Fundamentals of Information Systems Security

Book Description

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES! Fundamentals of Information Systems Security provides a comprehensive overview of the essential concepts readers must know as they pursue careers in information systems security. The text opens with a discussion of the new risks, threats, and vulnerabilities associated with the transformation to a digital world, including a look at how business, government, and individuals operate today. Part 2 is adapted from the Official (ISC)2 SSCP Certified Body of Knowledge and presents a high-level overview of each of the seven domains within the Systems Security Certified Practitioner certification. The book closes with a resource for readers who desire additional material on information security standards, education, professional certifications, and compliance laws. With its practical, conversational writing style and step-by-step examples, this text is a must-have resource for those entering the world of information systems security.

Table of Contents

  1. Copyright
  2. Letter from (ISC)2 Executive Director W. Hord Tipton
  3. Preface
    1. Purpose of This Book
    2. Learning Features
    3. Audience
  4. Acknowledgments
  5. About the Authors
  6. ONE. The Need for Information Security
    1. 1. Information Systems Security
      1. Information Systems Security
        1. Risks, Threats, and Vulnerabilities
        2. Defining Information Systems Security
        3. U.S. Compliance Laws Drive Need for Information Systems Security
      2. Tenets of Information Systems Security
        1. Availability
        2. Integrity
        3. Confidentiality
      3. The Seven Domains of a Typical IT Infrastructure
        1. User Domain
          1. User Domain Roles, Responsibilities, and Accountability
          2. Risks, Threats, and Vulnerabilities Commonly Found in the User Domain
        2. Workstation Domain
          1. Workstation Domain Roles, Responsibilities, and Accountability
          2. Risks, Threats, and Vulnerabilities Commonly Found in the Workstation Domain
        3. LAN Domain
          1. LAN Domain Roles, Responsibilities, and Accountability
          2. Risks, Threats, and Vulnerabilities Commonly Found in the LAN Domain
        4. LAN-to-WAN Domain
          1. LAN-to-WAN Domain Roles, Responsibilities, and Accountability
          2. Risks, Threats, and Vulnerabilities Commonly Found in the LAN-to-WAN Domain
        5. WAN Domain
          1. WAN Domain Roles, Responsibilities, and Accountability
          2. Risks, Threats, and Vulnerabilities Commonly Found in the WAN Domain (Internet)
          3. Risks, Threats, and Vulnerabilities Commonly Found in the WAN Domain (Connectivity)
        6. Remote Access Domain
          1. Remote Access Domain Roles, Responsibilities, and Accountability
          2. Risks, Threats, and Vulnerabilities Commonly Found in the Remote Access Domain
        7. System/Application Domain
          1. System/Application Domain Roles, Responsibilities, and Accountability
          2. Risks, Threats, and Vulnerabilities Commonly Found in the System/Application Domain
      4. Weakest Link in the Security of an IT Infrastructure
        1. Ethics and the Internet
        2. (ISC)2: Information Systems Security Certification
        3. SSCP Professional Certification
        4. CISSP Professional Certification
        5. (ISC)2 Code of Ethics
      5. IT Security Policy Framework
        1. Definitions
        2. Foundational IT Security Policies
      6. Data Classification Standards
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 1 ASSESSMENT
    2. 2. Changing How People and Businesses Communicate
      1. Evolution of Voice Communications
        1. From Analog to Digital
        2. Telephony Risks, Threats, and Vulnerabilities
        3. Telephony Security Best Practices
        4. From Digital to Voice over IP (VoIP)
      2. VoIP and SIP Risks, Threats, and Vulnerabilities
        1. VoIP and SIP Security Best Practices
      3. Converting to a TCP/IP World
        1. How Different Groups Communicate
        2. Broadband Boom of the 1990s
        3. IP Transformation of Telecommunication Service Providers
          1. 1970s to 1984 (Divestiture): Analog Communications Ruled
          2. Divestiture to Late 1980s: Transforming to a Digital World
          3. Late 1980s to Mid 1990s: Next-Generation WAN Services
      4. Multimodal Communications
        1. Voice over IP (VoIP) Migration
        2. Unified Communications (UC)
        3. Solving Business Challenges with Unified Communications
          1. Examples of Human Latency and UC Enablement
      5. Evolution from Brick-and-Mortar to e-Commerce
        1. Solving Business Challenges with e-Business Transformation
      6. Why Businesses Today Need an Internet Marketing Strategy
      7. The Web Effect on People, Businesses, and Other Organizations
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 2 ASSESSMENT
    3. 3. Malicious Attacks, Threats, and Vulnerabilities
      1. Malicious Activity on the Rise
      2. What Are You Trying to Protect?
        1. IT and Network Infrastructure
        2. Intellectual Property
        3. Finances and Financial Data
        4. Service Availability and Productivity
        5. Reputation
      3. Whom Are You Trying to Catch?
      4. Attack Tools
        1. Vulnerability Scanners
        2. Port Scanners
        3. Sniffers
        4. Wardialers
        5. Keyloggers
      5. What Is a Security Breach?
        1. Denial of Service Attacks
        2. Distributed Denial of Service Attacks
        3. Unacceptable Web Browsing
        4. Wiretapping
        5. Backdoor
        6. Data Modifications
        7. Additional Security Challenges
          1. Spam
          2. Hoaxes
          3. Cookies
      6. What Are Vulnerabilities and Threats?
        1. Threat Targets
        2. Threat Types
          1. Denial or Destruction Threats
          2. Alteration Threats
          3. Disclosure Threats
      7. What Is a Malicious Attack?
        1. Brute-Force Attacks
        2. Dictionary Attacks
        3. Address Spoofing
        4. Hijacking
        5. Replay Attacks
        6. Man-in-the-Middle Attacks
        7. Masquerading
        8. Eavesdropping
        9. Social Engineering
        10. Phreaking
        11. Phishing
        12. Pharming
      8. What Is Malicious Software?
        1. Viruses
        2. Worms
        3. Trojan Horses
        4. Rootkits
        5. Spyware
      9. What Are Countermeasures?
        1. Countering Malware
        2. Protecting Your System with Firewalls
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 3 ASSESSMENT
    4. 4. The Drivers of the Information Security Business
      1. Defining Risk Management
        1. Risk Identification
        2. Risk Analysis
          1. Qualitative Risk Analysis
          2. Quantitative Risk Analysis
        3. Risk-Response Planning
        4. Risk Monitoring and Control
      2. Implementing a BIA, a BCP, and a DRP
        1. Business Impact Analysis
        2. Business Continuity Plan
        3. Disaster Recovery Plan
          1. Threat Analysis
          2. Impact Scenarios
          3. Recovery Requirement Documentation
          4. Disaster Recovery
      3. Assessing Risks, Threats, and Vulnerabilities
      4. Closing the Information Security Gap
      5. Adhering to Compliance Laws
      6. Keeping Private Data Confidential
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 4 ASSESSMENT
  7. TWO. The Systems Security Certified Practitioner (SSCP®) Professional Certification from (ISC)2
    1. 5. Access Controls
      1. The Four Parts of Access Control
      2. The Two Types of Access Control
        1. Physical Access Control
        2. Logical Access Control
          1. The Security Kernel
          2. Access Control Policies
      3. Defining an Authorization Policy
      4. Identification Methods and Guidelines
        1. Identification Methods
        2. Identification Guidelines
      5. Authentication Processes and Requirements
        1. Authentication Types
          1. Authentication by Knowledge
          2. Password Best Practices
          3. Tips for Creating Strong Passwords
            1. Account Lockout Policies
            2. Auditing Logon Events
            3. Password Reset and Storage
            4. Using a Passphrase
          4. Authentication by Ownership
            1. Synchronous Tokens
            2. Asynchronous Tokens
          5. Authentication by Characteristics/Biometrics
            1. Concerns Surrounding Biometrics
            2. Types of Biometrics
            3. Advantages and Disadvantages of Biometrics
            4. Privacy Issues
        2. Single Sign-On (SSO)
          1. Advantages and Disadvantages of SSO
          2. SSO Processes
            1. Kerberos
            2. SESAME
      6. Accountability Policies and Procedures
        1. Log Files
        2. Data Retention, Media Disposal, and Compliance Requirements
          1. Procedures
          2. Security Controls
          3. Media Disposal Requirements
      7. Formal Models of Access Control
        1. Discretionary Access Control (DAC)
          1. Operating Systems-Based DAC
          2. Application-Based DAC
          3. Permission Levels
        2. Mandatory Access Control (MAC)
          1. How MAC Works
        3. Non-Discretionary Access Control
        4. Rule-Based Access Control
        5. Access Control Lists (ACLs)
        6. Role Based Access Control (RBAC)
        7. Content-Dependent Access Control
        8. Constrained User Interface
        9. Other Access Control Models
          1. Bell-La Padula Model
          2. Biba Integrity Model
          3. Clark and Wilson Integrity Model
          4. Brewer and Nash Integrity Model
        10. Effects of Breaches in Access Control
      8. Threats to Access Controls
      9. Effects of Access Control Violations
      10. Centralized and Decentralized Access Control
        1. Three Types of AAA Servers
          1. RADIUS
          2. TACACS+
          3. DIAMETER
        2. Decentralized Access Control
        3. Privacy
          1. Monitoring in the Workplace
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 5 ASSESSMENT
    2. 6. Security Operations and Administration
      1. Security Administration
        1. Controlling Access
        2. Documentation, Procedures, and Guidelines
        3. Disaster Assessment and Recovery
        4. Security Outsourcing
          1. Outsourcing Considerations
      2. Compliance
        1. Security Event Logs
        2. Compliance Liaison
        3. Remediation
      3. Professional Ethics
        1. Common Fallacies About Ethics
        2. Codes of Ethics
          1. (ISC)2 Code of Ethics
          2. Internet Architecture Board (IAB) Statement of Policy
          3. Professional Requirements
        3. Personnel Security Principles
          1. Limiting Access
          2. Separation of Duties
          3. Job Rotation
          4. Mandatory Vacations
          5. Security Training and Awareness
          6. Social Engineering
      4. The Infrastructure for an IT Security Policy
        1. Policies
        2. Standards
        3. Procedures
        4. Baselines
        5. Guidelines
      5. Data Classification Standards
        1. Information Classification Objectives
        2. Examples of Classification
        3. Classification Procedures
        4. Assurance
      6. Configuration Management
        1. Hardware Inventory and Configuration Chart
          1. Hardware Configuration Chart
          2. Patch and Service-Pack Management
      7. The Change Management Process
        1. Change Control Management
          1. Reviewing Changes for Potential Security Impact
        2. Change Control Committees
        3. Change Control Procedures
        4. Change Control Issues
      8. The System Life Cycle (SLC) and System Development Life Cycle (SDLC)
        1. The System Life Cycle (SLC)
        2. Testing and Developing Systems
          1. Systems Procurement
          2. The Common Criteria
          3. Disposing of Equipment
          4. Certification and Accreditation
            1. Certification
            2. Accreditation
            3. Triggers for New Certification
      9. Software Development and Security
        1. Software Development Methods
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 6 ASSESSMENT
    3. 7. Auditing, Testing, and Monitoring
      1. Security Auditing and Analysis
        1. Security Controls Address Risk
        2. Determining What Is Acceptable
        3. Permission Levels
        4. Areas of Security Audits
        5. Purpose of Audits
        6. Customer Confidence
      2. Defining Your Audit Plan
        1. Defining the Scope of the Plan
      3. Auditing Benchmarks
      4. Audit Data–Collection Methods
        1. Areas of Security Audits
        2. Control Checks and Identity Management
      5. Post-Audit Activities
        1. Exit Interview
        2. Data Analysis
        3. Generation of Audit Report
        4. Presentation of Findings
      6. Security Monitoring
        1. Security Monitoring for Computer Systems
        2. Monitoring Issues
        3. Logging Anomalies
        4. Log Management
      7. Types of Log Information to Capture
      8. How to Verify Security Controls
        1. Intrusion Detection System (IDS)
        2. Analysis Methods
        3. HIDS
        4. Layered Defense: Network Access Control
        5. Control Checks: Intrusion Detection
        6. Host Isolation
        7. System Hardening
          1. Set a Baseline Configuration
          2. Disable Unnecessary Services
        8. Review Antivirus Program
      9. Monitoring and Testing Security Systems
        1. Monitoring
        2. Testing
          1. A Testing Road Map
          2. Establishing Testing Goals
          3. Reconnaissance Methods
          4. Network-Mapping Methods
          5. Covert Versus Overt Testers
          6. Testing Methods
          7. Security Testing Tips and Techniques
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 7 ASSESSMENT
    4. 8. Risk, Response, and Recovery
      1. Risk Management and Information Security
        1. Definitions of Risk
        2. Elements of Risk
        3. Purpose of Risk Management
        4. The Risk Equation
      2. The Process of Risk Management
      3. Risk Analysis
        1. Emerging Threats
      4. Two Approaches: Quantitative and Qualitative
        1. Calculating Quantified Risk
        2. Qualitative Risk Analysis
      5. Developing a Strategy for Dealing with Risk
        1. Acceptable Range of Risk/Residual Risk
      6. Evaluating Countermeasures
        1. Pricing/Costing a Countermeasure
        2. Countermeasure Evaluation
      7. Controls and Their Place in the Security Life Cycle
      8. Planning to Survive
        1. Terminology
        2. Assessing Maximum Tolerable Downtime (MTD)
        3. Business Impact Analysis
          1. Speed of Impact
          2. Critical Dependencies
          3. Assessing the Impact of Downtime
        4. Plan Review
        5. Testing the Plan
          1. Checklist Test
          2. Structured Walk-Through Test
          3. Simulation Test
          4. Parallel Test
          5. Full-Interruption Test
      9. Backing Up Data and Applications
        1. Types of Backups
      10. Steps to Take in Handling an Incident
        1. Notification
        2. Response
        3. Recovery
        4. Follow-Up
        5. Documentation
      11. Recovery from a Disaster
      12. Primary Steps to Disaster Recovery
        1. Activating the Disaster Recovery Plan
        2. Operating in a Reduced/Modified Environment
        3. Restoring Damaged Systems
        4. Disaster Recovery Issues
        5. Recovery Alternatives
        6. Interim or Alternate Processing Strategies
          1. Processing Agreements
          2. Reciprocal or Mutual Aid
          3. Reciprocal Centers
          4. Contingency
          5. Service Bureau
      13. CHAPTER SUMMARY
      14. KEY CONCEPTS AND TERMS
      15. CHAPTER 8 ASSESSMENT
    5. 9. Cryptography
      1. What Is Cryptography?
        1. Basic Cryptographic Principles
        2. A Brief History of Cryptography
          1. Twentieth-Century Cryptography
        3. Cryptography's Role in Information Security
          1. Confidentiality
          2. Integrity
          3. Authentication
          4. Nonrepudiation
      2. Business and Security Requirements for Cryptography
        1. Internal Security
        2. Security Between Businesses
        3. Security Measures That Benefit Everyone
      3. Cryptographic Applications and Uses in Information System Security
        1. Cryptanalysis and Public Versus Private Keys
          1. Symmetric and Asymmetric Key Cipher Resistance to Attack
      4. Cryptographic Principles, Concepts, and Terminology
        1. Cryptographic Functions and Ciphers
          1. Business-Security Implementations
        2. Types of Ciphers
          1. Transposition Ciphers
          2. Substitution Ciphers
          3. Product and Exponentiation Ciphers
        3. Symmetric and Asymmetric Key Cryptography
          1. Symmetric Key Ciphers
          2. Asymmetric Key Ciphers
        4. Keys, Keyspace, and Key Management
          1. Cryptographic Keys and Keyspace
          2. Key Management
          3. Key Distribution
          4. Key-Distribution Centers (KDCs)
        5. Digital Signatures and Hash Functions
          1. Hash Functions
          2. Digital Signatures
      5. Cryptographic Applications, Tools, and Resources
        1. Symmetric Key Standards
          1. Wireless Security
            1. 802.11 Wireless Security
        2. Asymmetric Key Solutions
        3. Hash Function and Integrity
          1. Hash Functions
        4. Digital Signatures and Nonrepudiation
          1. Digital Signatures Versus Digitized Signatures
      6. Principles of Certificates and Key Management
        1. Modern Key-Management Techniques
          1. AES
          2. IPSec
          3. ISAKMP
          4. XKMS
          5. Managed PKI
          6. ANSI X9.17
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 9 ASSESSMENT
    6. 10. Networks and Telecommunications
      1. The Open Systems Interconnection Reference Model
      2. The Two Types of Networks
        1. Wide Area Networks
          1. Connectivity Options
          2. Routers
        2. Local Area Networks
          1. Ethernet Networks
          2. LAN Devices: Hubs and Switches
      3. TCP/IP and How It Works
        1. TCP/IP Overview
        2. IP Addressing
        3. ICMP
      4. Network Security Risks
        1. Three Categories of Risk
          1. Network Reconnaissance
          2. Network Eavesdropping
          3. Network Denial of Service
      5. Basic Network Security Defense Tools
        1. Firewalls
          1. Firewall Types
          2. Firewall-Deployment Techniques
            1. Border Firewall
            2. Screened Subnet
            3. Multilayered Firewalls
        2. Virtual Private Networks and Remote Access
        3. Network Access Control
      6. Wireless Networks
        1. Wireless Access Points (WAPs)
        2. Wireless Network Security Controls
          1. Wireless Encryption
          2. SSID Beaconing
          3. MAC Address Filtering
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 10 ASSESSMENT
    7. 11. Malicious Code and Activity
      1. Characteristics, Architecture, and Operations of Malicious Software
      2. The Main Types of Malware
        1. Virus
          1. Boot Record Infectors
          2. Master Boot Record and System Infectors
          3. File (Program) Infectors
          4. Macro (Data File) Infectors
          5. Other Virus Classifications
        2. Spam
        3. Worms
        4. Trojan Horses
        5. Logic Bombs
        6. Active Content Vulnerabilities
        7. Botnets
        8. Denial of Service Attacks
          1. SYN Flood Attacks
          2. Smurf Attacks
        9. Spyware
        10. Adware
        11. Phishing
          1. Spear-Phishing
          2. Pharming
        12. Keystroke Loggers
        13. Hoaxes and Myths
        14. Home-Page Hijacking
        15. Web-Page Defacements
      3. A Brief History of Malicious Code Threats
        1. 1970s and Early 1980s: Academic Research and UNIX
        2. 1980s: Early PC Viruses
        3. 1990s: Early LAN Viruses
        4. Mid-1990s: Smart Applications and the Internet
        5. 2000 to Present
      4. Threats to Business Organizations
        1. Types of Threats
        2. Internal Threats from Employees
      5. Anatomy of an Attack
        1. What Motivates Attackers?
        2. The Purpose of an Attack
        3. Types of Attacks
          1. Unstructured Attacks
          2. Structured Attacks
          3. Direct Attacks
          4. Indirect Attacks
        4. Phases of an Attack
          1. Reconnaissance and Probing
            1. DNS, ICMP, and related tools
            2. SNMP tools
            3. Port-scanning and port-mapping tools
            4. Security probes
          2. Access and Privilege Escalation
          3. Covering Your Tracks
      6. Attack Prevention Tools and Techniques
        1. Application Defenses
        2. Operating System Defenses
        3. Network Infrastructure Defenses
        4. Safe Recovery Techniques and Practices
        5. Implementing Effective Software Best Practices
      7. Incident Detection Tools and Techniques
        1. Antivirus Scanning Software
        2. Network Monitors and Analyzers
        3. Content/Context Filtering and Logging Software
        4. Honeypots and Honeynets
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 11 ASSESSMENT
  8. THREE. Information Security Standards, Education, Certifications, and Laws
    1. 12. Information Security Standards
      1. Standards Organizations
        1. NIST
        2. International Organization for Standardization (ISO)
        3. International Electrotechnical Commission (IEC)
        4. World Wide Web Consortium (W3C)
        5. Internet Engineering Task Force (IETF)
          1. Request for Comments (RFC)
          2. Internet Architecture Board (IAB)
        6. IEEE
        7. International Telecommunication Union Telecommunication Sector (ITU-T)
        8. ANSI
      2. ISO 17799
      3. ISO/IEC 27002
      4. PCI DSS
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 12 ASSESSMENT
    2. 13. Information Security Education and Training
      1. Self-Study
      2. Adult Continuing Education Programs
        1. Certificate Programs
        2. CPE Credits
      3. Post-Secondary Degree Programs
        1. Associate's Degree
        2. Bachelor's Degree
        3. Master's Degree
          1. Master of Science Degree
          2. Master of Business Administration
        4. Doctoral Degree
      4. Information Security Training Programs
        1. Security Training Requirements
        2. Security Training Organizations
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 13 ASSESSMENT
    3. 14. Information Security Professional Certifications
      1. Vendor-Neutral Professional Certifications
        1. (ISC)2
          1. Systems Security Certified Practitioner (SSCP)
          2. Certified Information Systems Security Professional (CISSP)
          3. Certified Authorization Professional (CAP)
          4. Certified Secure Software Lifecycle Professional (CSSLP)
        2. GIAC/SANS Institute
        3. CIW
        4. CompTIA
        5. SCP
        6. ISACA
      2. Vendor-Specific Professional Certifications
        1. Cisco Systems
        2. Juniper Networks
        3. RSA
        4. Symantec
        5. Check Point
      3. DoD/Military—8570.01
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 14 ASSESSMENT
    4. 15. U.S. Compliance Laws
      1. Compliance and the Law
      2. The Federal Information Security Management Act
        1. Purpose and Main Requirements
        2. The Role of the National Institute of Standards and Technology
        3. National Security Systems
        4. Oversight
        5. The Future of FISMA
      3. The Health Insurance Portability and Accountability Act
        1. Purpose and Scope
        2. Main Requirements of the HIPAA Privacy Rule
        3. Main Requirements of the HIPAA Security Rule
        4. Oversight
      4. The Gramm-Leach-Bliley Act
        1. Purpose and Scope
        2. Main Requirements of the GLBA Privacy Rule
        3. Main Requirements of the GLBA Safeguards Rule
        4. Oversight
      5. The Sarbanes-Oxley Act
        1. Purpose and Scope
        2. SOX Control Certification Requirements
        3. SOX Records Retention Requirements
        4. Oversight
      6. The Family Educational Rights and Privacy Act
        1. Purpose and Scope
        2. Main Requirements
        3. Oversight
      7. The Children's Internet Protection Act
        1. Purpose and Scope
        2. Main Requirements
        3. Oversight
      8. Making Sense of Laws for Information Security Compliance
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 15 ASSESSMENT
      12. ENDNOTES
  9. A. Answer Key
  10. B. Standard Acronyms
  11. C. Become an SSCP®
    1. About (ISC)2®
    2. About SSCP®
      1. Maintenance Requirements
    3. About the Associate of (ISC)2®
      1. Participation Requirements
      2. The Advantages of Becoming an Associate of (ISC)2
      3. Hold Yourself to Globally Recognized Standards
  12. D. SSCP® Practice Exam
  13. Glossary of Key Terms
  14. References