Chapter 1 Introduction to Information Security
Introduction
The History of Information Security
The 1960s
The 1970s and 80s
The 1990s
The Present
What Is Security?
What Is Information Security?
Critical Characteristics of Information
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
NSTISSC Security Model
Components of an Information System
Software
Hardware
Data
People
Procedures
Securing the Components
Balancing Security and Access
Top-Down Approach to Security Implementation
The Systems Development Life Cycle
Methodology
Phases
Investigation
Analysis
Logical Design
Physical Design
Implementation
Maintenance and Change
The Security Systems Development Life Cycle
Investigation
Analysis
Logical Design
Physical Design
Implementation
Maintenance and Change
Key Terms
Security Professionals and the Organization
Senior Management
Security Project Team
Data Ownership
Communities of Interest
Information Security Management and Professionals
Information Technology Management and Professionals
Organizational Management and Professionals
Information Security: Is It an Art or a Science?
Security as Art
Security as Science
Security as a Social Science
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 2 The Need for Security
Introduction
Business Needs First, Technology Needs Last
Protecting the Ability of the Organization to Function
Enabling the Safe Operation of Applications
Protecting Data that Organizations Collect and Use
Safeguarding Technology Assets in Organizations
Threats
Threat Group 1: Inadvertent Acts
Threat Group 2: Deliberate Acts
Threat Group 3: Acts of God
Threat Group 4: Technical Failures
Threat Group 5: Management Failures
Attacks
Malicious Code
Hoaxes
Back Doors
Password Crack
Brute Force
Dictionary
Denial-of-Service (DOS) and Distributed Denial-of-Service (DDoS)
Spoofing
Man-in-the-Middle
Spam
Mail bombing
Snifters
Social Engineering
Buffer Overflow
Timing Attack
Chapter Summary
Review Questions
Case Exercises
Chapter 3 Legal, Ethical and Professional Issues in Information Security
Introduction
Law and Ethics in Information Security
Types Of Law
Relevant U.S. Laws
General Computer Crime Laws
Privacy
Export and Espionage Laws
U.S. Copyright Law
International Laws and Legal Bodies
European Council Cyber-Crime Convention
Digital Millennium Copyright Act (DMCA)
United Nations Charter
Policy Versus Law
Ethical Concepts in Information Security
Cultural Differences in Ethical Concepts
Software License Infringement
Illicit Use
Misuse of Corporate Resources
Ethics and Education
Deterrence to Unethical and Illegal Behavior
Codes of Ethics, Certifications, and Professional Organizations
Other Security Organizations
Key U.S. Federal Agencies
Organizational Liability and the Need for Counsel
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 4 Risk Management: Identifying and Assessing Risk
Introduction
Chapter Organization
Risk Management
Know Yourself
Know the Enemy
All Communities of Interest are Accountable
Integrating Risk Management into the SecSDLC
Risk Identification
Asset Identification and Valuation
Automated Risk Management Tools
Information Asset Classification
Information Asset Valuation
Listing Assets in Order of Importance
Data Classification and Management
Security Clearances
Management of Classified Data
Threat Identification
Identify And Prioritize Threats and Threat Agents
Vulnerability Identification
Risk Assessment
Introduction to Risk Assessment
Likelihood
Valuation of Information Assets
Percentage of Risk Mitigated by Current Controls
Risk Determination
Identify Possible Controls
Access Controls
Documenting Results of Risk Assessment
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 5 Risk Management: Assessing and Controlling Risk
Introduction
Risk Control Strategies
Avoidance
Transference
Mitigation
Acceptance
Risk Mitigation Strategy Selection
Evaluation, Assessment, and Maintenance of Risk Controls
Categories of Controls
Control Function
Architectural Layer
Strategy Layer
Information Security Principles
Feasibility Studies
Cost Benefit Analysis (CBA)
Other Feasibility Studies
Risk Management Discussion Points
Risk Appetite
Residual Risk
Documenting Results
Recommended Practices in Controlling Risk
Qualitative Measures
Delphi Technique
Risk Management and the SecSDLC
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 6 Blueprint For Security
Introduction
Information Security Policy, Standards, and Practices
Definitions
Security Program Policy (SPP)
Issue-Specific Security Policy (ISSP)
Systems-Specific Policy (SysSP)
Policy Management
Information Classification
Systems Design
Information Security Blueprints
ISO 17799/BS 7799
NIST Security Models,
NIST Special Publication SP 800-12
NIST Special Publication 800-14
IETF Security Architecture
VISA International Security Model
Baselining and Best Business Practices
Hybrid Framework for a Blueprint of an Information Security System
Security Education, Training, and Awareness Program
Security Education
Security Training
Security Awareness
Design of Security Architecture
Defense in Depth
Security Perimeter
Key Technology Components
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 7 Planning for Continuity
Introduction
Continuity Strategy
Business Impact Analysis
Threat Attack Identification and Prioritization
Business Unit Analysis
Attack Success Scenario Development'
Potential Damage Assessment
Subordinate Plan Classification
Incident Response Planning
Incident Planning
Incident Detection
When Does an Incident Become a Disaster?
Incident Reaction
Notification of Key Personnel
Documenting an Incident
Incident Containment Strategies
Incident Recovery
Prioritization of Efforts
Damage Assessment
Recovery
Backup Media
Automated Response
Disaster Recovery Planning
The Disaster Recovery Plan
Crisis Management
Recovery Operations
Business Continuity Planning
Developing Continuity Programs (BCPs)
Continuity Strategies
Model for a Consolidated Contingency Plan
The Planning Document
Law Enforcement Involvement
Local, State, or Federal Authorities
Benefits and Drawbacks of Law Enforcement Involvement
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 8 Security Technology
Introduction
Physical Design of the SecSDLC
Firewalls
Development of Firewalls
Firewall Architectures
Configuring and Managing Firewalls
Dial-up Protection
RADIUS and TACACS
Intrusion Detection Systems (IDS)
Host-based IDS
Network-based IDS
Signature-based IDS
Statistical Anomaly-based IDS
Scanning and Analysis Tools
Port Scanners
Vulnerability Scanners
Packet Sniffers
Content Filters
Trap and Trace
Cryptography and Encryption-based Solutions
Encryption Definitions
Encryption Operations
Verrnam Cipher
Book or Running Key Cipher
Symmetric Encryption
Asymmetric Encryption
Digital Signatures
RSA
PKI
What are Digital Certificates and Certificate Authorities?
Hybrid Systems
Securing E-mail
Securing the Web
Securing Authentication
Sesame
Access Control Devices
Authentication
Effectiveness of Biometrics
Acceptability of Biometrics
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 9 Physical Security
Introduction
Access Controls
Controls for Protecting the Secure Facility
Fire Safety
Fire Detection and Response
Failure of Supporting Utilities and Structural Collapse
Heating, Ventilation, and Air Conditioning
Power Management and Conditioning
Testing Facility Systems
Interception of Data
Mobile and Portable Systems
Remote Computing Security'
Special Considerations for Physical Security Threats
Inventory Management
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 10 Implementing Security
Introduction
Project Management in the Implementation Phase
Developing the Project Plan
Project Planning Considerations
The Need for Project Management
Supervising Implementation
Executing the Plan
Wrap-up
Technical Topics of Implementation
Conversion Strategies
The Bull's-eye Model for Information Security Project Planning
To Outsource or Not
Technology Governance and Change Control
Nontechnical Aspects of Implementation
The Culture of Change Management
Considerations for Organizational Change
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 11 Security and Personnel
Introduction
The Security Function Within an Organization's Structure
Staffing the Security Function
Qualifications and Requirements
Entry into the Security Profession
Information Security Positions
Credentials of Information Security Professionals
Certified Information Systems Security Professional (CISSP) and Systems Security Certified
Practitioner (SSCP)
Security Certified Professional
TruSecure ICSA Certified Security Associate (T.I.C.S.A.) and TruSecure ICSA Certified Security
Expert (T.I.C.S.E.)
Security+
Certified Information Systems Auditor (CISA)
Certified Information Systems Forensics Investigator
Related Certifications
Cost of Being Certified
Advice for Information Security Professionals
Employment Policies and Practices
Hiring and Termination Issues
Performance Evaluation
Termination
Security Considerations for Nonemployees
Temporary Employees
Contract Employees
Consultants
Business Partners
Separation of Duties and Collusion
Privacy and the Security of Personnel Data
Chapter Summary
Review Questions
Exercises
Case Exercises
Chapter 12 Information Security Maintenance
Introduction
Managing for Change
Security Management Models
The ISO Network Management Model
The Maintenance Model
Monitoring the External Environment
Monitoring the Internal Environment
Planning and Risk Assessment
Vulnerability Assessment and Remediation
Readiness and Review
Chapter Summary
Review Questions
Exercises
Case Exercises
Appendix A Cryptography
Introduction
Definitions
Types of Ciphers
Polyalphabetic Substitution Ciphers
Transposition Ciphers
Cryptographic Algorithms
Asymmetric Cryptography or Public Key Cryptography
Hybrid Cryptosystems
Popular Cryptographic Algoritms
Data Encryption Standard (DES)
Data Encryption Core Process
Public Key Infrastructure (PKI)
Digital Signatures
Digital Certificates
Pretty Good Privacy (PGP)
PGP Suite of Security Solutions
Protocols for Secure Communications
S-HTTP and SSL
Secure/Multipurpose Intemet Mail Extension (S/MIME)
Intemet Protocol Security (IPSec)
Attacks on Cryptosystems
Man-in-the-Middle Attack
Correlation Attacks
Dictionary Attacks
Timing Attacks
Glossary
鄂公网安备 42010302001612号 