How to Cheat at Managing Information Security

by Mark Osborne

  • ISBN13: 9781597491105
  • ISBN10: 1597491101
  • Format: Paperback
  • Copyright: 2006-10-13
  • Publisher: Elsevier Science

Summary

Information security is different from many other disciplines, both within mainstream information technology and in other business areas. Even though there are now many good books on its various areas, getting the breadth of knowledge across the many subareas is still difficult, yet it is essential to success. This book is designed to cover both the basic concepts of security (non-technical principles and practices) and basic information about the technical details of many of the products (real products, not just theory). Book jacket.

Author Biography

Mark Osborne is currently the CISO at Interoute Communications Limited, owner and operator of Europe's largest next-generation network.

Table of Contents

Preface xxiii
Introduction xxv
Chapter 1 The Security Organization 1(18)
  Anecdote 2(1)
  Introduction 2(4)
  Where to Put the Security Team 2(1)
  Where Should Security Sit? Below the IT Director Report 3(2)
  Pros 4(1)
  Cons 4(1)
  Where Should Security Sit? Below the Head of Audit 5(2)
  Pros 5(1)
  Cons 6(1)
  Where Should Security Sit? Below the CEO, CTO, or CFO 6(1)
  Pros 6(1)
  Cons 6(1)
  Your Mission—If You Choose to Accept It 7(1)
  Role of the Security Function: What's in a Job? 7(5)
  Incident Management and Investigations 8(1)
  Legal and Regulatory Considerations 9(1)
  Policy, Standards, and Baselines Development 10(1)
  Business Consultancy 10(1)
  Architecture and Research 11(1)
  Assessments and Audits 11(1)
  Operational Security 12(1)
  The Hybrid Security Team: Back to Organizational Studies 12(5)
  Making Friends 14(1)
  The Board 15(1)
  Internal Audit 15(1)
  Legal 15(1)
  IT 15(6)
  Help Desk 16(1)
  System Development 16(1)
  Tech Support 16(1)
  What Makes a Good CISO? 17(1)
  Summary 18(1)
Chapter 2 The Information Security Policy 19(30)
  Anecdote 20(1)
  Introduction 20(1)
  Policy, Strategy, and Standards: Business Theory 21(4)
  Strategy 22(1)
  Tactics and Policy 23(1)
  Operations: Standards and Procedures 24(1)
  Back to Security 25(1)
  The Security Strategy and the Security Planning Process 25(5)
  Security Organization 28(1)
  Security Tools 29(1)
  Security Policy Revisited 30(6)
  Policy Statements 32(5)
  What Do I Need to Set a Policy On? 33(1)
  Template, Toolkit, or Bespoke? 34(1)
  So Why Haven't I Just Told You How to Write a Good Information Security Policy? 35(1)
  Security Standards Revisited 36(1)
  Compliance and Enforcement 37(5)
  Information Security Awareness: The Carrot 38(2)
  Active Enforcement: The Stick 40(16)
  Patch Management 40(1)
  Automated Audit Compliance 40(2)
  Summary 42(7)
Chapter 3 Jargon, Principles, and Concepts 49(22)
  Anecdote 50(1)
  Introduction 50(1)
  CIA: Confidentiality, Integrity, and Availability 51(3)
  Confidentiality 51(1)
  Integrity 52(1)
  Availability 52(1)
  Nonrepudiation 53(1)
  When Is CIA Used? 54(1)
  The Vulnerability Cycle 54(2)
  Types of Controls 56(2)
  Protective Control 57(1)
  Detective Control 57(1)
  Recovery Controls 58(1)
  Administrative Control 58(1)
  Segregation of Duties 58(1)
  Job Rotation 58(1)
  Risk Analysis 58(5)
  Types of Risk Analysis 59(1)
  Quantitative Analysis 59(1)
  Qualitative Analysis 60(1)
  How It Really Works: Strengths and Weaknesses 61(1)
  So What Now? 62(1)
  AAA 63(3)
  Authentication 63(1)
  Types of Authentication 64(1)
  Authorization 64(1)
  Accounting 65(1)
  AAA in Real Life 65(1)
  Other Concepts You Need to Know 66(1)
  Least Privilege 66(1)
  Defense in Depth 66(1)
  Failure Stance 67(1)
  Security through Obscurity 67(1)
  Generic Types of Attack 67(3)
  Network Enumeration and Discovery 67(1)
  Message Interception 68(1)
  Message Injection/Address Spoofing 68(1)
  Session Hijacking 68(1)
  Denial of Service 68(1)
  Message Replay 69(1)
  Social Engineering 69(1)
  Brute-Force Attacks on Authenticated Services 69(1)
  Summary 70(1)
Chapter 4 Information Security Laws and Regulations 71(16)
  Anecdote 72(1)
  Introduction 73(1)
  U.K. Legislation 73(9)
  Computer Misuse Act 1990 73(2)
  How Does This Law Affect a Security Officer? 75(1)
  The Data Protection Act 1998 75(2)
  How Does This Law Affect a Security Officer? 76(1)
  Other U.K. Acts 77(5)
  The Human Rights Act 1998 77(1)
  The Regulation of Investigatory Powers Act 2000 78(1)
  The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 79(1)
  The Freedom of Information Act 2000 80(1)
  Audit Investigation and Community Enterprise Act 2005 80(1)
  Official Secrets Act 80(2)
  U.S. Legislation 82(4)
  California SB 1386 83(1)
  Sarbanes-Oxley 2002 83(1)
  Section 201 83(1)
  Section 302 84(1)
  Section 404 84(1)
  Gramm-Leach-Bliley Act (GLBA) 84(1)
  Health Insurance Portability and Accountability Act (HIPAA) 85(1)
  USA Patriot Act 2001 85(1)
  Summary 86(1)
Chapter 5 Information Security Standards and Audits 87(24)
  Anecdote 88(1)
  Introduction 89(9)
  BS 7799 and ISO 17799 89(10)
  A Canned History of BS 7799 90(2)
  History of BS 7799, Part 2 92(1)
  PDCA 93(5)
  ISO/IEC 27001:2005: What Now for BS 7799? 98(1)
  PAS 56 99(3)
  What Is PAS 56? 99(1)
  The Stages of the BCM Life Cycle 100(2)
  Stage 1: Initiate the BCM Project 100(1)
  Stage 2: Understand the Business 100(1)
  Stage 3: Define BCM Strategies 100(1)
  Stage 4: Produce a BCM Plan 101(1)
  Stage 5: Instill a BCM Culture 101(1)
  Stage 6: Practice, Maintain, and Audit 101(1)
  FIPS 140-2 102(1)
  Should I Bother with FIPS 140-2? 102(1)
  What Are the Levels? 102(1)
  Common Criteria Certification 103(1)
  Other CC Jargon 103(1)
  The Security Target 103(1)
  Protection Profile 103(1)
  Evaluation Assurance Level 103(1)
  Types of Audit 104(6)
  Computer Audit as Part of the Financial Audit 104(1)
  Section 39 Banking Audit 105(1)
  SAS 70 106(1)
  Other Types of Audits 107(1)
  Tips for Managing Audits 108(2)
  Summary 110(1)
Chapter 6 Interviews, Bosses, and Staff 111(12)
  Anecdote 112(1)
  Introduction 112(8)
  Interviews as the Interviewee 112(5)
  Interview 1 113(1)
  Interview 2 114(1)
  Interview 3 115(1)
  Interview 4 116(1)
  Preinterview Questionnaires 117(2)
  Interviews as the Interviewer 119(1)
  Interview 1 119(1)
  Interview 2 119(1)
  Bosses 120(2)
  Runner-up for the Worst Boss in the World 120(1)
  Worst Boss in the World 120(2)
  Worst Employees 122(1)
  Summary 122(1)
Chapter 7 Infrastructure Security 123(20)
  Anecdote 124(1)
  Introduction 124(9)
  Network Perimeter Security 124(2)
  The Corporate Firewall 126(5)
  Threat Analysis 127(1)
  E-mail Protection 128(2)
  Browser Content Control and Logging 130(1)
  Web and FTP Server 131(1)
  Remote Access DMZ 131(2)
  Threat Analysis 131(1)
  Remote Access Design Options 132(1)
  E-commerce 133(7)
  Threat Analysis 136(3)
  Threat Analysis 139(1)
  Just Checking 140(1)
  Summary 140(3)
Chapter 8 Firewalls 143(32)
  Anecdote 144(1)
  Introduction 144(3)
  What Is a Firewall, and What Does It Do? 144(2)
  Why Do We Need Firewalls? 146(1)
  Firewall Structure and Design 147(10)
  Firewall Types 147(4)
  Screening Routers 148(1)
  Application-Level Gateways or Proxies 148(1)
  Circuit-Level Gateways 149(1)
  The Stateful Inspection Firewall 149(2)
  So What Are the Features You Want from a Firewall? 151(6)
  Stateful Rule 151(1)
  NAT/PAT 151(4)
  Antispoofing 155(1)
  Advanced Logging 155(1)
  User-Authenticated Traffic 155(1)
  IPSec Termination 156(1)
  Ability to Define Your Own Protocols 156(1)
  Time-Based Rules 157(1)
  Other Types of Firewalls 157(1)
  Stealth Firewalls 157(1)
  Virtualized Firewalls 158(1)
  Commercial Firewalls 158(16)
  The Cisco PIX 158(6)
  Features 159(1)
  Adaptive Security Algorithm 159(2)
  Cut-Through Proxy 161(1)
  Failover 161(2)
  Configuration 163(1)
  Check Point FireWall-1 164(14)
  How It Works 165(2)
  The Gory Details 167(3)
  Security Policy: Global Policies 170(1)
  SYNDefender 171(1)
  Antispoofing 171(3)
  Summary 174(1)
Chapter 9 Intrusion Detection Systems: Theory 175(30)
  Anecdote 176(1)
  Introduction 177(1)
  Why Bother with an IDS? 178(3)
  Problems with Host-Based IDSes 179(2)
  Whether to Use a HIDS or Not? That Is the Question 179(1)
  And Is It A Bad Thing? 180(1)
  NIDS in Your Hair 181(18)
  Detection Flaws 182(6)
  Dropped Packets 182(1)
  Fragment Reassembly 183(1)
  Packet Grepping versus Protocol Analysis, or Just Not Working Right 184(4)
  Lazy Rule Structure 188(1)
  Poor Deployment 188(5)
  Switches 189(1)
  SSL and Encryption 190(2)
  Asymmetric Routing 192(1)
  Poor Configuration 193(6)
  Signature Analysis 193(2)
  Anomalous Traffic Detection 195(4)
  For the Technically Minded 199(5)
  Snort 199(2)
  RealSecure 201(3)
  Summary 204(1)
Chapter 10 Intrusion Detection Systems: In Practice 205(30)
  Anecdote 206(1)
  Introduction: Tricks, Tips, and Techniques 206(7)
  Deploying a NIDS: Stealth Mode 206(1)
  Spanning Ports 207(2)
  Tap Technology 209(3)
  Failover Monitoring 210(1)
  Aggregating Different Flows 211(1)
  Asymmetric Routing 212(1)
  IDS Deployment Methodology 213(2)
  The Methodology 214(1)
  Selection 215(1)
  Deployment 216(9)
  Step 1: Planning Sensor Position and Assigning Positional Risk 217(2)
  Sensor 2 217(2)
  Step 2: Establish Monitoring Policy and Attack Gravity 219(4)
  Step 3: Reaction 223(1)
  Step 4: Further Action: IPS 223(2)
  Firewalls, Master Blocking, and Inline IPSes 223(1)
  Host Detectors 224(1)
  Application Interface 224(1)
  Honeypots 225(1)
  Information Management 225(2)
  Log Management 225(1)
  Console Management 226(1)
  Logical Access Controls 226(1)
  Incident Response and Crisis Management 227(4)
  Identification 229(1)
  Documentation 229(1)
  Notification 229(1)
  Containment 229(1)
  Assessment 229(1)
  Recovery 230(1)
  Eradication 230(1)
  Other Valuable Tips 230(1)
  Test and Tune 231(3)
  Tune 231(1)
  Reduce False Positives 231(1)
  Reduce False Negatives 232(1)
  Test 232(7)
  Technical Testing 232(1)
  Covert Penetration Testing 233(1)
  Summary 234(1)
Chapter 11 Intrusion Prevention and Protection 235(20)
  Anecdote 236(1)
  Introduction 237(1)
  What Is an IPS? 237(1)
  Active Response: What Can an IPS Do? 238(1)
  A Quick Tour of IPS Implementations 239(8)
  Traditional IDSes with Active Response 240(1)
  In-Line Protection 241(4)
  General In-Line IPSes 242(1)
  DDoS 243(1)
  Application Firewall 243(2)
  Deception Technology 245(1)
  Why Would I Want One? 245(1)
  Extended Host OS Protection 246(1)
  Why Would I Want One? 246(1)
  Example Deployments 247(7)
  Dealing with DDoS Attacks 247(3)
  How It Works 247(2)
  Scrubbing and Cleansing: The Cisco Guard 249(1)
  An Open Source In-Line IDS/IPS: Hogwash 250(4)
  Summary 254(1)
Chapter 12 Network Penetration Testing 255(26)
  Anecdote 256(1)
  Introduction 257(1)
  Types of Penetration Testing 258(1)
  Network Penetration Test 258(1)
  Application Penetration Test 258(1)
  Periodic Network Vulnerability Assessment 258(1)
  Physical Security 259(1)
  Network Penetration Testing 259(15)
  An Internet Testing Process 259(1)
  Test Phases 259(11)
  Passive Research 259(3)
  Network Enumeration and OS Fingerprinting 262(1)
  Host Enumeration 262(3)
  Vulnerability Scanning 265(1)
  Scenario Analysis 266(3)
  Reporting 269(1)
  Internal Penetration Testing 270(500)
  Application Penetration Testing 770
  Application Pen Test Versus Application System Testing 270(4)
  Controls and the Paperwork You Need 274(2)
  Indemnity and Legal Protection 274(1)
  Scope and Planning 275(1)
  Success Criteria 275(1)
  Escalation 275(1)
  DoS 276(1)
  Social Engineering 276(1)
  What's the Difference between a Pen Test and Hacking? 276(4)
  Who Is the Hacker? 276(6)
  The Digital Blagger: Hacking for Profit 277(1)
  Hacktivists: The Digital Moral Outrage 277(1)
  White Hats: The Digital Whistleblowers 278(1)
  Script Kiddies 278(1)
  The End of the Story 279(1)
  Summary 280(1)
Chapter 13 Application Security Flaws and Application Testing 281(22)
  Anecdote 282(1)
  Introduction 282(2)
  The Vulnerabilities 283(1)
  Configuration Management 284(1)
  Unvalidated Input 285(10)
  Buffer Overflows 286(2)
  Cross-Site Scripting 288(3)
  SQL Injection 291(3)
  Command Injection 294(1)
  Bad Identity Control 295(3)
  Forceful Browsing 296(1)
  URL Parameter Tampering 297(1)
  Insecure Storage 297(1)
  Fixing Things 298(1)
  Qwik Fix 299(1)
  For the More Technically Minded 299(3)
  Does It Work? 301(1)
  Summary 302(1)
Index 303
