Index
A
acceptability metric, access control, 125
acceptance, false, 137
access control, 12–19, 121–139
authentication in, 17, 133–134
authorization in, 133
base relations (SQL) and, 16, 129–130
biometrics in, 14, 18, 124–125, 137–138
call back schemes and, 13, 121–122
context dependence/independence in, 14, 125
Enterprise Access Management (EAM) in, 18, 136–137
general packet radio services (GPRS) and, 19, 138
global system for mobile (GSM) and, 19, 138–139
grouped processes and, 13, 122–123
object-oriented databases and, 17, 132–133
physical security and, for high security areas, 96, 309
protection domains and, 13, 122–123
reference monitors and, 17, 133–134
relational databases and, 14, 17, 126, 132–133
restricted shell and, 14–15, 126–127
rows and columns in, 13, 123–124
Secure European System for Applications in Multivendor Environment (SESAME) and, 15, 128–129
security kernels and, 133
Security Support Provider Interface (SSPI) in, 129
Simple Security Property and, 16, 130–131
single sign on (SSO) interfaces and, 17, 131–132, 136–137
Star Property and, 16, 130–131
statistical information and, 16, 129
timestamps in, 127
virtual private networks (VPNs) and, 19, 138
Windows 2000 and, 16–17, 128–129
access control lists (ACLs), 122
access control triples, 122
access nodes, WLAN, 159
access triples, 200
accreditation, in security architecture and models, 51, 205–206
ad hoc mode WLAN, 159
adaptive chosen plaintext attacks, 172
address resolution protocol (ARP), 158
advanced encryption standard (AES), 37, 175, 177–178, 188
aggregation, 126
AiroPeek, 149
algorithms, cryptography, 33, 164
annualized loss expectancy (ALE), 3, 100–101
ANSI ASC X12 standard in security architecture and models, 51, 207–209
ANSI X9.52 standard, 40, 185–186
applets, 196
application level firewalls, 153
application level proxy server, 151–152
application programming interfaces (APIs), 39, 183–184
applications and systems development, 63–71, 239–255
artificial neural networks (ANNs) and, 69, 250–251
capability maturity model (CMM) in, 66, 243–244
classes and subclasses in, 67, 246
client/server model in, 70, 254–255
common object model (COM) and, 70, 253–254
common object request broker architecture (CORBA) and, 70, 253–254
configuration management and, 65, 241
Construction Cost Model (COCOMO) in, 65, 241–242
data dictionaries and, 69, 251
database management systems (DBMS) in, 71, 255
distributed data processing (DDP) and, 70, 255
expert systems and, 67–68, 247–248
genetic algorithms and, 69, 251–252
incremental development in, 66
inference engines in, 68, 247–248
knowledge based system (KBS) and, 67, 246–247
object request architecture (ORA) in, 69, 252
object request broker (ORB) and, 69, 253
object-oriented languages in, 67, 246
object-oriented programming and, 67, 245–246
software capability evaluation in, 66–67, 245
software engineering and, 65, 239–240
software process assessment in, 66–67, 245
validation in, 240
array processors, 195
arrays, 195
artificial intelligence, 246
artificial neural networks (ANNs), 69, 250–251
assets identification, in business continuity, disaster recovery, 80, 272–273
associative memory, in security architecture and models, 52, 210
asymmetric key encryption, 170
asynchronous data transmission, 146
asynchronous transfer mode (ATM), 156
attributes, access control, 130
audit trails
law, investigation, ethics and, 89, 292
operations security and, 58, 220–221
auditing, 196
operations security and, 59, 223–224
security management and, 6–7, 109
authentication headers (AHs), 42, 190
authorization, 133
automated information systems (AIS), 215–216, 277
automated scanning tools, 107
availability, 109
awareness, training, education, 4–5, 7, 102–103, 106, 111
B
back propagation, 251
backup methods
in business continuity, disaster recovery, 77, 79, 265–266, 271–272
in law, investigation, ethics, 88, 290–291
in telecommunications and network security, 29, 161–162
backward chaining, 247
base relations (SQL), access control, 16, 129–130
basic rate interface (BRI) in ISDN, 23, 143
behaviors, in OOP, 245
Bell-LaPadula model for security architecture, 47–48, 197–199
Biba model for security architecture, 48, 199–200
access control and, 14, 18, 137–138
birthday attacks, 172
blackboard, in expert systems, 247
block ciphers, 36–37, 41, 175–177, 189
Blue Book, 216
Bluetooth, 144
BO2K, 154
British Standards Institution, 184
bus, 277
bus topologies, 154
business assets identification, in business continuity, disaster recovery, 80, 272–273
business continuity and disaster recovery, 73–80, 257–275
business assets identification in, 80, 272–273
business continuity programs in, 77, 265
business impact analysis (BIA) in, 78, 267–268
business resumption plan development in, 76, 262–263
contingency planning process in, 75–76, 260–261
disasters defined for, 77, 263–264
emergency management plan development in, 78, 266–267
evaluation and modification of, 79, 272
financial decision making and, 76, 261
financial management's role in, 77, 264
human caused hazards in, 80, 273
isolation of scene in, 79, 271
mutual aid agreements in, 78, 266, 272
natural disasters and, 76, 262
public and media disclosure of event in, 80, 273–274
remote sensing technology and, 75, 258
resuming normal operations and, 79, 270
senior management's role in, 76, 261–262
short-term objectives in, 79, 270–271
tiered organization structures and, 78, 267
vulnerability assessments in, 78, 268–269
water purification and, 79, 269–270
business continuity programs, 77, 265
business impact analysis (BIA), 78, 267–268
business resumption plan development, 76, 262–263
Business Software Alliance (BSA), 294–295
C
cache logic, 212
cache poisoning, 154
Caesar ciphers, 189
call back schemes, access control, 13, 121–122
capability maturity model (CMM), in applications and systems development, 66, 243–244
Capstone cryptography, 36, 174–175
carbon dioxide (CO2) agents, 308
carnivores, in law, investigation, ethics, 84, 280–281
carrier sense multiple access control/carrier detect (CSMA/CD), 142
CAST5 cryptography, 180
categories of cabling, 24, 144–145, 159
categories of computer crimes, 83, 277–279
CD-ROM companion disk and use, 311–313
central processing unit (CPU), 277, in security architecture and models, 52, 210
centralized architectures, 211
CERT Coordination Center (CERT/CC), 212–213
certification, in security architecture and models, 51, 205–206
challenge handshake authentication protocol (CHAP), 151
challenge-response authentication, 134
checklist reviews, in business continuity, disaster recovery, 259
checksums, access control, 16, 131
Chinese Wall model, 254
chosen ciphertext attacks, 172
CIAP and security architecture, 206
cipher block chaining (CBC), 176
ciphers, 164
circuit level firewalls, 153
cladding, optical fiber, 162
Clark-Wilson Integrity Model for security architecture, 48, 200
classes, in applications and systems development, 67, 246
classes of IP addresses, 26, 151
classification scheme, for security management, 7, 112–114
“clean” fire extinguishers, 94, 301
client/server model, 70, 254–255
Clipper chip cryptography, 36, 173–175
cold sites, 272
columns, in access control, 13, 123–124, 132–133
common criteria (CC) for operations security, 60–61, 230, 232–233
common criteria terminology, in security
architecture and models, 49, 201
common object model (COM), 70, 253–254
common object request broker architecture (CORBA), 70, 253–254
communications, 229
Communications Assistance for Law
Enforcement (CALEA), 83, 279–280
Communications Security Establishment (CSE), 281
compartmented mode of operation, 219
compartmented mode workstation (CMW), 197
complete backup, 161
composition model for security architecture, 200–201
computer aided software engineering (CASE) tools, 251
computer crime categories, 83, 277–279
computer forensics, 291
Conditional Access Directive (CAD), 84, 282
confidential data classification, 113
in security architecture and models, 48, 199–200
configuration control, operations security, 60, 227–228
Configuration Control Board (CCB), 59, 222–223
configuration items (CIs), 59, 225, 227
configuration management
in applications and systems development, 65, 241
operations security and, 58–59, 61, 222, 225, 233
confinement property, 198
confusion, cryptography, 189
constrained data items (CDIs), 200
Construction Cost Model (COCOMO), 65, 241–242
Content Scrambling Systems (CSS), 281–282
context dependence/independence, in access control, 14, 125
contingency planning process, 76, 260–261
controls, security management, 6, 107
copyright management information (CMI), 84, 281–282
covert channels, 198
covert storage channels, 61, 231–232
crossovers, in evolutionary computing, 252
cryptanalysis, 44, 164, 193–194
advanced encryption standard (AES) and, 37, 178, 188
ANSI X9.52 standard in, 40, 185–186
application programming interfaces (APIs) for, 39, 183–184
asymmetric, 170
authentication headers (AHs) and, 42, 190
birthday attacks, 172
block ciphers and, 36–37, 41, 175–177, 189
data encryption standard (DES) and, 40, 185–186
digital certificates and, 35, 172–173
Digital Signature Analysis (DSA) and, 35, 171–172
digital signatures and, 37–38, 44, 180, 193
EIGamal public key in, 33, 165–168
electronic funds transfer and, 38, 180–181
encapsulating security payload (ESP) in, 42, 190
hash functions and, 34–35, 169–170, 172
Internet Security Protocols and, 37, 177–179
IPSec and, 42
iterated block ciphers in, 37, 176
key recovery methods in, 38, 181–182
law enforcement access field (LEAF) and, 36, 173–175
message digest (MD) algorithms in, 36, 173
modulo 26 substitution ciphers in, 40–41, 187
multipurpose Internet mail extension (MIME) and, 37–38, 180
National Computer Security Center (NCSC) and, 41–42, 189
National Security Agency (NSA) and, 36, 174–175
number field sieve (NFS) in, 40, 185
public key cryptography standards (PKCS) and, 39, 183
public keys in, 33, 42–43, 165–168, 192–193
quantum computing vs., 38–39, 182–183
secure hash algorithm (SHA) in, 171–172
symmetric key, 170
TEMPEST and, 175
transport layer security (TLS) and, 33, 168, 178–179
Vigenere cipher squares in, 42–43, 190–191
wired equivalent privacy (WEP) and, 41, 187
Wireless Application Protocol (WAP) and, 37, 177–179
wireless LANs (WLANs) and, 41, 187
wireless transport layer security (WTLS) and, 37, 177–179
cryptosystems, 164
cryptovariables, 164
crytopgraphic application programming interface (CAPI), 183–184
cut through switching, telecommunications and network security, 25, 148–149
D
damages awarded in litigation, 85, 285
data administration, 250
data classification scheme, 7, 112–114
data description languages (DDL), 125–126
data encryption standard (DES), 40, 176, 180, 185–186
data flow diagrams (DFDs), 239
data mart, 249
data remanence, 58, 215–216, 219–220
data scrubbing, 249
data type dictionary, 251
database management systems (DBMS), 71, 255
databases, access control, 14, 125–126
decision support system (DSS), 249
dedicated mode of operation, 218
Defense Information Technology Security Certification and Accreditation Process (DITSCAP), 205–206
Defense Security Directorate (DSD), 281
defuzzification, 249
deguassing, 220
delegation, in OOP, 246
demon dialing, 149
denial of service (DoS) attack, 25, 147
derived data, 250
destruction of data, 215–216, 220
DESX cryptography, 40, 185–186
diagraphs, 138
Diffie-Hellman cryptography, 176
diffusion, in cryptography, 41, 189
digital certificates, 35, 172–173
Digital Millennium Copyright Act (DMCA), 281–282
Digital Signature Analysis (DSA), 35, 171–172
digital signatures, 35, 37–38, 44, 170–172, 180, 193
direct memory access (DMA), 210
disaster recovery (see business continuity and disaster recovery) disasters defined for business continuity, disaster recovery, 77, 263–264
discovery process, in law, investigation, ethics, 88, 291
disk image backup, 88, 290–291
distance metric, in access control, 125
distance vector routing, 158
distributed architectures, 211
distributed COM (DCOM), 254
distributed data processing (DDP), 70, 255
document reviews, 107
DoD layered network model, 23–24, 143–144
domain experts, 248
domains, access control, 130
dry pipe sprinkler systems, 93, 299–300
DSA, 180
dual homed hosts, 26–27, 151–152
dynamic control protocol routing, 158
dynamic lifetime of objects, 239–240
dynamic state tables, 27, 152–153
E
Echelon, 280
EIGamal public key, 33, 165–168
electromagnetic interference (EMI), in physical security, 95, 305–306
Electronic Communications Privacy Act (ECPA), 83, 279–280
electronic data interchange (EDI), in law, investigation, ethics, 83, 279
electronic funds transfer, 38, 180–181
Electronic Signature Directive, 85, 284
electronic signatures, 85, 202–203, 284–285
Electronic Signatures in Global and National
Commerce Act (ESIGN), 85, 284–285
elliptic curves, in cryptography, 34, 169
emergency management plan development, 78, 266–267
encapsulating security payload (ESP), 42, 148, 190
encapsulation, in OOP, 239
enforced paths, in access control, 13, 121
enrollment, biometrics, 137
enrollment time metric, in access control, 125
Enterprise Access Management (EAM), 18, 136–137
Escrowed Encryption Standard (EES), 174–175
Ethernet 1000BaseCX, 157
Ethernet 1000BaseFX, 157
Ethernet 1000BaseLX, 157
Ethernet 1000BaseSX, 157
Ethernet 100BaseT networks, 24, 144–145
Ethernet networks
telecommunications and network security and, 28–29, 156–157, 159
ethics (see law, investigation, ethics)
European Union Electronic Signature Directive, 85, 284
evaluation assurance levels (EALs)
operations security and, 60–61, 230
in security architecture and models, 201
evidence gathering in computer crimes, 87, 288–289
evolutionary computing, 252
expert systems, 67–68, 247–248
extensible authentication protocol (EAP), 146
F
false acceptance, 137
false acceptance rate (FAR), 137
false rejection, 137
false rejection rate (FRR), 137
Federal Computer Incident Response Center (FedCIRC), 53, 212–213
Federal Intelligence Surveillance Act (FISA), 83, 279–280
Federal Rules of Evidence, in law, investigation, ethics, 87, 289
Feistel ciphers, 176
Feistel, Horst, 176
fetch times, in security architecture and models, 47, 195
fiber distributed data interface (FDDI), 154
field programmable gate array (FPGA), 206
file transfer protocol (FTP), 149, 158
financial decision making, in business
continuity, disaster recovery, 76, 261
financial management's role in business
continuity, disaster recovery, 77, 264
fingerprinting, 297
fire, classifications, 93, 299
fire extinguishers, 93–94, 96, 298–299, 301, 303, 308
fire protection (see also physical security), 93, 287–298, 310
fire retardants, 310
fire safety ratings, 97, 309–310
firmware, 206
fitness values, 252
flooding attack, 147
fluoroiodocarbons (FICs), 298
forensics, computer, 291
Forest Green Book, 57, 215–216
Fortezza cryptography, 175
forward chaining, 247
Fourth Amendment Rights, in law, investigation, ethics, 87–88, 289–290
frame check sequence (FCS), 156–157
Frame Relay, 156
frequency shift keying (FSK), 188
full backup, 161
full-duplex transmission, 207
full-scale exercise, in business continuity, disaster recovery, 259
functional drills, in business continuity, disaster recovery, 259
functionality, in security architecture and models, 201
G
General Communications Security Bureau (GCSB), 281
general packet radio services (GPRS), 19, 138
generalized security application programming interface (GSAPI), 255
generic security service API (GSS-API), 183
genetic algorithms, 69, 251–252
genomes, in evolutionary computing, 252
Global Positioning System (GPS), 149
global system for mobile (GSM), 19, 138–139
Government Communication Head Quarters (GCHQ), 280–281
Gramm-Leach-Bliley (GLB) Act, 51, 203, 209
Grey/Silver Book, 216
group rights
in security architecture and models, 49, 200–201
grouped processes, in access control, 13, 122–123
H
half-duplex transmission, 207
halocarbon agents for fire extinguishers, 93, 298–299
Halon, 308
handprinting, 297
Handshake Protocols, 168
hash functions, 34–35, 169–170, 172
Health Insurance Portability and Accountability Act, 49–51, 86, 202–203, 207–209, 286–287
Hearsay Rule, in law, investigation, ethics, 87, 289
honey pots, 150
hot sites, 272
human caused hazards, in business continuity, disaster recovery, 80, 273
hydrochlorfluorcarbons (HCFCs), 298
hydrofluorcarbons (HFCs), 298
hydrogen fluoride fire extinguishing agents, 94, 303
I
identity, of objects, 239
incident handling capabilities, 7, 60, 112, 229–230
incremental development, 66, 242
independent review of security controls (OMB Circular A-130), 8, 114
inert gas (IG) fire extinguishers, 298–299
inference engines, 68, 247–248
information flow model, 125, 200–201
information gathering, in security management, 5, 106–107
information policies, in security management, 4, 103
information systems security officer (ISO), 4, 102
Information Technology Security Evaluation Criteria (ITSEC), 49, 202
infrastructure WLAN, 159
inheritance, in OOP, 246
Inmon, Bill, 249
integrated project support environment (IPSE), 251
integrity, 109
in security architecture and models, 48, 199–200
integrity check (IC), 188
integrity property, 199
interface contracts, 253
interface definition language (IDL), 253
interior gateway protocols, 24, 145
International Standard for the Common Criteria, 59, 226
Internet Activities Board (IAB) ethics, 89, 292
Internet Assigned Numbers Authority (IANA), 23, 142–143
Internet Control Message Protocol (ICMP), 158
Internet Gateway Routing Protocol (IGRP), 145–146
Internet Message Access Protocol (IMAP), 151
Internet Security Protocols, and cryptography, 37, 177–179
interviews, onsite, 107
investigation (see law, investigation, ethics) investigation characteristics in computer crime, 87, 287–288
IP addressing, 23, 26, 28–30, 142–143, 151, 162
ISDN
access control and, 138
basic rate interface (BRI) in, 23, 143
primary rate interface (PRI) in, 143
isochronous data transmission, 146
isolation of scene, in business continuity, disaster recovery, 79, 271
issue-specific policies, in security management, 5, 7, 104–105, 110
iterated block ciphers, 37, 176
J
jackets, optical fiber, 162
Java Security Model (JSM), 47, 196
Java Virtual Machine (JVM), 196
jump instructions, 210
K
Kennedy-Kassebaum (see Health Insurance Portability and Accountability Act)
Kerberos, in access control, 15–17, 127–128, 131
key clustering, 165
key recovery methods, 38, 181–182
keyed message authentication code (MAC), 168, 170
keys, cryptographic, 33, 164–165
keyspace, 164
knowledge acquisition system, 248, 251
knowledge based system (KBS), 67, 246–247
knowledge engineers, 248
L
LAN backups, in business continuity, disaster recovery, 77, 265–266
LAN topologies, telecommunications and network security, 27, 154
land.c attack, 153
law enforcement access field (LEAF), and cryptography, 36, 173–175
law, investigation, ethics, 81–90, 277–295
Business Software Alliance (BSA) and, 294–295
categories of computer crimes and, 83, 277–279
Communications Assistance for Law Enforcement (CALEA) and, 83, 279–280
Conditional Access Directive (CAD) and, 84, 282
copyright management information (CMI) and, 84, 281–282
damages awarded in litigation and, 85, 285
discovery process and, 88, 291
disk image backup and, 88, 290–291
Electronic Communications Privacy Act (ECPA) and, 83, 279–280
electronic data interchange (EDI) and, 83, 279
Electronic Signatures in Global and National Commerce Act (ESIGN) and, 85, 284–285
European Union Electronic Signature Directive and, 85, 284
evidence gathering in, 87, 288–289
Federal Intelligence Surveillance Act (FISA) and, 83, 279–280
Federal Rules of Evidence and, 87, 289
Health Insurance Portability and Accountability Act and, 86, 286–287
Internet Activities Board (IAB) ethics and, 89, 292
investigation characteristics in computer crime and, 87, 287–288
Kennedy-Kassebaum (see Health Insurance Portability and Accountability Act)
password access and, 88–89, 291
Patriot Act and, 84, 87–88, 282–283, 289–290
Privacy Rule of HIPPA, 86–87, 287
protected health information (PHI) and, 86, 286–287
search and seizure rules and, 87–88, 289–290
software piracy and, 90, 294–295
surveillance of computer/networks in, 89, 293
trademarks, service marks, tradenames, copyright and, 90, 293–294
Uniform Computer Information Transactions Act (UCITA) and, 85, 283
World Intellectual Property Organization (WIPO) and, 84, 281–282
layer two forwarding protocol (L2FP), 148
layer two tunneling protocol (L2TP), 148
layered security architectures, 6, 107–108
least privilege concept, 57, 126, 216, 218
life cycle phases of security, 8, 114
linear feedback shift registers (LFSRs), 192
link state protocol (LSP), 158
link state routing, 158
Lisp, 246
locks, 309
log on process, in access control, 13, 122
logical ring topologies, 154
M
maintenance hooks, 309
malfeasance, 277
management reviews, 116
mandatory access control, 130–131
man-in-the-middle attack, 154
man-in-the-middle authentication, 134
MD5, 180
media access control (MAC) addresses, 23, 28–29, 141–142
media control, in operations security, 62, 234–235
meet-in-the-middle attacks, 172
memory, in security architecture and models, 52, 211–212
message authentication code (MAC), 168, 170
message digest (MD) algorithms, 36, 173, 180
message, in OOP, 245
methods, in OOP, 245
metropolitan area networks (MANs), 156
microprocessors, 277
modes of secure operation, 58, 218
modulo 26 substitution ciphers, 40–41, 187
monitoring, in security management, 6–7, 109
motion detection systems, 94, 302–303
multilevel mode of operation, 219
multilevel security systems (MLSs), 47–48, 197–198
multimode optical fiber, telecommunications and network security, 27, 155
multiple inheritance, in OOP, 246
multipurpose Internet mail extension (MIME), and cryptography, 37–38, 180
mutual aid agreements, 78, 266, 272
N
National Computer Security Center (NCSC), 41–42, 189
National Fire Protection Association (NFPA), 93, 297–298
National Information Assurance Certification and Accreditation Process (NIACAP), 50, 205–206
National Institute of Standards and Technology (NIST), 8, 115–116, 189
National Security Agency (NSA), and cryptography, 36, 174–175
natural disasters, in business continuity, disaster recovery, 76, 262
need-to-know concepts, 57, 217–218
NetStumbler, 149
network address translation (NAT), 143
Network Layer, in telecommunications and network security, 24, 144
network security (see telecommunications and network security)
NIST IT security principles, 8, 115–116
no read down property, 199
no read up property, 198
no write down property, 198
no write up property, 199
noncombustible materials, 310
nonflammable materials, 310
non-interference model for security architecture, 200–201
normalization of data, 249
notice, choice, access, security and enforcement
in security architecture, 50, 203–204
number field sieve (NFS), 40, 185
O
Object Management Group (OMG), 252
object-oriented databases, 17, 132–133
object-oriented languages, 67, 246
object-oriented programming, 67, 245–246
object-oriented systems, 239
object request architecture (ORA), 69, 252
object request broker (ORB), 69, 253
object reuse, in operations security, 62, 237
objects, 239
OMG Object Model, 253
one-time password authentication, 134
online analytical processing (OLAP), 249
onsite interviews, 107
Open Group, for access control, 17, 131–132
open shortest path first (OSPF), 145
open systems, 211
operational assurance, 61, 230–231
operations security, 55–62, 215–237
common criteria (CC) and, 60–61, 230, 232–233
compartmented mode of operation in, 219
configuration control and, 60, 227–228
Configuration Control Board (CCB) and, 59, 222–223
configuration items (CIs) in, 59, 225, 227
configuration management and, 58–59, 61, 222, 225, 233
covert storage channels and, 61, 231–232
data remanence and, 58, 219–220
dedicated mode of operation in, 218
evaluation assurance levels (EALs) in, 60–61, 230
Forest Green Book in, 57, 215–216
incident handling capabilities and, 60, 229–230
International Standard for the Common Criteria in, 59, 226
least privilege concept in, 57, 216
modes of operation in, 58, 218
multilevel mode of operation in, 219
need-to-know concepts in, 57, 217–218
operational assurance and, 61, 230–231
partitioned security mode in, 61–62, 233–234
protection profiles (PPs) and, 61, 232–233
Rainbow series of books and, 57, 215
separation of duties and, 62, 235
system-high mode of operation in, 218–219
Trusted Computer System Evaluation Criteria (TCSEC) and, 57–58, 217, 221–222
trusted computing base (TCB) in, 57, 60, 217, 228–229
trusted distribution controls and, 62, 235–236
trusted facility management in, 62, 236–237
trusted network interpretation (TNI) and, 57, 215
trusted recovery and, 58, 221–222
user account administration in, 59, 224–225
user accounts and, 60, 226–227
optical fiber, in telecommunications and
network security, 27–30, 155, 157, 162
orthogonal frequency division multiplexing (OFDM), 144
OSI layered reference model, 23–24, 141, 144
overhead, 207
overwriting data, 220
ownership, system vs. information, 7, 111–112
P
packages, in security architecture and models, 201
packet filtering firewalls, 153
packet switching networks, 28, 156
padded cells, 150
parallel test, in business continuity, disaster recovery, 259
parents, in evolutionary computing, 252
partitioned security mode, 61–62, 233–234
passwords
access control and, 18, 135–136
in law, investigation, ethics, 88–89, 291
in telecommunications and network security, 26, 149–150
Patriot Act, 84, 87–88, 282–283, 289–290
perflurocarbons (PFCs/FCs), 298
personal identification numbers (PINs), 134
personally identifiable information (PII), 204
phrenology, 297
physical access controls, 13–14, 124
physical security, 91–97, 297–310
access control for high security areas, 96, 309
carbon dioxide (CO2) agents and, 308
“clean” fire extinguishers and, 94, 301
dry pipe sprinkler systems in, 93, 299–300
electromagnetic interference (EMI) and, 95, 305–306
fire extinguishers and, 93–94, 96, 301, 303, 308
fire protection and, 93, 297–298
fire safety ratings and, 97, 309–310
halocarbon agents in, 93, 298–299
hydrogen fluoride fire extinguishing agents and, 94, 303
motion detection systems in, 94, 302–303
radio frequency interference (RFI) and, 95, 305–306
raised flooring and, 94–95, 303–304
smoke damage and, 95–96, 304–305, 307–308
social engineering and, 96, 307
sprinkler systems in, 94, 301–302
storage of records and materials and, 93–94, 300
toxicity of fire extinguisher agents and, 96, 308
two-factor authentication in, 94, 300–301
ping of death attacks, 147, 153
pipelining, 195
plaintext, 164
platform for privacy preferences (P3P), 51–52, 209–210
pleisiochronous data transmission, 146
point to point tunneling protocol (PPTP), 148
policy development cryptography and, 40, 184
security management and, 9, 118–119
polyalphabetic substitution ciphers, 190
post office protocol (POP), 151
preservation of organization's information, security management, 5, 105
pretty good privacy (PGP), 180
primary memory, 212
primary rate interface (PRI) in ISDN, 143
principles of security, NIST, 8, 115–116
priorities in business continuity, disaster recovery, 80, 274–275
priority queues, 251
privacy enhanced mail (PEM), 173
law, investigation, ethics and, 86, 285
in security architecture and models, 51, 209
Privacy Rule of HIPPA, 86–87, 287
private data classification, 113
procedural languages, 246
processors, 277
programmable logic devices (PLDs), 206
protected health information (PHI), 86, 208, 286–287
protection domains, 13, 122–123
protection profiles (PPs), 61, 201, 232–233
public data classification, 113–114
public key cryptography standards (PKCS), 39, 183
public keys, in cryptography, 33, 42–43, 165–168, 192–193
Pumps, in security architecture and models, 47, 197
Purple Book, 215
Q
quantum computing vs. cryptography, 38–39, 182–183
questionnaires, 106
R
radio frequency interference (RFI), and physical security, 95, 305–306
Rainbow series of books for operations security, 57, 215
raised flooring, and physical security, 94–95, 303–304
random access memory (RAM), 212
RC5, 175
RC6, 177
read only memory (ROM), in security architecture and models, 51, 206
real memory, 212
Record and Handshake Protocols, 168
Red Book, 215
reduced instruction set computer (RISC), 195
reference monitors, in access control, 17, 133–134
reinforcement learning, 251
rejection, false, 137
relational databases, in access control, 14, 17, 126, 132–133
relations, in access control, 132–133
remote sensing technology, 75, 258
restricted shell, for access control, 14–15, 126–127
resuming normal operations, in business continuity, disaster recovery, 79, 270
reverse address resolution protocol (RARP), 158
reviews, management, 116
risk analysis, 5
role-based access control, 16, 130, 197
rotation of duties, 218
routing information protocol (RIP), 145, 158
routing tables, in telecommunications and network security, 28, 158
rows and columns, in access control, 13, 123–124
RSA, 180
rule-based access control, 130
S
S box cryptography, 189
sabotage, 278
salami fraud, 307
scalar processors, 195
scanning tools, automated, in information gathering, 107
screened host firewalls, 151–152
screened subnet firewalls, 151–152
search and seizure rules, in law, investigation, ethics, 87–88, 289–290
secondary logic, 212
secret key cryptography, 33, 165
Secure European System for Applications in Multivendor Environment (SESAME), 15, 128–129
secure hash algorithm (SHA), 171–172
secure sockets layer (SSL), 29, 160–161, 168
Secure/Multipurpose Internet Mail Extension (S/MIME), 160–161
security architecture and models, 45–53, 195–213
ANSI ASC X12 standard in, 51, 207–209
associative memory and, 52, 210
Bell-LaPadula model for, 47–48, 197–199
central processing unit (CPU) and, 52, 210
CIAP and, 206
Clark-Wilson Integrity Model for, 48, 200
common criteria terminology and, 49, 201
composition model for, 200–201
confidentiality and, 48, 199–200
Defense Information Technology Security Certification and Accreditation Process (DITSCAP) in, 205–206
evaluation assurance levels (EALs) and, 201
Federal Computer Incident Response Center (FedCIRC) and, 53, 212–213
Gramm-Leach-Bliley (GLB) Act and, 51, 203, 209
Health Insurance Portability and Accountability Act and, 49–51, 202–203, 207–209
information flow model for, 200–201
Information Technology Security Evaluation Criteria (ITSEC) and, 49, 202
Java Security Model (JSM) and, 47, 196
multilevel security systems (MLSs) and, 47–48, 197–198
National Information Assurance Certification and Accreditation Process (NIACAP) in, 50, 205–206
non-interference model for, 200–201
notice, choice, access, security and enforcement in, 50, 203–204
platform for privacy preferences (P3P) in, 51–52, 209–210
read only memory (ROM) and, 51, 206
reduced instruction set computer (RISC) and, 195
separation of duty and, 50, 204–205
serial data transmission and, 51, 206–207
site accreditation in, 205
strong tranquillity property in (Bell-LaPadula model), 48, 198–199
Trusted Computer System Evaluation Criteria (TCSEC) and, 49, 202
trusted computing base (TCB) and, 49, 201
type accreditation in, 50, 205
World Wide Web Consortium (W3C) and, 51–52, 209–210
Security Association (SA), 148
Security Association Database (SAD), 148
security awareness, training, education, 4–5, 7, 102–103, 106, 111
security kernels, 133
annualized loss expectancy (ALE) in, 3, 100–101
confidentiality protection and, 6, 108–109
data classification scheme for, 7, 112–114
incident handling capabilities and, 7, 112
independent review of controls in (OMB Circular A-130), 8, 114
information gathering for, 5, 106–107
information policies and, 4, 103
information systems security officer (ISO) in, 4, 102
issue-specific policies and, 5, 7, 104–105, 110
layered security architectures and, 6, 107–108
life cycle phases of security in, 8, 114
NIST IT security principles in, 8, 115–116
ownerships, system vs. information, 7, 111–112
policy development in, 9, 118–119
preservation of organization's information and, 5, 105
risk analysis and, 5
security awareness, training, education, 4–5, 7, 102–103, 106, 111
self-testing techniques for, 9, 118
single loss expectancy (SLE) in, 3, 100
system-specific policies and, 7, 110
unfriendly terminations and, 5, 103–104
user account management and, 8, 116
visibility of IT security policy in, 9, 117–118
Security Support Provider Interface (SSPI), 129
security target (ST), 201
self-testing techniques, in security management, 9, 118
senior management's role in business continuity, disaster recovery, 76, 261–262
sensitive data classification, 113
separation of duties, 126, 218, 254
operations security and, 62, 235
in security architecture and models, 50, 204–205
sequence number attack, 153
serial data transmission, 51, 206–207
Session Layer protocols, in telecommunications and network security, 23, 141
SHA-1, 180
shell, restricted, 14–15, 126–127
short-term objectives in business continuity, disaster recovery, 79, 270–271
simple integrity property, 199
simple mail transfer protocol (SMTP), 151
Simple Security Property, in access control, 16, 130–131
simple security property/ss property, 198
simplex data transmission, 207
simulation test, in business continuity, disaster recovery, 259
single loss expectancy (SLE), 3, 100
single sign on (SSO) interfaces, 17, 131–132, 136–137
singlemode optical fiber, in telecommunications and network security, 27, 155
site accreditation, in security architecture and models, 205
Skipjack algorithm, 175
smoke damage, 95–96, 304–305, 307–308
SMURF attack, 147
Snort, 154
social engineering, in physical security, 96, 307
SOCKS protocol, in telecommunications and network security, 25, 149
software capability evaluation, 66–67, 245
software engineering, 65, 239–240
Software Engineering Institute (SEI), 212–213
software process assessment, 66–67, 245
software process capability, 243
software process maturity, 244
software process performance, 244
software processes, 243
spanning tree protocol, in telecommunications and network security, 23, 141–142
spiral model, in applications and systems development, 66, 243
sprinkler systems, 94, 301–302
SQL, in access control, 16, 129–130
standards for security management, 4, 101–102
Star Property, in access control, 16, 130–131
star topologies, 154
start bits, 207
stateful inspection firewalls, 153
static random access memory (SRAM), 206
static routing, 158
statistical information, in access control, 16, 129
statistical modeling, 249
stop bits, 207
storage of records and materials, 93–94, 300
store and forward switching, in telecommunications and network security, 25, 148–149
stream cipher cryptography, 42, 192
strong tranquillity property (Bell-LaPadula model), 48, 198–199
structured analysis/structured design (SA/SD), 239
structured walk through test, in business continuity, disaster recovery, 259
subclasses, in applications and systems development, 67, 246
subnet masks, in telecommunications and network security, 30, 162
substitution ciphers, 40–41, 187, 189
superscalar processors, 195
surveillance of computer/networks, 89, 293
switched multimegabit data service (SMDS), 156
symmetric key encryption, 170
SYN attack, 153
synchronicity of transmissions, 24, 146
synchronous data transmission, 146, 207
system-high mode of operation, 218–219
system-specific policies, in security management, 7, 110
T
table top exercises, in business continuity, disaster recovery, 259
TCP SYN attack, 147
telecommunications and network security, 21–30, 141–163
backup methods in, 29, 161–162
basic rate interface (BRI) in ISDN and, 23, 143
cut through switching and, 25, 148–149
denial of service (DoS) attack and, 25, 147
disk mirroring and, 25, 146–147
DoD layered network model in, 23–24, 143–144
dual homed hosts and, 26–27, 152
dynamic state tables and, 27, 152–153
Ethernet 100BaseT networks in, 24, 144–145
Ethernet networks and, 28–29, 156–157, 159
interior gateway protocols in, 24, 145
Internet Assigned Numbers Authority (IANA), 23, 142–143
IP addressing and, 23, 26, 28–30, 142–143, 151, 162
media access control (MAC) addresses and, 23, 28–29, 141–142
multimode vs. singlemode optical fiber and, 27, 155
network address translation (NAT), 143
optical fiber networks and, 28–30, 157, 162
OSI layered reference model in, 23–24, 141, 144
packet switching networks and, 28, 156
secure sockets layer (SSL) in, 29, 160–161
Session Layer protocols and, 23, 141
spanning tree protocol and, 23, 141–142
spoofing attacks and, 27, 153–154
store and forward switching and, 25, 148–149
synchronicity of transmissions in, 24, 146
Transport Layer in, 23–24, 143–144
unshielded twisted pair (UTP) and, 24, 144–145, 155
virtual LANs (VLANs) and, 28, 155–156
wide area networks (WANs) and, 28, 156
Windows NT and passwords in, 26, 149–150
wireless connectivity and, 24, 144
wireless LANs (WLANs) and, 29, 159–160
TELNET, 149
TEMPEST cryptography, 175
termination of employees, security management, 5, 103–104
testing business continuity, disaster recovery, 75–77, 259, 263
theft, 278
ThickNet, 159
ThinNet, 159
timestamps, access control, 127
TLS Record and Handshake Protocols, 168
Token Ring, 154
ToneLoc, 149
topologies, telecommunications and network security, 27, 154
toxicity of fire extinguisher agents, 96, 308
traffic analysis, 280
training operations security and, 229
security management and, 4–5, 7, 102–103, 106, 111
transactions and code sets, 202–203
transformation procedures (TPs), 200
transmission control protocol (TCP) access control and, 138
telecommunications and network security and, 27, 143, 153
Transport Layer, in network security, 23–24, 143–144
Transport Layer Security (TLS), 33, 168, 178–179
transposition, in cryptography, 189
trap-and-trace device, 280
trigraphs, 138
triples, access control, 122, 200
trivial file transfer protocol (TFTP), 158
Trojan Horses, 309
Trusted Computer System Evaluation Criteria (TCSEC) operations security and, 57–58, 217, 221–222
in security architecture and models, 49, 202
trusted computing base (TCB), 121
operations security and, 57, 60, 217, 228–229
in security architecture and models, 49, 201
trusted distribution controls, 62, 235–236
trusted facility management, 62, 201, 236–237
trusted network interpretation (TNI), 57, 215
trusted paths, 121
trusted subjects, 198
tunneling, 148
tuples, access control, 132–133
turnaround time, 207
Twinax, 159
two-factor authentication, 94, 300–301
type accreditation, in security architecture and models, 50, 205
U
unauthorized/illegal activities, detection, 116
unfriendly terminations, security management, 5, 103–104
Uniform Computer Information Transactions Act (UCITA), 85, 283
unique health identifiers, 202–203
unshielded twisted pair (UTP), 24, 144–145, 155, 159
user account administration/management
operations security and, 59–60, 224–227
security management and, 8, 116
user datagram protocol (UDP)
access control and, 138
telecommunications and network security and, 143
V
validation, 240
vectors, 195
verification, in applications and systems development, 65, 240
very long instruction word (VLIW), 195
view relations, access control, 14, 126
Vigenere cipher squares cryptography, 42–43, 190–191
virtual LANs (VLANs), 28, 155–156
virtual memory, 212
virtual private networks (VPNs), 19, 121, 138
visibility of IT security policy, 9, 117–118
volatile memory, 206
von Neumann architectures, 246
vulnerability assessments, in business continuity, disaster recovery, 78, 268–269
W
walk through drill, in business continuity, disaster recovery, 259
WAP Forum, 179
WAP Identity Module (WIM), 179
war walking/war driving, 149
water purification, 79, 269–270
waterfall model, in applications and systems development, 66, 242
weak tranquillity property (Bell-LaPadula model), 199
well-formed transactions, 200
wide area networks (WANs), 28, 156
Windows 2000, access control, 16–17, 128–129
Windows NT and passwords, 26, 149–150
wired equivalent privacy (WEP), 41, 187
wireless application protocol (WAP), 187
access control and, 138
wireless connectivity, telecommunications and network security, 24, 144
wireless LANs (WLANs) cryptography and, 41, 187
telecommunications and network security and, 29, 159–160
wireless personal area networks (WPAN), 144
wireless transaction protocol (WTP), access control, 138
wireless transport layer security (WTLS), 37, 177–179
WMLScript Crypto Library, 179
World Intellectual Property Organization (WIPO), 84, 281–282
World Wide Web Consortium (W3C), security architecture and models, 51–52, 209–210
X
X.25, 156
X12 standard in security architecture and models, 51, 207–209