Document: Information Security Management Handbook (pptx)


Document information

Information Security Management Handbook, Sixth Edition, Volume 2

CRC_AU6708_FM.indd i 1/29/2008 5:33:20 PM

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 / Fax: 1-800-374-3401 / E-mail: orders@crcpress.com

802.1X Port-Based Authentication, by Edwin Lyle Brown. ISBN: 1-4200-4464-8
Audit and Trace Log Management: Consolidation and Analysis, by Phillip Q. Maier. ISBN: 0-8493-2725-3
The CISO Handbook: A Practical Guide to Securing Your Company, by Michael Gentile, Ron Collette and Tom August. ISBN: 0-8493-7943-1
CISO Leadership: Essential Principles for Success, by Todd Fitzgerald and Micki Krause. ISBN: 0-8493-1952-8
Complete Guide to CISM Certification, by Thomas R. Peltier and Justin Peltier. ISBN: 0-849-35356-4
Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI, by Debra S. Herrmann. ISBN: 0-8493-5402-1
Computer Forensics: Evidence Collection and Management, by Robert C. Newman. ISBN: 0-8493-0561-6
Cyber Crime Investigator's Field Guide, Second Edition, by Bruce Middleton. ISBN: 0-8493-2768-7
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition, by Albert J. Marcella, Jr. and Doug Menendez. ISBN: 0-8493-8328-5
Database and Applications Security: Integrating Information Security and Data Management, by Bhavani Thuraisingham. ISBN: 0-8493-2224-3
Digital Privacy: Theory, Technologies, and Practices, by Alessandro Acquisti, Stefanos Gritzalis, Costas Lambrinoudakis, Sabrina di Vimercati. ISBN: 1-4200-5217-9
How to Achieve 27001 Certification: An Example of Applied Compliance Management, by Sigurjon Thor Arnason and Keith D. Willett. ISBN: 0-8493-3648-1
Information Security: Design, Implementation, Measurement, and Compliance, by Timothy P. Layton. ISBN: 0-8493-7087-6
Information Security Architecture: An Integrated Approach to Security in the Organization, Second Edition, by Jan Killmeyer. ISBN: 0-8493-1549-2
Information Security Cost Management, by Ioana V. Bazavan and Ian Lim. ISBN: 0-8493-9275-6
Information Security Fundamentals, by Thomas R. Peltier, Justin Peltier and John A. Blackley. ISBN: 0-8493-1957-9
Information Security Management Handbook, Sixth Edition, by Harold F. Tipton and Micki Krause. ISBN: 0-8493-7495-2
Information Security Risk Analysis, Second Edition, by Thomas R. Peltier. ISBN: 0-8493-3346-6
Insider Computer Fraud: An In-Depth Framework for Detecting and Defending against Insider IT Attacks, by Kenneth Brancik. ISBN: 1-4200-4659-4
Investigations in the Workplace, by Eugene F. Ferraro. ISBN: 0-8493-1648-0
Managing an Information Security and Privacy Awareness and Training Program, by Rebecca Herold. ISBN: 0-8493-2963-9
A Practical Guide to Security Assessments, by Sudhanshu Kairab. ISBN: 0-8493-1706-1
Practical Hacking Techniques and Countermeasures, by Mark D. Spivey. ISBN: 0-8493-7057-4
Securing Converged IP Networks, by Tyson Macaulay. ISBN: 0-8493-7580-0
The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, by Douglas J. Landoll. ISBN: 0-8493-2998-1
Wireless Crime and Forensic Investigation, by Gregory Kipper. ISBN: 0-8493-3188-9

Information Security Management Handbook, Sixth Edition, Volume 2
Edited by Harold F. Tipton, CISSP, and Micki Krause, CISSP
Auerbach Publications, Boca Raton, New York
Auerbach Publications is an imprint of the Taylor & Francis Group, an informa business

Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2008 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-1-4200-6708-8 (Hardcover)

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Tipton, Harold F.
Information security management handbook / Harold F. Tipton, Micki Krause. -- 6th ed.
p. cm. ((ISC)2 Press ; 27)
Includes bibliographical references and index.
ISBN 1-4200-6708-7
1. Computer security--Management--Handbooks, manuals, etc. 2. Data protection--Handbooks, manuals, etc. I. Krause, Micki. II. Title.
QA76.9.A25154165 2006
005.8--dc22
2006048504

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com

Contents

Preface ix
Editors xi
Contributors xiii

DOMAIN 1: INFORMATION SECURITY AND RISK MANAGEMENT
Security Management Concepts and Principles
1 Integrated Threat Management (GEORGE G. McBRIDE) ... 3
2 Understanding Information Security Management Systems (TOM CARLSON) ... 15
Policies, Standards, Procedures, and Guidelines
3 Planning for a Privacy Breach (REBECCA HEROLD) ... 29
Risk Management
4 Using Quasi-Intelligence Resources to Protect the Enterprise (CRAIG A. SCHILLER) ... 47
5 Information Risk Management: A Process Approach to Risk Diagnosis and Treatment (NICK HALVORSON) ... 71
6 Department-Level Transformation (R. SCOTT McCOY) ... 83
7 Setting Priorities in Your Security Program (DEREK SCHATZ) ... 93
8 Why and How Assessment of Organization Culture Shapes Security Strategies (DON SARACCO) ... 109
9 A Look Ahead (SAMANTHA THOMAS) ... 135

DOMAIN 2: ACCESS CONTROL
Access Control Techniques
10 Authentication Tokens (PAUL A. HENRY) ... 145
11 Authentication and the Role of Tokens (JEFF DAVIS) ... 153
Access Control Administration
12 Accountability (DEAN R. BUSHMILLER) ... 163
Methods of Attack
13 Rootkits: The Ultimate Malware Threat (E. EUGENE SCHULTZ AND EDWARD RAY) ... 175

DOMAIN 3: CRYPTOGRAPHY
14 Encryption Key Management in Large-Scale Network Deployments (FRANJO MAJSTOR AND GUY VANCOLLIE) ... 191

DOMAIN 4: PHYSICAL SECURITY
Elements of Physical Security
15 Mantraps and Turnstiles (R. SCOTT McCOY) ... 201

DOMAIN 5: SECURITY ARCHITECTURE AND DESIGN
Principles of Computer and Network Organizations, Architectures, and Designs
16 Service-Oriented Architecture and Web Services Security (GLENN J. CATER) ... 209
17 Analysis of Covert Channels (RALPH SPENCER POORE) ... 229
18 Security Architecture of Biological Cells: An Example of Defense in Depth (KENNETH J. KNAPP AND R. FRANKLIN MORRIS, JR.) ... 237
19 ISO Standards Draft Content (SCOTT ERKONEN) ... 245
20 Security Frameworks (ROBERT M. SLADE) ... 253

DOMAIN 6: TELECOMMUNICATIONS AND NETWORK SECURITY
Communications and Network Security
21 Facsimile Security (BEN ROTHKE) ... 273
Internet, Intranet, and Extranet Security
22 Network Content Filtering and Leak Prevention (GEORGE J. JAHCHAN) ... 289
Network Attacks and Countermeasures
23 The Ocean Is Full of Phish (TODD FITZGERALD) ... 295

DOMAIN 7: APPLICATION SECURITY
Application Issues
24 Neural Networks and Information Assurance Uses (SEAN M. PRICE) ... 307
25 Information Technology Infrastructure Library and Security Management Overview (DAVID McPHEE) ... 333
26 Adaptation: A Concept for Next-Generation Security Application Development (ROBBY S. FUSSELL) ... 349
27 Quantum Computing: Implications for Security (ROBERT M. SLADE) ... 361

DOMAIN 8: LEGAL, REGULATIONS, COMPLIANCE, AND INVESTIGATION
Information Law
28 Compliance Assurance: Taming the Beast (TODD FITZGERALD) ... 377
Incident Handling
29 Enterprise Incident Response and Digital Evidence Management and Handling (MARCUS K. ROGERS) ... 391
30 Security Information Management Myths and Facts (SASAN HAMIDI) ... 405

Index ... 415

Preface

Traditionally, the preface for this handbook focuses on the evolving landscape of the security profession, highlighting industry trends such as the burgeoning impact of privacy laws and regulations, emerging technologies that challenge de facto security, or any of the other various and sundry topics du jour. This time, we shift the focus.

Information security is an interesting, many times frustrating discipline to institutionalize. The commonly accepted triad—people, process, technology—trips easily off the tongue. However, breaking down the threesome into its subcomponents gives one pause. Information security truly is a complex composite of many fields of study, including sociology, psychology, anthropology, virology, criminology, cryptology, etiology, and technology. Thus, we give tribute here to those who willingly choose to slay the dragons, oftentimes finding themselves tilting at windmills instead.

Further, and importantly, we want to give tribute to, and underscore the contributions of, our authors. We can only speculate on what compels an individual to take keyboard in hand in an effort to share information and experiences that will benefit others. And yet, year after year, we have a select community of practitioners and professionals who give their all for the good of the industry. This volume of the handbook is no exception. The topics featured encompass a broad spectrum of areas, ranging from the fundamentals of access control, malicious software, and network security to more esoteric, but equally important, organizational culture and governance framework discussions. All of the chapters share a common property—they contain gems of information that afford the readers a leg up in their individual efforts to instill adequate and appropriate levels of security within their organizations.

To our readers, Don Quixotes that you are, we wish you good luck and good reading. And to our authors, we sincerely thank you for your valuable and valued contributions.

Hal Tipton
Micki Krause

[...]
... to information security effectiveness and has been published in numerous outlets including Information Systems Management, Information Systems Security, Communications of the AIS, Information Management & Computer Security, International Journal of Information Security and Privacy, Journal of Digital Forensics, Security, and Law, as well as the 2007 edition of the Information Security Management Handbook. ...

... and an Information System Security Management Professional. He has published several papers on information security issues with Auerbach Publishers (Handbook of Information Security Management, Data Security Management, and Information Security Journal); National Academy of Sciences (Computers at Risk); Data Pro Reports; Elsevier; and ISSA Access magazine. He has been a speaker at all the major information ...

... in information security, risk assessment, and management consulting. Currently, Nick is a senior consultant for Hotskills, Inc., specializing in information security and management consulting. His experience includes the development of risk management strategies, process implementation, and security management solutions. His efforts have led directly to the creation of several information security management ...

... provided security solutions to many Fortune 500 companies. Ben is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill) and a contributing author to Network Security: The Complete Reference (Osborne), and The Handbook of Information Security Management (Auerbach). He writes a monthly security book review for Security Management and is a former columnist for Information Security, ...

... at all the major information security conferences, including Computer Security Institute, the ISSA Annual Working Conference, the Computer Security Workshop, MIS conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security & Audit Users Conference, and Industrial Security Awareness Conference ...

... in industry-influential groups including the Information Systems Security Association (ISSA) and the International Information Systems Security Certification Consortium (ISC)2® and is a passionate advocate for professional security leadership. She is a reputed speaker, published author, and coeditor of the Information Security Management Handbook series.

Contributors ...

... Exam, Information Security Magazine, The Information Security Handbook, The HIPAA Program Reference Book, Managing an Information Security and Privacy Awareness and Training Program, and several other security-related publications. Todd is also a member of the editorial board for (ISC)2 Journal, Information Systems Security Magazine, and the Darkreading.com security publication and is frequently called ...

... Technology for Information Security conference. He is a cofounder of two ISSA chapters. E. Eugene Schultz, PhD, CISM, CISSP, is the chief technology officer and chief information security officer at High Tower Software, a company that develops security event management software. He is the author/coauthor of five books: the first on UNIX security, the second on Internet security, the third on Windows NT/2000 security, ...

... his current employer in 1998 as a senior UNIX security analyst. Since 2000, he has held a management role within information security, and is currently managing the infrastructure support team. R. Franklin Morris, Jr., is an assistant professor of management information systems at The Citadel in Charleston, South Carolina. He received his PhD in management information systems from Auburn University, Auburn, ...

... Fraud Examiner, Certified Information Systems Auditor, CISSP, Qualified Security Assessor, and is certified in Homeland Security Level III. Sean M. Price, CISA, CISSP, is an independent information security consultant residing in Northern Virginia. He provides security consulting and architecture services to commercial and government entities. Price has more than 12 years of information security experience, which ...

Posted: 20/12/2013, 21:16
