Front Cover ... 1
Computer and Information Security Handbook ... 4
Copyright Page ... 5
Contents ... 8
Foreword ... 22
Preface ... 24
Acknowledgments ... 28
About the Editor ... 30
Contributors ... 32
Part I: Overview of System and Network Security: A Comprehensive Introduction ... 34
  Chapter 1. Building a Secure Organization ... 36
    1. Obstacles to Security ... 36
      Security Is Inconvenient ... 36
      Computers Are Powerful and Complex ... 36
      Computer Users Are Unsophisticated ... 37
      Computers Created Without a Thought to Security ... 37
      Current Trend Is to Share, Not Protect ... 37
      Data Accessible from Anywhere ... 37
      Security Isn't About Hardware and Software ... 38
      The Bad Guys Are Very Sophisticated ... 38
      Management Sees Security as a Drain on the Bottom Line ... 38
    2. Ten Steps to Building a Secure Organization ... 39
      A. Evaluate the Risks and Threats ... 39
      B. Beware of Common Misconceptions ... 41
      C. Provide Security Training for IT Staff—Now and Forever ... 42
      D. Think "Outside the Box" ... 43
      E. Train Employees: Develop a Culture of Security ... 45
      F. Identify and Utilize Built-In Security Features of the Operating System and Applications ... 47
      G. Monitor Systems ... 49
      H. Hire a Third Party to Audit Security ... 50
      I. Don't Forget the Basics ... 52
      J. Patch, Patch, Patch ... 53
  Chapter 2. A Cryptography Primer ... 56
    1. What is Cryptography? What is Encryption? ... 56
      How Is Cryptography Done? ... 57
    2. Famous Cryptographic Devices ... 57
      The Lorenz Cipher ... 57
      Enigma ... 57
    3. Ciphers ... 58
      The Substitution Cipher ... 58
      The Shift Cipher ... 59
      The Polyalphabetic Cipher ... 62
      The Kasiski/Kerckhoff Method ... 63
    4. Modern Cryptography ... 64
      The Vernam Cipher (Stream Cipher) ... 64
      The One-Time Pad ... 65
      Cracking Ciphers ... 66
      The XOR Cipher and Logical Operands ... 67
      Block Ciphers ... 68
    5. The Computer Age ... 69
      Data Encryption Standard ... 69
      Theory of Operation ... 70
      Implementation ... 71
      Rivest, Shamir, and Adleman (RSA) ... 71
      Advanced Encryption Standard (AES or Rijndael) ... 71
  Chapter 3. Preventing System Intrusions ... 72
    1. So, What is an Intrusion? ... 72
    2. Sobering Numbers ... 73
    3. Know Your Enemy: Hackers Versus Crackers ... 73
    4. Motives ... 74
    5. Tools of the Trade ... 74
    6. Bots ... 75
    7. Symptoms of Intrusions ... 76
    8. What Can You Do? ... 76
      Know Today's Network Needs ... 77
      Network Security Best Practices ... 78
    9. Security Policies ... 78
    10. Risk Analysis ... 79
      Vulnerability Testing ... 79
      Audits ... 80
      Recovery ... 80
    11. Tools of Your Trade ... 80
      Firewalls ... 80
      Intrusion Prevention Systems ... 80
      Application Firewalls ... 81
      Access Control Systems ... 81
      Unified Threat Management ... 82
    12. Controlling User Access ... 82
      Authentication, Authorization, and Accounting ... 82
      What the User Knows ... 82
      What the User Has ... 83
      The User Is Authenticated, But Is She Authorized? ... 83
      Accounting ... 84
      Keeping Current ... 84
    13. Conclusion ... 84
  Chapter 4. Guarding Against Network Intrusions ... 86
    1. Traditional Reconnaissance and Attacks ... 86
    2. Malicious Software ... 89
      Lures and "Pull" Attacks ... 90
    3. Defense in Depth ... 91
    4. Preventive Measures ... 92
      Access Control ... 92
      Vulnerability Testing and Patching ... 92
      Closing Ports ... 93
      Firewalls ... 93
      Antivirus and Antispyware Tools ... 94
      Spam Filtering ... 95
      Honeypots ... 95
      Network Access Control ... 96
    5. Intrusion Monitoring and Detection ... 96
      Host-Based Monitoring ... 97
      Traffic Monitoring ... 97
      Signature-Based Detection ... 97
      Behavior Anomalies ... 98
      Intrusion Prevention Systems ... 98
    6. Reactive Measures ... 98
      Quarantine ... 98
      Traceback ... 99
    7. Conclusions ... 99
  Chapter 5. Unix and Linux Security ... 100
    1. Unix and Security ... 100
      The Aims of System Security ... 100
      Achieving Unix Security ... 100
    2. Basic Unix Security ... 101
      Traditional Unix Systems ... 101
      Standard File and Device Access Semantics ... 102
    4. Protecting User Accounts and Strengthening Authentication ... 104
      Establishing Secure Account Use ... 104
      The Unix Login Process ... 104
      Controlling Account Access ... 104
      Noninteractive Access ... 105
      Other Network Authentication Mechanisms ... 106
      Risks of Trusted Hosts and Networks ... 106
      Replacing Telnet, rlogin, and FTP Servers and Clients with SSH ... 106
    5. Reducing Exposure to Threats by Limiting Superuser Privileges ... 107
      Controlling Root Access ... 107
    6. Safeguarding Vital Data by Securing Local and Network File Systems ... 109
      Directory Structure and Partitioning for Security ... 109
  Chapter 6. Eliminating the Security Weakness of Linux and Unix Operating Systems ... 112
    1. Introduction to Linux and Unix ... 112
      What Is Unix? ... 112
      What Is Linux? ... 113
      System Architecture ... 115
    2. Hardening Linux and Unix ... 117
      Network Hardening ... 117
      Host Hardening ... 121
      Systems Management Security ... 123
    3. Proactive Defense for Linux and Unix ... 123
      Vulnerability Assessment ... 123
      Incident Response Preparation ... 124
      Organizational Considerations ... 125
  Chapter 7. Internet Security ... 126
    1. Internet Protocol Architecture ... 126
      Communications Architecture Basics ... 127
      Getting More Specific ... 128
    2. An Internet Threat Model ... 133
      The Dolev-Yao Adversary Model ... 134
      Layer Threats ... 134
    3. Defending Against Attacks on the Internet ... 138
      Layer Session Defenses ... 139
      Session Startup Defenses ... 146
    4. Conclusion ... 150
  Chapter 8. The Botnet Problem ... 152
    1. Introduction ... 152
    2. Botnet Overview ... 153
      Origins of Botnets ... 153
      Botnet Topologies and Protocols ... 153
    3. Typical Bot Life Cycle ... 155
    4. The Botnet Business Model ... 156
    5. Botnet Defense ... 157
      Detecting and Removing Individual Bots ... 157
      Detecting C&C Traffic ... 158
      Detecting and Neutralizing the C&C Servers ... 158
      Attacking Encrypted C&C Channels ... 159
      Locating and Identifying the Botmaster ... 161
    6. Botmaster Traceback ... 161
      Traceback Challenges ... 162
      Traceback Beyond the Internet ... 163
    7. Summary ... 165
  Chapter 9. Intranet Security ... 166
    1. Plugging the Gaps: NAC and Access Control ... 169
    2. Measuring Risk: Audits ... 170
    3. Guardian at the Gate: Authentication and Encryption ... 171
    4. Wireless Network Security ... 172
    5. Shielding the Wire: Network Protection ... 174
    6. Weakest Link in Security: User Training ... 175
    7. Documenting the Network: Change Management ... 175
    8. Rehearse the Inevitable: Disaster Recovery ... 176
    9. Controlling Hazards: Physical and Environmental Protection ... 178
    10. Know Your Users: Personnel Security ... 179
    11. Protecting Data Flow: Information and System Integrity ... 179
    12. Security Assessments ... 180
    13. Risk Assessments ... 181
    14. Conclusion ... 181
  Chapter 10. Local Area Network Security ... 182
    1. Identify Network Threats ... 183
      Disruptive ... 183
      Unauthorized Access ... 183
    2. Establish Network Access Controls ... 183
    3. Risk Assessment ... 184
    4. Listing Network Resources ... 184
    5. Threats ... 184
    6. Security Policies ... 184
    7. The Incident-handling Process ... 185
    8. Secure Design Through Network Access Controls ... 185
    9. IDS Defined ... 186
    10. NIDS: Scope and Limitations ... 187
    11. A Practical Illustration of NIDS ... 187
      UDP Attacks ... 187
      TCP SYN (Half-Open) Scanning ... 188
      Some Not-So-Robust Features of NIDS ... 189
    12. Firewalls ... 191
      Firewall Security Policy ... 192
      Configuration Script for sf Router ... 193
    13. Dynamic NAT Configuration ... 193
    14. The Perimeter ... 193
    15. Access List Details ... 195
    16. Types of Firewalls ... 195
    17. Packet Filtering: IP Filtering Routers ... 195
    18. Application-layer Firewalls: Proxy Servers ... 196
    19. Stateful Inspection Firewalls ... 196
    20. NIDS Complements Firewalls ... 196
    21. Monitor and Analyze System Activities ... 196
      Analysis Levels ... 197
    22. Signature Analysis ... 197
    23. Statistical Analysis ... 197
    24. Signature Algorithms ... 197
      Pattern Matching ... 197
      Stateful Pattern Matching ... 198
      Protocol Decode-based Analysis ... 198
      Heuristic-Based Analysis ... 199
      Anomaly-Based Analysis ... 199
  Chapter 11. Wireless Network Security ... 202
    1. Cellular Networks ... 202
      Cellular Telephone Networks ... 203
      802.11 Wireless LANs ... 203
    2. Wireless Ad Hoc Networks ... 204
      Wireless Sensor Networks ... 204
      Mesh Networks ... 204
    3. Security Protocols ... 205
      WEP ... 205
      WPA and WPA2 ... 206
      SPINS: Security Protocols for Sensor Networks ... 206
    4. Secure Routing ... 208
      SEAD ... 208
      Ariadne ... 209
      ARAN ... 209
      SLSP ... 210
    5. Key Establishment ... 210
      Bootstrapping ... 210
      Key Management ... 211
    References ... 214
  Chapter 12. Cellular Network Security ... 216
    1. Introduction ... 216
    2. Overview of Cellular Networks ... 217
      Overall Cellular Network Architecture ... 217
      Core Network Organization ... 218
      Call Delivery Service ... 218
    3. The State of the Art of Cellular Network Security ... 219
      Security in the Radio Access Network ... 219
      Security in the Core Network ... 220
      Security Implications of Internet Connectivity ... 221
      Security Implications of PSTN Connectivity ... 221
    4. Cellular Network Attack Taxonomy ... 222
      Abstract Model ... 222
      Abstract Model Findings ... 222
      Three-Dimensional Attack Taxonomy ... 225
    5. Cellular Network Vulnerability Analysis ... 226
      Cellular Network Vulnerability Assessment Toolkit (CAT) ... 228
      Advanced Cellular Network Vulnerability Assessment Toolkit (aCAT) ... 231
      Cellular Network Vulnerability Assessment Toolkit for Evaluation (eCAT) ... 232
    6. Discussion ... 234
    References ... 235
  Chapter 13. RFID Security ... 238
    1. RFID Introduction ... 238
      RFID System Architecture ... 238
      RFID Standards ... 240
      RFID Applications ... 241
    2. RFID Challenges ... 242
      Counterfeiting ... 242
      Sniffing ... 242
      Tracking ... 242
      Denial of Service ... 243
      Other Issues ... 243
      Comparison of All Challenges ... 245
    3. RFID Protections ... 245
      Basic RFID System ... 245
      RFID System Using Symmetric-Key Cryptography ... 248
      RFID System Using Public-Key Cryptography ... 250
    References ... 252
Part II: Managing Information Security ... 256
  Chapter 14. Information Security Essentials for IT Managers: Protecting Mission-Critical Systems ... 258
    1. Information Security Essentials for IT Managers, Overview ... 258
      Scope of Information Security Management ... 258
      CISSP Ten Domains of Information Security ... 258
      What is a Threat? ... 260
      Common Attacks ... 261
      Impact of Security Breaches ... 264
    2. Protecting Mission-Critical Systems ... 264
      Information Assurance ... 264
      Information Risk Management ... 264
      Defense in Depth ... 266
      Contingency Planning ... 266
    3. Information Security from the Ground Up ... 269
      Physical Security ... 269
      Data Security ... 270
      Systems and Network Security ... 272
      Business Communications Security ... 274
      Wireless Security ... 275
      Web and Application Security ... 279
      Security Policies and Procedures ... 280
      Security Employee Training and Awareness ... 281
    4. Security Monitoring and Effectiveness ... 282
      Security Monitoring Mechanisms ... 283
      Incident Response and Forensic Investigations ... 284
      Validating Security Effectiveness ... 284
    References ... 285
  Chapter 15. Security Management Systems ... 288
    1. Security Management System Standards ... 288
    2. Training Requirements ... 289
    3. Principles of Information Security ... 289
    4. Roles and Responsibilities of Personnel ... 289
    5. Security Policies ... 289
    6. Security Controls ... 290
    7. Network Access ... 290
    8. Risk Assessment ... 290
    9. Incident Response ... 291
    10. Summary ... 291
  Chapter 16. Information Technology Security Management ... 292
    1. Information Security Management Standards ... 292
      Federal Information Security Management Act ... 292
      International Standards Organization ... 293
      Other Organizations Involved in Standards ... 293
    2. Information Technology Security Aspects ... 293
      Security Policies and Procedures ... 294
      IT Security Processes ... 296
    3. Conclusion ... 300
  Chapter 17. Identity Management ... 302
    1. Introduction ... 302
    2. Evolution of Identity Management Requirements ... 302
      Digital Identity Definition ... 303
      Identity Management Overview ... 303
      Privacy Requirement ... 305
      User-Centricity ... 305
      Usability Requirement ... 306
    3. The Requirements Fulfilled by Current Identity Management Technologies ... 307
      Evolution of Identity Management ... 307
      Identity 2.0 ... 311
    4. Identity 2.0 for Mobile Users ... 319
      Mobile Web 2.0 ... 319
      Mobility ... 320
      Evolution of Mobile Identity ... 320
      The Future of Mobile User-Centric Identity Management in an Ambient Intelligence World ... 323
      Research Directions ... 325
    5. Conclusion ... 325
  Chapter 18. Intrusion Prevention and Detection Systems ... 326
    1. What is an "Intrusion," Anyway? ... 326
      Physical Theft ... 326
      Abuse of Privileges (The Insider Threat) ... 326
    2. Unauthorized Access by an Outsider ... 327
    3. Malware Infection ... 327
    4. The Role of the "0-day" ... 328
    5. The Rogue's Gallery: Attackers and Motives ... 329
    6. A Brief Introduction to TCP/IP ... 330
    7. The TCP/IP Data Architecture and Data Encapsulation ... 331
    8. Survey of Intrusion Detection and Prevention Technologies ... 333
    9. Anti-Malware Software ... 334
    10. Network-Based Intrusion Detection Systems ... 335
    11. Network-Based Intrusion Prevention Systems ... 336
    12. Host-Based Intrusion Prevention Systems ... 337
    13. Security Information Management Systems ... 337
    14. Network Session Analysis ... 337
    15. Digital Forensics ... 338
    16. System Integrity Validation ... 339
    17. Putting It All Together ... 339
  Chapter 19. Computer Forensics ... 340
    1. What is Computer Forensics? ... 340
    2. Analysis of Data ... 341
      Computer Forensics and Ethics, Green Home Plate Gallery View ... 342
      Database Reconstruction ... 343
    3. Computer Forensics in the Court System ... 343
    4. Understanding Internet History ... 345
    5. Temporary Restraining Orders and Labor Disputes ... 345
      Divorce ... 346
      Patent Infringement ... 346
      When to Acquire, When to Capture Acquisition ... 346
      Creating Forensic Images Using Software and Hardware Write Blockers ... 346
      Live Capture of Relevant Files ... 347
      Redundant Array of Independent (or Inexpensive) Disks (RAID) ... 347
      File System Analyses ... 347
      NTFS ... 348
      The Role of the Forensic Examiner in Investigations and File Recovery ... 348
      Password Recovery ... 350
      File Carving ... 351
      Things to Know: How Timestamps Work ... 353
      Experimental Evidence ... 354
      Email Headers and Timestamps, Email Receipts, and Bounced Messages ... 355
      Steganography: "Covered Writing" ... 357
    5. First Principles ... 358
    6. Hacking a Windows XP Password ... 358
      Net User Password Hack ... 358
      Lanman Hashes and Rainbow Tables ... 358
      Password Reset Disk ... 359
      Memory Analysis and the Trojan Defense ... 359
      User Artifact Analysis ... 359
      Recovering Lost and Deleted Files ... 360
      Email ... 360
      Internet History ... 360
    7. Network Analysis ... 361
      Protocols ... 361
      Analysis ... 361
    8. Computer Forensics Applied ... 362
      Tracking, Inventory, Location of Files, Paperwork, Backups, and So On ... 362
      Testimonial ... 362
      Experience Needed ... 362
      Job Description, Technologist ... 362
      Job Description, Management ... 363
      Commercial Uses ... 363
      Solid Background ... 363
      Education/Certification ... 363
      Programming and Experience ... 364
      Publications ... 364
    9. Testifying as an Expert ... 365
      Degrees of Certainty ... 365
      Certainty Without Doubt ... 367
    10. Beginning to End in Court ... 367
      Defendants, Plaintiffs, and Prosecutors ... 367
      Pretrial Motions ... 368
      Trial: Direct and Cross-Examination ... 368
      Rebuttal ... 368
      Surrebuttal ... 368
      Testifying: Rule 702. Testimony by Experts ... 368
      Correcting Mistakes: Putting Your Head in the Sand ... 369
  Chapter 20. Network Forensics ... 372
    1. Scientific Overview ... 372
    2. The Principles of Network Forensics ... 373
    3. Attack Traceback and Attribution ... 374
      IP Traceback ... 374
      Stepping-Stone Attack Attribution ... 377
    4. Critical Needs Analysis ... 379
    5. Research Directions ... 379
      VoIP Attribution ... 379
      Tracking Botnets ... 379
      Traceback in Anonymous Systems ... 379
      Online Fraudster Detection and Attribution ... 380
      Tracing Phishers ... 380
      Tracing Illegal Content Distributors in P2P Systems ... 380
  Chapter 21. Firewalls ... 382
    1. Network Firewalls ... 382
    2. Firewall Security Policies ... 383
      Rule-Match Policies ... 384
    3. A Simple Mathematical Model for Policies, Rules, and Packets ... 384
    4. First-Match Firewall Policy Anomalies ... 385
    5. Policy Optimization ... 385
      Policy Reordering ... 385
      Combining Rules ... 386
      Default Accept or Deny? ... 386
    6. Firewall Types ... 386
      Packet Filter ... 387
      Stateful Packet Firewalls ... 387
      Application Layer Firewalls ... 387
    7. Host and Network Firewalls ... 388
    8. Software and Hardware Firewall Implementations ... 388
    9. Choosing the Correct Firewall ... 388
    10. Firewall Placement and Network Topology ... 389
      Demilitarized Zones ... 390
      Perimeter Networks ... 390
      Two-Router Configuration ... 390
      Dual-Homed Host ... 391
      Network Configuration Summary ... 391
    11. Firewall Installation and Configuration ... 391
    12. Supporting Outgoing Services Through Firewall Configuration ... 392
      Forms of State ... 392
      Payload Inspection ... 393
    13. Secure External Services Provisioning ... 393
    14. Network Firewalls for Voice and Video Applications ... 393
      Packet Filtering H.323 ... 394
    15. Firewalls and Important Administrative Service Protocols ... 394
      Routing Protocols ... 394
      Internet Control Message Protocol ... 395
      Network Time Protocol ... 395
      Central Log File Management ... 395
      Dynamic Host Configuration Protocol ... 396
    16. Internal IP Services Protection ... 396
    17. Firewall Remote Access Configuration ... 397
    18. Load Balancing and Firewall Arrays ... 398
      Load Balancing in Real Life ... 398
      How to Balance the Load ... 398
      Advantages and Disadvantages of Load Balancing ... 399
    19. Highly Available Firewalls ... 399
      Load Balancer Operation ... 399
      Interconnection of Load Balancers and Firewalls ... 399
    20. Firewall Management ... 400
    21. Conclusion ... 400
  Chapter 22. Penetration Testing ... 402
    1. What is Penetration Testing? ... 402
    2. How Does Penetration Testing Differ from an Actual "Hack"? ... 403
    3. Types of Penetration Testing ... 404
    4. Phases of Penetration Testing ... 406
      The Pre-Attack Phase ... 406
      The Attack Phase ... 406
      The Post-Attack Phase ... 406
    5. Defining What's Expected ... 407
    6. The Need for a Methodology ... 408
    7. Penetration Testing Methodologies ... 408
    8. Methodology in Action ... 409
      EC-Council LPT Methodology ... 409
    9. Penetration Testing Risks ... 411
    10. Liability Issues ... 411
    11. Legal Consequences ... 412
    12. "Get Out of Jail Free" Card ... 412
    13. Penetration Testing Consultants ... 412
    14. Required Skill Sets ... 413
    15. Accomplishments ... 413
    16. Hiring a Penetration Tester ... 413
    17. Why Should a Company Hire You? ... 414
      Qualifications ... 414
      Work Experience ... 414
      Cutting-Edge Technical Skills ... 414
      Communication Skills ... 414
      Attitude ... 414
      Team Skills ... 414
      Company Concerns ... 414
    18. All's Well That Ends Well ... 415
  Chapter 23. What Is Vulnerability Assessment? ... 416
    1. Reporting ... 416
    2. The "It Won't Happen to Us" Factor ... 416
    3. Why Vulnerability Assessment? ... 417
    4. Penetration Testing Versus Vulnerability Assessment ... 417
    5. Vulnerability Assessment Goal ... 418
    6. Mapping the Network ... 418
    7. Selecting the Right Scanners ... 419
    8. Central Scans Versus Local Scans ... 420
    9. Defense in Depth Strategy ... 421
    10. Vulnerability Assessment Tools ... 421
      Nessus ... 421
      GFI LANguard ... 422
      Retina ... 422
      Core Impact ... 422
      ISS Internet Scanner ... 422
      X-Scan ... 422
      Sara ... 422
      QualysGuard ... 422
      SAINT ... 422
      MBSA ... 422
    11. Scanner Performance ... 423
    12. Scan Verification ... 423
    13. Scanning Cornerstones ... 423
    14. Network Scanning Countermeasures ... 423
    15. Vulnerability Disclosure Date ... 424
      Find Security Holes Before They Become Problems ... 424
    16. Proactive Security Versus Reactive Security ... 425
    17. Vulnerability Causes ... 425
      Password Management Flaws ... 425
      Fundamental Operating System Design Flaws ... 425
      Software Bugs ... 425
      Unchecked User Input ... 425
    18. DIY Vulnerability Assessment ... 426
    19. Conclusion ... 426
Part III: Encryption Technology ... 428
  Chapter 24. Data Encryption ... 430
    1. Need for Cryptography ... 431
      Authentication ... 431
      Confidentiality ... 431
      Integrity ... 431
      Nonrepudiation ... 431
    2. Mathematical Prelude to Cryptography ... 431
      Mapping or Function ... 431
      Probability ... 431
      Complexity ... 431
    3. Classical Cryptography ... 432
      The Euclidean Algorithm ... 432
      The Extended Euclidean Algorithm ... 432
      Modular Arithmetic ... 432
      Congruence ... 433
      Residue Class ... 433
      Inverses ... 433
      Fundamental Theorem of Arithmetic ... 433
      Congruence Relation Defined ... 434
      Substitution Cipher ... 434
      Transposition Cipher ... 435
    4. Modern Symmetric Ciphers ... 435
      S-Box ... 436
      P-Boxes ... 436
      Product Ciphers ... 437
    5. Algebraic Structure ... 437
      Definition: Group ... 437
      Definitions of Finite and Infinite Groups (Order of a Group) ... 437
      Definition: Abelian Group ... 437
      Examples of a Group ... 437
      Definition: Subgroup ... 438
      Definition: Cyclic Group ... 438
      Rings ... 438
      Definition: Field ... 438
      Finite Fields GF(2^n) ... 438
      Modular Polynomial Arithmetic Over GF(2) ... 439
      Using a Generator to Represent the Elements of GF(2^n) ... 439
      GF(2^3) Is a Finite Field ... 440
    6. The Internal Functions of Rijndael in AES Implementation ... 440
      Mathematical Preliminaries ... 441
      State ... 441
    7. Use of Modern Block Ciphers ... 445
      The Electronic Code Book (ECB) ... 445
      Cipher-Block Chaining (CBC) ... 445
    8. Public-Key Cryptography ... 445
      Review: Number Theory ... 445
    9. Cryptanalysis of RSA ... 449
      Factorization Attack ... 449
    10. Diffie-Hellman Algorithm ... 450
    11. Elliptic Curve Cryptosystems ... 450
      An Example ... 451
      Example of Elliptic Curve Addition ... 451
      EC Security ... 452
    12. Message Integrity and Authentication ... 452
      Cryptographic Hash Functions ... 452
      Message Authentication ... 453
      Digital Signature ... 453
      Message Integrity Uses a Hash Function in Signing the Message ... 453
      RSA Digital Signature Scheme ... 453
      RSA Digital Signature and the Message Digest ... 453
    13. Summary ... 454
    References ... 454
  Chapter 25. Satellite Encryption ... 456
    1. The Need for Satellite Encryption ... 456
    2. Satellite Encryption Policy ... 458
    3. Implementing Satellite Encryption ... 459
      General Satellite Encryption Issues ... 459
      Uplink Encryption ... 461
      Extraplanetary Link Encryption ... 461
      Downlink Encryption ... 462
    4. The Future of Satellite Encryption ... 463
  Chapter 26. Public Key Infrastructure ... 466
    1. Cryptographic Background ... 466
      Digital Signatures ... 466
      Public Key Encryption ... 467
    2. Overview of PKI ... 468
    3. The X.509 Model ... 469
      The History of X.509 ... 469
      The X.509 Certificate Model ... 469
    4. X.509 Implementation Architectures ... 470
    5. X.509 Certificate Validation ... 472
      Validation Step 1: Construct the Chain and Validate Signatures ... 472
      Validation Step 2: Check Validity Dates, Policy and Key Usage ... 472
      Validation Step 3: Consult Revocation Authorities ... 473
    6. X.509 Certificate Revocation ... 473
      Online Certificate Status Protocol ... 474
    7. Server-Based Certificate Validity Protocol ... 475
    8. X.509 Bridge Certification Systems ... 476
      Mesh PKIs and Bridge CAs ... 476
    9. X.509 Certificate Format ... 477
      X.509 V1 and V2 Format ... 478
      X.509 V3 Format ... 478
      X.509 Certificate Extensions ... 478
      Policy Extensions ... 479
      Certificate Policy ... 479
    10. PKI Policy Description ... 480
    11. PKI Standards Organizations ... 481
      IETF PKIX ... 481
      SDSI/SPKI ... 481
      IETF OpenPGP ... 481
    12. PGP Certificate Formats ... 482
    13. PGP PKI Implementations ... 482
    14. W3C ... 482
    15. Alternative PKI Architectures ... 483
    16. Modified X.509 Architectures ... 483
      Perlman and Kaufman's User-Centric PKI ... 483
      Gutmann's Plug and Play PKI ... 483
      Callas's Self-Assembling PKI ... 483
    17. Alternative Key Management Models ... 483
  Chapter 27. Instant-Messaging Security ... 486
    1. Why Should I Care About Instant Messaging? ... 486
    2. What is Instant Messaging? ... 486
    3. The Evolution of Networking Technologies ... 487
    4. Game Theory and Instant Messaging ... 488
      Your Workforce ... 488
      Generational Gaps ... 489
      Transactions ... 490
    5. The Nature of the Threat ... 490
      Malicious Threat ... 491
      Vulnerabilities ... 492
      Man-in-the-Middle Attacks ... 492
      Phishing and Social Engineering ... 492
      Knowledge Is the Commodity ... 492
      Data and Traffic Analysis ... 493
      Unintentional Threats ... 493
      Regulatory Concerns ... 494
    6. Common IM Applications ... 494
      Consumer Instant Messaging ... 494
      Enterprise Instant Messaging ... 494
      Instant-Messaging Aggregators ... 495
      Backdoors: Instant Messaging Via Other Means (HTML) ... 495
      Mobile Dimension ... 495
    7. Defensive Strategies ... 495
    8. Instant-Messaging Security Maturity and Solutions ... 496
      Asset Management ... 496
      Built-In Security ... 496
      Content Filtering ... 496
      Classic Security ... 496
      Compliance ... 497
      Data Loss Prevention ... 497
      Logging ... 497
      Archival ... 497
    9. Processes ... 497
      Instant-Messaging Activation and Provisioning ... 497
      Application Review ... 497
      People ... 497
      Revise ... 497
      Audit ... 497
    10. Conclusion ... 498
      Example Answers to Key Factors ... 499
Part IV: Privacy and Access Management ... 500
  Chapter 28. NET Privacy ... 502
    1. Privacy in the Digital Society ... 502
      The Origins, The Debate ... 502
      Privacy Threats ... 504
    2. The Economics of Privacy ... 507
      The Value of Privacy ... 507
      Privacy and Business ... 508
    3. Privacy-Enhancing Technologies ... 509
      Languages for Access Control and Privacy Preferences ... 509
      Data Privacy Protection ... 511
      Privacy for Mobile Environments ... 513
    4. Network Anonymity ... 515
      Onion Routing ... 516
      Anonymity Services ... 517
    5. Conclusion ... 518
  Chapter 29. Personal Privacy Policies ... 520
    1. Introduction ... 520
    2. Content of Personal Privacy Policies ... 521
      Privacy Legislation and Directives ... 521
      Requirements from Privacy Principles ... 521
      Privacy Policy Specification ... 523
    3. Semiautomated Derivation of Personal Privacy Policies ... 523
      An Example ... 525
      Retrieval from a Community of Peers ... 526
    4. Specifying Well-Formed Personal Privacy Policies ... 527
      Unexpected Outcomes ... 527
      Outcomes From the Way the Matching Policy Was Obtained ... 527
    5. Preventing Unexpected Negative Outcomes ... 529
      Definition 1 ... 529
      Definition 2 ... 529
      Rules for Specifying Near Well-Formed Privacy Policies ... 529
      Approach for Obtaining Near Well-Formed Privacy Policies ... 530
    6. The Privacy Management Model ... 530
      How Privacy Policies Are Used ... 530
      Personal Privacy Policy Negotiation ... 532
      Personal Privacy Policy Compliance ... 535
    7. Discussion and Related Work ... 535
    8. Conclusions and Future Work ... 538
  Chapter 30. Virtual Private Networks ... 540
    1. History ... 541
    2. Who is in Charge? ... 544
    3. VPN Types ... 545
      IPsec ... 545
      L2TP ... 545
      L2TPv3 ... 546
      L2F ... 546
      PPTP VPN ... 546
      MPLS ... 547
      MPVPN™ ... 547
      SSH ... 547
      SSL-VPN ... 547
      TLS ... 547
    4. Authentication Methods ... 548
      Hashing ... 548
      HMAC ... 548
      MD5 ... 548
      SHA-1 ... 548
    5. Symmetric Encryption ... 549
    6. Asymmetric Cryptography ... 549
    7. Edge Devices ... 549
    8. Passwords ... 549
    9. Hackers and Crackers ... 550
  Chapter 31. Identity Theft ... 552
    1. Experimental Design ... 553
      Authentic Payment Notification: Plain Versus Fancy Layout ... 555
      Strong Phishing Message: Plain Versus Fancy Layout ... 558
      Authentic Promotion: Effect of Small Footers ... 558
      Weak Phishing Message ... 560
      Authentic Message ... 561
      Login Page ... 561
      Login Page: Strong and Weak Content Alignment ... 562
      Login Page: Authentic and Bogus (But Plausible) URLs ... 565
      Login Page: Hard and Soft Emphasis on Security ... 565
      Bad URL, with and without SSL and Endorsement Logo ... 568
      High-Profile Recall Notice ... 568
      Low-Profile Class-Action Lawsuit ... 568
    2. Results and Analysis ... 568
    3. Implications for Crimeware ... 579
      Example: Vulnerability of Web-Based Update Mechanisms ... 580
      Example: The Unsubscribe Spam Attack ... 580
      The Strong Narrative Attack ... 581
    4. Conclusion ... 581
  Chapter 32. VoIP Security ... 584
    1. Introduction ... 584
      VoIP Basics ... 584
    2. Overview of Threats ... 586
      Taxonomy of Threats ... 586
      Reconnaissance of VoIP Networks ... 586
      Denial of Service ... 587
      Loss of Privacy ... 588
      Exploits ... 590
    3. Security in VoIP ... 591
      Preventative Measures ... 591
      Reactive ... 592
    4. Future Trends ... 593
      Forking Problem in SIP ... 593
      Security in Peer-to-Peer SIP ... 594
      End-to-End Identity with SBCs ... 596
    5. Conclusion ... 597
Part V: Storage Security ... 598
  Chapter 33. SAN Security ... 600
    1. Organizational Structure ... 600
      AAA ... 601
      Restricting Access to Storage ... 602
    2. Access Control Lists (ACL) and Policies ... 603
      Data Integrity Field (DIF) ... 603
    3. Physical Access ... 604
    4. Change Management ... 604
    5. Password Policies ... 604
    6. Defense in Depth ... 604
    7. Vendor Security Review ... 604
    8. Data Classification ... 604
    9. Security Management ... 605
      Security Setup ... 605
      Unused Capabilities ... 605
    10. Auditing ... 605
      Updates ... 605
      Monitoring ... 605
      Security Maintenance ... 605
    11. Management Access: Separation of Functions ... 606
      Limit Tool Access ... 606
      Secure Management Interfaces ... 606
    12. Host Access: Partitioning ... 606
      S_ID Checking ... 607
    13. Data Protection: Replicas ... 607
      Erasure ... 607
      Potential Vulnerabilities and Threats ... 608
      Physical Attacks ... 608
      Management Control Attacks ... 608
      Host Attacks ... 608
      World Wide Name Spoofing ... 609
      Man-in-the-Middle Attacks ... 609
      E-Port Replication Attack ... 609
      Denial-of-Service Attacks ... 610
      Session Hijacking Attacks ... 610
    15. Encryption in Storage ... 610
      The Process ... 610
      Encryption Algorithms ... 611
      Key Management ... 612
      Configuration Management ... 613
    16. Application of Encryption ... 613
      Risk Assessment and Management ... 613
      Modeling Threats ... 613
      Use Cases for Protecting Data at Rest ... 614
      Use Considerations ... 615
      Deployment Options ... 615
    17. Conclusion ... 621
    References ... 622
  Chapter 34. Storage Area Networking Security Devices ... 624
    1. What is a SAN? ... 624
    2. SAN Deployment Justifications ... 624
    3. The Critical Reasons for SAN Security ... 625
      Why Is SAN Security Important? ... 625
    4. SAN Architecture and Components ... 626
      SAN Switches ... 626
    5. SAN General Threats and Issues ... 627
      SAN Cost: A Deterrent to Attackers ... 627
      Physical Level Threats, Issues, and Risk Mitigation ... 627
      Logical Level Threats, Vulnerabilities, and Risk Mitigation ... 629
    6. Conclusion ... 636
  Chapter 35. Risk Management ... 638
    1. The Concept of Risk ... 639
    2. Expressing and Measuring Risk ... 639
    3. The Risk Management Methodology ... 642
      Context Establishment ... 642
      Risk Assessment ... 643
      Risk Treatment ... 645
      Risk Communication ... 647
      Risk Monitoring and Review ... 647
      Integrating Risk Management into the System Development Life Cycle ... 647
      Critique of Risk Management as a Methodology ... 648
      Risk Management Methods ... 649
    4. Risk Management Laws and Regulations ... 653
    5. Risk Management Standards ... 656
    6. Summary ... 658
Part VI: Physical Security ... 660
  Chapter 36. Physical Security Essentials ... 662
    1. Overview ... 662
    2. Physical Security Threats ... 663
      Natural Disasters ... 663
      Environmental Threats ... 664
      Technical Threats ... 666
      Human-Caused Physical Threats ... 667
    3. Physical Security Prevention and Mitigation Measures ... 667
      Environmental Threats ... 667
      Technical Threats ... 668
      Human-Caused Physical Threats ... 668
    4. Recovery from Physical Security Breaches ... 669
    5. Threat Assessment, Planning, and Plan Implementation ... 669
      Threat Assessment ... 669
      Planning and Implementation ... 670
    6. Example: A Corporate Physical Security Policy ... 670
    7. Integration of Physical and Logical Security ... 672
    References ... 676
  Chapter 37. Biometrics ... 678
    1. Relevant Standards ... 679
    2. Biometric System Architecture ... 680
      Data Capture ... 681
      Signal Processing ... 681
      Matching ... 682
      Data Storage ... 682
      Decision ... 682
      Adaptation ... 685
    3. Using Biometric Systems ... 685
      Enrollment ... 685
      Authentication ... 686
      Identification ... 687
    4. Security Considerations ... 688
      Error Rates ... 688
      Doddington's Zoo ... 689
      Birthday Attacks ... 689
      Comparing Technologies ... 690
      Storage of Templates ... 691
    5. Conclusion ... 692
  Chapter 38. Homeland Security ... 694
    1. Statutory Authorities ... 694
      The USA PATRIOT Act of 2001 (PL 107-56) ... 694
      The Aviation and Transportation Security Act of 2001 (PL 107-71) ... 696
      Enhanced Border Security and Visa Entry Reform Act of 2002 (PL 107-173) ... 696
      Public Health Security, Bioterrorism Preparedness & Response Act of 2002 (PL 107-188) ... 697
      Homeland Security Act of 2002 (PL 107-296) ... 698
      E-Government Act of 2002 (PL 107-347) ... 699
    2. Homeland Security Presidential Directives ... 700
    3. Organizational Actions ... 702
      Department of Homeland Security Subcomponents ... 702
      State and Federal Organizations ... 702
      The Governor's Office of Homeland Security ... 703
      California Office of Information Security and Privacy Protection ... 703
      Private Sector Organizations for Information Sharing ... 703
    4. Conclusion ... 707
  Chapter 39. Information Warfare ... 710
    1. Information Warfare Model ... 710
    2. Information Warfare Defined ... 711
    3. IW: Myth or Reality? ... 711
    4. Information Warfare: Making IW Possible ... 713
      Offensive Strategies ... 713
    5. Preventative Strategies ... 718
    6. Legal Aspects of IW ... 719
      Terrorism and Sovereignty ... 719
      Liability Under International Law ... 719
      Remedies Under International Law ... 720
      Developing Countries' Response ... 722
    7. Holistic View of Information Warfare ... 722
    8. Conclusion ... 723
Part VII: Advanced Security ... 724
  Chapter 40. Security Through Diversity ... 726
    1. Ubiquity ... 726
    2. Example Attacks Against Uniformity ... 727
    3. Attacking Ubiquity With Antivirus Tools ... 727
    4. The Threat of Worms ... 728
    5. Automated Network Defense ... 730
    6. Diversity and the Browser ... 731
    7. Sandboxing and Virtualization ... 731
    8. DNS Example of Diversity through Security ... 732
    9. Recovery from Disaster is Survival ... 732
    10. Conclusion ... 733
  Chapter 41. Reputation Management ... 734
    1. The Human Notion of Reputation ... 735
    2. Reputation Applied to the Computing World ... 737
    3. State of the Art of Attack-Resistant Reputation Computation ... 741
    4. Overview of Current Online Reputation Services ... 744
      eBay ... 744
      Opinity ... 746
      Rapleaf ... 747
      Venyo ... 748
      TrustPlus + Xing + ZoomInfo + SageFire ... 749
      Naymz + Trufina ... 750
      The GORB ... 752
      ReputationDefender ... 753
      Summarizing Table ... 753
    5. Conclusion ... 753
  Chapter 42. Content Filtering ... 756
    1. The Problem with Content Filtering ... 756
    2. User Categories, Motivations, and Justifications ... 757
      Schools ... 758
      Commercial Business ... 758
      Financial Organizations ... 758
      Healthcare Organizations ... 758
      Internet Service Providers ... 758
      U.S. Government ... 758
      Other Governments ... 758
      Libraries ... 758
      Parents ... 759
    3. Content Blocking Methods ... 759
      Banned Word Lists ... 759
      URL Block ... 759
      Category Block ... 759
      Bayesian Filters ... 760
      Safe Search Integration to Search Engines with Content Labeling ... 760
      Content-Based Image Filtering (CBIF) ... 760
    4. Technology and Techniques for Content-Filtering Control ... 761
      Internet Gateway-Based Products/Unified Threat Appliances ... 761
    5. Categories ... 765
    6. Legal Issues ... 768
      Federal Law: ECPA ... 768
      CIPA: The Children's Internet Protection Act ... 768
      The Trump Card of Content Filtering: The "National Security Letter" ... 769
      ISP Content Filtering Might Be a "Five-Year Felony" ... 769
    7. Issues and Problems with Content Filtering ... 770
      Bypass and Circumvention ... 770
      Client-Based Proxies ... 770
      Open Proxies ... 772
      HTTP Web-Based Proxies (Public and Private) ... 772
      Secure Public Web-Based Proxies ... 772
      Process Killing ... 772
      Remote PC Control Applications ... 772
      Overblocking and Underblocking ... 773
      Blacklist and Whitelist Determination ... 773
      Casual Surfing Mistake ... 773
      Getting the List Updated ... 773
      Time-of-Day Policy Changing ... 773
      Override Authorization Methods ... 773
      Hide Content in "Noise" or Use Steganography ... 773
      Nonrepudiation: Smart Cards, ID Cards for Access ... 773
      Warn and Allow Methods ... 773
      Integration with Spam Filtering Tools ... 773
      Detect Spyware and Malware in the HTTP Payload ... 773
      Integration with Directory Servers ... 773
      Language Support ... 774
      Financial Considerations Are Important ... 774
      Scalability and Usability ... 774
      Performance Issues ... 775
      Reporting Is a Critical Requirement ... 775
      Bandwidth Usage ... 775
      Precision Percentage and Recall ... 775
    9. Related Products ... 776
    10. Conclusion ... 776
  Chapter 43. Data Loss Protection ... 778
    1. Precursors of DLP ... 780
    2. What is DLP? ... 781
    3. Where to Begin? ... 786
    4. Data is Like Water ... 787
    5. You Don't Know What You Don't Know ... 788
      Precision versus Recall ... 789
    6. How Do DLP Applications Work? ... 789
    7. Eat Your Vegetables ... 790
      Data in Motion ... 790
      Data at Rest ... 791
      Data in Use ... 791
    8. It's a Family Affair, Not Just IT Security's Problem ... 793
    9. Vendors, Vendors Everywhere! Who Do You Believe? ... 795
    10. Conclusion ... 795
Part VIII: Appendices ... 796
  Appendix A: Configuring Authentication Service on Microsoft Windows Vista ... 798
    1. Backup and Restore of Stored Usernames and Passwords ... 798
      Automation and Scripting ... 798
      Security Considerations ... 798
    2. Credential Security Service Provider and SSO for Terminal Services Logon ... 798
      Requirements ... 799
      Configuration ... 799
      Security Considerations ... 799
    3. TLS/SSL Cryptographic Enhancements ... 799
      AES Cipher Suites ... 799
      ECC Cipher Suites ... 800
      Schannel CNG Provider Model ... 801
      Default Cipher Suite Preference ... 802
      Previous Cipher Suites ... 802
    4. Kerberos Enhancements ... 802
      AES ... 802
      Read-Only Domain Controller and Kerberos Authentication ... 803
    5. Smart Card Authentication Changes ... 803
      Additional Changes to Common Smart Card Logon Scenarios ... 804
    6. Previous Logon Information ... 806
      Configuration ... 807
      Security Considerations ... 807
  Appendix B: Security Management and Resiliency ... 808
  Appendix C: List of Top Security Implementation and Deployment Companies ... 810
    List of SAN Implementation and Deployment Companies ... 811
    SAN Security Implementation and Deployment Companies ... 811
  Appendix D: List of Security Products ... 814
    Security Software ... 814
  Appendix E: List of Security Standards ... 816
  Appendix F: List of Miscellaneous Security Resources ... 818
    Conferences ... 818
    Consumer Information ... 818
    Directories ... 819
    Help and Tutorials ... 819
    Mailing Lists ... 819
    News and Media ... 820
    Organizations ... 820
    Products and Tools ... 821
    Research ... 823
    Content Filtering Links ... 824
    Other Logging Resources ... 824
  Appendix G: Ensuring Built-in Frequency Hopping Spread Spectrum Wireless Network Security ... 826
    Accomplishment ... 826
    Background ... 826
    Additional Information ... 826
  Appendix H: Configuring Wireless Internet Security Remote Access ... 828
    Adding the Access Points as RADIUS Clients to IAS ... 828
      Adding Access Points to the First IAS Server ... 828
      Scripting the Addition of Access Points to IAS Server (Alternative Procedure) ... 828
    Configuring the Wireless Access Points ... 829
      Enabling Secure WLAN Authentication on Access Points ... 829
      Additional Settings to Secure Wireless Access Points ... 830
    Replicating RADIUS Client Configuration to Other IAS Servers ... 831
  Appendix I: Frequently Asked Questions ... 832
  Appendix J: Glossary ... 834
    A ... 834
    B ... 835
    C ... 835
    D ... 837
    E ... 839
    F ... 839
    G ... 839
    H ... 839
    I ... 840
    K ... 841
    L ... 841
    M ... 841
    N ... 842
    O ... 842
    P ... 843
    R ... 844
    S ... 845
    T ... 846
    U ... 847
    V ... 848
    W ... 848
    Y ... 848
Index ... 850
  A ... 850
  B ... 851
  C ... 852
  D ... 855
  E ... 856
  F ... 857
  G ... 858
  H ... 858
  I ... 859
  J ... 862
  K ... 862
  L ... 862
  M ... 863
  N ... 865
  O ... 865
  P ... 866
  Q ... 868
  R ... 868
  S ... 870
  T ... 873
  U ... 874
  V ... 875
  W ... 876
  X ... 877
  Y ... 877
  Z ... 877