... the
e-commerce server. This part of the system includes the customer’s computer and
browser software and the communications link to the server (see Figure 11-1).
Within this part of the system, we ... information that is saved to the customer’s system
▲ The protection of the fact that a particular customer made a particular order
Communications Security
Communications security for e-comme...
... well as assurance requirements. Thus, in order for a system to meet the qualifications for a particular
level of certification it had to meet the functional and the assurance requirements.
The ... classification, access would be denied.
This concept of modeling eventually led to United States Department of Defense
Standard 5200.28, The Trusted Computing System Evaluation Criteria (TCSEC,...
... this part of the procedure is to identify the organization's objectives before an incident occurs.
Event Identification
The identification of an incident is perhaps the most difficult part ... situation.
Authority
An important part of the IRP is defining who within the organization and the incident response
team has the authority to take action. This part of the procedure should...
... useful. However, we may not necessarily have
knowledge of a directed or specific threat against some part of the organization.
If we assume a generic threat (somebody probably has the access, knowledge, ... or replace systems
■ Cost of experts to assist
▲ Employee overtime
As you can see from just this partial list, the costs of a successful penetration can be
large. Some of these costs wil...
... server itself.
The organization may choose to provide a File Transfer Protocol (FTP) server as part
of the Web server. An FTP server allows external individuals to get or send files. This service ... Beginner's Guide
External access can take two forms: employee access (usually from remote locations
as part of their job) or non-employee access. Employee access to internal systems from r...
...                                  Service                      Action
1  Partner network  Partner DMZ      Appropriate for partnership  Accept
2  Partner network  Any              Any                          Deny
3  Partner DMZ      Partner network  Appropriate for partnership  Accept
4  Any              Partner network
... to the partner DMZ and one to the partner network.
Additional rules must be added to the firewall to allow systems at the partner organization
as well as internal systems to access the partn...
... traffic for the length of time the traffic is
valuable. Passwords may only be valuable for 30 days (assuming a 30-day change policy);
however, sensitive information may be valuable for years. Therefore, ... must be loaded on
user computers. If the computers are owned by the organization, this becomes part of the
standard software load for the computer. If the organization allows empl...
... analysis continues for some period of time after the information gathering is complete.
During this part of the task, the team will attempt to assimilate all of the information
... gathered and to rank the risks to the organization. Measuring the risk is
often the most difficult part of this task as the cost of a successful exploitation of a vulnerability
may be...
... individuals.
Vulnerability Scanning
Scanning computer systems for vulnerabilities is an important part of a good security
program. Such scanning will help an organization to identify potential entry ... systems and information. It could actually be done relatively cheaply as well.
Just dig a hole about 30 feet deep. Line the hole with concrete and place all-important systems
and inform...