book

Information Security for Managers

by Michael Workman, Daniel C. Phelps, John N. Gathegi

February 2012

Intermediate to advanced

594 pages

20h 52m

English

Jones & Bartlett Learning

Read now

Unlock full access

Technological and Behavioral Security IssuesOrganizational GovernanceSecurity, Cyber Crime, and CostsManagement Duties, Responsibilities, and ThreatsAssessing and PlanningFinancial EvaluationsAttacks, Monitoring, and RecoveryReasons Why “They” Attack “Us”
Legal Organizational StructureAccountability, Responsibility, and LawRoles of Corporate Trust and RegulationFormal Project UndertakingsPower and Organizational StructureFiduciary ResponsibilitiesFiduciary Duties and Legal EthicsLaw and Ethics IntersectionLegal and Ethical ConsciousnessLaw and Enforceable Security PoliciesEnforceable Security PoliciesPeople and Policies—The Weakest LinkChapter SummaryThink About ItKey Concepts and Terms
The Management DisciplineManagement Initiatives and SecurityInformation Security ManagementInformation Security Management Life CycleSecurity Law and Cyber Knowledge WorkSecurity, Employment Law, and PoliciesVirtual Work, Security, and PrivacyIntellectual Property LawTrade SecretsPatentsCopyrightsEmployee Surveillance and PrivacyVideo SurveillancePrivacy and PolicySurveillance and Organizational JusticeCyber Law and Cyber CrimeInternational, Federal, and State Cyber LawEmployee Behavior and Cyber LawCorporate EspionageForensicsWhat Constitutes Evidence?Cyber Crime EvidenceCyber Law and Cyber Crime IssuesChapter SummaryThink About ItKey Concepts and Terms
Governance and U.S. RegulationsGramm-Leach-Bliley Act (GLBA)U.S. Fair and Accurate Credit Transactions Act (FACTA)U.S. Sarbanes–Oxley Act (SOX)OMB Circular A-123 (Revised)Government Information Security Reform Act of 2000HIPAA and Health Insurance ReformNon-U.S. and International GovernanceU.K. Combined Code on Corporate GovernanceCCCG and Turnbull GuidanceBasel IIU.K. Data Protection ActEuropean Union and Other Privacy ProtectionsCanadian PIPEDAAsian APEC Data Privacy SubgroupManagement and GovernanceGovernance and Security ProgramsEnactment of Security ProgramsAnalyzing the Problem and Managing ITChapter SummaryThink About ItKey Concepts and Terms

Risk Assessment and Management OverviewSecurity Program OverviewRisk Assessment OverviewRisk Mitigation OverviewRisk Determination and Control FrameworksITIL / ITSMCOBITISO 27K IT Security Control SelectionNIST 800-53Risk Management FrameworksOctaveNIST 800-30Using Frameworks for Implementing PlansChapter SummaryThink About ItKey Concepts and Terms
Security Management OverviewInformation and Systems Security InfrastructureInformation Assets: Classification and ArchitectureSecurity Policies and ModelsStances and CountermeasuresRisk Assessment and ManagementRisks and CountermeasuresHoping for the Best, Planning for the WorstTrusted Computing Base Versus Common CriteriaEvaluation and CertificationMonitoring and Security PoliciesMonitoring as a PolicyInformation Collection and StorageMonitoring and Organizational JusticeSurveillance and TrustChapter SummaryThink About ItKey Concepts and Terms
Information SystemsThe Nature of Data and InformationIS Operations, Tactics, and StrategiesInformation Integration and ExchangeDatabasesRelational DatabasesRelational Databases and Maintaining Data IntegrityData WarehousesExtract-Transform-Load (ETL)Distributed Systems and InformationGlobalization and Information ExchangeDistributed Systems ArchitectureMarkup: HTML and XMLParsing MarkupRDF and Ontology MarkupActive Semantic SystemsAgent Frameworks and Semantic FusionChapter SummaryThink About ItKey Concepts and Terms
Program CreationProgramming Logic and SyntaxOperations, Expressions, and TasksSoftware ConstructionCode-Level Design: CouplingCode-Level Design: CohesionRapid Application Development ToolsIDE, Wizards, and ToolkitsNative Programming EnvironmentsChapter SummaryThink About ItKey Concepts and Terms
Object-Oriented SoftwareObjects and Object FeaturesThe Nature of Software ObjectsAbstractions and Complex Data TypesObject CompositionOOP and ApplicationsDatabase InteractionSQL OverviewSoftware and RDBMS ConcurrencyDistributed SystemsWeb ApplicationsWeb Application ProcessingJAVA ServletsDistributed Web-Based SystemsChapter SummaryThink About ItKey Concepts and Terms
Operating Systems: An IntroductionSystems and SoftwareWhat Do OS Do?Windows and UNIX (Linux)Digital ArchitectureHardware ComponentsBinary Logic and Computer HardwareHardware Logic and Software InstructionsUNIX-Based Operating System FunctionsOS FeaturesUNIX-Based (Including Linux and MAC/OS) ProcessesThe UNIX-Based File SystemDisk Memory ManagementUNIX System Input–Output (I/O) and Device DriversMicrosoft Windows Operating SystemWindows as a Reference ExampleWindows Microkernel, Memory, and I/O ManagementWindows Processes and Security ManagementMicrosoft RegistryChapter SummaryThink About ItKey Concepts and Terms
The ISO/OSI and TCP/IPLayered ArchitectureInter-NetworkingPacket and Circuit SwitchingNetwork TopologiesDevices and AddressingIP AddressingSubnetworksIPv4 Versus IPv6IPv6 Address Groupings and UsesIPv6 Address ConfigurationNetwork Connections SummarizedData Link Layer ConnectivityCommunications FacilitiesChapter SummaryThink About ItKey Concepts and Terms
Link-Point NetworkingPhysical ConnectionsCarrier Sense Multiple Access with Collision Detection (CSMA/CD)Transiting Data: Egress and IngressInternet Control Message Protocol (ICMP)Encapsulation and the TCP/IP Protocol StackHeaders and Name ResolutionAddress Resolution Protocol (ARP)End-Point NetworkingServices and SocketsTransport and SessionsApplications Layer ProtocolsRouting DataRoutes and Route TablesRouting ProtocolsChapter SummaryThink About ItKey Concepts and Terms
Social Interactions and Security ImplicationsMobility and ThreatsDistributed Work and ThreatsInterconnectivity and ThreatsSecurity Countermeasures and ComplicationsBroad Attack Classifications and ExamplesInformation System Attack ExamplesSocial Engineering Attack ExamplesMobile Device Attack ExamplesInfosecThreat Awareness and Risk ManagementAdministrative, Technical, and Physical ControlsManaging Organization Members SecurelyPerceptions of Control and SecuritySins of OmissionSins of CommissionSocial Influences and Legalistic PerceptionsChapter SummaryThink About ItKey Concepts and Terms
Hosts and Security—A Windows ExampleMicrosoft Active DirectoryWindows Security Access ControlsWindows Service and Process SecurityAccess Management Framework in WindowsWindows Version Security DifferencesGetting Past OS Security FeaturesCircumventing Security (in Windows and Other OS)Host Attack Classifications and ExamplesMonitoring Attacks—Tools of the TradeMonitoring Host AttacksIntrusion Detection SystemsAssessing Systems SecurityAssessing the Information and SystemVulnerability TestingTest Reports and RecommendationsHardening SystemsEnsuring a Trusted ConfigurationPassword ProtectionsUser AuthenticationBiometricsBiometrics AcceptanceBiometric Security Process and Information ProtectionBiometrics and ErrorsBiometric Errors and TechnologyBiometric Frontiers in Computer SecuritySecure Software and Systems SDLCSecure Systems DevelopmentConfiguration ManagementChapter SummaryThink About ItKey Concepts and Terms
Protecting Networks from Being UnderminedThreats and Network SecurityAttacks and ToolsSome Attack Classifications and ExamplesKnow Thy Enemy’s Modus OperandiReconnaissance and Attack PreparationsEnumerationSorting Out the Targets and Gaining a FootholdTarget ExploitationNetwork Security Issues—Link to LinkConnection Layer Security IssuesLink Layer Security IssuesARP, Neighbor Discovery, and PoisoningInternet Layer Security IssuesNetwork Security Issues—End to EndICMP Security IssuesLayer 4 (TCP/UDP) Security IssuesPort Attacks and SYN FloodsNetwork CountermeasuresLimiting and Controlling Information ReleasesProtecting Zone Transfers and Thwarting DNS SpoofingUsing Proxies and VPNsChapter SummaryThink About ItKey Concepts and Terms
Cryptography in UseWho Knows Whom: X.509 CertificatesIPSec ImplementationIPSec ExampleSSL/TLSVirtual Private Networks (VPNs)Firewall SystemsStateless Screening FiltersStateful Packet InspectionCircuit Gateway FirewallsApplication-Layer FirewallBastion HostsFirewall Architecture“Belt and Braces” ArchitectureScreened Subnet ArchitectureOntology-Based ArchitectureChapter SummaryThink About ItKey Concepts and Terms
Cryptography OverviewCryptographic ConceptsGenerating a Simple Cipher CodeBreaking a Simple Cipher CodeCiphertext Dissection and “S” BoxesCryptography and Security GoalsSymmetric CryptographySymmetric Ciphers and KeysSubstitution, Transposition, and PermutationModern Symmetric CiphersKey Issues with Symmetric CryptographyAsymmetric CryptographyPublic Keys and Asymmetric CryptographyBeyond Encrypting MessagesKey Distribution and PKIPublic Key Algorithms: RSA as an ExampleChapter SummaryThink About ItKey Concepts and Terms
Web-Based Versus Web-Enabled ApplicationsA Definition of Web ApplicationsClient-Server Web Applications and SecurityWeb Services and Cloud ComputingSecuring Web ServersWeb Application ThreatsProtections for Web ServersAuthenticationPassword ProtectionsAuthorizationInput ValidationSession ManagementWeb Services and SecurityProtecting Web ContentChapter SummaryThink About ItKey Concepts and Terms
CM and Computer Security ProceduresCM and Management FrameworksManaging ConfigurationsSecurity Configuration ManagementSecurity ManagementSecurity Management Planning—System LevelConfiguring to a Secure StateManaged EnterprisesChecklist GroupsExtended GuidelinesDISA STIGsPrivate Industry Baseline SecurityCenter for Internet Security BenchmarksMaintaining the Secure StateControlling ChangesConducting a Security Impact AnalysisCertification and AccreditationChapter SummaryThink About ItKey Concepts and Terms
Maintaining OperationsThe SDLC and SecurityPlanning: Failures Are a Rule, Not an ExceptionMaintaining Operational CapabilitiesOperational ContinuityMonitoring Systems and NetworksAuditing Systems and NetworksOperations Centers and ContingenciesCloud ComputingSecurity IncidentsHandling Inevitable IncidentsReporting Security IncidentsCollecting and Preserving EvidenceComputer Forensics and the LawCyber Stalking and Harassment IncidentsChapter SummaryThink About ItKey Concepts and Terms
Organizational BehaviorBehavior and ControlBehavior ModificationOrganizational Security BehaviorsMalicious OutsidersMalicious InsidersNon-malicious Unintentional Insider OmissionNon-malicious Intentional Insider OmissionManagement of Omission BehaviorsResponding to the Unintentional OmissionResponding to the Intentional OmissionLeading by ExampleContravention Behaviors, Theory, and ResearchAttacker Motivation, Personality, and Behavior TheoryEntertainment and StatusIdeology and Social AcceptanceNeuroticism, Impulse, and ExploitationManagement of Contravention BehaviorsResponding to the Outside AttackerResponding to the Inside AttackerEthics and Employee Attitudes Toward the LawChapter SummaryThink About ItKey Concepts and Terms
Game Theory and Predictive ModelsInductive PredictionsDeductive PredictionsGame Theory and Attack ModelingReasoning and InferenceReasoning SystemsOntology and EpistemologyInference and the Ontological to Epistemic TransformationHeuristics and Decision SystemsReasoning: Discrete Versus Equivocal ProblemsSynthetic HeuristicsIssues with Synthetic Heuristic SystemsCombining TechniquesHeuristic Biases and Security PlanningDecisions, Naïve Theories, and BiasesInteractions of Biases and Framing EffectsBiases, Framing Effects, and Security DecisionsChapter SummaryThink About ItKey Concepts and Terms
Biologically Inspired SecuritySelf-Healing SystemsDamage and DangerTrusted Security KernelsSocial SystemsSocially Inspired SecuritySocial Systems and Security AdaptationCollective Agency, Availability, and IntegritySocio-Biologically Inspired Security SystemsNovelty as Potential DangerSocio-Biological Behavior as Goal-Directed BehaviorAdaptive Synthetic SystemsChallenges for Mobile Networks and Adaptive SystemsChapter SummaryThink About ItKey Concepts and Terms
Localized Security IssuesThe Changing Technology, Security, and Attack LandscapeAdvanced Technologies, Threats, and AttacksSecurity, Processes, and PrioritiesSecurity, Situations, and BehaviorBiometric TrendsPolitical and Behavioral Issues in SecurityLegislation and Global SecurityGlobalization and Information ExposureSecurity and Ethical GoverningChapter SummaryThink About ItKey Concepts and Terms