Handbook of Information Security Management: Index


Index

A

Access cards
dumb, 684
PCMCIA, 452, 461, 580
problems with, 46
smart, 11, 106, 168, 684
Access control list (ACL), 614–616, 706
Access controls
administration of, 12–17, 92–93, 175, 319, 371
architecture of, 367, 609–610
biometric. See Biometric access controls
cards. See Access cards
changes in, 670–672
channel control, 457–458
confidentiality and, 19–22, 101, 158, 170, 251
for data bases, 621–630
desktop computing and, 162–163
discretionary (DACs), 69–73, 77, 84–87, 622–623, 626–627
hardware and, 450, 672
implementation of, 83–98
integrity and, 24–29
Kerberos and, 102
keys. See Keys
legislation and, 535–538, 541–543
levels of, 663–665
list-based, 96–97
logical, 253–255, 577
malicious software and, 442–444
mandatory (MACs), 73–74, 77, 79, 84–87, 622–623, 627–628
matrix, 94–95
models of, 21–22, 87–90, 626
on networks, 156–157, 168–169
for object-oriented data bases, 621–623, 625–628
overview of, 1–2
passwords. See Passwords
point of control for, 370
portable computers and, 459–461, 702, 705–708
privileged-entity, 665–670
problem management in, 672–674
role-based (RBAC), 77–79, 605–619
rules-based, 371–372
at the server, 614–616
software for, 10, 30, 376
testing of, 686–687
users' view of, 610–611, 623–624, 663
Accountability, 482–489, 607–609, 660–661
Accuracy of identification systems, 39–40, 48–53
Ace Server, 376
ACF2, 319
ACL (access control list), 614–616, 706
Air traffic control systems, 31
AIS (automated information systems), 491–492
American National Standards Institute (ANSI), 66, 639
Annualized loss expectancy (ALE), 229, 234, 261–262
Annualized rate of occurrence (ARO), 229
Antivirus software, 10, 443–444
Appletalk, 452
Application-gateway firewalls, 215–217
Appropriate use policy, 189–190
ARES, 263
ARO (annualized rate of occurrence), 229
Asset values
of intangible information, 246, 250–252, 660
of networks, 159
in risk management, 240, 244, 246–247, 250–255
tangible, 250
Assured pipelines, 139–140
Asymmetric systems, 375, 650–654
Asynchronous attacks, 527–529
ATMs (automated teller machines), 514, 684
AT&T 3600 Telephone Security Device, 641, 644
Attacks, types of, 405–408, 527–529. See also Malicious software
Audit trails
access control and, 608
integrity and, 24, 28
Internet use and, 190, 199–202
networks and, 156, 169–170
overview of, 12
in prosecution, 558, 562, 580
Audits, 123–130, 352, 576
Authentication of users. See also Access controls
accuracy of, 39–40, 48–53
biometric. See Biometric access controls
costs of, 685–686
definition of, 375
Kerberos and, 99–117
labor unions and, 41, 45
masquerading and, 514
in networks, 167–168
Personal Identification Number (PIN), 36–37, 47–54, 376
portable computers and, 705–707
products for, 376
servers and, 103–105, 194–196, 369, 372
strong, 370
Authentication Server (AS), 103–105
Authorization. See Access controls; Authentication of users
Automated information systems (AIS), 491–492
Automated teller machines (ATMs), 514, 684
Automaton theory, 25
Availability of computer systems, 29–31, 102, 158, 251–253, 504. See also Denial of service

B

Background investigations, 16. See also Personnel
Backup of files
for desktop data, 430–439
forensics and, 578
need for, 7, 171, 428, 480
remote, 438–439
storage of, 436–438
timing of, 435–436
types of, 433–435
Badge systems. See Access controls; Authentication of users
Banking, 491–492, 524–525, 536, 618
Banyan Vines, 156
Base relations, 68–71
Bayesian Decision Support System (BDSS), 263
BBBOnline, 191
Bell-LaPadula integrity model, 21, 24, 26–27, 88
Best Demonstrated Practices, 381
BIA. See Business impact analysis
Biba integrity model, 24, 26–28, 88–89
Binding, 404
Biometric access controls
background of, 36–39
benefits of, 46
characteristics of, 39–43
data collection for, 41–43, 46–47
historical problems with, 43–46
need for, 8, 35–36
in networks, 168
portable computers and, 706
types of, 47–54, 685–686
Body odor, 38
Boebert and Kain integrity implementation, 27–28
Boot sector viruses, 444–445
Branscomb, Anne W., 539
Brewer-Nash integrity model, 26
Browsing, 192–195, 406
The Buddy System Risk Assessment and Management System for Microcomputers, 263
Buffer storage, 413
Burdeau v. McDowell, 567
Bus networks, 153
Business continuity, 269–281
business impact analysis process and, 285–287
departmental planning for, 271–274
desktop computing and, 459
disaster recovery planning and, 14–15, 171, 255, 260, 269–271, 294
the distributed environment and, 275–279
risk assessment and, 269–270
testing of, 271, 279–280
Business impact analysis (BIA), 285–301. See also Business continuity; Risk management
business values and, 503–506
data classification and, 311–313, 317
integrity failures and, 501–503
interviews for, 287–289, 291–296, 301
overview of, 285–287, 299–301
physical security requirements and, 680–681
presentation of, 297–299
questionnaires for, 287–292
risk management and, 244–245, 483–484, 489
Business recovery planning. See Business continuity; Business impact analysis

C

Cables for networks, 151–152
Cache storage, 413
California, computer legislation in, 545–546, 573
Call-forwarding, 11
Callback systems, 11, 168, 461
Capabilities architecture, 28
Capstone, 654. See also Clipper chips
Carbon Copy, 152
CD-ROMs (compact-disk read-only memory), 411
CER (crossover error rate), 40
CERT (Computer Emergency Response Team), 202–204, 207, 348, 353
CERTs (computer emergency response teams), 129–130, 561, 570
Chain of Evidence, 558–559
Challenge-response tokens, 683–684
Change control analysts, 319
Checksums, 5, 29, 101, 129, 169
Chlorofluorocarbons, 8–9
CIAC (Computer Incident Advisory Capability), 202–203
Ciphertext, 11, 635. See also Encryption
Circuit-gateway firewalls, 217–218
Clark-Wilson integrity model, 25–28, 89–90
Cleartext, 635
Clipper chips, 57, 61, 635, 640–645. See also Encryption
Clipping levels, 662–663
Closed-circuit television monitors, 9
CM (Configuration Management) Plan, 475, 477–478, 486, 492–494
Code bombs (logic bombs), 440, 442, 527, 579
Code of Fair Information Practices, 597
Commerce Server, 193–194, 197
Common Authentication Technology Working Group, 106
Common Criteria, 390–392
Compact-disk read-only memory (CD-ROM), 411
Computer, definition of, 543
Computer abuse, 511–533, 537, 543–544. See also Hackers; Malicious software; Trojan horses; Viruses; Worms
Computer crime, 535–547, 551–584. See also Computer abuse
civil law and, 554–555
criminal law and, 552–554
definition of, 551–552
disclosure and, 563–564
evidence of, 555–561, 572–573
federal laws on, 535–538, 542, 547
forensics and, 574–581
information abuse, 543–544
investigation of, 561–581
legal proceedings and, 581–583
recovery of damages for, 582–583
state laws on, 538–547
Computer Emergency Response Team (CERT), 202–204, 207, 348, 353
Computer emergency response teams (CERTs), 129–130, 561, 570
Computer ethics, 587–600
Computer Ethics Institute, 595, 598–599
Computer Fraud and Abuse Act of 1986, 535–538, 547, 554
Computer games, ethics and, 589–591
Computer Incident Advisory Capability (CIAC), 202–203
Computer security. See also Access controls; Firewalls; Information security; Risk management; Safeguards
architectural elements of, 408–417
business impact analysis and, 680–681
Computer Systems Security Plans (CSSP), 177–178
for data bases, 621–629
default measures, 362–363
in distributed systems, 468–482, 486–489
enterprise-scale, 361–376
Information Protection Services (IPS), 343–360
overview of, 5, 403–405
theft and, 428–430, 438, 531, 540, 675, 682
Confidentiality, 19–22, 101, 158, 170, 251
Configuration Control Authority, 475, 477
Connectivity, 479–480, 482, 488
Constrained data items, 89
Construction companies, 617
Consultants, external, 344, 352, 358, 360
Contact persons, security, 388–389
Contingency and emergency plans, 14–15, 30, 171, 255, 294, 480. See also Computer emergency response teams
Control Matrix Methodology for Microcomputers, 263
Cookies, 203–204
Cooperative systems, 470–471, 473–474, 476, 480–489
COPS, 130
Corley, Eric, 590
Corrective controls, 5–6
COSSAC, 263
Costs
of biometric identification, 685–686
Kerberos and, 113–114
replacement, 251
risk mitigation and, 235–236
Counterfeiting, 42, 49–52, 516–517
Court orders, 646–647
Covert channels, 405
Crack, 126
CRAMM, 263
Crawler programs, 204
CREATE statements, 66, 70
Credit card fraud, 513, 536
Credit reports, 536, 538
Crimes. See Computer crime
CRITI-CALC, 263
Crossover error rate (CER), 40
Cryptography. See also Encryption
definition of, 375
digital signature systems, 486, 650–654
locks and, 683
overview of, 631, 635–637
public-key cryptosystems, 375, 650–654
single-key cryptosystems, 637–645
CSSP (Computer Systems Security Plans), 177–178
Cycle testing, 279–280

D

DACL (distributed access control list), 615
DACs (discretionary access controls), 69–73, 77, 84–87, 622–623, 626–627
Daemon dialers, 125, 513
Data base administrator (DBA), 72
Data base management systems (DBMSs), 65–66, 71, 74–76, 94, 621–629
Data bases
access controls for, 621–629
attributes of, 63–65
denial of service in, 622
multilevel, 74–77
object-oriented (OO), 621–623, 625–629
relational, 63–79, 622–625
search engines for, 184
security for, 621–629
tuples of, 63–68, 73–74
Data classification, 307–323
access control and, 627–628
analysts and, 319–320
corporate policy on, 310–312
downgrading, 86, 88
federal law and, 535–536
the Internet and, 188–189
labeling, 86–87
minimum controls on, 314–316
networks and, 478–479
overview of, 307–308, 323
process of, 308–309, 313–323
Data disclosure, 528–530, 701–708
Data encryption standard (DES)
Kerberos and, 102, 111, 115–116
overview of, 60–62, 372, 638–639, 642
portable computers and, 707
Data entry, false, 516–518
Data modification, 22, 23, 161, 622, 702, 705
Data objects, 415–416
Data ransoming, 450
Data recovery, 578
Data theft, 708–709
Data transfer, 479–481, 488
DBA (data base administrator), 72
DB2 data base, 71–72
DBMS (data base management system), 65–66, 71, 74–76, 94, 621–629
DCE (Distributed Computing Environment), 116
DDT (domain definition table), 136–137
Debugging, computer abuse and, 526
Decentralized systems, 470–472, 476
DECnet, 112
Decryption, 636, 646–647. See also Cryptography; Encryption
Default security measures, 362–363
Delphi approach, 246, 252
Demon programs, 125, 513
Denial of service, 30, 134, 209, 622. See also Availability of computer systems
Department of Defense (DoD), 86, 135, 139–140, 328, 330, 405
Department of Defense Trusted Computer System Evaluation Criteria (Orange Book), 22, 392–393
DES. See Data encryption standard
Desktop computing
access controls and, 162–163
architecture of, 424–425
backup of files in, 430–439
local area networks and, 421–423
personal computers (PCs), 162–164, 421–462
security for, 425–427
vulnerability of, 421–425
Detective controls, 5, 9, 12, 15–17
Deterrent controls, 5–6
Diabetes, 45
Dial-back, 11, 168, 461
Dial-up access, 11, 125, 152–153, 164–165, 702
Dictionary attacks, 407–408
Diffie-Hellman key exchange, 641, 644
Diffie’s key solution, 60
Digital envelopes, 479
Digital Signature Standard (DSS), 652
Digital signatures, 486, 650–654
Disaster recovery, contingency, and emergency plans, 14–15, 30, 171, 255, 294, 480. See also Computer emergency response teams
Disaster Recovery Plan (DRP), 260, 269–281. See also Business continuity; Business impact analysis
Discovery crawler programs, 204
Discretionary access controls (DACs), 69–73, 77, 84–87, 622–623, 626–627
Disk drives, 162–163
Disk failure, 170
Diskettes, 422–423, 431–432, 463, 523, 560
Dispersed systems, 470–471, 473, 476, 480
Distributed access control list (DACL), 615
Distributed Computing Environment (DCE), 116
Distributed Management Environment (DME), 116
Distributed systems
business continuity in, 269–281
computer security in, 468–482, 486–489
Configuration Management (CM) Plan, 475, 477–478, 486, 492–494
engineering integrity, 489–503
integrity in, 475–482
Kerberos in, 99–117
processing and security in, 468–482, 486–489
risk accountability in, 482–489
types of, 469–474
DIT (domain interaction table), 137
DME (Distributed Management Environment), 116
DNS (domain name service), 110, 208
Documentation, 173, 430
DoD (Department of Defense), 86, 135, 139–140, 328, 330, 405
Doe v. United States, 581
Domain definition table (DDT), 136–137
Domain interaction table (DIT), 137
Domain name service (DNS), 110, 208
Domains in computer systems, 408–410, 488
Double door systems, 7
Downloaded files, 20
Downsizing, information protection and, 343–345, 350
Downtime, 158, 285, 295. See also Business impact analysis (BIA)
DRP (Disaster Recovery Plan), 260, 269–281
DSS (Digital Signature Standard), 652
Due care concept, 484–485, 555
Dumb cards, 684

E

Ear shape, 38
Earthquake damage, 681–682
Eavesdropping, 101, 406, 511–513
Economic espionage, 333–336, 347. See also Information warfare
ECPA (Electronic Communications Privacy Act) of 1986, 512, 538, 554, 557, 574
Education. See Training
Educational organizations, 617
Eight little green men (8lgm), 348
Electrical power failures, 8, 162, 171–172, 273, 275, 682
Electronic vaulting, 30
Electronic Communications Privacy Act (ECPA) of 1986, 512, 538, 554, 557, 574
Electronic shielding, 512
Electronic warfare, 329. See also Information warfare
E-mail, 155, 165
Emergency shutdown procedures, 275–276
Employment procedures. See Personnel
Encryption. See also Cryptography
computer theft and, 430, 450
data classification and, 188–189, 314–315
data encryption standard (DES). See Data encryption standard
decryption, 636, 646–647
digital signature systems, 486, 650–654
end-to-end, 170
escrowed, 640–647, 649–650, 654
fair public-key, 649–650
hackers and, 408
information warfare and, 332
the Internet and, 209–210
networks and, 29, 156, 170
overview of, 11, 57–58
personal computers and, 450–452
portable computers and, 707–708
secret messages and, 57–58
session keys for, 637–640, 644–649
End User’s Basic Tenets of Responsible Computing, 596
Enforcement of security, 90, 136–143, 389, 404–405
Enterprise security, 361–376
Entrust, 452
Environmental failures, 250, 681–682. See also Power failures
Equal error rate, 40
Escrowed encryption, 61, 640–647, 649–650, 654
Escrowed Encryption Standard, 61
Espionage Act, 512
Ethernet, 154, 168
Exception logs, 169–170
Exclusionary Rule, 557
Exposure factor (EF), 229
External sources (consultants), 279, 344, 352, 358, 360

F

Facial recognition, 38, 55–56, 686
Facial thermography, 38
Fair Credit Reporting Act of 1970, 59
Fault tolerance, 30, 277–278
Federal Bureau of Investigation (FBI), 352–353
Federal Communications Act of 1934, 59–60
Federal-interest computers, 536
Federal laws on computer crime, 535–538, 542, 547
Federal Rules of Evidence, 558
Federal Sentencing Guidelines, 564
Fences, 7
Fiber optic cables, 151–152
File allocation table (FAT), viruses and, 441
File copying, 430–431
File security on networks, 157
File transfer protocol (FTP), 111, 193, 216
Financial institutions, 491–492, 524–525, 536, 618
Fingerprint systems, 37–38, 42, 47–48, 55, 685
Finite-state machines, 409
Fire and smoke detectors, 9
Fire damage, 161–162, 171, 250, 275, 437, 681
Fire suppression systems, 8–9, 276
Firewalls
gateway-based, 210–211, 215–218
hybrid, 218
Internet and, 141–146, 191, 196–198, 200, 207–222
Kerberos and, 109–110
packet filtering, 213–215, 219, 221
portable computers and, 706
screened subnets, 212–213
security for, 133
Sidewinder, 141–146
types of, 210–219
use of, 219–220, 372–373
First Amendment rights, 591
Fisher v. United States, 581
Florida, computer legislation in, 546
Flow models, 21
FOIA (Freedom of Information Act), 566
Foreign keys, 64–66, 70
Forensics of computer crime, 574–581
Forgery, 516–517
Four Primary Values for Computing, 596
Fourth Amendment rights, 557, 566, 570
Fragmented data architecture, 76–77
Fraud, federal law and, 513–514, 535–538, 547, 554
Freedom of Information Act (FOIA), 566
FTP (file transfer protocol), 111, 193, 216

G

Generic security services applications programming interface (GSSAPI), 106, 109, 112, 372, 615
Globalization of technology, 346–347
Goguen-Meseguer integrity model, 25, 27
Gong integrity implementation, 29
Gopher, 184
GRANT statement, 70–72, 624, 626
Granularity of labeling, 73–74, 85
GRA/SYS, 263
Grouping mechanisms, 92–93
Group name service, 368–369, 371
GSSAPI (generic security services applications programming interface), 106, 109, 112, 372, 615

H

Hackers. See also Computer abuse
computer ethics and, 590–594
confidentiality and, 20
dial-in access and, 164
information warfare and, 328–329, 339–340
legislation against, 537–547. See also Computer crime
networks and, 454–457
profiles of, 124, 190, 463, 513–521, 525, 527–532
Sidewinder and, 141–146
techniques of, 124–130, 348, 405–408
temporary staff as, 344
war dialing by, 460, 579
Halon systems, 8–9
Hand geometry systems, 38, 48–49, 685–686
Harding, Tonya, 594
Hardware failure, 170
Hash functions, 650–653
Health maladies and security systems, 45, 51
Hearsay Rule, 557–558
Hold-harmless agreements, 692–693
Honey Pots, 574
Hospitals, 616–617
Hypertext, security policies in, 397–398
HyperText Markup Language (HTML), 202
Hypertext transfer protocol (HTTP), 193, 195–198, 200, 203–204, 216

I

Identification systems. See Authentication of users
IFIA (integrity failure impact assessments), 501–503
Illinois, computer legislation in, 545
Impoundment orders, 555
Inference, 622
Information abuse, 543–544
Information age warfare, 328–330. See also Information warfare
Information assets, 229–230
Information bucket principle, 134–140
Information classification. See Data classification
Information custodians, 317–318
Information Management Policy, 311
Information owners, 317–318, 321–322
Information Protection Services (IPS)
development of technology and, 343–348
organizational model for, 349–360
responses of, 349–350
sources for, 351–354
Virtual Protection Team (VPT) and, 351, 357–359
Information risk management (IRM) policy. See Risk management
Information security. See also Access controls; Computer security
Information Protection Services (IPS), 343–360
management, 5–17, 19–31, 483–484, 499–501
policy, 310–312. See also Data classification
professionals, 308–312, 319–320, 327–340, 349
Information technology (IT)
architecture of, 366–367
business continuity planning and, 272–274, 276
business impact assessment and, 292
data classification and, 309
traditional and modern environments of, 364–366
Information Technology Security Evaluation Criteria (ITSEC), 390–392
Information warfare (IW), 327–340
defense against, 338–339
economic espionage, 333–336, 347
hardening, 328
menu-driven, 332–333
military, 328–333
overview of, 327–330
techno-terrorism and, 329, 336–340
Informix, 79
Infrared light transmission, 151
Initial program loads (IPL), 673–674
Initialization vector (IV), 644
INSERT and DELETE statements, 66–67, 70
Insurance policies, 430, 555
Integrated data architecture, 74–75
Integrity. See also Systems integrity engineering
access controls and, 24–29
audit trails and, 24, 28
business impact analysis and, 501–503
business values and, 503–506
certification rules, 90
confidentiality and, 22–29
disaster planning and, 274, 277
in distributed systems, 475–482
engineering for, 489–503
entity, 65
failure impact assessments (IFIA), 501–503
Kerberos and, 101
models, 21, 23–29, 88–90
for networks, 158, 169
portable computers and, 702–705
referential, 65, 67
security of, 134, 485–489
during systems change, 489–491, 505–506. See also Life cycle analysis
valuation of, 251–252
Internal Revenue Service (IRS), 593
International security, 390–393
International Standards Organization (ISO), 66, 153
Internet
audit trails and, 190, 199–202
browser security in, 192–195
client authentication in, 193–194
data classification and, 188–189
denial of service and, 209
disabling servers, 134, 138–139, 144–146
encryption in the, 209–210
ethics and, 592, 596
firewalls in, 141–146, 191, 196–198, 200, 207–222
growth of, 183–185
hacker tools on, 125–130
Kerberos and, 100, 102, 106, 112
security policies and, 185–190, 195–198, 397
Sidewinder challenge on the, 146–147
Internet Activities Board, 596
Internet protocol (IP) spoofing, 128, 208
Internet service providers (ISPs), 208. See also Servers
Internetworking, 165
Interoperable systems, 470–471, 473–474, 476, 480–489
Interstate crimes, 536
Intranet
audit trails and, 199–202
growth of, 183, 345, 348
security for, 185–188, 195–198, 397
Intrusion analysis, 662
Intrusion detection systems, 5, 12
I/P accounting, 201
IP (internet protocol) spoofing, 128, 208
IPL (initial program loads), 673–674
IPS. See Information Protection Services
Iris recognition systems, 38, 42, 51–53, 55–56
IriScan system, 52, 56
IRM (information risk management) policy. See Risk management
IRS (Internal Revenue Service), 593
ISO (information security officer), 308–312
ISO (International Standards Organization), 66, 153
ISP (internet service provider), 208. See also Servers
ISS, 130
IST/RAMP, 263
IT. See Information technology
ITSEC (Information Technology Security Evaluation Criteria), 390–392
IV (initialization vector), 644
IW. See Information warfare

J

JAD (joint analysis development), 497
JANBER, 263
JAVA scripts, 198, 202–204
Joins, 68
Joint analysis development (JAD), 497
Jueneman integrity implementation, 29
Jukebox storage, 431, 463

K

Kansas, computer legislation in, 541
Karger integrity implementation, 28
Kerberos, 99–117, 369, 605
Key distribution center (KDC), 103–105, 107, 110–112, 114–115
Key exchange, 639, 641, 644
Keys. See also Locks and keys
encryption, 116, 375, 452, 637–640, 644–654
foreign, 64–66, 70
primary, 64–66
public, 116, 193, 639–640, 647–651, 653–654
session, 639–640, 644–649
single, 637–645
storage protection, 412
Keystroke dynamics, 38, 47
Keystroke logging, 126–127
Kinit, 103, 105–106

L

Labor unions, identification procedures and, 41, 45
LANs. See Local area networks
Laptop (portable) computers, 459–461, 701–710
Larceny, 428–430, 438, 531, 540, 675, 682
Lattice models, 87–88
Lattice principle, 21, 28
LAVA, 263
Law enforcement access field (LEAF), 61, 641, 644–647
Least privilege, 136
Lee and Shockley integrity implementation, 28
Legal proceedings, 581–583, 646–647. See also Computer crime
Legal requirements. See Regulatory requirements
8lgm (eight little green men), 348
Library control systems, 10
Life cycle analysis, 495–501, 559–561
Lightning, 682
Linux, 425, 489
Lip shape, 38
Lipner integrity implementation, 26–27
List-based control, 96–97
Local area networks (LANs)
access to, 152–153, 164–165, 167–168, 458
audit trails and, 156, 169–170
channel factor and, 456–458
confidentiality and, 20, 158, 170
desktop security and, 421–423
disaster planning and, 275–279
fire damage to, 161–162, 171, 275
multiplication factor in, 455–456
overview of, 149–158, 416
risk management in, 150, 158–159, 174, 178
safeguards for, 166–173, 452–459
security implementation for, 174–178, 195–198
server-based, 452–454
threats to, 158–162
value of, 159
vulnerabilities in, 161–165, 173, 454–455
wireless, 702
LOCK system, 136, 141
Locks and keys
development of, 36
employee termination and, 14
location of, 372
need for, 7–8, 683
in networks, 168
types of, 683
Logic bombs, 440, 442, 527, 579
Logical controls, 9–12, 17
Log-ons, 124–125, 362–363, 376
Logs, 145, 169–170, 200. See also Audit trails
Louisiana, computer legislation in, 546
LRAM, 263
Ludwig, Mark, 591

M

Macintosh, Kerberos and, 108
Macro viruses, 448–450
MACs (mandatory access controls), 73–74, 77, 79, 84–87, 622–623, 627–628
MACs (message authorization codes), 169, 637–638
Magnetic cards. See Access cards
Magnetic tapes, 437
Maine, computer legislation in, 545
Maintenance requirements, 44–45, 172–173
Malicious software. See also Computer abuse; Trojan horses; Viruses; Worms
defense against, 442–444
ethics and, 591–593
in the future, 533
in information warfare, 332, 338
legislation against, 544–546. See also Computer crime
in networks, 161
in personal computers, 164
types of, 405–408, 439–442, 527–529
Management, security and, 362, 366–367, 368, 562–563. See also Security policies
Mandatory access controls (MACs), 73–74, 77, 79, 84–87, 622–623, 627–628
MARION, 263
Masquerading, 20, 514
Maximum tolerable downtime (MTD), 158, 285, 295. See also Business impact analysis
Message authorization codes (MACs), 169, 637–638
Michelangelo, 445
Micro Secure Self Assessment, 263
Microcomputers. See Personal computers
Microsoft Windows, Kerberos and, 108
Microsoft Word viruses, 448–450
Military needs, 31
Minnesota, computer legislation in, 545
Mississippi, computer legislation in, 546
Missouri, computer legislation in, 546
Mitnick, Kevin, 463
Modified Delphi approach, 246, 252
Monkey.B, 445
Morris Worm, 339, 442
Motion detectors, 9
MTD (maximum tolerable downtime), 158, 285, 295
Multics System, 409
Mutation Engine, 447–448
MYK78 chip, 644

N

Naming, 92
NAPM (New Alliance Partnership Model), 491–501
National Bureau of Standards’ Data Encryption Standard. See Data Encryption Standard (DES)
National Computer Ethics and Responsibilities Campaign (NCERC), 598–599
National Computer Security Association (NCSA), 191, 599
National Computer Security Center (NCSC), 22, 88, 393
National Conference on Computing and Values, 596
National Institute of Standards and Technology (NIST), 66, 393, 619, 638
National Security Agency (NSA), 116, 639
NC (network computers), 424–425, 453–454. See also Desktop computing; Local area networks
NCERC (National Computer Ethics and Responsibilities Campaign), 598–599
NCSA (National Computer Security Association), 191, 599
NCSC (National Computer Security Center), 22, 88, 393
Nebraska, computer legislation in, 545
Need-to-know access, 23, 84
NetSP, 369, 376
NetView Access Services, 376
NetWare, 156, 452
Network computers (NC), 424–425, 453–454. See also Desktop computing; Local area networks
Network File System (NFS), 209
Network Information Service (NIS), 209
Network operating systems (NOS), 454
Network routers, 156, 201, 211, 215
Network snooping, 208
Network topology, 108–109, 111–113, 153
Networks. See Internet; Local area networks; Wide area networks
New Alliance Partnership Model (NAPM), 491–501
NextStep, 108
NFS (Network File System), 209
NIS (Network Information Service), 209
NIST (National Institute of Standards and Technology), 66, 393, 619, 638
Noncompetition clauses, 696
Nonrepudiation services, 102
Norton Utilities, 578
NOS (network operating systems), 454
Novell NetWare, 156
Novell servers, 363
Npasswd, 126
NSA (National Security Agency), 116, 639
NSClean, 204

O

Object code viruses, 447
Object creation, 86
Object-oriented data base management system (OODBMS), 621–623, 625–629
Ohio, computer legislation in, 546
Omniguard Enterprise Security Manager, 376
On-line documents, 394–395, 397–398. See also Security policies
On-line storage, 431
One-time pad, 636–637
OODBMS (object-oriented data base management system), 621–623, 625–629
Open Software Foundation Distributed Computing Environment (OSF/DCE), 369, 375, 605–606, 614
Open System Foundation (OSF), 116
Open Systems Interconnection (OSI) model, 153–155
Operations security, 659–674
Oracle, 71–72, 78–79, 201
Orange Book, 22, 392–393
ORION authorization model, 625, 627
OSF (Open System Foundation), 116
OSF/DCE (Open Software Foundation Distributed Computing Environment), 369, 375, 605–606, 614
OSI (Open Systems Interconnection) model, 153–155
Outside/In, 579
Outsourcing, emergency, 279. See also External sources

P

PAC (Privilege Attribute Certificate), 608, 616
Packet filtering firewalls, 213–215, 219, 221
Packet sniffing, 127
Palm scans, 685–686
PANIX, 462
Parasitic viruses, 445–446
Passwd+, 126
Passwords. See also Access controls; Authentication of users
forensics and, 577–578
hackers and, 125–128, 406–408
in the Internet, 210
in networks, 164, 167–168, 458
on personal computers, 451
on portable computers, 705
types of, 10–11, 706
for Windows 95 screen-saver, 451
PC Anywhere, 152
PCMCIA cards, 452, 461, 580
PCs (personal computers), 162–164, 421–462. See also Desktop computing
PDR (prevention, detection, recovery) strategy, 499–502
People, threats from, 159–160. See also Hackers
People v. Sanchez, 581
Performance evaluations, 15–16
Personal computers (PCs), 162–164, 421–462. See also Desktop computing
Personal Identification Number (PIN), 36–37, 47–54, 376
Personal NetWare, 452
Personnel
in disaster planning, 279
hiring practices, 13, 166, 691–693
noncompetition clauses and, 279, 696
policy, 16, 380, 691–692, 697
for security, 7, 166, 376
termination of, 13–14, 695, 697
trade secrets and, 354, 693–696
PGP (Pretty Good Privacy), 707
Physical security, 6–9, 17, 428–430, 679–680
Piggybacking, 515–516
PIN (Personal Identification Number), 36–37, 47–54, 376
Ping packets, 209
Pipelines, assured, 139–140
PKCS (Public Key Cryptography Standards), 116
PKZIP 3.0, 441
Plaintext, 635. See also Encryption
Playback, fraud and, 514
Point of control, 370
Police departments, 568
Policy manuals, 393–394. See also Security policies
Polyinstantiation, 628
Polymorphic viruses, 447–448
Portable computers, 459–461, 701–710
Power failures, 8, 162, 171–172, 273, 275, 682
Predictor, 263
Pretty Good Privacy (PGP), 707
Prevention, detection, recovery (PDR) strategy, 499–502
Preventive controls, 5–7, 10–13, 16–17
Preventive maintenance, 170
Primary keys, 64–66
PRISM, 263
Privacy, 19, 58–60, 639
Privacy Act of 1974, 58
Privacy Enhanced Mail, 639
Privilege Attribute Certificate (PAC), 608, 616
Privilege Attribute Service, 606–607
Privileged-entity access controls, 665–670
Product line managers, 320–321
Productivity, security and, 5
Professional behavior policy, 380
Program development, access control during, 85
Program status word, 410
Project Athena, 99–100, 114, 117
Proxy servers, 215
Public Key Cryptography Standards (PKCS), 116
Public Key/Private Key architecture, 193

Q

Quality assurance (QA), 491–494
Query modification, 624
Questionnaires for security assessment, 174, 177, 287–291
QuikRisk, 263

R

RACF, 319
Radio frequency transmission, 151
Radius, 376
RAD (rapid application development), 497
RAID (redundant array of inexpensive disks), 431–432, 463
Rainbow Series, 393
Random access memory (RAM), 172, 411, 424
RANK-IT, 263
Rapid application development (RAD), 497
RAS, 376
RA/SYS, 263
RBAC (role-based access controls), 77–79, 605–619
RDBMS (relational data base management system), 622–625
Read-only memory (ROM), 411
Recovery controls, 5–6
Recovery planning, 260, 269–281. See also Business continuity; Business impact analysis
Recruitment procedures. See Personnel
Red Book, 22
Red Box, 573
Redundant array of inexpensive disks (RAID), 431–432, 463
Reference monitors, 94
REFERENCES statement, 70
Register storage, 410
Regulatory requirements
data classification and, 309
for data protection, 660
federal laws, 535–538, 542, 547
security policies and, 379, 381–383
state laws, 538–547
Relational data bases, 63–79, 622–625
Repairs of equipment, 163–164
Replicated data architecture, 77–78
Resource owners, 606–607
Resource protection, 659–665
RESOURCE statement, 71
Retina scans, 38, 42–43, 45, 50–51, 685
REVOKE statement, 71, 624, 626
Revolution in Military Affairs (RMA), 339. See also Information warfare
Rightsizing, information protection during, 343–345, 350
Rimage Corporation, 439
@RISK, 263
Risk analysis and assessment, 227–264
Risk management
acceptance criteria and, 235
accountability and, 482–489, 607–609, 660–661
assessment of risk, 234–235, 505
automated tools for, 263
business continuity and, 244–248, 269–270
department planning in, 271–274
in distributed systems, 481–489
for networks, 150, 158–159, 174, 178, 198–199
overview of, 227–232
performance monitoring of, 236–237
policy for, 232–235, 368
portable computers and, 703–704
probability and, 231
qualitative/quantitative, 230, 234, 239–247, 255–258
resistance to, 237–239, 245–248
risk mitigation, 235–236, 258–262, 270
tasks of, 232–237, 248–258
threat analysis, 249–250, 253–255, 309, 354–357
uncertainty and, 232, 504–505
RISKCALC, 263
RISKPAC, 263
RISKWATCH, 263
RMA (Revolution in Military Affairs), 339
Robustness of security systems, 44
Role-based access controls (RBAC), 77–79, 605–619
Roles
defining, 611–612
engineering, 613–617
examples of, 617–618
hierarchies of, 612–613
mapping, 614–616
overview of, 605–611
ROM (read-only memory), 411
Rosenberg v. Collins, 556
Rotation of duties, 16, 23
Routers, 156, 201, 211, 215
RSA system, 647–649, 651–652
RYO, 376

S

Sabotage of systems, 45
Safeguards
analysis and costing of, 258–262
business continuity planning and, 274
engineering of, 499
for networks, 166–173
overview of, 231–232
resource protection, 659–665
SafeNet, 438
Salami techniques, 524–525
SAM (Security Administration Manager), 376
SATAN, 130, 348
Scanning, 513
Scavenging, 518–520
Schwartau, Winn, 329–330
Scoped access control, 665. See also Access controls
Screened subnets, 212–213
Search warrants, 555, 566–567, 574
Secret-key systems, 637–645
Secure channels, 101
Secure European System for Applications in a Multivendor Environment (SESAME), 116, 369, 375, 605–606, 608, 614–615
Secure hash algorithm (SHA), 650, 652–653
Secure Hypertext Transfer Protocol (S-HTTP), 195–198, 200, 203
Secure Object-Oriented Data Base (SODA) model, 628
Secure Sockets Layer (SSL) trust model, 193–195
SecurID, 461, 683
Security architecture, 195–198, 363–364, 375
Security assessments, 83–84, 92, 173–174
Security associations, 181
Security awareness, 5, 13, 166, 427. See also Training
Security clearances, 73
Security domains, 409–410
Security levels, 175–176
Security personnel, 7, 166, 319, 376, 483–484
Security policies
for desktop computing, 425–427
examples of, 389–393, 426
implementation of, 174–177
integrity and, 485–489
procedures in, 14
publication of, 393–397
purposes of, 379–381, 398
types of, 381–384
writing techniques for, 387–389
Security systems. See Kerberos
SELECT statement, 67–68, 70–72
Self-hack audits (SHA), 123–130
Sendmail servers, 144–146, 209
Sensor signal parasites, 332
Sensors and alarms, 9
Separation of duties, 13, 23, 25, 28, 167, 607–609
Servers
Ace, 376
authentication and, 103–105, 194–196, 369, 372
logs of, 200
Novell, 363
overview of, 425
proxy, 215
security for, 192–195, 614–616
Sendmail, 144–146, 209
SESAME (Secure European System for Applications in a Multivendor Environment), 116, 369, 375, 605–606, 608, 614–615
Session hijacking, 208
Set user ID (SUID) files, 129
Seven-layer communications model, 153–155
SHA (secure hash algorithm), 650, 652–653
SHA (self-hack audits), 123–130
Shifting_Objectives, 447
Shoulder surfing, 512, 701
S-HTTP (Secure Hypertext Transfer Protocol), 195–198, 200, 203
Sidewinder, 141–147
Sign-ons, 124–125, 362–363, 376
Signature recognition, 38, 47
Single loss expectancy (SLE), 229, 232, 244
Site selection, security and, 8
SKIPJACK, 61, 640, 642–645, 654. See also Clipper chips
Skytale, 57
SLE (single loss expectancy), 229, 232, 244
Smart cards, 11, 106, 168, 684
Smoke detectors, 9
SNA, Kerberos and, 112
Snooping, 208
Social engineering, 209
SOCKS, 217
SODA (Secure Object-Oriented Data Base) model, 628
Software
access control, 10, 30, 376
antivirus, 10, 443–444
cleanroom for, 497
forensic, 585
life cycle of, 495–501
malicious. See Malicious software
piracy of, 529–531, 538, 592–593
theft of, 708–709
SORION, 627
South Dakota, computer legislation in, 541
Spoofing, 128, 208, 406
Sprinkler systems, 8, 276
Spying (eavesdropping), 101, 406, 511–513
SQL language, 63, 65–73, 619, 624
SSL (Secure Sockets Layer) trust model, 193–195
SSO DACS, 376
Star networks, 153
Star property, 73, 75, 88
State laws on computer crime, 538–547
State vectors, 410
States in computer systems, 409
Stealth viruses, 447–448
Steganography, 578, 581
Sting operations, 574
Stoned and Form, 445
Storage
of backup files, 436–438
of identification data, 42
objects, 414–415
protection for, 412
types of, 410–414, 431
Storm damage, 250
Stream ciphers (one-time pads), 636–637
Strokes, 45
SUID (set user ID) files, 129
Sun JAVA language, 198, 202–204
Superusers, 165
Supervision, 14
Superzapping, 517–519
Surge protection, 171–172, 682
Surveillance, 573–574
Suspend programs, 91
Sutherland integrity model, 25
Symmetric systems, 637–645
SYN packets, 209
System administrators, 351
System logs, 145, 169
Systems integrity engineering, 467–506. See also Integrity

T

TACACS, 376
Tailgating, 515–516
Take-Grant model, 89
Tax returns, 593
Tcpdump, 127
TCP/IP, 109–110, 112, 116, 193
TCSEC (Trusted Computer Security Evaluation Criteria), 390–392
Technical controls, 9–12, 17
Techno-terrorism, 329, 336–340
Telecommunications Act, 190
Telecommuting, 459–461
Telephone taps, 574
Telephones, encryption and, 61–62, 641, 644
Telnet, 138, 193, 216
Temporary staff, security and, 344
Ten Commandments of Computer Ethics, 595
Tequila, 446
Terminals (network computers), 424–425, 453–454. See also Desktop computing; Local area networks
Termination of personnel, 13–14, 695, 697
Texas, computer legislation in, 545
TFTP (Trivial File Transfer Protocol), 111
Threat Research Center, 247, 250
Ticket granting service (TGS), 103–107
Ticket granting ticket (TGT), 104–107, 111
Time stamps, 99, 110
Toffler, Alvin and Heidi, 327, 329
Token-Ring network, 153–154, 168
Tokens, 153–154, 168, 683–684
Tool list for audits, 576
Top Secret, 319
Tort law, 554–555
TouchSafe, 55
TP (transaction processing) systems, 605
Trade secret protection, 354, 693–696
Training programs
data classification and, 321
for desktop policies, 427
malicious software and, 443
need for, 13, 355–356
for networks, 166, 178
portable computers and, 709–710
for security awareness, 5, 13, 166, 427
Transaction processing (TP) systems, 605
Transborder data security, 390–393
Trapdoors, 525–527
Triples, 89–90
Trivial File Transfer Protocol (TFTP), 111
Trojan horses. See also Malicious software; Viruses
access control and, 72–73, 88
confidentiality and, 20
detection and prevention of, 520–522, 579
in networks, 161
overview of, 407, 439, 441, 519–520
passwords and, 126
salami techniques and, 524–525
systems availability and, 30
trapdoors and, 525
viruses in, 445
TrueFace, 55
Trust, 114–115, 504
Trusted Computer Security Evaluation Criteria (TCSEC), 390–392
Trusted Computer System Evaluation Criteria (Orange Book), 22, 392–393
Trusted computing, 392
Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria (Red Book), 22
Trustworthiness, 31, 501
Tuples of data bases, 63–68, 73–74
Type enforcement, 133, 136–143

U

UDP protocol, 214
UIDs (user identities), 614–617, 642–645
Unattended terminals, 90–92, 128–129
Unauthorized user activity, 20
Uninterruptible power supplies (UPS), 171–172, 273, 275, 682
Unions, identification procedures and, 41, 45
United States v. David, 567
United States v. Doe, 581
UNIX
on desktop machines, 424–425
hackers and, 125–127, 142, 165
Kerberos and, 106, 108, 111, 115
Sidewinder and, 141–144
structure of, 141
unenforced restrictions in, 405
UPDATE statement, 68, 70
UPS (uninterruptible power supplies), 171–172, 273, 275, 682
User identities (UIDs), 614–617, 642–645. See also Authentication of users
User managers, 318–320
User name, definition of, 375
User name service, 368
User registration, 15

V

Vacation requirements, 16
Variance detection, 172
Verification procedures, 25
Vermont, computer crime in, 553
Vietnam War, computer abuse during, 529
Views, 68–69, 94
Violation tracking and processing, 12, 661–663
Virginia, computer legislation in, 543
Virtual corporations, 348
Virtual Private Networks (VPNs), 218–219, 221
Virtual Protection Team (VPT), 351, 357–359
Virtual storage, 413
Viruses. See also Trojan horses
antivirus certification, 450
availability and, 30
boot sector, 444–445
control of, 6, 439–450
data classification and, 316
detection and prevention of, 522–524
ethics and, 592–593
legislation against, 544–546
macro, 448–450
in Microsoft Word, 448–450
in networks, 161, 173, 356
overview of, 407, 439–441, 521–522
personal computers and, 164
portable computers and, 702–703, 708
software against, 10, 443–444
types of, 444–450, 463
VMS, Kerberos and, 108
Voice pattern systems, 38, 49–50, 686
Von Neumann architecture, 414
VPN (Virtual Private Network), 218–219, 221
VPT (Virtual Protection Team), 351, 357–359
Vulnerability analysis, 230, 232, 246, 252–255, 354–357

W

WAIS (Wide Area Information System), 184
WANs. See Wide area networks
Water damage, 161–162, 250, 682
Web browsers, security for, 192–195
Web servers. See Servers
Well-formed transactions, 25
Whale virus, 448
Wide Area Information System (WAIS), 184
Wide area networks (WANs). See also Local area networks
confidentiality for, 158, 170
fire damage to, 161–162, 171, 275
overview of, 149–158
safeguards for, 166–173
security implementation for, 174–178
threats to, 158–162
values of, 159
vulnerabilities in, 162–165
Windows for Workgroups, 452
Windows NT, 200
Winword.Concept virus, 449
WinWord.Nuclear virus, 450
Wire-tapping (eavesdropping), 101, 406, 511–513, 538
Working Group on Computer Ethics, 596
World Wide Web (WWW)
audit trails and, 199–202
growth and applications of, 183–185
security for, 181–205
type enforcement and, 136–138
vulnerabilities in, 202–204
Worms. See also Malicious software
Morris, 339
in networks, 161
overview of, 407, 439, 442
Trojan horses and, 521–522
Write-once/read-many (WORM) storage, 411
WWW. See World Wide Web
Wyoming, computer legislation in, 546

X

XOR operation, 636, 641, 643–645
X-Windows, 214

The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.