Computer and Information Security Handbook (eBook)
928 pages
Elsevier Science (publisher)
978-0-08-092194-5 (ISBN)
This book presents information on how to analyze risks to your networks and the steps needed to select and deploy the appropriate countermeasures to reduce your exposure to physical and network threats. It also imparts the skills and knowledge needed to identify and counter some fundamental security risks and requirements, including Internet security threats and measures (audit trails, IP sniffing/spoofing, etc.) and how to implement security policies and procedures.
In addition, this book covers security and network design with respect to particular vulnerabilities and threats. It also covers risk assessment and mitigation, and the auditing and testing of security systems.
From this book, the reader will also learn about applying the standards and technologies required to build secure VPNs, configure client software and server operating systems, IPsec-enabled routers, firewalls and SSL clients.
Chapter coverage includes identifying vulnerabilities and implementing appropriate countermeasures to prevent and mitigate threats to mission-critical processes. Techniques are explored for creating a business continuity plan (BCP) and the methodology for building an infrastructure that supports its effective implementation.
A public key infrastructure (PKI) is an increasingly critical component for ensuring confidentiality, integrity and authentication in an enterprise. This comprehensive book will provide essential knowledge and skills needed to select, design and deploy a PKI to secure existing and future applications.
The book also discusses vulnerability scanners for detecting security weaknesses, prevention techniques, and how to allow access to key services while maintaining system security.
- Chapters contributed by leaders in the field cover theory and practice of computer security technology, allowing the reader to develop a new level of technical expertise.
- This book's comprehensive and up-to-date coverage of security issues facilitates learning and allows the reader to remain current and fully informed from multiple viewpoints.
- Presents methods of analysis and problem-solving techniques, enhancing the reader's grasp of the material and ability to implement practical solutions.
Front Cover 1
Computer and Information Security Handbook 4
Copyright Page 5
Contents 8
Foreword 22
Preface 24
Acknowledgments 28
About the Editor 30
Contributors 32
Part I: Overview of System and Network Security: A Comprehensive Introduction 34
Chapter 1. Building a Secure Organization 36
1. Obstacles to Security 36
Security Is Inconvenient 36
Computers Are Powerful and Complex 36
Computer Users Are Unsophisticated 37
Computers Created Without a Thought to Security 37
Current Trend Is to Share, Not Protect 37
Data Accessible from Anywhere 37
Security Isn't About Hardware and Software 38
The Bad Guys Are Very Sophisticated 38
Management Sees Security as a Drain on the Bottom Line 38
2. Ten Steps to Building a Secure Organization 39
A. Evaluate the Risks and Threats 39
B. Beware of Common Misconceptions 41
C. Provide Security Training for IT Staff—Now and Forever 42
D. Think "Outside the Box" 43
E. Train Employees: Develop a Culture of Security 45
F. Identify and Utilize Built-In Security Features of the Operating System and Applications 47
G. Monitor Systems 49
H. Hire a Third Party to Audit Security 50
I. Don't Forget the Basics 52
J. Patch, Patch, Patch 53
Chapter 2. A Cryptography Primer 56
1. What is Cryptography? What is Encryption? 56
How Is Cryptography Done? 57
2. Famous Cryptographic Devices 57
The Lorenz Cipher 57
Enigma 57
3. Ciphers 58
The Substitution Cipher 58
The Shift Cipher 59
The Polyalphabetic Cipher 62
The Kasiski/Kerckhoff Method 63
4. Modern Cryptography 64
The Vernam Cipher (Stream Cipher) 64
The One-Time Pad 65
Cracking Ciphers 66
The XOR Cipher and Logical Operands 67
Block Ciphers 68
5. The Computer Age 69
Data Encryption Standard 69
Theory of Operation 70
Implementation 71
Rivest, Shamir, and Adleman (RSA) 71
Advanced Encryption Standard (AES or Rijndael) 71
Chapter 3. Preventing System Intrusions 72
1. So, What is an Intrusion? 72
2. Sobering Numbers 73
3. Know Your Enemy: Hackers Versus Crackers 73
4. Motives 74
5. Tools of the Trade 74
6. Bots 75
7. Symptoms of Intrusions 76
8. What Can You Do? 76
Know Today's Network Needs 77
Network Security Best Practices 78
9. Security Policies 78
10. Risk Analysis 79
Vulnerability Testing 79
Audits 80
Recovery 80
11. Tools of Your Trade 80
Firewalls 80
Intrusion Prevention Systems 80
Application Firewalls 81
Access Control Systems 81
Unified Threat Management 82
12. Controlling User Access 82
Authentication, Authorization, and Accounting 82
What the User Knows 82
What the User Has 83
The User Is Authenticated, But Is She Authorized? 83
Accounting 84
Keeping Current 84
13. Conclusion 84
Chapter 4. Guarding Against Network Intrusions 86
1. Traditional Reconnaissance and Attacks 86
2. Malicious Software 89
Lures and "Pull" Attacks 90
3. Defense in Depth 91
4. Preventive Measures 92
Access Control 92
Vulnerability Testing and Patching 92
Closing Ports 93
Firewalls 93
Antivirus and Antispyware Tools 94
Spam Filtering 95
Honeypots 95
Network Access Control 96
5. Intrusion Monitoring and Detection 96
Host-Based Monitoring 97
Traffic Monitoring 97
Signature-Based Detection 97
Behavior Anomalies 98
Intrusion Prevention Systems 98
6. Reactive Measures 98
Quarantine 98
Traceback 99
7. Conclusions 99
Chapter 5. Unix and Linux Security 100
1. Unix and Security 100
The Aims of System Security 100
Achieving Unix Security 100
2. Basic Unix Security 101
Traditional Unix Systems 101
Standard File and Device Access Semantics 102
4. Protecting User Accounts and Strengthening Authentication 104
Establishing Secure Account Use 104
The Unix Login Process 104
Controlling Account Access 104
Noninteractive Access 105
Other Network Authentication Mechanisms 106
Risks of Trusted Hosts and Networks 106
Replacing Telnet, rlogin, and FTP Servers and Clients with SSH 106
5. Reducing Exposure to Threats by Limiting Superuser Privileges 107
Controlling Root Access 107
6. Safeguarding Vital Data by Securing Local and Network File Systems 109
Directory Structure and Partitioning for Security 109
Chapter 6. Eliminating the Security Weakness of Linux and Unix Operating Systems 112
1. Introduction to Linux and Unix 112
What Is Unix? 112
What Is Linux? 113
System Architecture 115
2. Hardening Linux and Unix 117
Network Hardening 117
Host Hardening 121
Systems Management Security 123
3. Proactive Defense for Linux and Unix 123
Vulnerability Assessment 123
Incident Response Preparation 124
Organizational Considerations 125
Chapter 7. Internet Security 126
1. Internet Protocol Architecture 126
Communications Architecture Basics 127
Getting More Specific 128
2. An Internet Threat Model 133
The Dolev-Yao Adversary Model 134
Layer Threats 134
3. Defending Against Attacks on the Internet 138
Layer Session Defenses 139
Session Startup Defenses 146
4. Conclusion 150
Chapter 8. The Botnet Problem 152
1. Introduction 152
2. Botnet Overview 153
Origins of Botnets 153
Botnet Topologies and Protocols 153
3. Typical Bot Life Cycle 155
4. The Botnet Business Model 156
5. Botnet Defense 157
Detecting and Removing Individual Bots 157
Detecting C&C Traffic
Detecting and Neutralizing the C&C Servers
Attacking Encrypted C&C Channels
Locating and Identifying the Botmaster 161
6. Botmaster Traceback 161
Traceback Challenges 162
Traceback Beyond the Internet 163
7. Summary 165
Chapter 9. Intranet Security 166
1. Plugging the Gaps: NAC and Access Control 169
2. Measuring Risk: Audits 170
3. Guardian at the Gate: Authentication and Encryption 171
4. Wireless Network Security 172
5. Shielding the Wire: Network Protection 174
6. Weakest Link in Security: User Training 175
7. Documenting the Network: Change Management 175
8. Rehearse the Inevitable: Disaster Recovery 176
9. Controlling Hazards: Physical and Environmental Protection 178
10. Know Your Users: Personnel Security 179
11. Protecting Data Flow: Information and System Integrity 179
12. Security Assessments 180
13. Risk Assessments 181
14. Conclusion 181
Chapter 10. Local Area Network Security 182
1. Identify Network Threats 183
Disruptive 183
Unauthorized Access 183
2. Establish Network Access Controls 183
3. Risk Assessment 184
4. Listing Network Resources 184
5. Threats 184
6. Security Policies 184
7. The Incident-handling Process 185
8. Secure Design Through Network Access Controls 185
9. IDS Defined 186
10. NIDS: Scope and Limitations 187
11. A Practical Illustration of NIDS 187
UDP Attacks 187
TCP SYN (Half-Open) Scanning 188
Some Not-So-Robust Features of NIDS 189
12. Firewalls 191
Firewall Security Policy 192
Configuration Script for sf Router 193
13. Dynamic NAT Configuration 193
14. The Perimeter 193
15. Access List Details 195
16. Types of Firewalls 195
17. Packet Filtering: IP Filtering Routers 195
18. Application-layer Firewalls: Proxy Servers 196
19. Stateful Inspection Firewalls 196
20. NIDS Complements Firewalls 196
21. Monitor and Analyze System Activities 196
Analysis Levels 197
22. Signature Analysis 197
23. Statistical Analysis 197
24. Signature Algorithms 197
Pattern Matching 197
Stateful Pattern Matching 198
Protocol Decode-based Analysis 198
Heuristic-Based Analysis 199
Anomaly-Based Analysis 199
Chapter 11. Wireless Network Security 202
1. Cellular Networks 202
Cellular Telephone Networks 203
802.11 Wireless LANs 203
2. Wireless Ad Hoc Networks 204
Wireless Sensor Networks 204
Mesh Networks 204
3. Security Protocols 205
WEP 205
WPA and WPA2 206
SPINS: Security Protocols for Sensor Networks 206
4. Secure Routing 208
SEAD 208
Ariadne 209
ARAN 209
SLSP 210
5. Key Establishment 210
Bootstrapping 210
Key Management 211
References 214
Chapter 12. Cellular Network Security 216
1. Introduction 216
2. Overview of Cellular Networks 217
Overall Cellular Network Architecture 217
Core Network Organization 218
Call Delivery Service 218
3. The State of the Art of Cellular Network Security 219
Security in the Radio Access Network 219
Security in Core Network 220
Security Implications of Internet Connectivity 221
Security Implications of PSTN Connectivity 221
4. Cellular Network Attack Taxonomy 222
Abstract Model 222
Abstract Model Findings 222
Three-Dimensional Attack Taxonomy 225
5. Cellular Network Vulnerability Analysis 226
Cellular Network Vulnerability Assessment Toolkit (CAT) 228
Advanced Cellular Network Vulnerability Assessment Toolkit (aCAT) 231
Cellular Network Vulnerability Assessment Toolkit for evaluation (eCAT) 232
6. Discussion 234
References 235
Chapter 13. RFID Security 238
1. RFID Introduction 238
RFID System Architecture 238
RFID Standards 240
RFID Applications 241
2. RFID Challenges 242
Counterfeiting 242
Sniffing 242
Tracking 242
Denial of Service 243
Other Issues 243
Comparison of All Challenges 245
3. RFID Protections 245
Basic RFID System 245
RFID System Using Symmetric-Key Cryptography 248
RFID System Using Public-key Cryptography 250
References 252
Part II: Managing Information Security 256
Chapter 14. Information Security Essentials for IT Managers: Protecting Mission-Critical Systems 258
1. Information Security Essentials for IT Managers, Overview 258
Scope of Information Security Management 258
CISSP Ten Domains of Information Security 258
What is a Threat? 260
Common Attacks 261
Impact of Security Breaches 264
2. Protecting Mission-critical Systems 264
Information Assurance 264
Information Risk Management 264
Defense in Depth 266
Contingency Planning 266
3. Information Security from the Ground Up 269
Physical Security 269
Data Security 270
Systems and Network Security 272
Business Communications Security 274
Wireless Security 275
Web and Application Security 279
Security Policies and Procedures 280
Security Employee Training and Awareness 281
4. Security Monitoring and Effectiveness 282
Security Monitoring Mechanisms 283
Incident Response and Forensic Investigations 284
Validating Security Effectiveness 284
References 285
Chapter 15. Security Management Systems 288
1. Security Management System Standards 288
2. Training Requirements 289
3. Principles of Information Security 289
4. Roles and Responsibilities of Personnel 289
5. Security Policies 289
6. Security Controls 290
7. Network Access 290
8. Risk Assessment 290
9. Incident Response 291
10. Summary 291
Chapter 16. Information Technology Security Management 292
1. Information Security Management Standards 292
Federal Information Security Management Act 292
International Standards Organization 293
Other Organizations Involved in Standards 293
2. Information Technology Security Aspects 293
Security Policies and Procedures 294
IT Security Processes 296
3. Conclusion 300
Chapter 17. Identity Management 302
1. Introduction 302
2. Evolution of Identity Management Requirements 302
Digital Identity Definition 303
Identity Management Overview 303
Privacy Requirement 305
User-Centricity 305
Usability Requirement 306
3. The Requirements Fulfilled by Current Identity Management Technologies 307
Evolution of Identity Management 307
Identity 2.0 311
4. Identity 2.0 for Mobile Users 319
Mobile Web 2.0 319
Mobility 320
Evolution of Mobile Identity 320
The Future of Mobile User-Centric Identity Management in an Ambient Intelligence World 323
Research Directions 325
5. Conclusion 325
Chapter 18. Intrusion Prevention and Detection Systems 326
1. What is an "Intrusion," Anyway? 326
Physical Theft 326
Abuse of Privileges (The Insider Threat) 326
2. Unauthorized Access by an Outsider 327
3. Malware Infection 327
4. The Role of the "0-day" 328
5. The Rogue's Gallery: Attackers and Motives 329
6. A Brief Introduction to TCP/IP 330
7. The TCP/IP data Architecture and Data Encapsulation 331
8. Survey of Intrusion Detection and Prevention Technologies 333
9. Anti-Malware Software 334
10. Network-based Intrusion Detection Systems 335
11. Network-based Intrusion Prevention Systems 336
12. Host-based Intrusion Prevention Systems 337
13. Security Information Management Systems 337
14. Network Session Analysis 337
15. Digital Forensics 338
16. System Integrity Validation 339
17. Putting it all Together 339
Chapter 19. Computer Forensics 340
1. What is Computer Forensics? 340
2. Analysis of Data 341
Computer Forensics and Ethics, Green Home Plate Gallery View 342
Database Reconstruction 343
3. Computer Forensics in the Court System 343
4. Understanding Internet History 345
5. Temporary Restraining Orders and Labor Disputes 345
Divorce 346
Patent Infringement 346
When to Acquire, When to Capture Acquisition 346
Creating Forensic Images Using Software and Hardware Write Blockers 346
Live Capture of Relevant Files 347
Redundant Array of Independent (or Inexpensive) Disks (RAID) 347
File System Analyses 347
NTFS 348
The Role of the Forensic Examiner in Investigations and File Recovery 348
Password Recovery 350
File Carving 351
Things to Know: How Time stamps Work 353
Experimental Evidence 354
Email Headers and Time stamps, Email Receipts, and Bounced Messages 355
Steganography "Covered Writing" 357
5. First Principles 358
6. Hacking a Windows XP Password 358
Net User Password Hack 358
Lanman Hashes and Rainbow Tables 358
Password Reset Disk 359
Memory Analysis and the Trojan Defense 359
User Artifact Analysis 359
Recovering Lost and Deleted Files 360
Email 360
Internet History 360
7. Network Analysis 361
Protocols 361
Analysis 361
8. Computer Forensics Applied 362
Tracking, Inventory, Location of Files, Paperwork, Backups, and So On 362
Testimonial 362
Experience Needed 362
Job Description, Technologist 362
Job Description Management 363
Commercial Uses 363
Solid Background 363
Education/Certification 363
Programming and Experience 364
Publications 364
9. Testifying as an Expert 365
Degrees of Certainty 365
Certainty Without Doubt 367
10. Beginning to End in Court 367
Defendants, Plaintiffs, and Prosecutors 367
Pretrial Motions 368
Trial: Direct and Cross-Examination 368
Rebuttal 368
Surrebuttal 368
Testifying: Rule 702. Testimony by Experts 368
Correcting Mistakes: Putting Your Head in the Sand 369
Chapter 20. Network Forensics 372
1. Scientific Overview 372
2. The Principles of Network Forensics 373
3. Attack Traceback and Attribution 374
IP Traceback 374
Stepping-Stone Attack Attribution 377
4. Critical Needs Analysis 379
5. Research Directions 379
VoIP Attribution 379
Tracking Botnets 379
Traceback in Anonymous Systems 379
Online Fraudster Detection and Attribution 380
Tracing Phishers 380
Tracing Illegal Content Distributor in P2P Systems 380
Chapter 21. Firewalls 382
1. Network Firewalls 382
2. Firewall Security Policies 383
Rule-Match Policies 384
3. A Simple Mathematical Model for Policies, Rules, and Packets 384
4. First-match Firewall Policy Anomalies 385
5. Policy Optimization 385
Policy Reordering 385
Combining Rules 386
Default Accept or Deny? 386
6. Firewall Types 386
Packet Filter 387
Stateful Packet Firewalls 387
Application Layer Firewalls 387
7. Host and Network Firewalls 388
8. Software and Hardware Firewall Implementations 388
9. Choosing the Correct Firewall 388
10. Firewall Placement and Network Topology 389
Demilitarized Zones 390
Perimeter Networks 390
Two-Router Configuration 390
Dual-Homed Host 391
Network Configuration Summary 391
11. Firewall Installation and Configuration 391
12. Supporting Outgoing Services Through Firewall Configuration 392
Forms of State 392
Payload Inspection 393
13. Secure External Services Provisioning 393
14. Network Firewalls for Voice and Video Applications 393
Packet Filtering H.323 394
15. Firewalls and Important Administrative Service Protocols 394
Routing Protocols 394
Internet Control Message Protocol 395
Network Time Protocol 395
Central Log File Management 395
Dynamic Host Configuration Protocol 396
16. Internal IP Services Protection 396
17. Firewall Remote Access Configuration 397
18. Load Balancing and Firewall Arrays 398
Load Balancing in Real Life 398
How to Balance the Load 398
Advantages and Disadvantages of Load Balancing 399
19. Highly Available Firewalls 399
Load Balancer Operation 399
Interconnection of Load Balancers and Firewalls 399
20. Firewall Management 400
21. Conclusion 400
Chapter 22. Penetration Testing 402
1. What is Penetration Testing? 402
2. How does Penetration Testing Differ from an Actual "Hack?" 403
3. Types of Penetration Testing 404
4. Phases of Penetration Testing 406
The Pre-Attack Phase 406
The Attack Phase 406
The Post-Attack Phase 406
5. Defining What's Expected 407
6. The Need for a Methodology 408
7. Penetration Testing Methodologies 408
8. Methodology in Action 409
EC-Council LPT Methodology 409
9. Penetration Testing Risks 411
10. Liability Issues 411
11. Legal Consequences 412
12. "Get out of jail free" Card 412
13. Penetration Testing Consultants 412
14. Required Skill Sets 413
15. Accomplishments 413
16. Hiring a Penetration Tester 413
17. Why Should a Company Hire You? 414
Qualifications 414
Work Experience 414
Cutting-Edge Technical Skills 414
Communication Skills 414
Attitude 414
Team Skills 414
Company Concerns 414
18. All's Well that Ends Well 415
Chapter 23. What Is Vulnerability Assessment? 416
1. Reporting 416
2. The "It Won't Happen to Us" Factor 416
3. Why Vulnerability Assessment? 417
4. Penetration Testing Versus Vulnerability Assessment 417
5. Vulnerability Assessment Goal 418
6. Mapping the Network 418
7. Selecting the Right Scanners 419
8. Central Scans Versus Local Scans 420
9. Defense in Depth Strategy 421
10. Vulnerability Assessment Tools 421
Nessus 421
GFI LANguard 422
Retina 422
Core Impact 422
ISS Internet Scanner 422
X-Scan 422
Sara 422
QualysGuard 422
SAINT 422
MBSA 422
11. Scanner Performance 423
12. Scan Verification 423
13. Scanning Cornerstones 423
14. Network Scanning Countermeasures 423
15. Vulnerability Disclosure Date 424
Find Security Holes Before They Become Problems 424
16. Proactive Security Versus Reactive Security 425
17. Vulnerability Causes 425
Password Management Flaws 425
Fundamental Operating System Design Flaws 425
Software Bugs 425
Unchecked User Input 425
18. DIY Vulnerability Assessment 426
19. Conclusion 426
Part III: Encryption Technology 428
Chapter 24. Data Encryption 430
1. Need for Cryptography 431
Authentication 431
Confidentiality 431
Integrity 431
Nonrepudiation 431
2. Mathematical Prelude to Cryptography 431
Mapping or Function 431
Probability 431
Complexity 431
3. Classical Cryptography 432
The Euclidean Algorithm 432
The Extended Euclidean Algorithm 432
Modular Arithmetic 432
Congruence 433
Residue Class 433
Inverses 433
Fundamental Theorem of Arithmetic 433
Congruence Relation Defined 434
Substitution Cipher 434
Transposition Cipher 435
4. Modern Symmetric Ciphers 435
S-Box 436
P-Boxes 436
Product Ciphers 437
5. Algebraic Structure 437
Definition Group 437
Definitions of Finite and Infinite Groups (Order of a Group) 437
Definition Abelian Group 437
Examples of a Group 437
Definition: Subgroup 438
Definition: Cyclic Group 438
Rings 438
Definition: Field 438
Finite Fields GF(2^n) 438
Modular Polynomial Arithmetic Over GF(2) 439
Using a Generator to Represent the Elements of GF(2^n) 439
GF(2^3) Is a Finite Field 440
6. The Internal Functions of Rijndael in AES Implementation 440
Mathematical Preliminaries 441
State 441
7. Use of Modern Block Ciphers 445
The Electronic Code Book (ECB) 445
Cipher-Block Chaining (CBC) 445
8. Public-key Cryptography 445
Review: Number Theory 445
9. Cryptanalysis of RSA 449
Factorization Attack 449
10. Diffie-Hellman Algorithm 450
11. Elliptic Curve Cryptosystems 450
An Example 451
Example of Elliptic Curve Addition 451
EC Security 452
12. Message Integrity and Authentication 452
Cryptographic Hash Functions 452
Message Authentication 453
Digital Signature 453
Message Integrity Uses a Hash Function in Signing the Message 453
RSA Digital Signature Scheme 453
RSA Digital Signature and the Message Digest 453
13. Summary 454
References 454
Chapter 25. Satellite Encryption 456
1. The Need for Satellite Encryption 456
2. Satellite Encryption Policy 458
3. Implementing Satellite Encryption 459
General Satellite Encryption Issues 459
Uplink Encryption 461
Extraplanetary Link Encryption 461
Downlink Encryption 462
4. The Future of Satellite Encryption 463
Chapter 26. Public Key Infrastructure 466
1. Cryptographic Background 466
Digital Signatures 466
Public Key Encryption 467
2. Overview of PKI 468
3. The X.509 Model 469
The History of X.509 469
The X.509 Certificate Model 469
4. X.509 Implementation Architectures 470
5. X.509 Certificate Validation 472
Validation Step 1: Construct the Chain and Validate Signatures 472
Validation Step 2: Check Validity Dates, Policy and Key Usage 472
Validation Step 3: Consult Revocation Authorities 473
6. X.509 Certificate Revocation 473
Online Certificate Status Protocol 474
7. Server-based Certificate Validity Protocol 475
8. X.509 Bridge Certification Systems 476
Mesh PKIs and Bridge CAs 476
9. X.509 Certificate Format 477
X.509 V1 and V2 Format 478
X.509 V3 Format 478
X.509 Certificate Extensions 478
Policy Extensions 479
Certificate Policy 479
10. PKI Policy Description 480
11. PKI Standards Organizations 481
IETF PKIX 481
SDSI/SPKI 481
IETF OpenPGP 481
12. PGP Certificate Formats 482
13. PGP PKI Implementations 482
14. W3C 482
15. Alternative PKI Architectures 483
16. Modified X.509 Architectures 483
Perlman and Kaufman's User-Centric PKI 483
Gutmann's Plug and Play PKI 483
Callas's Self-Assembling PKI 483
17. Alternative Key Management Models 483
Chapter 27. Instant-Messaging Security 486
1. Why Should I Care About Instant Messaging? 486
2. What is Instant Messaging? 486
3. The Evolution of Networking Technologies 487
4. Game Theory and Instant Messaging 488
Your Workforce 488
Generational Gaps 489
Transactions 490
5. The Nature of the Threat 490
Malicious Threat 491
Vulnerabilities 492
Man-in-the-Middle Attacks 492
Phishing and Social Engineering 492
Knowledge Is the Commodity 492
Data and Traffic Analysis 493
Unintentional Threats 493
Regulatory Concerns 494
6. Common IM Applications 494
Consumer Instant Messaging 494
Enterprise Instant Messaging 494
Instant-Messaging Aggregators 495
Backdoors: Instant Messaging Via Other Means (HTML) 495
Mobile Dimension 495
7. Defensive Strategies 495
8. Instant-messaging Security Maturity and Solutions 496
Asset Management 496
Built-In Security 496
Content Filtering 496
Classic Security 496
Compliance 497
Data Loss Prevention 497
Logging 497
Archival 497
9. Processes 497
Instant-Messaging Activation and Provisioning 497
Application Review 497
People 497
Revise 497
Audit 497
10. Conclusion 498
Example Answers to Key Factors 499
Part IV: Privacy and Access Management 500
Chapter 28. NET Privacy 502
1. Privacy in the Digital Society 502
The Origins, The Debate 502
Privacy Threats 504
2. The Economics of Privacy 507
The Value of Privacy 507
Privacy and Business 508
3. Privacy-Enhancing Technologies 509
Languages for Access Control and Privacy Preferences 509
Data Privacy Protection 511
Privacy for Mobile Environments 513
4. Network Anonymity 515
Onion Routing 516
Anonymity Services 517
5. Conclusion 518
Chapter 29. Personal Privacy Policies 520
1. Introduction 520
2. Content of Personal Privacy Policies 521
Privacy Legislation and Directives 521
Requirements from Privacy Principles 521
Privacy Policy Specification 523
3. Semiautomated Derivation of Personal Privacy Policies 523
An Example 525
Retrieval from a Community of Peers 526
4. Specifying Well-formed Personal Privacy Policies 527
Unexpected Outcomes 527
Outcomes From the Way the Matching Policy Was Obtained 527
5. Preventing Unexpected Negative Outcomes 529
Definition 1 529
Definition 2 529
Rules for Specifying Near Well-Formed Privacy Policies 529
Approach for Obtaining Near Well-Formed Privacy Policies 530
6. The Privacy Management Model 530
How Privacy Policies Are Used 530
Personal Privacy Policy Negotiation 532
Personal Privacy Policy Compliance 535
7. Discussion and Related Work 535
8. Conclusions and Future Work 538
Chapter 30. Virtual Private Networks 540
1. History 541
2. Who is in Charge? 544
3. VPN Types 545
IPsec 545
L2TP 545
L2TPv3 546
L2F 546
PPTP VPN 546
MPLS 547
MPVPN™ 547
SSH 547
SSL-VPN 547
TLS 547
4. Authentication Methods 548
Hashing 548
HMAC 548
MD5 548
SHA-1 548
5. Symmetric Encryption 549
6. Asymmetric Cryptography 549
7. Edge Devices 549
8. Passwords 549
9. Hackers and Crackers 550
Chapter 31. Identity Theft 552
1. Experimental Design 553
Authentic Payment Notification: Plain Versus Fancy Layout 555
Strong Phishing Message: Plain Versus Fancy Layout 558
Authentic Promotion: Effect of Small Footers 558
Weak Phishing Message 560
Authentic Message 561
Login Page 561
Login Page: Strong and Weak Content Alignment 562
Login Page: Authentic and Bogus (But Plausible) URLs 565
Login Page: Hard and Soft Emphasis on Security 565
Bad URL, with and without SSL and Endorsement Logo 568
High-Profile Recall Notice 568
Low-Profile Class-Action Lawsuit 568
2. Results and Analysis 568
3. Implications for Crimeware 579
Example: Vulnerability of Web-Based Update Mechanisms 580
Example: The Unsubscribe Spam Attack 580
The Strong Narrative Attack 581
4. Conclusion 581
Chapter 32. VoIP Security 584
1. Introduction 584
VoIP Basics 584
2. Overview of Threats 586
Taxonomy of Threats 586
Reconnaissance of VoIP Networks 586
Denial of Service 587
Loss of Privacy 588
Exploits 590
3. Security in VoIP 591
Preventative Measures 591
Reactive 592
4. Future Trends 593
Forking Problem in SIP 593
Security in Peer-to-Peer SIP 594
End-to-End Identity with SBCs 596
5. Conclusion 597
Part V: Storage Security 598
Chapter 33. SAN Security 600
1. Organizational Structure 600
AAA 601
Restricting Access to Storage 602
2. Access Control Lists (ACL) and Policies 603
Data Integrity Field (DIF) 603
3. Physical Access 604
4. Change Management 604
5. Password Policies 604
6. Defense in Depth 604
7. Vendor Security Review 604
8. Data Classification 604
9. Security Management 605
Security Setup 605
Unused Capabilities 605
10. Auditing 605
Updates 605
Monitoring 605
Security Maintenance 605
11. Management Access: Separation of Functions 606
Limit Tool Access 606
Secure Management Interfaces 606
12. Host Access: Partitioning 606
S_ID Checking 607
13. Data Protection: Replicas 607
Erasure 607
Potential Vulnerabilities and Threats 608
Physical Attacks 608
Management Control Attacks 608
Host Attacks 608
World Wide Name Spoofing 609
Man-in-the-Middle Attacks 609
E-Port Replication Attack 609
Denial-of-Service Attacks 610
Session Hijacking Attacks 610
15. Encryption in Storage 610
The Process 610
Encryption Algorithms 611
Key Management 612
Configuration Management 613
16. Application of Encryption 613
Risk Assessment and Management 613
Modeling Threats 613
Use Cases for Protecting Data at Rest 614
Use Considerations 615
Deployment Options 615
17. Conclusion 621
References 622
Chapter 34. Storage Area Networking Security Devices 624
1. What is a SAN? 624
2. SAN Deployment Justifications 624
3. The Critical Reasons for SAN Security 625
Why Is SAN Security Important? 625
4. SAN Architecture and Components 626
SAN Switches 626
5. SAN General Threats and Issues 627
SAN Cost: A Deterrent to Attackers 627
Physical Level Threats, Issues, and Risk Mitigation 627
Logical Level Threats, Vulnerabilities, and Risk Mitigation 629
6. Conclusion 636
Chapter 35. Risk Management 638
1. The Concept of Risk 639
2. Expressing and Measuring Risk 639
3. The Risk Management Methodology 642
Context Establishment 642
Risk Assessment 643
Risk Treatment 645
Risk Communication 647
Risk Monitoring and Review 647
Integrating Risk Management into the System Development Life Cycle 647
Critique of Risk Management as a Methodology 648
Risk Management Methods 649
4. Risk Management Laws and Regulations 653
5. Risk Management Standards 656
6. Summary 658
Part VI: Physical Security 660
Chapter 36. Physical Security Essentials 662
1. Overview 662
2. Physical Security Threats 663
Natural Disasters 663
Environmental Threats 664
Technical Threats 666
Human-Caused Physical Threats 667
3. Physical Security Prevention and Mitigation Measures 667
Environmental Threats 667
Technical Threats 668
Human-Caused Physical Threats 668
4. Recovery from Physical Security Breaches 669
5. Threat Assessment, Planning, and Plan Implementation 669
Threat Assessment 669
Planning and Implementation 670
6. Example: A Corporate Physical Security Policy 670
7. Integration of Physical and Logical Security 672
References 676
Chapter 37. Biometrics 678
1. Relevant Standards 679
2. Biometric System Architecture 680
Data Capture 681
Signal Processing 681
Matching 682
Data Storage 682
Decision 682
Adaptation 685
3. Using Biometric Systems 685
Enrollment 685
Authentication 686
Identification 687
4. Security Considerations 688
Error Rates 688
Doddington's Zoo 689
Birthday Attacks 689
Comparing Technologies 690
Storage of Templates 691
5. Conclusion 692
Chapter 38. Homeland Security 694
1. Statutory Authorities 694
The USA PATRIOT Act of 2001 (PL 107-56) 694
The Aviation and Transportation Security Act of 2001 (PL 107-71) 696
Enhanced Border Security and Visa Entry Reform Act of 2002 (PL 107-173) 696
Public Health Security, Bioterrorism Preparedness & Response Act of 2002 (PL 107-188)
Homeland Security Act of 2002 (PL 107-296) 698
E-Government Act of 2002 (PL 107-347) 699
2. Homeland Security Presidential Directives 700
3. Organizational Actions 702
Department of Homeland Security Subcomponents 702
State and Federal Organizations 702
The Governor's Office of Homeland Security 703
California Office of Information Security and Privacy Protection 703
Private Sector Organizations for Information Sharing 703
4. Conclusion 707
Chapter 39. Information Warfare 710
1. Information Warfare Model 710
2. Information Warfare Defined 711
3. IW: Myth or Reality? 711
4. Information Warfare: Making IW Possible 713
Offensive Strategies 713
5. Preventative Strategies 718
6. Legal Aspects of IW 719
Terrorism and Sovereignty 719
Liability Under International Law 719
Remedies Under International Law 720
Developing Countries Response 722
7. Holistic View of Information Warfare 722
8. Conclusion 723
Part VII: Advanced Security 724
Chapter 40. Security Through Diversity 726
1. Ubiquity 726
2. Example Attacks Against Uniformity 727
3. Attacking Ubiquity With Antivirus Tools 727
4. The Threat of Worms 728
5. Automated Network Defense 730
6. Diversity and the Browser 731
7. Sandboxing and Virtualization 731
8. DNS Example of Diversity through Security 732
9. Recovery from Disaster is Survival 732
10. Conclusion 733
Chapter 41. Reputation Management 734
1. The Human Notion of Reputation 735
2. Reputation Applied to the Computing World 737
3. State of the Art of Attack-resistant Reputation Computation 741
4. Overview of Current Online Reputation Service 744
eBay 744
Opinity 746
Rapleaf 747
Venyo 748
TrustPlus + Xing + ZoomInfo + SageFire 749
Naymz + Trufina 750
The GORB 752
ReputationDefender 753
Summarizing Table 753
5. Conclusion 753
Chapter 42. Content Filtering 756
1. The Problem with Content Filtering 756
2. User Categories, Motivations, and Justifications 757
Schools 758
Commercial Business 758
Financial Organizations 758
Healthcare Organizations 758
Internet Service Providers 758
U.S. Government 758
Other Governments 758
Libraries 758
Parents 759
3. Content Blocking Methods 759
Banned Word Lists 759
URL Block 759
Category Block 759
Bayesian Filters 760
Safe Search Integration to Search Engines with Content Labeling 760
Content-Based Image Filtering (CBIF) 760
4. Technology and Techniques for Content-Filtering Control 761
Internet Gateway-Based Products/Unified Threat Appliances 761
5. Categories 765
6. Legal Issues 768
Federal Law: ECPA 768
CIPA: The Children's Internet Protection Act 768
The Trump Card of Content Filtering: The "National Security Letter" 769
ISP Content Filtering Might Be a "Five-Year Felony" 769
7. Issues and Problems with Content Filtering 770
Bypass and Circumvention 770
Client-Based Proxies 770
Open Proxies 772
HTTP Web-Based Proxies (Public and Private) 772
Secure Public Web-Based Proxies 772
Process Killing 772
Remote PC Control Applications 772
Overblocking and Underblocking 773
Blacklist and Whitelist Determination 773
Casual Surfing Mistake 773
Getting the List Updated 773
Time-of-Day Policy Changing 773
Override Authorization Methods 773
Hide Content in "Noise" or Use Steganography 773
Nonrepudiation: Smart Cards, ID Cards for Access 773
Warn and Allow Methods 773
Integration with Spam Filtering tools 773
Detect Spyware and Malware in the HTTP Payload 773
Integration with Directory Servers 773
Language Support 774
Financial Considerations Are Important 774
Scalability and Usability 774
Performance Issues 775
Reporting Is a Critical Requirement 775
Bandwidth Usage 775
Precision Percentage and Recall 775
9. Related Products 776
10. Conclusion 776
Chapter 43. Data Loss Protection 778
1. Precursors of DLP 780
2. What is DLP? 781
3. Where to Begin? 786
4. Data is Like Water 787
5. You Don't Know What You Don't Know 788
Precision versus Recall 789
6. How Do DLP Applications Work? 789
7. Eat Your Vegetables 790
Data in Motion 790
Data at Rest 791
Data in Use 791
8. It's a Family Affair, Not Just IT Security's Problem 793
9. Vendors, Vendors Everywhere! Who Do You Believe? 795
10. Conclusion 795
Part VIII: Appendices 796
Appendix A: Configuring Authentication Service on Microsoft Windows Vista 798
1. Backup and Restore of Stored Usernames and Passwords 798
Automation and Scripting 798
Security Considerations 798
2. Credential Security Service Provider and SSO for Terminal Services Logon 798
Requirements 799
Configuration 799
Security Considerations 799
3. TLS/SSL Cryptographic Enhancements 799
AES Cipher Suites 799
ECC Cipher Suites 800
Schannel CNG Provider Model 801
Default Cipher Suite Preference 802
Previous Cipher Suites 802
4. Kerberos Enhancements 802
AES 802
Read-Only Domain Controller and Kerberos Authentication 803
5. Smart Card Authentication Changes 803
Additional Changes to Common Smart Card Logon Scenarios 804
6. Previous Logon Information 806
Configuration 807
Security Considerations 807
Appendix B: Security Management and Resiliency 808
Appendix C: List of Top Security Implementation and Deployment Companies 810
List of SAN Implementation and Deployment Companies 811
SAN Security Implementation and Deployment Companies 811
Appendix D: List of Security Products 814
Security Software 814
Appendix E: List of Security Standards 816
Appendix F: List of Miscellaneous Security Resources 818
Conferences 818
Consumer Information 818
Directories 819
Help and Tutorials 819
Mailing Lists 819
News and Media 820
Organizations 820
Products and Tools 821
Research 823
Content Filtering Links 824
Other Logging Resources 824
Appendix G: Ensuring Built-in Frequency Hopping Spread Spectrum Wireless Network Security 826
Accomplishment 826
Background 826
Additional Information 826
Appendix H: Configuring Wireless Internet Security Remote Access 828
Adding the Access Points as RADIUS Clients to IAS 828
Adding Access Points to the first IAS Server 828
Scripting the Addition of Access Points to IAS Server (Alternative Procedure) 828
Configuring the Wireless Access Points 829
Enabling Secure WLAN Authentication on Access Points 829
Additional Settings to Secure Wireless Access Points 830
Replicating RADIUS Client Configuration to Other IAS Servers 831
Appendix I: Frequently Asked Questions 832
Appendix J: Glossary 834
A 834
B 835
C 835
D 837
E 839
F 839
G 839
H 839
I 840
K 841
L 841
M 841
N 842
O 842
P 843
R 844
S 845
T 846
U 847
V 848
W 848
Y 848
Index 850
A 850
B 851
C 852
D 855
E 856
F 857
G 858
H 858
I 859
J 862
K 862
L 862
M 863
N 865
O 865
P 866
Q 868
R 868
S 870
T 873
U 874
V 875
W 876
X 877
Y 877
Z 877
| Publication date (per publisher) | 4 May 2009 |
|---|---|
| Language | English |
| Subject area | Non-fiction / Guide |
| Category | Computer Science ► Networks ► Security / Firewall |
| Category | Business ► Business Administration / Management |
| ISBN-10 | 0-08-092194-9 / 0080921949 |
| ISBN-13 | 978-0-08-092194-5 / 9780080921945 |
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. At download time the eBook is authorized to your personal Adobe ID, and it can then be read only on devices that are also registered to that Adobe ID.
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is well suited to fiction and non-fiction. The running text reflows dynamically to the display and font size, so EPUB also works well on mobile reading devices.
System requirements: the eBook can be read on a PC or Mac, on (almost) all eBook readers (it is not compatible with the Amazon Kindle), and on Apple or Android smartphones and tablets.