
John Wiley & Sons Computer Security Handbook




DOCUMENT INFORMATION

Basic information

Format
Number of pages: 1,224
Size: 10.54 MB

Contents

COMPUTER SECURITY HANDBOOK
Fourth Edition

Edited by
SEYMOUR BOSWORTH
M.E. KABAY

JOHN WILEY & SONS, INC.

This book is printed on acid-free paper.

Copyright © 2002 by John Wiley & Sons, Inc. All rights reserved.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-6011, fax (212) 850-6008, E-Mail: PERMREQ@WILEY.COM.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

ISBN 0-471-41258-9

Printed in the United States of America

PREFACE

Computers are an integral part of our economic, social, professional, governmental, and military infrastructures. They have become necessities in virtually every area of modern life, but their vulnerability is of increasing concern. Computer-based systems are constantly under threats of inadvertent error and acts of nature, as well as those attributable to unethical, immoral, and criminal activities. It is the purpose of this Computer Security Handbook to provide guidance in eliminating these threats where possible, and if not, then to lessen any losses attributable to them.

This Handbook will be most valuable to those directly responsible for computer, network, or information security, as well as those who must design, install, and maintain secure systems. It will be equally important to those managers whose operating functions can be affected by breaches in security, and to those executives who are responsible for protecting the assets that have been entrusted to them.

With the advent of desktop, laptop, and handheld computers, and with the vast international networks that interconnect them, the nature and extent of threats to computer security have grown almost beyond measure. In order to encompass this unprecedented expansion, the Computer Security Handbook has grown apace. When the first edition of the Handbook was published, its entire focus was on mainframe computers, the only type then in widespread use. The second edition recognized the advent of small computers, while the third edition placed increased emphasis on PCs and networks. Now, this fourth edition of the Computer Security Handbook gives almost equal attention to mainframes and microcomputers. With 54 chapters alone requiring over 1,100 pages, the related tutorials and appendixes have been installed on the Internet at www.wiley.com/go/securityhandbook. This electronic supplement has made possible the manageable size and weight of the present hard-copy book, while presenting a greater wealth of material than ever before. The Internet presence has the added advantages of providing hyperlinks to other relevant sites and of making updates feasible.

Edition   Date   Chapters   Text Pages   Pages of Appendices   Total Pages   Internet Supplement
First     1973   12         162                                165           —
Second    1988   19         298          93                    391           —
Third     1995   23         571          365                   984           —
Fourth    2002   54         1184         On Internet           1224          www.wiley.com/go/securityhandbook

The Internet has been invaluable in another way. Each of the 54 chapters has made at least seven retransmissions via e-mail among authors, editors, and the publisher. Earlier editions had all of this done by courier or overnight delivery, with attendant delays and significant costs. Not only are PCs and the Internet a major subject of this volume, but they have also been the instruments without which it might never have come into being.

In speaking of the earlier editions, I would like to give grateful recognition to Arthur Hutt and Douglas Hoyt, my previous co-editors. Although both Art and Doug are deceased, their commitment and their competence remain as constant reminders to strive for excellence. Mich Kabay, my new co-editor, continues in their tradition. I would not have wanted to undertake this project without him.

Thanks are also due to our colleagues at John Wiley and Sons. Sheck Cho as Executive Editor, Tim Burgard as Associate Editor, Louise Jacobs as Associate Managing Editor, and Debra Manette and John Curley as copyeditors all have performed their duties in exemplary manner.

Finally, although the authors and editors of this Handbook have attempted to cover the essential elements of computer security, the disaster of September 11, 2001, demonstrates that new threats may come from unexpected directions. The primary emphasis of the Computer Security Handbook has always been on prevention, but should this fail, the fundamental practices described here will help to mitigate the consequences.

SEYMOUR BOSWORTH
Senior Editor
February 2002

A Note from the Co-Editor

I am immeasurably grateful to Sy Bosworth for his leadership in this project. Although we have never met each other in the physical world, I feel that we have become good friends through our constant communication through cyberspace. Our authors deserve enormous credit for the professional way in which they responded to our requests, outlines, suggestions, corrections, and nagging. I want to express my personal gratitude and appreciation for their courteous, collaborative, and responsive interactions with us. Finally, as always, I want to thank my beloved wife, Deborah Black, light of my life, for her support and understanding over the many months during which this project has taken away from our time together.

M.E. KABAY
Co-Editor
February 2002

ABOUT THE EDITORS

Seymour Bosworth (e-mail: sybosworth@aol.com), MS, CDP, is president of S. Bosworth & Associates, Plainview, New York, a management consulting firm active in computing applications for banking, commerce, and industry. Since 1972, he has been a contributing editor of all four editions of the Computer Security Handbook, and he has written many articles and lectured extensively about computer security and other technical and managerial subjects. He has been responsible for design and manufacture, system analysis, programming, and operations of both digital and analog computers. For his technical contributions, including an error-computing calibrator, a programming aid, and an analog-to-digital converter, he has been granted a number of patents, and is working on several others. Bosworth is a former president and CEO of Computer Corporation of America, manufacturers of computers for scientific and engineering applications; president of Abbey Electronics Corporation, manufacturers of precision electronic instruments and digital devices; and president of Alpha Data Processing Corporation, a general-purpose computer service bureau. As a vice president at Bankers Trust company, he had overall responsibility for computer operations, including security concerns. For more than 20 years, Bosworth was an adjunct associate professor of management at the Information Technologies Institute of New York University, where he lectured on computer security and related disciplines. He holds a master’s degree from the Graduate School of Business of Columbia University, and the Certificate in Data Processing of the Data Processing Management Association.

M.E. Kabay, Ph.D., CISSP (e-mail: mkabay@norwich.edu) began learning assembler at age 15 and had learned FORTRAN IV G at McGill University by 1966. In 1976, he received his Ph.D. from Dartmouth College in applied statistics and invertebrate zoology. He has published over 350 articles in operations management and security in several trade journals. He currently writes two columns a week for Network World Fusion; archives are at www.nwfusion.com/newsletters/sec/. Kabay was Director of Education for the National Computer Security Association from 1991 to the end of 1999. He was Security Leader for the INFOSEC Group of AtomicTangerine, Inc., from January 2000 to June 2001 and joined the faculty at Norwich University in July 2001 as Associate Professor of Computer Information Systems. In January 2002, he took on additional duties as the director of the graduate program in information assurance at Norwich. He has a Web site at www2.norwich.edu/mkabay/index.htm.

ABOUT THE CONTRIBUTORS

Rebecca G. (Becky) Bace (e-mail: infomom@infidel.net) is the President/CEO of Infidel, Inc. (www.infidel.net), a network security consulting practice. She has been an active force in the intrusion detection community for over a decade: as the director of the National Security Agency’s research program for intrusion detection (1989–1996), where she funded much of the early research in intrusion detection; as deputy security officer for the Computing, Information, and Communications Division of the Los Alamos National Laboratory (1996–1997); and in her current capacity at Infidel. Bace is author of the National Institute for Standards and Technology’s Special Publication on Intrusion Detection (SP 800-31), the book Intrusion Detection (Macmillan Technical Publishing, 2000), and a variety of intrusion detection references published over the last five years. She is currently advising a group of security solution startups; working with Trident Capital (www.tridentcap.com), where she is responsible for directing network security investment activities; and serving as faculty for the popular Intrusion Detection Forum series for senior information security managers offered by the Institute for Applied Network Security (www.ianetsec.com).

Timothy Braithwaite (e-mail: tim.braithwaite@titan.com) has more than 30 years of hands-on experience in all aspects of automated information processing and communications. He is currently Deputy Director of Strategic Programs at the Center for Information Assurance of Titan Corporation. Before joining Titan Corporation, he managed most aspects of information technology, including data and communications centers, software development projects, strategic planning and budget organizations, system security programs, and quality improvement initiatives. His pioneering work in computer systems and communications security while with the Department of Defense resulted in his selection to be the first Systems Security Officer for the Social Security Administration in 1980. After developing security policy and establishing a nationwide network of regional security officers, Braithwaite directed the risk assessment of all payment systems for the agency. In 1982, he assumed the duties of Deputy Director, Systems Planning and Control of the SSA, where he performed substantive reviews of all major acquisitions for the Associate Commissioner for Systems and, through a facilitation process, personally led the development of the first Strategic Systems Plan for the Administration. In 1984, he became Director of Information and Communication Services for the Bureau of Alcohol, Tobacco, and Firearms at the Department of Treasury. In the private sector, he worked in senior technical and business development positions for SAGE Federal Systems, a software development company; Validity Corporation, a testing and independent validation and verification company; and J.G. Van Dyke & Associates, where he was Director, Y2K Testing Services. He was recruited to join Titan Corporation in December 1999 to assist in establishing and growing the company’s Information Assurance (IA) practice. He recently authored Securing E-Business: A Guide for Managers and Executives (John Wiley & Sons, 2002). He can be reached by phone at 301 982 5414.

Paul J. Brusil, Ph.D. (e-mail: brusil@post.harvard.edu) founded Strategic Management Directions, a security and enterprise management consultancy in Beverly, Massachusetts. He has been working with various industry and government sectors including healthcare, telecommunications, and middleware to improve the specification, implementation, and use of trustworthy, quality, security-related products and systems. He supported strategic planning that led to the National Information Assurance Partnership and other industry forums created to understand, promote, and use the Common Criteria to develop security and assurance requirements and evaluated products. Brusil has organized, convened, and chaired several national workshops, conferences, and international symposia pertinent to management and security. Through these and other efforts to stimulate awareness and cooperation among competing market forces, he spearheaded industry’s development of the initial open, secure, convergent, standards-based network and enterprise management solutions. While at the MITRE Corp., Brusil led R&D critical to the commercialization of the world’s first LAN solutions. Earlier, at Harvard, he pioneered research leading to noninvasive diagnosis of cardio-pulmonary dysfunction. He is a Senior Member of the IEEE, a member of the Editorial Advisory Board of the Journal of Network and Systems Management (JNSM), and has been Senior Technical Editor for JNSM. He has authored nearly 100 papers and book chapters. He graduated from Harvard University with a joint degree in Engineering and Medicine.

David Brussin, CISSP (e-mail: dbrussin@pobox.com), is a leading technical security and privacy expert. His experience architecting robust, efficient, and secure information handling processes and electronic business systems for Fortune 100 organizations led to the creation of unique formal models for information security, including Three Layer Analysis and Successive Compromise Analysis. His techniques, which provide a complete, repeatable methodology for designing and verifying the security of connected infrastructure, are recognized as an industry-leading approach. He is now serving as Chief Technology Officer for ePrivacy Group, a Philadelphia-based privacy consulting, training, and technology company. He was a founding partner of InfoSec Labs, Inc., and then Director of Security Technology for Rainbow Technologies following its acquisition of InfoSec Labs in 1999. Brussin has published numerous articles and is a frequent speaker on security and privacy issues.

Quinn Campbell (e-mail: qcampbell@hushmail.com) has worked in the information security field for over six years. He specializes in IT threat analysis and education.

John M. Carroll, LL.B., Dr. Eng. Sci. (e-mail: jmcarroll7@aol.com) is a Professor Emeritus in the Department of Computer Science of the University of Western Ontario. He is a registered professional engineer and works in a criminal law practice. His research interests are information technology risk management; cryptography; and microdocumentary analysis. He has been consulted by police and security forces in seven countries.

Santosh Chokhani (e-mail: chokhani@cygnacom.com) is the founder and President of CygnaCom Solutions, Inc., an Entrust company specializing in PKI. He has made numerous contributions to PKI technology and related standards including trust models, security, and policy and revocation processing. He is the inventor of the PKI Certificate Policy and Certification Practices Statement Framework. His pioneering work in this area led to the Internet RFC that is used as the Standard for CP and CPS by governments and industry throughout the world. Before starting CygnaCom, he worked for The MITRE Corporation from 1978 to 1994. At MITRE, he was senior technical manager and managed a variety of technology research, development, and engineering projects in the areas of PKI, computer security, expert systems, image processing, and computer graphics. He obtained his Masters (1971) and Ph.D. (1975) in EE/CS from Rutgers University, where he was a Louis Bevior Fellow from 1971–1973.

Chey Cobb, CISSP (e-mail: chey@patriot.net) began her career in information security while at the National Computer Security Association (now known as TruSecure/ICSA Labs). During her tenure as the NCSA award-winning Webmaster, she realized that Web servers often created security holes in networks and became an outspoken advocate of systems’ security. Later, while developing secure networks for the Air Force in Florida, her work captured the attention of the U.S. intelligence agencies. Chey moved to Virginia and began working for the government as the senior technical security advisor on highly classified projects. Ultimately, she went on to manage the security program at an overseas site. Chey is now semi-retired and writes books and articles on computer security and is a frequent speaker at security conferences.

Stephen Cobb, CISSP (e-mail: scobb@cobb.com) has been helping companies, governments, and individuals to secure their computer-based information for more than 15 years. A best-selling author of over 20 computer books, Cobb has presented security seminars and chaired security conferences in Europe, Asia, and America. He is now Senior V.P. of Research & Education for ePrivacy Group, a Philadelphia-based privacy consulting, training and technology company. He served for two years as Director of Special Projects for the National Computer Security Association, launching its award-winning Web site and the Firewall Product Developers’ Consortium. He left NCSA to become a founding partner of InfoSec Labs, Inc., which was acquired by Rainbow Technologies in 1999. Frequently quoted by the media as a security expert in the United States, Europe, and Asia, Cobb has published in a wide range of publications. His recent writings can be found on his Web site at www.cobb.com.

Bernard Cowens, CISSP (e-mail: bernie.cowens@infosec.spectria.com) is Vice President of Security Services for Rainbow-Spectria, a digital security company. He is a security expert with over 15 years’ experience in designing, developing, managing, and protecting complex and sensitive information systems and networks. He has extensive experience managing and securing high availability, multisite military and civilian data centers and is therefore uniquely adept at recognizing and balancing security imperatives with operational realities. He has conducted security reviews and analyses which involved extremely sensitive, highly classified national security data and equipment. Cowens has created, trained, and served on a number of computer emergency and incident response teams over the years and has real-world experience responding to disasters, attacks and system failures resulting from a variety of sources. He has served as a member of and an advisor to national-level panels charged with analyzing network and information system threats, assessing associated risks, and recommending both technical and nontechnical risk mitigation policies and procedures.

INDEX

I

IBM, Christmas Tree DoS attack, • 3, 11 • 3, 11 • –11 • IBM computers, • 5, • 6, • 7, • –1 • 10 ICANN (Internet Corporation for Assigned Names and Numbers), • 11 ICSA Labs, 27 • 10 Identification, defined, 16 • Identity, Internet, 53 • 7– 53 • 10 IEEE 802.11, 18 • IETF (Internet Engineering Task Force), 27 • 3, 28 • 12 Illicit terminals, 14 • 23 Immune systems, computer, 24 • 10 – 24 • 11 Impersonation, • – • Implementation vulnerabilities, • 14 Incident Command System (ICS), 14 • Incident numbers, • 18 Incidents, security See also Attacks, in security incident events vs attacks, • 15, • 17 corrective actions, • 18 – • 19 date terminology, • 18 defined, • 15, • 16 event targets, • – • 5, • 6, • 10 – • 11 handling records, • 1– • 21 reporting, • 1–
• 21 Include files See Server-side includes (SSIs) Incremental backups, 41 • Incremental information leveraging, • – • Indency, • 15 – • 17 Indexing backups, 41 • Indictments, 34 • 11 Indispensable employees, 31 • – 31 • Inference, in statistics, • – • Information, role in health care, 49 • 1– 49 • Information exchange, as tool of attack, • 13 Information flow control, and operating system security, 17 • Information loss, list of types, • 10 – • 13 Information security See also Security policies authenticity element, • – • 5, • 9, • 11 availability element, • – • 3, • 9, • 10 – • 11, • 12 CIA (confidentiality, integrity, availability) model, • Clark-Wilson Integrity (CWI) model, • 3, • 19 – • 24 vs computer security, • confidentiality element, • – • 6, • 9, • 11, • 12 integrity element, • 4, • 9, • 11 list of functions, • 17– • 18 list of potential losses, • – • 17 new framework, • 1– • 19 possession element, • – • 7, • 9, • 11, • 15 • 12 – • 13 selecting safeguards, • 18 – • 19 Threats, Assets, Vulnerabilities Model, • 2, • 19 utility element, • – • 4, • 9, • 10 – • 11 Information Security Industry, • Information systems (IS) See also Infrastructure basic ways to exploit weaknesses, • 19 – • 20 climate control, 15 • 37–15 • 38 current risks, 14 • –14 • elements of infrastructure protection, 15 • –15 • 14 facility design considerations, 15 • 25 –15 • 40 history, • –1 • 12 infrastructure protection, 15 • 1–15 • 46 logical element, 14 • overview of physical threats to infrastructure, 14 • –14 • penetration, • – • physical element, 14 • physical infrastructure threat assessment process, 14 • –14 • 12 premises element, 14 • restricting physical site access, 15 • 26 –15 • 27 security overview, • 1–1 • 3, 14 • technical penetration, • – • 29 tools for finding weaknesses, • 16 – • 19 who should manage physical security, 14 • Information Technology Security Evaluation Criteria (ITSEC), 27 • Information warfare: and China, • 13 –7 • 15 critical infrastructure, • –7 • 
defenses against, • 20 –7 • 23 military tactics, • –7 • overview, • sources of threat, • 13 –7 • 17 types of weapons, • 17–7 • 20 vulnerabilities, • –7 • weapons inadvertently provided, • 20 weapons of mass destruction, • 20, 14 • 21–14 • 22, 15 • 42 –15 • 43 Infrastructure See also Information systems (IS); Public-key infrastructure (PKI) critical vulnerabilities, • –7 • economic, • 13 intrusion detection, 20 • 12 local area networks, 18 • –18 • physical threat overview, 14 • –14 • 12 protecting, 15 • 1–15 • 46 U.S vulnerabilities, • –7 • Y2k lessons, 48 • – 48 • 6, 48 • 8, 48 • 13 In-house assessments, 27 • – 27 • Initialization errors, 25 • In-kind counterattacks, • 22 Input validation, • 23 – • 27 Insiders See Employees Insider threats, 54 • 17 Inspections, as tool in teaching security awareness, 29 • 17 Insurance See also CGL (commercial general liability) insurance common exclusions, 44 • crime and fraud policies, 44 • 10 – 44 • 11 damage to intangible assets, 44 • as defensive strategy, 15 • defining covered claims, 44 • 7– 44 • e-commerce policies, 44 • 11– 44 • 12 extensions of coverage, 44 • intellectual property coverage, 44 • – 44 • 10 limitations, 44 • prior acts coverage, 44 • Integrated performance metrics, 32 • Integrity, as information security framework element, • 4, • 9, • 11 Intellectual property See also Copyrights; Patents; Trademarks attempts to justify theft of, 33 • 22 – 33 • 24 and CGL insurance, 44 • – 44 • 10 damages for infringement, 12 • 17–12 • 18 international aspects, 12 • –12 • 13 overview, • piracy, 33 • 21– 33 • 24 plagiarism, 33 • 24 – 33 • 25 role of Internet service providers, 12 • 15 trade-related aspects, 12 • –12 • 13 U.S legal framework, 12 • 1–12 • Intruders: defined, 11 • in distributed DoS attacks, 11 • 14, 11 • 15, 11 • 16 Intrusion alarms, 15 • 19 –15 • 20 Intrusion detection systems (IDS): analysis schemes, 37 • – 37 • 10 architecture, 37 • automated responses, 37 • 11– 37 • 12 event information sources, 37 • 
7– 37 • history, 37 • – 37 • misuse detection vs anomaly detection, 37 • – 37 • 10 monitoring, 37 • 4, 37 • 5, 37 • 7– 37 • needs assessment, 37 • 13 – 37 • 14 overview, 37 • 2, 37 • – 37 • passive vs active response, 37 • 10 – 37 • 11 product selection, 37 • 14 – 37 • 15 reports, 37 • 11 role in security management, 37 • stand-alone vs integrated responses, 37 • 11– 37 • 12 unified infrastructure, 20 • 12 vs vulnerability assessment, 37 • – 37 • Intrusions: detection, 20 • (See also Intrusion detection systems (IDS)) overview, • 20 – • 21 response, 20 • – 20 • as security hazard, 14 • 19 –14 • 20 vs trespasses, • 21 unified detection infrastructure, 20 • 12 Invalid file access attempts log, 38 • Invalid log-on attempts log, 38 • Involuntary employee terminations, 31 • 11 IOMEGA Corporation, 41 • IP addresses: private, 11 • 22, 11 • 23 reserved, 11 • 23 spoofing, 11 • 23, 21 • IP (Internet Protocol), • 18, 13 • 5, 21 • IP Traceback, 11 • 25 IPv4 addresses, 21 • 5, 21 • ISO 9000, 27 • – 27 • ISO 15408, 27 • 6, 27 • 14 See also Common Criteria (CC) standard ISO 17799, 28 • – 28 • Israel, encryption use, 50 • ITSEC (Information Technology Security Evaluation Criteria), 27 • Intercepts, communication, • 19–2 • 20, • 7–8 • 12 Intercultural differences, 35 • 7– 35 • Interfaces, protecting, 12 • Internal auditing, 36 • 2, 36 • 11 Internal investigations, 34 • 17– 34 • 19 International issues: criminal prosecution, • 22 encryption, 50 • 1– 50 • 13 espionage, • 12 intellectual property, 12 • –12 • 13 law enforcement, 34 • 19 – 34 • 20 legal standards for e-commerce, 19 • –19 • privacy, • 11– • 12 regulation of speech, 51 • 20 – 51 • Internet See also E-commerce anonymous postings, 52 • 14 – 52 • 15 and CGL insurance, 44 • developing user policies, 33 • – 33 • 46 dissemination and use of incorrect information, 33 • 7– 33 • guidelines for using information, 33 • – 33 • history, • 8, • 12 hoaxes, 33 • 10 – 33 • 12 misuse by employees, • 12 monitoring usage, 52 • 15 
piracy issues, 12 • 13 –12 • 17, 26 • 7– 26 • SANS Institute list of critical security threats, 18 • 14 –18 • 15 security macrotrends, 54 • – 54 • 14 security microtrends, 54 • 14 – 54 • 15 as tool in teaching security awareness, 29 • 14 – 29 • 15 what constitutes identity, 53 • 7– 53 • 10 Internet addiction, 33 • 36 – 33 • 37 Internet Assigned Numbers Authority (IANA), 21 • Internet connections, as security hazard, • Internet Corporation for Assigned Names and Numbers (ICANN), • 11 Internet Engineering Task Force (IETF), 27 • 3, 28 • 12 Internet Exploder ActiveX control, 10 • Internet Explorer, • 10 Internet hosting, 12 • 15 Internet Information Services (IIS) Indexing Service, 11 • 20 Internet service providers (ISPs): anonymity and pseudonymity issues, 53 • 17– 53 • 18 and black boxes, 52 • defending against DDoS attacks, 11 • 23 –11 • 24 role in intellectual property issues, 12 • 15 Internet sniffing, applying risk equation, 54 • 13 – 54 • 14 Internet-visible systems See also Web sites auditing, 21 • 12 out-of-service costs, 21 • 11– 21 • 12 overview, 21 • 1– 21 • security planning, 21 • 12 site dispersion, 21 • 13 site hardening, 21 • 12 – 21 • 13 technical issues, 21 • – 21 • 13 Internet worm See Morris worm Interrogation, in criminal investigation, 34 • Interviews: in criminal investigation, 34 • 7– 34 • as research method in computer crime, • Intranets: protecting staff, 22 • 21 as tool in teaching security awareness, 29 • 14 – 29 • 15

J

Jacobson’s Window risk model, 47 • – 47 • Japan: computer crime, • 14, • 15, • 16 encryption use, 50 • Java: as avenue for DoS attacks, 11 • 12 as example of mobile code, 10 • 2, 10 • J2EE (Java Enterprise Edition), 13 • 13 JavaBeans, 13 • 13 JavaScript: CGI scripting, 13 • 14 as mobile code language, 10 • scanning and filtering code, 20 • server issues, 10 • JAZ diskettes, 41 • Joint application design (JAD), 25 • Joint requirements planning (JRD), 25 • Junk e-mail, 33 • 14 – 33 • 16

K

Kerberos, • 11, 
16 • –16 • 10 Kernel panic attacks, 11 • Key escrow, 23 • 19 – 23 • 20, 23 • 21, 50 • Key locks, 15 • 14 –15 • 15 Key recovery, 23 • 19 – 23 • 21 Keys: data-encryption, 23 • 19 defined, 50 • as method of user authentication, 16 • private, 23 • 19 public, 23 • 19 recovering, 23 • 19 – 23 • 21 signing, 23 • 19 splitting, 23 • 21 Keyspace, • 13, 50 • Keystrokes, capturing, • 12 Known-good software, 32 • 11 L Labelling backup storage media, 41 • Laboratory accreditation, 27 • 27– 27 • 32 Land attacks, 11 • Landslides, as security hazard, 14 • 13 Language, common, for security incidents, • 1– • 21 LANS See Local area networks (LANs) Laptops, backup strategies, 41 • – 41 • 10 Law See Legal issues Law enforcement: criminal investigations, 34 • – 34 • 12 criminal monitoring and surveillance technologies, 52 • – 52 • and deterrence, 34 • – 34 • establishing relationships, 34 • 12 – 34 • 15 goals, 34 • – 34 • history of computer crime, 34 • – 34 • vs internal investigations, 34 • 17– 34 • 19 international investigations, 34 • 19 – 34 • 20 overview, 34 • policies for dealing with, 34 • 15 – 34 • 17 and privacy issues, 52 • – 52 • and prosecution, 34 • 3, 34 • 10 – 34 • 12, 34 • 14 – 34 • 15 role of corporate counsel, 34 • 15 vulnerabilities to information warfare, • 11–7 • 12 Layers of security, as defensive strategy, 15 • Leased lines, as security hazard, • Legal issues See also Intellectual property; Law enforcement censorware, 51 • 17 and computer emergency response teams (CERTs), 40 • contracts, • – • copyrights (See Copyrights) criminal acts, • 18 – • 24 defamation, • 13 – • 14 due diligence, • 14 in e-commerce, 19 • –19 • 14 in employee terminations, 31 • 12 global privacy concerns, 52 • – 52 • inappropriate e-mail use, 33 • indency, • 15 – • 17 Internet speech, 51 • 13 – 51 • 14 law as a defense against information warfare, • 21 libel, 33 • litigation, • 17– • 18, 22 • 19 – 22 • 20 medical records, 49 • – 49 • 23 negligence, • 14 – • 15 obscenity, • 15 – • 17 online 
gambling, 33 • 30 patents, 12 • 8, 12 • 11–12 • 12, 26 • privacy, • 11– • 13, 52 • – 52 • public libraries, and Internet access, 51 • 14 – 51 • 15 software piracy, 26 • trademarks, • – • 11, 26 • U.S First Amendment rights, 51 • 7– 51 • 15 Web server liabilities, 22 • 17– 22 • 18 Liability: and FEMA guidelines, 15 • 5, 15 • –15 • issues in physical threats to information system infrastructure, 14 • 7–14 • role of security manager, 45 • – 45 • 10 Libel, 33 • Libraries, data, 36 • Licenses: as contracts, • – • vs first sale, 12 • Lightweight Directory Access Protocol (LDAP), 23 • 13 Linux, 18 • 14, 18 • 15 List linking, 11 • Litigation: role of technology, • 17– • 18 Web-related, 22 • 19 – 22 • 20 Load condition errors, 25 • Local area networks (LANs): defending against DDoS attacks, 11 • 22 –11 • 23 history, • 10 –1 • 11 linking together, • 11–1 • 12 operating system issues, 18 • –18 • 17 packet capture vulnerability, • physical site security, 18 • –18 • securing infrastructure, 18 • –18 • security policy and procedure issues, 18 • 1–18 • sniffer software, • 9, 18 • –18 • wire and cable vulnerabilities, 18 • –18 • wireless issues, 18 • 7–18 • Location privacy, 52 • 15 – 52 • 16 Locking, DBMS, conditional vs unconditional, 39 • – 39 • Locks and door hardware, 15 • 14 –15 • 15 See also Card entry systems Locus of control, 35 • 15 – 35 • 16 Log files: analyzing, 38 • – 38 • archiving, 38 • – 38 • for back-out process, 39 • – 39 • CPU log, 38 • for databases, 39 • – 39 • disk space log, 38 • – 38 • exception reports, 38 • file close log, 38 • file input/output log, 38 • – 38 • file open log, 38 • invalid file access attempts log, 38 • invalid log-on attempts log, 38 • memory consumption log, 38 • network activity log, 38 • in operations management, 32 • – 32 • 7, 32 • overview, 38 • – 38 • process initiation log, 38 • process termination log, 38 • protecting against alteration, 38 • 7– 38 • resource utilization log, 38 • role in data validation, 32 • 15 sequestering 
tapes and cartridges, 38 • INDEX session initiation log, 38 • session termination log, 38 • system boot log, 38 • system console activity log, 38 • system level vs job level, 38 • system shutdown log, 38 • types of records, 38 • – 38 • Logical data corruption, 39 • – 39 • Logic flow errors, 25 • Login process: building in delay, • 13 – • 14 capturing information, • 11– • 12 for facility visitors, 32 • as security hazard, • 11– • 12 Trojan Horse programs, • 11– • 12 Log-on screens, as tool in promoting security awareness, 29 • 16 Logs See also Log files in litigation, 22 • 19, 22 • 20 monitoring access to controlled areas, 15 • 17 Long-distance transmissions, as security hazard, • “Look and feel” issue, 12 • Loss, information: examples and suggested controls, • 13 – • 16 list of types, • 10 – • 13 physical circumstances, • 16 – • 17 Loss potential, 47 • 12 – 47 • 14 Lying, • – • M Macintosh computers, • 10, 18 • 15 –18 • 17, 24 • Macro facilities, • 12 Macro viruses, • – • 9, 24 • 4, 24 • Magnetic media: destroying, 41 • 16 longevity issues, 41 • 11, 41 • 12 Mail clients, vulnerabilities, 13 • –13 • Mail servers, vulnerabilities, 13 • Mail storms, 33 • 19 – 33 • 21 See also Denial-of-service (DoS) attacks Mainframe computers: backup strategies, 41 • – 41 • controlling access to files and databases, 32 • 13 in IT history, 20 • limiting access to operations centers, 32 • – 32 • moving new versions of software into production, 32 • – 32 • as network model, 20 • operating systems, 32 • 11 and operations management, 32 • – 32 • 11 protecting data, 32 • 11– 32 • 13 terminology, 32 • – 32 • Maintenance personnel, as security hazard, 14 • 22 Malicious code See also Mobile code; Viruses; Worms coping with, 54 • 16 – 54 • 17 mobile, 10 • nonreplicating, • 17– • 19 overview, 13 • questions for policy study, 46 • 10 as weapon in information warfare, • 17–7 • 18 Malware See Malicious code Management: and denial-of-service issues, 11 • 26 EDP control responsibilities, 36 • –10 
issues for board of directors, 48 • 11– 48 • 13 and organizational culture, • and personality styles, 35 • – 35 • role in computer security, 45 • 1– 45 • 11 I • 15 role in security policy development, 46 • 11, 46 • 12 – 46 • 13 Managing: change, 25 • 14 – 25 • 15 employees, 31 • – 31 • Man-made threats, 14 • 17–14 • 22 Mantraps, 15 • 26 –15 • 27 Master boot record (MBR) viruses, • Masters, DDoS, 11 • 14, 11 • 15, 11 • 16 Media access control (MAC), 18 • 4, 18 • Medical emergencies See also Weapons of mass destruction (WMD) biological hazards, 14 • 14, 15 • 42 epidemics, 14 • 13 HAZMAT incidents, 14 • 14 protecting against, 15 • 43 radiological incidents, 14 • 14 as security hazard, 14 • 23 Medical records See also Health care industry accountability of, 49 • availability of, 49 • confidentiality of, 49 • consortia and standards, 49 • 24 – 49 • 28 core security model, 49 • – 49 • expectations in U.K., 49 • expectations in U.S., 49 • external pressures, 49 • – 49 • 28 government policies in U.K., 49 • 23 – 49 • 24 government policies in U.S., 49 • 24 impact of information technology, 49 • – 49 • importance of privacy and security, 49 • – 49 • integrity of, 49 • internal policies, procedures, and protocols, 28 IT security challenges, 49 • – 49 • laws and regulations in U.K., 49 • 20 – 49 • 22 laws and regulations in U.S., 49 • – 49 • 20 legal issues, 49 • – 49 • 23 privacy and security issues, 49 • 1– 49 • 32 security implementation difficulties, 49 • 28 – 49 • 29 vulnerabilities to information warfare, • 11 Melissa virus, • 10 – • 11, 11 • 4, 33 • 19, 54 • 16 Memory: obtaining copies, 38 • – 38 • protecting, 17 • –17 • Memory consumption log, 38 • Memory dumps, 38 • – 38 • 10 Memory-resident viruses, • Message boards, anonymous postings, 52 • 14 – 52 • 15 Messenger personnel, as security hazard, 14 • 22 Metacharacters, • 28 Metatext, • 20 – • 11 Microprocessors, • Microsoft Authenticode, 10 • 3, 10 • Microsoft Corporation: antipiracy programs, 26 • 14, 26 • 16 in IT
history, • software vulnerability to viruses, • – • 16 Microsoft Internet Explorer, • 10 Microsoft Office, and viruses, • – • 9, • 10, 24 • Microsoft Outlook, and viruses, • 10 – • 11 Microsoft Windows 9x operating systems, • – • 16, 18 • 10 –18 • 11, 24 • 4, 24 • Microsoft Windows 95, • – • 10 Microsoft Windows 98, • 10 – • 16 Microsoft Windows 2000, 17 • 15 –17 • 19, 18 • 11–18 • 12, 24 • Microsoft Windows ME (Millennium Edition), 18 • 11 Microsoft Windows NT, 18 • 11–18 • 12, 24 • 6, 54 • 16 Microsoft Windows XP, 18 • 12 Microsoft Word macro virus, • – • Middle East: encryption use, 50 • Internet use, 51 • regulation of speech, 51 • Middleware, vulnerabilities, 13 • 13 –13 • 14 Military, U.S.: OPSEC (Operations Security), • –7 • tactics against information warfare, • –7 • Minicomputers, • Misrepresentation, • – • Mistakes, number required, 54 • 15 – 54 • 16 Mitigation, as defensive strategy, 15 • Mitnick, Kevin, • 11, • 17, • – • Mobile code See also ActiveX; Malicious code design and implementation errors, 10 • –10 • malicious, 10 • as multidimensional threat, 10 • –10 • overview, 10 • 1–10 • server issues, 10 • –10 • 10 signed, 10 • –10 • trust issues, 10 • –10 • 4, 10 • Mobile data centers, 43 • 11 Modems, as LAN security hazard, 18 • –18 • Modifying, defined in security incident taxonomy, • 9, • 10 Monitoring: of access to controlled areas, 15 • 17 of applications, 37 • credentialed vs noncredentialed, 37 • of customers, 22 • 18 – 22 • 19 defined, 38 • of employees, 22 • 16, 52 • 13 – 52 • 14 Internet usage, 52 • 15 in intrusion detection systems, 37 • 4, 37 • 5, 37 • 7– 37 • in law enforcement, 52 • – 52 • in operations management, 32 • – 32 • 11 purpose, 38 • of resource utilization, 32 • 10, 38 • role of cookies, 52 • 15 role of log file records, 38 • – 38 • of security components, 20 • 13 – 20 • 15 terminology, 38 • in vulnerability assessment systems, 37 • of Web sites, 22 • 22 – 22 • 23 Monolithic firewalls, 21 • Moore’s law, 54 • 9, 54 •
13 Morris worm, • 17, 11 • –11 • 3, 11 • Motion Picture Association of America (MPAA), 26 • 4, 26 • Motivation, role in security awareness, 29 • – 29 • 6, 45 • – 45 • Movies, digital, 26 • – 26 • See also VHS movies MP3, • 7– • 8, 26 • 4, 26 • See also MPEG (Moving Pictures Experts Group) MPAA (Motion Picture Association of America), 26 • 4, 26 • MPEG (Moving Pictures Experts Group), 26 • 4, 26 • MRA (Mutual Recognition Arrangement), 27 • 12 – 27 • 13, 27 • 24 – 27 • 26 Multidropper RAT, • 18 – • 19 Multilevel security, 17 • 12 –17 • 13 Music piracy, • 7– • 8, 26 • 4, 26 • – 26 • 8, 33 • 22 Mutual Recognition Arrangement (MRA), 27 • 12 – 27 • 13, 27 • 24 – 27 • 26 Myanmar: encryption use, 50 • Internet use, 51 • – 51 • regulation of speech, 51 • – 51 • N Napster, • 7– • 8, 26 • 7– 26 • 8, 33 • 22 Narcissism, and computer crime, • NASA (U.S. National Aeronautics and Space Administration), • 18 National Information Assurance Partnership (NIAP) Validation Body, 27 • 26, 27 • 31 National Infrastructure Protection Center (NIPC), 34 • 13 – 34 • 14 National Interagency Incident Management System (NIIMS), 14 • National Music Publishers Association (NMPA), 26 • 4, 26 • National Security Agency (NSA): Computer Security Center, 17 • 13 security guidelines, 28 • 10 – 28 • 11 National Voluntary Laboratory Accreditation Program (NVLAP), 27 • 28, 27 • 31– 27 • 32 Nation-states, as source of information warfare threats, • 13 –7 • 15 See also International issues Natural threats and disasters, 14 • 12 –14 • 13 NCSA/ICSA Labs annual computer virus survey, • 11 Negligence, • 14 – • 15 The Netherlands, encryption use, 50 • Netiquette, 33 • NetWare, • 10, 18 • 12 –18 • 14 Network activity log, 38 • Network layer, 13 • –13 • Networks See also Internet compartmentalization, 21 • – 21 • 10 control of allowed paths, 20 • 5, 20 • 13 defending against DDoS attacks, 11 • 22 –11 • 23 intrusion detection and response, 20 • 5, 20 • – 20 • in IT history, 20 • – 20 • monitoring for intrusion
detection, 37 • 7– 37 • negligent administration, • 15 operating system issues, • 10 –1 • 11, 18 • –18 • 17 perimeter protection, 20 • – 20 • questions for policy study, 46 • – 46 • 10 role of security mechanisms, 20 • – 20 • securing LANs, 18 • 1–18 • 17 testing for penetration, • 17 NIAP (National Information Assurance Partnership) Validation Body, 27 • 26, 27 • 31 Nimda worm, • 15 – • 16, 11 • 21, 11 • 24 NIPC (National Infrastructure Protection Center), 34 • 13 – 34 • 14 NMPA (National Music Publishers Association), 26 • 4, 26 • Norm of reciprocity, 35 • 14 Northwest Computer Technology and Crime Analysis Center (NCT), 34 • 14 Notebook computers, backup strategies, 41 • – 41 • 10 Novell NetWare, • 10, 18 • 12 –18 • 14 NSA (U.S. National Security Agency): Computer Security Center, 17 • 13 security guidelines, 28 • 10 – 28 • 11 NTSC (National Television System Committee), 26 • 4, 26 • Nuclear weapons See Weapons of mass destruction (WMD) NVLAP (National Voluntary Laboratory Accreditation Program), 27 • 28, 27 • 31– 27 • 32 Nymity, defined, 53 • See also Identity, Internet O Obscenity, • 15 – • 17 Off-hours visitors, as security hazard, 14 • 22 Off-the-shelf software, • 73, 13 • 12, 32 • One-time passwords, • 12, 16 • 12 Online auctions, 33 • 27– 33 • 29 Online backups, 41 • 15 Online dating, 33 • 37– 33 • 40 Online gambling, 33 • 29 – 33 • 31 Open Source, 27 • Operating systems: fingerprinting, • 18 – • 19 installing new versions, 32 • 11 kernel mode, 17 • –17 • 10 known-good software, 32 • 11 LAN security considerations, 18 • –18 • 10 Macintosh, 18 • 15 –18 • 17 mainframe, 32 • 11 monitoring for intrusion detection, 37 • networking issues, • 10 –1 • 11, 18 • –18 • 17 Novell NetWare, 18 • 12 –18 • 14 patching, 32 • 11 processor execution modes, 17 • –17 • 10 for production systems, 32 • 11 protecting shared resources, 17 • –17 • 10 restricted or nonprivileged environments, 10 • role in e-commerce applications, 13 • –13 • security issues, 13 • 19 –13 • 20, 17
• 1–17 • 20 security overview, 17 • 1–17 • security requirements, 17 • –17 • types of protection policies, 17 • 1–17 • Unix, 18 • 14 –18 • 15 user mode, 17 • –17 • 10 vulnerabilities, 13 • Windows 9x, • – • 16, 18 • 10 –18 • 11, 24 • 4, 24 • Windows 2000, 17 • 15 –17 • 19, 18 • 11–18 • 12, 24 • Windows ME (Millennium Edition), 18 • 11 Windows NT, 18 • 11–18 • 12, 24 • 6, 54 • 16 Windows XP, 18 • 12 Operations, defined, 32 • Operations management See also Controls, EDP system controlling access to files and databases, 32 • 13 handling visitors to facilities, 32 • limiting access to facilities, 32 • – 32 • and mainframe computers, 32 • – 32 • 11 monitoring output quality, 32 • 10 – 32 • 11 monitoring system performance, 32 • – 32 • 10 monitoring system resources, 32 • 10 moving new versions of software into production, 32 • – 32 • protecting data, 32 • 11– 32 • 13 questions for policy study, 46 • role of log files, 32 • – 32 • 7, 32 • separation of duties, 32 • – 32 • testing programs, 32 • 12 OPSEC (Operations Security), • –7 • Optical fiber, as security hazard, • Optical media: for data storage, 41 • destroying, 41 • 16 longevity issues, 41 • 12 Orange Book, 27 • Organizational culture, • Organization for Economic Cooperation and Development (OECD): cryptography guidelines, 50 • 10 – 50 • 11 privacy guidelines, 52 • view of e-commerce, • 15 Organizations, anonymity and pseudonymity issues, 53 • 16 – 53 • 17 Outlook, and viruses, • 10 – • 11 Outsourcing, as defensive strategy, 15 • See also Application service providers Overt protections, 15 • 13 –15 • 14 P Packet-filtering firewalls, 20 • 10 Packet radio, • 10 Packets: filtering, 11 • 12 –11 • 13, 11 • 22, 11 • 24, 20 • 10 rule processing on routing devices, 20 • – 20 • 10 stateful inspection, 20 • 10 – 20 • 11 Packet sniffers, • 9, 18 • –18 • 5, 33 • 35, 52 • Packet-switching networks, as security hazard, • PANIX Internet provider, 11 • 3, 11 • Parallel processing, as form of backup, 41 • – 41 • Parameter
passing errors, 25 • Parker, Donn B., • 10, • 14 Passwords: access by system administrators, 16 • cracking, • 20, 18 • 11 enforcing changes, 16 • 11–16 • 12 future issues, 54 • 10 – 54 • 12 intelligent guessing, • 14 – • 15 as method of user authentication, 16 • 2, 16 • offline dictionary attacks, 16 • –16 • one-time, • 12, 16 • 12 online guessing attacks, 16 • 7–16 • poor choices, • 13 poorly maintained, 16 • replay risk, 16 • –16 • 10 reusing, 16 • 11–16 • 12 server spoofing risk, 16 • 10 –16 • 11 simple vs strong, 54 • 10 – 54 • 12 sniffing risk, 16 • –16 • 10 strong, 54 • 10 – 54 • 12 types of risks, 16 • –16 • 12 undetected sharing, 16 • –16 • undetected theft, 16 • –16 • Patents, 12 • 8, 12 • 11–12 • 12, 26 • Payment systems, vulnerabilities to information warfare, • 10 PC mirroring, 41 • PDF files, 28 • 20 Pedophiles, 33 • 44 – 33 • 46 Penetrating information systems: future factors, • 32 information dissemination issue, • 29 – • 32 nontechnical methods, • – • technical methods, • – • 29 testing, tools, and techniques, • 16 – • 20 via Web sites, • 22 – • 29 People’s Republic of China, computer crime in, • 15 – • 16 Perimeter alarms, 15 • 20 Perimeter protection, 20 • – 20 • Perl, 13 • 14 –13 • 15 Personal computers (PCs): history, • 8, • –1 • 10 mirroring, 41 • Personal information See Privacy Personality theories, 35 • – 35 • Persuasion, 35 • 11 Phone taps: preventing, 15 • 41 as security hazard, 14 • 20 Physical attacks: defensive strategies, • 20, 15 • defined, • 13 vs electronic attacks, 14 • 13 overview, • 19 –7 • 20 protecting against, 15 • 42 –15 • 43 as weapon in information warfare, • 19 –7 • 20 Physical data corruption, 39 • – 39 • Physical information loss, • 16 – • 17 Physical layer, wireless LANs, 18 • Physical threats: assessing costs associated with various risks, 14 • 10 –14 • 11 cost when threat becomes reality, 14 • –14 • current risks, 14 • –14 • elements of infrastructure protection, 15 • –15 • 14 general threats, 14 • 12 –14
• 17 information infrastructure assessment process, 14 • –14 • 12 IS facility design considerations, 15 • 25 –15 • 40 IS infrastructure overview, 14 • –14 • man-made threats, 14 • 17–14 • 22 need to keep information confidential, 14 • 23 –14 • 24 prioritizing, 14 • 11 protecting IS infrastructure, 15 • 1–15 • 46 strategic planning for infrastructure protection, 15 • –15 • types of threats, 14 • 12 –14 • 23 PING Sweeps tool, • 18 Piracy See also Antipiracy techniques bulletin board, 26 • consumer attitudes, 26 • 10 – 26 • 11 DVDs, 26 • – 26 • end-user type, 26 • Internet, 26 • legal issues, 12 • 13 –12 • 17 music, • 7– • 8, 26 • 4, 26 • – 26 • overview, 12 • 13 size of losses, 26 • 1– 26 • software, • 18, • 19, 12 • 13 –12 • 17, 26 • 1– 26 • 18 terminology, 26 • – 26 • TV transmissions, 26 • – 26 • 10 types of, 26 • – 26 • VHS movies, 26 • – 26 • PKI See Public-key infrastructure (PKI) Plagiarism, 33 • 24 – 33 • 25 Plaintext, 50 • See also Cleartext Planning See also Business continuity planning; Damage control plans emerging standards for emergency response, 14 • –14 • FEMA guidelines for emergency response, 15 • –15 • strategic planning process for physical infrastructure protection, 15 • –15 • Platforms See also Operating systems role in e-commerce applications, 13 • –13 • security issues, 13 • 19 –13 • 20 Point-to-Point Tunneling Protocol (PPTP), 18 • Policies See Security policies Political disorder, as security hazard, 14 • 18 Politics, as free speech issue, 51 • – 51 • Polymorphic viruses, • – • Ponzi schemes, 33 • 16 – 33 • 17 Pornography, 33 • 41– 33 • 44 Portable computers, backup strategies, 41 • – 41 • 10 Possession, as information security framework element, • – • 7, • 9, • 11, • 12 – • 13 PPs See Protection Profiles (PPs) Prejudice, 35 • Presidential Decision Directive 63 (PDD-63), 27 • 6, 49 • 24 Pretty Good Privacy (PGP), 50 • Privacy and anonymity, 53 • 10 – 53 • 12 and biometrics, 16 • 15 codes of conduct, 52 • 17– 52 • 18 compliance models, 52 • 
17– 52 • 20 contractual protection, • 13 dimensions of, 53 • 10 as e-commerce issue, 33 • 32, 53 • 11 European approaches, 52 • – 52 • international issues, • 11– • 12, 52 • – 52 • and law enforcement, 52 • – 52 • legal aspects, • 11– • 13, 52 • – 52 • self-regulatory regimes, 52 • 17– 52 • 18 U.S. common law, • 12 – • 13, 52 • – 52 • U.S. Constitutional law, • 12 U.S. state legislation, 52 • 16 – 52 • 17 U.S. statutory protection, • 12, 52 • 7– 52 • in workplaces, 52 • 13 – 52 • 14 Privacy Act of 1974, 49 • 9, 52 • 7– 52 • Private Branch Exchange (PBX), 27 • 19 – 27 • 20 Private documents, exposing, 13 • 17 Private IP addresses, 11 • 22, 11 • 23, 21 • 5, 21 • Private keys, 23 • 19 Private testing services, 27 • 10 – 27 • 11 Privileges, as type of access control, 15 • 14 Probing, defined in security incident taxonomy, • – • 7, • 10 Procedures, defined, 28 • 3, 32 • Process initiation log, 38 • Process termination log, 38 • Production systems: controlling access to files and databases, 32 • 13 defined, 32 • handling externally supplied software, 32 • limiting access to facilities, 32 • – 32 • monitoring output quality, 32 • 10 – 32 • 11 monitoring performance, 32 • – 32 • 10 monitoring system resources, 32 • 10 moving new versions of software into production, 32 • – 32 • operating systems, 32 • 11 protecting data, 32 • 11– 32 • 13 role of digital signatures, 32 • testing, 32 • 12 Productivity, as security issue, 14 • –14 • Professional criminals, defined in security incident taxonomy, • 17 Programmers: access to production programs, 32 • 12 EDP control responsibilities, 36 • 10 separation of duties, 32 • – 32 • Programs See Applications; Software Promote Reliable On-Line Transactions to Encourage Commerce and Trade (PROTECT) Act, 50 • Property destruction, • 21– • 22 Prosecution of computer crimes, 34 • 3, 34 • 10 – 34 • 12, 34 • 14 – 34 • 15 Prosecutors, 34 • 14 – 34 • 15 Protection Profiles (PPs), 27 • 14, 27 • 15, 27 • 17– 27 • 21, 27 • 29, 27 • 30 Protocols:
and LAN security, 18 • –18 • as network risks, 13 • –13 • 12 Provisioning, 22 • 12 Proximity cards, 15 • 16 –15 • 17, 15 • 19 Proxy servers: caching feature, 20 • configuration, 20 • 15 – 20 • 16 as form of perimeter protection, 20 • – 20 • role in network security, 20 • – 20 • role of encryption, 20 • technical details, 20 • 11 Pseudonymity: benefits, 53 • 10 – 53 • 12 defined, 53 • disadvantages, 53 • 12 – 53 • 13 in real world, 53 • – 53 • traceable, 53 • – 53 • untraceable, 53 • – 53 • Pseudospoofing, 53 • Psychological operations, • 19 Public Key Cryptography Standards (PKCS), 23 • 13 Public key cryptosystems (PKCs), 23 • 3, 50 • See also Public-key infrastructure (PKI) Public-key infrastructure (PKI): certificate policy, 23 • – 23 • certificate validity period, 23 • 18 cost, 23 • 23 defined, 23 • enterprise components, 23 • – 23 • global, 23 • 7– 23 • 14 and health care industry, 49 • 26 – 49 • 27 how it works, 23 • – 23 • importance of interoperability, 23 • 11– 23 • 14 need for, 23 • – 23 • purpose, 23 • 21 selecting architecture, 23 • 10 and signed code, 10 • 4, 10 • trust models, 23 • 4, 23 • 6, 23 • 7– 23 • 10 Public keys, 23 • 19 Public libraries, and Internet access, 51 • 14 – 51 • 15 Public relations See Security awareness Public schools, and Internet access, 51 • 15 Punched-card systems, • –1 • Python scripting language, 13 • 14 Q Quality, defined, 25 • Quality assurance See also Software development defined, 32 • EDP controls, 36 • goals for software development, 25 • – 25 • vs quality control, 32 • Quality control: defined, 32 • monitoring output quality, 32 • 10 – 32 • 11 monitoring system performance, 32 • – 32 • 10 monitoring system resources, 32 • 10 vs quality assurance, 32 • role of service-level agreements, 32 • – 32 • Quantitative risk model, 42 • 29 – 42 • 30 Questionnaires, limits in assessing risk, 47 • – 47 • R Race conditions: errors, 25 • testing, 25 • 12 Radio-frequency signals, as security hazard, • 10 – • 11 Radiological
incidents, as security hazard, 14 • 14 RAID (redundant arrays of independent disks), 41 • Railroads, vulnerabilities to information warfare, 7•8 Raised floors, 15 • 27–15 • 28 RAM, scavenging, • 14 Random sampling, • RATs (remote access Trojans), • 17– • 18 RDBMS (relational database management systems), 39 • 1– 39 • See also Database management systems (DBMS) Reaction plans, 22 • 23, 22 • 27 Reading, defined in security incident taxonomy, • – • 9, • 10 Read-only file security, 21 • 11 Real world, defined, 53 • Reciprocal agreements, 43 • 11 Recording Industry Association of America (RIAA), 26 • 4, 26 • 6, 26 • 7, 26 • Recordings, bootleg, 26 • See also Music piracy Recording systems, surveillance, 15 • 23 –15 • 24 Records handling, 22 • 19, 22 • 20 See also Log files Recovery See Business continuity planning; Disaster response Redundancy, as defensive strategy, 15 • 4, 15 • 10, 43 • 11 Redundant arrays of independent disks (RAID), 41 • Reference monitors, 17 • 12 –17 • 13 Registration authorities (RAs), 23 • – 23 • Regression testing, 25 • 13, 25 • 14 Regulatory requirements, for reporting computer crime, 34 • 22 – 34 • 23 Rekeying certificates, 23 • 18 – 23 • 19 Relational database management systems (RDBMS), 39 • 1– 39 • See also Database management systems (DBMS) Remailers, anonymizing, 53 • – 53 • Remote access Trojans (RATs), • 17– • 18 Remote spying devices, 15 • 41–15 • 42 Removable media, 41 • – 41 • Repudiation: controlling, • 14 – • 15 inverse of, • 11– • 12 and Kerberos, • 11 overview, • 11– • 12 Reserved IP addresses, 11 • 23 See also Private IP addresses Reserve systems, 43 • 12 – 43 • 13 Resignations, employee, 31 • Resource exhaustion, 25 • Resources, monitoring utilization, 32 • 10, 38 • Retroviruses, • – • Reverse engineering, 12 • –12 • 4, 26 • 13 Reverse ident scanning, • 19 Revocation See also Certificate revocation lists (CRLs) recommendations for notification, 23 • 17– 23 • 18 server-based protocols, 23 • 17 Rewarding behavior, 35 • 10 – 35 • 
11 RFC 1918, 11 • 22, 11 • 23, 21 • RFC 2196 (Site Security Handbook), 28 • 12 – 28 • 13 RIAA (Recording Industry Association of America), 26 • 4, 26 • 6, 26 • 7, 26 • Rich text format (RTF) files, 28 • 20 Right to Financial Privacy Act, 52 • Risk: defined, • 2, 47 • 1– 47 • and future of information security, 54 • – 54 • infrequent, 47 • – 47 • 10 manager’s job, 47 • – 47 • mitigating, 47 • – 47 • 11 quantifying, 47 • – 47 • and rapidly changing environment, 54 • – 54 • in risk equation, 54 • – 54 • ROI-based mitigation, 47 • selecting mitigation measures, 47 • 15 – 47 • 16 simplified model, 47 • – 47 • Risk assessment: objectives, 47 • – 47 • role in selecting security safeguards, • 18 – • 19 techniques, 47 • 11– 47 • 16 Risk equation: applied to encryption, 54 • 12 – 54 • 14 as way to view computer security elements, 54 • 1– 54 • Risk events, 47 • 14 – 47 • 15 Risk management: defined, • –1 • 3, 47 • in e-commerce, 19 • 13 –19 • 14 future issues, 54 • 15 – 54 • 17 role in security management, 27 • – 27 • Y2k lessons, 48 • – 48 • Role playing, 35 • Roll-forward recovery, 39 • Rootkit software, • 14, • 21, 13 • Routers: access control lists for, 20 • 3, 20 • and packet filtering, 11 • 12 –11 • 13, 20 • – 20 • 10 rule processing, 20 • – 20 • 10 as targets of DoS attacks, 11 • 12 RSA (Business Software Alliance), 26 • RTF (rich text format) files, 28 • 20 Rules: creating, 20 • 15 dynamic modification, 20 • implicit, 20 • 16 Russia, encryption use, 50 • S Safe Harbor principles, 52 • 12 – 52 • 13 Safes, fire-resistant, 41 • 14 SAG (Screen Actors Guild), 26 • Salience effect, 35 • Sampling, statistical, • – • Sandbox, 10 • SATAN (Security Analysis Tool for Auditing Networks), • 16 SBWA (security by walking around), 29 • 17 Scanners, as security tool, • 16 – • 20 Scanning, defined in security incident taxonomy, • – • 7, • 10 See also Virus scanning Scavenging: data, • 6, 41 • 15 – 41 • 16 RAM, • 14 Schema, defined, 35 • 3, 35 • Schemata,
defined, 35 • 3, 35 • Schwartz, Randal, 31 • Scour, Inc., 26 • Screen savers, as tool in promoting security awareness, 29 • 15 Scripting languages, 13 • 14 –13 • 15 Scripts See also Mobile code ActiveX concerns, 10 • –10 • as tools of attack, • 13, • 14 SDLC (Software Development Life Cycle): analysis phase, 25 • decoding and debugging phase, 25 • design phase, 25 • 5, 25 • implementation phase, 25 • 5, 25 • incorporating control design strategy, 36 • investigation phase, 25 • – 25 • maintenance phase, 25 • 5, 25 • overview, 25 • – 25 • rapid application development (RAD), 25 • – 25 • requirements analysis phase, 25 • – 25 • testing phase, 25 • 5, 25 • traditional model, 25 • – 25 • waterfall model, 25 • – 25 • SDMI (Secure Digital Music Initiative), 26 • 4, 26 • 12 – 26 • 13 SDM (system development methodology), 36 • Secret key cryptography, 23 • SecureComm 98 conference, • 15 Secure Digital Music Initiative (SDMI), 26 • 4, 26 • 12 – 26 • 13 Secure Sockets Layer (SSL), 13 • 10, 16 • 10 –16 • 11, 20 • 7, 22 • 20 Security, defined, • 2, • – • See also Computer security; Information security Security and Freedom Through Encryption Act (SAFE), 50 • Security awareness: approaches to, 29 • – 29 • critical success factors, 29 • – 29 • information resources, 29 • 19 in-place information policy, 29 • measuring and evaluating program, 29 • 18 – 29 • 19 media campaign, 29 • – 29 • overview, 29 • planning, 29 • principles, 29 • profiling audience, 29 • – 29 • program content, 29 • – 29 • program goals, 29 • program presentation, 29 • – 29 • 13 raising, 29 • – 29 • role of motivation, 29 • – 29 • senior management support, 29 • – 29 • and social psychology, 35 • 1– 35 • 16 tools for teaching and promoting, 29 • 13 – 29 • 17 Security by walking around (SBWA), 29 • 17 Security descriptors, 17 • 16, 17 • 17–17 • 19 Security domains, multiple, 22 • 13 Security kernel database, 17 • 13 Security officers, 32 • Security policies: changing, 28 • 21 constructing, 46 • 12 contents of 
initial study, 46 • – 46 • 11 defined, 28 • developing, 46 • 1– 46 • 14 formal and informal standards, 28 • – 28 • 14 getting across, 35 • – 35 • 10 implementing, 46 • 12 – 46 • 13 maintaining, 28 • 20 – 28 • 21, 46 • 13 needs analysis, 46 • 11– 46 • 12 organizing, 28 • 17– 28 • 18 preliminary evaluation, 46 • –11 presenting, 35 • – 35 • 10 publishing electronically, 28 • 19 – 28 • 20 publishing on paper, 28 • 18 – 28 • 19 resources for writers, 28 • – 28 • 16 reviewing, 28 • 21 role of collaboration, 46 • – 46 • for security awareness, 29 • and social psychology, 35 • 1– 35 • 16 terminology, 28 • – 28 • writing, 28 • 16 – 28 • 17 Security Proof of Concept Keystone (SPOCK), 27 • Security Targets (STs), 27 • 14 – 27 • 15, 27 • 21– 27 • 23, 27 • 29, 27 • 30 Seduction, • Segmenting secrets, as security strategy, 15 • Self-insurance, as defensive strategy, 15 • Self-serving bias, 35 • – 35 • Semiconductor Chip Protection Act, 12 • Sensitivity testing, 47 • 15 Sensors, for intrusion detection, 37 • 14 – 37 • 15 Separation of duties: as EDP auditing issue, 36 • – 36 • as human resources issue, 31 • 7– 31 • in operations management, 32 • – 32 • September 11 attacks: and anonymizing services, 53 • Cantor Fitzgerald example, 42 • impact on IT and infrastructure, • 9, 14 • 2, 14 • 5, 22 • 2, 22 • – 22 • impact on thinking about information warfare, • 16, • 19 –7 • 20, 15 • 42 impact on Web operations, 22 • and Port Authority of New York and New Jersey, • Server-based authentication, 18 • Server-based revocation protocols, 23 • 17 Servers See also Proxy servers; Web servers backup strategies, 41 • deploying AV scanners, 24 • 14 Server-side includes (SSIs), • 28 – • 29, 13 • 16 –13 • 17 Server-side SSL, 16 • 10 –16 • 11 Service interruption losses, 47 • 13 – 47 • 14 Service-level agreements, 32 • – 32 • Session initiation log, 38 • Session termination log, 38 • Sex, as free speech issue, 51 • Shaft DDoS tool, 11 • 19 Shared resources, protecting, 17 • –17 • 10 Shipping,
vulnerabilities to information warfare, • 8–9 Shrink-wrap licenses, • – • Signed code: Authenticode example, 10 • limitations, 10 • – overview, 10 • trust issue, 10 • –10 • Signing keys, 23 • 19 Sign-on screens, as tool in promoting security awareness, 29 • 16 SIIA See Software and Information Industry Association (SIIA) Simple Mail Transfer Protocol (SMTP), 10 • 10, 20 • Simple Network Management Protocol (SNMP), 20 • 14, 20 • 15 Site dispersion: for Internet-visible systems, 21 • 13 for Web servers, 22 • 25 – 22 • 26 Site hardening: for Internet-visible systems, 21 • 12 – 21 • 13 for Web server facilities, 22 • 24 – 22 • 25 Site names, defined, • 17, • 18 Sites, defined, • 17, • 18 See also Facilities; Web sites Smart cards, 16 • 12 –16 • 13 Smoke: precautions to take, 15 • 11–15 • 12, 15 • 38 –15 • 40 as security hazard, 14 • 14 –14 • 15 SMTP (Simple Mail Transfer Protocol), 10 • 10, 20 • SMURF attacks, 11 • Sniffer software, • 19, • 9, 18 • –18 • 5, 33 • 35, 52 • SNMP (Simple Network Management Protocol), 20 • 14, 20 • 15 Snuffle encryption software, 50 • Social context, and computer crime, • – • Social engineering attacks, • – • Social learning theory, and computer crime, • 6–6 • Social psychology: effects of anonymity, 53 • – 53 • 10 role in implementing security policies, 35 • 1– 35 • 16 and security policies, 35 • 1– 35 • 16 Soft tokens, 16 • 13 Software: authorized access issues, 12 • 16 –12 • 17 authorized use issues, 12 • 13 –12 • 16 for backups, 41 • – 41 • commercial off-the-shelf (COTS), • 73, 13 • 12, 32 • as computer system asset, 17 • concurrent installation, 26 • 13 concurrent usage, 26 • 13 – 26 • 14 copying, • copyright issues, • 7, 12 • –12 • counterfeiting, • for EDP audits, 36 • 13, 36 • 18 – 36 • 21 externally supplied, 32 • first sale vs licensing, 12 • longevity issues, 41 • 12 – 41 • 13 monitoring system performance, 32 • – 32 • 10 moving new versions into production, 32 • – 32 • piracy, • 18, • 19, 12 • 13 –12 • 17, 26 • 1– 26 •
18, 33 • 21– 33 • 24 programmer access, 32 • 12 program revision controls, 36 • testing, 25 • 10 – 25 • 14, 32 • 12 as tools of attack, • 13, • 14 transformative uses, 12 • 4, 12 • 14 Software and Information Industry Association (SIIA), • 18, • 19, 26 • – 26 • Software development: building test data sets, 25 • 13 change requests, 25 • 14 – 25 • 15 designing test cases, 25 • 10 – 25 • 13 integrating security, 25 • life cycle, 25 • – 25 • quality assurance goals, 25 • – 25 • questions for policy study, 46 • sources of bugs and other problems, 25 • 15 – 25 • 16 tracking bugs, 25 • 14 types of errors, 25 • 7– 25 • 10 user interface problems, 25 • – 25 • 10 Software Development Life Cycle (SDLC): analysis phase, 25 • decoding and debugging phase, 25 • design phase, 25 • 5, 25 • implementation phase, 25 • 5, 25 • incorporating control design strategy, 36 • investigation phase, 25 • – 25 • maintenance phase, 25 • 5, 25 • overview, 25 • – 25 • rapid application development (RAD), 25 • – 25 • requirements analysis phase, 25 • – 25 • testing phase, 25 • 5, 25 • traditional model, 25 • – 25 • waterfall model, 25 • – 25 • Software Engineering Institute, Carnegie Mellon University See Computer Emergency Response Team Coordination Center (CERT-CC) Software keys, 26 • 11– 26 • 13 Software metering, 26 • 13 – 26 • 14 Software piracy, • 18, • 19, 12 • 13 –12 • 17, 26 • 1– 26 • 18, 33 • 21– 33 • 24 See also Antipiracy techniques Software Publishers Association (SPA), 26 • 5, 26 • 10 – 26 • 11 Source compare programs, 36 • 19 – 36 • 20 Spam, 33 • 14 – 33 • 16 SPA (Software Publishers Association), 26 • 5, 26 • 10 – 26 • 11 Spies, defined in security incident taxonomy, • 17 See also Spyware Splitting keys, 23 • 21 SPOCK (Security Proof of Concept Keystone), 27 • Spoofing: and DDoS attacks, 11 • 23 defined in security incident taxonomy, • 8, • 10 Spread-spectrum technology, • 10 Spying, • 16 Spying devices, remote, 15
• 41–15 • 42 Spyware, 13 • 9, 33 • 34 – 33 • 36 SSE-CMM (Systems Security Engineering Capability Maturity Model), 27 • SSIs (server-side includes), • 28 – • 29, 13 • 16 –13 • 17 SSL (Secure Sockets Layer), 13 • 10, 16 • 10 –16 • 11, 20 • 7, 22 • 20 Stacheldraht DDoS tool, 11 • 18 Stakeholders, 45 • 7– 45 • Standard deviation, in statistics, • Standards: defined, 28 • – 28 • overview, 27 • 1– 27 • for security assessment, 27 • – 27 • for security policies, 28 • – 28 • 14 Stateful inspection firewalls, 20 • 10 – 20 • 11 State transitions, 25 • 11– 25 • 12 Statistics: association vs causality, • 7– • computer crime and, • – • descriptive, • – • hypothesis testing, • – • inference in, • – • sampling in, • – • standard deviation in, • Stealing: defined in security incident taxonomy, • 9, • 10 as security hazard, • 15, 14 • 19 –14 • 20 Stealth scans, • 18 Stealth viruses, • Stolen software See Software piracy Storage rooms, as security hazard, 14 • 22 –14 • 23 Strong passwords, 54 • 10 – 54 • 12 STs See Security Targets (STs) SubSeven RAT, • 18 Subversion, • – • Success, defined, • 17 Sunkist Growers, Inc., 42 • – 42 • Superencryption, 23 • 21 Surveillance technology: broadband connections, 15 • 24 –15 • 25 camera control systems, 15 • 24 cameras, 15 • 19 –15 • 20, 15 • 21–15 • 23 and privacy, 52 • recording systems, 15 • 23 –15 • 24 systems overview, 15 • 21 Surveys, as research method in computer crime, • 8–4 • Suspended ceilings, 15 • 27 Symmetric-key encryption, 23 • 2, 23 • 19, 50 • Synchronization software, 41 • – 41 • 10 Synchronous communications, as security hazard, 8•8 SYN flooding, 11 • 10 –11 • 11 System Administration and Network Security Institute (SANS), 28 • 16 System administrators, role in defending against DDoS attacks, 11 • 21–11 • 22 System boot log, 38 • System console activity log, 38 • System development controls, 36 • Systems See Computers; Information systems (IS); Networks System shutdown log, 38 • Systems Security Engineering Capability 
Maturity Model (SSE-CMM), 27 • System tables, 38 • T Tape cartridge systems, 41 • – 41 • Taps, as tools of attack, • 14 See also Wiretaps Targets, in security incident events, • – • 5, • 6, • 10 – • 11 Taxonomy, for security incidents, • 3, • – • 17 TCP Connect tool, • 17 TCP SYN tool, • 17 TCSEC (Trusted Computer System Evaluation Criteria), 27 • Teardrop attacks, 11 • Telecommunications Act of 1996, • 16 – • 17 Telecommunication security controls, 36 • Telecommuting, • 11–1 • 12 Telephone lines, as LAN security hazard, 18 • –18 • Telephone taps: in litigation, • 17– • 18 preventing, • 7, 15 • 41 as security hazard, • 7– • 8, 14 • 20 Television signals, pirated, 26 • – 26 • 10 Temperature, as security hazard, 14 • 16 TEMPEST standard, • 11 Terminals, illicit, 14 • 23 Terminating employees, 31 • – 31 • 12 Terminology: in monitoring and control, 38 • piracy, 26 • – 26 • security policy, 28 • – 28 • Terrorism See also September 11 attacks impact on Web sites, 22 • – 22 • protecting against, 15 • 42 –15 • 43 as serious threat, 14 • 2, 14 • as source of information warfare threats, • 15 –7 • 16 in workplace, 14 • 21–14 • 22 Terrorists, defined in security incident taxonomy, • 17 Test-coverage monitors, 25 • 12 – 25 • 13 Testing: automated, 25 • 13 – 25 • 14 of backups, 41 • 10 for disaster readiness, 43 • 19 – 43 • 20 for network penetration, • 17 INDEX Tribe Flood Network (TFN) DDoS tool, 11 • 17–11 • 18 Trinity DDoS tool, 11 • 19 Trinkets, as tool in promoting security awareness, 29 • 16 – 29 • 17 Trinoo DDoS tool, 11 • 16 –11 • 17 TRIPS (Agreement on Trade-Related Aspects of Intellectual Property Rights), 12 • –12 • 13 Trojan Horse programs: for capturing login data, • 11– • 12 defending against with secure, trusted operating systems, 17 • 13 –17 • 15 example, 17 • 13 –17 • 15 overview, • 21 Trucking, vulnerabilities to information warfare, • Trust: asymmetric, 10 • derivative, 10 • and in-house product assessments, 27 • – 27 • methods of establishing, 27 • 7– 27 • 
12 nonstandard development alternatives, 27 • 7– 27 • 11 and private testing services, 27 • 10 – 27 • 11 and public-key infrastructure, 23 • 7– 23 • 14 role in security management, 27 • – 27 • role of trade press, 27 • – 27 • 10 as signed code issue, 10 • –10 • standard development alternatives, 27 • 11– 27 • 12 transitive, 10 • and vendor self-declarations, 27 • 7– 27 • Trust anchors, 23 • 6, 23 • 7, 23 • 8, 23 • 10 TRUSTe, 33 • 31, 52 • 17 Trusted archival services, 23 • 22 – 23 • 23 Trusted Computer System Evaluation Criteria (TCSEC), 27 • Trusted systems, 17 • 11–17 • 13 Trusted time stamps, 23 • 23 Trust models: anarchy, 23 • 10 bridge, 23 • – 23 • 10 hierarchy, 23 • multiple trust anchors, 23 • 10 overview, 23 • 7– 23 • and PKI interoperability, 23 • 11, 23 • 12 strict hierarchy, 23 • – 23 • TrustWatch, 33 • 31 Tunneling viruses, • Turkey, encryption use, 50 • TV surveillance cameras, 15 • 20, 15 • 21–15 • 23 TV transmissions, pirated, 26 • – 26 • 10 TE AM FL Y in production systems, 32 • 12 regression, 25 • 13, 25 • 14 of security profiles and products, 27 • 27– 27 • 32 of software, 25 • 5, 25 • 6, 25 • 10 – 25 • 13, 32 • 12 unauthorized, 31 • validating of, 27 • 32 – 27 • 34 Testing labs, 27 • 10 – 27 • 11 TFN See Tribe Flood Network (TFN) DDoS tool Theft, as security hazard, • 15, 14 • 19 –14 • 20 See also Stealing Threat assessment: cost-value analysis, 15 • 44 –15 • 45 process for IS infrastructure, 14 • –14 • 12 Threats: communication intercepts, • 19 – • 20, • 7– • 12 cost when threat becomes reality, 14 • –14 • current risks, 14 • –14 • elements of infrastructure protection, 15 • –15 • 14 e-mail, 33 • 12 – 33 • 13 and future of information security, 54 • – 54 • general, 14 • 12 –14 • 17 information infrastructure assessment process, 14 • –14 • 12 from insiders, 54 • 17 IS infrastructure overview, 14 • –14 • man-made, 14 • 17–14 • 22 need to keep information confidential, 14 • 23 –14 • 24 prioritizing, 14 • 11 protecting IS infrastructure, 15 • 1–15 • 
46 raising awareness, 29 • in risk equation, 54 • – 54 • 3, 54 • 13 – 54 • 14 types of, 14 • 12 –14 • 23 Threats, Assets, Vulnerabilities Model, • 2, • 19 Time sharing, • Time stamps, trusted, 23 • 23 Tokens, as method of user authentication, 16 • 2, 16 • –16 • 4, 16 • 12 –16 • 13 Tools, used in attacks, • 12, • 13 – • 14 Tornadoes, as security hazard, 14 • 13 Touch cards, 15 • 16 –15 • 17 Traceable anonymity, 53 • – 53 • Trademark Counterfeiting statute, 26 • Trademarks: vs copyrights and patents, 26 • and domain names, • 10, • 11 and embedded text, • 20 – • 11 and fair use, • 11 nature of protection, • – • 10 overview, • Trade secrets: proprietary rights overview, 12 • 1–12 • trade-related aspects, 12 • 10 vulnerabilities to information warfare, • 12 Trafficking in Counterfeit Labels statute, 26 • Training computer emergency response teams (CERTs), 40 • Transistors, • Transitive trust, 10 • Transmission Control Protocol/Internet Protocol (TCP/IP), 13 • 6, 13 • 10 Transportation: vulnerabilities to information warfare, • –7 • and World Trade Center attack, • Trespassing, • 20 – • 21 Tribe Flood Network 2K (TFN2K) DDoS tool, 11 • 18 –11 • 19 I ⅐ 23 U Unconditional locking, 39 • 4, 39 • Underground recordings, 26 • See also Music piracy Unified Modeling Language (UML), 13 • 13 Uniform commercial code (UCC), 19 • –19 • Uniform Electronic Transactions Act (UETA), 19 • –19 • Uninterruptible power supply (UPS) units, 15 • 31–15 • 32 United Kingdom: British Standard 7799, 49 • 27– 49 • 28 computer crime, • 13, • 14, • 17, • 20 – • 21 Computer Misuse Act, 49 • 22 Copyright, Designs, Patents Act, 49 • 22 Data Protection Act, 49 • 20 – 49 • 21 encryption use, 50 • – 50 • I ⅐ 24 INDEX United Kingdom: (Continued) government policies on medical records, 49 • 23 – 49 • 24 medical records expectations, 49 • medical records laws and regulations, 49 • 20 – 49 • 22 regulation of speech, 51 • United Nations Model Law on Electronic Commerce, 19 • –19 • United States: encryption use, 
50 • – 50 • export regulations on encryption products, 50 • – 50 • 10 First Amendment rights, 51 • 7– 51 • 15 government vulnerabilities to information warfare, • 7–7 • infrastructure vulnerabilities, • –7 • medical records expectations, policies, rules and regulations, 49 • 8, 49 • – 49 • 20, 49 • 24 Presidential Decision Directive 63 (PDD-63), 27 • 6, 49 • 24 and privacy law, 52 • – 52 • 17 regulation of speech, 51 • 2, 51 • 7– 51 • 15 uniformity in commercial law, 19 • –19 • UNIVAC, • –1 • Unix, 18 • 14 –18 • 15, 24 • Unprotected speech, 51 • 11– 51 • 12 Unsolicited commercial e-mail, 33 • 14 – 33 • 16 Updating: databases, 39 • – 39 • Web sites, 22 • 10, 22 • 14 – 22 • 15 UPS (uninterruptible power supply) units, 15 • 31–15 • 32 Urban myths, 33 • 10 U.S Copyright Law, • 5, 26 • U.S Environmental Protection Agency, • 21 U.S Federal Best Security Practices (BSPs), 28 • 11– 28 • 12 U.S Federal Bureau of Investigation See CSI (Computer Security Institute)/FBI annual computer crime survey U.S Federal Communications Commission (FCC), 26 • 4, 26 • U.S Federal Criteria, 27 • U.S Federal Emergency Management Agency (FEMA), 14 • 7, 15 • –15 • U.S General Accounting Office (GAO), • 18, • 19 – • 20, • U.S government, computer security breaches, • 14 – • 15, • 18, • 21 U.S National Aeronautics and Space Administration (NASA), • 18 U.S National Security Agency (NSA): Computer Security Center, 17 • 13 security guidelines, 28 • 10 – 28 • 11 Usenet, • 31, 33 • 6, 33 • User commands, as tool of attack, • 13, • 14 User Datagram Protocol (UDP) scans, • 18 User-defined objects, 17 • 19 User identifiers (IDs): as form of authorization, 16 • 1–16 • intelligent guessing, • 14 – • 15 User interface problems, 25 • – 25 • 10 Users See also Employees access to production data, 32 • 11– 32 • 12 defending against DDoS attacks, 11 • 21–11 • 22 EDP control responsibilities, 36 • 10 – 36 • 11 Utility, as information security framework element, • – • 4, • 9, • 10 – • 11 Utility disruptions, 14 • 
13, 14 • 16 –14 • 17 V Vacation time, 31 • Validating testing, 27 • 32 – 27 • 34 Validation Bodies, 27 • 26 See also NIAP (National Information Assurance Partnership) Validation Body Validation controls: diagnostic utilities, 11 identifying input errors, 39 • 10 overview, 39 • – 39 • 10 for production control, 32 • 13 – 32 • 15 range checks, 39 • 10 tables of values and codes, 39 • 10 – 39 • 11 Vandals, defined in security incident taxonomy, • 17 Variance, in statistics, • Vaults, data, 41 • 14 – 41 • 15 VBR (variable bit rate) compression, 26 • 12 VBScript code, scanning and filtering, 20 • Vectors, content, 20 • 12 Vendors, as source of security alerts and updates, 20 • 17 Vendor self-declaration, 27 • 7– 27 • VeriSign, 10 • 6, 45 • VHS movies: counterfeiting, 26 • – 26 • piracy, 33 • 22 protecting, 26 • 11– 26 • 12 Video, as tool in promoting security awareness, 29 • 16 See also VHS movies Video Privacy Protection Act, 52 • 12 Violence, protecting against, 15 • 42 –15 • 43 Virtual private networks (VPNs), 18 • 8, 20 • 7, 27 • See also VPN Consortium Viruses See also Worms annual NCSA/ICSA Labs survey, • 11 antivirus technologies, 24 • 1– 24 • 15 boot, • code generators, • – • deploying AV scanners against, 24 • 8, 24 • 13 – 24 • 14 detecting, 24 • 8, 24 • 13 – 24 • 14 history, • – • 4, 24 • – 24 • hoaxes, • 19 – • 20 lack of standard meaning, • list of guidelines, 33 • 13 – 33 • 14 memory-resident, • and Microsoft software, • – • 16 myths about, 33 • 10 – 33 • 11 need for policies and strategies, 24 • 14 – 24 • 15 original definition, • overview, 24 • 1– 24 • polymorphic, • – • preventing, 24 • – 24 • profiles of writers, • 10 – • 11, • 16 – • 18 program infectors, • – • retroviruses, • – • stealth, • tunneling, • varieties, • – • Virus scanning: deploying scanners, 24 • 8, 24 • 13 – 24 • 14 issues and problems, 24 • – 24 • 3, 24 • 4, 24 • – 24 • methodologies, 24 • 7– 24 • 10 overview, 20 • Visitors, handling, 15 • 16, 15 • 19, 32 • Visual BASIC for 
Applications, • 8, • Voicemail, workplace monitoring, 52 • 13, 52 • 14 Voice-over IP (VoIP), 21 • Voice-print scanners, 15 • 18 INDEX Volcanic eruptions, as security hazard, 14 • 12–14 • 13 Voyeurs, defined in security incident taxonomy, • 17 VPN Consortium, 27 • VPNs See Virtual private networks (VPNs) Vulnerabilities: configuration-type, • 14 defined, • 14 design-type, • 14 and future of information security, 54 • – 54 • implementation-type, • 14 and increasing system complexity, 54 • – 54 • in risk equation, 54 • – 54 • 4, 54 • 13 Web server, • 22 – • 29, 13 • 4, 13 • 16 –13 • 18 Vulnerability assessment systems (VAS): assessment strategies, 37 • history, 37 • vs intrusion detection, 37 • – 37 • monitoring, 37 • overview, 37 • – 37 • 3, 37 • role in security management, 37 • strengths and weaknesses, 37 • – 37 • when to use, 37 • W Warfare See Information warfare Wassenaar Arrangement on Export Controls for ConventionalArms and Dual-Use Goods and Technologies, 50 • 11– 50 • 12 Water leaks and flooding, as security hazard, 14 • 13, 14 • 15 Watermarking, 26 • 11, 26 • 12 – 26 • 13 Weapons of mass destruction (WMD), • 20, 14 • 21–14 • 22, 15 • 42 –15 • 43 Weather, as security hazard, 22 • Web-based click agreements, • – • Web-based courses, as tool in teaching security awareness, 29 • 14 – 29 • 15 Web beacons, 52 • 15 Web browsers: security risks, 13 • –13 • security settings, • 19 and spyware, 33 • 34 – 33 • 36 Web bugs, 52 • 15 Web crawlers, and fair use, 12 • 15 –12 • 16 Web pages See also Web sites defacements, • 21– • 22 hidden form fields, • 25 – • 27 metatext, • 20 – • 11 and trademark infringement, • 20 – • 11 Web servers: configuring for security, 13 • 16 –13 • 18 dangers of server-side includes, 13 • 16 –13 • 17 and directory browsing, 13 • 17 file system vulnerabilities, • 27– • 29 and HTML coding, 13 • 16 –13 • 17 liability issues, 22 • 17– 22 • 18 and mobile code, 10 • –10 • 10 protecting with intrusion detection systems, 37 • 13 – 37 • 14 security 
restrictions, 22 • 12 – 22 • 13 site dispersion, 22 • 25 – 22 • 26 site hardening, 22 • 24 – 22 • 25 user input vulnerabilities, • 23 – • 27 vulnerabilities, • 22 – • 29, 13 • 4, 13 • 16 –13 • 18 Web sites: accidental worms, 22 • 10 and Acts of God, 22 • – 22 • buying products, 33 • 31– 33 • 34 caching services, 51 • 17– 51 • 18 I ⅐ 25 compartmentalization, 22 • 23 – 22 • 24 and crackers, 22 • – 22 • as criminal target, 22 • defacements, • 21– • 22, • 23 defensive actions, 22 • 11– 22 • 16 developing user policies, 33 • 21– 33 • 46 and disintermediation, 33 • 7– 33 • duplicating resources, 22 • 12 and employee misbehavior, 22 • ethical issues in protecting, 22 • 16 – 22 • 19 exposure, 22 • 13 failures in planning, 22 • 10 file security, 22 • 22 going offline, 22 • 22 guidelines for using information, 33 • – 33 • hardware failure, 22 • as hostile targets, 22 • impact of interruptions, 22 • impact of terrorism, 22 • – 22 • liability issues, 22 • 17– 22 • 18 and libel, 33 • links and frames as copyright issue, • – • litigation issues, 22 • 19 – 22 • 20 maintaining integrity, 22 • 15 – 22 • 16 maintenance, 22 • 10, 22 • 14 – 22 • 15 mobile code dangers, • 19 monitoring, 22 • 22 – 22 • 23 monitoring employee use, 52 • 13, 52 • 14 nonhostile service interruptions, 22 • 7– 22 • 10 operator errors, 22 • – 22 • 10 outages, 22 • 2, 22 • as penetration pathway, • 22 – • 29 and PR image, 22 • problem of incorrect information, 33 • 7– 33 • protecting, 22 • 1– 22 • 30 reacting to security incidents, 22 • 16 risk analysis, 22 • – 22 • self-protective measures, 22 • 11– 22 • 16 as target of competitors, 22 • as target of dissatisfied customers, 22 • as target of political activism, 22 • technical issues in protecting, 22 • 11– 22 • 16 threat and hazard assessment, 22 • – 22 • 10 types of business loss, 22 • – 22 • types of threats, 22 • – 22 • updating, 22 • 10, 22 • 14 – 22 • 15 user input vulnerabilities, • 23 – • 27 WebTrust, 33 • 31 West Coast Labs, 27 • 10 WGA (Writers Guild 
of America), 26 • Wide area networks (WANs), • 11, 20 • – 20 • Wildfires, as security hazard, 14 • 14 –14 • 15 WildList, 24 • 2, 24 • Windows Help files, 28 • 20 Windows operating systems: and computer viruses, 24 • – 24 • 4, 24 • Windows 9x, • – • 16, 18 • 10 –18 • 11, 24 • 4, 24 • Windows 2000, 17 • 15 –17 • 19, 18 • 11–18 • 12, 24 • Windows ME (Millenium Edition), 18 • 11 Windows NT, 18 • 11–18 • 12, 24 • 6, 54 • 16 Windows XP, 18 • 12 Wired Equivalent Privacy (WEP) encryption method, 18 • 8, 18 • Wireless communication, as security hazard, • – • 10 Wireless LANs, 18 • 7–18 • Wiretaps: in litigation, • 17– • 18 I ⅐ 26 INDEX Wiretaps: (Continued) preventing, • 7, 15 • 41 as security hazard, • 7– • 8, 14 • 20 Wiring and cabling: in IS facilities design, 15 • 28 –15 • 29 LAN vulnerabilities, 18 • –18 • as security hazard, 14 • 18 –14 • 19 WLANs (wireless LANs), 18 • 7–18 • Workplace privacy, 52 • 13 – 52 • 14 Workplace violence, 14 • 21–14 • 22 Workstation mirroring, 41 • Workstations, backup strategies, 41 • World Trade Center attack See September 11 attacks World Wide Web See also E-commerce; Internet; Web sites click agreements, • – • history, • 12 mobile code, 10 • and piracy issues, 12 • 13 –12 • 17 Worms: accidental, 22 • 10 Anna Kournikova, • 12 defined, • 16 – • 17 Happy99, • history, • lack of standard meaning, • prevention, • 17 self-updating, • 11– • 12 ZippedFile.exe, • 11 X X.500 directory, 23 • 13, 23 • 14 X.509 standard, 23 • 4, 23 • 5, 23 • 6, 23 • 13, 23 • 14 XML files, 28 • 19 Y Y2k, 48 • 1– 48 • 14 Year 2000 See Y2K Z ZIP diskettes, 41 • ZippedFile.exe worm, • 11 Zombie DDoS software, 11 • 20 See also Daemons, DdoS ...COMPUTER SECURITY HANDBOOK Fourth Edition Edited by SEYMOUR BOSWORTH M.E KABAY JOHN WILEY & SONS, INC This book is printed on acid-free paper ⅜ ϱ Copyright © 2002 by John Wiley & Sons, Inc... 
... e-commerce security. He is the author of E-Commerce Security: Weak Links, Best Defenses (Wiley, 1998), a definitive guide to e-commerce security, and Security and Privacy for E-Business (John Wiley & Sons, ...

... Future of Information Security, Peter Tippett
INDEX
Appendices and Tutorials for this Handbook are online at www.wiley.com/go/securityhandbook
PART ONE: FOUNDATIONS OF COMPUTER SECURITY
CHAPTER Brief ...

Posted: 24/05/2018, 08:07
