Information Security The Complete Reference, Second Edition

Book Description

Develop and implement an effective end-to-end security program

Today’s complex world of mobile platforms, cloud computing, and ubiquitous data access puts new security demands on every IT professional. Information Security: The Complete Reference, Second Edition (previously titled Network Security: The Complete Reference) is the only comprehensive book that offers vendor-neutral details on all aspects of information protection, with an eye toward the evolving threat landscape.

Table of Contents

  1. Cover 
  2. About the Author
  3. Title Page
  4. Copyright Page
  5. Contents at a Glance
  6. Contents 
  7. Preface
  8. Acknowledgments
  9. Introduction
  10. Part I: Foundations
    1. Chapter 1: Information Security Overview
      1. The Importance of Information Protection
      2. The Evolution of Information Security
      3. Justifying Security Investment
        1. Business Agility
        2. Cost Reduction
        3. Portability
      4. Security Methodology
      5. How to Build a Security Program
        1. Authority
        2. Framework
        3. Assessment
        4. Planning
        5. Action
        6. Maintenance
      6. The Impossible Job
      7. The Weakest Link
      8. Strategy and Tactics
      9. Business Processes vs. Technical Controls
      10. Summary
      11. References
    2. Chapter 2: Risk Analysis
      1. Threat Definition
        1. Threat Vectors
        2. Threat Sources and Targets
      2. Types of Attacks
        1. Malicious Mobile Code
        2. Advanced Persistent Threats (APTs)
        3. Manual Attacks
      3. Risk Analysis
      4. Summary
      5. References
    3. Chapter 3: Compliance with Standards, Regulations, and Laws
      1. Information Security Standards
        1. COBIT
        2. ISO 27000 Series
        3. NIST
      2. Regulations Affecting Information Security Professionals
        1. The Duty of Care
        2. Gramm-Leach-Bliley Act (GLBA)
        3. Sarbanes-Oxley Act
        4. HIPAA Privacy and Security Rules
        5. NERC CIP
        6. PCI DSS: Payment Card Industry Data Security Standard
      3. Laws Affecting Information Security Professionals
        1. Hacking Laws
        2. Electronic Communication Laws
        3. Other Substantive Laws
      4. Summary
      5. References
    4. Chapter 4: Secure Design Principles
      1. The CIA Triad and Other Models
        1. Confidentiality
        2. Integrity
        3. Availability
        4. Additional Concepts
      2. Defense Models
        1. The Lollipop Model
        2. The Onion Model
      3. Zones of Trust
      4. Best Practices for Network Defense
        1. Secure the Physical Environment
        2. Harden the Operating System
        3. Keep Patches Updated
        4. Use an Antivirus Scanner (with Real-Time Scanning)
        5. Use Firewall Software
        6. Secure Network Share Permissions
        7. Use Encryption
        8. Secure Applications
        9. Back Up the System
        10. Implement ARP Poisoning Defenses
        11. Create a Computer Security Defense Plan
      5. Summary
      6. References
    5. Chapter 5: Security Policies, Standards, Procedures, and Guidelines
      1. Security Policies
        1. Security Policy Development
        2. Security Policy Contributors
        3. Security Policy Audience
        4. Policy Categories
        5. Frameworks
        6. Security Awareness
        7. Importance of Security Awareness
        8. Objectives of an Awareness Program
        9. Increasing Effectiveness
        10. Implementing the Awareness Program
        11. Enforcement
        12. Policy Enforcement for Vendors
        13. Policy Enforcement for Employees
        14. Software-Based Enforcement
        15. Example Security Policy Topics
        16. Acceptable Use Policies
        17. Computer Policies
        18. Network Policies
        19. Data Privacy Policies
        20. Data Integrity Policies
        21. Personnel Management Policies
        22. Security Management Policies
        23. Physical Security Policies
      2. Security Standards
        1. Security Standard Example
      3. Security Procedures
        1. Security Procedure Example
      4. Security Guidelines
        1. Security Guideline Example
      5. Ongoing Maintenance
      6. Summary
      7. References
    6. Chapter 6: Security Organization
      1. Roles and Responsibilities
        1. Security Positions
        2. Security Incident Response Team
      2. Managed Security Services
        1. Services Performed by MSSPs
        2. Services That Can Be Monitored by MSSPs
      3. Security Council, Steering Committee, or Board of Directors
      4. Interaction with Human Resources
      5. Summary
      6. References
    7. Chapter 7: Authentication and Authorization
      1. Authentication
        1. Usernames and Passwords
        2. Certificate-Based Authentication
        3. Extensible Authentication Protocol (EAP)
        4. Biometrics
        5. Additional Uses for Authentication
      2. Authorization
        1. User Rights
        2. Role-Based Authorization (RBAC)
        3. Access Control Lists (ACLs)
        4. Rule-Based Authorization
      3. Compliance with Standards
        1. NIST
        2. ISO 27002
        3. COBIT
      4. Summary
      5. References
  11. Part II: Data Security
    1. Chapter 8: Securing Unstructured Data
      1. Structured Data vs. Unstructured Data
      2. At Rest, in Transit, and in Use
      3. Approaches to Securing Unstructured Data
        1. Databases
        2. Applications
        3. Networks
        4. Computers
        5. Storage (Local, Removable, or Networked)
        6. Data Printed into the Physical World
      4. Newer Approaches to Securing Unstructured Data
        1. Data Loss Prevention (DLP)
        2. Information Rights Management (IRM)
      5. Summary
      6. References
    2. Chapter 9: Information Rights Management
      1. Overview
        1. The Difference Between DRM and IRM
        2. What’s in a Name? EDRM, ERM, RMS, IRM
      2. Evolution from Encryption to IRM
      3. IRM Technology Details
        1. What Constitutes an IRM Technology?
        2. Architecture
        3. Going Offline
        4. Unstructured Data Formats
      4. Getting Started with IRM
        1. Classification Creation
        2. User Provisioning
        3. Rights Assignment
        4. Securing Content
        5. Distributing Content
        6. Installing and Configuring the IRM Client
        7. Authentication
        8. Authorization
        9. Rights Retrieval and Storage
        10. Content Access and Rights Invocation
        11. Access Auditing and Reporting
        12. Rights Revocation
      5. Summary
      6. References
    3. Chapter 10: Encryption
      1. A Brief History of Encryption
        1. Early Codes
        2. More Modern Codes
      2. Symmetric-Key Cryptography
        1. Key Exchange
      3. Public Key Cryptography
        1. Key Exchange
      4. Public Key Infrastructure
        1. Structure and Function
        2. CA Hierarchy
        3. Certificate Templates and Enrollment
        4. Revocation
        5. Role Separation
        6. Cross-Certification
      5. Compliance with Standards
        1. NIST
        2. ISO 27002
        3. COBIT
      6. Summary
      7. References
    4. Chapter 11: Storage Security
      1. Storage Security Evolution
      2. Modern Storage Security
        1. Storage Infrastructure
        2. Administration Channel
        3. Risks to Data
      3. Risk Remediation
        1. Confidentiality Risks
        2. Integrity Risks
        3. Availability Risks
      4. Best Practices
        1. Zoning
        2. Arrays
        3. Servers
        4. Staff
        5. Offsite Data Storage
      5. Summary
      6. References
    5. Chapter 12: Database Security
      1. General Database Security Concepts
      2. Understanding Database Security Layers
        1. Server-Level Security
        2. Network-Level Security
        3. Operating System Security
      3. Understanding Database-Level Security
        1. Database Administration Security
        2. Database Roles and Permissions
        3. Object-Level Security
        4. Using Other Database Objects for Security
      4. Using Application Security
        1. Limitations of Application-Level Security
        2. Supporting Internet Applications
      5. Database Backup and Recovery
        1. Determining Backup Constraints
        2. Determining Recovery Requirements
        3. Types of Database Backups
      6. Keeping Your Servers Up to Date
      7. Database Auditing and Monitoring
        1. Reviewing Audit Logs
        2. Database Monitoring
      8. Summary
      9. References
  12. Part III: Network Security
    1. Chapter 13: Secure Network Design
      1. Introduction to Secure Network Design
        1. Acceptable Risk
        2. Designing Security into a Network
        3. Designing an Appropriate Network
        4. The Cost of Security
      2. Performance
      3. Availability
      4. Security
        1. Wireless Impact on the Perimeter
        2. Remote Access Considerations
        3. Internal Security Practices
        4. Intranets, Extranets, and DMZs
        5. Outbound Filtering
      5. Compliance with Standards
        1. NIST
        2. ISO 27002
        3. COBIT
      6. Summary
      7. References
    2. Chapter 14: Network Device Security
      1. Switch and Router Basics
        1. MAC Addresses, IP Addresses, and ARP
        2. TCP/IP
        3. Hubs
        4. Switches
        5. Routers
      2. Network Hardening
        1. Patching
        2. Switch Security Practices
        3. Access Control Lists
        4. Disabling Unused Services
        5. Administrative Practices
        6. Internet Control Message Protocol (ICMP)
        7. Anti-Spoofing and Source Routing
        8. Logging
      3. Summary
      4. References
    3. Chapter 15: Firewalls
      1. Overview
        1. The Evolution of Firewalls
        2. Application Control
        3. Must-Have Firewall Features
      2. Core Firewall Functions
        1. Network Address Translation (NAT)
        2. Auditing and Logging
      3. Additional Firewall Capabilities
        1. Application and Website Malware Execution Blocking
        2. Antivirus
        3. Intrusion Detection and Intrusion Prevention
        4. Web Content (URL) Filtering and Caching
        5. E-Mail (Spam) Filtering
        6. Enhance Network Performance
      4. Firewall Design
        1. Firewall Strengths and Weaknesses
        2. Firewall Placement
        3. Firewall Configuration
      5. Summary
      6. References
    4. Chapter 16: Virtual Private Networks
      1. How a VPN Works
      2. VPN Protocols
        1. IPSec
        2. PPTP
        3. L2TP over IPSec
        4. SSL VPNs
      3. Remote Access VPN Security
        1. Authentication Process
        2. Client Configuration
        3. Client Networking Environment
        4. Offline Client Activity
      4. Site-to-Site VPN Security
      5. Summary
      6. References
    5. Chapter 17: Wireless Network Security
      1. Radio Frequency Security Basics
        1. Security Benefits of RF Knowledge
        2. Layer One Security Solutions
      2. Data-Link Layer Wireless Security Features, Flaws, and Threats
        1. 802.11 and 802.15 Data-Link Layer in a Nutshell
        2. 802.11 and 802.15 Data-Link Layer Vulnerabilities and Threats
        3. Closed-System SSIDs, MAC Filtering, and Protocol Filtering
        4. Built-in Bluetooth Network Data-Link Security and Threats
      3. Wireless Vulnerabilities and Mitigations
        1. Wired Side Leakage
        2. Rogue Access Points
        3. Misconfigured Access Points
        4. Wireless Phishing
        5. Client Isolation
      4. Wireless Network Hardening Practices and Recommendations
        1. Wireless Security Standards
        2. Temporal Key Integrity Protocol and Counter Mode with CBC-MAC Protocol
        3. 802.1x-Based Authentication and EAP Methods
      5. Wireless Intrusion Detection and Prevention
        1. Wireless IPS and IDS
        2. Bluetooth IPS
      6. Wireless Network Positioning and Secure Gateways
      7. Summary
      8. References
    6. Chapter 18: Intrusion Detection and Prevention Systems
      1. IDS Concepts
        1. Threat Types
        2. First-Generation IDS
        3. Second-Generation IDS
      2. IDS Types and Detection Models
        1. Host-Based IDS
        2. Network-Based IDS (NIDS)
        3. Anomaly-Detection (AD) Model
        4. Signature-Detection Model
        5. What Type of IDS Should You Use?
      3. IDS Features
        1. IDS End-User Interfaces
        2. Intrusion-Prevention Systems (IPS)
        3. IDS Management
        4. IDS Logging and Alerting
      4. IDS Deployment Considerations
        1. IDS Fine-Tuning
        2. IPS Deployment Plan
      5. Security Information and Event Management (SIEM)
        1. Data Aggregation
        2. Analysis
        3. Operational Interface
        4. Additional SIEM Features
      6. Summary
      7. References
    7. Chapter 19: Voice over IP (VoIP) and PBX Security
      1. Background
      2. VoIP Components
        1. Call Control
        2. Voice and Media Gateways and Gatekeepers
        3. MCUs
        4. Hardware Endpoints
        5. Software Endpoints
        6. Call and Contact Center Components
        7. Voicemail Systems
      3. VoIP Vulnerabilities and Countermeasures
        1. Old Dogs, Old Tricks: The Original Hacks
        2. Vulnerabilities and Exploits
        3. The Protocols
        4. Security Posture: System Integrators and Hosted VoIP
      4. PBX
        1. Hacking a PBX
        2. Securing a PBX
      5. TEM: Telecom Expense Management
      6. Summary
      7. References
  13. Part IV: Computer Security
    1. Chapter 20: Operating System Security Models
      1. Operating System Models
        1. The Underlying Protocols Are Insecure
        2. Access Control Lists
        3. MAC vs. DAC
      2. Classic Security Models
        1. Bell-LaPadula
        2. Biba
        3. Clark-Wilson
        4. TCSEC
        5. Labels
      3. Reference Monitor
        1. The Reference Monitor Concept
        2. Windows Security Reference Monitor
      4. Trustworthy Computing
      5. International Standards for Operating System Security
        1. Common Criteria
      6. Summary
      7. References
    2. Chapter 21: Unix Security
      1. Start with a Fresh Install
      2. Securing a Unix System
        1. Reducing the Attack Surface
        2. Install Secure Software
        3. Configure Secure Settings
        4. Keep Software Up to Date
      3. Place Servers into Network Zones
      4. Strengthen Authentication Processes
        1. Require Strong Passwords
        2. Use Alternatives to Passwords
        3. Limit Physical Access to Systems
      5. Limit the Number of Administrators and Limit the Privileges of Administrators
        1. Use sudo
      6. Back Up Your System
      7. Subscribe to Security Lists
      8. Compliance with Standards
        1. ISO 27002
        2. COBIT
      9. Summary
      10. References
    3. Chapter 22: Windows Security
      1. Securing Windows Systems
        1. Disable Windows Services and Remove Software
        2. Securely Configure Remaining Software
        3. Use Group Policy to Manage Settings
        4. Computer Policies
        5. User Policies
        6. Security Configuration and Analysis
        7. Group Policy
        8. Install Security Software
        9. Application Whitelisting
        10. Patch Systems Regularly
        11. Segment the Network into Zones of Trust
        12. Blocking and Filtering Access to Services
        13. Mitigating the Effect of Spoofed Ports
        14. Strengthen Authentication Processes
        15. Require, Promote, and Train Users in Using Strong Passwords
        16. Use Alternatives to Passwords
        17. Apply Technology and Physical Controls to Protect Access Points
        18. Modify Defaults for Windows Authentication Systems
        19. Limit the Number of Administrators and Limit the Privileges of Administrators
        20. Applications that Require Admin Access to Files and the Registry
        21. Elevated Privileges Are Required
        22. Programmers as Administrators
        23. Requiring Administrators to Use runas
      2. Active Directory Domain Architecture
        1. Logical Security Boundaries
        2. Role-Based Administration
        3. A Role-Based Approach to Security Configuration
      3. Compliance with Standards
        1. NIST
        2. ISO 27002
        3. COBIT
      4. Summary
      5. References
    4. Chapter 23: Securing Infrastructure Services
      1. E-Mail
        1. Protocols, Their Vulnerabilities, and Countermeasures
        2. Spam and Spam Control
        3. Malware and Malware Control
      2. Web Servers
        1. Types of Attacks
        2. Web Server Protection
      3. DNS Servers
        1. Install Patches
        2. Prevent Unauthorized Zone Transfers
        3. DNS Cache Poisoning
      4. Proxy Servers
        1. HTTP Proxy
        2. FTP Proxy
        3. Direct Mapping
        4. POP3 Proxy
        5. HTTP Connect
        6. Reverse Proxy
      5. Summary
      6. References
    5. Chapter 24: Virtual Machines and Cloud Computing
      1. Virtual Machines
        1. Protecting the Hypervisor
        2. Protecting the Guest OS
        3. Protecting Virtual Storage
        4. Protecting Virtual Networks
        5. NIST Special Publication 800-125
      2. Cloud Computing
        1. Types of Cloud Services
        2. Cloud Computing Security Benefits
        3. Security Considerations
        4. Cloud Computing Risks and Remediations
      3. Summary
      4. References
    6. Chapter 25: Securing Mobile Devices
      1. Mobile Device Risks
        1. Device Risks
        2. Application Risks
      2. Mobile Device Security
        1. Built-in Security Features
        2. Mobile Device Management (MDM)
        3. Data Loss Prevention (DLP)
      3. Summary
      4. References
  14. Part V: Application Security
    1. Chapter 26: Secure Application Design
      1. Secure Development Lifecycle
      2. Application Security Practices
        1. Security Training
        2. Secure Development Infrastructure
        3. Security Requirements
        4. Secure Design
        5. Threat Modeling
        6. Secure Coding
        7. Security Code Review
        8. Security Testing
        9. Security Documentation
        10. Secure Release Management
        11. Dependency Patch Monitoring
        12. Product Security Incident Response
        13. Decisions to Proceed
      3. Web Application Security
        1. SQL Injection
        2. Forms and Scripts
        3. Cookies and Session Management
        4. General Attacks
        5. Web Application Security Conclusions
      4. Client Application Security
        1. Running Privileges
        2. Application Administration
        3. Integration with OS Security
        4. Application Updates
      5. Remote Administration Security
        1. Reasons for Remote Administration
        2. Remote Administration Using a Web Interface
        3. Authenticating Web-Based Remote Administration
        4. Custom Remote Administration
      6. Summary
      7. References
    2. Chapter 27: Writing Secure Software
      1. Security Vulnerabilities: Causes and Prevention
        1. Buffer Overflows
        2. Integer Overflows
        3. Cross-Site Scripting
        4. SQL Injection
      2. Whitelisting vs. Blacklisting
      3. Summary
      4. References
    3. Chapter 28: J2EE Security
      1. Java and J2EE Overview
        1. The Java Language
        2. Attacks on the JVM
      2. The J2EE Architecture
        1. Servlets
        2. JavaServer Pages (JSP)
        3. Enterprise JavaBeans (EJB)
        4. Containers
      3. Authentication and Authorization
        1. J2EE Authentication
        2. J2EE Authorization
      4. Protocols
        1. HTTP
        2. HTTPS
        3. Web Services Protocols
        4. IIOP
        5. JRMP
        6. Proprietary Communication Protocols
        7. JMS
        8. JDBC
      5. Summary
      6. References
    4. Chapter 29: Windows .NET Security
      1. Core Security Features of .NET
        1. Managed Code
        2. Role-Based Security
        3. Code Access Security
        4. AppDomains and Isolated Storage
      2. Application-Level Security in .NET
        1. Using Cryptography
        2. .NET Remoting Security
        3. Securing Web Services and Web Applications
      3. Summary
      4. References
    5. Chapter 30: Controlling Application Behavior
      1. Controlling Applications on the Network
        1. Access Control Challenges
        2. Application Visibility
        3. Controlling Application Communications
      2. Restricting Applications Running on Computers
        1. Application Whitelisting Software
        2. Application Security Settings
      3. Summary
      4. References
  15. Part VI: Security Operations
    1. Chapter 31: Security Operations Management
      1. Communication and Reporting
      2. Change Management
      3. Acceptable Use Enforcement
        1. Examples of Acceptable Use Enforcement
        2. Proactive Enforcement
      4. Administrative Security
        1. Preventing Administrative Abuse of Power
      5. Management Practices
      6. Accountability Controls
        1. Security Monitoring and Auditing
      7. Keeping Up with Current Events
      8. Incident Response
      9. Summary
      10. References
    2. Chapter 32: Disaster Recovery, Business Continuity, Backups, and High Availability
      1. Disaster Recovery
      2. Business Continuity Planning
        1. The Four Components of Business Continuity Planning
        2. Third-Party Vendor Issues
        3. Awareness and Training Programs
      3. Backups
        1. Traditional Backup Methods
        2. Backup Alternatives and Newer Methodologies
        3. Backup Policy
      4. High Availability
        1. Automated Redundancy Methods
        2. Operational Redundancy Methods
      5. Compliance with Standards
        1. ISO 27002
        2. COBIT
      6. Summary
      7. References
    3. Chapter 33: Incident Response and Forensic Analysis
      1. Incident Response
        1. Incident Detection
        2. Response and Containment
        3. Recovery and Resumption
        4. Review and Improvement
      2. Forensics
        1. Legal Requirements
        2. Evidence Acquisition
        3. Evidence Analysis
      3. Compliance with Laws During Incident Response
        1. Law Enforcement Referrals—Yes or No?
        2. Preservation of Evidence
        3. Confidentiality and Privilege Issues
      4. Summary
      5. References
  16. Part VII: Physical Security
    1. Chapter 34: Physical Security
      1. Classification of Assets
      2. Physical Vulnerability Assessment
        1. Buildings
        2. Computing Devices and Peripherals
        3. Documents
        4. Records and Equipment
      3. Choosing Site Location for Security
        1. Accessibility
        2. Lighting
        3. Proximity to Other Buildings
        4. Proximity to Law Enforcement and Emergency Response
        5. RF and Wireless Transmission Interception
        6. Utilities Reliability
        7. Construction and Excavation
      4. Securing Assets: Locks and Entry Controls
        1. Locks
        2. Entry Controls
      5. Physical Intrusion Detection
        1. Closed-Circuit Television
        2. Alarms
      6. Compliance with Standards
        1. ISO 27002
        2. COBIT
      7. Summary
      8. References
  17. Glossary
  18. Index