723

security procedures

overview of, 27–28

wireless networking, 462–463

security professionals, 22–23

security standards, rainbow series, 290

security targets (STs), Common Criteria, 296–297

security testing, building program for, 630–631

segmentation

hardware segmentation, 367

storage segmentation, 354

segments

data at Transport layer of OSI model, 430

packets converted into segments at Transport layer of OSI model, 434

segregation of duties, 664–666

SEI (Software Engineering Institute)

IDEAL model for software development, 851–852

SCMM model for software development, 850–851

semantic integrity, DBMS security, 867

Sendmail debug mode, spread of Internet worm, 891

Sendmail server, Unix systems, 509

senior management

aligning security functions to strategies, goals, mission, and objectives, 15

analyzing business organization, 96

business continuity planning and, 98

getting approval of continuity plan, 109

prudent man rule, 130

security roles and responsibilities, 22

sensitive data

commercial classification of data, 21, 162

defining, 158–160

destroying, 168–171, 170

handling, 167

marking, 165–167

not including in code repositories, 859

protecting using symmetric encryption, 172–173

protecting using transport encryption, 173–174

securing email data, 164

storing, 167–168

trusted systems, 274–275

sensitivity, aspects of confidentiality, 5

separation of duties

Clark-Wilson model and, 286

defined, 596

important elements of job descriptions, 50

overview of, 663–666, 665

in software testing, 857

separation of privilege

mechanisms of security policies, 368

overview of, 664

sequential storage

compared with random, 332–333

data storage, 869

Serial Line Internet Protocol (SLIP), 516–517

Server Message Block (SMB), 433

server rooms, physical security of, 393–394

servers

alternate processing sites for. See sites, alternate processing

controlling accessibility of, 393–394

fully redundant failover, 766–767

implementing antivirus software on, 893

protecting with failover clusters, 772–773

server-based vulnerabilities, 341

service accounts, separation of privileges in, 664

service bureaus, as disaster recovery option, 781–782

service injection viruses, 885–886

service oriented architecture (SOA), 374

Service Provisioning Markup Language (SPML), 577

service set identifiers (SSIDs)

configuring wireless security, 462

disabling SSID broadcast, 457

securing, 456–457

service-level agreements (SLAs)

hardware replacement in disasters using, 781

legal and regulatory requirements and, 100

preparing for equipment failure, 391

as security practice, 669

in software escrow arrangements, 790

systems development control with, 859–860

vendor, consultant, and contractor controls, 56–57

services

disabling unneeded as preventive measure, 705

integrating for identity management, 579

integrating risk considerations into acquisition strategies and practices, 35

SESAME (Secure European System for Applications in a Multivendor Environment), 578

session hijacking, as masquerading attack, 908

Session layer (layer 5), in OSI model, 435

sessions, managing, 579–580

SET (Secure Electronic Transaction), 501–502

SFTP (Secure File Transfer Protocol), 174

SHA (Secure Hash Algorithm). See Secure Hash Algorithm (SHA)

shadow passwords, preventing password attacks on Linux/Unix, 898–899

shared key authentication (SKA), authenticating wireless access points, 458

shared private keys, 209

shielded twisted-pair (STP), 475–476

shielded twisted-pair (STP) cable, 475–476

shoulder surfing

securing work areas, 395

as social engineering attack, 616–617

shrink-wrap licenses, types of license agreements, 138

SHS (Secure Hash Standard), 237–238

side-channel attacks, smartcards, 619

signature dynamics, biometric factors, 570

signature files, anti-malware software using up-to-date, 723

signature-based detection, of antivirus programs

overview of, 886–887

updating frequently, 894

Silver Bullet Service, IronKey flash drives, 676

Simda botnet, 710

Simple Key Management for Internet Protocol (SKIP), 501

Simple Mail Transfer Protocol (SMTP), 508–509

simplex communication

Session layer of OSI model and, 435

with UDP, 439

simulation tests, disaster recovery plan, 794

single loss expectancy (SLE)

assessing impact of risks, 105

elements of quantitative risk analysis, 65–66

formula, 69

single points of failure, eliminating, 760

single sign-on (SSO)

as centralized access control technique, 573–574

examples, 578

federated management of, 576–578

Kerberos and, 574–576

Lightweight Directory Access Protocol and, 574

Security Association Markup Language and, 349

single-state systems, 318

site surveys, conducting for wireless networks, 457

sites

provisions and processes phase of continuity plan, 108–109

selecting for facility, 387–388

sites, alternate processing

cloud computing, 782

cold sites, 778–779

disaster recovery plan for, 787–790

hot sites, 779–780

locating away from your main site, 767, 778

mobile sites, 781

service bureaus, 781–782

warm sites, 780–781

Six Cartridge Weekly Backup strategy, backup tape rotations, 790

SKA (shared key authentication), authenticating wireless access points, 458

SKIP (Simple Key Management for Internet Protocol), 501

Skipjack algorithm

comparing symmetric algorithms, 219

overview of, 217–218

SLAs. See service-level agreements (SLAs)

SLE. See single loss expectancy (SLE)

SLIP (Serial Line Internet Protocol), 516–517

smart TVs, 360

smartcards

attacks, 619

authentication factors, 563

in datacenter security, 396–397

overview of, 566–567

smartphones/mobile phones

accessing and mitigating vulnerabilities, 350–351

managing, 677

types of hashing algorithms, 213

wireless networking, 485

SMB (Server Message Block), 433

SMDS (Switched Multimegabit Data Service), WAN connections, 536

S/MIME (Secure Multipurpose Internet Mail Extensions)

email security solutions, 511

overview of, 249

SMP (symmetric multiprocessing), 316–317

SMTP (Simple Mail Transfer Protocol), 508–509

smurf amplifier, 708

smurf attacks

as DRDoS attacks, 706

overview of, 708

sniffer (snooping or eavesdropper) attacks

eavesdropping on communication network, 541–542

faxes and, 513

as man-in-the-middle attacks, 713

overview of, 614–615

preventing with switches, 720

protecting against, 375, 454

SOA (service oriented architecture), 374

SOC (service organization control) report, 102

social engineering attacks

access control attack via, 616–617

guidelines for protection against, 505

overview of, 504

as password attacks, 897–898

in penetration tests, 729–730

phishing, 617–618

used during penetration tests, 727

Socket Secure (SOCKS), circuit-level gateway firewall, 466

software

alternate processing sites for. See sites, alternate processing

anti-malware. See anti-malware software

copyright protection and, 134–135

disaster recovery planning for failure of, 767–768

escrow arrangements, 790–791

export controls, 139

forensic evidence collection, 810

identifying threats by focus on, 30

integrating risk considerations into acquisition strategies and practices, 35

licensing, 671–672

RAID solutions for, 771

security controls for acquisition of, 860

threat modeling with focus on, 608

trade secret protection, 137

virtual, 523–524

Software Alliance, 138

Software Capability Maturity Model (SW-CMM or SCMM), 850–852

software development

Agile software development, 849–850

application programming interfaces (APIs), 856–857

assurance, 841

avoiding/mitigating system failure, 841–844

change and configuration management, 853–855

code repositories, 858–859

databases/data warehousing, 860–868, 861–862, 868

DevOps model, 855–856

exam topics, 837, 874

Gantt charts and PERT, 853, 853

IDEAL model, 851–852, 852

knowledge-based systems, 870–873

life cycle models, 847–849, 848–849

object-oriented programming (OOP), 840–841

overview of, 838

programming languages, 839–840

review answers, 949–950

review questions, 876–879

service-level agreements (SLAs), 859–860

software acquisition, 860

Software Capability Maturity Model (SCMM), 850–851

software testing, 857–858

spiral model, 848–849, 849

storing data and information, 868–869

summary, 873

systems development life cycle, 844–847

waterfall model, 847–848, 848

written lab, 875

written lab answers, 965

Software Engineering Institute (SEI)

IDEAL model for software development, 851–852

SCMM model for software development, 850–851

Software IP Encryption (swIPe), secure communication protocols, 501

software testing

black-box testing, 857–858

code review, 644–645, 645

dynamic testing, 646, 858

fuzz testing, 646, 647

gray-box testing, 858

interface testing, 646–648

misuse case testing, 648

overview of, 643–644

reasonableness check, 857

static testing, 645, 858

test coverage analysis, 648

white-box testing, 857

Software-as-a-Service (SaaS)

definition of cloud computing concepts, 346

integrating identity services, 579

managing cloud-based assets, 674

overview of, 102

software development security, 860

third-party security services, 726

software-defined everything (SDx), 672–673

software-defined networks (SDNs)

converged protocols, 453

managing virtual assets, 673

virtual networking, 524–525

solid state drives (SSDs)

destroying sensitive data and, 169

destroying sensitive data on, 678

storage security issues, 333

something you do, authentication factors, 563, 568

something you have, authentication factors, 563

something you know, authentication factors, 563

Sony

advanced persistent threat (APT) on, 609

network-based DLP could have detected attack on, 741

PlayStation breach, 610

reporting to upper management, 702

SOX. See Sarbanes-Oxley Act of 2002 (SOX)

spam

email security issues, 511

phishing attacks using, 617

Spam over Internet Telephony (SPIT) attacks, 503

spear phishing, 618

special privileges, monitoring for security, 667–668

spikes, power, 773

SPIT (Spam over Internet Telephony) attacks, 503

split knowledge

in cryptography, 201

defined, 221

separation of duties/two-person control in, 666

SPML (Service Provisioning Markup Language), 577

spoofing (masquerading) attacks

access abuses, 398

ARP spoofing attacks on, 542–543

on communication network, 542

DNS and, 543–544

email, 616

email security issues, 510

overview of, 615–616, 907–908

in STRIDE threat categorization system, 30

Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege (STRIDE), threat modeling and, 30–31

spread spectrum technologies, 481

spyware, as malicious code, 893

SQL. See Structured Query Language (SQL)

SQL injection attacks

protecting against, 905

on web applications, 902–904

S-RPC (Secure Remote Procedure Call), secure communication protocols, 501

SSDs. See solid state drives (SSDs)

SSH (Secure Shell)

example of end-to-end encryption, 255

protecting data in transit, 174

SSIDs. See service set identifiers (SSIDs)

SSL. See Secure Sockets Layer (SSL)

SSO. See single sign-on (SSO)

stand-alone infrastructure mode, wireless access points (WAPs) and, 455

standards

compliance, 57

in security and risk management, 26–27

selecting, 180–181

standby UPS, 773

star topology, 479, 479

state changes, attacks based on predictability of task execution, 374

state machine model

Bell-LaPadula model based on, 283

Biba model and, 284

information flow model based on, 279

overview of, 278

state transitions, in state machine model, 278

stateful inspection firewalls, 467

stateful NAT, IP addressing and, 527–528

statement of importance, documenting business continuity plan, 111–112

statement of organizational responsibility, documenting business continuity plan, 111–112

statement of priorities, documenting business continuity plan, 111–112

statement of urgency and timing, documenting business continuity plan, 111–112

static electricity, controlling, 401

static NAT, IP addressing and, 528

static packet-filtering firewalls, 466

static passwords, 564

static RAM, 329

static systems. See embedded and static systems

static testing, software, 645, 858

statistical attacks, types of cryptographic attacks, 258

statistical intrusion detection, 717

stealth viruses, 888

steganography

egress monitoring with, 741

overview of, 250–252, 251–252

STOP error, in Blue Screen of Death, 843

stopped state, types of operating states, 322

storage

of disaster recovery plans, 793

information life cycle management and, 669

plan for backup media, 787–790

removable, 355

sensitive data, 167–168

of threats, 870

types of, 869

storage area networks (SANs), 525

storage devices

security issues, 333

types of, 331–333

storage segmentation, mobile device security, 354

stored procedures, protecting against SQL injection, 905

storms, disaster recovery planning for, 763–764

STP (shielded twisted-pair) cable, 475–476

strategic planning, aligning security functions to, 15, 15–16

strategy development phase, in continuity planning, 107

stream ciphers, 207

Stream Control Transmission Protocol (SCTP), 581

streaming media (audio/video), copyright protection and, 135

STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), threat modeling and, 30–31

strikes, disaster recovery planning for, 768–769

stripe of mirrors, RAID-10, 771

striping, RAID-0, 771

striping with parity, RAID-5, 771

strong passwords

creating policy for, 620

dual administrator account audits for, 745

preventing password attacks, 611

Structured Query Language (SQL)

aggregation-related vulnerabilities, 341

Data Definition Language, 864

Data Manipulation Language, 864

database transactions, 864–866

multilevel security database security with views, 866

relational databases, 863–864

structured walk-through test, disaster recovery plan, 794

STs (security targets), Common Criteria, 296–297

study tools, for this book

additional, 968

customer care, 970

system requirements, 969

troubleshooting, 969–970

using, 969

Stuxnet worm

advanced persistent threat (APT) using, 609

overview of, 892–893

subclasses, in object-oriented programming, 840

subjects

access control between objects and, 271, 557

in Clark-Wilson triple, 286

Graham-Denning model, 288

subnet masks, IP addressing, 445

subpoena, compelling surrender of evidence, 822

subscriber identity module (SIM) card

cell phone security issues, 507

failure of remote wipe and, 677

substitution ciphers

in American Civil War, 191

Caesar cipher, 190–191

one-time pads, 205–206

overview of, 203–205

super-increasing sets, Merkle-Hellman Knapsack algorithm based on, 234

supervisory control and data acquisition (SCADA), 348–349

supervisory state, types of operating states, 322

supplies, disaster recovery plan for, 791

support ownership, BYOD devices, 358

support services, analyzing business organization, 96

Supreme Court, in U.S. legal system, 125

surges, power

offline or standby UPS protecting from, 773

surge protectors, 400

Sutherland model, 288

SVCs (switched virtual circuits), 532

swIPe (Software IP Encryption), secure communication protocols, 501

Switched Multimegabit Data Service (SMDS), WAN connections, 536

switched virtual circuits (SVCs), 532

switches

network devices, 471

preventing rogue sniffers, 720

switching technologies

circuit switching, 530–531

overview of, 530

packet switching, 531–532

virtual circuits, 532

SW-CMM or SCMM (Software Capability Maturity Model), 850–852

Sybex text engine, 968

symmetric key cryptography

Advanced Encryption Standard (AES), 218–219

algorithms, 209, 209–210

asymmetric key algorithms compared with, 213

Blowfish block cipher, 217

comparing symmetric algorithms, 219

creating and distributing symmetric keys, 219–221

Data Encryption Standard (DES), 214–215

exam topics, 189, 223–224

International Data Encryption Algorithm (IDEA), 217

key escrow and recovery, 221–222

nonrepudiation and, 194

protecting sensitive data, 172–173

review answers, 924–926

review questions, 226–229

Skipjack algorithm, 217–218

storing and destroying symmetric keys, 221

summary, 222–223

Triple DES, 216–217

weakness of, 210

written lab, 225

symmetric multiprocessing (SMP), 316–317

SYN, in TCP three-way handshake, 440

SYN flood attacks

blocking, 707–708

IDS active response to, 718

overview of, 706–707, 707

SYN/ACK, in TCP three-way handshake, 440

synchronous communication, subtechnologies supported by Ethernet, 487

Synchronous Data Link Control (SDLC), 536

synchronous dynamic password tokens, 567

synthetic transactions, dynamic testing of software, 646

system

controlling access to assets, 556

principle of least privilege for access to, 662–663

recovering from incident by rebuilding, 703

system high mode, security modes, 324

system logs, 733

system owner role, 175–176

system requirements, for this book, 969

system resilience

overview of, 760

protecting hard drives, 771–772

protecting power sources, 773

protecting servers, 772–773

quality of service, 775

trusted recovery, 773–775

systems development life cycle

code review walk-through phase, 846

conceptual definition phase, 845

control specifications development phase, 845–846

design review phase, 846

functional requirements determination phase, 845

maintenance and change management phase, 847

overview of, 844

user acceptance testing phase, 846

T

tables, relational database

normalization of, 864

overview of, 862–864

tablets

examples of embedded and static systems, 360

managing, 677

TACACS+. See Terminal Access Controller Access Control Plus (TACACS+)

tactical planning, 15, 15–16

tailoring, security baselines, 180

Take-Grant model

directed graph, 281

overview of, 280

tampering, in STRIDE threat categorization system, 30

tape media

managing, 675–676

mean time to failure of, 677

target of evaluation (TOE), 295–297

task-based access control (TBAC), 600

TATO (temporary authorization to operate), in security governance, 59–60

TCB. See trusted computing base (TCB)

TCP ACK scan, network discovery with, 635

TCP connect scan, network discovery with, 635

TCP header, 441–442

TCP reset attacks, 708

TCP SYN scan, network discovery with, 634–635

TCP wrapper, in port-based access control, 439

TCP/IP suite

Application layer protocols, 447–448

domain name resolution and, 450–451

implications of multilayer protocols, 448–450

layers of, 438, 438–439

Network layer protocols, 444–447

overview of, 437, 437–438

security of, 500

Transmission Control Protocol (TCP), 440, 440–443

Transport layer protocols, 439

User Datagram Protocol (UDP), 443–444

vulnerabilities, 450

TCSEC. See Trusted Computer System Evaluation Criteria (TCSEC)

team

incident response, 701

selecting for business continuity planning, 96–97

teardrop attacks, 710–711

technical access controls

implementing defense in depth, 598

selecting and assessing countermeasures, 74

types of access control, 559

technical mechanisms, 364

technical physical security controls, 389

technologies

integration, 374

virus, 887–888

technology convergence, in planning secure facility, 387

Telnet, SSH compared with, 174

temperature, physical security and, 401

TEMPEST

securing data on monitors and, 334

securing electrical signals and radiation, 375, 399, 454

Temporal Key Integrity Protocol (TKIP)

overview of, 460

securing wireless networks, 257

temporary authorization to operate (TATO), in security governance, 59–60

temporary Internet files, cache-related issues, 340

Ten Commandments of Computer Ethics, IAB, 828–829

Terminal Access Controller Access Control Plus (TACACS+)

AAA protocols, 581

centralizing remote authentication services, 516

planning remote access security, 516

termination processes, employment, 54–56, 55

terrorism

computer crime, 815

disaster recovery planning for, 765–766

test coverage analysis, software, 648

testimonial evidence, 808

testing. See also security assessment and testing

disaster recovery plan, 793–794

documenting business continuity plan, 114

electronic vaulting setup, 784

fuzz testing, 29

patches, 684–685

penetration testing. See penetration testing

POST (power-on-self-test), 327

software. See software testing

UPS devices, 767

TGS (ticket-granting service), Kerberos, 575

TGT (ticket-granting ticket), Kerberos, 575–576

theft

disaster recovery planning for, 769–770

storage security issues, 333

thicknet coax (10Base5), 474–475

thinnet coax (10Base2), 474–475

third normal form (3NF), database normalization, 864

third-generation languages (3GL), 840

third-party

plug-ins used by adware and malware, 893

security audits, 632–633

security governance, 59

security services, 726

software escrow arrangements, 790

threat modeling

advanced persistent threat (APT), 608–609

applying, 28–29

approaches to, 607–608

determining and diagramming potential attacks, 32–33

identifying threats, 30–32

overview of, 607

performing reduction analysis, 33–34

prioritization and response, 34–35

threats

advanced persistent threat (APT), 608–609

to availability, 7

computer crime. See computer crime

to confidentiality, 4

defined, 605

defining risk terminology, 61

in formula for total risk, 73

identifying, 63–64, 606–609

identifying with threat modeling, 607–608

insider, 816

to integrity, 6

to storage, 870

three-way handshake

SYN flood attack disrupting, 706

in TCP, 440

thrill attacks, computer crime, 817

throughput rate, in biometric processing, 572

ticket-granting service (TGS), Kerberos, 575

ticket-granting ticket (TGT), Kerberos, 575–576

tickets, Kerberos, 575

time of check (TOC), attacks based on predictability of task execution, 373

time of use (TOU), attacks based on predictability of task execution, 374

time stamps, DBMS data integrity, 867

time-of-check-to-time-of-use (TOCTOU)

and application attacks, 900

attacks based on predictability of task execution, 374

timing attacks

attacks based on predictability of task execution, 373–374

smartcards, 619

TKIP (Temporal Key Integrity Protocol)

overview of, 460

securing wireless networks, 257

TLS. See Transport Layer Security (TLS)

TOC (time of check), attacks based on predictability of task execution, 373

TOCTOU (time-of-check-to-time-of-use)

and application attacks, 900

attacks based on predictability of task execution, 374

TOE (target of evaluation), 295–297

token passing, LAN media access technologies, 489

Token Ring, LAN technologies, 485

tokens

authentication factors, 563

overview of, 567–568

security attributes and, 275

top secret

defining data classifications, 160

governmental classification of data, 20

topologies, network, 477–480, 478–480

tornadoes, disaster recovery planning for, 764

TOU (time of use), attacks based on predictability of task execution, 374

Tower of Hanoi strategy, backup tape rotations, 790

TPM (Trusted Platform Module)

integration of encryption systems with, 248

overview of, 303–304

TPs (transformation procedures), in Clark-Wilson model, 287

trade secrets, 136–137

trademarks, 135–136

traffic. See network traffic

training

BCP implementation and, 110

cross-training as alternative to job rotation, 52

disaster recovery crisis management, 777

disaster recovery plan for, 792–793

employees on social engineering tactics, 616

establishing and managing information security education, training, and awareness, 81–82

first responders for IT incidents, 701

in malicious software, 724

operational planning and, 16

on reporting security incidents, 702

security training as countermeasure to confidentiality breach, 4

security training as countermeasure to integrity breach, 6

users about security, 621

transactions, database, 864–866

transformation procedures (TPs), in Clark-Wilson model, 287

transients, on power lines, 773

transitive trusts

access control between objects and subjects, 271

least privilege problem and, 663

transmission

logging, 538

planning remote access security, 515

Transmission Control Protocol (TCP)

AAA protocols and, 581

overview of, 439

in TCP/IP suite, 440, 440–443

transparency, characteristics of security controls, 537

transport encryption, protecting sensitive data, 173–174

Transport layer (layer 4), in OSI model, 434–435

Transport layer protocols, in TCP/IP suite

overview of, 439

Transmission Control Protocol (TCP), 440–443

User Datagram Protocol (UDP), 443–444

Transport Layer Security (TLS)

Diameter support for, 581

as encryption protocol underlying HTTPS, 173

encryption protocols used by VPNs, 174

example of end-to-end encryption, 255

protecting web applications, 250

secure communication protocols, 501

transport mode, IPsec, 256

transposition ciphers

in American Civil War, 191

as example of block cipher, 207

overview of, 202–203

travel, personnel safety during, 670

traverse mode noise, 401

trend analysis, monitoring using, 740

triple, in Clark-Wilson model, 286

Triple DES (3DES)

comparing symmetric algorithms, 219

overview of, 173

supported by S/MIME, 249

versions of, 216–217

Tripwire data integrity

as malicious code countermeasure, 887

preventing malicious code, 894

Trojan horses

creating botnet with, 890

email security issues, 510

with logic bomb component, 888

as malicious code, 889–890

troubleshooting, study tools for this book, 969–970

TrueCrypt, encryption on portable devices, 248

trust

assurance procedures building system, 841

between LDAP domains, 574

social engineering by gaining, 616–617

trust boundaries, in reduction analysis, 34

trust relationships

Internet worm using, 892

in PKI, 242

Trusted Computer System Evaluation Criteria (TCSEC)

categories and levels of protection, 290–292, 291

Common Criteria replaces, 289

guidelines relative to trusted paths, 277

ITSEC compared with, 295–296

limitations of, 294–295

rainbow series and, 290

Red and Green books of rainbow series, 293

security standards and baselines and, 27

trusted computing base (TCB)

overview of, 276

reference monitors and kernels, 277–278

security perimeter and, 277

trusted paths, in TCB communication, 277

Trusted Platform Module (TPM)

integration of encryption systems with, 248

overview of, 303–304

trusted recovery

designing for, 773–775

system shutdown and, 370

trusted systems, in protection of sensitive data, 274–275

tsunamis, disaster recovery planning for, 762, 765

tunnel mode, IPsec, 256

tunneling

Layer 2 Tunneling Protocol (L2TP), 521

overview of, 518–519

Point-to-Point Tunneling Protocol (PPTP), 520–521

protocols for establishing VPNs, 439

tuples, relational database, 862

turnstiles, as perimeter control, 408

twisted-pair cable

characteristics of, 475

overview of, 475–476

two-factor authentication

overview of, 572

smartcards, 397

Twofish algorithm, 218–219

two-person controls (two-man rule), 666

Type 1 Error, biometric error ratings, 570

Type 2 Error, biometric error ratings, 570

U

UCITA (Uniform Computer Information Transactions Act), 138

UDI (unconstrained data item), in Clark-Wilson model, 287

UDP. See User Datagram Protocol (UDP)

UDP header, 443

UDP packets, 708

UEFI (unified extensible firmware interface), 336

Ultra, attack on Enigma code, 192

unclassified

defining data classifications, 160

governmental classification of data, 20

unconstrained data item (UDI), in Clark-Wilson model, 287

unicasts, subtechnologies supported by Ethernet, 488

unified extensible firmware interface (UEFI), 336

Uniform Computer Information Transactions Act (UCITA), 138

uninterruptible power supply (UPS)

adding fault tolerance for power sources with, 773

recovery planning for power outages, 766

securing power supply, 400

testing regularly, 767

United States

code of criminal and civil law, 126

Copyright Office, 134–135

Department of Commerce. See Department of Commerce

Department of Defense. See Department of Defense (DoD)

Patent and Trademark Office (USPTO), 135

privacy law, 140–144

USA PATRIOT ACT, 143

United States Constitution

administrative law and, 127

Fourth Amendment (privacy rights), 140

Fourth Amendment (valid search), 811

role of legislature in, 125

Unix

less vulnerable to viruses, 886

preventing password attacks, 898

unshielded twisted-pair (UTP)

categories of, 476

characteristics of, 475

overview of, 475

updates

methods of securing embedded and static systems, 363

as preventive measure, 705

of primary site servers to hot site servers, 779

protecting against botnets, 709

protecting against LAND attacks, 711

Uplay, DRM technology used by video games, 254

UPS. See uninterruptible power supply (UPS)

usability, balancing security with, 681

USB flash drives

authentication factors, 563

controlling, 676

installing malware using, 712

mobile system vulnerabilities and, 350

storing sensitive data, 168

USC (United States Code), of criminal and civil law, 126
user acceptance, BYOD and, 359
user acceptance testing phase, systems development life cycle, 846
User Datagram Protocol (UDP)
  AAA protocols and, 580–581
  overview of, 439
  in TCP/IP suite, 443–444
user entitlement audits, 744–745
user interfaces (UIs), testing, 648
user mode
  in four-ring model, 320
  types of operating modes, 326
users
  comparing subjects and objects, 557
  delegating incident response to end user, 704
  detecting potential incidents, 700
  registration of, 561
  security roles and responsibilities, 23, 178
  usernames for identifying, 561
USPTO (United States Patent and Trademark Office), 135
utilities
  disaster recovery plan for, 791
  disaster recovery planning for other, 767
  disaster recovery planning for power outages, 766–767
UTP. See unshielded twisted-pair (UTP)

V
Van Eck phreaking, 334
Van Eck radiation, 334
vandalism, disaster recovery planning for, 769–770
VBA (Visual Basic for Applications), 885
vehicle computing systems, examples of embedded and static systems, 362
vendors
  communications during disaster recovery with, 791
  controls, 56–57
  electronic vaulting, 783
  governance review, 147–148
  software acquisition from, 860
VENONA project, 206
verification
  of backup, 650
  of digital certificates, 245
  of integrity, 537
  integrity verification procedures (IVP), 287
  PIV (Personal Identity Verification) cards, 567
  secondary verification mechanisms, 412–413
Vernam ciphers, 205
versioning control
  in configuration management, 683
  firmware (microcode), 363
video
  BYOD devices and, 359–360
  copyright protection of streaming media, 135
  streaming with UDP, 443
video games, digital rights management, 254
views, in multilevel security database security, 866
Vigenère cipher, 203–204
virtual LANs (VLANs), 522–523
virtual machines (VMs)
  hosting honeypots/honeynets on, 722
  managing, 672–673
virtual memory
  data storage, 869
  as type of secondary memory, 330
virtual private networks (VPNs)
  encryption and, 174
  how they work, 519–520
  IPsec and, 521–522
  Layer 2 Tunneling Protocol (L2TP), 521
  overview of, 517–518
  Point-to-Point Tunneling Protocol (PPTP), 520–521
  protocols, 520
  securing with IPsec, 256
  TCP/IP security using VPN links, 439
  telephony options, 513
  tunneling and, 518–519
virtual SANs (storage area networks), 525
virtual storage area networks (VSANs), 673
virtualization
  of data storage, 869
  managing virtual assets, 672–673
  overview of, 303, 523
  virtual applications/software, 523–524
  virtual desktops, 524
  virtual networking, 524–525
virus decryption routine, 888
viruses
  antivirus mechanisms, 886–887
  email security issues, 510
  hoaxes, 888–889
  with logic bomb component, 888
  platforms vulnerable to, 885
  prevalence of, 883
  propagation techniques, 883–885
  technologies, 887–888
vishing attacks, as variant of phishing, 618–619
visibility, factors in facility site selection, 388
Visual Basic for Applications (VBA), 885
vital record program, documenting business continuity plan, 113
VLANs (virtual LANs), 522–523
VMs (virtual machines)
  hosting honeypots/honeynets on, 722
  managing, 672–673
Voice over Internet Protocol (VoIP)
  converged protocols, 452–453
  Diameter support for, 581


  phishing attacks, 503
  phone number spoofing on, 616
  for secure voice communication, 503–504
  telephony options, 513
  vishing attacks, 618–619
  voice encryption, 352
  war dialing using, 714
voice pattern recognition, biometric factors, 569
volatile storage
  compared with nonvolatile, 332
  data storage, 869
volcanic eruptions, disaster recovery planning for, 765
voluntary surrender, of evidence, 822
VSANs (virtual storage area networks), 673
vulnerabilities
  Common Vulnerability and Exposures (CVE) database, 688
  database. See database security
  defined, 61, 605
  distributed systems. See distributed systems
  effective management of, 685–686
  evaluating based on CIA triad, 4
  exam topics, 376–378
  in formula for total risk, 73
  identifying, 63–64, 609–610
  I/O devices, 334–335
  managing as security practice, 685–688
  review answers, 929–930
  review questions, 380–383
  security audits reviewing management of, 746
  server-based, 341
  summary, 375
  TCP/IP suite, 450
  vulnerability analysis, 609–610
  web-based systems, 349–350
  written lab, 379
vulnerabilities, client-based
  applets, 337–338
  local caches, 339–341
  overview of, 337
vulnerabilities, in embedded and static systems
  examples of, 360–362
  methods of securing, 362–363
  overview of, 360
vulnerabilities, in mobile systems
  accessing and mitigating vulnerabilities, 350–351
  application security, 355–357
  BYOD policies and concerns, 357–360
  data ownership and, 357
  device security, 352–355
vulnerabilities, in security architecture
  covert channels, 369
  from design or code flaws, 370
  electromagnetic radiation (EM), 374–375
  incremental attacks, 372–373
  initialization and failure states, 370
  input and parameter checking, 370–372
  maintenance hooks and privileged programs, 372
  overview of, 369
  programming flaws, 373
  technology and process integration, 374
  timing, state changes, and communication disconnects, 373–374
vulnerability assessment
  after departure of disgruntled employee, 816–817
  network discovery scans, 634–637, 636–638
  network vulnerability scans, 637–640, 639–640
  overview of, 634
  penetration testing of, 727
  scans as reconnaissance attacks, 906
  scans as security practice, 686–687
  as security practice, 687–688
  web vulnerability scans, 640–642, 641

W
waiting state, types of operating states, 322
WANs. See wide area networks (WANs)
WAP (Wireless Application Protocol), 483–484
WAPs. See wireless access points (WAPs)
war dialing, 713–714
wardriving, 463
warm sites, as disaster recovery option, 780–781
warning banners, incident response and, 723
WarVOX, 714
water-based fire suppression systems, 405
waterfall model, 847–848, 848
water/flooding issues
  disaster recovery planning for, 762–763
  physical security, 402
watermarking, egress monitoring with, 741–742
watermarks, using steganography for, 251
web application security
  cross-site scripting (XSS), 901–902
  with encryption, 249–250
  overview of, 901
  SQL injection, 902–904, 903
“web of trust” concept, in Pretty Good Privacy (PGP), 249
web vulnerability scans, 640–642, 641
web-based systems, accessing and mitigating vulnerabilities, 349–350
webcasting, copyright protection and, 135
websites
  defacing in thrill attacks, 817


  online privacy policies, 178
weighting information, in neural networks, 872
well known ports, 439
WEP. See Wired Equivalent Privacy (WEP)
wet pipe fire suppression system, 405
whaling attacks, as variant of phishing, 618
white boxes, phreaker tools, 507
white noise, securing electrical signals and radiation, 399
white-box testing
  penetration testing, 643, 729
  software quality, 857
white-box testing by full-knowledge team, 729
white-box testing by zero-knowledge team, 729
whitelisting
  in Apple iOS, 725
  blocking users from unauthorized applications, 724
  preventing malicious code, 894
wide area networks (WANs)
  connection technologies, 534–536
  dial-up encapsulation protocols, 536–537
  local area networks compared with, 473
  technologies, 532–534
Wi-Fi Protected Access (WPA/WPA2)
  configuring wireless security, 462
  overview of, 459
  securing wireless networks, 257
WikiLeaks, 350
wildfires, disaster recovery planning for, 764–765
WIPO (World Intellectual Property Organization), 134
Wired Equivalent Privacy (WEP)
  configuring wireless security, 462
  IEEE 802.11 and, 455
  overview of, 458
  securing wireless networks, 257
wired extension infrastructure mode, wireless access points and, 455
wireless access points (WAPs)
  configuring wireless security, 462–463
  encryption of, 458–460
  securing, 454–456
Wireless Application Protocol (WAP), 483–484
wireless cells, 454
wireless channels, 456
wireless networking
  Bluetooth (IEEE 802.15), 484
  captive portals, 462
  cell phones, 481–484
  conducting site surveys, 457
  cordless phones, 484
  encryption of wireless access points, 458–460
  firewalls, 465–469, 468
  general concepts, 480–481
  managing antenna placement and power levels, 461
  mobile devices, 485
  Network Access Control (NAC), 464–465
  overview of, 454
  securing, 257–258
  securing endpoints, 469
  securing hardware devices, 470–472
  securing network components, 463–464
  securing service set identifiers, 456–457
  securing wireless access points, 454–456
  security procedures, 462–463
Wireless Transport Layer Security (WTLS), 483
Wireshark, 614–615
wiretaps, 483–484
wiring closets, securing, 391–393, 392
WordPress, role-based controls of, 601
work areas (operation centers), physical security of, 395
work function (work factor), in cryptography, 201
workgroup recovery
  disaster recovery strategy for, 778
  implementing mobile sites for, 781
World Intellectual Property Organization (WIPO), 134
worms
  Code Red worm, 890–891
  destructive potential of, 890
  email security issues, 510
  as malicious code, 890–893
  spread of Internet worm, 891–892
  Stuxnet, 892–893
WPA/WPA2. See Wi-Fi Protected Access (WPA/WPA2)
wrappers, methods of securing embedded and static systems, 363
WTLS (Wireless Transport Layer Security), 483

X
X.25, WAN connections, 535
X.509 standard
  email security solutions, 511
  enrollment of certificates and, 245
  standard for digital certificates, 242
  use by S/MIME, 249


XACML (Extensible Access Control Markup Language), 578
Xmas scan, network discovery with, 635
XML (extensible markup language)
  types of markup languages, 577
  vulnerabilities in web-based systems, 349
XOR (exclusive OR) operation
  Boolean logical operations, 198
  in DES, 214
XSS (cross-site scripting) attacks, on web applications, 901–902

Z
zero-day vulnerabilities
  malicious code taking advantage of, 894–895
  protecting against exploits, 711–712
  spear phishing, 618
zeroization, securing media storage facilities, 394
zero-knowledge proof, in cryptography, 200, 200–201
Zeus, as drive-by download, 712
zombies, 709
zzuf tool, mutation fuzzing, 646, 647
