Information Security for Managers

Book Description

Information systems have improved over the years to become more effective in collecting and rendering information for consumers, but these improvements have been accompanied by increases in both the frequency and the sophistication of attacks against them. The impacts of attacks on companies are significant, and managers are responsible for their organizations' security. Failures can cause significant losses to companies and their suppliers and clients, may cost managers their jobs, and may even lead to legal liabilities adjudicated against them. This textbook takes a different approach than most texts on the subject, which are organized topically. Pedagogically, Information Security for Managers uses an incremental development method called knowledge scaffolding, a proven educational technique for learning subject matter thoroughly by reinforcing it through an elaborative rehearsal process. This resource includes coverage of threats to confidentiality, integrity, and availability, as well as countermeasures to preserve them. The textbook also draws extensively on the latest applied research and development rather than simply rehashing materials and topics found in nearly all existing textbooks and popular reading materials. Instructor resources include answers to the end-of-chapter questions and a PowerPoint image bank that contains key images from the text.

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Preface
  6. Section One What Should Managers Know About Security Policies and Procedures?
    1. Chapter 1 Introduction to Information Security
      1. Technological and Behavioral Security Issues
        1. Organizational Governance
        2. Security, Cyber Crime, and Costs
        3. Management Duties, Responsibilities, and Threats
      2. Assessing and Planning
        1. Financial Evaluations
        2. Attacks, Monitoring, and Recovery
        3. Reasons Why “They” Attack “Us”
    2. Chapter 2 Corporations and the Rule of Law
      1. Legal Organizational Structure
        1. Accountability, Responsibility, and Law
        2. Roles of Corporate Trust and Regulation
        3. Formal Project Undertakings
        4. Power and Organizational Structure
      2. Fiduciary Responsibilities
        1. Fiduciary Duties and Legal Ethics
        2. Law and Ethics Intersection
        3. Legal and Ethical Consciousness
      3. Law and Enforceable Security Policies
        1. Enforceable Security Policies
        2. People and Policies—The Weakest Link
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    3. Chapter 3 Management, Security Law, and Policies
      1. The Management Discipline
        1. Management Initiatives and Security
        2. Information Security Management
        3. Information Security Management Life Cycle
      2. Security Law and Cyber Knowledge Work
        1. Security, Employment Law, and Policies
        2. Virtual Work, Security, and Privacy
      3. Intellectual Property Law
        1. Trade Secrets
        2. Patents
        3. Copyrights
      4. Employee Surveillance and Privacy
        1. Video Surveillance
        2. Privacy and Policy
        3. Surveillance and Organizational Justice
      5. Cyber Law and Cyber Crime
        1. International, Federal, and State Cyber Law
        2. Employee Behavior and Cyber Law
        3. Corporate Espionage
      6. Forensics
        1. What Constitutes Evidence?
        2. Cyber Crime Evidence
        3. Cyber Law and Cyber Crime Issues
      7. Chapter Summary
      8. Think About It
      9. Key Concepts and Terms
    4. Chapter 4 Security Regulations and Governance
      1. Governance and U.S. Regulations
        1. Gramm-Leach-Bliley Act (GLBA)
        2. U.S. Fair and Accurate Credit Transactions Act (FACTA)
        3. U.S. Sarbanes–Oxley Act (SOX)
        4. OMB Circular A-123 (Revised)
        5. Government Information Security Reform Act of 2000
        6. HIPAA and Health Insurance Reform
      2. Non-U.S. and International Governance
        1. U.K. Combined Code on Corporate Governance
        2. CCCG and Turnbull Guidance
        3. Basel II
        4. U.K. Data Protection Act
        5. European Union and Other Privacy Protections
        6. Canadian PIPEDA
        7. Asian APEC Data Privacy Subgroup
      3. Management and Governance
        1. Governance and Security Programs
        2. Enactment of Security Programs
        3. Analyzing the Problem and Managing IT
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    5. Chapter 5 Security Programs: Risk Assessment and Management
      1. Risk Assessment and Management Overview
        1. Security Program Overview
        2. Risk Assessment Overview
        3. Risk Mitigation Overview
      2. Risk Determination and Control Frameworks
        1. ITIL / ITSM
        2. COBIT
        3. ISO 27K IT Security Control Selection
        4. NIST 800-53
      3. Risk Management Frameworks
        1. Octave
        2. NIST 800-30
        3. Using Frameworks for Implementing Plans
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    6. Chapter 6 Managing Organizations Securely
      1. Security Management Overview
        1. Information and Systems Security Infrastructure
        2. Information Assets: Classification and Architecture
        3. Security Policies and Models
        4. Stances and Countermeasures
      2. Risk Assessment and Management
        1. Risks and Countermeasures
        2. Hoping for the Best, Planning for the Worst
        3. Trusted Computing Base Versus Common Criteria
        4. Evaluation and Certification
      3. Monitoring and Security Policies
        1. Monitoring as a Policy
        2. Information Collection and Storage
        3. Monitoring and Organizational Justice
        4. Surveillance and Trust
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
  7. Section Two Technology Orientation for Managers
    1. Chapter 7 Data, Information, and Systems
      1. Information Systems
        1. The Nature of Data and Information
        2. IS Operations, Tactics, and Strategies
        3. Information Integration and Exchange
      2. Databases
        1. Relational Databases
        2. Relational Databases and Maintaining Data Integrity
        3. Data Warehouses
        4. Extract-Transform-Load (ETL)
      3. Distributed Systems and Information
        1. Globalization and Information Exchange
        2. Distributed Systems Architecture
        3. Markup: HTML and XML
        4. Parsing Markup
        5. RDF and Ontology Markup
        6. Active Semantic Systems
        7. Agent Frameworks and Semantic Fusion
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    2. Chapter 8 Programming Concepts
      1. Program Creation
        1. Programming Logic and Syntax
        2. Operations, Expressions, and Tasks
      2. Software Construction
        1. Code-Level Design: Coupling
        2. Code-Level Design: Cohesion
        3. Rapid Application Development Tools
        4. IDE, Wizards, and Toolkits
        5. Native Programming Environments
      3. Chapter Summary
      4. Think About It
      5. Key Concepts and Terms
    3. Chapter 9 Applications Programming
      1. Object-Oriented Software
        1. Objects and Object Features
        2. The Nature of Software Objects
        3. Abstractions and Complex Data Types
        4. Object Composition
        5. OOP and Applications
      2. Database Interaction
        1. SQL Overview
        2. Software and RDBMS Concurrency
      3. Distributed Systems
        1. Web Applications
        2. Web Application Processing
        3. JAVA Servlets
        4. Distributed Web-Based Systems
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    4. Chapter 10 Computer Operating Systems
      1. Operating Systems: An Introduction
        1. Systems and Software
        2. What Do OS Do?
        3. Windows and UNIX (Linux)
      2. Digital Architecture
        1. Hardware Components
        2. Binary Logic and Computer Hardware
        3. Hardware Logic and Software Instructions
      3. UNIX-Based Operating System Functions
        1. OS Features
        2. UNIX-Based (Including Linux and MAC/OS) Processes
        3. The UNIX-Based File System
        4. Disk Memory Management
        5. UNIX System Input–Output (I/O) and Device Drivers
      4. Microsoft Windows Operating System
        1. Windows as a Reference Example
        2. Windows Microkernel, Memory, and I/O Management
        3. Windows Processes and Security Management
        4. Microsoft Registry
      5. Chapter Summary
      6. Think About It
      7. Key Concepts and Terms
    5. Chapter 11 Networks and Addressing
      1. The ISO/OSI and TCP/IP
        1. Layered Architecture
        2. Inter-Networking
        3. Packet and Circuit Switching
        4. Network Topologies
      2. Devices and Addressing
        1. IP Addressing
        2. Subnetworks
        3. IPv4 Versus IPv6
        4. IPv6 Address Groupings and Uses
        5. IPv6 Address Configuration
      3. Network Connections Summarized
        1. Data Link Layer Connectivity
        2. Communications Facilities
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    6. Chapter 12 Protocols and Routing
      1. Link-Point Networking
        1. Physical Connections
        2. Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
        3. Transiting Data: Egress and Ingress
        4. Internet Control Message Protocol (ICMP)
      2. Encapsulation and the TCP/IP Protocol Stack
        1. Headers and Name Resolution
        2. Address Resolution Protocol (ARP)
      3. End-Point Networking
        1. Services and Sockets
        2. Transport and Sessions
        3. Applications Layer Protocols
      4. Routing Data
        1. Routes and Route Tables
        2. Routing Protocols
      5. Chapter Summary
      6. Think About It
      7. Key Concepts and Terms
  8. Section Three Computer and Network Security
    1. Chapter 13 Information Systems Security
      1. Social Interactions and Security Implications
        1. Mobility and Threats
        2. Distributed Work and Threats
        3. Interconnectivity and Threats
        4. Security Countermeasures and Complications
      2. Broad Attack Classifications and Examples
        1. Information System Attack Examples
        2. Social Engineering Attack Examples
        3. Mobile Device Attack Examples
      3. Infosec
        1. Threat Awareness and Risk Management
        2. Administrative, Technical, and Physical Controls
      4. Managing Organization Members Securely
        1. Perceptions of Control and Security
        2. Sins of Omission
        3. Sins of Commission
        4. Social Influences and Legalistic Perceptions
      5. Chapter Summary
      6. Think About It
      7. Key Concepts and Terms
    2. Chapter 14 Computer Security
      1. Hosts and Security—A Windows Example
        1. Microsoft Active Directory
        2. Windows Security Access Controls
        3. Windows Service and Process Security
        4. Access Management Framework in Windows
        5. Windows Version Security Differences
      2. Getting Past OS Security Features
        1. Circumventing Security (in Windows and Other OS)
        2. Host Attack Classifications and Examples
      3. Monitoring Attacks—Tools of the Trade
        1. Monitoring Host Attacks
        2. Intrusion Detection Systems
      4. Assessing Systems Security
        1. Assessing the Information and System
        2. Vulnerability Testing
        3. Test Reports and Recommendations
      5. Hardening Systems
        1. Ensuring a Trusted Configuration
        2. Password Protections
        3. User Authentication
      6. Biometrics
        1. Biometrics Acceptance
        2. Biometric Security Process and Information Protection
        3. Biometrics and Errors
        4. Biometric Errors and Technology
        5. Biometric Frontiers in Computer Security
      7. Secure Software and Systems SDLC
        1. Secure Systems Development
        2. Configuration Management
      8. Chapter Summary
      9. Think About It
      10. Key Concepts and Terms
    3. Chapter 15 Network Security
      1. Protecting Networks from Being Undermined
        1. Threats and Network Security
        2. Attacks and Tools
        3. Some Attack Classifications and Examples
      2. Know Thy Enemy’s Modus Operandi
        1. Reconnaissance and Attack Preparations
        2. Enumeration
        3. Sorting Out the Targets and Gaining a Foothold
        4. Target Exploitation
      3. Network Security Issues—Link to Link
        1. Connection Layer Security Issues
        2. Link Layer Security Issues
        3. ARP, Neighbor Discovery, and Poisoning
        4. Internet Layer Security Issues
      4. Network Security Issues—End to End
        1. ICMP Security Issues
        2. Layer 4 (TCP/UDP) Security Issues
        3. Port Attacks and SYN Floods
      5. Network Countermeasures
        1. Limiting and Controlling Information Releases
        2. Protecting Zone Transfers and Thwarting DNS Spoofing
        3. Using Proxies and VPNs
      6. Chapter Summary
      7. Think About It
      8. Key Concepts and Terms
    4. Chapter 16 Cryptography Uses and Firewalls
      1. Cryptography in Use
        1. Who Knows Whom: X.509 Certificates
        2. IPSec Implementation
        3. IPSec Example
        4. SSL/TLS
        5. Virtual Private Networks (VPNs)
      2. Firewall Systems
        1. Stateless Screening Filters
        2. Stateful Packet Inspection
        3. Circuit Gateway Firewalls
        4. Application-Layer Firewall
        5. Bastion Hosts
      3. Firewall Architecture
        1. “Belt and Braces” Architecture
        2. Screened Subnet Architecture
        3. Ontology-Based Architecture
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    5. Chapter 17 Cryptography—And How IT Works
      1. Cryptography Overview
        1. Cryptographic Concepts
        2. Generating a Simple Cipher Code
        3. Breaking a Simple Cipher Code
        4. Ciphertext Dissection and “S” Boxes
        5. Cryptography and Security Goals
      2. Symmetric Cryptography
        1. Symmetric Ciphers and Keys
        2. Substitution, Transposition, and Permutation
        3. Modern Symmetric Ciphers
        4. Key Issues with Symmetric Cryptography
      3. Asymmetric Cryptography
        1. Public Keys and Asymmetric Cryptography
        2. Beyond Encrypting Messages
        3. Key Distribution and PKI
        4. Public Key Algorithms: RSA as an Example
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    6. Chapter 18 Web Applications Security
      1. Web-Based Versus Web-Enabled Applications
        1. A Definition of Web Applications
        2. Client-Server Web Applications and Security
        3. Web Services and Cloud Computing
        4. Securing Web Servers
        5. Web Application Threats
      2. Protections for Web Servers
        1. Authentication
        2. Password Protections
        3. Authorization
        4. Input Validation
        5. Session Management
        6. Web Services and Security
        7. Protecting Web Content
      3. Chapter Summary
      4. Think About It
      5. Key Concepts and Terms
  9. Section Four Managing Organizations Securely
    1. Chapter 19 Configuration Management
      1. CM and Computer Security Procedures
        1. CM and Management Frameworks
        2. Managing Configurations
        3. Security Configuration Management
      2. Security Management
        1. Security Management Planning—System Level
        2. Configuring to a Secure State
        3. Managed Enterprises
        4. Checklist Groups
      3. Extended Guidelines
        1. DISA STIGs
        2. Private Industry Baseline Security
        3. Center for Internet Security Benchmarks
      4. Maintaining the Secure State
        1. Controlling Changes
        2. Conducting a Security Impact Analysis
        3. Certification and Accreditation
      5. Chapter Summary
      6. Think About It
      7. Key Concepts and Terms
    2. Chapter 20 Operations
      1. Maintaining Operations
        1. The SDLC and Security
        2. Planning: Failures Are a Rule, Not an Exception
        3. Maintaining Operational Capabilities
      2. Operational Continuity
        1. Monitoring Systems and Networks
        2. Auditing Systems and Networks
        3. Operations Centers and Contingencies
        4. Cloud Computing
      3. Security Incidents
        1. Handling Inevitable Incidents
        2. Reporting Security Incidents
        3. Collecting and Preserving Evidence
        4. Computer Forensics and the Law
        5. Cyber Stalking and Harassment Incidents
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    3. Chapter 21 Managing Security Behavior
      1. Organizational Behavior
        1. Behavior and Control
        2. Behavior Modification
      2. Organizational Security Behaviors
        1. Malicious Outsiders
        2. Malicious Insiders
        3. Non-malicious Unintentional Insider Omission
        4. Non-malicious Intentional Insider Omission
      3. Management of Omission Behaviors
        1. Responding to the Unintentional Omission
        2. Responding to the Intentional Omission
        3. Leading by Example
      4. Contravention Behaviors, Theory, and Research
        1. Attacker Motivation, Personality, and Behavior Theory
        2. Entertainment and Status
        3. Ideology and Social Acceptance
        4. Neuroticism, Impulse, and Exploitation
      5. Management of Contravention Behaviors
        1. Responding to the Outside Attacker
        2. Responding to the Inside Attacker
        3. Ethics and Employee Attitudes Toward the Law
      6. Chapter Summary
      7. Think About It
      8. Key Concepts and Terms
    4. Chapter 22 Modeling and Predicting Attacks
      1. Game Theory and Predictive Models
        1. Inductive Predictions
        2. Deductive Predictions
        3. Game Theory and Attack Modeling
      2. Reasoning and Inference
        1. Reasoning Systems
        2. Ontology and Epistemology
        3. Inference and the Ontological to Epistemic Transformation
      3. Heuristics and Decision Systems
        1. Reasoning: Discrete Versus Equivocal Problems
        2. Synthetic Heuristics
        3. Issues with Synthetic Heuristic Systems
        4. Combining Techniques
      4. Heuristic Biases and Security Planning
        1. Decisions, Naïve Theories, and Biases
        2. Interactions of Biases and Framing Effects
        3. Biases, Framing Effects, and Security Decisions
      5. Chapter Summary
      6. Think About It
      7. Key Concepts and Terms
    5. Chapter 23 Adaptive Systems Security
      1. Biologically Inspired Security
        1. Self-Healing Systems
        2. Damage and Danger
        3. Trusted Security Kernels
      2. Social Systems
        1. Socially Inspired Security
        2. Social Systems and Security Adaptation
        3. Collective Agency, Availability, and Integrity
      3. Socio-Biologically Inspired Security Systems
        1. Novelty as Potential Danger
        2. Socio-Biological Behavior as Goal-Directed Behavior
        3. Adaptive Synthetic Systems
        4. Challenges for Mobile Networks and Adaptive Systems
      4. Chapter Summary
      5. Think About It
      6. Key Concepts and Terms
    6. Chapter 24 Security Horizons: Issues for Managers
      1. Localized Security Issues
        1. The Changing Technology, Security, and Attack Landscape
        2. Advanced Technologies, Threats, and Attacks
        3. Security, Processes, and Priorities
        4. Security, Situations, and Behavior
        5. Biometric Trends
      2. Political and Behavioral Issues in Security
        1. Legislation and Global Security
        2. Globalization and Information Exposure
        3. Security and Ethical Governing
      3. Chapter Summary
      4. Think About It
      5. Key Concepts and Terms
  10. Index