
Fundamentals of Information Systems Security, 3rd Edition

Book Description

Revised and updated with the latest data in the field, Fundamentals of Information Systems Security, Third Edition provides a comprehensive overview of the essential concepts readers must know as they pursue careers in information systems security. The text opens with a discussion of the new risks, threats, and vulnerabilities associated with the transition to a digital world. Part 2 presents a high-level overview of the Security+ exam and provides students with information as they move toward this certification.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. Contents
  6. Preface
  7. Acknowledgments
  8. The Authors
  9. PART I The Need for Information Security
    1. CHAPTER 1 Information Systems Security
      1. Information Systems Security
        1. Risks, Threats, and Vulnerabilities
        2. What Is Information Systems Security?
        3. U.S. Compliance Laws Drive Need for Information Systems Security
      2. Tenets of Information Systems Security
        1. Confidentiality
        2. Integrity
        3. Availability
      3. The Seven Domains of a Typical IT Infrastructure
        1. User Domain
        2. Workstation Domain
        3. LAN Domain
        4. LAN-to-WAN Domain
        5. WAN Domain
        6. Remote Access Domain
        7. System/Application Domain
      4. Weakest Link in the Security of an IT Infrastructure
        1. Ethics and the Internet
      5. IT Security Policy Framework
        1. Definitions
        2. Foundational IT Security Policies
      6. Data Classification Standards
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 1 ASSESSMENT
    2. CHAPTER 2 The Internet of Things Is Changing How We Live
      1. Evolution of the Internet of Things
      2. Converting to a TCP/IP World
      3. IoT’s Impact on Human and Business Life
        1. How People Like to Communicate
        2. IoT Applications That Impact Our Lives
      4. Evolution from Bricks and Mortar to E-Commerce
      5. Why Businesses Must Have an Internet and IoT Marketing Strategy
      6. IP Mobility
        1. Mobile Users and Bring Your Own Device
      7. Mobile Applications
        1. IP Mobile Communications
      8. New Challenges Created by the IoT
        1. Security
        2. Privacy
        3. Interoperability and Standards
        4. Legal and Regulatory Issues
        5. E-Commerce and Economic Development Issues
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 2 ASSESSMENT
    3. CHAPTER 3 Malicious Attacks, Threats, and Vulnerabilities
      1. Malicious Activity on the Rise
      2. What Are You Trying to Protect?
        1. Customer Data
        2. IT and Network Infrastructure
        3. Intellectual Property
        4. Finances and Financial Data
        5. Service Availability and Productivity
        6. Reputation
      3. Whom Are You Trying to Catch?
      4. Attack Tools
        1. Protocol Analyzers
        2. Port Scanners
        3. OS Fingerprint Scanners
        4. Vulnerability Scanners
        5. Exploit Software
        6. Wardialers
        7. Password Crackers
        8. Keystroke Loggers
      5. What Is a Security Breach?
        1. Denial of Service Attacks
        2. Distributed Denial of Service Attacks
        3. Unacceptable Web Browsing
        4. Wiretapping
        5. Backdoors
        6. Data Modifications
        7. Additional Security Challenges
      6. What Are Risks, Threats, and Vulnerabilities?
        1. Threat Targets
        2. Threat Types
      7. What Is a Malicious Attack?
        1. Birthday Attacks
        2. Brute-Force Password Attacks
        3. Dictionary Password Attacks
        4. IP Address Spoofing
        5. Hijacking
        6. Replay Attacks
        7. Man-in-the-Middle Attacks
        8. Masquerading
        9. Eavesdropping
        10. Social Engineering
        11. Phreaking
        12. Phishing
        13. Pharming
      8. What Is Malicious Software?
        1. Viruses
        2. Worms
        3. Trojan Horses
        4. Rootkits
        5. Spyware
      9. What Are Common Types of Attacks?
        1. Social Engineering Attacks
        2. Wireless Network Attacks
        3. Web Application Attacks
      10. What Is a Countermeasure?
        1. Countering Malware
        2. Protecting Your System with Firewalls
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 3 ASSESSMENT
    4. CHAPTER 4 The Drivers of the Information Security Business
      1. Defining Risk Management
      2. Implementing a BIA, a BCP, and a DRP
        1. Business Impact Analysis
        2. Business Continuity Plan
        3. Disaster Recovery Plan
      3. Assessing Risks, Threats, and Vulnerabilities
      4. Closing the Information Security Gap
      5. Adhering to Compliance Laws
      6. Keeping Private Data Confidential
      7. Mobile Workers and Use of Personally Owned Devices
        1. BYOD Concerns
        2. Endpoint and Device Security
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 4 ASSESSMENT
  10. PART II Securing Today’s Information Systems
    1. CHAPTER 5 Access Controls
      1. Four-Part Access Control
      2. Two Types of Access Controls
        1. Physical Access Control
        2. Logical Access Control
      3. Authorization Policies
      4. Methods and Guidelines for Identification
        1. Identification Methods
        2. Identification Guidelines
      5. Processes and Requirements for Authentication
        1. Authentication Types
        2. Single Sign-On
      6. Policies and Procedures for Accountability
        1. Log Files
        2. Monitoring and Reviews
        3. Data Retention, Media Disposal, and Compliance Requirements
      7. Formal Models of Access Control
        1. Discretionary Access Control
        2. Operating Systems-Based DAC
        3. Mandatory Access Control
        4. Nondiscretionary Access Control
        5. Rule-Based Access Control
        6. Access Control Lists
        7. Role-Based Access Control
        8. Content-Dependent Access Control
        9. Constrained User Interface
        10. Other Access Control Models
      8. Effects of Breaches in Access Control
      9. Threats to Access Controls
      10. Effects of Access Control Violations
      11. Credential and Permissions Management
      12. Centralized and Decentralized Access Control
        1. Types of AAA Servers
        2. Decentralized Access Control
        3. Privacy
      13. CHAPTER SUMMARY
      14. KEY CONCEPTS AND TERMS
      15. CHAPTER 5 ASSESSMENT
    2. CHAPTER 6 Security Operations and Administration
      1. Security Administration
        1. Controlling Access
        2. Documentation, Procedures, and Guidelines
        3. Disaster Assessment and Recovery
        4. Security Outsourcing
      2. Compliance
        1. Event Logs
        2. Compliance Liaison
        3. Remediation
      3. Professional Ethics
        1. Common Fallacies About Ethics
        2. Codes of Ethics
        3. Personnel Security Principles
      4. The Infrastructure for an IT Security Policy
        1. Policies
        2. Standards
        3. Procedures
        4. Baselines
        5. Guidelines
      5. Data Classification Standards
        1. Information Classification Objectives
        2. Examples of Classification
        3. Classification Procedures
        4. Assurance
      6. Configuration Management
        1. Hardware Inventory and Configuration Chart
      7. The Change Management Process
        1. Change Control Management
        2. Change Control Committees
        3. Change Control Procedures
        4. Change Control Issues
      8. Application Software Security
        1. The System Life Cycle
        2. Testing Application Software
      9. Software Development and Security
        1. Software Development Models
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 6 ASSESSMENT
    3. CHAPTER 7 Auditing, Testing, and Monitoring
      1. Security Auditing and Analysis
        1. Security Controls Address Risk
        2. Determining What Is Acceptable
        3. Permission Levels
        4. Areas of Security Audits
        5. Purpose of Audits
        6. Customer Confidence
      2. Defining Your Audit Plan
        1. Defining the Scope of the Plan
      3. Auditing Benchmarks
      4. Audit Data Collection Methods
        1. Areas of Security Audits
        2. Control Checks and Identity Management
      5. Post-Audit Activities
        1. Exit Interview
        2. Data Analysis
        3. Generation of Audit Report
        4. Presentation of Findings
      6. Security Monitoring
        1. Security Monitoring for Computer Systems
        2. Monitoring Issues
        3. Logging Anomalies
        4. Log Management
      7. Types of Log Information to Capture
      8. How to Verify Security Controls
        1. Intrusion Detection System (IDS)
        2. Analysis Methods
        3. HIDS
        4. Layered Defense: Network Access Control
        5. Control Checks: Intrusion Detection
        6. Host Isolation
        7. System Hardening
        8. Review Antivirus Programs
      9. Monitoring and Testing Security Systems
        1. Monitoring
        2. Testing
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 7 ASSESSMENT
    4. CHAPTER 8 Risk, Response, and Recovery
      1. Risk Management and Information Security
        1. Risk Terminology
        2. Elements of Risk
        3. Purpose of Risk Management
      2. The Risk Management Process
        1. Identify Risks
        2. Assess Risks
        3. Plan a Risk Response
        4. Implement the Risk Response Plan
        5. Monitor and Control Risk Response
      3. Business Continuity Management
        1. Terminology
        2. Assessing Maximum Tolerable Downtime
        3. Business Impact Analysis
        4. Plan Review
        5. Testing the Plan
      4. Backing Up Data and Applications
        1. Types of Backups
      5. Incident Handling
        1. Preparation
        2. Identification
        3. Notification
        4. Response
        5. Recovery
        6. Followup
        7. Documentation and Reporting
      6. Recovery from a Disaster
        1. Activating the Disaster Recovery Plan
        2. Operating in a Reduced/Modified Environment
        3. Restoring Damaged Systems
        4. Disaster Recovery Issues
        5. Recovery Alternatives
        6. Interim or Alternate Processing Strategies
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 8 ASSESSMENT
    5. CHAPTER 9 Cryptography
      1. What Is Cryptography?
        1. Basic Cryptographic Principles
        2. A Brief History of Cryptography
        3. Cryptography’s Role in Information Security
      2. Business and Security Requirements for Cryptography
        1. Internal Security
        2. Security in Business Relationships
        3. Security Measures That Benefit Everyone
      3. Cryptographic Principles, Concepts, and Terminology
        1. Cryptographic Functions and Ciphers
      4. Types of Ciphers
        1. Transposition Ciphers
        2. Substitution Ciphers
        3. Product and Exponentiation Ciphers
      5. Symmetric and Asymmetric Key Cryptography
        1. Symmetric Key Ciphers
        2. Asymmetric Key Ciphers
        3. Cryptanalysis and Public Versus Private Keys
      6. Keys, Keyspace, and Key Management
        1. Cryptographic Keys and Keyspace
        2. Key Management
        3. Key Distribution
        4. Key Distribution Centers
      7. Digital Signatures and Hash Functions
        1. Hash Functions
        2. Digital Signatures
      8. Cryptographic Applications and Uses in Information System Security
        1. Other Cryptographic Tools and Resources
        2. Symmetric Key Standards
        3. Asymmetric Key Solutions
        4. Hash Function and Integrity
        5. Digital Signatures and Nonrepudiation
      9. Principles of Certificates and Key Management
        1. Modern Key Management Techniques
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 9 ASSESSMENT
    6. CHAPTER 10 Networks and Telecommunications
      1. The Open Systems Interconnection Reference Model
      2. The Main Types of Networks
        1. Wide Area Networks
        2. Local Area Networks
      3. TCP/IP and How It Works
        1. TCP/IP Overview
        2. IP Addressing
        3. Common Ports
        4. Common Protocols
        5. Internet Control Message Protocol
      4. Network Security Risks
        1. Categories of Risk
      5. Basic Network Security Defense Tools
        1. Firewalls
        2. Virtual Private Networks and Remote Access
        3. Network Access Control
      6. Wireless Networks
        1. Wireless Access Points
        2. Wireless Network Security Controls
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 10 ASSESSMENT
    7. CHAPTER 11 Malicious Code and Activity
      1. Characteristics, Architecture, and Operations of Malicious Software
      2. The Main Types of Malware
        1. Virus
        2. Spam
        3. Worms
        4. Trojan Horses
        5. Logic Bombs
        6. Active Content Vulnerabilities
        7. Malicious Add-Ons
        8. Injection
        9. Botnets
        10. Denial of Service Attacks
        11. Spyware
        12. Adware
        13. Phishing
        14. Keystroke Loggers
        15. Hoaxes and Myths
        16. Homepage Hijacking
        17. Webpage Defacements
      3. A Brief History of Malicious Code Threats
        1. 1970s and Early 1980s: Academic Research and UNIX
        2. 1980s: Early PC Viruses
        3. 1990s: Early LAN Viruses
        4. Mid-1990s: Smart Applications and the Internet
        5. 2000 to Present
      4. Threats to Business Organizations
        1. Types of Threats
        2. Internal Threats from Employees
      5. Anatomy of an Attack
        1. What Motivates Attackers?
        2. The Purpose of an Attack
        3. Types of Attacks
        4. Phases of an Attack
      6. Attack Prevention Tools and Techniques
        1. Application Defenses
        2. Operating System Defenses
        3. Network Infrastructure Defenses
        4. Safe Recovery Techniques and Practices
        5. Implementing Effective Software Best Practices
      7. Intrusion Detection Tools and Techniques
        1. Antivirus Scanning Software
        2. Network Monitors and Analyzers
        3. Content/Context Filtering and Logging Software
        4. Honeypots and Honeynets
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 11 ASSESSMENT
  11. PART III Information Security Standards, Education, Certifications, and Laws
    1. CHAPTER 12 Information Security Standards
      1. Standards Organizations
        1. National Institute of Standards and Technology
        2. International Organization for Standardization
        3. International Electrotechnical Commission
        4. World Wide Web Consortium
        5. Internet Engineering Task Force
        6. Institute of Electrical and Electronics Engineers
        7. International Telecommunication Union Telecommunication Sector
        8. American National Standards Institute
        9. European Telecommunications Standards Institute Cyber Security Technical Committee
      2. ISO 17799 (Withdrawn)
        1. ISO/IEC 27002
      3. Payment Card Industry Data Security Standard
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 12 ASSESSMENT
    2. CHAPTER 13 Information Systems Security Education and Training
      1. Self-Study Programs
      2. Instructor-Led Programs
        1. Certificate Programs
        2. Continuing Education Programs
      3. Postsecondary Degree Programs
        1. Associate’s Degree
        2. Bachelor’s Degree
        3. Master of Science Degree
        4. Master of Business Administration
        5. Doctoral Degree
      4. Information Security Training Programs
        1. Security Training Requirements
        2. Security Training Organizations
        3. Security Awareness Training
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 13 ASSESSMENT
    3. CHAPTER 14 Information Security Professional Certifications
      1. U.S. Department of Defense/Military Directive 8570.01
        1. U.S. DoD/Military Directive 8140
        2. U.S. DoD/NSA Training Standards
      2. Vendor-Neutral Professional Certifications
        1. International Information Systems Security Certification Consortium, Inc.
        2. SSCP®
        3. CISSP®
        4. CAP®
        5. CSSLP®
        6. CCFP®
        7. HCISPP®
        8. CCSP®
        9. Additional (ISC)2 Professional Certifications
        10. Global Information Assurance Certification/SANS Institute
        11. Certified Internet Webmaster
        12. CompTIA
        13. ISACA®
        14. Other Information Systems Security Certifications
      3. Vendor-Specific Professional Certifications
        1. Cisco Systems
      4. Juniper Networks
        1. RSA
        2. Symantec
        3. Check Point
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 14 ASSESSMENT
    4. CHAPTER 15 U.S. Compliance Laws
      1. Compliance Is the Law
      2. Federal Information Security
        1. The Federal Information Security Management Act of 2002
        2. The Federal Information Security Modernization Act of 2014
        3. The Role of the National Institute of Standards and Technology
        4. National Security Systems
      3. The Health Insurance Portability and Accountability Act
        1. Purpose and Scope
        2. Main Requirements of the HIPAA Privacy Rule
        3. Main Requirements of the HIPAA Security Rule
        4. Oversight
        5. Omnibus Regulations
      4. The Gramm-Leach-Bliley Act
        1. Purpose and Scope
        2. Main Requirements of the GLBA Privacy Rule
        3. Main Requirements of the GLBA Safeguards Rule
        4. Oversight
      5. The Sarbanes-Oxley Act
        1. Purpose and Scope
        2. SOX Control Certification Requirements
        3. SOX Records Retention Requirements
        4. Oversight
      6. The Family Educational Rights and Privacy Act
        1. Purpose and Scope
        2. Main Requirements
        3. Oversight
      7. The Children’s Internet Protection Act
        1. Purpose and Scope
        2. Main Requirements
        3. Oversight
      8. Payment Card Industry Data Security Standard
        1. Purpose and Scope
        2. Self-Assessment Questionnaire
        3. Main Requirements
      9. Making Sense of Laws for Information Security Compliance
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 15 ASSESSMENT
      13. ENDNOTES
    5. APPENDIX A Answer Key
    6. APPENDIX B Standard Acronyms
    7. APPENDIX C Earning the CompTIA Security+ Certification
  12. Glossary of Key Terms
  13. References
  14. Index