Information Security and IT Risk Management

Book Description

This new text provides students with the knowledge and skills they will need to compete for and succeed in the information security roles they will encounter straight out of college. It does so through hands-on immersion in essential system administration, service and application installation and configuration, security tool use, TIG implementation and reporting.

It is designed for an introductory course on IS Security, usually offered as an elective in IS departments at 2- and 4-year schools. It is not designed for security certification courses.

Table of Contents

  1. Cover Page
  2. Wiley's Digital Advantage
  3. Title Page
  4. Copyright
  5. Table of Contents
  6. List of Figures
  7. Preface
  8. CHAPTER 1: Introduction
    1. Overview
    2. Professional utility of information security knowledge
    3. Brief history
    4. Definition of information security
    5. SUMMARY
    6. EXAMPLE CASE–WIKILEAKS, CABLEGATE, AND FREE REIGN OVER CLASSIFIED NETWORKS
    7. REFERENCES
    8. CHAPTER REVIEW QUESTIONS
    9. EXAMPLE CASE QUESTIONS
    10. HANDS-ON ACTIVITY–SOFTWARE INSPECTOR, STEGANOGRAPHY
    11. CRITICAL THINKING EXERCISE: IDENTIFYING CIA AREA(S) AFFECTED BY SAMPLE REAL-LIFE HACKING INCIDENTS
    12. DESIGN CASE
  9. CHAPTER 2: System Administration (Part 1)
    1. Overview
    2. Introduction
    3. What is system administration?
    4. System administration and information security
    5. Common system administration tasks
    6. System administration utilities
    7. SUMMARY
    8. EXAMPLE CASE–T.J. MAXX
    9. REFERENCES
    10. CHAPTER REVIEW QUESTIONS
    11. EXAMPLE CASE QUESTIONS
    12. HANDS-ON ACTIVITY–LINUX SYSTEM INSTALLATION
    13. CRITICAL THINKING EXERCISE–GOOGLE EXECUTIVES SENTENCED TO PRISON OVER VIDEO
    14. REFERENCES
    15. CRITICAL THINKING QUESTIONS
    16. DESIGN CASE
    17. SECURITY DESIGN CASE QUESTIONS
  10. CHAPTER 3: System Administration (Part 2)
    1. Overview
    2. Operating system structure
    3. The command-line interface
    4. Files and directories
    5. Moving around the filesystem–pwd, cd
    6. Listing files and directories
    7. Shell expansions
    8. File management
    9. Viewing files
    10. Searching for files
    11. Access control and user management
    12. Access control lists
    13. File ownership
    14. Editing files
    15. Software installation and updates
    16. Account management
    17. Command-line user administration
    18. Example case–Northwest Florida State College
    19. REFERENCES
    20. SUMMARY
    21. CHAPTER REVIEW QUESTIONS
    22. EXAMPLE CASE QUESTIONS
    23. HANDS-ON ACTIVITY–BASIC LINUX SYSTEM ADMINISTRATION
    24. CRITICAL THINKING EXERCISE–OFFENSIVE CYBER EFFECTS OPERATIONS (OCEO)
    25. REFERENCES
    26. CRITICAL THINKING QUESTIONS
    27. DESIGN CASE
  11. CHAPTER 4: The Basic Information Security Model
    1. Overview
    2. Introduction
    3. Components of the basic information security model
    4. Common vulnerabilities, threats, and controls
    5. Example case–ILOVEYOU virus
    6. REFERENCES
    7. SUMMARY
    8. CHAPTER REVIEW QUESTIONS
    9. EXAMPLE CASE QUESTIONS
    10. HANDS-ON ACTIVITY–WEB SERVER SECURITY
    11. QUESTIONS
    12. CRITICAL THINKING EXERCISE–THE INTERNET, “AMERICAN VALUES,” AND SECURITY
    13. CRITICAL THINKING QUESTIONS
    14. DESIGN CASE
  12. CHAPTER 5: Asset Identification and Characterization
    1. Overview
    2. Assets overview
    3. Determining assets that are important to the organization
    4. Asset types
    5. Asset characterization
    6. IT asset life cycle and asset identification
    7. System profiling
    8. Asset ownership and operational responsibilities
    9. Example case–Stuxnet
    10. REFERENCES
    11. SUMMARY
    12. CHAPTER REVIEW QUESTIONS
    13. EXAMPLE CASE QUESTIONS
    14. HANDS-ON ACTIVITY–COURSE ASSET IDENTIFICATION
    15. CRITICAL THINKING EXERCISE–USES OF A HACKED PC
    16. DESIGN CASE
    17. DESIGN CASE QUESTIONS
  13. CHAPTER 6: Threats and Vulnerabilities
    1. Overview
    2. Introduction
    3. Threat models
    4. Threat agent
    5. Threat action
    6. Vulnerabilities
    7. Example case–Gozi
    8. REFERENCES
    9. SUMMARY
    10. CHAPTER REVIEW QUESTIONS
    11. EXAMPLE CASE QUESTIONS
    12. HANDS-ON ACTIVITY–VULNERABILITY SCANNING
    13. CRITICAL THINKING EXERCISE–IRAQ CYBERWAR PLANS IN 2003
    14. REFERENCE
    15. DESIGN CASE
  14. CHAPTER 7: Encryption Controls
    1. Overview
    2. Introduction
    3. Encryption basics
    4. Encryption types overview
    5. Encryption types details
    6. Encryption in use
    7. Example case–Nation technologies
    8. SUMMARY
    9. CHAPTER REVIEW QUESTIONS
    10. EXAMPLE CASE QUESTIONS
    11. HANDS-ON ACTIVITY–ENCRYPTION
    12. CRITICAL THINKING EXERCISE–ENCRYPTION KEYS EMBED BUSINESS MODELS
    13. REFERENCES
    14. CRITICAL THINKING EXERCISE QUESTIONS
    15. DESIGN CASE
  15. CHAPTER 8: Identity and Access Management
    1. Overview
    2. Identity management
    3. Access management
    4. Authentication
    5. Single sign-on
    6. Federation
    7. Example case–Markus Hess
    8. REFERENCES
    9. SUMMARY
    10. CHAPTER REVIEW QUESTIONS
    11. EXAMPLE CASE QUESTIONS
    12. HANDS-ON ACTIVITY–IDENTITY MATCH AND MERGE
    13. CRITICAL THINKING EXERCISE–FEUDALISM THE SECURITY SOLUTION FOR THE INTERNET?
    14. REFERENCES
    15. CRITICAL THINKING EXERCISE QUESTIONS
    16. DESIGN CASE
  16. CHAPTER 9: Hardware and Software Controls
    1. Overview
    2. Password management
    3. Access control
    4. Firewalls
    5. Intrusion detection/prevention systems
    6. Patch management for operating systems and applications
    7. End-point protection
    8. Example case–AirTight networks
    9. REFERENCES
    10. CHAPTER REVIEW QUESTIONS
    11. EXAMPLE CASE QUESTIONS
    12. HANDS-ON ACTIVITY–HOST-BASED IDS (OSSEC)
    13. CRITICAL THINKING EXERCISE–EXTRA-HUMAN SECURITY CONTROLS
    14. REFERENCES
    15. CRITICAL THINKING EXERCISE QUESTIONS
    16. DESIGN CASE
  17. CHAPTER 10: Shell Scripting
    1. Overview
    2. Introduction
    3. Output redirection
    4. Text manipulation
    5. Variables
    6. Conditionals
    7. User input
    8. Loops
    9. Putting it all together
    10. Example case–Max Butler
    11. REFERENCES
    12. SUMMARY
    13. CHAPTER REVIEW QUESTIONS
    14. EXAMPLE CASE QUESTIONS
    15. HANDS-ON ACTIVITY–BASIC SCRIPTING
    16. CRITICAL THINKING EXERCISE–SCRIPT SECURITY
    17. REFERENCE
    18. SHELL SCRIPTING QUESTIONS
    19. DESIGN CASE
  18. CHAPTER 11: Incident Handling
    1. Introduction
    2. Incidents overview
    3. Incident handling
    4. The disaster
    5. Example case–on-campus piracy
    6. SUMMARY
    7. CHAPTER REVIEW QUESTIONS
    8. EXAMPLE CASE QUESTIONS
    9. HANDS-ON ACTIVITY–INCIDENT TIMELINE USING OSSEC
    10. QUESTIONS
    11. CRITICAL THINKING EXERCISE–DESTRUCTION AT THE EDA
    12. DESIGN CASE
  19. CHAPTER 12: Incident Analysis
    1. Introduction
    2. Log analysis
    3. Event criticality
    4. General log configuration and maintenance
    5. Live incident response
    6. Timelines
    7. Other forensics topics
    8. Example case–backup server compromise
    9. CHAPTER REVIEW QUESTIONS
    10. EXAMPLE CASE QUESTIONS
    11. HANDS-ON ACTIVITY–SERVER LOG ANALYSIS
    12. CRITICAL THINKING EXERCISE–DESTRUCTION AT THE EDA (CONTD.)
    13. DESIGN CASE
    14. QUESTIONS
  20. CHAPTER 13: Policies, Standards, and Guidelines
    1. Introduction
    2. Guiding principles
    3. Writing a policy
    4. Impact assessment and vetting
    5. Policy review
    6. Compliance
    7. Key policy issues
    8. Example case–HB Gary
    9. REFERENCES
    10. SUMMARY
    11. REFERENCE
    12. CHAPTER REVIEW QUESTIONS
    13. EXAMPLE CASE QUESTIONS
    14. HANDS-ON ACTIVITY–CREATE AN AUP
    15. CRITICAL THINKING EXERCISE–AARON SWARTZ
    16. REFERENCES
    17. CRITICAL THINKING QUESTIONS
    18. DESIGN CASE
  21. CHAPTER 14: IT Risk Analysis and Risk Management
    1. Overview
    2. Introduction
    3. Risk management as a component of organizational management
    4. Risk-management framework
    5. The NIST 800-39 framework
    6. Risk assessment
    7. Other risk-management frameworks
    8. IT general controls for Sarbanes–Oxley compliance
    9. Compliance versus risk management
    10. Selling security
    11. Example case–online marketplace purchases
    12. REFERENCE
    13. SUMMARY
    14. CHAPTER REVIEW QUESTIONS
    15. EXAMPLE CASE QUESTIONS
    16. HANDS-ON ACTIVITY–RISK ASSESSMENT USING LSOF
    17. QUESTIONS
    18. CRITICAL THINKING EXERCISE–RISK ESTIMATION BIASES
    19. REFERENCES
    20. CRITICAL THINKING QUESTIONS
    21. DESIGN CASE
  22. APPENDIX A: Password List for the Linux Virtual Machine
  23. Glossary
  24. Index