book

Fundamentals of Information Systems Security

by David Kim, Michael G. Solomon

November 2010

Beginner

514 pages

15h 31m

English

Jones & Bartlett Learning

Read now

Unlock full access

Copyright
Letter from (ISC)2 Executive Director W. Hord Tipton
Preface
Purpose of This BookLearning FeaturesAudience
Acknowledgments
About the Authors
ONE. The Need for Information Security
1. Information Systems Security
Information Systems SecurityRisks, Threats, and VulnerabilitiesDefining Information Systems SecurityU.S. Compliance Laws Drive Need for Information Systems SecurityTenets of Information Systems SecurityAvailabilityIntegrityConfidentialityThe Seven Domains of a Typical IT InfrastructureUser DomainUser Domain Roles, Responsibilities, and AccountabilityRisks, Threats, and Vulnerabilities Commonly Found in the User DomainWorkstation DomainWorkstation Domain Roles, Responsibilities, and AccountabilityRisks, Threats, and Vulnerabilities Commonly Found in the Workstation DomainLAN DomainLAN Domain Roles, Responsibilities, and AccountabilityRisks, Threats, and Vulnerabilities Commonly Found in the LAN DomainLAN-to-WAN DomainLAN-to-WAN Domain Roles, Responsibilities, and AccountabilityRisks, Threats, and Vulnerabilities Commonly Found in the LAN-to-WAN DomainWAN DomainWAN Domain Roles, Responsibilities, and AccountabilityRisks, Threats, and Vulnerabilities Commonly Found in the WAN Domain (Internet)Risks, Threats, and Vulnerabilities Commonly Found in the WAN Domain (Connectivity)Remote Access DomainRemote Access Domain Roles, Responsibilities, and AccountabilityRisks, Threats, and Vulnerabilities Commonly Found in the Remote Access DomainSystem/Application DomainSystem/Application Domain Roles, Responsibilities, and AccountabilityRisks, Threats, and Vulnerabilities Commonly Found in the System/Application DomainWeakest Link in the Security of an IT InfrastructureEthics and the Internet(ISC)2: Information Systems Security CertificationSSCP Professional CertificationCISSP Professional Certification(ISC)2 Code of EthicsIT Security Policy FrameworkDefinitionsFoundational IT Security PoliciesData Classification StandardsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 1 ASSESSMENT
2. Changing How People and Businesses Communicate
Evolution of Voice CommunicationsFrom Analog to DigitalTelephony Risks, Threats, and VulnerabilitiesTelephony Security Best PracticesFrom Digital to Voice over IP (VoIP)VoIP and SIP Risks, Threats, and VulnerabilitiesVoIP and SIP Security Best PracticesConverting to a TCP/IP WorldHow Different Groups CommunicateBroadband Boom of the 1990sIP Transformation of Telecommunication Service Providers1970s to 1984 (Divestiture): Analog Communications RuledDivestiture to Late 1980s: Transforming to a Digital WorldLate 1980s to Mid 1990s: Next-Generation WAN ServicesMultimodal CommunicationsVoice over IP (VoIP) MigrationUnified Communications (UC)Solving Business Challenges with Unified CommunicationsExamples of Human Latency and UC EnablementEvolution from Brick-and-Mortar to e-CommerceSolving Business Challenges with e-Business TransformationWhy Businesses Today Need an Internet Marketing StrategyThe Web Effect on People, Businesses, and Other OrganizationsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 2 ASSESSMENT
3. Malicious Attacks, Threats, and Vulnerabilities
Malicious Activity on the RiseWhat Are You Trying to Protect?IT and Network InfrastructureIntellectual PropertyFinances and Financial DataService Availability and ProductivityReputationWhom Are You Trying to Catch?Attack ToolsVulnerability ScannersPort ScannersSniffersWardialersKeyloggersWhat Is a Security Breach?Denial of Service AttacksDistributed Denial of Service AttacksUnacceptable Web BrowsingWiretappingBackdoorData ModificationsAdditional Security ChallengesSpamHoaxesCookiesWhat Are Vulnerabilities and Threats?Threat TargetsThreat TypesDenial or Destruction ThreatsAlteration ThreatsDisclosure ThreatsWhat Is a Malicious Attack?Brute-Force AttacksDictionary AttacksAddress SpoofingHijackingReplay AttacksMan-in-the-Middle AttacksMasqueradingEavesdroppingSocial EngineeringPhreakingPhishingPharmingWhat Is Malicious Software?VirusesWormsTrojan HorsesRootkitsSpywareWhat Are Countermeasures?Countering MalwareProtecting Your System with FirewallsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 3 ASSESSMENT
4. The Drivers of the Information Security Business
Defining Risk ManagementRisk IdentificationRisk AnalysisQualitative Risk AnalysisQuantitative Risk AnalysisRisk-Response PlanningRisk Monitoring and ControlImplementing a BIA, a BCP, and a DRPBusiness Impact AnalysisBusiness Continuity PlanDisaster Recovery PlanThreat AnalysisImpact ScenariosRecovery Requirement DocumentationDisaster RecoveryAssessing Risks, Threats, and VulnerabilitiesClosing the Information Security GapAdhering to Compliance LawsKeeping Private Data ConfidentialCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 4 ASSESSMENT

TWO. The Systems Security Certifies Practitioner (SSCP®) Professional Certification from (ISC)2
5. Access Controls
The Four Parts of Access ControlThe Two Types of Access ControlPhysical Access ControlLogical Access ControlThe Security KernelAccess Control PoliciesDefining an Authorization PolicyIdentification Methods and GuidelinesIdentification MethodsIdentification GuidelinesAuthentication Processes and RequirementsAuthentication TypesAuthentication by KnowledgePassword Best PracticesTips for Creating Strong PasswordsAccount Lockout PoliciesAuditing Logon EventsPassword Reset and StorageUsing a PassphraseAuthentication by OwnershipSynchronous TokensAsynchronous TokensAuthentication by Characteristics/BiometricsConcerns Surrounding BiometricsTypes of BiometricsAdvantages and Disadvantages of BiometricsPrivacy IssuesSingle Sign-On (SSO)Advantages and Disadvantages of SSOSSO ProcessesKerberosSESAMEAccountability Policies and ProceduresLog FilesData Retention, Media Disposal, and Compliance RequirementsProceduresSecurity ControlsMedia Disposal RequirementsFormal Models of Access ControlDiscretionary Access Control (DAC)Operating Systems-Based DACApplication-Based DACPermission LevelsMandatory Access Control (MAC)How MAC WorksNon-Discretionary Access ControlRule-Based Access ControlAccess Control Lists (ACLs)Role Based Access Control (RBAC)Content-Dependent Access ControlConstrained User InterfaceOther Access Control ModelsBell-La Padula ModelBiba Integrity ModelClark and Wilson Integrity ModelBrewer and Nash Integrity ModelEffects of Breaches in Access ControlThreats to Access ControlsEffects of Access Control ViolationsCentralized and Decentralized Access ControlThree Types of AAA ServersRADIUSTACACS +DIAMETERDecentralized Access ControlPrivacyMonitoring in the WorkplaceCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 5 ASSESSMENT
6. Security Operations and Administration
Security AdministrationControlling AccessDocumentation, Procedures, and GuidelinesDisaster Assessment and RecoverySecurity OutsourcingOutsourcing ConsiderationsComplianceSecurity Event LogsCompliance LiaisonRemediationProfessional EthicsCommon Fallacies About EthicsCodes of Ethics(ISC)2 Code of EthicsInternet Architecture Board (IAB) Statement of PolicyProfessional RequirementsPersonnel Security PrinciplesLimiting AccessSeparation of DutiesJob RotationMandatory VacationsSecurity Training and AwarenessSocial EngineeringThe Infrastructure for an IT Security PolicyPoliciesStandardsProceduresBaselinesGuidelinesData Classification StandardsInformation Classification ObjectivesExamples of ClassificationClassification ProceduresAssuranceConfiguration ManagementHardware Inventory and Configuration ChartHardware Configuration ChartPatch and Service-Pack ManagementThe Change Management ProcessChange Control ManagementReviewing Changes for Potential Security ImpactChange Control CommitteesChange Control ProceduresChange Control IssuesThe System Life Cycle (SLC) and System Development Life Cycle (SDLC)The System Life Cycle (SLC)Testing and Developing SystemsSystems ProcurementThe Common CriteriaDisposing of EquipmentCertification and AccreditationCertificationAccreditationTriggers for New CertificationSoftware Development and SecuritySoftware Development MethodsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 6 ASSESSMENT
7. Auditing, Testing, and Monitoring
Security Auditing and AnalysisSecurity Controls Address RiskDetermining What Is AcceptablePermission LevelsAreas of Security AuditsPurpose of AuditsCustomer ConfidenceDefining Your Audit PlanDefining the Scope of the PlanAuditing BenchmarksAudit Data–Collection MethodsAreas of Security AuditsControl Checks and Identity ManagementPost-Audit ActivitiesExit InterviewData AnalysisGeneration of Audit ReportPresentation of FindingsSecurity MonitoringSecurity Monitoring for Computer SystemsMonitoring IssuesLogging AnomaliesLog ManagementTypes of Log Information to CaptureHow to Verify Security ControlsIntrusion Detection System (IDS)Analysis MethodsHIDSLayered Defense: Network Access ControlControl Checks: Intrusion DetectionHost IsolationSystem HardeningSet a Baseline ConfigurationDisable Unnecessary ServicesReview Antivirus ProgramMonitoring and Testing Security SystemsMonitoringTestingA Testing Road MapEstablishing Testing GoalsReconnaissance MethodsNetwork-Mapping MethodsCovert Versus Overt TestersTesting MethodsSecurity Testing Tips and TechniquesCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 7 ASSESSMENT
8. Risk, Response, and Recovery
Risk Management and Information SecurityDefinitions of RiskElements of RiskPurpose of Risk ManagementThe Risk EquationThe Process of Risk ManagementRisk AnalysisEmerging ThreatsTwo Approaches: Quantitative and QualitativeCalculating Quantified RiskQualitative Risk AnalysisDeveloping a Strategy for Dealing with RiskAcceptable Range of Risk/Residual RiskEvaluating CountermeasuresPricing/Costing a CountermeasureCountermeasure EvaluationControls and Their Place in the Security Life CyclePlanning to SurviveTerminologyAssessing Maximum Tolerable Downtime (MTD)Business Impact AnalysisSpeed of ImpactCritical DependenciesAssessing the Impact of DowntimePlan ReviewTesting the PlanChecklist TestStructured Walk-Through TestSimulation TestParallel TestFull-Interruption TestBacking Up Data and ApplicationsTypes of BackupsSteps to Take in Handling an IncidentNotificationResponseRecoveryFollow-UpDocumentationRecovery from a DisasterPrimary Steps to Disaster RecoveryActivating the Disaster Recovery PlanOperating in a Reduced/Modified EnvironmentRestoring Damaged SystemsDisaster Recovery IssuesRecovery AlternativesInterim or Alternate Processing StrategiesProcessing AgreementsReciprocal or Mutual AidReciprocal CentersContingencyService BureauCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 8 ASSESSMENT
9. Cryptography
What Is Cryptography?Basic Cryptographic PrinciplesA Brief History of CryptographyTwentieth-Century CryptographyCryptography's Role in Information SecurityConfidentialityIntegrityAuthenticationNonrepudiationBusiness and Security Requirements for CryptographyInternal SecuritySecurity Between BusinessesSecurity Measures That Benefit EveryoneCryptographic Applications and Uses in Information System SecurityCryptanalysis and Public Versus Private KeysSymmetric and Asymmetric Key Cipher Resistance to AttackCryptographic Principles, Concepts, and TerminologyCryptographic Functions and CiphersBusiness-Security ImplementationsTypes of CiphersTransposition CiphersSubstitution CiphersProduct and Exponentiation CiphersSymmetric and Asymmetric Key CryptographySymmetric Key CiphersAsymmetric Key CiphersKeys, Keyspace, and Key ManagementCryptographic Keys and KeyspaceKey ManagementKey DistributionKey-Distribution Centers (KDCs)Digital Signatures and Hash FunctionsHash FunctionsDigital SignaturesCryptographic Applications, Tools, and ResourcesSymmetric Key StandardsWireless Security802.11 Wireless SecurityAsymmetric Key SolutionsHash Function and IntegrityHash FunctionsDigital Signatures and NonrepudiationDigital Signatures Versus Digitized SignaturesPrinciples of Certificates and Key ManagementModern Key-Management TechniquesAESIPSecISAKMPXKMSManaged PKIANSI X9.17CHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 9 ASSESSMENT
10. Networks and Telecommunications
The Open Systems Interconnection Reference ModelThe Two Types of NetworksWide Area NetworksConnectivity OptionsRoutersLocal Area NetworksEthernet NetworksLAN Devices: Hubs and SwitchesTCP/IP and How It WorksTCP/IP OverviewIP AddressingICMPNetwork Security RisksThree Categories of RiskNetwork ReconnaissanceNetwork EavesdroppingNetwork Denial of ServiceBasic Network Security Defense ToolsFirewallsFirewall TypesFirewall-Deployment TechniquesBorder FirewallScreened SubnetMultilayered FirewallsVirtual Private Networks and Remote AccessNetwork Access ControlWireless NetworksWireless Access Points (WAPs)Wireless Network Security ControlsWireless EncryptionSSID BeaconingMAC Address FilteringCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 10 ASSESSMENT
11. Malicious Code and Activity
Characteristics, Architecture, and Operations of Malicious SoftwareThe Main Types of MalwareVirusBoot Record InfectorsMaster Boot Record and System InfectorsFile (Program) InfectorsMacro (Data File) InfectorsOther Virus ClassificationsSpamWormsTrojan HorsesLogic BombsActive Content VulnerabilitiesBotnetsDenial of Service AttacksSYN Flood AttacksSmurf AttacksSpywareAdwarePhishingSpear-PhishingPharmingKeystroke LoggersHoaxes and MythsHome-Page HijackingWeb-Page DefacementsA Brief History of Malicious Code Threats1970s and Early 1980s: Academic Research and UNIX1980s: Early PC Viruses1990s: Early LAN VirusesMid-1990s: Smart Applications and the Internet2000 to PresentThreats to Business OrganizationsTypes of ThreatsInternal Threats from EmployeesAnatomy of an AttackWhat Motivates Attackers?The Purpose of an AttackTypes of AttacksUnstructured AttacksStructured AttacksDirect AttacksIndirect AttacksPhases of an AttackReconnaissance and ProbingDNS, ICMP, and related toolsSNMP toolsPort-scanning and port-mapping toolsSecurity probesAccess and Privilege EscalationCovering Your TracksAttack Prevention Tools and TechniquesApplication DefensesOperating System DefensesNetwork Infrastructure DefensesSafe Recovery Techniques and PracticesImplementing Effective Software Best PracticesIncident Detection Tools and TechniquesAntivirus Scanning SoftwareNetwork Monitors and AnalyzersContent/Context Filtering and Logging SoftwareHoneypots and HoneynetsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 11 ASSESSMENT
THREE. Information Security Standards, Education, Certifications, and Laws
12. Information Security Standards
Standards OrganizationsNISTInternational Organization for Standardization (ISO)International Electrotechnical Commission (IEC)World Wide Web Consortium (W3C)Internet Engineering Task Force (IETF)Request for Comments (RFC)Internet Architecture Board (IAB)IEEEInternational Telecommunication Union Telecommunication Sector (ITU-T)ANSIISO 17799ISO/IEC 27002PCI DSSCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 12 ASSESSMENT
13. Information Security Education and Training
Self-StudyAdult Continuing Education ProgramsCertificate ProgramsCPE CreditsPost-Secondary Degree ProgramsAssociate's DegreeBachelor's DegreeMaster's DegreeMaster of Science DegreeMaster of Business AdministrationDoctoral DegreeInformation Security Training ProgramsSecurity Training RequirementsSecurity Training OrganizationsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 13 ASSESSMENT
14. Information Security Professional Certifications
Vendor-Neutral Professional Certifications(ISC)2Systems Security Certified Practitioner (SSCP)Certified Information Systems Security Professional (CISSP)Certified Authorization Professional (CAP)Certified Secure Software Lifecycle Professional (CSSLP)GIAC/SANS InstituteCIWCompTIASCPISACAVendor-Specific Professional CertificationsCisco SystemsJuniper NetworksRSASymantecCheck PointDoD/Military—8570.01CHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 14 ASSESSMENT
15. U.S. Compliance Laws
Compliance and the LawThe Federal Information Security Management ActPurpose and Main RequirementsThe Role of the National Institute of Standards and TechnologyNational Security SystemsOversightThe Future of FISMAThe Health Insurance Portability and Accountability ActPurpose and ScopeMain Requirements of the HIPAA Privacy RuleMain Requirements of the HIPAA Security RuleOversightThe Gramm-Leach-Bliley ActPurpose and ScopeMain Requirements of the GLBA Privacy RuleMain Requirements of the GLBA Safeguards RuleOversightThe Sarbanes-Oxley ActPurpose and ScopeSOX Control Certification RequirementsSOX Records Retention RequirementsOversightThe Family Educational Rights and Privacy ActPurpose and ScopeMain RequirementsOversightThe Children's Internet Protection ActPurpose and ScopeMain RequirementsOversightMaking Sense of Laws for Information Security ComplianceCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 15 ASSESSMENTENDNOTES
A. Answer Key
B. Standard Acronyms
C. Become an SSCP®
About (ISC)2®About SSCP®Maintenance RequirementsAbout the Associate of (ISC)2®Participation RequirementsThe Advantages of Becoming an Associate of (ISC)2Hold Yourself to Globally Recognized Standards
D. SSCP® Practice Exam
Glossary of Key Terms
References

Overview

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES!

Fundamentals of Information System Security provides a comprehensive overview of the essential concepts readers must know as they pursue careers in information systems security. The text opens with a discussion of the new risks, threats, and vulnerabilities associated with the transformation to a digital world, including a look at how business, government, and individuals operate today. Part 2 is adapted from the Official (ISC)2 SSCP Certified Body of Knowledge and presents a high-level overview of each of the seven domains within the System Security Certified Practitioner certification. The book closes with a resource for readers who desire additional material on information security standards, education, professional certifications, and compliance laws. With its practical, conversational writing style and step-by-step examples, this text is a must-have resource for those entering the world of information systems security.

Instructor Materials for Fundamentals of Information System Security include:

PowerPoint Lecture Slides
Exam Questions
Case Scenarios/Handouts
.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Fundamentals of Information Systems Security, 4th Edition

Publisher Resources

ISBN: 9780763790257

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills