Principles of Information Security (Reprint Edition)

Principles of Information Security (Reprint Edition) PDF e-book download

Industrial Technology

  • Authors: Whitman (US), Mattord (US)
  • Publisher: Beijing: Tsinghua University Press
  • Year of publication: 2003
  • ISBN: 7302068704
  • Pages: 537
Description: This book covers the various aspects of information security.
Contents of Principles of Information Security (Reprint Edition)

Table of Contents 1

Chapter 1 Introduction to Information Security 1

Introduction 3

The History of Information Security 4

The 1960s 5

The 1970s and 80s 6

The 1990s 8

The Present 9

What Is Security? 9

What Is Information Security? 10

Critical Characteristics of Information 10

Authenticity 11

Accuracy 11

Availability 11

Confidentiality 12

Integrity 13

Utility 14

Possession 14

NSTISSC Security Model 15

Components of an Information System 15

Software 16

Hardware 16

Data 17

People 17

Procedures 17

Securing the Components 18

Balancing Security and Access 19

Top-Down Approach to Security Implementation 20

The Systems Development Life Cycle 21

Methodology 21

Phases 21

Investigation 22

Analysis 23

Logical Design 23

Physical Design 23

Implementation 23

Analysis 24

Investigation 24

The Security Systems Development Life Cycle 24

Maintenance and Change 24

Logical Design 25

Physical Design 25

Implementation 25

Maintenance and Change 26

Key Terms 28

Security Professionals and the Organization 30

Senior Management 30

Security Project Team 32

Data Ownership 32

Organizational Management and Professionals 33

Information Technology Management and Professionals 33

Information Security Management and Professionals 33

Communities of Interest 33

Information Security: Is It an Art or a Science? 34

Security as Art 34

Security as Science 34

Security as a Social Science 35

Chapter Summary 35

Review Questions 36

Exercises 37

Case Exercises 37

Chapter 2 The Need for Security 41

Business Needs First, Technology Needs Last 43

Protecting the Ability of the Organization to Function 43

Introduction 43

Enabling the Safe Operation of Applications 44

Protecting Data that Organizations Collect and Use 44

Safeguarding Technology Assets in Organizations 44

Threats 45

Threat Group 1: Inadvertent Acts 46

Threat Group 2: Deliberate Acts 49

Threat Group 3: Acts of God 64

Threat Group 4: Technical Failures 66

Threat Group 5: Management Failures 67

Attacks 68

Malicious Code 68

Brute Force 69

Password Crack 69

Hoaxes 69

Back Doors 69

Dictionary 70

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) 70

Spoofing 71

Man-in-the-Middle 71

Spam 72

Mail bombing 72

Sniffers 72

Social Engineering 73

Buffer Overflow 74

Review Questions 75

Chapter Summary 75

Timing Attack 75

Case Exercises 77

Chapter 3 Legal, Ethical and Professional Issues in Information Security 83

Introduction 84

Law and Ethics in Information Security 85

Types Of Law 85

Relevant U.S. Laws 85

General Computer Crime Laws 86

Privacy 86

Export and Espionage Laws 91

U.S. Copyright Law 92

International Laws and Legal Bodies 94

European Council Cyber-Crime Convention 95

Digital Millennium Copyright Act (DMCA) 96

United Nations Charter 96

Policy Versus Law 97

Ethical Concepts in Information Security 97

Cultural Differences in Ethical Concepts 97

Software License Infringement 98

Illicit Use 99

Misuse of Corporate Resources 99

Ethics and Education 102

Deterrence to Unethical and Illegal Behavior 102

Codes of Ethics, Certifications, and Professional Organizations 103

Other Security Organizations 109

Key U.S. Federal Agencies 111

Organizational Liability and the Need for Counsel 114

Chapter Summary 114

Review Questions 115

Exercises 116

Case Exercises 116

Chapter 4 Risk Management: Identifying and Assessing Risk 121

Introduction 122

Chapter Organization 123

Risk Management 124

Know the Enemy 125

All Communities of Interest are Accountable 125

Know Yourself 125

Integrating Risk Management into the SecSDLC 126

Risk Identification 127

Asset Identification and Valuation 127

Automated Risk Management Tools 131

Information Asset Classification 131

Information Asset Valuation 132

Listing Assets in Order of Importance 134

Data Classification and Management 135

Security Clearances 137

Management of Classified Data 137

Identify And Prioritize Threats and Threat Agents 139

Threat Identification 139

Vulnerability Identification 143

Risk Assessment 145

Introduction to Risk Assessment 145

Likelihood 145

Valuation of Information Assets 146

Percentage of Risk Mitigated by Current Controls 147

Risk Determination 147

Identify Possible Controls 147

Access Controls 148

Documenting Results of Risk Assessment 150

Chapter Summary 151

Review Questions 153

Case Exercises 154

Exercises 154

Chapter 5 Risk Management: Assessing and Controlling Risk 158

Introduction 159

Risk Control Strategies 160

Avoidance 161

Transference 163

Mitigation 164

Acceptance 166

Risk Mitigation Strategy Selection 167

Evaluation, Assessment, and Maintenance of Risk Controls 168

Control Function 169

Architectural Layer 169

Categories of Controls 169

Strategy Layer 170

Information Security Principles 170

Feasibility Studies 171

Cost Benefit Analysis (CBA) 171

Other Feasibility Studies 183

Risk Management Discussion Points 185

Risk Appetite 185

Residual Risk 186

Documenting Results 187

Recommended Practices in Controlling Risk 187

Delphi Technique 188

Risk Management and the SecSDLC 188

Qualitative Measures 188

Chapter Summary 189

Review Questions 190

Exercises 191

Case Exercises 193

Chapter 6 Blueprint For Security 198

Introduction 199

Information Security Policy, Standards, and Practices 199

Definitions 201

Security Program Policy (SPP) 202

Issue-Specific Security Policy (ISSP) 203

Systems-Specific Policy (SysSP) 206

Policy Management 210

Information Classification 212

Systems Design 213

Information Security Blueprints 215

ISO 17799/BS 7799 215

NIST Security Models 217

NIST Special Publication SP 800-12 217

NIST Special Publication 800-14 218

IETF Security Architecture 222

VISA International Security Model 222

Baselining and Best Business Practices 223

Hybrid Framework for a Blueprint of an Information Security System 224

Security Education, Training, and Awareness Program 227

Security Education 228

Security Awareness 229

Security Training 229

Design of Security Architecture 230

Defense in Depth 230

Security Perimeter 231

Key Technology Components 231

Chapter Summary 234

Review Questions 236

Exercises 237

Case Exercises 237

Chapter 7 Planning for Continuity 241

Introduction 242

Continuity Strategy 243

Business Impact Analysis 246

Threat Attack Identification and Prioritization 247

Business Unit Analysis 247

Attack Success Scenario Development 248

Potential Damage Assessment 248

Subordinate Plan Classification 248

Incident Response Planning 249

Incident Planning 250

Incident Detection 253

When Does an Incident Become a Disaster? 256

Incident Reaction 256

Notification of Key Personnel 256

Incident Containment Strategies 257

Documenting an Incident 257

Incident Recovery 259

Prioritization of Efforts 259

Damage Assessment 259

Recovery 260

Backup Media 263

Automated Response 264

Disaster Recovery Planning 265

The Disaster Recovery Plan 265

Crisis Management 266

Recovery Operations 267

Developing Continuity Programs (BCPs) 268

Continuity Strategies 268

Business Continuity Planning 268

Model for a Consolidated Contingency Plan 271

The Planning Document 271

Law Enforcement Involvement 273

Local, State, or Federal Authorities 273

Benefits and Drawbacks of Law Enforcement Involvement 274

Chapter Summary 275

Review Questions 276

Exercises 277

Case Exercises 278

Chapter 8 Security Technology 281

Introduction 282

Physical Design of the SecSDLC 283

Development of Firewalls 284

Firewalls 284

Firewall Architectures 287

Configuring and Managing Firewalls 291

Dial-up Protection 293

RADIUS and TACACS 294

Intrusion Detection Systems (IDS) 295

Host-based IDS 295

Network-based IDS 296

Signature-based IDS 297

Statistical Anomaly-based IDS 298

Scanning and Analysis Tools 299

Port Scanners 300

Vulnerability Scanners 301

Packet Sniffers 302

Content Filters 303

Trap and Trace 304

Cryptography and Encryption-based Solutions 304

Encryption Definitions 305

Encryption Operations 307

Vernam Cipher 308

Book or Running Key Cipher 308

Symmetric Encryption 310

Asymmetric Encryption 312

Digital Signatures 313

RSA 313

What are Digital Certificates and Certificate Authorities? 314

PKI 314

Hybrid Systems 316

Securing E-mail 317

Securing the Web 317

Securing Authentication 319

Sesame 321

Access Control Devices 321

Authentication 321

Effectiveness of Biometrics 324

Acceptability of Biometrics 325

Chapter Summary 325

Review Questions 327

Case Exercises 328

Exercises 328

Chapter 9 Physical Security 332

Introduction 334

Access Controls 335

Controls for Protecting the Secure Facility 336

Fire Safety 343

Fire Detection and Response 343

Failure of Supporting Utilities and Structural Collapse 350

Heating, Ventilation, and Air Conditioning 350

Power Management and Conditioning 351

Testing Facility Systems 356

Interception of Data 356

Mobile and Portable Systems 357

Remote Computing Security 359

Special Considerations for Physical Security Threats 361

Inventory Management 362

Chapter Summary 362

Review Questions 363

Exercises 365

Case Exercises 366

Chapter 10 Implementing Security 369

Introduction 371

Project Management in the Implementation Phase 372

Developing the Project Plan 373

Project Planning Considerations 378

Executing the Plan 382

The Need for Project Management 382

Supervising Implementation 382

Wrap-up 383

Technical Topics of Implementation 384

Conversion Strategies 384

The Bull's-eye Model for Information Security Project Planning 385

To Outsource or Not 386

Technology Governance and Change Control 387

Nontechnical Aspects of Implementation 387

The Culture of Change Management 387

Considerations for Organizational Change 389

Chapter Summary 390

Review Questions 392

Exercises 393

Case Exercises 394

Chapter 11 Security and Personnel 397

Introduction 399

The Security Function Within an Organization's Structure 399

Staffing the Security Function 400

Qualifications and Requirements 401

Entry into the Security Profession 402

Information Security Positions 403

Credentials of Information Security Professionals 407

Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) 408

Security Certified Professional 410

TruSecure ICSA Certified Security Associate (T.I.C.S.A.) and TruSecure ICSA Certified Security Expert (T.I.C.S.E.) 411

Security+ 412

Certified Information Systems Auditor (CISA) 413

Certified Information Systems Forensics Investigator 413

Related Certifications 414

Cost of Being Certified 414

Advice for Information Security Professionals 415

Employment Policies and Practices 416

Hiring and Termination Issues 417

Performance Evaluation 420

Termination 420

Security Considerations for Nonemployees 421

Contract Employees 422

Temporary Employees 422

Consultants 423

Business Partners 423

Separation of Duties and Collusion 424

Privacy and the Security of Personnel Data 425

Chapter Summary 426

Review Questions 427

Exercises 429

Case Exercises 429

Chapter 12 Information Security Maintenance 433

Introduction 434

Security Management Models 436

Managing for Change 436

The ISO Network Management Model 437

The Maintenance Model 446

Monitoring the External Environment 447

Monitoring the Internal Environment 452

Planning and Risk Assessment 455

Vulnerability Assessment and Remediation 462

Readiness and Review 470

Chapter Summary 473

Review Questions 474

Exercises 475

Case Exercises 475

Introduction 478

Appendix A Cryptography 478

Definitions 481

Types of Ciphers 483

Polyalphabetic Substitution Ciphers 484

Transposition Ciphers 485

Cryptographic Algorithms 486

Asymmetric Cryptography or Public Key Cryptography 489

Hybrid Cryptosystems 489

Popular Cryptographic Algorithms 490

Data Encryption Standard (DES) 490

Data Encryption Core Process 493

Public Key Infrastructure (PKI) 499

Digital Certificates 500

Digital Signatures 500

Pretty Good Privacy (PGP) 502

PGP Suite of Security Solutions 502

Protocols for Secure Communications 503

S-HTTP and SSL 503

Secure/Multipurpose Internet Mail Extension (S/MIME) 504

Internet Protocol Security (IPSec) 505

Attacks on Cryptosystems 507

Man-in-the-Middle Attack 507

Correlation Attacks 507

Dictionary Attacks 508

Timing Attacks 508

Glossary 510
