Security in a Web 2.0+ World: A Standards-Based Approach

Book description

Discover how technology is affecting your business, and why typical security mechanisms are failing to address the issue of risk and trust.

Security for a Web 2.0+ World looks at the perplexing issues of cyber security and will be of interest to readers ranging from those who need to make effective security policy decisions to the engineers who design ICT systems – a guide to information security and standards in the Web 2.0+ era. It provides an understanding of IT security in the converged world of communications technology based on the Internet Protocol.

Many companies are currently applying security models that follow legacy policies or ad-hoc solutions. A series of new security standards (ISO/ITU) allows security professionals to speak a common language. By applying a common standard, security vendors are able to create products and services that meet the challenging security demands of technology increasingly diffused away from the central control of the local area network. Companies are able to demonstrate the maturity of their security solutions based on their proven compliance with the recommendations defined by the standard.

Carlos Solari and his team present much-needed information and a broader view on why and how to use and deploy standards. They set the stage for a standards-based approach to designing in security, driven by factors that include securing complex information-communications systems, the need to drive security into product development, and the need to apply security funds more effectively to get a better return on investment.

Security applied after complex systems are deployed is at best a patchwork fix. Concerned with what can be done now using the technologies and methods at our disposal, the authors set out the idea that security can be designed into the complex networks that exist now and those of the near future. Web 2.0 is the next great promise of ICT – we still have the chance to design in a more secure path.

Time is of the essence – prevent-detect-respond!

Table of contents

  1. Copyright
  2. About the Authors and Contributors...
  3. Foreword
  4. Prologue
  5. 1. The World of Cyber Security in 2019
    1. 1.1. Executive Summary
    2. 1.2. General Review of Security Challenges
      1. 1.2.1. Content is king
      2. 1.2.2. Broadband wireless security
    3. 1.3. Cyber Security as the Friction and Latency of Business and Government
    4. 1.4. Protecting Web 2.0 Data
    5. 1.5. The Present Models for Cyber Security are Broken
      1. 1.5.1. A systemic problem
  6. 2. The Costs and Impact of Cyber Security
    1. 2.1. Executive Summary
    2. 2.2. The Economics of Security
    3. 2.3. The Security Value Life Cycle
    4. 2.4. Security Costs at the Point of Creation
    5. 2.5. Security Costs at the Point of Purchase – Service Creation
      1. 2.5.1. Incident costs
      2. 2.5.2. The costs of compliance
      3. 2.5.3. The costs of security infrastructure
    6. 2.6. Security Cost at Point of Service
    7. 2.7. Impact of Security Costs on Security Decisions and Investments: Network Security Risk Management
  7. 3. Protecting Web 2.0: What Makes it so Challenging?
    1. 3.1. Executive Summary
    2. 3.2. Defining Web 2.0
      1. 3.2.1. It's the network
      2. 3.2.2. Applications and content in the cloud
    3. 3.3. The Challenges of Web 2.0 Security
      1. 3.3.1. Motive, Capability and Opportunity
    4. 3.4. Securing the Web 2.0 Network
      1. 3.4.1. The devil is in the details – starting with the protocols
      2. 3.4.2. Security required end to end
      3. 3.4.3. Securing the interfaces and why they need to be secured
      4. 3.4.4. Virtualization is not necessarily a security net gain
    5. 3.5. The Wireless Data Challenge
      1. 3.5.1. Stated simply
    6. 3.6. Securing the Web 2.0 Applications and Content
      1. 3.6.1. Securing the data exchanges – and why they need to be secured
      2. 3.6.2. Protecting privacy
      3. 3.6.3. Integrity checking
      4. 3.6.4. Other considerations
  8. 4. Limitations of the Present Models
    1. 4.1. Executive Summary
    2. 4.2. Aftermarket Security – A Broken Model
    3. 4.3. Standards and Regulations
    4. 4.4. Regulate Yourself into Good Security?
    5. 4.5. Silos of Risk
    6. 4.6. Absence of Metrics to Define Trust
      1. 4.6.1. Design
      2. 4.6.2. Acquisition
      3. 4.6.3. Integration
      4. 4.6.4. Operation and maintenance
    7. 4.7. The Current Model is Broken – Now What?
  9. 5. Defining the Solution – ITU-T X.805 Standard Explained
    1. 5.1. Executive Summary
    2. 5.2. The ITU-T X.805 Standard Explained: Building a foundation for the Security Value Life Cycle
      1. 5.2.1. A bit of the history
    3. 5.3. Coupling to the ISO/IEC 27000 Series Standard: Complementary Standards that Enable the Process and Policy Leading to Compliance
    4. 5.4. Enterprise Risk and IT Management Frameworks
  10. 6. Building the Security Foundation Using the ITU-T X.805 Standard: The ITU-T X.805 Standard Made Operational
    1. 6.1. Executive Summary
      1. 6.1.1. The standard made operational
      2. 6.1.2. Key lesson: Complexity breeds insecurity
      3. 6.1.3. Key lesson: The cloud has entered the building
      4. 6.1.4. Key lesson: Address common vulnerabilities
      5. 6.1.5. Key lesson: Not all vulnerabilities are created equal
      6. 6.1.6. Key lesson: What is reportable and when is it reportable?
      7. 6.1.7. Key lesson: Security mitigation is also a business risk management decision
      8. 6.1.8. Key lesson: Performing the assessment with confidence in the results
      9. 6.1.9. Key lesson: Convince the product unit
      10. 6.1.10. Closing thoughts on the key lessons
  11. 7. The Benefits of a Security Framework Approach
    1. 7.1. Executive Summary
    2. 7.2. Convincing the CFO
      1. 7.2.1. Point of creation
      2. 7.2.2. Point of purchase and service creation
      3. 7.2.3. Point of service delivery or end use
  12. 8. Correcting Our Path – What Will it Take?
    1. 8.1. Executive Summary
    2. 8.2. The Power of the Customer to Transform an Industry
      1. 8.2.1. Government
      2. 8.2.2. Business
      3. 8.2.3. Academia
    3. 8.3. Summary and Conclusions
  13. A. Building Secure Products and Solutions
    1. A.1. Introduction
    2. A.2. Product Lifecycle Overview
    3. A.3. Integrating Security Into the Product Lifecycle
    4. A.4. Building in Security
    5. A.5. Bell Labs Security Framework Overview
      1. A.5.1. Security layers
      2. A.5.2. Security planes
      3. A.5.3. Security dimensions
      4. A.5.4. Modular methodology
    6. A.6. The Proposed Approach
    7. A.7. Integrating Security in Requirements and Design Phase
      1. A.7.1. Security specifications
      2. A.7.2. Asset identification
      3. A.7.3. Threats identification
      4. A.7.4. Vulnerabilities identification
      5. A.7.5. Impact analysis
      6. A.7.6. Control analysis
    8. A.8. Integrating Security in the Implementation Phase
    9. A.9. Integrating Security in Testing Phase
    10. A.10. Integrating Security in the Product Management
      1. A.10.1. Policy for secure product development
      2. A.10.2. Management oversight
      3. A.10.3. Risk assessment and management
      4. A.10.4. Measurement and feedback
      5. A.10.5. Resources and training
      6. A.10.6. Project planning and tracking
      7. A.10.7. Relationship to other standards
    11. A.11. Conclusion
      1. A.11.1. Acknowledgments
      2. A.11.2. *Trademarks
      3. A.11.3. References
  14. B. Using the Bell Labs Security Framework to Enhance the ISO 17799/27001 Information Security Management System
    1. B.1. Introduction
    2. B.2. Augmenting ISO/IEC 27001 with the Bell Labs Security Framework
    3. B.3. Implementation Guidance Using the Bell Labs Security Framework
    4. B.4. Methodology for Applying the Bell Labs Security Framework to ISO/IEC 27001
    5. B.5. Examples of Applying the Bell Labs Security Framework to ISO/IEC 27001 Controls
    6. B.6. Case Study: Using the Bell Labs Security Framework to Establish, Implement, and Operate an ISMS
    7. B.7. Using the Bell Labs Security Framework to Implement an ISMS for Government Networks
    8. B.8. Conclusion
    9. B.9. Further Reading
      1. B.9.1. *Trademarks
      2. B.9.2. References
  15. C. Appendix C
    1. C.1. Ch 2, Ref 1
      1. C.1.1. Ch 2, Ref 1
      2. C.1.2. Calculating the financial impact of cyber risk
      3. C.1.3. Ch 2, Ref 2: A Transaction Based Network Valuation Model
    2. C.2. Valuing an Entire Network
    3. C.3. The Sum Value of All Networks
      1. C.3.1. Ch 3, Ref 1
      2. C.3.2. Ch 3, Ref 2
      3. C.3.3. Ch 3, Ref 3: Protecting the domain name service (DNS)
      4. C.3.4. Ch 3, Ref 4
      5. C.3.5. Ch 3, Ref 5
      6. C.3.6. Ch 3, Ref 6
      7. C.3.7. Ch 3, Ref 7
      8. C.3.8. Ch 3, Ref 8
      9. C.3.9. Ch 3, Ref 9
  16. Glossary

Product information

  • Title: Security in a Web 2.0+ World: A Standards-Based Approach
  • Author(s): Carlos Curtis Solari
  • Release date: May 2009
  • Publisher(s): Wiley
  • ISBN: 9780470745755