Index

Numbers
3DES (Triple DES), 177, 220, 222–223
802.1X/EAP, 478
802.11 standard, 473

A
AAA services, 8, 11
AACS (Advanced Access Content System), 260
abstraction, 13, 43
acceptable use policies, 28
access abuses, 410–411
access control
  administrative control, 583–584
  assets, 580–581
  attacks, 635–636
    access aggregation, 641
    asset identification, 637–638
    password attacks, 641–648
    risk elements, 636
    smartcard attacks, 651–652
    social engineering attacks, 649–651
    spoofing attacks, 648
    threat identification, 638–640
    vulnerability analysis, 640
  authorization
    access control matrix, 625
    ACL, 625
    capability tables, 625
    constrained interface, 625–626
    content-dependent control, 626
    context-dependent control, 626
    implicit deny, 625
    need to know, 626
    principle of least privilege, 626
    separation of duties and responsibilities, 626
  CIA Triad and, 581–582
  compensating control, 583
  corrective control, 583
  DAC (Discretionary Access Control), 628, 629
  defense-in-depth, 627–628
  detective control, 582–583
  deterrent control, 583
  directive control, 583
  logical control, 584
  nondiscretionary, 630–635
    ABAC (Attribute Based Access Control), 629
    Attribute Based, 633
    MAC (Mandatory Access Control), 629, 633–635
    RBAC (Role Based Access Control), 628, 630–632
    rule-based access control, 628, 632
  permissions, 624
  physical control, 584
  preventive control, 582
  privilege creep, 631
  privileges, 625
  protection methods
    account lockout, 653
    electronic access, 652
    logon notification, 653
    multifactor authentication, 652–653
    password hashing, 652
    password masking, 652
    password policies, 652
    password salting, 652
    physical access, 652
    user education, 653
  recovery control, 583
  review question answers, 971–973

bindex.indd 06/27/2018 Page 1001 1002 access control matrix – Application layer (OSI)

  rights, 624–625
  security policies, 626–627
  steps, 582
  technical control, 584
  written lab answers, 996
access control matrix, 286–288, 625
access points, 473–475
  ad hoc mode, 475
  enterprise extended mode, 475
  ESSID, 475
  infrastructure mode, 475
  rogue access points, 484–485
  SSID, 475
  stand-alone mode, 475
  wired extension mode, 475
access review audits, 785
account lockout, 653
account management reviews, 689
accountability, 11, 43
  AAA services, 8
  authorization and, 586–587
accreditation, 306–307
  CNSS (Committee on National Security Systems), 308
  DIACAP (DoD Information Assurance Certification and Accreditation Process), 308
  DITSCAP (Defense Information Technology Security Certification and Accreditation Process), 308
  NIACAP (National Information Assurance Certification and Accreditation Process), 308
  RMF (Risk Management Framework), 308
ACL (access control lists), 625
active monitoring, 687
ADEPT (Adobe Digital Experience Protection Technology), 261
Adleman, Leonard, 239
administrative access control, 583–584
administrative controls, 78–79
  physical, 403
administrative investigations, 846–847
administrative law, 128–129
advisory policies, 27
adware, 928
AES (Advanced Encryption Standard), 220, 224–225
agents, 565
aggregation, 700
Agile development approach, 884–885
ALE (annualized loss expectancy), 70–71, 110
algorithms
  asymmetric key, 216–219
  hashing algorithms, 219
    memorization chart, 246
  key spaces, 201
alternate processing sites, 820–821
  cloud computing, 824
  cold sites, 821–822
  hot sites, 822–823
  mobile sites, 823–824
  service bureaus, 824
  warm sites, 823
analytic attacks, 265
AND operation, 202–203
antivirus
  heuristic-based detection, 921
  Kaspersky Lab, 920–921
  signature-based detection, 921
  Tripwire, 922
APIPA (Automatic Private IP Addressing), 552–553
application attacks
  back doors, 934–935
  buffer overflows, 933–934
  escalation of privilege, 935
  rootkits, 935
  TOCTTOU, 934
  written lab answers, 1000
Application layer (OSI)
  EDI (Electronic Data Interchange), 451
  FTP (File Transfer Protocol), 451
  HTTP (Hypertext Transfer Protocol), 451
  IMAP (Internet Message Access Protocol), 451
  LPD (Line Print Daemon), 451
  NNTP (Network News Transport Protocol), 451
  POP3 (Post Office Protocol version 3), 451
  SET (Secure Electronic Transaction), 451
  SMTP (Simple Mail Transfer Protocol), 451
  SNMP (Simple Network Management Protocol), 451
  S-RPC (Secure Remote Procedure Call), 451
  Telnet, 451
  TFTP (Trivial File Transfer Protocol), 451
Application (Process) layer (TCP/IP model)
  DHCP (Dynamic Host Configuration Protocol), 462
  FTP (File Transfer Protocol), 462
  HTTP (Hypertext Transport Protocol), 462
  IMAP (Internet Message Access Protocol), 462
  LPD (Line Print Daemon), 463
  NFS (Network File System), 463
  POP3 (Post Office Protocol), 462
  SMTP (Simple Mail Transfer Protocol), 462
  SNMP (Simple Network Management Protocol), 463
  SSL (Secure Sockets Layer), 462
  Telnet, 462
  TFTP (Trivial File Transfer Protocol), 462
  X Window, 463
application logs, 774
application-level gateway firewalls, 489
APTs (advanced persistent threats), 705, 858, 917
architecture, 320–321
  distributed, 351
  review question answers, 966–967
  written lab answers, 994–995
ARO (annualized rate of occurrence), 70, 109
ARP (Address Resolution Protocol), 445, 446–447, 461–462, 567–568
artificial identifiers, 183
ASCII (American Standard Code for Information Interchange), 450
asset-focused threats, 31
assets, 64
  access control, 580
  cloud-based, 713–714
  data classification, 162
    confidential, 162, 164
    defining, 165
    FOIA (Freedom of Information Act), 163
    FOUO (for official use only), 163
    private, 164
    proprietary, 164
    public, 165
    SBU (sensitive but unclassified), 163
    secret, 162
    sensitive, 164
    top secret, 162
    unclassified, 163
  data security controls, 165–167
  devices, 580
  facilities, 580
  files, 581
  hardware inventories, 710–711
  information, 580
  media management, 714–715
    flash drives, 715
    lifecycle, 717
    mobile devices, 716–717
    tape media, 716
  objects, 581
  owners, 179–180
  personnel, 580
  PHI (protected health information), 161
  physical assets, 711–712
  PII (personally identifiable information), 160–161
  proprietary data, 161–162
  retaining, 175–176
  review question answers, 956–958
  sensitive
    handling, 170–171
    marking, 169–170
  software, licensing, 711
  subjects, 581
  systems, 580
  valuation, 65
  virtual assets, 712
  written lab answers, 991
assurance, 281
asymmetric cryptography
  El Gamal, 241
  elliptic curve, 242
  key length, 240–241
  Merkle-Hellman Knapsack, 240–241
  private keys, 238–239
  public keys, 238–239
  RSA algorithm, 239–241
asymmetric cryptosystems, 199
asymmetric key algorithms, 216–219
  key management, 253–254
asynchronous dynamic password tokens, 593
ATO (authorization to operate), 63
attacker-focused threats, 31
attacks, 66, 635–636. See also malicious code
  access aggregation, 641
  access control, 635–636
    access aggregation, 641
    asset identification, 637–638
    password attacks, 641–648
    risk elements, 636
    smartcard attacks, 651–652
    social engineering attacks, 649–651
    spoofing attacks, 648
    threat identification, 638–640
    vulnerability analysis, 640
  agents, 565
  application attacks
    back doors, 934–935
    buffer overflows, 933–934
    escalation of privilege, 935
    rootkits, 935
    TOCTTOU, 934
  APTs (advanced persistent threats), 858
  ARP (Address Resolution Protocol), 567–568
  asset identification, 637–638
  botnets, 565, 747–748
  bots, 565
  business, 858
  computer architecture
    buffer overflow, 386–387
    data diddling, 387–388
    design-based attacks, 385–388
    incremental, 387–388
    input checking, 386–387
    maintenance hooks and, 387
    parameter checking, 386–387
    privileged programs, 387
    salami attack, 388
    state attacks, 389
    trusted recovery and, 386
  computer crime
    APTs, 858
    business, 858
    corporate espionage, 858
    financial, 859
    grudge, 859–861
    hacktivists, 861
    industrial espionage, 858
    insider threats, 860
    intelligence, 857–858
    military, 857–858
    script kiddies, 861, 916–917
    terrorist, 859
    thrill, 861
  cryptography
    analytic, 265
    birthday, 267–268
    brute force, 265–266
    chosen ciphertext, 267
    chosen plaintext, 267
    ciphertext only, 266–267
    collision attack, 267–268
    frequency, 266–267
    implementation, 265
    known plaintext, 267
    man in the middle, 267
    meet in the middle, 267
    replay, 268
    reverse hash matching attack, 267–268
    statistical, 265
  DDoS (distributed denial of service), 564–565
  DNS poisoning, 568
  DNS spoofing, 568
  DoS (denial of service), 564–565, 748–749
  eavesdropping, 565–566
  espionage, 755–756
  financial, 859
  fraggle attacks, 751
  grudge, 859–861
  hijacking, 568
  hyperlink spoofing, 568–569
  impersonation, 566–567
  insider threats, 860
  intelligence, 857–858
  land attacks, 752
  malicious code, 753–754
    drive-by downloads, 753
  man-in-the-middle, 754–755
  masquerading, 566–567
  military, 857–858
  modification attacks, 567
  password attacks, 641–643
    birthday attacks, 645–646
    brute-force attacks, 644–645
    dictionary attacks, 643
    PBKDF2, 646
    pepper, 647
    rainbow table attacks, 646
    sniffer attacks, 647
    Wireshark capture, 647–648
  phishing, 569
  ping floods, 751
  ping of death, 751–752
  replay attacks, 567
  review question answers, 968–969
  risk elements, 636
  sabotage, 755
  smartcard attacks, side-channel attacks, 651–652
  smurf attacks, 751
  social engineering attacks
    phishing, 649–650
    shoulder surfing, 649
    spear phishing, 650
    vishing, 651
    whaling, 651
  spoofing attacks, 648
  SYN flood attacks, 749–750
  TCP reset, 750
  teardrop, 752
  terrorist, 859
  threat identification
    APTs, 639–640
    threat modeling, 638–639
    threat modeling approaches, 640
  thrill, 861
  unskilled attackers, 457
  VoIP (Voice over Internet Protocol), 525
  vulnerability analysis, 640
  wireless networking, 482–483
    evil twins, 485
    IV (initialization vector), 484
    replay attacks, 484
    rogue access points, 484–485
    war chalking, 483
    war driving, 483
  written lab answers, 995
  zero-day exploits, 752–753, 928
  zombies, 565
auditing, 42, 783
  AAA services, 8, 10–11
  access review audits, 785
  auditors, 784
  change management, 788
  COBIT (Control Objectives for Information and related Technologies), 667
  configuration management, 788
  external, 666
  inspection audits, 784–785
  internal, 665–666
  job descriptions, 56
  job responsibilities, 56
  monitoring, 11
  patch management, 787
  privileged groups, 786–787
  privileges, 56
  reporting
    distributing, 789
    external auditors, 789–790
    results protection, 788–789
  third-party, 666–667
  user entitlement audits, 786
  vulnerability management, 788
  work tasks, 56
AUP (Agile Unified Process), 885
authentication, 42, 584–585
  AAA services, 8–10
  authentication factor, 9
  biometrics, 588, 595–596
    crossover error rate, 598
    face scans, 596
    false acceptance rate, 598
    false rejection rate, 598
    fingerprints, 596
    hand geometry, 597
    heart/pulse patterns, 597
    iris scans, 596–597
    keystroke patterns, 598
    palm scans, 597
    registration, 599
    retina scans, 596
    signature dynamics, 597
    voice pattern recognition, 597
  challenge-response, 200
  context-aware, 588
  cryptography and, 200
  device, 600–601
  identification and, 9–10
  multifactor, 599–600
  passwords
    age, 590–591
    cognitive, 592
    complexity, 591
    history, 591
    length, 591
    phrases, 591
    static, 588–589
  review question answers, 969–971
  service, 601
  smartcards, 592–593
  somewhere you are, 588
  tokens
    asynchronous dynamic password, 593
    one-time passwords, 593
    synchronous dynamic password, 593
  two-factor, 599–600
  two-step
    HOTP, 594
    TOTP, 594–595
  Type 1, 587
  Type 2, 587
  Type 3, 587
  written lab answers, 996
authentication protocols
  CHAP (Challenge Handshake Authentication Protocol), 524
  EAP (Extensible Authentication Protocol), 524
  LEAP, 524
  PAP (Password Authentication Protocol), 524
  PEAP, 524
authorization, 42
  AAA services, 8, 10
  access control matrix, 10, 625
  accountability and, 586–587
  ACL, 625
  capability tables, 625
  constrained interface, 625–626
  content-dependent control, 626
  context-dependent control, 626
  DAC and, 10
  implicit deny, 625
  MAC and, 10
  need to know, 626
  principle of least privilege, 626
  privileges, 10
  RBAC and, 10
  separation of duties and responsibilities, 626
auxiliary station alarm systems, 428
availability, 42
  CIA Triad, 2–3, 6–7

B
back doors, 934–935
backbone distribution system, 407
background checks, 55
backups
  differential backups, 830
  full backups, 830
  incremental backups, 830
  verification, 690
badges, 427
baseband cabling, 497–498
baselines, 28
  security control baselines, 186–187
    scoping, 187
    standards, 187
    tailoring, 187
BCM (business continuity management), 802
BCP (business continuity planning), 98–99
  buildings, 113
  continuity goals, 115
  documentation, 115
  versus DRP (disaster recovery planning), 98–99
  emergency response guidelines, 118
  exercises, 119
  facilities, 113
  infrastructure, 113–114
  legal requirements, 104–105
  likelihood assessment, 108–109
  maintenance, 118
  organization analysis, 100
  people, 112–113
  plan approval, 114
  plan implementation, 114
  regulatory requirements, 104–105
  resources, 103–104
  review question answers, 952–954
  risk acceptance, 117
  risk assessment, 116–117
  risk identification, 107–108
  risk mitigation, 117
  senior management and, 102–103
  statement of importance, 116
  statement of organizational responsibility, 116
  statement of priorities, 116
  statement of urgency and timing, 116
  strategy development, 112
  team selection, 101–103
  testing, 119
  training and education, 115
  vital records, 117–118
  written lab answers, 989
behavior modification, 86
Bell-LaPadula security model, 288–290
BGP (Border Gateway Protocol), 447
BIA (business impact assessment), 105, 110–111
  AV (asset value), 106
  cloud and, 108
  MTD (maximum tolerable downtime), 106
  MTO (maximum tolerable outage), 106
  priorities, 106–107
  qualitative analysis, 105
  quantitative analysis, 105
  resource prioritization, 110
  RTO (recovery time objective), 107
Biba security model, 290–292
biometrics, 595–596
  crossover error rate, 598
  face scans, 596
  false acceptance rate, 598
  false rejection rate, 598
  fingerprints, 596
  hand geometry, 597
  heart/pulse patterns, 597
  iris scans, 596–597
  keystroke patterns, 598
  palm scans, 597
  registration, 599
  retina scans, 596
  signature dynamics, 597
  voice pattern recognition, 597
BIOS (basic input/output system), 341–342
birthday attacks, 267–268
bit sizes, 201
black box penetration testing, 681
block ciphers, 213
Blowfish, 177, 220, 223
Bluetooth, 506–507
Boehm, Barry, 883
bombings/explosions, 808
Boolean mathematics, logical operations
  AND, 202–203
  NOT, 204
  OR, 203
  XOR (exclusive OR), 204
botnets, 565
bots, 565
bottom-up approach to security, 16
bounds, 279–280
branch coverage analysis, 687
breaches, 66
Brewer and Nash security model, 293
BRI (Basic Rate Interface), 557
bridge routers, 448
broadband cabling, 497–498
broadcast domains, 492
brute force attacks, 265–266
buffer overflows, 933–934
bus topology, 501–502
business attacks, 858
business/mission owners, 180–181
BYOD (bring your own device)
  acceptable use policy, 375
  antivirus management, 374
  architecture/infrastructure and, 375
  camera, 375
  corporate policies, 374
  data ownership and, 373
  forensics, 374
  legal issues, 375
  off-boarding, 374
  on-boarding, 374
  patch management, 373
  privacy, 374
  support ownership and, 373
  user acceptance, 374
  video, 375

C
cable plant management policy
  backbone distribution system, 407
  entrance facility, 407
  equipment room, 407
  horizontal distribution system, 407
  telecommunications room, 407
cabling
  5-4-3 rule, 500
  baseband, 497–498
  broadband, 497–498
  coaxial cable, 496–497
  conductors, 499–500
  plenum, 499
  twisted-pair, 498–499
Caesar cipher, 196–197
CALEA (Communications Assistance for Law Enforcement Act), 142
capabilities, 282
capability tables, 625
capacitance motion detectors, 427
captive portals, 481
CAs (certificate authorities), 250–251
  CPS (Certificate Practice Statement), 252
  CPV (certificate path validation), 251
  CRLs (Certificate Revocation Lists), 253
  enrollment, 251
  OCSP (Online Certificate Status Protocol), 253
  RAs (registration authorities), 250–251
  revocation, 252–253
    CRLs, 253
    OCSP, 253
  verification, 252
    CRLs, 251
    OCSP, 251
CBC (Cipher Block Chaining) mode, 221
CBK (Common Body of Knowledge), 2
CCCA (Comprehensive Crime Control Act), 130
CCE (Common Configuration Enumeration), 668
CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol), 478
CCTV (closed-circuit television), 403, 411
CDDI (Copper DDI), 445
CDN (content distribution network), 472
cell phones, 504
  ITU-R, 506
  mobile service technologies, 505
  updates disabled, 740–741
central station alarm systems, 428
centralized access control, 602
certification, 306–307
  CNSS (Committee on National Security Systems), 308
  DIACAP (DoD Information Assurance Certification and Accreditation Process), 308
  DITSCAP (Defense Information Technology Security Certification and Accreditation Process), 308
  NIACAP (National Information Assurance Certification and Accreditation Process), 308
  RMF (Risk Management Framework), 308
CFAA (Computer Fraud and Abuse Act), 130–131
CFB (Cipher Feedback) mode, 221
challenge-response authentication protocol, 200
change logs, 774–775
change management, 719–721
  change approval/rejection, 721–722
  change documentation, 722
  change implementation, 722
  change request, 721
  change review, 721
  change scheduling, 722
  change testing, 722
  configuration documentation, 723
  goal, 18
  reviews, 788
  security impact analysis, 721–722
  versioning, 722–723
CHAP (Challenge Handshake Authentication Protocol), 524
Chauvaud, Pascal, 245
Chinese Wall security model, 293
chosen ciphertext attacks, 267
chosen plaintext attacks, 267
CIA Triad, 2–3, 42
  access controls and, 581–582
  availability, 6–7
  integrity, 4–5
  priority, 7–8
CIDR (Classless Inter-Domain Routing), 460
ciphers, 207–208
  block ciphers, 213
  versus codes, 208
  one-time pads, 211–212
  running key ciphers, 212–213
  stream ciphers, 213
  substitution, 209–211
  transpositions, 208
ciphertext, 201
ciphertext only attacks, 266–267
circuit encryption
  end-to-end encryption, 262
  link encryption, 262
circuit switching, 554
  versus packet switching, 555
circuit-level gateway firewalls, 489
CISO (chief information security officer), 16
civil investigations, 847
civil law, 128
Clark-Wilson security model, 292
  access control triple, 292
  CDI (constrained data item), 292
  IVP (integrity verification procedure), 293
  restricted interface model, 293
  TPs (transformation procedures), 293
  UDI (unconstrained data item), 292
clearing data, 173
client-based vulnerabilities
  applets, 342–344
  local caches
    ARP cache poisoning, 344
    caching DNS server, 345
    DNS cache poisoning, 344–345
    FQDN, 345
    HOSTS file, 345
    primary authoritative DNS server, 345
    split-DNS systems, 346
    temporary Internet files, 346
client-server model, 350–351
  cloud computing
    CASB, 356
    cloud services, 355
    cloud shared responsibility model, 357
    cloud solution, 354–355
    cloud storage, 353
    elasticity, 354
    hosted solution, 354
    hypervisor, 353
    IaaS, 354
    on-premise solution, 354
    PaaS, 354
    SaaS, 354
    SECaaS, 357
    snapshots, 356
    VMM (virtual machine monitor), 353
  distributed architectures, 351
  grid computing, 357–358
  P2P (peer-to-peer) technologies, 358
closed systems, 277–278
closed-source solutions, 278
cloud, BIA and, 108
cloud computing
  CASB (cloud access security broker), 356
  cloud services
    community cloud, 355
    hybrid cloud, 355
    private cloud, 355
    public cloud, 355
  cloud shared responsibility model, 357
  cloud solution, 354–355
  cloud storage, 353
  elasticity, 354
  hosted solution, 354
  hypervisor
    type I hypervisor, 353
    type II hypervisor, 353
  IaaS (infrastructure as a service), 354
  on-premise solution, 354
  PaaS (platform as a service), 354
  SaaS (software as a service), 354
  SECaaS (security as a service), 357
  snapshots, 356
  VMM (virtual machine monitor), 353
cloud-based assets
  community cloud, 714
  hybrid cloud, 714
  IaaS (infrastructure as a service), 714
  PaaS (platform as a service), 713
  private cloud, 714
  public cloud, 714
  SaaS (software as a service), 713
CNSS (Committee on National Security Systems), 308
COBIT (Control Objectives for Information and Related Technologies), 25, 181, 667
code repositories, 893–894
cognitive passwords, 592
collision attack, 267–268
collision domains, 492
collusion, 52, 54–55
combination locks, 426
commercial business/private classification
  ownership, 23
  private, 22
  public, 23
  sensitive, 23
Common Criteria, 296
  EALs (Evaluation Assurance Levels), 303, 304
  guidelines, 302
    Introduction and General Model, 303
    Security Assurance, 303
    Security Functional Requirements, 303
  PPs (protection profiles), 303
  STs (security targets), 303
communications
  protocols
    IPsec, 523
    Kerberos, 523
    Signal Protocol, 523
    S-RPC (Secure Remote Procedure Call), 523
    SSH (Secure Shell), 523
    SSL (Secure Sockets Layer), 523
    TLS (Transport Layer Security), 523
  review question answers, 968–969
  written lab answers, 995
community cloud, 714
companion viruses, 919
compartmentalized environment, MAC model, 635
compensating access control, 583
compensating controls, 80
compiled languages, 873
compliance
  policies, 60–61, 149–150
  review question answers, 954–956
  written lab answers, 990
composition theories of security models
  cascading, 286
  feedback, 286
  hookup, 286
computer architecture, 320–321
  attacks
    buffer overflow, 386–387
    data diddling, 387–388
    incremental, 387–388
    input checking, 386–387
    maintenance hooks and, 387
    parameter checking, 386–387
    privileged programs, 387
    salami attack, 388
    state attacks, 389
    trusted recovery and, 386
  BIOS (basic input/output system), 341–342
  communication disconnects, 389
  covert channels, 385
  design-based attacks, 385–388
  electromagnetic radiation, 389–390
  firmware, 341
    device firmware, 342
  hardware, processor, 321–333
  process integration, 389
  programming flaws, 388
  state changes, 389
  technology integration, 389
  timing flaws, 389
computer crime, 129–130
  attacks
    APTs, 858
    business, 858
    corporate espionage, 858
    financial, 859
    grudge, 859–861
    hacktivists, 861
    industrial espionage, 858
    insider threats, 860
    intelligence, 857–858
    military, 857–858
    script kiddies, 861, 916–917
    terrorist, 859
    thrill, 861
  CFAA (Computer Fraud and Abuse Act), 130–131
computer security incidents, 738
concealment, confidentiality and, 4
condition coverage analysis, 687
confidentiality, 3, 42
  CIA Triad, 2–3
  concealment, 4
  countermeasures, 4
  criticality, 4
  cryptography and, 198–199
  discretion, 4
  integrity and, 5–6
  isolation, 4
  privacy, 4
  seclusion, 4
  secrecy, 4
  sensitivity, 4
  violations, 3
configuration documentation, 723
configuration management
  baselining, 718–719
  reviews, 788
confinement, 279
confusion, cryptography and, 213
constrained interface, authorization and, 625–626
content-dependent control, authorization and, 626
context-dependent control, authorization and, 626
contracting, 150–151
control zone, TEMPEST countermeasure, 412
controls, 280
converged protocols, 470
  FCoE (Fibre Channel over Ethernet), 471
  iSCSI (Internet Small Computer System Interface), 471
  MPLS (Multiprotocol Label Switching), 471
  SDN (software-defined networking), 472
  VoIP (Voice over IP), 471
COPPA (Children's Online Privacy Protection Act), 144
cordless phones, 508
corporate espionage attacks, 858
corporate property, 403
corrective access control, 583
corrective controls, 80
countermeasures
  availability, 7
  confidentiality and, 4
  integrity and, 5
  measurement and, 81
  monitoring and, 81
  review question answers, 963–964
  selecting, 77–78
  written lab answers, 993
CPE (Common Platform Enumeration), 668
CPTED (Crime Prevention through Environmental Design), 403
CPU (central processing unit), 320–321
criminal investigations, 847
criminal law, 126–128
critical path analysis, 401
criticality, confidentiality and, 4
CRLs (Certificate Revocation Lists), 253
crossover error rate of biometrics, 598
cross-training, 54
cryptanalysis, 201
cryptographic applications
  review question answers, 960–961
  written lab answers, 992
cryptographic lifecycle, 228–229
cryptographic mathematics
  Boolean mathematics, logical operations, 202–204
  ciphers, 207–208
    block ciphers, 213
    versus codes, 208
    one-time pads, 211–212
    running key ciphers, 212–213
    stream ciphers, 213
    substitution, 209–211
    transposition, 208–209
  confusion, 213
  diffusion, 213
  modulo function, 205
  nonce, 206
  one-way functions, 205–206
  split knowledge, 207
  work function, 207
  zero-knowledge proof, 206–207
cryptographic salt, 266
cryptography. See also encryption
  AES (Advanced Encryption Standard), 220
  algorithms, 201
  American Civil War, 197
  asymmetric
    El Gamal, 241
    elliptic curve, 242
    key length, 240–241
    Merkle-Hellman Knapsack, 240–241
    private keys, 238–239
    public keys, 238–239
    RSA algorithm, 239–241
  asymmetric key algorithms, 216–219
  attacks
    analytic, 265
    birthday, 267–268
    brute force, 265–266
    chosen ciphertext, 267
    chosen plaintext, 267
    ciphertext only, 266–267
    collision, 267–268
    frequency, 266–267
    implementation, 265
    known plaintext, 267
    man in the middle, 267
    meet in the middle, 267
    replay, 268
    reverse hash matching, 267–268
    statistical, 265
  authentication and, 200
  Caesar cipher, 196–197
  ciphertext, 201
  confidentiality and, 198–199
  digital signatures, 199–200, 246–247
    DSS, 248–249
    HMAC, 247–248
  DRM (digital rights management)
    documents, 261–262
    e-books, 261
    movies, 260
    music, 259–260
    video games, 261
  email
    PGP, 255–256
    S/MIME, 256
  Enigma codes, 198
  goals, 198–200
  hash functions, 242–244
    MD2 (Message Digest 2), 244–245
    MD4 (Message Digest 4), 245
    MD5 (Message Digest 5), 245–246
    SHA (Secure Hash Algorithms), 244
  hashing algorithms, 219
  integrity and, 199–200
  Japanese Purple Machine, 198
  Kerckhoffs's principle, 201
  key escrow, 207
  keys, 201, 214–215
  networking
    circuit encryption, 262
    IPsec, 263–264
    ISAKMP, 264
    wireless networking, 264–265
  nonrepudiation, 200
  plaintext and, 200–201
  portable devices, 254–255
  private key, 215–216
  review question answers, 958–959
  ROT3 (Rotate 3), 197
  secret key, 215–216
  symmetric, 219–220
    3DES, 220, 222–223
    AES, 220, 224–225
    Blowfish, 220, 223
    DES, 220–221
    IDEA, 220, 223
    key management, 226–228
    RC5 (Rivest Cipher 5), 224
    Skipjack, 220, 223–224
  symmetric key, 215–216
  Ultra, Enigma codes and, 198
  web applications, 256–257
    steganography, 257–259
    watermarking, 257–259
  written lab answers, 991–992
cryptology, 201
cryptosystems, 201
  asymmetric, 199
  symmetric, 199
cryptovariables, 201
CSO (chief security officer), 16
CTR (Counter) mode, 221
CVE (Common Vulnerabilities and Exposures), 668
CVSS (Common Vulnerability Scoring System), 668
cyber-physical systems, 376
  IoT (Internet of Things), 377

D
DAA (designated approving authority), 307
DAC (Discretionary Access Control), 10
damage potential, 37
DARPA model, 441, 451
data
  clearing, 173
  declassification, 175
  degaussing, 174
  destruction, 174–175
  erasing, 173
  overwriting, 173
  purging, 174
  sensitive
    destroying, 172
    marking, 169–170
    storage, 171–172
data at rest, 168
  cryptography and, 199
data breach notification, 143–144
data centers, physical security, 407–409
data classification, 19–20, 44, 162
  commercial business/private
    confidential, 22
    ownership, 23
    private, 22
    public, 23
    sensitive, 23
  confidential, 162, 164
  declassification, 20
  defining, 165
  government/military, 22
    confidential, 21
    FOUO, 21
    secret, 21, 162
    sensitive but unclassified, 21
    top secret, 21, 162
    unclassified, 21, 163
  phases, 20
  private, 164
  proprietary, 164
  public, 165
  sensitive, 164
data controller, 181
data emanation, 473
data flow paths, 37
data hiding, 13, 43
data in motion, cryptography and, 199
data in transit, 168
data in use, 168
  cryptography and, 199
data integrity, 855–856
Data Link layer (OSI)
  ARP (Address Resolution Protocol), 445, 446–447
  ISDN (Integrated Services Digital Network), 445
  L2F (Layer 2 Forwarding), 445
  L2TP (Layer 2 Tunneling Protocol), 445
  MAC addresses, 445–446
  OUI (Organizationally Unique Identifier), 446
  PPP (Point-to-Point Protocol), 445
  PPTP (Point-to-Point Tunneling Protocol), 445
  SLIP (Serial Line Internet Protocol), 445
data owners, 179
data processors, 181–182
  anonymization, 183–184
  pseudonymization, 182–183
data protection
  symmetric encryption, 176–177
  transport encryption, 177–178
Data Protection Directive (EU Directive 95/46/EC), 62
data remanence, 172–175, 339
data retention, 855–856
data security controls, 165–167
data states, 168
data storage
  nonvolatile storage, 905
  primary memory, 905
  random access storage, 905
  secondary storage, 905
  sequential access storage, 905
  threats, 905–906
  virtual memory, 905
  virtual storage, 905
  volatile storage, 905
data stream, 443
databases
  cell suppression, 902–903
  contamination, 901
  multilevel, concurrency and, 901–902
  NoSQL, 904
  ODBC (Open Database Connectivity), 903–904
  polyinstantiation, 903
  recovery, 825
    electronic vaulting, 826
    remote journaling, 826
    remote mirroring, 826–827
  security
    aggregation, 347–348
    data analytics, big data, 349
    data dictionary, 348
    data mining, 348–349
    data warehouses, 348
    inference, 348
    parallel computing, 350
  semantic integrity, 902
  time and date stamps, 902
  transactions, 899–900
    ACID model, 900
  views, 901
  vulnerability scans, 677–678
DBMS (database management system), 895
  distributed databases, 896
  hierarchical databases, 896
  normalization, 899
  OOP and, 897
  RDBMS (relational database management systems), 896
  relational databases, 897–899
DDL (Data Definition Language), 899
DDoS (distributed denial-of-service) attacks, 564–565
decentralized access control, 602
declassification, 175
decomposing applications, 36–37
deep packet inspection firewalls, 489
defense in depth, 12–13, 352, 627–628
degaussers, 172
delay controls, physical security, 404
Delta rule, 908
denial, physical security, 404
DES (Data Encryption Standard), 177, 215, 220
  CBC (Cipher Block Chaining) mode, 221
  CFB (Cipher Feedback) mode, 221
  CTR (Counter) mode, 221
  ECB (Electronic Code Book) mode, 220–221
  OFB (output feedback) mode, 221
detective access control, 582–583
detective controls, 80
  physical security, 404
deterrent access control, 583
deterrent alarms, 428
deterrent controls, 79
  physical security, 404
device authentication, 600–601
device firmware, 342
DHCP (Dynamic Host Configuration Protocol), 462
DIACAP (DoD Information Assurance Certification and Accreditation Process), 308
diagrams, attack potential, 35–36
dial-up encapsulation protocols
  PPP (Point-to-Point), 561
  SLIP (Serial Line Internet Protocol), 561
dial-up protocols
  PPP (Point-to-Point Protocol), 539
  SLIP (Serial Line Internet Protocol), 539–540
differential backups, 830
diffusion, cryptography and, 213
digital certificates, 249–250
digital signatures, 199–200, 246–247
  DSS (Digital Signature Standard), 248–249
  HMAC (hashed message authentication code), 247–248
directive access control, 583
directive controls, 81
DISA (Direct Inward System Access), 528–529
disasters
  man-made
    bombings/explosions, 808
    fires, 807
    hardware failures, 810
    infrastructure failures, 809
    network failures, 809
    NYC blackout, 810
    power outages, 808–809
    software failures, 810
    strikes/picketing, 811
    terrorist acts, 807–808
    theft, 811–812
    utility failures, 809
    vandalism, 811–812
  natural disasters
    earthquakes, 803–804
    fires, 806
    floods, 804–805
    regional events, 806–807
    storms, 805–806
discoverability, 38
discretion, confidentiality and, 4
distributed access control, 602
distributed architectures, 351
DITSCAP (Defense Information Technology Security Certification and Accreditation Process), 308
diversity of defense, 352
DKIM (DomainKeys Identified Mail), 533
DLP (data loss prevention)
  endpoint-based DLP, 782
  network-based DLP, 782
DML (Data Manipulation Language), 899
DMZ (demilitarized zone), 362
DNP3 (Distributed Network Protocol), 465
DNS (), 465
    DNS poisoning, 468–470
    DNSSEC (Domain Name System Security Extensions), 468
    FQDNS (fully qualified domain names), 466–467
    HOSTS file, 468
    permanent addresses, 466
    primary authoritative names server, 467
    resource records, 467
    secondary authoritative names server, 467
    temporary addresses, 466
    TLD (top-level domain), 466–467
    zone files, 467
DNS poisoning, 568
DNS spoofing, 568
Dobbertin, Hans, 245
documentation review, 63
documenting, investigations, 856
DOD model, 451
domain hijacking, 470
DoS (denial-of-service) attacks, 32–33, 564–565
DREAD threat modeling, 33, 37–38
DRM (digital rights management), cryptography
    documents, 261–262
    e-books, 261
    movies, 260
    music, 259–260
    video games, 261
DRP (disaster recovery planning), 802
    alternate processing sites, 820–821
        cloud computing, 824
        cold sites, 821–822
        hot sites, 822–823
        mobile sites, 823–824
        service bureaus, 824
        warm sites, 823
    assessment, 829
    backups, 829
        best practices, 832
        differential backups, 830
        disk-to-disk, 832
        full backups, 830
        incremental backups, 830
        tapes, 831–833
        using, 830
    versus BCP, 98–99
    BIA (business impact assessment), 819
    checklists and, 828–829
    communication and, 828
    communications, external, 833–834
    crisis management, 819–820
    database recovery, 825–827
    emergency communications, 820
    emergency response, 828
    fault tolerance and, 812
    hard drive protection, 813–814
    logistics, 834
    MAAs (mutual assistance agreements), 825
    maintenance, 837–838
    MTO (maximum tolerable outage), 819
    MTTR (mean time to recovery), 819
    personnel and, 828
    power source protection, 815–816
    priorities, 818–819
    QoS (quality of service)
        bandwidth and, 817
        interference and, 817
        jitter and, 817
        latency and, 817
        packet loss and, 817
    reciprocal agreements, 825
    recovery versus restoration, 834–835
    review question answers, 980–981
    server protection, 814–815
    single point of failure and, 812
    software escrow arrangement, 833
    supplies, 834
    system resilience and, 812
    testing
        full-interruption test, 837
        parallel test, 837
        read-through test, 836
        simulation test, 837
        structured walk-through, 837

    training and, 835–836
    trusted recovery
        automated, 817
        fail secure systems, 816
        fail-open systems, 816
        firewalls, 816
        function, 817
        manual, 817
    utilities, 834
    workgroups, 820
    written lab answers, 999
DSDM (Dynamic Systems Development Model), 885
DSS (Digital Signature Standard), 248–249
DSSS (Direct Sequence Spread Spectrum), 504
due care, 25, 698
due diligence, 25, 698
duress systems, 708
dynamic NAT, 552

E

EAC (electronic access control) lock, 426
EAP (Extensible Authentication Protocol), 478, 524
earthquakes, 803–804
eavesdropping, 565–566
EBCDICM (Extended Binary-Coded Decimal Interchange Mode), 450
ECB (Electronic Code Book) mode, 220–221
ECC (elliptic curve cryptography), 242
Economic Espionage Act, 142
ECPA (Electronic Communications Privacy Act), 142
EDI (Electronic Data Interchange), 451
EF (exposure factor), 70, 110
egress monitoring
    DLP, 782–783
    steganography, 783
    watermarking, 783
El Gamal, T., 241
electronic discovery, investigations and, 848–849
electronic vaulting, database recovery and, 826
elevation of privilege threats, 33
EM (electromagnetic) radiation, 389–390
email
    attachments, 534
    blacklist services, 535
    cryptography
        PGP, 255–256
        S/MIME, 256
    DKIM (DomainKeys Identified Mail), 533
    IMAP (Internet Message Access Protocol), 530
    MOSS (MIME Object Security Services), 533
    Opportunistic TLS for SMTP Gateways, 534
    PEM (Privacy Enhanced Mail), 533
    PGP (Pretty Good Privacy), 533, 534
    POP3 (Post Office Protocol version 3), 530
    repudiation filtering, 535
    security goals, 531–532
    security issues, 532–533
    sendmail, 531
    S/MIME (Secure Multipurpose Internet Mail Extensions), 533
    SMTP (Simple Mail Transfer Protocol), 530–531
    SPF (Sender Policy Framework), 534
emanation security, 411–412
embedded systems, 375–376
    application firewalls, 378
    cyber-physical systems, 376–377
    diversity control, 379
    firmware version control, 379
    manual updates, 378
    monitoring, 379
    network segmentation, 378
    redundancy control, 379
    security layers, 378
    wrappers, 379
emergency management, personnel and, 709–710

EMI (electromagnetic interference), 416
    coaxial cabling and, 497
employment agreements, 55–57
encrypted viruses, 923
encryption, 14, 43. See also cryptography
    3DES (Triple DES), 177, 220
    AES (Advanced Encryption Standard), 177, 220
    Blowfish, 177, 220
    ciphertext, 201
    circuit encryption
        end-to-end encryption, 262
        link encryption, 262
    DES (Data Encryption Standard), 177, 220
    FDE (full disk encryption), 254
    IDEA (International Data Encryption Algorithm), 220
    PKI (public-key infrastructure), 249
    plaintext and, 201
    Skipjack, 220
    SSH (Secure Shell), 262
    symmetric, 176–177
    transport, 177–178
endpoint security, 491–492
endpoint-based DLP, 782
end-to-end encryption, 262
entitlement, 700
entrance facility, 407
environmental security, 400
equipment failure, 404–405
equipment room, 407
erasing data, 173
escalation of privilege attacks, 935
ESSID (extended service set identifier), 475
ethics, 861
    IAB (Internet Advisory Board), 862–863
    (ISC)2 Code of Ethics, 862
    review question answers, 981–983
    written lab answers, 999–1000
EU Directive 95/46/EC (Data Protection Directive), 62
evidence, 849
    admissible, 849
    chain of evidence, 850
    collection, 851–852
    documentary, 849–850
    forensic procedures, 851–852
    gathering, 853–854
    hearsay, 851
    real, 849
    storage, 413
    testimonial, 851
evil twin wireless attack, 485
expert systems, 907
exploitability, 38
exposure, 65
external audits, 666
extranets, 486

F

face scans, 596
facility design, 402. See also physical security
    access abuses, 410–411
    CPTED (Crime Prevention through Environmental Design), 403
    emanation security, 411–412
    EMI (electromagnetic interference), 416
    equipment failure and, 404–405
    evidence storage, 413
    fire
        damage, 421–422
        detection, 419
        detection systems, 420
        extinguishers, 419
        prevention, 417–419
        stages, 418–419
        suppression, 417–421
    humidity, 416–417
    HVAC issues, 416–417
    IDSs (intrusion detection systems), 410
    media storage, 412–413
    natural disasters and, 402
    noise, 416
    restricted areas, 413–414
    review question answers, 961–962
    RFI (radio-frequency interference), 416
    SCIF (Sensitive Compartmented Information Facility), 414

    security, 400, 401
    site selection, 401–402
    smartcards, 409
    static, 416–417
    temperature, 416–417
    utilities
        power issues, 415
        UPS, 414–415
    visibility, 402
    water issues, 417
    wiring closets, 405–407
    work areas, 413–414
false acceptance rate of biometrics, 598
false rejection rate of biometrics, 598
Faraday cage, 411
    EM (electromagnetic) radiation, 390
fault tolerance, 310
    leased lines, 557
fax security, 535–536
FCoE (Fibre Channel over Ethernet), 471
FDDI (Fiber Distributed Data Interface), 445
FDE (full disk encryption), 254
FDIM (federated identity management), 605–606
    GML (Generalized Markup Language), 606
    HTML (Hypertext Markup Language), 606
    OAuth, 606–607
    OpenID, 607
    OpenID Connect, 607
    SAML (Security Assertion Markup Language), 606
    SGML (Standard Generalized Markup Language), 606
    SPML (Service Provisioning Markup Language), 606
    Twitter, 607
    XML (Extensible Markup Language), 606
Federal Sentencing Guidelines, 131–132
feedback loop, waterfall model, 882
fences, 422–423
FERPA (Family Educational Rights and Privacy Act), 62, 145
FHSS (Frequency Hopping Speed Spectrum), 504
file infector viruses, 919
financial attacks, 859
fingerprints, 596
FIPS (Federal Information Processing Standard), 201
fire, 806, 807
    damage, 421–422
    detection, 419
    detection systems
        fixed-temperature detection, 420
        flame-actuated, 420
        rate-of-rise detection, 420
        smoke-actuated, 420
    extinguisher classes, 419
    prevention, 417–419
    stages, 418–419
    suppression, 417–421
logs, 774
firewalls, 487–488
    application-level gateway, 489
    circuit-level gateway, 489
    deep packet inspection, 489
    deployment architecture, 490–491
    DMZ (demilitarized zone), 490
    multihomed, 490
    Next-Gen, 489
    screening routers, 489
    stateful inspection, 489
    static packet-filtering, 488–489
firmware, 341
    device firmware, 342
FISMA (Federal Information Security Management Act), 132–133
FISMA (Federal Information Security Modernization Act), 133–134
flash drives, 715
floods, 804–805
FOIA (Freedom of Information Act), 163
forensic procedures
    hardware/embedded device analysis, 852
    network analysis, 852
    software analysis, 852
fortress mentality, 352

FOUO (for official use only), 163
FTP (File Transfer Protocol), 451, 462
full backups, 830
function coverage analysis, 687
fuzz testing, 31
    bit flipping, 684
    generational (intelligent) fuzzing, 684
    mutation (dumb) fuzzing, 684
    prefuzzing input file, 685
    zzuf tool, 685

G

Gantt charts, 887–888
gates, 423
GDPR (General Data Protection Regulation), 129, 146–148, 178
    data processors, 181
    pseudonymization, 182–183
GLBA (Gramm-Leach-Bliley Act), 144
Goguen-Meseguer security model, 294
governance
    review question answers, 950–951
    written lab answers, 988
government/military classification, 22
    confidential, 21
    FOUO, 21
    secret, 21
    sensitive but classified, 21
    unclassified, 21
Graham-Denning Model, 294
Gramm-Leach-Bliley Act, 62
gray box penetration testing, 681
grid computing, 357–358
grudge attacks, 859–861
guidelines, 28

H

hacking, threat modeling and, 31
hand geometry scans, 597
hard drive, clearing, 174
hardware
    failures, 810
    input/output devices, 340–341
    inventories, 710–711
    memory, 333–338
    processor, 321–332
    storage, 338–340
hash functions, 242–246
hashing algorithms, 219
HDCP (High-Bandwidth Digital Content Protection), 260
HDLC (High-Level Data Link Control), 561
heartbeat sensor, 410
heart/pulse patterns, 597
heat-based motion detectors, 427
hierarchical environment, MAC model, 635
hijacking, 568
HIPAA (Health Insurance Portability and Accountability Act), 62, 142–143, 161
hiring
    background checks, 55
    candidate screening, 55
    employment agreements, 55–57
    job descriptions, 51–52
    position descriptions, 51–52
HITECH (Health Information Technology for Economic and Clinical Health) Act, 143
HMAC (Hash-based Message Authentication Code), 594
HMAC (hashed message authentication code), 247–248
horizontal distribution system, 407
HOTP (HMAC-based One-Time Password), 594
HSM (hardware security module), 310
HSMs (hardware security modules), 254
HTTP (Hypertext Transfer Protocol), 451
HTTP (Hypertext Transport Protocol), 462
HTTPS (Hypertext Transfer Protocol Secure), 177, 257
HVAC (heating, ventilation, and air conditioning), 403, 416–417
hybrid cloud, 714
hybrid environment, MAC model, 635
hyperlink spoofing, 568–569
Hz (Hertz), 503

I

IaaS (infrastructure as a service), 714
IAB (Internet Advisory Board), 862–863
IAM (identity and access management) system, 57, 580
IANA (International Assigned Numbers Authority), 454
IC (integrated circuit) cards, 409
ICMP (Internet Control Message Protocol), 447, 460–461
ICS (industrial control system), 359
    DCSs (distributed control systems), 359
    PLCs (programmable logic controllers), 359
    SCADA (supervisory control and data acquisition), 359
IDEA (International Data Encryption Algorithm), 220, 223
IDEAL model, 886
identification, 42, 584–585
    AAA services, 8
    registration and, 585–586
    subject, 9
identity and access provisioning lifecycle, 611
    accounts
        review, 612–613
        revocation, 613–614
    creeping privileges, 613
    excessive privilege, 612–613
    privilege creep, 613
    provisioning, 611–612
identity management
    AAA protocols, 609
    centralized access control, 602
        FDIM (federated identity management), 605–607
        Kerberos, 603–605
        LDAP and, 602–603
        PKIs, LDAP and, 603
        scripted access, 607
        SSO (single-sign on), 602
    credential management systems, 607–608
    decentralized access control, 602
    diameter, 610–611
    distributed access control, 602
    integrating services, 608
    RADIUS (Remote Authentication Dial-in Service), 609–610
    review question answers, 969–971
    session management, 608–609
    TACACS+, 610
    written lab answers, 996
Identity Theft and Assumption Deterrence Act, 145
identity tokens, 409
IDF (intermediate distribution facilities), 405
IDSs (intrusion detection systems), 410
IEEE, 802.11 standards, 473
IETF (Internet Engineering Task Force), 177, 263
IGMP (Internet Group Management Protocol), 447, 460, 461
IM (instant messaging), 530
IMAP (Internet Message Access Protocol), 451, 462, 530
impact assessment, 110–111
impersonation attacks, 566–567
implementation attacks, 265
implicit deny, 625
incident response, 738–739
    auditing, 783
        access review audits, 785
        auditors, 784
        change management, 788
        configuration management, 788
        inspection audits, 784–785
        patch management, 787
        privileged groups, 786–787
        reporting, 788–790
        user entitlement audits, 786
        vulnerability management, 788
    cellphone updates, 740–741
    computer security incidents, 738
    delegation to users, 745
    detection
        audit log scans, 740
        intrusion detection, 740
        malware detection, 740
        user reports, 740

    IDPSs (intrusion detection and prevention systems), 756
    IDSs (intrusion detection systems), 756
        anomaly analysis, 758
        behavior-based detection, 757–758
        host-based, 760–762
        knowledge-based detection, 757
        network-based, 760–762
        response, 759
    IPSs (intrusion prevention systems), 756, 762–763
    lessons learned, 744
    logging
        application logs, 774
        change logs, 774–775
        data protection, 775–776
        Event Viewer, 773–774
        firewall logs, 774
        proxy logs, 774
        security logs, 774
        system logs, 774
    mitigation, 742
    monitoring
        accountability and, 777
        audit trails, 776
        clipping levels, 780
        data extraction, 780
        egress monitoring, 781–783
        investigations and, 778
        keystroke monitoring, 781
        log analysis, 779
        problem identification and, 778
        sampling, 780
        SEIM, 779–780
        traffic analysis, 781
        trend analysis, 781
    preventive measures, 745–746
        anti-malware software, 746, 765–766
        applications, 746
        attacks, 747–756
        blacklisting, 766–767
        configuration management, 746
        firewalls, 746, 767–768
        honeypots/honeynets, 763–764
        intrusion detection and prevention, 746
        penetration testing, 768–772
        protocols, 746
        sandboxing, 768
        services, 746
        system management, 746
        systems, 746
        third-party security services, 768
        warning banners, 764–765
        whitelisting, 766–767
    recovery, 743
    remediation, 744
    reporting, 742–743
    response, 741–742
    review question answers, 977–980
    security incidents, 738
    SIEM (security information and event management) system, 758–759
    written lab answers, 998
incidents
    computer security incidents, 738
    definition, 738–739
    security incidents, 738
incremental backups, 830
industrial espionage attacks, 858
information disclosure threats, 32
information flow security model, 285
information lifecycle management, 706–707
informative policies, 27
InfoSec (information security), 16
infrared motion detectors, 427
infrastructure failures, 809
input points, 37
input/output devices
    keyboards, 341
    mice, 341
    modems, 341
    monitors, 340
    printers, 340–341
insider threats, 860
inspection audits, 784–785
integrity, 4–5, 42
    accountability and, 6
    accuracy and, 5
    authenticity and, 5
    CIA Triad, 2–3

    completeness and, 6
    comprehensiveness and, 6
    confidentiality and, 5–6
    cryptography and, 199–200
    nonrepudiation and, 6
    responsibility and, 6
    truthfulness and, 5
    validity and, 6
    verification, 562
intelligence attacks, 857–858
interface testing, 686
internal audits, 665–666
internal security controls, 425
    badges, 427
    combination locks, 426
    EAC (electronic access control) lock, 426
    intrusion alarms, 428
    keys, 426
    motion detectors, 427
    secondary verification, 428–429
interpreted languages, 873
intranets, 486
intrusion alarms, 428
investigations
    administrative, 846–847
    civil, 847
    conducting, 855
    criminal, 847
    data integrity, 855–856
    data retention, 855–856
    documenting, 856
    electronic discovery, 848–849
    evidence, 849
        admissible, 849
        chain of evidence, 850
        collection, 851–852
        documentary, 849–850
        forensic procedures, 851–852
        gathering, 853–854
        hearsay, 851
        real, 849
        testimonial, 851
    interviews, 855
    law enforcement request, 854–855
    regulatory, 848
    reporting, 856
    review question answers, 981–983
    search warrant, 853
    subpoena, 853
    written lab answers, 999–1000
IoT (Internet of Things), 358–359
    cyber-physical systems, 377
IP (Internet Protocol), 447, 458
    ARP (Address Resolution Protocol), 461–462
    CIDR (Classless Inter-Domain Routing), 460
    classes, 459–460
    ICMP (Internet Control Message Protocol), 460–461
    IGMP (Internet Group Management Protocol), 460
    loopback address, 460
IP addressing
    APIPA (Automatic Private IP Addressing), 552–553
    loopback address, 553
IP probes, 940
IP spoofing, 942
IPsec (Internet Protocol Security), 178, 263, 447, 523
    AH (Authentication Header), 544
    ESP (Encapsulating Security Payload), 544
IPX (Internetwork Packet Exchange), 447
iris scans, 596–597
ISACA (Information Systems Audit and Control Association), 25
ISAKMP (Internet Security Association and Key Management Protocol), 262, 264
ISC2 (International Information Systems Security Certification Consortium), 98
    Code of Ethics, 862
iSCSI (Internet Small Computer System Interface), 471
ISDN (Integrated Services Digital Network), 445
    BRI (Basic Rate Interface), 557
    PRI (Primary Rate Interface), 557
ISO (information security officer), 16

ISO (International Organization for Standardization), 305–306, 440
ISO/IEC 27002, 25
isolation, 280
    confidentiality and, 4
issue-specific security policies, 27
ITIL (Information Technology Infrastructure Library), 25
ITRC (Identity Theft Resource Center), 168
ITSEC (Information Technology Security Evaluation and Criteria), 28, 296
    Common Criteria comparison, 305
    TCSEC comparison, 301–302, 305
    TOE (target of evaluation), 301
IV (initialization vector) wireless attacks, 484

J

jailbreaking, 767
job responsibilities, 53
job rotation, 53–54
JPEG (Joint Photographic Experts Group), 450

K

Kaspersky Lab, 920–921
Kerberos, 523
    AES (Advanced Encryption Standard) and, 603
    authentication service, 603
    database, 604
    KDC (key distribution center), 603
    ST (service ticket), 604
    TGT (Ticket-Granting Ticket), 604
    tickets, 604
Kerckhoffs’s principle of cryptography, 201
kernels, 284
key escrow, 207
key spaces, algorithms, 201
keyboards, 341
keys, 426
keystroke patterns, 598
knowledge-based systems, 906–909
known plaintext attacks, 267
Koblitz, Neal, 242
KRACK (Key Reinstallation AttaCKs), 478

L

L2F (Layer 2 Forwarding), 445
L2TP (Layer 2 Tunneling Protocol), 445, 544
labeling sensitive data and assets, 169–170
labels, security labels, 282
LANs (local area networks), 496
    CSMA (Carrier-Sense Multiple Access), 512
    CSMA/CA (Carrier-Sense Multiple Access with Collision Avoidance), 512
    CSMA/CD (Carrier-Sense Multiple Access with Collision Detection), 512
    Ethernet, 509
    FDDI (Fiber Distributed Data Interface), 510
    polling, 513
    subtechnologies
        analog communications, 510
        asynchronous communications, 511
        baseband, 511
        broadband, 511
        broadcast, 511
        digital communications, 510
        multicast, 511
        synchronous communications, 511
        unicast, 511
    token passing, 513
    token ring, 509
lattice-based access controls, 289
    classification levels, 289
laws
    administrative law, 128–129
    civil law, 128
    computer crime, 129–131
    criminal, 126–128
    Economic Espionage Act of 1996, 139
    Federal Sentencing Guidelines, 131–132
    FISMA (Federal Information Security Management Act), 132–133

    GDPR (General Data Protection Regulation), 129
    import/export, 140–141
    intellectual property, 134–136
    licensing, 139–140
    National Information Infrastructure Protection Act, 132
    patents, 137–138
    privacy, 141–148
    review question answers, 954–956
    trade secrets, 138
    trademarks, 136–137
    written lab answers, 990
layering, 12–13, 43
    multilayered solutions, 12–13
LEAP (Lightweight Extensible Authentication Protocol), 478–479, 524
learning rule, 908
least privilege, 53, 626, 698, 699
legally defensible security, 12
Lenstra, Arjen, 245
lighting, perimeter security and, 424
link encryption, 262
local alarm systems, 428
log reviews, 688
logging
    application logs, 774
    change logs, 774–775
    data protection, 775–776
    Event Viewer, 773–774
    firewall logs, 774
    proxy logs, 774
    security logs, 774
    system logs, 774
logic bombs, 923–924
logical access control, 584
logical operations (Boolean)
    AND, 202–203
    NOT, 204
    OR, 203
    XOR (exclusive OR), 204
logical/technical controls, 78–79
logon notification, 653
loop coverage analysis, 687
loopback address, 460, 553
loss
    availability, 582
    confidentiality, 581
    integrity, 582
LPD (Line Print Daemon), 451, 463

M

MAC (Mandatory Access Control), 10
    compartmentalized environment, 635
    hierarchical environment, 635
    hybrid environment, 635
MAC addresses, 445–446
MAC filter, 479
machine language, 873
machine learning techniques, 908
macro viruses, 919–920
magnetic fields, data remanence and, 172
malicious code. See also attacks
    adware, 928
    application attacks, 933–935
    APTs (advanced persistent threats), 917
    Kaspersky Lab and, 920–921
    logic bombs, 923–924
    masquerading attacks, 941–942
        IP spoofing, 942
        session hijacking, 942
    password attacks
        countermeasures, 932–933
        dictionary attacks, 930–931
        guessing, 929–930
        social engineering, 931–932
    reconnaissance attacks
        IP probes, 940
        port scans, 940–941
        vulnerability scans, 941
    review question answers, 984–986
    sources, 916–917
    spyware, 928
    Trojan horses, 924–925
    viruses, 917–918
        antivirus, 920–922
        companion viruses, 919
        encrypted, 923
        file infector viruses, 919

        hoaxes, 923
        macro viruses, 919–920
        multipartite, 922
        polymorphic, 923
        service injection viruses, 920
        stealth, 922–923
        vulnerable platforms, 920
    web applications
        dynamic Web applications, 937–938
        SQL injection, 937, 938–940
        XSRF/CSRF, 936–937
        XSS attacks, 935–936
    worms, 925
        Code Red, 926–927
        RTM, 926–927
        Stuxnet, 927–928
    written lab answers, 1000
    zero-day vulnerabilities, 928
    Zeus Trojan horse, 917
man in the middle attacks, 267
man-made disasters
    bombings/explosions, 808
    fires, 807
    hardware failures, 810
    infrastructure failures, 809
    network failures, 809
    NYC blackout, 810
    power outages, 808–809
    software failures, 810
    strikes/picketing, 811
    terrorist acts, 807–808
    theft, 811–812
    utility failures, 809
    vandalism, 811–812
mantraps, 423–424
masked data, 184
masquerading attacks, 410, 566–567, 941
    IP spoofing, 942
    session hijacking, 942
MBR viruses, 918–919
MD2 (Message Digest 2), 244–245
MD4 (Message Digest 4), 245
MD5 (Message Digest 5), 245–246
media, zeroization, 412
media management, 714–715
    flash drives, 715
    lifecycle, 717
    mobile devices, 716–717
    tape media, 716
media storage, 412–413
meet in the middle attacks, 267
Meltdown, 309
memory
    memory addressing
        base-offset addressing, 336
        direct addressing, 336
        immediate addressing, 336
        indirect addressing, 336
        register addressing, 336
    primary, 905
    RAM (random access memory), 334–335
    registers, 336
    ROM (read-only)
        EEPROM, 334
        EPROM, 334
        flash, 334
        PROM, 333–334
    secondary addressing, 337
    security issues, 337–338
    virtual, 905
memory cards, 409
memory protection, 309
    constrained interface, 310
    fault tolerance, 310
    HSM (hardware security module), 310
    Meltdown, 309
    restricted interface, 310
    Spectre, 309
    TPM (Trusted Platform Module), 310
    virtualization, 310
Merkle-Hellman Knapsack algorithm, 240
mesh topology, 503
metacharacters, 362
Metasploit, 679–680
mice, 341
Microsoft Hyper-V, 310
MIDI (Musical Instrument Digital Interface), 450
military attacks, 857–858

mobile devices, 365, 508–509
    Android, 366
    application security, 371–372
    BYOD (bring your own device), 372–373, 716–717
        acceptable use policy, 375
        antivirus management, 374
        architecture/infrastructure and, 375
        camera, 375
        corporate policies, 374
        data ownership and, 373
        forensics, 374
        legal issues, 375
        off-boarding, 374
        on-boarding, 374
        patch management, 373
        privacy, 374
        support ownership and, 373
        user acceptance, 374
        video, 375
    COPE (company-owned personally enabled), 372
    corporate-owned mobile strategy, 372
    CYOD (choose your own device), 372, 716–717
    device security
        access control, 369–370
        application control, 368
        asset tracking, 369
        disabling features, 370
        full device encryption, 367
        GPS, 368
        inventory control, 369
        lockout, 367
        MDM (mobile device management), 369
        remote wiping, 367
        removable storage, 370
        screen locks, 367–368
        storage segmentation, 369
    iOS, 366
    PEDs (portable electronic devices), 366–367
    VDI (virtual desktop infrastructure), 372
    VMI (virtual mobile infrastructure), 373
modems, 341
modification attacks, 567
modulo function, 205
monitoring, 11
    accountability and, 777
    audit trails, 776
    clipping levels, 780
    data extraction, 780
    egress monitoring, 781–782
        DLP, 782–783
        steganography, 783
        watermarking, 783
    investigations and, 778
    keystroke monitoring, 781
    log analysis, 779
    problem identification and, 778
    sampling, 780
    SEIM (Security Information and Event Management), 779
    SIM (Security Information Management), 779
    traffic analysis, 781
    trend analysis, 781
monitors, 340
monolithic security stance, 352
MOSS (MIME Object Security Services), 533
motion detectors, 427
MPEG (Moving Picture Experts Group), 450
MPLS (Multiprotocol Label Switching), 471
MTBF (mean time between failures), equipment, 405
MTD (maximum tolerable downtime), 106
MTO (maximum tolerable outage), 106
MTTF (mean time to failure), equipment, 405
MTTR (mean time to repair), equipment, 405
multifactor authentication, 599–600, 652–653
multihomed, 490
multilayered defense, 352
multilayered protocols, 463–465
multilayered solutions, 12–13
multimedia collaboration, 529–530
multipartite viruses, 922

N

NAC (network access control), 487
NAT (Network Address Translation), 447, 549–550
    APIPA (Automatic Private IP Addressing), 552–553
    dynamic, 552
    IP addresses, private, 550–551
    PAT (port address translation), 551–552
    stateful, 551–552
    static, 552
National Information Infrastructure Protection Act, 132
natural disasters
    earthquakes, 803–804
    fires, 806
    floods, 804–805
    regional events, 806–807
    site design and, 402
    storms, 805–806
NCA (noncompete agreement), 56
NCSC (National Computer Security Center), 296
NDAs (nondisclosure agreements), 56
need to know, 626, 698, 699
NetFlow logs, 688
network discovery scans
    nmap, 670–673
    TCP ACK scanning, 669
    TCP connect scanning, 669
    TCP SYN scanning, 669
    Xmas scanning, 669
network failures, 809
Network layer (OSI)
    BGP (Border Gateway Protocol), 447
    bridge routers, 448
    ICMP (Internet Control Message Protocol), 447
    IGMP (Internet Group Management Protocol), 447
    IP (Internet Protocol), 447
    IPSec (Internet Protocol Security), 447
    IPX (Internetwork Packet Exchange), 447
    NAT (Network Address Translation), 447
    non-IP protocols, 447–448
    OSPF (Open Shortest Path First), 447
    RIP (Routing Information Protocol), 447
    routers, 448
    SKIP (Simple Key Management for Internet Protocols), 447
network vulnerability scan
    authenticated scans, 674
    false negative reports, 673
    false positive reports, 673
    Nessus, 675
    TCP ports, 675
network-based DLP, 782
networking, cryptography
    circuit encryption, 262
    IPsec, 263–264
    ISAKMP, 264
    wireless networking, 264–265
networks
    amplifiers, 493
    bridges, 493
    broadcast domains, 492
    brouters, 494
    cabling
        baseband, 497–498
        broadband, 497–498
        coaxial cable, 496–497
        conductors, 499–500
        twisted-pair, 498–499
    collision domains, 492
    communication, 486
    concentrators, 493
    endpoint security, 491–492
    firewalls, 487–488
        application-level gateway, 489
        circuit-level gateway, 489
        deep packet inspection, 489
        deployment architecture, 490–491
        multihomed, 490
        Next-Gen, 489
        screening routers, 489
        stateful inspection, 489
        static packet-filtering, 488–489
    gateways, 494
    hubs, 493

    LANs (local area networks)
        Ethernet, 509
        Extenders, 495
        FDDI, 510
        subtechnologies, 510–513
        token ring, 509
    modems, 493
    NAC (network access control), 487
    performance boosts, 486
    proxies, 494–495
    repeaters, 493
    routers, 494
    security, 486
    segments, 486
    switches, 493–494
    topologies
        bus, 501–502
        mesh, 503
        ring, 500–501
        star, 502
    transmission media, 496–500
    wireless communications
        Bluetooth, 506–507
        cell phones, 504
            ITU-R, 506
            mobile service technologies, 505
        cordless phones, 508
        DSSS (Direct Sequence Spread Spectrum), 504
        FHSS (Frequency Hopping Speed Spectrum), 504
        Hz (Hertz), 503
        mobile devices, 508–509
        NFC (near-field communication), 507
        OFDM (Orthogonal Frequency-Division Multiplexing), 504
        PANs (personal area networks), 506–507
        RFID (radio-frequency identification), 507
neural networks, 908
Next-Gen firewalls, 489
NFC (near-field communication), 507
NFS (Network File System), 449, 463
NIACAP (National Information Assurance Certification and Accreditation Process), 308
NIST (National Institute of Standards and Technology), 28
    assessments, 664
    FISMA and, 132–133
NNTP (Network News Transport Protocol), 451
nonces, 206
noninterference security model, 285–286
nonrepudiation, 43
    cryptography and, 200
nonvolatile storage, 905
NoSQL, 904
NOT operation, 204
notification alarms, 428
NYC blackout, 810

O

objects, 277
OCSP (Online Certificate Status Protocol), 253
ODBC (Open Database Connectivity), 903–904
OFB (output feedback) mode, 221
OFDM (Orthogonal Frequency-Division Multiplexing), 504
offboarding employees, 57
onboarding employees, 57
one-time pad substitution cipher, 211–212
one-way functions, 205–206
OOP (object-oriented programming), 874–875, 897
open systems, 277–278
open-source solutions, 278
operational plans, 16, 17
Opportunistic TLS for SMTP Gateways, 534
OR operation, 203
Oracle VirtualBox, 310
Orange Book, 296
organizational processes, 17–18
    change management, 18–19

    data classification, 19–23
        commercial business/private, 22–23
        declassification, 20
        government/military, 21–22
        phases, 20
organizational security policies, 27
OSA (open system authentication), 476
OSI (Open Systems Interconnection) Model, 440
    Application layer, 443, 450
        data stream, 443
        protocols, 451
    DARPA model and, 441
    Data Link layer, 445
        ARP, 446–447
        frames, 443
        MAC addresses, 445–446
        network hardware, 445
        OUI, 446
        protocols, 445
    data names, 444
    data stream, 443
    deencapsulation, 442–444
    encapsulation, 442–444
    layers, 441–442
    Network layer
        bridge routers, 448
        non-IP protocols, 447–448
        packets, 443
        routers, 448
        routing protocols, 447–448
    Physical layer, 444–445
        bits, 443
    Presentation layer, format standards, 450
    Session layer, protocols, 449
    TCP/IP model and, 441, 452
    Transport layer
        datagrams, 443
        protocols, 449
        segments, 443
OSPF (Open Shortest Path First), 447
OSSTMM (Open Source Security Testing Methodology Manual), 25
OUI (Organizationally Unique Identifier), 446
output devices
    keyboards, 341
    mice, 341
    modems, 341
    monitors, 340
    printers, 340–341
OVAL (Open Vulnerability and Assessment Language), 668
overwriting data, 173
ownership of data, 178
    administrators, 184
    asset owners, 179–180
    business/mission owners, 180–181
    custodians, 184–185
    data owners, 179
    data processors, 181–184
    protecting privacy, 185–186
    users, 185

P

PaaS (platform as a service), 713
packet switching, 554–555
palm scans, 597
PANs (personal area networks), 506–507
PAP (Password Authentication Protocol), 524
parallel configurations, 13
Parallels Desktop for Mac, 310
passive audio motion detectors, 427
passive website monitoring, 687
password attacks
    common passwords, 929–930
    countermeasures, 932–933
    dictionary attacks, 930–931
    guessing, 929–930
    rainbow tables, 931
    social engineering
        dumpster diving, 932
        phishing, 931–932
password hashing, 652
password masking, 652
password policies, 652
password salting, 652

PASTA (Process for Attack Simulation and Threat Analysis), 33
PAT (port address translation), 551–552
patch management
    embedded systems, 723–724
    program steps, 724–725
    reviews, 787
    systems to manage, 723–724
PBX (private branch exchange), 525, 536
    fraud/abuse, 527–529
PCI DSS (Payment Card Industry Data Security Standard), 62, 305–306
PDU (protocol data unit), 443
PEAP (Protected Extensible Authentication Protocol), 478, 524
PEDs (portable electronic devices), 366
    war driving and, 483
PEM (Privacy Enhanced Mail), 533
penetration testing
    black box, 681
    ethical hacking, 772
    exploitation, 679–680
    full-knowledge team, 771
    gray box, 681
    information gathering and discovery, 679–680
    Metasploit, 679–680
    partial-knowledge team, 771
    permission, 770
    planning, 679–680
    report protection, 772
    reporting, 679–680
    risks, 769–770
    threat modeling and, 31
    vulnerability scanning, 679–680
    white box, 681
    zero-knowledge team, 770–771
perimeter security controls, 422
    fences, 422–423
    gates, 423
    lighting, 424
    mantraps, 423–424
    security bollards, 424
    security dogs, 424–425
    security guards, 424–425
    turnstiles, 423
permissions, 624
personal property, 403
personnel
    candidate screening, 55
    collusion, 52, 54–55
    cross-training, 54
    employment agreements, 55–57
    hiring, 51–52, 55
    job responsibilities, 53
    job rotation, 53–54
    offboarding, 57
    onboarding, 57
    separation of duties, 52, 53
    termination, 57–59
personnel security/safety
    duress systems, 708
    emergency management, 709–710
    review question answers, 951–952
    training, 710
    travelling, 709
    written lab answers, 988–989
PERT (Program Evaluation Review Technique), 887–888
PGP (Pretty Good Privacy), 255–256, 533, 534
PHI (protected health information), 161
phishing, 569, 931–932
    spear phishing, 931
    vishing, 931
    whaling, 931
photoelectric motion detectors, 427
phreakers, 527
physical access control, 584
physical assets, 711–712
physical controls, 78–79
physical security, 403
    regulatory requirements, 431
physical security, 400. See also environmental security; facility design; site design
    access abuses, 410–411
    CCTV, 411
    data centers, 407–409
    delay, 404


  denial, 404
  detection, 404
  deterrence, 404
  emanation security, 411–412
  EMI (electromagnetic interference), 416
  environment safety, 429–430
  evidence storage, 413
  fire
    damage, 421–422
    detection, 419–420
    extinguishers, 419
    prevention, 417
    stages, 418–419
    suppression, 417–421
  functional order of use, 404
  humidity, 416–417
  HVAC issues, 416–417
  IDSs (intrusion detection systems), 410
  internal security controls, 425
    badges, 427
    combination locks, 426
    EAC (electronic access control) lock, 426
    intrusion alarms, 428
    keys, 426
    motion detectors, 427
    secondary verification, 428–429
  legal requirements, 430
  life safety, 429–430
  masquerading, 410
  media storage, 412–413
  memory cards, 409
  noise, 416
  perimeter security controls, 422
    fences, 422–423
    gates, 423
    lighting, 424
    mantraps, 423–424
    security bollards, 424
    security dogs, 424–425
    security guards, 424–425
    turnstiles, 423
  piggybacking, 410
  privacy and, 430
  proximity readers, 409–410
  restricted areas, 413–414
  review question answers, 965–966
  RFI (radio-frequency interference), 416
  RFID (radio-frequency identification), 410
  SCIF (Sensitive Compartmented Information Facility), 414
  secure facility plan, 401
  server rooms, 407–409
  server vaults, 407–409
  smartcards, 409
  static, 416–417
  temperature, 416–417
  utilities, 414–415
  water issues, 417
  work areas, 413–414
  written lab answers, 994
piggybacking, 410
PII (personally identifiable information), 61, 160–161
PKI (public-key infrastructure), 249
  asymmetric key management, 253–254
  CAs (certificate authorities), 250–253
  digital certificates, 249–250
  review question answers, 960–961
  written lab answers, 992
plaintext, cryptography and, 200–201
plenum cable, 499
policies
  security
    acceptable use, 28
    advisory, 27
    component relationships, 30
    individuals and, 27
    informative, 27
    issue-specific, 27
    organizational, 27
    regulatory, 27
    system-specific, 27
  security policies, 15, 26
polymorphic viruses, 923
POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, 177
POP3 (Post Office Protocol version 3), 451, 462, 530
port scans, 940–941


POTS (plain old telephone service), 536, 537–538
POTS/PSTN, 525
power outages, 808–809
PPP (Point-to-Point Protocol), 445
PPTP (Point-to-Point Tunneling Protocol), 445, 543
premises wire distribution room, 405
Presentation layer (OSI)
  ASCII (American Standard Code for Information Interchange), 450
  EBCDICM (Extended Binary-Coded Decimal Interchange Mode), 450
  JPEG (Joint Photographic Experts Group), 450
  MIDI (Musical Instrument Digital Interface), 450
  MPEG (Moving Picture Experts Group), 450
  TIFF (Tagged Image File Format), 450
preventive access control, 582
preventive controls, 80
preventive measures, 745–746
  anti-malware software, 746, 765–766
  applications, 746
  attacks
    botnets, 747–748
    DoS (denial of service), 748–749
    espionage, 755–756
    fraggle attacks, 751
    land attacks, 752
    malicious code, 753–754
    man-in-the-middle, 754–755
    ping floods, 751
    ping of death, 751–752
    sabotage, 755
    smurf attacks, 751
    SYN flood attacks, 749–750
    TCP reset, 750
    teardrop, 752
    zero-day exploits, 752–753
  blacklisting, 766–767
  configuration management, 746
  firewalls, 746
    circuit-level gateway firewalls, 767
    IANA, 767
    next-generation firewall, 767
    stateful inspection firewalls, 767
    UTM (unified threat management), 767
  honeypots/honeynets, 763
    padded cells, 764
    pseudo flaws, 764
  intrusion detection and prevention, 746
  penetration testing, 768
    ethical hacking, 772
    permission, 770
    report protection, 772
    risks, 769–770
    techniques, 770–771
  protocols, 746
  sandboxing, 768
  services, 746
  system management, 746
  systems, 746
  third-party security services, 768
  warning banners, 764–765
  whitelisting, 766–767
PRI (Primary Rate Interface), 557
primary memory, 905
principle of least privilege. See least privilege
printers, 340–341
privacy
  confidentiality and, 4
  employees’ rights, 146
  European Union, 146–148
  Privacy Act of 1974, 142
privacy laws, U.S.
  CALEA, 142
  COPPA, 144
  data breach notification, 143–144
  Economic Espionage Act, 142
  ECPA, 142
  FERPA, 145
  Fourth amendment, 141–142
  GLBA, 144
  HIPAA, 142–143
  HITECH, 143
  Identity Theft and Assumption Deterrence Act, 145
  Privacy Act of 1974, 142
  USA PATRIOT Act, 145


privacy policies, 61–62
private cloud, 714
private key cryptography, 215–216
privileged operations, 37
privileges
  access control and, 624
  escalation, 935
  least privilege, 53, 626, 698, 699–700
  privilege creep, 631
  separation of privilege, 701
proactive approach to threat modeling, 30
procedures, 28–29. See also SOP (standard operation procedures)
processor, 321
  execution types
    MPP, 322–323
    multicore, 322
    multiprocessing, 322
    multiprogramming, 323
    multitasking, 322
    multithreading, 323–324
    SMP, 322
  microprocessor, 321
  operating modes
    privileged mode, 332–333
    user mode, 332
  processing types
    multi-state, 324
    single-state, 324
  protection mechanisms
    process states, 327–332
    protection rings, 325–327
procurement, 150–151
programming flaws, 388
programming languages, 872–873
  compiled languages, 873
  interpreted languages, 873
  machine language, 873
protection mechanisms, 12, 379–380
  CMWs (compartmented mode workstations), 331
  compartmented mode, 330
  computer architecture, 383
  dedicated mode, 330
  multilevel mode, 331
  operating states, 327
  policy mechanisms
    accountability, 384
    principle of least privilege, 383
    separation of privilege, 384
  problem state, 327
  process scheduler, 328–329
  process states, 327
  program executive, 328
  protection rings, 325
    kernel, 325
    kernel mode, 326
    mediated-access model, 326
    privileged mode, 326
    system call, 327
    user mode, 326
  ready state, 327
  running state, 328
  security modes, 329
    comparison, 332
  stopped state, 328
  supervisor state, 327
  supervisory state, 328
  system hide mode, 330
  technical mechanisms
    abstraction, 381–382
    data hiding, 382
    hardware segmentation, 382–383
    layering, 380–381
    process isolation, 382
  waiting state, 327–328
protocols, 440
  authentication
    CHAP, 524
    EAP, 524
    PAP, 524
  communications
    IPsec, 523
    Kerberos, 523
    Signal Protocol, 523
    S-RPC, 523
    SSH, 523
    SSL, 523
    TLS, 523
  converged protocols, 470–471


    FCoE (Fibre Channel over Ethernet), 471
    iSCSI (Internet Small Computer System Interface), 471
    MPLS (Multiprotocol Label Switching), 471
    SDN (software-defined networking), 472
    VoIP (Voice over IP), 471
  discovery, 457–458
proximity readers, 409–410
proxy logs, 774
PSTN (public switched telephone network), 536, 537–538, 554
public cloud, 714
public key algorithms, 216–219
PVCs (permanent virtual circuits), 555

Q

qualitative risk analysis, 68, 75
quantitative risk analysis, 68–69, 75
  ALE (annualized loss expectancy), 70–71
  ARO (annualized rate of occurrence), 70, 109
  EF (exposure factor), 70
  formulas, 73
  safeguard cost/benefit, 72
  safeguard costs, 71–72
  SLE (single loss expectancy), 70

R

RADIUS (Remote Authentication Dial-In User Service), 540
RAID (redundant array of inexpensive disks), 310
rainbow series, 296, 299–300
  Green Book, 299
  Orange Book, 298
  Red Book, 299
random access storage, 905
ransomware, WannaCry, 167
RBAC (Role Based Access Control), 10
RC5 (Rivest Cipher 5), 224
reactive approach to threat modeling, 31
reconnaissance attacks
  IP probes, 940
  port scans, 940–941
  vulnerability scans, 941
record retention, 175–176
recovery access control, 583
recovery controls, 80
reduction analysis, threat modeling, 36–37
reference monitors, 284
regional disasters, 806–807
registration, 585–586
  biometrics, 599
regulatory investigations, 848
regulatory policies, 27
  compliance, 149–150
  review question answers, 954–956
  written lab answers, 990
relational databases
  candidate keys, 898
  cardinality, 897
  degrees, 897
  domains, 897
  fields, 897
  foreign keys, 898
  primary keys, 898
  referential integrity, 898
  SQL, 898–899
  tuples, 897
remote access, 536
  authentication protection, 538
  authentication services, 540
  dial-up protocols
    PPP, 539
    SLIP, 539–540
  RADIUS (Remote Authentication Dial-In User Service), 540
  remote connectivity technology, 538
  remote control, 537
  remote node operation, 537
  remote user assistance, 538–539
  scraping, 537
  screen scraper, 537
  security plan, 538–539


  service specific, 537
  TACACS+ (Terminal Access Controller Access-Control System), 540
  transmission protection, 538
  VLANs, 545–546
  VPNs, 540–541
    overview, 542–543
    protocols, 543–545
    tunneling, 541–542
remote journaling, database recovery and, 826
remote meetings, 529–530
remote mirroring, database recovery and, 826–827
repellant alarms, 428
replay attacks, 268, 484, 567
reporting
  audit results
    distribution, 789
    external auditors, 789–790
    protecting, 788–789
  investigations, 856
reproducibility, 37
repudiation, 200
repudiation threats, 32
restricted area security, 413–414
retina scans, 596
reverse hash matching attack, 267–268
review question answers
  access control, 971–973
  application attacks, 984–986
  asset security, 956–958
  authentication, 969–971
  BCP (business continuity planning), 952–954
  communications, 968–969
  compliance, 954–956
  countermeasures, 963–964
  cryptographic applications, 960–961
  cryptography, 958–959
  DRP (disaster recovery planning), 980–981
  ethics, 981–983
  governance, 950–951
  identity management, 969–971
  incident response, 977–980
  investigations, 981–983
  laws, 954–956
  malicious code, 984–986
  network architecture, 966–967
  network attacks, 968–969
  network components, 966–967
  personnel security, 951–952
  physical security, 965–966
  PKI (public-key infrastructure), 960–961
  regulations, 954–956
  risk management, 951–952
  security assessment, 973–974
  security capabilities, 961–962
  security design, 961–962
  security models, 961–962
  security operations, 975–977
  software development security, 983–984
  symmetric key algorithms, 958–959
  testing, 973–974
  threats, 963–964
  vulnerabilities, 963–964
reviews
  account management reviews, 689
  backup verification, 689
  key performance indicators, 690
  log reviews
    GPOs (Group Policy Objects), 688
    NetFlow logs, 688
    NTP (Network Time Protocol), 688
    SIEM (security incident and event management) packages, 688
  risk indicators, 690
RFI (radio-frequency interference), 416
RFID (radio-frequency identification), 410, 507
  ID tags, 414
rights, access control and, 624
ring topology, 500–501
RIP (Routing Information Protocol), 447
risk, 65
risk framework. See RMF (Risk Management Framework)
risk management, 63–64
  asset valuation, 65, 82


  assets, 64
  attacks, 66
  breaches, 66
  countermeasures, selecting, 77–78
  exposure, 65
  qualitative risk analysis, 68, 75
    Delphi technique, 75
    scenarios, 74–75
  quantitative risk analysis, 68–69, 75
    ALE (annualized loss expectancy), 70–71
    ARO (annualized rate of occurrence), 70, 109
    EF (exposure factor), 70
    formulas, 73
    safeguard cost/benefit, 72
    safeguard costs, 71–72
    SLE (single loss expectancy), 70
  residual risk, 77
  review question answers, 951–952
  risk, 65
  risk acceptance, 76
  risk assignment, 76
  risk avoidance, 77
  risk deterrence, 77
  risk mitigation, 76
  risk rejection, 77
  risk reporting, 83
  safeguards, 66
  security controls
    administrative, 78–79
    compensating controls, 80
    corrective controls, 80
    detective controls, 80
    deterrent controls, 79
    directive controls, 81
    logical/technical, 78–79
    measurement and, 81
    monitoring and, 81
    physical, 78–79
    preventive controls, 80
    recovery controls, 80
    SCA (security control assessment), 81
  threat actors, 65–66
  threat agents, 65–66
  threat events, 65–66
  threat identification, 67–68
  threats, 65
  total risk, 77
  vulnerability, 65
  written lab answers, 988–989
risk-based management, 38–40
Rivest, Ronald, 239, 244
RMF (Risk Management Framework), 83–84, 308
Rogier, Nathalie, 245
rogue access points, 484–485
ROI (return on investment), 17
ROM (read-only memory)
  EEPROM (Electronically Erasable Programmable Read-Only Memory), 334
  EPROM (Erasable Programmable Read-Only Memory), 334
  flash, 334
  PROM (programmable read-only memory), 333–334
  rootkits and, 935
ROT3 (Rotate 3), 197
routers, 448
  screening routers, 489
Royce, Winston, 882
RPC (Remote Procedure Call), 449
RSA public key algorithm, 239–241
RTO (recovery time objective), 107
running key ciphers, 212–213

S

SA (security association), 264
SaaS (software as a service), 713
safeguards, 66
sandboxing, 279
SBU (sensitive but unclassified), 163
SCA (security control assessment), 81
Schneier, Bruce, 177, 223
SCIF (Sensitive Compartmented Information Facility), 414
scoping, security baselines, 187
SCP (Secure Copy), 178


screening routers, 489
script kiddies, 916–917
Scrum, 885
SD3+C, 30
SDH (Synchronous Digital Hierarchy), 559–560
SDL (Security Development Lifecycle), 30
SDLC (Synchronous Data Link Control), 560
SDN (software-defined networking), 472, 548
SDNs (software-defined networks), 712
seclusion, confidentiality and, 4
secondary data storage, 905
secondary verification mechanisms, 428–429
secrecy, confidentiality and, 4
secret key cryptography, 215–216
Secure by Design, Secure by Default, Secure in Deployment and Communication. See SD3+C
secure facility plan, 401
security. See also physical security
  abstraction, 13
  awareness, 86
  behavior modification, 86
  bottom-up approach, 16
  business cases, 15
  CISO (chief information security officer), 16
  corporate property, 403
  CSO (chief security officer), 16
  data hiding, 13
  due care, 25
  due diligence, 25
  education, 87
  encryption, 14
  ISO (information security officer), 16
  layering, 12–13
  legally defensible security, 12
  operational plans, 16, 17
  organizational processes, 17–18
    change management, 18–19
    data classification, 19–23
  parallel configurations, 13
  personal property, 403
  policies, 15, 26, 43
    acceptable use, 28
    advisory, 27
    component relationships, 30
    individuals and, 27
    informative, 27
    issue-specific, 27
    organizational, 27
    regulatory, 27
    system-specific, 27
  protection mechanisms, 12
  senior management and, 16
  serial configurations, 13
  strategic plans, 16, 17
  tactical plans, 16, 17
  top-down approach, 15
  training, 86–87
security applications, 909
security assessment, 664
  review question answers, 973–974
  written lab answers, 997
security audits
  auditing standards, COBIT, 667
  external, 666
  internal, 665–666
  third-party, 666–667
security awareness training, 43
security bollards, 424
security boundaries, 563–564
security capabilities
  review question answers, 961–962
  written lab answers, 992–993
security controls, 12
  administrative, 78–79
  administrative physical controls, 403
  baselines, 186–187
    scoping, 187
    standards, 187
    tailoring, 187
  compensating controls, 80
  corrective controls, 80
  data, 165–167
  detective controls, 80
  deterrent controls, 79


  directive controls, 81
  frameworks, 25
  logical/technical, 78–79
  measurement and, 81
  monitoring and, 81
  physical, 78–79, 403
  preventive controls, 80
  recovery controls, 80
  SCA (security control assessment), 81
  technical physical controls, 403
security dogs, 424–425
security governance, 14–15, 42, 62
  ATO (authorization to operate), 63
  compliance policies, 61–62
  contracting and, 150–151
  documentation review, 63
  procurement and, 150–151
  third-party governance, 62–63
security guards, 424–425
security incidents, 738
security labels, 282
security logs, 774
security models, 281–282
  access control matrix, 286, 288
    ACLs, 287
    capabilities list, 287
    mandatory, 287
    rule-based, 287
  Bell-LaPadula model, 288
    * (star) Security Property, 289
    classification levels, 289
    Discretionary Security Property, 289
    Simple Security Property, 289
    trusted subject, 290
  Biba model, 290
    * (star) Integrity Property, 290
    drawbacks, 291–292
    Simple Integrity Property, 290
  Brewer and Nash model, 293
  Chinese Wall model, 293
  Clark-Wilson model, 292
    access control triple, 292
    CDI (constrained data item), 292
    IVP (integrity verification procedure), 293
    restricted interface model, 293
    TPs (transformation procedures), 293
    UDI (unconstrained data item), 292
  composition theories
    cascading, 286
    feedback, 286
    hookup, 286
  Goguen-Meseguer model, 294
  Graham-Denning Model, 294
  information flow model, 285
  kernels, 284
  lattice-based access controls, 289
    classification levels, 289
  noninterference model, 285–286
  reference monitors, 284
  review question answers, 961–962
  security perimeter, 283
  state machine models
    FSM, 284
    secure state machine, 285
    state transition, 284–285
    states, 284
  Sutherland Model, 294
  Take-Grant model, 286
    directed graph, 287
  TCB (trusted computing base), 282–283
  written lab answers, 992–993
security operations
  aggregation, 700
  due care, 698
  due diligence, 698
  entitlement, 700
  information lifecycle management
    archive, 707
    capture, 706
    classification, 706
    creation, 706
    destruction, 707
    purging, 707
    storage, 707
    usage, 707
  job rotation, 703
  least privilege, 698, 699–700
  mandatory vacations, 703–704
  need to know, 698, 699


  personnel security/safety
    duress systems, 708
    emergency management, 709–710
    training, 710
    travelling, 709
  privileged account management, 704–706
  review question answers, 975–977
  segregation of duties, 701–703
  separation of duties and responsibilities, 700–701
  separation of privilege, 701
  SLAs (service-level agreements), 707–708
  transitive trust, 700
  two-person control, 703
  written lab answers, 997–998
security perimeter, 283
security policies, 626–627
security roles
  auditor, 24
  CIRT (computer incident response team), 24
  data custodian, 24
  data owner, 24
  InfoSec (information security) officer, 24
  security professional, 24
  senior manager, 23
  user, 24
security testing, 662–663
  penetration testing
    black box, 681
    exploitation, 679–680
    gray box, 681
    information gathering and discovery, 679–680
    Metasploit, 679–680
    planning, 679–680
    reporting, 679–680
    vulnerability scanning, 679–680
    white box, 681
  software, 681–682
    code review, 682–683
    dynamic testing, 683–684
    fuzz testing, 684–685
    interface testing, 686
    misuse case testing, 686
    static testing, 683
    test coverage analysis, 686–687
    website monitoring, 687
security through obscurity, 13
segregation of duties, 701
  control matrix, 702
sendmail, 531
sensitivity, confidentiality and, 4
separation of duties and responsibilities, 52, 53, 626, 700–701
sequential access storage, 905
serial configurations, 13
server rooms, physical security, 407–409
server-based vulnerabilities, 346–347
service authentication, 601
session hijacking, 942
Session layer (OSI)
  NFS (Network File System), 449
  RPC (Remote Procedure Call), 449
  SQL (Structured Query Language), 449
SET (Secure Electronic Transaction), 451
SFTP (Secure File Transfer Protocol), 178
SHA (Secure Hash Algorithms), 244
Shamir, Adi, 239
SHS (Secure Hash Standard), 244
SIEM (security incident and event management) packages, 688
Signal Protocol, 523
signature dynamics, 597
site design. See also physical security
  access abuses, 410–411
  emanation security, 411–412
  EMI (electromagnetic interference), 416
  evidence storage, 413
  fire damage, 421–422
  fire detection, 419, 420
  fire extinguishers, 419
  fire prevention, 417–419
  fire stages, 418–419
  fire suppression, 417–418
    gas discharge systems, 421
    water, 420–421
  humidity, 416–417
  HVAC issues, 416–417
  IDSs (intrusion detection systems), 410


  media storage, 412–413
  natural disasters and, 402
  noise, 416
  restricted areas, 413–414
  review question answers, 961–962
  RFI (radio-frequency interference), 416
  SCIF (Sensitive Compartmented Information Facility), 414
  security, 400
  site selection, 401–402
  smartcards, 409
  static, 416–417
  temperature, 416–417
  utilities
    power issues, 415
    UPS, 414–415
  visibility, 402
  water issues, 417
  work areas, 413–414
  written lab answers, 992–993
SKA (shared key authentication), 476
SKIP (Simple Key Management for Internet Protocols), 447
Skipjack, 220, 223–224
SLAs (service-level agreements), 40, 60, 707–708
  equipment failure and, 405
  software development, 894
SLE (single loss expectancy), 70, 110
SLIP (Serial Line Internet Protocol), 445
smart devices, 358
  PIV (Personal Identity Verification) cards, 593
smartcards, 409
  CACs (Common Access Cards), 593
S/MIME (Secure Multipurpose Internet Mail Extensions), 256, 533
SMTP (Simple Mail Transfer Protocol), 451, 462, 530–531
sniffers, 565–566
SNMP (Simple Network Management Protocol), 451, 463
SOA (service-oriented architecture), 389
social engineering, 526–527
  phreakers, 527
software
  ConfigMgr, 711
  licensing, 711
  SCCM (System Center Configuration Manager), 711
software development
  APIs (application programming interfaces), 890–891
  assurance, 875
  change management, 888–889
  code repositories, 893–894
  configuration management, 888–889
  development lifecycle, 878–879
    Agile model, 884–885
    change management, 881
    code review, 881
    control specifications, 880
    design review, 880–881
    functional requirements, 879–880
    Gantt charts, 887–888
    IDEAL model, 886–887
    maintenance, 881
    PERT, 887–888
    software capability maturity model, 885
    spiral model, 883
    user acceptance testing, 881
    waterfall model, 882–883
  DevOps approach, 889–890
  OOP (object-oriented programming)
    behaviors, 874
    classes, 874
    cohesion, 875
    coupling, 875
    delegation, 875
    inheritance, 875
    instances, 874
    messages, 874
    methods, 874
    objects, 874
    polymorphism, 875
  programming languages, 872–873
    compiled languages, 873
    interpreted languages, 873
    machine language, 873


  review question answers, 983–984
  SLAs (service-level agreements), 894
  software acquisition, 894–895
  system failure
    avoiding, 875–878
    mitigating, 875–878
  testing
    black-box testing, 892
    dynamic testing, 892
    gray-box testing, 892
    reasonableness check, 891–892
    static testing, 892
    white-box testing, 892
  written lab answers, 1000
software failures, 810
software focused threats, 31
software security testing, 681–682
  black box, 681
  code review, 682–683
  dynamic testing, 683–684
  ethical hacking, 772
  exploitation, 679–680
  full-knowledge team, 771
  fuzz testing, 684
    bit flipping, 684
    generational (intelligent) fuzzing, 684
    mutation (dumb) fuzzing, 684
    prefuzzing input file, 685
    zzuf tool, 685
  gray box, 681
  information gathering and discovery, 679–680
  interface testing
    APIs, 686
    physical interfaces, 686
    UIs, 686
  Metasploit, 679–680
  misuse case testing, 686
  partial-knowledge team, 771
  permission, 770
  planning, 679–680
  report protection, 772
  reporting, 679–680
  risks, 769–770
  static testing, 683
  test coverage analysis, 686
    branch coverage, 687
    condition coverage, 687
    function coverage, 687
    loop coverage, 687
    statement coverage, 687
  threat modeling and, 31
  vulnerability scanning, 679–680
  website monitoring
    active monitoring, 687
    passive monitoring, 687
    synthetic monitoring, 687
  white box, 681
  zero-knowledge team, 770–771
SONET (Synchronous Optical Networking), 559–560
SOP (standard operation procedures), 28–29
source code review, threat modeling and, 31
SOX (Sarbanes-Oxley Act of 2002), 62
Spectre, 309
SPF (Sender Policy Framework), 534
spiral lifecycle model, 883
split knowledge, 207
spoofing, 32
SPX (Sequenced Packet Exchange), 449
spyware, 928
SQL (Structured Query Language), 449
SQL injection attacks, 937, 938–939
  account privilege limits, 940
  dynamic Web applications, 937–938
  input validation and, 939–940
  prepared statements and, 939
S-RPC (Secure Remote Procedure Call), 451, 523
SSAA (System Security Authorization Agreement), 308
SSDs (solid state drives), 173
SSH (Secure Shell), 262, 523
SSID (service set identifier), 475–476
  beacon frame, 475
  disabling broadcast, 476
SSL (Secure Sockets Layer), 177, 257, 449, 462, 523
standards, 28
  security baselines, 187


star topology, 502
state attacks, 389
state machine security models
  FSM (finite state machine), 284
  secure state machine, 285
  state transition, 284–285
  states, 284
stateful inspection firewalls, 489
statement coverage analysis, 687
static NAT, 552
static packet-filtering firewalls, 488–489
static passwords, 588–589
static systems, 376–377
  application firewalls, 378
  diversity control, 379
  firmware version control, 379
  manual updates, 378
  monitoring, 379
  network segmentation, 378
  redundancy control, 379
  security layers, 378
  wrappers, 379
statistical attacks, 265
stealth viruses, 922–923
steganography, 257–259, 783
storage
  evidence, 413
  media storage, physical, 412–413
  sensitive data, 171–172
storms, 805–806
STP (shielded twisted-pair) cabling, 498
strategic plans, 17
stream ciphers, 213
STRIDE threat modeling, 32–33
strikes/picketing, 811
subjects, 277, 624
substitution ciphers, 209–211
supply chain, risk-based management and, 38–40
Sutherland Model, 294
SVCs (switched virtual circuits), 555
SW-CMM (Software Capability Maturity Model), 885
switching technologies, 553
  circuit switching, 554
  packet switching, 554–555
  virtual circuits, 555–556
symmetric cryptography
  Diffie-Hellman, 226–227
  escrow encryption standard, 228
  fair cryptosystems, 228
  key management
    creation, 226–227
    destruction, 227
    distribution, 226–227
    key escrow, 228
    recovery, 228
    storage, 227
  offline distribution, 226
  public key encryption, 226
  split-knowledge, 227
symmetric cryptosystems, 199
symmetric encryption, 176–177
symmetric key algorithms, 215
  review question answers, 958–959
  weaknesses, 216
  written lab answers, 991–992
synchronous dynamic password tokens, 593
synthetic website monitoring, 687
system failure
  authentication, 876
  error handling, 876
  fail-open failure state, 877–878
  fail-secure failure state, 877–878
  input validation and, 875–876
  limit checks, 875
  logging, 877
  OWASP guidelines, 877
  session management, 876
system logs, 774
system-specific security policies, 27

T

TACACS+ (Terminal Access Controller Access-Control System), 540
tactical plans, 17
tailoring, security baselines, 187
Take-Grant security model, 286
  directed graph, 287


tampering threats, 32
tape backups, 831
  best practices, 832
  disk-to-disk, 832
  rotating
    GFS strategy, 832
    HSM (hierarchical storage management), 833
    Six Cartridge Weekly Backup strategy, 832
    Tower of Hanoi strategy, 832
tape media, 716
TATO (temporary ATO), 63
TCB (trusted computing base), 282–283
TCP (Transmission Control Protocol), 449
  headers, 455–457
  port scans, 675
  three-way handshake, 454
TCP wrappers, 453
TCP/IP model, 441, 451
  Application (Process) layer, 451
    protocols, 462–463
  DNS (Domain Name System), 465
    DNS poisoning, 468–470
    DNSSEC, 468
    FQDNS, 466–467
    HOSTS file, 468
    permanent addresses, 466
    primary authoritative names server, 467
    resource records, 467
    secondary authoritative names server, 467
    temporary addresses, 466
    TLD, 466–467
    zone files, 467
  dynamic ports, 454
  ephemeral ports, 454
  Internet (Internetworking) layer, 451
    IP (Internet Protocol), 458
      ARP, 461–462
      CIDR, 460
      classes, 459–460
      ICMP, 460–461
      IGMP, 461
      loopback address, 460
  Link layer, 451
  multilayer protocols, 463–465
  Network layer, 458–459
  OSI model comparison, 452
  random ports, 454
  registered software ports, 454
  service ports, 453
  TCP (Transmission Control Protocol), 453
  Transport (Host-to-Host) layer, 451
  UDP (User Datagram Protocol), 453, 458
  VPN links, 453
  vulnerabilities, 463–465
  well-known ports, 453
TCSEC (Trusted Computer System Evaluation Criteria), 28, 297
  Common Criteria, 295
  comparison, 305
  discretionary protection, 297
  ITSEC comparison, 301–302, 305
  mandatory protection
    labeled security, 298
    security domains, 298
    structured protection, 298
  minimal protection, 297
  rainbow series, 296, 299–300
  verified protection, 298
technical access control, 584
technical physical security controls, 403
technology convergence, 401
telecommunications room, 407
telecommuting, 536. See also remote access
telephony, 536
Telnet, 451, 462
TEMPEST countermeasures, 411
termination of employees, 57–58
  complexities, 59
  exit interviews, 58
terrorist acts, 807–808
terrorist attacks, 859
test coverage analysis
  branch coverage, 687
  condition coverage, 687
  function coverage, 687


  loop coverage, 687
  statement coverage, 687
testing, 662–663
  DRP (disaster recovery and planning)
    full-interruption test, 837
    parallel test, 837
    read-through test, 836
    simulation test, 837
    structured walk-through, 837
  penetration testing
    black box, 681
    ethical hacking, 772
    exploitation, 679–680
    gray box, 681
    information gathering and discovery, 679–680
    Metasploit, 679–680
    permission, 770
    planning, 679–680
    report protection, 772
    reporting, 679–680
    risks, 769–770
    techniques, 770–771
    vulnerability scanning, 679–680
    white box, 681
  review question answers, 973–974
  software, 681–682
    code review, 682–683
    dynamic testing, 683–684
    fuzz testing, 684–685
    interface testing, 686
    misuse case testing, 686
    static testing, 683
    test coverage analysis, 686–687
    website monitoring, 687
  software development
    black-box testing, 892
    dynamic testing, 892
    gray-box testing, 892
    reasonableness check, 891–892
    static testing, 892
    white-box testing, 892
  written lab answers, 997
TFTP (Trivial File Transfer Protocol), 451, 462
theft, 811–812
third-party audits, 39–40, 666
third-party governance, 62–63
threat actors, 65–66
threat agents, 65–66
threat events, 65–66
threat identification
  DoS (denial of service), 32–33
  DREAD, 33
  elevation of privilege, 33
  ethical hacking and, 31
  fuzz testing and, 31
  individuals, 34–35
  risk management and, 67–68
threat modeling, 30, 44
  asset focus, 31
  attacker focus, 31
  decomposition, 36–37
  diagramming potential attacks, 35–36
  information disclosure, 32
  PASTA (Process for Attack Simulation and Threat Analysis), 33
  penetration testing and, 31
  prioritization, 37–38
  proactive approach, 30
  reactive approach, 31
  reduction analysis, 36–37
  repudiation, 32
  responses, 37–38
  software focus, 31
  source code review and, 31
  spoofing, 32
  STRIDE, 32–33
  tampering, 32
  trike, 33
  VAST (visual, agile, and Simple Threat), 34
threats, 65
  review question answers, 963–964
  written lab answers, 993
three dumb routers, 359
thrill attacks, 861
TIFF (Tagged Image File Format), 450
TKIP (Temporal Key Integrity Protocol), 479


TLS (Transport Layer Security), 257, 449, 523
TOC (time of check), 389
TOCTTOU (time of check to time of use), 389, 934
tokenization, 183
tokens, 282
  asynchronous dynamic password, 593
  synchronous dynamic password, 593
top-down approach to security, 15
topologies
  bus, 501–502
  mesh, 503
  ring, 500–501
  star, 502
TOTP (Time-based One-Time Password), 594
TOU (time of use), 389
TPM (Trusted Platform Module), 254, 255, 310
training, personnel, 710
transitive trust, 277, 700
transmission mechanisms, 562–563
transparency, 561
transport encryption, 177–178
Transport layer (OSI)
  SPX (Sequenced Packet Exchange), 449
  SSL (Secure Sockets Layer), 449
  TCP (Transmission Control Protocol), 449
  TLS (Transport Layer Security), 449
  UDP (User Datagram Protocol), 449
transposition ciphers, 208
travelling personnel, 709
Trojan horses, 924–925
  botnets, 925
trust boundaries, 37
trusted systems, 281
tunneling, VPNs, 541–542
Turing, Alan, 198
turnstiles, 423
twisted-pair cabling
  STP (shielded twisted-pair), 498
  UTP (unshielded twisted-pair), 498
two-factor authentication, 599–600

U

UDP (User Datagram Protocol), 449, 458
USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism), 145
user education, 653
user entitlement audits, 786
utilities
  failures, 809
  power issues, 415
  UPS (uninterruptible power supply), 414–415
UTP (unshielded twisted-pair) cabling, 498

V

vandalism, 811–812
VDIs (virtual desktop infrastructures), 712
VENOM (Virtualized Environment Neglected Operations Manipulations), 547
versioning, 722–723
virtual assets
  SDNs (software-defined networks), 712
  VDIs (virtual desktop infrastructures), 712
  VMs (virtual machines), 712
  VSANs (virtual storage area networks), 712
virtual circuits, 555–556
  PVCs (permanent virtual circuits), 555
  SVCs (switched virtual circuits), 555
virtual memory, 905
virtual storage, 905
virtualization, 310, 546
  virtual networking, SDN (software-defined networking), 548
  VM escaping, 547
viruses, 917–918
  antivirus, 920
    heuristic-based detection, 921
    Kaspersky Lab, 920–921

bindex.indd 06/27/2018 Page 1046 VLANs (virtual local area networks) – vulnerability scans 1047

signature-based detection, 921 PPTP (Point-to-Point Tunneling Tripwire, 922 Protocol), 453 companion viruses, 919 protocols encrypted, 923 IPsec, 544–545 file infector viruses, 919 L2TP, 544 hoaxes, 923 PPTP, 543 Kaspersky Lab and, 920–921 SSH (Secure Shell), 453 macro viruses, 919–920 tunneling, 541–542 MBR viruses, 918–919 VSANs (virtual storage area networks), 712 multipartite, 922 vulnerabilities polymorphic, 923 client-based service injection viruses, 920 applets, 342–344 stealth, 922–923 local caches, 344–346 vulnerable platforms, 920 review question answers, 963–964 VLANs (virtual local area networks), server-based, data flow control, 346–347 545–546 written lab answers, 993 virtual applications, desktops, 547–548 vulnerability, 65 VMs (virtual machines), 712 vulnerability assessments, 726–727 VMware Fusion for Mac, 310 descriptions, 668 VMware vSphere, 310 CCE, 668 VMware vSphere Hypervisor, 310 CPE, 668 VMware Workstation Pro, 310 CVE, 668 voice communications CVSS, 668 abuse, 527–529 OVAL, 668 fraud, 527–529 XCCDF, 668 PBX (private branch exchange), 525 scans, 668–669, 726–727 POTS/PSTN, 525 database vulnerability scans, social engineering, 526–527 677–678 DISA (Direct Inward System Access), network discovery scans, 669–673 528–529 network vulnerability scans, 673–675 phreakers, 527 vulnerability management workflow, VoIP (Voice over Internet Protocol), 678–679 525–526 web vulnerability scans, 676–677 SRTP, 526 vulnerability management, 725–726 voice pattern recognition, 597 CVE (Common Vulnerability and VoIP (Voice over IP), 471, 525–526, 536 Exposures) dictionary, 728 SRTP (Secure Real-Time Transport reviews, 788 Protocol), 526 systems to manage, 723–724 volatile storage, 905 vulnerability assessments, 727–728 VPNs (virtual private networks), 178, 536, vulnerability scans, 726–727 540–541 workflow IPSec, 453 detection, 678 L2TP (Layer 2 Tunneling Protocol), 453 remediation, 679 OpenVPN, 453 validation, 678 overview, 542–543 vulnerability scans, 941

bindex.indd 06/27/2018 Page 1047 1048 WannaCry ransomware – wireless networking

web vulnerability scanning, 676–677 W web-based systems WannaCry ransomware, 167 directory traversal attack, 363 WANs (wide area networks), 496 DMZ (demilitarized zone), 362 ATM (asynchronous transfer mode), 559 injection attacks, 361–363 CIR (committed information rate), 559 account privileges limiting, 362 dedicated lines, 556 input validation, 362 dial-up encapsulation protocols LDAP injection, 363 PPP, 561 XML injection, 363 SLIP, 561 OWASP (Open Web Application Security DSL (digital subscriber line), 557 Project), 360–361 Frame Relay connections, 558–559 XML exploitation, 363–364 HDLC (High-Level Data Link Control), XSRF (cross-site request forgery), 364 561 XSS (cross-site scripting), 364 ISDN (Integrated Services Digital website monitoring Network), 557 active monitoring, 687 leased lines, 556 passive monitoring, 687 fault tolerance, 557 synthetic monitoring, 687 nondedicated lines, 556 WEP (Wired Equivalent Privacy), 264, point-to-point links, 556 476–477 SDH (Synchronous Digital Hierarchy), white box penetration testing, 681 559–560 white noise, 411 SDLC (Synchronous Data Link Control), wireless communications 560 Bluetooth, 506–507 SMDS (Switched Multimegabit Data cell phones, 504 Service), 559 ITU-R, 506 SONET (Synchronous Optical mobile service technologies, 505 Networking), 559–560 cordless phones, 508 X.25 connections, 558 DSSS (Direct Sequence Spread Spectrum), WAPs (wireless access points), 474 504 SSID (service set identifier), 474 FHSS (Frequency Hopping Speed war chalking, 483 Spectrum), 504 war driving, 483 Hz (Hertz), 503 waterfall lifecycle model, 882–883 mobile devices, 508–509 watermarking, 257–259, 783 NFC (near-field communication), 507 wave pattern motion detectors, 427 OFDM (Orthogonal Frequency-Division web applications Multiplexing), 504 cryptography, 256–257 PANs (personal area networks), 506–507 steganography, 257–259 RFID (radio-frequency identification), 507 watermarking, 257–259 wireless networking, 472–473 security 802.1X/EAP, 
478 dynamic Web applications, 937–938 access points, 473 SQL injection, 937, 938–940 ad hoc mode, 475 XSRF/CSRF, 936–937 enterprise extended mode, 475 XSS attacks, 935–936 ESSID, 475

bindex.indd 06/27/2018 Page 1048 wiring closets – written lab answers 1049

infrastructure mode, 475 work functions, 207 power level controls, 480 worms, 925 SSID, 475 Code Red, 926–927 stand-alone mode, 475 RTM, 926–927 wired extension mode, 475 Stuxnet, 927–928 antennas WPA (WiFi Protected Access), 265, 477–478 placement, 479–480 WPA2 (Wi-Fi Protected Access 2), 478 types, 480 WPS (WiFi Protected Setup), 481 attacks, 482–483 written lab answers evil twins, 485 access control, 996 IV (initialization vector), 484 application attacks, 1000 replay attacks, 484 asset security, 991 rogue access points, 484–485 authentication, 996 war chalking, 483 BCP (business continuity planning), 989 war driving, 483 communications, 995 captive portals, 481 compliance, 990 CCMP, 478, 479 countermeasures, 993 channels, 475 cryptographic applications, 992 data emanation and, 473 cryptography, 991–992 EAP (Extensible Authentication DRP (disaster recovery planning), 999 Protocol), 478 ethics, 999–1000 encryption protocols, 476 governance, 988 KRACK (Key Reinstallation AttaCKs), 478 identity management, 996 LEAP (Lightweight Extensible incident response, 998 Authentication Protocol), 478–479 investigations, 999–1000 MAC filter, 479 laws, 990 OSA (open system authentication), 476 malicious code, 1000 PEAP (Protected Extensible network architecture, 994–995 Authentication Protocol), 478 network attacks, 995 site surveys, 476 network components, 994–995 SKA (shared key authentication), 476 personnel security, 988–989 SSID (service set identifier), 475–476 physical security, 994 TKIP (Temporal Key Integrity Protocol), PKI (public-key infrastructure), 992 265, 479 regulations, 990 WEP (Wired Equivalent Privacy), 264, risk management, 988–989 476–477 security assessment, 997 WPA (WiFi Protected Access), 265, 477–478 security capabilities, 992–993 WPA2 (Wi-Fi Protected Access 2), 478 security design, 992–993 as security feature, 482 security models, 992–993 WPS (WiFi Protected Setup), 481 security operations, 997–998 wiring closets, 407 software development security, 
1000 IDF (intermediate distribution facilities), symmetric key algorithms, 991–992 405 testing, 997 premises wire distribution room, 405 threats, 993 work area security, 413–414 vulnerabilities, 993

bindex.indd 06/27/2018 Page 1049 1050 X Window – zombies

XSS (cross-site scripting), 364 X XSS (cross-site scripting) attacks, X Window, 463 935–936 XCCDF (Extensible Configuration checklist Description Format), 668 XenServer, 310 Z XOR (exclusive OR) operation, 204 zero-day attacks, 928 XP (Extreme Programming), 885 zeroization of media, 412 XSRF (cross-site request forgery), 364 zero-knowledge proofs, 206–207 XSRF/CSRF (cross-site request forgery) Zimmerman, Phil, 255 attacks, 936–937 zombies, 565

bindex.indd 06/27/2018 Page 1050