Computer and Information Security Handbook

Author: John R. Vacca
Publisher: Elsevier
ISBN: 978-0-12-374354-1
Released: 2009
Pages: 831
Edition: First Edition
File Size: 12 MB
File Type: pdf
Language: English



Contents of Computer and Information Security Handbook

Part I Overview of System and Network Security: A Comprehensive Introduction
1. Building a Secure Organization 3
John Mallery
1. Obstacles to Security 3
Security Is Inconvenient 3
Computers Are Powerful and Complex 3
Computer Users Are Unsophisticated 4
Computers Created Without a Thought to Security 4
Current Trend Is to Share, Not Protect 4
Data Accessible from Anywhere 4
Security Isn’t About Hardware and Software 5
The Bad Guys Are Very Sophisticated 5
Management Sees Security as a Drain on the Bottom Line 5
2. Ten Steps to Building a Secure Organization 6
A. Evaluate the Risks and Threats 6
B. Beware of Common Misconceptions 8
C. Provide Security Training for IT Staff—Now and Forever 9
D. Think “Outside the Box” 10
E. Train Employees: Develop a Culture of Security 12
F. Identify and Utilize Built-In Security Features of the Operating System and Applications 14
G. Monitor Systems 16
H. Hire a Third Party to Audit Security 17
I. Don’t Forget the Basics 19
J. Patch, Patch, Patch 20
2. A Cryptography Primer 23
Scott R. Ellis
1. What is Cryptography? What is Encryption? 23
How Is Cryptography Done? 24
2. Famous Cryptographic Devices 24
The Lorenz Cipher 24
Enigma 24
3. Ciphers 25
The Substitution Cipher 25
The Shift Cipher 26
The Polyalphabetic Cipher 29
The Kasiski/Kerckhoff Method 30
4. Modern Cryptography 31
The Vernam Cipher (Stream Cipher) 31
The One-Time Pad 32
Cracking Ciphers 33
The XOR Cipher and Logical Operands 34
Block Ciphers 35
5. The Computer Age 36
Data Encryption Standard 36
Theory of Operation 37
Implementation 38
Rivest, Shamir, and Adleman (RSA) 38
Advanced Encryption Standard (AES or Rijndael) 38
3. Preventing System Intrusions 39
Michael West
1. So, What is an Intrusion? 39
2. Sobering Numbers 40
3. Know Your Enemy: Hackers Versus Crackers 40
4. Motives 41
5. Tools of the Trade 41
6. Bots 42
7. Symptoms of Intrusions 43
8. What Can You Do? 43
Know Today’s Network Needs 44
Network Security Best Practices 45
9. Security Policies 45
10. Risk Analysis 46
Vulnerability Testing 46
Audits 47
Recovery 47
11. Tools of Your Trade 47
Firewalls 47
Intrusion Prevention Systems 47
Application Firewalls 48
Access Control Systems 48
Unified Threat Management 49
12. Controlling User Access 49
Authentication, Authorization, and Accounting 49
What the User Knows 49
What the User Has 50
The User Is Authenticated, But Is She Authorized? 50
Accounting 51
Keeping Current 51
13. Conclusion 51
4. Guarding Against Network Intrusions 53
Tom Chen and Patrick J. Walsh
1. Traditional Reconnaissance and Attacks 53
2. Malicious Software 56
Lures and “Pull” Attacks 57
3. Defense in Depth 58
4. Preventive Measures 59
Access Control 59
Vulnerability Testing and Patching 59
Closing Ports 60
Firewalls 60
Antivirus and Antispyware Tools 61
Spam Filtering 62
Honeypots 62
Network Access Control 63
5. Intrusion Monitoring and Detection 63
Host-Based Monitoring 64
Traffic Monitoring 64
Signature-Based Detection 64
Behavior Anomalies 65
Intrusion Prevention Systems 65
6. Reactive Measures 65
Quarantine 65
Traceback 66
7. Conclusions 66
5. Unix and Linux Security 67
Gerald Beuchelt
1. Unix and Security 67
The Aims of System Security 67
Achieving Unix Security 67
2. Basic Unix Security 68
Traditional Unix Systems 68
Standard File and Device Access Semantics 69
4. Protecting User Accounts and Strengthening Authentication 71
Establishing Secure Account Use 71
The Unix Login Process 71
Controlling Account Access 71
Noninteractive Access 72
Other Network Authentication Mechanisms 73
Risks of Trusted Hosts and Networks 73
Replacing Telnet, rlogin, and FTP Servers and Clients with SSH 73
5. Reducing Exposure to Threats by Limiting Superuser Privileges 74
Controlling Root Access 74
6. Safeguarding Vital Data by Securing Local and Network File Systems 76
Directory Structure and Partitioning for Security 76
6. Eliminating the Security Weakness of Linux and Unix Operating Systems 79
Mario Santana
1. Introduction to Linux and Unix 79
What Is Unix? 79
What Is Linux? 80
System Architecture 82
2. Hardening Linux and Unix 84
Network Hardening 84
Host Hardening 88
Systems Management Security 90
3. Proactive Defense for Linux and Unix 90
Vulnerability Assessment 90
Incident Response Preparation 91
Organizational Considerations 92
7. Internet Security 93
Jesse Walker
1. Internet Protocol Architecture 93
Communications Architecture Basics 94
Getting More Specific 95
2. An Internet Threat Model 100
The Dolev-Yao Adversary Model 101
Layer Threats 101
3. Defending Against Attacks on the Internet 105
Layer Session Defenses 106
Session Startup Defenses 113
4. Conclusion 117
8. The Botnet Problem 119
Xinyuan Wang and Daniel Ramsbrock
1. Introduction 119
2. Botnet Overview 120
Origins of Botnets 120
Botnet Topologies and Protocols 120
3. Typical Bot Life Cycle 122
4. The Botnet Business Model 123
5. Botnet Defense 124
Detecting and Removing Individual Bots 124
Detecting C&C Traffic 125
Detecting and Neutralizing the C&C Servers 125
Attacking Encrypted C&C Channels 126
Locating and Identifying the Botmaster 128
6. Botmaster Traceback 128
Traceback Challenges 129
Traceback Beyond the Internet 130
7. Summary 132
9. Intranet Security 133
Bill Mansoor
1. Plugging the Gaps: NAC and Access Control 136
2. Measuring Risk: Audits 137
3. Guardian at the Gate: Authentication and Encryption 138
4. Wireless Network Security 139
5. Shielding the Wire: Network Protection 141
6. Weakest Link in Security: User Training 142
7. Documenting the Network: Change Management 142
8. Rehearse the Inevitable: Disaster Recovery 143
9. Controlling Hazards: Physical and Environmental Protection 145
10. Know Your Users: Personnel Security 146
11. Protecting Data Flow: Information and System Integrity 146
12. Security Assessments 147
13. Risk Assessments 148
14. Conclusion 148
10. Local Area Network Security 149
Dr. Pramod Pandya
1. Identify Network Threats 150
Disruptive 150
Unauthorized Access 150
2. Establish Network Access Controls 150
3. Risk Assessment 151
4. Listing Network Resources 151
5. Threats 151
6. Security Policies 151
7. The Incident-Handling Process 152
8. Secure Design Through Network Access Controls 152
9. IDS Defined 153
10. NIDS: Scope and Limitations 154
11. A Practical Illustration of NIDS 154
UDP Attacks 154
TCP SYN (Half-Open) Scanning 155
Some Not-So-Robust Features of NIDS 156
12. Firewalls 158
Firewall Security Policy 159
Configuration Script for sf Router 160
13. Dynamic NAT Configuration 160
14. The Perimeter 160
15. Access List Details 162
16. Types of Firewalls 162
17. Packet Filtering: IP Filtering Routers 162
18. Application-Layer Firewalls: Proxy Servers 163
19. Stateful Inspection Firewalls 163
20. NIDS Complements Firewalls 163
21. Monitor and Analyze System Activities 163
Analysis Levels 164
22. Signature Analysis 164
23. Statistical Analysis 164
24. Signature Algorithms 164
Pattern Matching 164
Stateful Pattern Matching 165
Protocol Decode-Based Analysis 165
Heuristic-Based Analysis 166
Anomaly-Based Analysis 166
11. Wireless Network Security 169
Chunming Rong and Erdal Cayirci
1. Cellular Networks 169
Cellular Telephone Networks 170
802.11 Wireless LANs 170
2. Wireless Ad Hoc Networks 171
Wireless Sensor Networks 171
Mesh Networks 171
3. Security Protocols 172
WEP 172
WPA and WPA2 173
SPINS: Security Protocols for Sensor Networks 173
4. Secure Routing 175
SEAD 175
Ariadne 176
ARAN 176
SLSP 177
5. Key Establishment 177
Bootstrapping 177
Key Management 178
References 181
12. Cellular Network Security 183
Peng Liu, Thomas F. LaPorta and Kameswari Kotapati
1. Introduction 183
2. Overview of Cellular Networks 184
Overall Cellular Network Architecture 184
Core Network Organization 185
Call Delivery Service 185
3. The State of the Art of Cellular Network Security 186
Security in the Radio Access Network 186
Security in Core Network 187
Security Implications of Internet Connectivity 188
Security Implications of PSTN Connectivity 188
4. Cellular Network Attack Taxonomy 189
Abstract Model 189
Abstract Model Findings 189
Three-Dimensional Attack Taxonomy 192
5. Cellular Network Vulnerability Analysis 193
Cellular Network Vulnerability Assessment Toolkit (CAT) 195
Advanced Cellular Network Vulnerability Assessment Toolkit (aCAT) 198
Cellular Network Vulnerability Assessment Toolkit for Evaluation (eCAT) 199
6. Discussion 201
References 202
13. RFID Security 205
Chunming Rong and Erdal Cayirci
1. RFID Introduction 205
RFID System Architecture 205
RFID Standards 207
RFID Applications 208
2. RFID Challenges 209
Counterfeiting 209
Sniffing 209
Tracking 209
Denial of Service 210
Other Issues 210
Comparison of All Challenges 212
3. RFID Protections 212
Basic RFID System 212
RFID System Using Symmetric-Key Cryptography 215
RFID System Using Public-Key Cryptography 217
References 219

Part II Managing Information Security

14. Information Security Essentials for IT Managers, Protecting Mission-Critical Systems 225
Albert Caballero
1. Information Security Essentials for IT Managers, Overview 225
Scope of Information Security Management 225
CISSP Ten Domains of Information Security 225
What is a Threat? 227
Common Attacks 228
Impact of Security Breaches 231
2. Protecting Mission-Critical Systems 231
Information Assurance 231
Information Risk Management 231
Defense in Depth 233
Contingency Planning 233
3. Information Security from the Ground Up 236
Physical Security 236
Data Security 237
Systems and Network Security 239
Business Communications Security 241
Wireless Security 242
Web and Application Security 246
Security Policies and Procedures 247
Security Employee Training and Awareness 248
4. Security Monitoring and Effectiveness 249
Security Monitoring Mechanisms 250
Incident Response and Forensic Investigations 251
Validating Security Effectiveness 251
References 252
15. Security Management Systems 255
Joe Wright and Jim Harmening
1. Security Management System Standards 255
2. Training Requirements 256
3. Principles of Information Security 256
4. Roles and Responsibilities of Personnel 256
5. Security Policies 256
6. Security Controls 257
7. Network Access 257
8. Risk Assessment 257
9. Incident Response 258
10. Summary 258
16. Information Technology Security Management 259
Rahul Bhaskar and Bhushan Kapoor
1. Information Security Management Standards 259
Federal Information Security Management Act 259
International Standards Organization 260
Other Organizations Involved in Standards 260
2. Information Technology Security Aspects 260
Security Policies and Procedures 261
IT Security Processes 263
3. Conclusion 267
17. Identity Management 269
Dr. Jean-Marc Seigneur and Dr. Tewfiq El Malika
1. Introduction 269
2. Evolution of Identity Management Requirements 269
Digital Identity Definition 270
Identity Management Overview 270
Privacy Requirement 272
User-Centricity 272
Usability Requirement 273
3. The Requirements Fulfilled by Current Identity Management Technologies 274
Evolution of Identity Management 274
Identity 2.0 278
4. Identity 2.0 for Mobile Users 286
Mobile Web 2.0 286
Mobility 287
Evolution of Mobile Identity 287
The Future of Mobile User-Centric Identity Management in an Ambient Intelligence World 290
Research Directions 292
5. Conclusion 292
18. Intrusion Prevention and Detection Systems 293
Christopher Day
1. What is an “Intrusion,” Anyway? 293
Physical Theft 293
Abuse of Privileges (The Insider Threat) 293
2. Unauthorized Access by an Outsider 294
3. Malware Infection 294
4. The Role of the “0-day” 295
5. The Rogue’s Gallery: Attackers and Motives 296
6. A Brief Introduction to TCP/IP 297
7. The TCP/IP Data Architecture and Data Encapsulation 298
8. Survey of Intrusion Detection and Prevention Technologies 300
9. Anti-Malware Software 301
10. Network-Based Intrusion Detection Systems 302
11. Network-Based Intrusion Prevention Systems 303
12. Host-Based Intrusion Prevention Systems 304
13. Security Information Management Systems 304
14. Network Session Analysis 304
15. Digital Forensics 305
16. System Integrity Validation 306
17. Putting It All Together 306

19. Computer Forensics 307
Scott R. Ellis
1. What is Computer Forensics? 307
2. Analysis of Data 308
Computer Forensics and Ethics, Green Home Plate Gallery View 309
Database Reconstruction 310
3. Computer Forensics in the Court System 310
4. Understanding Internet History 312
5. Temporary Restraining Orders and Labor Disputes 312
Divorce 313
Patent Infringement 313
When to Acquire, When to Capture Acquisition 313
Creating Forensic Images Using Software and Hardware Write Blockers 313
Live Capture of Relevant Files 314
Redundant Array of Independent (or Inexpensive) Disks (RAID) 314
File System Analyses 314
NTFS 315
The Role of the Forensic Examiner in Investigations and File Recovery 315
Password Recovery 317
File Carving 318
Things to Know: How Time Stamps Work 320
Experimental Evidence 321
Email Headers and Time Stamps, Email Receipts, and Bounced Messages 322
Steganography “Covered Writing” 324
5. First Principles 325
6. Hacking a Windows XP Password 325
Net User Password Hack 325
Lanman Hashes and Rainbow Tables 325
Password Reset Disk 326
Memory Analysis and the Trojan Defense 326
User Artifact Analysis 326
Recovering Lost and Deleted Files 327
Email 327
Internet History 327
7. Network Analysis 328
Protocols 328
Analysis 328
8. Computer Forensics Applied 329
Tracking, Inventory, Location of Files, Paperwork, Backups, and So On 329
Testimonial 329
Experience Needed 329
Job Description, Technologist 329
Job Description, Management 330
Commercial Uses 330
Solid Background 330
Education/Certification 330
Programming and Experience 331
Publications 331
9. Testifying as an Expert 332
Degrees of Certainty 332
Certainty Without Doubt 334
10. Beginning to End in Court 334
Defendants, Plaintiffs, and Prosecutors 334
Pretrial Motions 335
Trial: Direct and Cross-Examination 335
Rebuttal 335
Surrebuttal 335
Testifying: Rule 702. Testimony by Experts 335
Correcting Mistakes: Putting Your Head in the Sand 336
20. Network Forensics 339
Yong Guan
1. Scientific Overview 339
2. The Principles of Network Forensics 340
3. Attack Traceback and Attribution 341
IP Traceback 341
Stepping-Stone Attack Attribution 344
4. Critical Needs Analysis 346
5. Research Directions 346
VoIP Attribution 346
21. Firewalls 349
Dr. Errin W. Fulp
1. Network Firewalls 349
2. Firewall Security Policies 350
Rule-Match Policies 351
3. A Simple Mathematical Model for Policies, Rules, and Packets 351
4. First-Match Firewall Policy Anomalies 352
5. Policy Optimization 352
Policy Reordering 352
Combining Rules 353
Default Accept or Deny? 353
6. Firewall Types 353
Packet Filter 354
Stateful Packet Firewalls 354
Application Layer Firewalls 354
7. Host and Network Firewalls 355
8. Software and Hardware Firewall Implementations 355
9. Choosing the Correct Firewall 355
10. Firewall Placement and Network Topology 356
Demilitarized Zones 357
Perimeter Networks 357
Two-Router Configuration 357
Dual-Homed Host 358
Network Configuration Summary 358
11. Firewall Installation and Configuration 358
12. Supporting Outgoing Services Through Firewall Configuration 359
Forms of State 359
Payload Inspection 360
13. Secure External Services Provisioning 360
14. Network Firewalls for Voice and Video Applications 360
Packet Filtering H.323 361
15. Firewalls and Important Administrative Service Protocols 361
Routing Protocols 361
Internet Control Message Protocol 362
Network Time Protocol 362
Central Log File Management 362
Dynamic Host Configuration Protocol 363
16. Internal IP Services Protection 363
17. Firewall Remote Access Configuration 364
18. Load Balancing and Firewall Arrays 365
Load Balancing in Real Life 365
How to Balance the Load 365
Advantages and Disadvantages of Load Balancing 366
19. Highly Available Firewalls 366
Load Balancer Operation 366
Interconnection of Load Balancers and Firewalls 366
20. Firewall Management 367
21. Conclusion 367
22. Penetration Testing 369
Sanjay Bavisi
1. What is Penetration Testing? 369
2. How Does Penetration Testing Differ from an Actual “Hack”? 370
3. Types of Penetration Testing 371
4. Phases of Penetration Testing 373
The Pre-Attack Phase 373
The Attack Phase 373
The Post-Attack Phase 373
5. Defining What’s Expected 374
6. The Need for a Methodology 375
7. Penetration Testing Methodologies 375
8. Methodology in Action 376
EC-Council LPT Methodology 376
9. Penetration Testing Risks 378
10. Liability Issues 378
11. Legal Consequences 379
12. “Get Out of Jail Free” Card 379
13. Penetration Testing Consultants 379
14. Required Skill Sets 380
15. Accomplishments 380
16. Hiring a Penetration Tester 380
17. Why Should a Company Hire You? 381
Qualifications 381
Work Experience 381
Cutting-Edge Technical Skills 381
Communication Skills 381
Attitude 381
Team Skills 381
Company Concerns 381
18. All’s Well That Ends Well 382
23. What Is Vulnerability Assessment? 383
Almantas Kakareka
1. Reporting 383
2. The “It Won’t Happen to Us” Factor 383
3. Why Vulnerability Assessment? 384
4. Penetration Testing Versus Vulnerability Assessment 384
5. Vulnerability Assessment Goal 385
6. Mapping the Network 385
7. Selecting the Right Scanners 386
8. Central Scans Versus Local Scans 387
9. Defense in Depth Strategy 388
10. Vulnerability Assessment Tools 388
Nessus 388
GFI LANguard 389
Retina 389
Core Impact 389
ISS Internet Scanner 389
X-Scan 389
SARA 389
QualysGuard 389
SAINT 389
MBSA 389
11. Scanner Performance 390
12. Scan Verification 390
13. Scanning Cornerstones 390
14. Network Scanning Countermeasures 390
15. Vulnerability Disclosure Date 391
Find Security Holes Before They Become Problems 391
16. Proactive Security Versus Reactive Security 392
17. Vulnerability Causes 392
Password Management Flaws 392
Fundamental Operating System Design Flaws 392
Software Bugs 392
Unchecked User Input 392
18. DIY Vulnerability Assessment 393
19. Conclusion 393

Part III Encryption Technology

24. Data Encryption 397
Dr. Bhushan Kapoor and Dr. Pramod Pandya
1. Need for Cryptography 398
Authentication 398
Confidentiality 398
Integrity 398
Nonrepudiation 398
2. Mathematical Prelude to Cryptography 398
Mapping or Function 398
Probability 398
Complexity 398
3. Classical Cryptography 399
The Euclidean Algorithm 399
The Extended Euclidean Algorithm 399
Modular Arithmetic 399
Congruence 400
Residue Class 400
Inverses 400
Fundamental Theorem of Arithmetic 400
Congruence Relation Defined 401
Substitution Cipher 401
Transposition Cipher 402
4. Modern Symmetric Ciphers 402
S-Box 403
P-Boxes 403
Product Ciphers 404
5. Algebraic Structure 404
Definition: Group 404
Definitions of Finite and Infinite Groups (Order of a Group) 404
Definition: Abelian Group 404
Examples of a Group 404
Definition: Subgroup 405
Definition: Cyclic Group 405
Rings 405
Definition: Field 405
Finite Fields GF(2^n) 405
Modular Polynomial Arithmetic Over GF(2) 406
Using a Generator to Represent the Elements of GF(2^n) 406
GF(2^3) Is a Finite Field 407
6. The Internal Functions of Rijndael in AES Implementation 407
Mathematical Preliminaries 408
State 408
7. Use of Modern Block Ciphers 412
The Electronic Code Book (ECB) 412
Cipher-Block Chaining (CBC) 412
8. Public-Key Cryptography 412
Review: Number Theory 412
9. Cryptanalysis of RSA 416
Factorization Attack 416
10. Diffie-Hellman Algorithm 417
11. Elliptic Curve Cryptosystems 417
An Example 418
Example of Elliptic Curve Addition 418
EC Security 419
12. Message Integrity and Authentication 419
Cryptographic Hash Functions 419
Message Authentication 420
Digital Signature 420
Message Integrity Uses a Hash Function in Signing the Message 420
RSA Digital Signature Scheme 420
RSA Digital Signature and the Message Digest 420
13. Summary 421
References 421
25. Satellite Encryption 423
Daniel S. Soper
1. The Need for Satellite Encryption 423
2. Satellite Encryption Policy 425
3. Implementing Satellite Encryption 426
General Satellite Encryption Issues 426
Uplink Encryption 428
Extraplanetary Link Encryption 428
Downlink Encryption 429
4. The Future of Satellite Encryption 430
26. Public Key Infrastructure 433
Terence Spies
1. Cryptographic Background 433
Digital Signatures 433
Public Key Encryption 434
2. Overview of PKI 435
3. The X.509 Model 436
The History of X.509 436
The X.509 Certificate Model 436
4. X.509 Implementation Architectures 437
5. X.509 Certificate Validation 439
Validation Step 1: Construct the Chain and Validate Signatures 439
Validation Step 2: Check Validity Dates, Policy and Key Usage 439
Validation Step 3: Consult Revocation Authorities 440
6. X.509 Certificate Revocation 440
Online Certificate Status Protocol 441
7. Server-Based Certificate Validity Protocol 442
8. X.509 Bridge Certification Systems 443
Mesh PKIs and Bridge CAs 443
9. X.509 Certificate Format 444
X.509 V1 and V2 Format 445
X.509 V3 Format 445
X.509 Certificate Extensions 445
Policy Extensions 446
Certificate Policy 446
10. PKI Policy Description 447
11. PKI Standards Organizations 448
IETF PKIX 448
SDSI/SPKI 448
IETF OpenPGP 448
12. PGP Certificate Formats 449
13. PGP PKI Implementations 449
14. W3C 449
15. Alternative PKI Architectures 450
16. Modified X.509 Architectures 450
Perlman and Kaufman’s User-Centric PKI 450
Gutmann’s Plug and Play PKI 450
Callas’s Self-Assembling PKI 450
17. Alternative Key Management Models 450
27. Instant-Messaging Security 453
Samuel J. J. Curry
1. Why Should I Care About Instant Messaging? 453
2. What is Instant Messaging? 453
3. The Evolution of Networking Technologies 454
4. Game Theory and Instant Messaging 455
Your Workforce 455
Generational Gaps 456
Transactions 457
5. The Nature of the Threat 457
Malicious Threat 458
Vulnerabilities 459
Man-in-the-Middle Attacks 459
Phishing and Social Engineering 459
Knowledge Is the Commodity 459
Data and Traffic Analysis 460
Unintentional Threats 460
Regulatory Concerns 461
6. Common IM Applications 461
Consumer Instant Messaging 461
Enterprise Instant Messaging 461
Instant-Messaging Aggregators 462
Backdoors: Instant Messaging Via Other Means (HTML) 462
Mobile Dimension 462
7. Defensive Strategies 462
8. Instant-Messaging Security Maturity and Solutions 463
Asset Management 463
Built-In Security 463
Content Filtering 463
Classic Security 463
Compliance 464
Data Loss Prevention 464
Logging 464
Archival 464
9. Processes 464
Instant-Messaging Activation and Provisioning 464
Application Review 464
People 464
Revise 464
Audit 464
10. Conclusion 465
Example Answers to Key Factors 466

Part IV Privacy and Access Management

28. NET Privacy 469
Marco Cremonini, Chiara Braghin and Claudio Agostino Ardagna
1. Privacy in the Digital Society 469
The Origins, The Debate 469
Privacy Threats 471
2. The Economics of Privacy 474
The Value of Privacy 474
Privacy and Business 475
3. Privacy-Enhancing Technologies 476
Languages for Access Control and Privacy Preferences 476
Data Privacy Protection 478
Privacy for Mobile Environments 480
4. Network Anonymity 482
Onion Routing 483
Anonymity Services 484
5. Conclusion 485
29. Personal Privacy Policies 487
Dr. George Yee and Larry Korba
1. Introduction 487
2. Content of Personal Privacy Policies 488
Privacy Legislation and Directives 488
Requirements from Privacy Principles 488
Privacy Policy Specification 490
3. Semiautomated Derivation of Personal Privacy Policies 490
An Example 492
Retrieval from a Community of Peers 493
4. Specifying Well-Formed Personal Privacy Policies 494
Unexpected Outcomes 494
Outcomes From the Way the Matching Policy Was Obtained 494
5. Preventing Unexpected Negative Outcomes 496
Definition 1 496
Definition 2 496
Rules for Specifying Near Well-Formed Privacy Policies 496
Approach for Obtaining Near Well-Formed Privacy Policies 497
6. The Privacy Management Model 497
How Privacy Policies Are Used 497
Personal Privacy Policy Negotiation 499
Personal Privacy Policy Compliance 502
7. Discussion and Related Work 502
8. Conclusions and Future Work 505
30. Virtual Private Networks 507
Jim Harmening and Joe Wright
1. History 508
2. Who is in Charge? 511
3. VPN Types 512
IPsec 512
L2TP 512
L2TPv3 513
L2F 513
PPTP VPN 513
MPLS 514
MPVPN™ 514
SSH 514
SSL-VPN 514
TLS 514
4. Authentication Methods 515
Hashing 515
HMAC 515
MD5 515
SHA-1 515
5. Symmetric Encryption 516
6. Asymmetric Cryptography 516
7. Edge Devices 516
8. Passwords 516
9. Hackers and Crackers 517
31. Identity Theft 519
Markus Jakobsson and Alex Tsow
1. Experimental Design 520
Authentic Payment Notification: Plain Versus Fancy Layout 522
Strong Phishing Message: Plain Versus Fancy Layout 525
Authentic Promotion: Effect of Small Footers 525
Weak Phishing Message 527
Authentic Message 528
Login Page 528
Login Page: Strong and Weak Content Alignment 529
Login Page: Authentic and Bogus (But Plausible) URLs 532
Login Page: Hard and Soft Emphasis on Security 532
Bad URL, with and without SSL and Endorsement Logo 535
High-Profile Recall Notice 535
Low-Profile Class-Action Lawsuit 535
2. Results and Analysis 535
3. Implications for Crimeware 546
Example: Vulnerability of Web-Based Update Mechanisms 547
Example: The Unsubscribe Spam Attack 547
The Strong Narrative Attack 548
4. Conclusion 548
32. VoIP Security 551
Dan Wing and Harsh Kupwade Patil
1. Introduction 551
VoIP Basics 551
2. Overview of Threats 553
Taxonomy of Threats 553
Reconnaissance of VoIP Networks 553
Denial of Service 554
Loss of Privacy 555
Exploits 557
3. Security in VoIP 558
Preventative Measures 558
Reactive 559
4. Future Trends 560
Forking Problem in SIP 560
Security in Peer-to-Peer SIP 561
End-to-End Identity with SBCs 563
5. Conclusion 564

Part V Storage Security

33. SAN Security 567
John McGowan, Jeffrey Bardin and John McDonald
1. Organizational Structure 567
AAA 568
Restricting Access to Storage 569
2. Access Control Lists (ACL) and Policies 570
Data Integrity Field (DIF) 570
3. Physical Access 571
4. Change Management 571
5. Password Policies 571
6. Defense in Depth 571
7. Vendor Security Review 571
8. Data Classification 571
9. Security Management 572
Security Setup 572
Unused Capabilities 572
10. Auditing 572
Updates 572
Monitoring 572
Security Maintenance 572
11. Management Access: Separation of Functions 573
Limit Tool Access 573
Secure Management Interfaces 573
12. Host Access: Partitioning 573
S_ID Checking 574
13. Data Protection: Replicas 574
Erasure 574
14. Potential Vulnerabilities and Threats 575
Physical Attacks 575
Management Control Attacks 575
Host Attacks 575
World Wide Name Spoofing 576
Man-in-the-Middle Attacks 576
E-Port Replication Attack 576
Denial-of-Service Attacks 577
Session Hijacking Attacks 577
15. Encryption in Storage 577
The Process 577
Encryption Algorithms 578
Key Management 579
Configuration Management 580
16. Application of Encryption 580
Risk Assessment and Management 580
Modeling Threats 580
Use Cases for Protecting Data at Rest 581
Use Considerations 582
Deployment Options 582
17. Conclusion 588
References 589
34. Storage Area Networking Devices Security 591
Robert Rounsavall
1. What is a SAN? 591
2. SAN Deployment Justifications 591
3. The Critical Reasons for SAN Security 592
Why Is SAN Security Important? 592
4. SAN Architecture and Components 593
SAN Switches 593
5. SAN General Threats and Issues 594
SAN Cost: A Deterrent to Attackers 594
Physical Level Threats, Issues, and Risk Mitigation 594
Logical Level Threats, Vulnerabilities, and Risk Mitigation 596
6. Conclusion 603
35. Risk Management 605
Sokratis K. Katsikas
1. The Concept of Risk 606
2. Expressing and Measuring Risk 606
3. The Risk Management Methodology 609
Context Establishment 609
Risk Assessment 610
Risk Treatment 612
Risk Communication 614
Risk Monitoring and Review 614
Integrating Risk Management into the System Development Life Cycle 614
Critique of Risk Management as a Methodology 615
Risk Management Methods 616
4. Risk Management Laws and Regulations 620
5. Risk Management Standards 623
6. Summary 625

Part VI Physical Security

36. Physical Security Essentials 629
William Stallings
1. Overview 629
2. Physical Security Threats 630
Natural Disasters 630
Environmental Threats 631
Technical Threats 633
Human-Caused Physical Threats 634
3. Physical Security Prevention and Mitigation Measures 634
Environmental Threats 634
Technical Threats 635
Human-Caused Physical Threats 635
4. Recovery from Physical Security Breaches 636
5. Threat Assessment, Planning, and Plan Implementation 636
Threat Assessment 636
Planning and Implementation 637
6. Example: A Corporate Physical Security Policy 637
7. Integration of Physical and Logical Security 639
References 643
37. Biometrics 645
Luther Martin
1. Relevant Standards 646
2. Biometric System Architecture 647
Data Capture 648
Signal Processing 648
Matching 649
Data Storage 649
Decision 649
Adaptation 652
3. Using Biometric Systems 652
Enrollment 652
Authentication 653
Identification 654
4. Security Considerations 655
Error Rates 655
Doddington’s Zoo 656
Birthday Attacks 656
Comparing Technologies 657
Storage of Templates 658
5. Conclusion 659
38. Homeland Security 661
Rahul Bhaskar Ph.D. and Bhushan Kapoor
1. Statutory Authorities 661
The USA PATRIOT Act of 2001 (PL 107-56) 661
The Aviation and Transportation Security Act of 2001 (PL 107-71) 663
Enhanced Border Security and Visa Entry Reform Act of 2002 (PL 107-173) 663
Public Health Security, Bioterrorism Preparedness & Response Act of 2002 (PL 107-188) 664
Homeland Security Act of 2002 (PL 107-296) 665
E-Government Act of 2002 (PL 107-347) 666
2. Homeland Security Presidential Directives 667
3. Organizational Actions 669
Department of Homeland Security Subcomponents 669
State and Federal Organizations 669
The Governor’s Office of Homeland Security 670
California Office of Information Security and Privacy Protection 670
Private Sector Organizations for Information Sharing 670
4. Conclusion 674
39. Information Warfare 677
Jan Eloff and Anna Granova
1. Information Warfare Model 677
2. Information Warfare Defined 678
3. IW: Myth or Reality? 678
4. Information Warfare: Making IW Possible 680
Offensive Strategies 680
5. Preventative Strategies 685
6. Legal Aspects of IW 686
Terrorism and Sovereignty 686
Liability Under International Law 686
Remedies Under International Law 687
Developing Countries’ Response 689
7. Holistic View of Information Warfare 689
8. Conclusion 690

Part VII Advanced Security

40. Security Through Diversity 693
Kevin Noble
1. Ubiquity 693
2. Example Attacks Against Uniformity 694
3. Attacking Ubiquity With Antivirus Tools 694
4. The Threat of Worms 695
5. Automated Network Defense 697
6. Diversity and the Browser 698
7. Sandboxing and Virtualization 698
8. DNS Example of Diversity through Security 699
9. Recovery from Disaster is Survival 699
10. Conclusion 700
41. Reputation Management 701
Dr. Jean-Marc Seigneur
1. The Human Notion of Reputation 702
2. Reputation Applied to the Computing World 704
3. State of the Art of Attack-Resistant Reputation Computation 708
4. Overview of Current Online Reputation Services 711
eBay 711
Opinity 713
Rapleaf 714
Venyo 715
TrustPlus
Xing
ZoomInfo
SageFire 716
Naymz
Trufina 717
The GORB 719
ReputationDefender 720
Summarizing Table 720
5. Conclusion 720
42. Content Filtering 723
Peter Nicoletti
1. The Problem with Content Filtering 723
2. User Categories, Motivations, and Justifications 724
Schools 725
Commercial Business 725
Financial Organizations 725
Healthcare Organizations 725
Internet Service Providers 725
U.S. Government 725
Other Governments 725
Libraries 725
Parents 726
3. Content Blocking Methods 726
Banned Word Lists 726
URL Block 726
Category Block 726
Bayesian Filters 727
Safe Search Integration to Search Engines with Content Labeling 727
Content-Based Image Filtering (CBIF) 727
4. Technology and Techniques for Content-Filtering Control 728
Internet Gateway-Based Products/Unified Threat Appliances 728
5. Categories 732
6. Legal Issues 735
Federal Law: ECPA 735
CIPA: The Children’s Internet Protection Act 735
The Trump Card of Content Filtering: The “National Security Letter” 736
ISP Content Filtering Might Be a “Five-Year Felony” 736
7. Issues and Problems with Content Filtering 737
Bypass and Circumvention 737
Client-Based Proxies 737
Open Proxies 739
HTTP Web-Based Proxies (Public and Private) 739
Secure Public Web-Based Proxies 739
Process Killing 739
Remote PC Control Applications 739
Overblocking and Underblocking 740
Blacklist and Whitelist Determination 740
Casual Surfing Mistake 740
Getting the List Updated 740
Time-of-Day Policy Changing 740
Override Authorization Methods 740
Hide Content in “Noise” or Use Steganography 740
Nonrepudiation: Smart Cards, ID Cards for Access 740
Warn and Allow Methods 740
Integration with Spam Filtering Tools 740
Detect Spyware and Malware in the HTTP Payload 740
Integration with Directory Servers 740
Language Support 741
Financial Considerations Are Important 741
Scalability and Usability 741
Performance Issues 742
Reporting Is a Critical Requirement 742
Bandwidth Usage 742
Precision Percentage and Recall 742
9. Related Products 743
10. Conclusion 743
43. Data Loss Protection 745
Ken Perkins
1. Precursors of DLP 747
2. What is DLP? 748
3. Where to Begin? 753
4. Data is Like Water 754
5. You Don’t Know What You Don’t Know 755
Precision versus Recall 756
6. How Do DLP Applications Work? 756
7. Eat Your Vegetables 757
Data in Motion 757
Data at Rest 758
Data in Use 758
8. It’s a Family Affair, Not Just IT Security’s Problem 760
9. Vendors, Vendors Everywhere! Who Do You Believe? 762
10. Conclusion 762

Part VIII Appendices

Appendix A Configuring Authentication Service on Microsoft Windows Vista 765
John R. Vacca
1. Backup and Restore of Stored Usernames and Passwords 765
Automation and Scripting 765
Security Considerations 765
2. Credential Security Service Provider and SSO for Terminal Services Logon 765
Requirements 766
Configuration 766
Security Considerations 766
3. TLS/SSL Cryptographic Enhancements 766
AES Cipher Suites 766
ECC Cipher Suites 767
Schannel CNG Provider Model 768
Default Cipher Suite Preference 769
Previous Cipher Suites 769
4. Kerberos Enhancements 769
AES 769
Read-Only Domain Controller and Kerberos Authentication 770
5. Smart Card Authentication Changes 770
Additional Changes to Common Smart Card Logon Scenarios 771
6. Previous Logon Information 773
Configuration 774
Security Considerations 774
Appendix B Security Management and Resiliency 775
John R. Vacca
Appendix C List of Top Security Implementation and Deployment Companies 777
List of SAN Implementation and Deployment Companies 778
SAN Security Implementation and Deployment Companies 778
Appendix D List of Security Products 781
Security Software 781
Appendix E List of Security Standards 783
Appendix F List of Miscellaneous Security Resources 785
Conferences 785
Consumer Information 785
Directories 786
Help and Tutorials 786
Mailing Lists 786
News and Media 787
Organizations 787
Products and Tools 788
Research 790
Content Filtering Links 791
Other Logging Resources 791
Appendix G Ensuring Built-in Frequency Hopping Spread Spectrum Wireless Network Security 793
Accomplishment 793
Background 793
Additional Information 793
Appendix H Configuring Wireless Internet Security Remote Access 795
Adding the Access Points as RADIUS Clients to IAS 795
Adding Access Points to the First IAS Server 795
Scripting the Addition of Access Points to IAS Server (Alternative Procedure) 795
Configuring the Wireless Access Points 796
Enabling Secure WLAN Authentication on Access Points 796
Additional Settings to Secure Wireless Access Points 797
Replicating RADIUS Client Configuration to Other IAS Servers 798
Appendix I Frequently Asked Questions 799
Appendix J Glossary 801
Index 817
