book

Information Security: The Complete Reference, Second Edition, 2nd Edition

Name: Information Security: The Complete Reference, Second Edition, 2nd Edition
Author: Mark Rhodes-Ousley
ISBN: 9780071784368

by Mark Rhodes-Ousley

April 2013

Intermediate to advanced

928 pages

29h 37m

English

McGraw-Hill

Read now

Unlock full access

Cover
About the Author
Title Page
Copyright Page
Contents at a Glance
Contents
Preface
Acknowledgments
Introduction
Part I: Foundations

Chapter 1: Information Security Overview
The Importance of Information ProtectionThe Evolution of Information SecurityJustifying Security InvestmentBusiness AgilityCost ReductionPortabilitySecurity MethodologyHow to Build a Security ProgramAuthorityFrameworkAssessmentPlanningActionMaintenanceThe Impossible JobThe Weakest LinkStrategy and TacticsBusiness Processes vs. Technical ControlsSummaryReferences
Chapter 2: Risk Analysis
Threat DefinitionThreat VectorsThreat Sources and TargetsTypes of AttacksMalicious Mobile CodeAdvanced Persistent Threats (APTs)Manual AttacksRisk AnalysisSummaryReferences
Chapter 3: Compliance with Standards, Regulations, and Laws
Information Security StandardsCOBITISO 27000 SeriesNISTRegulations Affecting Information Security ProfessionalsThe Duty of CareGramm-Leach-Bliley Act (GLBA)Sarbanes-Oxley ActHIPAA Privacy and Security RulesNERC CIPPCI DSS: Payment Card Industry Data Security StandardLaws Affecting Information Security ProfessionalsHacking LawsElectronic Communication LawsOther Substantive LawsSummaryReferences
Chapter 4: Secure Design Principles
The CIA Triad and Other ModelsConfidentialityIntegrityAvailabilityAdditional ConceptsDefense ModelsThe Lollipop ModelThe Onion ModelZones of TrustBest Practices for Network DefenseSecure the Physical EnvironmentHarden the Operating SystemKeep Patches UpdatedUse an Antivirus Scanner (with Real-Time Scanning)Use Firewall SoftwareSecure Network Share PermissionsUse EncryptionSecure ApplicationsBack Up the SystemImplement ARP Poisoning DefensesCreate a Computer Security Defense PlanSummaryReferences
Chapter 5: Security Policies, Standards, Procedures, and Guidelines
Security PoliciesSecurity Policy DevelopmentSecurity Policy ContributorsSecurity Policy AudiencePolicy CategoriesFrameworksSecurity AwarenessImportance of Security AwarenessObjectives of an Awareness ProgramIncreasing EffectivenessImplementing the Awareness ProgramEnforcementPolicy Enforcement for VendorsPolicy Enforcement for EmployeesSoftware-Based EnforcementExample Security Policy TopicsAcceptable Use PoliciesComputer PoliciesNetwork PoliciesData Privacy PoliciesData Integrity PoliciesPersonnel Management PoliciesSecurity Management PoliciesPhysical Security PoliciesSecurity StandardsSecurity Standard ExampleSecurity ProceduresSecurity Procedure ExampleSecurity GuidelinesSecurity Guideline ExampleOngoing MaintenanceSummaryReferences
Chapter 6: Security Organization
Roles and ResponsibilitiesSecurity PositionsSecurity Incident Response TeamManaged Security ServicesServices Performed by MSSPsServices That Can Be Monitored by MSSPsSecurity Council, Steering Committee, or Board of DirectorsInteraction with Human ResourcesSummaryReferences
Chapter 7: Authentication and Authorization
AuthenticationUsernames and PasswordsCertificate-Based AuthenticationExtensible Authentication Protocol (EAP)BiometricsAdditional Uses for AuthenticationAuthorizationUser RightsRole-Based Authorization (RBAC)Access Control Lists (ACLs)Rule-Based AuthorizationCompliance with StandardsNISTISO 27002COBITSummaryReferences
Part II: Data Security
Chapter 8: Securing Unstructured Data
Structured Data vs. Unstructured DataAt Rest, in Transit, and in UseApproaches to Securing Unstructured DataDatabasesApplicationsNetworksComputersStorage (Local, Removable, or Networked)Data Printed into the Physical WorldNewer Approaches to Securing Unstructured DataData Loss Prevention (DLP)Information Rights Management (IRM)SummaryReferences
Chapter 9: Information Rights Management
OverviewThe Difference Between DRM and IRMWhat’s in a Name? EDRM, ERM, RMS, IRMEvolution from Encryption to IRMIRM Technology DetailsWhat Constitutes an IRM Technology?ArchitectureGoing OfflineUnstructured Data FormatsGetting Started with IRMClassification CreationUser ProvisioningRights AssignmentSecuring ContentDistributing ContentInstalling and Configuring the IRM ClientAuthenticationAuthorizationRights Retrieval and StorageContent Access and Rights InvocationAccess Auditing and ReportingRights RevocationSummaryReferences
Chapter 10: Encryption
A Brief History of EncryptionEarly CodesMore Modern CodesSymmetric-Key CryptographyKey ExchangePublic Key CryptographyKey ExchangePublic Key InfrastructureStructure and FunctionCA HierarchyCertificate Templates and EnrollmentRevocationRole SeparationCross-CertificationCompliance with StandardsNISTISO 27002COBITSummaryReferences
Chapter 11: Storage Security
Storage Security EvolutionModern Storage SecurityStorage InfrastructureAdministration ChannelRisks to DataRisk RemediationConfidentiality RisksIntegrity RisksAvailability RisksBest PracticesZoningArraysServersStaffOffsite Data StorageSummaryReferences
Chapter 12: Database Security
General Database Security ConceptsUnderstanding Database Security LayersServer-Level SecurityNetwork-Level SecurityOperating System SecurityUnderstanding Database-Level SecurityDatabase Administration SecurityDatabase Roles and PermissionsObject-Level SecurityUsing Other Database Objects for SecurityUsing Application SecurityLimitations of Application-Level SecuritySupporting Internet ApplicationsDatabase Backup and RecoveryDetermining Backup ConstraintsDetermining Recovery RequirementsTypes of Database BackupsKeeping Your Servers Up to DateDatabase Auditing and MonitoringReviewing Audit LogsDatabase MonitoringSummaryReferences
Part III: Network Security
Chapter 13: Secure Network Design
Introduction to Secure Network DesignAcceptable RiskDesigning Security into a NetworkDesigning an Appropriate NetworkThe Cost of SecurityPerformanceAvailabilitySecurityWireless Impact on the PerimeterRemote Access ConsiderationsInternal Security PracticesIntranets, Extranets, and DMZsOutbound FilteringCompliance with StandardsNISTISO 27002COBITSummaryReferences
Chapter 14: Network Device Security
Switch and Router BasicsMAC Addresses, IP Addresses, and ARPTCP/IPHubsSwitchesRoutersNetwork HardeningPatchingSwitch Security PracticesAccess Control ListsDisabling Unused ServicesAdministrative PracticesInternet Control Message Protocol (ICMP)Anti-Spoofing and Source RoutingLoggingSummaryReferences
Chapter 15: Firewalls
OverviewThe Evolution of FirewallsApplication ControlMust-Have Firewall FeaturesCore Firewall FunctionsNetwork Address Translation (NAT)Auditing and LoggingAdditional Firewall CapabilitiesApplication and Website Malware Execution BlockingAntivirusIntrusion Detection and Intrusion PreventionWeb Content (URL) Filtering and CachingE-Mail (Spam) FilteringEnhance Network PerformanceFirewall DesignFirewall Strengths and WeaknessesFirewall PlacementFirewall ConfigurationSummaryReferences
Chapter 16: Virtual Private Networks
How a VPN WorksVPN ProtocolsIPSecPPTPL2TP over IPSecSSL VPNsRemote Access VPN SecurityAuthentication ProcessClient ConfigurationClient Networking EnvironmentOffline Client ActivitySite-to-Site VPN SecuritySummaryReferences
Chapter 17: Wireless Network Security
Radio Frequency Security BasicsSecurity Benefits of RF KnowledgeLayer One Security SolutionsData-Link Layer Wireless Security Features, Flaws, and Threats802.11 and 802.15 Data-Link Layer in a Nutshell802.11 and 802.15 Data-Link Layer Vulnerabilities and ThreatsClosed-System SSIDs, MAC Filtering, and Protocol FilteringBuilt-in Bluetooth Network Data-Link Security and ThreatsWireless Vulnerabilities and MitigationsWired Side LeakageRogue Access PointsMisconfigured Access PointsWireless PhishingClient IsolationWireless Network Hardening Practices and RecommendationsWireless Security StandardsTemporal Key Integrity Protocol and Counter Mode with CBC-MAC Protocol802.1x-Based Authentication and EAP MethodsWireless Intrusion Detection and PreventionWireless IPS and IDSBluetooth IPSWireless Network Positioning and Secure GatewaysSummaryReferences
Chapter 18: Intrusion Detection and Prevention Systems
IDS ConceptsThreat TypesFirst-Generation IDSSecond-Generation IDSIDS Types and Detection ModelsHost-Based IDSNetwork-Based IDS (NIDS)Anomaly-Detection (AD) ModelSignature-Detection ModelWhat Type of IDS Should You Use?IDS FeaturesIDS End-User InterfacesIntrusion-Prevention Systems (IPS)IDS ManagementIDS Logging and AlertingIDS Deployment ConsiderationsIDS Fine-TuningIPS Deployment PlanSecurity Information and Event Management (SIEM)Data AggregationAnalysisOperational InterfaceAdditional SIEM FeaturesSummaryReferences
Chapter 19: Voice over IP (VoIP) and PBX Security
BackgroundVoIP ComponentsCall ControlVoice and Media Gateways and GatekeepersMCUsHardware EndpointsSoftware EndpointsCall and Contact Center ComponentsVoicemail SystemsVoIP Vulnerabilities and CountermeasuresOld Dogs, Old Tricks: The Original HacksVulnerabilities and ExploitsThe ProtocolsSecurity Posture: System Integrators and Hosted VoIPPBXHacking a PBXSecuring a PBXTEM: Telecom Expense ManagementSummaryReferences
Part IV: Computer Security
Chapter 20: Operating System Security Models
Operating System ModelsThe Underlying Protocols Are InsecureAccess Control ListsMAC vs. DACClassic Security ModelsBell-LaPadulaBibaClark-WilsonTCSECLabelsReference MonitorThe Reference Monitor ConceptWindows Security Reference MonitorTrustworthy ComputingInternational Standards for Operating System SecurityCommon CriteriaSummaryReferences
Chapter 21: Unix Security
Start with a Fresh InstallSecuring a Unix SystemReducing the Attack SurfaceInstall Secure SoftwareConfigure Secure SettingsKeep Software Up to DatePlace Servers into Network ZonesStrengthen Authentication ProcessesRequire Strong PasswordsUse Alternatives to PasswordsLimit Physical Access to SystemsLimit the Number of Administrators and Limit the Privileges of AdministratorsUse sudoBack Up Your SystemSubscribe to Security ListsCompliance with StandardsISO 27002COBITSummaryReferences
Chapter 22: Windows Security
Securing Windows SystemsDisable Windows Services and Remove SoftwareSecurely Configure Remaining SoftwareUse Group Policy to Manage SettingsComputer PoliciesUser PoliciesSecurity Configuration and AnalysisGroup PolicyInstall Security SoftwareApplication WhitelistingPatch Systems RegularlySegment the Network into Zones of TrustBlocking and Filtering Access to ServicesMitigating the Effect of Spoofed PortsStrengthen Authentication ProcessesRequire, Promote, and Train Users in Using Strong PasswordsUse Alternatives to PasswordsApply Technology and Physical Controls to Protect Access PointsModify Defaults for Windows Authentication SystemsLimit the Number of Administrators and Limit the Privileges of AdministratorsApplications that Require Admin Access to Files and the RegistryElevated Privileges Are RequiredProgrammers as AdministratorsRequiring Administrators to Use runasActive Directory Domain ArchitectureLogical Security BoundariesRole-Based AdministrationA Role-Based Approach to Security ConfigurationCompliance with StandardsNISTISO 27002COBITSummaryReferences
Chapter 23: Securing Infrastructure Services
E-MailProtocols, Their Vulnerabilities, and CountermeasuresSpam and Spam ControlMalware and Malware ControlWeb ServersTypes of AttacksWeb Server ProtectionDNS ServersInstall PatchesPrevent Unauthorized Zone TransfersDNS Cache PoisoningProxy ServersHTTP ProxyFTP ProxyDirect MappingPOP3 ProxyHTTP ConnectReverse ProxySummaryReferences
Chapter 24: Virtual Machines and Cloud Computing
Virtual MachinesProtecting the HypervisorProtecting the Guest OSProtecting Virtual StorageProtecting Virtual NetworksNIST Special Publication 800-125Cloud ComputingTypes of Cloud ServicesCloud Computing Security BenefitsSecurity ConsiderationsCloud Computing Risks and RemediationsSummaryReferences
Chapter 25: Securing Mobile Devices
Mobile Device RisksDevice RisksApplication RisksMobile Device SecurityBuilt-in Security FeaturesMobile Device Management (MDM)Data Loss Prevention (DLP)SummaryReferences
Part V: Application Security
Chapter 26: Secure Application Design
Secure Development LifecycleApplication Security PracticesSecurity TrainingSecure Development InfrastructureSecurity RequirementsSecure DesignThreat ModelingSecure CodingSecurity Code ReviewSecurity TestingSecurity DocumentationSecure Release ManagementDependency Patch MonitoringProduct Security Incident ResponseDecisions to ProceedWeb Application SecuritySQL InjectionForms and ScriptsCookies and Session ManagementGeneral AttacksWeb Application Security ConclusionsClient Application SecurityRunning PrivilegesApplication AdministrationIntegration with OS SecurityApplication UpdatesRemote Administration SecurityReasons for Remote AdministrationRemote Administration Using a Web InterfaceAuthenticating Web-Based Remote AdministrationCustom Remote AdministrationSummaryReferences
Chapter 27: Writing Secure Software
Security Vulnerabilities: Causes and PreventionBuffer OverflowsInteger OverflowsCross-Site ScriptingSQL InjectionWhitelisting vs. BlacklistingSummaryReferences
Chapter 28: J2EE Security
Java and J2EE OverviewThe Java LanguageAttacks on the JVMThe J2EE ArchitectureServletsJavaServer Pages (JSP)Enterprise JavaBeans (EJB)ContainersAuthentication and AuthorizationJ2EE AuthenticationJ2EE AuthorizationProtocolsHTTPHTTPSWeb Services ProtocolsIIOPJRMPProprietary Communication ProtocolsJMSJDBCSummaryReferences
Chapter 29: Windows .NET Security
Core Security Features of .NETManaged CodeRole-Based SecurityCode Access SecurityAppDomains and Isolated StorageApplication-Level Security in .NETUsing Cryptography.NET Remoting SecuritySecuring Web Services and Web ApplicationsSummaryReferences
Chapter 30: Controlling Application Behavior
Controlling Applications on the NetworkAccess Control ChallengesApplication VisibilityControlling Application CommunicationsRestricting Applications Running on ComputersApplication Whitelisting SoftwareApplication Security SettingsSummaryReferences
Part VI: Security Operations
Chapter 31: Security Operations Management
Communication and ReportingChange ManagementAcceptable Use EnforcementExamples of Acceptable Use EnforcementProactive EnforcementAdministrative SecurityPreventing Administrative Abuse of PowerManagement PracticesAccountability ControlsSecurity Monitoring and AuditingKeeping Up with Current EventsIncident ResponseSummaryReferences
Chapter 32: Disaster Recovery, Business Continuity, Backups, and High Availability
Disaster RecoveryBusiness Continuity PlanningThe Four Components of Business Continuity PlanningThird-Party Vendor IssuesAwareness and Training ProgramsBackupsTraditional Backup MethodsBackup Alternatives and Newer MethodologiesBackup PolicyHigh AvailabilityAutomated Redundancy MethodsOperational Redundancy MethodsCompliance with StandardsISO 27002COBITSummaryReferences
Chapter 33: Incident Response and Forensic Analysis
Incident ResponseIncident DetectionResponse and ContainmentRecovery and ResumptionReview and ImprovementForensicsLegal RequirementsEvidence AcquisitionEvidence AnalysisCompliance with Laws During Incident ResponseLaw Enforcement Referrals—Yes or No?Preservation of EvidenceConfidentiality and Privilege IssuesSummaryReferences
Part VII: Physical Security
Chapter 34: Physical Security
Classification of AssetsPhysical Vulnerability AssessmentBuildingsComputing Devices and PeripheralsDocumentsRecords and EquipmentChoosing Site Location for SecurityAccessibilityLightingProximity to Other BuildingsProximity to Law Enforcement and Emergency ResponseRF and Wireless Transmission InterceptionUtilities ReliabilityConstruction and ExcavationSecuring Assets: Locks and Entry ControlsLocksEntry ControlsPhysical Intrusion DetectionClosed-Circuit TelevisionAlarmsCompliance with StandardsISO 27002COBITSummaryReferences
Glossary
Index

Content preview from Information Security: The Complete Reference, Second Edition, 2nd Edition

CHAPTER
6	Security Policies, Standards, Procedures, and Guidelines

Information security is no longer simply about patch management and firewalls. It requires a holistic risk management approach. As organizations increasingly rely on global networks for supply chain and communications, and amass distributed data in terabyte amounts, it has become apparent that the old models for computer security are no longer effective. The exploitation points have correspondingly increased exponentially. The old model of hiring a couple of security analysts or engineers and throwing them into the Information Technology department is no longer sufficient to address the growing needs of data and communications protection. Security can no longer be ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Information Security Handbook - Second Edition

Publisher Resources

ISBN: 9780071784351

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Information Security: The Complete Reference, Second Edition, 2nd Edition

by Mark Rhodes-Ousley

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.