Index

Numerics

3-D Secure, 39

3DES (Triple DES), 41

modes, 61

6 to 4, 112

802.1x, 118

A

accept strategy for risk analysis, 312

acceptance testing, 522

access control models, 572-575

access control matrix, 574

ACLs, 575

administrative controls, 294

compensative controls, 292

content-dependent access control, 574

context-dependent access control, 574

corrective controls, 292

DAC, 572-573

defaulting to no access, 575

detective controls, 292

deterrent controls, 293

directive controls, 293

logical controls, 295

MAC, 573

physical controls, 296

policies, 575

preventive controls, 293

RBAC, 573-574

recovery controls, 293

rule-based access control, 574

access points, 499

account lockout, 565-566

account management, 562-563

ACLs (access control lists), 204, 575

configuring, 158-159

acquisition phase (SDLC), 518

acquisitions

design considerations during, 545

security issues, 271

active fingerprinting, 452-453

active vulnerability scanners, 134-135

ActiveX, 257

AD (Active Directory), 586-587

identity propagation, 580

ad hoc mode (WLANs), 499

Adams, Carlisle, 43

adherence to standards, 536

Adleman, Leonard, 45-46

administrative controls, 294

Adobe Flash, 257

advanced trust systems, 585-587

AD, 586-587

LDAP, 586

RADIUS, 585-586

advancements in technology, communicating, 395-396

advising staff and senior management, 469

AES (Advanced Encryption Standard), 42

aggregate CIA score, determining, 298-299

Agile development, 253, 523

agreements, 408

BPA, 346-347

NDA, 346

OLA, 345

SLA, 345

AH (Authentication Header), 40

AIK (attestation identity key), 208

AJAX (Asynchronous JavaScript and XML), 258

ALE (annualized loss expectancy), calculating, 304-305

algebraic attacks, 64

algorithms

asymmetric algorithms

Diffie-Hellman, 45

ECC, 46

El Gamal, 46

Knapsack, 46

private keys, 44

public keys, 44

RSA, 45-46

weaknesses of, 61

Zero Knowledge Proof, 47

implementing, 66

Rijndael algorithm, 42

symmetric algorithms, 40-43

3DES, 41

AES, 42

Blowfish, 42

CAST, 43

DES, 41

IDEA, 42

RC algorithms, 43

session keys, 41

Skipjack, 42

Twofish, 43

weaknesses of, 61

analyzing

data flows, 534-535

metrics, 419-420

security solutions

availability, 424

capability, 423

latency, 423

maintainability, 424

performance, 422

recoverability, 424-425

scalability, 423

trend data, 420-421

anomaly-based IDS, 124-125

anticipating

cyber defense needs, 420-421

risk changes, 332

antimalware, 191-192

antispam services for the cloud, 213

antispyware, 192

antivirus software, 192

cloud antivirus, 213

applications. See also software

client-based application virtualization, 222

frameworks, 245-247

standard libraries, 245

industry-accepted development practices, 245-247

BSI initiative, 246

ISO/IEC 27000, 246

OWASP, 246

WASC, 245-246

WS-Security, 246-247

interoperability requirements, 538-539

sandboxing, 244-245

security issues

buffer overflow attacks, 239-241

click-jacking, 232-233

CSRF, 232

fuzzing, 238-239

geotagging, 243

improper error and exception handling, 237

improper storage of sensitive data, 237-238

input validation, 235

insecure direct object references, 231

integer overflows, 242

memory leaks, 242

privilege escalation, 237

race conditions, 242

session hijacking attacks, 233-235

SQL injection, 235-236

time of check/time of use attacks, 242-243

XSS, 231-232

server-based application virtualization, 222

session management, 233-235

software development methods

Agile model, 253

build and fix, 248

Cleanroom model, 254

incremental model, 250

JAD, 254

prototyping, 250

RAD model, 252

spiral model, 251

V-shaped model, 249

Waterfall method, 248-249

web applications

browser extensions, 256-259

client-side processing, 255-260

cookies, storing, 239

JavaScript, 260

JSON, 256

REST, 256

security issues, 230

server-side processing, 255-260

state management, 260

whitelisting, 199

APTs (advanced persistent threats), 398-406

CERT, 403-404

emergent threats, 399-400

intelligence, 406

sources of, 406

threat actors, 405-406

zero-day attacks, mitigating, 398-399

ARAT (active reader/active tag), 527

archive bits, 369

ARO (annualized rate of occurrence), 306

ARP poisoning, 138-139

ARPT (active reader/passive tag), 527

assessment methods. See also code review, 454-455

fingerprinting, 452-454

active fingerprinting, 452-453

passive fingerprinting, 453-454

malware sandboxing, 446-447

memory dumping, 447-448

penetration testing, 448-450

black box testing, 451

gray box testing, 451

selecting method, 452

strategies, 450

white box testing, 451

reconnaissance, 452

Retina, 449

runtime debugging, 447-448

social engineering attacks, 455-456

vulnerability assessment, 445-446

assessment tools

exploit kits, 439-440

fuzzers, 438

HTTP interceptors, 439

network enumerators, 435-436

passive reconnaissance tools, 440-444

routing tables, 443-444

social media, 441

Whois, 441-442

password crackers, 436-438

port scanners, 432-433

protocol analyzers, 434-435

vulnerability scanners, 434

asset disposal, 514-515

asset management

device-tracking technologies, 526

geolocation, 526

geotagging, 527

object tracking, 526-527

RFID, 527-528

asymmetric algorithms, 44-47

Diffie-Hellman, 45

ECC, 46

El Gamal, 46

Knapsack, 46

private keys, 44

public keys, 44

RSA, 45-46

weaknesses of, 61

Zero Knowledge Proof, 47

attacks

algebraic attacks, 64

analytic attacks, 65

birthday attacks, 64

brute-force attacks, 63

buffer overflow attacks, 239-241

chosen ciphertext attacks, 62

chosen plaintext attacks, 62

cipher-only attacks, 62

click-jacking, 232-233

client-side attacks, 396-397

CSRF, 232

dictionary attacks, 65

factoring attacks, 65

fault injection attacks, 238-239

frequency analysis, 64

known plaintext attacks, 62

man-in-the-middle attacks, 66

meet-in-the-middle attacks, 66

plaintext attacks, 63-64

race conditions, 242

time of check/time of use attacks, 242-243

rainbow table attacks, 33

replay attacks, 65

reverse engineering attacks, 65

session hijacking attacks, 233-235

side-channel attacks, 63

social engineering attacks, 63, 455-456

SQL injection, 235-236

statistical attacks, 65

VLAN hopping attacks, 140

VM escape attacks, 219

wireless attacks, 505

XSS attacks, 231-232

zero-day attacks, mitigating, 398-399

attestation, 579-580

ID-FF, 582

SAML, 581-582

audit trails, monitoring, 196-198

authentication, 562-572

802.1x, 118

access control models, defaulting to no access, 575

certificate-based authentication, 570-571

characteristic factor authentication, 117, 566-570

behavioral characteristics, 568

physiological characteristics, 567-568

dual-factor authentication, 570

EAP, 114-115

identity and account management, 562-563

knowledge factor authentication, 116

MAC, 33

multi-factor authentication, 570

ownership factor authentication, 117

RADIUS, 118-120, 585-586

SSO, 571-572

TACACS+, 118-120

authorization, 572-578

access control models, 572

access control policies, 575

ACLs, 575

content-dependent access control, 574

context-dependent access control, 574

DAC, 572-573

MAC, 573

RBAC, 573-574

rule-based access control, 574

OAUTH, 575-576

SPML, 578

XACML, 577-578

automation systems, building, 178

A/V (audio/visual) systems, 181-182

availability, 160-166, 424

avoid strategy for risk analysis, 310-311

B

backups, 369-372

archive bits, 369

daily backups, 370

differential backups, 369

electronic backups, 372

full backups, 369

incremental backups, 370

rotation schemes, 370-371

transaction log backups, 370

Basel II, 339

baselining, 199, 417-418

bastion hosts, 144

bcrypt, key stretching, 32

behavioral authentication systems, 568

benchmarks, creating, 417-418

best practices

industry-accepted development practices, 245-247

BSI initiative, 246

ISO/IEC 27000, 246

OWASP, 246

WASC, 245-246

WS-Security, 246-247

researching, 392-393

for SANs, 84

BIA (business impact analysis), 341-344

biometric scanning devices, 567-570

birthday attacks, 64

black box testing, 451

Black Hat convention, 405

black hats, 406

blacklisting

applications, 199

character blacklisting, 235

blind tests, 450

block ciphers, 57

Blowfish, 42

IDEA, 42

Skipjack, 42

block-level encryption, 96-97

Blowfish, 42

Bluesnarfing, 207

Bluetooth, 502

restricting, 207

boot loader protections

IMA, 218

measured launch, 218

Secure Boot, 217-218

UEFI, 218-219

bottom-up policy development, 332

boundary errors, 241

BPA (business partnership agreement), 346-347

bridge model, 581

browser extensions, 256-259

ActiveX, 257

AJAX, 258

Flash, 257

HTML5, 257

Java applets, 257

brute-force attacks, 63

BSI (Build Security In) initiative, 246

buffer overflows, 239-241

build and fix software development approach, 248

building automation systems, 178

business continuity planning, 318-320

business tools, security implications of, 400-403

end-user cloud storage, 402-403

social media/networking, 401

BYOD (“bring your own device”), 278-279, 495-497

C

Cain and Abel, 437

calculating

ALE, 304-305

NPV, 308-309

payback, 308

ROI, 307-309

SLE, 304

TCO, 309-310

CANVAS, 440

capability, analyzing, 423

captured email messages, 486

CAs (certificate authorities), 51

root CAs, 51

CAST, 43

CBC (cipher block chaining) mode, 58-59

CBC-MAC (cipher block chaining MAC), 37

CC (Common Criteria), 190

CDMA (Code Division Multiple Access), 498

CDP (Cisco Discovery Protocol), 443

centralized VDI model, 221

CER (crossover error rate), 569

CERT (Computer Emergency Response Team) secure coding standards, 247

certificate-based authentication, 570-571

certificates

classes of, 55

CRL, 53

issuance to entities, 53-54

OCSP, 53

wildcard certificates, 52-53

X.509, 54-55

certification, advantages of, 625-626

CFAA (Computer Fraud and Abuse Act), 338

CFB (cipher feedback) mode, 59

chain of trust, 50-51

change control policies, 159-160

change management, 516-517

CHAP (Challenge-Handshake Authentication Protocol), 444

characteristic factor authentication, 117, 566-570

behavioral characteristics, 568

physiological characteristics, 567-568

characters, blacklisting/whitelisting, 235

chosen ciphertext attacks, 62

chosen plaintext attacks, 62

chroot, 210

CIA (confidentiality, integrity, and authentication), 30, 287-289

aggregate score, determining, 298-299

confidentiality, 30, 50

incorporating stakeholder input, 291

integrity, 50

chain of trust, 50-51

CIFS (Common Internet File System), 90

cipher-only attacks, 62

ciphers

block ciphers, 57

Blowfish, 42

IDEA, 42

Skipjack, 42

concealment ciphers, 56

stream ciphers, 56-57

classes of digital certificates, 55

Cleanroom development model, 254

click-jacking, 232-233

client-based application virtualization, 222

client-side attacks, identifying, 396-397

client-side processing, 255-260

clipping level, 566

cloud computing, 167-168

collaboration, 490-491

communities, 80

elastic cloud computing, 542

hybrid cloud model, 79, 540

multi-tenancy model, 541

private cloud model, 79, 540

public cloud model, 79, 540

resource provisioning, 543-544

security issues, 270

antispam services, 213

antivirus products, 213

content filtering, 216

hash matching, 212-213

sandboxing, 216

vulnerability scanning, 214-215

services, 80

storage, 79-80

clustering, 165

CMAC (cipher-based MAC), 37

CMDB (configuration management database), 555

CMS (content management system), 555

CobiT (Control Objectives for Information and Related Technology), 316

code review, 454-455

code signing, 36

cognitive passwords, 564

collaborating with teams, 469-470

collecting metrics, 419-420

collisions, 33

combination passwords, 563

command shell, restricting, 202-203

commercial business data classifications, 289-290

commercial software, interoperability with in-house developed software, 539

commissioning an asset, 514

communities, 80

compensative controls, 292

competing standards, 536

complex passwords, 564

CompTIA career pathway, 625-626

Computer Security Act of 1987, 339

concealment ciphers, 56

conducting

lessons-learned/after action review, 425

risk analysis, 301-310

accept strategy, 312

ALE, calculating, 304-305

ARO, 306

avoid strategy, 310-311

magnitude of impact, 304

mitigate strategy, 311

NPV, 308-309

qualitative risk analysis, 302-303

quantitative risk analysis, 303

SLE, calculating, 304

TCO, calculating, 309-310

transfer strategy, 311

trend analysis, 306

confidentiality, 30, 50

configuration lockdown, 160

configuring

ACLs, 158-159

dedicated interfaces, 203

confusion, 49

container-based virtualization, 211

containment technologies, 526-527

content filtering, 216

content-dependent access control, 574

context-dependent access control, 574

continuity planning, 318-320

contracts, researching security requirements, 406-408

agreements, 408

RFIs, 408

RFPs, 407

RFQs, 407

control plane, 166

controls, advising staff and senior management, 469

cookies, storing, 239

COOP (continuity of operations plan), 384-385

core dumps, 448

corrective controls, 292

cost/benefit analysis, performing, 419

crackers, 406

credit card transactions, securing, 39

PCI DSS, 339

criminal actions, responding to, 379

CRL (certificate revocation list), 53

CRM (customer relationship management), 552

cross-certification model, 581

cryptanalysis

differential cryptanalysis, 63

linear cryptanalysis, 63-64

CryptoAPI, 49

cryptography, 30, 40-47. See also encryption

algorithms, implementing, 66

applications

S/MIME, 69

SSH, 69

asymmetric algorithms, 44

Diffie-Hellman, 45

ECC, 46

El Gamal, 46

Knapsack, 46

RSA, 45-46

Zero Knowledge Proof, 47

chain of trust, 50-51

CIA

confidentiality, 30

code signing, 36

confidentiality, 50

confusion, 49

diffusion, 49

digital signatures, 47-48

DRM, 67

encryption, 30

entropy, 49

GPG, 67-68

hashing, 32-36

hash value, identifying, 34

HAVAL, 36

limitations of, 33

MAC, 33

MD2 algorithm, 34-35

MD4 algorithm, 34-35

MD5 algorithm, 34-35

MD6 algorithm, 34-35

message digests, 34

one-way hash function, 33

RIPEMD-160, 36

SHA, 35-36

vulnerabilities, 33

hybrid ciphers, 47

integrity, 50

key stretching, 32

MAC, 36

CBC-MAC, 37

CMAC, 37

HMAC, 37

non-repudiation, 50

PFS, 37-38

PKCS, 69

PKI, 50-51

CAs, 51

CRL, 53

issuance of certificates to entities, 53-54

OCSP, 53

systems, 55

users, 54-55

wildcard certificates, 52-53

X.509 standard, 50, 54-55

PRNG, 37

symmetric algorithms, 40

3DES, 41

AES, 42

Blowfish, 42

CAST, 43

DES, 41

IDEA, 42

RC algorithms, 43

session keys, 41

Skipjack, 42

Twofish, 43

weaknesses of, 61

technique, selecting, 32

transport encryption, 38

watermarking, 67

CSRF (cross-site request forgery), 232

CTR (counter) mode, 60

cyber defense needs, anticipating, 420-421

D

DAC (discretionary access control), 572-573

DAI (dynamic ARP inspection), 138

daily backups, 370

DAM (database activity monitoring), 135-136, 254

data aggregation, 543

data archiving, 82-83

data at rest encryption, 40-47

asymmetric algorithms, 44

Diffie-Hellman, 45

ECC, 46

El Gamal, 46

Knapsack, 46

RSA, 45-46

weaknesses of, 61

Zero Knowledge Proof, 47

symmetric algorithms, 40

3DES, 41

AES, 42

CAST, 43

DES, 41

IDEA, 42

RC algorithms, 43

session keys, 41

Skipjack, 42

Twofish, 43

weaknesses of, 61

data backups. See backups

data breaches, incident response, 374-378

facilitating, 378-381

data clearing, 244

data encryption. See encryption

data flows

analyzing, 534-535

enforcing, 175

SSL inspection, 156

data handling, 373-374

data interfaces, 205-206

data isolation, 543

data ownership, 372-373

data plane, 166

data purging, 244, 515

data remnants, 221, 244, 543

remanence, 515

data warehousing, 80-82

database administrators, security requirements, 463-464

DDPs (dynamic disk pools), 93-94

de facto standards, 536-537

de jure standards, 536

decommissioning an asset, 514

decryption, key escrow, 56

deduplication, 92

defaulting to no access, 575

DEFCON conferences, 405

defense-in-depth principle, 535

degaussing, 244

de-perimeterization, impact of

BYOD, 278-279

cloud computing, 278

outsourcing, 279

telecommuting, 278

deprovisioning resources, 543-544

DES (Data Encryption Standard), 41

modes, 58-60

desktop sharing, securing, 481-482

detective controls, 292

deterrence, 314

deterrent controls, 293

developing applications

CERT secure coding standards, 247

frameworks, 245-247

industry-accepted development practices, 247

BSI initiative, 246

ISO/IEC 27000, 246

OWASP, 246

WASC, 245-246

software development methods, 247-254

Agile model, 253, 523

build and fix, 248

Cleanroom model, 254

incremental model, 250

JAD, 254

prototyping, 250

RAD model, 252

spiral model, 251, 524

V-shaped model, 249

Waterfall method, 248-249, 523-524

standard libraries, 245

WS-Security, 246-247

device-tracking technologies, 526

DHCP snooping, 139

diagrams

logical deployment diagrams, 546

physical network diagrams, 547

dial-up access, 491-492

dictionary attacks, 65

differential backups, 369

differential cryptanalysis, 63

Diffie-Hellman, 45

diffusion, 49

digital certificates, classes of, 55

digital signatures, 47-48

directive controls, 293

directory services, 554

disk-level encryption, 96

disposal phase (SDLC), 519

diverse industry integration, security concerns

geography, 273

policies, 272

regulations, 272-273

rules, 272

divestitures, design considerations during, 545

DLP (data loss prevention) software, 194

DMCA (U.S. Digital Millennium Copyright Act of 1998), 67

DMZs (demilitarized zones), 176, 548-549

DNS (Domain Name System), 554-555

document exchange/reviews, 276

documentation

BIA, 341-344

BPA, 346-347

IA, 344

ISA, 345

MOU, 345

NDA, 346

NIST SP 800-30, risk management processes, 312-314

OLA, 345

RAs, 340-341

SLA, 345

SOA, 340-341

double tagging, 140

double-blind tests, 450

downstream liability, 273

DRM (digital rights management), 67

Dropbox, 212-213

DSA (Digital Signature Algorithm), 48

DSS (Digital Signature Standard), 48

DSSS (Direct Sequence Spread Spectrum), 498

DSV (dynamic signature verification), 568

DTP (Dynamic Trunking Protocol), 172

Dual Stack, 112

dual-factor authentication, 570

dual-homed firewalls, 145

dual-key cryptography. See asymmetric algorithms

due care, 274

due diligence, 274

dumpster diving, 456

dynamic packet-filtering firewalls, 142

dynamic routing protocols, 174, 443

E

e-discovery, 366-374

backups, 369-372

daily backups, 370

differential backups, 369

electronic backups, 372

full backups, 369

incremental backups, 370

rotation schemes, 370-371

data ownership, 372-373

data recovery and storage, 368

electronic inventory and asset control, 366-367

legal holds, 374

transaction log backups, 370

EALs (Evaluation Assurance Levels), 190

EAP (Extensible Authentication Protocol), 114-115

EC-Council (International Council of Electronic Commerce Consultants), 403

ECB (electronic code book) mode, 58

ECC (Elliptic Curve Cryptosystem), 46

ECDSA (Elliptic Curve DSA), 48

Economic Espionage Act of 1996, 339

effectiveness of existing security controls, reviewing, 421

EK (endorsement key), 208

El Gamal, 46

elastic cloud computing, 542

Elastic Sandbox, 446-447

electronic backups, 372

electronic inventory and asset control, 366-367

electronic vaulting, 372

email

antispam services for the cloud, 213

captured messages, 486

disclosure of information, 487

IMAP, 484

securing, 484-487

spam filters, 192-193

spear phishing, 485

whaling, 486

emergency response

chain of custody, 381

evidence, 381-382

search and seizure, 382-383

emergent threats, 399-400, 525-526

employment policies, 356

encryption, 30

block-level encryption, 96-97

ciphers

block ciphers, 57

stream ciphers, 56-57

confusion, 49

data at rest encryption, 40-47

asymmetric algorithms, 44-47

symmetric algorithms, 40-43

disk-level encryption, 96

full disk encryption, 208-209

hybrid ciphers, 47

key escrow, 56

port-level encryption, 98

record-level encryption, 98

steganography, 56

transport encryption

3-D Secure, 39

HTTP, 39

HTTPS, 39

IPsec, 39-40

SET, 39

SHTTP, 39

SSL, 38, 68-69

TLS, 38, 68-69

end-to-end solution ownership

asset disposal, 514-515

change management, 516-517

commissioning an asset, 514

maintenance, 513

object reuse, 515

operational activities, 512-513

end-user cloud storage

integrating into your business, 403

security implications of, 402-403

endpoint security software, 191-198

antimalware, 191-192

antispyware, 192

antivirus software, 192

DLP software, 194

host-based firewalls, 194-196

IDS, 193

log monitoring, 196-198

patch management, 193

spam filters, 192-193

enforcing data flows, 175

enrollment time, 568

enterprise application integration enablers, 552-555

CMDB, 555

CMS, 555

CRM, 552

directory services, 554

DNS, 554-555

ERP, 553

ESB, 553

GRC, 553

SOA, 553

enterprise security

baselining, 417-418

benchmarks, creating, 417-418

CASP exam objectives, 6-13

cost/benefit analysis, performing, 419

cyber defense needs, anticipating, 420-421

effectiveness of existing security controls, reviewing, 421

lessons-learned/after action review, 425

metric collection and analysis, 419-420

multiple solutions, testing, 418-419

prototyping, 418-419

reverse engineering existing solutions, 422

security solutions, analyzing

availability, 424

capability, 423

latency, 423

maintainability, 424

performance, 422

recoverability, 424-425

scalability, 423

enterprise security architecture frameworks, 315-318

CobiT, 316

NIST SP 800-53, control families, 317

SABSA, 315

enterprise storage

cloud storage, 79-80

data archiving, 82-83

data warehousing, 80-82

DDPs, 93-94

deduplication, 92

encryption

block-level encryption, 96-97

disk-level encryption, 96

port-level encryption, 98

record-level encryption, 98

HBA allocation, 95

LUN masking, 94

multipathing, 90-91

multisite replication, 95-96

NAS, 84-86

offsite replication, 95-96

SANs, 83-84

snapshots, 91-92

virtual storage, 78-79

VSANs, 86

entropy, 49

ERP (enterprise resource planning), 553

ESB (enterprise service bus), 553

ESP (Encapsulating Security Payload), 40

establishing partnerships, security issues, 269

events versus incidents, 353-354

evidence, 381-382

forensic analysis, 383-384

order of volatility, 385-386

exam

preparing for, 628

topics, 628-638

examples of TOS, 191

executive management, security requirements, 465-466

exemptions, 313

exploitation tools, 439-440

external violations, 378-379

extreme scenario planning, 299-301

F

facilitating incident response, 378-381

facilities manager, security requirements, 468

factoring attacks, 65

failover, 165

failsoft, 165

FAR (false acceptance rate), 569

FATKit, 448

fault injection, 238-239

FCoE (Fiber Channel over Ethernet), 88-89

FDMA (Frequency Division Multiple Access), 498

feasibility of cryptographic algorithms, 66

feature extraction, 568

Federal Privacy Act of 1974, 338

federated identity management, 581

OpenID, 583

Shibboleth, 583-584

FHSS (Frequency Hopping Spread Spectrum), 498

FIFO (first in, first out) rotation scheme, 370-371

financial staff, security requirements, 466-467

fingerprinting, 452-454

active fingerprinting, 452-453

passive fingerprinting, 453-454

FIPS (Federal Information Processing Standard Publication 199), 288

firewalls, 140-143

architecture, 143-144

bastion hosts, 144

dual-homed firewalls, 145

host-based firewalls, 194-196

kernel proxy firewalls, 142

multihomed firewalls, 146

NGFWs, 133-134

packet-filtering firewalls, 141

placement of, 143

proxy firewalls, 141-142

screened host firewalls, 147-148

screened subnets, 148-149

stateful firewalls, 141

virtual firewalls, 154-155

WAFs, 131-132, 255

FireWire, restricting, 207-208

FISMA (Federal Information Security Management Act), 339

forensic analysis, 383-384

hardware/embedded device analysis, 384

media analysis, 383

network analysis, 384

software analysis, 384

forensic tasks for incident response team, 354-356

formal code review, 454

frameworks, 245-247

standard libraries, 245

frequency analysis, 64

FRR (false rejection rate), 569

FTP (File Transfer Protocol), 113

full backups, 369

full disk encryption, 208-209

full-knowledge tests, 450

fuzzing, 238-239, 438

G

generation-based fuzzing, 238

geofencing, 527

geolocation, 526

geotagging, 243, 527

GFS (grandfather/father/son) rotation scheme, 370-371

global IA industry, 403-405

CERT, 403-404

conventions, 404-405

government data classifications, 290

GPG (GNU Privacy Guard), 67-68

GPMC (Group Policy Management Console), 201

GPOs (Group Policy Objects), 200

GPRS (General Packet Radio Service), 499

GPS (Global Positioning System) location, 526

Gramm-Leach-Bliley Act of 1999, 338

graphical passwords, 564

gray box testing, 451

gray hats, 406

GRC (governance, risk, and compliance), 553

GRE (Generic Routing Encapsulation) tunnels, 112

Group Policy, 199

GPMC, 201

GPOs, 200

implementing, 200-202

GSM (Global System for Mobile Communications), 499

guidelines, 324

H

hackers, 406

hacktivists, 406

hardening, host hardening, 198-209

ACLs, 204

applications, blacklisting/whitelisting, 199

baselining, 199

command shell restrictions, 202-203

data interfaces, 205-206

dedicated interfaces, configuring, 203

full disk encryption, 208-209

Group Policy, implementing, 200-202

management interfaces, 205

OOB NICs, 203-204

peripheral restrictions, 206-208

hardware/embedded device analysis, 384

hash matching, 212-213

hashing, 32-36

hash value, identifying, 34

HAVAL, 36

limitations of, 33

MAC, 33

MD2 algorithm, 34-35

message digests, 34-35

one-way hash function, 33

RIPEMD-160, 36

SHA, 35-36

vulnerabilities, 33

HAVAL, 36

HBA (host bus adapter) allocation, 95

Health Care and Education Reconciliation Act of 2010, 340

high availability, 162-166

HIPAA (Health Insurance Portability and Accountability Act), 338

hiring policies, 356

HMAC (hash MAC), 37

horizontal privilege escalation, 237

host security

boot loader protections, 217-219

IMA, 218

measured launch, 218

Secure Boot, 217-218

UEFI, 218-219

endpoint security software, 191-198

antimalware, 191-192

antispyware, 192

antivirus software, 192

DLP software, 194

host-based firewalls, 194-196

IDS, 193

log monitoring, 196-198

patch management, 193

spam filters, 192-193

hardening, 198-209

ACLs, 204

applications, blacklisting/whitelisting, 199

baselining, 199

command shell restrictions, 202-203

data interfaces, 205-206

dedicated interfaces, configuring, 203

full disk encryption, 208-209

Group Policy, implementing, 200-202

management interfaces, 205

OOB NICs, 203-204

peripheral restrictions, 206-208

TOS, 190-191

CC, 190

examples, 191

TCSEC, 190

VDI, 221

virtualization

client-based application virtualization, 222

container-based virtualization, 211

server virtualization, 209-211

server-based application virtualization, 222

VTPM, 223-224

vulnerabilities of hosts with differing security requirements, 219-221

data remnants, 221

live VM migration, 220

privilege elevation, 220

VM escape attacks, 219

host-based firewalls, 194-196

hosted VDI model, 221

hot fixes, 193

HSM (hardware security module), 127-128

HSM (hierarchical storage management), 372

HTML5, 257

HTTP (Hypertext Transfer Protocol), 39

HTTP interceptors, 439

HTTPS (HTTP Secure), 39

human resources, security requirements, 466-467

HVAC controllers, 180

hybrid ciphers, 47

hybrid cloud model, 79, 540

hypervisor

Type I hypervisor, 210

Type II hypervisor, 211

I

IA (interoperability agreement), 344

IaaS (Infrastructure as a Service), 80

ICANN (Internet Corporation for Assigned Names and Numbers), 442

ICS (industrial control systems), 183

IDEA (International Data Encryption Algorithm), 42

identifying

client-side attacks, 396-397

hash values, 34

SQL attacks, 236-237

vulnerabilities, 397-398

identity management, 562-563

identity propagation, 580-581

identity theft, 456

ID-FF (Liberty Identity Federation Framework), 582

IDS (intrusion detection system), 193

anomaly-based, 124-125

IETF (Internet Engineering Task Force), RFCs, 395-396

IMA (Integrity Measurement Architecture), 218

IMAP (Internet Message Access Protocol), 484

IMPACT, 440

implementation phase (SDLC), 518

implementing

cryptographic algorithms, 66

Group Policy, 200-202

in-house developed software, interoperability with commercial software, 539

in-line deduplication, 92

incident response, 351-356, 364, 374-378. See also e-discovery

auditing, 380-381

CASP exam objectives, 15-18

chain of custody, 381

COOP, 384-385

criminal actions, 379

evidence, 381-382

facilitating, 378-381

forensic analysis, 383-384

hardware/embedded device analysis, 384

media analysis, 383

network analysis, 384

software analysis, 384

forensic tasks, 354-356

insider threats, 379-380

investigations, 353-354

non-malicious threats, responding to, 380

order of volatility, 385-386

rules of engagement, 354

search and seizure, 382-383

incremental backups, 370

incremental software development model, 250

industry-accepted development practices

BSI initiative, 246

ISO/IEC 27000, 246

OWASP, 246

WASC, 245-246

WS-Security, 246-247

INE (in-line network encryptor), 126

influences on security policies

audits, 275

client requirements, 277

competitors, 275

document exchange/review, 276

onsite assessments, 276

process/policy reviews, 276

regulatory entities, 276

top-level management, 277

information classification, 289-290

commercial business classifications, 289-290

military and government classifications, 290

infrared wireless, 502

infrastructure mode (WLANs), 499

inherent risk, 314

initiation phase (SDLC), 517-518

input validation, 235

insecure direct object references, 231

insider threats, 379-380

instant messaging, securing, 481

integer overflows, 242

integrating

diverse industries, security concerns

geography, 273

policies, 272

regulations, 272-273

rules, 272

end-user cloud storage into your business, 403

storage into an enterprise, 552

integrity, 50

chain of trust, 50-51

intended audience for this book, 628

interfaces

data interfaces, 205-206

dedicated interfaces, configuring, 203

loopback interfaces, 205

management interfaces, 205

OOB, 203-204

internal violations, 378-379

interoperability

application requirements, 538-539

of cryptographic algorithms, 66

of legacy and current systems, 537-538

inventory control

device-tracking technologies, 526

electronic inventory and asset control, 366-367

geolocation, 526

geotagging, 527

object tracking, 526-527

RFID, 527-528

IP video systems, 179-180

IPS (intrusion protection system), 193

IPsec (Internet Protocol Security), 39-40, 493-494

iptables, 195

IPv6, 111-113

IrTran-P protocol, 502

ISA (interconnection security agreement), 271, 345

ISAKMP (Internet Security Association and Key Management Protocol), 40

ISC2 (International Information Systems Security Certification Consortium), 403

iSCSI (Internet Small Computer System Interface), 87-88

ISO/IEC 27000 series standards, 246, 333-336

issuance of certificates to entities, 53-54

issue-specific security policies, 323

IT governance, 320-324, 471

baselines, 324

guidelines, 324

issue-specific security policies, 323

organizational security policy, 322-323

policies, 321-322

procedures, 324

standards, 324

system-specific security policies, 323

J

JAD (Joint Analysis Development), 254

Java applets, 257

JavaScript, 260

job rotation, 349

John the Ripper, 438

JSON (JavaScript Object Notation), 256

JVM (Java Virtual Machine), 257

K

kernel proxy firewalls, 142

key escrow, 56

key recovery, 56

key stretching, 32

keystroke dynamics, 568

Knapsack, 46

knowledge factor authentication, 116

known plaintext attacks, 62

KnTTools, 448

L

L2TP (Layer 2 Tunneling Protocol), 492-493

latency, 423

LDAP (Lightweight Directory Access Protocol), 586

least privilege, 350-351

legacy systems, interoperability with current systems, 537-538

legal holds, 374

legislation

CFAA, 338

Computer Security Act of 1987, 339

DMCA, 67

Economic Espionage Act of 1996, 339

Federal Privacy Act of 1974, 338

FISMA, 339

Gramm-Leach-Bliley Act of 1999, 338

Health Care and Education Reconciliation Act of 2010, 340

HIPAA, 338

PIPEDA, 339

SOX, 337

USA PATRIOT Act, 340

lessons-learned/after action review, 425

liability

downstream liability, 273

due diligence, 274

lightweight code review, 454-455

limitations of hashing, 33

linear cryptanalysis, 63-64

Linux

command shell restrictions, 202-203

iptables, 195

password storage, 566

load balancing, 165

logical controls, 295

logical deployment diagrams, 546

logs, monitoring, 196-198

loopback interfaces, 205

LUN (logical unit number) masking, 94

M

MAC (mandatory access control), 573

MAC (message authentication code), 33, 36-37

CBC-MAC, 37

CMAC, 37

HMAC, 37

maintainability, analyzing, 424

maintenance, 513

malware sandboxing, 446-447

MAM (mobile application management), 400

management controls, 294

management interfaces, 205

management plane, 166

managing

passwords, 563-566

reset policies, 565-566

software patches, 193

storage

DDPs, 93-94

deduplication, 92

HBA allocation, 95

LUN masking, 94

multisite replication, 95-96

offsite replication, 95-96

storage solutions, 90-98

snapshots, 91-92

user accounts, 562-563

mandatory vacation policies, 350

MD2 (message digest 2) algorithm, 34-35

MD4 algorithm, 34-35

MD5 algorithm, 34-35

MD6 algorithm, 34-35

MDM (mobile device management), 400, 495-497

measured launch, 218

media analysis, 383

meet-in-the-middle attacks, 66

Memdump, 448

memory

buffer overflows, 239-241

leaks, 242

on TPM chips, 208-209

memory dumping, 447-448

mergers

design considerations during, 545

security issues, 271

mesh networks, 120

message digests, 34-35

messaging framework (SOAP), 259

Metasploit, 440

metrics

analyzing, 419-420

collecting, 419-420

military data classifications, 290

MIME (Multipurpose Internet Mail Extensions), 69

mitigate strategy for risk analysis, 311

mitigating zero-day attacks, 398-399

MITM (man-in-the-middle) attacks, 66

modes

3DES, 61

DES, 58-60

monitoring

DAM, 254

log files, 196-198

networks, 169-171

MOU (memorandum of understanding), 345

MPLS (Multiprotocol Label Switching), 108

MTBF (mean time between failures), 162

MTTR (mean time to repair), 162

multi-factor authentication, 570

multihomed firewalls, 146

multipathing, 90-91

multiple solutions, testing, 418-419

multisite replication, 95-96

multi-tenancy model, 541

mutation fuzzing, 238

N

NAC (network access control), 176-178

NAS (network-attached storage), 84-86

NDA (nondisclosure agreement), 346

Nessus, 434

network administrators, security requirements, 464-465

network enumerators, 435-436

network flows, 157-158

network infrastructure design, 548-551

DMZs, 548-549

VLANs, 549

VPNs, 550

wireless networks, 550-551

new technologies

business tools, security implications of, 400-403

end-user cloud storage, 402-403

social media/networking, 401

communicating, 395-396

researching, 393-395

risk management, 268

NFS (Network File System), 89

NFS (Number Field Sieve), 46

NGFWs (next-generation firewalls), 133-134

NICs (network interface cards), OOB, 203-204

NIDS (network intrusion detection system), 124-125

NIPS (network intrusion prevention system), 123

NIST (National Institute of Standards and Technology), 35

NIST SP 800-30, risk management processes, 312-314

NIST SP 800-53, control families, 317

non-malicious threats, 380

non-repudiation, 50

NPV (net present value), calculating, 308-309

numeric passwords, 564

O

OAKLEY, 40

OAuth (Open Authorization), 575-576

object reuse, 515

object tracking, 526-527

objectives

chapter coverage, 628-638

enterprise security, 6-13

incident response, 15-18

integration of computing, communications, and business disciplines, 21-23

research, analysis, and assessment, 19-21

risk management, 15-18

technical integration of enterprise components, 23-26

OCSP (Online Certificate Status Protocol), 53

OFB (output feedback) mode, 60

OFDM (Orthogonal Frequency Division Multiplexing), 498

OFDMA (Orthogonal Frequency Division Multiple Access), 498

OLA (operating-level agreement), 345

on-demand cloud computing, 542

one-way hash function, 33

onsite assessments, 276

OOB (out-of-band) NICs, 203-204

open standards, 536

OpenID, 583

operate/maintain phase (SDLC), 518-519

operational activities, 512-513

optical jukebox, 372

Orange Book, 190

order of volatility, 385-386

organizational security policy, 322-323

OTPs (one-time passwords), 564

outsourcing

downstream liability, 273

due diligence, 274

security issues, 269-270

OWASP (Open Web Application Security Project), 438

ownership factor authentication, 117

P

PaaS (Platform as a Service), 80

packet-filtering firewalls, 141

PAP (Password Authentication Protocol), 444

partial-knowledge tests, 450

partnerships, establishing

BPAs, 346-347

security issues, 269

passive fingerprinting, 453-454

passive reconnaissance tools, 440-444

routing tables, 443-444

social media, 441

Whois, 441-442

passive vulnerability scanners, 134

passphrase passwords, 564

password crackers, 436-438

passwords. See also authentication; authorization

key stretching, 32

managing, 563-566

reset policies, 565-566

patch management, 193

payback, calculating, 308

PBKDF2 (Password-Based Key Derivation Function 2), key stretching, 32

PCI DSS (Payment Card Industry Data Security Standard), 339

PCR (platform configuration register) hash, 209

PDP (policy decision point), 577

Peach, 438

penetration testing, 448-450

black box testing, 451

gray box testing, 451

Retina, 449

selecting method, 452

strategies, 450

white box testing, 451

PEP (policy enforcement point), 577

performance

analyzing, 422

of cryptographic algorithms, 66

performing ongoing research

best practices, 392-393

new technologies, 393-394

evolution of technology, 395-396

security systems and services, 394-395

peripherals, restricting, 206-208

permutation, 49

PFS (perfect forward secrecy), 37-38

pharming, 455-456

phishing, 455-456

physical access control systems, 181

physical controls, 296

physical network diagrams, 547

physical security manager, security requirements, 468

physiological authentication systems, 567-568

PII (personally identifiable information), 347

PIPEDA (Personal Information Protection and Electronic Documents Act), 339

PKCS (Public Key Cryptography Standards), 69

PKI (public key infrastructure)

CAs, 51

root CAs, 51

certificates

classes of, 55

issuance to entities, 53-54

CRL, 53

OCSP, 53

systems, 55

users, 54-55

wildcard certificates, 52-53

X.509 standard, 50, 54-55

placement of security devices, 128-131

plaintext attacks

chosen plaintext attacks, 62

known plaintext attacks, 62

PLCs (programmable logic controllers), 183

PRNG (pseudo-random number generator), 37

policies

access control policies, 575

audit policies, 198, 359

change control policies, 159-160

continuous monitoring, 356-357

developing, 332

ISO/IEC 27000 series standards, 333-336

legal compliance, 337-340

hiring policies, 356

incident response, 351-356

forensic tasks, 354-356

investigations, 353-354

rules of engagement, 354

issue-specific security policies, 323

IT governance, 321-322

job rotation, 349

mandatory vacation policies, 350

organizational security policies, 322-323

principle of least privilege, 350-351

separation of duties, 348-349

system-specific security policies, 323

termination procedures, 356

training policies, 357-359

POP (Post Office Protocol), 484

port scanners, 432-433

port-level encryption, 98

ports, 152

post-process deduplication, 92

PPP (Point-to-Point Protocol), 444

PPTP (Point-to-Point Tunneling Protocol), 492-493

preparing for exam, 628

presence, securing, 483-484

preventing

fault injection attacks, 239

privilege escalation, 237

preventive controls, 293

principle of least privilege, 350-351

privacy, 347

PIAs, 379

private cloud model, 79, 540

private keys, 44

privilege elevation, 220

privilege escalation, 237

procedure development, 336

process/policy reviews, 276

programmers, security requirements, 463

protocol analyzers, 434-435

prototyping, 250, 418-419

provisioning

servers, 544

user accounts, 544

virtual devices, 544

proxies, 152

proxy firewalls, 141-142

PSTN (public switched telephone network), 491

public cloud model, 79, 540

public keys, 44

public-key cryptography. See asymmetric algorithms

Q

QoS (quality of service), 158

qualitative risk analysis, 302-303

quantitative risk analysis, 303

R

race conditions, time of check/time of use attacks, 242-243

RAD (Rapid Application Development), 252

RADIUS (Remote Authentication Dial-In User Service), 118-120, 585-586

RAID (redundant array of inexpensive disks), 162-164

rainbow table attacks, 33

RAs (registration authorities), 51

RAs (risk assessments), 340-341

RBAC (role-based access control), 573-574

RC algorithms, 43

RDP (Remote Desktop Protocol), 109

read-only snapshots, 92

reconnaissance, 452

passive reconnaissance tools, 440-444

routing tables, 443-444

social media, 441

Whois, 441-442

record-level encryption, 98

recoverability, analyzing, 424-425

recovering data, 368

daily backups, 370

differential backups, 369

full backups, 369

incremental backups, 370

transaction log backups, 370

recovery controls, 293

regulations, 272-273

influence on security policies, 276

remanence, 515

remote access

authentication methods, 114-120

characteristic factor authentication, 117

EAP, 114-115

knowledge factor authentication, 116

ownership factor authentication, 117

dial-up, 491-492

RDP, 109

SSH, 108

SSL, 110-111

VNC, 109-110

VPNs, 107-108, 492-494

site-to-site VPNs, 494

SSL, 495

remote administration, 495

remote assistance, securing, 482-483

remote journaling, 372

remote virtual desktops model (VDI), 221

removing data from magnetic storage media, 244

replay attacks, 65

replication, 372

researching

best practices, 392-393

new technologies, 393-394

advancements in technology, communicating, 395-396

end-user cloud storage, 402-403

security systems and services, 394-395

social media/networking, security implications of, 401

security requirements for contracts, 406-408

agreements, 408

RFIs, 408

RFPs, 407

RFQs, 407

residual risk, 314

resource provisioning, 543-544

REST (Representational State Transfer), 256

restricting

command shell, 202-203

peripherals, 206-208

Retina, 449

reverse engineering attacks, 65

reverse engineering existing solutions, 422

reviewing effectiveness of existing security controls, 421

RFCs (requests for comments), 395-396

RFI (request for information), 408

RFID, 527-528

RFP (request for proposal), 407

RFQ (request for quote), 407

Rijndael algorithm, 42

RIPEMD-160, 36

risk analysis, performing, 301-310

accept strategy, 312

ALE, calculating, 304-305

ARO, 306

avoid strategy, 310-311

magnitude of impact, 304

mitigate strategy, 311

motivation of risk, 305

NPV, calculating, 308-309

qualitative risk analysis, 302-303

quantitative risk analysis, 303

ROI, 307-309

SLE, calculating, 304

TCO, calculating, 309-310

transfer strategy, 311

trend analysis, 306

risk management, 268

anticipating changes, 332

CASP exam objectives, 15-18

continuous improvement, 318

due care, 274

Rivest, Ron, 43-46

rogue access points, 505

ROI (return on investment), 419

calculating, 307-309

root CAs, 51

rotation schemes, 370-371

routers, 151-152

routing protocols, 174

routing tables, 443-444

RSA (Rivest, Shamir, and Adleman), 45-46

RSA conference, 404

RTUs (remote terminal units), 183

rule sets, 159, 195

rule-based access control, 574

rules, 272

runtime debugging, 447-448

S

SaaS (Software as a Service), 80

vulnerability scanning, 214-215

SABSA (Sherwood Applied Business Security Architecture), 315

sales staff, security requirements, 462

SAML (Security Assertion Markup Language), 581-582

sandboxing, 216, 244-245

SANs (storage area networks), 83-84

SANS (SysAdmin, Audit, Networking, and Security) Institute, 403

satellite Internet connections, 504

SCADA (Supervisory Control and Data Acquisition), 183

scalability, analyzing, 423

screened host firewalls, 147-148

screened subnets, 148-149

scrubbing, 197

scrypt, key stretching, 32

SDL (Security Development Life Cycle), 519-521

SDLC (system development life cycle), 517-519

acquisition phase, 518

disposal phase, 519

implementation phase, 518

initiation phase, 517-518

operate/maintain phase, 518-519

sealing, 208

search and seizure, 382-383

Secure Boot, 217-218

SecureCode, 39

SecureSessionModule, 235

security policies, 272

Group Policy

GPMC, 201

GPOs, 200

implementing, 200-202

influences on

audits, 275

client requirements, 277

competitors, 275

document exchange/review, 276

onsite assessments, 276

process/policy reviews, 276

regulations, 276

top-level management, 277

security zones

DMZs, 176

separation of critical assets, 176

segmentation, 545-546

selecting

cryptographic technique, 32

penetration testing method, 452

sensitive data, storing, 237-238

sensors, 180

separation of critical assets, 176

separation of duties, 348-349

server-based application virtualization, 222

server-side processing, 255-260

servers

provisioning, 544

virtualization, 209

Type I hypervisor, 210

Type II hypervisor, 211

service packs, 193

services (cloud), 80

session keys, 41

session management, 233-235

SET (Secure Electronic Transaction), 39

SFTP (SSH File Transfer Protocol), 113

SHA (Secure Hash Algorithm), 35-36

SHA-2, 35

SHA-3, 35

Shamir, Adi, 45-46

Shibboleth, 583-584

shoulder surfing, 456

SHTTP (Secure HTTP), 39

side-channel attacks, 63

SIEM (security information and event management), 126-127

site-to-site VPNs, 494

situational awareness, 396-398

of client-side attacks, 396-397

of vulnerabilities, 397-398

Skipjack, 42

SLA (service-level agreement), 162-164, 345

SLE (single loss expectancy), calculating, 304

S/MIME (Secure Multipurpose Internet Mail Extensions), 69

SMTP (Simple Mail Transfer Protocol), 484

snapshots, 91-92

sniffing, 434-435

SNMP (Simple Network Management Protocol), 205

SOA (service-oriented architecture), 553

SOA (statement of applicability), 340-341

SOAP (Simple Object Access Protocol), 246-247, 259

social engineering attacks, 63, 455-456

social media/networking, security implications of, 401

SOEs (standard operating environments), 279

software

antivirus software, cloud antivirus, 213

development methods, 247-254

Agile model, 253, 523

build and fix, 248

Cleanroom model, 254

incremental model, 250

JAD, 254

prototyping, 250

RAD model, 252

spiral model, 251, 524

V-shaped model, 249

Waterfall method, 248-249, 523-524

endpoint security software, 191-198

antimalware, 191-192

antispyware, 192

antivirus software, 192

DLP software, 194

host-based firewalls, 194-196

IDS, 193

log monitoring, 196-198

patch management, 193

spam filters, 192-193

in-house developed software, interoperability with commercial software, 539

secure coding standards, 247

solving difficult problems, 425

sources of emerging threats, 406

SOX (Sarbanes-Oxley) Act, 337

spam filters, 192-193

antispam services for the cloud, 213

spear phishing, 485

SPI (Security Parameter Index), 40

spin-offs, security issues, 271

spiral software development model, 251, 524

SPML (Service Provisioning Markup Language), 578

SPOF (single point of failure), 166

SQL injection, 235-236

SRK (storage root key), 208

SRTM (Security Requirements Traceability Matrix), 297, 522

SSDLC (Security System Development Life Cycle), 519-521

SSH (Secure Shell), 69, 108

SSID (service set identifier), 499

SSL (Secure Sockets Layer), 38, 68-69, 110-111

SSL inspection, 156

SSO (single sign-on), 571-572

AD, 586-587

advanced trust systems, 585-587

LDAP, 586

RADIUS, 585-586

Shibboleth, 583-584

WAYF, 584-585

stakeholders

incorporating input into CIA decisions, 291

security requirements, 290

database administrators, 463-464

facilities manager, 468

financial staff, 466-467

human resources, 466-467

management/executive management, 465-466

network administrators, 464-465

physical security manager, 468

programmers, 463

sales staff, 462

standard libraries, 245

standard word passwords, 563

standards

adherence to, 536

competing standards, 536

de facto standards, 536-537

ISO/IEC 27000 series standards, 333-336

lack of, 536

open standards, 536

PCI DSS, 339

PKCS, 69

WLAN standards, 500-501

state management, 260

stateful firewalls, 141

static passwords, 564

statistical attacks, 65

steganography, 56

watermarking, 67

storage. See also storage keys; storage protocols

cloud storage, 79-80

antivirus products, 213

content filtering, 216

hash matching, 212-213

sandboxing, 216

vulnerability scanning, 214-215

cookies, storing, 239

data archiving, 82-83

data warehousing, 80-82

DDPs, 93-94

deduplication, 92

encryption

block-level encryption, 96-97

disk-level encryption, 96

port-level encryption, 98

record-level encryption, 98

HBA allocation, 95

HSM, 372

integrating into an enterprise, 552

LUN masking, 94

magnetic storage media, removing data from, 244

multipathing, 90-91

multisite replication, 95-96

NAS, 84-86

offsite replication, 95-96

password storage, 566

SANs, 83-84

sensitive data, storing, 237-238

snapshots, 91-92

virtual storage, 78-79

VSANs, 86

storage keys, 209

storage protocols, 87-90

CIFS, 90

FCoE, 88-89

iSCSI, 87-88

NFS, 89

strategies for penetration testing, 450

stream ciphers, 56-57

strength of cryptographic algorithms, 66

subobjectives

of enterprise security objective, 6-13

of integration of computing, communications, and business disciplines objective, 21-23

of research, analysis, and assessment objective, 19-21

of risk management objectives, 15-18

of technical integration of enterprise components objective, 23-26

switch spoofing, 140

switches, 137-138

trunking security, 172-173

symmetric algorithms, 40-43

3DES, 41

modes, 61

AES, 42

Blowfish, 42

CAST, 43

DES, 41

modes, 58-60

RC algorithms, 43

session keys, 41

Skipjack, 42

Twofish, 43

weaknesses of, 61

systems (PKI), 55

system-specific security policies, 323

T

TACACS+ (Terminal Access Controller Access Control System +), 118-120

tampering, 367

tape vaulting, 372

target tests, 450

Tavares, Stafford, 43

TCA (third-party connection agreement), 269

TCO (total cost of ownership), 419

calculating, 309-310

TCSEC (Trusted Computer System Evaluation Criteria), 190

TDMA (Time Division Multiple Access), 498

technical deployment models, 539-546

Teredo, 112

testing

multiple solutions, 418-419

validation testing, 522

third-party outsourcing

security issues, 269-270

downstream liability, 273

due care, 274

due diligence, 274

threat actors, 405-406

threats

APTs

CERT, 403-404

emergent threats, 399-400

intelligence, 406

sources of, 406

threat actors, 405-406

zero-day attacks, mitigating, 398-399

insider threats, 379-380

non-malicious threats, 380

situational awareness, 397-398

UTM, 122-123

throughput rate, 568

time of check/time of use attacks, 242-243

TLS (Transport Layer Security), 38, 68-69

top-down policy development, 332

top-level management, influence on security policies, 277

topics covered on exam, 628-638

TOS (trusted operating system), 190-191

CC, 190

examples, 191

TCSEC, 190

TPM (Trusted Platform Module) chips, 208-209

attestation, 579-580

IMA, 218

VTPM, 223-224

training policies, 357-359

transaction log backups, 370

transfer strategy for risk analysis, 311

transport encryption

3-D Secure, 39

FTP, 113

HTTP, 39

HTTPS, 39

IPsec, 39-40

SET, 39

SHTTP, 39

SSL, 38, 68-69

TLS, 38, 68-69

transposition, 49

trends

analyzing, 420-421

vulnerability cycle, 525-526

trunking security, 172-173

trusted third-party model, 581

TSIG (Transaction Signature), 554

Twofish, 43

Type I errors, 569

Type I hypervisor, 210

Type II errors, 569

U

UEFI (Unified Extensible Firmware Interface), 218-219

UMTS (Universal Mobile Telecommunications System), 499

unified collaboration tools, securing

desktop sharing, 481-482

email, 484-487

instant messaging, 481

presence, 483-484

remote assistance, 482-483

social media, 489

telephony, 487-489

video conferences, 479-480

web conferences, 478-479

Unix

chroot, 210

command shell restrictions, 202-203

password storage, 566

updates, 193

US-CERT (U.S. Computer Emergency Readiness Team), 404

USA PATRIOT Act, 340

USB devices, restricting, 206

user accounts

lockout policies, 565-566

managing, 562-563

provisioning, 544

user behaviors, risk management, 268

UTM (unified threat management), 122-123

V

V-shaped software development model, 249

validation testing, 522

VDI (virtual desktop infrastructures), 221

vertical privilege escalation, 237

video conferences, securing, 479-480

virtual devices, provisioning, 544

virtual storage, 78-79

virtualization

client-based application virtualization, 222

container-based virtualization, 211

server virtualization, 209-211

Type I hypervisor, 210

Type II hypervisor, 211

server-based application virtualization, 222

VDI, 221

virtual computing, 156

virtual environments, securing, 545

virtual firewalls, 154-155

virtual proxy servers, 156

virtual routers, 154-155

virtual switches, 153-154

virtual wireless controllers, 155

VMs, 209

live migration, 220

VTPM, 223-224

vulnerabilities

single physical server hosting multiple companies’ VMs, 541-542

single platform hosting multiple companies’ VMs, 542

VLANs, 139-140, 549

VM escape attacks, 219

VMs (virtual machines), 209

live migration, 220

VNC (Virtual Network Computing), 109-110

VoIP, securing, 488-489

VPNs, 107-108, 492-494, 550

MPLS, 108

site-to-site VPNs, 494

SSL, 495

VSANs (virtual storage area networks), 86

VTPM (virtual TPM), 223-224

VTY ports, 205

vulnerabilities

of hashing, 33

of hosts with differing security requirements, 219-221

data remnants, 221

live VM migration, 220

privilege elevation, 220

VM escape attacks, 219

of virtualization

single physical server hosting multiple companies’ VMs, 541-542

single platform hosting multiple companies’ VMs, 542

situational awareness, 397-398

vulnerability assessment, 445-446

vulnerability cycle, 525-526

vulnerability management systems, 398

vulnerability scanning, 434

for the cloud, 214-215

W

WAFs (web application firewalls), 131-132, 255

Walt Disney Magic Band, 527

warchalking, 505

wardriving, 505

warehousing, 80-82

WASC (Web Application Security Consortium), 245-246

Waterfall software development method, 248-249, 523-524

watermarking, 67

WAYF (Where Are You From?), 584-585

weaknesses

of asymmetric algorithms, 61

of symmetric algorithms, 61

weaknesses of industry-accepted development practices, OWASP, 246

web applications

browser extensions, 256-259

ActiveX, 257

AJAX, 258

Flash, 257

HTML5, 257

Java applets, 257

client-side processing, 255-260

industry-accepted development practices

WASC, 245-246

WS-Security, 246-247

JavaScript, 260

JSON, 256

REST, 256

security issues, 230

cookies, storing, 239

server-side processing, 255-260

SOAP, 259

state management, 260

WAFs, 255

web conferences, securing, 478-479

WEP (Wired Equivalent Privacy), 502-503

whaling, 486

WhatsUp Gold, 436

white box testing, 451

white hats, 406

whitelisting

application whitelisting, 199

character whitelisting, 235

Whois, 441-442

wildcard certificates, 52-53

Windows

Group Policy, 199-202

password storage, 566

WIPS (wireless intrusion prevention systems), 505

wireless controllers, 149-150

wireless networks, 550-551

WLANs (wireless LANs), 497-505

802.11 standard, 498

access points, 499

ad hoc mode, 499

Bluetooth, 502

CDMA, 498

FDMA, 498

GPRS, 499

GSM, 499

infrared, 502

infrastructure mode, 499

MAC filters, 504

OFDMA, 498

rogue access points, 505

satellite connections, 504

SSID, 499

standards, 500-501

TDMA, 498

UMTS, 499

warchalking, 505

wardriving, 505

WEP, 502-503

wireless attacks, 505

WPA, 503

WPA2, 503

worst-case scenario planning, 299-301

WPA (Wi-Fi Protected Access), 503

WPA2, 503

WS-Security, 246-247

WSUS (Windows Server Update Services), 203

X

X.500 standard, 586

X.509 standard, 50, 54-55

XACML (Extensible Access Control Markup Language), 577-578

XML, AJAX, 258

XOR operation, 56

XSS (cross-site scripting), 231-232

Y-Z

Zenmap, 432

Zero Knowledge Proof, 47

zero-day attacks, mitigating, 398-399

zero-knowledge tests, 450