Index

A note on the digital index

A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.

Symbols

3-D Secure protocol
account holder domain, 3-D Secure transactions
acquirer domain, 3-D Secure transactions
e-commerce security and, 3-D SecureEvaluation of 3-D Secure
evaluation of, Evaluation of 3-D Secure
issuer domain, 3-D Secure transactions
transaction process, 3-D Secure transactions
802.11b standard, How it happened, How it happened
802.11i standard, How it happened

A

ABA (American Bar Association), The Digital Signature Guidelines
Access Control Server (ACS), 3-D Secure transactions
accountability, Logs in Security Laws and Standards, Logs in Security Laws and Standards
ACS (Access Control Server), 3-D Secure transactions
ActionScript, Malvertisements
ad banners (see banner ads)
Adams, Douglas, Social Networking: When People Start Communicating, Big Things Change
Advanced Monitor System (AMS), Applying artificial intelligence, Security-specific virtualization
advertising (see online advertising)
adware (see spyware)
Aegenis Group, The Payoff
Agriculture, Department of, Software Vendors Give Us What We Want but Not What We Need
AHS (Authentication History Server), 3-D Secure transactions
AI (artificial intelligence), Applying artificial intelligence, Better Practices for Desktop Security
AllowScriptAccess tag, Malvertisements
Amazon Web Services platform, Clouds and Web Services to the Rescue
Amazon.com, Inflating CPA costs
American Bar Association (ABA), The Digital Signature Guidelines
AMS (Advanced Monitor System), Applying artificial intelligence, Security-specific virtualization
analyst confirmation traps, The Analyst Confirmation Trap
Anderson, Chris, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
Andreessen, Marc, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All, Democratization of Tools for Production
Anna Carroll (barge), Security’s Return on Investment
anti-executables, The whitelist alternative, The whitelist alternative, Host-based Intrusion Prevention Systems
anti-spyware software
evolution of, A Mob Response
initial implementation, A Mob Response
intrusive performance, Host-based Intrusion Prevention Systems
strict scrutiny, Strict Scrutiny: Traditional and Updated Anti-Virus Scanning
anti-virus software
diminished effectiveness, On the Conveyor Belt of the Internet
functional fixation, Vulnerability in Place of Security
functionality, Improving Perspective with Host Logging
historical review, On the Conveyor Belt of the InternetOn the Conveyor Belt of the Internet
honeyclients and, Analysis of Exploits
intrusive performance, Host-based Intrusion Prevention Systems
malware signature recognition, A Mob Response
need for new strategies, Casting Spells: PC Security Theater
strict scrutiny, Strict Scrutiny: Traditional and Updated Anti-Virus Scanning
zero-day exploits and, The evolution of the blacklist method
Apgar score, Reasonable Metrics
Apgar, Virginia, Reasonable Metrics
Apple Computer, Password and Authentication Security Could Have Been Better from the Start
artificial intelligence (AI), Applying artificial intelligence, Better Practices for Desktop Security
Ascom-Tech AG, Patent and Export Problems
Ashenfelter, Orley, Information Security Economics: Supercrunching and the New Rules of the Grid, Information Security Economics: Supercrunching and the New Rules of the Grid
Aspect Security, Developer training
Atkins, Derek, From PGP 3 to OpenPGP
ATMs, early security flaws, Data Transparency
attacks (see malicious attacks)
attribute certificates, Cumulative Trust
Attrition.org, Global metrics, Global metrics
authentication
3-D Secure protocol, 3-D Secure transactions
auto-update and, Vulnerability in Place of Security
CV2 security code, Weak Amelioration Attempts
e-commerce security, Requirement 1: The Consumer Must Be Authenticated, Requirement 2: The Merchant Must Be Authenticated, Requirement 4: Authentication Data Should Not Be Shared Outside of Authenticator and Authenticated
federated programs, Success Driven from the Top, Carried Out Through Collaboration
NTLM, A Real-Life Example: How Microsoft Enabled L0phtCrack
password security, Password and Authentication Security Could Have Been Better from the Start
PGP Global Directory and, The PGP Global Directory
portability of, Requirement 6: Authentication Should Be Portable (Not Tied to Hardware or Protocols)
security pitfall in, Separate Permission from Information
SET protocol, Secure Electronic Transaction
WEP support, How it happened
Authentication History Server (AHS), 3-D Secure transactions
authoritative keys, Authoritative keys
authorization
3-D Secure protocol, 3-D Secure transactions
e-commerce security, Requirement 3: The Transaction Must Be Authorized
security pitfall in, Separate Permission from Information
Ayres, Ian, Information Security Economics: Supercrunching and the New Rules of the Grid
Azure cloud operating system, Builders Versus Breakers

B

B.J.’s Wholesale Club, The players
backend control systems, Sunk Costs Versus Future Profits: An Energy ExampleSunk Costs Versus Future Profits: An Energy Example
backward compatibility
LANMAN password encoding, A Real-Life Example: How Microsoft Enabled L0phtCrack
learned helplessness and, Learned Helplessness and Naïveté
legacy systems, Password and Authentication Security Could Have Been Better from the Start
PGP issues, Patent and Export Problems
balance in information security, BalanceSecurity’s Return on Investment
banking industry (see financial institutions)
banking trojans, Analysis of Exploits, On the Conveyor Belt of the Internet
banner ads
exploit-laden, Exploit-Laden Banner AdsExploit-Laden Banner Ads, Limitations of the Current Honeyclient Implementation
honeyclients and, Limitations of the Current Honeyclient Implementation
banner farms, False Impressions, False Impressions
Barings Bank security breach, Barings Bank: Insider BreachBarings: Some security metrics
Barnes & Noble, The players
Bass-O-Matic cipher, Early PGP
behavioral analytics, Applying artificial intelligence
Bell Labs
background, Security by Design, Metrics with No Meaning
software development lifecycle, Time to Market or Time to Quality?Time to Market or Time to Quality?
Bellis, Ed, Beautiful Trade: Rethinking E-Commerce SecurityThe New Model
Bernstein, Peter, Beautiful Security Metrics
Bidzos, Jim, Patent and Export Problems, Patent and Export Problems
Biham, Eli, Early PGP
biometrics, Reasonable MetricsReasonable Metrics
BITS Common Criteria for Software, Enforcing Security in Off-the-Shelf Software
Black Hat Conference, Social Networking for the Security Industry
blacklisting, The evolution of the blacklist method, Applying artificial intelligence
Blaster virus, On the Conveyor Belt of the Internet
blogging, Democratization of Tools for Production
BoA Factory site, The Underground Communication Infrastructure
Bork, Robert, How Data Translucency Works
Boston Market, The players
botnets
army building software, The Payoff
attack infrastructure, The Attack Infrastructure
challenges in detecting, Correlating with Watch Lists
client-side vulnerability, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
CPC advertising, Gaming CPC advertising, Gaming CPC advertising
cyber underground and, The Makeup and Infrastructure of the Cyber Underground
functionality, The Makeup and Infrastructure of the Cyber Underground, Malware, Correlating with Watch Lists
peer-to-peer structure, The Attack Infrastructure
BPM (Business Process Management)
levels of effective programs, BPM As a Guide to Multisite Security
multisite security, BPM As a Guide to Multisite SecurityBPM As a Guide to Multisite Security
potential for, Connecting People, Process, and Technology: The Potential for Business Process ManagementBPM As a Guide to Multisite Security
supply chain composition and, Diffuse Security in a Diffuse World
BPMI (Business Process Management Initiative), BPM As a Guide to Multisite Security
breaches (see security breaches)
bridge CAs, Cumulative Trust
Briggs, Matt, Storing and Correlating Honeyclient Data
brute-force attacks, Wireless Gone Wild, A Mob Response
buffer overflows
security vulnerability, Vulnerability in Place of Security, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
SQL Slammer worm, Incident Detection: Finding the Other 68%
Business Process Management (see BPM)
Business Process Management Initiative (BPMI), BPM As a Guide to Multisite Security
business rules engines, BPM As a Guide to Multisite Security

C

California AB 1950, How Geeks Need Lawyers
California SB 1386
balance in information security, The California Data Privacy LawThe California Data Privacy Law
on data sharing, Data Transparency, Reasonable Metrics
on reporting breaches, Global metrics
passage of, How Geeks Need Lawyers
call options, How it happened
Callas, Jon, The Evolution of PGP’s Web of TrustReferences
Capture-HPC honeyclient, Second-Generation Honeyclients, Related Work
CardSystems security breach, Doing the Right Thing
Carnegie Mellon CMMI process, How One Firm Came to Demand Secure Software
Carr, Nicholas, BPM As a Guide to Multisite Security
Carter Doctrine, Culture
CAs (see certificate authorities)
cashiers (cyber underground)
defined, The Makeup and Infrastructure of the Cyber Underground
drop accounts, The Money-Laundering Game
CDC (Centers for Disease Control and Prevention), Data Transparency
Center for Internet Security (CIS), Barings: “What if...”
Center for Strategic and International Studies (CSIS), Culture
Centers for Disease Control and Prevention (CDC), Data Transparency
certificate authorities, Cumulative Trust
(see also introducers in PGP)
certification support, Cumulative Trust
DSG support, The Digital Signature Guidelines
establishing trust relationships, Adapting a Proven Solution
hierarchical trust, Hierarchical Trust
SET requirements, Secure Electronic Transaction
certificates, Hierarchical Trust
(see also specific types of certificates)
defined, Cumulative Trust
revoking, RevocationReasons for revocation
self-signed, Direct Trust, Hierarchical Trust
verifying, Hierarchical Trust
Web of Trust support, The Basic PGP Web of Trust
certification
defined, Cumulative Trust
OpenPGP colloquialism for, Cumulative Trust
OpenPGP support, Cumulative Trust
CFAA (Computer Fraud and Abuse Act), How Geeks Need Lawyers
Charney, Scott, Culture
Chuvakin, Anton, Beautiful Log HandlingConclusions, A Common Starting Point
Cigital, Security by Design, Developer training
Citi, Single-Use and Multiple-Use Virtual Cards
CLASP methodology, Setting up formal quality processes for security, Developer training
click fraud
botnet support, The Attack Infrastructure, Gaming CPC advertising
CPA advertising, Inflating CPA costs
federal litigation, Inflating CPA costs
client-side vulnerabilities, Enter Honeyclients
(see also honeyclients)
background, Open Source Honeyclient: Proactive Detection of Client-Side ExploitsOpen Source Honeyclient: Proactive Detection of Client-Side Exploits
malware exploitation, Vulnerability in Place of Security, Open Source Honeyclient: Proactive Detection of Client-Side Exploits, Analysis of ExploitsAnalysis of Exploits
naïveté about, Naïveté As the Client Counterpart to Learned HelplessnessNaïveté As the Client Counterpart to Learned Helplessness
Clinton, Bill, Sunk Costs Versus Future Profits: An ISP Example
cloud computing
applying security to, Clouds and Web Services to the Rescue
builders versus breakers, Builders Versus Breakers
defined, Cloud Computing and Web Services: The Single Machine Is Here
identity management services, A New Dawn
CNCI (Comprehensive National Cybersecurity Initiative), Culture
CNN network, Sunk Costs Versus Future Profits: An ISP Example
COBIT regulation, Logs in Security Laws and Standards
Code Red virus, On the Conveyor Belt of the Internet
Commerce, Department of, How a Disciplined System Development Lifecycle Can Help
commercial software (see software acquisition)
Commission Junction affiliate network, Inflating CPA costs
Commission on Cyber Security for the 44th Presidency, Culture
Common Vulnerabilities and Exposures (CVE) database, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
communication
cyber underground infrastructure, The Underground Communication Infrastructure, The Attack Infrastructure
information security and, CommunicationA Data Breach Tiger Team
Comprehensive National Cybersecurity Initiative (CNCI), Culture
Computer Fraud and Abuse Act (CFAA), How Geeks Need Lawyers
confidentiality of data, Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
confirmation traps
defined, An Introduction to the Concept
intelligence analysts, The Analyst Confirmation Trap
overview, Confirmation TrapsAn Introduction to the Concept
rationalizing capabilities, Rationalizing Away Capabilities
stale threat modeling, Stale Threat Modeling
contagion worm exploit, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
cookies, stuffed, Inflating CPA costs
cost per action (see CPA advertising)
cost per click (see CPC advertising)
Cost Per Thousand Impressions (see CPM advertising)
COTS (see software acquisition)
coverage metrics, Barings: Some security metrics
CPA advertising
functionality, Escaping Fraud-Prone CPM Advertising
inflating costs, Inflating CPA costsInflating CPA costs
stuffed cookies, Inflating CPA costs
CPC advertising
click-fraud detection services, Gaming CPC advertising
functionality, Escaping Fraud-Prone CPM AdvertisingGaming CPC advertising
syndication partnerships, Gaming CPC advertising, Gaming CPC advertising
CPM advertising
basis of, False Impressions
fraud-prone, Escaping Fraud-Prone CPM AdvertisingInflating CPA costs
credit card information
as shared secret, Analyzing the Security ContextWeak Amelioration Attempts, Requirement 5: The Process Must Not Rely Solely on Shared Secrets
card associations and, Card association
checking site authenticity, Establishing Wireless Trust
consumers and, Consumer, Requirement 1: The Consumer Must Be Authenticated
current market value, The Payoff
CV2 security code, Weak Amelioration Attempts
cyber underground and, The Makeup and Infrastructure of the Cyber Underground
devaluing data, Devalue Data
e-commerce security, Beautiful Trade: Rethinking E-Commerce SecurityAnalyzing the Security Context
financial institutions, Acquiring and issuing banks
identity theft, Easy MoneyA Cornucopia of Personal Data
merchants and service providers, Merchant and service provider, Requirement 2: The Merchant Must Be Authenticated
PCI protection, Barings: “What if...”
proposed payment model, The New Model
spyware stealing, Malware
SQL injection attacks, Exploiting website vulnerabilities
TJX security breach, How it happened
virtual cards, Single-Use and Multiple-Use Virtual Cards
cross-certification, Cumulative Trust
cross-site scripting, When the security process really took hold
crowdsourcing, Security in Numbers
Crypto Wars, The Crypto Wars
CSIS (Center for Strategic and International Studies), Culture
culture, organizational, CultureCulture
cumulative trust, Cumulative Trust
Curphey, Margaret, Acknowledgments
Curphey, Mark, Tomorrow’s Security Cogs and LeversAcknowledgments
CV2 security code, Weak Amelioration Attempts
CVE (Common Vulnerabilities and Exposures) database, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
cyber underground
attack infrastructure, The Attack Infrastructure
attack methods, Attack VectorsPhishing, facilitated by social-engineering spam
cashiers, The Makeup and Infrastructure of the Cyber Underground
combating, How Can We Combat This Growing Underground Economy?Establish a Social Metric and Reputation System for Data Responsibility
communication infrastructure, The Underground Communication Infrastructure
CSI-FBI Study, The Underground Economy of Security Breaches
data exchange example, The Data Exchange
fraudsters and attack launchers, The Makeup and Infrastructure of the Cyber Underground
goals of attacks, The Underground Economy of Security Breaches, Incident Detection: Finding the Other 68%, Correlating with Watch Lists
information dealers, The Makeup and Infrastructure of the Cyber Underground
information sources, Information Sources
makeup and infrastructure, The Makeup and Infrastructure of the Cyber UndergroundThe Attack Infrastructure
malware producers, The Makeup and Infrastructure of the Cyber Underground
money laundering and, The Money-Laundering Game
payoffs, The PayoffThe Money-Laundering Game
resource dealers, The Makeup and Infrastructure of the Cyber Underground
Cydoor ad network, Exploit-Laden Banner Ads

D

Danford, Robert, Related Work
Data Encryption Standard (DES), A Real-Life Example: How Microsoft Enabled L0phtCrack
data integrity, Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
Data Loss Database (DataLossDB), Data Transparency, Global metricsGlobal metrics
data responsibility
incentive/reward structure, Institute an Incentive/Reward Structure
social metric for, Establish a Social Metric and Reputation System for Data Responsibility
data theft
as cottage industry, The Payoff
botnet support, The Attack Infrastructure
combating, Devalue Data
from merchant stores, Information Sources
incident detection considerations, Building a Resilient Detection Model
spyware and, Malware
data translucency
additional suggestions, Going Deeper
advantages, Trade-offs
disadvantages, Trade-offs
overview, Doing Real Work Without Real DataHow Data Translucency Works
personal data and, Personal Data Stored As a Convenience
real-life example, A Real-Life Example
data-sharing mechanisms
DHS support, Data Transparency
security flaws in, Data Transparency
databases
data translucency in, Doing Real Work Without Real DataGoing Deeper
logging support, A Proliferation of Sources
security breaches and, Doing Real Work Without Real Data
Dave & Buster’s, The players
Davies, Donald, Tomorrow’s Security Cogs and Levers
DCS systems, Sunk Costs Versus Future Profits: An Energy Example
DDoS (distributed denial of service)
attacks on major ISPs, Sunk Costs Versus Future Profits: An ISP Example
botnet support, The Attack Infrastructure, The Attack Infrastructure, Correlating with Watch Lists
client-side vulnerability, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
honeyclients and, Second-Generation Honeyclients
LANs and, Wireless Gone Wild
deceptive advertisements, Deceptive AdvertisementsDeceptive Advertisements
Defense, Department of, Logs in Security Laws and Standards
Dell computers, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
Deloitte & Touche, LLP, Culture
denial of service (see DDoS)
Department of Agriculture, Software Vendors Give Us What We Want but Not What We Need
Department of Commerce, How a Disciplined System Development Lifecycle Can Help
Department of Defense, Logs in Security Laws and Standards
Department of Homeland Security, Data Transparency
deperimeterization, Diffuse Security in a Diffuse World
DES (Data Encryption Standard), A Real-Life Example: How Microsoft Enabled L0phtCrack
designated revokers, Designated revokers
DHCP lease logs, Building a Resilient Detection Model
DHS (Department of Homeland Security), Data Transparency
Diffie, Whitfield, Cumulative Trust, Cumulative Trust
digital certificates (see certificates)
Digital Point Systems, Inflating CPA costs
Digital Signature Guidelines (DSG), The Digital Signature GuidelinesThe Digital Signature Guidelines
direct trust
defined, Direct Trust
root certificates, Hierarchical Trust
directionality, A Common Starting Point
distributed denial of service (see DDoS)
distribution channels, Democratization of Channels for Distribution
DKIM email-authentication, Authoritative keys
Dobbertin, Hans, From PGP 3 to OpenPGP
doing the right thing in information security, Doing the Right ThingDoing the Right Thing
drop accounts, The Money-Laundering Game
Drucker, Peter, Information Security Economics: Supercrunching and the New Rules of the Grid
DSG (Digital Signature Guidelines), The Digital Signature GuidelinesThe Digital Signature Guidelines
DSW Shoe Warehouse, The players
Dublin City University, Related Work
Dunphy, Brian, Incident Detection: Finding the Other 68%Summary
Durick, J.D., Second-Generation Honeyclients
dynamic testing, Fixing the Problems

E

e-commerce security
3-D Secure protocol, 3-D SecureEvaluation of 3-D Secure
analyzing current practices, Deconstructing CommerceAnalyzing the Security Context
authorizing transactions, Requirement 3: The Transaction Must Be Authorized
broken incentives, Broken IncentivesHe who controls the spice
confidentiality of data, Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
consumer authentication, Requirement 1: The Consumer Must Be Authenticated
data integrity, Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
exploiting website vulnerabilities, Exploiting website vulnerabilities
friendly fraud and, Requirement 3: The Transaction Must Be Authorized
merchant authentication, Requirement 2: The Merchant Must Be Authenticated
new security model, E-Commerce Redone: A New Security ModelThe New Model
not sharing authentication data, Requirement 4: Authentication Data Should Not Be Shared Outside of Authenticator and Authenticated
portability of authentication, Requirement 6: Authentication Should Be Portable (Not Tied to Hardware or Protocols)
primary challenges, Beautiful Trade: Rethinking E-Commerce Security
proposed payment model, The New Model
SET protocol, Secure Electronic Transaction
shared secrets and, Analyzing the Security ContextWeak Amelioration Attempts, Requirement 5: The Process Must Not Rely Solely on Shared Secrets
virtual cards, Single-Use and Multiple-Use Virtual Cards
EAP (Extensible Authentication Protocol), How it happened
Earned Value Management (EVM), Metrics with No Meaning
eBay
CPA advertising, Inflating CPA costs, Inflating CPA costs
DDoS attacks on, Sunk Costs Versus Future Profits: An ISP Example
principle of reliability, Social Networking for the Security Industry
ECPA (Electronic Communications Privacy Act), How Geeks Need Lawyers
Edelman, Benjamin, Securing Online Advertising: Rustlers and Sheriffs in the New Wild WestCreating Accountability in Online Advertising, A Data Breach Tiger Team, Rewards for Misbehavior
Edwards, Betsy, How a Disciplined System Development Lifecycle Can Help
Einstein, Albert, Tomorrow’s Security Cogs and Levers
Electronic Communications Privacy Act (ECPA), How Geeks Need Lawyers
email
log handling, A Proliferation of Sources
malware exploits, On the Conveyor Belt of the Internet
EMBED tag, Malvertisements
encryption
LAN Manager sequence, A Real-Life Example: How Microsoft Enabled L0phtCrack
PGP support, The Evolution of PGP’s Web of Trust, PGP and Crypto HistoryFrom PGP 3 to OpenPGP
security certificates and, Easy Money, A Cornucopia of Personal Data
SET support, Secure Electronic Transaction
Encyclopædia Britannica, Deceptive AdvertisementsDeceptive Advertisements
event logs (see logs)
EVM (Earned Value Management), Metrics with No Meaning
executables, malware exploits and, Limitations of the Current Honeyclient Implementation
exportable signatures, Exportable signatures
extended introducers, Extended introducers
Extensible Authentication Protocol (EAP), How it happened

F

Facebook social network, The State of the Art and the Potential in Social Networking, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All, Democratization of Tools for Production
failing closed, Naïveté As the Client Counterpart to Learned Helplessness
failing open, Naïveté As the Client Counterpart to Learned Helplessness
false negatives, Building a Resilient Detection Model
false positives, Challenges with Logs, Building a Resilient Detection Model
Federal Sentencing Guidelines, How Geeks Need Lawyers
Federal Trade Commission (see FTC)
financial institutions
banking trojans, Analysis of Exploits, On the Conveyor Belt of the Internet
credit card information, Acquiring and issuing banks
cyber attacks on, Information Sources
drop accounts, The Money-Laundering Game
exploiting website vulnerabilities, Exploiting website vulnerabilities, Choosing a focus and winning over management
federated authentication programs, Success Driven from the Top, Carried Out Through Collaboration
infosecurity and, How Geeks Need Lawyers
Finjan security firm, The Makeup and Infrastructure of the Cyber Underground
Finney, Hal, Early PGP
firewalls
energy company vulnerabilities, Sunk Costs Versus Future Profits: An Energy Example
host logging, Improving Perspective with Host Logging
log handling, Challenges with Logs, A Proliferation of Sources
need for new strategies, Casting Spells: PC Security Theater
SQL Slammer worm, Incident Detection: Finding the Other 68%
watch lists, Correlating with Watch Lists
Flash ActionScript, Malvertisements
Forester, C. S., Social Networking: When People Start Communicating, Big Things Change
Forever 21, The players
forums, online, A Mob Response
Foundstone vulnerability management, Builders Versus Breakers
Francisco, Fernando, Casting Spells: PC Security TheaterConclusion
fraudsters (cyber underground)
combating, Devalue Data
defined, The Makeup and Infrastructure of the Cyber Underground
information sources, Information Sources
Friedman, Thomas, Connecting People, Process, and Technology: The Potential for Business Process Management
friendly fraud, Requirement 3: The Transaction Must Be Authorized
FTC (Federal Trade Commission)
challenging deceptive ads, Deceptive Advertisements, Deceptive Advertisements
deceptive door opener prohibition, Deceptive Advertisements
Encyclopædia Britannica and, Deceptive Advertisements
exploit-laden banner ads and, Exploit-Laden Banner Ads
OWASP recommendation, Social Networking: When People Start Communicating, Big Things Change
FTP server security breach, The Observed EventSummary
functional fixation
costs versus profits examples, Sunk Costs Versus Future Profits: An ISP ExampleSunk Costs Versus Future Profits: An Energy Example
defined, Functional Fixation
overview, Vulnerability in Place of Security
fuzzing technique, Confirmation Traps

G

gaming trojans, Analysis of Exploits, On the Conveyor Belt of the Internet
Gartner Group, Choosing a focus and winning over management
Gates, Bill, Connecting People, Process, and Technology: The Potential for Business Process Management
Geer, Daniel E., Jr., Security Metrics by Analogy: Health, Security Metrics by Analogy: Health, More Public Data Sources
Geyer, Grant, Incident Detection: Finding the Other 68%Summary
Gibson, Steve, A Mob Response
GLBA (Gramm-Leach-Bliley Financial Services Modernization Act), Broken Incentives, Logs in Security Laws and Standards
GoDaddy, Hierarchical Trust
Gonzalez, Albert, The players
Google
AdSense service, Lessons from Other Procurement Contexts: The Special Challenges of Online Procurement
CPC advertising, Gaming CPC advertising, Gaming CPC advertising, Gaming CPC advertising
democratization of production tools, Democratization of Tools for Production
false ads lawsuit, Deceptive Advertisements
honeyclient support, Related Work
on malware distribution, Malware
Safe Browsing API, Related Work
testing ads, Malvertisements
Gore, Al, Tomorrow’s Security Cogs and Levers
Gramm-Leach-Bliley Financial Services Modernization Act (GLBA), Broken Incentives, Logs in Security Laws and Standards
GRC.com, A Mob Response
grep utility, Challenges with Logs
Guin v. Brazos, Security’s Return on Investment
Gutmann, Peter, Early PGP

H

handshakes, Wireless Gone Wild
Hannaford Brothers security breach, The Payoff, Information Sources, Doing the Right Thing
hash algorithms
data translucency and, How Data Translucency Works
LAN Manager, A Real-Life Example: How Microsoft Enabled L0phtCrack
SET procedure, Secure Electronic Transaction
Windows NT, A Real-Life Example: How Microsoft Enabled L0phtCrack
Hasselbacher, Kyle, The PGP Global Directory
health care field
infosecurity and, How Geeks Need Lawyers
security metrics, Security Metrics by Analogy: HealthReasonable Metrics
Health Insurance Portability and Accountability Act (HIPAA), Broken Incentives, Logs in Security Laws and Standards
hierarchical trust
cumulative trust comparison, Cumulative Trust
defined, Hierarchical Trust
HijackThis change tracker, Exploit-Laden Banner Ads
HIPAA (Health Insurance Portability and Accountability Act), Broken Incentives, Logs in Security Laws and Standards
HIPS (Host-based Intrusion Prevention Systems), Host-based Intrusion Prevention Systems
Holz, Thorsten, Related Work
Homeland Security, Department of, Data Transparency
honeyclients
defined, Enter Honeyclients
future of, The Future of Honeyclients
implementation limitations, Limitations of the Current Honeyclient Implementation
open source, Introducing the World’s First Open Source HoneyclientIntroducing the World’s First Open Source Honeyclient
operational results, Honeyclient Operational ResultsStoring and Correlating Honeyclient Data
operational steps, Introducing the World’s First Open Source Honeyclient, Second-Generation Honeyclients
related work, Related WorkRelated Work
second-generation, Second-Generation HoneyclientsSecond-Generation Honeyclients
storing and correlating data, Storing and Correlating Honeyclient Data
honeymonkeys, Related Work
Honeynet Project, Second-Generation Honeyclients, Related Work
honeypot systems
defined, Enter Honeyclients
proliferation of malware, The evolution of the blacklist method
Honeywall, Second-Generation Honeyclients, Second-Generation Honeyclients
host logging, Improving Perspective with Host LoggingBuilding a Resilient Detection Model
Host-based Intrusion Prevention Systems (HIPS), Host-based Intrusion Prevention Systems
hostile environments
confirmation traps and, Confirmation Traps
specialization in, On the Conveyor Belt of the Internet
hotspot services, Easy Money
House Committee on Homeland Security, Culture, Culture
Howard, Michael, Microsoft Leading the Way
HTTPS protocol, The Attack Infrastructure
Hubbard, Dan, Related Work
Hula Direct ad broker, False Impressions, False Impressions

I

IBM, social networking and, The State of the Art and the Potential in Social Networking
IDEA (International Data Encryption Algorithm), Early PGP, Patent and Export Problems
iDefense Labs, More Public Data Sources, BPM As a Guide to Multisite Security
identity certificates, Cumulative Trust
identity management services, A New Dawn
identity theft
devaluing credit card information, Separate Permission from Information
wireless networking, Easy MoneyA Cornucopia of Personal Data
IDS (intrusion detection system)
building a resilient model, Building a Resilient Detection ModelBuilding a Resilient Detection Model
challenges detecting botnets, Correlating with Watch Lists
false positives, Challenges with Logs
functionality, A Common Starting Point
honeyclient support, Enter Honeyclients, Related Work
host logging, Improving Perspective with Host LoggingBuilding a Resilient Detection Model
host-based, Host-based Intrusion Prevention Systems
improving detection with context, Improving Detection with ContextCorrelating with Watch Lists
limitations, A Common Starting Point, Improving Coverage with Traffic Analysis
log handling considerations, Architecture and Context for the Incident
Iframedollars.biz, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
incident detection, Building a Resilient Detection Model
(see also malicious attacks)
building a resilient model, Building a Resilient Detection ModelBuilding a Resilient Detection Model
host logging and, Improving Perspective with Host LoggingBuilding a Resilient Detection Model
improving with context, Improving Detection with ContextCorrelating with Watch Lists
percentage identified, Incident Detection: Finding the Other 68%, A Common Starting Point
SQL Slammer worm, Incident Detection: Finding the Other 68%
InCtrl change tracker, Exploit-Laden Banner Ads
information dealers
defined, The Makeup and Infrastructure of the Cyber Underground
IRC data exchange, The Data Exchange
malware producers and, The Makeup and Infrastructure of the Cyber Underground
sources of information, Information Sources
information security
as long tail market, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us AllConnection of Supply and Demand
balance in, BalanceSecurity’s Return on Investment
basic concepts, Oh No, Here Come the Infosecurity Lawyers!
cloud computing, Cloud Computing and Web Services: The Single Machine Is HereA New Dawn
communication considerations, CommunicationA Data Breach Tiger Team
connecting people and processes, Connecting People, Process, and Technology: The Potential for Business Process ManagementBPM As a Guide to Multisite Security
doing the right thing, Doing the Right ThingDoing the Right Thing
historical review, Growing Attacks, Defenses in RetreatA Mob Response
host logging, Improving Perspective with Host Logging
need for new strategies, Casting Spells: PC Security Theater
organizational culture, CultureCulture
overview, Tomorrow’s Security Cogs and LeversTomorrow’s Security Cogs and Levers
September 11, 2001 and, On the Conveyor Belt of the Internet
social networking and, Social Networking: When People Start Communicating, Big Things ChangeSecurity in Numbers
strict scrutiny, Strict Scrutiny: Traditional and Updated Anti-Virus ScanningApplying artificial intelligence
suggested practices, Better Practices for Desktop Security
supercrunching, A New Dawn, Information Security Economics: Supercrunching and the New Rules of the GridInformation Security Economics: Supercrunching and the New Rules of the Grid
taking a security history, Barings: “What if...”Barings: “What if...”
web services, Cloud Computing and Web Services: The Single Machine Is HereA New Dawn
Information Security Economics, Information Security Economics: Supercrunching and the New Rules of the GridInformation Security Economics: Supercrunching and the New Rules of the Grid
Information Security Group, Conclusion
injected iFrames, Malware, Malware
International Data Encryption Algorithm (IDEA), Early PGP, Patent and Export Problems
International Tariff on Arms Regulations (ITAR), A Real-Life Example: How Microsoft Enabled L0phtCrack
Internet Explorer
exploit-based installs and, Exploit-Laden Banner Ads
open source honeyclients, Introducing the World’s First Open Source Honeyclient
recent vulnerabilities, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
Internet Relay Chat (see IRC)
intranets, security flaws, A Fundamental Flaw in Web Security: Not Trusting the Trust System
introducers in PGP, The Basic PGP Web of Trust
(see also certificate authorities)
defined, Trust, Validity, and Authority, Cumulative Trust
extended, Extended introducers
Web of Trust process, The Basic PGP Web of Trust
intrusion detection system (see IDS)
investment metrics, Barings: Some security metrics
IRC (Internet Relay Chat)
botnet communication, The Attack Infrastructure
cyber underground communication, The Underground Communication Infrastructure, The Data Exchange
ISO 2700x standard, Logs in Security Laws and Standards
ISPs, costs versus profits, Sunk Costs Versus Future Profits: An ISP ExampleSunk Costs Versus Future Profits: An ISP Example
ITAR (International Tariff on Arms Regulations), A Real-Life Example: How Microsoft Enabled L0phtCrack
ITIL regulation, Logs in Security Laws and Standards
iTunes, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All

J

J/Secure, 3-D Secure
JCB International, 3-D Secure
Jericho Forum, Diffuse Security in a Diffuse World
Jerusalem virus, On the Conveyor Belt of the Internet

K

Kaminsky, Dan, Social Networking for the Security Industry
KBA (knowledge-based authentication), The Data Exchange
key loggers
as information source, Information Sources
specialization in, On the Conveyor Belt of the Internet
key signatures
bloat and harassment, Signature Bloat and Harassment
certificate support, Cumulative Trust
exportable, Exportable signatures
freshness considerations, Freshness
in-certificate preferences, In-Certificate Preferences
Web of Trust, The Basic PGP Web of Trust, The social implications of signing keys, The basic model for revocation
keyrings, Cumulative Trust
keys (see certificates; public key cryptography)
keyservers
defined, Cumulative Trust
key-editing policies, Key-editing policies
PGP Global Directory, The PGP Global Directory
Klez virus, On the Conveyor Belt of the Internet
knowledge-based authentication (KBA), The Data Exchange
Kovah, Xeno, Second-Generation Honeyclients

L

L0phtCrack
government interest in, Rationalizing Away Capabilities
learned helplessness example, A Real-Life Example: How Microsoft Enabled L0phtCrackA Real-Life Example: How Microsoft Enabled L0phtCrack
Lai, Xuejia, Early PGP
LAN Manager, A Real-Life Example: How Microsoft Enabled L0phtCrack
Lancaster, Branko, Early PGP
Langevin, Jim, Culture
LANs, physical security inherent in, Wireless Gone Wild
Lansky, Jared, Exploit-Laden Banner AdsExploit-Laden Banner Ads
learned helplessness
backward compatibility and, Learned Helplessness and Naïveté
defined, Learned Helplessness and Naïveté, Password and Authentication Security Could Have Been Better from the Start
L0phtCrack example, A Real-Life Example: How Microsoft Enabled L0phtCrackA Real-Life Example: How Microsoft Enabled L0phtCrack
overview, Learned Helplessness and NaïvetéPassword and Authentication Security Could Have Been Better from the Start
Leeson, Nick, Barings Bank: Insider BreachBarings: Some security metrics
legacy systems
backward compatibility, Password and Authentication Security Could Have Been Better from the Start
e-commerce security and, Beautiful Trade: Rethinking E-Commerce Security
end-of-life upgrades, Learned Helplessness and Naïveté, Password and Authentication Security Could Have Been Better from the Start
password security and, A Real-Life Example: How Microsoft Enabled L0phtCrackA Real-Life Example: How Microsoft Enabled L0phtCrack
legal considerations
balance in information security, BalanceSecurity’s Return on Investment
communication and information security, CommunicationA Data Breach Tiger Team
doing the right thing, Doing the Right ThingDoing the Right Thing
information security concepts, Oh No, Here Come the Infosecurity Lawyers!
log handling, Log Analysis and Management Tools of the Future
organizational culture, CultureCulture
value of logs, Logs in Security Laws and Standards
Levy, Steven, The Crypto Wars
LinkShare affiliate network, Inflating CPA costs
Linux systems, A Proliferation of Sources
log management tools, Log Analysis and Management Tools of the FutureLog Analysis and Management Tools of the Future
log messages, Focus on Logs
logs
case study, Case Study: Behind a Trashed ServerSummary
challenges with, Challenges with LogsChallenges with Logs
classifying, Focus on Logs
database, A Proliferation of Sources
defined, Focus on Logs
email tracking, A Proliferation of Sources
future possibilities, Future LoggingLog Analysis and Management Tools of the Future
host logging, Improving Perspective with Host LoggingBuilding a Resilient Detection Model
incident detection and, A Common Starting Point, Improving Detection with Context
regulatory compliance and, Logs in Security Laws and Standards
universal standard considerations, Challenges with Logs
usefulness of, A New Dawn, Logs in Security Laws and Standards, When Logs Are Invaluable
long straddle trading strategy, How it happened
Lucent (see Bell Labs)
Lynch, Aidan, Related Work

M

machine learning, Applying artificial intelligence
malicious attacks, Improving Detection with Context
(see also cyber underground; incident detection)
attack indicators, Building a Resilient Detection ModelBuilding a Resilient Detection Model
Blaster, On the Conveyor Belt of the Internet
Code Red, On the Conveyor Belt of the Internet
confirmation traps, Confirmation Traps
directionality of, A Common Starting Point
energy companies vulnerabilities, Sunk Costs Versus Future Profits: An Energy Example
identity theft, Easy MoneyAdapting a Proven Solution
Jerusalem, On the Conveyor Belt of the Internet
Klez, On the Conveyor Belt of the Internet
Melissa, On the Conveyor Belt of the Internet
Michelangelo, On the Conveyor Belt of the Internet
Morris, On the Conveyor Belt of the Internet
MyDoom, On the Conveyor Belt of the Internet
Nimda, On the Conveyor Belt of the Internet
Pakistani Flu, On the Conveyor Belt of the Internet
Slammer, On the Conveyor Belt of the Internet
Snort signatures, Improving Detection with Context
Sober, On the Conveyor Belt of the Internet
Sobig, On the Conveyor Belt of the Internet
SQL Slammer worm, Incident Detection: Finding the Other 68%A Common Starting Point, Improving Coverage with Traffic Analysis
Symantec reports on, Improving Coverage with Traffic Analysis
VBS/Loveletter—“I Love you”, On the Conveyor Belt of the Internet
W32.Gaobot worm, Improving Coverage with Traffic Analysis
malvertisements, MalvertisementsMalvertisements
malware
anti-virus software and, A Mob Response
as cyber attack method, Malware
banking trojans, Analysis of Exploits, On the Conveyor Belt of the Internet
client-side exploitation, Vulnerability in Place of Security, Open Source Honeyclient: Proactive Detection of Client-Side Exploits, Analysis of ExploitsAnalysis of Exploits
common distribution methods, Malware
current market values, The Payoff
directionality of attacks, A Common Starting Point
gaming trojans, Analysis of Exploits, On the Conveyor Belt of the Internet
historical review, On the Conveyor Belt of the InternetOn the Conveyor Belt of the Internet
polymorphic, Malware
production cycle, The Makeup and Infrastructure of the Cyber Underground
streamlining identification of, Applying artificial intelligence
targeted advertising, Rewards for Misbehavior, A Mob Response
testing, The Makeup and Infrastructure of the Cyber Underground
zero-day exploits, The evolution of the blacklist method
malware producers
defined, The Makeup and Infrastructure of the Cyber Underground
information dealers and, The Makeup and Infrastructure of the Cyber Underground
polymorphic malware, Malware
testing code, The Makeup and Infrastructure of the Cyber Underground
man-in-the-middle attacks, A Fundamental Flaw in Web Security: Not Trusting the Trust System
manual penetration testing, Fixing the Problems
Massey, James, Early PGP
MasterCard
3-D Secure protocol, 3-D Secure
SET protocol, Secure Electronic Transaction
Maurer, Ueli, Variable Trust Ratings
MBNA, Single-Use and Multiple-Use Virtual Cards
McAfee
online safety survey, Choosing a focus and winning over management
SiteAdvisor, Deceptive Advertisements
vulnerability management, Builders Versus Breakers
McBurnett, Neal, Social Networks and Traffic Analysis
McCabe, Jim, How a Disciplined System Development Lifecycle Can Help, How a Disciplined System Development Lifecycle Can Help
McCaul, Mike, Culture
McDougle, John, How a Disciplined System Development Lifecycle Can Help, How a Disciplined System Development Lifecycle Can Help
McGraw, Gary, How One Firm Came to Demand Secure Software
McManus, John, Security by DesignConclusion: Beautiful Security Is an Attribute of Beautiful Systems
Mean Time Between Security Incidents (MTBSI), Barings: Some security metrics
Mean Time to Repair (MTTR), Local metrics
Mean Time to Repair Security Incidents (MTTRSI), Barings: Some security metrics
Media Guard product, Malvertisements
medical field
infosecurity and, How Geeks Need Lawyers
security metrics, Security Metrics by Analogy: HealthReasonable Metrics
Melissa virus, On the Conveyor Belt of the Internet
Merchant Server Plug-in (MPI), 3-D Secure transactions
meta-introducers, Extended introducers
metrician, Security Metrics by Analogy: Health
metrics
Barings Bank security breach, Barings Bank: Insider BreachBarings: Some security metrics
coverage, Barings: Some security metrics
for data responsibility, Establish a Social Metric and Reputation System for Data Responsibility
health care field, Security Metrics by Analogy: HealthReasonable Metrics
investment, Barings: Some security metrics
measuring ROI, Information Security Economics: Supercrunching and the New Rules of the Grid
scan coverage, Local metrics
software development lifecycle and, Metrics with No MeaningMetrics with No Meaning, Fixing the Problems
TJX security breach, TJX: Outsider BreachLocal metrics
treatment effect, Barings: Some security metrics
MetricsCenter technology, Barings: “What if...”
MetricsCenter.org, TJX: “What if...”
Michelangelo virus, On the Conveyor Belt of the Internet
microchunking, Democratization of Channels for Distribution
Microsoft, Introducing the World’s First Open Source Honeyclient
(see also Internet Explorer)
Authenticode, Hierarchical Trust
Azure cloud operating system, Builders Versus Breakers
Commission on Cyber Security, Culture
CPC advertising, Gaming CPC advertising
hierarchical trust, Hierarchical Trust
honeymonkeys, Related Work
L0phtCrack example, A Real-Life Example: How Microsoft Enabled L0phtCrackA Real-Life Example: How Microsoft Enabled L0phtCrack
security controls in SDLC, Microsoft Leading the Way
SQL Server, Incident Detection: Finding the Other 68%
supporting legacy systems, Password and Authentication Security Could Have Been Better from the Start
testing approach, Confirmation Traps
Unix systems and, Password and Authentication Security Could Have Been Better from the Start
MITRE Corporation, Second-Generation Honeyclients, Log Analysis and Management Tools of the Future
money, Barings: “What if...”, The Money-Laundering Game, Analysis of Exploits
(see also financial institutions; PCI)
Monroe Doctrine, Culture
Morris virus, On the Conveyor Belt of the Internet
mothership systems, Correlating with Watch Lists
Motorola Corporation, What About the Wireless Access Point Itself?
Mozilla Firefox
honeyclient support, Storing and Correlating Honeyclient Data, Related Work
malware exploits and, Analysis of Exploits
MPI (Merchant Server Plug-in), 3-D Secure transactions
MTBSI (Mean Time Between Security Incidents), Barings: Some security metrics
MTTR (Mean Time to Repair), Local metrics
MTTRSI (Mean Time to Repair Security Incidents), Barings: Some security metrics
Murray, Daragh, Related Work
MyDoom virus, On the Conveyor Belt of the Internet
MySpace social network, The State of the Art and the Potential in Social Networking

N

naïveté
client counterpart of, Naïveté As the Client Counterpart to Learned HelplessnessNaïveté As the Client Counterpart to Learned Helplessness
learned helplessness and, Learned Helplessness and NaïvetéPassword and Authentication Security Could Have Been Better from the Start
NASA
background, Security by Design
perception of closed systems, Security by Design
software development lifecycle, Metrics with No MeaningMetrics with No Meaning, How a Disciplined System Development Lifecycle Can HelpHow a Disciplined System Development Lifecycle Can Help
National Institute for Standards, Social Networking: When People Start Communicating, Big Things Change
National Office for Cyberspace (NOC), Culture, Culture
Nazario, Jose, Related Work
newsgroups, A Mob Response
Nichols, Elizabeth, Beautiful Security MetricsSummary
Nichols, Elizabeth A., What About the Wireless Access Point Itself?
Nimda virus, On the Conveyor Belt of the Internet
NOC (National Office for Cyberspace), Culture, Culture
NTLM authentication, A Real-Life Example: How Microsoft Enabled L0phtCrack

O

OCC, Enforcing Security in Off-the-Shelf Software
off-the-shelf software (see software acquisition)
Office Max, The players
online advertising
advertisers as victims, Advertisers As VictimsLessons from Other Procurement Contexts: The Special Challenges of Online Procurement
attacks on users, Attacks on UsersDeceptive Advertisements
CPA advertising, Inflating CPA costsInflating CPA costs
CPC advertising, Escaping Fraud-Prone CPM AdvertisingGaming CPC advertising
CPM advertising, Escaping Fraud-Prone CPM AdvertisingInflating CPA costs
creating accountability, Creating Accountability in Online Advertising
deceptive ads, Deceptive AdvertisementsDeceptive Advertisements
exploit-laden banner ads, Exploit-Laden Banner AdsExploit-Laden Banner Ads
false impressions, False ImpressionsFalse Impressions
fighting fraud, Why Don’t Advertisers Fight Harder?Why Don’t Advertisers Fight Harder?
malvertisements, MalvertisementsMalvertisements
special procurement challenges, Lessons from Other Procurement Contexts: The Special Challenges of Online Procurement
targeted, Rewards for Misbehavior, A Mob Response
online advertising, targeted, Rewards for Misbehavior
online forums, A Mob Response
Open Security Foundation, Global metrics
open source honeyclients, Introducing the World’s First Open Source HoneyclientIntroducing the World’s First Open Source Honeyclient
Open Web Application Security Project (see OWASP)
OpenID identity management, A New Dawn
OpenPGP standard/protocol
background, PGP and OpenPGP
certification support, Cumulative Trust, Cumulative Trust
designated revokers, Designated revokers
direct trust, Direct Trust
exportable signatures, Exportable signatures
extended introducers, Extended introducers
in-certificate preferences, In-Certificate Preferences
key support, Cumulative Trust
key-editing policies, Key-editing policies
revoking certificates, Reasons for revocation
OpenSocial API, The State of the Art and the Potential in Social Networking
operating systems, host logging, Improving Perspective with Host Logging, Building a Resilient Detection Model
OptOut spyware removal tool, A Mob Response
Orange Book, Logs in Security Laws and Standards
organizational culture, CultureCulture
outsourcing
extending security initiative to, Extending Our Security Initiative to Outsourcing
trends in, Connecting People, Process, and Technology: The Potential for Business Process Management
vulnerability research, BPM As a Guide to Multisite Security
OWASP (Open Web Application Security Project)
background, Social Networking: When People Start Communicating, Big Things Change
CLASP methodology, Setting up formal quality processes for security
Top 10 list, Choosing a focus and winning over management

P

P2P (peer-to-peer) networks
botnet communication, The Attack Infrastructure
honeyclient considerations, The Future of Honeyclients
packet sniffers, Exploit-Laden Banner Ads
packets
handshake, Wireless Gone Wild
SQL Slammer worm, A Common Starting Point
Pakistani Flu virus, On the Conveyor Belt of the Internet
PAN (Primary Account Number), 3-D Secure transactions
Panda Labs, Malware
PAR (Payer Authentication Request), 3-D Secure transactions
PARAM tag, Malvertisements
passive sniffing, Naïveté As the Client Counterpart to Learned Helplessness
passphrases, Wireless Gone Wild
password grinding, Wireless Gone Wild
password-cracking tools
L0phtCrack example, A Real-Life Example: How Microsoft Enabled L0phtCrackA Real-Life Example: How Microsoft Enabled L0phtCrack
passphrases and, Wireless Gone Wild
passwords
authentication security, Password and Authentication Security Could Have Been Better from the Start
identity theft and, A Cornucopia of Personal Data
NTLM authentication and, A Real-Life Example: How Microsoft Enabled L0phtCrack
PATHSERVER, Social Networks and Traffic Analysis
Payer Authentication Request (PAR), 3-D Secure transactions
Payment Card Industry (see PCI)
PayPal, Single-Use and Multiple-Use Virtual Cards
PCI (Payment Card Industry)
Data Security Standard, Deconstructing Commerce, Merchant and service provider, Social Networking: When People Start Communicating, Big Things Change, Doing the Right Thing, Logs in Security Laws and Standards, Building a Resilient Detection Model
protecting credit card data, Barings: “What if...”
peer-to-peer networks (see P2P networks)
PEM (Privacy Enhanced Mail), Early PGP
perma-vendors, Diffuse Security in a Diffuse World
Personally Identifiable Information (PII), How a Disciplined System Development Lifecycle Can Help
Pezzonavante honeyclient, Related Work
PGP (Pretty Good Privacy), Cumulative Trust
(see also Web of Trust)
background, The Evolution of PGP’s Web of Trust, PGP and OpenPGP, Early PGP
backward compatibility issues, Patent and Export Problems
Crypto Wars, The Crypto Wars
designated revokers, Designated revokers
encryption support, The Evolution of PGP’s Web of Trust, PGP and Crypto HistoryFrom PGP 3 to OpenPGP
key validity, Trust, Validity, and Authority
patent and export problems, Patent and Export Problems
source download, PGP and Crypto History
trust models, Trust, Validity, and AuthorityThe social implications of signing keys
trust relationships, Trust, Validity, and Authority
PGP Corporation, PGP and OpenPGP
PGP Global Directory, The PGP Global Directory
pharmware, Information Sources
phishing
3-D Secure protocol, Evaluation of 3-D Secure
as information source, Information Sources
botnet support, The Attack Infrastructure
challenges detecting, Correlating with Watch Lists
spam and, Phishing, facilitated by social-engineering spam
specialization in, On the Conveyor Belt of the Internet
PhoneyC website, Related Work
PII (Personally Identifiable Information), How a Disciplined System Development Lifecycle Can Help
Piper, Fred, Conclusion
PKI (Public Key Infrastructure)
authoritative keys, Authoritative keys
defined, Cumulative Trust
DSG support, The Digital Signature Guidelines
revoking certificates, Revocation
SET considerations, Evaluation of SET
PlexLogic, Barings: “What if...”
Plumb, Colin, From PGP 3 to OpenPGP
port scanning, Correlating with Watch Lists
pragmatic security, Oh No, Here Come the Infosecurity Lawyers!, How Geeks Need Lawyers
Pre-Shared Key (PSK), Wireless Gone Wild
Pretty Good Privacy (see PGP)
Price, Will, The PGP Global Directory
Primary Account Number (PAN), 3-D Secure transactions
Privacy Enhanced Mail (PEM), Early PGP
proof-of-concept project, Enforcing Security in Off-the-Shelf SoftwareEnforcing Security in Off-the-Shelf Software
Provos, Niels, Related Work
PSK (Pre-Shared Key), Wireless Gone Wild
psychological traps
confirmation traps, Confirmation TrapsRationalizing Away Capabilities
functional fixation, Functional FixationSunk Costs Versus Future Profits: An Energy Example
learned helplessness, Learned Helplessness and Naïveté
public key cryptography
cumulative trust systems, Cumulative Trust
key revocation, Key revocation and expiration
PGP support, The Evolution of PGP’s Web of Trust
RSA algorithm, Patent and Export Problems
SET support, Secure Electronic Transaction
steganographic applications, Going Deeper
validity, Trust, Validity, and Authority
Public Key Infrastructure (see PKI)
Public Key Partners, Patent and Export Problems
put options, How it happened

Q

Qualys vulnerability management, Builders Versus Breakers

R

Raduege, Harry, Culture
Regular, Bob, Exploit-Laden Banner Ads
regulatory compliance (see legal considerations)
Reiter, Mark, Social Networks and Traffic Analysis
Reliable Software Technologies, Security by Design, Metrics with No Meaning
reputation economy, Connection of Supply and Demand
resource dealers, The Makeup and Infrastructure of the Cyber Underground
Return on Investment (ROI), Information Security Economics: Supercrunching and the New Rules of the Grid, Security’s Return on InvestmentSecurity’s Return on Investment
Return on Security Investment (ROSI), Security’s Return on Investment
Returnil, Applying artificial intelligence, Security-specific virtualization, Security of saved files in Returnil, Better Practices for Desktop Security
revoking certificates, RevocationReasons for revocation
RFC 1991, PGP and OpenPGP, From PGP 3 to OpenPGP
RFC 3156, PGP and OpenPGP
RFC 4880, PGP and OpenPGP
Right Media, Malvertisements
ROI (Return on Investment), Information Security Economics: Supercrunching and the New Rules of the Grid, Security’s Return on InvestmentSecurity’s Return on Investment
root certificates
defined, Hierarchical Trust
direct trust, Hierarchical Trust
rootkits
example investigating, The Investigation Starts
Rustock.C, The evolution of the blacklist method
specialization in, On the Conveyor Belt of the Internet
ROSI (Return on Security Investment), Security’s Return on Investment
routers
DDoS attacks on, Sunk Costs Versus Future Profits: An ISP Example
host logging, Improving Perspective with Host Logging
watch lists, Correlating with Watch Lists
Routh, Jim, Forcing Firms to Focus: Is Secure Software in Your Future?Software Vendors Give Us What We Want but Not What We Need
RSA Data Security Incorporated, Patent and Export Problems
RSA public-key algorithm, Patent and Export Problems
RSAREF library, Patent and Export Problems
Rustock.C rootkit, The evolution of the blacklist method

S

Sabett, Randy V., Oh No, Here Come the Infosecurity Lawyers!Doing the Right Thing
sandboxing
functionality, Sandboxing and Virtualization: The New Silver Bullets
HIPS support, Host-based Intrusion Prevention Systems
need for new strategies, Casting Spells: PC Security Theater
Santa Fe Group, Barings: “What if...”
Sarbanes-Oxley Act (SOX), Broken Incentives, Logs in Security Laws and Standards
SCADA systems, Sunk Costs Versus Future Profits: An Energy Example
Schoen, Seth, The PGP Global Directory
SDLC (see software development lifecycle)
Second Life virtual world, The State of the Art and the Potential in Social Networking
Secret Service
Shadowcrew network and, The Underground Communication Infrastructure
TJX security breach and, The players
Secunia, BPM As a Guide to Multisite Security
Secure Electronic Transaction (see SET)
security breaches
attorney involvement in investigating, A Data Breach Tiger Team
Barings Bank, Barings Bank: Insider BreachBarings: Some security metrics
California data privacy law, The California Data Privacy LawThe California Data Privacy Law
cyber underground and, The Underground Economy of Security BreachesEstablish a Social Metric and Reputation System for Data Responsibility
databases and, Doing Real Work Without Real Data
impact of, How Geeks Need Lawyers
logs in investigating, Case Study: Behind a Trashed ServerSummary
public data sources, More Public Data Sources
tiger team responses, A Data Breach Tiger TeamA Data Breach Tiger Team
TJX, TJX: Outsider BreachLocal metrics
security certificates
defined, Easy Money
encryption and, Easy Money, A Cornucopia of Personal Data
fundamental flaw, A Fundamental Flaw in Web Security: Not Trusting the Trust System
paying attention to, Establishing Wireless Trust
wireless access points, Establishing Wireless Trust, Adapting a Proven Solution
Security Event Managers (SEMs), A New Dawn
security metrics (see metrics)
Security Metrics Catalog project, TJX: “What if...”
security traps (see psychological traps)
SecurityFocus database, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
SecurityMetrics.org, TJX: “What if...”
SEI (Software Engineering Institute), Time to Market or Time to Quality?
Seifert, Christian, Second-Generation Honeyclients, Related Work
self-signed certificates, Direct Trust, Hierarchical Trust
SEMs (Security Event Managers), A New Dawn
separation of duties, The players
September 11, 2001, On the Conveyor Belt of the Internet
server applications, host logging, Improving Perspective with Host Logging
Service Set Identifier (SSID), How it happened
service-oriented architecture (SOA), Cloud Computing and Web Services: The Single Machine Is Here
SET (Secure Electronic Transaction)
background, Secure Electronic Transaction
evaluation of, Evaluation of SET
protections supported, Secure Electronic Transaction
transaction process, SET transactions
SHA256 hash algorithm, How Data Translucency Works
Shadowcrew network, The Underground Communication Infrastructure
short straddle trading strategy, How it happened, How it happened
signature harassment, Signature Bloat and Harassment
Sinclair, Upton, Tomorrow’s Security Cogs and Levers
Skinner, B. F., Information Security Economics: Supercrunching and the New Rules of the Grid
Slammer virus, On the Conveyor Belt of the Internet
SMTP protocol
botnet communication, The Attack Infrastructure
incident detection considerations, Building a Resilient Detection Model
SOA (service-oriented architecture), Cloud Computing and Web Services: The Single Machine Is Here
Sober virus, On the Conveyor Belt of the Internet
Sobig virus, On the Conveyor Belt of the Internet
social networking
crowdsourcing, Security in Numbers
impact on security, A New Dawn, Social Networking: When People Start Communicating, Big Things Change, Social Networking for the Security IndustrySecurity in Numbers
interoperability, The State of the Art and the Potential in Social Networking
malware distribution and, Malware
PGP and, The Evolution of PGP’s Web of Trust
potential in, The State of the Art and the Potential in Social Networking
state of the art in, The State of the Art and the Potential in Social Networking
Web of Trust and, Social Networks and Traffic Analysis
Social Security numbers
incident detection considerations, Building a Resilient Detection Model
spyware stealing, Malware
software acquisition
enforcing security, Enforcing Security in Off-the-Shelf SoftwareEnforcing Security in Off-the-Shelf Software, Software Vendors Give Us What We Want but Not What We NeedSoftware Vendors Give Us What We Want but Not What We Need
implicit requirements in, Implicit Requirements Can Still Be PowerfulImplicit Requirements Can Still Be Powerful
software development lifecycle
Bell Labs example, Time to Market or Time to Quality?Time to Market or Time to Quality?
business model evolution, Forcing Firms to Focus: Is Secure Software in Your Future?
CLASP methodology, Setting up formal quality processes for security, Developer training
designing security, Security by DesignSecurity by Design, Conclusion: Beautiful Security Is an Attribute of Beautiful SystemsConclusion: Beautiful Security Is an Attribute of Beautiful Systems, The Best Software Developers Create Code with Vulnerabilities
developer training, Developer training
fixing security problems, Fixing the Problems
formal quality processes for security, Setting up formal quality processes for security
improving software security, How One Firm Came to Demand Secure SoftwareExtending Our Security Initiative to Outsourcing
instituting security plan, How I Put a Security Plan in PlaceWhen the security process really took hold
NASA examples, Metrics with No MeaningMetrics with No Meaning, How a Disciplined System Development Lifecycle Can HelpHow a Disciplined System Development Lifecycle Can Help
outsourcing considerations, Extending Our Security Initiative to Outsourcing
proof-of-concept project, Enforcing Security in Off-the-Shelf SoftwareEnforcing Security in Off-the-Shelf Software
static code analysis tool, Setting up formal quality processes for security, Developer training, When the security process really took hold, Fixing the Problems, The Best Software Developers Create Code with Vulnerabilities
Software Engineering Institute (SEI), Time to Market or Time to Quality?
Sophos, Malware
SOX (Sarbanes-Oxley Act), Broken Incentives, Logs in Security Laws and Standards
spam
botnet support, The Attack Infrastructure, The Attack Infrastructure
challenges detecting, Correlating with Watch Lists
client-side vulnerability, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
phishing and, Phishing, facilitated by social-engineering spam
specialization in, On the Conveyor Belt of the Internet
targeted, Phishing, facilitated by social-engineering spam
traffic analysis, Improving Coverage with Traffic Analysis
Sports Authority, The players
SpyBye honeyclient, Related Work
spyware
as information source, Information Sources
CPA advertising, Inflating CPA costs
Dell estimates, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
functionality, Malware
malvertisements and, Malvertisements
OptOut removal tool, A Mob Response
specialization in, On the Conveyor Belt of the Internet
SQL injection attacks, Exploiting website vulnerabilities, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
SQL Server (Microsoft), Incident Detection: Finding the Other 68%
SQL Slammer worm
background, Incident Detection: Finding the Other 68%
IDS challenges, A Common Starting Point
port 1434/udp, Incident Detection: Finding the Other 68%, Improving Coverage with Traffic Analysis
signatures, A Common Starting Point
SSID (Service Set Identifier), How it happened
stale threat modeling, Stale Threat Modeling
static code analysis tool
context-sensitive help, The Best Software Developers Create Code with Vulnerabilities
developer training, Developer training
threshold of quality, Setting up formal quality processes for security
vulnerability information, When the security process really took hold, Fixing the Problems
steganographic applications, Going Deeper
Stickley, Jim, Wireless Networking: Fertile Ground for Social EngineeringStill, Wireless Is the Future
storing data
honeyclients, Storing and Correlating Honeyclient Data
logs, Log Analysis and Management Tools of the Future
strict scrutiny
blacklisting, The evolution of the blacklist method, Applying artificial intelligence
whitelisting, The whitelist alternative
Stubblebine, Stuart, Social Networks and Traffic Analysis
stuffed cookies, Inflating CPA costs
supercrunching, A New Dawn, Information Security Economics: Supercrunching and the New Rules of the GridInformation Security Economics: Supercrunching and the New Rules of the Grid
supervalidity, Supervalidity, Supervalidity
switches, failing open, Naïveté As the Client Counterpart to Learned Helplessness
Symantec
DeepSight Threat Management Service, More Public Data Sources
Internet Security Threat Reports, More Public Data Sources, Improving Coverage with Traffic Analysis
Managed Security Services, Correlating with Watch Lists
on botnets, Correlating with Watch Lists
on malware distribution, Malware
SQL Slammer worm, Incident Detection: Finding the Other 68%
SYSLOG format, A Proliferation of Sources
system development lifecycle (see software development lifecycle)

T

targeted advertising, Rewards for Misbehavior, Rewards for Misbehavior, A Mob Response
technology economics, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
testing
ads, Malvertisements
confirmation traps in, An Introduction to the Concept
dynamic, Fixing the Problems
fuzzing technique, Confirmation Traps
malware code, The Makeup and Infrastructure of the Cyber Underground
manual penetration, Fixing the Problems
Microsoft approach, Confirmation Traps
Thomson, William (Lord Kelvin), Beautiful Security Metrics
time-to-market, Time to Market or Time to Quality?Time to Market or Time to Quality?
time-to-quality, Time to Market or Time to Quality?Time to Market or Time to Quality?
TJX security breach, What About the Wireless Access Point Itself?, TJX: Outsider BreachLocal metrics, Doing the Right Thing
traffic analysis, improving coverage with, Improving Coverage with Traffic AnalysisImproving Coverage with Traffic Analysis
treatment effect metrics, Barings: Some security metrics
Truman Doctrine, Culture
trust models
cumulative trust, Cumulative Trust
defined, Trust, Validity, and Authority
direct trust, Direct Trust
hierarchical trust, Hierarchical Trust
users as certification authorities, The Basic PGP Web of Trust
trust relationship
defined, Trust, Validity, and Authority, Trust, Validity, and Authority, The Basic PGP Web of Trust
establishing for wireless networks, Establishing Wireless TrustAdapting a Proven Solution
PGP support, The Evolution of PGP’s Web of Trust
validity comparison, Trust, Validity, and Authority

U

Unified Compliance Framework, Barings: “What if...”
University of London, Conclusion
Unix systems
grep utility, Challenges with Logs
log handling, A Proliferation of Sources
security vulnerabilities, Password and Authentication Security Could Have Been Better from the Start
usernames, identity theft and, A Cornucopia of Personal Data

V

validity
defined, The Basic PGP Web of Trust
supervalidity, Supervalidity, Supervalidity
trust comparison, Trust, Validity, and Authority
ValueClick, Deceptive Advertisements, Inflating CPA costs, Lessons from Other Procurement Contexts: The Special Challenges of Online Procurement
VBS/Loveletter—“I Love you” virus, On the Conveyor Belt of the Internet
VeriSign
hierarchical trust, Hierarchical Trust, Hierarchical Trust
iDefense Labs, More Public Data Sources, BPM As a Guide to Multisite Security
Viacrypt, From PGP 3 to OpenPGP
Viega, John, Setting up formal quality processes for security
virtual cards
defined, Single-Use and Multiple-Use Virtual Cards
functionality, How virtual cards work
multiple-use, How virtual cards work
single-use, How virtual cards work
virtual machines, Virtual machines, host and guest
honeyclient support, Second-Generation Honeyclients
malware detection of, Analysis of Exploits
virtualization, Virtual machines, host and guestSecurity of saved files in Returnil, Better Practices for Desktop Security
viruses (see malicious attacks)
VirusTotal.com, Analysis of Exploits
Visa, Inc.
3-D Secure protocol, 3-D Secure
SET protocol, Secure Electronic Transaction
transaction statistics, Analyzing the Security Context
VMware, Second-Generation Honeyclients, Analysis of Exploits, Virtual machines, host and guest
VMware Workstation, Exploit-Laden Banner Ads
vulnerability scanners
breaker mentality and, Builders Versus Breakers
false positives/negatives, Building a Resilient Detection Model
functional fixation, Vulnerability in Place of Security
proliferation of malware and, The evolution of the blacklist method

W

W32.Gaobot worm, Improving Coverage with Traffic Analysis
Wallace, Sanford, Exploit-Laden Banner AdsExploit-Laden Banner Ads
Wang, Chenxi, The Underground Economy of Security BreachesSummary, A Data Breach Tiger Team, Rewards for Misbehavior
Wang, Kathy, Open Source Honeyclient: Proactive Detection of Client-Side ExploitsThe Future of Honeyclients
warchalking, Wireless As a Side Channel
wardriving technique, How it happened
Wason, Peter, An Introduction to the Concept
watch lists, Correlating with Watch ListsCorrelating with Watch Lists
Wayner, Peter, Doing Real Work Without Real DataGoing Deeper
Web 2.0, Social Networking: When People Start Communicating, Big Things Change
web applications
exploiting vulnerabilities, Exploiting website vulnerabilities, Choosing a focus and winning over management
log handling support, A Proliferation of Sources
risk of exploits, Enforcing Security in Off-the-Shelf Software
trends in exploits, Choosing a focus and winning over management, Choosing a focus and winning over management
uncovering vulnerabilities, When the security process really took hold
Web of Trust
areas for further research, Interesting Areas for Further Research
background, The Evolution of PGP’s Web of Trust
cumulative trust support, Cumulative Trust
enhancements to original model, Enhancements to the Original Web of Trust ModelVariable Trust Ratings
functionality, The Basic PGP Web of TrustThe Basic PGP Web of Trust
implications of signing keys, The social implications of signing keysThe social implications of signing keys
in-certificate preferences, In-Certificate Preferences
PGP Global Directory, The PGP Global Directory
revoking certificates, RevocationReasons for revocation
rough edges in original, Rough Edges in the Original Web of TrustThe social implications of signing keys
scaling issues, Scaling IssuesAuthoritative keys
signature bloat/harassment, Signature Bloat and Harassment
social networking and, Social Networks and Traffic Analysis
supervalidity, Supervalidity, Supervalidity
variable trust ratings, Variable Trust Ratings
web services
applying security to, Clouds and Web Services to the Rescue
builders versus breakers, Builders Versus Breakers
defined, Cloud Computing and Web Services: The Single Machine Is Here
Websense, Related Work
WEP (Wired Equivalent Privacy), Wireless Networking: Fertile Ground for Social Engineering
authentication support, How it happened
security flaws, Wireless Gone Wild
Western Union, The Makeup and Infrastructure of the Cyber Underground
wget tool, Introducing the World’s First Open Source Honeyclient
Whitehead, Alfred North, Cloud Computing and Web Services: The Single Machine Is Here
whitelisting, The whitelist alternative
Whois website, Deceptive Advertisements
Wi-Fi Protected Access (WPA), Wireless Networking: Fertile Ground for Social Engineering, Wireless Gone Wild
Windows Home Server, Clouds and Web Services to the Rescue
Windows Live ID, A New Dawn
Windows NT
hash function, A Real-Life Example: How Microsoft Enabled L0phtCrack
Internet security and, Password and Authentication Security Could Have Been Better from the Start
Windows Vista
Internet security and, Password and Authentication Security Could Have Been Better from the Start
security warnings, A Fundamental Flaw in Web Security: Not Trusting the Trust System
strict scrutiny and, The whitelist alternative
Windows XP
exploit-based installs and, Exploit-Laden Banner Ads
honeyclient support, Second-Generation Honeyclients, Transparent Activity from Windows XP
Wired Equivalent Privacy (WEP), Wireless Networking: Fertile Ground for Social Engineering
wireless access points
identity theft and, A Cornucopia of Personal Data
scan coverage, Local metrics
security certificates, Establishing Wireless Trust, Adapting a Proven Solution
SSID support, How it happened
WEP support, Wireless Gone Wild
wireless networking
future of, Still, Wireless Is the Future
identity theft, Easy MoneyAdapting a Proven Solution
role at TJX, TJX: Outsider BreachLocal metrics
security flaws, Wireless Gone WildWhat About the Wireless Access Point Itself?
wardriving technique, How it happened
Wireshark packet sniffer, Exploit-Laden Banner Ads
Wood, Michael, Casting Spells: PC Security TheaterConclusion
WordPress, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
worms
SQL Slammer, Incident Detection: Finding the Other 68%A Common Starting Point, Improving Coverage with Traffic Analysis
W32.Gaobot worm, Improving Coverage with Traffic Analysis
WPA (Wi-Fi Protected Access), Wireless Networking: Fertile Ground for Social Engineering, Wireless Gone Wild
WS-Security specification, Clouds and Web Services to the Rescue

X

X.509 certificates
authoritative keys, Authoritative keys
certification support, Cumulative Trust
hierarchical trust, Hierarchical Trust
revoking, Revocation
SET support, Secure Electronic Transaction
web services and, Clouds and Web Services to the Rescue

Y

Yahoo!
CPC advertising, Gaming CPC advertising
DDoS attacks on, Sunk Costs Versus Future Profits: An ISP Example
YouTube, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All

Z

Zatko, Peiter “Mudge”, Psychological Security TrapsSummary, Security’s Return on Investment
zero-day exploits, The evolution of the blacklist method
Zimmermann, Phil, The Evolution of PGP’s Web of TrustReferences
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset