Fundamentals of Information Systems Security, 4th Edition

Book description

Fundamentals of Information Systems Security, Fourth Edition provides a comprehensive overview of the essential concepts readers must know as they pursue careers in information systems security.

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication Page
  5. Contents
  6. Preface
  7. New to This Edition
  8. Acknowledgments
  9. The Authors
  10. CHAPTER 1 Information Systems Security
    1. Information Systems Security
      1. Risks, Threats, and Vulnerabilities
      2. What Is Information Systems Security?
      3. Compliance Laws and Regulations Drive the Need for Information Systems Security
    2. Tenets of Information Systems Security
      1. Confidentiality
      2. Integrity
      3. Availability
    3. The Seven Domains of a Typical IT Infrastructure
      1. User Domain
      2. Workstation Domain
      3. LAN Domain
      4. LAN-to-WAN Domain
      5. WAN Domain
      6. Remote Access Domain
      7. System/Application Domain
    4. Weakest Link in the Security of an IT Infrastructure
      1. Ethics and the Internet
    5. IT Security Policy Framework
      1. Definitions
      2. Foundational IT Security Policies
    6. Data Classification Standards
    7. Chapter Summary
    8. Key Concepts and Terms
    9. Chapter 1 Assessment
  11. CHAPTER 2 Emerging Technologies Are Changing How We Live
    1. Evolution of the Internet of Things
    2. Converting to a TCP/IP World
    3. IoT’s Impact on Human and Business Life
      1. How People Like to Communicate
      2. IoT Applications That Impact Our Lives
    4. Evolution from Brick and Mortar to E-Commerce
    5. Why Businesses Must Have an Internet and IoT Marketing Strategy
    6. IP Mobility
      1. Mobile Users and Bring Your Own Device
    7. Mobile Applications
      1. IP Mobile Communications
    8. New Challenges Created by the IoT
      1. Security
      2. Privacy
      3. Interoperability and Standards
      4. Legal and Regulatory Issues
      5. E-Commerce and Economic Development Issues
    9. Chapter Summary
    10. Key Concepts and Terms
    11. Chapter 2 Assessment
  12. CHAPTER 3 Risks, Threats, and Vulnerabilities
    1. Risk Management and Information Security
      1. Risk Terminology
      2. Elements of Risk
      3. Purpose of Risk Management
    2. The Risk Management Process
      1. Identify Risks
      2. Assess and Prioritize Risks
      3. Plan a Risk Response Strategy
      4. Implement the Risk Response Plan
      5. Monitor and Control Risk Response
    3. IT and Network Infrastructure
      1. Intellectual Property
      2. Finances and Financial Data
      3. Service Availability and Productivity
      4. Reputation
    4. Who Are the Perpetrators?
    5. Risks, Threats, and Vulnerabilities in an IT Infrastructure
      1. Threat Targets
      2. Threat Types
    6. What Is a Malicious Attack?
      1. Birthday Attacks
      2. Brute-Force Password Attacks
      3. Credential Harvesting and Stuffing
      4. Dictionary Password Attacks
      5. IP Address Spoofing
      6. Hijacking
      7. Replay Attacks
      8. Man-in-the-Middle Attacks
      9. Masquerading
      10. Eavesdropping
      11. Social Engineering
      12. Phreaking
      13. Phishing
      14. Pharming
    7. What Are Common Attack Vectors?
      1. Social Engineering Attacks
      2. Wireless Network Attacks
      3. Web Application Attacks
    8. The Importance of Countermeasures
    9. Chapter Summary
    10. Key Concepts and Terms
    11. Chapter 3 Assessment
  13. CHAPTER 4 Business Drivers of Information Security
    1. Risk Management’s Importance to the Organization
    2. Understanding the Relationship between a BIA, a BCP, and a DRP
      1. Business Impact Analysis (BIA)
      2. Business Continuity Plan (BCP)
      3. Disaster Recovery Plan (DRP)
    3. Assessing Risks, Threats, and Vulnerabilities
    4. Closing the Information Security Gap
    5. Adhering to Compliance Laws
    6. Keeping Private Data Confidential
    7. Mobile Workers and Use of Personally Owned Devices
      1. BYOD Concerns
      2. Endpoint and Device Security
    8. Chapter Summary
    9. Key Concepts and Terms
    10. Chapter 4 Assessment
  14. CHAPTER 5 Networks and Telecommunications
    1. The Open Systems Interconnection Reference Model
    2. The Main Types of Networks
      1. Wide Area Networks
      2. Local Area Networks
    3. TCP/IP and How It Works
      1. TCP/IP Overview
      2. IP Addressing
      3. Common Ports
      4. Common Protocols
      5. Internet Control Message Protocol
    4. Network Security Risks
      1. Categories of Risk
    5. Basic Network Security Defense Tools
      1. Firewalls
      2. Virtual Private Networks and Remote Access
      3. Network Access Control
      4. Voice and Video in an IP Network
    6. Wireless Networks
      1. Wireless Access Points
      2. Wireless Network Security Controls
    7. Chapter Summary
    8. Key Concepts and Terms
    9. Chapter 5 Assessment
  15. CHAPTER 6 Access Controls
    1. Four-Part Access Control
    2. Two Types of Access Controls
      1. Physical Access Control
      2. Logical Access Control
    3. Authorization Policies
    4. Methods and Guidelines for Identification
      1. Identification Methods
      2. Identification Guidelines
    5. Processes and Requirements for Authentication
      1. Authentication Types
      2. Single Sign-On
    6. Policies and Procedures for Accountability
      1. Log Files
      2. Monitoring and Reviewing
      3. Data Retention, Media Disposal, and Compliance Requirements
    7. Formal Models of Access Control
      1. Discretionary Access Control
      2. Operating Systems–Based DAC
      3. Mandatory Access Control
      4. Nondiscretionary Access Control
      5. Rule-Based Access Control
      6. Access Control Lists
      7. Role-Based Access Control
      8. Content-Dependent Access Control
      9. Constrained User Interface
      10. Other Access Control Models
    8. Effects of Breaches in Access Control
    9. Threats to Access Controls
    10. Effects of Access Control Violations
    11. Credential and Permissions Management
    12. Centralized and Decentralized Access Control
      1. Types of AAA Servers
      2. Decentralized Access Control
      3. Privacy
    13. Chapter Summary
    14. Key Concepts and Terms
    15. Chapter 6 Assessment
  16. CHAPTER 7 Cryptography
    1. What Is Cryptography?
      1. Basic Cryptographic Principles
      2. A Brief History of Cryptography
      3. Cryptography’s Role in Information Security
    2. Business and Security Requirements for Cryptography
      1. Internal Security
      2. Security in Business Relationships
      3. Security Measures That Benefit Everyone
    3. Cryptographic Principles, Concepts, and Terminology
      1. Cryptographic Functions and Ciphers
    4. Types of Ciphers
      1. Transposition Ciphers
      2. Substitution Ciphers
      3. Product and Exponentiation Ciphers
    5. Symmetric and Asymmetric Key Cryptography
      1. Symmetric Key Ciphers
      2. Asymmetric Key Ciphers
      3. Cryptanalysis and Public Versus Private Keys
    6. Keys, Keyspace, and Key Management
      1. Cryptographic Keys and Keyspace
      2. Key Management
      3. Key Distribution
      4. Key Distribution Centers
    7. Digital Signatures and Hash Functions
      1. Hash Functions
      2. Digital Signatures
    8. Cryptographic Applications and Uses in Information System Security
      1. Other Cryptographic Tools and Resources
      2. Symmetric Key Standards
      3. Asymmetric Key Solutions
      4. Hash Function and Integrity
      5. Digital Signatures and Nonrepudiation
    9. Principles of Certificates and Key Management
      1. Modern Key Management Techniques
    10. Chapter Summary
    11. Key Concepts and Terms
    12. Chapter 7 Assessment
  17. CHAPTER 8 Malicious Software and Attack Vectors
    1. Characteristics, Architecture, and Operations of Malicious Software
    2. The Main Types of Malware
      1. Viruses
      2. Spam
      3. Worms
      4. Trojan Horses
      5. Logic Bombs
      6. Active Content Vulnerabilities
      7. Malicious Add-Ons
      8. Injection
      9. Botnets
      10. Denial of Service Attacks
      11. Spyware
      12. Adware
      13. Phishing
      14. Keystroke Loggers
      15. Hoaxes and Myths
      16. Homepage Hijacking
      17. Webpage Defacements
    3. A Brief History of Malicious Code Threats
      1. 1970s and Early 1980s: Academic Research and UNIX
      2. 1980s: Early PC Viruses
      3. 1990s: Early LAN Viruses
      4. Mid-1990s: Smart Applications and the Internet
      5. 2000 to the Present
    4. Threats to Business Organizations
      1. Types of Threats
      2. Internal Threats from Employees
    5. Anatomy of an Attack
      1. What Motivates Attackers?
      2. The Purpose of an Attack
      3. Types of Attacks
      4. Phases of an Attack
    6. Attack Prevention Tools and Techniques
      1. Application Defenses
      2. Operating System Defenses
      3. Network Infrastructure Defenses
      4. Safe Recovery Techniques and Practices
      5. Implementing Effective Software Best Practices
    7. Intrusion Detection Tools and Techniques
      1. Antivirus Scanning Software
      2. Network Monitors and Analyzers
      3. Content/Context Filtering and Logging Software
      4. Honeypots and Honeynets
    8. Chapter Summary
    9. Key Concepts and Terms
    10. Chapter 8 Assessment
  18. CHAPTER 9 Security Operations and Administration
    1. Security Administration
      1. Controlling Access
      2. Documentation, Procedures, and Guidelines
      3. Disaster Assessment and Recovery
      4. Security Outsourcing
    2. Compliance
      1. Event Logs
      2. Compliance Liaison
      3. Remediation
    3. Professional Ethics
      1. Common Fallacies About Ethics
      2. Codes of Ethics
      3. Personnel Security Principles
    4. The Infrastructure for an IT Security Policy
      1. Policies
      2. Standards
      3. Procedures
      4. Baselines
      5. Guidelines
    5. Data Classification Standards
      1. Information Classification Objectives
      2. Examples of Classification
      3. Classification Procedures
      4. Assurance
    6. Configuration Management
      1. Hardware Inventory and Configuration Chart
    7. The Change Management Process
      1. Change Control Management
      2. Change Control Committees
      3. Change Control Procedures
      4. Change Control Issues
    8. Application Software Security
      1. The System Life Cycle
      2. Testing Application Software
    9. Software Development and Security
      1. Software Development Models
    10. Chapter Summary
    11. Key Concepts and Terms
    12. Chapter 9 Assessment
  19. CHAPTER 10 Auditing, Testing, and Monitoring
    1. Security Auditing and Analysis
      1. Security Controls Address Risk
      2. Determining What Is Acceptable
      3. Permission Levels
      4. Areas of Security Audits
      5. Purpose of Audits
      6. Customer Confidence
    2. Defining the Audit Plan
      1. Defining the Scope of the Plan
    3. Auditing Benchmarks
    4. Audit Data Collection Methods
      1. Areas of Security Audits
      2. Control Checks and Identity Management
    5. Post-Audit Activities
      1. Exit Interview
      2. Data Analysis
      3. Generation of Audit Report
      4. Presentation of Findings
    6. Security Monitoring
      1. Security Monitoring for Computer Systems
      2. Monitoring Issues
      3. Logging Anomalies
      4. Log Management
    7. Types of Log Information to Capture
    8. How to Verify Security Controls
      1. Intrusion Detection System
      2. Analysis Methods
      3. HIDS
      4. Layered Defense: Network Access Control
      5. Control Checks: Intrusion Detection
      6. Host Isolation
      7. System Hardening
    9. Monitoring and Testing Security Systems
      1. Monitoring
      2. Testing
    10. Chapter Summary
    11. Key Concepts and Terms
    12. Chapter 10 Assessment
  20. CHAPTER 11 Contingency Planning
    1. Business Continuity Management
      1. Emerging Threats
      2. Static Environments
      3. Terminology
      4. Assessing Maximum Tolerable Downtime
      5. Business Impact Analysis
      6. Plan Review
      7. Testing the Plan
    2. Backing Up Data and Applications
      1. Types of Backups
    3. Incident Handling
      1. Preparation
      2. Identification
      3. Notification
      4. Response
      5. Recovery
      6. Follow-Up
      7. Documentation and Reporting
    4. Recovery from a Disaster
      1. Activating the Disaster Recovery Plan
      2. Operating in a Reduced/Modified Environment
      3. Restoring Damaged Systems
      4. Disaster Recovery Issues
      5. Recovery Alternatives
      6. Interim or Alternate Processing Strategies
    5. Chapter Summary
    6. Key Concepts and Terms
    7. Chapter 11 Assessment
  21. CHAPTER 12 Digital Forensics
    1. Introduction to Digital Forensics
      1. Understanding Digital Forensics
      2. Knowledge That Is Needed for Forensic Analysis
    2. Overview of Computer Crime
      1. Types of Computer Crime
      2. The Impact of Computer Crime on Forensics
    3. Forensic Methods and Labs
      1. Forensic Methodologies
      2. Setting Up a Forensic Lab
    4. Collecting, Seizing, and Protecting Evidence
      1. The Importance of Proper Evidence Handling
      2. Imaging Original Evidence
    5. Recovering Data
      1. Undeleting Data
      2. Recovering Data from Damaged Media
    6. Operating System Forensics
      1. Internals and Storage
      2. Command-Line Interface and Scripting
    7. Mobile Forensics
      1. Mobile Device Evidence
      2. Seizing Evidence from a Mobile Device
    8. Chapter Summary
    9. Key Concepts and Terms
    10. Chapter 12 Assessment
  22. CHAPTER 13 Information Security Standards
    1. Standards Organizations
      1. National Institute of Standards and Technology
      2. International Organization for Standardization
      3. International Electrotechnical Commission
      4. World Wide Web Consortium
      5. Internet Engineering Task Force
      6. Institute of Electrical and Electronics Engineers
      7. International Telecommunication Union Telecommunication Sector
      8. American National Standards Institute
      9. European Telecommunications Standards Institute Cyber Security Technical Committee
    2. ISO 17799 (Withdrawn)
      1. ISO/IEC 27002
      2. Payment Card Industry Data Security Standard
    3. Chapter Summary
    4. Key Concepts and Terms
    5. Chapter 13 Assessment
  23. CHAPTER 14 Information Security Certifications
    1. U.S. Department of Defense/Military Directive 8570.01
      1. U.S. DoD/Military Directive 8140
      2. U.S. DoD Training Framework
    2. Vendor-Neutral Professional Certifications
      1. International Information Systems Security Certification Consortium, Inc.
      2. Global Information Assurance Certification/SANS Institute
      3. Certified Internet Web Professional
      4. CompTIA
      5. ISACA®
      6. Other Information Systems Security Certifications
    3. Vendor-Specific Professional Certifications
      1. Cisco Systems
      2. Juniper Networks
      3. RSA
      4. Symantec
      5. Check Point
    4. Chapter Summary
    5. Key Concepts and Terms
    6. Chapter 14 Assessment
  24. CHAPTER 15 Compliance Laws
    1. Compliance Is the Law
    2. Federal Information Security
      1. The Federal Information Security Management Act of 2002
      2. The Federal Information Security Modernization Act of 2014
      3. The Role of the National Institute of Standards and Technology
      4. National Security Systems
    3. The Health Insurance Portability and Accountability Act (HIPAA)
      1. Purpose and Scope
      2. Main Requirements of the HIPAA Privacy Rule
      3. Main Requirements of the HIPAA Security Rule
      4. Oversight
      5. Omnibus Regulations
    4. The Gramm-Leach-Bliley Act
      1. Purpose and Scope
      2. Main Requirements of the GLBA Privacy Rule
      3. Main Requirements of the GLBA Safeguards Rule
      4. Oversight
    5. The Sarbanes-Oxley Act
      1. Purpose and Scope
      2. SOX Control Certification Requirements
      3. SOX Records Retention Requirements
      4. Oversight
    6. The Family Educational Rights and Privacy Act
      1. Purpose and Scope
      2. Main Requirements
      3. Oversight
    7. The Children’s Online Privacy Protection Act of 1998
    8. The Children’s Internet Protection Act
      1. Purpose and Scope
      2. Main Requirements
      3. Oversight
    9. Payment Card Industry Data Security Standard
      1. Purpose and Scope
      2. Self-Assessment Questionnaire
    10. General Data Protection Regulation
    11. California Consumer Privacy Act
    12. Making Sense of Laws for Information Security Compliance
    13. Chapter Summary
    14. Key Concepts and Terms
    15. Chapter 15 Assessment
  25. APPENDIX A Answer Key
  26. APPENDIX B Standard Acronyms
  27. APPENDIX C Earning the CompTIA Security+ Certification
  28. Glossary of Key Terms
  29. References
  30. Index

Product information

  • Title: Fundamentals of Information Systems Security, 4th Edition
  • Author(s): David Kim, Michael G. Solomon
  • Release date: December 2021
  • Publisher(s): Jones & Bartlett Learning
  • ISBN: 9781284220742