The Security Organization p. 1 Anecdote p. 2. Introduction

Size: px

Start display at page:

Download "The Security Organization p. 1 Anecdote p. 2. Introduction"

Jodie Barrett
8 years ago
Views:

1 Preface p. xxiii Introduction p. xxv The Security Organization p. 1 Anecdote p. 2 Introduction p. 2 Where to Put the Security Team p. 2 Where Should Security Sit? Below the IT Director Report p. 3 Where Should Security Sit? Below the Head of Audit p. 5 Where Should Security Sit? Below the CEO, CTO, or CFO p. 6 Your Mission-If You Choose to Accept It p. 7 Role of the Security Function: What's in a Job? p. 7 Incident Management and Investigations p. 8 Legal and Regulatory Considerations p. 9 Policy, Standards, and Baselines Development p. 10 Business Consultancy p. 10 Architecture and Research p. 11 Assessments and Audits p. 11 Operational Security p. 12 The Hybrid Security Team: Back to Organizational Studies p. 12 Making Friends p. 14 The Board p. 15 Internal Audit p. 15 Legal p. 15 IT p. 15 What Makes a Good CISO? p. 17 Summary p. 18 The Information Security Policy p. 19 Anecdote p. 20 Introduction p. 20 Policy, Strategy, and Standards: Business Theory p. 21 Strategy p. 22 Tactics and Policy p. 23 Operations: Standards and Procedures p. 24 Back to Security p. 25 The Security Strategy and the Security Planning Process p. 25 Security Tools p. 29 Security Policy Revisited p. 30 Policy Statements p. 32 Security Standards Revisited p. 36 Compliance and Enforcement p. 37 Information Security Awareness: The Carrot p. 38

7 Role of the Security Function: What's in a Job? p. 7 Incident Management and Investigations p. 8 Legal and Regulatory Considerations p. 9 Policy, Standards, and Baselines Development p.

2 Active Enforcement: The Stick p. 40 Summary p. 42 Jargon, Principles, and Concepts p. 49 Anecdote p. 50 Introduction p. 50 CIA: Confidentiality, Integrity, and Availability p. 51 The Vulnerability Cycle p. 54 Types of Controls p. 56 Protective Control p. 57 Detective Control p. 57 Recovery Controls p. 58 Administrative Control p. 58 Risk Analysis p. 58 Types of Risk Analysis p. 59 Quantitative Analysis p. 59 Qualitative Analysis p. 60 How It Really Works: Strengths and Weaknesses p. 61 So What Now? p. 62 AAA p. 63 Authentication p. 63 Authorization p. 64 Accounting p. 65 AAA in Real Life p. 65 Other Concepts You Need to Know p. 66 Least Privilege p. 66 Defense in Depth p. 66 Failure Stance p. 67 Security through Obscurity p. 67 Generic Types of Attack p. 67 Network Enumeration and Discovery p. 67 Message Interception p. 68 Message Injection/Address Spoofing p. 68 Session Hijacking p. 68 Denial of Service p. 68 Message Replay p. 69 Social Engineering p. 69 Brute-Force Attacks on Authenticated Services p. 69 Summary p. 70 Information Security Laws and Regulations p. 71 Anecdote p. 72 Introduction p. 73

58 Types of Risk Analysis p. 59 Quantitative Analysis p. 59 Qualitative Analysis p. 60 How It Really Works: Strengths and Weaknesses p. 61 So What Now? p. 62 AAA p. 63 Authentication p.

3 U.K. Legislation p. 73 Computer Misuse Act 1990 p. 73 The Data Protection Act 1998 p. 75 Other U.K. Acts p. 77 U.S. Legislation p. 82 California SB 1386 p. 83 Sarbanes-Oxley 2002 p. 83 Gramm-Leach-Bliley Act (GLBA) p. 84 Health Insurance Portability and Accountability Act (HIPAA) p. 85 USA Patriot Act 2001 p. 85 Summary p. 86 Information Security Standards and Audits p. 87 Anecdote p. 88 Introduction p. 89 BS 7799 and ISO p. 89 ISO/IEC 27001:2005: What Now for BS 7799? p. 98 PAS 56 p. 99 What Is PAS 56? p. 99 The Stages of the BCM Life Cycle p. 100 FIPS p. 102 Should I Bother with FIPS 140-2? p. 102 What Are the Levels? p. 102 Common Criteria Certification p. 103 Other CC Jargon p. 103 Types of Audit p. 104 Computer Audit as Part of the Financial Audit p. 104 Section 39 Banking Audit p. 105 SAS 70 p. 106 Other Types of Audits p. 107 Tips for Managing Audits p. 108 Summary p. 110 Interviews, Bosses, and Staff p. 111 Anecdote p. 112 Introduction p. 112 Interviews as the Interviewee p. 112 Preinterview Questionnaires p. 117 Interviews as the Interviewer p. 119 Bosses p. 120 Runner-up for the Worst Boss in the World p. 120 Worst Boss in the World p. 120 Worst Employees p. 122

87 Anecdote p. 88 Introduction p. 89 BS 7799 and ISO 17799 p. 89 ISO/IEC 27001:2005: What Now for BS 7799? p. 98 PAS 56 p. 99 What Is PAS 56? p. 99 The Stages of the BCM Life Cycle p.

4 Summary p. 122 Infrastructure Security p. 123 Anecdote p. 124 Introduction p. 124 Network Perimeter Security p. 124 The Corporate Firewall p. 126 Remote Access DMZ p. 131 E-commerce p. 133 Just Checking p. 140 Summary p. 140 Firewalls p. 143 Anecdote p. 144 Introduction p. 144 What Is a Firewall, and What Does It Do? p. 144 Why Do We Need Firewalls? p. 146 Firewall Structure and Design p. 147 Firewall Types p. 147 So What Are the Features You Want from a Firewall? p. 151 Other Types of Firewalls p. 157 Stealth Firewalls p. 157 Virtualized Firewalls p. 158 Commercial Firewalls p. 158 The Cisco PIX p. 158 Check Point Fire Wall-1 p. 164 Summary p. 174 Intrusion Detection Systems: Theory p. 175 Anecdote p. 176 Introduction p. 177 Why Bother with an IDS? p. 178 Problems with Host-Based IDSes p. 179 NIDS in Your Hair p. 181 Detection Flaws p. 182 Poor Deployment p. 188 Poor Configuration p. 193 For the Technically Minded p. 199 Snort p. 199 RealSecure p. 201 Summary p. 204 Intrusion Detection Systems: In Practice p. 205 Anecdote p. 206 Introduction: Tricks, Tips, and Techniques p. 206

147 Firewall Types p. 147 So What Are the Features You Want from a Firewall? p. 151 Other Types of Firewalls p. 157 Stealth Firewalls p. 157 Virtualized Firewalls p. 158 Commercial Firewalls p.

5 Deploying a NIDS: Stealth Mode p. 206 Spanning Ports p. 207 Tap Technology p. 209 Asymmetric Routing p. 212 IDS Deployment Methodology p. 213 The Methodology p. 214 Selection p. 215 Deployment p. 216 Planning Sensor Position and Assigning Positional Risk p. 217 Establish Monitoring Policy and Attack Gravity p. 219 Reaction p. 223 Further Action: IPS p. 223 Information Management p. 225 Log Management p. 225 Console Management p. 226 Incident Response and Crisis Management p. 227 Identification p. 229 Documentation p. 229 Notification p. 229 Containment p. 229 Assessment p. 229 Recovery p. 230 Eradication p. 230 Other Valuable Tips p. 230 Test and Tune p. 231 Tune p. 231 Test p. 232 Summary p. 234 Intrusion Prevention and Protection p. 235 Anecdote p. 236 Introduction p. 237 What Is an IPS? p. 237 Active Response: What Can an IPS Do? p. 238 A Quick Tour of IPS Implementations p. 239 Traditional IDSes with Active Response p. 240 In-Line Protection p. 241 Deception Technology p. 245 Extended Host OS Protection p. 246 Example Deployments p. 247 Dealing with DDoS Attacks p. 247 An Open Source In-Line IDS/IPS: Hogwash p. 250

225 Log Management p. 225 Console Management p. 226 Incident Response and Crisis Management p. 227 Identification p. 229 Documentation p. 229 Notification p. 229 Containment p. 229 Assessment p.

6 Summary p. 254 Network Penetration Testing p. 255 Anecdote p. 256 Introduction p. 257 Types of Penetration Testing p. 258 Network Penetration Test p. 258 Application Penetration Test p. 258 Periodic Network Vulnerability Assessment p. 258 Physical Security p. 259 Network Penetration Testing p. 259 An Internet Testing Process p. 259 Test Phases p. 259 Internal Penetration Testing p. 270 Application Penetration Testing p. 270 Controls and the Paperwork You Need p. 274 Indemnity and Legal Protection p. 274 Scope and Planning p. 275 What's the Difference between a Pen Test and Hacking? p. 276 Who Is the Hacker? p. 276 Summary p. 280 Application Security Flaws and Application Testing p. 281 Anecdote p. 282 Introduction p. 282 The Vulnerabilities p. 283 Configuration Management p. 284 Unvalidated Input p. 285 Buffer Overflows p. 286 Cross-Site Scripting p. 288 SQL Injection p. 291 Command Injection p. 294 Bad Identity Control p. 295 Forceful Browsing p. 296 URL Parameter Tampering p. 297 Insecure Storage p. 297 Fixing Things p. 298 Qwik Fix p. 299 For the More Technically Minded p. 299 Does It Work? p. 301 Summary p. 302 Index p. 303 Table of Contents provided by Blackwell's Book Services and R.R. Bowker. Used with permission.

270 Application Penetration Testing p. 270 Controls and the Paperwork You Need p. 274 Indemnity and Legal Protection p. 274 Scope and Planning p.

The monsters under the bed are real... 2004 World Tour

Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures