Key Term

war game: A type of rehearsal that seeks to realistically simulate the circumstances needed to thoroughly test a plan.
The primary goal of the readiness and review domain is to keep the information security program functioning as designed and to improve it continuously over time. This goal can be accomplished by doing the following:

● Policy review: Policy needs to be reviewed and refreshed from time to time to ensure its soundness—in other words, it must provide a current foundation for the information security program.
● Program review: Major planning components should be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate.
● Rehearsals: When possible, major plan elements should be rehearsed.
The relationships among the sectors of the readiness and review domain are shown in Figure 12-9. As the diagram indicates, policy review is the primary initiator of this domain. As policy is revised or current policy is confirmed, the planning elements are reviewed for compliance, the information security program is reviewed, and rehearsals are held to make sure all participants are capable of responding as needed.

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Policy Review and Planning Review

Policy needs to be reviewed periodically, as you learned in Chapter 4. The planning and review processes for incident response, disaster recovery, and business continuity planning (IRP, DRP, and BCP) were also covered in Chapter 4.
Program Review

As policy needs shift, a thorough and independent review of the entire information security program is needed. While an exact timetable for review is not proposed here, many organizations find that the CISO should conduct a formal review annually. Earlier in this chapter, you learned about the role of the CISO in the maintenance process. The CISO uses the results of maintenance activities and the review of the information security program to determine if the status quo is adequate against the threats at hand.

If the current information security program is not up to the challenges, the CISO must determine if incremental improvements are possible or if it is time to restructure the information security function within the organization.
Rehearsals and War Games

Whenever possible, major planning elements should be rehearsed. Rehearsal adds value by exercising procedures, identifying shortcomings, and providing security personnel with the opportunity to improve the security plan before it is needed. In addition, rehearsals make people more effective when an actual event occurs. A type of rehearsal known as a war game or simulation puts a subset of plans in place to create a realistic test environment. This adds to the value of the rehearsal and can enhance training.
Figure 12-9 Readiness and review (© Cengage Learning). Diagram elements: policy review; plan review for IRP, DRP, and BCP; the security team maintains security programs and stays ready; rehearsals and war games.
Digital Forensics

Key Terms

digital forensics: The application of forensics techniques and methodologies to the preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root-cause analysis.

digital malfeasance: A crime against or using digital media, computer technology, or related components.

evidentiary material (EM): Any item or information that applies to an organization's legal or policy-based case; also known as an item of potential evidentiary value.

forensics: The coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting.
Whether due to a character flaw, a need for vengeance, or simple curiosity, an employee or outsider may attack a physical asset or information asset. When the asset is in the purview of the CISO, he is expected to understand how policies and laws require the matter to be managed. To protect the organization and possibly assist law enforcement in an investigation, the CISO must document what happened and how. This process is called digital forensics.
Digital forensics is based on the field of traditional forensics. Made popular by scientific detective shows that focus on crime scene investigations, forensics involves the use of science to investigate events. Not all events involve crimes; some involve natural events, accidents, or system malfunctions. Forensics allows investigators to determine what happened by examining the results of an event. It also allows them to determine how the event happened by examining activities, individual actions, physical evidence, and testimony related to the event. However, forensics might not figure out the why of the event; that's the focus of psychological, sociological, and criminal justice studies. Here, the focus is on the application of forensics techniques in the digital arena.
Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of digital media, including computer media, for evidentiary and/or root-cause analysis. Like traditional forensics, it follows clear, well-defined methodologies, but it still tends to be as much an art as a science. In other words, the natural curiosity and personal skill of the investigator play a key role in discovering potential evidentiary material (EM). An item does not become evidence until it is formally admitted by a judge or other ruling official.
Digital forensics investigators use a variety of tools to support their work, as you will learn later in this chapter. However, the tools and methods used by attackers can be equally sophisticated. Digital forensics can be used for two key purposes:

● To investigate allegations of digital malfeasance. Such an investigation requires digital forensics to gather, analyze, and report the findings. This is the primary mission of law enforcement in investigating crimes that involve computer technologies or online information.
● To perform root-cause analysis. If an incident occurs and the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access, and to determine how pervasive and successful the attack was. This type of analysis is used primarily by incident response teams to examine their equipment after an incident.
Some investigations are undertaken by an organization's own personnel, while others require the immediate involvement of law enforcement. In general, whenever investigators discover evidence of a crime, they should immediately notify management and recommend contacting law enforcement. Failure to do so could result in unfavorable action against the investigator or organization.
The organization must choose one of two approaches when employing digital forensics:

1. Protect and forget. This approach, also known as patch and proceed, focuses on the defense of data and the systems that house, use, and transmit it. An investigation that takes this approach focuses on the detection and analysis of events to determine how they happened and to prevent reoccurrence. Once the current event is over, who caused it or why is almost immaterial.
2. Apprehend and prosecute. This approach, also known as pursue and prosecute, focuses on the identification and apprehension of responsible parties, with additional attention to the collection and preservation of potential EM that might support administrative or criminal prosecution. This approach requires much more attention to detail to prevent contamination of evidence that might hinder prosecution.

An organization might find it impossible to retain enough data to successfully handle even administrative penalties, but it should certainly adopt the latter approach if it wants to pursue formal administrative penalties, especially if the employee is likely to challenge them.
For more information on digital forensics, visit the American Society of Digital Forensics and eDiscovery at www.asdfed.com.
The Digital Forensics Team

Most organizations cannot sustain a permanent digital forensics team; such expertise is so rarely called upon that it may be better to collect the data and then outsource the analysis component to a regional expert. The organization can then maintain an arm's-length distance from the case and have additional expertise to call upon if the process ends in court. Even so, the information security group should contain members who are trained to understand and manage the forensics process. If the group receives a report of suspected misuse, either internally or externally, a group member must be familiar with digital forensics procedures to avoid contaminating potential EM.

This expertise can be obtained by sending staff members to a regional or national information security conference with a digital forensics track or to dedicated digital forensics training, as mentioned in Chapter 11. The organization should use caution in selecting training for the team or a specialist, as many forensics training programs begin with the analysis process and promote a specific tool rather than teaching management of the process.
Affidavits and Search Warrants

Key Terms

affidavit: Sworn testimony that certain facts are in the possession of an investigating officer; an affidavit can be used to request a search warrant.

search warrant: A document issued by an authorized authority that allows law enforcement agents to search for EM at a specified location and seize specific items for official examination.

Most investigations begin with an allegation or an indication of an incident. Whether via the help desk, the organization's sexual harassment reporting channels, or a direct report, someone alleges that a worker is performing actions explicitly prohibited by the organization or that make another worker uncomfortable in the workplace. The organization's forensics team or other authorized entity must then request permission to examine digital media for potential EM. In law enforcement, the investigating agent would create an affidavit requesting a search warrant. The affidavit summarizes the facts of the case, items relevant to the investigation, and the location of the event. When an approving authority signs the affidavit or creates a synopsis form based on the document, it becomes a search warrant. In corporate environments, the names of these documents may change, and in many cases written authorization may not be needed, but the process should be the same. Formal permission is obtained before an investigation occurs.
Digital Forensics Methodology

Key Terms

chain of custody: See chain of evidence.

chain of evidence: The detailed documentation of the collection, storage, transfer, and ownership of evidence from the crime scene through its presentation in court.

In digital forensics, all investigations follow the same basic methodology:

1. Identify relevant EM.
2. Acquire (seize) the evidence without alteration or damage.
3. Take steps to assure that the evidence is verifiably authentic at every step and is unchanged from the time it was seized.
4. Analyze the data without risking modification or unauthorized access.
5. Report the findings to the proper authority.

This process is illustrated in Figure 12-10.
To support the selection and implementation of a methodology for forensics, the organization may want to seek legal advice or consult with local or state law enforcement. Other references that should become part of the organization's library are:

● Electronic Crime Scene Investigation: A Guide for First Responders, July 2001 (www.ncjrs.gov/pdffiles1/nij/187736.pdf)
● First Responders Guide to Computer Forensics (resources.sei.cmu.edu/library/asset-view.cfm?assetid=7251)
● First Responders Guide to Computer Forensics: Advanced Topics (resources.sei.cmu.edu/library/asset-view.cfm?assetid=7261)
● Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf)
● Scientific Working Group on Digital Evidence: Best Practices for Computer Forensics (www.oas.org/juridico/spanish/cyb_best_pract.pdf)
Identifying Relevant Items

The affidavit or warrant that authorizes a search must identify what items of evidence can be seized and where they are located. Only EM that fits the description on the authorization can be seized. These seizures often occur under stressful circumstances and strict time constraints, so thorough item descriptions help the process function smoothly and ensure that critical evidence is not overlooked. Thorough descriptions also ensure that items are not wrongly included as EM, which could jeopardize the investigation.

Because users have access to many online server locations via free e-mail archives, FTP servers, and video archives, and could have terabytes of information stored in offsite locations across the Web or on their local systems, investigators must have an idea of what to look for or they may never find it.
Acquiring the Evidence

The principal responsibility of the response team is to acquire the information without altering it. Computers and users modify data constantly. Every time someone opens, modifies, or saves a file, or even opens a directory index to view the available files, the state of the system is changed. Normal system file changes may be difficult to explain to a layperson—for example, a jury member with little or no technical knowledge. A normal system consequence of the search for EM could be portrayed by a defense attorney as harmful to the EM's authenticity or integrity, which could lead a jury to suspect it was planted or is otherwise suspect.

Figure 12-10 The digital forensics process (© Cengage Learning). Diagram elements: policy violation or crime detected; security incident (triggers the incident response process); prepare affidavit seeking authorization to investigate; investigation authorized? (Yes/No); collect evidence; analyze evidence; produce report and submit for disposition; archive. The investigation may be either internal or external to the organization.
Online Versus Offline Data Acquisition

There are generally two methods of acquiring evidence from a system. The first is the offline model, in which the investigator removes the power source and then uses a utility or special device to make a bitstream, sector-by-sector copy of the hard drives on the system. By copying the drives at the sector level, you can ensure that any hidden or erased files are also captured. The copied drive then becomes the image that can be used for analysis, and the original drive is stored for safekeeping as true EM or possibly returned to service. For the purposes of this discussion, the term copy refers to a drive duplication technique, whereas an image is the file that contains all the information from the source drive.
This approach requires the use of sound processes and techniques or read-only hardware known as write-blockers to prevent the accidental overwriting of data on the source drive. The use of these tools also allows investigators to assert that the EM was not modified during acquisition. In another offline approach, the investigator can reboot the system with an alternate operating system or a specialty boot disk like Helix or Knoppix. Still another approach involves specialty hardware that connects directly to a powered-down hard drive and provides direct power and data connections to copy data to an internal drive.
In online or "live" data acquisition, investigators use network-based tools to acquire a protected copy of the information. The only real difference between the two methods is that the source system cannot be taken offline, and the tools must be sophisticated enough to avoid altering the system during data acquisition. Table 12-10 lists common methods of acquiring data.
The creation of a copy or image can take a substantial amount of time. Users who have made USB copies of their data know how much time it takes to back up several gigabytes of data. When dealing with networked server drives, the data acquisition phase can take many hours to complete, which is one reason investigators prefer to seize drives and take them back to the lab to be imaged or copied.
Other Potential Evidence

Not all EM is on a suspect's computer hard drive. A technically savvy attacker is more likely to store incriminating evidence on other digital media, such as smart phones, removable drives, CDs, DVDs, flash drives, memory chips or sticks, or on other computers accessed across the organization's networks or via the Internet. EM located outside the organization is particularly problematic because the organization cannot legally search systems it doesn't own. However, the simple act of viewing EM on a system leaves clues about the location of the source material, and a skilled investigator can at least provide some assistance to law enforcement when conducting a preliminary investigation. Log files are another source of information about the access and location of EM, as well as what happened and when.
Some evidence isn't electronic or digital. Many suspects have been further incriminated when passwords to their digital media were discovered in the margins of user manuals, in calendars and day planners, and even on notes attached to their systems.
EM Handling

Once the evidence is acquired, both the copy image and the original drive should be handled properly to avoid legal challenges based on authenticity and preservation of integrity. If the organization or law enforcement cannot demonstrate that no one had access to the evidence, they cannot provide strong assurances that it has not been altered. Such access can be physical or logical if the device is connected to a network.

Once the evidence is in the possession of investigators, they must track its movement, storage, and access until the resolution of the event or case. This is typically accomplished through chain of evidence or chain of custody procedures. The evidence is then tracked wherever it is located. When the evidence changes hands or is stored, the documentation is updated.
Not all evidence-handling requirements are met through the chain of custody process. Digital media must be stored in a specially designed environment that can be secured to prevent unauthorized access. For example, individual items might need to be stored in containers or bags that protect them from electrostatic discharge or magnetic fields. Additional details are provided in the nearby Technical Details feature.
Method: Use a dedicated forensic workstation to examine a write-protected hard drive or image of the suspect hard drive.
Advantages: No concern about the validity of software or hardware on the suspect host. Produces evidence most easily defended in court.
Disadvantages: Inconvenient, time-consuming. May result in loss of volatile information.

Method: Boot the system using a verified, write-protected CD or other media with kernel and tools.
Advantages: Convenient, quick. Evidence is defensible if suspect drives are mounted as read-only.
Disadvantages: Assumes that hardware has not been compromised because it is much less likely than compromised software. May result in loss of volatile information.

Method: Build a new system that contains an image of the suspect system and examine it.
Advantages: Completely replicates operating environment of suspect computer without running the risk of changing its information.
Disadvantages: Requires availability of hardware that is identical to that on the suspect computer. May result in loss of volatile information.

Method: Examine the system using external media with verified software.
Advantages: Convenient, quick. Allows examination of volatile information.
Disadvantages: If a kernel is compromised, results may be misleading. External media may not contain every necessary utility.

Method: Verify the software on the suspect system, and then use the verified local software to conduct the examination.
Advantages: Requires minimal preparation. Allows examination of volatile information. Can be performed remotely.
Disadvantages: Lack of write protection for suspect drives makes evidence difficult to defend in court. Finding sources for hash values and verifying the local software requires at least several hours, unless Tripwire was used ahead of time.

Method: Examine the suspect system using the software on it, without verifying the software.
Advantages: Requires least amount of preparation. Allows examination of volatile information. Can be performed remotely.
Disadvantages: Least reliable method. This is exactly what cyberattackers are hoping you will do. Often a complete waste of time.

Table 12-10 Summary of Methods Employed to Acquire Forensic Data (© Cengage Learning 2015)
Authenticating the Recovered Evidence

The copy or image is typically transferred to the laboratory for the next stage of authentication. Using cryptographic hash tools, the team must be able to demonstrate that any analyzed copy or image is a true and accurate replica of the source EM. As you learned in Chapter 8, the hash tool takes a variable-length file and creates a single numerical value, usually represented in hexadecimal notation, that functions like a digital fingerprint. By hashing the source file and the copy, the investigator can assert that the copy is a true and accurate duplicate of the source.
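The hash check above and the chain of custody from methodology step 3, as an added Python example that is not code from the textbook: it makes a sector-by-sector copy of a constructed "suspect drive", verifies the image against the hash recorded for the source EM, and keeps a linked custody log in which every hand-off is tied to the previous entry. The evidence id HD-001, the custodian names and the timestamps are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

SECTOR = 512   # sector size assumed for the bitstream copy

def sha256_hex(data: bytes) -> str:
    """The Chapter 8 'digital fingerprint': one hex value per byte string."""
    return hashlib.sha256(data).hexdigest()

def acquire_image(source: bytes) -> bytes:
    """Sector-by-sector bitstream copy. Unallocated and slack sectors come
    along too, so erased files survive in the image."""
    image = bytearray()
    for offset in range(0, len(source), SECTOR):
        image += source[offset:offset + SECTOR]
    return bytes(image)

def verify_image(source_hash: str, image: bytes) -> bool:
    """Methodology step 3: the image is authentic only if it hashes to the
    value recorded for the source EM at seizure."""
    return sha256_hex(image) == source_hash

@dataclass
class CustodyEntry:
    evidence_id: str
    action: str          # acquired / stored / transferred / analyzed
    custodian: str
    evidence_hash: str   # fingerprint of the EM at this hand-off
    timestamp: str
    prev_entry: str      # hash of the previous entry, "" for the first
    entry_hash: str = ""

def entry_digest(e: CustodyEntry) -> str:
    """Hash over every field plus the link to the previous entry."""
    fields = [e.evidence_id, e.action, e.custodian, e.evidence_hash,
              e.timestamp, e.prev_entry]
    return sha256_hex(json.dumps(fields).encode())

class ChainOfCustody:
    """Chain-of-evidence log: each entry is linked to the one before it, so
    an edited or removed entry breaks verification."""
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, evidence_id: str, action: str, custodian: str,
               evidence_hash: str, when: str = "") -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else ""
        ts = when or datetime.now(timezone.utc).isoformat()
        e = CustodyEntry(evidence_id, action, custodian, evidence_hash, ts, prev)
        e.entry_hash = entry_digest(e)
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """All links intact and the EM fingerprint identical at every hand-off."""
        prev, first = "", None
        for e in self.entries:
            if e.prev_entry != prev or e.entry_hash != entry_digest(e):
                return False
            first = first or e.evidence_hash
            if e.evidence_hash != first:
                return False
            prev = e.entry_hash
        return True

def run_case() -> Dict[str, bool]:
    # constructed suspect drive: one live file, one erased file in unallocated space
    source = (b"live file: quarterly_report.docx".ljust(SECTOR, b"\x00")
              + b"erased: export of customer list".ljust(SECTOR, b"\x00")
              + b"\x00" * SECTOR)
    before = sha256_hex(source)       # recorded at seizure, behind a write-blocker
    image = acquire_image(source)
    after = sha256_hex(source)        # the source must be unchanged by acquisition
    chain = ChainOfCustody()
    chain.record("HD-001", "acquired", "investigator A", before, "2016-03-01T09:00:00+00:00")
    chain.record("HD-001", "stored", "evidence locker", before, "2016-03-01T11:30:00+00:00")
    chain.record("HD-001", "transferred", "lab analyst B", sha256_hex(image), "2016-03-02T08:15:00+00:00")
    tampered = image[:-1] + b"\x01"   # a single altered byte in the image
    forged = ChainOfCustody()         # a custody log edited after the fact
    forged.entries = [CustodyEntry(**vars(e)) for e in chain.entries]
    forged.entries[1].custodian = "someone else"
    return {
        "image_authentic": verify_image(before, image),
        "source_untouched": before == after,
        "chain_intact": chain.verify(),
        "tamper_detected": not verify_image(before, tampered),
        "forgery_detected": not forged.verify(),
    }
```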
Analyzing the Data

The most complex part of an investigation is analyzing the copy or image for potential EM. While the process can be performed manually using simple utilities, two industry-leading applications dominate the market for digital forensics:

● Guidance Software's EnCase (www.guidancesoftware.com)
● AccessData Forensics Tool Kit (FTK, at www.accessdata.com)

Open source alternatives to these rather expensive tools include Autopsy and The Sleuth Kit, which are available from www.sleuthkit.org. Autopsy is a stand-alone GUI interface for The Sleuth Kit, which uses a command line. Each tool is designed to support an investigation and assist in the management of the entire case.

The first component of the analysis phase is indexing. During indexing, many investigatory tools create an index of all text found on the drive, including data found in deleted files and in file slack space. This indexing is similar to that performed by Google Desktop or Windows Desktop Search tools. The index can then be used by the investigator to locate specific documents or document fragments. While indexing, the tools typically organize files into categories, such as documents, images, and executables. Unfortunately, like imaging, indexing is a time- and processor-consuming operation, and it could take days on images that are larger than 20 gigabytes.

In some cases, the investigator may find password-protected files that the suspect used to protect the data. Several commercial password cracking tools can assist the investigator. Some are sold in conjunction with forensics tools, like the AccessData Password Recovery Tool Kit.

Technical Details: General Procedures for Evidence Search and Seizure

At the crime scene, complete the following tasks:

1. Secure the crime scene by clearing all unauthorized personnel, delimit the scene with tape or other markers, and post a guard or other person at the entrance.
2. Log into the crime scene by signing the entry/exit log.
3. Photograph the scene beginning at the doorway and covering the entire room in 360 degrees. Include specific photos of potential evidentiary material.
4. Sketch the layout for the room, including furniture and equipment.
5. Following proper procedure, begin searching for physical, documentary evidence to support your case, including papers, media such as CDs or flash memory devices, or other artifacts. Identify the location of each piece of evidence with a marker or other designator and cross-reference it on the sketch. Photograph the item in situ to establish its location and state.
6. For each computer, first check for the presence of a screen saver by moving the mouse. Do not click the mouse or use the keyboard. If the screen is active, photograph the screen. Pull the power on permitted systems. Document each computer by taking a photograph and providing a detailed written description of the manufacturer, model number, serial number, and other details. Using sound processes, remove each disk drive and image it using the appropriate process and equipment. Document each source drive by photographing it and providing a detailed description of the manufacturer, serial number, and other details. Package and secure the image.
7. For each object found, complete the necessary evidence or chain of custody labels.
8. Log out of the crime scene by signing the entry/exit log.
9. Transfer all evidence to the lab for investigation or to a suitable evidence locker for storage. Store and transport all evidence, documentation, and photographic materials in a locked field evidence locker.

Analyze the image:

1. Build the case file by entering background information, including investigator, suspect, date, time, and system analyzed.
2. Load the image file into the case file. Typical image files have .img, .e01, or .001 extensions.
3. Index the image. Note that some systems use a database of known files to filter out files that are known to be applications, system files, or utilities. The use of this filter improves the quality and effectiveness of the indexing process.
4. Identify, export, and bookmark related text files by searching the index.
5. Identify, export, and bookmark related graphics by reviewing the images folder. If the suspect is accused of viewing child pornography, do not directly view the images. Some things you can't "un-see." Use the database of known images to compare hash values and tag them as suspect.
6. Identify, export, and bookmark other evidence files.
7. Integrate all exported and bookmarked material into the case report.
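The indexing pass described above, together with the known-file filter and hash-based tagging from the image-analysis steps, as an added Python example that is not code from the textbook or from any of the tools it names. The image, its file table, the slack residue and both hash databases are constructed stand-ins; the signatures checked are the real PDF, PNG, JPEG, PE and ELF magic bytes. Text is indexed from allocated files, from each file's slack space and from unallocated sectors, so fragments of erased files are searchable; files whose hash is in the known-good set are dropped, and files whose hash is in the known-suspect set are tagged without their content being opened.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

SECTOR = 512      # sector size assumed for the image
MIN_TERM = 4      # shortest printable run worth indexing

class FileEntry(NamedTuple):
    name: str
    offset: int   # byte offset of the file's first sector in the image
    size: int     # logical size; the rest of its last sector is slack

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def categorize(body: bytes) -> str:
    """Coarse file typing by signature, as indexing tools do."""
    if body.startswith((b"MZ", b"\x7fELF")):
        return "executables"
    if body.startswith((b"\x89PNG", b"\xff\xd8")):
        return "images"
    if body.startswith(b"%PDF") or all(32 <= c < 127 for c in body):
        return "documents"
    return "other"

def terms(data: bytes):
    """Lower-cased words from printable ASCII runs, with the run's offset."""
    for m in re.finditer(rb"[ -~]{%d,}" % MIN_TERM, data):
        for word in m.group().lower().split():
            if len(word) >= MIN_TERM:
                yield word.decode(), m.start()

def build_index(image: bytes, table: List[FileEntry],
                known_good: Set[str], known_suspect: Set[str]) -> Dict:
    index: Dict[str, List] = defaultdict(list)    # term -> [(location, offset)]
    cats: Dict[str, List[str]] = defaultdict(list)
    skipped, tagged = [], []
    covered = bytearray(len(image))               # 1 = byte owned by a file's sectors
    for f in table:
        end = f.offset + -(-f.size // SECTOR) * SECTOR   # round up to a sector
        covered[f.offset:end] = b"\x01" * (end - f.offset)
        body = image[f.offset:f.offset + f.size]
        digest = sha256_hex(body)
        if digest in known_good:        # known OS/application file: not indexed
            skipped.append(f.name)
        elif digest in known_suspect:   # tagged by hash; content is never opened
            tagged.append(f.name)
        else:
            cats[categorize(body)].append(f.name)
            for word, off in terms(body):
                index[word].append((f.name, f.offset + off))
        # slack: bytes between the logical end of the file and its last sector
        for word, off in terms(image[f.offset + f.size:end]):
            index[word].append((f"<slack:{f.name}>", f.offset + f.size + off))
    for s in range(0, len(image), SECTOR):        # unallocated: where erased files live
        if not covered[s]:
            for word, off in terms(image[s:s + SECTOR]):
                index[word].append(("<unallocated>", s + off))
    return {"index": dict(index), "categories": dict(cats),
            "skipped": skipped, "tagged": tagged}

def search(idx: Dict, term: str) -> List[str]:
    """Every location holding the term; these are what the investigator bookmarks."""
    return sorted({loc for loc, _ in idx["index"].get(term.lower(), [])})

def build_sample_image():
    """Constructed suspect image: four files, old data in slack, one erased file."""
    files = {
        "notes.txt": b"meeting notes: contact buyer about export of customer list",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,
        "notepad.exe": b"MZ" + b"\x90" * 30,
        "plan.pdf": b"%PDF-1.4 transfer customer list via usb drive",
    }
    old_slack = b"old draft: price for the customer list is 5000"
    image, table = bytearray(), []
    for name, body in files.items():
        table.append(FileEntry(name, len(image), len(body)))
        sector = bytearray(body.ljust(SECTOR, b"\x00"))
        if name == "notes.txt":   # residue left by the sector's previous occupant
            sector[len(body):len(body) + len(old_slack)] = old_slack
        image += sector
    image += b"deleted: wire transfer confirmation 4471".ljust(SECTOR, b"\x00")
    return bytes(image), table, files

def run_analysis() -> Dict:
    image, table, files = build_sample_image()
    # constructed stand-ins for the known-file and known-suspect hash databases
    known_good = {sha256_hex(files["logo.png"]), sha256_hex(files["notepad.exe"])}
    known_suspect = {sha256_hex(files["plan.pdf"])}
    idx = build_index(image, table, known_good, known_suspect)
    return {"skipped": idx["skipped"], "tagged": idx["tagged"],
            "categories": idx["categories"],
            "customer": search(idx, "customer"), "wire": search(idx, "wire")}
```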
Reporting the Findings

As investigators examine the analyzed copies or images and identify potential EM, they can tag it and add it to their case files. Once they have found a suitable amount of information, they can summarize their findings with a synopsis of their investigatory procedures in a report and submit it to the appropriate authority. This authority could be law enforcement or management. The suitable amount of EM is a flexible determination made by the investigator. In certain cases, like child pornography, one file is sufficient to warrant turning over the entire investigation to law enforcement. On the other hand, dismissing an employee for the unauthorized sale of intellectual property may require a substantial amount of information to support the organization's assertion. Reporting methods and formats vary among organizations and should be specified in the digital forensics policy. A general guideline is that the report should be sufficiently detailed to allow a similarly trained person to repeat the analysis and achieve similar results.
Evidentiary Procedures
In information security, most operations focus on policies—documents that provide managerial guidance for ongoing implementation and operations. In digital forensics, however, the focus is on procedures. When investigating digital malfeasance or performing root-cause analysis, keep in mind that the results and methods of the investigation may end up in criminal or civil court. For example, during a routine systems update, assume that a technician finds objectionable material on an employee’s computer. The employee is fired and promptly sues the organization for wrongful termination, so the investigation of the objectionable material comes under scrutiny by the plaintiff’s attorney, who will attempt to cast doubt on the ability of the investigator. While technically not illegal, the presence of the material may have been a clear violation of policy, prompting the dismissal of the employee. However, if an attorney can convince a jury or judge that someone else could have placed the material on the plaintiff’s system, the employee could win the case and potentially a large financial settlement.
When the scenario involves criminal issues in which an employee discovers evidence of a crime, the situation changes somewhat. The investigation, analysis, and report are typically performed by law enforcement personnel. However, if the defense attorney can cast reasonable doubt on whether the organization’s information security professionals compromised the digital evidentiary material, the employee might win the case.
How do you avoid these legal pitfalls? Strong procedures for handling potential evidentiary material can minimize the probability that an organization will lose a legal challenge. Organizations should develop specific procedures, along with guidance for their effective use. The policy document should specify the following:
● Who may conduct an investigation
● Who may authorize an investigation
● What affidavits and related documents are required
● What search warrants and related documents are required
● What digital media may be seized or taken offline
● What methodology should be followed
● What methods are required for chain of custody or chain of evidence
● What format the final report should take and to whom it should be given
The policy document should be supported by a procedures manual and developed based on the documents discussed earlier, along with guidance from law enforcement or consultants. By creating and using these policies and procedures, an organization can best protect itself from challenges by employees who have been subject to unfavorable action from an investigation.
Selected Readings
● Fighting Computer Crime: A New Framework for Protecting Information, by Donn B. Parker. 1998. John Wiley and Sons.
● Digital Evidence and Computer Crime, Third Edition, by Eoghan Casey. 2011. Academic Press.
● Guide to Computer Forensics and Investigations, Fourth Edition, by Amelia Phillips and Christopher Steuart. 2010. Course Technology.
Chapter Summary
■ Change is inevitable, so organizations should have procedures to deal with changes in the operation and maintenance of the information security program.
■ The CISO decides whether the information security program can adapt to change as it is implemented or whether the macroscopic process of the SecSDLC must be started anew.
■ The maintenance model recommended in this chapter is made up of five subject areas or domains: external monitoring, internal monitoring, planning and risk assessment, vulnerability assessment and remediation, and readiness and review.
■ To stay current, the information security community of interest and the CISO must constantly monitor the three components of the security triple—threats, assets, and vulnerabilities.
■ To assist the information security community in managing and operating the ongoing security program, the organization should adopt a security management maintenance model. These models are frameworks that are structured by the tasks of managing a particular set of activities or business functions.
■ NIST SP 800-100, Information Security Handbook: A Guide for Managers, outlines managerial tasks performed after the program is operational. For each of the 13 areas of information security management presented in SP 800-100, there are specific monitoring activities:
1. Information security governance
2. Systems development life cycle
3. Awareness and training
4. Capital planning and investment control
5. Interconnecting systems
6. Performance measures
7. Security planning
8. Information technology contingency planning
9. Risk management
10. Certification, accreditation, and security assessments
11. Security services and products acquisition
12. Incident response
13. Configuration and change management
■ The objective of the external monitoring domain in the maintenance model is to provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks so that an effective and timely defense can be mounted.
■ The objective of the internal monitoring domain is an informed awareness of the state of the organization’s networks, information systems, and information security defenses. The security team documents and communicates this awareness, particularly when it concerns system components that face the external network.
■ The primary objective of the planning and risk assessment domain is to keep an eye on the entire information security program.
■ The primary objectives of the vulnerability assessment and remediation domain are to identify specific, documented vulnerabilities and remediate them in a timely fashion.
■ The primary objectives of the readiness and review domain are to keep the information security program functioning as designed and keep improving it over time.
■ Digital forensics is the investigation of wrongdoing in the arena of information security. Digital forensics requires the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root-cause analysis.
Review Questions
1. List and define the factors that are likely to shift in an organization’s information security environment.
2. Who decides if the information security program can adapt to change adequately?
3. List and briefly describe the five domains of the general security maintenance model, as identified in the text.
4. What are the three primary aspects of information security risk management? Why is each important?
5. What is a management maintenance model? What does it accomplish?
6. What changes need to be made to the model in SP 800-100 to adapt it for use in security management maintenance?
7. What ongoing responsibilities do security managers have in securing the SDLC?
8. What is vulnerability assessment?
9. What is penetration testing?
10. What is the difference between configuration management and change management?
11. What is a performance baseline?
12. What is the difference between vulnerability assessment and penetration testing?
13. What is the objective of the external monitoring domain of the maintenance model?
14. List and describe four vulnerability intelligence sources. Which seems the most effective? Why?
15. What does CERT stand for? Is there more than one CERT? What is the purpose of a CERT?
16. What is the primary objective of the internal monitoring domain?
17. What is the objective of the planning and risk assessment domain of the maintenance model? Why is this important?
18. What is the primary goal of the vulnerability assessment and remediation domain of the maintenance model? Is this important to an organization with an Internet presence? Why?
19. List and describe the five vulnerability assessments described in the text. Can you think of other assessment processes that might exist?
20. What is digital forensics, and when is it used in a business setting?
Exercises
1. Search the Web for the Forum of Incident Response and Security Teams (FIRST). In your own words, what is the forum’s mission?
2. Search the Web for two or more sites that discuss the ongoing responsibilities of the security manager. What other components of security management can be adapted for use in the security management model?
3. This chapter lists five tools that can be used by security administrators, network administrators, and attackers alike. Search the Web for three to five other tools that fit this description.
4. Using a Web browser and the names of the tools you found in Exercise 3, find a site that claims to be dedicated to supporting hackers. Do you find any references to other hacker tools? If you do, create a list of the tools along with a short description of what they do and how they work.
5. Using the components of risk assessment documentation presented in the chapter, draft a tentative risk assessment of a lab, department, or office at your university. Outline the critical risks you found and discuss them with your class.
Case Exercises
Remember from the beginning of this book how Amy’s day started? Now imagine how it could have gone with better planning:
For Amy, the day began like any other at the Sequential Label and Supply Company (SLS) help desk. Taking calls and helping office workers with computer problems was not glamorous, but she enjoyed the work; it was challenging and paid well enough. Some of her friends in the industry worked at bigger companies, some at cutting-edge tech companies, but they all agreed that technology jobs were a good way to pay the bills.
The phone rang, as it did about four times an hour and 28 times a day. The first call of the day, from a user hoping Amy could help him out of a jam, seemed typical. The call display on her monitor showed some of the facts: the user’s name, his phone number and department, where his office was on the company campus, and a list of his past calls to the help desk.
“Hi, Bob,” Amy said. “Did you get that document formatting problem squared away?”
“Sure did, Amy. Hope we can figure out what’s going on this time.”
“We’ll try, Bob. Tell me about it.”
“Well, I need help setting a page break in this new spreadsheet template I’m working on,” Bob said.
Amy smiled to herself. She knew spreadsheets well, so she would probably be able to close this call on the first contact. That would help her call statistics, which was one method of measuring her job performance.
Little did Amy know that roughly four minutes before Bob’s phone call, a specially programmed computer at the edge of the SLS network had made a programmed decision. This computer was generally known as postoffice.seqlbl.com, but it was called the “e-mail gateway” by the networking, messaging, and information security teams at SLS. The decision was just like many thousands of other decisions it made in a typical day—that is, to block the transmission of a file that was attached to an e-mail addressed to Bob.Hulme@seqlbl.com. The gateway had determined that Bob didn’t need an executable program that had been attached to the e-mail message. The gateway had also determined that the message originated from somewhere on the Internet but contained a forged reply-to address from Davey Martinez at SLS. In other words, the gateway had delivered the e-mail to Bob Hulme, but not the attachment.
When Bob got the e-mail, all he saw was another unsolicited commercial e-mail with an unwanted executable that had been blocked. He had deleted the nuisance message without a second thought. While she was talking to Bob, Amy looked up to see Charles Moody walking calmly down the hall. Charlie, as he liked to be called, was the senior manager of the server administration team and the company’s chief information security officer. Kelvin Urich and Iris Majwubu were trailing behind Charlie as he headed from his office to the door of the conference room. Amy thought, “It must be time for the weekly security status meeting.”
She was the user representative on the company information security oversight committee, so she was due to attend this meeting. Amy continued talking Bob through the procedure for setting up a page break, and decided she would join the information security team for coffee and bagels as soon as she was finished.
Discussion Questions
1. What area of the SP 800-100 management maintenance model addresses the actions of the content filter described here?
2. What recommendations would you give SLS for how it might select a security management maintenance model?
Ethical Decision Making
Referring back to the opening case of this chapter, suppose Charlie had just finished a search for a new job and knew that he would soon be leaving the company. When Iris came in to talk about the tedious and time-consuming review process, he put her off and asked her to schedule a meeting with him “in 2 or 3 weeks,” knowing full well that he would be gone by then.
Do you think this kind of action is unethical because Charlie knows he is leaving soon?
Glossary
10.3 password rule An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character.
acceptance control strategy The risk control strategy that indicates an organization is willing to accept the current level of residual risk.
access A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
access control The selective method by which systems specify who may use a particular resource and how they may use it.
access control list (ACL) A specification of an organization’s information asset, the users who may access and use it, and their rights and privileges for using the asset.
access control matrix An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings. The matrix contains ACLs in columns for a particular device or asset and capability tables in rows for a particular user.
accountability The access control mechanism that ensures all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. Also known as auditability.
accreditation The process that authorizes an IT system to process, store, or transmit information.
accuracy An attribute of information that describes how data is free of errors and has the value that the user expects.
active vulnerability scanner An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.
address restrictions Firewall rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
Advanced Encryption Standard (AES) The current federal standard for the encryption of data, as specified by NIST. AES is based on the Rijndael algorithm, which was developed by Vincent Rijmen and Joan Daemen.
advance-fee fraud (AFF) A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.
adverse event An event with negative consequences that could threaten the organization’s information assets or operations.
adware Malware intended to provide undesired marketing and advertising, including popups and banners on a user’s screens.
affidavit Sworn testimony that certain facts are in the possession of an investigating officer; an affidavit can be used to request a search warrant.
after-action review A detailed examination and discussion of the events that occurred, from first detection to final recovery.
aggregate information Collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group. Not to be confused with information aggregation.
air-aspirating detector A fire detection sensor used in high-sensitivity areas that works by taking in air, filtering it, and passing it through a chamber that contains a laser beam. The alarm triggers if the beam is broken.
alarm clustering and compaction A process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm.
alarm filtering The process of classifying IDPS alerts so they can be more effectively managed.
alert or alarm An indication that a system has just been attacked or is under attack. IDPS alerts and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up windows.
alert message A scripted description of the incident that usually contains just enough information so that each person knows what portion of the IR plan to implement without slowing down the notification process.
alert roster A document that contains contact information for people to be notified in the event of an incident.
algorithm The steps used to convert an unencrypted message into an encrypted sequence of bits that represent the message; sometimes refers to the programs that enable the cryptographic processes.
annualized cost of a safeguard (ACS) In a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.
annualized loss expectancy (ALE) In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy.
annualized rate of occurrence (ARO) In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.
anomaly-based detection Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.
application firewall See application layer firewall.
application header (AH) protocol In IPSec, a protocol that provides system-to-system authentication and data integrity verification, but does not provide secrecy for the content of a network communication.
application layer firewall A firewall type capable of performing filtering at the application layer of the OSI model, most commonly based on the type of service (for example, HTTP, SMTP, or FTP). Also known as an application firewall. See also proxy server.
application protocol verification The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
asset The organizational resource that is being protected.
asset exposure See loss magnitude.
asset valuation The process of assigning financial value or worth to each information asset.
asymmetric encryption An encryption method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message. Either key can be used to encrypt a message, but then the other key is required to decrypt it.
asynchronous token An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.
attack An intentional or unintentional act against an asset that can damage or otherwise compromise information and the systems that support it.
attack protocol A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
attack success probability The number of successful attacks that are expected to occur within a specified time period.
attack surface The functions and features that a system exposes to unauthenticated users.
attribute A characteristic of a subject (user or system) that can be used to restrict access to an object. Also known as a subject attribute.
attribute-based access control (ABAC) An access control approach whereby the organization specifies the use of objects based on some attribute of the user or system.
auditability See accountability.
auditing The review of a system’s use to determine if misuse or malfeasance has occurred.
authentication The access control mechanism that requires the validation and verification of a supplicant’s purported identity.
authentication factors Three mechanisms that provide authentication based on something a supplicant knows, something a supplicant has, and something a supplicant is.
authenticity An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
authorization The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.
availability An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
availability disruption An interruption in service, usually from a service provider, which causes an adverse event within an organization.
avoidance of competitive disadvantage The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind.
back door A malware payload that provides access to a system by bypassing normal access controls. A back door is also an intentional access control bypass left by a system designer to facilitate development.
back hack The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.
baseline A performance value or metric used to compare changes in the object being measured.
baselining The comparison of past security activities and events against the organization’s current performance.
- bastion host A firewall implementation strategy in which the
- device is connected directly to the untrusted area of the
- 658 Glossary
- Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
- Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
- organization’s network rather than being placed in a screened
- area. Also known as a sacrificial host.
- behavioral feasibility: See operational feasibility.
- behavior-based detection: See anomaly-based detection.
- benchmarking: The process of comparing other organizations’ activities against the practices used in one’s own organization to produce results it would like to duplicate.
- best business practices: Security efforts that seek to provide a superior level of performance in the protection of information. Also known as best practices or recommended practices.
- biometric access control: An access control approach based on the use of a measurable human characteristic or trait to authenticate the identity of a proposed systems user (a supplicant).
- biometric lock: A lock that reads a unique biological attribute such as a fingerprint, iris, retina, or palm and then uses that input as a key.
- bit stream cipher: An encryption method that involves converting plaintext to ciphertext one bit at a time.
- blackout: A long-term interruption (outage) in electrical power availability.
- block cipher: An encryption method that involves dividing the plaintext into blocks or sets of bits and then converting the plaintext to ciphertext one block at a time.
- boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system’s hard drive or removable storage media.
- bot: An abbreviation of robot, an automated software program that executes certain commands when it receives a specific input. See also zombie.
- bottom-up approach: A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
- brownout: A long-term decrease in electrical power availability.
- brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.
- buffer overrun (or buffer overflow): An application error that occurs when more data is sent to a program buffer than it is designed to handle.
- build: A snapshot of a particular version of software assembled or linked from its component modules.
- build list: A list of the versions of components that make up a build.
- bull’s-eye model: A method for prioritizing a program of complex change; it requires that issues be addressed from the general to the specific and focuses on systematic solutions instead of individual problems.
- business continuity plan (BC plan): The documented product of business continuity planning; a plan that shows the organization’s intended efforts if a disaster renders the organization’s primary operating location unusable.
- business continuity planning (BCP): The actions taken by senior management to specify the organization’s efforts if a disaster renders the organization’s primary operating location unusable.
- business impact analysis (BIA): An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization’s core processes and recovery priorities.
- business resumption planning (BRP): In some organizations, the combined functions of DRP and BCP.
- capability table: A specification of an organization’s users, the information assets that users may access, and their rights and privileges for using the assets. Also known as user profiles or user policies.
- centralized IDPS control strategy: An IDPS implementation approach in which all control functions are implemented and managed in a central location.
- certificate authority (CA): In PKI, a third party that manages users’ digital certificates.
- certificate revocation list (CRL): In PKI, a published list of revoked or terminated digital certificates.
- certification: In information security, the comprehensive evaluation of an IT system’s technical and nontechnical security controls that establishes the extent to which a particular design and implementation meets a set of predefined security requirements, usually in support of an accreditation process.
- chain of custody: See chain of evidence.
- chain of evidence: The detailed documentation of the collection, storage, transfer, and ownership of evidence from the crime scene through its presentation in court.
- change control: A method of regulating the modification of systems within the organization by requiring formal review and approval for each change.
- chief information officer (CIO): An executive-level position that oversees the organization’s computing technology and strives to create efficiency in the processing and access of the organization’s information.
- chief information security officer (CISO): Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.
- C.I.A. triangle: The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
- cipher or cryptosystem: An encryption method or process encompassing the algorithm, key(s) or cryptovariable(s), and procedures used to perform encryption and decryption.
- ciphertext or cryptogram: The encoded message resulting from an encryption.
- civil law: A wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizations and people.
- clean agent: A fire suppression agent that does not leave any residue after use or interfere with the operation of electrical or electronic equipment.
- clean desk policy: An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every work day.
- clipping level: A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to notify an administrator.
- closed-circuit television (CCT): A video capture and recording system used to monitor a facility.
- code: The process of converting components (words or phrases) of an unencrypted message into encrypted components.
- cold site: An exclusive-use contingency strategy in which an organization leases a redundant facility without any systems, services, or equipment, requiring substantial purchases and effort to resume operations. Essentially, a cold site is an empty set of offices or rooms.
- command injection: An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
- communications security: The protection of all communications media, technology, and content.
- community of interest: A group of people who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
- competitive advantage: The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition.
- competitive intelligence: The collection and analysis of information about an organization’s business competitors through legal and ethical means to gain business intelligence and competitive advantage.
- computer forensics: The process of collecting, analyzing, and preserving computer-related evidence.
- computer security: In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.
- confidence value: The measure of an IDPS’s ability to correctly detect and identify certain types of attacks.
- confidentiality: An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
- configuration: A collection of components that make up a configuration item.
- configuration and change management (CCM): An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation.
- configuration item: A hardware or software item that will be modified and revised throughout its life cycle.
- configuration management (CM): See configuration and change management (CCM).
- configuration rules: The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.
- contact and weight sensor: An alarm sensor designed to detect increased pressure or contact at a specific location, such as a floor pad or a window.
- content filter: A network filter that allows administrators to restrict access to external content from within a network. Also known as a reverse firewall.
- contingency plan: The documented product of contingency planning; a plan that shows the organization’s intended efforts in reaction to adverse events.
- contingency planning (CP): The actions taken by senior management to specify the organization’s efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis.
- contingency planning management team (CPMT): The group of senior managers and project members organized to conduct and lead all CP efforts.
- control, safeguard, or countermeasure: A security mechanism, policy, or procedure that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.
- corporate governance: Executive management’s responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use.
- cost avoidance: The process of preventing the financial impact of an incident by implementing a control.
- cost-benefit analysis (CBA): Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
- covert channel: Unauthorized or unintended methods of communications hidden inside a computer system.
- cracker: A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
- cracking: Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software. See cracker.
- criminal law: Law that addresses activities and conduct harmful to society, and is actively enforced by the state. Law can also be categorized as private or public.
- crisis management: The set of actions taken by an organization in response to an emergency to minimize injury or loss of life, preserve the organization’s image and market share, and complement its disaster recovery and business continuity processes.
- crossover error rate (CER): In biometric access controls, the level at which the number of false rejections equals the false acceptances. Also known as the equal error rate.
- cross-site scripting (XSS): A Web application fault that occurs when an application running on a Web server inserts commands into a user’s browser session and causes information to be sent to a hostile server.
- cryptanalysis: The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption.
- cryptography: The process of making and using codes to secure the transmission of information.
- cryptology: The science of encryption, which encompasses cryptography and cryptanalysis.
- cultural mores: The fixed moral attitudes or customs of a particular group.
- cyberactivist: See hacktivist.
- cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.
- cyberwarfare: Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.
- data: Items of fact collected by an organization. Data includes raw numbers, facts, and words. Student quiz scores are a simple example of data.
- data classification scheme: A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
- data custodians: People who are responsible for the storage, maintenance, and protection of information.
- data owners: People who own the information and thus determine the level of classification for their data and approve its access authorization.
- data security: Commonly used as a surrogate for information security, data security is the focus of protecting data or information in its various states—at rest (in storage), in processing, and in transmission (over networks).
- data users: People who work with the information to perform their daily jobs and support the mission of the organization.
- database security: A subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.
- database shadowing: An improvement to the process of remote journaling, in which databases are backed up in near-real time to multiple servers at both local and remote sites.
- de facto standard: A standard that has been widely adopted or accepted by a public group rather than a formal standards organization. Contrast with a de jure standard.
- de jure standard: A standard that has been formally evaluated, approved, and ratified by a formal standards organization. Contrast with a de facto standard.
- decipher: To decrypt, decode, or convert ciphertext into the equivalent plaintext.
- decrypt: See decipher.
- defense control strategy: The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
- defense in depth: A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
- deliverable: A completed document or program module that can either serve as the beginning point for a later task or become an element in the finished project.
- delta conversion online UPS: An uninterruptible power supply (UPS) that is similar to a double conversion online UPS except that it incorporates a delta transformer, which assists in powering the inverter while outside power is available.
- deluge system: A fire suppression sprinkler system that keeps all individual sprinkler heads open and applies water to all areas when activated.
- demilitarized zone (DMZ): An intermediate area between two networks designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network. Traffic on the outside network carries a higher level of risk.
- denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target’s ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
- dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target’s personal information.
- difference analysis: A procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline of systems and services).
- differential backup: The archival of all files that have changed or been added since the last full backup.
- Diffie-Hellman key exchange: A hybrid cryptosystem that facilitates exchanging private keys using public-key encryption.
- digital certificates: Public-key container files that allow PKI system components and end users to validate a public key and identify its owner.
- digital forensics: The application of forensics techniques and methodologies to the preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root-cause analysis.
- digital malfeasance: A crime against or using digital media, computer technology, or related components.
- Digital Signature Standard (DSS): The NIST standard for digital signature algorithm usage by federal information systems. DSS is based on a variant of the ElGamal signature scheme.
- digital signatures: Encrypted message components that can be mathematically proven as authentic.
- direct changeover: The conversion strategy that involves stopping the old system and starting the new one without any overlap.
- disaster: An adverse event that could threaten the viability of the entire organization. A disaster may either escalate from an incident or be initially classified as a disaster.
- disaster recovery plan (DR plan): The documented product of disaster recovery planning; a plan that shows the organization’s intended efforts in the event of a disaster.
- disaster recovery planning (DRP): The actions taken by senior management to specify the organization’s efforts in preparation for and recovery from a disaster.
- discretionary access controls (DACs): Controls that are implemented at the discretion or option of the data user.
- disk duplexing: Disk mirroring in which each drive has its own controller to provide additional redundancy.
- disk mirroring: A RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails.
- disk striping: A RAID implementation (typically referred to as RAID Level 0) in which one logical volume is created by storing data across several available hard drives in segments called stripes.
- distributed denial-of-service (DDoS) attack: A DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.
- Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations. Also known as DNS spoofing.
- double conversion online UPS: A UPS in which the protected device draws power from an output inverter. The inverter is powered by the UPS battery, which is constantly recharged from the outside power.
- downtime: The percentage of time a particular service is not available; the opposite of uptime.
- dry-pipe system: A fire suppression sprinkler system that has pressurized air in all pipes. The air is released in the event of a fire, allowing water to flow from a central area.
- due care: The legal standard that requires a prudent organization and its employees to act legally and ethically and know the consequences of their actions. Also referred to as the standard of due care.
- due diligence: Considered a subset of the standard of due care, the legal standard that requires a prudent organization and its employees to maintain the standard of due care and ensure that their actions are effective. Also referred to as the standard of due diligence.
- dumb card: An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.
- dumpster diving: An information attack that involves searching through a target organization’s trash and recycling bins for sensitive information.
- dynamic filtering: A firewall type that can react to an adverse event and update or create its configuration rules to deal with that event.
- electromagnetic radiation (EMR): The transmission of radiant energy through space, commonly referred to as radio waves.
- electromechanical lock: A lock that can accept a variety of inputs as keys, including magnetic strips on ID cards, radio signals from name badges, personal identification numbers (PINs) typed into a keypad, or some combination of these to activate an electrically powered locking mechanism.
- electronic vaulting: The transfer of large batches of data to an off-site facility, typically during off-peak hours.
- electrostatic discharge (ESD): The release of ambient static electricity into a ground.
- encapsulating security payload (ESP) protocol: In IPSec, a protocol that provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification.
- encipher: To encrypt, encode, or convert plaintext into the equivalent ciphertext.
- encrypt: See encipher.
- enterprise information security policy (EISP): The high-level security policy that is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
- enticement: The act of attracting attention to a system by placing tantalizing information in key locations.
- entrapment: The act of luring a person into committing a crime in order to get a conviction.
- ethics: Codes or principles of an individual or group that regulate and define acceptable behavior.
- evasion: The process by which attackers change the format and/or timing of their activities to avoid being detected by an IDPS.
- event: Any occurrence within the organization’s operational environment.
- evidence: A physical object or documented information that proves an action occurred or identifies the intent of a perpetrator.
- evidentiary material (EM): Any item or information that applies to an organization’s legal or policy-based case; also known as an item of potential evidentiary value.
- exclusive OR operation (XOR): A function within Boolean algebra used as an encryption function in which two bits are compared. If the two bits are identical, the result is a binary 0; otherwise, the result is a binary 1.
- exit interview: A meeting with an employee who is leaving the organization to remind the employee of contractual obligations, such as nondisclosure agreements, and to obtain feedback about the employee’s tenure.
- expert hacker: A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information. Also known as elite hackers, expert hackers often create automated exploits, scripts, and tools used by other hackers.
- exploit: A technique used to compromise a system; a vulnerability that can be used to cause a loss to an asset.
- exposure: A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
- exposure factor (EF): In a cost-benefit analysis, the expected percentage of loss that would occur from a particular attack.
- external monitoring domain: The component of the maintenance model that focuses on evaluating external threats to the organization’s information assets.
- extranet: A segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
- facilities management: The aspect of organizational management focused on the development and maintenance of its buildings and physical infrastructure.
- fail-safe lock: An electromechanical device that automatically releases the lock protecting a control point if a power outage occurs. This type of lock is used for fire safety locations.
- fail-secure lock: An electromechanical device that stays locked and maintains the security of the control point if a power outage occurs.
- false accept rate: In biometric access controls, the percentage of identification instances in which unauthorized users are allowed access. Also known as a Type II error.
- false attack stimulus: An event that triggers an alarm when no actual attack is in progress. Scenarios that test the configuration of IDPSs may use false attack stimuli to determine if the IDPSs can distinguish between these stimuli and real attacks.
- false negative: The failure of an IDPS to react to an actual attack event. This is the most grievous IDPS failure, given that its purpose is to detect and respond to attacks.
- false positive An alert or alarm that occurs in the absence of
- an actual attack. A false positive can sometimes be produced
- when an IDPS mistakes normal system activity for an attack.
- False positives tend to make users insensitive to alarms and
- thus reduce their reactions to actual intrusion events.
- false reject rate In biometric access controls, the percentage
- of identification instances in which authorized users are
- denied access. Also known as a Type I error.
- fault A short-term interruption in electrical power
- availability.
- fingerprinting The systematic survey of a targeted organiza-
- tion’s Internet addresses collected during the footprinting
- phase to identify the network services offered by the hosts in
- that range.
- fire suppression systems Devices that are installed and
- maintained to detect and respond to a fire, potential fire, or
- combustion danger.
- firewall In information security, a combination of hardware
- and software that filters or prevents specific information from
- moving between the outside network and the inside network.
- Each organization defines its own firewall.
- fixed-temperature sensor A fire detection sensor that works
- by detecting the point at which the ambient temperature in an
- area reaches a predetermined level.
- flame detector A fire detection system that works by detect-
- ing the infrared or ultraviolet light produced by an open
- flame.
- footprinting The organized research of Internet addresses
- owned or controlled by a target organization.
- forensics The coherent application of methodical investiga-
- tory techniques to present evidence of crimes in a court or
- similar setting.
- full backup A complete backup of the entire system, includ-
- ing all applications, operating systems components, and data.
- fully distributed IDPS control strategy An IDPS implemen-
- tation approach in which all control functions are applied at
- the physical location of each IDPS component.
- gap analysis The process of comparing measured results
- against expected results, then using the resulting “gap” as a
- measure of project success and as feedback for project
- management.
- gaseous (or chemical gas) emission systems Fire suppres-
- sion systems that operate through the delivery of gases rather
- than water.
- goals Sometimes used synonymously with objectives; the
- desired end of a planning cycle.
- governance The set of responsibilities and practices exercised
- by the board and executive management with the goal of
- providing strategic direction, ensuring that objectives are
- achieved, ascertaining that risks are managed appropriately
- and verifying that the enterprise’s resources are used
- responsibly.
- ground fault circuit interruption A special circuit device
- designed to immediately disconnect a power supply when a
- sudden discharge (ground fault) is detected.
- guidelines Within the context of information security, a set of recommended actions to assist an organizational stakeholder in complying with policy.
- hacker A person who accesses systems and information without authorization and often illegally.
- hacktivist A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
- hash algorithms Publicly known, unkeyed functions that create a hash value, also known as a message digest, by converting variable-length messages into a single fixed-length value. To be useful for security, a hash algorithm must be one-way (it is infeasible to recover a message from its digest) and collision resistant (it is infeasible to find two messages with the same digest).
- hash functions Mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm message identity and integrity.
- hash value See message digest.
- hierarchical roster An alert roster in which the first person calls a few other people on the roster, who in turn call others. This method typically uses the organizational chart as a structure.
- honeynet A collection of honeypot systems on a subnet.
- honeypots Decoy systems designed to lure potential attackers away from critical systems. Also known as decoys, lures, and flytraps.
- host-based IDPS (HIDPS) An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.
- hot site An exclusive-use contingency strategy in which an organization leases a redundant facility complete with all systems, services, and equipment needed to resume operations with minimal delay.
- hot swap A hard drive feature that allows individual drives to be replaced without causing a fault and without powering down the entire system.
- humidity The amount of moisture in the air.
- hybrid VPN A combination of trusted and secure VPN implementations.
- identification The access control mechanism whereby unverified entities or supplicants who seek access to a resource provide a label by which they are known to the system.
- identification (ID) card A document used to verify the identity of a member of an organization, group, or domain.
- identity theft The unauthorized taking of personally identifiable information with the intent of committing fraud and abuse of a person’s financial and personal reputation, purchasing goods and services without authorization, and generally impersonating the victim for illegal or unethical purposes.
- incident An adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization.
- incident candidate An adverse event that has strong potential to meet the criteria to become an incident.
- incident classification The process of examining an incident candidate and determining whether it constitutes an actual incident.
- incident damage assessment The rapid determination of how seriously a breach of confidentiality, integrity, and availability affected information and information assets during an incident or just following one.
- incident response plan (IR plan) The documented product of incident response planning; a plan that shows the organization’s intended efforts in the event of an incident.
- incident response planning (IRP) The actions taken by senior management to specify the organization’s processes and procedures to anticipate, detect, and mitigate the effects of an incident.
- incremental backup A backup that archives only the files that have been modified since the previous backup, whether that backup was full or incremental; restoring therefore requires the last full backup plus every incremental backup taken since it.
- industrial espionage The collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, which is distinguished from espionage for national security reasons.
- information Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness. For example, a student’s class average can be presented in the context of its value, as in “90 = A.”
- information aggregation Pieces of nonprivate data that, when combined, may create information that violates privacy. Not to be confused with aggregate information.
- information asset The focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
- information assurance The affirmation or guarantee of the confidentiality, integrity, and availability of information in storage, processing, and transmission. This term is often used synonymously with information security.
- information extortion The act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion.
- information security Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
- information security blueprint The basis for all security program elements; a scalable, upgradeable, comprehensive plan to meet the organization’s current and future information security needs.
- information security framework An outline or structure of the organization’s overall information security strategy that is used as a road map for planned changes to its information security environment; often developed as an adaptation or adoption of a popular methodology, like NIST’s security approach or the ISO 27000 series.
- information security governance The application of the principles of corporate governance to the information security function.
- information security model An established information security framework, often popular among other organizations and backed by a recognized security agency, with exemplar details an organization may want to emulate in creating its own framework and blueprint.
- information security policy A set of rules that protects an organization’s information assets.
- information system (IS) The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
- inline sensor An IDPS sensor placed so that network traffic passes through it, which lets it block traffic as well as report on it; intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall. Because it sits in the traffic path, a failed or overloaded inline sensor can itself become an availability problem.
- integer bug A class of computational error caused by the fixed-width way computers store and manipulate integers: overflow or underflow when a result leaves the representable range, truncation when a wide value is stored in a narrower type, and misinterpretation when a value is converted between signed and unsigned. Attackers exploit these errors, for example to pass a length or bounds check with a value that later drives an oversized memory copy.
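- Added example (not from the glossary): the length-check bypass described above, written in Python. Python integers never overflow, so the helper u32() masks results to 32 bits to mimic a C uint32_t; the buffer size, offset, and length values and the function names are constructed for this demonstration.

```python
"""Integer-bug demo: a C-style bounds check defeated by 32-bit wraparound.

Added example, not from the glossary. Python integers do not overflow, so
u32() reduces results modulo 2**32 to mimic arithmetic on a C uint32_t.
"""

U32_MAX = 0xFFFFFFFF


def u32(x: int) -> int:
    """Reduce x modulo 2**32, the way a C uint32_t addition wraps."""
    return x & U32_MAX


def vulnerable_bounds_ok(buf_size: int, offset: int, length: int) -> bool:
    """Typical buggy check, in C: `if (offset + length > buf_size) reject;`

    The sum is computed in 32-bit arithmetic, so an attacker-chosen large
    length wraps to a small value and the check passes although the later
    copy of `length` bytes runs far past the buffer.
    """
    return u32(offset + length) <= buf_size


def hardened_bounds_ok(buf_size: int, offset: int, length: int) -> bool:
    """Correct check: never add two attacker-controlled values; compare the
    length against the room that remains, a subtraction that cannot wrap
    once offset <= buf_size has been established."""
    if offset > buf_size:
        return False
    return length <= buf_size - offset


def signed8(x: int) -> int:
    """Interpret the low 8 bits of x as a C signed char (two's complement)."""
    x &= 0xFF
    return x - 0x100 if x & 0x80 else x


def demo() -> dict:
    buf_size = 0x100          # constructed: a 256-byte buffer
    offset = 0x10             # constructed: attacker-controlled offset
    length = 0xFFFFFFF8       # constructed: attacker-controlled length; 0x10 + this wraps to 8
    return {
        "wrapped_sum": u32(offset + length),
        "vulnerable_accepts": vulnerable_bounds_ok(buf_size, offset, length),
        "hardened_accepts": hardened_bounds_ok(buf_size, offset, length),
        # signedness bug: a length byte of 0xC8 (200) read as a signed char
        # is -56, so `if (len < MAX)` passes while the unsigned copy uses 200
        "signed_view_of_200": signed8(200),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

- The hardened form is the pattern to look for in review: a check written as `a + b > limit` on attacker-influenced values is suspect in any fixed-width language, while `b > limit - a` (after confirming `a <= limit`) cannot wrap.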
- integrity An attribute of information that describes how data is whole, complete, and uncorrupted.
- intellectual property (IP) The creation, ownership, and control of original ideas as well as the representation of those ideas.
- internal monitoring domain The component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization.
- Internet Protocol Security (IPSec) An open-standard protocol suite, defined by the IETF, for securing IP traffic within the TCP/IP family of protocol standards; it provides authentication, integrity, and optional confidentiality at the network layer. (It is a standard rather than an open-source product; many implementations, both open and proprietary, exist.)
- Internet vulnerability assessment An assessment approach designed to find and document vulnerabilities that may be present in the organization’s public network.
- intranet vulnerability assessment An assessment approach designed to find and document selected vulnerabilities that are likely to be present on the organization’s internal network.
- intrusion An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.
- intrusion detection and prevention system (IDPS) The general term for both intrusion detection systems and intrusion prevention systems.
- intrusion detection system (IDS) A system capable of automatically detecting an intrusion into an organization’s networks or host systems and notifying a designated authority.
- intrusion prevention system (IPS) An IDS system capable of automatically responding to a detected intrusion and preventing it from successfully attacking the organization by means of an active response.
- ionization sensor A fire detection sensor that works by exposing the ambient air to a small amount of a harmless radioactive material within a detection chamber; an alarm is triggered when the level of electrical conductivity changes within the chamber.
- issue-specific security policy (ISSP) Commonly referred to as a fair and responsible use policy; a policy designed to control constituents’ use of a particular resource, asset, or activity, and provided to support the organization’s goals and objectives.
- jailbreaking Escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS smartphones). See also rooting.
- job rotation The requirement that every employee be able to perform the work of another employee. Also known as task rotation.
- jurisdiction A court’s right to hear a case if a wrong is committed in its territory or involves its citizenry.
- Kerberos A network authentication system in which a trusted central server, the Key Distribution Center (KDC), issues tickets protected with symmetric-key encryption; a user presents these tickets to validate their identity to various network resources without sending a password to each one.
- key or cryptovariable The information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext. The key can be a series of bits used by a computer program, or it can be a passphrase used by people that is then converted into a series of bits used by a computer program.
- keyspace The entire range of values that can be used to construct an individual key.
- knowledge-based detection See signature-based detection.
- known vulnerability A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.
- lattice-based access control (LBAC) An access control approach that uses a matrix or lattice of subjects (users and systems needing access) and objects (resources) to assign privileges. LBAC is an example of an NDAC.
- laws Rules that mandate or prohibit certain behavior and are enforced by the state.
- least privilege The principle of ensuring that no unnecessary access exists; employees, and the processes and systems that act on their behalf, are able to perform only the minimum operations necessary on the minimum set of data needed for their work.
- liability The legal obligation of an entity that extends beyond criminal or contract law.
- likelihood The probability that a specific vulnerability within an organization will be the target of an attack.
- line-interactive UPS A UPS in which a pair of inverters and converters draw power from the outside source both to charge the battery and provide power to the internal protected device.
- link encryption A series of encryptions and decryptions between a number of systems, wherein each system in a network decrypts the message sent to it and then reencrypts the message using different keys and sends it to the next neighbor. This process continues until the message reaches the final destination.
- log file monitor (LFM) An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.
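- Added example (not from the glossary): a minimal log file monitor in Python that applies one brute-force login signature to constructed SSH-style auth log lines. The log lines, the "five failures within 60 seconds" threshold, the assumed year 2024 (syslog lines carry none), and the function names are all assumptions of this example.

```python
"""Log file monitor: brute-force login signature over sample log lines.

Added example, not from the glossary. SAMPLE_LOG is constructed in the
style of an OpenSSH auth log; thresholds are arbitrary.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:03 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:00:04 host sshd[2201]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:00:06 host sshd[2201]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar  3 10:00:07 host sshd[2201]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:00:09 host sshd[2202]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar  3 10:01:30 host sshd[2203]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:00 host sshd[2204]: Accepted publickey for bob from 198.51.100.9 port 40001 ssh2
"""

# Pattern for the two sshd events the signature cares about; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60):
    """Signature: at least `threshold` failures from one IP inside a sliding
    `window_s`-second window, and (more serious) a success from that IP
    after such a burst. Returns the alerts raised, in log order."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        if result == "Failed":
            failures[ip].append(ts)
            # drop failures that have aged out of the window
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            if len(failures[ip]) == threshold:          # alert once, when the burst crosses the line
                alerts.append(("bruteforce", ip, ts))
        elif result == "Accepted" and len(failures[ip]) >= threshold:
            alerts.append(("success_after_bruteforce", ip, ts, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

- The second alert type is the one an analyst should triage first: a success following a burst of failures from the same source is a strong indicator that a guessed credential worked, whereas the burst alone may only be noise from an Internet-wide scanner.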
- long-arm jurisdiction The application of laws to people currently residing outside a court’s normal jurisdiction, usually granted when a person performs an illegal action within the court’s jurisdiction and then leaves.
- loss A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.
- loss frequency The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range.
- loss magnitude Also known as event loss magnitude, the combination of an asset’s value and the percentage of it that might be lost in an attack.
- MAC layer firewall A firewall designed to operate at the media access control sublayer of the network’s data link layer (Layer 2).
- macro virus A type of virus written in a specific macro language to target applications that use the language. The virus is activated when the application’s product is opened. A macro virus typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.
- mail bomb An attack designed to overwhelm the receiver with excessive quantities of e-mail.
- maintenance hook See back door.
- major release A significant revision of a version from its previous state.
- malicious code See malware.
- malicious software See malware.
- malware Computer software specifically designed to perform malicious or unwanted actions.
- managerial controls Information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization’s security administration. These safeguards include governance and risk management.
- managerial guidance SysSP A systems-specific security policy that expresses management’s intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective.
- mandatory access control (MAC) An access control approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users. MAC is an example of an LBAC approach.
- man-in-the-middle A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner. Some man-in-the-middle attacks involve encryption functions.
- mantrap A small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt.
- maximum tolerable downtime (MTD) The total amount of time the system owner or authorizing official is willing to accept for a mission/business process outage or disruption, including all impact considerations.
- McCumber Cube A graphical representation of the architectural approach widely used in computer and information security; commonly shown as a cube composed of 3 × 3 × 3 cells, similar to a Rubik’s Cube.
- mean time between failure (MTBF) The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
- mean time to diagnose (MTTD) The average amount of time a computer repair technician needs to determine the cause of a failure.
- mean time to failure (MTTF) The average amount of time until the next hardware failure.
- mean time to repair (MTTR) The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
- mechanical lock A physical lock that may rely on either a key or numerical combination to rotate tumblers and release the hasp. Also known as a manual lock.
- memory-resident virus A virus that is capable of installing itself in a computer’s operating system, starting when the computer is activated, and residing in the system’s memory even after the host application is terminated. Also known as a resident virus.
- message authentication code (MAC) A key-dependent, one-way hash function whose output (the tag) can be computed and verified only by holders of the shared symmetric key; it confirms both that a message was not altered and that it came from a key holder. A MAC does not provide nonrepudiation, because any key holder, including the recipient, could have produced the tag.
- message digest A value representing the application of a hash algorithm on a message that is transmitted with the message so it can be compared with the recipient’s locally calculated hash of the same message. If both hashes are identical after transmission, the message has arrived without modification. Also known as a hash value. A bare digest protects only against accidental change: an attacker who alters the message can simply recompute the digest, so the digest must be protected by a MAC, a digital signature, or a trusted out-of-band channel to detect deliberate tampering.
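- Added example (not from the glossary), covering the hash function, message digest, and message authentication code entries: a bare SHA-256 digest beside an HMAC-SHA256 tag, using only the Python standard library. The messages, the key, and the function names are constructed for this demonstration.

```python
"""Message digest versus message authentication code (MAC).

Added example, not part of the glossary. Standard library only; the
messages and key are constructed for the demo.
"""
import hashlib
import hmac
import os


def digest(message: bytes) -> bytes:
    """Unkeyed SHA-256 message digest: anyone, including an attacker, can compute it."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: only holders of the shared secret key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_digest(message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the digest and compares it with the one received."""
    return hmac.compare_digest(digest(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the MAC with the shared key and compares.

    compare_digest() runs in constant time, so an attacker cannot learn from
    response timing how many leading bytes of a guessed tag were correct.
    """
    return hmac.compare_digest(mac(key, message), tag)


def tamper_scenario(key: bytes) -> dict:
    """The sender protects a message with (a) a bare digest and (b) a MAC.
    An on-path attacker rewrites the message and recomputes what it can."""
    original = b"PAY 100 TO alice"          # constructed
    forged = b"PAY 999 TO mallory"          # constructed

    attacker_digest = digest(forged)        # no key needed: trivially recomputed
    attacker_mac_guess = mac(b"", forged)   # attacker lacks the key; any guess is wrong

    return {
        # the bare digest matches the forged message, so tampering goes unnoticed
        "digest_detects_tampering": not verify_digest(forged, attacker_digest),
        # the MAC does not match, because the forger could not compute it
        "mac_detects_tampering": not verify_mac(key, forged, attacker_mac_guess),
        # the unmodified message still verifies under both mechanisms
        "original_verifies": verify_digest(original, digest(original))
        and verify_mac(key, original, mac(key, original)),
    }


if __name__ == "__main__":
    print(tamper_scenario(os.urandom(32)))
```

- HMAC is preferred over the naive construction hash(key || message) because the latter is subject to length-extension attacks with Merkle-Damgård hashes such as SHA-256; HMAC's nested keyed construction is not.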
- methodology A formal approach to solving a problem based on a structured sequence of procedures.
- metrics-based measures Performance measures or metrics based on observed numerical data.
- milestone A specific point in the project plan when a task that has a noticeable impact on the plan’s progress is complete.
- minor release (update or patch) A minor revision of a version from its previous state.
- minutiae In biometric access controls, unique points of reference that are digitized and stored in an encrypted format when the user’s system access credentials are created.
- misuse detection See signature-based detection.
- mitigation control strategy The risk control strategy that attempts to reduce the impact of a successful attack through planning and preparation.
- modem vulnerability assessment An assessment approach designed to find and document any vulnerability on dial-up modems connected to the organization’s networks.
- monitoring port Also known as a Switched Port Analyzer (SPAN) port or mirror port, a specially configured connection on a network device that receives a copy of all the traffic that moves through the device, so that a sensor attached to it can observe traffic without being in the forwarding path.
- monoalphabetic substitution A substitution cipher that only incorporates a single alphabet in the encryption process.
- motion detector An alarm sensor designed to detect movement within a defined space.
- mutual agreement A contractual relationship between two or more organizations that specifies how each will assist the other in the event of a disaster; unaffected organizations are required to provide any needed resources to maintain the organization affected by the disaster.
- name badge An identification card typically worn in a visible location to quickly verify an authorized member.
- need to know The requirement that an employee only has access to information necessary for performing his or her own work.
- Network Address Translation (NAT) A method of mapping valid external IP addresses to special ranges of nonroutable internal IP addresses, known as private addresses, on a one-to-one basis.
- network-based IDPS (NIDPS) An IDPS that resides on a computer or appliance connected to a segment of an organization’s network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
- network security A subset of communications security; the protection of voice and data networking components, connections, and content.
- noise The presence of additional and disruptive signals in network communications or electrical power delivery. For an IDPS, unsuccessful attacks and other alarm events that are accurate and noteworthy but do not pose significant threats to information security.
- nondiscretionary access controls (NDACs) A strictly enforced version of MACs that are managed by a central authority in the organization and can be based on an individual user’s role or a specified set of tasks.
- non-memory-resident virus A virus that terminates after it has been activated, infected its host system, and replicated itself. NMR viruses do not reside in an operating system or memory after executing. Also known as a non-resident virus.
- nonrepudiation The assurance that the sender of a message cannot later deny having sent it (and, in some schemes, that the recipient cannot deny having received it). It is provided by digital signatures: the sender signs with a private key that only the sender holds, and anyone can verify the signature with the matching public key, so a valid signature is evidence that only the sender could have produced. Symmetric mechanisms such as MACs cannot provide it, because the verifier shares the key and could have created the tag.
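- Added example (not from the glossary): textbook RSA sign-then-verify in Python, placed beside an HMAC, to show why only the signature gives nonrepudiation. The primes are hard-coded Mersenne primes so the block runs offline without a cryptography library; this key, the raw unpadded signature, the shared MAC key, and the message texts are assumptions of the demonstration and are not secure for real use.

```python
"""Nonrepudiation: digital signature versus MAC.

Added example, not from the glossary. The RSA key is built from two
hard-coded primes so the block runs offline; it is a textbook
illustration only (no padding, structured primes). Real systems use a
vetted library with RSA-PSS or Ed25519 and properly generated keys.
"""
import hashlib
import hmac

# Constructed key material: 2**521 - 1 and 2**607 - 1 are Mersenne primes.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q                              # public modulus (about 1128 bits)
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)

SHARED_MAC_KEY = b"constructed-shared-key-alice-and-bob"


def _digest_int(message: bytes) -> int:
    """Hash-then-sign: the signature is computed over the SHA-256 digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Produce a signature; only the holder of the private exponent d can."""
    return pow(_digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the public key (e, n) can verify; nobody else can forge."""
    return pow(signature, e, n) == _digest_int(message) % n


def mac(message: bytes, key: bytes = SHARED_MAC_KEY) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(message: bytes, tag: bytes, key: bytes = SHARED_MAC_KEY) -> bool:
    return hmac.compare_digest(mac(message, key), tag)


def nonrepudiation_scenario() -> dict:
    """Alice signs and MACs a commitment; Bob, the recipient, then tries to
    manufacture evidence of a different commitment."""
    alice_msg = b"I, Alice, agree to pay 100."     # constructed
    bob_claim = b"I, Alice, agree to pay 999."     # constructed

    alice_sig = sign(alice_msg)
    alice_tag = mac(alice_msg)

    # Bob holds only the public key (E, N); exponentiating with E is the best
    # he can do, and it is not a valid signature under D.
    bob_forged_sig = pow(_digest_int(bob_claim), E, N)

    # Bob holds the shared MAC key, so he can tag any message, and a third
    # party cannot distinguish his tag from one Alice made.
    bob_forged_tag = mac(bob_claim)

    return {
        "alice_signature_verifies": verify(alice_msg, alice_sig),
        "signature_rejects_altered_message": not verify(bob_claim, alice_sig),
        "bob_cannot_forge_signature": not verify(bob_claim, bob_forged_sig),
        "alice_mac_verifies": verify_mac(alice_msg, alice_tag),
        "bob_can_forge_mac": verify_mac(bob_claim, bob_forged_tag),
    }


if __name__ == "__main__":
    for key, value in nonrepudiation_scenario().items():
        print(f"{key}: {value}")
```

- The last two results are the point: the MAC verifies, but so does Bob's forgery, so a MAC proves to Bob that Alice (or Bob himself) sent the message and proves nothing to a judge. The signature can be checked by anyone yet produced only by Alice.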
- novice hacker A relatively unskilled hacker who uses the work of expert hackers to perform attacks. Also known as a neophyte, n00b, or newbie. This category of hackers includes script kiddies and packet monkeys.
- objectives Sometimes used synonymously with goals; the intermediate states obtained to achieve progress toward a goal or goals.
- operational controls Information security safeguards focusing on lower-level planning that deals with the functionality of the organization’s security. These safeguards include disaster recovery and incident response planning.
- operational feasibility An assessment of user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
- operational plan The documented product of operational planning; a plan for the organization’s intended operational efforts on a day-to-day basis for the next several months.
- operational planning The actions taken by management to specify the short-term goals and objectives of the organization in order to obtain specified tactical goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.
- organizational feasibility An assessment of how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization.
- packet-filtering firewall Also referred to as a filtering firewall, a networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.
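- Added example (not from the glossary): a first-match packet filter in Python that decides on header fields only (source, destination, protocol, destination port) with a default-deny policy. The rule set, addresses, and packets are constructed, and the Packet and Rule classes are this example's own, not any product's configuration format.

```python
"""Packet-filtering firewall: first-match rule evaluation on header fields.

Added example, not from the glossary. Rules, addresses, and packets are
constructed; only the standard library is used.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", or "icmp"
    dport: int = 0      # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        # Only header fields are inspected: no payload, no session state.
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Evaluated top to bottom; the first match decides, so ordering is part of the policy.
RULES: List[Rule] = [
    Rule("deny", src="10.0.0.0/8"),                               # anti-spoofing: private source on the outside
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),   # HTTPS to the web server
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),    # HTTP to the web server
    Rule("deny", dst="192.0.2.0/24", proto="tcp", dport=22),      # explicit: no inbound SSH
]
DEFAULT_ACTION = "deny"   # anything not explicitly allowed is dropped


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule, or None when the default applied)."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return DEFAULT_ACTION, None


# Constructed inbound packets for the demonstration.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # allowed by rule 1
    Packet("10.0.0.5", "192.0.2.10", "tcp", 443),      # spoofed private source: rule 0 wins over rule 1
    Packet("203.0.113.5", "192.0.2.10", "tcp", 22),    # explicitly denied by rule 3
    Packet("203.0.113.5", "192.0.2.10", "udp", 53),    # no matching rule: default deny
]


def run_demo() -> List[Tuple[str, Optional[int]]]:
    return [filter_packet(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p, (action, idx) in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {action} (rule {idx})")
```

- Two properties of this filter are worth noting when reading real rule sets: it is stateless, so it cannot tell whether a packet belongs to an established connection (a stateful firewall adds that), and a permissive rule placed above a restrictive one silently defeats the restriction, which is why the anti-spoofing deny sits first.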
- packet monkey A script kiddie who uses automated exploits to engage in denial-of-service attacks.
- packet sniffer A software program or hardware appliance that can intercept, copy, and interpret network traffic. Also known as a network protocol analyzer.
- padded cell system A protected honeypot that cannot be easily compromised.
- parallel operations The conversion strategy that involves running the new system concurrently with the old system.
- partially distributed IDPS control strategy An IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies.
- passive mode An IDPS sensor setting in which the device simply monitors and analyzes observed network traffic.
- passive vulnerability scanner A scanner that listens in on a network and identifies vulnerable versions of both server and client software.
- passphrase An authentication component that consists of an expression known only to the user, from which a virtual password is derived. See also virtual password.
- password An authentication component that consists of a private word or combination of characters that only the user should know.
- pen register An application that records information about outbound communications.
- penetration tester An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
- penetration testing A set of security tests and evaluations that simulate attacks by a hacker or other malicious external source.
- performance gap The difference between an organization’s observed and desired performance.
- permutation cipher See transposition cipher.
- personally identifiable information (PII) Information about a person’s history, background, and attributes that can be used to commit identity theft. This information typically includes a person’s name, address, Social Security number, family information, employment history, and financial information.
- pharming The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information. Unlike phishing, it needs no action by the victim, because the attacker corrupts name resolution itself (for example, by poisoning a DNS cache or modifying a hosts file).
- phased implementation The conversion strategy that involves a measured rollout of the planned system; only part of the system is brought out and disseminated across an organization before the next piece is implemented.
- phishing A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail) that contains a link to an attacker-controlled site, a malicious attachment, or hidden or embedded code that redirects the reply to a third-party site, in an effort to extract personal or confidential information.
- photoelectric sensor A fire detection sensor that works by projecting an infrared beam across an area. If the beam is interrupted, presumably by smoke, the alarm or suppression system is activated.
- phreaker A hacker who manipulates the public telephone system to make free calls or disrupt services.
- physical security The protection of physical items, objects, or areas from unauthorized access and misuse.
- pilot implementation The conversion strategy that involves implementing the entire system into a single office, department, or division, and dealing with issues that arise before expanding to the rest of the organization.
- plaintext or cleartext The original unencrypted message, or a message that has been successfully decrypted.
- planning and risk assessment domain The component of the maintenance model that focuses on identifying and planning ongoing information security activities and identifying and managing risks introduced through IT information security projects.
- platform security validation (PSV) An assessment approach designed to find and document vulnerabilities that may be present because misconfigured systems are used within the organization.
- plenum A space between the ceiling in one level of a commercial building and the floor of the level above. The plenum is used for air return.
- policy A set of principles or courses of action from an organization’s senior management intended to guide decisions, actions, and duties of constituents.
- policy administrator An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.
- political feasibility An assessment of which controls can and cannot occur based on the consensus and relationships among communities of interest.
- polyalphabetic substitution A substitution cipher that incorporates two or more alphabets in the encryption process.
- polymorphic threat Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
- Port Address Translation (PAT) A method of mapping a single valid external IP address to special ranges of nonroutable internal IP addresses, known as private addresses, on a one-to-many basis, using port addresses to facilitate the mapping.
- port scanners Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information. Port scanners are also known as port scanning utilities.
- possession An attribute of information that describes how the data’s ownership or control is legitimate or authorized.
- practices Within the context of information security, exemplary actions that an organization identifies as ideal and seeks to emulate. These actions are typically employed by other organizations.
- pre-action system A fire suppression sprinkler system that employs a two-phase response to a fire. When a fire is detected anywhere in the facility, the system will first flood all pipes, then activate only the sprinkler heads in the area of the fire.
- predecessors Tasks or action steps that come before the specific task at hand.
- pretexting A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target’s identity, but the real object is to trick the target into revealing confidential information. Pretexting is commonly performed by telephone.
- privacy In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality.
- Privacy-Enhanced Mail (PEM) A standard proposed by the Internet Engineering Task Force (IETF) that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.
- private-key encryption or symmetric encryption An encryption method that incorporates mathematical operations involving the same secret key both to encipher and decipher the message.
- private law Law that encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations.
- privilege escalation An attack in which a user or process gains rights beyond those it was granted, typically by exploiting a vulnerability or misconfiguration. Vertical escalation raises an ordinary account to administrator or root control over system resources; horizontal escalation lets one account act as another account of the same level.
- procedures Within the context of information security, a set of steps an organization’s stakeholders must follow to perform a specified action or accomplish a defined task.
- process-based measures Performance measures or metrics based on intangible activities.
- professional hacker A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government. Not to be confused with a penetration tester.
- project plan The documented instructions for participants and stakeholders of a project that provide details on goals, objectives, tasks, scheduling, and resource management.
- project scope A description of a project’s features, capabilities, functions, and quality level, used as the basis of a project plan.
- project team A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.
- project wrap-up A process of bringing a project to a conclusion, addressing any pending issues and the overall project effort, and identifying ways to improve the process in the future.
- projectitis A situation in project planning in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts in the project management software than accomplishing meaningful project work.
- protection profile or security posture The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset.
- protocol stack verification The process of examining and verifying network traffic for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.
- proximity reader An electronic signal receiver used with an electromechanical lock that allows users to place their cards within the reader’s range and release the locking mechanism.
- proxy server A server or firewall device capable of serving as an intermediary by retrieving information from one network segment and providing it to a requesting user on another.
- public-key encryption See asymmetric encryption.
- public key infrastructure (PKI) An integrated system of soft-
- ware, encryption methodologies, protocols, legal agreements,
- and third-party services that enables users to communicate
- securely through the use of digital certificates.
- public law Law that regulates the structure and administra-
- tion of government agencies and their relationships with citi-
- zens, employees, and other governments. Public law includes
- criminal, administrative, and constitutional law.
- qualitative assessment An asset valuation approach that
- uses categorical or non-numeric values rather than absolute
- numerical measures.
- quantitative assessment An asset valuation approach that
- attempts to assign absolute numerical measures.
- rainbow table A table of hash values and their correspond-
- ing plaintext values that can be used to look up password
- values if an attacker is able to steal a system’s encrypted
- password file.
- rate-of-rise sensor A fire detection sensor that works by
- detecting an unusually rapid increase in the area temperature
- within a relatively short period of time.
- recovery point objective (RPO) The point in time prior to a
- disruption or system outage to which mission/business pro-
- cess data can be recovered after an outage (given the most
- recent backup copy of the data).
- recovery time objective (RTO) The maximum amount of
- time that a system resource can remain unavailable before
- there is an unacceptable impact on other system resources,
- supported mission/business processes, and the MTD.
- redundancy Multiple types of technology that prevent the
- failure of one system from compromising the security of
- information.
- redundant array of independent disks (RAID) A system of
- drives that stores information across multiple units to spread
- out data and minimize the impact of a single drive failure.
- reference monitor The piece of the system that mediates all
- access to objects by subjects.
- registration authority (RA) In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions.
- remediation The processes of removing or repairing flaws in information assets that cause a vulnerability or removing the risk associated with the vulnerability.
- Remote Authentication Dial-In User Service (RADIUS) A computer connection system that centralizes the management of user authentication by placing the responsibility for authenticating each user on a central authentication server.
- remote journaling The transfer of live transactions rather than archived data to an off-site facility in near-real time.
- request for proposal (RFP) A document specifying the requirements of a project, provided to solicit bids from internal or external contractors.
- residual risk The amount of risk that remains to an information asset even after the organization has applied its desired level of controls.
- resources Components required for the completion of a project, which could include skills, personnel, time, money, and material.
- restitution The legal obligation to compensate an injured party for wrongs committed.
- reverse firewall See content filter.
- reverse proxy A proxy server that most commonly retrieves information from inside an organization and provides it to a requesting user or system outside the organization.
- revision date The date associated with a particular version or build.
- risk The probability of an unwanted occurrence, such as an adverse event or loss.
- risk appetite The amount of risk an organization is willing to accept.
- risk assessment A determination of the extent to which an organization’s information assets are exposed to risk.
- risk control The application of controls that reduce the risks to an organization’s information assets to an acceptable level.
- risk identification The enumeration and documentation of risks to an organization’s information assets.
- risk management The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
- role-based access control (RBAC) An example of a nondiscretionary control where privileges are tied to the role a user performs in an organization, and are inherited when a user is assigned to that role. Roles are considered more persistent than tasks. RBAC is an example of an LDAC.
- rooting Escalating privileges to gain administrator-level control over a computer system (including smartphones). Typically associated with Android OS smartphones. See also jailbreaking.
- sacrificial host See bastion host.
- sag A short-term decrease in electrical power availability.
- screened host firewall A single firewall or system designed to be externally accessible and protected by placement behind a filtering firewall.
- screened subnet An entire network segment that protects externally accessible systems by placing them in a demilitarized zone behind a filtering firewall and protects the internal networks by limiting how external connections can gain access to them.
- script kiddie A hacker of limited skill who uses expertly written software to attack a system. Also known as skids, skiddies, or script bunnies.
- search warrant A document issued by an authorized authority that allows law enforcement agents to search for EM at a specified location and seize specific items for official examination.
- secret key A key that can be used in symmetric encryption both to encipher and decipher the message.
- Secure Electronic Transactions (SET) A protocol developed by credit card companies to protect against electronic payment fraud.
- secure facility A physical location that has controls in place to minimize the risk of attacks from physical threats.
- Secure Hash Standard (SHS) A standard issued by the National Institute of Standards and Technology (NIST) that specifies secure algorithms, such as SHA-1, for computing a condensed representation of a message or data file.
- Secure HTTP (S-HTTP) An extended version of Hypertext Transfer Protocol that provides for the encryption of protected Web pages transmitted via the Internet between a client and server.
- Secure Multipurpose Internet Mail Extensions (S/MIME) A security protocol that builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.
- Secure Sockets Layer (SSL) A security protocol developed by Netscape to use public-key encryption to secure a channel over the Internet.
- secure VPN A VPN implementation that uses security protocols to encrypt traffic transmitted across unsecured public networks.
- security A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure.
- security clearance A component of a data classification scheme that assigns a status level to employees to designate the maximum level of classified data they may access.
- security domain An area of trust within which information assets share the same level of protection. Each trusted network within an organization is a security domain. Communication between security domains requires evaluation of communications traffic.
- security education, training, and awareness (SETA) A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizations.
- security perimeter The boundary between an organization’s security efforts and the outside world or untrusted network areas.
- security systems development life cycle (SecSDLC) A methodology for the design and implementation of security systems based on the systems development life cycle. The two life cycles contain the same general phases.
- separation of duties The principle that the completion of a significant task involving sensitive information requires at least two people.
- sequential roster An alert roster in which a single contact person calls each person on the roster.
- server fault tolerance A level of redundancy provided by mirroring entire servers called redundant servers.
- service bureau An agency that provides physical facilities in a disaster for a fee.
- service level agreement (SLA) A document or part of a document that specifies the expected level of service from a service provider. An SLA usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
- session hijacking See TCP hijacking.
- session keys Limited-use symmetric keys for temporary communications during an online session.
- shoulder surfing The direct, covert observation of individual information or system use.
- signals intelligence The collection, analysis, and distribution of information from foreign communications networks for intelligence and counterintelligence purposes and in support of military operations. In recent years, the debate around the collection and use of signals intelligence has grappled with the integration of domestic intelligence gathering.
- signature-based detection Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.
- signatures Patterns that correspond to a known attack.
- single loss expectancy (SLE) In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset’s value and the exposure factor.
- site policy The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
- site policy awareness An IDPS’s ability to dynamically modify its configuration in response to environmental activity. A so-called dynamic IDPS can adapt its reactions in response to administrator guidance over time and the local environment.
- smart card An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.
- smoke detection system A category of fire detection systems that focuses on detecting the smoke from a fire.
- sniffer See packet sniffer.
- social engineering The process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.
- software assurance (SA) A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. SA attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence.
- software library A collection of configuration items that is usually controlled and that developers use to construct revisions and issue new configuration items.
- software piracy The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
- spam Undesired e-mail, typically commercial advertising transmitted in bulk.
- spear phishing Any highly targeted phishing attack.
- spike A short-term increase in electrical power availability, also known as a swell.
- spoofing A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
- sprinkler system A fire suppression system designed to apply a liquid, usually water, to all areas in which a fire has been detected.
- spyware Any technology that aids in gathering information about people or organizations without their knowledge.
- standard The normal, targeted, or desired level to which a behavior or action must be performed.
- standby (or offline) UPS An offline battery backup that detects the interruption of power to equipment and activates a transfer switch that provides power from batteries through a DC to AC converter until normal power is restored or the computer is shut down.
- standby ferroresonant UPS A UPS in which the outside power source directly feeds the internal protected device. The UPS serves as a battery backup, incorporating a ferroresonant transformer instead of a converter switch, providing line filtering and reducing the effect of some power problems, and reducing noise that may be present in the power as it is delivered.
- state table A tabular database of the state and context of each packet in a conversation between an internal and external user or system. A state table is used to expedite firewall filtering.
- stateful packet inspection (SPI) A firewall type that keeps track of each network connection between internal and external systems using a state table and that expedites the filtering of those communications. Also known as a stateful inspection firewall.
- stateful protocol analysis (SPA) The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.
- static electricity An imbalance of electrical charges in the atmosphere or on the surface of a material, caused by triboelectrification.
- static filtering A firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.
- steganography A data hiding method that involves embedding messages and information within other files, such as digital pictures or other images.
- storage channel A covert channel that communicates by modifying a stored object.
- strategic plan The documented product of strategic planning; a plan for the organization’s intended strategic efforts over the next several years.
- strategic planning The actions taken by senior management to specify the long-term goals and objectives of the organization, to plan its future direction, actions, and efforts, and to estimate and schedule the allocation of resources necessary to achieve those goals and objectives.
- strong authentication In access control, the use of at least two different authentication mechanisms drawn from two different factors of authentication.
- subject attribute See attribute.
- subjects and objects A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack.
- substitution cipher An encryption method in which one value is substituted for another.
- successors Tasks or action steps that come after the specific task at hand.
- sunset clause A component of policy or law that defines an expected end date for its applicability.
- surge A long-term increase in electrical power availability.
- synchronous token An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.
- systems development life cycle (SDLC) A methodology for the design and implementation of an information system. The SDLC contains different phases depending on the methodology deployed, but generally the phases address the investigation, analysis, design, implementation, and maintenance of an information system.
- systems-specific security policies (SysSPs) Policy documents designed to bridge the gap between managerial guidance and technical implementation of a specific technology.
- tactical plan The documented product of tactical planning; a plan for the organization’s intended tactical efforts over the next few years.
- tactical planning The actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.
- tailgating The process of gaining unauthorized entry into a facility by closely following another person through an entrance and using the credentials of the authorized person to bypass a control point.
- task-based access control (TBAC) An example of a nondiscretionary control where privileges are tied to a task a user performs in an organization and are inherited when a user is assigned to that task. Tasks are considered more temporary than roles. TBAC is an example of an LDAC.
- task rotation See job rotation.
- TCP hijacking A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications. TCP/IP is short for Transmission Control Protocol/Internet Protocol.
- technical controls Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.
- technical feasibility An assessment of whether the organization can acquire the technology necessary to implement and support the proposed control.
- technical specifications SysSP A systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective. Typically the policy includes details on configuration rules, systems policies, and access control.
- technology governance A process organizations use to manage the effects and costs of technology implementation, innovation, and obsolescence.
- telecommuting A work arrangement in which employees work from an off-site location and connect to an organization’s equipment electronically. Also known as telework.
- telework See telecommuting.
- TEMPEST A U.S. government program designed to protect computers from electronic remote eavesdropping by reducing EMR emissions.
- termination control strategy The risk control strategy that eliminates all risk associated with an information asset by removing it from service.
- theft The illegal taking of another’s property, which can be physical, electronic, or intellectual.
- thermal detection system A category of fire detection systems that focuses on detecting the heat from a fire.
- thermal detector An alarm sensor designed to detect a defined rate of change in the ambient temperature within a defined space.
- threat A potential risk of an asset’s loss of value.
- threat agent A person or other entity that may cause a loss in an asset’s value.
- threat assessment An evaluation of the threats to information assets, including a determination of their potential to endanger the organization.
- threats-vulnerabilities-assets (TVA) triples A pairing of an asset with a threat and an identification of vulnerabilities that exist between the two. This pairing is often expressed in the format TxVyAz, where there may be one or more vulnerabilities between Threat X and Asset Z. For example, T1V1A2 would represent Threat 1 to Vulnerability 1 on Asset 2.
- threats-vulnerabilities-assets (TVA) worksheet A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
- time-share The business continuity strategy that allows an organization to co-lease a hot, warm, or cold site in conjunction with one or more business partners or other organizations.
- timing channel A covert channel that transmits information by managing the relative timing of events.
- top-down approach A methodology of establishing security policies that is initiated by upper management.
- transfer control strategy The risk control strategy that attempts to shift residual risk to other assets, other processes, or other organizations.
- transport mode An IPSec mode in which only the IP data is encrypted, not the IP headers.
- transposition cipher Also known as a permutation cipher, an encryption method that involves simply rearranging the values within a block based on an established pattern to create the ciphertext.
- trap-and-trace An application that uses a combination of techniques to detect an inbound communication and then trace it back to its source. The trap usually consists of a honeypot or padded cell and an alarm.
- trap door See back door.
- trespass Unauthorized entry into the real or virtual property of another party.
- triboelectrification The exchange of electrons between two materials when they make contact, resulting in one object becoming more positively charged and the other more negatively charged.
- Trojan horse A malware program that hides its true nature and reveals its designed behavior only when activated.
- true attack stimulus An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress. The event may be an actual attack, in which an attacker is attempting a system compromise, or it may be a drill, in which security personnel are using hacker tools to test a network segment.
- trusted computing base (TCB) According to the TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.
- trusted network The system of networks inside the organization that contains its information assets and is under the organization’s control.
- trusted VPN Also known as a legacy VPN, a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
- tuning The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.
- tunnel mode An IPSec mode in which the entire IP packet is encrypted and then placed into the content portion of another IP packet.
- two-person control The requirement that two employees review and approve each other’s work before the task is categorized as finished.
- Unified Threat Management (UTM) A security approach that seeks a comprehensive solution for identifying and responding to network-based threats from a variety of sources. UTM brings together firewall and IDPS technology with antimalware, load balancing, content filtering, and data loss prevention. UTM integrates these tools with management, control, and reporting functions.
- untrusted network The system of networks outside the organization over which the organization has no control. The Internet is an example of an untrusted network.
- uptime The percentage of time a particular service is available; the opposite of downtime.
- utility An attribute of information that describes how data has value or usefulness for an end purpose.
- Vernam cipher An encryption process that generates a random substitution matrix between letters and numbers that is used only one time. Also called a one-time pad.
- version The recorded state of a particular revision of a software or hardware configuration item. The version number is often noted in a specific format, such as “M.N.b.” In this notation, “M” is the major release number and “N.b” can represent various minor releases or builds within the major release.
- vibration sensor An alarm sensor designed to detect movement of the sensor rather than movement in the environment.
- Vigenère cipher An advanced type of substitution cipher that uses a simple polyalphabetic code.
- virtual organization A group of people brought together for a specific task, usually from different organizations, divisions, or departments.
- virtual password A password composed of a seemingly meaningless series of characters derived from a passphrase.
- virtual private network (VPN) A private and secure network connection between systems that uses the data communication capability of an unsecured and public network.
- virus A type of malware that is attached to other executable programs. When activated, it replicates and propagates itself to multiple systems, spreading by multiple communications vectors. For example, a virus might send copies of itself to all users in the infected system’s e-mail program.
- virus hoax A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.
- vulnerability A potential weakness or fault in an asset or its defensive control system(s) that opens it to attack or damage.
- vulnerability assessment (VA) The process of identifying and documenting specific and provable flaws in the organization’s information asset environment.
- vulnerability assessment and remediation domain The component of the maintenance model focused on identifying specific, documented vulnerabilities and remediating them in a timely fashion.
- war dialer An automatic phone-dialing program that dials every number in a configured range to determine if one of the numbers belongs to a computer connection such as a dial-up line.
- war dialing The use of scripted dialing attacks against a pool of phone numbers in an effort to identify modem connections.
- war game A type of rehearsal that seeks to realistically simulate the circumstances needed to thoroughly test a plan.
- warm site An exclusive-use contingency strategy in which an organization leases a redundant facility complete with some systems, services, and equipment needed to resume operations with a reasonable delay.
- water mist sprinkler A fire suppression sprinkler system that relies on ultra-fine mists to reduce the ambient temperature below that needed to sustain a flame.
- waterfall model A type of SDLC in which each phase of the process “flows from” the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
- wet-pipe system A fire suppression sprinkler system that contains pressurized water in all pipes and has some form of valve in each protected area.
- wireless vulnerability assessment An assessment approach designed to find and document vulnerabilities that may be present in the organization’s wireless local area networks.
- work breakdown structure (WBS) A list of the tasks to be accomplished in the project, the skill sets or individual employees needed to perform the tasks, the start and end dates for tasks, the estimated resources required, and the dependencies among tasks.
- work factor The amount of effort (usually in hours) required to perform cryptanalysis to decode an encrypted message when the key, the algorithm, or both are unknown.
- work recovery time (WRT) The amount of effort (expressed as elapsed time) necessary to make the business function operational after the technology element is recovered (as identified with RTO). Tasks include testing and validation of the system.
- worm A type of malware that is capable of activation and replication without being attached to an existing program.
- zombie See bot.
- Index
- Note: Page numbers followed by f and t indicate figures and tables, respectively.
- A
- AAA (authentication, authorization,
- and accountability), 344
- acceptance control strategy, 270
- acceptance of risk, 638–639
- access
- defined, 11
- improper file, 96
- information security vs., 21–22, 22f
- remote, 342–346
- access control lists (ACLs), 167,
- 169–170, 298, 300
- access control matrix, 167, 169, 301, 305
- access controls
- accountability, 301, 305
- architecture models, 308–315
- auditability, 302, 305
- authentication, 302–305
- authorization, 302, 305
- biometrics, 305–308
- defined, 298, 299
- discretionary, 299
- identification, 302
- lattice-based, 299, 300
- mandatory, 299, 301
- matrix, 301, 305
- nondiscretionary, 299, 300–301
- TACACS, 343–344
- accountability, 301, 305
- accreditation. See also certifications
- vs. certifications, 527
- definition, 527
- ISO 27001/27002 Systems, 540
- NIST security life cycle approach,
- 527–532
- NSTISS, 532–540
- accuracy, defined, 14–15
- ACLU (American Civil Liberties Union),
- 16
- ACM (Association for Computing
- Machinery), 138
- acquired value, 275
- ACS (annualized cost of a safeguard),
- 272, 276
- active vulnerability scanners, 401, 404,
- 405
- address restrictions, 315, 318–319,
- 318t
- Advanced Encryption Standard (AES),
- 436–437, 439
- Advanced Research Projects Agency
- (ARPA), 4–6
- advance-fee fraud (AFF), 72, 73–74
- adverse events, 191, 192
- adware, 80, 81
- AES (Advanced Encryption Standard),
- 436–437, 439
- affidavit, 643
- after-action review (AAR), 208, 209
- aggregate information, 115
- Agreement on Trade-Related Aspects of
- Intellectual Property Rights
- (TRIPS), 128
- air-aspirating detector, 480
- Aircrack, 408
- AirSnare, 408, 409f
- alarm clustering/compaction, 358
- alarm filtering, 359
- alarm systems, 477
- ALE (annualized loss expectancy), 272,
- 276
- alert/alarm, 358
- algorithm, 422
- American Civil Liberties Union (ACLU),
- 16
- American Recovery and Reinvestment
- Act of 2009 (ARRA), 118
- American Society of International Law,
- 127
- amperage, 490
- analysis phase, 26, 27
- Andersen, Arthur, 159
- Anderson, James, 3, 21
- annualized cost of a safeguard (ACS),
- 272, 276
- annualized loss expectancy (ALE), 272,
- 276
- annualized rate of occurrence (ARO),
- 272, 276
- anomaly-based detection, 371, 372
- application firewalls, 320–321
- application header (AH) protocol, 457
- application layer firewall, 320–321
- application protocol verification, 362,
- 364, 365, 375, 399
- ARO (annualized rate of occurrence),
- 272, 276
- ARPANET, 4–5
- asset exposure, 260
- assets, 11, 232, 237–254. See also
- information
- categorization, 240
- inventory, 239–240
- prioritization, 249
- vulnerabilities, 251, 254, 255t
- asset valuation, 244–249
- assignees, 509
- Association for Computing Machinery
- (ACM), 138
- asymmetric encryption, 437–440
- asynchronous tokens, 302, 303, 304f
- attack protocol, 395, 397
- attacks. See also threats
- back doors, 87
- communication interception, 90–91
- defined, 12, 49
- denial-of-service, 88–89
- dictionary attack, 67
- direct/indirect, 12
- distributed denial-of-service (DDoS),
- 88
- e-mail, 89
- hoaxes, 87
- mail bombs, 89
- maintenance hook, 87
- man-in-the-middle, 90, 91
- password crack, 66–68
- pharming, 90
- phishing, 72
- social engineering, 72–76
- by software, 80–91
- spam, 89
- spoofing, 15, 90
- trap door, 87
- 677
- Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
- Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
- attack success probability, 259–260
- attribute-based access control (ABAC),
- 299, 301
- attributes, 299, 300, 301
- auditability, 302, 305
- auditing, 593
- Australian computer security laws,
- 127–128
- Corporations Act 2001, 128
- Cybercrime Legislation Amendment
- Bill 2011, 128
- Privacy Act 1988, 127
- Spam Act 2003, 128
- Telecommunications Act 1997, 127
- authentication, 302–305, 342–346
- authentication, authorization, and
- accounting (AAA), 344
- authentication factors, 302–305
- authenticity, defined, 15
- authorization, 302, 305
- automated response, 212
- availability, 11–14
- availability disruption, 56
- AVG AntiVirus, 82
- avoidance of competitive disadvantage,
- 230, 231
- awareness and training, 598
- B
- back door virus/worm, 87
- background check, 575–576
- back hack, 393, 394
- backup media, 210
- backups, 212–214
- baseline, 282, 283
- baselining, 282–283
- basic input/output system (BIOS), 239
- bastion host, 326–327, 327–328, 328f
- behavioral feasibility, 283, 284
- behavior-based detection, 371, 372
- Bell Labs, 8
- Bell-LaPadula (BLP) confidentiality
- model, 312–313
- benchmarking, 278–280, 282
- best business practices, 278, 280
- best practices, 280–282
- best practices, firewalls, 332–333
- BIA (business impact analysis). See
- business impact analysis (BIA)
- Biba integrity model, 313
- biometric access control, defined, 305
- biometric locks, 470, 475
- biometrics, 305–308
- acceptability of, 308, 309t
- authentication technologies, 306
- effectiveness of, 307–308, 309t
- recognition, 306–307, 307f
- signature and voice recognition,
- 306–307
- BIOS (basic input/output system), 239
- bit stream cipher, 422
- blackout, 57, 58
- Blaster worm, 84
- block cipher, 422
- Bluetooth, 457
- book-based cipher, 431–432
- boot virus, 80, 82
- bottom-up approach, 22, 23, 24f
- Brewer-Nash model, 315
- brownouts, 57, 58
- brute force, 66
- brute force attacks, 66
- brute force password attack, 66
- buffer overruns/overflows, 94–95
- build, 596
- build list, 596
- bull’s-eye model, 520–522
- Bureau of the Census, 117
- business continuity plan (BC plan), 191,
- 193
- business continuity planning (BCP),
- 191, 192, 215–218, 270
- business impact analysis (BIA), 193,
- 195, 196, 197–200
- mission/business processes, 198–199
- recovery criticality, 198–199
- recovery priorities for system
- resources, 199
- resource requirements, 199–200
- business partners, 581
- business resumption planning (BRP),
- 191, 193
- Business Software Alliance (BSA), 53
- C
- CA (certificate authority), 442–443
- Caesar Cipher, 425
- Calce, Michael, 89
- Canaday, Rudd, 8
- capabilities tables, 168, 169
- capital planning and investment control
- (CPIC), 598–599
- catastrophic failures, 489
- CBA (cost-benefit analysis), 273, 274
- CCE (Certified Computer Examiner),
- 570–571
- CCM (configuration and change management), 594
- CCRA (Common Criteria Recognition
- Agreement), 312
- CCT (closed-circuit television), 470, 476
- CD Universe, 77
- CEM (Common Methodology for
- Information Technology Security
- Evaluation), 312
- centralized IDPS control strategy, 382,
- 384–385, 384f
- CER (crossover error rate), 305, 308
- CERT/CC (Computer Emergency
- Response Team Coordination
- Center), 185
- certificate authority (CA), 442–443
- certificate revocation list (CRL), 442,
- 444
- certifications
- vs. accreditation, 527
- Associate of (ISC)², 565
- Certified Computer Examiner (CCE),
- 570–571
- Certified Information Security
- Manager (CISM), 565
- Certified Information Systems
- Auditor (CISA), 566
- Certified Information Systems
- Security Professional (CISSP),
- 562–563
- Certified in Risk and Information
- Systems Control (CRISC), 567
- Certified in the Governance of Enterprise IT (CGEIT), 566–567
- Certified Secure Software Lifecycle
- Professional (CSSLP), 564–565
- Chief Information Security Officer
- (CISO), 556–558
- Chief Security Officer (CSO),
- 558–559
- CompTIA, 569–570
- costs, 571
- definition, 527
- EC Council, 568–569
- ISO 27001/27002 Systems, 540
- NIST security life cycle approach,
- 527–532
- NSTISS, 532–540
- SSCP (Systems Security Certified
- Practitioner), 564
- Certified Computer Examiner (CCE),
- 570–571
- Certified Information Security Manager
- (CISM), 565
- Certified Information Systems Auditor
- (CISA), 566
- Certified Information Systems Security
- Professional (CISSP), 562–563
- Certified in Risk and Information
- Systems Control (CRISC), 567
- Certified in the Governance of Enterprise IT (CGEIT), 566–567
- Certified Secure Software Lifecycle
- Professional (CSSLP), 564–565
- Certified Security Project Manager, 518
- CFA Act, 113
- CGEIT (Certified in the Governance of
- Enterprise IT), 566–567
- chain of custody, 643, 646
- chain of evidence, 643, 646
- champion, 35
- change control, 96
- change control method, 522
- change management culture, 525
- chemical gas emission systems, 480,
- 486–487
- Chief Information Officer (CIO), 23, 35
- Chief Information Security Officer
- (CISO), 35, 36f, 155–156,
- 556–558
- Chief Security Officer (CSO), 558–559
- Chinese wall. See Brewer-Nash model
- ChoicePoint, 16
- C.I.A. triangle, 10–11, 11f, 231
- cipher
- bit stream, 422
- block, 422
- cipher methods
- book-based, 431–432
- exclusive OR operation, 428–429
- hash functions, 432–434
- substitution, 423–426
- transposition, 426–428
- Vernam, 429–431
- Vigenère, 425
- circuit gateway firewalls, 320
- circuit-level gateways, 331
- CISA (Certified Information Systems
- Auditor), 566
- CISM (Certified Information Security
- Manager), 565
- CISO (Chief Information Security
- Officer), 35, 36f, 155–156,
- 556–558
- CISSP (Certified Information Systems
- Security Professional), 562–563
- civil law, 112
- Clark-Wilson integrity model, 313–314
- classified data, 243–244
- clean agent, 480, 487
- clean desk policy, 243
- cleartext, 422
- Clipper Chip, 115, 116f
- clipping level, 371, 372
- closed-circuit television (CCT), 470, 476
- CM (configuration management), 594
- code, 422
- Code Red (worms), 83
- codes of ethics, 137–139
- cold sites, 216, 217
- color coding, 369
- combination SysSPs, 170–172
- command injection, 94, 95
- commercial off-the-shelf software
- (COTS), 31
- Committee on National Security Systems (CNSS), 10, 17–18, 187
- Common Attack Pattern Enumeration
- and Classification (CAPEC), 52
- Common Criteria, 311–312
- Common Criteria Recognition Agreement (CCRA), 312
- Common Methodology for Information
- Technology Security Evaluation
- (CEM), 312
- communication interception attacks,
- 90–91
- communications security, 10
- communities of interest, 37–38, 233–234
- community clouds, 210
- competitive advantage, 230, 231
- competitive intelligence, 58
- Comptroller General, 117
- computer crime and security survey, 50
- Computer Emergency Response Team/
- Coordination Center (CERT/CC),
- 74, 185
- computer forensics, 208, 209
- Computer Fraud and Abuse Act of 1986
- (CFA Act), 113, 119t
- computer rooms, 477–478
- physical and environmental controls,
- 478
- computer security, defined, 3
- Computer Security Act of 1987 (CSA Act), 114, 119t
- Computer Security Institute (CSI), 50
- survey of types of attack or misuse, 51t
- computer viruses/worms, 16, 81–82
- COMSEC (communications security),
- 242
- confidence value, 359
- confidentiality, 15, 241–243
- configuration, 594
- configuration and change management
- (CCM), 594, 610–614
- configuration item, 594
- configuration management (CM), 594
- configuration rule policies, 168, 170
- Congress, 114, 117, 122, 123
- Consensus Roadmap for Defeating
- Distributed Denial of Service
- Attacks, 89
- consolidated contingency plan, 219–220
- consultants, 581
- contact and weight sensor, 471, 477
- content filters, 341–342
- contingency/continuity planning
- business continuity (BC) planning,
- 215–218
- business impact analysis (BIA), 193,
- 195, 196, 197–200
- components of, 193f
- consolidated, 219–220
- contingency planning management
- team (CPMT), 192, 193,
- 195–199
- incident response planning (IRP),
- 192
- major steps in, 195f
- overview, 191–196
- timeline, 194f
- contingency plan, 191, 192
- contingency planning (CP)
- business impact analysis (BIA),
- 197–200
- defined, 191, 192
- incident response planning,
- 200–212
- information technology, 602
- policy, 196–197
- contingency planning management team
- (CPMT), 192, 193, 195–199
- contract employees, 580–581
- Controlling the Assault of Non-Solicited
- Pornography and Marketing Act of
- 2003 (CAN-SPAM Act), 120t
- control performance baselines and
- metrics, 601–602
- controls. See also access controls; risk
- control strategies
- defined, 12
- levels of, 187
- control strength (CS), 264
- Convention on Cybercrime, 128
- conversion strategies, 518–520
- copyright law, 124
- copyright protection, 53
- corporate governance, 156
- corporate resource misuse, 132
- cost avoidance, 272, 274
- cost-benefit analysis (CBA), 273, 274
- Council of Europe Convention on
- Cybercrime, 128
- countermeasures, 12, 268
- covert channel, 308, 310
- CPIC (capital planning and investment
- control), 598–599
- CPMT (contingency planning management team), 192, 193, 195–199
- cracker, 64, 65
- cracking, 66
- credit reporting agencies, 117
- criminal law, 112
- CRISC (Certified in Risk and Information Systems Control), 567
- crisis management, 218–219
- critical security control, 523–525
- CRL (certificate revocation list), 442
- crossover error rate (CER), 305, 308
- cross-site scripting (XSS), 94, 95
- cryptanalysis, 418–419
- cryptogram, 422
- cryptographic notation, 434
- cryptography
- algorithms, 434–442
- cipher methods, 422–434
- definition, 418
- foundations of, 419–422
- history of, 419–421
- tools for, 442–461
- cryptology, 418–419
- cryptotext, 422
- CSI (Computer Security Institute), 50
- CSO (Chief Security Officer), 558–559
- CSSLP (Certified Secure Software Lifecycle Professional), 564–565
- cultural differences, 129–130
- cultural mores, 110, 111
- customer information, 115
- cyberactivist, 78
- cyberactivist operations, 78
- cyberterrorism, 78–79
- cyberwarfare, 78, 80
- D
- damage assessment, 208–209
- Dan-0411 flag erratum, 92
- data
- classification and management,
- 241–244, 244f
- collection, 361
- custodians, 37
- in information systems, 20
- owners, 37
- responsibilities, 37
- risk management and, 240
- storage, 211, 218
- users, 37
- Database Right, 129
- database security, 47, 48
- database shadowing, 216, 218
- data classification and management,
- 241–244
- data classification scheme, 241
- data collection, 361
- data collection and management, 619
- Data Encryption Standard (DES), 435
- data interception, 493–495
- data security, 47, 48
- data sources, 615–618
- decipher, 422
- deep packet inspection, 372
- de facto standards, 158, 160
- defense control strategy, 268
- defense in depth, 185, 187, 188f
- de jure standards, 158, 160
- delayed failures, 489
- deliverable, 508–509
- delta conversion online UPS, 489, 492
- deluge system, 480, 483
- demilitarized zones (DMZs), 320, 329–331
- denial-of-service (DoS) attacks, 88–89,
- 364, 368
- Department of Defense (DoD), 4, 6, 9,
- 30, 242
- Department of Homeland Security
- (DHS), 30, 113, 139–142
- DES (Data Encryption Standard), 435
- detecting differences, 621
- DHCP (Dynamic Host Configuration
- Protocol), 238
- Diameter protocol, 344
- dictionary attacks, 67
- dictionary password attack, 66, 67
- difference analysis
- definition, 619
- types of, 622t
- differential backups, 208, 211
- Diffie-Hellman key exchange, 448–449
- Digati, Anthony, 77
- digital certificates, 442, 446–448
- digital forensics, 641–650
- digital malfeasance, 641
- Digital Millennium Copyright Act
- (DMCA), 119t, 129
- digital signatures, 444–446
- Digital Signature Standard (DSS),
- 444–446
- direct changeover strategy, 518–519
- direct/indirect attacks, 12
- Directive 95/46/EC, 129
- direct observation method, 493–494
- disaster recovery (DR)
- mitigation and, 270
- overview, 214–215
- plan, 192
- recovery operations, 215
- disaster recovery planning (DRP), 192
- disasters, 192
- discretionary access controls (DACs), 299
- disk duplexing, 212, 213
- disk mirroring, 212, 213
- disk striping, 212
- distinguished name (DN), 448
- distributed denial-of-service (DDoS)
- attacks, 79, 88–89, 364, 368
- DMZs (demilitarized zones), 320,
- 329–331
- DN (distinguished name), 448
- DoD (Department of Defense), 4, 6, 9,
- 30, 242
- dogs, 473
- Domain Name System (DNS), 79, 98,
- 333
- Domain Name System (DNS) cache
- poisoning, 90
- doorknob rattling, 360
- double conversion online UPS, 489, 492
- downtime, 56, 57
- dry-pipe system, 480, 483
- DSS (Digital Signature Standard), 444–446
- due care, 111
- due diligence, 111, 279
- dumb cards, 302, 303
- dumpster diving, 243, 244
- dust contamination, 70
- dynamic filtering, 315, 319
- Dynamic Host Configuration Protocol
- (DHCP), 238
- E
- earthquakes, 68, 69
- ECMA (European Computer Manufacturers Association), 345–346
- Economic Espionage Act of 1996
- (EEA), 119t, 123
- education programs, 189
- EF (exposure factor), 273, 275
- EISP (enterprise information security
- policy), 163–164, 164t
- electromagnetic interception, 494
- electromagnetic radiation (EMR),
- 493–494
- electromechanical locks, 471, 474–475
- Electronic Communications Privacy Act
- of 1986 (ECPA), 117, 119t
- Electronic Frontier Foundation (EFF),
- 436, 451
- electronic monitoring, 476–477
- electronic push-button locks, 475
- electronic vaulting, 216, 218
- electrostatic discharge (ESD), 70, 488
- Eli Lilly and Co., 16
- Elmusharaf, Mudawi Mukhtar, 79
- EM (evidentiary material), 641
- e-mail attacks, 89
- e-mail spoofing, 15
- employees, 240. See also personnel
- contract, 580–581
- temporary, 580
- employment contracts, 576
- employment policies and practices,
- 573–579
- EMR (electromagnetic radiation),
- 493–494
- encapsulating security payload (ESP)
- protocol, 457, 459
- encapsulation, 347
- encipher, 422
- encryption
- asymmetric, 437–440
- key size, 440–442
- private-key, 435
- public-key, 437
- symmetric, 435–437
- VPNs and, 347
- end-user license agreement (EULA), 53
- end users, 36
- Enron, 159
- enterprise information security policy
- (EISP), 163–164, 164t
- enticement, 393, 395
- entrapment, 393, 395
- equipment policies, 166–167
- ESD (electrostatic discharge), 488
- espionage/trespass, 58–59, 122–123
- estimated capital expenses, 511
- estimated noncapital expenses, 511
- Ethernet, 5
- ethical hacking, 630–632
- ethical issues
- causes of unethical and illegal behavior, 136–137
- codes of ethics, 137–139
- cultural differences, 129–130
- education and, 135
- scenarios, 133–135
- ten commandments of, 130
- ethics, defined, 110, 111
- European Computer Manufacturers
- Association (ECMA), 345–346
- evasion, 359
- events, 192
- evidentiary procedures, 649–650
- evidence, defined, 208, 209. See also
- evidentiary material
- evidence search and seizure, 647–648
- evidentiary material (EM)
- definition, 641
- handling, 646
- reporting, 649
- exclusive OR operation (XOR), 428–429
- exit interview, 577–578
- expert hackers, 59, 60
- exploits, defined, 13, 49
- Export Administration Act (1979), 123
- export and espionage laws, 122–123
- exposure, defined, 13
- exposure factor (EF), 273, 275
- Express Scripts, Inc., 77
- external intelligence sources, 617t–618t
- external monitoring, 614–619
- external monitoring domain, 614–615
- extranet, 326, 331
- F
- facilities management, 470
- facility systems, maintenance, 493
- Factor Analysis of Information Risk
- (FAIR) methodology, 263–267
- fail-safe lock, 471, 475
- fail-secure lock, 471, 475
- FAIR (Factor Analysis of Information
- Risk) methodology, 263–267
- false accept rate, 306, 308
- false attack stimulus, 359
- false negative/positive, 359
- false reject rate, 306, 307
- FASP (Federal Agency Security Practices),
- 280
- fault, 57, 58
- FCO (field change order) numbers, 239
- feasibility studies, 283–285
- Federal Agency Security Practices (FASP),
- 280
- Federal Bureau of Investigation (FBI),
- 142–144
- Federal Communications Commission
- (FCC), 56
- Federal courts, 117
- Federal Privacy Act of 1974 (FPA), 117,
- 119t
- fencing, 472
- field change order (FCO) numbers, 239
- file corruption, 17
- file hashing, 16
- file transfer protocol (FTP) servers, 329
- filtration, 488
- financial considerations, 512–513
- financial reporting laws, 124
- Financial Services Modernization Act. See
- Gramm-Leach-Bliley Act (GLB Act)
- fingerprinting, 360, 395, 399
- fire detection systems, 481–482
- fires, 68, 69
- fire security and safety, 479–487
- fire suppression systems, 480, 482–486
- Firewalk, 400
- firewalls
- analysis tools, 400–401
- application, 320–321
- bastion host, 327–328, 328f
- best practices for, 332–333
- configuration, 332
- content filters, 341–342
- defined, 315, 316
- dynamic packet-filtering, 315, 319
- HTTP/HTTPS and, 333, 337, 338,
- 340
- hybrid, 321–322, 326–331
- MAC layer, 321
- packet-filtering, 315, 316–320, 318f
- packet-filtering routers, 327
- processing modes, 316–322
- residential vs. commercial, 322–326
- reverse, 341
- rules, 333–341
- screened host, 328–329, 329f
- screened subnet, 329–331, 330f
- selecting right, 331
- stateful inspection, 315, 319
- static, 315, 319
- fixed-temperature sensor, 480
- flame detector, 480
- floods, 68, 69
- footprinting, 360, 395, 397
- forces of nature, 68–70
- Foreign Intelligence Surveillance Act of
- 1978 (FISA), 113
- forensics, 641
- format strings, 96
- 4-1-9 fraud, 73–74
- Fourth Amendment, 117
- Fraud and Related Activity in Connection with Access Devices, 119t
- Freedom of Information Act (FOIA),
- 119t, 124
- friendly departures, 579
- FTP (file transfer protocol) servers, 329
- FUD (fear, uncertainty, and doubt) era, 274
- full backups, 208, 211
- fully distributed IDPS control strategy,
- 382, 385–386, 385f
- G
- gap analysis, 515, 516f
- gaseous emission systems, 480,
- 486–487
- gates, 472
- General Electric (GE), 8
- Generally Accepted Security Principles and Practices for Securing Information Technology Systems (SP 800-14), 179
- Georgia Computer Systems Protection
- Act, 126
- GFCI (ground fault circuit interruption),
- 489–490
- GFI LANguard Network Security Scanner (NSS), 403
- GIAC (Global Information Assurance
- Certification), 137, 138
- GIAC Certified Project Manager, 517
- Global Information Assurance Certification (GIAC), 137, 138
- goals, defined, 154
- Goodtimes virus, 87
- governance, 156–158
- Graham-Denning access control model,
- 314
- Gramm-Leach-Bliley Act of 1999 (GLB
- Act), 118, 120t
- ground fault circuit interruption (GFCI),
- 489–490
- grounding, 490
- guards, 472
- Guide for Developing Security Plans for
- Federal Information Systems (SP
- 800-18 Rev. 1), 182
- guidelines, 158, 160, 160f
- H
- hacker, 49–50
- hackers/hacking, 49–52, 59–66, 394
- defined, 59, 60
- skills and abilities, 60–61, 64
- hacktivist, 78
- hardware
- asset identification, 238–239
- failures/errors, 92–93
- FCO numbers, 239
- in information systems, 20, 237f, 240
- Harrison-Ruzzo-Ullman (HRU) access
- control model, 315
- hash algorithms, 432
- hash functions, 432–434
- hash value, 16, 432
- healthcare organizations (HCOs), 118
- Health Information Technology for
- Economic and Clinical Health Act
- (HITECH), 118
- Health Insurance Portability and
- Accountability Act of 1996
- (HIPAA), 117–118, 119t
- heating, ventilation, and air conditioning (HVAC) systems, 487–489
- hidden forms, 98–99
- hiring issues, 574f
- historical perspectives, 3–10
- hoaxes, 87
- honeynets, 391–392
- honeypots, 391–392
- host-based IDPSs (HIDPS), 362,
- 368–371, 389
- advantages of, 369–370
- disadvantages of, 370–371
- hostile departures, 578–579
- hot sites, 216–217
- hot swap, 212, 214
- HPING, 401
- HTTP/HTTPS, 333
- human error/failure, 71–76
- humidity, 488
- hurricanes, 70
- hybrid cryptography systems, 448–449
- hybrid firewalls, 321–322
- hybrid VPNs, 347
- HyperText Markup Language (HTML),
- 81
- I
- IAD (Information Assurance Directorate), 146
- ICMP (Internet Control Message Protocol), 333, 336, 337
- identification, 302
- identification (ID) card, 471, 473
- identity theft, 121–122
- Identity Theft and Assumption Deterrence Act, 120t
- idle scanning, 400
- IDPSs (intrusion detection and prevention systems), 620–621
- IDSs (intrusion detection systems), 357–358. See also intrusion detection and prevention systems
- IEC (International Electrotechnical
- Commission), 175
- illicit use, 132
- immediate failures, 489
- implementation of information security
- bull’s-eye model, 520–522
- certifications and accreditation,
- 527–540
- change control method, 522
- change management, 525
- conversion strategies, 518–520
- financial considerations, 512–513
- nontechnical aspects, 525–526
- organizational feasibility considerations, 514
- outsourcing, 522
- overview, 22–23
- priority considerations, 513
- procurement considerations, 514
- project management, 508–518
- project plan, 507
- project scope, 512
- staffing considerations, 513–514
- supervised, 515
- technical aspects, 518–525
- time and schedule considerations, 513
- training and indoctrination considerations, 514
- implementation phase, 26, 28
- incident response (IR), 606–610
- automated response, 212
- backup media, 210
- contingency/continuity planning and,
- 192, 200–212
- damage assessment, 208–209
- format and content, 201
- incident candidate, 203
- incident classification, 203
- incident detection, 203–206
- incident indicators, 203–206
- incident planning, 201
- incident reaction, 206–208
- incident recovery, 209–210
- mitigate control strategy and, 270
- online and cloud backup, 210
- plan, 201–203
- policy, 200–201
- prioritization of efforts, 208
- storage, 201–202
- system backups, 212–214
- testing, 202–203
- incident candidate, 203
- incident classification, 203
- incident damage assessment, 208–209