Fifth Edition, Volume OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
Asset Protection and Security Management Handbook POA Publishing ISBN: 0-8493-1603-0
Building a Global Information Assurance Program Raymond J Curts and Douglas E Campbell ISBN: 0-8493-1368-6
Information Technology Control and Audit, Second Edition Fredrick Gallegos, Daniel Manson, Sandra Allen-Senft, and Carol Gonzales ISBN: 0-8493-2032-1
Investigator's Guide to Steganography Gregory Kipper 0-8493-2433-5
Building an Information Security Awareness Program Mark B Desman ISBN: 0-8493-0116-5
Managing a Network Vulnerability Assessment Thomas Peltier, Justin Peltier, and John A Blackley ISBN: 0-8493-1270-1
Critical Incident Management Alan B Sterneckert ISBN: 0-8493-0010-X
Network Perimeter Security: Building Defense In-Depth Cliff Riggs ISBN: 0-8493-1628-6
Cyber Crime Investigator's Field Guide, Second Edition Bruce Middleton ISBN: 0-8493-2768-7
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes Albert J Marcella, Jr and Robert S Greenfield ISBN: 0-8493-0955-7
The Practical Guide to HIPAA Privacy and Security Compliance Kevin Beaver and Rebecca Herold ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance Debra S Herrmann ISBN: 0-8493-1163-2
The Ethical Hack: A Framework for Business Value Penetration Testing James S Tiller ISBN: 0-8493-1609-X
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions Rebecca Herold ISBN: 0-8493-1248-5
The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks Susan Young and Dave Aitel ISBN: 0-8493-0888-7
Public Key Infrastructure: Building Trusted Applications and Web Services John R Vacca ISBN: 0-8493-0822-4
Information Security Architecture: An Integrated Approach to Security in the Organization Jan Killmeyer Tudor ISBN: 0-8493-9988-2
Securing and Controlling Cisco Routers Peter T Davis ISBN: 0-8493-1290-6
Information Security 
Fundamentals Thomas R Peltier ISBN: 0-8493-1957-9 Information Security Management Handbook, 5th Edition Harold F Tipton and Micki Krause ISBN: 0-8493-1997-8 Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management Thomas R Peltier ISBN: 0-8493-1137-3 Information Security Risk Analysis Thomas R Peltier ISBN: 0-8493-0880-1 Strategic Information Security John Wylder ISBN: 0-8493-2041-0 Surviving Security: How to Integrate People, Process, and Technology, Second Edition Amanda Andress ISBN: 0-8493-2042-9 A Technical Guide to IPSec Virtual Private Networks James S Tiller ISBN: 0-8493-0876-3 Using the Common Criteria for IT Security Evaluation Debra S Herrmann ISBN: 0-8493-1404-6 AUERBACH PUBLICATIONS www.auerbach-publications.com To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 E-mail: orders@crcpress.com Fifth Edition, Volume ® PRESS Edited by Boca Raton New York Chapter 18, Enterprise Security Management Program, by George G McBride © 2005 Copyright Lucent Technologies Chapter 23, Beyond Information Security Awareness Training: It Is Time To Change the Culture, by Stan Stahl © Copyright 2005, Citadel Information Group, Inc Chapter 25, System Development Security Methodology, by Ian Lim and Ioana V Bazavan © Copyright 2003 Accenture All rights reserved Used by permission Published in 2006 by Auerbach Publications Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2006 by Taylor & Francis Group, LLC Auerbach is an imprint of Taylor & Francis Group No claim to original U.S Government works Printed in the United States of America on acid-free paper 10 International Standard Book Number-10: 0-8493-9561-5 (Hardcover) International Standard Book Number-13: 978-0-8493-9561-1 (Hardcover) Library of Congress Card Number 2003061151 This book contains information obtained from authentic and highly regarded sources Reprinted material is quoted with permission, and sources are 
indicated A wide variety of references are listed Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400 CCC is a not-for-profit organization that provides licenses and registration for a variety of users For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe Library of Congress Cataloging-in-Publication Data Information security management handbook / Harold F Tipton, Micki Krause, editors. 
5th ed p cm Includes bibliographical references and index ISBN 0-8493-9561-5 (alk paper) Computer security Management Handbooks, manuals, etc Data protection Handbooks, manuals, etc I Tipton, Harold F II Krause, Micki QA76.9.A25I54165 2003 658’.0558 dc22 2003061151 Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com Taylor & Francis Group is the Academic Division of Informa plc and the Auerbach Publications Web site at http://www.auerbach-publications.com
Table of Contents About the Editors xi Contributors xiii Introduction xxiii
ACCESS CONTROL SYSTEMS AND METHODOLOGY Section 1.1 Access Control Techniques Sensitive or Critical Data Access Controls Mollie E Krehnke and David C Krehnke An Introduction to Role-Based Access Control 17 Ian Clark Smart Cards 31 Jim Tiller A Guide to Evaluating Tokens 41 Joseph T Hootman Section 1.2 Access Control Administration Identity Management: Benefits and Challenges 51 Lynda L McGhie
TELECOMMUNICATIONS AND NETWORK SECURITY 69 Section 2.1 Communications and Network Security An Examination of Firewall Architectures 73 Paul A Henry The Five W’s and Designing a Secure, Identity-Based, Self-Defending Network (5W Network) 119 Samuel W Chun Maintaining Network Security: Availability via Intelligent Agents 131 Robby Fussell PBX Firewalls: Closing the Back Door 139 William A Yarberry, Jr Section 2.2 Internet, Intranet, Extranet Security 10 Voice over WLAN 145 Bill Lipiczky 11 Spam Wars: How To Deal with Junk E-Mail 155 Al Bredenberg Section 2.3 Network Attacks and Countermeasures 12 Auditing the Telephony System: Defenses against Communications Security Breaches and Toll Fraud 161 William A Yarberry, Jr
SECURITY MANAGEMENT PRACTICES 175 Section 3.1 Security Management Concepts and Principles 13 The Controls Matrix 179 Robert M Slade 14 Information Security Governance 183 Ralph Spencer Poore 15 Belts and Suspenders: Diversity in Information Technology Security 189 Jeffrey Davis 16 Building Management Commitment through 
Security Councils, or Security Council Critical Success Factors 197 Todd Fitzgerald Section 3.4 Risk Management 17 Developing and Conducting a Security Test and Evaluation 213 Sean M Price 18 Enterprise Security Management Program 223 George G McBride 19 Technology Convergence and Security: A Simplified Risk Management Model 233 Ken M Shaurette Section 3.5 Employment Policies and Practices 20 People, Processes, and Technology: A Winning Combination 241 Felicia M Nicastro Section 3.6 Policies, Standards, Procedures, and Guidelines 21 Building an Effective Privacy Program 251 Rebecca Herold 22 Training Employees To Identify Potential Fraud and How To Encourage Them To Come Forward 265 Rebecca Herold Section 3.8 Security Management Planning 23 Beyond Information Security Awareness Training: It Is Time To Change the Culture 285 Stan Stahl 24 Establishing a Successful Security Awareness Program 295 Charles R Hudson, Jr
APPLICATIONS AND SYSTEMS DEVELOPMENT SECURITY 305 Section 4.3 System Development Controls 25 System Development Security Methodology 309 Ian Lim and Ioana V Bazavan 26 Software Engineering Institute Capability Maturity Model 325 Matt Nelson Section 4.4 Malicious Code 27 Organized Crime and Malware 339 Michael Pike Section 4.5 Methods of Attack 28 Enabling Safer Deployment of Internet Mobile Code Technologies 351 Ron Moritz
CRYPTOGRAPHY 363 Section 5.2 Crypto Concepts, Methodologies and Practices 29 Blind Detection of Steganographic Content in Digital Images Using Cellular Automata 367 Sasan Hamidi 30 An Overview of Quantum Cryptography 373 Ben Rothke 31 Elliptic Curve Cryptography: Delivering High-Performance Security for E-Commerce and Communications 385 Paul Lambert
SECURITY ARCHITECTURE AND MODELS 393 Section 6.1 Principles of Computer and Network Organizations, Architectures, and Designs 32 Enterprise Assurance: A Framework Explored 397 Bonnie A Goins
OPERATIONS SECURITY 403 Section 7.1 Operations Controls 33 Managing Unmanaged Systems 407 Bill 
Stackpole and Man Nguyen Section 7.2 Resource Protection Requirements 34 Understanding Service Level Agreements 423 Gilbert Held
BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING 429 Section 8.1 Business Continuity Planning 35 Building Maintenance Processes for Business Continuity Plans 433 Ken Doughty 36 Identifying Critical Business Functions 445 Bonnie A Goins 37 Selecting the Right Business Continuity Strategy 451 Ken Doughty Section 8.2 Disaster Recovery Planning 38 Contingency at a Glance 457 Ken M Shaurette and Thomas J Schleppenbach 39 The Business Impact Assessment Process and the Importance of Using Business Process Mapping 465 Carl Jackson 40 How To Test Business Continuity and Disaster Recovery Plans and How Often 483 James S Mitts
LAW, INVESTIGATION, AND ETHICS 497 Section 9.1 Information Law 41 Sarbanes–Oxley Compliance: A Technology Practitioner’s Guide 501 Bonnie A Goins 42 Health Insurance Portability and Accountability Act Security Rule 511 Lynda L McGhie 43 The Ethical and Legal Concerns of Spyware 525 Janice C Sipior, Burke T Ward, and Georgina R Roselli Section 9.3 Major Categories of Computer Crime 44 The Evolution of the Sploit 537 Ed Skoudis 45 Computer Crime 551 Christopher A Pilewski 46 Phishing: A New Twist to an Old Game 559 Stephen D Fried 47 It’s All about Power: Information Warfare Tactics by Terrorists, Activists, and Miscreants 579 Gerald L Kovacich, Andy Jones, and Perry G Luzwick Section 9.4 Incident Handling 48 DCSA: A Practical Approach to Digital Crime Scene Analysis 601 Marcus K Rogers 49 What a Computer Security Professional Needs To Know about E-Discovery and Digital Forensics 615 Larry R Leibrock 50 How To Begin a Non-Liturgical Forensic Examination 621 Carol Stucki
10 PHYSICAL SECURITY 637 Section 10.1 Elements of Physical Security 51 Physical Security for Mission-Critical Facilities and Data Centers 641 Gerald Bowman INDEX 663
Index
error messages, 319, 528, 565 error rate, service level agreements and, 
425–426 ESM, see enterprise security management ESP, see Encapsulating Security Protocol espionage, 9, 199, 339, 341, 551, 593, 643 Internet and, 594 Ethernet, 121, 122, 125, 146, 147, 148, 227, 416, 417 ethical persuasion, 291–293 European Union Data Protection Directive, 104, 225, 260 Euskadi Ta Askatasuna (ETA), 585, 586 evaluation areas/methods, fraud, 279–280 events per second (EPS), 225 event-synchronous tokens, 46 evidence life cycle, 611, 612 evidence, to validate a claim, 399, 400, 401 standards for, 401, 402 examination, of digital forensics data, 617 exception handling, 319 exploit, 537–550 evolution of, 540–548 auto-rooter, 542 engine, 543–545, 546 framework, 545–546, 547, 548, 549–550 mass-rooter, 542–543 rooter, 541–542 system-call proxy, 546–547 examples of, 553–554 types of, 554–556 exploitation engine, 543–545 exploitation framework, 545–546, 547, 548, 549–550 explosives detectors, 656 exponential time, 386 Export Administration Regulations (EAR), expos, 299 Extensible Authentication Protocol (EAP), 115, 125, 149, 417, 418 extortion, 346–347, 348
F facial recognition, 650 FACs, see forced authorization codes Fair and Accurate Credit Transactions (FACT), 266 Fair Credit Reporting Act (FCRA), 251 Fair Information Practices (FIPs), 252 fast path, 74, 91 fast scanning worm, 110 fax-on-demand service, 171 faxes, 139, 141, 142, 143, 156 fear, uncertainty, and doubt (FUD), 54 Federal Information Processing Standards (FIPS), 511 Federal Information Security Management Act (FISMA), 214, 273 Federal Sentencing Guidelines (1991), 267 Federal Sentencing Guidelines (2004), 268–269 Federal Trade Commission, Plaintiff, v Seismic Entertainment Productions, Inc., SmartBot.net, Inc., and Sanford Wallace, 535 federated identity management, 63 feedback, 133, 134, 135, 136, 137 fences, 646, 647 FFEIC Customer Identification Program, 275 fiber fence, 647 File Allocation Table (FAT), 582 file integrity checkers, 12 File Transfer 
Protocol (FTP), 77, 81, 82, 108, 113, 123, 225, 358, 542, 588 financial fraud, 341; see also fraud financial losses, criticality and, 447 Financial Modernization Act, 67 fingerprint recognition, 651 FIPs, see Fair Information Practices fire alarms, 655, 658–659 fire detection/suppression, 658–659 Firefox, 532 fires, types of, 659 firewalls, 12, 39, 73–118, 168, 180, 189–190, 193, 216, 225, 241, 242, 246, 259, 349, 359, 413, 532, 533, 545 application-layer, 106, 115, 116 ASIC-based, 87–88 deep packet inspection, 89–93 dual, 96 hardware-based, 96 host-based, 190 infrastructure, 113–114 manageability of, 107–108 patch management, 115–116 PBX, 139–144, 169–170 platforms, 93–96 security manager, and, 101–116 signature capacity of, 90 stateful filtering vs application proxy, 73 topologies, 96–98 types of, 74 5W network, 119–129 benefits of, 126 components of, 125 convergence, and, 125 designing, 124 disadvantages of, 126 sample architecture for, 126–128 flame stage, of fire, 659 flash disk, 96 forced authorization codes (FACs), 164 forensic examination, non-liturgical, 621–636 evidence correlation, 635–636 isolation of equipment, 621–622 isolation of files, 622 Recent Documents, 629–630 tracking illicit software installation, 630–634 tracking log-on patterns, 628–629 tracking Web sites visited, 622–628 forensically sound tasks (FSTs), 607, 608, 613 forensics examiners, focus of, 617 format string attacks, 538, 543, 539, 554 forwarding calls, 163 four nines, 642, 658 four-tiered, holistic classification, Uptime Institute’s, 642, 658 frame pointer, 539 Frame Relay, 426 fraud, 21, 65–66, 186, 341, 342, 346, 389, 529, 530, 533, 534, 551, 552, 556, 558, 561, 564, 565, 575, 595, 606; see also phishing awareness, 265–284 Computer Fraud and Abuse Act (CFAA), 272, 533 evaluation areas/methods, 279–280 legislation, 266 online banking, 595 toll, 140, 144, 161–174, 561 training employees to identify, 265–284 Freedom of Information Act (FOIA), 273 FUD, see fear, 
uncertainty, and doubt fuel protests, 590–591, 598 full interruption test, 485 functions vs procedures, 448–449 funding, business continuity, 439–442
G game, ActiveX, 355 games, traditional, 296, 301 games, video, 527, 529, 607, 630, 634 illicitly installed, 630 spyware and, 530, 531 gap analysis, 520–521 gap assessment, 56 gases, physical security and, 643 General Public License (GPL), 420 generally accepted practices, 607 ghost accounts, 57 ghosting data, 622 GIF images, 368, 369, 370 Globally Unique IDentifier (GUID), 529 Goner, 199 governance, 183–188, 223, 226, 228, 229 corporate, 183, 187, 188, 435, 501 document, Treadway Commission, 183 HIPAA, 515 information management, 55 information security, 183–188 information technology, 10, 184, 185, 186, 501, 503, 506 privacy, 251, 252, 253, 254–255, 261, 263 government contractors, 63 GPO, see Group Policy Object grammar, phishing and, 560, 567, 568, 570 Gramm–Leach–Bliley (GLB), 64, 65, 104, 199, 214, 224, 225, 229, 251, 267, 273, 311, 459 graphical user interface (GUI), 87, 107, 227, 421, 543, 545, 547 gray companies, 342 grayscale images, 369 Greenpeace, 590 Group Policy Object (GPO), 411, 418, 420 groups, 23 guard, security, 8, 287, 398, 485, 646, 647–648, 649, 652, 653, 655, 660 guardhouse, manned, 398, 646, 647–648
H hackers, 74, 77, 79, 95, 97, 111, 131, 139, 140, 161, 162, 163, 166, 167, 170, 172, 246, 260, 329, 330, 340, 413, 587, 591, 594, 597, 598; see also malware motivators for, 594 Russian, 594 hacktivists, 579, 591, 598 hand-scan geometry, 651 handshake, three-way, 79, 84, 85, 90–91 hardened computing platforms, 10 hardened operating system, 86, 93, 94, 109, 409, 549, 557 hardened server, 318 hardened utility trenches, 645 hardening enterprise, against worm attacks, 110 hardening, of control standards, 10 hashing algorithms, 191 Hawaii Coalition against Nuclear Testing, 590 header, 75 application level, 75 data–payload, 75 Internet Protocol (IP), 75, 76, 77, 79, 80, 81 Transmission Control 
Protocol (TCP), 75, 77, 80, 81 Health Insurance Portability and Accountability Act (HIPAA), 5, 64, 65, 67, 106–107, 199, 214, 225, 244, 245, 251, 266, 272, 311, 400, 401, 446, 448, 459, 511–523, 525, 551 as-is state analysis, 520–521 checklist, 523 communication plan, 516 critical components, 515 gap analysis, 520–521 project scope, 517 project team, 516 qualitative vs quantitative measurement, 520 risk assessment, 518–520 roles and responsibilities, 516 Security Rule interpretation, 513–515, 517 Security Rule matrix, 517, 521 Security Rule overview, 512–515 training, 522 health-check mechanisms, 418–419 heap, 538, 539 Heartbeat, 422 heat stage, of a fire, 659 heating, ventilation, and air conditioning (HVAC), 658 Heisenberg’s uncertainty principle, 378–379, 380, 382–383, 608 help desks, 54, 59, 61, 163, 229, 248, 321, 337, 424, 556, 572 heuristics, 190, 358 hexadecimal display, 46 hidden files, 634–635 hierarchical objectives-based framework (HOBF), 603, 604–605 hierarchies, 20–21 High-Tech Crime Investigators Association (HTCIA), 608 hijacking, 345–346, 347, 525, 527, 530, 535, 555, 565 HIPAA, see Health Insurance Portability and Accountability Act history buffer, 626–627 home computers, 245, 246, 345, 348, 407 homepage hijacking, 530 host operating system controls, 192–194 host support, synchronous, 46 host-based authentication, 42 host-based firewall, 190 Hosts file, 531, 532 hotlinks, 571 hotspots, WiFi, 145, 146, 147, 152 human factor, physical security, 643, 658, 660–661 Huntingdon Life Sciences, 594 hybrid locks, 652 hyperlink, 555 HyperText Markup Language (HTML), 157, 348, 351, 353, 354, 526, 555, 564, 566, 570, 584 HyperText Transfer Protocol (HTTP), 73, 77, 81, 84, 95, 103, 108, 117, 242, 355, 526
I IDs, 11, 14, 41, 43, 44, 51, 57, 60, 62, 63, 193, 195, 529, 564, 568, 573, 622, 629, 650, 654 tokens as, 45 IDEAL (initiating, diagnosing, establishing, acting, leveraging), 334–336 identification, of crime scene 
evidence, 602, 607, 610 identity, 120 verifying, 124 identity and access management (IAM), 52, 57, 65 identity management (IM), 51–68, 241, 418 administration, 57–59 audits, 67–68 authentication, 59–60 authorization, 63–64 buy-in, 53, 56 challenges, 55 federated, 63 goal of, 54 infrastructure, 56–57 ISO 17799, 67 laws and regulations, 64–65 monitoring, 67–68 password management, and, 60–62 privacy and fraud, 65–66 projected savings, 54 regulatory distractions, 65 return on investment, 53–55 self-service passwords, 59 trust relationships, and, 66–67 identity theft, 199, 265, 266, 278, 341, 559, 561, 593–594 IEEE 802.11, 145, 148, 149, 150, 151, 172 IEEE 802.1x, 125, 126, 128, 147, 148, 416–418, 419 IEEE working groups, 148 iiscrack, 554 images, index-/compression-based, 368, 370 Immunity CANVAS, 541, 547, 548 impact analysis, 435–436 implementation, HIPAA, 513 incident management, 128, 458, 506, 519 incident tracking, 519 logs, 507 incipient stage, of fire, 659 index-based images, 368, 370 individualization, of crime scene evidence, 602 indoor air quality (IAQ), 658 information protection requirements, 311 information security (InfoSec), 642 agreements, 276 awareness training, 285–294; see also security awareness cultural challenge, 286–287 diversity in, 189–196 evolution of, 197–200 governance, 183–188 learning organization, 288–289 model, components of, 131 motivation, 275–276 program, 52, 285–294 team, 52 training, 265 information security officer (ISO), 204, 206, 207, 211 Information Systems Audit and Control Association (ISACA), 55, 184 Information Systems Security Association (ISSA), 55 information technology as core competency, 439 assertion team, and, 508 business continuity plan and, 438–439, 465 committee, 208 complexity of, 31, 51 compliance, 52 contingency process, and, 458 critical business function of, 449 ESM review process, and, 226 evidence, 401 funding, of business continuity plan, 440 generally accepted practices, and, 607 governance, 10, 
184 HIPAA, and, 523 incident response procedures, and, 605 infrastructure, 7, 17, 51, 150 interviews, 504 inventory, 408–409, 416 layered technical safeguards, 557 operational changes, and, 437 organization, outsourced, 439, 519 password management, and, 59 personally identifiable information, and, 261 phishing, and, 571 physical infrastructure, and, 438 privacy impact assessments, and, 255 processes, 507–508 quality and processes, 325–327 recovery strategy costs, 453–454 regulatory compliance, 101–102; see also regulatory compliance remote offices, and, 121 risks, 223 Sarbanes–Oxley, and, 502–503 security, 197, 200, 204 council representation, 206, 207 diversity in, 189–196 standards, 18 subculture, 286 system development, and, 313 vulnerability management, and, 558 Information Technology Infrastructure Library (ITIL), 337–338, 438 information warfare, 579–599 activist, 589–591 tactics, 580–585, 589–591, 592–598 infrastructure corporate network, 410, 411 information technology, 7, 17, 51, 150 physical, 437–438 initial certification review, 322 initialization vectors (IVs), 148 initialization, of tokens, 45 insider threats, 112–113 insurance, 239 insurance, toll fraud, 173 integer factorization problem, 386, 387 integer overflows, 538 integrated circuit (IC), 31, 32, 38 integrated circuit card (ICC), 31, 33; see also smart cards integrated digital investigation process (IDIP), 603, 604 phases of, 604 Integrated Product Development Capability Maturity Model (IPD-CMM), 330 integration testing, 320 integrity, 55, 374, 376, 512, 608, 611, 617, 622 intelligence, online collection of, 593 intelligent agents, 131–137 Intelligent Multimedia Subsystems (IMSs), 227 intelligent patching, 660–661 intelligent reasoning, 134 interactive media, 530 interactive voice response (IVR), 162 interdependence, 447 internal controls, Sarbanes–Oxley, 502, 503 internal testing, of software, 328 International Organization on Computer Evidence (IOCE), 603 International Traffic in Arms 
Regulations (ITAR), Internet access, controlling, 112 Internet Authentication Service (IAS), 127 Internet Control Messaging Protocol (ICMP), 196, 421 Internet Engineering Task Force (IETF), 153 Internet Explorer (IE), 532 Internet Key Exchange (IKE), 418 Internet Protocol (IP), 120, 122 address, 544 address space, 114 address spoofing, 77, 79, 110 addresses, fixed, 418 fields within, 75 header, 75, 76, 77, 78, 79, 80, 81 packets, 420 phones, 146 scanning, 414 Internet Protocol Security (IPSec), 88, 111, 191, 192, 418, 426 Internet Relay Chat (IRC), 589, 598 Internet, securing electronic transactions on, 388–391 Internet Service Provider (ISP), 141, 142, 146, 170, 229, 259, 343, 345, 346, 562, 568, 572, 595, 641 Internet Spyware (I-SPY) Prevention Act, 534 interpretation, of crime scene evidence, 602 intranet, 12, 13, 59, 105, 106, 110, 248, 280, 281, 300, 301, 351, 352, 506, 628, intrusion detection, physical security and, 647, 655–656 intrusion detection system (IDS), 13, 88, 89, 90, 113, 114, 119, 124, 125, 126, 128, 190, 192, 194, 225, 227, 241, 246, 398, 401, 519, 549 intrusion prevention system (IPS), 13, 74, 88, 88–89, 117, 119, 125, 128, 190, 227, 241, 246, 549 inventory, information technology, 408–409, 416 investigation, of digital forensics data, 617 investigative discovery, 616–617 invisible secrets, 584 ionization detectors, 659 IPSec, see Internet Protocol Security iris scans, 651 ISO 17799, 61, 64, 67, 504, 511, 607 ISO 9001, 337
J Java, 351–361 agent code, 135, 136 applets, see applets run-time, 357 sandbox, 355, 357 vs ActiveX, 356 Java Archive (JAR), 355 Java Development Kit (JDK), 357 Java Virtual Machine (JVM), 37, 39, 353, 354, 355, 356, 357, 358, 359 JavaScript, 354, 532, 555 JPEG images, 368, 369, 370, 584 jphide, 584 jsteg, 584 jump equivalents, 546
K Kerberos, 44, 60, 114, 418 kernel space, dedicated, 93 key, cryptographic, 375, 377, 380, 381–382; see also cryptography, private-key cryptography, 
public-key cryptography key distribution, 381–382 key performance indicators (KPIs), 435 key personnel, 448 key, private, see private key, private-key cryptography key, public, see public key, public-key cryptography key size, 191, 390 keyboard, numeric, 45 keys, shared, 191 keystroke loggers, 108, 343, 526–527, 529, 564, 565, 570, 629 keystroke security ratio, 49 knowledge discovery in database (KDD), 11 knowledge representation (KR), 134 knowledge, skills, and abilities (KSA), 608
L LAND, 79 laws, 64–65; see also regulations, regulatory compliance leaks, water, 659 LEAP, see Lightweight and Efficient Application Protocol learning, reinforcement, 133, 137 learning, team, 289 least significant bit (LSB), 369 legal discovery, 616–617 legislation, fraud, 266 life cycle evidence, 611, 612 privacy governance program, 254 security requirements, 217 system development, 438 Lightweight and Efficient Application Protocol (LEAP), 115, 125 Lightweight Directory Access Protocol (LDAP), 114 liking, as persuasion trigger, 293 liquid crystal display (LCD), 45 liquids, physical security and, 643 litigation, spyware, 535 Litronics card reader, 388, 389 load/weight evaluation algorithm, 135 local area network (LAN), 64, 111, 112, 113, 199, 407, 416, 417, 453 access points, 145 Locard’s exchange principle, 602, 616 location, 121 locks and keys, 652–653 log files, of network controls, 192 logging, 319 logic bombs, 339, 398 logic, control, 32 logic, smart card, 32 log on/log in, 10, 11, 14, 35, 43, 44, 45, 50, 61, 62, 63, 121, 193, 197, 198, 199, 204, 215, 280, 327, 343, 346, 347, 354, 411, 422, 526, 555, 564, 568, 621, 628–629, 651 host, 49 unsuccessful, 226 log off, 214, 215 automatic, 62 logs, 67, 124, 141, 170, 194, 195, 223, 229, 319, 551, 553, 558 access, 8, 635 application, 15 attack, 103 audit, 11, 67, 68, 215, 216, 221, 312 component test, 320 connections, 216 cursor impressions, 529, 629 EAP message, 418 error message, 319 event, 94, 506 investigation, 622 
firewall, 103 historical, lack of, 96 host security, 195 mail traffic, 103 network access, 107, 192 PBX call, 141, 170 RADIUS accounting, 418 security incident, 230, 280, 401 session, 42, 44 system, 15, 193, 195 training, 280 long-distance authorization, 163–164 loss potential, 447 LSB, see least significant bit lunch and learn sessions, 299–300, 302
M MAC, see message authentication code, mandatory access control, Medium Access Control magic cookies, 623 mail relay attacks, 92 maintenance, 13 reviews, 434 malicious code, 194, 419, 554; see also malware malloc (memory allocation), 538, 554 malware, 121, 243, 245, 339–349, 401, 525, 552, 575 tools and methods, 342–345 management commitment, 197–212, 298, 466–468 establishing, 202–203 management responsibilities, Sarbanes–Oxley, 502 managing unmanaged systems, 407–422 mandatory access control (MAC), 22–23, 172 man-in-the-middle attacks, 62, 191, 560 mantraps, 653 manual review, 631, 634 mass-rooter, 542–543 material weaknesses, Sarbanes–Oxley and, 502, 507, 508 mathematical problem, hard (difficult), 385, 386 matrix, controls, 179–182 McAfee’s VirusScan, 533 mean time to failure (MTTF), 424, 657 mean time to repair (MTTR), 424, 657 measurement, system perturbance and, 379, 382 mechanical locks, 652 Medium Access Control (MAC), 173 meetings, with management personnel, 202 Melissa, 123, 199 memory allocation (malloc), 538, 554 programs embedded in, 32 smart card, 31–32, 39 mental models, 288 message authentication code (MAC), 115, 120, 122, 128, 148, 415, 421 Message Digest (MD2), 191 Message Digest (MD5), 191 Message Integrity Code (MIC), 149 metal detectors, 656 Metasploit, 541, 543–546, 547, 548, 549 user interface, 544 meterpreter, 541, 545 metrics, 229, 401 service level agreement, 423–427 microcontroller, in smart card, 32 migration, secure system, 321 mime attacks, 92 minimalization, 608 MIPS years, 387 miscreants, 592–598 mission statement, security council, 205–206 MLS, see multilevel security mobile code 
technologies, 351–361 security, and, 355–359 modems, 139, 140, 141, 142, 162, 166, 170, 345 monitoring tools, remote, 410 Moore’s law, 73, 117 motion sensors, 656 movement, physical security and, 643 MP3 files, 584 MP3Stego, 584 MPEG images, 368 msfelfscan, 546 msfpescan, 546 multifactor authentication, 36–37, 649 multilevel security (MLS), 86, 93
N n2 problem, 377 NAT, see network address translator National Aeronautic and Space Administration (NASA), 325 National High-Tech Crime Unit (NHTCU), 340 National Security Agency’s INFOSEC Assessment Methodology (NSA IAM), 445, 504, 518 natural disasters, 645–646, 657 Nbtstat, 421 need to know, 64 neighborhood, cellular automata, 368 NetBIOS, 421 NEBS, see Network Equipment Building Systems Network (SMS), 422 network authentication, 43, 44 controls, 189–192 5W, 119–129 ideal, 123 infrastructure, 125 interface cards (NICs), 147 modern-day, 121–123 probe, 415–416 security, 74–76 maintaining, 131–137 service monitoring, 416 query, 415, 416 network address translator (NAT), 114 Network Equipment Building Systems (NEBS), 658 network operations centers (NOCs), 245, 246, 248 Network Stumbler, 172 new employee orientation, see orientation training newsletters, 301 Nigerian letter scam, 556–557 Nmap (Network Mapper), 420 node failure cascading, 132 identifying problem, 132 preventing, 136 probability of, 131–132 see also cascading failure, in scale-free network nodes, 44, 131, 422 communication between, 134 key, 131 non-production systems, 412 nonrepudiation, 37, 374, 376, 388, 389 no-operation (NOP) command, 539 NOCs, see network operations centers NOP sled/slide, 539, 540 North American Electric Reliability Council (NERC), 645 nuclear testing, in the Pacific, 590
O Object Linking & Embedding (OLE), 354 objectives-based subphases (OBSPs), 605 occupant emergency plan (OEP), 459 off-by-one flaws, 538 one out of two (1oo2), 96, 98–101 one-factor authentication, 193, 649 one-off systems, 407, 
411, 412–413 one-time programmable (OTP), 31 online coding resources, 319 Open Database Connectivity (ODBC), 411 open source models, software, 329 Open Systems Interconnection (OSI), 73, 74, 76, 78, 80, 81, 82, 83, 84, 85, 88, 94, 98 operating systems (OSs), 17, 23, 24, 25, 35, 36, 39, 44, 58, 78, 86, 89, 93, 98, 99, 100, 112, 117, 119, 120, 172, 189, 192–194, 195, 196, 197, 198, 216, 220, 300, 318, 319, 320, 342, 353, 358, 410, 414, 449, 564, 605, 606, 617 copy, 616 embedded, 407 hardened vs patched, 93, 94, 117 IPSec, and, 418 Nmap, and, 420 spyware, and, 532 sploits, and, 539, 542, 544, 554, 556, 557 32-bit, 354, 582 Operational Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 518 operational impacts, 436–437 opportunists, 342 organisms, physical security and, 643 organizational culture, 203–205, 285–294, 296, 466, 467, 468 organizational initiatives, against spyware, 531–533 organizational policies to combat phishing, 570–572 organizational requirements, HIPAA, 513 organized crime, 339–349, 566, 592, 595, 596 trends in, 340–341 orientation training, 243, 247, 300 Osama bin Laden, 579, 581, 582 outguess 01.3b, 584 outsourcing, 51, 56, 67, 162, 211, 313, 340, 349, 436, 437, 439, 513, 519
P packet delay, service level agreements and, 426–427 packet filter, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 90, 98, 102, 103, 104, 105, 107, 116, 117, 180 packets, 150, 151, 420, 425, 426 PAE, see port access entity parking garages, as security threat, 649 passive discovery methods, 414–416, 422 password sniffer, 344, 348 passwords, 11, 12, 13, 14, 31, 35, 38, 43, 44, 51, 54, 59, 60, 62, 63, 65, 111, 164, 165, 192, 198, 238, 318, 321, 343–344, 413, 529, 555, 564, 568, 572–573, 622, 649 dynamic, 41–42 guidelines for, 10 length of, 60–61 management of, 60–62 maximum length, 46 one-time, 41 self-service, 59 patch management, 115–116, 241, 243, 244 system, 229 patched operating system, 93, 94, 95 patches, 116, 246, 413, 421, 549, 557 
patching, intelligent, 660–661
patching systems, 558
payload, 540, 542, 544, 545, 546, 547, 553, 558
payload stub, 547
PBX, 165, 168, 173
  firewalls, 139–144, 169–170
    capabilities of, 141–143
    implementation, 142–143
    limitations of, 144
  limitations of, 140
  unprotected, 161
penalties, for noncompliance,
penalties, service level agreement, 427
penetration testing, 214, 401, 541, 545, 547, 549
people, processes, and products, 213, 214, 221
people, processes, and technology, 56, 241–250, 519
perimeter, of data center, 646–649
  barriers, 646–647
periodicity, 446
Perl Exploit Library (Pex), 545
permissions, 18, 19, 20, 21, 23, 25, 26
persistent cookies, 623
personal digital assistants (PDAs), 9, 33, 145, 146, 147, 149, 150, 172, 173, 326, 346, 417, 610
personal greeting, phishing and, 570
personal health information (PHI), 313
personal identification number (PIN), 12, 35, 36–37, 38, 42, 43, 46, 49, 50, 60, 61, 167, 192, 193, 568, 649
  hard vs soft, 48
personal identification verification card,
personal information, 103, 104, 105, 106, 199; see also privacy program, personally identifiable information (PII)
  loss of, 66, 167–168, 225
Personal Information Protection and Electronic Documents Act (PIPEDA), 251
personal mastery, 288
personally identifiable information (PII), 251–252, 255, 259, 261, 400
personnel, key, 448
persuasion triggers, 291–293
PestPatrol, 533
PEX, see Perl Exploit Library
pharming, 238, 343
Phish Report Network, 575
phishing, 238, 347, 348, 349, 529, 556, 559–576
  combating, 569–574
    consumer awareness, 569–570
    organization policies, 570–571
  defined, 560
  detection, 567–569
  effects of, 565–566
  history of, 560–561
  how it works, 562–563
  incident response team, 571
  organizations against, 575
  prevention through technology, 572–574
  statistics, 561
  underlying problems, 566–567
  variations in, 563–565
phone phreaks, 161
photons, 374, 378, 381, 382, 383
phreaking, 560
physical access, smart card and, 34, 38
physical safeguards, HIPAA, 513, 517
physical security, 641–661
PIAs, see privacy impact assessments
piconets, 150
PII, see personally identifiable information
Ping of Death, 79, 125
PIRA, see Provisional Irish Republican Army
Piracy Deterrence and Education Act, 534
PKCS #11 standard, 35, 36
plaintext, 370, 375, 377
Platform for Privacy Preferences Project (P3P), 258, 259
plug-in applications, 354
points of presence (POPs), 644
policies and procedures, HIPAA, 513
policies, security, 297
policies, standards, and procedures, for system management, 408
policy documents, 215
policy statement, 215–216
polynomial time, 386
pop+pop+return sequences, 546
pop-up adware, 535
pop-up blockers, 260
port access entity (PAE), 417
port-level security features, 127
portable devices, 13
potentially unwanted programs (PUPs), 533
power law configuration, of Internet, 131
presentations, to senior management, 200–201
Pretty Good Privacy (PGP), 585, 596
preventive controls, 179, 189, 190, 462
printf, 538, 554
prioritization, governance and, 186
privacy, 65–66, 112, 143
  awareness, 265, 266, 267
  governance, 251
  invasion, 528–529
  laws, impact on business, 260–261
  leadership, establishing, 255–256
  policies, 256–257
  program, 251–263
    building, 254–255
    employee training, 257–258
    establishing leadership, 255–256
    incident response procedures, 262
    mistakes, 252–253
    policies and procedures, 256–257
    what to protect, 251–252
  seals, 259
  standard, of HIPAA, 107
  team, members of, 256
  tools, 259–260
  training, 265
Privacy Act, 5, 272
privacy enhancing technologies (PETs), 259
privacy impact assessments (PIAs), 254–255, 258, 259, 261
private key, 32, 191, 377, 391; see also private-key cryptography
private security services, 648
private-key cryptography, 35, 37, 574
privilege escalation, 553, 554
probability of failure, 657, 658
probability of node failure, 131–132
procedures, defined, 244
process control systems, 96
process, defined, 243
product testing, 320
programmable read-only memory (PROM), 31
projectiles, physical security and, 643
PROM, see programmable read-only memory
propaganda, 585–587, 589, 591
properties, security, 399, 400
Protected Extensible Authentication Protocol (PEAP), 125
prototype testing, of system development security methodology, 315
Provisional Irish Republican Army (PIRA), 585
provisioning, identity management and, 57
proxies, 73, 74, 75, 81, 82, 84–86, 91, 93
proximity coupling device (PCD), 33, 34
proximity integrated circuit card (PICC), 33, 34
Proxy Automatic Configuration (PAC), 532
pseudorandom number generators (PRNGs), 318
pseudo-single sign-on (PSSO), 35
PSTN, see public switched telephone network
Public Company Accounting Oversight Board (PCAOB), 503, 508
public key, 191, 388; see also public-key cryptography
public-key cryptography, 35, 37, 377, 378, 381, 382, 383, 385, 386, 391, 392, 574; see also elliptic curve cryptography
public-key infrastructure (PKI), 35, 37, 140
public/private key encryption, 191
public switched telephone network (PSTN), 139, 145, 153, 644

Q
quality of service (QoS), 133, 147, 148
quantum computer, 379
quantum cryptography, 373–384
  disadvantages of, 383
  vs public-key cryptography, 382
  vs quantum computing, 379–380
  vs traditional cryptography, 380–381
quantum key distribution (QKD), 380
quantum key generation and distribution, 381–382
quantum mechanics, 378–379, 380, 381, 382
quantum parallelism, 380
quantum physics, see quantum mechanics
quantum routers, 383
qubits, 379, 383
questionnaires, see business impact assessment (BIA): questionnaires

R
radiofrequency (RF), 33
radiofrequency identification (RFID), 233, 652
RAM, see random access memory
Ramzi Yousef, 581
random access memory (RAM), 32, 78, 79, 86, 390, 626, 628
random number generators, 318, 391
raster data, 368
RBAC, see role-based access control
read-only memory (ROM), 31
read-only tools, 410
real-time alerts, by PBX firewall, 141, 144, 170
Recent Documents, 629–630
reciprocity, 291
recognition, of crime scene evidence, 602, 607, 610
reconstruction, of crime scene, 602
records storage, 102, 103
recovery strategy workshop, 451–453
recovery time objectives (RTOs), 474, 478, 480, 481
redirection, 343
Reduced Instruction Set Computer (RISC), 79
redundancy, 131
  computer room, 658
regulations, 64–65, 272–275, 311
  against spyware, 533–535
  as critical business functions, 448
regulatory compliance, 101–107, 265, 266–270, 448, 461, 501–509
  roadmap, 509
reinforcement learning, 133, 137
remediation, system management, 411, 413, 416, 419–420
remote access, 13
  ports, 165–166
  security, 111–112
Remote Authentication Dial-In User Service (RADIUS), 114, 125, 127, 128, 166, 417, 418
remote monitoring, 413
  tools, 410
Remote Monitoring (RMON), 415, 416
reporting, crime scene, 602
reporting, of digital forensics data, 617
reproducibility, 608
required implementation, HIPAA, 513
response, 195–196
retinal scans, 651
return pointer, 538, 539, 545
return on investment (ROI), 52, 53–55, 57, 60, 66, 185, 249, 511
return on security investment (ROSI), 249
reverse shell, 544, 545
risk, 397–398
  acceptable level of, 224
  equation for, 224
  vs convenience, 235
risk assessment, 56, 200, 214, 218, 221, 226, 313, 401, 451, 452–453, 460, 466, 469, 473, 502, 517, 518–520, 657
risk factor, 235, 236–237
  equation, 237
risk management, 54, 181, 185, 228, 229, 235, 237–238, 240, 433, 436, 458, 461, 511
  equation, 238
  model, 233–240
risk mitigation document, 314, 322, 323
risk, reducing, 239
risk, transferring, 239
risk vs cost analysis, 313
rogue devices, 407, 416
rogue systems, 407, 413, 415, 416
rogue Web sites, 343, 348
role, 120
  access based on, see role-based access control
  engineering, 25–26
  of user, 18, 19, 20, 22, 23, 195, 408
role-based access control (RBAC), 10, 17–27, 63, 67, 126
  commercial, 24
  constrained, 21–22
  core, 19–20
  hierarchical, 20–21
  implementing, 24–26
  models for, 18
  reference model, 19–23
  vs traditional access control, 22–23
ROM, see read-only memory
rooter, 541–542
rough order of magnitude (ROM), 468, 473, 479
RSA, 32, 140, 191, 370, 378, 379, 380, 381, 383, 386, 387, 388, 389
RTOs, see recovery time objectives
rule creation, 141
  complex, 141, 170
rule set baseline algorithm, 135
rule-based access control, 10
rule-based call termination, 141, 170
rule-based security policy, for calls, 141, 170
rules, of intelligent agents, 133
rules, packet filter, 77, 78, 81

S
SafeBack, 622
Safeguard Against Privacy Invasions Act, 531, 534
safeguards, 11, 104, 106, 179, 181, 205, 224, 251, 276, 292, 328, 489, 511, 512, 513, 514, 517, 518, 519, 521, 531, 556, 557
Safeguards Rule (Gramm–Leach–Bliley), 273
sally ports, 653
sanctions, 249, 277
sandbox, Java, 355, 357
Sarbanes–Oxley (SOX), 5, 17, 27, 53, 64, 65, 67, 102–103, 183, 214, 224, 225, 229, 235, 267, 274, 449, 525, 551, 618
  assertion and attestation process, 507–508
  COBIT control objectives, 503
  compliance, 501–509
  information technology role, 502–503
  senior management annual report, 502
Sasser, 199, 542
SATAN, 548
scale-free networks, 131, 132, 133
scarcity, 293
Schrödinger's cat, 375
Scientific Working Group on Digital Evidence (SWGDE), 603, 608
scrambling devices, 167
scripting language, 353–354
SCSI e-Disk, 86
SDLC, see system development life cycle
SDSM, see system development security methodology
Secure Electronic Transaction (SET), 388, 389
secure enclaves, 12
Secure Hashing Algorithm Version 1 (SHA1), 191
Secure Sockets Layer (SSL), 13, 105, 151, 191, 192, 570
secure system migration, 321
Secure Telephone Unit, third generation (STU-III), 141, 143, 169
secure, identity-based, self-defending network, 119–129
security architecture, 10–12
security assessment, 250, 445
security associations (SAs), 418
security audit requirements, 311–312
security awareness, 237, 241, 247–249, 266, 558
  programs, 61, 295–304
    creating, 298–300
    feedback, 302–304
    framework, 295–298
    giveaways/prizes, 304
  training, 321, 401, 522
security breaches, 260, 262, 287
  occurrence of, 234
Security Breach Information Act, 103
security budget, 237
security councils, 197–212
  critical success factors for, 202–211
  establishing, 205–206
  representation, 206–207
  sample mission statement, 205
  stages of, 207–208
security event correlation system, 195–196
security event management (SEM), 223
security guards, 8, 287, 398, 485, 646, 647–648, 649, 652, 653, 655, 660
security incidents
  costs of, 253
  logging, 230, 280, 401
security information management (SIM), 223
security manager, 101–116
security manager, Java Virtual Machine, 357
security, mobile code technologies and, 355–359
security operations centers (SOCs), 227, 246
security, physical, 641–661
security policies, 230, 297
security professionals, digital forensics and, 618–619
security program office (SPO), 249
security properties, 399, 400
security requirements testing matrix (SRTM), 217, 218
security requirements, identifying, 215–216
security roadmap, 226
security standard, of HIPAA, 107
security standards general rules, HIPAA, 512
security test and evaluation (ST&E), 213–222
  conducting, 219–220
  development, 217–220
  methods, 214–215, 219
  results analysis, 220–221
security testing, 319–320
  types of, 316
security training, 247–249
security updates, 301–302
seminars, 299
SenderID, 573, 574
sensitivity, 6, 445, 446
sensors, 225, 226
separation of duty (SoD), 21
server hardening, 318
servers, database, 11
service level agreement (SLA), 54, 315, 412, 423–428, 452, 454, 455, 519
  penalties, 427
session control nodes, 44
Session Initiation Protocol (SIP), 153
session key, 192
session riding, 555
sessions, role-based access control, 19, 20
SET, see Secure Electronic Transaction
shared secrets, 573
shared vision, 288
shell code, 537, 539, 541, 544, 545, 546
shell-escape codes, 318
shoulder surfing, 167
shredding, 14
signatures, 32, 35, 89, 90, 111, 190, 191, 259, 383, 391, 574
Sign-On Manager, 35
Simple Mail Transfer Protocol (SMTP), 73, 77, 92, 110, 565
Simple Network Management Protocol (SNMP), 141, 151, 170, 414–415, 416, 421
single loss expectancy (SLE), 520
single sign-on (SSO), 43, 52, 55, 62
single-factor authentication, 36, 60, 653
single-packet attacks, 79
SIP, see Session Initiation Protocol
site security, 644–646
Six Sigma, 337
slack space, 582
Slammer, 109, 110, 199, 407, 553, 558
slogans, 298–299
sloppy code, 538
S-Mail, 582
Small Computer Systems Interface (SCSI), 86
small to medium businesses (SMBs), 147
smart cards, 13, 31–39, 44, 45, 48, 49–50, 60, 140, 192, 193, 385, 388, 389, 390–391, 572
  benefits of, 35–37
  challenges of, 38–39
  contact vs contactless, 33–34
  memory for, 31–32
  processors for, 32–33
  types of, 33–34
  uses for, 34–35
smoldering stage, of fire, 659
SMP, see symmetric multiprocessing
sniffers, 564
SNMP Sweep, 421
Snort, 90
Snow, 583
social engineering, 59, 110, 166–167, 285, 343, 555, 556–557, 562, 566–567
social proof, 292
software bugs, 355
Software Engineering Institute (SEI), 329, 334
software installation, illicit, 630–634
software licenses, 630
Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act, 534
software quality, 327–329, 330
software tokens, 42, 43, 44, 45, 46, 50
Solar Sunrise, 593
source address, 78, 79, 83
spam, 92, 121, 155–160, 260, 529, 563, 575
  battle plans, 158
  future of, 159–160
  phishing, and, 562
  reducing exposure to, 157
  retaliation, 158–159
spammers, 156, 347
sploits, 537–550
  types of, 538–540
spoofing attacks, 77, 79, 92, 110, 561, 573
spyware, 245, 246, 342, 349, 525–536, 565, 575
  battling, 530–535
  blockers, 532
  data collection, surreptitious, 529
  direct marketing, 530
  ethical/legal concerns of, 527–530
  hijacking, 530
  legislation regarding, 533–535
  litigation regarding, 535
  occurrence of, 525, 526
  organizational initiatives against, 531–533
  privacy invasion, 528–529
  state legislation against, 534–535
  stealth, 528
  trespass, 527–528
  types of, 526–527
  user vigilance, and, 530–531
stack, 538, 539, 545, 554
  smashed, 538
stack-based buffer overflow, 538–539, 540
Standard CMMI Appraisal Method for Process Improvement (SCAMPI), 330
standard operating procedures (SOPs), 602, 603
state awareness, 77
stateful call inspection, by PBX firewall, 141
stateful inspection, 74, 83–84, 90, 91, 92, 170
stateful packet filter, 74, 77–80, 90, 103, 105, 107
statements of work (SOWs), 519
static maintenance review, 434
static packet filter, 74, 76–77, 82
  rules database, 77
static random access memory (SRAM), 627
static separation of duty (SSD), 21–22
status seekers, 342
stealth spyware, 528
steganography, 257, 259, 581, 582–584
  blind detection of, 367–371
  deficiencies in, 367
Steganography Detection & Recovery Toolkit (S-DART), 584
Steganography Tools 4, 583
Stegdetect, 584
StegFS, 584
storage area networks (SANs), 227
Strategic National Implementation Process (SNIP), 518
strength, as security property, 399, 400
string searching, 617
strong application proxies, 82, 90–93, 94
Structured Query Language (SQL), 409, 422
SW-CMM, see Capability Maturity Model for Software
subexponential time, 387
subject matter experts (SMEs), 314
super-encryption, 192
SuperScan, 421
surveillance cameras, 647, 653, 655
symmetric cryptography, 377
symmetric encryption, 191
symmetric multiprocessing (SMP), 75, 79, 82, 84
synchronization (SYN), 79, 81, 84, 91, 588
synchronous host support, 46
synchronous tokens, 43, 44, 46, 49
syscall proxy, 541; see also system-call proxy
system call, 539
system-call proxy, 541, 546–547, 548
system development life cycle (SDLC), 309, 311, 312, 316, 318, 320, 321, 322, 324, 438, 520
system development security methodology (SDSM), 309–324
  analyze stage, 312–314
  build and test stage, 316–320
  deploy stage, 321–323
  design stage, 314–316
  framework, 309–310
  requirements stage, 311–312
  test phases, 320
System Information, 630, 631
system management essentials, 408–411
system monitors, 526–527
System Registry, 630, 631
system reliability, 657–658
system review, 631–634
Systems Engineering Capability Model (SECM), 330
Systems Management Server (SMS), 422
systems security officer, 615
systems thinking, 289
systems, unmanaged, 407–422
  known, 411–413
  unknown, 413–420
    discovering, 413–419

T
tandem calls, 165
Tao Te Ching, 289, 290–291
Teardrop, 79
technical safeguards, 557
  HIPAA, 513, 517, 521–522
techno-anarchists, 592
techno-babble, 200
technology convergence, 233–240
technology, embracing, 236
telecommunications, site selection and, 644
telecommuting, 111
telemedicine, 580
Telephone Consumer Protection Act (TCPA), 251
telephony system, 161–174
temperature, physical security and, 643, 658
Temporal Key Integrity Protocol (TKIP), 149
Temporary Internet Files, 628, 629
term searching, 617
termination, of personnel, 14, 57, 113
terrorism, 579–599
  defined, 580
  goals of, 581–582
TESO, 540, 542
text messages, 92
theft, 551, 593
themes, 298–299
third-party service providers, 439, 454
third-party system, 412
threat exposure, 236
3DES, see triple Data Encryption Standard
three-factor authentication, 36
three-way handshake, 79, 84, 85, 90–91
throughput degradation, WLAN, 151
time, access controls and, 121
tokens, 10, 12, 13, 60, 111, 193, 389, 417, 572, 623, 649
  asynchronous vs synchronous, 43, 49
  cryptographic, 36
  displays for, 46
  evaluating, 41–50
  initialization of, 45
  operation modes, 43
  passwords for, 46
  types of, 44–49
  warranty for, 49
toll fraud, 140, 144, 161–174, 561
  examples of, 162–163
Total Quality Management (TQM), 202, 336–337
total stream protection, 74
traffic control, 648–649, 654, 660
traffic load, 133, 134, 135, 136
traffic, malicious, 189–190, 231
training, 14, 38, 39, 56, 66, 204, 210, 214, 229, 242, 243, 245, 247, 248, 250, 251, 255, 257, 258, 262, 267, 268, 277, 278–284; see also employee training
  as required by law, 270
  contingency plan, 463
  information security awareness, 285–294
  motivators, 270–271
  types of, 282–284
transactions and code sets standard, of HIPAA, 107
transactions, smart cards and, 38
Transmission Control Protocol (TCP), 75, 76, 109, 120, 168, 190, 414, 421, 539, 543, 544, 545
  header, 75, 77, 80, 81
  three-way handshake, 90–91
Transmission Control Protocol/Internet Protocol (TCP/IP), 120, 320, 421, 426
transportation, site selection and, 644
Treadway Commission, 183
trespass to chattels, 528
trespass, spyware, 527–528
triggers, persuasion, 291–293
triple Data Encryption Standard (3DES), 168, 191
Trojans, 108, 112, 340, 343, 344, 345, 348, 398, 526, 530, 552, 562, 564, 576
trunk group calls, 169
trunking blockage, 144
trunk-to-trunk tandeming, 165
trust relationships, 66–67
trusted sender stamps, 259
trusted third party (TTP), 574
TTP, see trusted third party
Tunneled Transport Layer Security (TTLS), 125
turnstiles, 653
two-factor authentication, 36, 37, 60, 140, 193, 417, 649, 653
two-man rule, 651, 652
two-slit experiment, 375

U
U.S. Patriot Act, 106, 274
U.S. Patriot Act Customer Identification Program, 64
UDP, see User Datagram Protocol
unallocated digital data, 617
unauthorized use, 341
Unified Modeling Language (UML), 26
uninterruptible power system (UPS), 462
United States v. Dopps, 123
United States v. Meydbray, 123
United States v. Smith, 123
universal resource locator (URL), 112, 116, 530, 532, 560, 562, 563, 564, 567, 568, 570, 571, 573, 624, 626, 627
  mistyped, 530
  phishing, and, 560, 562, 563, 564, 567, 568, 570, 571, 573
universal serial bus (USB), 109, 617
USB port authenticators, 60
user account, setting up, 57
user authentication, 42
user base, 311
User Datagram Protocol (UDP), 80, 109, 162, 168, 414, 415, 421, 543, 553
user friendliness, of tokens, 45
user private network (UPN), 127
user vigilance, against spyware, 530–531
utilities, availability of for data center site, 645
Utilization Review Accreditation Committee (URAC), 518

V
validation, browser-based, 573
verification hash, 616
video conferencing, 474
  IP-based, 168
Video Smoke Detection, 655
virtual local area network (VLAN), 113, 114
virtual network computing (VNC), 543, 545
virtual private network (VPN), 13, 87, 88, 102–103, 104, 105, 107, 111, 112, 151, 192, 196, 245, 407, 418, 426
virus protection, 11; see also anti-virus
viruses, 92, 108–109, 124, 194, 199, 242, 243, 245, 285, 340, 398, 520, 552, 565, 566, 570
vision statement, security council, 205
visitor controls,
Voice over Internet Protocol (VoIP), 73, 145, 146, 150, 153, 168, 227, 411
Voice over Wireless Fidelity (VoWiFi), 145, 152
Voice over Wireless LAN (VoWLAN), 145–153
  security issues, 151–152
voice packets, 150, 151
voice traffic, 151
voicemail, 165
vulnerabilities, 10, 89, 90, 93, 94, 95, 98, 116, 122, 139, 161, 190–191, 194, 221, 224, 239, 318, 359, 420, 466, 519, 537, 538, 546, 549, 552, 553, 554, 560
vulnerability assessment, 214, 221, 239, 323, 401
vulnerability management, 557–558
vulnerability scanners, 537, 549
vulnerability scans, 190–191

W
W32.Sober.I, 108
walk-through tests, business continuity planning, 485, 489
war driving, 172
war-dialing, 139, 140, 143
Warhol worm, 110
warranty, for tokens, 49
water pipes, 659
WAV files, 583
wbStego, 584
weapons screening, 656
Web bots, 12
Web site defacements, 591, 597
Web site privacy policy, 256
Web sites, tracking visited, 622–628
weights update process, 135
WEPcrack, 115
WhenU.com, 535
white space, 90
white/black lists, 574
wide area network (WAN), 199
WiFi Alliance, 149, 150
WiFi handset, 146
WiFi Multimedia (WMM), 149
WiFi Protected Access (WPA), 115, 149, 151
WiFi Protected Access 2 (WPA2), 149
WiMAX Forum, 149
Windows 2000, 23, 550, 606
Windows Enumeration, 421
Windows Internet Naming Service (WINS), 415
Windows Management Instrumentation (WMI), 422
Wired Equivalent Privacy (WEP), 115, 148–149, 151, 173
Wireless Application Protocol (WAP), 391
Wireless Fidelity (WiFi), 145–153
wireless LAN (WLAN), 417
wireless local area network (WLAN), 145, 147, 149, 150, 152, 173
wireless personal area network (WPAN), 148, 150
wireless security, 114–115, 172–173, 391, 416
Wireless Transport Layer Security (WTLS), 391
word spotting, 143, 170
workflow, identity management and, 58
Workgroup for Electronic Data Interchange (WEDI), 518
workstations, 13, 198
  authentication, 42, 43
  software tokens, and, 50
World Trade Center, Verizon and, 644
World Trade Center/Pentagon attacks, reaction to, 587
worms, 92, 109–110, 194, 199, 242, 340, 398, 552, 553, 564, 565, 566, 576
  fast scanning, 110
WPA, see WiFi Protected Access

Z
Zapatistas, 579, 585, 586–587
zones of trust, 113

... He has published several papers on information security issues in the Information Security Management Handbook, Data Security Management, Information Systems Security, and the National Academy...

Information Security Fundamentals, Thomas R. Peltier, ISBN: 0-8493-1957-9
Information Security Management Handbook, 5th Edition, Harold F. Tipton and Micki Krause, ISBN: 0-8493-1997-8
Information Security...

... has published widely, including articles on information security issues in the Information Security Management Handbook and in Information Systems Security (where he was a past consulting editor)