
Ebook Information security management handbook (Sixth edition, Volume 6): Part 2


DOCUMENT INFORMATION

Basic information

Format
Pages: 231
Size: 11.72 MB

Contents

Ebook Information security management handbook (Sixth edition, Volume 6): Part 2 includes the following content: Domain 6, Security Architecture and Design: principles of computer and network organizations, architectures, and designs; Domain 7, Operations Security: operations controls; Domain 8, Business Continuity and Disaster Recovery Planning; Domain 9, Legal, Regulations, Compliance, and Investigations: major categories of computer crime; Domain 10, Physical (Environmental) Security: elements of physical security.

Chapter 17
Building Application Security Testing into the Software Development Life Cycle
Sandy Bacik

Every enterprise should utilize an application development life cycle, and within that life cycle there should be an application security architecture. An application security architecture is the strong foundation of the application, providing controls to protect the confidentiality of information, the integrity of data, and access to the data when it is required (availability), and ensuring that only authorized entities have that access. An application security architecture also carefully considers feature sets, controls, and safer and more reliable processes in line with the enterprise's security posture. As security controls are developed for an application, they must be tested during the user testing and quality assurance testing processes. At a very high level, application security testing should consider answering the following questions:

◾ Is the process surrounding this function, service, or feature as safe and strong as possible without impacting operational requirements? In other words, is this a flawed process?
◾ If I were a bad entity, how could/would I abuse this function, service, or feature?
◾ If I were an inexperienced user, how could/would I use/abuse this function, service, or feature?
◾ Is the function, service, or feature required to be on by default? If so, are there limits or options that could help limit the risk from this function, service, or feature?
◾ Have success, failure, and abuse been considered when testing this function, service, or feature?

Security functions, services, and features that are built into an application should be based on existing application objectives, business requirements, use cases, and then test cases. When security functions, services, and features within an application are developed from documented requirements, the development of test cases for security should be relatively easy. Many times, this is not the case. The tester must then attempt to build security testing into the quality assurance testing processes. If it is the responsibility of the tester to include security testing in their process without the support of management and without security being built into the life cycle, the tester faces an uphill job in ensuring that security testing is included as part of the application life cycle. Building in security requirements and test cases will produce a stronger and more secure application and application development life cycle.

Over the last decade, many software issues have not improved. Some of the top software development flaws include the following (this is not an exhaustive list):

◾ Buffer overruns
◾ Format string problems
◾ Integer overflows
◾ SQL and command injection
◾ Failing to handle errors or revealing too much information
◾ Cross-site scripting
◾ Failing to protect network transactions
◾ Use of magic URLs and hidden form fields
◾ Improper use of SSL and TLS
◾ Use of weak authentication mechanisms, such as weak passwords
◾ Failing to store and protect data securely
◾ Information leakage
◾ Improper file access
◾ Race conditions
◾ Poor usability

How can we improve this? Yes, by extending the application development life cycle to include more testing, specifically security testing. Without a good foundation on which to develop security testing, improving the security of an application cannot be accomplished. Before developing application test cases and testing requirements, standard definitions need to be accepted by the group. For example:

◾ A set of test requirements is a set of technical or administrative actionable statements, not subject to interpretation, from which a tester develops a test plan/procedure.
◾ A test case is a step scenario of the items to be tested, based upon a set of use cases and requirements.
◾ A test plan/procedure is a detailed list of tasks, based on a requirement, for performing the test. This is the "how." For example, a test plan/procedure will contain a requirement, passed, failed, and remarks about the test. A requirement would be something similar to "the time stamp shall be read from the clock off a centralized time source."
◾ A test program is a set or collection of test plans/procedures.
◾ Defining a test requirement:
  − The term "shall" means the requirement is required.
  − The term "should" means the requirement is optional.
  − The requirement shall be positively stated.
  − The requirement shall contain one and only one action.
  − The requirement shall be documented as technical or administrative.
  − The requirement shall be detailed enough to tell the tester what specifically needs to be tested, and shall not contain implementation details.
  − The requirement shall include what needs to be verified.
  − The requirement shall use strong verbs. Action verbs are observable and better communicate the intent of what is to be attempted, such as to plan, write, conduct, produce, apply, recite, revise, contrast, install, select, assemble, compare, investigate, develop, demonstrate, find, use, perform, show, assess, identify, illustrate, classify, formulate, indicate, represent, explain, etc.
  − The requirement shall avoid verbs that can be misinterpreted, such as understand, know, think, determine, believe, be aware of, be familiar with, conceptualize, learn, comprehend, appreciate, and be conscious of.
  − The requirement shall avoid generalities in objective statements; infinitives to avoid include to know, understand, enjoy, and believe, rather than to learn, understand, and feel. The words need to be not only active but also measurable.

Example of Integrating Security into the Application Development Life Cycle

As an example of integrating security into the application development life cycle and developing security application testing: while an application is being developed, use or business cases are developed to ensure that the application being developed meets the needs of the stakeholders. The application use cases then form the basis of the test cases that quality assurance testers will run. The application use case can provide the following baselines for developing a test case and test requirements:

◾ Name the system scope and boundaries.
◾ Who are the primary actors, or what are the endpoints sending and receiving information?
◾ What is the goal of the system or transaction?
◾ Who are the stakeholders?
◾ What are the requirements?
◾ What are the actor/endpoint interests, preconditions, and guarantees?
◾ What is the main success scenario?
◾ What are the steps to success?

From the information described in an application use case, application security requirements can be developed. Suppose the application development requirements include something like the following (again, not an exhaustive list):

◾ Data entry fields shall have secure defaults.
◾ Access shall be based on the principle of least privilege.
◾ The application shall employ a defense-in-depth strategy.
◾ The application shall fail securely and not display sensitive information.
◾ The application shall verify and validate all services.
◾ The application shall employ segregation of duties based on roles.

From this list of requirements, we know that the following functions are the minimum required for this application:

◾ Administration
◾ Integration
◾ Authentication
◾ Authorization
◾ Segregation of duties
◾ Access control
◾ Logging
◾ Record/log retention
◾ Reporting, alerting, and monitoring

As the scenarios are developed for test cases, the above functions need to be integrated into the scenarios and steps within the application. A sample test case paragraph could be as follows:

The application user shall be authenticated using an application user account and password prior to being placed in an application role, and shall have one and only one user session at one time. The application shall log all successful and failed authentication attempts to access the application.

The steps developed within the application test case would then include the following:

◾ The application shall display a user logon screen.
◾ The user shall enter a user ID and password.
◾ The application shall validate the entered user ID and password.
◾ If the user ID or password is invalid, the application shall display an invalid logon message.
◾ If the user ID or password is invalid, the application shall log an invalid logon message.
◾ If the user ID and password are valid, the application shall validate that this is the only signed-in location for the user account.
◾ If the user ID and password are valid, the application shall log a valid logon message.
◾ If the user ID and password are valid, the session shall be placed in an application role based on the user account membership.

From the above set of requirements, the application tester can now produce detailed steps to perform security testing of the authentication process. These security testing steps need to include testing as a good user, as an intentionally bad user, as an accidentally bad user, and as a user not authorized to access and use the application. Other things to consider when testing authentication and authorization include the following:

◾ Setting up multiple sessions with the same and different information to overload the system
◾ Valid/invalid/disabled accounts
◾ Password changes/lockouts/resets
◾ Elevating privileges (administrative versus nonadministrative)
◾ Accessing screens/fields/tables/functions
◾ Valid/invalid data in each field
◾ Logging out versus aborting the application
◾ Information disclosure on errors and aborting
◾ Information and access within log files and alerts
◾ Hidden fields: special areas to click to execute
◾ Can you get to a command line (listing or seeing directory content)?
◾ Can you put extra characters in a field and get the application to accept them?
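As an added example that is not part of the handbook chapter, the Python code below implements the logon steps from the sample test case above and encodes the tester's checks (good user, accidentally bad user, intentionally bad user, unauthorized user, duplicate session, lockout, and logging of every outcome) as runnable test cases. It also applies the guidance from the table of flaws that follows for weak password-based systems: a salted one-way hash for password storage, one single message for failed logins, and logging of failed attempts. The class and function names, the lockout threshold, the PBKDF2 parameters, and the sample accounts are assumptions of this example, not from the chapter.

```python
# Added example (not from the handbook): a minimal authentication service and
# the security test cases derived from the chapter's sample requirement paragraph.
# AuthService, login, run_security_test_cases and all sample data are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

HASH_ITERATIONS = 100_000      # PBKDF2 work factor for the salted one-way hash (assumed)
MAX_FAILURES = 3               # lockout threshold (assumed value)
INVALID_LOGON = "Invalid user ID or password."   # the one message for every failure


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way function for password storage; the password itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    roles: tuple
    enabled: bool = True
    failures: int = 0


@dataclass
class Session:
    user_id: str
    role: str
    token: str


class AuthService:
    """Logon steps: validate credentials, log every outcome, allow one session, assign a role."""

    def __init__(self):
        self.accounts = {}
        self.sessions = {}     # user_id -> Session: one and only one per account
        self.log = []          # (event, user_id) for every attempt, success or failure

    def add_account(self, user_id, password, roles, enabled=True):
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt),
                                         tuple(roles), enabled)

    def login(self, user_id, password):
        """Returns (Session, None) on success or (None, message) on any failure."""
        acct = self.accounts.get(user_id)
        # Hash even for unknown IDs so rejecting an unknown ID costs the same as a wrong password.
        probe = hash_password(password, acct.salt if acct else bytes(16))
        ok = (acct is not None and acct.enabled and acct.failures < MAX_FAILURES
              and hmac.compare_digest(probe, acct.pw_hash))
        if not ok:
            if acct is not None:
                acct.failures += 1
            self.log.append(("FAIL", user_id))     # "shall log an invalid logon message"
            return None, INVALID_LOGON             # same text for unknown, wrong, disabled, locked
        if user_id in self.sessions:               # "the only signed-in location for the user account"
            self.log.append(("DUPLICATE_SESSION", user_id))
            return None, "An active session already exists for this account."
        acct.failures = 0
        session = Session(user_id, acct.roles[0], secrets.token_urlsafe(16))
        self.sessions[user_id] = session
        self.log.append(("SUCCESS", user_id))      # "shall log a valid logon message"
        return session, None

    def logout(self, session):
        self.sessions.pop(session.user_id, None)
        self.log.append(("LOGOUT", session.user_id))


def run_security_test_cases():
    """Exercise the steps as a good, accidentally bad, intentionally bad and unauthorized
    user; returns {test name: passed}. Accounts and passwords are constructed sample data."""
    svc = AuthService()
    svc.add_account("alice", "correct horse battery staple", ["clerk"])
    svc.add_account("mallory", "letmein", ["clerk"], enabled=False)
    results = {}
    good, _ = svc.login("alice", "correct horse battery staple")
    results["good_user_placed_in_role"] = good is not None and good.role == "clerk"
    second, _ = svc.login("alice", "correct horse battery staple")
    results["single_session_enforced"] = second is None
    svc.logout(good)
    _, typo_msg = svc.login("alice", "correct horse battery stapel")          # accidental
    _, unknown_msg = svc.login("nosuchuser", "correct horse battery staple")  # intentional
    results["one_failure_message"] = typo_msg == unknown_msg == INVALID_LOGON
    disabled, _ = svc.login("mallory", "letmein")                             # unauthorized
    results["disabled_account_refused"] = disabled is None
    for _ in range(MAX_FAILURES):
        svc.login("alice", "wrong password")
    locked, _ = svc.login("alice", "correct horse battery staple")
    results["lockout_after_repeated_failures"] = locked is None
    events = {event for event, _ in svc.log}
    results["success_and_failure_logged"] = {"SUCCESS", "FAIL"} <= events
    return results


if __name__ == "__main__":
    for name, passed in run_security_test_cases().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Each entry in the returned dictionary corresponds to one tester persona or one "other thing to consider" from the list above, so a failing entry points at the requirement that the implementation does not meet. The failure message is deliberately identical for an unknown ID, a wrong password, a disabled account and a locked account, so the tester can check it by comparison rather than by reading screen text.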
Use application security requirements to build security test cases. Use existing test cases and look at them from a security point of view to add further testing. Look at what can accidentally or deliberately be done with the application. Using the flaws listed above, which are found in many applications, the following table describes some of the tests that could be performed during quality assurance testing to build security testing into the application life cycle.

Potential Software Flaw / Security Testing to Be Included

Buffer overruns:
◾ Carefully check your buffer accesses by using safe string and buffer handling functions.
◾ Use compiler-based defenses.
◾ Use operating system-level buffer overrun defenses.
◾ Understand what data the attacker controls, and manage that data safely in code.

Format string problems:
◾ Use fixed format strings, or format strings from a trusted source.
◾ Check and limit locale requests to valid values.

Integer overflows:
◾ Check all calculations used to determine memory allocations to ensure that the arithmetic cannot overflow.
◾ Check all calculations used to determine array indexes to ensure that the arithmetic cannot overflow.
◾ Use unsigned integers for array offsets and memory allocation sizes.

SQL and command injection:
◾ Understand the database you use.
◾ Check the input for validity and trustworthiness.
◾ Use parameterized queries, prepared statements, placeholders, or parameter binding to build SQL statements.
◾ Store the database connection information in a location outside of the application.
◾ Perform input validation on all inputs before passing them to a command processor.
◾ Handle the failure securely if an input validation check fails.

Failing to handle errors:
◾ Check the return value of every function.
◾ Attempt to gracefully recover from error conditions.

Cross-site scripting:
◾ Check all Web-based inputs for validity and trustworthiness.
◾ HTML-encode all outputs originating from user input.

Failing to protect network traffic:
◾ Perform ongoing message authentication for all network traffic.
◾ Use a strong initial authentication mechanism.
◾ Encrypt all data for which privacy is a concern, and err on the side of privacy.
◾ Use SSL/TLS for all on-the-wire crypto needs.

Use of magic URLs and hidden form fields:
◾ Test all Web input, including forms, with malicious input.

Improper use of SSL and TLS:
◾ Use the latest version of SSL/TLS available.
◾ Understand the strengths and weaknesses of the approach if you are not using cryptographic primitives to solve some of these issues.
◾ Use a certificate allow list, if applicable.
◾ Ensure that, before you send data, the peer certificate is traced back to a trusted CA and is within its validity period.
◾ Check that the expected hostname appears in a proper field of the peer certificate.

Use of weak password-based systems:
◾ Ensure that passwords are not unnecessarily snoopable over the wire when authenticating.
◾ Give one single message for failed login attempts.
◾ Log failed password attempts.
◾ Use a strong, salted cryptographic one-way function based on a hash for password storage.
◾ Provide a secure mechanism for people who know their passwords to change them.

Improper file access:
◾ Be strict about what you will accept as a valid filename.

Race conditions:
◾ Write code that does not depend on side effects.
◾ Be very careful when writing signal handlers.

Information leakage:
◾ Define who should have access to what error and status information.
◾ Use operating system defenses such as ACLs and permissions.
◾ Use cryptographic means to protect sensitive data.

Failing to store and protect data securely:
◾ Think about the access controls the application explicitly places on objects, and the access controls objects inherit by default.
◾ Realize that some data is so sensitive it should never be stored on a general-purpose production server.
◾ Leverage the operating system capabilities to secure secret and sensitive data.
◾ Use appropriate permissions.
◾ Remove the secret from memory space once you have used it.
◾ Scrub the memory before you free it.

Poor usability:
◾ Understand users' security needs and provide the appropriate information to help them get their jobs done.
◾ Default to a secure configuration whenever possible.
◾ Provide simple and easy-to-understand messages.
◾ Make security prompts actionable.

Conclusion

If the application life cycle includes security from the beginning, then security application testing will logically follow when performing quality assurance and user testing. If security is not included throughout the application life cycle, it will be harder to accomplish good application security testing within the quality assurance and user test processes. Including application security testing within the application life cycle will reduce the risk to information assets within the enterprise.

Comprehensive Table of Contents (continued)

Domain 4: Application Development Security (continued)
◾ Web Application Security, Mandy Andress
◾ Security for XML and Other Metadata Languages, William Hugh Murray
◾ XML and Information Security, Samuel C. McClintock
◾ Application Security, Walter S. Kobus, Jr.
◾ Covert Channels, Anton Chuvakin
◾ Security as a Value Enhancer in Application Systems Development, Lowell Bruce McCulley
◾ Open Source versus Closed Source, Ed Skoudis
◾ A Look at Java Security, Ben Rothke
◾ Neural Networks and Information Assurance Uses, Sean M. Price
◾ Information Technology Infrastructure Library and Security Management Overview, David McPhee
◾ Adaptation: A Concept for Next-Generation Security Application Development, Robby S. Fussell
◾ Quantum Computing: Implications for Security, Robert M. Slade
◾ Mashup Security, Mano Paul
◾ Format String Vulnerabilities, Mano Paul

4.2 Databases and Data Warehousing
◾ Reflections on Database Integrity, William Hugh Murray
◾ Digital Signatures in Relational Database Applications, Mike R. Prevost
◾ Security and Privacy for Data Warehouses: Opportunity or Threat?, David Bonewell, Karen Gibbs, and Adriaan Veldhuisen

4.3 Systems Development Controls
◾ Data Loss Prevention Program, Powell Hamilton
◾ Data Reliability: Trusted Time Stamps, Jeff Stapleton
◾ Security in the .NET Framework, James D. Murray
◾ Building and Assessing Security in the Software Development Lifecycle, George G. McBride
◾ Avoiding Buffer Overflow Attacks, Sean Price
◾ Secure Development Life Cycle, Kevin Henry
◾ System Development Security Methodology, Ian Lim and Ioana V. Bazawan
◾ Software Engineering Institute Capability Maturity Model, Matt Nelson
◾ Enterprise Security Architecture, William Hugh Murray
◾ Certification and Accreditation Methodology, Mollie E. Krehnke and David C. Krehnke
◾ System Development Security Methodology, Ian Lim and Ioana V. Carastan
◾ Methods of Auditing Applications, David C. Rice and Graham Bucholz
◾ The Effectiveness of Access Management Reviews, Chris Hare
◾ Securing SaaS Applications: A Cloud Security Perspective for Application Providers, Pradnyesh Rane
◾ Attacking RFID Systems, Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan M. Estevez-Tapiador, and Arturo Ribagorda
◾ Application Whitelisting, Georges J. Jahchan
◾ Design of Information Security for Large System Development Projects, James C. Murphy
◾ Building Application Security Testing into the Software Development Life Cycle, Sandy Bacik

4.4 Malicious Code
◾ Fast Scanning Worms, Paul A. Henry
◾ Organized Crime and Malware, Michael Pike
◾ Net-Based Malware Detection: A Comparison with Intrusion Detection Models, Robert M. Slade
◾ Malware and Computer Viruses, Robert M. Slade
◾ An Introduction to Hostile Code and Its Control, Jay Heiser
◾ A Look at Java Security, Ben Rothke
◾ Twenty-Five (or Forty) Years of Malware History, Robert M. Slade

4.5 Methods of Attack
◾ Hacking Methods, Georges J. Jahchan
◾ Enabling Safer Deployment of Internet Mobile Code Technologies, Ron Moritz

Domain 5: Cryptography

5.1 Use of Cryptography
◾ Auditing Cryptography: Assessing System Security, Steve Stanek
◾ Three New Models for the Application of Cryptography, Jay Heiser

5.2 Cryptographic Concepts, Methodologies, and Practices
◾ Cryptography: A Unifying Principle in Compliance Programs, Ralph Spencer Poore
◾ Cryptographic Transitions, Ralph Spencer Poore
◾ Blind Detection of Steganographic Content in Digital Images Using Cellular Automata, Sasan Hamidi
◾ An Overview of Quantum Cryptography, Ben Rothke
◾ Elliptic Curve Cryptography: Delivering High-Performance Security for E-Commerce and Communications, Paul Lambert
◾ Cryptographic Key Management Concepts, Ralph Spencer Poore
◾ Message Authentication, James S. Tiller
◾ Fundamentals of Cryptography and Encryption, Ronald A. Gove
◾ Steganography: The Art of Hiding Messages, Mark Edmead
◾ An Introduction to Cryptography, Javek Ikbal
◾ Hash Algorithms: From Message Digests to Signatures, Keith Pasley
◾ A Look at the Advanced Encryption Standard (AES), Ben Rothke
◾ Message Digest, Ralph Spencer Poore
◾ Quantum Computing: The Rise of the Machine, Robby Fussell
◾ Cryptography: Mathematics vs. Engineering, Ralph Spencer Poore
◾ Cryptographic Message Syntax, Jeff Stapleton
◾ Format Preserving Encryption, Ralph Spencer Poore
◾ Elliptic Curve Cryptosystems, Jeff Stapleton
◾ Pirating the Ultimate Killer App: Hacking Military Unmanned Aerial Vehicles, Sean P. McBride

5.3 Private Key Algorithms
◾ Principles and Applications of Cryptographic Key Management, William Hugh Murray

5.4 Public Key Infrastructure (PKI)
◾ Preserving Public Key Hierarchy, Geoffrey C. Grabow
◾ PKI Registration, Alex Golod
◾ Encryption Key Management in Large-Scale Network Deployments, Franjo Majstor and Guy Vancollie

5.5 System Architecture for Implementing Cryptographic Functions
◾ Implementing Kerberos in Distributed Systems, Joe Kovara and Ray Kaplan

5.6 Methods of Attack
◾ Methods of Attacking and Defending Cryptosystems, Joost Houwen

Domain 6: Security Architecture and Design

6.1 Principles of Computer and Network Organizations, Architectures, and Designs
◾ Enterprise Assurance: A Framework Explored, Bonnie A. Goins
◾ Creating a Secure Architecture, Christopher A. Pilewski and Bonnie A. Goins
◾ Common Models for Architecting an Enterprise Security Capability, Matthew J. Decker
◾ The Reality of Virtual Computing, Chris Hare
◾ Service-Oriented Architecture and Web Services Security, Glenn J. Cater
◾ Analysis of Covert Channels, Ralph Spencer Poore
◾ Security Architecture of Biological Cells: An Example of Defense in Depth, Kenneth J. Knapp and R. Franklin Morris, Jr.
◾ ISO Standards Draft Content, Scott Erkonen
◾ Security Frameworks, Robert M. Slade
◾ Information Flow and Covert Channels, Sean Price
◾ Securing Data at Rest: From Smartphones to Tapes, Defining Data at Rest, Sam Chun and Leo Kahng
◾ Best Practices in Virtualization Security, Shanit Gupta
◾ Everything New Is Old Again, Robert M. Slade
◾ An Introduction to Virtualization Security, Paul Henry
◾ Service-Oriented Architecture, Walter B. Williams
◾ Cloud Security, Terry Komperda
◾ Enterprise Zones of Trust, Sandy Bacik

6.2 Principles of Security Models, Architectures, and Evaluation Criteria
◾ Formulating an Enterprise Information Security Architecture, Mollie E. Krehnke and David C. Krehnke
◾ Security Architecture and Models, Foster J. Henderson and Kellina M. Craig-Henderson
◾ The Common Criteria for IT Security Evaluation, Debra S. Herrmann

6.3 Common Flaws and Security Issues: System Architecture and Design
◾ Common System Design Flaws and Security Issues, William Hugh Murray

Domain 7: Operations Security

7.1 Concepts
◾ Security Considerations in Distributed Computing: A Grid Security Overview, Sasan Hamidi
◾ Managing Unmanaged Systems, Bill Stackpole and Man Nguyen
◾ Storage Area Networks Security Protocols and Mechanisms, Franjo Majstor
◾ Operations: The Center of Support and Control, Kevin Henry
◾ Why Today's Security Technologies Are So Inadequate: History, Implications, and New Approaches, Steven Hofmeyr
◾ Operations Security and Controls, Patricia A. P. Fisher

7.2 Resource Protection Requirements
◾ The Nebulous Zero Day, Rob Slade
◾ Understanding Service Level Agreements, Gilbert Held
◾ Physical Access Control, Dan M. Bowers

7.3 Auditing
◾ Auditing the Electronic Commerce Environment, Chris Hare

7.4 Intrusion Detection
◾ Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection, Chris Hare
◾ Intelligent Intrusion Analysis: How Thinking Machines Can Recognize Computer Intrusions, Bryan D. Fish

7.5 Operations Controls
◾ Directory Security, Ken Buszta
◾ Patch Management 101: It Just Makes Good Sense!, Lynda McGhie
◾ Security Patch Management: The Process, Felicia M. Nicastro
◾ Validating Tape Backups, Sandy Bacik
◾ A Brief Summary of Warfare and Commercial Entities, Rob Shein
◾ Information Destruction Requirements and Techniques, Ben Rothke
◾ Warfare and Security: Deterrence and Dissuasion in the Cyber Era, Samuel Chun
◾ Configuration, Change, and Release Management, Sean M. Price
◾ Tape Backup Considerations, Sandy Bacik
◾ Productivity vs. Security, Sandy Bacik
◾ Complex Event Processing for Automated Security Event Analysis, Rob Shein
◾ Records Management, Sandy Bacik

Domain 8: Business Continuity and Disaster Recovery Planning

8.1 Business Continuity Planning
◾ Developing Realistic Continuity Planning Process Metrics, Carl B. Jackson
◾ Building Maintenance Processes for Business Continuity Plans, Ken Doughty
◾ Identifying Critical Business Functions, Bonnie A. Goins
◾ Selecting the Right Business Continuity Strategy, Ken Doughty
◾ Contingency Planning Best Practices and Program Maturity, Timothy R. Stacey
◾ Reengineering the Business Continuity Planning Process, Carl B. Jackson
◾ The Role of Continuity Planning in the Enterprise Risk Management Structure, Carl Jackson
◾ Determining Business Unit Priorities in Business Continuity Management, Kevin Henry
◾ Continuity Program Testing, Maintenance, Training and Awareness, Carl Jackson
◾ Integrated Business Continuity Planning, James C. Murphy
◾ CERT/BERT: Community and Business Emergency Response, Carl B. Jackson
◾ Continuity Planning for Small- and Medium-Sized Organizations, Carl Jackson
◾ Data Backup Strategies: Traditional versus Cloud, Carl B. Jackson

8.2 Disaster Recovery Planning
◾ Contingency at a Glance, Ken M. Shaurette and Thomas J. Schleppenbach
◾ The Business Impact Assessment Process and the Importance of Using Business Process Mapping, Carl Jackson
◾ Testing Business Continuity and Disaster Recovery Plans, James S. Mitts
◾ Restoration Component of Business Continuity Planning, John Dorf and Martin Johnson
◾ Business Resumption Planning and Disaster Recovery: A Case History, Kevin Henry
◾ Business Continuity Planning: A Collaborative Approach, Kevin Henry

8.3 Elements of Business Continuity Planning
◾ The Business Impact Assessment Process, Carl B. Jackson

Domain 9: Legal, Regulations, Compliance, and Investigations

9.1 Information Law
◾ Sarbanes–Oxley Compliance: A Technology Practitioner's Guide, Bonnie A. Goins
◾ Health Insurance Portability and Accountability Act Security Rule, Lynda L. McGhie
◾ Jurisdictional Issues in Global Transmissions, Ralph Spencer Poore
◾ An Emerging Information Security Minimum Standard of Due Care, Robert Braun and Stan Stahl
◾ ISPs and Accountability, Lee Imrey
◾ The Case for Privacy, Michael J. Corby
◾ Liability for Lax Computer Security in DDoS Attacks, Dorsey Morrow
◾ Compliance Assurance: Taming the Beast, Todd Fitzgerald
◾ The Cost of Risk: An Examination of Risk Assessment and Information Security in the Financial Industry, Seth Kinnett
◾ Data Security and Privacy Legislation, Salahuddin Kamran

9.2 Investigations
◾ Operational Forensics, Michael J. Corby
◾ Computer Crime Investigation and Computer Forensics, Thomas Welch
◾ What Happened?, Kelly J. Kuchta

9.3 Major Categories of Computer Crime
◾ Potential Cyber Terrorist Attacks, Chris Hare
◾ The Evolution of the Sploit, Ed Skoudis
◾ Computer Crime, Christopher A. Pilewski
◾ Phishing: A New Twist to an Old Game, Stephen D. Fried
◾ It's All about Power: Information Warfare Tactics by Terrorists, Activists, and Miscreants, Gerald L. Kovacich, Andy Jones, and Perry G. Luzwick
◾ Bluesnarfing, Mano Paul
◾ Cyberstalking, Micki Krause Nozaki
◾ Managing Advanced Persistent Threats, E. Eugene Schultz and Cuc Du

9.4 Incident Handling
◾ Social Engineering: The Human Factor in Information Assurance, Marcus K. Rogers
◾ Privacy Breach Incident Response, Rebecca Herold
◾ Security Event Management, Glenn Cater
◾ DCSA: A Practical Approach to Digital Crime Scene Analysis, Marcus K. Rogers
◾ What a Computer Security Professional Needs to Know about E-Discovery and Digital Forensics, Larry R. Leibrock
◾ How to Begin a Non-Liturgical Forensic Examination, Carol Stucki
◾ Honeypot Essentials, Anton Chuvakin
◾ Managing the Response to a Computer Security Incident, Michael Vangelos
◾ Cyber-Crime: Response, Investigation, and Prosecution, Thomas Akin
◾ Enterprise Incident Response and Digital Evidence Management and Handling, Marcus K. Rogers
◾ Security Information Management Myths and Facts, Sasan Hamidi
◾ Virtualization and Digital Investigations, Marcus K. Rogers and Sean C. Leshney
◾ Is Software Write Blocking a Viable Alternative to Hardware Write Blocking in Computer Forensics?, Paul A. Henry
◾ Discovery of Electronically Stored Information, Salahuddin Kamran
◾ Virtualization Forensics, Paul A. Henry

Domain 10: Physical (Environmental) Security

10.1 Elements of Physical Security
◾ Perimeter Security, R. Scott McCoy
◾ Melding Physical Security and Traditional Information Systems Security, Kevin Henry
◾ Physical Security for Mission-Critical Facilities and Data Centers, Gerald Bowman
◾ Physical Security: A Foundation for Information Security, Christopher Steinke
◾ Physical Security: Controlled Access and Layered Defense, Bruce R. Matthews
◾ Computing Facility Physical Security, Alan Brusewitz
◾ Closed-Circuit Television and Video Surveillance, David Litzau
◾ Mantraps and Turnstiles, R. Scott McCoy
◾ Halon Fire Suppression Systems, Chris Hare
◾ Crime Prevention through Environmental Design, Mollie Krehnke
◾ Data Center Site Selection and Facility Design Considerations, Sandy Bacik
◾ Protection of Sensitive Data, Sandy Bacik
◾ Water Leakage and Flooding, Sandy Bacik
◾ Site Selection and Facility Design Considerations, Sandy Bacik
◾ An Overview of IP-Based Video Surveillance, Leo Kahng
◾ The Layered Defense Model and Perimeter Intrusion Detection, Leo Kahng
◾ Terrorism: An Overview, Frank Bolz, Jr., Kenneth J. Dudonis, and David P. Schulz

10.2 Technical Controls
◾ Types of Information Security Controls, Harold F. Tipton
◾ Countermeasure Goals and Strategies, Thomas L. Norman

10.3 Environment and Life Safety
◾ Workplace Violence: Event Characteristics and Prevention, George Richards
◾ Physical Security: The Threat after September 11, 2001, Jaymes Williams

IT Management
Information Security Management Handbook, Sixth Edition, Volume 6
Edited by Harold F. Tipton, CISSP, and Micki Krause Nozaki, CISSP

Updated annually, the Information Security Management Handbook, Sixth Edition, Volume 6 is the most comprehensive and up-to-date reference available on information security and risk management. Bringing together the knowledge, skills, techniques, and tools required of IT security professionals, it facilitates the up-to-date understanding required to stay one step ahead of evolving threats, standards, and regulations. Reporting on the latest developments in information security and recent changes to the (ISC)2® CISSP Common Body of Knowledge (CBK®), this volume features new information on advanced persistent threats, HIPAA requirements, social networks, virtualization, and Service Oriented Architecture (SOA). Its comprehensive coverage touches on all the key areas IT security professionals need to know, including:

• Access Control: Technologies and administration, including the requirements of current laws
• Telecommunications and Network Security: Addressing the Internet, intranet, and extranet
• Information Security and Risk Management: Organizational culture, preparing for a security audit, and the risks of social media
• Application Security: Ever-present malware threats and building security into the development process
• Security Architecture and Design: Principles of design, including zones of trust
• Cryptography: Elliptic curve cryptosystems, format-preserving encryption
• Operations Security: Event analysis
• Business Continuity and Disaster Recovery Planning: Business continuity in the cloud
• Legal, Regulations, Compliance, and Investigation: Persistent threats and incident response in the virtual realm
• Physical Security: Essential aspects of physical security

The ubiquitous nature of computers and networks will always provide the opportunity and means to harm. This edition updates its popular predecessors with the information you need to address the vulnerabilities created by recent innovations such as cloud computing, mobile banking, digital wallets, and near-field communications. This handbook is also available on CD.

K14176
ISBN 978-1-4398-9313-5

Posted: 20/12/2022, 11:51
