The Security Organization p. 1 Anecdote p. 2. Introduction




Preface p. xxiii
Introduction p. xxv

The Security Organization p. 1
    Anecdote p. 2
    Introduction p. 2
    Where to Put the Security Team p. 2
    Where Should Security Sit? Below the IT Director Report p. 3
    Where Should Security Sit? Below the Head of Audit p. 5
    Where Should Security Sit? Below the CEO, CTO, or CFO p. 6
    Your Mission-If You Choose to Accept It p. 7
    Role of the Security Function: What's in a Job? p. 7
    Incident Management and Investigations p. 8
    Legal and Regulatory Considerations p. 9
    Policy, Standards, and Baselines Development p. 10
    Business Consultancy p. 10
    Architecture and Research p. 11
    Assessments and Audits p. 11
    Operational Security p. 12
    The Hybrid Security Team: Back to Organizational Studies p. 12
    Making Friends p. 14
    The Board p. 15
    Internal Audit p. 15
    Legal p. 15
    IT p. 15
    What Makes a Good CISO? p. 17
    Summary p. 18

The Information Security Policy p. 19
    Anecdote p. 20
    Introduction p. 20
    Policy, Strategy, and Standards: Business Theory p. 21
    Strategy p. 22
    Tactics and Policy p. 23
    Operations: Standards and Procedures p. 24
    Back to Security p. 25
    The Security Strategy and the Security Planning Process p. 25
    Security Tools p. 29
    Security Policy Revisited p. 30
    Policy Statements p. 32
    Security Standards Revisited p. 36
    Compliance and Enforcement p. 37
    Information Security Awareness: The Carrot p. 38
    Active Enforcement: The Stick p. 40
    Summary p. 42

Jargon, Principles, and Concepts p. 49
    Anecdote p. 50
    Introduction p. 50
    CIA: Confidentiality, Integrity, and Availability p. 51
    The Vulnerability Cycle p. 54
    Types of Controls p. 56
    Protective Control p. 57
    Detective Control p. 57
    Recovery Controls p. 58
    Administrative Control p. 58
    Risk Analysis p. 58
    Types of Risk Analysis p. 59
    Quantitative Analysis p. 59
    Qualitative Analysis p. 60
    How It Really Works: Strengths and Weaknesses p. 61
    So What Now? p. 62
    AAA p. 63
    Authentication p. 63
    Authorization p. 64
    Accounting p. 65
    AAA in Real Life p. 65
    Other Concepts You Need to Know p. 66
    Least Privilege p. 66
    Defense in Depth p. 66
    Failure Stance p. 67
    Security through Obscurity p. 67
    Generic Types of Attack p. 67
    Network Enumeration and Discovery p. 67
    Message Interception p. 68
    Message Injection/Address Spoofing p. 68
    Session Hijacking p. 68
    Denial of Service p. 68
    Message Replay p. 69
    Social Engineering p. 69
    Brute-Force Attacks on Authenticated Services p. 69
    Summary p. 70

Information Security Laws and Regulations p. 71
    Anecdote p. 72
    Introduction p. 73
    U.K. Legislation p. 73
    Computer Misuse Act 1990 p. 73
    The Data Protection Act 1998 p. 75
    Other U.K. Acts p. 77
    U.S. Legislation p. 82
    California SB 1386 p. 83
    Sarbanes-Oxley 2002 p. 83
    Gramm-Leach-Bliley Act (GLBA) p. 84
    Health Insurance Portability and Accountability Act (HIPAA) p. 85
    USA Patriot Act 2001 p. 85
    Summary p. 86

Information Security Standards and Audits p. 87
    Anecdote p. 88
    Introduction p. 89
    BS 7799 and ISO 17799 p. 89
    ISO/IEC 27001:2005: What Now for BS 7799? p. 98
    PAS 56 p. 99
    What Is PAS 56? p. 99
    The Stages of the BCM Life Cycle p. 100
    FIPS 140-2 p. 102
    Should I Bother with FIPS 140-2? p. 102
    What Are the Levels? p. 102
    Common Criteria Certification p. 103
    Other CC Jargon p. 103
    Types of Audit p. 104
    Computer Audit as Part of the Financial Audit p. 104
    Section 39 Banking Audit p. 105
    SAS 70 p. 106
    Other Types of Audits p. 107
    Tips for Managing Audits p. 108
    Summary p. 110

Interviews, Bosses, and Staff p. 111
    Anecdote p. 112
    Introduction p. 112
    Interviews as the Interviewee p. 112
    Preinterview Questionnaires p. 117
    Interviews as the Interviewer p. 119
    Bosses p. 120
    Runner-up for the Worst Boss in the World p. 120
    Worst Boss in the World p. 120
    Worst Employees p. 122
    Summary p. 122

Infrastructure Security p. 123
    Anecdote p. 124
    Introduction p. 124
    Network Perimeter Security p. 124
    The Corporate Firewall p. 126
    Remote Access DMZ p. 131
    E-commerce p. 133
    Just Checking p. 140
    Summary p. 140

Firewalls p. 143
    Anecdote p. 144
    Introduction p. 144
    What Is a Firewall, and What Does It Do? p. 144
    Why Do We Need Firewalls? p. 146
    Firewall Structure and Design p. 147
    Firewall Types p. 147
    So What Are the Features You Want from a Firewall? p. 151
    Other Types of Firewalls p. 157
    Stealth Firewalls p. 157
    Virtualized Firewalls p. 158
    Commercial Firewalls p. 158
    The Cisco PIX p. 158
    Check Point FireWall-1 p. 164
    Summary p. 174

Intrusion Detection Systems: Theory p. 175
    Anecdote p. 176
    Introduction p. 177
    Why Bother with an IDS? p. 178
    Problems with Host-Based IDSes p. 179
    NIDS in Your Hair p. 181
    Detection Flaws p. 182
    Poor Deployment p. 188
    Poor Configuration p. 193
    For the Technically Minded p. 199
    Snort p. 199
    RealSecure p. 201
    Summary p. 204

Intrusion Detection Systems: In Practice p. 205
    Anecdote p. 206
    Introduction: Tricks, Tips, and Techniques p. 206
    Deploying a NIDS: Stealth Mode p. 206
    Spanning Ports p. 207
    Tap Technology p. 209
    Asymmetric Routing p. 212
    IDS Deployment Methodology p. 213
    The Methodology p. 214
    Selection p. 215
    Deployment p. 216
    Planning Sensor Position and Assigning Positional Risk p. 217
    Establish Monitoring Policy and Attack Gravity p. 219
    Reaction p. 223
    Further Action: IPS p. 223
    Information Management p. 225
    Log Management p. 225
    Console Management p. 226
    Incident Response and Crisis Management p. 227
    Identification p. 229
    Documentation p. 229
    Notification p. 229
    Containment p. 229
    Assessment p. 229
    Recovery p. 230
    Eradication p. 230
    Other Valuable Tips p. 230
    Test and Tune p. 231
    Tune p. 231
    Test p. 232
    Summary p. 234

Intrusion Prevention and Protection p. 235
    Anecdote p. 236
    Introduction p. 237
    What Is an IPS? p. 237
    Active Response: What Can an IPS Do? p. 238
    A Quick Tour of IPS Implementations p. 239
    Traditional IDSes with Active Response p. 240
    In-Line Protection p. 241
    Deception Technology p. 245
    Extended Host OS Protection p. 246
    Example Deployments p. 247
    Dealing with DDoS Attacks p. 247
    An Open Source In-Line IDS/IPS: Hogwash p. 250
    Summary p. 254

Network Penetration Testing p. 255
    Anecdote p. 256
    Introduction p. 257
    Types of Penetration Testing p. 258
    Network Penetration Test p. 258
    Application Penetration Test p. 258
    Periodic Network Vulnerability Assessment p. 258
    Physical Security p. 259
    Network Penetration Testing p. 259
    An Internet Testing Process p. 259
    Test Phases p. 259
    Internal Penetration Testing p. 270
    Application Penetration Testing p. 270
    Controls and the Paperwork You Need p. 274
    Indemnity and Legal Protection p. 274
    Scope and Planning p. 275
    What's the Difference between a Pen Test and Hacking? p. 276
    Who Is the Hacker? p. 276
    Summary p. 280

Application Security Flaws and Application Testing p. 281
    Anecdote p. 282
    Introduction p. 282
    The Vulnerabilities p. 283
    Configuration Management p. 284
    Unvalidated Input p. 285
    Buffer Overflows p. 286
    Cross-Site Scripting p. 288
    SQL Injection p. 291
    Command Injection p. 294
    Bad Identity Control p. 295
    Forceful Browsing p. 296
    URL Parameter Tampering p. 297
    Insecure Storage p. 297
    Fixing Things p. 298
    Qwik Fix p. 299
    For the More Technically Minded p. 299
    Does It Work? p. 301
    Summary p. 302

Index p. 303

Table of Contents provided by Blackwell's Book Services and R.R. Bowker. Used with permission.