
Principles of Information Security (PDF)

721 Pages·2016·31.122 MB·English

Preview: Principles of Information Security

Principles of Information Security, Fifth Edition
Michael E. Whitman, Ph.D., CISM, CISSP
Herbert J. Mattord, Ph.D., CISM, CISSP
Kennesaw State University

To register or access your online learning solution or purchase materials for your course, visit www.cengagebrain.com.

Australia, Brazil, Mexico, Singapore, United Kingdom, United States

Principles of Information Security, Fifth Edition
Michael E. Whitman and Herbert J. Mattord

SVP, GM Skills & Global Product Management: Dawn Gerrain
Product Development Manager: Leigh Hefferon
Senior Content Developer: Natalie Pashoukos
Development Editor: Dan Seiter
Product Assistant: Scott Finger
Vice President, Marketing Services: Jennifer Ann Baker
Senior Marketing Manager: Eric LaScola
Senior Production Director: Wendy Troeger
Production Director: Patty Stephan
Senior Content Project Manager: Brooke Greenhouse
Managing Art Director: Jack Pendleton
Software Development Manager: Pavan Ethakota
Cover image(s): ©iStockphoto.com/Vertigo3d

© 2016, 2012 Cengage Learning
WCN: 01-100-101

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means—graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act—without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706.
For permission to use material from this text or product, submit all requests online at www.cengage.com/permissions.
Further permission questions can be e-mailed to [email protected]

Library of Congress Control Number: 2014944986
ISBN: 978-1-2854-4836-7

Cengage Learning
20 Channel Center Street
Boston, MA 02210
USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: www.cengage.com/global.

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

To learn more about Cengage Learning, visit www.cengage.com

Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com.

Notice to the Reader
Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product information contained herein. Publisher does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such instructions. The publisher makes no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and the publisher takes no responsibility with respect to such material. The publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers' use of, or reliance upon, this material.

Printed in the United States of America
Print Number: 01   Print Year: 2014

To Rhonda, Rachel, Alex, and Meghan, thank you for your loving support. —MEW
To my granddaughter Ellie; the future is yours. —HJM

Brief Table of Contents

Preface (p. xvii)
Chapter 1  Introduction to Information Security (p. 1)
Chapter 2  The Need for Security (p. 45)
Chapter 3  Legal, Ethical, and Professional Issues in Information Security (p. 109)
Chapter 4  Planning for Security (p. 153)
Chapter 5  Risk Management (p. 229)
Chapter 6  Security Technology: Firewalls and VPNs (p. 297)
Chapter 7  Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools (p. 355)
Chapter 8  Cryptography (p. 417)
Chapter 9  Physical Security (p. 467)
Chapter 10 Implementing Information Security (p. 505)
Chapter 11 Security and Personnel (p. 547)
Chapter 12 Information Security Maintenance (p. 591)
Glossary (p. 657)
Index (p. 677)

Table of Contents

Preface (p. xvii)

Chapter 1  Introduction to Information Security (p. 1)
  Introduction (p. 3)
  The History of Information Security (p. 3)
    The 1960s (p. 4)
    The 1970s and 80s (p. 5)
    The 1990s (p. 9)
    2000 to Present (p. 9)
  What Is Security? (p. 10)
    Key Information Security Concepts (p. 11)
    Critical Characteristics of Information (p. 14)
  CNSS Security Model (p. 17)
  Components of an Information System (p. 19)
    Software (p. 19)
    Hardware (p. 20)
    Data (p. 20)
    People (p. 20)
    Procedures (p. 21)
    Networks (p. 21)
  Balancing Information Security and Access (p. 21)
  Approaches to Information Security Implementation (p. 22)
  Security in the Systems Life Cycle (p. 23)
    The Systems Development Life Cycle (p. 24)
    The Security Systems Development Life Cycle (p. 27)
    Software Assurance—Security in the SDLC (p. 28)
    Software Design Principles (p. 30)
    The NIST Approach to Securing the SDLC (p. 31)
  Security Professionals and the Organization (p. 34)
    Senior Management (p. 35)
    Information Security Project Team (p. 36)
    Data Responsibilities (p. 37)
  Communities of Interest (p. 37)
    Information Security Management and Professionals (p. 37)
    Information Technology Management and Professionals (p. 38)
    Organizational Management and Professionals (p. 38)
  Information Security: Is It an Art or a Science? (p. 38)
    Security as Art (p. 38)
    Security as Science (p. 39)
    Security as a Social Science (p. 39)
  Selected Readings (p. 39)
  Chapter Summary (p. 40)
  Review Questions (p. 40)
  Exercises (p. 41)
  Case Exercises (p. 42)
  Endnotes (p. 42)

Chapter 2  The Need for Security (p. 45)
  Introduction (p. 47)
    Business Needs First (p. 47)
  Threats and Attacks (p. 49)
    2.5 Billion Potential Hackers (p. 49)
    Other Studies of Threats (p. 50)
    Common Attack Pattern Enumeration and Classification (CAPEC) (p. 52)
    The 12 Categories of Threats (p. 52)
  Compromises to Intellectual Property (p. 52)
    Software Piracy (p. 53)
    Copyright Protection and User Registration (p. 53)
  Deviations in Quality of Service (p. 56)
    Internet Service Issues (p. 56)
    Communications and Other Service Provider Issues (p. 57)
    Power Irregularities (p. 57)
  Espionage or Trespass (p. 58)
    Hackers (p. 59)
    Hacker Variants (p. 64)
    Password Attacks (p. 66)
  Forces of Nature (p. 68)
    Fire (p. 69)
    Floods (p. 69)
    Earthquakes (p. 69)
    Lightning (p. 69)
    Landslides or Mudslides (p. 69)
    Tornados or Severe Windstorms (p. 69)
    Hurricanes, Typhoons, and Tropical Depressions (p. 70)
    Tsunamis (p. 70)
    Electrostatic Discharge (p. 70)
    Dust Contamination (p. 70)
  Human Error or Failure (p. 71)
    Social Engineering (p. 72)
  Information Extortion (p. 76)
  Sabotage or Vandalism (p. 77)
    Online Activism (p. 78)
  Software Attacks (p. 80)
    Malware (p. 80)
    Back Doors (p. 87)
    Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks (p. 88)
    E-mail Attacks (p. 89)
    Communications Interception Attacks (p. 90)
  Technical Hardware Failures or Errors (p. 92)
    The Intel Pentium CPU Failure (p. 92)
    Mean Time Between Failure (p. 93)
  Technical Software Failures or Errors (p. 93)
    The OWASP Top 10 (p. 93)
    The Deadly Sins in Software Security (p. 94)
  Technological Obsolescence (p. 99)
  Theft (p. 101)
  Selected Readings (p. 101)
  Chapter Summary (p. 101)
  Review Questions (p. 102)
  Exercises (p. 104)
  Case Exercises (p. 104)
  Endnotes (p. 105)

Chapter 3  Legal, Ethical, and Professional Issues in Information Security (p. 109)
  Introduction (p. 110)
  Law and Ethics in Information Security (p. 110)
    Organizational Liability and the Need for Counsel (p. 111)
    Policy Versus Law (p. 112)
    Types of Law (p. 112)
  Relevant U.S. Laws (p. 113)
    General Computer Crime Laws (p. 113)
    Export and Espionage Laws (p. 122)
    U.S. Copyright Law (p. 124)
    Financial Reporting (p. 124)
    Freedom of Information Act of 1966 (p. 124)
    Payment Card Industry Data Security Standards (PCI DSS) (p. 124)
    State and Local Regulations (p. 126)
  International Laws and Legal Bodies (p. 127)
    U.K. Computer Security Laws (p. 127)
    Australian Computer Security Laws (p. 127)
    Council of Europe Convention on Cybercrime (p. 128)
    World Trade Organization and the Agreement on Trade-Related Aspects of Intellectual Property Rights (p. 128)
    Digital Millennium Copyright Act (p. 129)
  Ethics and Information Security (p. 129)
    Ethical Differences Across Cultures (p. 129)
    Ethics and Education (p. 135)
    Deterring Unethical and Illegal Behavior (p. 136)
  Codes of Ethics at Professional Organizations (p. 137)
    Major Information Security Professional Organizations (p. 138)
  Key U.S. Federal Agencies (p. 139)
    Department of Homeland Security (p. 139)
    U.S. Secret Service (p. 142)
    Federal Bureau of Investigation (FBI) (p. 142)
    National Security Agency (NSA) (p. 145)
  Selected Readings (p. 146)
  Chapter Summary (p. 147)
  Review Questions (p. 147)
  Exercises (p. 148)
  Case Exercises (p. 149)
  Endnotes (p. 149)

Chapter 4  Planning for Security (p. 153)
  Introduction (p. 154)
  Information Security Planning and Governance (p. 154)
