Security Smarts for the Self-Guided IT Professional “An extraordinarily thorough and sophisticated explanation of why you need to measure the effectiveness of your security program and how to do it. A must-have for any quality security program!” —Dave Cullinane, CISSP, CISO & VP, Global Fraud, Risk & Security, eBay Learn how to communicate the value of an information security program, enable investment planning and decision making, and drive necessary change to improve the security of your organization. Security Metrics: A Beginner's Guide explains, step by step, how to develop and implement a successful security metrics program. This practical resource covers project management, communication, analytics tools, identifying targets, defining objectives, obtaining stakeholder buy-in, metrics automation, data quality, and resourcing. You'll also get details on cloud-based security metrics and process improvement. Templates, checklists, and examples give you the hands-on help you need to get started right away. Security Metrics: A Beginner's Guide features: Lingo--Common security terms defined so that you're in the know on the job IMHO--Frank and relevant opinions based on the author's years of industry experience Budget Note--Tips for getting security technologies and processes into your organization's budget In Actual Practice--Exceptions to the rules of security explained in real-world contexts Your Plan--Customizable checklists you can use on the job now Into Action--Tips on how, why, and when to apply new skills and techniques at work Caroline Wong, CISSP, was formerly the Chief of Staff for the Global Information Security Team at eBay, where she built the security metrics program from the ground up. She has been a featured speaker at RSA, ITWeb Summit, Metricon, the Executive Women's Forum, ISC2, and the Information Security Forum. Cover About the Author About the Contributors and Technical Reviewers Title Page Copyright Page Contents at a Glance Contents Preface Acknowledgments Introduction Part I: Foundations Chapter 1: Information Security Overview The Importance of Information Protection The Evolution of Information Security Justifying Security Investment Business Agility Cost Reduction Portability Security Methodology How to Build a Security Program Authority Framework Assessment Planning Action Maintenance The Impossible Job The Weakest Link Strategy and Tactics Business Processes vs. Technical Controls Summary References Chapter 2: Risk Analysis Threat Definition Threat Vectors Threat Sources and Targets Types of Attacks Malicious Mobile Code Advanced Persistent Threats (APTs) Manual Attacks Risk Analysis Summary References Chapter 3: Compliance with Standards, Regulations, and Laws Information Security Standards COBIT ISO 27000 Series NIST Regulations Affecting Information Security Professionals The Duty of Care Gramm-Leach-Bliley Act (GLBA) Sarbanes-Oxley Act HIPAA Privacy and Security Rules NERC CIP PCI DSS: Payment Card Industry Data Security Standard Laws Affecting Information Security Professionals Hacking Laws Electronic Communication Laws Other Substantive Laws Summary References Chapter 4: Secure Design Principles The CIA Triad and Other Models Confidentiality Integrity Availability Additional Concepts Defense Models The Lollipop Model The Onion Model Zones of Trust Best Practices for Network Defense Secure the Physical Environment Harden the Operating System Keep Patches Updated Use an Antivirus Scanner (with Real-Time Scanning) Use Firewall Software Secure Network Share Permissions Use Encryption Secure Applications Back Up the System Implement ARP Poisoning Defenses Create a Computer Security Defense Plan Summary References Chapter 5: Security Policies, Standards, Procedures, and Guidelines Security Policies Security Policy Development Security Policy Contributors Security Policy Audience Policy Categories Frameworks Security Awareness Importance of Security Awareness Objectives of an Awareness Program Increasing Effectiveness Implementing the Awareness Program Enforcement Policy Enforcement for Vendors Policy Enforcement for Employees Software-Based Enforcement Example Security Policy Topics Acceptable Use Policies Computer Policies Network Policies Data Privacy Policies Data Integrity Policies Personnel Management Policies Security Management Policies Physical Security Policies Security Standards Security Standard Example Security Procedures Security Procedure Example Security Guidelines Security Guideline Example Ongoing Maintenance Summary References Chapter 6: Security Organization Roles and Responsibilities Security Positions Security Incident Response Team Managed Security Services Services Performed by MSSPs Services That Can Be Monitored by MSSPs Security Council, Steering Committee, or Board of Directors Interaction with Human Resources Summary References Chapter 7: Authentication and Authorization Authentication Usernames and Passwords Certificate-Based Authentication Extensible Authentication Protocol (EAP) Biometrics Additional Uses for Authentication Authorization User Rights Role-Based Authorization (RBAC) Access Control Lists (ACLs) Rule-Based Authorization Compliance with Standards NIST ISO 27002 COBIT Summary References Part II: Data Security Chapter 8: Securing Unstructured Data Structured Data vs. Unstructured Data At Rest, in Transit, and in Use Approaches to Securing Unstructured Data Databases Applications Networks Computers Storage (Local, Removable, or Networked) Data Printed into the Physical World Newer Approaches to Securing Unstructured Data Data Loss Prevention (DLP) Information Rights Management (IRM) Summary References Chapter 9: Information Rights Management Overview The Difference Between DRM and IRM What’s in a Name? EDRM, ERM, RMS, IRM Evolution from Encryption to IRM IRM Technology Details What Constitutes an IRM Technology? Architecture Going Offline Unstructured Data Formats Getting Started with IRM Classification Creation User Provisioning Rights Assignment Securing Content Distributing Content Installing and Configuring the IRM Client Authentication Authorization Rights Retrieval and Storage Content Access and Rights Invocation Access Auditing and Reporting Rights Revocation Summary References Chapter 10: Encryption A Brief History of Encryption Early Codes More Modern Codes Symmetric-Key Cryptography Key Exchange Public Key Cryptography Key Exchange Public Key Infrastructure Structure and Function CA Hierarchy Certificate Templates and Enrollment Revocation Role Separation Cross-Certification Compliance with Standards NIST ISO 27002 COBIT Summary References Chapter 11: Storage Security Storage Security Evolution Modern Storage Security Storage Infrastructure Administration Channel Risks to Data Risk Remediation Confidentiality Risks Integrity Risks Availability Risks Best Practices Zoning Arrays Servers Staff Offsite Data Storage Summary References Chapter 12: Database Security General Database Security Concepts Understanding Database Security Layers Server-Level Security Network-Level Security Operating System Security Understanding Database-Level Security Database Administration Security Database Roles and Permissions Object-Level Security Using Other Database Objects for Security Using Application Security Limitations of Application-Level Security Supporting Internet Applications Database Backup and Recovery Determining Backup Constraints Determining Recovery Requirements Types of Database Backups Keeping Your Servers Up to Date Database Auditing and Monitoring Reviewing Audit Logs Database Monitoring Summary References Part III: Network Security Chapter 13: Secure Network Design Introduction to Secure Network Design Acceptable Risk Designing Security into a Network Designing an Appropriate Network The Cost of Security Performance Availability Security Wireless Impact on the Perimeter Remote Access Considerations Internal Security Practices Intranets, Extranets, and DMZs Outbound Filtering Compliance with Standards NIST ISO 27002 COBIT Summary References Chapter 14: Network Device Security Switch and Router Basics MAC Addresses, IP Addresses, and ARP TCP/IP Hubs Switches Routers Network Hardening Patching Switch Security Practices Access Control Lists Disabling Unused Services Administrative Practices Internet Control Message Protocol (ICMP) Anti-Spoofing and Source Routing Logging Summary References Chapter 15: Firewalls Overview The Evolution of Firewalls Application Control Must-Have Firewall Features Core Firewall Functions Network Address Translation (NAT) Auditing and Logging Additional Firewall Capabilities Application and Website Malware Execution Blocking Antivirus Intrusion Detection and Intrusion Prevention Web Content (URL) Filtering and Caching E-Mail (Spam) Filtering Enhance Network Performance Firewall Design Firewall Strengths and Weaknesses Firewall Placement Firewall Configuration Summary References Chapter 16: Virtual Private Networks How a VPN Works VPN Protocols IPSec PPTP L2TP over IPSec SSL VPNs Remote Access VPN Security Authentication Process Client Configuration Client Networking Environment Offline Client Activity Site-to-Site VPN Security Summary References Chapter 17: Wireless Network Security Radio Frequency Security Basics Security Benefits of RF Knowledge Layer One Security Solutions Data-Link Layer Wireless Security Features, Flaws, and Threats 802.11 and 802.15 Data-Link Layer in a Nutshell 802.11 and 802.15 Data-Link Layer Vulnerabilities and Threats Closed-System SSIDs, MAC Filtering, and Protocol Filtering Built-in Bluetooth Network Data-Link Security and Threats Wireless Vulnerabilities and Mitigations Wired Side Leakage Rogue Access Points Misconfigured Access Points Wireless Phishing Client Isolation Wireless Network Hardening Practices and Recommendations Wireless Security Standards Temporal Key Integrity Protocol and Counter Mode with CBC-MAC Protocol 802.1x-Based Authentication and EAP Methods Wireless Intrusion Detection and Prevention Wireless IPS and IDS Bluetooth IPS Wireless Network Positioning and Secure Gateways Summary References Chapter 18: Intrusion Detection and Prevention Systems IDS Concepts Threat Types First-Generation IDS Second-Generation IDS IDS Types and Detection Models Host-Based IDS Network-Based IDS (NIDS) Anomaly-Detection (AD) Model Signature-Detection Model What Type of IDS Should You Use? IDS Features IDS End-User Interfaces Intrusion-Prevention Systems (IPS) IDS Management IDS Logging and Alerting IDS Deployment Considerations IDS Fine-Tuning IPS Deployment Plan Security Information and Event Management (SIEM) Data Aggregation Analysis Operational Interface Additional SIEM Features Summary References Chapter 19: Voice over IP (VoIP) and PBX Security Background VoIP Components Call Control Voice and Media Gateways and Gatekeepers MCUs Hardware Endpoints Software Endpoints Call and Contact Center Components Voicemail Systems VoIP Vulnerabilities and Countermeasures Old Dogs, Old Tricks: The Original Hacks Vulnerabilities and Exploits The Protocols Security Posture: System Integrators and Hosted VoIP PBX Hacking a PBX Securing a PBX TEM: Telecom Expense Management Summary References Part IV: Computer Security Chapter 20: Operating System Security Models Operating System Models The Underlying Protocols Are Insecure Access Control Lists MAC vs. DAC Classic Security Models Bell-LaPadula Biba Clark-Wilson TCSEC Labels Reference Monitor The Reference Monitor Concept Windows Security Reference Monitor Trustworthy Computing International Standards for Operating System Security Common Criteria Summary References Chapter 21: Unix Security Start with a Fresh Install Securing a Unix System Reducing the Attack Surface Install Secure Software Configure Secure Settings Keep Software Up to Date Place Servers into Network Zones Strengthen Authentication Processes Require Strong Passwords Use Alternatives to Passwords Limit Physical Access to Systems Limit the Number of Administrators and Limit the Privileges of Administrators Use sudo Back Up Your System Subscribe to Security Lists Compliance with Standards ISO 27002 COBIT Summary References Chapter 22: Windows Security Securing Windows Systems Disable Windows Services and Remove Software Securely Configure Remaining Software Use Group Policy to Manage Settings Computer Policies User Policies Security Configuration and Analysis Group Policy Install Security Software Application Whitelisting Patch Systems Regularly Segment the Network into Zones of Trust Blocking and Filtering Access to Services Mitigating the Effect of Spoofed Ports Strengthen Authentication Processes Require, Promote, and Train Users in Using Strong Passwords Use Alternatives to Passwords Apply Technology and Physical Controls to Protect Access Points Modify Defaults for Windows Authentication Systems Limit the Number of Administrators and Limit the Privileges of Administrators Applications that Require Admin Access to Files and the Registry Elevated Privileges Are Required Programmers as Administrators Requiring Administrators to Use runas Active Directory Domain Architecture Logical Security Boundaries Role-Based Administration A Role-Based Approach to Security Configuration Compliance with Standards NIST ISO 27002 COBIT Summary References Chapter 23: Securing Infrastructure Services E-Mail Protocols, Their Vulnerabilities, and Countermeasures Spam and Spam Control Malware and Malware Control Web Servers Types of Attacks Web Server Protection DNS Servers Install Patches Prevent Unauthorized Zone Transfers DNS Cache Poisoning Proxy Servers HTTP Proxy FTP Proxy Direct Mapping POP3 Proxy HTTP Connect Reverse Proxy Summary References Chapter 24: Virtual Machines and Cloud Computing Virtual Machines Protecting the Hypervisor Protecting the Guest OS Protecting Virtual Storage Protecting Virtual Networks NIST Special Publication 800-125 Cloud Computing Types of Cloud Services Cloud Computing Security Benefits Security Considerations Cloud Computing Risks and Remediations Summary References Chapter 25: Securing Mobile Devices Mobile Device Risks Device Risks Application Risks Mobile Device Security Built-in Security Features Mobile Device Management (MDM) Data Loss Prevention (DLP) Summary References Part V: Application Security Chapter 26: Secure Application Design Secure Development Lifecycle Application Security Practices Security Training Secure Development Infrastructure Security Requirements Secure Design Threat Modeling Secure Coding Security Code Review Security Testing Security Documentation Secure Release Management Dependency Patch Monitoring Product Security Incident Response Decisions to Proceed Web Application Security SQL Injection Forms and Scripts Cookies and Session Management General Attacks Web Application Security Conclusions Client Application Security Running Privileges Application Administration Integration with OS Security Application Updates Remote Administration Security Reasons for Remote Administration Remote Administration Using a Web Interface Authenticating Web-Based Remote Administration Custom Remote Administration Summary References Chapter 27: Writing Secure Software Security Vulnerabilities: Causes and Prevention Buffer Overflows Integer Overflows Cross-Site Scripting SQL Injection Whitelisting vs. Blacklisting Summary References Chapter 28: J2EE Security Java and J2EE Overview The Java Language Attacks on the JVM The J2EE Architecture Servlets JavaServer Pages (JSP) Enterprise JavaBeans (EJB) Containers Authentication and Authorization J2EE Authentication J2EE Authorization Protocols HTTP HTTPS Web Services Protocols IIOP JRMP Proprietary Communication Protocols JMS JDBC Summary References Chapter 29: Windows .NET Security Core Security Features of .NET Managed Code Role-Based Security Code Access Security AppDomains and Isolated Storage Application-Level Security in .NET Using Cryptography .NET Remoting Security Securing Web Services and Web Applications Summary References Chapter 30: Controlling Application Behavior Controlling Applications on the Network Access Control Challenges Application Visibility Controlling Application Communications Restricting Applications Running on Computers Application Whitelisting Software Application Security Settings Summary References Part VI: Security Operations Chapter 31: Security Operations Management Communication and Reporting Change Management Acceptable Use Enforcement Examples of Acceptable Use Enforcement Proactive Enforcement Administrative Security Preventing Administrative Abuse of Power Management Practices Accountability Controls Security Monitoring and Auditing Keeping Up with Current Events Incident Response Summary References Chapter 32: Disaster Recovery, Business Continuity, Backups, and High Availability Disaster Recovery Business Continuity Planning The Four Components of Business Continuity Planning Third-Party Vendor Issues Awareness and Training Programs Backups Traditional Backup Methods Backup Alternatives and Newer Methodologies Backup Policy High Availability Automated Redundancy Methods Operational Redundancy Methods Compliance with Standards ISO 27002 COBIT Summary References Chapter 33: Incident Response and Forensic Analysis Incident Response Incident Detection Response and Containment Recovery and Resumption Review and Improvement Forensics Legal Requirements Evidence Acquisition Evidence Analysis Compliance with Laws During Incident Response Law Enforcement Referrals—Yes or No? Preservation of Evidence Confidentiality and Privilege Issues Summary References Part VII: Physical Security Chapter 34: Physical Security Classification of Assets Physical Vulnerability Assessment Buildings Computing Devices and Peripherals Documents Records and Equipment Choosing Site Location for Security Accessibility Lighting Proximity to Other Buildings Proximity to Law Enforcement and Emergency Response RF and Wireless Transmission Interception Utilities Reliability Construction and Excavation Securing Assets: Locks and Entry Controls Locks Entry Controls Physical Intrusion Detection Closed-Circuit Television Alarms Compliance with Standards ISO 27002 COBIT Summary References Glossary Index
This is a complete, cover-to-cover revision of the most authoritative volume available on information security (the first edition of which was titled Network Security: The Complete Reference), and covers all of the most important tools and practices that concern any information security practitioner today, including the very latest information available on security standards and regulations.
Information Security: The Complete Reference, Second Edition guides security practitioners through how to plan, implement, and maintain a secure data environment, protect confidential information, and ensure corporate networks are in compliance with the latest regulations. The book covers essential standards, such as ISO 27001, CoBIT, and SAS 70. Important legal regulations (and their context and relevance), such as Sarbanes-Oxley (SOX), SB 1386, SB 1841, FFIEC, Gramm-Leach-Bliley (GLB), and HIPAA are highlighted throughout where their relevance intersects with topics—enhancing this edition’s value and practicality.
This authoritative volume includes contributions from 30+ technical experts and leaders in the security industry. New chapters have been added on VoIP security, controlling application behavior, and operational security. The chapters covering system security, planning and response, and standards compliance have been extensively revised.
The 35 chapters are divided into six parts. Part 1 covers the elements of network security foundations including policies, organization, and defense models. Part II covers access control, including security management, operational security, and data security. Part III gets into key network security aspects, including firewalls, virtual private networks, wireless security, VoIP security, and more. Part IV explains system security, focusing on security models, UNIX, Linux, and Windows Security. Part V covers application security, including J2EE, Windows .NET, database security, writing secure software, and more. Part VI explains planning and response, including disaster recovery, attacks and countermeasures, incident response, as well as legal, regulatory, and standards compliance.
The first edition of this book was titled Network Security: The Complete Reference.
Information Security: The Complete Reference, Second Edition
- Now presents essential security standards and regulation information paired with related topics throughout the book, greatly enhancing ease-of-use and the ability to readily apply business recommendations
- Teaches end-to-end IT security concepts and techniques, complete with methodology, analysis, case examples, tips, and all the technical supporting details needed to suit an IT audience’s requirements
- Spans from a beginner to advanced practitioner level
- Includes detailed updates on how to assure business compliance with IT standards and regulations, including ISO 27001, CoBIT, SAS 70, and SOX
- Offers completely updated coverage of Linux/UNIX, wireless, secure Windows, VPN, software development, and physical premises
- Contains comprehensive information on how to design an effective security defense model, develop and deploy computer, personnel, and physical security policies, design and manage authentication and authorization methods, and much more
Publisher's Note: Products purchased from Third Party sellers are not guaranteed by the publisher for quality, authenticity, or access to any online entitlements included with the product. Develop and implement an effective end-to-end security programToday's complex world of mobile platforms, cloud computing, and ubiquitous data access puts new security demands on every IT professional. Information Security: The Complete Reference, Second Edition (previously titled Network Security: The Complete Reference ) is the only comprehensive book that offers vendor-neutral details on all aspects of information protection, with an eye toward the evolving threat landscape. Thoroughly revised and expanded to cover all aspects of modern information security--from concepts to details--this edition provides a one-stop reference equally applicable to the beginner and the seasoned professional. Find out how to build a holistic security program based on proven methodology, risk analysis, compliance, and business needs. You'll learn how to successfully protect data, networks, computers, and applications. In-depth chapters cover data protection, encryption, information rights management, network security, intrusion detection and prevention, Unix and Windows security, virtual and cloud security, secure application development, disaster recovery, forensics, and real-world attacks and countermeasures. Included is an extensive security glossary, as well as standards-based references. This is a great resource for professionals and students alike. Understand security concepts and building blocks Identify vulnerabilities and mitigate risk Optimize authentication and authorization Use IRM and encryption to protect unstructured data Defend storage devices, databases, and software Protect network routers, switches, and firewalls Secure VPN, wireless, VoIP, and PBX infrastructure Design intrusion detection and prevention systems Develop secure Windows, Java, and mobile applications Perform incident response and forensic analysis Develop and implement an effective end-to-end security program Today's complex world of mobile platforms, cloud computing, and ubiquitous data access puts new security demands on every IT professional. Information Security: The Complete Reference, Second Edition (previously titled Network Security: The Complete Reference ) is the only comprehensive book that offers vendor-neutral details on all aspects of information protection, with an eye toward the evolving threat landscape. Thoroughly revised and expanded to cover all aspects of modern information security--from concepts to details--this edition provides a one-stop reference equally applicable to the beginner and the seasoned professional. Find out how to build a holistic security program based on proven methodology, risk analysis, compliance, and business needs. You'll learn how to successfully protect data, networks, computers, and applications. In-depth chapters cover data protection, encryption, information rights management, network security, intrusion detection and prevention, Unix and Windows security, virtual and cloud security, secure application development, disaster recovery, forensics, and real-world attacks and countermeasures. Included is an extensive security glossary, as well as standards-based references. This is a great resource for professionals and students alike. Understand security concepts and building blocks Identify vulnerabilities and mitigate risk Optimize authentication and authorization Use IRM and encryption to protect unstructured data Defend storage devices, databases, and software Protect network routers, switches, and firewalls Secure VPN, wireless, VoIP, and PBX infrastructure Design intrusion detection and prevention systems Develop secure Windows, Java, and mobile applications Perform incident response and forensic analysis Security smarts for the self-guided IT professional! Learn proven and easy-to-use security metrics strategies.Written by the developer of eBay's security metrics program, Security Metrics: A Beginner's Guide is a must-have tool for any networking or security practitioner looking to optimize an existing security program and demonstrate measurable results. The book assumes real-life scenarios with limited resources and provides straightforward guidance for getting started quickly. Templates, checklists, and examples are provided both in the book and on the companion web site.This practical guide begins by discussing the objective of measuring security, and addresses the key elements required to develop an effective security metrics program. This is followed by recommendations on how to identify targets for measurement, define key messages for key audiences, and obtain buy-in from stakeholders on measurement goals and timelines. The book describes processes for leveraging metrics for decision-making and driving change in an organization. It concludes with tips from an enterprise practitioner on how to work feedback loops into an effective metrics program for continuous improvement