Cover Your Assets : Building and... | Buy

With the exploding growth in today's e-business, Information Technology-based applications are the business. But the risks confronting these applications have never been greater.Cover Your Assets(CYA) is an e-business security manual with policies and procedures for senior managers to help-desk personnel. CYAstrengthens existing business models by teaching you to identify protection gaps in both your tangible and intangible assets. Learn to develop a security plan tailored to your application needs and the size of your Web site. Whether you have existing or new applications,CYAshows you how to lock down tangible assets and recommends tools to prevent, detect, and react to security challenges. It analyzes quality assurance and takes you through the verification process. It even tells you how to safeguard the physical plant and meet the challenge of "social engineers" trying to sweet-talk their way to sensitive information. With an extensive glossary and annotated bibliography,CYAis required reading for everyone on your team.

As co-founder and Chief Security Officer for Riskology, Inc., a Denver-based IT security firm, Troy Schumaker oversees a comprehensive collection of IT security products. A Certified Information Systems Security Professional (CISSP) with extensive field-tested knowledge of security technologies, Schumaker has analyzed security architectures for various private and government applications, products, and networks. He has served in numerous roles in application architecture and development, network security, privacy, and computer forensics for Persona, EDS, Eotek, and Martin Marietta. When he is not working on IT security, Schumaker enjoys 1980's music, ventriloquism, and time spent with his wife and two daughters in the foothills southwest of Denver.

Preface

ix

Derk Norton

Foreword

xi

Paul W. Cowley

Foreword

xiii

Doug Tschudy

Introduction: The Need for Secure Internet-Based Applications

1

(1)

Welcome to the Wild, Wild Web

2

(1)

The Security Jigsaw Puzzle

3

(2)

The Foundation of Secure Internet Applications

5

(6)

Maintaining Confidentiality

5

(2)

Maintaining System Integrity

7

(1)

Necessary Audit Trails

8

(1)

Providing Availability

9

(2)

Scalability

9

(1)

Failover

9

(1)

Data Replication

10

(1)

Identifying Single Points of Failure

10

(1)

Roles and Responsibilities---The Human Dimension

11

(10)

Senior Manager

12

(2)

Security Director

14

(2)

Director or Program Manager

16

(1)

Operations Manager

17

(1)

Operations Team Member

18

(1)

Technical Leader

18

(2)

Technical Team Member

20

(1)

Policies and Procedures

21

(6)

Enterprise-Wide Security Policies and Procedures

21

(1)

Privacy Policies

22

(1)

Terms-of-Use Statement

23

(1)

Bill of Rights

24

(1)

Handling Variances in Policy

25

(2)

Threat Analysis for E-Business Applications

27

(6)

Application Security Considerations

33

(6)

Design Security into the Application by Default

33

(1)

Implementing Secure Applications

34

(1)

How to Mitigate Buffer Overflows

35

(1)

Avoid Storing Credentials in Software

35

(1)

Avoid Insecure Functions

36

(1)

Digitally Sign Production Files

36

(1)

Avoid Faulty Assumptions

36

(1)

Run with Least Privilege

37

(1)

Application Servers

37

(1)

Commercially Available Application Servers

38

(1)

Web-Site Security Considerations

39

(8)

Lightweight Web Site

40

(1)

Middleweight Web Site

41

(2)

Heavyweight Web Site

43

(2)

Tools to Help Monitor Security Logs

45

(1)

Web-Server Lockdown

45

(2)

Network Security Considerations

47

(6)

External Shields of Defense

47

(1)

Securing the Router

48

(1)

Locking Down the Firewall

49

(1)

Creating the Demilitarized Zone (DMZ)

50

(2)

Leveraging Intrusion Detection Systems

50

(2)

Internal Shields of Defense

52

(1)

Operating Systems Security Considerations

53

(4)

Database Security Considerations

57

(8)

Best Practices When Managing the Database

57

(1)

Security Features in SQL Server 2000

58

(3)

Security Features in Oracle

61

(4)

Preparing for a Secure Deployment

65

(2)

Securing the Production Environment

67

(1)

Watching the Security Bulletins

67

(1)

Managing Operating-System Security Patches

67

(1)

Quality Assurance (QA)

68

(7)

Benefits of Security Verification

71

(1)

Sample Security Verification Suite

72

(3)

The Wisdom in Third-Party Application Security Audits

75

(2)

Social Engineering

77

(3)

Countermeasures

Appendix A: Senior Manager's Checklist

80

(2)

Appendix B: Security Director's Checklist

82

(1)

Appendix C: Director's and Program Manager's Checklist

83

(1)

Appendix D: Operations Manager's Checklist

84

(1)

Appendix E: Operations Team Member's Checklist

85

(1)

Appendix F: Technical Leader's Checklist

86

(1)

Appendix G: Technical Team Member's Checklist

87

(1)

Appendix H: Sample Web-Site Security Policy

88

(2)

Personnel

88

(1)

Access Privileges

88

(1)

Network Services

89

(1)

Maintenance

89

(1)

Appendix I: Sample Security Policy and Procedure Outline

90

(2)

Legal Documents

90

(1)

Employee Usage of Company Resources and Intellectual Property

90

(1)

Administrative Policies and Procedures for Computing Resources

90

(1)

Network Security

91

(1)

Handling Security Incidents

91

(1)

Appendix J: Components of a Riskology Application Security Audit

92

(2)

Glossary of Technical Terms

94

(9)

Annotated Bibliography

103

(1)

Books

103

(1)

Periodicals

104

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.