
Corporate Computer and Network Security

by
  • ISBN13: 9780130384713
  • ISBN10: 0130384712
  • Edition: 2nd
  • Format: Hardcover
  • Copyright: 2010-01-01
  • Publisher: Pearson College Div
List Price: $185.33

Summary

For Internet and Network Security courses. This up-to-date examination of computer and corporate security in the business setting fills the critical need for security education. Its comprehensive, balanced, and well-organized presentation emphasizes implementing security within corporations using existing commercial software and provides coverage of all major security issues.

Table of Contents

Preface xvii
About the Author xxii

A Framework 1(44)
  Corporations at Risk 2(9)
    CSI/FBI Computer Crime and Security Surveys 2(5)
    Other Empirical Attack Data 7(2)
    Tomorrow Will Be Worse 9(2)
  Attackers 11(9)
    Elite Hackers 11(4)
    Virus Writers and Releasers 15(1)
    Script Kiddies 15(1)
    With Criminal Intent 16(2)
    Corporate Employees 18(1)
    Cyberterrorism and Cyberwar 19(1)
  Attacks 20(6)
    Access Control 21(1)
    Site Access Attacks and Defenses 22(1)
    Social Engineering Attacks and Defenses 23(1)
    Dialog Attacks and Defenses 24(2)
  Penetration Attacks and Defenses 26(5)
    Penetration Attack Dangers 27(2)
    Penetration Defenses 29(2)
  Security Management 31(3)
    Primarily a Management Issue, Not a Technology Issue 31(1)
    Top-To-Bottom Commitment 31(1)
    Comprehensive Security 32(1)
    General Security Goals 33(1)
  The Plan-Protect-Respond (PPR) Cycle 34(6)
    Planning 34(4)
    Protecting 38(1)
    Responding 39(1)
  The Book 40(1)
    Access Control and Site Security 40(1)
    Review of TCP/IP Internetworking 40(1)
    Penetration Attacks and Firewalls 40(1)
    Host Security 40(1)
    Elements of Cryptography 40(1)
    Cryptographic Systems 41(1)
    Application Security 41(1)
    Incident and Disaster Response 41(1)
    Managing the Security Function 41(1)
    The Broader Perspective 41(1)
  Conclusion 41(4)
    Risk Management, Not Risk Elimination 41(1)
    Security is Primarily a Management Issue, Not a Technology Issue 42(1)
    Testing 43(2)

Examples of Security Problems 45(10)
  Introduction 45(1)
  Examples 45(7)
    Sabotage by a Disgruntled Employee 45(1)
      Herbert Pierre-Louis
    Cyberframing a Female Employee who Spurned Him 46(1)
      Washington Leung
    Two Programmers: A Denial-of-Service Attack by IT Employees 46(1)
    Two Accountants: Financial Theft Through Procedure Exploitation 46(1)
    Cisco Systems Employee: Theft of Trade Secrets by Employee for Personal Benefit 47(1)
    Paralegal Employee: Theft of Trade Secrets to Sell Them 47(1)
    Computer Sabotage and Damage of Reputation 47(1)
      Patrick McKenna
    Website Hacking and Defacement 47(1)
      Eric Burns
    Hacking to Make Money from Stolen Computer Resources 47(1)
      Raymond Torricelli
    Credit Card Theft by Hacker 48(1)
      Vasiliy Gorshkov
    Three NEC Toshiba Space Systems Workers: Industrial Espionage on Third-Party Computer 48(1)
    Two Kazakhstan Employees of a Business Partner Use Extortion to Reveal a Vulnerability 48(1)
    Financial Brokerage Firm: Extortion to Avoid a Denial-of-Service Attack 49(1)
    Theft of Credit Card Numbers by an Employee 49(1)
      Patrice Williams
      Makeebrah Turner
    Computer Sabotage by Terminated Systems Administrator 49(1)
      Tim Lloyd
    Sabotage by an IT Contractor Employee 49(1)
      Claude Carpenter
    Website Defacement and the Posting of Identity Theft Information 50(1)
      Pakistani Hacktivist
    Distributed Denial-of-Service Attacks Against E-Commerce Sites 50(1)
      Mafiaboy
    Many Hacking Infractions 50(1)
      Kevin Mitnick
    Hacking While out on Bail 51(1)
      Jason Diekman
    Extortion to Explain a Hack 51(1)
      Matthew Kroker
    Demonstrating Break-Ins Results in Prosecution 51(1)
      Stefan Puffer
    Princeton Director of Admissions Hacks Yale 52(1)
  The September 11 Disaster 52(3)
    Managerial Deficiencies 52(1)
    Operational Deficiencies 53(1)
    Government Breakdowns 53(2)

Access Control and Site Security 55(38)
  Introduction 56(2)
    Access Control 56(2)
    Site Security 58(1)
  Reusable Passwords 58(12)
    Hands-On Software Cracking 58(2)
    Hacking Root 60(1)
    Physical Access Password Cracking 61(2)
    Password Policies 63(2)
    Encrypted Password Files 65(1)
    UNIX Passwords 66(1)
    Windows Server Passwords 67(1)
    Shoulder Surfing 68(1)
    Keystroke Capture Software 68(1)
    Windows Client PC Passwords 69(1)
  Building Security 70(4)
    Building Security Basics 71(1)
    Data Wiring Security 72(2)
  Access Cards 74(2)
    Magnetic Stripe Cards 74(1)
    Smart Cards 75(1)
    Tokens 75(1)
    Card Cancellation 75(1)
    PINs: Two-Factor Authentication 75(1)
  Biometric Authentication 76(7)
    Biometric Identification 76(1)
    Biometric Systems 76(1)
    Verification and Authentication 76(2)
    Precision 78(1)
    User Acceptance 79(1)
    Biometric Methods 79(2)
    Biometric Standards 81(1)
    Can Biometrics Be Duped? 81(2)
  802.11 Wireless LAN (WLAN) Security 83(7)
    802.11 83(1)
    Basic Operation 83(3)
    Multiple 802.11 Standards 86(1)
    Apparent 802.11 Security 86(1)
    Wired Equivalent Privacy (WEP) 87(1)
    802.1x and 802.11i 88(2)
  Conclusion 90(3)

Review of TCP/IP Internetworking 93(42)
  Introduction: A Review 94(1)
    Single Networks Versus Internets 94(1)
  TCP/IP Standards 94(11)
    Origins 94(3)
    The Hybrid TCP/IP-OSI Architecture 97(1)
    Single-Network Standards 97(1)
    Internet Layer Links (Routes) 98(1)
    Frames and Packets 98(4)
    Internet and Transport Layers 102(1)
    The Application Layer 103(2)
  Layer Cooperation 105(4)
    On the Source Host 105(1)
    On the Destination Host 106(1)
    On Routers 106(1)
    TCP/IP and Border Security 107(2)
  The Internet Protocol (IP) 109(12)
    Basic Characteristics 109(1)
    Connection-Oriented Service and Connectionless Service 109(1)
    IP Is Unreliable 109(2)
    Hierarchical IP Addresses 111(4)
    IP Addressing and Security 115(2)
    Other IP Header Fields 117(4)
  Transmission Control Protocol (TCP) 121(7)
    Reliable Service 121(1)
    Connections 121(2)
    Sequence and Acknowledgement Numbers 123(2)
    Port Numbers 125(3)
  User Datagram Protocol (UDP) 128(1)
    UDP Datagrams 128(1)
    UDP Port Spoofing 128(1)
    UDP Datagram Insertion 128(1)
  Internet Control Message Protocol (ICMP) for Supervisory Information 129(4)
    ICMP and IP 129(1)
    ICMP Message Types 129(2)
    ICMP Network Analysis Messages 131(1)
    ICMP Error Advisement Messages 132(1)
    ICMP Control Messages 132(1)
    Other ICMP Messages 133(1)
  Conclusion 133(2)

Attack Methods 135(38)
  Introduction 136(1)
  Targeted Hacking Attacks (System Penetration/Break-Ins) 136(19)
    Unobtrusive Information Collection 136(7)
    IP Address Spoofing and Attack Chaining 143(1)
    Scanning Attacks 143(8)
    The Break-In 151(2)
    After the Compromise 153(2)
  Denial-of-Service Attacks 155(6)
    Vandalism 155(1)
    Single-Message DoS Attacks 156(1)
    Flooding Denial-of-Service (DoS) Attacks 156(1)
    Smurf Flooding Attacks 157(1)
    Distributed DoS Attacks 158(1)
    The Difficulty of Stopping DoS Attacks 159(2)
  Malware Attacks 161(9)
    Types of Malware 161(4)
    Viruses 165(1)
    Antivirus Protection 166(3)
    Case Study: The Nimda Worm 169(1)
  Conclusion 170(3)

Firewalls 173(42)
  Introduction 174(3)
    Firewalls 174(1)
    Types of Protection 174(3)
    Integrated Firewalls 177(1)
  Firewall Hardware and Software 177(5)
    Types of Firewalls 177(4)
    Firewall Processing Requirements 181(1)
  Static Packet Filter Firewalls 182(7)
    Basic Characteristics 183(1)
    Access Control Lists (ACLs) for Ingress Filtering 183(4)
    Egress Filtering 187(2)
  Stateful Firewalls 189(5)
    Limits of Static Packet Filtering 189(1)
    Stateful Firewall Operation: TCP Connections 190(1)
    Stateful Firewalls and Connectionless Protocols 191(1)
    Stateful Firewalls and Port-Switching Applications 192(1)
    Stateful Inspection ACLs 193(1)
    ACLs in Integrated Firewalls 193(1)
  Network Address Translation 194(2)
    Sniffers 194(1)
    NAT Operation 194(1)
    Perspective on NAT 195(1)
    Address Multiplication 195(1)
  Application Firewalls 196(5)
    Application Firewall Operation 196(1)
    Client/Server Relaying 197(1)
    Core Protections 198(1)
    HTTP Filtering 199(1)
    FTP Filtering 200(1)
    Multiple Proxies 200(1)
    Circuit Firewalls 200(1)
  Firewall Architectures 201(7)
    Screening Static Packet Filtering with a Router 202(1)
    Main Firewall 203(1)
    Demilitarized Zones 203(1)
    Hosts in the DMZ 204(1)
    Internal Firewalls 204(1)
    Host Firewalls 205(1)
    Defense in Depth 205(1)
    Other Firewall Architectures 205(2)
    Related Architectural Issues 207(1)
  Configuring, Testing, and Maintaining Firewalls 208(2)
    Firewall Misconfiguration Is a Serious Problem 208(1)
    Policies 209(1)
    Testing with Security Audits 209(1)
    Updating Firewalls 210(1)
  Check Point and Cisco Systems Firewalls 210(3)
    Check Point's Firewall-1 210(1)
    Cisco's PIX and Router Capabilities 211(2)
  Conclusion 213(2)

Host Security 215(40)
  Introduction 216(8)
    Host Hardening 216(2)
    Windows Computers 218(3)
    UNIX (Including LINUX) 221(2)
    Cisco's Internetwork Operating System (IOS) 223(1)
    Other Host Operating Systems 223(1)
  Installation and Patching 224(4)
    Installation 224(1)
    Known Vulnerabilities and Exploits 224(1)
    Fixes: Patches and Work-Arounds 224(2)
    The Mechanics of Patch Installation 226(1)
    Failures to Patch 226(2)
  Turning Off Unnecessary Services 228(5)
    Unnecessary Services 228(1)
    Turning Off Services in Windows 228(1)
    Turning Off Services in UNIX 228(5)
  Managing Users and Groups 233(5)
    Creating and Managing Users and Groups in Windows 233(5)
    Managing Users and Groups in UNIX 238(1)
  Managing Permissions 238(5)
    The Principle of Least Permissions 238(1)
    Assigning Permissions in Windows 238(3)
    Assigning Permissions in UNIX 241(1)
    The UNIX ls -l Command 241(2)
  Advanced Server Hardening Techniques 243(6)
    Logging 243(2)
    Backup 245(1)
    File Encryption 246(1)
    File Integrity Checkers 247(2)
    Server Host Firewalls 249(1)
  Testing for Vulnerabilities 249(2)
    UNIX 249(1)
    The Microsoft Baseline Security Analyzer (MBSA) 250(1)
  Hardening Clients 251(2)
    The Importance of Clients 251(1)
    Enforcing Good Practice 251(2)
    Central Control 253(1)
    Palladium 253(1)
  Conclusion 254(1)

The Elements of Cryptography 255(34)
  Cryptographic Elements and Systems 256(1)
    Cryptographic Systems 256(1)
    Cryptographic Elements 256(1)
  Encryption for Confidentiality 256(3)
    Plaintext, Encryption, Decryption, and Ciphertext 257(1)
    Keys 257(1)
    Exhaustive Search 258(1)
    Cryptography for Authentication 258(1)
  Encryption for Confidentiality with Symmetric Key Encryption 259(7)
    Symmetric Key Encryption: A Single Key 259(1)
    Symmetric Key Encryption Methods 260(1)
    Data Encryption Standard (DES) 260(1)
    DES-CBC (Cipher Block Chaining) 261(1)
    Weak and Strong Symmetric Keys 261(1)
    Triple DES (3DES) 262(2)
    Advanced Encryption Standard (AES) 264(1)
    Other Encryption Methods 264(1)
    Efficiency of Symmetric Key Encryption for Long Messages 265(1)
  Encryption for Confidentiality with Public Key Encryption 266(2)
    The Basic Process 266(1)
    Disadvantage and Advantage 267(1)
    Major Public Key Encryption Methods and Key Lengths 267(1)
  Encryption for Authentication 268(5)
    Applicant and Verifier 269(1)
    Initial Authentication with MS-CHAP Challenge-Response Authentication 270(1)
    Message-by-Message Authentication with Digital Signatures 271(2)
  Digital Certificates 273(6)
    Certificate Authorities and Digital Certificates 274(1)
    X.509 Digital Certificates 275(2)
    The Role of the Digital Certificate 277(1)
    Checking the Certificate Revocation List (CRL) 278(1)
    Public Key Infrastructures (PKIs) 278(1)
  Symmetric Key Exchange 279(3)
    Long-Term Keys Versus Session Keys 279(1)
    Symmetric Key Exchange Using Public Key Encryption 280(1)
    Symmetric Key Exchange Using Diffie-Hellman Key Agreement 281(1)
  Replay Attacks and Defenses 282(2)
    Replay Attacks 282(1)
    Replay Attacks: Playing Back Encrypted Messages 282(1)
    Thwarting Replay Attacks 283(1)
  Advanced Topics: Quantum Computing and Steganography 284(3)
    Quantum Computing 284(2)
    Steganography 286(1)
  Conclusion 287(2)
    Major Topics 287(1)
    Cryptographic Systems 287(1)
    Common Points of Confusion 287(2)

Cryptographic Systems: SSL/TLS, VPNs, and Kerberos 289(34)
  Introduction 290(4)
    Cryptographic Elements Versus Cryptographic Systems 290(1)
    Cryptographic System Stages 291(1)
    Major Cryptographic Systems 292(1)
    Virtual Private Networks (VPNs) 293(1)
  SSL/TLS 294(3)
    Origins 294(1)
    Protection 294(1)
    Operation 294(2)
    Perspective 296(1)
  PPP 297(5)
    Remote Access 297(1)
    Point-to-Point Protocol Security: The Negotiation Phase 298(1)
    PPP Authentication 298(3)
    PPP Confidentiality 301(1)
  PPTP and L2TP 302(5)
    PPP Tunneling 302(1)
    Point-to-Point Tunneling Protocol (PPTP) 303(2)
    Layer 2 Tunneling Protocol (L2TP) 305(2)
    Voluntary Versus Compulsory Tunneling 307(1)
  IPsec 307(8)
    Cryptographic Systems and Internet Layer Protection 307(1)
    Transport and Tunnel Modes 307(3)
    IPsec Headers 310(1)
    Security Associations (SAs) 311(1)
    Establishing Security Associations 312(1)
    IPsec Mandatory Default Security Protocols 313(2)
    IPsec Windows Implementation 315(1)
  Kerberos 315(5)
    Authentication 316(1)
    Ticket-Granting Service 316(3)
    Perspective 319(1)
  Firewalls and Cryptographic Systems 320(1)
    NAT and Cryptographic Systems 320(1)
    Encryption Versus Inspection 320(1)
  Conclusion 321(2)

Application Security: Electronic Commerce and E-Mail 323(36)
  General Application Security Issues 324(6)
    Executing Commands with the Privileges of a Compromised Application 324(1)
    Buffer Overflow Attacks 324(3)
    Few Operating Systems, Many Applications 327(1)
    Application Security Actions 327(3)
  Webservice and E-Commerce Security 330(15)
    The Importance of Webservice and E-Commerce Security 330(3)
    Webservers Versus E-Commerce Servers 333(1)
    Some Webserver Attacks 334(2)
    Patching the Webserver and E-Commerce Software and its Components 336(1)
    Other Website Protections 337(1)
    Controlling Dynamic Webpage Development 337(2)
    User Authentication 339(1)
    Browser Attacks 340(3)
    Enhancing Browser Security 343(2)
  E-Mail 345(9)
    E-Mail Technology 345(4)
    E-Mail Content Filtering 349(1)
    E-Mail Retention 350(2)
    E-Mail Encryption 352(2)
  Security Issues in Other Applications 354(3)
    Database 354(2)
    Instant Messaging (IM) 356(1)
  Conclusion 357(2)

Incident and Disaster Response 359(40)
  Introduction 360(2)
    Incidents Happen 360(1)
    Incident Severity 360(1)
    Speed is of the Essence 361(1)
  Backup 362(3)
    Backup Technology 362(1)
    Managing Backup 362(3)
  Intrusion Detection Systems (IDSs) 365(17)
    Elements of an IDS 365(5)
    Distributed IDSs 370(2)
    Network IDSs 372(1)
    Host IDSs 373(2)
    Log Files 375(2)
    Analysis Methods 377(1)
    Action 378(2)
    Managing IDSs 380(2)
  The Intrusion Response Process 382(7)
    Organizational Preparation 382(2)
    Initiation and Analysis 384(1)
    Containment 385(1)
    Recovery 386(1)
    Punishment 386(2)
    Communication 388(1)
    Protecting the System in the Future 388(1)
    Postmortem Evaluation 388(1)
  Business Continuity Planning 389(2)
    Business Process Analysis 390(1)
    Communication, Testing, and Upgrading the Plan 390(1)
  Disaster Recovery 391(5)
    Types of Backup Facilities 393(1)
    Restoration of Data and Programs 394(1)
    Testing the Disaster Recovery Plan 395(1)
  Conclusion 396(3)
    Backup 396(1)
    Intrusion Detection Technology 396(1)
    Intrusion Response Processes 396(1)
    Business Continuity and Disaster Recovery Planning 396(3)

Managing the Security Function 399(34)
  Introduction 400(1)
  Organization 400(9)
    Top Management Support 400(3)
    Should You Place Security Within IT? 403(1)
    Security and Auditing 404(1)
    Managed Security Service Providers (MSSPs) 404(2)
    Security and Business Staffs 406(1)
    Security and Business Partners 407(1)
    Uniformed Personnel 407(1)
    Staffing and Training 408(1)
  Risk Analysis 409(5)
    Financially Sensible Protections 409(1)
    Enumeration of Assets 409(2)
    Asset Classification 411(1)
    Threat Assessment 412(1)
    Responding to Risk 412(1)
    Risk Analysis Calculations 413(1)
    Qualitative Risk Analysis 414(1)
  Security Architecture 414(5)
    Security Architectures 414(2)
    Principles 416(2)
    Elements of a Security Architecture 418(1)
  Control Principles 419(3)
    Policies 419(1)
    Standards 419(2)
    Baselines 421(1)
    Guidelines 421(1)
    Procedures 421(1)
    Employee Behavior Policies 421(1)
    Best Practices and Recommended Practices 422(1)
  Managing Operations 422(4)
    Principles 422(2)
    Accountability 424(1)
    Managing Development and Change for Production Servers 425(1)
  Mobilizing Users 426(3)
    User Training 426(2)
    Authentication 428(1)
  Vulnerability Testing 429(3)
    Vulnerability Testing Technology 430(1)
    Vulnerability Testing Contracts 430(1)
    Limiting False Positives with Tuning 431(1)
    Who Should Do Vulnerability Testing? 431(1)
  Conclusion 432(1)

The Broader Perspective 433(38)
  Introduction 434(1)
    Laws Governing Hacking 434(1)
    Privacy 434(1)
    Cyberwar and Cyberterror 434(1)
  Laws Governing Computer Crimes 434(3)
    U.S. National Laws 434(3)
    U.S. State Laws 437(1)
    Laws Around the World 437(1)
    The Limitation of Laws 437(1)
  Consumer Privacy 437(12)
    Introduction 437(3)
    Credit Card Fraud and Identity Theft 440(2)
    Knowing Too Much: Customer Tracking by Commercial Companies 442(7)
  Employee Workplace Monitoring 449(7)
    Monitoring Trends 449(1)
    Why Monitor? 449(4)
    The Legal Basis for Monitoring 453(1)
    Should a Firm Monitor? 454(1)
    Computer and Internet Use Policy 455(1)
    Employee Training 455(1)
  Government Surveillance 456(4)
    U.S. Tradition of Protection from Improper Searches 456(1)
    Telephone Surveillance 456(3)
    Internet Surveillance 459(1)
    Carnivore 459(1)
    The Future of Government Surveillance 459(1)
  Cyberwar and Cyberterror 460(9)
    Threats 460(2)
    Cyberwar 462(1)
    Cyberterrorism 463(2)
    Building a National and International Response Strategy 465(2)
    Hardening the Internet 467(2)
  Conclusion 469(2)

Glossary 471(30)
Index 501
