book

Fundamentals of Information Systems Security, 3rd Edition

by David Kim, Michael G. Solomon

October 2016

Beginner

548 pages

20h 17m

English

Jones & Bartlett Learning

Read now

Unlock full access

Information Systems SecurityRisks, Threats, and VulnerabilitiesWhat Is Information Systems Security?U.S. Compliance Laws Drive Need for Information Systems SecurityTenets of Information Systems SecurityConfidentialityIntegrityAvailabilityThe Seven Domains of a Typical IT InfrastructureUser DomainWorkstation DomainLAN DomainLAN-to-WAN DomainWAN DomainRemote Access DomainSystem/Application DomainWeakest Link in the Security of an IT InfrastructureEthics and the InternetIT Security Policy FrameworkDefinitionsFoundational IT Security PoliciesData Classification StandardsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 1 ASSESSMENT

Evolution of the Internet of ThingsConverting to a TCP/IP WorldIoT’s Impact on Human and Business LifeHow People Like to CommunicateIoT Applications That Impact Our LivesEvolution from Bricks and Mortar to E-CommerceWhy Businesses Must Have an Internet and IoT Marketing StrategyIP MobilityMobile Users and Bring Your Own DeviceMobile ApplicationsIP Mobile CommunicationsNew Challenges Created by the IoTSecurityPrivacyInteroperability and StandardsLegal and Regulatory IssuesE-Commerce and Economic Development IssuesCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 2 ASSESSMENT
Malicious Activity on the RiseWhat Are You Trying to Protect?Customer DataIT and Network InfrastructureIntellectual PropertyFinances and Financial DataService Availability and ProductivityReputationWhom Are You Trying to Catch?Attack ToolsProtocol AnalyzersPort ScannersOS Fingerprint ScannersVulnerability ScannersExploit SoftwareWardialersPassword CrackersKeystroke LoggersWhat Is a Security Breach?Denial of Service AttacksDistributed Denial of Service AttacksUnacceptable Web BrowsingWiretappingBackdoorsData ModificationsAdditional Security ChallengesWhat Are Risks, Threats, and Vulnerabilities?Threat TargetsThreat TypesWhat Is a Malicious Attack?Birthday AttacksBrute-Force Password AttacksDictionary Password AttacksIP Address SpoofingHijackingReplay AttacksMan-in-the-Middle AttacksMasqueradingEavesdroppingSocial EngineeringPhreakingPhishingPharmingWhat Is Malicious Software?VirusesWormsTrojan HorsesRootkitsSpywareWhat Are Common Types of Attacks?Social Engineering AttacksWireless Network AttacksWeb Application AttacksWhat Is a Countermeasure?Countering MalwareProtecting Your System with FirewallsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 3 ASSESSMENT
Defining Risk ManagementImplementing a BIA, a BCP, and a DRPBusiness Impact AnalysisBusiness Continuity PlanDisaster Recovery PlanAssessing Risks, Threats, and VulnerabilitiesClosing the Information Security GapAdhering to Compliance LawsKeeping Private Data ConfidentialMobile Workers and Use of Personally Owned DevicesBYOD ConcernsEndpoint and Device SecurityCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 4 ASSESSMENT
Four-Part Access ControlTwo Types of Access ControlsPhysical Access ControlLogical Access ControlAuthorization PoliciesMethods and Guidelines for IdentificationIdentification MethodsIdentification GuidelinesProcesses and Requirements for AuthenticationAuthentication TypesSingle Sign-OnPolicies and Procedures for AccountabilityLog FilesMonitoring and ReviewsData Retention, Media Disposal, and Compliance RequirementsFormal Models of Access ControlDiscretionary Access ControlOperating Systems-Based DACMandatory Access ControlNondiscretionary Access ControlRule-Based Access ControlAccess Control ListsRole-Based Access ControlContent-Dependent Access ControlConstrained User InterfaceOther Access Control ModelsEffects of Breaches in Access ControlThreats to Access ControlsEffects of Access Control ViolationsCredential and Permissions ManagementCentralized and Decentralized Access ControlTypes of AAA ServersDecentralized Access ControlPrivacyCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 5 ASSESSMENT
Security AdministrationControlling AccessDocumentation, Procedures, and GuidelinesDisaster Assessment and RecoverySecurity OutsourcingComplianceEvent LogsCompliance LiaisonRemediationProfessional EthicsCommon Fallacies About EthicsCodes of EthicsPersonnel Security PrinciplesThe Infrastructure for an IT Security PolicyPoliciesStandardsProceduresBaselinesGuidelinesData Classification StandardsInformation Classification ObjectivesExamples of ClassificationClassification ProceduresAssuranceConfiguration ManagementHardware Inventory and Configuration ChartThe Change Management ProcessChange Control ManagementChange Control CommitteesChange Control ProceduresChange Control IssuesApplication Software SecurityThe System Life CycleTesting Application SoftwareSoftware Development and SecuritySoftware Development ModelsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 6 ASSESSMENT
Security Auditing and AnalysisSecurity Controls Address RiskDetermining What Is AcceptablePermission LevelsAreas of Security AuditsPurpose of AuditsCustomer ConfidenceDefining Your Audit PlanDefining the Scope of the PlanAuditing BenchmarksAudit Data Collection MethodsAreas of Security AuditsControl Checks and Identity ManagementPost-Audit ActivitiesExit InterviewData AnalysisGeneration of Audit ReportPresentation of FindingsSecurity MonitoringSecurity Monitoring for Computer SystemsMonitoring IssuesLogging AnomaliesLog ManagementTypes of Log Information to CaptureHow to Verify Security ControlsIntrusion Detection System (IDS)Analysis MethodsHIDSLayered Defense: Network Access ControlControl Checks: Intrusion DetectionHost IsolationSystem HardeningReview Antivirus ProgramsMonitoring and Testing Security SystemsMonitoringTestingCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 7 ASSESSMENT
Risk Management and Information SecurityRisk TerminologyElements of RiskPurpose of Risk ManagementThe Risk Management ProcessIdentify RisksAssess RisksPlan a Risk ResponseImplement the Risk Response PlanMonitor and Control Risk ResponseBusiness Continuity ManagementTerminologyAssessing Maximum Tolerable DowntimeBusiness Impact AnalysisPlan ReviewTesting the PlanBacking Up Data and ApplicationsTypes of BackupsIncident HandlingPreparationIdentificationNotificationResponseRecoveryFollowupDocumentation and ReportingRecovery from a DisasterActivating the Disaster Recovery PlanOperating in a Reduced/Modified EnvironmentRestoring Damaged SystemsDisaster Recovery IssuesRecovery AlternativesInterim or Alternate Processing StrategiesCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 8 ASSESSMENT
What Is Cryptography?Basic Cryptographic PrinciplesA Brief History of CryptographyCryptography’s Role in Information SecurityBusiness and Security Requirements for CryptographyInternal SecuritySecurity in Business RelationshipsSecurity Measures That Benefit EveryoneCryptographic Principles, Concepts, and TerminologyCryptographic Functions and CiphersTypes of CiphersTransposition CiphersSubstitution CiphersProduct and Exponentiation CiphersSymmetric and Asymmetric Key CryptographySymmetric Key CiphersAsymmetric Key CiphersCryptanalysis and Public Versus Private KeysKeys, Keyspace, and Key ManagementCryptographic Keys and KeyspaceKey ManagementKey DistributionKey Distribution CentersDigital Signatures and Hash FunctionsHash FunctionsDigital SignaturesCryptographic Applications and Uses in Information System SecurityOther Cryptographic Tools and ResourcesSymmetric Key StandardsAsymmetric Key SolutionsHash Function and IntegrityDigital Signatures and NonrepudiationPrinciples of Certificates and Key ManagementModern Key Management TechniquesCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 9 ASSESSMENT
The Open Systems Interconnection Reference ModelThe Main Types of NetworksWide Area NetworksLocal Area NetworksTCP/IP and How It WorksTCP/IP OverviewIP AddressingCommon PortsCommon ProtocolsInternet Control Message ProtocolNetwork Security RisksCategories of RiskBasic Network Security Defense ToolsFirewallsVirtual Private Networks and Remote AccessNetwork Access ControlWireless NetworksWireless Access PointsWireless Network Security ControlsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 10 ASSESSMENT
Characteristics, Architecture, and Operations of Malicious SoftwareThe Main Types of MalwareVirusSpamWormsTrojan HorsesLogic BombsActive Content VulnerabilitiesMalicious Add-OnsInjectionBotnetsDenial of Service AttacksSpywareAdwarePhishingKeystroke LoggersHoaxes and MythsHomepage HijackingWebpage DefacementsA Brief History of Malicious Code Threats1970s and Early 1980s: Academic Research and UNIX1980s: Early PC Viruses1990s: Early LAN VirusesMid-1990s: Smart Applications and the Internet2000 to PresentThreats to Business OrganizationsTypes of ThreatsInternal Threats from EmployeesAnatomy of an AttackWhat Motivates Attackers?The Purpose of an AttackTypes of AttacksPhases of an AttackAttack Prevention Tools and TechniquesApplication DefensesOperating System DefensesNetwork Infrastructure DefensesSafe Recovery Techniques and PracticesImplementing Effective Software Best PracticesIntrusion Detection Tools and TechniquesAntivirus Scanning SoftwareNetwork Monitors and AnalyzersContent/Context Filtering and Logging SoftwareHoneypots and HoneynetsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 11 ASSESSMENT
Standards OrganizationsNational Institute of Standards and TechnologyInternational Organization for StandardizationInternational Electrotechnical CommissionWorld Wide Web ConsortiumInternet Engineering Task ForceInstitute of Electrical and Electronics EngineersInternational Telecommunication Union Telecommunication SectorAmerican National Standards InstituteEuropean Telecommunications Standards Institute Cyber Security Technical CommitteeISO 17799(Withdrawn)ISO/IEC 27002Payment Card Industry Data Security StandardCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 12 ASSESSMENT
Self-Study ProgramsInstructor-Led ProgramsCertificate ProgramsContinuing Education ProgramsPostsecondary Degree ProgramsAssociate’s DegreeBachelor’s DegreeMaster of Science DegreeMaster of Business AdministrationDoctoral DegreeInformation Security Training ProgramsSecurity Training RequirementsSecurity Training OrganizationsSecurity Awareness TrainingCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 13 ASSESSMENT
U.S. Department of Defense/Military Directive 8570.01U.S. DoD/Military Directive 8140U.S. DoD/NSA Training StandardsVendor-Neutral Professional CertificationsInternational Information Systems Security Certification Consortium, Inc.SSCP®CISSP®CAP®CSSLP®CCFP®HCISPP®CCSP®Additional (ISC)2 Professional CertificationsGlobal Information Assurance Certification/SANS InstituteCertified Internet WebmasterCompTIAISACA®Other Information Systems Security CertificationsVendor-Specific Professional CertificationsCisco SystemsJuniper NetworksRSASymantecCheck PointCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 14 ASSESSMENT
Compliance Is the LawFederal Information SecurityThe Federal Information Security Management Act of 2002The Federal Information Security Modernization Act of 2014The Role of the National Institute of Standards and TechnologyNational Security SystemsThe Health Insurance Portability and Accountability ActPurpose and ScopeMain Requirements of the HIPAA Privacy RuleMain Requirements of the HIPAA Security RuleOversightOmnibus RegulationsThe Gramm-Leach-Bliley ActPurpose and ScopeMain Requirements of the GLBA Privacy RuleMain Requirements of the GLBA Safeguards RuleOversightThe Sarbanes-Oxley ActPurpose and ScopeSOX Control Certification RequirementsSOX Records Retention RequirementsOversightThe Family Educational Rights and Privacy ActPurpose and ScopeMain RequirementsOversightThe Children’s Internet Protection ActPurpose and ScopeMain RequirementsOversightPayment Card Industry Data Security StandardPurpose and ScopeSelf-Assessment QuestionnaireMain RequirementsMaking Sense of Laws for Information Security ComplianceCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 15 ASSESSMENTENDNOTES

Overview

Revised and updated with the latest data in the field, Fundamentals of Information Systems Security, Third Edition provides a comprehensive overview of the essential concepts readers must know as they pursue careers in information systems security. The text opens with a discussion of the new risks, threats, and vulnerabilities associated with the transition to a digital world. Part 2 presents a high level overview of the Security+ Exam and provides students with information as they move toward this certification.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Fundamentals of Information Systems Security, 4th Edition

Publisher Resources

ISBN: 9781284116465

Fundamentals of Information Systems Security, 3rd Edition

by David Kim, Michael G. Solomon

Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Fundamentals of Information Systems Security, 4th Edition