Securing the Information Infrastructure

Book Description

"As computer networks spread throughout the globe and as technology advances, we are increasingly dependent upon these networks to initiate and complete our daily tasks. However, in this steadily evolving environment, the privacy, security, reliability, and integrity of online content is tested continuously.

Securing the Information Infrastructure provides a framework for building trust in computer technology by exploring an array of safeguards that can be used to uphold the integrity and reliability of computing systems. This book challenges readers to examine rapid advances in information technology to recognize its misuse in society, covering such pressing topics as computer ethics, computer network security, and computer forensics."

Table of Contents

  1. Copyright
  2. Preface
  3. Acknowledgment
  4. I. Security Through Moral and Ethical Education
    1. I. Building Trust in the Information Infrastructure
      1. Introduction
      2. Problems with Building Trust
      3. Steps to Building Trust
      4. Conclusion
      5. References
    2. II. Need for Morality and Ethics
      1. Introduction
      2. Morality
      3. Ethics
        1. Ethical Theories
          1. Sophism
          2. Socratic Method
          3. Platonism
          4. Cynicism
        2. Other Variants of the Major Greek Philosophical Theories
          1. Consequentialism
          2. Deontology
          3. Human Nature
          4. Relativism
          5. Hedonism
          6. Emotivism
        3. Ethical Reasoning
      4. Codes of Professional Responsibility
        1. Objectives of Codes
      5. The Relevancy of Ethics in Modern Life
      6. Conclusion
      7. References
    3. III. Building an Ethical Framework for Decision Making
      1. Introduction
      2. Principle of Duty of Care
      3. Work and Decision Making
      4. Pillars of a Working Life
        1. Commitment
        2. Integrity
        3. Responsibility
        4. Accountability
      5. Need for an Ethical Education
        1. Formal Education
        2. Informal Education
        3. Licensure
        4. Codes of Conduct
          1. Professional Codes of Conduct
          2. Enforcement
          3. Reporting of Grievances
          4. Hearing Procedures
          5. Sanctions
          6. Appeals
      6. Decision Making and the Ethical Framework
        1. Dilemmas in Decision Making
          1. Magnitude of Consequences
          2. Social Consensus
          3. Probability of Effect
          4. Temporal Immediacy
          5. Proximity
          6. Concentration
        2. Guilt and Making Ethical Decisions
      7. Conclusion
      8. References
    4. IV. Security, Anonymity, and Privacy
      1. Introduction
      2. Security
        1. Physical Security
        2. Information Security
          1. The CIA Security Model
            1. Confidentiality
            2. Integrity
            3. Encryption
            4. Authentication
            5. Nonrepudiation
            6. Availability
      3. The Importance of Information Security
        1. Financial Security
        2. Computer Security
        3. Network Security
      4. Government and International Security Standards
      5. Information Security Evaluation Criteria
        1. The Orange Book
        2. U.S. Federal Criteria
        3. Information Technology Security Evaluation Criteria (ITSEC)
        4. The Trusted Network Interpretation (TNI): The Red Book
        5. Common Criteria (CC)
      6. Privacy
        1. Personal Privacy
        2. Personal Identity
        3. Autonomy
        4. Social Relationships
      7. Privacy and Security in Cyberspace
        1. Technical Issues
        2. Contractual Issues
        3. Regulatory Issues
      8. Conclusion
      9. References
  5. II. Security Through Innovative Hardware and Software Design
    1. V. Software Standards, Reliability, Safety, and Risk
      1. Introduction
      2. The Role of Software in the Security of Computing Systems
        1. Additional Steps to Enhance Software Safety
      3. Software Standards
        1. Types of Software Standards
        2. Open Source Standards
        3. Assessing the Adequacy of Software Standards
          1. Development Testing
          2. Software Verification and Validation (V&V)
          3. Formal Validation
          4. Offerors Certification
          5. Performance and Capability Validation
      4. Reliability
        1. Error Detection and Prevention
          1. Software Error Detection Techniques
        2. Software Error Prevention Techniques
      5. Software Security
        1. Safety
        2. Software Quality
          1. Object-Oriented Programming
          2. Outsourcing
      6. Causes of Software Failures
        1. Human Factors
        2. Nature of Software: Complexity
        3. Environment
          1. Software Assessment
          2. Planning
          3. Implementation
          4. Monitoring
      7. Conclusion
      8. References
    2. VI. Network Basics and Securing the Network Infrastructure
      1. Introduction
      2. Computer Network Basics
        1. Computer Network Types
          1. Local Area Network (LAN)
            1. Purpose of a LAN
          2. Wide Area Networks (WANs)
          3. Metropolitan Area Networks (MANs)
        2. Network Topology
          1. Bus
          2. Star
          3. Ring
          4. Mesh
          5. Tree
      3. Network Protocols and Layering
        1. Network Communication Stack Layers
          1. Application Layer
          2. Transport Layer
          3. Presentation Layer
          4. Session Layer
          5. Network Layer
          6. Data Link Layer
          7. Physical Layer
        2. Network Communication Protocols
          1. Open System Interconnection (OSI) Protocol Suite
          2. Transport Control Protocol/Internet Protocol (TCP/IP) Model
      4. Network Services
        1. Connection Services
          1. Connected-Oriented Services
          2. Connectionless Service
        2. Network Switching Services
          1. Circuit Switching
          2. Packet Switching
      5. Network Connecting Devices
        1. LAN Connecting Devices
          1. Hubs
          2. Repeaters
          3. Bridges
          4. Switches
            1. Internetworking Devices
          5. Routers
          6. Gateways
      6. Securing the Network Infrastructure: Best Practices
        1. The Security Policy
          1. Firewalls
        2. Access Control
        3. Use of Strong Encryption Algorithms
        4. Use of Strong and Innovative Authentication Techniques
        5. Intrusion Detection and Prevention
        6. Auditing
      7. Conclusion
      8. References
    3. VII. Security Threats and Vulnerabilities
      1. Introduction
      2. Types of Threats and Vulnerabilities
        1. Types of Security Threats
        2. Types of Vulnerabilities
      3. Sources of Information Security Threats
        1. Design Philosophy
        2. Vulnerabilities in Network Infrastructure and Communication Protocols
        3. Rapid Growth of Cyberspace
        4. The Growth of the Hacker Community
        5. Vulnerability in Software Systems
        6. Dealing with Software Vulnerabilities
        7. The Invisible Security Threat: The Insider Effect
        8. Social Engineering
        9. Physical Theft
        10. Viruses
          1. What to do About It
        11. Cookie Monster
          1. What to do About It
        12. Spyware
          1. What to do About It
        13. Spam
          1. What to do About It
      4. Best Practices of Online Security
      5. Conclusion
      6. References
      7. Appendix: Additional Reading
    4. VIII. Security Policies and Risk Analysis
      1. Introduction
      2. Information Security Policy
      3. Aspects of Security Policies
        1. The Principle of Separation of Duties: Two Sets of Eyes
        2. Principle of Least Privilege
        3. The Need to Know Principle
      4. Building a Security Policy
        1. Investigation and Information Gathering
        2. Risk Analysis
          1. Quantitative Risk Analysis
          2. Qualitative Risk Analysis
        3. Benefits of Risk Analysis
        4. Set a Blueprint of the Security Policy
        5. Implementation of a Security Policy
        6. Security Policy Access Rights Matrix
          1. Logical Access Restriction to the System Resources
          2. Physical Security of Resources and Site Environment
          3. Cryptographic Restrictions
        7. Policy and Procedures
          1. Common Attacks and Possible Deterrents
            1. Staff
            2. Equipment Certification
            3. Audit Trails and Legal Evidence
            4. Privacy Concerns
            5. Security Awareness Training
            6. Incident Handling
      5. Types of Security Policies
        1. Military Security Policy
        2. Commercial Security Policy
        3. Other Security Policy Models
      6. Conclusion
      7. References
    5. IX. Security Analysis, Assessment, and Assurance
      1. Introduction
      2. Threat Identification
        1. Human Factors
          1. Humanware Failures
        2. Misconfiguration of the System
        3. Natural Disasters
        4. Infrastructure Failures
          1. Hardware Failures
          2. Software Failures
        5. Policies, Procedures, and Practices
        6. Quality
        7. Conformity
        8. Comprehensiveness
      3. Security by Analysis
        1. Approaches to Security Threat Analysis
          1. Schneier's Attack Tree Method
          2. Defense in Depth
          3. Other Methods
      4. Security Assessment and Assurance
        1. System Security Policy
        2. Security Requirement Specifications
        3. Vulnerability Assessment
        4. Security Certification
          1. Phases of a Certification Process
          2. Benefits of Security Certification
        5. Security Monitoring and Auditing
          1. Monitoring Tools
          2. Type of Data Gathered
          3. Analyzed Information
          4. Auditing
      5. Conclusion
      6. References
    6. X. Access Control, Authentication, and Authorization
      1. Introduction
      2. Definitions
      3. Access Control
        1. Access Rights
        2. Access Control Mechanisms
          1. Access Control Matrix
          2. Access Control List (ACL)
          3. Access Control Capability (ACC)
          4. Role-Based Access Control (RBAC)
          5. Rule-Based Access Control
          6. Restricted Interfaces
          7. Content-Dependent Access Control
          8. Other Access Control Mechanisms
      4. Authentication
        1. Authentication Forms
          1. Authentication by Passwords
        2. One-Time Use Passwords
        3. Reusable Passwords
          1. Challenge-Response
          2. Biometrics: The Body is the Password
          3. Combined Approach Authentication
          4. Other Forms of Authentication
        4. Remote Authentication
        5. Secure Remote Procedure Call (RPC) Authentication
        6. Dial-Up Authentication
        7. Anonymous Authentication
        8. Digital Signatures-Based Authentication
        9. Authentication by Address
          1. Kerberos
            1. Kerberos Ticket-Granting Service
      5. Authorization
        1. Authorization Types
          1. Authorization in a Distributed Environment
            1. Server-Side Authorization
            2. Client-Side Authorization
          2. Centralized
        2. Authorization Principles
      6. Conclusion
      7. References
    7. XI. Perimeter Defense: The Firewall
      1. Introduction
      2. Types of Firewalls
        1. Packet Filtering
          1. Types of Packet Filtering Firewalls
          2. IP Address Filtering
          3. TCP and UDP Port Filtering
          4. Packet Filtering Based on Initial Sequence Numbers (ISN) and Acknowledgment (ACK) Bits
          5. Filtering Based on ICMP Messages
          6. Filtering Based on Flags (Fragmentation)
        2. Proxy Firewall
          1. Operations and Goals of Proxy Servers
          2. Types of Proxy Firewalls
            1. Application Proxy
            2. SOCKS Proxy
          3. Advantages of Proxy Firewalls
          4. Disadvantages of Proxy Firewalls
        3. Small Office or Home (SOHO) Firewalls
      3. Other Firewalls
        1. Network Address Translation (NAT) Firewalls
        2. Dual-Homed Firewall
        3. Screened Host Firewalls
      4. Virtual Private Network
      5. Firewall Issues Before Installation
      6. Configuration and Implementation of a Firewall
        1. The Demilitarized Zone (DMZ)
      7. Advantages of Firewalls
      8. Disadvantages of Firewalls
      9. Securing a Network by a Firewall
      10. Conclusion
      11. References
    8. XII. Intrusion Detection and Prevention Systems
      1. Introduction
      2. Definitions
        1. Intrusion Detection (ID) Alarms
          1. False Alarms
          2. True Alarms
      3. Background of Intrusion Detection
      4. Basic Modules of an Intrusion Detection System
        1. Logger
          1. Log Analyzer
          2. Report Generator
          3. Management Console
      5. Intrusion Detection Models
        1. Anomaly Detection
        2. Misuse/Signature-Based Detection
        3. Specification-based Detection
      6. Responses to Intrusion Detection Reports
        1. Analyze the Reports
        2. Act on the Reports
      7. Types of Intrusion Detection Systems
        1. Network-Based Intrusion Detection Systems (NIDSs)
          1. Placement of NIDS Sensors
          2. Advantages of Network-Based Intrusion Detection Systems
          3. Disadvantages of Network-Based Intrusion Detection Systems
        2. Host-Based Intrusion Detection Systems
          1. Advantages of Host-Based Intrusion Detection Systems
          2. Disadvantages of Host-Based Intrusion Detection Systems
      8. Challenges for Intrusion Detection
      9. Intrusion Prevention Systems (IPSs)
        1. IPS Advantages over IDS
        2. Network-Based Intrusion Prevention Systems (NIPSs)
        3. Host-Based Intrusion Prevention Systems (HIPSs)
      10. Conclusion
      11. References
    9. XIII. Security in Wireless Systems
      1. Introduction
      2. Types of Wireless Technologies
      3. The Wireless Communication Infrastructure
      4. Wireless Local Area Network (WLAN): Wireless Fidelity (Wi-Fi)
        1. Setting Up a Wi-Fi
        2. Beyond Wi-Fi: Mobile IP and Wireless Application Protocol (WAP)
          1. Mobile IP
          2. Wireless Application Protocol (WAP)
      5. Security Issues in Wireless Systems
        1. WLANs Security Threats
        2. WLANs Security Concerns and Vulnerabilities
          1. Weaknesses with Service Set Identifier (SSID)
          2. Weaknesses in Associating
          3. Problems with WEP Keys
          4. Identity in WLANs
          5. Lack of Access Control Mechanism
          6. Lack of Strong Authentication Mechanism in IEEE 802.11
          7. Lack of a WEP Key Management Protocol
        3. Security Exploits to WLANs
      6. Best Practices for Wi-Fi Security
      7. Conclusion
      8. References
    10. XIV. Biometrics for Access Control
      1. Introduction
      2. History of Biometrics
      3. Biometric Authentication System
      4. Biometric Identifiers
        1. Fingerprint
        2. Palm Print
        3. Face
        4. Iris
        5. Retina
        6. Handwriting/Signature
        7. Voice
        8. DNA
      5. Advantages of Biometrics
      6. Disadvantages of Biometrics
      7. Why Biometrics are Not Truly Accepted
      8. The Future of Biometrics
      9. Conclusion
      10. References
  6. III. Security through the Legal System
    1. XV. Digital Evidence and Computer Crime
      1. Introduction
      2. Definitions
      3. Nature of Digital Evidence
      4. Importance of Digital Evidence
      5. Reliability of Digital Evidence
      6. The Need for Standardization
      7. Proposed Standards for the Exchange of Digital Evidence
        1. Standards
          1. Principle 1
          2. Standards and Criteria 1.1
          3. Standards and Criteria 1.2
          4. Standards and Criteria 1.3
          5. Standards and Criteria 1.4
          6. Standards and Criteria 1.5
          7. Standards and Criteria 1.6
          8. Standards and Criteria 1.7
      8. The Process of Digital Evidence Acquisition
        1. The Material
        2. Validity
      9. Investigative Procedures
        1. Looking for Evidence
        2. Handling Evidence
        3. Evidence Recovery
        4. Preserving Evidence
        5. Transporting Evidence
      10. Conclusion
      11. References
    2. XVI. Digital Crime Investigation and Forensics
      1. Definition
      2. Computer Forensics
      3. History of Computer Forensics
      4. Network Forensics
      5. Forensics Analysis
      6. Forensic Tools
        1. Software-Based Forensic Tools
        2. Hardware-Based Forensic Tools
        3. Software-Based Forensic Tools
          1. EnCase
            1. Acquiring Evidence
            2. Hashing
            3. Analysis
            4. Reporting
          2. Forensic Toolkit (FTK)
            1. Image Acquisition
            2. Hashing
            3. Analysis
            4. Reporting
          3. Comparing FTK and EnCase
          4. Other Forensics Tools
          5. Report Writing
      7. Conclusion
      8. References
  7. IV. What Next?
    1. XVII. Trends in Information Assurance
      1. Introduction
      2. Global Information Assurance Initiatives and Trends
        1. BS 7799–With Several Parts
        2. Control Objectives for Information and Related Technology (COBIT)
        3. Guidance On Control (Known Colloquially as CoCo)
        4. Control-Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
        5. Federal Information Systems Controls Audit Manual (FISCAM)
        6. Information Technology Control Guidelines (ITCG)
        7. SysTrust
        8. Generally Accepted Principles and Practices (GAPP) of the U. S. National Institute of Standards and Technology (NIST)
        9. Generally Accepted System Security Principles (GASSP)
        10. System Self-Assessment Guide for Information Technology Systems (SSAG)
        11. Systems Security Engineering Capability Maturity Mode (SSE-CM)
      3. National and International Information Security Initiatives
        1. Governmental Legislative Information Assurance Initiatives
        2. Non-Governmental Initiatives
        3. Educational Information Security Initiatives
      4. Certification Programs
      5. Conclusion
      6. References
      7. Appendix: Additional Reading
  8. A. Glossary of Terms
    1. A
    2. B
    3. C
    4. D
    5. E
    6. G
    7. H
    8. I
    9. L
    10. M
    11. N
    12. P
    13. R
    14. S
    15. T
    16. U
    17. V
  9. B. About the Authors