A note on the digital index A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.
A

ABA (American Bar Association), The Digital Signature Guidelines
Access Control Server (ACS), 3-D Secure transactions
accountability, Logs in Security Laws and Standards, Logs in Security Laws and Standards
ACS (Access Control Server), 3-D Secure transactions
ActionScript, Malvertisements
ad banners (see banner ads)
Adams, Douglas, Social Networking: When People Start Communicating, Big Things Change
Advanced Monitor System (AMS), Applying artificial intelligence, Security-specific virtualization
advertising (see online advertising)
adware (see spyware)
Aegenis Group, The Payoff
Agriculture, Department of, Software Vendors Give Us What We Want but Not What We Need
AHS (Authentication History Server), 3-D Secure transactions
AI (artificial intelligence), Applying artificial intelligence, Better Practices for Desktop Security
AllowScriptAccess tag, Malvertisements
Amazon Web Services platform, Clouds and Web Services to the Rescue
Amazon.com, Inflating CPA costs
American Bar Association (ABA), The Digital Signature Guidelines
AMS (Advanced Monitor System), Applying artificial intelligence, Security-specific virtualization
analyst confirmation traps, The Analyst Confirmation Trap
Anderson, Chris, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
Andreessen, Marc, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All, Democratization of Tools for Production
Anna Carroll (barge), Security’s Return on Investment
anti-executables, The whitelist alternative, The whitelist alternative, Host-based Intrusion Prevention Systems
anti-spyware software
    evolution of, A Mob Response
    initial implementation, A Mob Response
    intrusive performance, Host-based Intrusion Prevention Systems
    strict scrutiny, Strict Scrutiny: Traditional and Updated Anti-Virus Scanning
anti-virus software
    diminished effectiveness, On the Conveyor Belt of the Internet
    functional fixation, Vulnerability in Place of Security
    functionality, Improving Perspective with Host Logging
    historical review, On the Conveyor Belt of the Internet–On the Conveyor Belt of the Internet
    honeyclients and, Analysis of Exploits
    intrusive performance, Host-based Intrusion Prevention Systems
    malware signature recognition, A Mob Response
    need for new strategies, Casting Spells: PC Security Theater
    strict scrutiny, Strict Scrutiny: Traditional and Updated Anti-Virus Scanning
    zero-day exploits and, The evolution of the blacklist method
Apgar score, Reasonable Metrics
Apgar, Virginia, Reasonable Metrics
Apple Computer, Password and Authentication Security Could Have Been Better from the Start
artificial intelligence (AI), Applying artificial intelligence, Better Practices for Desktop Security
Ascom-Tech AG, Patent and Export Problems
Ashenfelter, Orley, Information Security Economics: Supercrunching and the New Rules of the Grid, Information Security Economics: Supercrunching and the New Rules of the Grid
Aspect Security, Developer training
Atkins, Derek, From PGP 3 to OpenPGP
ATMs, early security flaws, Data Transparency
attacks (see malicious attacks)
attribute certificates, Cumulative Trust
Attrition.org, Global metrics, Global metrics
authentication
    3-D Secure protocol, 3-D Secure transactions
    auto-update and, Vulnerability in Place of Security
    CV2 security code, Weak Amelioration Attempts
    e-commerce security, Requirement 1: The Consumer Must Be Authenticated, Requirement 2: The Merchant Must Be Authenticated, Requirement 4: Authentication Data Should Not Be Shared Outside of Authenticator and Authenticated
    federated programs, Success Driven from the Top, Carried Out Through Collaboration
    NTLM, A Real-Life Example: How Microsoft Enabled L0phtCrack
    password security, Password and Authentication Security Could Have Been Better from the Start
    PGP Global Directory and, The PGP Global Directory
    portability of, Requirement 6: Authentication Should Be Portable (Not Tied to Hardware or Protocols)
    security pitfall in, Separate Permission from Information
    SET protocol, Secure Electronic Transaction
    WEP support, How it happened
Authentication History Server (AHS), 3-D Secure transactions
authoritative keys, Authoritative keys
authorization
    3-D Secure protocol, 3-D Secure transactions
    e-commerce security, Requirement 3: The Transaction Must Be Authorized
    security pitfall in, Separate Permission from Information
Ayres, Ian, Information Security Economics: Supercrunching and the New Rules of the Grid
Azure cloud operating system, Builders Versus Breakers

B

B.J.’s Wholesale Club, The players
backend control systems, Sunk Costs Versus Future Profits: An Energy Example–Sunk Costs Versus Future Profits: An Energy Example
backward compatibility
    LANMAN password encoding, A Real-Life Example: How Microsoft Enabled L0phtCrack
    learned helplessness and, Learned Helplessness and Naïveté
    legacy systems, Password and Authentication Security Could Have Been Better from the Start
    PGP issues, Patent and Export Problems
balance in information security, Balance–Security’s Return on Investment
banking industry (see financial institutions)
banking trojans, Analysis of Exploits, On the Conveyor Belt of the Internet
banner ads
    exploit-laden, Exploit-Laden Banner Ads–Exploit-Laden Banner Ads, Limitations of the Current Honeyclient Implementation
    honeyclients and, Limitations of the Current Honeyclient Implementation
banner farms, False Impressions, False Impressions
Barings Bank security breach, Barings Bank: Insider Breach–Barings: Some security metrics
Barnes & Noble, The players
Bass-O-Matic cipher, Early PGP
behavioral analytics, Applying artificial intelligence
Bell Labs
    background, Security by Design, Metrics with No Meaning
    software development lifecycle, Time to Market or Time to Quality?–Time to Market or Time to Quality?
Bellis, Ed, Beautiful Trade: Rethinking E-Commerce Security–The New Model
Bernstein, Peter, Beautiful Security Metrics
Bidzos, Jim, Patent and Export Problems, Patent and Export Problems
Biham, Eli, Early PGP
biometrics, Reasonable Metrics–Reasonable Metrics
BITS Common Criteria for Software, Enforcing Security in Off-the-Shelf Software
Black Hat Conference, Social Networking for the Security Industry
blacklisting, The evolution of the blacklist method, Applying artificial intelligence
Blaster virus, On the Conveyor Belt of the Internet
blogging, Democratization of Tools for Production
BoA Factory site, The Underground Communication Infrastructure
Bork, Robert, How Data Translucency Works
Boston Market, The players
botnets
    army building software, The Payoff
    attack infrastructure, The Attack Infrastructure
    challenges in detecting, Correlating with Watch Lists
    client-side vulnerability, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
    CPC advertising, Gaming CPC advertising, Gaming CPC advertising
    cyber underground and, The Makeup and Infrastructure of the Cyber Underground
    functionality, The Makeup and Infrastructure of the Cyber Underground, Malware, Correlating with Watch Lists
    peer-to-peer structure, The Attack Infrastructure
BPM (Business Process Management)
    levels of effective programs, BPM As a Guide to Multisite Security
    multisite security, BPM As a Guide to Multisite Security–BPM As a Guide to Multisite Security
    potential for, Connecting People, Process, and Technology: The Potential for Business Process Management–BPM As a Guide to Multisite Security
    supply chain composition and, Diffuse Security in a Diffuse World
BPMI (Business Process Management Initiative), BPM As a Guide to Multisite Security
breaches (see security breaches)
bridge CAs, Cumulative Trust
Briggs, Matt, Storing and Correlating Honeyclient Data
brute-force attacks, Wireless Gone Wild, A Mob Response
buffer overflows
    security vulnerability, Vulnerability in Place of Security, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
    SQL Slammer worm, Incident Detection: Finding the Other 68%
Business Process Management (see BPM)
Business Process Management Initiative (BPMI), BPM As a Guide to Multisite Security
business rules engines, BPM As a Guide to Multisite Security

C

California AB 1950, How Geeks Need Lawyers
California SB 1386
    balance in information security, The California Data Privacy Law–The California Data Privacy Law
    on data sharing, Data Transparency, Reasonable Metrics
    on reporting breaches, Global metrics
    passage of, How Geeks Need Lawyers
call options, How it happened
Callas, Jon, The Evolution of PGP’s Web of Trust–References
Capture-HPC honeyclient, Second-Generation Honeyclients, Related Work
CardSystems security breach, Doing the Right Thing
Carnegie Mellon CMMI process, How One Firm Came to Demand Secure Software
Carr, Nicholas, BPM As a Guide to Multisite Security
Carter Doctrine, Culture
CAs (see certificate authorities)
cashiers (cyber underground)
    defined, The Makeup and Infrastructure of the Cyber Underground
    drop accounts, The Money-Laundering Game
CDC (Centers for Disease Control and Prevention), Data Transparency
Center for Internet Security (CIS), Barings: “What if...”
Center for Strategic and International Studies (CSIS), Culture
Centers for Disease Control and Prevention (CDC), Data Transparency
certificate authorities, Cumulative Trust (see also introducers in PGP)
    certification support, Cumulative Trust
    DSG support, The Digital Signature Guidelines
    establishing trust relationships, Adapting a Proven Solution
    hierarchical trust, Hierarchical Trust
    SET requirements, Secure Electronic Transaction
certificates, Hierarchical Trust (see also specific types of certificates)
    defined, Cumulative Trust
    revoking, Revocation–Reasons for revocation
    self-signed, Direct Trust, Hierarchical Trust
    verifying, Hierarchical Trust
    Web of Trust support, The Basic PGP Web of Trust
certification
    defined, Cumulative Trust
    OpenPGP colloquialism for, Cumulative Trust
    OpenPGP support, Cumulative Trust
CFAA (Computer Fraud and Abuse Act), How Geeks Need Lawyers
Charney, Scott, Culture
Chuvakin, Anton, Beautiful Log Handling–Conclusions, A Common Starting Point
Cigital, Security by Design, Developer training
Citi, Single-Use and Multiple-Use Virtual Cards
CLASP methodology, Setting up formal quality processes for security, Developer training
click fraud
    botnet support, The Attack Infrastructure, Gaming CPC advertising
    CPA advertising, Inflating CPA costs
    federal litigation, Inflating CPA costs
client-side vulnerabilities, Enter Honeyclients (see also honeyclients)
    background, Open Source Honeyclient: Proactive Detection of Client-Side Exploits–Open Source Honeyclient: Proactive Detection of Client-Side Exploits
    malware exploitation, Vulnerability in Place of Security, Open Source Honeyclient: Proactive Detection of Client-Side Exploits, Analysis of Exploits–Analysis of Exploits
    naïveté about, Naïveté As the Client Counterpart to Learned Helplessness–Naïveté As the Client Counterpart to Learned Helplessness
Clinton, Bill, Sunk Costs Versus Future Profits: An ISP Example
cloud computing
    applying security to, Clouds and Web Services to the Rescue
    builders versus breakers, Builders Versus Breakers
    defined, Cloud Computing and Web Services: The Single Machine Is Here
    identity management services, A New Dawn
CNCI (Comprehensive National Cybersecurity Initiative), Culture
CNN network, Sunk Costs Versus Future Profits: An ISP Example
COBIT regulation, Logs in Security Laws and Standards
Code Red virus, On the Conveyor Belt of the Internet
Commerce, Department of, How a Disciplined System Development Lifecycle Can Help
commercial software (see software acquisition)
Commission Junction affiliate network, Inflating CPA costs
Commission on Cyber Security for the 44th Presidency, Culture
Common Vulnerabilities and Exposures (CVE) database, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
communication
    cyber underground infrastructure, The Underground Communication Infrastructure, The Attack Infrastructure
    information security and, Communication–A Data Breach Tiger Team
Comprehensive National Cybersecurity Initiative (CNCI), Culture
Computer Fraud and Abuse Act (CFAA), How Geeks Need Lawyers
confidentiality of data, Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
confirmation traps
    defined, An Introduction to the Concept
    intelligence analysts, The Analyst Confirmation Trap
    overview, Confirmation Traps–An Introduction to the Concept
    rationalizing capabilities, Rationalizing Away Capabilities
    stale threat modeling, Stale Threat Modeling
contagion worm exploit, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
cookies, stuffed, Inflating CPA costs
cost per action (see CPA advertising)
cost per click (see CPC advertising)
Cost Per Thousand Impressions (see CPM advertising)
COTS (see software acquisition)
coverage metrics, Barings: Some security metrics
CPA advertising
    functionality, Escaping Fraud-Prone CPM Advertising
    inflating costs, Inflating CPA costs–Inflating CPA costs
    stuffed cookies, Inflating CPA costs
CPC advertising
    click-fraud detection services, Gaming CPC advertising
    functionality, Escaping Fraud-Prone CPM Advertising–Gaming CPC advertising
    syndication partnerships, Gaming CPC advertising, Gaming CPC advertising
CPM advertising
    basis of, False Impressions
    fraud-prone, Escaping Fraud-Prone CPM Advertising–Inflating CPA costs
credit card information
    as shared secret, Analyzing the Security Context–Weak Amelioration Attempts, Requirement 5: The Process Must Not Rely Solely on Shared Secrets
    card associations and, Card association
    checking site authenticity, Establishing Wireless Trust
    consumers and, Consumer, Requirement 1: The Consumer Must Be Authenticated
    current market value, The Payoff
    CV2 security code, Weak Amelioration Attempts
    cyber underground and, The Makeup and Infrastructure of the Cyber Underground
    devaluing data, Devalue Data
    e-commerce security, Beautiful Trade: Rethinking E-Commerce Security–Analyzing the Security Context
    financial institutions, Acquiring and issuing banks
    identity theft, Easy Money–A Cornucopia of Personal Data
    merchants and service providers, Merchant and service provider, Requirement 2: The Merchant Must Be Authenticated
    PCI protection, Barings: “What if...”
    proposed payment model, The New Model
    spyware stealing, Malware
    SQL injection attacks, Exploiting website vulnerabilities
    TJX security breach, How it happened
    virtual cards, Single-Use and Multiple-Use Virtual Cards
cross-certification, Cumulative Trust
cross-site scripting, When the security process really took hold
crowdsourcing, Security in Numbers
Crypto Wars, The Crypto Wars
CSIS (Center for Strategic and International Studies), Culture
culture, organizational, Culture–Culture
cumulative trust, Cumulative Trust
Curphey, Margaret, Acknowledgments
Curphey, Mark, Tomorrow’s Security Cogs and Levers–Acknowledgments
CV2 security code, Weak Amelioration Attempts
CVE (Common Vulnerabilities and Exposures) database, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
cyber underground
    attack infrastructure, The Attack Infrastructure
    attack methods, Attack Vectors–Phishing, facilitated by social-engineering spam
    cashiers, The Makeup and Infrastructure of the Cyber Underground
    combating, How Can We Combat This Growing Underground Economy?–Establish a Social Metric and Reputation System for Data Responsibility
    communication infrastructure, The Underground Communication Infrastructure
    CSI-FBI Study, The Underground Economy of Security Breaches
    data exchange example, The Data Exchange
    fraudsters and attack launchers, The Makeup and Infrastructure of the Cyber Underground
    goals of attacks, The Underground Economy of Security Breaches, Incident Detection: Finding the Other 68%, Correlating with Watch Lists
    information dealers, The Makeup and Infrastructure of the Cyber Underground
    information sources, Information Sources
    makeup and infrastructure, The Makeup and Infrastructure of the Cyber Underground–The Attack Infrastructure
    malware producers, The Makeup and Infrastructure of the Cyber Underground
    money laundering and, The Money-Laundering Game
    payoffs, The Payoff–The Money-Laundering Game
    resource dealers, The Makeup and Infrastructure of the Cyber Underground
Cydoor ad network, Exploit-Laden Banner Ads

D

Danford, Robert, Related Work
Data Encryption Standard (DES), A Real-Life Example: How Microsoft Enabled L0phtCrack
data integrity, Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
Data Loss Database (DataLossDB), Data Transparency, Global metrics–Global metrics
data responsibility
    incentive/reward structure, Institute an Incentive/Reward Structure
    social metric for, Establish a Social Metric and Reputation System for Data Responsibility
data theft
    as cottage industry, The Payoff
    botnet support, The Attack Infrastructure
    combating, Devalue Data
    from merchant stores, Information Sources
    incident detection considerations, Building a Resilient Detection Model
    spyware and, Malware
data translucency
    additional suggestions, Going Deeper
    advantages, Trade-offs
    disadvantages, Trade-offs
    overview, Doing Real Work Without Real Data–How Data Translucency Works
    personal data and, Personal Data Stored As a Convenience
    real-life example, A Real-Life Example
data-sharing mechanisms
    DHS support, Data Transparency
    security flaws in, Data Transparency
databases
    data translucency in, Doing Real Work Without Real Data–Going Deeper
    logging support, A Proliferation of Sources
    security breaches and, Doing Real Work Without Real Data
Dave & Buster’s, The players
Davies, Donald, Tomorrow’s Security Cogs and Levers
DCS systems, Sunk Costs Versus Future Profits: An Energy Example
DDoS (distributed denial of service)
    attacks on major ISPs, Sunk Costs Versus Future Profits: An ISP Example
    botnet support, The Attack Infrastructure, The Attack Infrastructure, Correlating with Watch Lists
    client-side vulnerability, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
    honeyclients and, Second-Generation Honeyclients
    LANs and, Wireless Gone Wild
deceptive advertisements, Deceptive Advertisements–Deceptive Advertisements
Defense, Department of, Logs in Security Laws and Standards
Dell computers, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
Deloitte & Touche, LLP, Culture
denial of service (see DDoS)
Department of Agriculture, Software Vendors Give Us What We Want but Not What We Need
Department of Commerce, How a Disciplined System Development Lifecycle Can Help
Department of Defense, Logs in Security Laws and Standards
Department of Homeland Security, Data Transparency
deperimeterization, Diffuse Security in a Diffuse World
DES (Data Encryption Standard), A Real-Life Example: How Microsoft Enabled L0phtCrack
designated revokers, Designated revokers
DHCP lease logs, Building a Resilient Detection Model
DHS (Department of Homeland Security), Data Transparency
Diffie, Whitfield, Cumulative Trust, Cumulative Trust
digital certificates (see certificates)
Digital Point Systems, Inflating CPA costs
Digital Signature Guidelines (DSG), The Digital Signature Guidelines–The Digital Signature Guidelines
direct trust
    defined, Direct Trust
    root certificates, Hierarchical Trust
directionality, A Common Starting Point
distributed denial of service (see DDoS)
distribution channels, Democratization of Channels for Distribution
DKIM email-authentication, Authoritative keys
Dobbertin, Hans, From PGP 3 to OpenPGP
doing the right thing in information security, Doing the Right Thing–Doing the Right Thing
drop accounts, The Money-Laundering Game
Drucker, Peter, Information Security Economics: Supercrunching and the New Rules of the Grid
DSG (Digital Signature Guidelines), The Digital Signature Guidelines–The Digital Signature Guidelines
DSW Shoe Warehouse, The players
Dublin City University, Related Work
Dunphy, Brian, Incident Detection: Finding the Other 68%–Summary
Durick, J.D., Second-Generation Honeyclients
dynamic testing, Fixing the Problems

E

e-commerce security
    3-D Secure protocol, 3-D Secure–Evaluation of 3-D Secure
    analyzing current practices, Deconstructing Commerce–Analyzing the Security Context
    authorizing transactions, Requirement 3: The Transaction Must Be Authorized
    broken incentives, Broken Incentives–He who controls the spice
    confidentiality of data, Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
    consumer authentication, Requirement 1: The Consumer Must Be Authenticated
    data integrity, Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
    exploiting website vulnerabilities, Exploiting website vulnerabilities
    friendly fraud and, Requirement 3: The Transaction Must Be Authorized
    merchant authentication, Requirement 2: The Merchant Must Be Authenticated
    new security model, E-Commerce Redone: A New Security Model–The New Model
    not sharing authentication data, Requirement 4: Authentication Data Should Not Be Shared Outside of Authenticator and Authenticated
    portability of authentication, Requirement 6: Authentication Should Be Portable (Not Tied to Hardware or Protocols)
    primary challenges, Beautiful Trade: Rethinking E-Commerce Security
    proposed payment model, The New Model
    SET protocol, Secure Electronic Transaction
    shared secrets and, Analyzing the Security Context–Weak Amelioration Attempts, Requirement 5: The Process Must Not Rely Solely on Shared Secrets
    virtual cards, Single-Use and Multiple-Use Virtual Cards
EAP (Extensible Authentication Protocol), How it happened
Earned Value Management (EVM), Metrics with No Meaning
eBay
    CPA advertising, Inflating CPA costs, Inflating CPA costs
    DDoS attacks on, Sunk Costs Versus Future Profits: An ISP Example
    principle of reliability, Social Networking for the Security Industry
ECPA (Electronic Communications Privacy Act), How Geeks Need Lawyers
Edelman, Benjamin, Securing Online Advertising: Rustlers and Sheriffs in the New Wild West–Creating Accountability in Online Advertising, A Data Breach Tiger Team, Rewards for Misbehavior
Edwards, Betsy, How a Disciplined System Development Lifecycle Can Help
Einstein, Albert, Tomorrow’s Security Cogs and Levers
Electronic Communications Privacy Act (ECPA), How Geeks Need Lawyers
email
    log handling, A Proliferation of Sources
    malware exploits, On the Conveyor Belt of the Internet
EMBED tag, Malvertisements
encryption
    LAN Manager sequence, A Real-Life Example: How Microsoft Enabled L0phtCrack
    PGP support, The Evolution of PGP’s Web of Trust, PGP and Crypto History–From PGP 3 to OpenPGP
    security certificates and, Easy Money, A Cornucopia of Personal Data
    SET support, Secure Electronic Transaction
Encyclopædia Britannica, Deceptive Advertisements–Deceptive Advertisements
event logs (see logs)
EVM (Earned Value Management), Metrics with No Meaning
executables, malware exploits and, Limitations of the Current Honeyclient Implementation
exportable signatures, Exportable signatures
extended introducers, Extended introducers
Extensible Authentication Protocol (EAP), How it happened

F

Facebook social network, The State of the Art and the Potential in Social Networking, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All, Democratization of Tools for Production
failing closed, Naïveté As the Client Counterpart to Learned Helplessness
failing open, Naïveté As the Client Counterpart to Learned Helplessness
false negatives, Building a Resilient Detection Model
false positives, Challenges with Logs, Building a Resilient Detection Model
Federal Sentencing Guidelines, How Geeks Need Lawyers
Federal Trade Commission (see FTC)
financial institutions
    banking trojans, Analysis of Exploits, On the Conveyor Belt of the Internet
    credit card information, Acquiring and issuing banks
    cyber attacks on, Information Sources
    drop accounts, The Money-Laundering Game
    exploiting website vulnerabilities, Exploiting website vulnerabilities, Choosing a focus and winning over management
    federated authentication programs, Success Driven from the Top, Carried Out Through Collaboration
    infosecurity and, How Geeks Need Lawyers
Finjan security firm, The Makeup and Infrastructure of the Cyber Underground
Finney, Hal, Early PGP
firewalls
    energy company vulnerabilities, Sunk Costs Versus Future Profits: An Energy Example
    host logging, Improving Perspective with Host Logging
    log handling, Challenges with Logs, A Proliferation of Sources
    need for new strategies, Casting Spells: PC Security Theater
    SQL Slammer worm, Incident Detection: Finding the Other 68%
    watch lists, Correlating with Watch Lists
Flash ActionScript, Malvertisements
Forester, C. S., Social Networking: When People Start Communicating, Big Things Change
Forever 21, The players
forums, online, A Mob Response
Foundstone vulnerability management, Builders Versus Breakers
Francisco, Fernando, Casting Spells: PC Security Theater–Conclusion
fraudsters (cyber underground)
    combating, Devalue Data
    defined, The Makeup and Infrastructure of the Cyber Underground
    information sources, Information Sources
Friedman, Thomas, Connecting People, Process, and Technology: The Potential for Business Process Management
friendly fraud, Requirement 3: The Transaction Must Be Authorized
FTC (Federal Trade Commission)
    challenging deceptive ads, Deceptive Advertisements, Deceptive Advertisements
    deceptive door opener prohibition, Deceptive Advertisements
    Encyclopædia Britannica and, Deceptive Advertisements
    exploit-laden banner ads and, Exploit-Laden Banner Ads
    OWASP recommendation, Social Networking: When People Start Communicating, Big Things Change
FTP server security breach, The Observed Event–Summary
functional fixation
    costs versus profits examples, Sunk Costs Versus Future Profits: An ISP Example–Sunk Costs Versus Future Profits: An Energy Example
    defined, Functional Fixation
    overview, Vulnerability in Place of Security
fuzzing technique, Confirmation Traps

G

gaming trojans, Analysis of Exploits, On the Conveyor Belt of the Internet
Gartner Group, Choosing a focus and winning over management
Gates, Bill, Connecting People, Process, and Technology: The Potential for Business Process Management
Geer, Daniel E., Jr., Security Metrics by Analogy: Health, Security Metrics by Analogy: Health, More Public Data Sources
Geyer, Grant, Incident Detection: Finding the Other 68%–Summary
Gibson, Steve, A Mob Response
GLBA (Gramm-Leach-Bliley Financial Services Modernization Act), Broken Incentives, Logs in Security Laws and Standards
GoDaddy, Hierarchical Trust
Gonzalez, Albert, The players
Google
    AdSense service, Lessons from Other Procurement Contexts: The Special Challenges of Online Procurement
    CPC advertising, Gaming CPC advertising, Gaming CPC advertising, Gaming CPC advertising
    democratization of production tools, Democratization of Tools for Production
    false ads lawsuit, Deceptive Advertisements
    honeyclient support, Related Work
    on malware distribution, Malware
    Safe Browsing API, Related Work
    testing ads, Malvertisements
Gore, Al, Tomorrow’s Security Cogs and Levers
Gramm-Leach-Bliley Financial Services Modernization Act (GLBA), Broken Incentives, Logs in Security Laws and Standards
GRC.com, A Mob Response
grep utility, Challenges with Logs
Guin v. Brazos, Security’s Return on Investment
Gutmann, Peter, Early PGP

H

handshakes, Wireless Gone Wild
Hannaford Brothers security breach, The Payoff, Information Sources, Doing the Right Thing
hash algorithms
    data translucency and, How Data Translucency Works
    LAN Manager, A Real-Life Example: How Microsoft Enabled L0phtCrack
    SET procedure, Secure Electronic Transaction
    Windows NT, A Real-Life Example: How Microsoft Enabled L0phtCrack
Hasselbacher, Kyle, The PGP Global Directory
health care field
    infosecurity and, How Geeks Need Lawyers
    security metrics, Security Metrics by Analogy: Health–Reasonable Metrics
Health Insurance Portability and Accountability Act (HIPAA), Broken Incentives, Logs in Security Laws and Standards
hierarchical trust
    cumulative trust comparison, Cumulative Trust
    defined, Hierarchical Trust
HijackThis change tracker, Exploit-Laden Banner Ads
HIPAA (Health Insurance Portability and Accountability Act), Broken Incentives, Logs in Security Laws and Standards
HIPS (Host-based Intrusion Prevention Systems), Host-based Intrusion Prevention Systems
Holz, Thorsten, Related Work
Homeland Security, Department of, Data Transparency
honeyclients
    defined, Enter Honeyclients
    future of, The Future of Honeyclients
    implementation limitations, Limitations of the Current Honeyclient Implementation
    open source, Introducing the World’s First Open Source Honeyclient–Introducing the World’s First Open Source Honeyclient
    operational results, Honeyclient Operational Results–Storing and Correlating Honeyclient Data
    operational steps, Introducing the World’s First Open Source Honeyclient, Second-Generation Honeyclients
    related work, Related Work–Related Work
    second-generation, Second-Generation Honeyclients–Second-Generation Honeyclients
    storing and correlating data, Storing and Correlating Honeyclient Data
honeymonkeys, Related Work
Honeynet Project, Second-Generation Honeyclients, Related Work
honeypot systems
    defined, Enter Honeyclients
    proliferation of malware, The evolution of the blacklist method
Honeywall, Second-Generation Honeyclients, Second-Generation Honeyclients
host logging, Improving Perspective with Host Logging–Building a Resilient Detection Model
Host-based Intrusion Prevention Systems (HIPS), Host-based Intrusion Prevention Systems
hostile environments
    confirmation traps and, Confirmation Traps
    specialization in, On the Conveyor Belt of the Internet
hotspot services, Easy Money
House Committee on Homeland Security, Culture, Culture
Howard, Michael, Microsoft Leading the Way
HTTPS protocol, The Attack Infrastructure
Hubbard, Dan, Related Work
Hula Direct ad broker, False Impressions, False Impressions

I

IBM, social networking and, The State of the Art and the Potential in Social Networking
IDEA (International Data Encryption Algorithm), Early PGP, Patent and Export Problems
iDefense Labs, More Public Data Sources, BPM As a Guide to Multisite Security
identity certificates, Cumulative Trust
identity management services, A New Dawn
identity theft
    devaluing credit card information, Separate Permission from Information
    wireless networking, Easy Money–A Cornucopia of Personal Data
IDS (intrusion detection system)
    building a resilient model, Building a Resilient Detection Model–Building a Resilient Detection Model
    challenges detecting botnets, Correlating with Watch Lists
    false positives, Challenges with Logs
    functionality, A Common Starting Point
    honeyclient support, Enter Honeyclients, Related Work
    host logging, Improving Perspective with Host Logging–Building a Resilient Detection Model
    host-based, Host-based Intrusion Prevention Systems
    improving detection with context, Improving Detection with Context–Correlating with Watch Lists
    limitations, A Common Starting Point, Improving Coverage with Traffic Analysis
    log handling considerations, Architecture and Context for the Incident
Iframedollars.biz, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
incident detection, Building a Resilient Detection Model (see also malicious attacks)
    building a resilient model, Building a Resilient Detection Model–Building a Resilient Detection Model
    host logging and, Improving Perspective with Host Logging–Building a Resilient Detection Model
    improving with context, Improving Detection with Context–Correlating with Watch Lists
    percentage identified, Incident Detection: Finding the Other 68%, A Common Starting Point
    SQL Slammer worm, Incident Detection: Finding the Other 68%
InCtrl change tracker, Exploit-Laden Banner Ads
information dealers
    defined, The Makeup and Infrastructure of the Cyber Underground
    IRC data exchange, The Data Exchange
    malware producers and, The Makeup and Infrastructure of the Cyber Underground
    sources of information, Information Sources
information security
    as long tail market, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All–Connection of Supply and Demand
    balance in, Balance–Security’s Return on Investment
    basic concepts, Oh No, Here Come the Infosecurity Lawyers!
    cloud computing, Cloud Computing and Web Services: The Single Machine Is Here–A New Dawn
    communication considerations, Communication–A Data Breach Tiger Team
    connecting people and processes, Connecting People, Process, and Technology: The Potential for Business Process Management–BPM As a Guide to Multisite Security
    doing the right thing, Doing the Right Thing–Doing the Right Thing
    historical review, Growing Attacks, Defenses in Retreat–A Mob Response
    host logging, Improving Perspective with Host Logging
    need for new strategies, Casting Spells: PC Security Theater
    organizational culture, Culture–Culture
    overview, Tomorrow’s Security Cogs and Levers–Tomorrow’s Security Cogs and Levers
    September 11, 2001 and, On the Conveyor Belt of the Internet
    social networking and, Social Networking: When People Start Communicating, Big Things Change–Security in Numbers
    strict scrutiny, Strict Scrutiny: Traditional and Updated Anti-Virus Scanning–Applying artificial intelligence
    suggested practices, Better Practices for Desktop Security
    supercrunching, A New Dawn, Information Security Economics: Supercrunching and the New Rules of the Grid–Information Security Economics: Supercrunching and the New Rules of the Grid
    taking a security history, Barings: “What if...”–Barings: “What if...”
    web services, Cloud Computing and Web Services: The Single Machine Is Here–A New Dawn
Information Security Economics, Information Security Economics: Supercrunching and the New Rules of the Grid–Information Security Economics: Supercrunching and the New Rules of the Grid
Information Security Group, Conclusion
injected iFrames, Malware, Malware
International Data Encryption Algorithm (IDEA), Early PGP, Patent and Export Problems
International Tariff on Arms Regulations (ITAR), A Real-Life Example: How Microsoft Enabled L0phtCrack
Internet Explorer
    exploit-based installs and, Exploit-Laden Banner Ads
    open source honeyclients, Introducing the World’s First Open Source Honeyclient
    recent vulnerabilities, Open Source Honeyclient: Proactive Detection of Client-Side
Exploits Internet Relay Chat (see IRC) intranets, security flaws, A Fundamental Flaw in Web Security: Not Trusting the Trust
System introducers in PGP, The Basic PGP Web of Trust (see also certificate authorities) defined, Trust, Validity, and Authority , Cumulative Trust extended, Extended introducers Web of Trust process, The Basic PGP Web of Trust intrusion detection system (see IDS) investment metrics, Barings: Some security metrics IRC (Internet Relay Chat) botnet communication, The Attack Infrastructure cyber underground communication, The Underground Communication Infrastructure , The Data Exchange ISO 2700x standard, Logs in Security Laws and Standards ISPs, costs versus profits, Sunk Costs Versus Future Profits: An ISP Example –Sunk Costs Versus Future Profits: An ISP Example ITAR (International Tariff on Arms Regulations), A Real-Life Example: How Microsoft Enabled L0phtCrack ITIL regulation, Logs in Security Laws and Standards iTunes, Platforms of the Long-Tail Variety: Why the Future Will Be
Different for Us All K Kaminsky, Dan, Social Networking for the Security Industry KBA (knowledge-based authentication), The Data Exchange key loggers as information source, Information Sources specialization in, On the Conveyor Belt of the Internet key signatures bloat and harassment, Signature Bloat and Harassment certificate support, Cumulative Trust exportable, Exportable signatures freshness considerations, Freshness in-certificate preferences, In-Certificate Preferences Web of Trust, The Basic PGP Web of Trust , The social implications of signing keys , The basic model for revocation keyrings, Cumulative Trust keys (see certificates; public key cryptography) keyservers defined, Cumulative Trust key-editing policies, Key-editing policies PGP Global Directory, The PGP Global Directory Klez virus, On the Conveyor Belt of the Internet knowledge-based authentication (KBA), The Data Exchange Kovah, Xeno, Second-Generation Honeyclients L L0phtCrack government interest in, Rationalizing Away Capabilities learned helplessness example, A Real-Life Example: How Microsoft Enabled L0phtCrack –A Real-Life Example: How Microsoft Enabled L0phtCrack Lai, Xuejia, Early PGP LAN Manager, A Real-Life Example: How Microsoft Enabled L0phtCrack Lancaster, Branko, Early PGP Langevin, Jim, Culture LANs, physical security inherent in, Wireless Gone Wild Lansky, Jared, Exploit-Laden Banner Ads –Exploit-Laden Banner Ads learned helplessness backward compatibility and, Learned Helplessness and Naïveté defined, Learned Helplessness and Naïveté , Password and Authentication Security Could Have Been Better from
the Start L0phtCrack example, A Real-Life Example: How Microsoft Enabled L0phtCrack –A Real-Life Example: How Microsoft Enabled L0phtCrack overview, Learned Helplessness and Naïveté –Password and Authentication Security Could Have Been Better from
the Start Leeson, Nick, Barings Bank: Insider Breach –Barings: Some security metrics legacy systems backward compatibility, Password and Authentication Security Could Have Been Better from
the Start e-commerce security and, Beautiful Trade: Rethinking E-Commerce
Security end-of-life upgrades, Learned Helplessness and Naïveté , Password and Authentication Security Could Have Been Better from
the Start password security and, A Real-Life Example: How Microsoft Enabled L0phtCrack –A Real-Life Example: How Microsoft Enabled L0phtCrack legal considerations balance in information security, Balance –Security’s Return on Investment communication and information security, Communication –A Data Breach Tiger Team doing the right thing, Doing the Right Thing –Doing the Right Thing information security concepts, Oh No, Here Come the Infosecurity
Lawyers! log handling, Log Analysis and Management Tools of the Future organizational culture, Culture –Culture value of logs, Logs in Security Laws and Standards Levy, Steven, The Crypto Wars LinkShare affiliate network, Inflating CPA costs Linux systems, A Proliferation of Sources log management tools, Log Analysis and Management Tools of the Future –Log Analysis and Management Tools of the Future log messages, Focus on Logs logs case study, Case Study: Behind a Trashed Server –Summary challenges with, Challenges with Logs –Challenges with Logs classifying, Focus on Logs database, A Proliferation of Sources defined, Focus on Logs email tracking, A Proliferation of Sources future possibilities, Future Logging –Log Analysis and Management Tools of the Future host logging, Improving Perspective with Host Logging –Building a Resilient Detection Model incident detection and, A Common Starting Point , Improving Detection with Context regulatory compliance and, Logs in Security Laws and Standards universal standard considerations, Challenges with Logs usefulness of, A New Dawn , Logs in Security Laws and Standards , When Logs Are Invaluable long straddle trading strategy, How it happened Lucent (see Bell Labs) Lynch, Aidan, Related Work M machine learning, Applying artificial intelligence malicious attacks, Improving Detection with Context (see also cyber underground; incident detection) attack indicators, Building a Resilient Detection Model –Building a Resilient Detection Model Blaster, On the Conveyor Belt of the Internet Code Red, On the Conveyor Belt of the Internet confirmation traps, Confirmation Traps directionality of, A Common Starting Point energy companies vulnerabilities, Sunk Costs Versus Future Profits: An Energy Example identity theft, Easy Money –Adapting a Proven Solution Jerusalem, On the Conveyor Belt of the Internet Klez, On the Conveyor Belt of the Internet Melissa, On the Conveyor Belt of the Internet Michelangelo, On the Conveyor Belt of the 
Internet Morris, On the Conveyor Belt of the Internet MyDoom, On the Conveyor Belt of the Internet Nimda, On the Conveyor Belt of the Internet Pakistani Flu, On the Conveyor Belt of the Internet Slammer, On the Conveyor Belt of the Internet Snort signatures, Improving Detection with Context Sober, On the Conveyor Belt of the Internet Sobig, On the Conveyor Belt of the Internet SQL Slammer worm, Incident Detection: Finding the Other 68% –A Common Starting Point , Improving Coverage with Traffic Analysis Symantec reports on, Improving Coverage with Traffic Analysis VBS/Loveletter—“I Love you”, On the Conveyor Belt of the Internet W32.Gaobot worm, Improving Coverage with Traffic Analysis malvertisements, Malvertisements –Malvertisements malware anti-virus software and, A Mob Response as cyber attack method, Malware banking trojans, Analysis of Exploits , On the Conveyor Belt of the Internet client-side exploitation, Vulnerability in Place of Security , Open Source Honeyclient: Proactive Detection of Client-Side
Exploits , Analysis of Exploits –Analysis of Exploits common distribution methods, Malware current market values, The Payoff directionality of attacks, A Common Starting Point gaming trojans, Analysis of Exploits , On the Conveyor Belt of the Internet historical review, On the Conveyor Belt of the Internet –On the Conveyor Belt of the Internet polymorphic, Malware production cycle, The Makeup and Infrastructure of the Cyber Underground streamlining identification of, Applying artificial intelligence targeted advertising, Rewards for Misbehavior , A Mob Response testing, The Makeup and Infrastructure of the Cyber Underground zero-day exploits, The evolution of the blacklist method malware producers defined, The Makeup and Infrastructure of the Cyber Underground information dealers and, The Makeup and Infrastructure of the Cyber Underground polymorphic malware, Malware testing code, The Makeup and Infrastructure of the Cyber Underground man-in-the-middle attacks, A Fundamental Flaw in Web Security: Not Trusting the Trust
System manual penetration testing, Fixing the Problems Massey, James, Early PGP MasterCard 3-D Secure protocol, 3-D Secure SET protocol, Secure Electronic Transaction Maurer, Ueli, Variable Trust Ratings MBNA, Single-Use and Multiple-Use Virtual Cards McAfee online safety survey, Choosing a focus and winning over management SiteAdvisor, Deceptive Advertisements vulnerability management, Builders Versus Breakers McBurnett, Neal, Social Networks and Traffic Analysis McCabe, Jim, How a Disciplined System Development Lifecycle Can Help , How a Disciplined System Development Lifecycle Can Help McCaul, Mike, Culture McDougle, John, How a Disciplined System Development Lifecycle Can Help , How a Disciplined System Development Lifecycle Can Help McGraw, Gary, How One Firm Came to Demand Secure Software McManus, John, Security by Design –Conclusion: Beautiful Security Is an Attribute of Beautiful
Systems Mean Time Between Security Incidents
(MTBSI), Barings: Some security metrics Mean Time to Repair (MTTR), Local metrics Mean Time to Repair Security Incidents
(MTTRSI), Barings: Some security metrics Media Guard product, Malvertisements medical field infosecurity and, How Geeks Need Lawyers security metrics, Security Metrics by Analogy: Health –Reasonable Metrics Melissa virus, On the Conveyor Belt of the Internet Merchant Server Plug-in (MPI), 3-D Secure transactions meta-introducers, Extended introducers metrician, Security Metrics by Analogy: Health metrics Barings Bank security breach, Barings Bank: Insider Breach –Barings: Some security metrics coverage, Barings: Some security metrics for data responsibility, Establish a Social Metric and Reputation System for Data
Responsibility health care field, Security Metrics by Analogy: Health –Reasonable Metrics investment, Barings: Some security metrics measuring ROI, Information Security Economics: Supercrunching and the New Rules of
the Grid scan coverage, Local metrics software development lifecycle and, Metrics with No Meaning –Metrics with No Meaning , Fixing the Problems TJX security breach, TJX: Outsider Breach –Local metrics treatment effect, Barings: Some security metrics MetricsCenter technology, Barings: “What if...” MetricsCenter.org, TJX: “What if...” Michelangelo virus, On the Conveyor Belt of the Internet microchunking, Democratization of Channels for Distribution Microsoft, Introducing the World’s First Open Source Honeyclient (see also Internet Explorer) Authenticode, Hierarchical Trust Azure cloud operating system, Builders Versus Breakers Commission on Cyber Security, Culture CPC advertising, Gaming CPC advertising hierarchical trust, Hierarchical Trust honeymonkeys, Related Work L0phtCrack example, A Real-Life Example: How Microsoft Enabled L0phtCrack –A Real-Life Example: How Microsoft Enabled L0phtCrack security controls in SDLC, Microsoft Leading the Way SQL Server, Incident Detection: Finding the Other 68% supporting legacy systems, Password and Authentication Security Could Have Been Better from
the Start testing approach, Confirmation Traps Unix systems and, Password and Authentication Security Could Have Been Better from
the Start MITRE Corporation, Second-Generation Honeyclients , Log Analysis and Management Tools of the Future money, Barings: “What if...” , The Money-Laundering Game , Analysis of Exploits (see also financial institutions; PCI) Monroe Doctrine, Culture Morris virus, On the Conveyor Belt of the Internet mothership systems, Correlating with Watch Lists Motorola Corporation, What About the Wireless Access Point Itself? Mozilla Firefox honeyclient support, Storing and Correlating Honeyclient Data , Related Work malware exploits and, Analysis of Exploits MPI (Merchant Server Plug-in), 3-D Secure transactions MTBSI (Mean Time Between Security
Incidents), Barings: Some security metrics MTTR (Mean Time to Repair), Local metrics MTTRSI (Mean Time to Repair Security
Incidents), Barings: Some security metrics Murray, Daragh, Related Work MyDoom virus, On the Conveyor Belt of the Internet MySpace social network, The State of the Art and the Potential in Social
Networking N naïveté client counterpart of, Naïveté As the Client Counterpart to Learned Helplessness –Naïveté As the Client Counterpart to Learned Helplessness learned helplessness and, Learned Helplessness and Naïveté –Password and Authentication Security Could Have Been Better from
the Start NASA background, Security by Design perception of closed systems, Security by Design software development lifecycle, Metrics with No Meaning –Metrics with No Meaning , How a Disciplined System Development Lifecycle Can Help –How a Disciplined System Development Lifecycle Can Help National Institute for Standards, Social Networking: When People Start Communicating, Big Things
Change National Office for Cyberspace (NOC), Culture , Culture Nazario, Jose, Related Work newsgroups, A Mob Response Nichols, Elizabeth, Beautiful Security Metrics –Summary Nichols, Elizabeth A., What About the Wireless Access Point Itself? Nimda virus, On the Conveyor Belt of the Internet NOC (National Office for Cyberspace), Culture , Culture NTLM authentication, A Real-Life Example: How Microsoft Enabled L0phtCrack O OCC, Enforcing Security in Off-the-Shelf Software off-the-shelf software (see software acquisition) Office Max, The players online advertising advertisers as victims, Advertisers As Victims –Lessons from Other Procurement Contexts: The Special Challenges
of Online Procurement attacks on users, Attacks on Users –Deceptive Advertisements CPA advertising, Inflating CPA costs –Inflating CPA costs CPC advertising, Escaping Fraud-Prone CPM Advertising –Gaming CPC advertising CPM advertising, Escaping Fraud-Prone CPM Advertising –Inflating CPA costs creating accountability, Creating Accountability in Online Advertising deceptive ads, Deceptive Advertisements –Deceptive Advertisements exploit-laden banner ads, Exploit-Laden Banner Ads –Exploit-Laden Banner Ads false impressions, False Impressions –False Impressions fighting fraud, Why Don’t Advertisers Fight Harder? –Why Don’t Advertisers Fight Harder? malvertisements, Malvertisements –Malvertisements special procurement challenges, Lessons from Other Procurement Contexts: The Special Challenges
of Online Procurement targeted, Rewards for Misbehavior , A Mob Response online advertising, targeted, Rewards for Misbehavior online forums, A Mob Response Open Security Foundation, Global metrics open source honeyclients, Introducing the World’s First Open Source Honeyclient –Introducing the World’s First Open Source Honeyclient Open Web Application Security Project (see OWASP) OpenID identity management, A New Dawn OpenPGP standard/protocol background, PGP and OpenPGP certification support, Cumulative Trust , Cumulative Trust designated revokers, Designated revokers direct trust, Direct Trust exportable signatures, Exportable signatures extended introducers, Extended introducers in-certificate preferences, In-Certificate Preferences key support, Cumulative Trust key-editing policies, Key-editing policies revoking certificates, Reasons for revocation OpenSocial API, The State of the Art and the Potential in Social
Networking operating systems, host logging, Improving Perspective with Host Logging , Building a Resilient Detection Model OptOut spyware removal tool, A Mob Response Orange Book, Logs in Security Laws and Standards organizational culture, Culture –Culture outsourcing extending security initiative to, Extending Our Security Initiative to Outsourcing trends in, Connecting People, Process, and Technology: The Potential for
Business Process Management vulnerability research, BPM As a Guide to Multisite Security OWASP (Open Web Application Security Project) background, Social Networking: When People Start Communicating, Big Things
Change CLASP methodology, Setting up formal quality processes for security Top 10 list, Choosing a focus and winning over management P P2P (peer-to-peer) networks botnet communication, The Attack Infrastructure honeyclient considerations, The Future of Honeyclients packet sniffers, Exploit-Laden Banner Ads packets handshake, Wireless Gone Wild SQL Slammer worm, A Common Starting Point Pakistani Flu virus, On the Conveyor Belt of the Internet PAN (Primary Account Number), 3-D Secure transactions Panda Labs, Malware PAR (Payer Authentication Request), 3-D Secure transactions PARAM tag, Malvertisements passive sniffing, Naïveté As the Client Counterpart to Learned Helplessness passphrases, Wireless Gone Wild password grinding, Wireless Gone Wild password-cracking tools L0phtCrack example, A Real-Life Example: How Microsoft Enabled L0phtCrack –A Real-Life Example: How Microsoft Enabled L0phtCrack passphrases and, Wireless Gone Wild passwords authentication security, Password and Authentication Security Could Have Been Better from
the Start identity theft and, A Cornucopia of Personal Data NTLM authentication and, A Real-Life Example: How Microsoft Enabled L0phtCrack PATHSERVER, Social Networks and Traffic Analysis Payer Authentication Request (PAR), 3-D Secure transactions Payment Card Industry (see PCI) PayPal, Single-Use and Multiple-Use Virtual Cards PCI (Payment Card Industry) Data Security Standard, Deconstructing Commerce , Merchant and service provider , Social Networking: When People Start Communicating, Big Things
Change , Doing the Right Thing , Logs in Security Laws and Standards , Building a Resilient Detection Model protecting credit card data, Barings: “What if...” peer-to-peer networks (see P2P networks) PEM (Privacy Enhanced Mail), Early PGP perma-vendors, Diffuse Security in a Diffuse World Personally Identifiable Information (PII), How a Disciplined System Development Lifecycle Can Help Pezzonavante honeyclient, Related Work PGP (Pretty Good Privacy), Cumulative Trust (see also Web of Trust) background, The Evolution of PGP’s Web of Trust , PGP and OpenPGP , Early PGP backward compatibility issues, Patent and Export Problems Crypto Wars, The Crypto Wars designated revokers, Designated revokers encryption support, The Evolution of PGP’s Web of Trust , PGP and Crypto History –From PGP 3 to OpenPGP key validity, Trust, Validity, and Authority patent and export problems, Patent and Export Problems source download, PGP and Crypto History trust models, Trust, Validity, and Authority –The social implications of signing keys trust relationships, Trust, Validity, and Authority PGP Corporation, PGP and OpenPGP PGP Global Directory, The PGP Global Directory pharmware, Information Sources phishing 3-D Secure protocol, Evaluation of 3-D Secure as information source, Information Sources botnet support, The Attack Infrastructure challenges detecting, Correlating with Watch Lists spam and, Phishing, facilitated by social-engineering spam specialization in, On the Conveyor Belt of the Internet PhoneyC website, Related Work PII (Personally Identifiable Information), How a Disciplined System Development Lifecycle Can Help Piper, Fred, Conclusion PKI (Public Key Infrastructure) authoritative keys, Authoritative keys defined, Cumulative Trust DSG support, The Digital Signature Guidelines revoking certificates, Revocation SET considerations, Evaluation of SET PlexLogic, Barings: “What if...” Plumb, Colin, From PGP 3 to OpenPGP port scanning, Correlating with Watch Lists pragmatic 
security, Oh No, Here Come the Infosecurity
Lawyers! , How Geeks Need Lawyers Pre-Shared Key (PSK), Wireless Gone Wild Pretty Good Privacy (see PGP) Price, Will, The PGP Global Directory Primary Account Number (PAN), 3-D Secure transactions Privacy Enhanced Mail (PEM), Early PGP proof-of-concept project, Enforcing Security in Off-the-Shelf Software –Enforcing Security in Off-the-Shelf Software Provos, Niels, Related Work PSK (Pre-Shared Key), Wireless Gone Wild psychological traps confirmation traps, Confirmation Traps –Rationalizing Away Capabilities functional fixation, Functional Fixation –Sunk Costs Versus Future Profits: An Energy Example learned helplessness, Learned Helplessness and Naïveté public key cryptography cumulative trust systems, Cumulative Trust key revocation, Key revocation and expiration PGP support, The Evolution of PGP’s Web of Trust RSA algorithm, Patent and Export Problems SET support, Secure Electronic Transaction steganographic applications, Going Deeper validity, Trust, Validity, and Authority Public Key Infrastructure (see PKI) Public Key Partners, Patent and Export Problems put options, How it happened R Raduege, Harry, Culture Regular, Bob, Exploit-Laden Banner Ads regulatory compliance (see legal considerations) Reiter, Mark, Social Networks and Traffic Analysis Reliable Software Technologies, Security by Design , Metrics with No Meaning reputation economy, Connection of Supply and Demand resource dealers, The Makeup and Infrastructure of the Cyber Underground Return on Investment (ROI), Information Security Economics: Supercrunching and the New Rules of
the Grid , Security’s Return on Investment –Security’s Return on Investment Return on Security Investment (ROSI), Security’s Return on Investment Returnil, Applying artificial intelligence , Security-specific virtualization , Security of saved files in Returnil , Better Practices for Desktop Security revoking certificates, Revocation –Reasons for revocation RFC 1991, PGP and OpenPGP , From PGP 3 to OpenPGP RFC 3156, PGP and OpenPGP RFC 4880, PGP and OpenPGP Right Media, Malvertisements ROI (Return on Investment), Information Security Economics: Supercrunching and the New Rules of
the Grid , Security’s Return on Investment –Security’s Return on Investment root certificates defined, Hierarchical Trust direct trust, Hierarchical Trust rootkits example investigating, The Investigation Starts Rustock.C, The evolution of the blacklist method specialization in, On the Conveyor Belt of the Internet ROSI (Return on Security Investment), Security’s Return on Investment routers DDoS attacks on, Sunk Costs Versus Future Profits: An ISP Example host logging, Improving Perspective with Host Logging watch lists, Correlating with Watch Lists Routh, Jim, Forcing Firms to Focus: Is Secure Software in Your Future? –Software Vendors Give Us What We Want but Not What We
Need RSA Data Security Incorporated, Patent and Export Problems RSA public-key algorithm, Patent and Export Problems RSAREF library, Patent and Export Problems Rustock.C rootkit, The evolution of the blacklist method S Sabett, Randy V., Oh No, Here Come the Infosecurity
Lawyers! –Doing the Right Thing sandboxing functionality, Sandboxing and Virtualization: The New Silver Bullets HIPS support, Host-based Intrusion Prevention Systems need for new strategies, Casting Spells: PC Security Theater Santa Fe Group, Barings: “What if...” Sarbanes-Oxley Act (SOX), Broken Incentives , Logs in Security Laws and Standards SCADA systems, Sunk Costs Versus Future Profits: An Energy Example Schoen, Seth, The PGP Global Directory SDLC (see software development lifecycle) Second Life virtual world, The State of the Art and the Potential in Social
Networking Secret Service Shadowcrew network and, The Underground Communication Infrastructure TJX security breach and, The players Secunia, BPM As a Guide to Multisite Security Secure Electronic Transaction (see SET) security breaches attorney involvement in investigating, A Data Breach Tiger Team Barings Bank, Barings Bank: Insider Breach –Barings: Some security metrics California data privacy law, The California Data Privacy Law –The California Data Privacy Law cyber underground and, The Underground Economy of Security
Breaches –Establish a Social Metric and Reputation System for Data
Responsibility databases and, Doing Real Work Without Real Data impact of, How Geeks Need Lawyers logs in investigating, Case Study: Behind a Trashed Server –Summary public data sources, More Public Data Sources tiger team responses, A Data Breach Tiger Team –A Data Breach Tiger Team TJX, TJX: Outsider Breach –Local metrics security certificates defined, Easy Money encryption and, Easy Money , A Cornucopia of Personal Data fundamental flaw, A Fundamental Flaw in Web Security: Not Trusting the Trust
System paying attention to, Establishing Wireless Trust wireless access points, Establishing Wireless Trust , Adapting a Proven Solution Security Event Managers (SEMs), A New Dawn security metrics (see metrics) Security Metrics Catalog project, TJX: “What if...” security traps (see psychological traps) SecurityFocus database, Open Source Honeyclient: Proactive Detection of Client-Side
Exploits SecurityMetrics.org, TJX: “What if...” SEI (Software Engineering Institute), Time to Market or Time to Quality? Seifert, Christian, Second-Generation Honeyclients , Related Work self-signed certificates, Direct Trust , Hierarchical Trust SEMs (Security Event Managers), A New Dawn separation of duties, The players September 11, 2001, On the Conveyor Belt of the Internet server applications, host logging, Improving Perspective with Host Logging Service Set Identifier (SSID), How it happened service-oriented architecture (SOA), Cloud Computing and Web Services: The Single Machine Is
Here SET (Secure Electronic Transaction) background, Secure Electronic Transaction evaluation of, Evaluation of SET protections supported, Secure Electronic Transaction transaction process, SET transactions SHA256 hash algorithm, How Data Translucency Works Shadowcrew network, The Underground Communication Infrastructure short straddle trading strategy, How it happened , How it happened signature harassment, Signature Bloat and Harassment Sinclair, Upton, Tomorrow’s Security Cogs and Levers Skinner, B. F., Information Security Economics: Supercrunching and the New Rules of
the Grid Slammer virus, On the Conveyor Belt of the Internet SMTP protocol botnet communication, The Attack Infrastructure incident detection considerations, Building a Resilient Detection Model SOA (service-oriented architecture), Cloud Computing and Web Services: The Single Machine Is
Here Sober virus, On the Conveyor Belt of the Internet Sobig virus, On the Conveyor Belt of the Internet social networking crowdsourcing, Security in Numbers impact on security, A New Dawn , Social Networking: When People Start Communicating, Big Things
Change , Social Networking for the Security Industry –Security in Numbers interoperability, The State of the Art and the Potential in Social
Networking malware distribution and, Malware PGP and, The Evolution of PGP’s Web of Trust potential in, The State of the Art and the Potential in Social
Networking state of the art in, The State of the Art and the Potential in Social
Networking Web of Trust and, Social Networks and Traffic Analysis Social Security numbers incident detection considerations, Building a Resilient Detection Model spyware stealing, Malware software acquisition enforcing security, Enforcing Security in Off-the-Shelf Software –Enforcing Security in Off-the-Shelf Software , Software Vendors Give Us What We Want but Not What We
Need –Software Vendors Give Us What We Want but Not What We
Need implicit requirements in, Implicit Requirements Can Still Be Powerful –Implicit Requirements Can Still Be Powerful software development lifecycle Bell Labs example, Time to Market or Time to Quality? –Time to Market or Time to Quality? business model evolution, Forcing Firms to Focus: Is Secure Software in Your Future? CLASP methodology, Setting up formal quality processes for security , Developer training designing security, Security by Design –Security by Design , Conclusion: Beautiful Security Is an Attribute of Beautiful
Systems –Conclusion: Beautiful Security Is an Attribute of Beautiful
Systems , The Best Software Developers Create Code with
Vulnerabilities
    developer training, Developer training
    fixing security problems, Fixing the Problems
    formal quality processes for security, Setting up formal quality processes for security
    improving software security, How One Firm Came to Demand Secure Software–Extending Our Security Initiative to Outsourcing
    instituting security plan, How I Put a Security Plan in Place–When the security process really took hold
    NASA examples, Metrics with No Meaning–Metrics with No Meaning, How a Disciplined System Development Lifecycle Can Help–How a Disciplined System Development Lifecycle Can Help
    outsourcing considerations, Extending Our Security Initiative to Outsourcing
    proof-of-concept project, Enforcing Security in Off-the-Shelf Software–Enforcing Security in Off-the-Shelf Software
    static code analysis tool, Setting up formal quality processes for security, Developer training, When the security process really took hold, Fixing the Problems, The Best Software Developers Create Code with Vulnerabilities
Software Engineering Institute (SEI), Time to Market or Time to Quality?
Sophos, Malware
SOX (Sarbanes-Oxley Act), Broken Incentives, Logs in Security Laws and Standards
spam
    botnet support, The Attack Infrastructure, The Attack Infrastructure
    challenges detecting, Correlating with Watch Lists
    client-side vulnerability, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
    phishing and, Phishing, facilitated by social-engineering spam
    specialization in, On the Conveyor Belt of the Internet
    targeted, Phishing, facilitated by social-engineering spam
    traffic analysis, Improving Coverage with Traffic Analysis
Sports Authority, The players
SpyBye honeyclient, Related Work
spyware
    as information source, Information Sources
    CPA advertising, Inflating CPA costs
    Dell estimates, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
    functionality, Malware
    malvertisements and, Malvertisements
    OptOut removal tool, A Mob Response
    specialization in, On the Conveyor Belt of the Internet
SQL injection attacks, Exploiting website vulnerabilities, Open Source Honeyclient: Proactive Detection of Client-Side Exploits
SQL Server (Microsoft), Incident Detection: Finding the Other 68%
SQL Slammer worm
    background, Incident Detection: Finding the Other 68%
    IDS challenges, A Common Starting Point
    port 1434/udp, Incident Detection: Finding the Other 68%, Improving Coverage with Traffic Analysis
    signatures, A Common Starting Point
SSID (Service Set Identifier), How it happened
stale threat modeling, Stale Threat Modeling
static code analysis tool
    context-sensitive help, The Best Software Developers Create Code with Vulnerabilities
    developer training, Developer training
    threshold of quality, Setting up formal quality processes for security
    vulnerability information, When the security process really took hold, Fixing the Problems
steganographic applications, Going Deeper
Stickley, Jim, Wireless Networking: Fertile Ground for Social Engineering–Still, Wireless Is the Future
storing data
    honeyclients, Storing and Correlating Honeyclient Data
    logs, Log Analysis and Management Tools of the Future
strict scrutiny
    blacklisting, The evolution of the blacklist method, Applying artificial intelligence
    whitelisting, The whitelist alternative
Stubblebine, Stuart, Social Networks and Traffic Analysis
stuffed cookies, Inflating CPA costs
supercrunching, A New Dawn, Information Security Economics: Supercrunching and the New Rules of the Grid–Information Security Economics: Supercrunching and the New Rules of the Grid
supervalidity, Supervalidity, Supervalidity
switches, failing open, Naïveté As the Client Counterpart to Learned Helplessness
Symantec
    DeepSight Threat Management Service, More Public Data Sources
    Internet Security Threat Reports, More Public Data Sources, Improving Coverage with Traffic Analysis
    Managed Security Services, Correlating with Watch Lists
    on botnets, Correlating with Watch Lists
    on malware distribution, Malware
    SQL Slammer worm, Incident Detection: Finding the Other 68%
SYSLOG format, A Proliferation of Sources
system development lifecycle (see software development lifecycle)

T
targeted advertising, Rewards for Misbehavior, Rewards for Misbehavior, A Mob Response
technology economics, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
testing
    ads, Malvertisements
    confirmation traps in, An Introduction to the Concept
    dynamic, Fixing the Problems
    fuzzing technique, Confirmation Traps
    malware code, The Makeup and Infrastructure of the Cyber Underground
    manual penetration, Fixing the Problems
    Microsoft approach, Confirmation Traps
Thomson, William (Lord Kelvin), Beautiful Security Metrics
time-to-market, Time to Market or Time to Quality?–Time to Market or Time to Quality?
time-to-quality, Time to Market or Time to Quality?–Time to Market or Time to Quality?
TJX security breach, What About the Wireless Access Point Itself?, TJX: Outsider Breach–Local metrics, Doing the Right Thing
traffic analysis, improving coverage with, Improving Coverage with Traffic Analysis–Improving Coverage with Traffic Analysis
treatment effect metrics, Barings: Some security metrics
Truman Doctrine, Culture
trust models
    cumulative trust, Cumulative Trust
    defined, Trust, Validity, and Authority
    direct trust, Direct Trust
    hierarchical trust, Hierarchical Trust
    users as certification authorities, The Basic PGP Web of Trust
trust relationship
    defined, Trust, Validity, and Authority, Trust, Validity, and Authority, The Basic PGP Web of Trust
    establishing for wireless networks, Establishing Wireless Trust–Adapting a Proven Solution
    PGP support, The Evolution of PGP’s Web of Trust
    validity comparison, Trust, Validity, and Authority

V
validity
    defined, The Basic PGP Web of Trust
    supervalidity, Supervalidity, Supervalidity
    trust comparison, Trust, Validity, and Authority
ValueClick, Deceptive Advertisements, Inflating CPA costs, Lessons from Other Procurement Contexts: The Special Challenges of Online Procurement
VBS/Loveletter—“I Love you” virus, On the Conveyor Belt of the Internet
VeriSign
    hierarchical trust, Hierarchical Trust, Hierarchical Trust
    iDefense Labs, More Public Data Sources, BPM As a Guide to Multisite Security
Viacrypt, From PGP 3 to OpenPGP
Viega, John, Setting up formal quality processes for security
virtual cards
    defined, Single-Use and Multiple-Use Virtual Cards
    functionality, How virtual cards work
    multiple-use, How virtual cards work
    single-use, How virtual cards work
virtual machines, Virtual machines, host and guest
    honeyclient support, Second-Generation Honeyclients
    malware detection of, Analysis of Exploits
virtualization, Virtual machines, host and guest–Security of saved files in Returnil, Better Practices for Desktop Security
viruses (see malicious attacks)
VirusTotal.com, Analysis of Exploits
Visa, Inc.
    3-D Secure protocol, 3-D Secure
    SET protocol, Secure Electronic Transaction
    transaction statistics, Analyzing the Security Context
VMware, Second-Generation Honeyclients, Analysis of Exploits, Virtual machines, host and guest
VMware Workstation, Exploit-Laden Banner Ads
vulnerability scanners
    breaker mentality and, Builders Versus Breakers
    false positives/negatives, Building a Resilient Detection Model
    functional fixation, Vulnerability in Place of Security
    proliferation of malware and, The evolution of the blacklist method

W
W32.Gaobot worm, Improving Coverage with Traffic Analysis
Wallace, Sanford, Exploit-Laden Banner Ads–Exploit-Laden Banner Ads
Wang, Chenxi, The Underground Economy of Security Breaches–Summary, A Data Breach Tiger Team, Rewards for Misbehavior
Wang, Kathy, Open Source Honeyclient: Proactive Detection of Client-Side Exploits–The Future of Honeyclients
warchalking, Wireless As a Side Channel
wardriving technique, How it happened
Wason, Peter, An Introduction to the Concept
watch lists, Correlating with Watch Lists–Correlating with Watch Lists
Wayner, Peter, Doing Real Work Without Real Data–Going Deeper
Web 2.0, Social Networking: When People Start Communicating, Big Things Change
web applications
    exploiting vulnerabilities, Exploiting website vulnerabilities, Choosing a focus and winning over management
    log handling support, A Proliferation of Sources
    risk of exploits, Enforcing Security in Off-the-Shelf Software
    trends in exploits, Choosing a focus and winning over management, Choosing a focus and winning over management
    uncovering vulnerabilities, When the security process really took hold
Web of Trust
    areas for further research, Interesting Areas for Further Research
    background, The Evolution of PGP’s Web of Trust
    cumulative trust support, Cumulative Trust
    enhancements to original model, Enhancements to the Original Web of Trust Model–Variable Trust Ratings
    functionality, The Basic PGP Web of Trust–The Basic PGP Web of Trust
    implications of signing keys, The social implications of signing keys–The social implications of signing keys
    in-certificate preferences, In-Certificate Preferences
    PGP Global Directory, The PGP Global Directory
    revoking certificates, Revocation–Reasons for revocation
    rough edges in original, Rough Edges in the Original Web of Trust–The social implications of signing keys
    scaling issues, Scaling Issues–Authoritative keys
    signature bloat/harassment, Signature Bloat and Harassment
    social networking and, Social Networks and Traffic Analysis
    supervalidity, Supervalidity, Supervalidity
    variable trust ratings, Variable Trust Ratings
web services
    applying security to, Clouds and Web Services to the Rescue
    builders versus breakers, Builders Versus Breakers
    defined, Cloud Computing and Web Services: The Single Machine Is Here
Websense, Related Work
WEP (Wired Equivalent Privacy), Wireless Networking: Fertile Ground for Social Engineering
    authentication support, How it happened
    security flaws, Wireless Gone Wild
Western Union, The Makeup and Infrastructure of the Cyber Underground
wget tool, Introducing the World’s First Open Source Honeyclient
Whitehead, Alfred North, Cloud Computing and Web Services: The Single Machine Is Here
whitelisting, The whitelist alternative
Whois website, Deceptive Advertisements
Wi-Fi Protected Access (WPA), Wireless Networking: Fertile Ground for Social Engineering, Wireless Gone Wild
Windows Home Server, Clouds and Web Services to the Rescue
Windows Live ID, A New Dawn
Windows NT
    hash function, A Real-Life Example: How Microsoft Enabled L0phtCrack
    Internet security and, Password and Authentication Security Could Have Been Better from the Start
Windows Vista
    Internet security and, Password and Authentication Security Could Have Been Better from the Start
    security warnings, A Fundamental Flaw in Web Security: Not Trusting the Trust System
    strict scrutiny and, The whitelist alternative
Windows XP
    exploit-based installs and, Exploit-Laden Banner Ads
    honeyclient support, Second-Generation Honeyclients, Transparent Activity from Windows XP
Wired Equivalent Privacy (WEP), Wireless Networking: Fertile Ground for Social Engineering
wireless access points
    identity theft and, A Cornucopia of Personal Data
    scan coverage, Local metrics
    security certificates, Establishing Wireless Trust, Adapting a Proven Solution
    SSID support, How it happened
    WEP support, Wireless Gone Wild
wireless networking
    future of, Still, Wireless Is the Future
    identity theft, Easy Money–Adapting a Proven Solution
    role at TJX, TJX: Outsider Breach–Local metrics
    security flaws, Wireless Gone Wild–What About the Wireless Access Point Itself?
    wardriving technique, How it happened
Wireshark packet sniffer, Exploit-Laden Banner Ads
Wood, Michael, Casting Spells: PC Security Theater–Conclusion
WordPress, Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
worms
    SQL Slammer, Incident Detection: Finding the Other 68%–A Common Starting Point, Improving Coverage with Traffic Analysis
    W32.Gaobot worm, Improving Coverage with Traffic Analysis
WPA (Wi-Fi Protected Access), Wireless Networking: Fertile Ground for Social Engineering, Wireless Gone Wild
WS-Security specification, Clouds and Web Services to the Rescue