
Cole bindex.tex V3 - 07/28/2009 6:40pm Page 849

Numbers
3G (third generation) cellular technologies, 507
4G (fourth-generation) mobile devices, 464–468
802.11. See IEEE 802.11
802.11i, 496–503
802.1X, 491–492

A
A records, 361
academic technologies/ideas, 155–158
acceptability, 101
access
    of attackers exploiting systems, 790–793
    controlling. See access control
    future planning of, 846–847
    in penetration testing, 785–786
    in Windows security, 179
access control
    administrative, 113–114
    audit trails and, 114
    authentication in, 115–121
    biometrics for, 116–117
    centralized, 115
    Challenge Handshake Authentication Protocol for, 125
    to data, 123, 798
    to databases, 121–123
    decentralized, 115
    detective, 114–115
    discretionary, 110–111
    identification in, 115–121
    implementation types for, generally, 112
    intrusion detection systems for, 114
    Kerberos for, 118–121
    KryptoKnight for, 121
    mandatory, 111
    models for, generally, 109–110
    non-discretionary, 112
    passwords for, 116, 125
    physical, 115
    preventive, 113–114
    RADIUS for, 124
    remote access in, 123–125
    for server security, 415
    SESAME for, 121
    Single Sign-On for, 117–121
    summary of, 125
    TACACS and TACACS+, 124
    technical, 113–114
    violations reports in, 114
account harvesting, 315–316
accountability, 37
accounts for e-mails. See e-mail security
accreditation. See also security assurance evaluation mechanisms
    certification and, 44–45
    defined, 757
    DIACAP for, 756–757, 760–763
    NIACAP for, 756–759
    overview of, 756–757, 763
acquisition phase, 56–58
acquisitions, 735–736
active attacks, 13–14, 40
active reconnaissance, 789–790
active response devices, 565–567
ActiveX, 278, 306–309
ad hoc mode, 479
ad support, 200–201
address autoconfiguration, 446–447
Address Resolution Protocol (ARP). See ARP (Address Resolution Protocol)
addressees, 331
administrative security controls
    access control, 113–114
    facility planning in, 102
    facility security management in, 103
    information system security management in, 102
    of personnel, 102
administrator accounts, 184–185
advanced blocking techniques, 253, 548
Advanced Encryption Standard (AES), 496–500, 595


Advanced Mobile Phone System (AMPS), 470–471
advanced settings for Internet Explorer, 285–286
advisory policies, 75
adware, 802
AES (Advanced Encryption Standard), 496–500, 595
Aircrack, 501
aircraft systems, 83–85
AirSnort, 501
ALE (annual loss expectancy), 70–71
algorithmic-based steganography, 647
algorithms. See cryptography
ALIGN, 307
"All People Seem To Need Data Processing", 432
America On Line (AOL), 378–379
AMPS (Advanced Mobile Phone System), 470–471
anacron, 228
analog telephone adaptors (ATAs), 450
analysis
    control of, 65
    cryptanalysis, 577
    in digital forensics, 738–746, 748
    impact of, 66–67
    of loss, 22–23
    of penetration testing, 787
    of results, 93, 843–844
    of risk, 842–844
    of vulnerabilities, 528
annual loss expectancy (ALE), 70–71
anomaly detection, 553–554, 565
anonymous authentication, 505
anonymous FTP (File Transfer Protocol), 418
anonymous usernames, 417
Antheil, George, 473
anti-spyware/adware tools, 802
antivirus protection
    applications for, 172
    intrusion detection for, 707–708
    signatures for, 193
    software for, 149, 801–802, 833
    in Windows security, 171–173, 180
anycasts, 446
AOL (America On Line), 378–379
apmd daemon, 229
APOP (Authenticated Post Office Protocol), 346–347
Appletalk Session Protocol (ASP), 435
Application layer, 433–434, 504
application proxies, 558
application-level attacks, 792
applications
    installing securely. See applications installation security
    in server security, 417–421
    testing questionable, 194
    upgrades for, 192–193
    versions of, 350
    in Web security, 310
applications installation security
    antivirus protection for, 171–173
    personal firewalls for, 173–174
    Pretty Good Privacy and, 175
    secure FTP and, 175
    Secure Shell and, 174
APTools, 502
architecture
    of Domain Name System, 388–389
    in e-mail security, 350–351
    of networks. See network architecture
    in risk management, 27
    of system security, 46
    workstations in, 176–177
ARP (Address Resolution Protocol)
    introduction to, 438
    in network architecture, 517–518
    spoofing, 332–334
arpwatch, 228
ASP (Appletalk Session Protocol), 435
Assess Information Protection, 48–51
assessment
    National Institute of Standards and Technology guidelines for, 756–757, 765–770
    of network security, 404
    of risk. See risk assessment
    in risk management, 27–31
    of security. See security assurance evaluation mechanisms
association in wireless communications, 479
assurance of security. See security assurance evaluation mechanisms
asymmetric encryption
    certificate authorities in, 598
    introduction to, 597–598
    primitives in cryptography, 597–599
    web of trust in, 598–599
ATAs (analog telephone adaptors), 450
atd service, 228
attachments to e-mails, 351


attack phase of pen testing, 785–786
attackers exploiting systems. See also attacks
    access of, 790–793
    active reconnaissance of, 789–790
    application-level attacks of, 792
    back doors of, 793–794
    covering tracks by, 794–795
    denial-of-service and, 793
    elevating privileges of, 792–793
    introduction to, 787–788
    misconfiguration attacks of, 792
    operating systems attacks of, 791
    passive reconnaissance of, 788–789
    program attacks of, 792
    scripts in attacks of, 792
    Trojan horses of, 794
    uploading programs by, 793
attacks, 127–142. See also attackers exploiting systems
    account harvesting, 315–316
    ad support in, 200–201
    application-level, 792
    back door, 130, 203, 793–794
    birthday, 133–134, 386
    on browsers, 268–269
    buffering against, 351
    common types of, generally, 129
    in cyber security, 6–7
    demon-dialing, 136
    denial-of-service, 129–130, 203, 793
    device loss and theft, 141
    distributed denial-of-service, 136–138, 528
    on Domain Name System, 384–386
    dumpster diving, 133
    eavesdropping, 135
    espionage, 138–140
    external, 136–140
    file extensions in, 204
    fragmentation, 131–132
    on hash functions, generally, 607–608
    hijacking, 131, 204, 268–269
    internal threats, 140–141
    malicious code, 127–129
    man-in-the-middle, 130
    mathematical, 132
    on MD4, 608–610
    on MD5, 610–613
    misconfiguration, 792
    network architecture and, 528–529
    on operating systems, 791
    overview of, 12–14
    packet sniffing, 204
    parasites, 269
    password guessing, 133–134
    penetration testing for. See penetration testing
    physical, 202
    port scanning, 133
    preparing for, 198
    program, 792
    replay, 131, 269–270
    scripts in, 792
    session replay, 204
    on SHA, 614–616
    social engineering, 132–133, 204–205
    software exploitation, 134–135
    spoofing, 130
    spyware, 200–202
    SQL injection, 316–317
    summary of, 142
    system misuse, 135
    targeted hacks, 138–140
    TCP, 131, 136
    TEMPEST, 202–203
    Trojan horse, 200, 794
    types of, 29–30, 780–782
    unintentional filesharing, 140–141
    viruses, 127–129, 198–199
    war driving, 136
    war-dialing, 136
    weak keys, 132
    on Web servers, 315–317
    against workstations, 198–205
    worms, 199–200
    on zeroconf networks, 524
AuCs (authentication centers), 463
audit trails
    access control, 114
    in securing information technology, 54
    as security assurance evaluation mechanisms, 773
auditing
    in configuration management, 89
    introduction to, 772
    passwords, 823
    process of, 773
    for server security, 416
    standards for, 772–773
    for Windows security, 197
Authenticated Post Office Protocol (APOP), 346–347


authentication
    in access control, 115–121
    browser protocols and, 262–263
    for cryptography, 575–576
    in e-mail security, 345
    of e-mails, 345
    enhancing, 265
    firewalls and, 531
    in information system security, 36
    integrating as security component, 823
    MAC layer for, 479
    mistakes to avoid in, 815
    primitives in cryptography for, 602–603
    in Public Key Infrastructure, 689
    in securing information technology, 54
    in WAP security layer, 505
authentication centers (AuCs), 463
authentication chains, 391
Authentication Headers, 696–697
Authentication Servers, 685–686
authorization
    faulty, 316
    in information system security, 37
    system security, 757
autocorrelation, 583
autofs, 228
automated data protection tools, 801–803
automated intrusion notice and recovery mechanisms, 726–727
automated modification of firewall rules, 539–540
automated vulnerability scanners, 782–783
automatic population of databases, 327
automatic update servers, 218
auto-processing, 323
AUTORUN, 167
availability issues
    in cryptography, 575
    in e-mail security, 339
    in future planning, 839
    in information system security, 35–37
    steganography, 642
awareness
    in data protection, 799
    of employees, 811–812
    in information system security management, 77–79
    of security plans, 94
    of server security needs, 399–400
    training in, 172
    of what is running on systems, 817

B
back door attacks
    of attackers exploiting systems, 793–794
    defined, 130
    in risk management, 31
    on workstations, 203
background checks, 4–6
backups
    as data protection, 799
    in e-mail security, 351
    in integration of security components, 828–829
    policies for, 29
    sites, 95–97
    systems, 414–415
    in UNIX/Linux security, 216
    in Windows security, 191
base practices, 752
base transceiver stations (BTSs), 462
baselines for security, 75–77
bastion hosts, 386
Bayesian logic, 337–338
behavior-based anomaly detection, 565
best practices for security
    antivirus software, 833
    auditing passwords, 823
    authentication, 823
    backups, 828–829
    binary code in HTTP headers, 826
    code reviews, 831
    configuration management, 832
    content inspection, 826–827
    cross-site scripting, 827
    defense-in-depth, 828
    detection methods, using multiple, 826
    disaster recovery plans, 830
    e-mail attachment inspection, 827
    essential services only, 831–832
    file transfer inspection, 827
    firewalls, 832–833
    HTTP/HTTPS tunneling, 826
    infrastructure assessments, 820–821
    internal servers protected from outbound communications, 820
    intrusion detection systems, 832–833
    logging, 825–826
    malicious URL detection, 827
    naming servers, 834
    network diagrams, 819–820
    outgoing communications, monitoring, 826
    password policy, 821–823
    patching policies, 823–824


    perimeter protection, 821, 832–833
    physical security, 830
    placement of systems, 820
    policy statements, 819
    remote access, 827
    secure communications, 828
    sensitive information protection, 829
    service accounts, 823
    single-use servers, 832
    system accounts protection, 834
    trust relationships, 833
    UNIX systems, 831
    URLs, 827
    user education, 830–831
    vulnerability assessments, 824–825
Big Brother, 200–201
Biham, Eli, 616
binary code in HTTP headers, 826
BIND service, 375
biometrics
    for access control, 116–117
    in information system security management, 100–102
    in pass phrases, 626
    in quantum cryptography, 626
BIOS. See also NetBIOS
    changing settings of, 213
    control of, 212
    enabling password for, 213
birthday attacks, 133–134, 386
black-box penetration testing, 772
blacklisting, 337
blackmailing, 626–627
block ciphers, 593–595
blocking
    advanced techniques for, 548
    firewalls for, 253, 543–545
    generic exploit, 154
    incoming traffic, 248–250, 543–545
    IP addresses, 556
    logging in, 546–547
    outgoing traffic, 250–251, 545–546
    port, 162–163
Bluetooth, 503–504
boot loader passwords, 213
bootable CDs and USB drives, 172
booting, 212–213
boundlessness of Internet, 12
bra-kets, 617
breaches of security, 10–11. See also attacks
bridges, 514
broadband wireless, 506–507
browser security. See Web browser security
brute-force attacks, 576–577
bsd-airtools, 501
Btscanner, 502
BTSs (base transceiver stations), 462
buffer overflow exploit prevention, 155
Bush, Dr. Vannevar, 297
business continuity planning
    approval of plan in, 93–94
    business impact assessments in, 92–93
    development of plan in, 93
    goals of, 91
    implementation in, 93–94
    overview of, 90
    roles and responsibilities in, 94
    scope and plan initiation of, 92
business impact assessments, 92–93, 401
business systems, 30
business workstations, 170

C
C and C++ languages, 406
C&A (certification and accreditation), 44–45. See also certification
cable locks, 100
cache poisoning, 385–388
caching, 264, 281–282
Caesar's encryption scheme, 581–582
calculating risk, 70–71. See also risk assessment
callback functions, 543
camouflage, 640–641
Camouflage, 669
canary values, 157
capability dimension, 752, 755–756
care-of addresses, 466
Carnegie Mellon University, 717
cast introduction, 590–591
(CBC) cipher-block chaining, 497–499, 594
CDMA (Code Division Multiple Access)
    in cellular network technology, 464–468
    FHSS and, 483
    spread spectrum technologies as. See spread spectrum technologies
    versions of, 473
    in wireless transmission systems, 469–473
CDPD (Cellular Digital Packet Data), 471
cell phones. See cellular telephones
cell towers, 462
Cellular Digital Packet Data (CDPD), 471


cellular telephones
    4G for, 464–465
    calling with, 464
    fault tolerance and, 467–468
    history of, 464–465
    local area networks and, 466–467
    location discovery and handoff with, 466
    networks for, 462–463
    system infrastructure of, 465–466
centralized access control, 115
centralized security management consoles, 803
CERs (crossover error rates), 100
CERT (Community Emergency Response Teams), 350, 388
CERT/CC (Community Emergency Response Teams/Coordination Center)
    analyzing information, 719
    communications with incident response team, 719–720
    eliminating intruder access, 721
    implementing security lessons learned, 721–722
    normalizing operations, 721
    preparing to respond to intrusion, 718–719
    protecting information, 720
    recommended practices of, 717–718
    response policies and procedures, 718
    short-term containment solutions, 720
certificate authorities (CAs)
    in cryptography, 598
    e-mails security and, 684
    in key management, 691–692
Certificate Revocation Lists (CRLs), 691–692
certificates
    in Java sandbox, 305
    in Secure Socket Layer, 266–267
    in UNIX/Linux security, 243–245
certification. See also security assurance evaluation mechanisms
    accreditation and, 44–45
    defined, 759
    DIACAP for, 756–757, 760–763
    DITSCAP for, 758–760
    documentation support, 761
    introduction to, 763
    NIACAP for, 756–759
    overview of, 756–757
CFB (cipher feedback), 594
CGI (Common Gateway Interface) scripts, 301–302
Chabaud, Florent, 615–616
chain of evidence, 731–734
Challenge Handshake Authentication Protocol (CHAP), 125
chaos attacks, 524
CHAP (Challenge Handshake Authentication Protocol), 125
Chargen, 227, 414
checklist reviews, 97
Chen, Rafi, 616
Chinese Remainder Theorem, 604
chipping code, 476
chkconfig commands, 235–236
chroot, 240
CIA (confidentiality, integrity, availability). See confidentiality, integrity, availability (CIA)
CIDR (classless interdomain routing), 517
cipher feedback (CFB), 594
cipher text, 576–577
cipher-block chaining (CBC), 497–499, 594
ciphers
    block, 593–595
    historical impact of, 586–587
    history of, 586–587
    stream, 592–593
    substitution, 581–587
circuit switching, 451–452
CIRT (computer incident response teams), 708
CIs (configuration items), 88
civil cases, 745
classical TC (Trusted Computing), 421–423, 426
CLASSID, 307
classifying sensitive data, 797
classless interdomain routing (CIDR), 517
cleaning up systems, 197–198
client access controls, 803
client authentication, 505
client content
    ActiveX and, 306–309
    HTTP and, 304
    Java and, 304–309
    JavaScript and, 303–304
    permissions in, 305–306
    sandboxes for security of, 304–305
    Web security and, 303–309
client key exchange, 701
client risk, 255–259. See also Web browser security
client/server model of HTTP, 298–299
Clinton, President William, 576
clipping levels, 774
closed-box penetration testing, 772
closed-circuit televisions, 99
close-in attacks, 40


CLRs (Certificate Revocation Lists), 691–692
cmdline, 223–224
CNAME (Canonical Name) records, 362–364
code cleanliness, 406
Code Division Multiple Access (CDMA). See CDMA (Code Division Multiple Access)
code reviews, 831
code stores, 305
CODEBASE, 307
cold sites, 96
collaboration tools
    integrity of data in, 331–334
    malcode attacks on, 325–327
    overview of, 324–325
    privacy of data in, 327–331
collision-resistance one-way functions, 600
color tables, 653–654
combustible materials, 104
Common Gateway Interface (CGI) scripts, 301–302
Community Emergency Response Teams (CERT), 350, 388
Community Emergency Response Teams/Coordination Center (CERT/CC). See CERT/CC (Community Emergency Response Teams/Coordination Center)
company sensitive data, 186
compliance, 799
compression, 296
computationally secure algorithms, 591
computer crime types, 106
computer forensics. See also digital forensics
    defined, 729
    legal issues in, 105
    proactive, 746–748
    traditional, 730
computer incident response teams (CIRT), 708
computer security teams
    CERT/CC, 723–724
    Federal Computer Incident Response Center, 724
    Forum of Incident Response and Security Teams, 725
computer-to-computer calls, 451
confidentiality
    cryptography for, 573–574
    of data, 262, 265
    in e-mail security, 338–339
    in future planning, 839
    in Public Key Infrastructure, 689–690
    in steganography, 641–642
confidentiality, integrity, availability (CIA), 589, 602–603
    in access control, 109
    with cryptography, 573
    in information system security, 35–37, 73
    in physical security, 413
    in Windows security, 191–192
configuration
    auditing, 89
    of browsers. See Web browser configurations
    controlling. See configuration control
    identification, 88
    management of. See configuration management
    security controls, 182–184
    security issues, 180–182
    status accounting, 89
configuration control. See also configuration management
    for server security, 402–404, 413–415
    status accounting in, 89
    for UNIX/Linux security, 217–224
Configuration Control Board (CCB), 89, 402–404
configuration items (CIs), 88
configuration management. See also configuration; configuration control
    auditing in, 89
    definitions in, 88
    documentation change control in, 89–90
    for hardening UNIX, 245–246
    identification in, 88
    in integration of security components, 832
    overview of, 87
    primary functions of, 88
    procedures of, 88
    security in, 180–184
    status accounting in, 89
configuration security controls
    digital certificate technology for, 183
    software on workstations in, 183–184
    user accounts on systems, 182–183
configuration security issues
    antivirus protection, 180
    user accounts, managing, 181–182
    user rights, limiting, 180
confirmations, 689
connections, defined, 534
contemporary TC (Trusted Computing), 421–423, 426
content injection, 407–409
content inspection, 826–827
content matching, 561


content settings for Internet Explorer, 285
content-level inspections, 31
contingency planning, 54, 90
continuity of operations, 90
control analysis, 65
control categories, 69–70
control recommendations, 68
controlling
    configurations. See configuration control
    operations in packet inspection methods, 560–561
    processes in UNIX security. See controlling processes in UNIX security
    users, 237–243
controlling processes in UNIX security
    chkconfig commands in, 235–236
    init process in, 233–234
    netstat commands in, 230–232
    nmap commands in, 232–233
    overview of, 225
    processes controlling processes in, 233–237
    ps commands in, 230
    service commands in, 236–237
    service detection in, 230–233
    services for special purposes in, 228–230
    services to avoid for, 225–226
    services to use for, 226–228
    xinetd process in, 234–235
convenience of browsers, 256
cookies
    browser protocols and, 264
    cross-site scripting and, 407
    data handling practices in, 185
    domain of, 311
    encryption and, 410
    expiration of, 311
    Internet Explorer settings for, 284–285
    Netscape and, 281
    path for, 311
    security of, 312
    storing, 312–313
    in Web browser and client security, 260–262
    in Web browser configurations, 276–277
    in Web security generally, 310
    in Windows security, 201
    workings of, 310–312
corporate firewalls, 542–543
countermeasures, 841–842
cover channels, 638–639
covering tracks, 794–795
covert communications. See steganography
Crack, 247
crackability, 580–581
crackers, 532
criminal cases, 746
critical security ratings, 192
crond service, 229
crossover error rates (CERs), 100
cross-site scripting (XSS), 407–408, 827
cryptanalysis, 577
cryptography
    algorithms for, 578–580, 603–606
    asymmetric encryption in, 597–599
    for authentication, 575–576
    availability issues in, 575
    block ciphers in, 593–595
    brute-force attacks and, 576–577
    building in, 580
    cast introduction in, 590–591
    certificate authorities in, 598
    ciphers in, 576–577, 586–587
    confidentiality, integrity, availability with, 573–574, 602–603
    crackability of, 580–581
    decryption of, 577
    defined, 54, 572
    encryption as, 577
    goals of, 573–576
    hash functions in, 607–608, 617
    for integrity of data, 574–575
    keys, 577
    MD4, MD5 attacks on, 608–613
    for non-repudiation, 576
    plain text in, 577
    primitives in, 587, 605–606
    principles of, 577
    proof of security in, 578
    proprietary algorithms in, 579, 606–607
    pros and cons of, 572–573
    pseudo random number generation, algorithms for, 588–589
    quantum. See quantum cryptography
    random number generators in, 585–586, 587–591
    for secret communications, 571–572
    Secure Socket Layer and, 580
    security of, 581
    SHA, attacks on, 614–616
    sharing keys in, 595–596
    steganography vs., 644–646
    stream ciphers in, 592–593


    sub-goals of, 575–576
    substitution ciphers in, 581–587
    summary of, 628–629
    symmetric encryption in, 591–596
    terms in, 576–577
    two-key encryption in, 597–599
    user input generating numbers for, 589
    Vigenere cipher in, 582–585
    web of trust in, 598–599
    whitening functions in, 589–590
    XOR in, 585–586
ctrl-alt-del pseudofile, 224
cups-lpd, 227
current packet inspection methods, 557–558
current state of security, 11–12
custody, 731–734
customer separation, 145–146
cwd, 224
cyber security
    active attacks in, 13–14
    assessing risk management in, 27–31
    attack types, generally, 12–13
    attacks in, generally, 6–7
    background of, 4–6
    boundlessness of Internet and, 12
    breaches of, 10–11
    changes in, 16–17
    current state of, 11–12
    enterprise security methodologies for, 19–27
    future planning for, 836–837
    interfacing with organizations for, generally, 19
    new approaches to, generally, 9, 15
    overview of, 3–4
    passive attacks in, 14
    principles of, 15–16
    reactive security vs., 6
    risks in, 4
    state of, 3–8
    summary of, 7–8, 17–18, 32
    trends in, 6, 9–16

D
DAA (Designated Approving Authority), 45
DAC (discretionary access control), 110–111
data collection, 212
data confidentiality, 262, 265
data encapsulation, 432
Data Encryption Standard (DES). See DES (Data Encryption Standard)
data handling, 185–186, 405–406
data integrity, 331
Data Link layer, 437–438
data normalization, 123
data protection
    access in, 798
    anti-spyware/adware tools for, 802
    antivirus software for, 801–802
    automated tools for, 801–803
    awareness in, 799
    backing up as, 799
    centralized security management consoles for, 803
    client access controls for, 803
    compliance in, 799
    data usage policies for, 798
    encryption for, 798
    endpoint policies for, 804–805
    endpoint security for, 799–805
    hardening for, 798, 800–801
    host-based intrusion detection systems for, 802
    insider threats and, 805–806
    Linux and, 801
    network access control and, 805
    patch management in, 801
    personal firewalls for, 802
    physical security for, 798, 803–804
    remote access and, 805
    sensitive data in, 797
    summary of, 806–807
    user education on, 805
    validation of, 799
    virtual machines and, 805
    vulnerability assessments of, 804
    Windows and, 800
data remanence, 105
data sharing server applications, 417–420
data transfer, 479
data types, 186
data usage policies, 798
data volume, 643
data vulnerabilities, 324
databases
    accessing, 121–123
    automatic population of, 327
    object-oriented, 123
    relational, 121–123
    SQL injection of, 316–317
    whois, 780
datagrams, 436
dates, 262
daytime, 227


DDoS (distributed denial-of-service) attacks, 136–138, 528
de facto standard of security, 581
decentralized access control, 115
decryption, 577
Defense-in-Depth strategy
    attacks vs., 40
    in information system security principles, 38–41
    in integration of security components, 828
    operations and, 39–40
    overview of, 38
    people and, 39
    in server security, 398
    technology in, 39
definition phase, 757, 759
DELETE requests, 289
demilitarized zones (DMZs), 27, 513
demon-dialing attacks, 136
denial of applications, 28
denial-of-service (DoS) attacks
    distributed, 136–138
    Domain Name System and, 379
    in network architecture, 528
    overview of, 129–130, 793
    in penetration testing, 781
    in risk management, 28
    on workstations, 203
    on zeroconf networks, 524
Department of Defense Regulation 5000.2-R Change 3, 80
Department of Defense Technology Security Certification and Accreditation Process (DITSCAP). See DITSCAP (Department of Defense Technology Security Certification and Accreditation Process)
departmental restricted data, 186
depth, 584, 588
DES (Data Encryption Standard)
    as block cipher, 595
    keys of, 592
    security of, 581
Designated Approving Authority (DAA), 45
designing server security, 396–413. See also server security
    awareness of need for, 399–400
    business impact assessments in, 401
    code cleanliness in, 406
    Configuration Control Board and, 402–404
    content injection in, 407–409
    cross-site scripting in, 407–408
    data handling in, 405–406
    defense-in-depth principle in, 398
    development environment security for, 402
    development practices for, 405–411
    dynamic scripting in, 409
    encryption in, 409–411
    input validation in, 407
    language choice in, 406
    management and, 402
    network support for, 403–404
    overview of, 396–397
    respect for adversaries in, 399
    risk-based security controls for, 397–398
    screening input for, 409
    simplicity in, 399
    SQL injection in, 408
    stored procedures in, 408
    testing in, 411–413
desktop protections, 29
desktops, 526
despreading, 483
destination IP addresses, 533
detection
    access control and, 114–115
    control of, 69–70
    of hardware changes, 214–215
    of intrusion. See intrusion detection systems (IDSs)
    methods of, integrating, 826
    of steganography, 643–644
development
    environments, 402
    phase, 52, 56–58
    practices, 405–411
device loss and theft, 141
DHCP (Dynamic Host Configuration Protocol), 518–519
DIACAP (Department of Defense Information Assurance Certification and Accreditation Process)
    certification documentation support in, 761
    challenges of, 762–763
    Implementation Plan of, 761
    introduction to, 756–757, 760
    phases of, 760–762
    Plan of Action and Milestones of, 761
    scorecard of, 761
    System Information Profile in, 761
digital forensics, 729–750
    acquisitions in, 734
    analysis in, 738–740
    chain of evidence in, 731–734


    civil cases in, 745
    computer forensics and, 730
    criminal cases in, 746
    custody in, 731–734
    documentation in, 743–744
    evidence in, 730–731, 744
    forensic duplication in, 736
    full examination in, 741–743
    future research areas for, 748–750
    introduction to, 729–730
    legal closure in, 744–745
    life cycle of, 750
    limited examination in, 740
    live acquisition in, 736–737
    mirror images in, 736
    partial examination in, 740–741
    proactive, 746–748
    storage media for acquisitions, 737
    summary of, 750
    volatile information, 738
Digital Network Architecture Session Control Protocol (DNA SCP), 435
Digital Picture Envelope (DPE), 665–669
digital rights management (DRM)
    background of, 422
    information control, building systems for, 423–426
    information control, challenges of, 422–423
    introduction to, 421–422
digital signatures
    in cryptography, 598
    in e-mail security, 332–334, 339, 355
    in primitives, 599–600
    in Public Key Infrastructure, 690
digital watermarking
    defined, 673–674
    goals of, 676
    invisible, 675
    properties of, 674
    reasons for using, 674
    removing, 676–679
    steganography vs., 676–679
    types of, 675
    uses of, 676–677
    visible, 675
digital-coded cards, 101
DIP (DIACAP Implementation Plan), 761
direct sequence spread spectrum technologies, 476
directories, enumerating, 315
disablement, 164, 814
disaster recovery plans (DRPs)
    backup sites and, 95–97
    development of, 95
    goals of, 95
    implementation of, 97–98
    in integration of security components, 830
    introduction to, 90
    in risk management, 29
    testing of, 97
    timing objectives in, 95–96
Discover Information Protection Needs, 43–45
discovery
    in penetration testing, 780–781
    in pre-attack phase of pen testing, 784–785
    of Web services, 321
discrete logarithm problems, 596
discretionary access control (DAC), 110–111
disk partitioning, 215–216
disposal, 29
disposal phase, 52, 56–57, 59
distributed denial-of-service (DDoS) attacks, 136–138, 528
distribution attacks, 40
DITSCAP (Department of Defense Technology Security Certification and Accreditation Process)
    introduction to, 758–759
    phases of, 758–760
    roles of, 760
DMZs (demilitarized zones), 27
DNA SCP (Digital Network Architecture Session Control Protocol), 435
DNS (Domain Name System). See Domain Name System (DNS)
DNS SEC (Domain Name System security extensions)
    authentication chains in, 391
    implementation of, 392–393
    lookup process in, 391
    overview of, 381–382, 389–391
    pros and cons of, 392
    scalability of, 393
    trust anchors in, 391
Dobbertin, Hans, 610, 613
document writing, 178
documentation, 743–744
documentation change control, 89–90
dogs, 99
domain dimension, 752
domain name, 224
domain name lookups, 513


Domain Name System (DNS)
    in Application layer, 433
    architecture of, 388–389
    attacks on, 384–386
    authentication chains in, 391
    basics of, 358–364
    cache poisoning, 385–388, 392
    designing, 386–387
    enumerating domain names in, 382
    forward lookups in, 366–371
    hijacking, 392
    introduction to, 357
    iterative queries and, 383
    lookup process in, 391
    master-slave relationships in, 388
    misconfiguration of, 379
    name resolution, alternative approaches to, 374–375
    predictable query IDs and, 382–383
    purpose of, generally, 364–366
    records, 360–361
    recursion and, 383–384
    reverse lookups in, 371–374
    security extensions of. See DNS SEC (Domain Name System security extensions)
    security issues with, 377–384
    servers, 781
    setting up, 375–377
    split DNS design for, 386
    split-split DNS design for, 386–387
    spoofing, 385
    summary of, 393
    Transaction Signatures and, 380–381
    trust anchors in, 391
    updating, 414
    vulnerability statistics of, 384
    zone transfers, 379–382, 388
domain records, 360
domains, world-wide, 367–370
DoS (denial-of-service) attacks. See denial-of-service (DoS) attacks
downloading from Internet, 172
downtimes, 92
DPE (Digital Picture Envelope), 665–669
DRM (digital rights management). See digital rights management (DRM)
drop-off directories, 417
DRPs (disaster recovery plans). See disaster recovery plans (DRPs)
dry contact switches, 99
due care, 107
dumpster diving attacks, 133, 780
Dynamic Host Configuration Protocol (DHCP), 518–519
dynamic outbound packets, 513
dynamic scripting, 409

E

EAP (Extensible Authentication Protocol), 486–488, 491–492
ease-of-use, 147
Easter eggs, 639
easy-to-obtain operating systems (OSs), 208
eavesdropping
    attacks, 135
    as browser vulnerability, 258
    Web bugs for, 313–314
ECD (electronic code book), 594
Echo, 227, 414
EIRs (equipment identity registers), 463
electricity, 103, 580
electromagnetic spectrum, 459–461
electronic code book (ECD), 594
electronic monitoring, 106–107
Electronic Serial Number (ESN), 462
elevating privileges, 792–793
e-mail
    applications for, 172, 682–685
    attachments to, 827
    copies of, 201
    in network architecture, 526
    protocols for. See e-mail protocols
    security of. See e-mail security
    standard use of, 178
    in Windows security, 170
e-mail protocols
    IMAP, 344–345
    POP/POP3, 343–344
    Simple Mail Transfer Protocol, 340–342

e-mail security
    +OK logged on POP before SMTP, 348
    accounts for e-mails in, 349
    application versions in, 350
    architectural considerations in, 350–351
    attachments, inspecting, 827
    Authenticated Post Office Protocol for, 346–347
    authentication in, 345
    auto-processing in, 323
    availability issues in, 339
    blacklisting, 337
    collaboration tools vs. e-mail, generally, 324–325
    confidentiality in, 338–339
    data integrity in, 331
    data vulnerabilities in, 324
    Generic Security Services Application Programming Interface for, 348
    GNU Privacy Guard for, 354–355
    IMAP, 344–345
    integrity of e-mails in, 339
    Kerberos, 348
    login authentication, 346
    mail client configurations in, 349–350
    malcode attacks in, 325–327
    man-in-the-middle attacks in, 332
    NT LanManager protocol in, 347
    opening e-mails, guidelines for, 349
    operating safely while e-mailing, 348–355
    plain login, 345–346
    POP/POP3, 343–344
    Pretty Good Privacy in, 354–355
    privacy data in, 327–335
    protocols in, 340–345
    replay attacks in, 332–335
    risks requiring, 323
    sacrificial e-mail addresses in, 349
    Simple Mail Transfer Protocol, 340–342
    social engineering in, 323
    spam in, 335–339
    SSH tunnels for, 351–354
    summary of, 334–335, 355

enablement vs. disablement, 814
EnCase, 739–742
encryption
    as cryptography, 577
    for data protection, 798
    in e-mail security, 346–347
    in quantum cryptography, 626–628
    in risk management, 29
    for server security, 409–411
    two-key, 597–599
    in UNIX/Linux security, 243–245
    in Web browser configurations, 281
endpoint security
    anti-spyware/adware tools for, 802
    antivirus software for, 801–802
    automated tools for, 801–803
    centralized security management consoles for, 803
    client access controls for, 803
    for data protection, 799–805
    hardening operating systems for, 800–801
    host-based intrusion detection systems for, 802
    Linux and, 801
    network access control and, 805
    patch management in, 801
    personal firewalls for, 802
    physical security for, 803–804
    policies for, 804–805
    remote access and, 805
    user education on, 805
    virtual machines and, 805
    vulnerability assessments of, 804
    Windows and, 800
Engelbart, Doug, 298
engineering principles, 54–56
enrollment times, 100
enterprise forensics. See digital forensics
enterprise security methodologies
    audits in, 24–27
    business impacts in, 21–22
    controls in, 24
    exploits and, 21
    loss analysis in, 22–23
    mitigation in, 23–24
    overview of, 19–21
    risk assessment in, 22
    risk determination in, 23
    risk management questions, 27–31
    summary of, 32
    threats and, 21
    vulnerability and, 21
enumeration
    of directories, 315
    of domain names, 382
    in penetration testing, 781, 785
environmental issues, 103–105
    data remanence, 105
    electrical power, 103
    fire suppression, 104–105
    humidity, 103
    object reuse, 105
equipment identity registers (EIRs), 463
ESN (Electronic Serial Number), 462
espionage attacks, 138–140
essential services only principle, 831–832
ethical hacking, 770. See also penetration testing
evaluation of risk. See risk assessment
evaluation of security, 769. See also security assurance evaluation mechanisms
evidence collection, 730–731


evidence retention, 744
evolution of browsers, 257
exclude lists, 567
executables, 259
expert users, 210
expiration, 262
exploitation of systems. See attackers exploiting systems
Extensible Authentication Protocol (EAP), 486–488, 491–492
Extensible Markup Language (XML), 319–320
external attack methodologies, 136–140
external penetration testing, 771
eyes only data, 186
EZ-Stego, 663–664

F

facility planning, 102
facility security management, 103
failure points in future planning
    access, 846–847
    limiting generally, 844–847
    redundancy, 845–846
Fake AP, 502
false acceptance rates (FARs), 100
false alarms, 815
false negative detection results, 555
false positive detection results, 555
false rejection rates (FRRs), 100
FARs (false acceptance rates), 100
fast factoring, 621–622
fault tolerance, 467–468
faulty authorization, 316
FDD (Frequency Division Duplex), 472
FedCIRC (Federal Computer Incident Response Center), 724
Federal Information Processing Standard (FIPS), 763–764
Federal Information Security Assessment Framework (FITSAF), 755–756
felony boxes, 422
fencing, 99
Ferguson, Niels, 495
FHSS (frequency hopping spread spectrum), 476–479, 503
file allocation tables, 167
file extension attacks, 204
file ownership, 210
file permissions, 167, 237–239
file sharing
    applications for, 172
    in UNIX/Linux security, 218
    in Windows security, 170
File Transfer Protocol (FTP)
    in Application layer, 433
    file transfers via, 226
    in server security, 414–418
file transfers
    inspecting, 827
    in UNIX/Linux security, 218
    in Windows security, 170
finances
    on e-mail, 178
    information about, 331
    responsibilities regarding, 400
Finger, 227, 414
fingerprint systems, 101, 781
FIPS (Federal Information Processing Standard), 763–764
fire suppression, 104–105
firewalls
    advanced blocking techniques of, 548
    automated modification of rules for, 539–540
    blocking traffic with, 543–545
    corporate vs. home, 542–543
    disadvantages of, 536–537
    Iptables, 543–548
    logging blocked traffic, 546–547
    multiple entry points of, 538–539
    multiple heterogeneous rulesets for, 540
    overview of, 531–532
    packet-filtering, 533
    packet-filtering and, 532–534
    in penetration testing, 781
    personal, 542–548, 802
    policy conflicts in, 540–542
    proxy, 535–536
    in risk management, 31
    rules of, 537–542
    as security component, 832–833
    in server security, 404
    stateful packet-filtering and, 534–535
    summary of, 548
    tiered architecture of, 537–538, 540–542
    in Windows security, 149
    in workstations, 177
FIRST (Forum of Incident Response and Security Teams), 725
FITSAF (Federal Information Security Assessment Framework), 755–756


FMDA (Frequency Division Multiple Access), 469
forensic duplication, 736
Forensic Tools Kit (FTKs), 739
forensics, 105. See also digital forensics
forgery, 494
formal processes, 37
Forum of Incident Response and Security Teams (FIRST), 725
fourth-generation (4G) mobile devices, 464–468
fragmentation attacks, 131–132
frequencies, 460
frequency analysis, 583
Frequency Division Duplex (FDD), 472
Frequency Division Multiple Access (FMDA), 469
frequency hopping, 476–477
frequency hopping spread spectrum (FHSS), 476–479, 503
frequency of sine waves, 460
FRRs (false rejection rates), 100
FTKs (Forensic Tools Kits), 739
FTP (File Transfer Protocol). See File Transfer Protocol (FTP)
full examination, 741–743
full knowledge in security assessments, 780
full knowledge penetration testing, 771
full-interruption tests, 97
full-scale exercises, 97
fully qualified domain names, 364–365
functional drills, 97
future planning, 835–847
    access in, 846–847
    availability in, 839
    confidentiality in, 839
    countermeasures in, 841–842
    cyber-security stance in, 836–837
    digital forensics in, 748–750
    failure points of, 844–847
    impact analysis in, 840–841
    integrity in, 839
    mission resilience in, 837–844
    organizational approach to, 835–836
    presentation of analysis results in, 843–844
    probability in, 840
    problems in, 835–837
    qualitative risk analysis in, 842–843
    quantitative risk analysis in, 843
    redundancy in, 845–846
    risk analysis in, 842–844
    risk in, 837–838
    summary of, 847
    threats in, 838–839
    vulnerabilities in, 839–840
    of wireless security, 506

G

G (generations) of wireless technology, 464
games, 171, 178
gateway interaction devices, 566
gateways, 515
general settings for Internet Explorer, 282
generally accepted principles, 53
“Generally Accepted Principles and Practices for Securing Information Technology Systems”, 51
generation steganography, 652–653
generations (G) of wireless technology, 464
generic exploit blocking, 154
Generic Practices (GPs), 752–753
Generic Security Services Application Programming Interface (GSSAPI), 348
GET lines, 263–264
GET method, 288, 300
GID flags, 239–241
Gif Shuffle, 669–671
Gkrellm wireless plug-ins, 502
GNOME Wireless Applet, 502
GNU Privacy Guard (GPG), 244, 354–355
Google, 780
GPG (GNU Privacy Guard), 244, 354–355
gpm service, 229
GPs (Generic Practices), 752–753
grammar-based steganography, 648
gray-box penetration testing, 772
group category, 237
GSSAPI (Generic Security Services Application Programming Interface), 348
guards, 99

H

H.323 VoIP (Voice over Internet Protocol), 457
handshakes, 265–266
hardening
    end points, 798
    hosts, 145–146, 149
    infrastructure, 798
    testing of, 175
    UNIX. See hardening UNIX


hardening, quick-start
    disabling unneeded services for, 164
    overview of, 160
    passwords in, 163–164
    patches for, 161
    port blocking for, 162–163
    printing files in, 161–162
    removing unneeded components for, 164–165
    security template for, 166
    service packs for, 161
    sharing files in, 161–162
hardening systems
    AUTORUN vs., 167
    file allocation tables in, 167
    file permissions in, 167
    of operating systems, 800–801
    overview of, 166–167
    passwords in, 169–170
    Registry in, 167
    user groups rights in, 168
    user level accounts in, 168–169
hardening UNIX
    advanced blocking techniques, 253
    blocking incoming traffic, 248–250
    blocking outgoing traffic, 250–251
    configuration items for, 245–246
    logging blocked traffic, 251–253
    packet filtering with iptables for, 247–253
    passwords in, 247
    TCP wrapper for, 247
hardware changes detection, 214–215
hardware phones, 456
hash codes, 683
hash functions
    attacks on, generally, 607–608
    encryption and, 410
    future of, 617
    MD4, attacks on, 608–610
    MD5, attacks on, 610–613
    in number generation, 589
    primitives in cryptography, 600–602
    SHA-1, attacks on, 616
    SHA-0, attacks on, 614–616
HEAD requests, 288
header checksum fields, 448
header condition signatures, 709
header of IPv6 (Internet Protocol version 6), 448
HEIGHT, 307
heuristics, 802
hidden fields, 315
hidden frames, 314
Hide and Seek, 657–659
hijacking attacks
    on browsers, 268–269
    defined, 131
    on workstations, 204
    on zeroconf networks, 524
histories in Web browsers, 281
HLRs (home location registers), 462–463
home firewalls, 542–543
home location registers (HLRs), 462–463
home workstations, 170–171
Honeyd, 716
Honeynet Project, 716
honeynets, 714
honeypots
    categories of, 713–714
    detecting attacks, 713
    high-interaction, 714
    Honeyd, 716
    Honeynet Project, 716
    introduction to, 712
    low-interaction, 713–714
    preventing attacks, 713
    purposes of, 712–713
    responding to attacks, 713
    when to use, 714–715

hooks, 543
host name, 224
host services, 225
host-based intrusion detection systems (IDSs), 550–551, 708–710
host-based intrusion prevention systems (HIPS), 149
hot sites, 96
Hotspotter, 501
HTML (Hypertext Markup Language), 259, 300–301
HTTP (Hyper Text Transfer Protocol)
    client content in, 304
    client/server model of, 298–299
    DELETE requests, 289
    GET method in, 288, 300
    HEAD requests, 288
    HTML and, 300–301
    httpd in, 229
    HTTPS tunneling in, 826
    implementation of, 292–294
    origins of, 297–298
    overview of, 287–289
    persistent connections in, 296–298
    POST requests, 289
    PUT method in, 289, 299–300
    slow starts in, 295–296
    state in Web security, 309
    tunneling, 826
    in Web browser and client security, 259–261
    workings of, 289–292

hubs, 514
humidity, 103
Hyper Text Transfer Protocol (HTTP). See HTTP (Hyper Text Transfer Protocol)
Hypertext Markup Language (HTML), 259, 300–301

I

IATF (Information Assurance Technical Framework), 38–42
IBSS (Independent Basic Service Set), 479
ICMP (Internet Control Message Protocol), 437
ID, 307
ID (intrusion detection). See intrusion detection (ID)
Ideaflood, 365
identification
    in access control, 115–121
    in configuration management, 88
    in information system security, 36
    in securing information technology, 54
    of sensitive data, 797
IDSs (intrusion detection systems). See intrusion detection systems (IDSs)
IEEE 802.11
    deployment of, 482–483
    Extensible Authentication Protocol in, 486–487
    introduction to, 485–486
    key management in, 487
    as LAN/WAN standard, 438–439
    Light Extensible Authentication Protocol in, 487–488
    management of, 482–483
    operational features of, 483–485
    overview of, 480–481
    physical security in, 486
    Protected Extensible Authentication Protocol in, 488
    Transport Layer Security in, 488
    Wired Equivalent Privacy standard for, 486, 489–496
    wireless channels and, 481–482
    wireless security of. See IEEE 802.11
IEEE 802.11i
    AES CCM and, 500
    AES Counter and, 497
    cipher-block chaining and, 497–499
    Initialization Vector in, 500
    overview of, 496–497
    pre-authentication for roaming in, 500
    Pre-Shared Key mode of, 500
    testing tools of, 501–503
IEEE 802.20, 507
IEEE wireless LAN specifications
    MAC layer in, 478–480
    PHY layer in, 478
    for wireless security, 478–480
IETF (Internet Engineering Task Force), 722
Image Hide, 664–665
images, 259
IMAP (Internet Message Access Protocol), 344–345, 682
imap(s), 227
impact analysis
    defined, 61
    in future planning, 840–841
    in risk assessment, 66–67
implementation
    algorithms vs., 578–579
    of HTTP, 292–294
    phase of, 52, 56–57, 59
    of system security, 47–48
    types for, 112
Implementation Plan of DIACAP (DIP), 761
IMPs (Information Management Policies), 44
IMs (instant messages). See instant messages (IMs)
IMSI (International Mobile Subscriber Identity), 462
incident handling
    automated notice and recovery mechanisms for, 726–727
    CERT/CC guidelines for, 717–722, 723–724
    Federal Computer Incident Response Center for, 724
    Forum of Incident Response and Security Teams for, 725
    Internet Engineering Task Force guidelines for, 722
    introduction to, 716–717
    layered security approach to, 723
    security incident notification process in, 725–726
incident response teams
    CERT/CC, 723–724
    Federal Computer Incident Response Center, 724
    Forum of Incident Response and Security Teams, 725


Independent Basic Service Set (IBSS), 479
index of coincidence, 583
information assurance
    Federal Information Security Assessment Framework for, 755–756
    introduction to, 751
    National Security Agency Infosec Assessment Methodology for, 754–755
    Operationally Critical Threat, Asset, and Vulnerability Evaluation for, 755
    Systems Security Engineering Maturity Model for, 751–753
Information Assurance Technical Framework (IATF), 38–42
information control, 422–426
information exchange, 209
information leakage, 379
Information Management Policies (IMPs), 44
Information Protection Policies (IPPs), 44
information system development cycle, 56–59
information system security management
    of administrative security controls, 102
    advisory policies in, 75
    baselines in, 75–77
    biometrics and, 100–102
    business continuity planning in, 90–94
    computer crime types, 106
    configuration management in, 87–90
    of data remanence, 105
    disaster recovery plans in, 90, 95–98
    of electrical power, 103
    electronic monitoring in, 106–107
    environmental issues in, 103–105
    facilities in, 102–103
    of fire suppression, 104–105
    guidelines for, 75–77
    of humidity, 103
    informative policies in, 75
    legal issues in, 105–107
    liability in, 107
    measuring security awareness, 78–79
    of object reuse, 105
    of personnel controls, 102
    physical security controls in, 98–103
    principles of. See information system security principles
    procedures of, 75–77
    program managers in, 79–80
    regulatory policies in, 75
    security awareness in, 77–79
    security policies in, 73
    senior management policy statements in, 74–75
    smart cards in, 100–101
    standards for, 75–77
    statements of work in, 82
    summary of, 107
    systems engineering management plans in, 80–87
    of technical efforts, 79–87
    technical performance measurements in, 85
    of technical security controls, 100
    test and evaluation master plans in, 85–87
    training in security awareness, 78
    U.S. government policies in, 75
    work breakdown structures for, 82–85
information system security principles
    accountability in, 37
    authentication in, 36
    authorization in, 37
    for calculating risk, 70–71
    confidentiality, integrity, availability, 35–37
    Defense-in-Depth strategy in, 38–41
    formal processes and, 37
    identification in, 36
    Information Assurance Technical Framework and, 38–42
    in Information Systems Security Engineering. See Information Systems Security Engineering (ISSE)
    for information technology. See information technology security
    for risk management, 60
    summary of, 71
    systems development life cycle and, 51–59
    systems engineering processes and, 37–38, 41–42
Information Systems Security Engineering (ISSE), 42–51
    architecture of system security in, 46
    Assess Information Protection effectiveness in, 48–51
    designing detailed security in, 46–47
    Discover Information Protection Needs in, 43–45
    implementing system security, 47–48
    overview of, 42
    requirements of system security in, 45–46
information technology security
    common practices for, 53–54
    development cycle in, 56–59
    engineering principles for, 54–56
informative policies, 75


INFOSEC assessment, 754
infrastructure assessments, 820–821
infrastructure mode, 479
in-house developed applications, 31
init process, 233–234
initial authentication, 262
Initialization Vector (IV)
    in 802.11i, 500
    in AES-CBC mode, 497–499
    sequencing discipline of, 493–495
    in TKIP upgrades, 492–493
    in WEP security, 489–492
initiation phase, 56–57
inline network devices, 566
innd, 229
input validation, 407
insertion, steganography, 648–651
insertion-based, steganography, 647
insider threats. See also internal threats
    data protection and, 805–806
    Defense-in-Depth strategy vs., 40
    network architecture and, 525–528
    physical security in, 815
installed packages, 217–218
installing applications securely
    antivirus protection, 171–173
    application installation, 171–175
    personal firewalls, 173–174
    Pretty Good Privacy, 175
    secure FTP, 175
    Secure Shell, 174
instant messages (IMs)
    copies of, 202
    in network architecture, 526
    in server security, 420–421
integration of security components, 809–834
    analysis of log data for, 812
    antivirus software in, 833
    auditing passwords in, 823
    authentication in, 815, 823
    awareness of what is running on systems, 817
    backups in, 828–829
    best security practices in, generally, 819
    binary code in HTTP headers, 826
    budgeting in, 810–811
    code in, 831
    configuration management in, 832
    content inspection in, 826–827
    corporate espionage and, 813–814
    cross-site scripting in, 827
    defense-in-depth principle in, 816, 828
    detection in, 813–814, 817–818, 826
    disaster recovery plans in, 830
    e-mail attachments in, 827
    employee awareness in, 811–812
    enablement vs. disablement in, 814
    essential services only in, 831–832
    false alarms in, 815
    file transfers in, 827
    firewalls in, 832–833
    HTTP in, 826
    infrastructure assessments in, 820–821
    insider threats in, 815
    internal servers and outbound communications in, 820
    intrusion detection systems in, 832–833
    life cycle of security in, 814
    logging in, 825–826
    malicious URLs in, 827
    mistakes to avoid, 814–815
    monitoring outgoing communications in, 826
    naming servers in, 834
    network diagrams in, 819–820
    password policy in, 821–823
    patches in, 818, 823–824
    perimeters in, 821, 832–833
    physical security in, 815, 830
    placement of systems in, 820
    policy statements in, 819
    principles of least privilege in, 816–817
    problems facing organizations in, 809
    remote access in, 827
    secure communications in, 828
    sensitive information in, 829
    service accounts in, 823
    single-use servers in, 832
    site protection in, 815–818
    summary of, 834
    system accounts protection in, 834
    system checks in, 818
    systems within enterprises, securing all, 813
    trust relationships in, 833
    tunneling, 826
    UNIX systems in, 831
    URL directory traversal in, 827
    URL header length in, 827
    user education in, 830–831
    volume of attacks in, 811
    vulnerability assessments in, 824–825


integrity of data
    cryptography for, 574–575
    in future planning, 839
    in information system security, 35–37
    primitives in cryptography for, 602
    in Public Key Infrastructure, 689
    in steganography, 642
integrity of e-mails, 339
intellectual property, 839
interfacing with organizations. See enterprise security methodologies
internal networks, 27
internal penetration testing, 771
internal servers and outbound communications, 820
internal threats, 140–141. See also insider threats
International Mobile Subscriber Identity (IMSI), 462
International Mobile Telephone Standard 2000, 471–472
Internet, boundlessness of, 12
Internet Control Message Protocol (ICMP), 437
Internet Engineering Task Force (IETF), 722
Internet Explorer configuration options, 282–286
    advanced settings, 285–286
    content settings, 285
    encryption, 286
    general settings, 282
    Internet zones, 282–283
    local intranet zone, 283
    privacy settings, 284–285
    restricted sites zone, 284
    security settings, 282–284
    trusted sites zone, 283–284
Internet Message Access Protocol (IMAP), 344–345, 682
Internet perimeter, 145–146
Internet Protocol (IP), 442–449
    addresses, 262, 532–533
    area codes, 449
    classless interdomain routing in, 443–444
    forwarding, 219
    history of, 443
    introduction to, 442–443
    IPv6 solution for, 445–448
    network address translation in, 444–445
    in Network layer, 436
    phones, 451
    version 7, 448–449
    zone codes, 449
Internet relay chats (IRCs), 178, 420–421
Internet zones, 282–283
intruders, acquiring information about, 556
intrusion, response to. See also intrusion detection (ID)
    CERT/CC guidelines for, 717–722
    computer incident response teams for, 708
    incident handling, generally, 716–717
    Internet Engineering Task Force guidelines for, 722
    security incident notification process in, 726–727
    summary of, 727
    terminating connections with intruders, 556
intrusion detection (ID)
    antivirus approaches to, 707–708
    components of, 708
    honeypots for, 712–716
    mechanisms for, 707–712
    prevention vs. See intrusion prevention systems (IPSs)
    response in. See intrusion, response to
    summary of, 727
    systems for. See intrusion detection systems (IDSs)
    virus prevention software for, 708
    virus scanners for, 707–708
intrusion detection systems (IDSs). See also intrusion prevention systems (IPSs)
    for access control, 114
    anomaly detection in, 553–554
    architecture in, 561–564
    in Defense-in-Depth strategy, 41
    detection issues in, 555
    emerging technologies in, generally, 556–557
    host-based, 550–551, 802
    in integration of security components, 832–833
    issues of, 711–712
    layered security approach to, 723
    methods of, 553–555
    misuse detection in, 554–555
    modes of, 553–555
    network-based, 551–553
    next generation packet inspection in, 564–567
    overview of, 549–550
    packet inspection methods in, 557–561
    pattern matching detection in, 554–555
    for perimeter intrusions, 99
    responses to intrusions in. See intrusion, response to
    in risk management, 28
    summary of, 567–568
    types of, 550
    workstations, putting on networks, 177


intrusion prevention systems (IPSs). See also intrusion detection systems (IDSs)
    in data protection, 802
    exclude lists in, 567
    gateway interaction devices in, 566
    inline network devices and, 566
    packet inspection methods, 565–567
    session sniping, 566
    systems memory and process protection in, 566
    whitelists in, 567
inventory, 217
investigative searching, 315–316
invisible digital watermarking, 675
IP (Internet Protocol). See Internet Protocol (IP)
ipop services, 228
IPPs (Information Protection Policies), 44
IPSec-based virtual private networks (VPNs)
    Authentication Header of, 696–697
    Encapsulating Security Payload of, 697–698
    header modes of, 695
    overview of, 695
    transport mode of, 695
    tunneled mode of, 695–696
IPSs (intrusion prevention systems). See intrusion prevention systems (IPSs)
iptables
    advanced blocking techniques, 253, 548
    blocking incoming traffic, 248–250, 543–545
    blocking outgoing traffic, 250–251, 545–546
    for defense-in-depth, 226
    defined, 219
    logging blocked traffic, 251–253, 546–547
    packet filtering with, 247–253
IPv6 (Internet Protocol version 6)
    address autoconfiguration in, 446–447
    anycast in, 446
    header of, 448
    multicast of, 446
    overview of, 445–446
    transition to, 447
IRCs (Internet relay chats), 178, 420–421
irda, 229
ISSE (Information Systems Security Engineering). See Information Systems Security Engineering (ISSE)
issue-specific policies, 75
iterative queries, 383
IV (Initialization Vector). See Initialization Vector (IV)
IV sequencing discipline, 493–494

J

Java
    ActiveX and, 306–309
    HTTP and, 304
    permissions in, 305–306
    sandbox in, 304–305
    in Web browser configurations, 278–279
JavaScript, 279–280, 303–304
John The Ripper, 247
Joint Photographic Experts Group (JPEG), 434
journaling, 215
Joux, Antoine, 615–616
JPEG (Joint Photographic Experts Group), 434
Jsteg, 659–663
jumbograms, 562

K

KCKs (key confirmation keys), 496
kcore, 224
KEKs (key encryption keys), 496
Kerberos
    for access control, 118–121
    e-mail security and, 348
    security features of, 684–685
kernel configurations
    modules in, 220–221
    options in, 219–220
    overview of, 218–219
    /proc file systems in, 223–224
    system calls in, 221–223
kets, 617
key confirmation keys (KCKs), 496
key encryption keys (KEKs), 496
key management. See also keys
    in communication applications, 691–692
    in IEEE 802.11 wireless security, 487
    in Public Key Infrastructure, 691–692

keyed hash functions, 601–602
keys
    agreements for, 596
    in cryptography, 577
    encryption of, 495–496
    key confirmation, 496
    key encryption, 496
    management of. See key management
    pairwise master, 496
    pairwise transient, 496
    pre-master, 701
    Pre-Shared, 500
    public key infrastructure. See Public Key Infrastructure (PKI)
    sharing, 595–596
    stores of, 305
    temporal, 492–496

keytable, 226
Kismet, 501
knowledge-based detection, 708
KOrinoco, 502
KryptoKnight, 121
ksh scripting language, 209
ktalk, 228
kudzu, 214, 226

L

Lamarr, Hedy, 473
language settings, 285, 406
LANMAN, 195
LANs (local area networks)
    cellular telephones and, 466–467
    in e-mail attacks, 332
    encryption in, 243
    future of, 506–507
    hubs connecting, 514
    IEEE wireless specifications, 478–480
    infrastructure-based wireless, 484
    internal, 532
    LAN-to-LAN virtual private networks, 694
    sniffing, 781
    switches connecting, 514
    trusted vs. untrusted, 150, 171
    virtual. See VLANs (virtual local area networks)
    viruses on, 172
    wireless, 459–460
laptops, 526
layered architecture, 431–432. See also specific layers
layered defenses, 40
layered security approach, 723
LCG (linear congruent pseudorandom number generator), 588
LDAP (Lightweight Directory Access Protocol), 229, 418–420
LEAP (Light Extensible Authentication Protocol), 487–488
legal issues, 105–107
    civil cases, 745
    closure, 744–745
    computer crime types, 106
    criminal cases, 746
    electronic monitoring, 106–107
    liability in, 107
liability, 107
library calls, 158
life cycles
    in digital forensics, 750
    planning for, 53–54
    in security, 814
Light Extensible Authentication Protocol (LEAP), 487–488
lighting, 99
Lightweight Directory Access Protocol (LDAP), 229, 418–420
likelihood determination, 65–66
limited examination, 740
limiting access, 212–213
linear congruent pseudorandom number generator (LCG), 588
Link Control Protocol, 438
Linux security. See also UNIX security
    boot loader passwords in, 213
    configuration control in, 218–224
    hardware changes detection in, 214
    nmap commands in, 232
    open source in, 207–208
    process control in, 225
    runlevels in, 233
    targeting, 209–210
live acquisition, 736–737
local area networks (LANs). See LANs (local area networks)
local hidden variables, 619
local intranet zones, 283
location discovery, 466
locks, 99
logging
    blocked traffic, 251–253, 546–547
    in integration of security components, 825–826
    reviews of, 30
    in server security, 416
    in Windows security, 197
logical access control, 54
Logical Link layer, 437
login authentication, 346
lookup process, 391
loss of devices, 141
low security ratings, 192


M
MAC (mandatory access control), 111
MAC layer, 478–480
mail client configurations, 349–350
Mail eXchanger (MX) records, 361–362
mail proxies, 350
mail servers, 217
mail-relaying, 348, 350
maintaining state, 262–264
maintenance of security plans, 94
MAIS (Major Automated Information System) Acquisition Programs, 80
Major Automated Information System (MAIS) Acquisition Programs, 80
malcode attacks
  on browsers, 258
  in e-mail security, 325–327
  on home workstations, 170–171
  overview of, 127–129
  in UNIX, 225
malicious code, 127–129. See also malcode attacks
malicious data detection, 560
malicious URLs, 827
management
  of configuration. See configuration management
  consoles for, 803
  of digital rights. See digital rights management (DRM)
  Information Management Policies, 44
  of keys. See key management
  of patches, 801
  reports to, 782
  of risk. See risk management
  security controls for, 69–70
  of server security, 402
  of users, 145–146
mandatory access control (MAC), 111
Mandatory Procedures for Major Defense Acquisition Programs (MDAPs), 80
man-in-the-middle attacks
  in browsers, 258
  defined, 130
  in e-mail, 332–333
mantraps, 99
master-slave relationships, 388
mathematical attacks, 132
maturity levels, 752–753, 755
Maximum Transmission Units (MTUs), 501
McAfee System Protection-McAfee Intercept Server and Desktop Agents, 155
McAfee-Internet Security Suite, 155
MD (Message Digest) hash functions, 607
MD4, 608–610
MD5, 610–613
MDAPs (Mandatory Procedures for Major Defense Acquisition Programs), 80
measuring security awareness, 78–79
Media Access Control (MAC), 517–518
Media Access layer, 437
memory protection, 566
Message Digest (MD) hash functions, 607
Message Integrity Codes (MIC), 494–495
Metasploit, 781
MIC (Message Integrity Codes), 494–495
Microsoft
  Outlook, 324–325
  upgrades from, 192–193
  Windows security recommendations, 149–151
MIME (Multipurpose Internet Mail Extensions), 434
minimum length of passwords, 822
Ministumbler, 502
mirror images, 736
misconfiguration attacks, 792
mission resilience
  availability in, 839
  confidentiality in, 839
  countermeasures in, 841–842
  future planning of, 837–844
  impact analysis in, 840–841
  integrity in, 839
  presentation of analysis results in, 843–844
  probability in, 840
  qualitative risk analysis in, 842–843
  quantitative risk analysis in, 843
  risk analysis in, 842–844
  risk in, 837–838
  threats in, 838–839
  vulnerabilities in, 839–840
misuse detection, 554–555
mitigation of risk, 69–70. See also risk management
MLS (multi-level security). See multi-level security (MLS)
mobile backups, 96
mobile stations, 462
mobile switching centers (MSCs), 462
Mockapetris, Paul, 357
modems (modulators-demodulators), 513–514, 781
moderate security ratings, 192
modulators-demodulators (modems), 513–514, 781


monitoring
  outgoing communications, 826
  security assurance evaluation mechanisms for, 774
  in server security, 416
  in Windows security, 196–197
Motion Picture Experts Group (MPEG), 434
MPEG (Motion Picture Experts Group), 434
MSCs (mobile switching centers), 462
MTUs (Maximum Transmission Units), 438
multicast, 446
multi-level security (MLS)
  background of, 422
  information control, building systems for, 423–426
  information control, challenges of, 422–423
  introduction to, 421–422
multimedia, 178
Multimode Terminal mode, 472
multiple entry points, 538–539
multiple heterogeneous rulesets, 540
multiple lines of defense, 814
multiple locations in defense strategies, 40
multiple-center processing, 96
multiprocessors support, 219
Multipurpose Internet Mail Extensions (MIME), 434
mutual aid agreements, 96
MX (Mail eXchanger) records, 361–362
mysqld, 229

N
NAC (network access control), 805
name resolution, 374–375
Name Server (NS) records, 362
named, 229
namespaces, 358
naming servers, 834
NAT (Network Address Translation), 511–513
National Information Assurance Certification and Accreditation Process (NIACAP), 756–757
National Institute of Standards and Technology (NIST). See also security assurance evaluation mechanisms
  assessment guidelines of, 765–766
  introduction to, 51, 756–757
  Special Publication 800-14, 766
  Special Publication 800-27, 766
  Special Publication 800-30, 766–769
  Special Publication 800-64, 769–770
National Security Agency Infosec Assessment Methodology (NSA-IAM), 754–755
NCP (Network Control Protocol), 438
neighbor discovery, 447
Nelson, Ted, 297
nessus, 209
net subdirectory, 224
NetBIOS, 189
netfs, 229
Netscape, 281–282
Netstat, 230–232, 414
NetStumbler, 502
network access control (NAC), 805
Network Address Translation (NAT), 511–513
network architecture
  Address Resolution Protocol and, 517–518
  attack prevention in, 528–529
  basic issues in, 513–515
  Dynamic Host Configuration Protocol and, 518–519
  insider threats and, 525–528
  Media Access Control and, 517–518
  Network Address Translation in, 511–513
  network segments in, 510–511
  overview of, 509
  perimeter defense of, 511
  of private networks, 511
  of public networks, 510
  of semi-private networks, 510
  subnetting in, 516–517
  summary of, 529
  switching in, 516–517
  VLANs and, 516–517
  of zero configuration networks, 519–524
Network Control Protocol (NCP), 438
Network File System (NFS), 226, 435
Network layer, 436–437
network protocols, 431–458
  analog telephone adaptor, 450
  in Application layer, 433–434
  for circuit switching, 451–454
  for computer-to-computer calls, 451
  in Data Link layer, 437–438
  defined, 431–432
  H.323, 457
  Internet Protocol, 442–449
  for IP phones, 451
  IPv7, 448–449


  IPv8, 448–449
  network design and, 455
  in Network layer, 436–437
  Open Systems Interconnect model for, 432–433
  for packet switching, 451–454
  in Physical layer, 438–441
  in Presentation layer, 434
  risk factors of, 455
  security issues with, 454–455
  server environments and, 456
  in Session layer, 434–435
  session-initiate protocol, 457
  softphones vs. hardware phones, 456
  summary of, 457–458
  in TCP/IP layers, 439–442
  in Transport layer, 435–436
  in VoIP, 450–458
network-based intrusion detection systems (IDSs), 551–553, 708–709
networks
  architecture of. See network architecture
  for cellular telephones, 462–463
  diagrams of, 819–820
  environments of, 273–274
  mapping of, 781
  protocols for. See network protocols
  security of. See cyber security
  segments of, 510–511
  steganography and, 641–643
  support for, 403–404
  in UNIX/Linux security, 208
  for VoIP, 455
newsgroups, 780
next generation packet inspection, 564–567
NFS (Network File System), 226, 435
NIACAP (National Information Assurance Certification and Accreditation Process), 756–757
NIST (National Institute of Standards and Technology). See National Institute of Standards and Technology (NIST)
nmap
  in penetration testing, 781
  in UNIX/Linux security, 209, 232–233
  in vulnerability assessments, 804
NMT (Nordic Mobile Telephone), 471
nonces, 347
non-dictionary words in passwords, 822
non-discretionary access control, 112
non-repudiation
  for cryptography, 576
  in Public Key Infrastructure, 689, 691
Nordic Mobile Telephone (NMT), 471
NS (Name Server) records, 362
NSA-IAM (National Security Agency Infosec Assessment Methodology), 754–755
nscd, 229
NT LanManager (NTLM) protocol, 347
ntalk, 228
ntpd, 229
nudity settings, 285
NULL sessions, 190–191

O
object reuse, 105
object-oriented databases (OODB), 123
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), 755
OFB (output feedback), 594
OFDM (Orthogonal Frequency Division Multiplexing), 477–478
Office of Management and Budget (OMB) Circular A-130, 764–765
+OK logged on POP before SMTP, 348
OMB (Office of Management and Budget) Circular A-130, 764–765
one-time pads, 585
one-way functions, 600
onsite phase, 754
OODB (object-oriented databases), 123
open authentication, 490
Open Shortest Path First (OSPF), 437
open source
  algorithms, 606–607
  in UNIX/Linux security, 208, 210–212
Open System Interconnect (OSI)
  Application layer in, 433–434
  Data Link layer in, 437–438
  layers in, generally, 432–433
  model of, 432–433
  Network layer in, 436–437
  Physical layer in, 438–439
  Presentation layer in, 434
  Session layer in, 434–435
  Transport layer in, 435–436
open-box penetration testing, 772


opening e-mails, 349
operating safely while e-mailing. See also e-mail security
  accounts for e-mails in, 349
  application versions in, 350
  architectural considerations in, 350–351
  GNU Privacy Guard for, 354–355
  mail client configurations in, 349–350
  opening e-mails in, 349
  Pretty Good Privacy in, 354–355
  sacrificial e-mail addresses in, 349
  SSH tunnels for, 351–354
operating servers safely. See also server security
  access control for, 415
  auditing for, 416
  backing up systems for, 414–415
  configuration control for, 413–415
  logging in, 416
  monitoring in, 416
  passwords in, 415–416
  physical security and, 413–414
  service minimization for, 414
  users, controlling, 415
operating systems (OSs)
  attacks on, 791
  easy-to-obtain, 208
  fingerprinting, 781
  hardening, 151–154, 800–801
  out-of-the-box, 151–154
  system calls on, 156–157
operating UNIX safely. See also UNIX security
  certificates in, 243–245
  chkconfig commands in, 235–236
  chroot in, 240
  control in, 237–243
  controlling processes in, 225
  encryption in, 243–245
  files in, 237–239
  GNU Privacy Guard for, 244
  init process in, 233–234
  introduction to, 224–225
  netstat commands in, 230–232
  nmap commands in, 232–233
  processes controlling processes in, 233–237
  ps commands in, 230
  root access in, 240–243
  Secure Shell for, 244–245
  services in, 236–237
  Set UID in, 239–241
  xinetd process in, 234–235
operating Web browsers safely. See also Web browser security
  network environments in, 273–274
  patches for, 271–272
  private data in, 274–275
  proxy servers in, 274
  recommended practices for, 275–276
  secure sites for, 272–273
  viruses in, 272
operating Windows safely. See also Windows security
  access to systems in, 179
  antivirus protection in, 180
  backups for, 191
  configuration issues in, 180–184
  data handling practices in, 185–186
  digital certificate technology for, 183
  introduction to, 177
  NetBIOS in, 189
  NULL sessions in, 190–191
  operating issues in, 184–191
  passwords in, 187–189
  physical security issues in, 179
  policy adherence for, 184
  risk behavior vs., 177–178
  software in, 183–184
  Trojan horses in, 186–187
  users in, 180–183
  viruses in, 186–187
  worms in, 186–187
operational security controls, 69–70
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 755
operation/maintenance phase, 52, 56–59
organizational approach to security, 835–836
organizational criticality matrix, 754–755
Orthogonal Frequency Division Multiplexing (OFDM), 477–478
Orwell, George, 201
OS (operating system) fingerprinting, 781
OSI (Open System Interconnect). See Open System Interconnect (OSI)
OSPF (Open Shortest Path First), 437
OSs (operating systems). See operating systems (OSs)
outdated Windows systems, 195
out-of-the-box operating system hardening, 151–154
output feedback (OFB), 594
overhead, 436
owner category, 237


P
P2P (peer-to-peer) applications, 420
packet filtering
  firewalls, 533–534
  iptables and. See packet filtering with iptables
  in packet inspection methods, 558
packet filtering with iptables, 247–253
  advanced blocking techniques, 253
  blocking incoming traffic, 248–250
  blocking outgoing traffic, 250–251
  for hardening UNIX, 247–253
  logging blocked traffic, 251–253
packet inspection methods, 557–567
  anomaly detection in, 565
  application proxies in, 558
  behavior-based anomaly detection in, 565
  content matching in, 561
  controlling operations in, 560–561
  current, 558
  emerging, 558–561
  exclude lists in, 567
  gateway interaction devices and, 566
  inline network devices and, 566
  intrusion prevention systems and, 565–567
  malicious data detection by, 560
  next generation of, 564–567
  overview of, 557
  packet filters in, 558
  protocol anomaly detection by, 559–560
  security architecture and hardware for, 561–564
  session sniping, 566
  standards compliance of, 559
  stateful filtering in, 558
  systems memory and process protection in, 566
  traffic-based anomaly detection in, 565
  whitelists in, 567
packet sniffing attacks, 204
packet switching, 452–453
pairwise master keys (PMKs), 496
pairwise transient keys (PTKs), 496
parallel tests, 97
parasite attacks, 269
parked slaves, 504
partial examination, 740–741
partial knowledge penetration testing, 772
pass phrases, 623–626
passive attacks, 14, 40
passive reconnaissance, 788–789
Password Authentication Protocol (PAP), 125
passwords
  for access control, 116
  aging of, 822
  attacks, 781
  guessing attacks, 133–134
  in hardening systems, 169–170, 247
  in operating Windows safely, 187–189
  policies for, 27–28, 821–823
  in quantum cryptography, 622–623
  in quick-start hardening, 163–164
  in server security, 415–416
  SQL injection and, 408
patches
  antivirus signatures and, 193
  for applications, 192–193
  applying, 184
  introduction to, 191–192
  management of, 801
  from Microsoft, 192–193
  policies for, 823–824
  for quick-start hardening, 161
  for Web browser and client security, 271–272
patents, 365
pattern matching detection, 554–555, 708. See also intrusion detection systems (IDSs)
PC (personal computer) physical controls, 100
PCMCIA (Personal Computer Memory Card International Association), 220, 226
PDC (Personal Digital Cellular), 471
PEAP (Protected Extensible Authentication Protocol), 488
peer-to-peer (P2P) applications, 420
pen testing. See penetration testing
penetration testing. See also security assurance evaluation mechanisms
  attack phase of, 785–786
  automated vulnerability scanners vs., 782–783
  black-box, 772
  closed-box, 772
  current state of, 780–783
  external, 771
  flow in, 780–782
  formal methodology of, 783–787
  full knowledge, 771
  gray-box, 772
  internal, 771
  introduction to, 770–771
  manual, 782–783
  open-box, 772
  partial knowledge, 772
  post-attack phase of, 787


penetration testing. See also security assurance evaluation mechanisms (continued)
  pre-attack phase of, 784–785
  security assurance evaluation mechanisms, 770–772
  for validating security, 777–779
  white-box, 771
  zero knowledge, 772
performance issues, 195, 267–268
perimeters
  defense of, 511
  in integration of security components, 832–833
  intrusion detection systems, 99
  protection of, 821
period of sine waves, 460
peripheral switch controls, 100
Perl, 209
permissions, 305–306
per-packet mixing function, 492–493
persistent connections, 296–298
persistent data, 185
Personal Computer Memory Card International Association (PCMCIA), 220, 226
personal computer (PC) physical controls, 100
personal data, 186
Personal Digital Cellular (PDC), 471
personal firewalls, 542–548, 802
personnel, 54, 102
pervasive wireless data network technologies, 473–478
PGP (Pretty Good Privacy). See Pretty Good Privacy (PGP)
phishing attacks, 31
photo processing, 178
photoelectric sensors, 99
photo-image cards, 101
PHP pages, 302–303
PHY layer, 478
physical issues
  access control, 115
  attacks, 202
  break-ins, 780
  controls for, 527–528
  environment, 830
  security as. See physical security
Physical layer, 438–441
physical security
  controls for, 30, 98–103
  for data protection, 798, 803–804
  in IEEE 802.11 wireless security, 486
  mistakes to avoid in, 815
  in operations, 179
  for server security, 413–414
  in UNIX/Linux security, 212–217
  of workstations, 175–176
piconets, 503
ping, 374–375
pipelines, 563
pirated software, 178
PKI (Public Key Infrastructure). See Public Key Infrastructure (PKI)
placement of systems, 820
placing calls, 464
plain login, 345–346
plain text, 577
Plan of Action and Milestones (POA&M), 761
plugins, 277–280
PMKs (pairwise master keys), 496
POA&M (Plan of Action and Milestones), 761
Point-to-Point Protocol (PPP), 438, 698
Point-to-Point Tunneling Protocol (PPTP), 698
policies
  adherence to, 184
  files of, 305
  for securing information technology, 53
  statements of, 819
  in tiered architecture, 540–542
POP (Post Office Protocol), 343–344, 346–348, 682
pop services, 228
popularity of browsers, 256–257
Port 1025, 159
Port 1026, 160
Port 135 - loc-srv/epmap, 158–159
Port 139 - Net BIOS Session (TCP), 159
Port 139 - Net BIOS Session (UDP), 159
Port 445, 159
port blocking, 162–163
port controls, 100
port scanning, 133, 781
port signatures, 709
portmap, 226
post accreditation phase, 757, 759
POST data, 264
Post Office Protocol (POP), 343–344, 682
POST requests, 289
postassessment phase, 754
post-attack phase of pen testing, 787
postgresql, 229
PPP (Point-to-Point Protocol), 438, 698
PPTP (Point-to-Point Tunneling Protocol), 698
preassessment phase, 754


pre-attack phase of pen testing
  discovery in, 784–785
  enumeration in, 785
  scanning in, 785
  scope of assessment for, 784
  vulnerability mapping in, 785
pre-authentication for roaming, 500
predictable query IDs, 382–383
pre-master keys, 701
preparing for attacks, 216–217
Presentation layer, 434
presentation of analysis results, 843–844
Pre-Shared Key (PSK) mode, 500
pre-shared secrets, 596
pretexting, 400
Pretty Good Privacy (PGP)
  of communication applications, 682–684
  in e-mail security, 354–355
  in Windows security, 175
prevention of intrusion. See intrusion prevention systems (IPSs)
preventive controls, 69–70, 113–114
previewing e-mails, 349–350
primitives
  asymmetric encryption in, 597–599
  block ciphers in, 593–595
  cast introduction in, 590–591
  certificate authorities in, 598
  confidentiality, integrity, availability with, 602–603
  digital signatures in, 599–600
  hash functions in, 600–602
  introduction to, 587
  keyed hash functions in, 601–602
  pseudo random number generation in, 588–589
  random number generators in, 587–591
  sharing keys in, 595–596
  stream ciphers in, 592–593
  symmetric encryption in, 591–596
  two-key encryption in, 597–599
  user input generating numbers for, 589
  web of trust in, 598–599
  whitening functions in, 589–590
principals, 686
principle of least privilege, 803
principles of security, 15–16
print daemons, 227
printers, 526
prioritization of critical systems, 92
Priority fields, 361–362
Prismtumbler, 501
privacy
  of data, 327–335
  MAC layer for, 479
  Pretty Good Privacy. See Pretty Good Privacy (PGP)
  settings for, 284–285
  in Web browser and client security, 256
private data, 186, 274–275
private keys, 689–690
private networks, 511
proactive computer forensics, 746–748
probability, 840
/proc file systems, 223–224
process areas (PAs), 752
Process IDs, 223
processes controlling processes, 233–237
productivity of browsers, 256–257
program attacks, 792
program management, 53, 79–80
program policies, 75
proof of security, 578
proprietary algorithms, 579, 606–607
Protected Extensible Authentication Protocol (PEAP), 488
protection domains, 305
protocol anomaly detection, 559–560
protocols
  Address Resolution. See ARP (Address Resolution Protocol)
  Challenge Handshake Authentication, 125
  Digital Network Architecture Session Control, 435
  for e-mail security, 340–345
  Extensible Authentication, 486–488, 491–492
  File Transfer. See File Transfer Protocol (FTP)
  Hyper Text Transfer. See HTTP (Hyper Text Transfer Protocol)
  Internet. See Internet Protocol (IP)
  Internet Control Message, 437
  Internet Message Access, 344–345
  Lightweight Directory Access, 229, 418–420
  Link Control, 438
  in network architecture, 526
  for networks. See network protocols
  packets containing, 533
  Password Authentication, 125
  Point-to-Point, 438, 698
  Post Office, 343–344
  Reverse Address Resolution, 438
  Routing Information, 437
  Secure File Transfer, 175


protocols (continued)
  Serial Line Internet, 438
  session-initiate, 457
  Simple Mail Transfer. See Simple Mail Transfer Protocol (SMTP)
  Simple Network Management, 434
  Temporal Key Integrity. See Temporal Key Integrity Protocol (TKIP)
  Transmission Control. See TCP (Transmission Control Protocol)
  Trivial File Transfer, 175, 433
  User Datagram, 436
  of VoIP, 456–457
  Wireless Application, 504–505
proxy firewalls, 535–536
proxy servers, 274
prudent man rule, 107
ps commands, 230
pseudo random number generation, 588–589
PSK (Pre-Shared Key) mode, 500
PTKs (pairwise transient keys), 496
Public Key Infrastructure (PKI)
  confidentiality in, 690
  defined, 41
  digital signatures in, 690
  introduction to, 688–689
  key management in, 691–692
  non-repudiation in, 691
  private keys vs., 689–690
  public keys in, 689–690
public networks, 510
public-private key encryption, 338–339
PUT method, 289, 299–300
putting everything together. See integration of security components

Q
qualitative risk analysis, 842–843
quantitative risk analysis, 843
quantum bits, 617–622
quantum cryptography. See also cryptography
  biometrics in, 626
  bits in, 617–622
  blackmailing in, 626–627
  computation in, 617–622
  encryption, malicious uses of, 626–628
  fast factoring of large composites in, 621–622
  pass phrases in, 623–626
  passwords in, 622–623
  secure communication channels in, 620
  secure tokens in, 624–626
  worms, encryption in, 627–628
quick-start hardening
  disabling unneeded services for, 164
  overview of, 160
  passwords in, 163–164
  patches for, 161
  port blocking for, 162–163
  removing unneeded components for, 164–165
  security template for, 166
  service packs for, 161
  sharing files and printing, removal of, 161–162

R
r commands, 226
RADIUS (Remote Authentication and Dial-In User Service), 124
random number generators
  cast introduction in, 590–591
  in cryptography, 585–586
  introduction to, 587–588
  primitives and, 587–591
  pseudo random number generation and, 588–589
  user input generating numbers for, 589
  whitening functions in, 589–590
random script, 227
RARP (Reverse Address Resolution Protocol), 438
rawdevices, 227
reactive security, 6
real time communications, 436
reasonable care, 107
reassociation, 479
rebooting, 212
rebuilding systems, 196
recognizance, 379
records, 360–361
recovery controls, 69–70
recovery teams, 98
recursion, 383–384
Redfang v2.5, 502
redundancy, 845–846
re-evaluation of systems, 196
Registry, 167
regulatory policies, 75
rekeying against key reuse, 495–496
relational databases, 121–123


remote access
  in access control, 123–125
  data protection and, 805
  in integration of security components, 827
  in risk management, 28
remote access virtual private networks (VPNs), 694
Remote Authentication and Dial-In User Service (RADIUS), 124
remote login (rlogin), 228, 434
Remote Procedure Call (RPC)
  in Session layer, 435
  in UNIX/Linux security, 226
  updating, 414
removing unneeded components, 164–165, 644
replay attacks
  on browsers, 269–270
  defined, 131
  by e-mail, 332–335
  Kerberos preventing, 685
  secure tokens and, 625
reporting, 114, 782, 787
residual risks, 70, 769
resource requirements, 92
respect for adversaries, 399
restoring compromised systems, 787
restricted sites zone, 284
results documentation, 68
resurrecting duckling solution, 487
Reverse Address Resolution Protocol (RARP), 438
reverse DNS lookups, 371–374
rexec, 228
Rice Monarch Project, 502
ring example, 645–646
RIP (Routing Information Protocol), 229, 437
risk analysis. See risk assessment
risk assessment. See also risks
  analysis in, 65, 842–844
  control recommendations in, 68
  in future planning, 837–838
  impact analysis in, 66–67
  likelihood determination in, 65–66
  in NIST SP 800-14, 768
  overview of, 63
  results documentation in, 68
  risk determination in, 67–68
  system characterization in, 63–64
  threat identification in, 64
  vulnerability identification in, 64–65
risk management. See also risks
  architecture of networks in, 27
  assessment for. See risk assessment
  attack types in, 29–30
  backdoors in, 31
  backup policies in, 29
  business systems in, 30
  calculating risk in, 70–71
  content-level inspections in, 31
  definitions in, 60–61
  demilitarized zones in, 27
  denial of applications and services in, 28
  desktop protections in, 29
  disaster recovery plans in, 29
  disposal of sensitive information in, 29
  encryption in, 29
  evaluation in, 70
  firewalls in, 31
  in information technology, 53
  in-house developed applications in, 31
  internal networks in, 27
  intrusion detection systems in, 28
  log reviews in, 30
  mitigation of risk in, 69–70, 768–769
  password policy in, 27–28
  phishing attacks in, 31
  physical security controls in, 30
  remote access in, 28
  security policy in, 27
  social-engineering attacks in, 31
  system patching in, 31
  systems development life cycle and, 61
  Trojans in, 31
  of VoIP, 455
  vulnerability scans in, 30
  wireless infrastructures in, 28
risk-based security controls, 397–398
risks. See also threats
  assessment of. See risk assessment
  assigning value to, 811
  in cyber security, 4
  defined, 61
  in e-mail security, 323
  management of. See risk management
  in server security, 395–396
  in Web browser and client security, 255–259
  in Windows security, 177–178
Rivest, Ronald, 690
rlogin (remote login), 228, 434
robustness of security, 41
rolling backups, 96
Roman Empire, 639–640
root access, 240–243
router solicitation, 447
routers, 515, 533


Routing Information Protocol (RIP), 229, 437
RPC (Remote Procedure Call). See Remote Procedure Call (RPC)
rsh, 228
rsync, 228
runlevels, 233

S
sacrificial e-mail addresses, 349
salting, 601
salvage teams, 98
sandboxes, 304–305
scalability, 393
scanning
  firewalls and, 532
  in network architecture, 528–529
  in pre-attack phase of pen testing, 785
  for vulnerabilities, 194
Schuba, Christopher, 388
scope of assessments, 784
scorecards, 761
screen snapshots, 202
screening input, 409
screensavers, 178
script kiddies, 146
scripts
  in attacks, 792
  browser protocols and, 259
  in e-mail security, 351
  techniques for, 210
SDLC (systems development life cycle). See systems development life cycle (SDLC)
searching, 315–316
secret communications. See cryptography
secure communications, 620, 828
Secure European System for Applications in a Multivendor Environment (SESAME), 121
Secure File Transfer Protocol (SFTP), 175, 434
Secure Hash Algorithms (SHA)
  defined, 607–608
  hash-generating with, 690
  SHA-1, 616
  SHA-0, 614–616
Secure Shell (SSH)
  servers, 227
  tunnels, 351–354
  for UNIX/Linux security, 244–245
  for virtual private networks (VPNs), 698–699
  for Windows security, 174
secure sites, 272–273
Secure Sockets Layer (SSL)
  communication applications in, 699–700
  cryptography in, 580
  encryption and, 410–411
  Handshake, 700–703
  in Web browser security, 264–268
secure tokens, 624–626
security assessments, 779
security assurance evaluation mechanisms, 751–774
  for accreditation, generally, 756–757, 763
  for auditing, 772–773
  black-box penetration testing, 772
  for certification, generally, 756–757, 763
  closed-box penetration testing, 772
  DIACAP, 756–757, 760–763
  DITSCAP, 758–760
  external penetration testing, 771
  Federal Information Processing Standard, 763–764
  Federal Information Security Assessment Framework, 755–756
  full knowledge penetration testing, 771
  gray-box penetration testing, 772
  for information assurance, 751–756
  internal penetration testing, 771
  introduction to, 751
  for monitoring, 774
  National Security Agency Infosec Assessment Methodology, 754–755
  NIACAP, 756–759
  NIST assessment guidelines, generally, 756–757, 765–766
  Office of Management and Budget Circular A-130, 764–765
  open-box penetration testing, 772
  Operationally Critical Threat, Asset, and Vulnerability Evaluation, 755
  partial knowledge penetration testing, 772
  penetration testing, 770–772
  Special Publications for, 766–770
  summary of, 774
  Systems Security Engineering Maturity Model, 751–753
  white-box penetration testing, 771
  zero knowledge penetration testing, 772
security awareness
  in data protection, 799
  of employees, 811–812
  in information system security management, 77–79
  in planning, 94


  server needs in, 399–400
  training in, 172
security extensions, 381–382
security features of communication applications
  for Authentication Servers, 685–686
  confidentiality in, 690
  digital signatures in, 690
  Domain Name System, 377–384
  for e-mail, 682–685
  Internet Explorer, 282–284
  introduction to, 681
  Kerberos, 684–685
  key management in, 691–692
  non-repudiation in, 691
  POP/IMAP protocols, 682
  Pretty Good Privacy, 682–684
  private keys in, 689–690
  Public Key Infrastructure, 688–690
  Secure Sockets Layer, 699–703
  summary of, 704
  Transport Layer, 699
  for virtual private networks (VPNs). See virtual private networks (VPNs)
  VoIP, 454–455
  web of trust in, 692
  Wired Equivalent Privacy, 491
  working model of, 686–688
security incident notification, 726–727
Security layer, 505
security templates, 166
semi-private networks, 510
sendmail, 229
senior management, 74–75, 94
sensitive data, 797, 829
Sequenced Packet Exchange (SPX), 436
sequencing discipline, 493–495
server authentication, 505
server content
  ActiveX and, 306–309
  client content and, 303–309
  Common Gateway Interface and, 301–302
  permissions in, 305–306
  PHP pages and, 302–303
  sandboxes for, 304–305
  security of. See server security
  in Web security, generally, 301–303
server environments, 456
server security, 395–427
  access control for, 415
  applications in, 417–421
  auditing for, 416
  awareness of need for, 399–400
  backing up systems for, 414–415
  business impact assessments in, 401
  code cleanliness in, 406
  configuration control for, 402–404, 413–415
  content injection in, 407–409
  cross-site scripting in, 407–408
  data handling in, 405–406, 417–420
  defense-in-depth principle in, 398
  designing for, generally, 396–397
  development practices for, 402, 405–411
  digital rights management in, 421–426
  dynamic scripting in, 409
  encryption for, 409–411
  FTP servers in, 417–418
  information control in, 422–426
  input validation in, 407
  instant messages in, 420–421
  Internet relay chats in, 420–421
  language choice in, 406
  Lightweight Directory Access Protocol in, 418–420
  logging in, 416
  management and, 402
  monitoring in, 416
  multi-level, 421–426
  network support for, 403–404
  operating servers safely for, 413–416
  passwords in, 415–416
  peer-to-peer applications in, 420
  physical security and, 413–414
  respect for adversaries in, 399
  risks requiring, 395–398
  screening input for, 409
  service minimization for, 414
  simplicity in, 399
  SQL injection in, 408
  stored procedures in, 408
  summary of, 427
  testing, 411–413
  users in, 415
server separation, 145–146
servers, 228
service accounts, 823
service bureaus, 97
service commands, 236–237
service detection, 230–233
service minimization, 414
service packs, 161
service redirection, 379
Service Set Identity (SSID), 490, 502


S Index

SESAME (Secure European System for Applications in a Multivendor Environment), 121
Session IDs, 262, 700
session keys, 683–684, 686
Session layer, 434–435, 504
session replay attacks, 204
session sniping, 566
Set UID, 239–241
sexual settings, 285
SFTP (Secure File Transfer Protocol), 175, 434
sgi_fam, 228
sh scripting language, 209
SHA (Secure Hash Algorithms). See Secure Hash Algorithms (SHA)
Shannon/Hartley equation, 473–475
shared key authentication, 490–491
sharing files, 161–162
sharing keys, 595–596
ships, 640
Shor’s algorithm, 621–622
short-term containment solutions, 720
shutdown, 326
signal-to-noise (SNR) tool, 502
signature-based intrusion detection systems (IDSs), 708, 710
SIM (subscriber identity module), 462
Simple Mail Transfer Protocol (SMTP)
  +OK logged on
  POP before, 348
  in Application layer, 434
  defined, 414
  in e-mail security, 340–342
Simple Network Management Protocol (SNMP), 230, 434
simulation tests, 97
sine waves, 460
single loss expectancy (SLE), 70–71
Single Sign-On (SSO), 117–121
single-use servers, 832
SIP (Session Initiation Protocol), 457
site accreditation, 757
site protection
  awareness of what is running on systems, 817
  defense-in-depth principle in, 816
  detection vs. prevention for, 817–818
  introduction to, 815–816
  patches in, 818
  principle of least privilege in, 816–817
  system checks in, 818
site-to-site virtual private networks (VPNs), 694
SLE (single loss expectancy), 70–71
SLIP (Serial Line Internet Protocol), 438
slow starts, 295–296
Slurpie, 247
smart cards, 100–101
smb, 229
SMTP (Simple Mail Transfer Protocol). See Simple Mail Transfer Protocol (SMTP)
sniffing, 502, 781
SNMP (Simple Network Management Protocol), 230, 434
SNR (signal-to-noise) tool, 502
SOA (Start of Authority) records, 362
social engineering attacks
  defined, 780
  in e-mail security, 323
  overview of, 132–133
  in risk management, 31
  on workstations, 204–205
softphones, 456
software, 184, 531
software exploitation attacks, 134–135
source IP addresses, 532–533
source-routed frames, 219
spam
  denial of service attacks, 336
  in e-mail security, 335–339
  filters for, 337
  in network architecture, 528
Spam Mimic, 671–673
Special Publications (SPs)
  800-14, 766
  800-27, 766
  800-30, 766–769
  800-64, 769–770
split DNS design, 386
split-split DNS design, 386–387
spoofing
  in AOL e-mail, 378–379
  attacks, 130
  Domain Name System and, 385
  firewalls and, 532
  on zeroconf networks, 524
spread spectrum technologies
  direct sequence, 476
  frequency hopping, 476–477
  Orthogonal Frequency Division Multiplexing as, 477–478
  overview of, 473–476
  of wireless security, 473–478
SPs (Special Publications), 769–770


SPX (Sequenced Packet Exchange), 436
spyware, 200–202, 802
SQL (Structured Query Language)
  injection, 316–317, 408
  in Session layer, 435
SSAA (System Security Authorization Agreement), 757
SSE-CMM (Systems Security Engineering Capability Maturity Model), 751–753
SSH (Secure Shell). See Secure Shell (SSH)
sshd servers, 227
SSID (Service Set Identifier), 490, 502
SSL (Secure Sockets Layer). See Secure Sockets Layer (SSL)
SSO (Single Sign-On), 117–121
stack data location, 155–156
standards
  for auditing, 772–773
  for packet inspection methods, 559
  for security, 75–77
  for Web services, 319
Start of Authority (SOA) records, 362
state in Web security, 309–315
  applications requiring, 310
  cookies and, 310–313
  defined, 309
  hidden fields for, 315
  hidden frames for, 314
  HTTP and, 309
  tracking of, 310
  URL tracking and, 314
  Web bugs and, 313–314
state of network security, 3–8
  attacks in, 6–7
  background of, 4–6
  overview of, 3–4
  reactive security vs., 6
  risks in, 4
  summary of, 7–8
  trends in, 6
stateful autoconfiguration, 447
stateful packet filtering, 534–535, 558
stateless autoconfiguration, 447
statements of work, 82
static IP addresses, 359
static method, 513
statistical anomaly-based intrusion detection systems (IDSs), 708, 710–711
status accounting, 89
steganography, 631–679
  algorithmic-based, 647
  availability and, 642
  camouflage and, 640–641, 669
  classification schemes of, 647–653
  color tables in, 653–654
  confidentiality and, 641–642
  covert channels vs., 638–639
  cryptography vs., 644–646
  data volume in, 643
  detection of, 643–644
  Digital Picture Envelope and, 665–669
  digital watermarking vs. See digital watermarking
  direction of, 633–634
  Easter eggs vs., 639
  EZ-Stego and, 663–664
  generation, 652–653
  Gif Shuffle and, 669–671
  grammar-based, 648
  hidden data in, 631–633
  Hide and Seek and, 657–659
  history of, 633, 639–641
  Image Hide and, 664–665
  implementing, generally, 654–655
  insertion-based, 647–651
  integrity of data and, 642
  introduction to, 631
  Jsteg and, 659–663
  network security and, 641–643
  new classification scheme of, 648–653
  original classification scheme of, 647–648
  overview of, 634–635
  principles of, 643–644
  pros and cons of, 636–637
  reasons for using, 635–636
  removal of, 644
  ring example of, 645–646
  in Roman Empire, 639–640
  in ships, 640
  Spam Mimic and, 671–673
  S-Tools and, 655–657
  substitution, 651–652
  summary of, 679
  survivability and, 642–643
  Trojan horses vs., 637–638
  types of, 646–654
  visibility of, 643
  during World Wars I and II, 640
sticky bits, 239–241
S-Tools, 655–657
storage media, 737
stored procedures, 408


strace, 221–223
stream ciphers, 589, 592–593
string signatures, 709
Structured Query Language (SQL). See SQL (Structured Query Language)
subnetting, 516–517
subscriber identity module (SIM), 462
substitution, 581–587, 651–652
survivability, 642–643
switch controls, 100
switches, 514–517
Symantec, 154
symmetric encryption
  block ciphers in, 593–595
  introduction to, 591–592
  primitives and, 591–596
  sharing keys in, 595–596
  stream ciphers in, 592–593
symmetric master keys, 496
sys directory, 224
syslog, 227
Systat, 414
system calls, 156–157, 221–223
System Information Profile (SIP), 761
System Security Authorization Agreement (SSAA), 757
systems
  accounts of, 834
  accreditation of, 757
  attacks on, 791
  characterization of, 63–64
  development life cycle of. See systems development life cycle (SDLC)
  engineering of, 37–38, 41–42
  hardening of. See hardening systems
  infrastructures of, 465–466
  management plans for, 80–87
  memory and process protection in, 566
  misuse of, 135
  patching, 31
systems development life cycle (SDLC)
  common practices and, 53–54
  engineering principles for, 53–56
  information system security and, 52–53
  of information technology, 56–59
  phases of, 51–52
Systems Security Engineering Capability Maturity Model (SSE-CMM), 751–753
system-specific policies, 75

T
tabletop exercises, 97
TACACS and TACACS+ (Terminal Access Controller Access Control Systems), 124
TACS (Total Access Communication System), 471
Tagged Image File Format (TIFF), 434
talk, 228
targeted hacks, 138–140
targeting UNIX, 207–210
TC (Trusted Computing), 421–423, 426
TCO (total cost of ownership), 841
TCP (Transmission Control Protocol)
  attacks in, 131
  HTTP traffic on, 288, 293–298
  introduction to, 435
  sequence numbers, 136
  wrappers, 247
tcpdump, 208
tcpreplay, 209
TDD (Time Division Duplex), 472
technical performance measurements (TPMs), 85
technical security management, 79–87
  controls in, 69, 100–102
  program management in, 79–80
  statements of work in, 82
  systems engineering management plans for, 80–87
  technical performance measurements in, 85
  test and evaluation master plans in, 85–87
  work breakdown structures in, 82–85
technology in Defense-in-Depth strategy, 39
telecommunications, 527
telnet, 226, 228
Telnet, 414
TEMPEST, 103, 202–203
Temporal Key Integrity Protocol (TKIP), 492–496
  Initialization Vector in. See Initialization Vector (IV)
  Message Integrity Codes and, 494–495
  per-packet mixing function of, 492–493
  rekeying against key reuse in, 495–496
temporal keys (TKs), 496
TEMPs (test and evaluation master plans), 85–87
Terminal Access Controller Access Control System (TACACS), 124
terminating connections with intruders, 556
test and evaluation master plans (TEMPs), 85–87
testing
  environments for, 403
  security. See security assurance evaluation mechanisms


testing (continued)
  server security, 411–413
  tools, 501–503
  in workstations, putting on networks, 175
testing Windows security. See also Windows security
  auditing for, 197
  cleaning up systems for, 197–198
  logging in, 197
  monitoring in, 196–197
  outdated Windows systems and, 195
  performance issues in, 195
  questionable applications in, 194
  re-evaluation and rebuilding in, 196
  scanning for vulnerabilities, 194
TFTP (Trivial File Transfer Protocol), 175, 433
theft, 141, 212
threats, 127–142
  back door, 130
  birthday, 133–134
  defined, 61
  demon-dialing, 136
  denial-of-service, 129–130
  device loss and theft, 141
  distributed denial-of-service, 136–138, 528
  dumpster diving, 133
  eavesdropping, 135
  espionage, 138–140
  evaluating. See risk assessment
  external attack methodologies, 136–140
  fragmentation, 131–132
  in future planning, 838–839
  hijacking, 131
  identification of, 64
  internal threats, 140–141
  malicious code, 127–129
  man-in-the-middle, 130
  mathematical, 132
  password guessing, 133–134
  physical, 98
  port scanning, 133
  replay, 131
  social engineering, 132–133
  software exploitation, 134–135
  sources of, 61
  spoofing, 130
  summary of, 142
  system misuse, 135
  targeted hacks, 138–140
  Transmission Control Protocol, 131, 136
  types of, generally, 129
  unintentional filesharing, 140–141
  viruses, 127–129
  war driving, 136
  war-dialing, 136
  weak keys, 132
throughput rates, 101
ticket-granting tickets, 687–688
tickets, 686
tiered architecture, 537–538, 540–542
TIFF (Tagged Image File Format), 434
time, 228, 262
Time Division Duplex (TDD), 472
Time Division Multiple Access (TDMA), 469
timing objectives, 95–96
TKIP (Temporal Key Integrity Protocol). See Temporal Key Integrity Protocol (TKIP)
TKs (temporal keys), 496
TLS (Transport Layer Security), 488, 703
TDMA (Time Division Multiple Access), 469
top-level domains, 365–370
Total Access Communication System (TACS), 471
total cost of ownership (TCO), 841
TPMs (technical performance measurements), 85
tracking, 310
trade secrets, 839
traffic
  blocking, 248–251, 546–547
  HTTP, 293–298
  incoming, 248–250
  logging, 546–547
  outgoing, 250–251
traffic-based anomaly detection, 565
training in security awareness, 78, 172
Transaction layer, 505
Transaction Signatures (TSIGs), 380–381
Transmission Control Protocol (TCP). See TCP (Transmission Control Protocol)
Transport layer, 435–436, 505
Transport Layer Security (TLS)
  in IEEE 802.11 wireless security, 488
  security features of communication applications for, 699
  SSL Handshake and, 703
  in Web browser security, 264–265
transport mode of IPSec-based VPNs, 695
transport of Web services, 319
trends in cyber security, 9–17
  active attacks in, 13–14
  attack types in, 12–14
  boundlessness of Internet and, 12
  breaches of security and, 10–11
  changes as, 16–17
  current state of, 11–12


trends in cyber security (continued)
  introduction to, 6
  new approaches as, 15
  passive attacks in, 14
  principles of, 15–16
  summary of, 17–18
Trivial File Transfer Protocol (TFTP), 175, 433
Trojan horses
  avoiding, 186–187
  exploiting systems, 794
  in risk management, 31
  steganography vs., 637–638
  on workstations, 200
true negative detection results, 555
true positive detection results, 555
trust anchors, 391
trust boundaries, 399
trust relationships, 815, 833
Trusted Computing (TC), 421–423, 426
trusted signature introducers, 692
trusted sites zone, 283–284
TSIGs (Transaction Signatures), 380–381
tunnel mode of IPSec-based VPNs, 695–696
Tunneled TLS (Transport Layer Security), 488
tunneling, 826
tunnels in Secure Shell (SSH), 351–354
  configuring e-mail clients for, 353–354
  establishing SSH sessions and, 353
  overview of, 351–353
  pros and cons of, 354
two-key encryption
  certificate authorities in, 598
  introduction to, 597–598
  in primitives, 597–599
  web of trust in, 598–599
two-way authentication, 505
TYPE, 307
type accreditation, 757
Type I errors, 100
Type II errors, 100

U
UDP (User Datagram Protocol), 436
UHF (Ultra-High Frequency), 460–461
UID (User Identifier), 239–241
Ultra-High Frequency (UHF), 460–461
UMTS (Universal Mobile Telecommunications System), 472–473
Uniform Resource Locators (URLs), 314, 827
unintentional filesharing, 140–141
uniqueness of passwords, 822
Universal Mobile Telecommunications System (UMTS), 472–473
UNIX security, 207–254
  automatic update servers in, 218
  backups without detection in, 216
  blocking techniques in, 248–253
  configuration for, 245–246
  configuration for hardening, 217–224
  detection in, 217
  disk partitioning in, 215–216
  expert users in, 210
  file sharing/transfer in, 218
  files in, 210
  focus of, 207
  hardening for, 245–253
  hardware changes detection in, 214–215
  incoming traffic in, 248–250
  information exchange in, 209
  installed packages in, 217–218
  integrating components of, 831
  inventory in, 217
  kernel configurations in, 218–224
  limiting access for, 212–213
  logging blocked traffic, 251–253
  mail servers in, 217
  network and development tools in, 208
  open source in, 208, 210–212
  operating safely. See operating UNIX safely
  operating systems in, 208
  outgoing traffic in, 250–251
  packet filtering with iptables for, 247–253
  passwords in, 247
  physical security in, 212–217
  /proc file systems in, 223–224
  script techniques in, 210
  services in, 225–233
  summary of, 253–254
  system calls in, 221–223
  targeting UNIX, 207–210
  TCP wrapper for, 247
  versions and builds in, 209
upgrades
  of antivirus signatures, 193
  for applications, 192–193
  from Microsoft, 192–193
  for Windows security, 149
  of Windows versions, 194
uploading programs, 793
URLs (Uniform Resource Locators), 314, 827


U.S. government policies, 75
user accounts, 181–183
User Datagram Protocol (UDP), 436
User Identifier (UID), 239–241
user level accounts, 168–169
users
  controlling, 415
  education of, 805, 830–831
  groups of, 168
  input of generating numbers, 589
  issues of, 54
  keystrokes of, 201
  managing, 145–146
  rights of, 180

V
validating security, 777–795
  attack phase of penetration testing in, 785–786
  automated vulnerability scanners for, 782–783
  of data protection, 799
  exploitation of systems and. See attackers exploiting systems
  flow in current penetration testing, 780–782
  manual penetration testing for, 782–783
  overview of, 777–779
  penetration testing, current state of, 780–783
  penetration testing, formal methodology of, 783–787
  penetration testing in, generally, 777–779
  post-attack phase of penetration testing in, 787
  pre-attack phase of penetration testing in, 784–785
  security assessments in, 779
  summary of, 795
validation phase, 757, 759
van Dam, Dr. Andries, 298
verification phase, 757, 759
verifiers, 686
de Vigenère, Blaise, 582
Vigenère cipher, 582–585
violations reports, 114
violence settings, 285
virtual local area network (VLAN) separation. See VLANs (virtual local area networks)
virtual machines, 805
virtual private networks (VPNs)
  Authentication Header of IPSec-based, 696–697
  design issues in, 693–694
  IPSec-based, 695–698
  overview of, 692–693
  Point-to-Point Protocol for, 698
  Point-to-Point Tunneling Protocol and, 698
  Secure Shell for, 698–699
  transport mode of IPSec-based, 695
  tunnel mode of IPSec-based, 695–696
virus scanners, 707–708
viruses
  attacks of, 127–129
  avoiding, 186–187
  in e-mail security, 350
  software prevention for, 708
  in Web browser and client security, 272
  on workstations, 198–199
visibility, 643
visible digital watermarking, 675
visitor location registers (VLRs), 463
VLANs (virtual local area networks)
  in defense-in-depth methodology, 145–146
  network architecture and, 516–517
  in network design, 455
  in server security, 404
VLRs (visitor location registers), 463
VoIP (Voice over Internet Protocol), 450–458
  analog telephone adaptors and, 450
  circuit switching vs., 451–452
  computer-to-computer calls via, 451
  crossover requirements of, 456
  H.323, 457
  IP phones for, 451
  network design for, 455
  packet switching of, 452–453
  protocols of, 456–457
  reasons for using, 453
  risk factors of, 455
  security issues with, 454–455
  server environments of, 456
  Session Initiation Protocol for, 457
  softphones vs. hardware phones with, 456
volatile information, 738
vulnerabilities
  analysis of, 528
  assessment of, 93, 824–825
  of browsers, 258
  in data protection, 804
  defined, 61
  exploiting, 172
  in future planning, 839–840
  identification of, 64–65
  scanning for, 30, 194
  statistics on, 384
  of Windows, 154–158


vulnerability mapping, 781, 785
vulnerability scanners, 781

W
W97M_SPY.A, 270
walk-through tests, 97
WAN (wide area networks), 145–146, 488–489
Wang, Xiaoyun, 616
WAP (Wireless Application Protocol), 504–505
war driving attacks, 136
war-dialing, 136
warez lists, 418
warm sites, 96
wavelength of sine waves, 460
Wavemon, 502
WBSs (work breakdown structures), 82–85
weak keys, 132
Web activity, 526
Web application attacks, 781
Web browser configurations, 276–286
  ActiveX in, 278
  caches in, 281–282
  content settings, 285
  cookies, 281
  cookies in, 276–277
  encryption in, 281, 286
  histories in, 281
  for Internet Explorer, 282–286
  for Internet zones, 282–283
  Java, 278–279
  JavaScript, 279–280
  for local intranet zones, 283
  Netscape in, 281–282
  plugins, 277–280
  privacy settings, 284–285
  for restricted sites zone, 284
  for trusted sites zone, 283–284
Web browser security, 255–286
  attacks on browsers, 268–269
  caching in, 264
  configurations of browsers for. See Web browser configurations
  convenience in, 256
  cookies in, 260–262
  encryption in, 286
  evolution of, 257
  functioning of browsers and, 259–265
  hijacking attacks in, 268–269
  HTTP in, 259–261
  Internet Explorer in, 282–286
  maintaining state in, 262–264
  operating browsers safely for. See operating Web browsers safely
  parasites on browsers, 269
  patches for, 271–272
  privacy vs., 256
  productivity and popularity of browsers vs., 256–257
  protections in browsers for, 258–259
  replay attacks on browsers, 269–270
  risks requiring, 255–259
  Secure Sockets Layer in, 264–268
  summary of, 286
  Transport Layer Security in, 264–265
  vulnerabilities of browsers and, 258
Web browsers
  attacks on, 268–269
  caching by, 264
  configuring. See Web browser configurations
  cookies and, 260–262
  HTTP for, 259–261
  maintaining state of, 262–264
  operating safely, 271–276
  Secure Sockets Layer in, 264–268
  security of. See Web browser security
  Transport Layer Security for, 264–265
Web browsing, 170, 178
Web bugs, 313–314
web of trust, 598–599, 692
Web search engines, 780
Web security
  account harvesting in, 315–316
  ActiveX and, 306–309
  attacks on Web servers, 315–317
  browsers and. See Web browser security
  client content and, 303–309
  Common Gateway Interface in, 301–302
  HTTP in. See HTTP (Hypertext Transfer Protocol)
  Java and, 304–309
  JavaScript and, 303–304
  permissions in, 305–306
  PHP pages and, 302–303
  sandboxes in, 304–305
  server content and, 301–303
  SQL injection in, 316–317
  state in. See state in Web security
  summary of, 321
  Web services, 317–321


Web services
  descriptions of, 320–321
  discovery of, 321
  overview of, 317–319
  standards and protocols for, 319
  transport of, 319
  Web security, 317–321
  XML messaging and, 319–320
Web site maintenance, 178
Wellenreiter, 501
WEP (Wired Equivalent Privacy). See Wired Equivalent Privacy (WEP)
WEPCrack, 502
WepLab, 501
white-box penetration testing, 771
whitelisting, 338, 567
whitening functions, 589–590
whois databases, 780
wide area networks (WAN), 145–146, 488–489
wIDS (wireless intrusion detection system), 503
WIDTH, 307
WIDZ, 503
WiFi Scanner, 503
WiMAX, 506–507
Windows
  configuration of, 172
  data protection in, 800
  operating safely. See operating Windows safely
  security of. See Windows security
  updates for, 149, 191–195
  upgrades of, 194
Windows, hardening. See also Windows security
  hosts in, 145–146, 149
  out-of-the-box operating system in, 151–154
  quick-start, 160
  system hardening in, 166–170
Windows 2003, 158–160
Windows security
  ad support in, 200–201
  antivirus protection in, 149, 171–173
  applications in, 171–175, 192–194
  architecture in, 176–177
  attacks on, 198–205
  auditing for, 197
  AUTORUN vs., 167
  back door attacks on, 203
  for business workstations, 170
  cleaning up systems for, 197–198
  denial-of-service attacks on, 203
  disabling unneeded services for, 164
  ease-of-use and, 147
  file extension attacks on, 204
  files in, 161–162, 167
  firewalls in, 149, 177
  hackers targeting, 147–148
  hardening for. See Windows, hardening
  hijacking attacks on, 204
  for home workstations, 170–171
  intrusion detection systems for, 177
  logging in, 197
  maintaining, 194–198
  Microsoft recommendations for, 149–151
  monitoring in, 196–197
  operating Windows safely for. See operating Windows safely
  overview of, 145–146
  packet sniffing attacks on, 204
  passwords in, 163–164, 169–170
  patches for, 161, 191–194
  performance issues in, 195
  personal firewalls for, 173–174
  physical security, 175–176, 202
  port blocking for, 162–163
  ports in, 159–160
  Pretty Good Privacy for, 175
  reasons for, 148–149
  re-evaluation and rebuilding in, 196
  Registry in, 167
  removing unneeded components for, 164–165
  scanning for, 194
  secure FTP for, 175
  Secure Shell for, 174
  security template for, 166
  service packs for, 161
  session replay attacks on, 204
  signatures for, 193
  social engineering attacks on, 204–205
  spyware, 200–202
  summary of, 205
  TEMPEST attacks on, 202–203
  testing. See testing Windows security
  Trojan horses in, 200
  users and, 168–169
  viruses in, 198–199
  vulnerability protections in. See Windows vulnerability protections
  workstations and, 175–179
  worms in, 199–200
Windows vulnerability protections. See also Windows security
  academic technologies/ideas for, 155–158
  canary values, 157


Windows vulnerability protections. See also Windows security (continued)
  library call safety in, 158
  McAfee for, 155
  operating safely for. See operating Windows safely
  stack data location rearrangement, 155–156
  Symantec for, 154
  system calls, 156–157
  vulnerability protections, 154–158
Wired Equivalent Privacy (WEP)
  802.1X authentication and, 491–492
  WEPCrack in, 502
  for IEEE 802.11 wireless security, 486, 489–496
  Initialization Vector in, 489–492
  Message Integrity Codes and, 494–495
  open authentication in, 490
  overview of, 486, 489–490
  per-packet mixing function of, 492–493
  rekeying against key reuse in, 495–496
  security upgrades of, 491
  shared key authentication in, 490–491
  Temporal Key Integrity Protocol and, 492–496
wireless access points, 781
Wireless Application Protocol (WAP), 504–505
wireless channels, 481–482
wireless infrastructures, 28
wireless intrusion detection system (wIDS), 503
wireless network security stack, 486–489
wireless proximity readers, 101
wireless security
  3G cellular technologies in, 507
  Advanced Mobile Phone System in, 470–471
  Bluetooth in, 503–504
  cell phones and. See cellular telephones
  Cellular Digital Packet Data in, 471
  Code Division Multiple Access in, 469–470
  electromagnetic spectrum in, 459–461
  Frequency Division Multiple Access in, 469
  future of, 506
  IEEE 802.11 wireless security. See IEEE 802.11
  IEEE 802.20 for, 507
  IEEE wireless LAN specifications for, 478–480
  of International Mobile Telecommunications 2000 (IMT-2000), 471–472
  MAC layer in, 478–480
  Nordic Mobile Telephone in, 471
  Personal Digital Cellular in, 471
  of pervasive wireless data network technologies, 473–478
  PHY layer in, 478
  of spread spectrum technologies, 473–478
  summary of, 508
  Time Division Multiple Access in, 469
  Total Access Communication System in, 471
  of Universal Mobile Telecommunications System, 472–473
  WiMAX and, 506–507
  Wireless Application Protocol in, 504–505
  of wireless transmission systems, 469–473
wireless transmission systems, 469–473
wireless WAN (wide area networks), 488–489
Wireshark, 208
word processing, 170
work breakdown structures (WBSs), 82–85
workstations
  attacks on, 198–205
  back door attacks on, 203
  business, 170
  denial-of-service attacks on, 203
  firewalls in, 177
  hijacking attacks on, 204
  home, 170–171
  intrusion detection systems on, 177
  in network architecture, 176–177
  not in use, 179
  physical security in, 175–176
  putting on networks, 175–177
  social engineering attacks on, 204–205
  software on, 183–184
  testing, 175
  Trojan horses on, 200
  viruses on, 198–199
  worms attacking, 199–200
world category, 237
World Wars I and II, 640
worms
  in quantum cryptography, 627–628
  on Windows, 186–187
  on workstations, 199–200
write blockers, 735

X
X.509 standard, 598, 700–702
xfs, 227
xinetd process, 227, 234–235
XML (Extensible Markup Language), 319–320
XOR function, 585–586
XSS (cross-site scripting), 407–408, 827
X-Window System, 435


Y
Yin, Yiqun Lisa, 616
Yu, Hongbo, 616

Z
zero configuration networks, 519–524
zero knowledge penetration testing, 772, 780
zeroconf, 521–524
zero-day attack prevention, 155
Zimmermann, Phil, 682
zip algorithms, 296
zone files, 362–364
zone records, 360–361
zone transfers
  alternatives to, 382
  Domain Name System in, 381–382, 388
  historical problems of, 380
  introduction to, 379–382
  master-slave relationships and, 388
  requiring certificates in, 380–381
  specifying transfer sites for, 380
zones, defined, 359
