Information Security Management Handbook, Fifth Edition
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
Asset Protection and Security Management Handbook, by POA Publishing. ISBN: 0-8493-1603-0
Information Technology Control and Audit, by Fredrick Gallegos, Daniel Manson, and Sandra Allen-Senft. ISBN: 0-8493-9994-7
Building a Global Information Assurance Program, by Raymond J. Curts and Douglas E. Campbell. ISBN: 0-8493-1368-6
Investigator's Guide to Steganography, by Gregory Kipper. ISBN: 0-8493-2433-5
Building an Information Security Awareness Program, by Mark B. Desman. ISBN: 0-8493-0116-5
Critical Incident Management, by Alan B. Sterneckert. ISBN: 0-8493-0010-X
Cyber Crime Investigator's Field Guide, by Bruce Middleton. ISBN: 0-8493-1192-6
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, by Albert J. Marcella, Jr. and Robert S. Greenfield. ISBN: 0-8493-0955-7
The Ethical Hack: A Framework for Business Value Penetration Testing, by James S. Tiller. ISBN: 0-8493-1609-X
The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks, by Susan Young and Dave Aitel. ISBN: 0-8493-0888-7
Information Security Architecture: An Integrated Approach to Security in the Organization, by Jan Killmeyer Tudor. ISBN: 0-8493-9988-2
Information Security Fundamentals, by Thomas R. Peltier. ISBN: 0-8493-1957-9
Information Security Management Handbook, 5th Edition, by Harold F. Tipton and Micki Krause. ISBN: 0-8493-1997-8
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management, by Thomas R. Peltier. ISBN: 0-8493-1137-3
Managing a Network Vulnerability Assessment, by Thomas Peltier, Justin Peltier, and John A. Blackley. ISBN: 0-8493-1270-1
Network Perimeter Security: Building Defense In-Depth, by Cliff Riggs. ISBN: 0-8493-1628-6
The Practical Guide to HIPAA Privacy and Security Compliance, by Kevin Beaver and Rebecca Herold. ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance, by Debra S. Herrmann. ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions, by Rebecca Herold. ISBN: 0-8493-1248-5
Public Key Infrastructure: Building Trusted Applications and Web Services, by John R. Vacca. ISBN: 0-8493-0822-4
Securing and Controlling Cisco Routers, by Peter T. Davis. ISBN: 0-8493-1290-6
Strategic Information Security, by John Wylder. ISBN: 0-8493-2041-0
Surviving Security: How to Integrate People, Process, and Technology, Second Edition, by Amanda Andress. ISBN: 0-8493-2042-9
A Technical Guide to IPSec Virtual Private Networks, by James S. Tiller. ISBN: 0-8493-0876-3
Using the Common Criteria for IT Security Evaluation, by Debra S. Herrmann. ISBN: 0-8493-1404-6
Information Security Risk Analysis, by Thomas R. Peltier. ISBN: 0-8493-0880-1
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: orders@crcpress.com
Information Security Management Handbook, Fifth Edition
Edited by Harold F. Tipton, CISSP, and Micki Krause, CISSP
AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.
This edition published in the Taylor & Francis e-Library, 2005.
“To purchase your own copy of this or any of Taylor & Francis or Routledge’s collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk.”
Library of Congress Cataloging-in-Publication Data
Information security management handbook / Harold F. Tipton, Micki Krause, editors.—5th ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-1997-8 (alk. paper)
1. Computer security—Management—Handbooks, manuals, etc. 2. Data
protection—Handbooks, manuals, etc. I. Tipton, Harold F. II. Krause, Micki.
QA76.9.A25I54165 2003
658′.0558—dc22
2003061151
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with
permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish
reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials
or for the consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior
permission in writing from the publisher.
All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific
clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright clearance
Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is
ISBN 0-8493-1997-8 /03/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been
granted a photocopy license by the CCC, a separate system of payment has been arranged.
The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works,
or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.
Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation, without intent to infringe.
Visit the CRC Press Web site at www.crcpress.com
© 2004 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-1997-8
Library of Congress Card Number 2003061151
ISBN 0-203-32543-5 Master e-book ISBN
Chapter 1, “Enhancing Security through Biometric Technology,” by Stephen D. Fried, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 18, “Packet Sniffers and Network Monitors,” by James S. Tiller, CISA, CISSP, and Bryan D. Fish, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 30, “ISO/OSI Layers and Characteristics,” by George G. McBride, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 32, “IPSec Virtual Private Networks,” by James S. Tiller, CISA, CISSP, ©INS. All rights reserved.
Chapter 58, “Security Patch Management,” by Jeffrey Davis, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 62, “Trust Governance in a Web Services World,” by Daniel D. Houser, CISSP, MBA, e-Biz+, ©Nationwide Mutual Insurance Company. All rights reserved.
Chapter 68, “Security Assessment,” by Sudhanshu Kairab, ©Copyright 2003 INTEGRITY. All rights reserved.
Chapter 70, “A Progress Report on the CVE Initiative,” by Robert Martin, Steven Christey, and David Baker, ©Copyright 2003 MITRE Corp. All rights reserved.
Chapter 87, “How to Work with a Managed Security Service Provider,” by Laurie Hill McQuillan, ©2003 Laurie Hill McQuillan. All rights reserved.
Chapter 99, “Digital Signatures in Relational Database Applications,” by Mike R. Prevost, ©2002 Mike R. Prevost and Gradkell Systems, Inc. Used with permission.
Chapter 108, “Three New Models for the Application of Cryptography,” by Jay Heiser, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 110, “Message Authentication,” by James S. Tiller, CISA, CISSP, ©INS. All rights reserved.
Chapter 128, “Why Today’s Security Technologies Are So Inadequate: History, Implications, and New Approaches,” by Steven Hofmeyr, Ph.D., ©2003 Sana Security. All rights reserved.
Chapter 131, “Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection,” by Chris Hare, CISSP, CISA, ©International Network Services. All rights reserved.
Chapter 142, “Liability for Lax Computer Security in DDOS Attacks,” by Dorsey Morrow, JD, CISSP, ©2003 Dorsey Morrow. All rights reserved.
Chapter 152, “CIRT: Responding to Attack,” by Chris Hare, CISSP, CISA, ©International Network Services. All rights reserved.
Chapter 156, “Software Forensics,” by Robert M. Slade, ©Robert M. Slade. All rights reserved.
Table of Contents
Contributors .......................................................................................................... xxiii
Introduction
........................................................................................................... xli
1 ACCESS CONTROL SYSTEMS AND METHODOLOGY
......... 1
Section 1.1 Access Control Techniques
1 Enhancing Security through Biometric Technology........................................ 5
Stephen D. Fried, CISSP
2 Biometrics: What’s New?................................................................................. 21
Judith M. Myerson
3 Controlling FTP: Providing Secured Data Transfers ..................................... 27
Chris Hare, CISSP, CISA
Section 1.2 Access Control Administration
4 Privacy in the Healthcare Industry................................................................. 45
Kate Borten, CISSP
5 The Case for Privacy........................................................................................ 55
Michael J. Corby, CISSP
Section 1.3 Identification and Authentication Techniques
6 Biometric Identification................................................................................... 61
Donald R. Richards, CPP
7 Single Sign-On for the Enterprise ................................................................... 77
Ross A. Leo, CISSP
Section 1.4 Access Control Methodologies and Implementation
8 Centralized Authentication Services (RADIUS, TACACS, DIAMETER) .............. 97
William Stackpole, CISSP
vii
9 An Introduction to Secure Remote Access .................................................. 109
Christina M. Bird, Ph.D., CISSP
Section 1.5 Methods of Attack
10 Hacker Tools and Techniques ..................................................................... 121
Ed Skoudis, CISSP
11 A New Breed of Hacker Tools and Defenses ............................................. 135
Ed Skoudis, CISSP
12 Social Engineering: The Forgotten Risk ..................................................... 147
John Berti, CISSP and Marcus Rogers, Ph.D., CISSP
13 Breaking News: The Latest Hacker Attacks and Defenses ...................... 155
Ed Skoudis, CISSP
14 Counter-Economic Espionage...................................................................... 165
Craig A. Schiller, CISSP
Section 1.6 Monitoring and Penetration Testing
15 Penetration Testing ...................................................................................... 179
Stephen D. Fried, CISSP
16 Penetration Testing ...................................................................................... 191
Chuck Bianco, FTTR, CISA, CISSP
2 TELECOMMUNICATIONS, NETWORK, AND
INTERNET SECURITY ................................................................................. 197
Section 2.1 Communications and Network Security
17 Understanding SSL ....................................................................................... 203
Chris Hare, CISSP, CISA
18 Packet Sniffers and Network Monitors...................................................... 217
James S. Tiller, CISA, CISSP and Bryan D. Fish, CISSP
19 Secured Connections to External Networks.............................................. 235
Steven F. Blanding
20 Security and Network Technologies........................................................... 249
Chris Hare, CISSP, CISA
21 Wired and Wireless Physical Layer Security Issues .................................. 269
James Trulove
viii
22 Network Router Security ............................................................................ 277
Steven F. Blanding
23 What’s Not So Simple about SNMP? ......................................................... 287
Chris Hare, CISSP, CISA
24 Network and Telecommunications Media: Security from the
Ground Up.................................................................................................... 297
Samuel Chun, CISSP
25 Security and the Physical Network Layer ................................................. 311
Matthew J. Decker, CISSP, CISA, CBCP
26 Security of Wireless Local Area Networks ................................................ 319
Franjo Majstor, CISSP
27 Securing Wireless Networks ....................................................................... 329
Sandeep Dhameja, CISSP
28 Wireless Security Mayhem: Restraining the Insanity
of Convenience............................................................................................. 339
Mark T. Chapman, MSCS, CISSP, IAM
29 Wireless LAN Security Challenge .............................................................. 349
Frandinata Halim, CISSP, CCSP, CCDA, CCNA, MSCE and Gildas Deograt, CISSP
30 ISO/OSI Layers and Characteristics ........................................................... 363
George G. McBride, CISSP
Section 2.2 Internet/Intranet/Extranet
31 Enclaves: The Enterprise as an Extranet .................................................... 373
Bryan T. Koch, CISSP
32 IPSec Virtual Private Networks .................................................................. 383
James S. Tiller, CISA, CISSP
33 Firewalls: An Effective Solution for Internet Security.............................. 407
E. Eugene Schultz, Ph.D., CISSP
34 Internet Security: Securing the Perimeter.................................................. 413
Douglas G. Conorich
35 Extranet Access Control Issues................................................................... 423
Christopher King, CISSP
36 Application-Layer Security Protocols for Networks ................................. 435
William Stackpole, CISSP
ix
37 Application Layer: Next Level of Security................................................. 447
Keith Pasley, CISSP
38 Security of Communication Protocols and Services ................................. 457
William Hugh Murray, CISSP
39 An Introduction to IPSec ............................................................................. 467
William Stackpole, CISSP
40 VPN Deployment and Evaluation Strategy................................................ 475
Keith Pasley, CISSP
41 How to Perform a Security Review of a Checkpoint Firewall................. 493
Ben Rothke, CISSP
42 Comparing Firewall Technologies .............................................................. 513
Per Thorsheim
43 The (In) Security of Virtual Private Networks .......................................... 523
James S. Tiller, CISA, CISSP
44 Cookies and Web Bugs................................................................................. 539
William T. Harding, Ph.D., Anita J. Reed, CPA, and Robert L. Gray, Ph.D.
45 Leveraging Virtual Private Networks ......................................................... 549
James S. Tiller, CISA, CISSP
46 Wireless LAN Security ................................................................................ 561
Mandy Andress, CISSP, SSCP, CPA, CISA
47 Security for Broadband Internet Access Users........................................... 567
James Trulove
48 New Perspectives on VPNs ......................................................................... 575
Keith Pasley, CISSP
49 An Examination of Firewall Architectures ................................................ 581
Paul A. Henry, CISSP, CNE
Section 2.3 E-mail Security
50 Instant Messaging Security Issues .............................................................. 601
William Hugh Murray, CISSP
Section 2.4 Secure Voice Communications
51 Voice Security............................................................................................... 617
Chris Hare, CISSP, CISA
x
52 Secure Voice Communications (VoI) .......................................................... 627
Valene Skerpac, CISSP
Section 2.5 Network Attacks and Countermeasures
53 Packet Sniffers: Use and Misuse................................................................. 639
Steve A. Rodgers, CISSP
54 ISPs and Denial-of-Service Attacks ............................................................ 649
K. Narayanaswamy, Ph.D.
3 INFORMATION SECURITY MANAGEMENT ............................ 667
Section 3.1 Security Management Concepts and Principles
55 The Human Side of Information Security.................................................. 663
Kevin Henry, CISA, CISSP
56 Security Management .................................................................................. 677
Ken Buszta, CISSP
57 Measuring ROI on Security ......................................................................... 685
Carl F. Endorf, CISSP, SSCP, GSEC
58 Security Patch Management........................................................................ 689
Jeffrey Davis, CISSP
Section 3.2 Change Control Management
59 Configuration Management: Charting the Course for the
Organization ................................................................................................. 697
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
Section 3.3 Data Classification
60 Information Classification: A Corporate Implementation
Guide............................................................................................................. 715
Jim Appleyard
Section 3.4 Risk Management
61 A Matter of Trust......................................................................................... 727
Ray Kaplan, CISSP, CISA, CISM
xi
62 Trust Governance in a Web Services World .............................................. 741
Daniel D. Houser, CISSP, MBA, e-Biz+
63 Risk Management and Analysis ................................................................. 751
Kevin Henry, CISA, CISSP
64 New Trends in Information Risk Management......................................... 759
Brett Regan Young, CISSP, CBCP
65 Information Security in the Enterprise ...................................................... 767
Duane E. Sharp
66 Managing Enterprise Security Information ................................................ 779
Matunda Nyanchama, Ph.D., CISSP and Anna Wilson, CISSP, CISA
67 Risk Analysis and Assessment ................................................................... 795
Will Ozier
68 Security Assessment .................................................................................... 821
Sudhanshu Kairab, CISSP, CISA
69 Cyber-Risk Management: Technical and Insurance Controls
for Enterprise-Level Security....................................................................... 829
Carol A. Siegel, Ty R. Sagalow, and Paul Serritella
Section 3.5 Employment Policies and Practices
70 A Progress Report on the CVE Initiative ................................................... 845
Robert Martin, Steven Christey, and David Baker
71 Roles and Responsibilities of the Information Systems
Security Officer ............................................................................................ 865
Carl Burney, CISSP
72 Information Protection: Organization, Roles, and Separation
of Duties ...................................................................................................... 871
Rebecca Herold, CISSP, CISA, FLMI
73 Organizing for Success: Some Human Resources Issues
in Information Security ............................................................................... 887
Jeffrey H. Fenton, CBCP, CISSP and James M. Wolfe, MSM
74 Ownership and Custody of Data ................................................................ 899
William Hugh Murray, CISSP
75 Hiring Ex-Criminal Hackers........................................................................ 907
Ed Skoudis, CISSP
xii
Section 3.6 Risk Management
76 Information Security Policies from the Ground Up ................................. 917
Brian Shorten, CISSP, CISA
77 Policy Development..................................................................................... 925
Chris Hare, CISSP, CISA
78 Toward Enforcing Security Policy: Encouraging Personal
Accountability for Corporate Information Security Policy ...................... 945
John O. Wylder, CISSP
79 The Common Criteria for IT Security Evaluation .................................... 953
Debra S. Herrmann
80 A Look at the Common Criteria ................................................................ 969
Ben Rothke, CISSP
81 The Security Policy Life Cycle: Functions
and Responsibilities ..................................................................................... 979
Patrick D. Howard, CISSP
Section 3.7 Security Awareness Training
82 Maintaining Management’s Commitment................................................. 989
William Tompkins, CISSP, CBCP
83 Making Security Awareness Happen .......................................................... 999
Susan D. Hansche, CISSP
84 Making Security Awareness Happen: Appendices................................... 1011
Susan D. Hansche, CISSP
Section 3.8 Security Management Planning
85 Maintaining Information Security during Downsizing........................... 1023
Thomas J. Bray, CISSP
86 The Business Case for Information Security: Selling
Management on the Protection of Vital Secrets
and Products ............................................................................................... 1029
Sanford Sherizen, Ph.D., CISSP
87 How to Work with a Managed Security Service Provider ...................... 1035
Laurie Hill McQuillan, CISSP
xiii
88 Considerations for Outsourcing Security ................................................. 1047
Michael J. Corby, CISSP
89 Outsourcing Security ................................................................................. 1061
James S. Tiller, CISA, CISSP
4 APPLICATION PROGRAM SECURITY ........................................ 1073
Section 4.1 APPLICATION ISSUES
90 Security Models for Object-Oriented Databases...................................... 1077
James Cannady
91 Web Application Security.......................................................................... 1083
Mandy Andress, CISSP, SSCP, CPA, CISA
92 Security for XML and Other Metadata Languages .................................. 1093
William Hugh Murray, CISSP
93 XML and Information Security ................................................................. 1101
Samuel C. McClintock
94 Application Security .................................................................................. 1109
Walter S. Kobus, Jr., CISSP
95 Covert Channels......................................................................................... 1115
Anton Chuvakin, Ph.D., GCIA, GCIH
96 Security as a Value Enhancer in Application Systems
Development .............................................................................................. 1123
Lowell Bruce McCulley, CISSP
97 Open Source versus Closed Source........................................................... 1139
Ed Skoudis, CISSP
Section 4.2 Databases and Data Warehousing
98 Reflections on Database Integrity............................................................. 1157
William Hugh Murray, CISSP
99 Digital Signatures in Relational Database Applications......................... 1165
Mike R. Prevost
100 Security and Privacy for Data Warehouses:
Opportunity or Threat? ............................................................................. 1175
David Bonewell, CISSP, CISA, Karen Gibbs, and Adriaan Veldhuisen
xiv
Section 4.3 Systems Development Controls
101 Enterprise Security Architecture............................................................. 1193
William Hugh Murray, CISSP
102 Certification and Accreditation Methodology ....................................... 1205
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
103 System Development Security Methodology......................................... 1221
Ian Lim, CISSP and Ioana V. Carastan, CISSP
104 A Security-Oriented Extension of the Object Model for the
Development of an Information System................................................ 1235
Sureerut Inmor, Vatcharaporn Esichaikul, and Dencho N. Batanov
Section 4.4 Malicious Code
105 A Look at Java Security ........................................................................... 1251
Ben Rothke, CISSP
106 Malware and Computer Viruses ............................................................. 1257
Robert M. Slade, CISSP
Section 4.5 Methods of Attack
107 Methods of Auditing Applications ......................................................... 1287
David C. Rice, CISSP and Graham Bucholz
5 CRYPTOGRAPHY ......................................................................................... 295
Section 5.1 Use of Cryptography
108 Three New Models for the Application of Cryptography..................... 1299
Jay Heiser, CISSP
109 Auditing Cryptography: Assessing System Security ............................. 1309
Steve Stanek
Section 5.2
Cryptographic Concepts, Methodologies, and Practices
110 Message Authentication .......................................................................... 1313
James S. Tiller, CISA, CISSP
111 Steganography: The Art of Hiding Messages ......................................... 1327
Mark Edmead, CISSP, SSCP, TICSA
xv
112 An Introduction to Cryptography ........................................................... 1333
Javek Ikbel, CISSP
113 Hash Algorithms: From Message Digests to Signatures ....................... 1349
Keith Pasley, CISSP
114 A Look at the Advanced Encryption Standard (AES) ............................ 1357
Ben Rothke, CISSP
Section 5.3 Private Key Algorithms
115 Principles and Applications of Cryptographic Key
Management ............................................................................................. 1365
William Hugh Murray, CISSP
Section 5.4 Public Key Infrastructure (PKI)
116 Preserving Public Key Hierarchy ............................................................ 1379
Geoffrey C. Grabow, CISSP
117 PKI Registration ....................................................................................... 1385
Alex Golod, CISSP
Section 5.5 System Architecture for Implementing Cryptographic
Functions
118 Implementing Kerberos in Distributed Systems ................................... 1397
Joe Kovara, CTP and Ray Kaplan, CISSP, CISA, CISM
Section 5.6 Methods of Attack
119 Methods of Attacking and Defending Cryptosystems ......................... 1447
Joost Houwen, CISSP
6 ENTERPRISE SECURITY ARCHITECTURE ................................. 146
Section 6.1 Principles of Computer and Network Organizations,
Architectures, and Designs
120 Security Infrastructure: Basics of Intrusion Detection Systems .......... 1465
Ken M. Shaurette, CISSP, CISA, NSA, IAM
xvi
121 Firewalls, 10 Percent of the Solution: A Security
Architecture Primer ................................................................................. 1475
Chris Hare, CISSP, CISA
122 The Reality of Virtual Computing.......................................................... 1489
Chris Hare, CISSP, CISA
123 Overcoming Wireless LAN Security Vulnerabilities............................. 1507
Gilbert Held
Section 6.2 Principles of Security Models, Architectures and
Evaluation Criteria
124 Formulating an Enterprise Information Security Architecture ............ 1513
Mollie Krehnke, CISSP, IAM and David Krehnke,CISSP, CISM, IAM
125 Security Architecture and Models .......................................................... 1531
Foster J. Henderson, CISSP, MCSE and Kellina M. Craig-Henderson, Ph.D.
Section 6.3 Common Flaws and Security Issues — System
Architecture and Design
126 Common System Design Flaws and Security Issues............................. 1547
William Hugh Murray, CISSP
7 OPERATIONS SECURITY ...................................................................... 1555
Section 7.1 Concepts
127 Operations: The Center of Support and Control ................................... 1559
Kevin Henry, CISA, CISSP
128 Why Today’s Security Technologies Are So Inadequate: History,
Implications, and New Approaches....................................................... 1565
Steven Hofmeyr, Ph.D.
Section 7.2 Resource Protection Requirements
129 Physical Access Control .......................................................................... 1569
Dan M. Bowers, CISSP
xvii
Section 7.3 Auditing
130 Auditing the Electronic Commerce Environment ................................ 1585
Chris Hare, CISSP, CISA
Section 7.4 Intrusion Detection
131 Improving Network-Level Security through Real-Time
Monitoring and Intrusion Detection ...................................................... 1601
Chris Hare, CISSP, CISA
132 Intelligent Intrusion Analysis: How Thinking Machines Can
Recognize Computer Intrusions ............................................................. 1619
Bryan D. Fish, CISSP
Section 7.5 Operations Controls
133 Directory Security .................................................................................... 1633
Ken Buszta, CISSP
8 BUSINESS CONTINUITY PLANNING .........................................
1641
Section 8.1 Business Continuity Planning
134 Reengineering the Business Continuity Planning Process ................... 1645
Carl B. Jackson, CISSP, CBCP
135 The Changing Face of Continuity Planning .......................................... 1657
Carl B. Jackson, CISSP, CBCP
136 The Role of Continuity Planning in the Enterprise Risk
Management Structure ............................................................................ 1667
Carl B. Jackson, CISSP, CBCP
Section 8.2 Disaster Recovery Planning
137 Restoration Component of Business Continuity Planning................... 1679
John Dorf, ARM and Martin Johnson, CISSP
138 Business Resumption Planning and Disaster Recovery:
A Case History ......................................................................................... 1689
Kevin Henry, CISA, CISSP
139 Business Continuity Planning: A Collaborative Approach................... 1699
Kevin Henry, CISA, CISSP
xviii
Section 8.3 Elements of Business Continuity Planning
140 The Business Impact Assessment Process ............................................. 1709
Carl B. Jackson, CISSP, CBCP
9 LAW, INVESTIGATION, AND ETHICS .......................................
1725
Section 9.1 Information Law
141 Jurisdictional Issues in Global Transmissions ....................................... 1729
Ralph Spencer Poore, CISSP, CISA, CFE
142 Liability for Lax Computer Security in DDoS Attacks ........................ 1737
Dorsey Morrow, JD, CISSP
143 The Final HIPAA Security Rule Is Here! Now What?.......................... 1743
Todd Fitzgerald, CISSP, CISA
144 HIPAA 201: A Framework Approach to HIPAA Security Readiness... 1759
David MacLeod, Ph.D., CISSP, Brian Geffert, CISSP, CISA, and David Deckter, CISSP
Section 9.2 Investigations
145 Computer Crime Investigations: Managing a Process
without Any Golden Rules ..................................................................... 1771
George Wade, CISSP
146 Computer Crime Investigation and Computer Forensics..................... 1785
Thomas Welch, CISSP, CPP
147 Operational Forensics .............................................................................. 1813
Michael J. Corby, CISSP
148 What Happened ........................................................................................ 1819
Kelly J. Kuchta, CPP, CFE
Section 9.3 Major Categories of Computer Crime
149 The International Dimensions of Cybercrime....................................... 1823
Ed Gabrys, CISSP
Section 9.4 Incident Handling
150 Honeypot Essentials................................................................................. 1841
Anton Chuvakin, Ph.D., GCIA, GCIH
xix
151 CIRT: Responding to Attack ................................................................... 1847
Chris Hare, CISSP, CISA
152 Incident Response Management ............................................................. 1861
Alan B. Sterneckert, CISA, CISSP, CFE, CCCI
153 Managing the Response to a Computer Security Incident ................... 1871
Michael Vangelos, CISSP
154 Cyber Crime: Response, Investigation, and Prosecution ...................... 1881
Thomas Akin, CISSP
155 Incident Response Exercises.................................................................... 1887
Ken M. Shaurette, CISSP, CISA, CISM, IAM and Thomas J. Schleppenbach
156 Software Forensics.................................................................................... 1897
Robert M. Slade, CISSP
Section 9.5 Ethics
157 Ethics and the Internet ............................................................................ 1911
Micki Krause, CISSP
10 PHYSICAL SECURITY ........................................................................... 1921
Section 10.1 Facility Requirements
158 Physical Security: A Foundation for Information Security .................. 1925
Christopher Steinke, CISSP
159 Physical Security: Controlled Access and Layered Defense ................. 1935
Bruce R. Mathews, CISSP
160 Computing Facility Physical Security .................................................... 1947
Alan Brusewitz, CISSP, CBCP
161 Closed Circuit Television and Video Surveillance ................................ 1957
David Litzau, CISSP
Section 10.2 Technical Controls
162 Types of Information Security Controls................................................. 1965
Harold F. Tipton, CISSP
Section 10.3 Environment and Life Safety
163 Physical Security: The Threat after September 11th ............................ 1975
Jaymes Williams, CISSP
Index ........................................................................................................................ 1997
Contributors
Thomas Akin, CISSP, has worked in information security for almost a decade. He is the founding director of
the Southeast Cybercrime Institute, where he also serves as chairman for the Institute's Board of Advisors. He
is an active member of the Georgia Cybercrime Task Force where he heads up the Task Force's Education
committee. Thomas also works with Atlanta's ISSA, InfraGard, and HTCIA professional organizations. He has
published several articles on Information Security and is the author of Hardening Cisco Routers. He developed
Kennesaw State University’s highly successful UNIX and Cisco training programs and, in addition to his security
certifications, is also certified in Solaris, Linux, and AIX; is a Cisco Certified Academic Instructor (CCAI), and
is a Certified Network Expert (CNX). He can be reached at takin@kennesaw.edu.
Mandy Andress, CISSP, SSCP, CPA, CISA, is Founder and President of ArcSec Technologies, a security consulting firm specializing in product/technology analysis. Before starting ArcSec Technologies, Mandy worked
for Exxon, USA and several Big 5 accounting firms, including Deloitte & Touche and Ernst & Young. After
leaving the Big 5, Mandy became Director of Security for Privada, Inc., a privacy start-up in San Jose. At
Privada, Mandy helped develop security policies, design secure networks, develop Firewall/VPN solutions,
increase physical security, secure product designs, and conduct periodic network vulnerability testing. Mandy has written
numerous security product and technology reviews for various computer trade publications. A member of the
Network World Global Test Alliance, she is also a frequent presenter at conferences, including Networld+Interop, Black Hat, and TISC. Mandy holds a BBA in accounting and an MS in MIS from Texas A&M
University. She is the author of Surviving Security, 2nd Edition (Auerbach Publications, 2003).
Jim Appleyard is a senior security consultant with the IBM Security and Privacy Services consulting practice.
With 33 years of technical and management experience in information technology, he specializes in enterprisewide information security policies and security architecture design. He has specific expertise in developing
information security policies, procedures, and standards; conducting business impact analysis; performing
enterprisewide security assessments; and designing data classification and security awareness programs.
David W. Baker is a member of the CVE Editorial Board. As a Lead INFOSEC Engineer in MITRE’s Security
and Information Operations Division, he has experience in deployment and operation of large-scale intrusion
detection systems, critical infrastructure protection efforts, and digital forensics research. A member of the
American Academy of Forensic Sciences, Baker holds a bachelor’s degree from The State University of New
York, and a Master of Forensic Science degree from George Washington University.
Dencho N. Batanov is with the school of Advanced Technologies at the Asian Institute of Technology in
Pathumthani, Thailand.
John Berti, CISSP, is a Senior Manager in the Winnipeg Office of Deloitte & Touche LLP’s Security Services
consulting practice. John has extensive experience in information security including E-business security controls, network security reviews, intrusion and penetration testing, risk analysis, policy development, security
awareness, and information security assurance programs. John has over 18 years of Information Security
experience and is presently a Senior Lead Instructor for (ISC)2, the organization responsible for worldwide
CISSP certification of Information Security professionals. John is also an invited lecturer at some of the largest
security conferences and has provided expert witness testimony and technical forensic assistance for various
law enforcement agencies in Canada. John also possesses extensive investigative experience in dealing with
various information security-related incidents for a large telecommunications company in Manitoba, relating
to computer and toll fraud crimes.
Chuck Bianco, FTTR, CISA, CISSP, is an IT Examination Manager for the Office of Thrift Supervision in
Dallas, Texas. He has represented his agency on the IT Subcommittee of the FFIEC. Bianco has experienced
more than 600 IT examinations, participated in six IT symposia, written OTS’ original Disaster Recovery
Bulletin, and led the Interagency Symposium resulting in SP–5. He was awarded the FFIEC Outstanding
Examiner Award for significant contributions, and received two Department of the Treasury Awards for
Outstanding Performance.
Christina M. Bird, Ph.D., CISSP, is a senior security analyst with Counterpane Internet Security in San Jose,
California. She has implemented and managed a variety of wide-area-network security technologies, such as
firewalls, VPN packages and authentication systems; built and supported Internet-based remote access systems;
and developed, implemented, and enforced corporate IS security policies in a variety of environments. Tina
is the moderator of the Virtual Private Networks mailing list, and the owner of "VPN Resources on the World
Wide Web," a highly regarded vendor neutral source of information about VPN technology. Tina has a BS in
physics from Notre Dame and an MS and Ph.D. in astrophysics from the University of Minnesota.
Steven F. Blanding, CIA, CISA, CSP, CFE, CQA, was, when his contributions were written, the Regional
Director of Technology for Arthur Andersen, based in Houston, Texas. Steve has 25 years of experience in the
areas of financial auditing, systems auditing, quality assurance, information security, and business resumption
planning for large corporations in the consulting services, financial services, manufacturing, retail electronics,
and defense contract industries. Steve earned a BS in accounting from Virginia Tech and an MS in business
information systems from Virginia Commonwealth University.
David Bonewell, CISSP, CISA, is a chief security architect with Teradata, Cincinnati, Ohio.
Kate Borten, CISSP, a nationally recognized expert in health information security and privacy, is president of
The Marblehead Group. She has over 20 years at Harvard University teaching hospitals, health centers, and
physician practices; as information security head at Massachusetts General Hospital, and Chief Information
Security Officer at CareGroup in Boston. She is a frequent speaker at conferences sponsored by AHIMA, AMIA,
CHIM, CHIME, CPRI, and HIMSS, and an advisor and contributor to “Briefings on HIPAA.”
Dan M. Bowers, CISSP, is a consulting engineer, author, and inventor in the field of security engineering.
Thomas J. Bray, CISSP, is a Principal Security Consultant with SecureImpact. He has more than 13 years of
information security experience in banking, information technology, and consulting. Tom can be reached at
tjbray@secureimpact.com. SecureImpact is a company dedicated to providing premier security consulting
expertise and advice. SecureImpact has created its information and network service offerings to address the
growing proliferation of security risks being experienced by small to mid-sized companies. Information about
SecureImpact can be obtained by visiting www.secureimpact.com.
Allen Brusewitz, CISSP, CBCP, has more than 30 years of experience in computing in various capacities,
including system development, EDP auditing, computer operations, and information security. He has continued his professional career leading consulting teams in cyber-security services with an emphasis on E-commerce
security. He also participates in business continuity planning projects and is charged with developing that
practice with his current company for delivery to commercial organizations.
Graham Bucholz is a computer security researcher for the U.S. government in Baltimore, Maryland.
Carl Burney, CISSP, is a Senior Internet Security Analyst with IBM in Salt Lake City, Utah.
Ken Buszta, CISSP, is Chief Information Security Officer for the City of Cincinnati, Ohio, and has more than
ten years of IT experience and six years of InfoSec experience. He served in the U.S. Navy’s intelligence
community before entering the consulting field in 1994. Should you have any questions or comments, he can
be reached at Infosecguy@att.net.
James Cannady is a research scientist at Georgia Tech Research Institute. For the past seven years he has focused
on developing and implementing innovative approaches to computer security in sensitive networks and systems
in military, law enforcement, and commercial environments.
Ioana V. Carastan, CISSP, is a manager with Accenture’s global security consulting practice. She has written
security policies, standards, and processes for clients in a range of industries, including financial services, high-tech, resources, and government.
Mark T. Chapman, CISSP, CISM, IAM, is the Director of Information Security Solutions for Omni Tech
Corporation in Waukesha, Wisconsin. Mark holds an MS in computer science from the University of Wisconsin,
Milwaukee, in the area of cryptography and information security. He has published several papers and has
presented research at conferences in the United States, Asia, and Europe. He is the author of several security-related software suites, including the NICETEXT linguistic steganography package available at www.nicetext.com. Mark is a member of the executive planning committee for the Eastern Wisconsin Chapter of
InfraGard. For questions or comments, contact Mark at mark.chapman@omnitechcorp.com.
Steven Christey is the editor of the CVE List and the chair of the CVE Editorial Board. His operational
experience is in vulnerability scanning and incident response. His research interests include automated vulnerability analysis of source code, reverse-engineering of malicious executable code, and responsible vulnerability disclosure practices. He is a Principal INFOSEC Engineer in MITRE's Security and Information
Operations Division. He holds a BS in computer science from Hobart College.
Samuel Chun, CISSP, is director for a technology consulting firm in the Washington, D.C., area.
Anton Chuvakin, Ph.D., GCIA, GCIH, is a senior security analyst with a major information security company.
His areas of InfoSec expertise include intrusion detection, UNIX security, forensics, and honeypots. In his
spare time, he maintains his security portal, www.infosecure.org.
Douglas G. Conorich is the Global Solutions Manager for IBM Global Service's Managed Security Services. With
over 30 years of experience in computer security, holding a variety of technical and management positions,
he is responsible for developing new security offerings, ensuring that the current offerings are standardized
globally, and overseeing training of new members of the MSS team worldwide. Mr. Conorich teaches people how
to use the latest vulnerability testing tools to monitor Internet and intranet connections and develop vulnerability
assessments suggesting security-related improvements. Mr. Conorich is also actively engaged in the research
of bugs and vulnerabilities in computer operating systems and Internet protocols and is involved in the
development of customized alerts notifying clients of new potential risks to security. He has presented papers
at over 400 conferences, has published numerous computer security-related articles on information security
in various magazines and periodicals, and has held associate professor positions at several colleges and universities.
Michael J. Corby, CISSP, is Director of META Group Consulting. He was most recently president of QinetiQ
Trusted Information Management and prior to that, vice president of the Netigy Global Security Practice, CIO
for Bain & Company, and the Riley Stoker division of Ashland Oil. He has more than 30 years of experience
in the information security field and has been a senior executive in several leading IT and security consulting
organizations. He was a founding officer of (ISC)2, developer of the CISSP program, and was named the first
recipient of the CSI Lifetime Achievement Award. A frequent speaker and prolific author, Corby graduated
from WPI in 1972 with a degree in electrical engineering.
Kellina M. Craig-Henderson, Ph.D., is an Associate Professor of Social Psychology at Howard University in
Washington, D.C. Craig-Henderson’s work has been supported by grants from the National Science Foundation
and the Center for Human Resource Management at the University of Illinois.
Jeffrey Davis, CISSP, has been working in information security for the past ten years. He is currently a senior
manager at Lucent Technologies, involved with intrusion detection, anti-virus, and threat assessment. He holds
a bachelor’s degree in electrical engineering and a master’s degree in computer science from Stevens Institute
of Technology.
Matthew J. Decker, CISSP, CISA, CBCP, has 17 years of professional experience in information security. He
has advised private industry and local government on information security issues for the past six years with
International Network Services, Lucent Technologies, and KPMG LLP. Prior to this, he devoted two years to
the United States Special Operations Command (USSOCOM) as a contractor for Booz Allen Hamilton, and
served nine years with the NSA. He earned a BSEE in 1985 from Florida Atlantic University and an MBA in
1998 from Nova Southeastern University. In 1992, the NSA’s Engineering and Physical Science Career Panel
awarded him Certified Cryptologic Engineer (CCE) stature. A former president of the ISSA Tampa Bay chapter,
he is a member of ISSA and ISACA.
David Deckter, CISSP, a manager with Deloitte & Touche Enterprise Risk Services, has extensive experience
in information systems security disciplines, controlled penetration testing, secure operating system, application
and internetworking architecture and design, risk and vulnerability assessments, and project management.
Deckter has obtained ISC2 CISSP certification. He has performed numerous network security assessments for
emerging technologies and electronic commerce initiatives in the banking, insurance, telecommunications,
healthcare, and financial services industries, and has been actively engaged in projects requiring HIPAA security
solutions.
Gildas Deograt, CISSP, is a CISSP Common Body of Knowledge (CBK) seminar instructor. He has been
working in the IT field for more than ten years, with a focus over the past five years on information security.
His experience includes network design and implementation, security policy development and implementation,
security awareness program development, network security architecture, assessment and integration, and also
firewall deployment. At present, he is an Information System Security Officer for Total Exploration and
Production. Before moving to France, he was the Chief Information Security Officer at TotalFinaElf E&P
Indonesia and also a board member of the Information System Security Association (ISSA), Indonesia.
Sandeep Dhameja, CISSP, is responsible for the implementation and management of data, network, and
information security at Morningstar. With more than ten years of IT experience, including five years in
information security, Dhameja has held several executive and consulting positions. He is widely published with
the IEEE, International Engineering Consortium (IEC), Society of Automotive Engineers (SAE), and at international conferences.
John Dorf, ARM, is a senior manager in the Actuarial Services Group of Ernst & Young. Specializing in
insurance underwriting and risk management consulting, John earned his 19 years of experience as a risk
manager at several Fortune 500 financial service and manufacturing fir
Information
Security
Management
Handbook
Fifth Edition
Edited by
Harold F. Tipton, CISSP
Micki Krause, CISSP
AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.
This edition published in the Taylor & Francis e-Library, 2005.
“To purchase your own copy of this or any of Taylor & Francis or Routledge’s
collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk.”
Library of Congress Cataloging-in-Publication Data
Information security management handbook / Harold F. Tipton, Micki Krause, editors.—5th ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-1997-8 (alk. paper)
1. Computer security—Management—Handbooks, manuals, etc. 2. Data
protection—Handbooks, manuals, etc. I. Tipton, Harold F. II. Krause, Micki.
QA76.9.A25I54165 2003
658¢.0558—dc22
2003061151
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with
permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish
reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials
or for the consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior
permission in writing from the publisher.
All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific
clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright clearance
Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is
ISBN 0-8493-1997-8 /03/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been
granted a photocopy license by the CCC, a separate system of payment has been arranged.
The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works,
or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.
Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation, without intent to infringe.
Visit the CRC Press Web site at www.crcpress.com
© 2004 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-1997-8
Library of Congress Card Number 2003061151
ISBN 0-203-32543-5 Master e-book ISBN
Chapter 1, “Enhancing Security through Biometric Technology,” by Stephen D. Fried, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 18, “Packet Sniffers and Network Monitors,” by James S. Tiller, CISA, CISSP, and Bryan D. Fish, CISSP,
©Lucent Technologies. All rights reserved.
Chapter 30, “ISO/OSI Layers and Characteristics,” by George G. McBride, CISSP, ©Lucent Technologies. All
rights reserved.
Chapter 32, “IPSec Virtual Private Networks,” by James S. Tiller, CISA, CISSP, ©INS. All rights reserved.
Chapter 58, “Security Patch Management,” by Jeffrey Davis, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 62, “Trust Governance in a Web Services World,” by Daniel D. Houser, CISSP, MBA, e-Biz+, ©Nationwide Mutual Insurance Company. All rights reserved.
Chapter 68, “Security Assessment,” by Sudhanshu Kairab, ©Copyright 2003 INTEGRITY. All rights reserved.
Chapter 70, “A Progress Report on the CVE Initiative,” by Robert Martin, Steven Christey, and David Baker,
©Copyright 2003 MITRE Corp. All rights reserved.
Chapter 87, “How to Work with a Managed Security Service Provider,” by Laurie Hill McQuillan, ©2003. Laurie
Hill McQuillan. All rights reserved.
Chapter 99, “Digital Signatures in Relational Database Applications,” by Mike R. Prevost, ©2002 Mike R. Prevost
and Gradkell Systems, Inc. Used with permission.
Chapter 108, “Three New Models for the Application of Cryptography,” by Jay Heiser, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 110, “Message Authentication,” by James S. Tiller, CISA, CISSP, ©INS. All rights reserved.
Chapter 128, “Why Today’s Security Technologies Are So Inadequate: History, Implications, and New
Approaches,” by Steven Hofmeyr, Ph.D., ©2003 Sana Security. All rights reserved.
Chapter 131, “Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection,”
by Chris Hare, CISSP, CISA, ©International Network Services. All rights reserved.
Chapter 142, “Liability for Lax Computer Security in DDOS Attacks,” by Dorsey Morrow, JD, CISSP, ©2003.
Dorsey Morrow. All rights reserved.
Chapter 152, “CIRT: Responding to Attack,” by Chris Hare, CISSP, CISA, ©International Network Services. All
rights reserved.
Chapter 156, “Software Forensics,” by Robert M. Slade, ©Robert M. Slade. All rights reserved.
v
This page intentionally left blank
Table of Contents
Contributors .......................................................................................................... xxiii
Introduction
........................................................................................................... xli
1 ACCESS CONTROL SYSTEMS AND METHODOLOGY
......... 1
Section 1.1 Access Control Techniques
1 Enhancing Security through Biometric Technology........................................ 5
Stephen D. Fried, CISSP
2 Biometrics: What’s New?................................................................................. 21
Judith M. Myerson
3 Controlling FTP: Providing Secured Data Transfers ..................................... 27
Chris Hare, CISSP, CISA
Section 1.2 Access Control Administration
4 Privacy in the Healthcare Industry................................................................. 45
Kate Borten, CISSP
5 The Case for Privacy........................................................................................ 55
Michael J. Corby, CISSP
Section 1.3 Identification and Authentication Techniques
6 Biometric Identification................................................................................... 61
Donald R. Richards, CPP
7 Single Sign-On for the Enterprise ................................................................... 77
Ross A. Leo, CISSP
Section 1.4 Access Control Methodologies and Implementation
8 Centralized Authentication Services (RADIUS, TACACS, DIAMETER) .............. 97
William Stackpole, CISSP
vii
9 An Introduction to Secure Remote Access .................................................. 109
Christina M. Bird, Ph.D., CISSP
Section 1.5 Methods of Attack
10 Hacker Tools and Techniques ..................................................................... 121
Ed Skoudis, CISSP
11 A New Breed of Hacker Tools and Defenses ............................................. 135
Ed Skoudis, CISSP
12 Social Engineering: The Forgotten Risk ..................................................... 147
John Berti, CISSP and Marcus Rogers, Ph.D., CISSP
13 Breaking News: The Latest Hacker Attacks and Defenses ...................... 155
Ed Skoudis, CISSP
14 Counter-Economic Espionage...................................................................... 165
Craig A. Schiller, CISSP
Section 1.6 Monitoring and Penetration Testing
15 Penetration Testing ...................................................................................... 179
Stephen D. Fried, CISSP
16 Penetration Testing ...................................................................................... 191
Chuck Bianco, FTTR, CISA, CISSP
2 TELECOMMUNICATIONS, NETWORK, AND
INTERNET SECURITY ................................................................................. 197
Section 2.1 Communications and Network Security
17 Understanding SSL ....................................................................................... 203
Chris Hare, CISSP, CISA
18 Packet Sniffers and Network Monitors...................................................... 217
James S. Tiller, CISA, CISSP and Bryan D. Fish, CISSP
19 Secured Connections to External Networks.............................................. 235
Steven F. Blanding
20 Security and Network Technologies........................................................... 249
Chris Hare, CISSP, CISA
21 Wired and Wireless Physical Layer Security Issues .................................. 269
James Trulove
viii
22 Network Router Security ............................................................................ 277
Steven F. Blanding
23 What’s Not So Simple about SNMP? ......................................................... 287
Chris Hare, CISSP, CISA
24 Network and Telecommunications Media: Security from the
Ground Up.................................................................................................... 297
Samuel Chun, CISSP
25 Security and the Physical Network Layer ................................................. 311
Matthew J. Decker, CISSP, CISA, CBCP
26 Security of Wireless Local Area Networks ................................................ 319
Franjo Majstor, CISSP
27 Securing Wireless Networks ....................................................................... 329
Sandeep Dhameja, CISSP
28 Wireless Security Mayhem: Restraining the Insanity
of Convenience............................................................................................. 339
Mark T. Chapman, MSCS, CISSP, IAM
29 Wireless LAN Security Challenge .............................................................. 349
Frandinata Halim, CISSP, CCSP, CCDA, CCNA, MSCE and Gildas Deograt, CISSP
30 ISO/OSI Layers and Characteristics ........................................................... 363
George G. McBride, CISSP
Section 2.2 Internet/Intranet/Extranet
31 Enclaves: The Enterprise as an Extranet .................................................... 373
Bryan T. Koch, CISSP
32 IPSec Virtual Private Networks .................................................................. 383
James S. Tiller, CISA, CISSP
33 Firewalls: An Effective Solution for Internet Security.............................. 407
E. Eugene Schultz, Ph.D., CISSP
34 Internet Security: Securing the Perimeter.................................................. 413
Douglas G. Conorich
35 Extranet Access Control Issues................................................................... 423
Christopher King, CISSP
36 Application-Layer Security Protocols for Networks ................................. 435
William Stackpole, CISSP
ix
37 Application Layer: Next Level of Security................................................. 447
Keith Pasley, CISSP
38 Security of Communication Protocols and Services ................................. 457
William Hugh Murray, CISSP
39 An Introduction to IPSec ............................................................................. 467
William Stackpole, CISSP
40 VPN Deployment and Evaluation Strategy................................................ 475
Keith Pasley, CISSP
41 How to Perform a Security Review of a Checkpoint Firewall................. 493
Ben Rothke, CISSP
42 Comparing Firewall Technologies .............................................................. 513
Per Thorsheim
43 The (In) Security of Virtual Private Networks .......................................... 523
James S. Tiller, CISA, CISSP
44 Cookies and Web Bugs................................................................................. 539
William T. Harding, Ph.D., Anita J. Reed, CPA, and Robert L. Gray, Ph.D.
45 Leveraging Virtual Private Networks ......................................................... 549
James S. Tiller, CISA, CISSP
46 Wireless LAN Security ................................................................................ 561
Mandy Andress, CISSP, SSCP, CPA, CISA
47 Security for Broadband Internet Access Users........................................... 567
James Trulove
48 New Perspectives on VPNs ......................................................................... 575
Keith Pasley, CISSP
49 An Examination of Firewall Architectures ................................................ 581
Paul A. Henry, CISSP, CNE
Section 2.3 E-mail Security
50 Instant Messaging Security Issues .............................................................. 601
William Hugh Murray, CISSP
Section 2.4 Secure Voice Communications
51 Voice Security............................................................................................... 617
Chris Hare, CISSP, CISA
52 Secure Voice Communications (VoI) .......................................................... 627
Valene Skerpac, CISSP
Section 2.5 Network Attacks and Countermeasures
53 Packet Sniffers: Use and Misuse................................................................. 639
Steve A. Rodgers, CISSP
54 ISPs and Denial-of-Service Attacks ............................................................ 649
K. Narayanaswamy, Ph.D.
3 INFORMATION SECURITY MANAGEMENT ............................ 667
Section 3.1 Security Management Concepts and Principles
55 The Human Side of Information Security.................................................. 663
Kevin Henry, CISA, CISSP
56 Security Management .................................................................................. 677
Ken Buszta, CISSP
57 Measuring ROI on Security ......................................................................... 685
Carl F. Endorf, CISSP, SSCP, GSEC
58 Security Patch Management........................................................................ 689
Jeffrey Davis, CISSP
Section 3.2 Change Control Management
59 Configuration Management: Charting the Course for the
Organization ................................................................................................. 697
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
Section 3.3 Data Classification
60 Information Classification: A Corporate Implementation
Guide............................................................................................................. 715
Jim Appleyard
Section 3.4 Risk Management
61 A Matter of Trust......................................................................................... 727
Ray Kaplan, CISSP, CISA, CISM
62 Trust Governance in a Web Services World .............................................. 741
Daniel D. Houser, CISSP, MBA, e-Biz+
63 Risk Management and Analysis ................................................................. 751
Kevin Henry, CISA, CISSP
64 New Trends in Information Risk Management......................................... 759
Brett Regan Young, CISSP, CBCP
65 Information Security in the Enterprise ...................................................... 767
Duane E. Sharp
66 Managing Enterprise Security Information ................................................ 779
Matunda Nyanchama, Ph.D., CISSP and Anna Wilson, CISSP, CISA
67 Risk Analysis and Assessment ................................................................... 795
Will Ozier
68 Security Assessment .................................................................................... 821
Sudhanshu Kairab, CISSP, CISA
69 Cyber-Risk Management: Technical and Insurance Controls
for Enterprise-Level Security....................................................................... 829
Carol A. Siegel, Ty R. Sagalow, and Paul Serritella
Section 3.5 Employment Policies and Practices
70 A Progress Report on the CVE Initiative ................................................... 845
Robert Martin, Steven Christey, and David Baker
71 Roles and Responsibilities of the Information Systems
Security Officer ............................................................................................ 865
Carl Burney, CISSP
72 Information Protection: Organization, Roles, and Separation
of Duties ...................................................................................................... 871
Rebecca Herold, CISSP, CISA, FLMI
73 Organizing for Success: Some Human Resources Issues
in Information Security ............................................................................... 887
Jeffrey H. Fenton, CBCP, CISSP and James M. Wolfe, MSM
74 Ownership and Custody of Data ................................................................ 899
William Hugh Murray, CISSP
75 Hiring Ex-Criminal Hackers........................................................................ 907
Ed Skoudis, CISSP
Section 3.6 Risk Management
76 Information Security Policies from the Ground Up ................................. 917
Brian Shorten, CISSP, CISA
77 Policy Development..................................................................................... 925
Chris Hare, CISSP, CISA
78 Toward Enforcing Security Policy: Encouraging Personal
Accountability for Corporate Information Security Policy ...................... 945
John O. Wylder, CISSP
79 The Common Criteria for IT Security Evaluation .................................... 953
Debra S. Herrmann
80 A Look at the Common Criteria ................................................................ 969
Ben Rothke, CISSP
81 The Security Policy Life Cycle: Functions
and Responsibilities ..................................................................................... 979
Patrick D. Howard, CISSP
Section 3.7 Security Awareness Training
82 Maintaining Management’s Commitment................................................. 989
William Tompkins, CISSP, CBCP
83 Making Security Awareness Happen .......................................................... 999
Susan D. Hansche, CISSP
84 Making Security Awareness Happen: Appendices................................... 1011
Susan D. Hansche, CISSP
Section 3.8 Security Management Planning
85 Maintaining Information Security during Downsizing........................... 1023
Thomas J. Bray, CISSP
86 The Business Case for Information Security: Selling
Management on the Protection of Vital Secrets
and Products ............................................................................................... 1029
Sanford Sherizen, Ph.D., CISSP
87 How to Work with a Managed Security Service Provider ...................... 1035
Laurie Hill McQuillan, CISSP
88 Considerations for Outsourcing Security ................................................. 1047
Michael J. Corby, CISSP
89 Outsourcing Security ................................................................................. 1061
James S. Tiller, CISA, CISSP
4 APPLICATION PROGRAM SECURITY ........................................ 1073
Section 4.1 APPLICATION ISSUES
90 Security Models for Object-Oriented Databases...................................... 1077
James Cannady
91 Web Application Security.......................................................................... 1083
Mandy Andress, CISSP, SSCP, CPA, CISA
92 Security for XML and Other Metadata Languages .................................. 1093
William Hugh Murray, CISSP
93 XML and Information Security ................................................................. 1101
Samuel C. McClintock
94 Application Security .................................................................................. 1109
Walter S. Kobus, Jr., CISSP
95 Covert Channels......................................................................................... 1115
Anton Chuvakin, Ph.D., GCIA, GCIH
96 Security as a Value Enhancer in Application Systems
Development .............................................................................................. 1123
Lowell Bruce McCulley, CISSP
97 Open Source versus Closed Source........................................................... 1139
Ed Skoudis, CISSP
Section 4.2 Databases and Data Warehousing
98 Reflections on Database Integrity............................................................. 1157
William Hugh Murray, CISSP
99 Digital Signatures in Relational Database Applications......................... 1165
Mike R. Prevost
100 Security and Privacy for Data Warehouses:
Opportunity or Threat? ............................................................................. 1175
David Bonewell, CISSP, CISA, Karen Gibbs, and Adriaan Veldhuisen
Section 4.3 Systems Development Controls
101 Enterprise Security Architecture............................................................. 1193
William Hugh Murray, CISSP
102 Certification and Accreditation Methodology ....................................... 1205
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
103 System Development Security Methodology......................................... 1221
Ian Lim, CISSP and Ioana V. Carastan, CISSP
104 A Security-Oriented Extension of the Object Model for the
Development of an Information System................................................ 1235
Sureerut Inmor, Vatcharaporn Esichaikul, and Dencho N. Batanov
Section 4.4 Malicious Code
105 A Look at Java Security ........................................................................... 1251
Ben Rothke, CISSP
106 Malware and Computer Viruses ............................................................. 1257
Robert M. Slade, CISSP
Section 4.5 Methods of Attack
107 Methods of Auditing Applications ......................................................... 1287
David C. Rice, CISSP and Graham Bucholz
5 CRYPTOGRAPHY ......................................................................................... 1295
Section 5.1 Use of Cryptography
108 Three New Models for the Application of Cryptography..................... 1299
Jay Heiser, CISSP
109 Auditing Cryptography: Assessing System Security ............................. 1309
Steve Stanek
Section 5.2 Cryptographic Concepts, Methodologies, and Practices
110 Message Authentication .......................................................................... 1313
James S. Tiller, CISA, CISSP
111 Steganography: The Art of Hiding Messages ......................................... 1327
Mark Edmead, CISSP, SSCP, TICSA
112 An Introduction to Cryptography ........................................................... 1333
Javek Ikbel, CISSP
113 Hash Algorithms: From Message Digests to Signatures ....................... 1349
Keith Pasley, CISSP
114 A Look at the Advanced Encryption Standard (AES) ............................ 1357
Ben Rothke, CISSP
Section 5.3 Private Key Algorithms
115 Principles and Applications of Cryptographic Key
Management ............................................................................................. 1365
William Hugh Murray, CISSP
Section 5.4 Public Key Infrastructure (PKI)
116 Preserving Public Key Hierarchy ............................................................ 1379
Geoffrey C. Grabow, CISSP
117 PKI Registration ....................................................................................... 1385
Alex Golod, CISSP
Section 5.5 System Architecture for Implementing Cryptographic Functions
118 Implementing Kerberos in Distributed Systems ................................... 1397
Joe Kovara, CTP and Ray Kaplan, CISSP, CISA, CISM
Section 5.6 Methods of Attack
119 Methods of Attacking and Defending Cryptosystems ......................... 1447
Joost Houwen, CISSP
6 ENTERPRISE SECURITY ARCHITECTURE ................................. 1461
Section 6.1 Principles of Computer and Network Organizations, Architectures, and Designs
120 Security Infrastructure: Basics of Intrusion Detection Systems .......... 1465
Ken M. Shaurette, CISSP, CISA, NSA, IAM
121 Firewalls, 10 Percent of the Solution: A Security
Architecture Primer ................................................................................. 1475
Chris Hare, CISSP, CISA
122 The Reality of Virtual Computing.......................................................... 1489
Chris Hare, CISSP, CISA
123 Overcoming Wireless LAN Security Vulnerabilities............................. 1507
Gilbert Held
Section 6.2 Principles of Security Models, Architectures and Evaluation Criteria
124 Formulating an Enterprise Information Security Architecture ............ 1513
Mollie Krehnke, CISSP, IAM and David Krehnke, CISSP, CISM, IAM
125 Security Architecture and Models .......................................................... 1531
Foster J. Henderson, CISSP, MCSE and Kellina M. Craig-Henderson, Ph.D.
Section 6.3 Common Flaws and Security Issues — System Architecture and Design
126 Common System Design Flaws and Security Issues............................. 1547
William Hugh Murray, CISSP
7 OPERATIONS SECURITY ...................................................................... 1555
Section 7.1 Concepts
127 Operations: The Center of Support and Control ................................... 1559
Kevin Henry, CISA, CISSP
128 Why Today’s Security Technologies Are So Inadequate: History,
Implications, and New Approaches....................................................... 1565
Steven Hofmeyr, Ph.D.
Section 7.2 Resource Protection Requirements
129 Physical Access Control .......................................................................... 1569
Dan M. Bowers, CISSP
Section 7.3 Auditing
130 Auditing the Electronic Commerce Environment ................................ 1585
Chris Hare, CISSP, CISA
Section 7.4 Intrusion Detection
131 Improving Network-Level Security through Real-Time
Monitoring and Intrusion Detection ...................................................... 1601
Chris Hare, CISSP, CISA
132 Intelligent Intrusion Analysis: How Thinking Machines Can
Recognize Computer Intrusions ............................................................. 1619
Bryan D. Fish, CISSP
Section 7.5 Operations Controls
133 Directory Security .................................................................................... 1633
Ken Buszta, CISSP
8 BUSINESS CONTINUITY PLANNING ......................................... 1641
Section 8.1 Business Continuity Planning
134 Reengineering the Business Continuity Planning Process ................... 1645
Carl B. Jackson, CISSP, CBCP
135 The Changing Face of Continuity Planning .......................................... 1657
Carl B. Jackson, CISSP, CBCP
136 The Role of Continuity Planning in the Enterprise Risk
Management Structure ............................................................................ 1667
Carl B. Jackson, CISSP, CBCP
Section 8.2 Disaster Recovery Planning
137 Restoration Component of Business Continuity Planning................... 1679
John Dorf, ARM and Martin Johnson, CISSP
138 Business Resumption Planning and Disaster Recovery:
A Case History ......................................................................................... 1689
Kevin Henry, CISA, CISSP
139 Business Continuity Planning: A Collaborative Approach................... 1699
Kevin Henry, CISA, CISSP
Section 8.3 Elements of Business Continuity Planning
140 The Business Impact Assessment Process ............................................. 1709
Carl B. Jackson, CISSP, CBCP
9 LAW, INVESTIGATION, AND ETHICS ....................................... 1725
Section 9.1 Information Law
141 Jurisdictional Issues in Global Transmissions ....................................... 1729
Ralph Spencer Poore, CISSP, CISA, CFE
142 Liability for Lax Computer Security in DDoS Attacks ........................ 1737
Dorsey Morrow, JD, CISSP
143 The Final HIPAA Security Rule Is Here! Now What?.......................... 1743
Todd Fitzgerald, CISSP, CISA
144 HIPAA 201: A Framework Approach to HIPAA Security Readiness... 1759
David MacLeod, Ph.D., CISSP, Brian Geffert, CISSP, CISA, and David Deckter, CISSP
Section 9.2 Investigations
145 Computer Crime Investigations: Managing a Process
without Any Golden Rules ..................................................................... 1771
George Wade, CISSP
146 Computer Crime Investigation and Computer Forensics..................... 1785
Thomas Welch, CISSP, CPP
147 Operational Forensics .............................................................................. 1813
Michael J. Corby, CISSP
148 What Happened ........................................................................................ 1819
Kelly J. Kuchta, CPP, CFE
Section 9.3 Major Categories of Computer Crime
149 The International Dimensions of Cybercrime....................................... 1823
Ed Gabrys, CISSP
Section 9.4 Incident Handling
150 Honeypot Essentials................................................................................. 1841
Anton Chuvakin, Ph.D., GCIA, GCIH
151 CIRT: Responding to Attack ................................................................... 1847
Chris Hare, CISSP, CISA
152 Incident Response Management ............................................................. 1861
Alan B. Sterneckert, CISA, CISSP, CFE, CCCI
153 Managing the Response to a Computer Security Incident ................... 1871
Michael Vangelos, CISSP
154 Cyber Crime: Response, Investigation, and Prosecution ...................... 1881
Thomas Akin, CISSP
155 Incident Response Exercises.................................................................... 1887
Ken M. Shaurette, CISSP, CISA, CISM, IAM and Thomas J. Schleppenbach
156 Software Forensics.................................................................................... 1897
Robert M. Slade, CISSP
Section 9.5 Ethics
157 Ethics and the Internet ............................................................................ 1911
Micki Krause, CISSP
10 PHYSICAL SECURITY ........................................................................... 1921
Section 10.1 Facility Requirements
158 Physical Security: A Foundation for Information Security .................. 1925
Christopher Steinke, CISSP
159 Physical Security: Controlled Access and Layered Defense ................. 1935
Bruce R. Mathews, CISSP
160 Computing Facility Physical Security .................................................... 1947
Alan Brusewitz, CISSP, CBCP
161 Closed Circuit Television and Video Surveillance ................................ 1957
David Litzau, CISSP
Section 10.2 Technical Controls
162 Types of Information Security Controls................................................. 1965
Harold F. Tipton, CISSP
Section 10.3 Environment and Life Safety
163 Physical Security: The Threat after September 11th ............................ 1975
Jaymes Williams, CISSP
Index ........................................................................................................................ 1997
Contributors
Thomas Akin, CISSP, has worked in information security for almost a decade. He is the founding director of
the Southeast Cybercrime Institute, where he also serves as chairman for the Institute's Board of Advisors. He
is an active member of the Georgia Cybercrime Task Force where he heads up the Task Force's Education
committee. Thomas also works with Atlanta's ISSA, InfraGard, and HTCIA professional organizations. He has
published several articles on Information Security and is the author of Hardening Cisco Routers. He developed
Kennesaw State University’s highly successful UNIX and Cisco training programs and, in addition to his security
certifications, is also certified in Solaris, Linux, and AIX; is a Cisco Certified Academic Instructor (CCAI), and
is a Certified Network Expert (CNX). He can be reached at takin@kennesaw.edu.
Mandy Andress, CISSP, SSCP, CPA, CISA, is Founder and President of ArcSec Technologies, a security consulting firm specializing in product/technology analysis. Before starting ArcSec Technologies, Mandy worked
for Exxon, USA and several Big 5 accounting firms, including Deloitte & Touche and Ernst & Young. After
leaving the Big 5, Mandy became Director of Security for Privada, Inc., a privacy start-up in San Jose. At
Privada, Mandy helped develop security policies, secure network design, develop Firewall/VPN solutions,
increase physical security, secure product design, and periodic network vulnerability testing. Mandy has written
numerous security product and technology reviews for various computer trade publications. A member of the
Network World Global Test Alliance, she is also a frequent presenter at conferences, including Networld+Interop, Black Hat, and TISC. Mandy holds a BBA in accounting and an MS in MIS from Texas A&M
University. She is the author of Surviving Security, 2nd Edition (Auerbach Publications, 2003).
Jim Appleyard is a senior security consultant with the IBM Security and Privacy Services consulting practice.
With 33 years of technical and management experience in information technology, he specializes in enterprisewide information security policies and security architecture design. He has specific expertise in developing
information security policies, procedures, and standards; conducting business impact analysis; performing
enterprisewide security assessments; and designing data classification and security awareness programs.
David W. Baker is a member of the CVE Editorial Board. As a Lead INFOSEC Engineer in MITRE’s Security
and Information Operations Division, he has experience in deployment and operation of large-scale intrusion
detection systems, critical infrastructure protection efforts, and digital forensics research. A member of the
American Academy of Forensic Sciences, Baker holds a bachelor’s degree from The State University of New
York, and a Master of Forensic Science degree from George Washington University.
Dencho N. Batanov is with the school of Advanced Technologies at the Asian Institute of Technology in
Pathumthani, Thailand.
John Berti, CISSP, is a Senior Manager in the Winnipeg Office of Deloitte & Touche LLP’s Security Services
consulting practice. John has extensive experience in information security including E-business security controls, network security reviews, intrusion and penetration testing, risk analysis, policy development, security
awareness, and information security assurance programs. John has over 18 years of Information Security
experience and is presently a Senior Lead Instructor for (ISC)2, the organization responsible for worldwide
CISSP certification of Information Security professionals. John is also an invited lecturer at some of the largest
security conferences and has provided expert witness testimony and technical forensic assistance for various
law enforcement agencies in Canada. John also possesses extensive investigative experience in dealing with
various information security-related incidents for a large telecommunications company in Manitoba, relating
to computer and toll fraud crimes.
Chuck Bianco, FTTR, CISA, CISSP, is an IT Examination Manager for the Office of Thrift Supervision in
Dallas, Texas. He has represented his agency on the IT Subcommittee of the FFIEC. Bianco has experienced
more than 600 IT examinations, participated in six IT symposia, written OTS’ original Disaster Recovery
Bulletin, and led the Interagency Symposium resulting in SP–5. He was awarded the FFIEC Outstanding
Examiner Award for significant contributions, and received two Department of the Treasury Awards for
Outstanding Performance.
Christina M. Bird, Ph.D., CISSP, is a senior security analyst with Counterpane Internet Security in San Jose,
California. She has implemented and managed a variety of wide-area-network security technologies, such as
firewalls, VPN packages and authentication systems; built and supported Internet-based remote access systems;
and developed, implemented, and enforced corporate IS security policies in a variety of environments. Tina
is the moderator of the Virtual Private Networks mailing list, and the owner of "VPN Resources on the World
Wide Web," a highly regarded vendor neutral source of information about VPN technology. Tina has a BS in
physics from Notre Dame and an MS and Ph.D. in astrophysics from the University of Minnesota.
Steven F. Blanding, CIA, CISA, CSP, CFE, CQA, was, when his contributions were written, the Regional
Director of Technology for Arthur Andersen, based in Houston, Texas. Steve has 25 years of experience in the
areas of financial auditing, systems auditing, quality assurance, information security, and business resumption
planning for large corporations in the consulting services, financial services, manufacturing, retail electronics,
and defense contract industries. Steve earned a BS in accounting from Virginia Tech and an MS in business
information systems from Virginia Commonwealth University.
David Bonewell, CISSP, CISA, is a chief security architect with Teradata, Cincinnati, Ohio.
Kate Borten, CISSP, a nationally recognized expert in health information security and privacy, is president of
The Marblehead Group. She has over 20 years at Harvard University teaching hospitals, health centers, and
physician practices; as information security head at Massachusetts General Hospital, and Chief Information
Security Officer at CareGroup in Boston. She is a frequent speaker at conferences sponsored by AHIMA, AMIA,
CHIM, CHIME, CPRI, and HIMSS, and an advisor and contributor to “Briefings on HIPAA.”
Dan M. Bowers, CISSP, is a consulting engineer, author, and inventor in the field of security engineering.
Thomas J. Bray, CISSP, is a Principal Security Consultant with SecureImpact. He has more than 13 years of
information security experience in banking, information technology, and consulting. Tom can be reached at
tjbray@secureimpact.com. SecureImpact is a company dedicated to providing premier security consulting
expertise and advice. SecureImpact has created its information and network service offerings to address the
growing proliferation of security risks being experienced by small to mid-sized companies. Information about
SecureImpact can be obtained by visiting www.secureimpact.com.
Allen Brusewitz, CISSP, CBCP, has more than 30 years of experience in computing in various capacities,
including system development, EDP auditing, computer operations, and information security. He has continued his professional career leading consulting teams in cyber-security services with an emphasis on E-commerce
security. He also participates in business continuity planning projects and is charged with developing that
practice with his current company for delivery to commercial organizations.
Graham Bucholz is a computer security researcher for the U.S. government in Baltimore, Maryland.
Carl Burney, CISSP, is a Senior Internet Security Analyst with IBM in Salt Lake City, Utah.
Ken Buszta, CISSP, is Chief Information Security Officer for the City of Cincinnati, Ohio, and has more than
ten years of IT experience and six years of InfoSec experience. He served in the U.S. Navy’s intelligence
community before entering the consulting field in 1994. Should you have any questions or comments, he can
be reached at Infosecguy@att.net.
James Cannady is a research scientist at Georgia Tech Research Institute. For the past seven years he has focused
on developing and implementing innovative approaches to computer security in sensitive networks and systems
in military, law enforcement, and commercial environments.
Ioana V. Carastan, CISSP, is a manager with Accenture’s global security consulting practice. She has written
security policies, standards, and processes for clients in a range of industries, including financial services, high-tech, resources, and government.
Mark T. Chapman, CISSP, CISM, IAM, is the Director of Information Security Solutions for Omni Tech
Corporation in Waukesha, Wisconsin. Mark holds an MS in computer science from the University of Wisconsin,
Milwaukee, in the area of cryptography and information security. He has published several papers and has
presented research at conferences in the United States, Asia, and Europe. He is the author of several security-related software suites, including the NICETEXT linguistic steganography package available at www.nicetext.com. Mark is a member of the executive planning committee for the Eastern Wisconsin Chapter of
InfraGard. For questions or comments, contact Mark at mark.chapman@omnitechcorp.com.
Steven Christey is the editor of the CVE List and the chair of the CVE Editorial Board. His operational
experience is in vulnerability scanning and incident response. His research interests include automated vulnerability analysis of source code, reverse-engineering of malicious executable code, and responsible vulnerability disclosure practices. He is a Principal INFOSEC Engineer in MITRE's Security and Information
Operations Division. He holds a BS in computer science from Hobart College.
Samuel Chun, CISSP, is director for a technology consulting firm in the Washington, D.C., area.
Anton Chuvakin, Ph.D., GCIA, GCIH, is a senior security analyst with a major information security company.
His areas of InfoSec expertise include intrusion detection, UNIX security, forensics, and honeypots. In his
spare time, he maintains his security portal, www.infosecure.org.
Douglas G. Conorich, the Global Solutions Manager for IBM Global Service’s Managed Security Services, with
over 30 years of experience with computer security holding a variety of technical and management positions,
has responsibility for developing new security offerings, ensuring that the current offerings are standardized
globally, and oversees training of new members of the MSS team worldwide. Mr. Conorich teaches people how
to use the latest vulnerability testing tools to monitor Internet and intranet connections and develop vulnerability
assessments suggesting security-related improvements. Mr. Conorich is also actively engaged in the research
of bugs and vulnerabilities in computer operating systems and Internet protocols and is involved in the
development of customized alerts notifying clients of new potential risks to security. He has presented papers
at over 400 conferences, has published numerous computer security-related articles on information security
in various magazines and periodicals, and has held associate professor positions at several colleges and universities.
Michael J. Corby, CISSP, is Director of META Group Consulting. He was most recently president of QinetiQ
Trusted Information Management and prior to that, vice president of the Netigy Global Security Practice, CIO
for Bain & Company, and the Riley Stoker division of Ashland Oil. He has more than 30 years of experience
in the information security field and has been a senior executive in several leading IT and security consulting
organizations. He was a founding officer of (ISC)2, developer of the CISSP program, and was named the first
recipient of the CSI Lifetime Achievement Award. A frequent speaker and prolific author, Corby graduated
from WPI in 1972 with a degree in electrical engineering.
Kellina M. Craig-Henderson, Ph.D., is an Associate Professor of Social Psychology at Howard University in
Washington, D.C. Craig-Henderson’s work has been supported by grants from the National Science Foundation
and the Center for Human Resource Management at the University of Illinois.
Jeffrey Davis, CISSP, has been working in information security for the past ten years. He is currently a senior
manager at Lucent Technologies, involved with intrusion detection, anti-virus, and threat assessment. He holds
a bachelor’s degree in electrical engineering and a master’s degree in computer science from Stevens Institute
of Technology.
Matthew J. Decker, CISSP, CISA, CBCP, has 17 years of professional experience in information security. He
has advised private industry and local government on information security issues for the past six years with
International Network Services, Lucent Technologies, and KPMG LLP. Prior to this, he devoted two years to
the United States Special Operations Command (USSOCOM) as a contractor for Booz Allen Hamilton, and
served nine years with the NSA. He earned a BSEE in 1985 from Florida Atlantic University and an MBA in
1998 from Nova Southeastern University. In 1992, the NSA’s Engineering and Physical Science Career Panel
awarded him Certified Cryptologic Engineer (CCE) stature. A former president of the ISSA Tampa Bay chapter,
he is a member of ISSA and ISACA.
David Deckter, CISSP, a manager with Deloitte & Touche Enterprise Risk Services, has extensive experience
in information systems security disciplines, controlled penetration testing, secure operating system, application
and internetworking architecture and design, risk and vulnerability assessments, and project management.
Deckter has obtained ISC2 CISSP certification. He has performed numerous network security assessments for
emerging technologies and electronic commerce initiatives in the banking, insurance, telecommunications,
healthcare, and financial services industries, and has been actively engaged in projects requiring HIPAA security
solutions.
Gildas Deograt, CISSP, is a CISSP Common Body of Knowledge (CBK) seminar instructor. He has been
working in the IT field for more than ten years, with a focus over the past five years on information security.
His experience includes network design and implementation, security policy development and implementation,
developing security awareness programs, network security architecture, assessment and integration, and
firewall deployment. At present, he is an Information System Security Officer for Total Exploration and
Production. Before moving to France, he was the Chief Information Security Officer at TotalFinaElf E&P
Indonesia and also a board member of the Information System Security Association (ISSA), Indonesia.
Sandeep Dhameja, CISSP, is responsible for implementation, management of data, network security, and
information security at Morningstar. With more than ten years of IT experience, including five years in
information security, Dhameja has held several executive and consulting positions. He is widely published with
the IEEE, International Engineering Consortium (IEC), Society of Automotive Engineers (SAE), and at international conferences.
John Dorf, ARM, is a senior manager in the Actuarial Services Group of Ernst & Young. Specializing in
insurance underwriting and risk management consulting, John earned his 19 years of experience as a risk
manager at several Fortune 500 financial service and manufacturing fir