Untitled

Key Term
war game A type of rehearsal that seeks to realistically simulate the circumstances needed to
thoroughly test a plan.
The primary goal of the readiness and review domain is to keep the information security
program functioning as designed and improve it continuously over time. This goal can be
accomplished by doing the following:
●
Policy review: Policy needs to be reviewed and refreshed from time to time to ensure
its soundness—in other words, it must provide a current foundation for the informa-
tion security program.
●
Program review: Major planning components should be reviewed on a periodic basis
to ensure that they are current, accurate, and appropriate.
●
Rehearsals: When possible, major plan elements should be rehearsed.
The relationships among the sectors of the readiness and review domain are shown in Figure 12-9.
As the diagram indicates, policy review is the primary initiator of this domain. As policy is revised
or current policy is confirmed, the planning elements are reviewed for compliance, the information
Security Management Maintenance Models 639
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
security program is reviewed, and rehearsals are held to make sure all participants are capable of
responding as needed.
Policy Review and Planning Review Policy needs to be reviewed periodically, as you
learned in Chapter 4. The planning and review process for incident response, disaster recov-
ery, and business continuity planning (IRP, DRP, and BCP) were also covered in Chapter 4.
Program Review As policy needs shift, a thorough and independent review of the entire
information security program is needed. While an exact timetable for review is not proposed
here, many organizations find that the CISO should conduct a formal review annually. Ear-
lier in this chapter, you learned about the role of the CISO in the maintenance process. The
CISO uses the results of maintenance activities and the review of the information security
program to determine if the status quo is adequate against the threats at hand.
If the current information security program is not up to the challenges, the CISO must deter-
mine if incremental improvements are possible or if it is time to restructure the information
security function within the organization.
Rehearsals and War Games Whenever possible, major planning elements should be
rehearsed. Rehearsal adds value by exercising procedures, identifying shortcomings, and
providing security personnel with the opportunity to improve the security plan before it
is needed. In addition, rehearsals make people more effective when an actual event
occurs. A type of rehearsal known as a war game or simulation puts a subset of plans in
place to create a realistic test environment. This adds to the value of the rehearsal and
can enhance training.
Policy review
Plan review for
IRP, DRP, and BCP
Security team maintains
security programs and
stays ready
Rehearsals and
war games
Figure 12-9 Readiness and review
© Cengage Learning
640 Chapter 12
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
12
Digital Forensics
Key Terms
digital forensics The application of forensics techniques and methodologies to the
preservation, identification, extraction, documentation, and interpretation of digital media for
evidentiary and/or root-cause analysis.
digital malfeasance A crime against or using digital media, computer technology, or related
components.
evidentiary material (EM) Any item or information that applies to an organization’s legal or
policy-based case; also known as an item of potential evidentiary value.
forensics The coherent application of methodical investigatory techniques to present evidence
of crimes in a court or similar setting.
Whether due to a character flaw, a need for vengeance, or simple curiosity, an employee
or outsider may attack a physical asset or information asset. When the asset is in the pur-
view of the CISO, he is expected to understand how policies and laws require the matter
to be managed. To protect the organization and possibly assist law enforcement in an
investigation, the CISO must document what happened and how. This process is called
digital forensics.
Digital forensics is based on the field of traditional forensics. Made popular by scientific detec-
tive shows that focus on crime scene investigations, forensics involves the use of science to
investigate events. Not all events involve crimes; some involve natural events, accidents, or sys-
tem malfunctions. Forensics allows investigators to determine what happened by examining
the results of an event. It also allows them to determine how the event happened by examin-
ing activities, individual actions, physical evidence, and testimony related to the event. How-
ever, forensics might not figure out the why of the event; that’s the focus of psychological,
sociological, and criminal justice studies. Here, the focus is on the application of forensics
techniques in the digital arena.
Digital forensics involves the preservation, identification, extraction, documentation, and
interpretation of digital media, including computer media, for evidentiary and/or root-
cause analysis. Like traditional forensics, it follows clear, well-defined methodologies, but
it still tends to be as much an art as a science. In other words, the natural curiosity and
personal skill of the investigator play a key role in discovering potential evidentiary mate-
rial (EM). An item does not become evidence until it is formally admitted by a judge or
other ruling official.
Digital forensics investigators use a variety of tools to support their work, as you will learn
later in this chapter. However, the tools and methods used by attackers can be equally sophis-
ticated. Digital forensics can be used for two key purposes:
●
To investigate allegations of digital malfeasance. Such an investigation requires digital
forensics to gather, analyze, and report the findings. This is the primary mission of law
enforcement in investigating crimes that involve computer technologies or online
information.
●
To perform root-cause analysis. If an incident occurs and the organization suspects an
attack was successful, digital forensics can be used to examine the path and
Digital Forensics 641
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
methodology used to gain unauthorized access, and to determine how pervasive and
successful the attack was. This type of analysis is used primarily by incident response
teams to examine their equipment after an incident.
Some investigations are undertaken by an organization’s own personnel, while others
require the immediate involvement of law enforcement. In general, whenever investigators
discover evidence of a crime, they should immediately notify management and recommend
contacting law enforcement. Failure to do so could result in unfavorable action against the
investigator or organization.
The organization must choose one of two approaches when employing digital forensics:
1. Protect and forget. This approach, also known as patch and proceed, focuses on the
defense of data and the systems that house, use, and transmit it. An investigation
that takes this approach focuses on the detection and analysis of events to deter-
mine how they happened and to prevent reoccurrence. Once the current event is
over, who caused it or why is almost immaterial.
2. Apprehend and prosecute. This approach, also known as pursue and prosecute,
focuses on the identification and apprehension of responsible parties, with
additional attention to the collection and preservation of potential EM that
might support administrative or criminal prosecution. This approach requires
much more attention to detail to prevent contamination of evidence that might
hinder prosecution.
An organization might find it impossible to retain enough data to successfully handle
even administrative penalties, but it should certainly adopt the latter approach if it
wants to pursue formal administrative penalties, especially if the employee is likely to
challenge them.
For more information on digital forensics, visit the American Society of Digital Forensics and
eDiscovery at www.asdfed.com.
 The Digital Forensics Team
Most organizations cannot sustain a permanent digital forensics team; such expertise is so
rarely called upon that it may be better to collect the data and then outsource the analysis
component to a regional expert. The organization can then maintain an arm’s-length distance
from the case and have additional expertise to call upon if the process ends in court. Even so,
the information security group should contain members who are trained to understand and
manage the forensics process. If the group receives a report of suspected misuse, either inter-
nally or externally, a group member must be familiar with digital forensics procedures to
avoid contaminating potential EM.
This expertise can be obtained by sending staff members to a regional or national infor-
mation security conference with a digital forensics track or to dedicated digital forensics
training, as mentioned in Chapter 11. The organization should use caution in selecting
training for the team or a specialist, as many forensics training programs begin with the
analysis process and promote a specific tool rather than teaching management of the
process.
642 Chapter 12
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
12
 Affidavits and Search Warrants
Key Terms
affidavit Sworn testimony that certain facts are in the possession of an investigating officer; an
affidavit can be used to request a search warrant.
search warrant A document issued by an authorized authority that allows law enforcement
agents to search for EM at a specified location and seize specific items for official examination.
Most investigations begin with an allegation or an indication of an incident. Whether via the
help desk, the organization’s sexual harassment reporting channels, or a direct report, some-
one alleges that a worker is performing actions explicitly prohibited by the organization or
that make another worker uncomfortable in the workplace. The organization’s forensics
team or other authorized entity must then request permission to examine digital media for
potential EM. In law enforcement, the investigating agent would create an affidavit request-
ing a search warrant. The affidavit summarizes the facts of the case, items relevant to the
investigation, and the location of the event. When an approving authority signs the affidavit
or creates a synopsis form based on the document, it becomes a search warrant. In corporate
environments, the names of these documents may change, and in many cases written authori-
zation may not be needed, but the process should be the same. Formal permission is obtained
before an investigation occurs.
 Digital Forensics Methodology
Key Terms
chain of custody See chain of evidence.
chain of evidence The detailed documentation of the collection, storage, transfer, and
ownership of evidence from the crime scene through its presentation in court.
In digital forensics, all investigations follow the same basic methodology:
1. Identify relevant EM.
2. Acquire (seize) the evidence without alteration or damage.
3. Take steps to assure that the evidence is verifiably authentic at every step and is
unchanged from the time it was seized.
4. Analyze the data without risking modification or unauthorized access.
5. Report the findings to the proper authority.
This process is illustrated in Figure 12-10.
To support the selection and implementation of a methodology for forensics, the organiza-
tion may want to seek legal advice or consult with local or state law enforcement. Other
references that should become part of the organization’s library are:
●
Electronic Crime Scene Investigation: A Guide for First Responders, July 2001 (www
.ncjrs.gov/pdffiles1/nij/187736.pdf)
Digital Forensics 643
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
●
First Responders Guide to Computer Forensics (resources.sei.cmu.edu/library/asset-
view.cfm?assetid=7251)
●
First Responders Guide to Computer Forensics: Advanced Topics (resources.sei.cmu
.edu/library/asset-view.cfm?assetid=7261)
●
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal
Investigations (www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf)
●
Scientific Working Group on Digital Evidence: Best Practices for Computer Forensics
(www.oas.org/juridico/spanish/cyb_best_pract.pdf).
Identifying Relevant Items The affidavit or warrant that authorizes a search must
identify what items of evidence can be seized and where they are located. Only EM that fits
the description on the authorization can be seized. These seizures often occur under stressful
circumstances and strict time constraints, so thorough item descriptions help the process
function smoothly and ensure that critical evidence is not overlooked. Thorough descrip-
tions also ensure that items are not wrongly included as EM, which could jeopardize the
investigation.
Because users have access to many online server locations via free e-mail archives, FTP ser-
vers, and video archives, and could have terabytes of information stored in offsite locations
across the Web or on their local systems, investigators must have an idea of what to look
for or they may never find it.
Acquiring the Evidence The principal responsibility of the response team is to
acquire the information without altering it. Computers and users modify data constantly.
Every time someone opens, modifies, or saves a file, or even opens a directory index to
view the available files, the state of the system is changed. Normal system file changes may
Prepare affidavit
seeking
authorization
to investigate
Policy violation or
crime detected
Investigation
authorized?
Collect evidence
Security incident
Triggers incident
response process
Archive
Archive
Produce report
and submit
for disposition
Analyze evidence
Either internal or external to the organization
No
Yes
Figure 12-10 The digital forensics process
© Cengage Learning
644 Chapter 12
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
12
be difficult to explain to a layperson—for example, a jury member with little or no technical
knowledge. A normal system consequence of the search for EM could be portrayed by a
defense attorney as harmful to the EM’s authenticity or integrity, which could lead a jury
to suspect it was planted or is otherwise suspect.
Online Versus Offline Data Acquisition There are generally two methods of acquiring
evidence from a system. The first is the offline model, in which the investigator removes the
power source and then uses a utility or special device to make a bitstream, sector-by-sector
copy of the hard drives on the system. By copying the drives at the sector level, you can
ensure that any hidden or erased files are also captured. The copied drive then becomes the
image that can be used for analysis, and the original drive is stored for safekeeping as true
EM or possibly returned to service. For the purposes of this discussion, the term copy refers
to a drive duplication technique, whereas an image is the file that contains all the information
from the source drive.
This approach requires the use of sound processes and techniques or read-only hardware
known as write-blockers to prevent the accidental overwriting of data on the source drive.
The use of these tools also allows investigators to assert that the EM was not modified dur-
ing acquisition. In another offline approach, the investigator can reboot the system with an
alternate operating system or a specialty boot disk like Helix or Knoppix. Still another
approach involves specialty hardware that connects directly to a powered-down hard drive
and provides direct power and data connections to copy data to an internal drive.
In online or “live” data acquisition, investigators use network-based tools to acquire a
protected copy of the information. The only real difference between the two methods is
that the source system cannot be taken offline, and the tools must be sophisticated enough
to avoid altering the system during data acquisition. Table 12-10 lists common methods of
acquiring data.
The creation of a copy or image can take a substantial amount of time. Users who have
made USB copies of their data know how much time it takes to back up several gigabytes of
data. When dealing with networked server drives, the data acquisition phase can take many
hours to complete, which is one reason investigators prefer to seize drives and take them
back to the lab to be imaged or copied.
Other Potential Evidence Not all EM is on a suspect’s computer hard drive. A techni-
cally savvy attacker is more likely to store incriminating evidence on other digital media,
such as smart phones, removable drives, CDs, DVDs, flash drives, memory chips or sticks,
or on other computers accessed across the organization’s networks or via the Internet. EM
located outside the organization is particularly problematic because the organization cannot
legally search systems it doesn’t own. However, the simple act of viewing EM on a system
leaves clues about the location of the source material, and a skilled investigator can at least
provide some assistance to law enforcement when conducting a preliminary investigation.
Log files are another source of information about the access and location of EM, as well as
what happened and when.
Some evidence isn’t electronic or digital. Many suspects have been further incriminated when
passwords to their digital media were discovered in the margins of user manuals, in calendars
and day planners, and even on notes attached to their systems.
Digital Forensics 645
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
EM Handling Once the evidence is acquired, both the copy image and the original drive
should be handled properly to avoid legal challenges based on authenticity and preserva-
tion of integrity. If the organization or law enforcement cannot demonstrate that no one
had access to the evidence, they cannot provide strong assurances that it has not been
altered. Such access can be physical or logical if the device is connected to a network.
Once the evidence is in the possession of investigators, they must track its movement,
storage, and access until the resolution of the event or case. This is typically accom-
plished through chain of evidence or chain of custody procedures. The evidence is then
tracked wherever it is located. When the evidence changes hands or is stored, the docu-
mentation is updated.
Not all evidence-handling requirements are met through the chain of custody process. Digital
media must be stored in a specially designed environment that can be secured to prevent
unauthorized access. For example, individual items might need to be stored in containers or
bags that protect them from electrostatic discharge or magnetic fields. Additional details are
provided in the nearby Technical Details feature.
Method Advantages Disadvantages
Use a dedicated forensic
workstation to examine a write-
protected hard drive or image of the
suspect hard drive.
No concern about the validity of
software or hardware on the suspect
host. Produces evidence most easily
defended in court.
Inconvenient, time-consuming. May
result in loss of volatile information.
Boot the system using a verified,
write-protected CD or other media
with kernel and tools.
Convenient, quick. Evidence is
defensible if suspect drives are
mounted as read-only.
Assumes that hardware has not
been compromised because it is
much less likely than compromised
software. May result in loss of
volatile information.
Build a new system that contains an
image of the suspect system and
examine it.
Completely replicates operating
environment of suspect computer
without running the risk of
changing its information.
Requires availability of hardware
that is identical to that on the
suspect computer. May result in loss
of volatile information.
Examine the system using external
media with verified software.
Convenient, quick. Allows
examination of volatile information.
If a kernel is compromised, results
may be misleading. External media
may not contain every necessary
utility.
Verify the software on the suspect
system, and then use the verified
local software to conduct the
examination.
Requires minimal preparation.
Allows examination of volatile
information. Can be performed
remotely.
Lack of write protection for suspect
drives makes evidence difficult to
defend in court. Finding sources for
hash values and verifying the local
software requires at least several
hours, unless Tripwire was used
ahead of time.
Examine the suspect system using
the software on it, without verifying
the software.
Requires least amount of
preparation. Allows examination of
volatile information. Can be
performed remotely.
Least reliable method. This is exactly
what cyberattackers are hoping you
will do. Often a complete waste of
time.
Table 12-10 Summary of Methods Employed to Acquire Forensic Data
© Cengage Learning 2015
646 Chapter 12
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
12
Authenticating the Recovered Evidence The copy or image is typically transferred to
the laboratory for the next stage of authentication. Using cryptographic hash tools, the team
must be able to demonstrate that any analyzed copy or image is a true and accurate replica
of the source EM. As you learned in Chapter 8, the hash tool takes a variable-length file
and creates a single numerical value, usually represented in hexadecimal notation, that func-
tions like a digital fingerprint. By hashing the source file and the copy, the investigator can
assert that the copy is a true and accurate duplicate of the source.
Analyzing the Data The most complex part of an investigation is analyzing the copy or
image for potential EM. While the process can be performed manually using simple utilities,
two industry-leading applications dominate the market for digital forensics:
●
Guidance Software’s EnCase (www.guidancesoftware.com)
●
AccessData Forensics Tool Kit (FTK, at www.accessdata.com)
Open source alternatives to these rather expensive tools include Autopsy and The Sleuth Kit,
which are available from www.sleuthkit.org. Autopsy is a stand-alone GUI interface for The
Sleuth Kit, which uses a command line. Each tool is designed to support an investigation and
assist in the management of the entire case.
General Procedures for Evidence Search and Seizure
At the crime scene, complete the following tasks:
1. Secure the crime scene by clearing all unauthorized personnel, delimit the scene
with tape or other markers, and post a guard or other person at the entrance.
2. Log into the crime scene by signing the entry/exit log.
3. Photograph the scene beginning at the doorway and covering the entire room
in 360 degrees. Include specific photos of potential evidentiary material.
4. Sketch the layout for the room, including furniture and equipment.
5. Following proper procedure, begin searching for physical, documentary evi-
dence to support your case, including papers, media such as CDs or flash mem-
ory devices, or other artifacts. Identify the location of each piece of evidence
with a marker or other designator and cross-reference it on the sketch. Photo-
graph the item in situ to establish its location and state.
6. For each computer, first check for the presence of a screen saver by moving
the mouse. Do not click the mouse or use the keyboard. If the screen is active,
photograph the screen. Pull the power on permitted systems. Document each
computer by taking a photograph and providing a detailed written description
of the manufacturer, model number, serial number, and other details. Using
(continues)
OFFLINE
Digital Forensics 647
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
The first component of the analysis phase is indexing. During indexing, many investigatory
tools create an index of all text found on the drive, including data found in deleted files and in
file slack space. This indexing is similar to that performed by Google Desktop or Windows
Desktop Search tools. The index can then be used by the investigator to locate specific
documents or document fragments. While indexing, the tools typically organize files into
categories,suchasdocuments,images,andexecutables.Unfortunately,likeimaging,indexing
is a time- and processor-consuming operation, and it could take days on images that are larger
than 20 gigabytes.
In some cases, the investigator may find password-protected files that the suspect used to
protect the data. Several commercial password cracking tools can assist the investigator.
Some are sold in conjunction with forensics tools, like the AccessData Password Recovery
Tool Kit.
sound processes, remove each disk drive and image it using the appropriate
process and equipment. Document each source drive by photographing it and
providing a detailed description of the manufacturer, serial number, and
other details. Package and secure the image.
7. For each object found, complete the necessary evidence or chain of custody labels.
8. Log out of the crime scene by signing the entry/exit log.
9. Transfer all evidence to the lab for investigation or to a suitable evidence locker
for storage. Store and transport all evidence, documentation, and photographic
materials in a locked field evidence locker.
Analyze the image:
1. Build the case file by entering background information, including investigator,
suspect, date, time, and system analyzed.
2. Load the image file into the case file. Typical image files have .img, .e01, or .001
extensions.
3. Index the image. Note that some systems use a database of known files to filter
out files that are known to be applications, system files, or utilities. The use of
this filter improves the quality and effectiveness of the indexing process.
4. Identify, export, and bookmark related text files by searching the index.
5. Identify, export, and bookmark related graphics by reviewing the images folder.
If the suspect is accused of viewing child pornography, do not directly view the
images. Some things you can’t “un-see.” Use the database of known images to
compare hash values and tag them as suspect.
6. Identify, export, and bookmark other evidence files.
7. Integrate all exported and bookmarked material into the case report.
648 Chapter 12
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
12
Reporting the Findings As investigators examine the analyzed copies or images and
identify potential EM, they can tag it and add it to their case files. Once they have found a
suitable amount of information, they can summarize their findings with a synopsis of their
investigatory procedures in a report and submit it to the appropriate authority. This author-
ity could be law enforcement or management. The suitable amount of EM is a flexible deter-
mination made by the investigator. In certain cases, like child pornography, one file is suffi-
cient to warrant turning over the entire investigation to law enforcement. On the other
hand, dismissing an employee for the unauthorized sale of intellectual property may require
a substantial amount of information to support the organization’s assertion. Reporting meth-
ods and formats vary among organizations and should be specified in the digital forensics
policy. A general guideline is that the report should be sufficiently detailed to allow a simi-
larly trained person to repeat the analysis and achieve similar results.
 Evidentiary Procedures
In information security, most operations focus on policies—documents that provide manage-
rial guidance for ongoing implementation and operations. In digital forensics, however, the
focus is on procedures. When investigating digital malfeasance or performing root-cause
analysis, keep in mind that the results and methods of the investigation may end up in crimi-
nal or civil court. For example, during a routine systems update, assume that a technician
finds objectionable material on an employee’s computer. The employee is fired and promptly
sues the organization for wrongful termination, so the investigation of the objectionable
material comes under scrutiny by the plaintiff’s attorney, who will attempt to cast doubt on
the ability of the investigator. While technically not illegal, the presence of the material may
have been a clear violation of policy, prompting the dismissal of the employee. However, if
an attorney can convince a jury or judge that someone else could have placed the material
on the plaintiff’s system, the employee could win the case and potentially a large financial
settlement.
When the scenario involves criminal issues in which an employee discovers evidence of a
crime, the situation changes somewhat. The investigation, analysis, and report are typically
performed by law enforcement personnel. However, if the defense attorney can cast reason-
able doubt on whether the organization’s information security professionals compromised
the digital evidentiary material, the employee might win the case.
How do you avoid these legal pitfalls? Strong procedures for handling potential evidentiary
material can minimize the probability that an organization will lose a legal challenge.
Organizations should develop specific procedures, along with guidance for their effective use.
The policy document should specify the following:
●
Who may conduct an investigation
●
Who may authorize an investigation
●
What affidavits and related documents are required
●
What search warrants and related documents are required
●
What digital media may be seized or taken offline
●
What methodology should be followed
●
What methods are required for chain of custody or chain of evidence
●
What format the final report should take and to whom it should be given
Digital Forensics 649
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
The policy document should be supported by a procedures manual and developed based on
the documents discussed earlier, along with guidance from law enforcement or consultants.
By creating and using these policies and procedures, an organization can best protect itself
from challenges by employees who have been subject to unfavorable action from an
investigation.
Selected Readings
●
Fighting Computer Crime: A New Framework for Protecting Information, by Donn B.
Parker. 1998. John Wiley and Sons.
●
Digital Evidence and Computer Crime, Third Edition, by Eoghan Casey. 2011.
Academic Press.
●
Guide to Computer Forensics and Investigations, Fourth Edition, by Amelia Phillips
and Christopher Steuart. 2010. Course Technology.
Chapter Summary
■ Change is inevitable, so organizations should have procedures to deal with changes in
the operation and maintenance of the information security program.
■ The CISO decides whether the information security program can adapt to change as it
is implemented or whether the macroscopic process of the SecSDLC must be started
anew.
■ The maintenance model recommended in this chapter is made up of five subject areas
or domains: external monitoring, internal monitoring, planning and risk assessment,
vulnerability assessment and remediation, and readiness and review.
■ To stay current, the information security community of interest and the CISO must
constantly monitor the three components of the security triple—threats, assets, and
vulnerabilities.
■ To assist the information security community in managing and operating the ongoing
security program, the organization should adopt a security management maintenance
model. These models are frameworks that are structured by the tasks of managing a
particular set of activities or business functions.
■ NIST SP 800-100, Information Security Handbook: A Guide for Managers, outlines
managerial tasks performed after the program is operational. For each of the 13 areas
of information security management presented in SP 800-100, there are specific moni-
toring activities:
1. Information security governance
2. Systems development life cycle
3. Awareness and training
4. Capital planning and investment control
5. Interconnecting systems
650 Chapter 12
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
12
6. Performance measures
7. Security planning
8. Information technology contingency planning
9. Risk management
10. Certification, accreditation, and security assessments
11. Security services and products acquisition
12. Incident response
13. Configuration and change management
■ The objective of the external monitoring domain in the maintenance model is to pro-
vide early awareness of new and emerging threats, threat agents, vulnerabilities, and
attacks so that an effective and timely defense can be mounted.
■ The objective of the internal monitoring domain is an informed awareness of the state
of the organization’s networks, information systems, and information security
defenses. The security team documents and communicates this awareness, particularly
when it concerns system components that face the external network.
■ The primary objective of the planning and risk assessment domain is to keep an eye on
the entire information security program.
■ The primary objectives of the vulnerability assessment and remediation domain are to
identify specific, documented vulnerabilities and remediate them in a timely fashion.
■ The primary objectives of the readiness and review domain are to keep the informa-
tion security program functioning as designed and keep improving it over time.
■ Digital forensics is the investigation of wrongdoing in the arena of information secu-
rity. Digital forensics requires the preservation, identification, extraction, documenta-
tion, and interpretation of computer media for evidentiary and/or root-cause analysis.
Review Questions
1. List and define the factors that are likely to shift in an organization’s information secu-
rity environment.
2. Who decides if the information security program can adapt to change adequately?
3. List and briefly describe the five domains of the general security maintenance model, as
identified in the text.
4. What are the three primary aspects of information security risk management? Why is
each important?
5. What is a management maintenance model? What does it accomplish?
6. What changes need to be made to the model in SP 800-100 to adapt it for use in secu-
rity management maintenance?
7. What ongoing responsibilities do security managers have in securing the SDLC?
Review Questions 651
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
8. What is vulnerability assessment?
9. What is penetration testing?
10. What is the difference between configuration management and change management?
11. What is a performance baseline?
12. What is the difference between vulnerability assessment and penetration testing?
13. What is the objective of the external monitoring domain of the maintenance model?
14. List and describe four vulnerability intelligence sources. Which seems the most effec-
tive? Why?
15. What does CERT stand for? Is there more than one CERT? What is the purpose of a CERT?
16. What is the primary objective of the internal monitoring domain?
17. What is the objective of the planning and risk assessment domain of the maintenance
model? Why is this important?
18. What is the primary goal of the vulnerability assessment and remediation domain of
the maintenance model? Is this important to an organization with an Internet pres-
ence? Why?
19. List and describe the five vulnerability assessments described in the text. Can you think
of other assessment processes that might exist?
20. What is digital forensics, and when is it used in a business setting?
Exercises
1. Search the Web for the Forum of Incident Response and Security Teams (FIRST). In
your own words, what is the forum’s mission?
2. Search the Web for two or more sites that discuss the ongoing responsibilities of the
security manager. What other components of security management can be adapted for
use in the security management model?
3. This chapter lists five tools that can be used by security administrators, network
administrators, and attackers alike. Search the Web for three to five other tools that
fit this description.
4. Using a Web browser and the names of the tools you found in Exercise 3, find a site
that claims to be dedicated to supporting hackers. Do you find any references to other
hacker tools? If you do, create a list of the tools along with a short description of what
they do and how they work.
5. Using the components of risk assessment documentation presented in the chapter, draft
a tentative risk assessment of a lab, department, or office at your university. Outline
the critical risks you found and discuss them with your class.
652 Chapter 12
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
12
Case Exercises
Remember from the beginning of this book how Amy’s day started? Now imagine how it
could have gone with better planning:
For Amy, the day began like any other at the Sequential Label and Supply Company (SLS)
help desk. Taking calls and helping office workers with computer problems was not glamor-
ous, but she enjoyed the work; it was challenging and paid well enough. Some of her friends
in the industry worked at bigger companies, some at cutting-edge tech companies, but they all
agreed that technology jobs were a good way to pay the bills.
The phone rang, as it did about four times an hour and 28 times a day. The first call of the
day, from a user hoping Amy could help him out of a jam, seemed typical. The call display
on her monitor showed some of the facts: the user’s name, his phone number and department,
where his office was on the company campus, and a list of his past calls to the help desk.
“Hi, Bob,” Amy said. “Did you get that document formatting problem squared away?”
“Sure did, Amy. Hope we can figure out what’s going on this time.”
“We’ll try, Bob. Tell me about it.”
“Well, I need help setting a page break in this new spreadsheet template I’m working on,”
Bob said.
Amy smiled to herself. She knew spreadsheets well, so she would probably be able to close
this call on the first contact. That would help her call statistics, which was one method of
measuring her job performance.
Little did Amy know that roughly four minutes before Bob’s phone call, a specially pro-
grammed computer at the edge of the SLS network had made a programmed decision. This
computer was generally known as postoffice.seqlbl.com, but it was called the “e-mail gate-
way” by the networking, messaging, and information security teams at SLS. The decision
was just like many thousands of other decisions it made in a typical day—that is, to block
the transmission of a file that was attached to an e-mail addressed to
Bob.Hulme@seqlbl.com. The gateway had determined that Bob didn’t need an executable pro-
gram that had been attached to the e-mail message. The gateway had also determined that the
message originated from somewhere on the Internet but contained a forged reply-to address
from Davey Martinez at SLS. In other words, the gateway had delivered the e-mail to Bob
Hulme, but not the attachment.
When Bob got the e-mail, all he saw was another unsolicited commercial e-mail with an
unwanted executable that had been blocked. He had deleted the nuisance message without a
second thought. While she was talking to Bob, Amy looked up to see Charles Moody walking
calmly down the hall. Charlie, as he liked to be called, was the senior manager of the server
administration team and the company’s chief information security officer. Kelvin Urich and
Iris Majwubu were trailing behind Charlie as he headed from his office to the door of the con-
ference room. Amy thought, “It must be time for the weekly security status meeting.”
She was the user representative on the company information security oversight committee, so
she was due to attend this meeting. Amy continued talking Bob through the procedure for set-
ting up a page break, and decided she would join the information security team for coffee and
bagels as soon as she was finished.
Case Exercises 653
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Discussion Questions
1. What area of the SP 800-100 management maintenance model addresses the actions of
the content filter described here?
2. What recommendations would you give SLS for how it might select a security manage-
ment maintenance model?
Ethical Decision Making
Referring back to the opening case of this chapter, suppose Charlie had just finished a search for
a new job and knew that he would soon be leaving the company. When Iris came in to talk
about the tedious and time-consuming review process, he put her off and asked her to schedule
a meeting with him “in 2 or 3 weeks,” knowing full well that he would be gone by then.
Do you think this kind of action is unethical because Charlie knows he is leaving soon?
Endnotes
1. “Configuration Management.” Wikipedia. Accessed 14 April 2014 from en.wikipedia
.org/wiki/Configuration_management.
2. Bowen, R., Hash, J., and Wilson, M. National Institute of Standards and Technology.
Information Security Handbook: A Guide for Managers. SP 800-100. Accessed 16
April 2014 from csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007
.pdf.
3. Ibid.
4. Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J., and Gulick, J. National
Institute of Standards and Technology. Security Considerations in the Information
System Development Life Cycle. SP 800-64, Rev. 2. October 2008. Accessed 14 April
2014 from csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf.
5. Bowen, P., Kissel, R., Scholl, M., Robinson W., Stansfield, J., and Vildish, L. National
Institute of Standards and Technology. Recommendations for Integrating IT Security
into the Capital Planning and Investment Control Process (Draft). SP 800-65, Rev. 1
(DRAFT). July 2009. Accessed 5 August 2014 from csrc.nist.gov/publications/drafts
/800-65-rev1/draft-sp800-65rev1.pdf.
6. Grance, T., Hash, J., Peck, S., Smith, J., and Karow-Diks, K. National Institute of
Standards and Technology. Security Guide for Interconnecting Information
Technology Systems. SP 800-47. August 2002. Accessed 5 August 2014 from
csrc.nist.gov/publications/nistpubs/800-47/sp800-47.pdf.
7. Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., and Robinson, W. National
Institute of Standards and Technology. Performance Measurement Guide for
Information Security. SP 800-55, Rev. 1. July 2008. Accessed 14 April 2014 from
csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf.
8. Bowen, R., Hash, J., and Wilson, M. National Institute of Standards and Technology.
Information Security Handbook: A Guide for Managers. SP 800-100. Accessed 16 April
2014 from csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf.
654 Chapter 12
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
12
9. Grance, T., Hash, J., Stevens, M., O’Neal, K., and Bartol, N. National Institute of
Standards and Technology. Guide to Information Technology Security Services. SP
800-35. October 2003. Accessed 14 April 2014 from csrc.nist.gov/publications/nist-
pubs/800-35/NIST-SP800-35.pdf.
10. Grance, T., Stevens, M., and Myers, M. National Institute of Standards and
Technology. Guide to Selecting Information Technology Security Products. SP 800-
36. October 2003. Accessed 14 April 2014 from csrc.nist.gov/publications/nistpubs
/800-36/NIST-SP800-36.pdf.
11. Cuff, Jeanne. “Grow Up: How Mature Is Your Help Desk?” Compass America, Inc.
Accessed 14 April 2014 from fsz.ifas.ufl.edu/HD/GrowUpWP.pdf.
12. Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J., and Gulick, J. National
Institute of Standards and Technology. Security Considerations in the System Develop-
ment Life Cycle. SP 800-64, Rev. 2. October 2008. Accessed 14 April 2014 from csrc
.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf.
13. Join Task Force Transformation Initiative. National Institute of Standards and
Technology. Security and Privacy Controls for Federal Information Systems and Orga-
nizations. SP 800-53, Rev. 4. April 2013. Accessed 14 April 2014 from nvlpubs.nist
.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.
14. Readings and Cases in the Management of Information Security: Legal and Ethical
Issues. 2010. Course Technology.
15. “Canon.” Accessed 14 April 2014 from dictionary.reference.com/browse/canon.
16. “Ethical.” Accessed 14 April 2014 from dictionary.reference.com/browse/ethical.
17. Multiple references, including www.edu-cyberpg.com/Technology/ethics.html. Accessed
14 April 2014.
18. “Hacking.” Accessed 14 April 2014 from dictionary.reference.com/search?q=hacking.
19. © 1986 Paramount Pictures.
20. © 1983 Metro-Goldwyn-Mayer Studios Inc./United Artists.
21. © 1995 Metro-Goldwyn-Mayer Studios Inc.
22. “Oxymoron.” Accessed 14 April 2014 from dictionary.reference.com/browse
/oxymoron.
23. Levy, S. Hackers: Heroes of the Computer Revolution. 1984. Putnam, NY: Penguin.
24. “Authorization.” Accessed 14 April 2014 from dictionary.reference.com/browse
/authorization.
25. “Hippocratic Oath.” Accessed 14 April 2014 from en.wikipedia.org/wiki/Hippocratic_
Oath.
26. (ISC) 2 Code of Ethics. Accessed 14 April 2014 from www.isc2.org/ethics/default.aspx?
terms=code%20of%20ethics.
27. “Professional.” Accessed 14 April 2014 from dictionary.reference.com/browse/professional.
Endnotes 655
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Glossary
10.3 password rule An industry recommendation for pass-
word structure and strength that specifies passwords should
be at least 10 characters long and contain at least one
uppercase letter, one lowercase letter, one number, and one
special character.
acceptance control strategy The risk control strategy that
indicates an organization is willing to accept the current level
of residual risk.
access A subject or object’s ability to use, manipulate, mod-
ify, or affect another subject or object.
access control The selective method by which systems specify
who may use a particular resource and how they may use it.
access control list (ACL) A specification of an organization’s
information asset, the users who may access and use it, and
their rights and privileges for using the asset.
access control matrix An integration of access control lists
(focusing on assets) and capability tables (focusing on users)
that results in a matrix with organizational assets listed in the
column headings and users listed in the row headings. The
matrix contains ACLs in columns for a particular device or
asset and capability tables in rows for a particular user.
accountability The access control mechanism that ensures all
actions on a system—authorized or unauthorized—can be
attributed to an authenticated identity. Also known as
auditability.
accreditation The process that authorizes an IT system to
process, store, or transmit information.
accuracy An attribute of information that describes how data
is free of errors and has the value that the user expects.
active vulnerability scanner An application that scans
networks to identify exposed usernames and groups, open
network shares, configuration problems, and other vulner-
abilities in servers.
address restrictions Firewall rules designed to prohibit
packets with certain addresses or partial addresses from
passing through the device.
Advanced Encryption Standard (AES) The current federal
standard for the encryption of data, as specified by NIST.
AES is based on the Rijndael algorithm, which was developed
by Vincent Rijmen and Joan Daemen.
advance-fee fraud (AFF) A form of social engineering, typi-
cally conducted via e-mail, in which an organization or some
third party indicates that the recipient is due an exorbitant
amount of money and needs only a small advance fee or
personal banking information to facilitate the transfer.
adverse event An event with negative consequences that
could threaten the organization’s information assets or
operations.
adware Malware intended to provide undesired marketing
and advertising, including popups and banners on a user’s
screens.
affidavit Sworn testimony that certain facts are in the pos-
session of an investigating officer; an affidavit can be used to
request a search warrant.
after-action review A detailed examination and discussion
of the events that occurred, from first detection to final
recovery.
aggregate information Collective data that relates to a
group or category of people and that has been altered to
remove characteristics or components that make it possible to
identify individuals within the group. Not to be confused
with information aggregation.
air-aspirating detector A fire detection sensor used in high-
sensitivity areas that works by taking in air, filtering it, and
passing it through a chamber that contains a laser beam. The
alarm triggers if the beam is broken.
alarm clustering and compaction A process of grouping
almost identical alarms that occur nearly at the same time
into a single higher-level alarm.
alarm filtering The process of classifying IDPS alerts so they
can be more effectively managed.
alert or alarm An indication that a system has just been
attacked or is under attack. IDPS alerts and alarms take the
form of audible signals, e-mail messages, pager notifications,
or pop-up windows.
alert message A scripted description of the incident that
usually contains just enough information so that each person
knows what portion of the IR plan to implement without
slowing down the notification process.
alert roster A document that contains contact information
for people to be notified in the event of an incident.
algorithm The steps used to convert an unencrypted message
into an encrypted sequence of bits that represent the message;
sometimes refers to the programs that enable the crypto-
graphic processes.
annualized cost of a safeguard (ACS) In a cost-benefit
analysis, the total cost of a control or safeguard, including
all purchase, maintenance, subscription, personnel, and
support fees, divided by the total number of expected years
of use.
657
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
annualized loss expectancy (ALE) In a cost-benefit analysis,
the product of the annualized rate of occurrence and single
loss expectancy.
annualized rate of occurrence (ARO) In a cost-benefit anal-
ysis, the expected frequency of an attack, expressed on a per-
year basis.
anomaly-based detection Also known as behavior-based
detection, an IDPS detection method that compares current
data and traffic patterns to an established baseline of
normalcy.
application firewall See application layer firewall.
application header (AH) protocol In IPSec, a protocol that
provides system-to-system authentication and data integrity
verification, but does not provide secrecy for the content of a
network communication.
application layer firewall A firewall type capable of per-
forming filtering at the application layer of the OSI model,
most commonly based on the type of service (for example,
HTTP, SMTP, or FTP). Also known as an application fire-
wall. See also proxy server.
application protocol verification The process of examining
and verifying the higher-order protocols (HTTP, FTP, and
Telnet) in network traffic for unexpected packet behavior or
improper use.
asset The organizational resource that is being protected.
asset exposure See loss magnitude.
asset valuation The process of assigning financial value or
worth to each information asset.
asymmetric encryption An encryption method that incor-
porates mathematical operations involving both a public key
and a private key to encipher or decipher a message. Either
key can be used to encrypt a message, but then the other key
is required to decrypt it.
asynchronous token An authentication component in the
form of a token—a card or key fob that contains a computer
chip and a liquid crystal display and shows a computer-
generated number used to support remote login authentica-
tion. This token does not require calibration of the central
authentication server; instead, it uses a challenge/response
system.
attack An intentional or unintentional act against an asset
that can damage or otherwise compromise information and
the systems that support it.
attack protocol A logical sequence of steps or processes used
by an attacker to launch an attack against a target system or
network.
attack success probability The number of successful attacks
that are expected to occur within a specified time period.
attack surface The functions and features that a system
exposes to unauthenticated users.
attribute A characteristic of a subject (user or system) that
can be used to restrict access to an object. Also known as a
subject attribute.
attribute-based access control (ABAC) An access control
approach whereby the organization specifies the use of
objects based on some attribute of the user or system.
auditability See accountability.
auditing The review of a system’s use to determine if misuse
or malfeasance has occurred.
authentication The access control mechanism that requires
the validation and verification of a supplicant’s purported
identity.
authentication factors Three mechanisms that provide
authentication based on something a supplicant knows,
something a supplicant has, and something a supplicant is.
authenticity An attribute of information that describes how
data is genuine or original rather than reproduced or
fabricated.
authorization The access control mechanism that represents
the matching of an authenticated entity to a list of informa-
tion assets and corresponding access levels.
availability An attribute of information that describes how
data is accessible and correctly formatted for use without
interference or obstruction.
availability disruption An interruption in service, usually
from a service provider, which causes an adverse event within
an organization.
avoidance of competitive disadvantage The adoption and
implementation of a business model, method, technique,
resource, or technology to prevent being outperformed by a
competing organization; working to keep pace with the com-
petition through innovation, rather than falling behind.
back door A malware payload that provides access to a sys-
tem by bypassing normal access controls. A back door is also
an intentional access control bypass left by a system designer
to facilitate development.
back hack The process of illegally attempting to determine
the source of an intrusion by tracing it and trying to gain
access to the originating system.
baseline A performance value or metric used to compare
changes in the object being measured.
baselining The comparison of past security activities and
events against the organization’s current performance.
bastion host A firewall implementation strategy in which the
device is connected directly to the untrusted area of the
658 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
organization’s network rather than being placed in a screened
area. Also known as a sacrificial host.
behavioral feasibility See operational feasibility.
behavior-based detection See anomaly-based detection.
benchmarking The process of comparing other organiza-
tions’ activities against the practices used in one’s own orga-
nization to produce results it would like to duplicate.
best business practices Security efforts that seek to
provide a superior level of performance in the protection of
information. Also known as best practices or recommended
practices.
biometric access control An access control approach based
on the use of a measurable human characteristic or trait to
authenticate the identity of a proposed systems user (a
supplicant).
biometric lock A lock that reads a unique biological attribute
such as a fingerprint, iris, retina, or palm and then uses that
input as a key.
bit stream cipher An encryption method that involves con-
verting plaintext to ciphertext one bit at a time.
blackout A long-term interruption (outage) in electrical
power availability.
block cipher An encryption method that involves dividing
the plaintext into blocks or sets of bits and then converting
the plaintext to ciphertext one block at a time.
boot virus Also known as a boot sector virus, a type of virus
that targets the boot sector or Master Boot Record (MBR) of
a computer system’s hard drive or removable storage media.
bot An abbreviation of robot, an automated software pro-
gram that executes certain commands when it receives a spe-
cific input. See also zombie.
bottom-up approach A method of establishing security poli-
cies that begins as a grassroots effort in which systems
administrators attempt to improve the security of their
systems.
brownout A long-term decrease in electrical power
availability.
brute force password attack An attempt to guess a pass-
word by attempting every possible combination of characters
and numbers in it.
buffer overrun (or buffer overflow) An application error
that occurs when more data is sent to a program buffer than
it is designed to handle.
build A snapshot of a particular version of software assem-
bled or linked from its component modules.
build list A list of the versions of components that make up a
build.
bull’s-eye model A method for prioritizing a program of
complex change; it requires that issues be addressed from the
general to the specific and focuses on systematic solutions
instead of individual problems.
business continuity plan (BC plan) The documented product
of business continuity planning; a plan that shows the orga-
nization’s intended efforts if a disaster renders the organiza-
tion’s primary operating location unusable.
business continuity planning (BCP) The actions taken by
senior management to specify the organization’s efforts if a
disaster renders the organization’s primary operating location
unusable.
business impact analysis (BIA) An investigation and assess-
ment of the various adverse events that can affect the organi-
zation, conducted as a preliminary phase of the contingency
planning process, which includes a determination of how
critical a system or set of information is to the organization’s
core processes and recovery priorities.
business resumption planning (BRP) In some organizations,
the combined functions of DRP and BCP.
capability table A specification of an organization’s users,
the information assets that users may access, and their rights
and privileges for using the assets. Also known as user pro-
files or user policies.
centralized IDPS control strategy An IDPS implementation
approach in which all control functions are implemented and
managed in a central location.
certificate authority (CA) In PKI, a third party that manages
users’ digital certificates.
certificate revocation list (CRL) In PKI, a published list of
revoked or terminated digital certificates.
certification In information security, the comprehensive
evaluation of an IT system’s technical and nontechnical secu-
rity controls that establishes the extent to which a particular
design and implementation meets a set of predefined security
requirements, usually in support of an accreditation process.
chain of custody See chain of evidence.
chain of evidence The detailed documentation of the collec-
tion, storage, transfer, and ownership of evidence from the
crime scene through its presentation in court.
change control A method of regulating the modification of
systems within the organization by requiring formal review
and approval for each change.
chief information officer (CIO) An executive-level position
that oversees the organization’s computing technology and
strives to create efficiency in the processing and access of the
organization’s information.
chief information security officer (CISO) Typically consid-
ered the top information security officer in an organization.
Glossary 659
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
The CISO is usually not an executive-level position, and fre-
quently the person in this role reports to the CIO.
C.I.A. triangle The industry standard for computer
security since the development of the mainframe. The
standard is based on three characteristics that describe
the utility of information: confidentiality, integrity, and
availability.
cipher or cryptosystem An encryption method or process
encompassing the algorithm, key(s) or cryptovariable(s), and
procedures used to perform encryption and decryption.
ciphertext or cryptogram The encoded message resulting
from an encryption.
civil law A wide variety of laws that govern a nation or state
and deal with the relationships and conflicts between organi-
zations and people.
clean agent A fire suppression agent that does not leave any
residue after use or interfere with the operation of electrical
or electronic equipment.
clean desk policy An organizational policy that specifies
employees must inspect their work areas and ensure that all
classified information, documents, and materials are secured
at the end of every work day.
clipping level A predefined assessment level that triggers a
predetermined response when surpassed. Typically, the
response is to notify an administrator.
closed-circuit television (CCT) A video capture and record-
ing system used to monitor a facility.
code The process of converting components (words or
phrases) of an unencrypted message into encrypted
components.
cold site An exclusive-use contingency strategy in which an
organization leases a redundant facility without any systems,
services, or equipment, requiring substantial purchases and
effort to resume operations. Essentially, a cold site is an
empty set of offices or rooms.
command injection An application error that occurs when
user input is passed directly to a compiler or interpreter
without screening for content that may disrupt or compro-
mise the intended function.
communications security The protection of all communica-
tions media, technology, and content.
community of interest A group of people who are united by
similar interests or values within an organization and who
share a common goal of helping the organization to meet its
objectives.
competitive advantage The adoption and implementation
of an innovative business model, method, technique,
resource, or technology in order to outperform the
competition.
competitive intelligence The collection and analysis of
information about an organization’s business competitors
through legal and ethical means to gain business intelligence
and competitive advantage.
computer forensics The process of collecting, analyzing, and
preserving computer-related evidence.
computer security In the early days of computers, this term
specified the need to secure the physical location of computer
technology from outside threats. This term later came to rep-
resent all actions taken to preserve computer systems from
losses. It has evolved into the current concept of information
security as the scope of protecting information in an organi-
zation has expanded.
confidence value The measure of an IDPS’s ability to cor-
rectly detect and identify certain types of attacks.
confidentiality An attribute of information that describes
how data is protected from disclosure or exposure to unau-
thorized individuals or systems.
configuration A collection of components that make up a
configuration item.
configuration and change management (CCM) An
approach to implementing system change that uses policies,
procedures, techniques, and tools to manage and evaluate
proposed changes, track changes through completion, and
maintain systems inventory and supporting documentation.
configuration item A hardware or software item that will be
modified and revised throughout its life cycle.
configuration management (CM) See configuration and
change management (CCM).
configuration rules The instructions a system administrator
codes into a server, networking device, or security device to
specify how it operates.
contact and weight sensor An alarm sensor designed to
detect increased pressure or contact at a specific location,
such as a floor pad or a window.
content filter A network filter that allows administrators to
restrict access to external content from within a network.
Also known as a reverse firewall.
contingency plan The documented product of contingency
planning; a plan that shows the organization’s intended
efforts in reaction to adverse events.
contingency planning (CP) The actions taken by senior man-
agement to specify the organization’s efforts and actions if an
adverse event becomes an incident or disaster. This planning
includes incident response, disaster recovery, and business con-
tinuity efforts, as well as preparatory business impact analysis.
contingency planning management team (CPMT) The
group of senior managers and project members organized to
conduct and lead all CP efforts.
660 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
control, safeguard, or countermeasure A security mecha-
nism, policy, or procedure that can successfully counter
attacks, reduce risk, resolve vulnerabilities, and otherwise
improve security within an organization.
corporate governance Executive management’s responsibil-
ity to provide strategic direction, ensure the accomplishment
of objectives, oversee that risks are appropriately managed,
and validate responsible resource use.
cost avoidance The process of preventing the financial
impact of an incident by implementing a control.
cost-benefit analysis (CBA) Also known as an economic
feasibility study, the formal assessment and presentation of
the economic expenditures needed for a particular security
control, contrasted with its projected value to the
organization.
covert channel Unauthorized or unintended methods of
communications hidden inside a computer system.
cracker A hacker who intentionally removes or bypasses
software copyright protection designed to prevent unautho-
rized duplication or use.
cracking Attempting to reverse-engineer, remove, or bypass a
password or other access control protection, such as the
copyright protection on software. See cracker.
criminal law Law that addresses activities and conduct
harmful to society, and is actively enforced by the state. Law
can also be categorized as private or public.
crisis management The set of actions taken by an organiza-
tion in response to an emergency to minimize injury or loss of
life, preserve the organization’s image and market share, and
complement its disaster recovery and business continuity
processes.
crossover error rate (CER) In biometric access controls, the
level at which the number of false rejections equals the false
acceptances. Also known as the equal error rate.
cross-site scripting (XSS) A Web application fault that
occurs when an application running on a Web server inserts
commands into a user’s browser session and causes informa-
tion to be sent to a hostile server.
cryptanalysis The process of obtaining the plaintext message
from a ciphertext message without knowing the keys used to
perform the encryption.
cryptography The process of making and using codes to
secure the transmission of information.
cryptology The science of encryption, which encompasses
cryptography and cryptanalysis.
cultural mores The fixed moral attitudes or customs of a
particular group.
cyberactivist See hacktivist.
cyberterrorist A hacker who attacks systems to conduct ter-
rorist activities via networks or Internet pathways.
cyberwarfare Formally sanctioned offensive operations con-
ducted by a government or state against information or sys-
tems of another government or state.
data Items of fact collected by an organization. Data includes
raw numbers, facts, and words. Student quiz scores are a
simple example of data.
data classification scheme A formal access control method-
ology used to assign a level of confidentiality to an informa-
tion asset and thus restrict the number of people who can
access it.
data custodians People who are responsible for the storage,
maintenance, and protection of information.
data owners People who own the information and thus
determine the level of classification for their data and approve
its access authorization.
data security Commonly used as a surrogate for information
security, data security is the focus of protecting data or
information in its various states—at rest (in storage), in pro-
cessing, and in transmission (over networks).
data users People who work with the information to per-
form their daily jobs and support the mission of the
organization.
database security A subset of information security that
focuses on the assessment and protection of information
stored in data repositories like database management systems
and storage media.
database shadowing An improvement to the process of
remote journaling, in which databases are backed up in near-
real time to multiple servers at both local and remote sites.
de facto standard A standard that has been widely adopted
or accepted by a public group rather than a formal standards
organization. Contrast with a de jure standard.
de jure standard A standard that has been formally evalu-
ated, approved, and ratified by a formal standards organiza-
tion. Contrast with a de facto standard.
decipher To decrypt, decode, or convert ciphertext into the
equivalent plaintext.
decrypt See decipher.
defense control strategy The risk control strategy that
attempts to eliminate or reduce any remaining uncontrolled
risk through the application of additional controls and
safeguards.
defense in depth A strategy for the protection of informa-
tion assets that uses multiple layers and different types of
controls (managerial, operational, and technical) to provide
optimal protection.
Glossary 661
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
deliverable A completed document or program module that
can either serve as the beginning point for a later task or
become an element in the finished project.
delta conversion online UPS An uninterruptible power sup-
ply (UPS) that is similar to a double conversion online UPS
except that it incorporates a delta transformer, which assists
in powering the inverter while outside power is available.
deluge system A fire suppression sprinkler system that keeps
all individual sprinkler heads open and applies water to all
areas when activated.
demilitarized zone (DMZ) An intermediate area between two
networks designed to provide servers and firewall filtering
between a trusted internal network and the outside, untrusted
network. Traffic on the outside network carries a higher level
of risk.
denial-of-service (DoS) attack An attack that attempts to
overwhelm a computer target’s ability to handle incoming
communications, prohibiting legitimate users from accessing
those systems.
dictionary password attack A variation of the brute force
password attack that attempts to narrow the range of possi-
ble passwords guessed by using a list of common passwords
and possibly including attempts based on the target’s per-
sonal information.
difference analysis A procedure that compares the current
state of a network segment against a known previous state of
the same network segment (the baseline of systems and
services).
differential backup The archival of all files that have chan-
ged or been added since the last full backup.
Diffie-Hellman key exchange A hybrid cryptosystem that
facilitates exchanging private keys using public-key
encryption.
digital certificates Public-key container files that allow PKI
system components and end users to validate a public key
and identify its owner.
digital forensics The application of forensics techniques and
methodologies to the preservation, identification, extraction,
documentation, and interpretation of digital media for evi-
dentiary and/or root-cause analysis.
digital malfeasance A crime against or using digital media,
computer technology, or related components.
Digital Signature Standard (DSS) The NIST standard for
digital signature algorithm usage by federal information sys-
tems. DSS is based on a variant of the ElGamal signature
scheme.
digital signatures Encrypted message components that can
be mathematically proven as authentic.
direct changeover The conversion strategy that involves
stopping the old system and starting the new one without any
overlap.
disaster An adverse event that could threaten the viability of
the entire organization. A disaster may either escalate from an
incident or be initially classified as a disaster.
disaster recovery plan (DR plan) The documented product
of disaster recovery planning; a plan that shows the organi-
zation’s intended efforts in the event of a disaster.
disaster recovery planning (DRP) The actions taken by
senior management to specify the organization’s efforts in
preparation for and recovery from a disaster.
discretionary access controls (DACs) Controls that are
implemented at the discretion or option of the data user.
disk duplexing Disk mirroring in which each drive has its
own controller to provide additional redundancy.
disk mirroring A RAID implementation (typically referred to
as RAID Level 1) in which the computer records all data to
twin drives simultaneously, providing a backup if the primary
drive fails.
disk striping A RAID implementation (typically referred to
as RAID Level 0) in which one logical volume is created by
storing data across several available hard drives in segments
called stripes.
distributed denial-of-service (DDoS) attack A DoS attack in
which a coordinated stream of requests is launched against a
target from many locations at the same time using bots or
zombies.
Domain Name System (DNS) cache poisoning The inten-
tional hacking and modification of a DNS database to redi-
rect legitimate traffic to illegitimate Internet locations. Also
known as DNS spoofing.
double conversion online UPS A UPS in which the protected
device draws power from an output inverter. The inverter is
powered by the UPS battery, which is constantly recharged
from the outside power.
downtime The percentage of time a particular service is not
available; the opposite of uptime.
dry-pipe system A fire suppression sprinkler system that has
pressurized air in all pipes. The air is released in the event of a
fire, allowing water to flow from a central area.
due care The legal standard that requires a prudent organi-
zation and its employees to act legally and ethically and know
the consequences of their actions. Also referred to as the
standard of due care.
due diligence Considered a subset of the standard of due
care, the legal standard that requires a prudent organization
and its employees to maintain the standard of due care and
662 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
ensure that their actions are effective. Also referred to as the
standard of due diligence.
dumb card An authentication card that contains digital user
data, such as a personal identification number (PIN), against
which user input is compared.
dumpster diving An information attack that involves
searching through a target organization’s trash and recycling
bins for sensitive information.
dynamic filtering A firewall type that can react to an adverse
event and update or create its configuration rules to deal with
that event.
electromagnetic radiation (EMR) The transmission of radi-
ant energy through space, commonly referred to as radio
waves.
electromechanical lock A lock that can accept a variety of
inputs as keys, including magnetic strips on ID cards, radio
signals from name badges, personal identification numbers
(PINs) typed into a keypad, or some combination of these to
activate an electrically powered locking mechanism.
electronic vaulting The transfer of large batches of data to
an off-site facility, typically during off-peak hours.
electrostatic discharge (ESD) The release of ambient static
electricity into a ground.
encapsulating security payload (ESP) protocol In IPSec, a
protocol that provides secrecy for the contents of network
communications as well as system-to-system authentication
and data integrity verification.
encipher To encrypt, encode, or convert plaintext into the
equivalent ciphertext.
encrypt See encipher.
enterprise information security policy (EISP) The high-level
security policy that is based on and directly supports the
mission, vision, and direction of the organization and sets the
strategic direction, scope, and tone for all security efforts.
enticement The act of attracting attention to a system by
placing tantalizing information in key locations.
entrapment The act of luring a person into committing a
crime in order to get a conviction.
ethics Codes or principles of an individual or group that
regulate and define acceptable behavior.
evasion The process by which attackers change the format and/
or timing of their activities to avoid being detected by an IDPS.
event Any occurrence within the organization’s operational
environment.
evidence A physical object or documented information that
proves an action occurred or identifies the intent of a
perpetrator.
evidentiary material (EM) Any item or information that
applies to an organization’s legal or policy-based case; also
known as an item of potential evidentiary value.
exclusive OR operation (XOR) A function within Boolean
algebra used as an encryption function in which two bits are
compared. If the two bits are identical, the result is a binary
0; otherwise, the result is a binary 1.
exit interview A meeting with an employee who is leaving
the organization to remind the employee of contractual obli-
gations, such as nondisclosure agreements, and to obtain
feedback about the employee’s tenure.
expert hacker A hacker who uses extensive knowledge of the
inner workings of computer hardware and software to gain
unauthorized access to systems and information. Also known
as elite hackers, expert hackers often create automated
exploits, scripts, and tools used by other hackers.
exploit A technique used to compromise a system; a vulner-
ability that can be used to cause a loss to an asset.
exposure A condition or state of being exposed; in informa-
tion security, exposure exists when a vulnerability is known
to an attacker.
exposure factor (EF) In a cost-benefit analysis, the expected
percentage of loss that would occur from a particular attack.
external monitoring domain The component of the mainte-
nance model that focuses on evaluating external threats to the
organization’s information assets.
extranet A segment of the DMZ where additional authenti-
cation and authorization controls are put into place to pro-
vide services that are not available to the general public.
facilities management The aspect of organizational man-
agement focused on the development and maintenance of its
buildings and physical infrastructure.
fail-safe lock An electromechanical device that automatically
releases the lock protecting a control point if a power outage
occurs. This type of lock is used for fire safety locations.
fail-secure lock An electromechanical device that stays
locked and maintains the security of the control point if a
power outage occurs.
false accept rate In biometric access controls, the percentage
of identification instances in which unauthorized users are
allowed access. Also known as a Type II error.
false attack stimulus An event that triggers an alarm when
no actual attack is in progress. Scenarios that test the config-
uration of IDPSs may use false attack stimuli to determine if
the IDPSs can distinguish between these stimuli and real
attacks.
false negative The failure of an IDPS to react to an actual
attack event. This is the most grievous IDPS failure, given
that its purpose is to detect and respond to attacks.
Glossary 663
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
false positive An alert or alarm that occurs in the absence of
an actual attack. A false positive can sometimes be produced
when an IDPS mistakes normal system activity for an attack.
False positives tend to make users insensitive to alarms and
thus reduce their reactions to actual intrusion events.
false reject rate In biometric access controls, the percentage
of identification instances in which authorized users are
denied access. Also known as a Type I error.
fault A short-term interruption in electrical power
availability.
fingerprinting The systematic survey of a targeted organiza-
tion’s Internet addresses collected during the footprinting
phase to identify the network services offered by the hosts in
that range.
fire suppression systems Devices that are installed and
maintained to detect and respond to a fire, potential fire, or
combustion danger.
firewall In information security, a combination of hardware
and software that filters or prevents specific information from
moving between the outside network and the inside network.
Each organization defines its own firewall.
fixed-temperature sensor A fire detection sensor that works
by detecting the point at which the ambient temperature in an
area reaches a predetermined level.
flame detector A fire detection system that works by detect-
ing the infrared or ultraviolet light produced by an open
flame.
footprinting The organized research of Internet addresses
owned or controlled by a target organization.
forensics The coherent application of methodical investiga-
tory techniques to present evidence of crimes in a court or
similar setting.
full backup A complete backup of the entire system, includ-
ing all applications, operating systems components, and data.
fully distributed IDPS control strategy An IDPS implemen-
tation approach in which all control functions are applied at
the physical location of each IDPS component.
gap analysis The process of comparing measured results
against expected results, then using the resulting “gap” as a
measure of project success and as feedback for project
management.
gaseous (or chemical gas) emission systems Fire suppres-
sion systems that operate through the delivery of gases rather
than water.
goals Sometimes used synonymously with objectives; the
desired end of a planning cycle.
governance The set of responsibilities and practices exercised
by the board and executive management with the goal of
providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately
and verifying that the enterprise’s resources are used
responsibly.
ground fault circuit interruption A special circuit device
designed to immediately disconnect a power supply when a
sudden discharge (ground fault) is detected.
guidelines Within the context of information security, a set
of recommended actions to assist an organizational stake-
holder in complying with policy.
hacker A person who accesses systems and information
without authorization and often illegally.
hacktivist A hacker who seeks to interfere with or disrupt
systems to protest the operations, policies, or actions of an
organization or government agency.
hash algorithms Public functions that create a hash value,
also known as a message digest, by converting variable-length
messages into a single fixed-length value.
hash functions Mathematical algorithms that generate a
message summary or digest (sometimes called a fingerprint)
to confirm message identity and integrity.
hash value See message digest.
hierarchical roster An alert roster in which the first person
calls a few other people on the roster, who in turn call others.
This method typically uses the organizational chart as a
structure.
honeynet A collection of honeypot systems on a subnet.
honeypots Decoy systems designed to lure potential attack-
ers away from critical systems. Also known as decoys, lures,
and flytraps.
host-based IDPS (HIDPS) An IDPS that resides on a particu-
lar computer or server, known as the host, and monitors
activity only on that system. Also known as a system integrity
verifier.
hot site An exclusive-use contingency strategy in which an
organization leases a redundant facility complete with all
systems, services, and equipment needed to resume operations
with minimal delay.
hot swap A hard drive feature that allows individual drives
to be replaced without fault and without powering down the
entire system.
humidity The amount of moisture in the air.
hybrid VPN A combination of trusted and secure VPN
implementations.
identification The access control mechanism whereby unver-
ified entities or supplicants who seek access to a resource pro-
vide a label by which they are known to the system.
664 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
identification (ID) card A document used to verify the iden-
tity of a member of an organization, group, or domain.
identity theft The unauthorized taking of personally identi-
fiable information with the intent of committing fraud and
abuse of a person’s financial and personal reputation, pur-
chasing goods and services without authorization, and gen-
erally impersonating the victim for illegal or unethical
purposes.
incident An adverse event that could result in loss of an
information asset or assets, but does not currently threaten
the viability of the entire organization.
incident candidate An adverse event that has strong poten-
tial to meet the criteria to become an incident.
incident classification The process of examining an incident
candidate and determining whether it constitutes an actual
incident.
incident damage assessment The rapid determination of
how seriously a breach of confidentiality, integrity, and
availability affected information and information assets dur-
ing an incident or just following one.
incident response plan (IR plan) The documented product
of incident response planning; a plan that shows the organi-
zation’s intended efforts in the event of an incident.
incident response planning (IRP) The actions taken by
senior management to specify the organization’s processes
and procedures to anticipate, detect, and mitigate the effects
of an incident.
incremental backup A backup that archives only the files
that have been modified since the previous incremental
backup.
industrial espionage The collection and analysis of infor-
mation about an organization’s business competitors, often
through illegal or unethical means, to gain an unfair compet-
itive advantage. Also known as corporate spying, which is
distinguished from espionage for national security reasons.
information Data that has been organized, structured, and
presented to provide additional insight into its context,
worth, and usefulness. For example, a student’s class average
can be presented in the context of its value, as in “90 ¼ A.”
information aggregation Pieces of nonprivate data that,
when combined, may create information that violates pri-
vacy. Not to be confused with aggregate information.
information asset The focus of information security; infor-
mation that has value to the organization, and the systems
that store, process, and transmit the information.
information assurance The affirmation or guarantee of the
confidentiality, integrity, and availability of information in
storage, processing, and transmission. This term is often used
synonymously with information security.
information extortion The act of an attacker or trusted
insider who steals information from a computer system and
demands compensation for its return or for an agreement not
to disclose the information. Also known as cyberextortion.
information security Protection of the confidentiality, integ-
rity, and availability of information assets, whether in stor-
age, processing, or transmission, via the application of policy,
education, training and awareness, and technology.
information security blueprint The basis for all security
program elements; a scalable, upgradeable, comprehensive
plan to meet the organization’s current and future informa-
tion security needs.
information security framework An outline or structure of
the organization’s overall information security strategy that is
used as a road map for planned changes to its information
security environment; often developed as an adaptation or
adoption of a popular methodology, like NIST’s security
approach or the ISO 27000 series.
information security governance The application of the
principles of corporate governance to the information secu-
rity function.
information security model An established information
security framework, often popular among other organizations
and backed by a recognized security agency, with exemplar
details an organization may want to emulate in creating its
own framework and blueprint.
information security policy A set of rules that protects an
organization’s information assets.
information system (IS) The entire set of software, hard-
ware, data, people, procedures, and networks that enable the
use of information resources in the organization.
inline sensor An IDPS sensor intended for network perimeter
use and deployed in close proximity to a perimeter firewall to
detect incoming attacks that could overwhelm the firewall.
integer bug A class of computational error caused by meth-
ods that computers use to store and manipulate integer num-
bers; this bug can be exploited by attackers.
integrity An attribute of information that describes how data
is whole, complete, and uncorrupted.
intellectual property (IP) The creation, ownership, and con-
trol of original ideas as well as the representation of those
ideas.
internal monitoring domain The component of the mainte-
nance model that focuses on identifying, assessing, and man-
aging the configuration and status of information assets in an
organization.
Internet Protocol Security (IPSec) An open-source protocol
framework for security development within the TCP/IP family
of protocol standards.
Glossary 665
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Internet vulnerability assessment An assessment approach
designed to find and document vulnerabilities that may be
present in the organization’s public network.
intranet vulnerability assessment An assessment approach
designed to find and document selected vulnerabilities that are
likely to be present on the organization’s internal network.
intrusion An adverse event in which an attacker attempts to
gain entry into an information system or disrupt its normal
operations, almost always with the intent to do harm.
intrusion detection and prevention system (IDPS) The
general term for both intrusion detection systems and intru-
sion prevention systems.
intrusion detection system (IDS) A system capable of auto-
matically detecting an intrusion into an organization’s net-
works or host systems and notifying a designated authority.
intrusion prevention system (IPS) An IDS system capable of
automatically responding to a detected intrusion and pre-
venting it from successfully attacking the organization by
means of an active response.
ionization sensor A fire detection sensor that works by
exposing the ambient air to a small amount of a harmless
radioactive material within a detection chamber; an alarm is
triggered when the level of electrical conductivity changes
within the chamber.
issue-specific security policy (ISSP) Commonly referred to
as a fair and responsible use policy; a policy designed to
control constituents’ use of a particular resource, asset, or
activity, and provided to support the organization’s goals and
objectives.
jailbreaking Escalating privileges to gain administrator-level
control over a smartphone operating system (typically asso-
ciated with Apple iOS smartphones). See also rooting.
job rotation The requirement that every employee be able to
perform the work of another employee. Also known as task
rotation.
jurisdiction A court’s right to hear a case if a wrong is com-
mitted in its territory or involves its citizenry.
Kerberos A remote authentication system that uses symmetric
key encryption-based tickets managed in a central database to
validate an individual user to various network resources.
key or cryptovariable The information used in conjunction
with an algorithm to create the ciphertext from the plaintext
or derive the plaintext from the ciphertext. The key can be a
series of bits used by a computer program, or it can be a
passphrase used by people that is then converted into a series
of bits used by a computer program.
keyspace The entire range of values that can be used to con-
struct an individual key.
knowledge-based detection See signature-based detection.
known vulnerability A published weakness or fault in an
information asset or its protective systems that may be
exploited and result in loss.
lattice-based access control (LBAC) An access control
approach that uses a matrix or lattice of subjects (users and
systems needing access) and objects (resources) to assign pri-
vileges. LBAC is an example of an NDAC.
laws Rules that mandate or prohibit certain behavior and are
enforced by the state.
least privilege The process of ensuring that no unnecessary
access to data exists; employees are able to perform only the
minimum operations necessary on a set of data.
liability The legal obligation of an entity that extends beyond
criminal or contract law.
likelihood The probability that a specific vulnerability within
an organization will be the target of an attack.
line-interactive UPS A UPS in which a pair of inverters and
converters draw power from the outside source both to
charge the battery and provide power to the internal pro-
tected device.
link encryption A series of encryptions and decryptions
between a number of systems, wherein each system in a net-
work decrypts the message sent to it and then reencrypts the
message using different keys and sends it to the next neigh-
bor. This process continues until the message reaches the final
destination.
log file monitor (LFM) An attack detection method that
reviews the log files generated by computer systems, looking
for patterns and signatures that may indicate an attack or
intrusion is in process or has already occurred.
long-arm jurisdiction The application of laws to people cur-
rently residing outside a court’s normal jurisdiction, usually
granted when a person performs an illegal action within the
court’s jurisdiction and then leaves.
loss A single instance of an information asset suffering dam-
age or destruction, unintended or unauthorized modification
or disclosure, or denial of use.
loss frequency The calculation of the likelihood of an attack
coupled with the attack frequency to determine the expected
number of losses within a specified time range.
loss magnitude Also known as event loss magnitude, the
combination of an asset’s value and the percentage of it that
might be lost in an attack.
MAC layer firewall A firewall designed to operate at the
media access control sublayer of the network’s data link layer
(Layer 2).
macro virus A type of virus written in a specific macro
language to target applications that use the language. The
virus is activated when the application’s product is opened.
666 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
A macro virus typically affects documents, slideshows,
e-mails, or spreadsheets created by office suite applications.
mail bomb An attack designed to overwhelm the receiver
with excessive quantities of e-mail.
maintenance hook See back door.
major release A significant revision of a version from its
previous state.
malicious code See malware.
malicious software See malware.
malware Computer software specifically designed to perform
malicious or unwanted actions.
managerial controls Information security safeguards that
focus on administrative planning, organizing, leading, and
controlling, and that are designed by strategic planners and
implemented by the organization’s security administration.
These safeguards include governance and risk management.
managerial guidance SysSP A systems-specific security pol-
icy that expresses management’s intent for the acquisition,
implementation, configuration, and management of a partic-
ular technology, written from a business perspective.
mandatory access control (MAC) An access control
approach whereby the organization specifies use of resources
based on the assignment of data classification schemes to
resources and clearance levels to users. MAC is an example of
an LBAC approach.
man-in-the-middle A group of attacks whereby a person
intercepts a communications stream and inserts himself in
the conversation to convince each of the legitimate parties
that he is the other communications partner. Some man-
in-the-middle attacks involve encryption functions.
mantrap A small room or enclosure with separate entry and
exit points, designed to restrain a person who fails an access
authorization attempt.
maximum tolerable downtime (MTD) The total amount of
time the system owner or authorizing official is willing to
accept for a mission/business process outage or disruption,
including all impact considerations.
McCumber Cube A graphical representation of the architec-
tural approach widely used in computer and information
security; commonly shown as a cube composed of 3 ? 3 ? 3
cells, similar to a Rubik’s Cube.
mean time between failure (MTBF) The average amount of
time between hardware failures, calculated as the total
amount of operation time for a specified number of units
divided by the total number of failures.
mean time to diagnose (MTTD) The average amount of time
a computer repair technician needs to determine the cause of
a failure.
mean time to failure (MTTF) The average amount of time
until the next hardware failure.
mean time to repair (MTTR) The average amount of time a
computer repair technician needs to resolve the cause of a
failure through replacement or repair of a faulty unit.
mechanical lock A physical lock that may rely on either a
key or numerical combination to rotate tumblers and release
the hasp. Also known as a manual lock.
memory-resident virus A virus that is capable of installing
itself in a computer’s operating system, starting when the
computer is activated, and residing in the system’s memory
even after the host application is terminated. Also known as a
resident virus.
message authentication code (MAC) A key-dependent, one-
way hash function that allows only specific recipients (sym-
metric key holders) to access the message digest.
message digest A value representing the application of a
hash algorithm on a message that is transmitted with the
message so it can be compared with the recipient’s locally
calculated hash of the same message. If both hashes are
identical after transmission, the message has arrived without
modification. Also known as a hash value.
methodology A formal approach to solving a problem based
on a structured sequence of procedures.
metrics-based measures Performance measures or metrics
based on observed numerical data.
milestone A specific point in the project plan when a task
that has a noticeable impact on the plan’s progress is
complete.
minor release (update or patch) A minor revision of a ver-
sion from its previous state.
minutiae In biometric access controls, unique points of ref-
erence that are digitized and stored in an encrypted format
when the user’s system access credentials are created.
misuse detection See signature-based detection.
mitigation control strategy The risk control strategy that
attempts to reduce the impact of a successful attack through
planning and preparation.
modem vulnerability assessment An assessment approach
designed to find and document any vulnerability on dial-up
modems connected to the organization’s networks.
monitoring port Also known as a switched port analysis
(SPAN) port or mirror port, a specially configured connection
on a network device that can view all the traffic that moves
through the device.
monoalphabetic substitution A substitution cipher
that only incorporates a single alphabet in the encryption
process.
Glossary 667
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
motion detector An alarm sensor designed to detect move-
ment within a defined space.
mutual agreement A contractual relationship between two
or more organizations that specifies how each will assist the
other in the event of a disaster; unaffected organizations are
required to provide any needed resources to maintain the
organization affected by the disaster.
name badge An identification card typically worn in a visi-
ble location to quickly verify an authorized member.
need to know The requirement that an employee only has
access to information necessary for performing his or her
own work.
Network Address Translation (NAT) A method of mapping
valid external IP addresses to special ranges of nonroutable
internal IP addresses, known as private addresses, on a one-
to-one basis.
network-based IDPS (NIDPS) An IDPS that resides on a
computer or appliance connected to a segment of an organi-
zation’s network and monitors traffic on that segment, look-
ing for indications of ongoing or successful attacks.
network security A subset of communications security; the
protection of voice and data networking components, con-
nections, and content.
noise The presence of additional and disruptive signals in
network communications or electrical power delivery. For an
IDPS, unsuccessful attacks and other alarm events that are
accurate and noteworthy but do not pose significant threats
to information security.
nondiscretionary access controls (NDACs) A strictly
enforced version of MACs that are managed by a central
authority in the organization and can be based on an indi-
vidual user’s role or a specified set of tasks.
non-memory-resident virus A virus that terminates after it
has been activated, infected its host system, and replicated
itself. NMR viruses do not reside in an operating system or
memory after executing. Also known as a non-resident virus.
nonrepudiation The process of reversing public-key encryp-
tion to verify that a message was sent by the sender and thus
cannot be refuted.
novice hacker A relatively unskilled hacker who uses the
work of expert hackers to perform attacks. Also known as a
neophyte, n00b, or newbie. This category of hackers includes
script kiddies and packet monkeys.
objectives Sometimes used synonymously with goals; the
intermediate states obtained to achieve progress toward a
goal or goals.
operational controls Information security safeguards focus-
ing on lower-level planning that deals with the functionality
of the organization’s security. These safeguards include
disaster recovery and incident response planning.
operational feasibility An assessment of user acceptance
and support, management acceptance and support, and the
overall requirements of the organization’s stakeholders.
operational plan The documented product of operational
planning; a plan for the organization’s intended operational
efforts on a day-to-day basis for the next several months.
operational planning The actions taken by management to
specify the short-term goals and objectives of the organization
in order to obtain specified tactical goals, followed by esti-
mates and schedules for the allocation of resources necessary
to achieve those goals and objectives.
organizational feasibility An assessment of how well the
proposed information security alternatives will contribute to
the efficiency, effectiveness, and overall operation of an
organization.
packet-filtering firewall Also referred to as a filtering fire-
wall, a networking device that examines the header informa-
tion of data packets that come into a network and determines
whether to drop them (deny) or forward them to the next
network connection (allow), based on its configuration rules.
packet monkey A script kiddie who uses automated exploits
to engage in denial-of-service attacks.
packet sniffer A software program or hardware appliance
that can intercept, copy, and interpret network traffic. Also
known as a network protocol analyzer.
padded cell system A protected honeypot that cannot be
easily compromised.
parallel operations The conversion strategy that involves
running the new system concurrently with the old system.
partially distributed IDPS control strategy An IDPS imple-
mentation approach that combines the best aspects of the
centralized and fully distributed strategies.
passive mode An IDPS sensor setting in which the device
simply monitors and analyzes observed network traffic.
passive vulnerability scanner A scanner that listens in on a
network and identifies vulnerable versions of both server and
client software.
passphrase An authentication component that consists of an
expression known only to the user, from which a virtual
password is derived. See also virtual password.
password An authentication component that consists of a
private word or combination of characters that only the user
should know.
pen register An application that records information about
outbound communications.
668 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
penetration tester An information security professional with
authorization to attempt to gain system access in an effort to
identify and recommend resolutions for vulnerabilities in
those systems.
penetration testing A set of security tests and evaluations
that simulate attacks by a hacker or other malicious external
source.
performance gap The difference between an organization’s
observed and desired performance.
permutation cipher See transposition cipher.
personally identifiable information (PII) Information about
a person’s history, background, and attributes that can be used
to commit identity theft. This information typically includes a
person’s name, address, Social Security number, family infor-
mation, employment history, and financial information.
pharming The redirection of legitimate user Web traffic to
illegitimate Web sites with the intent to collect personal
information.
phased implementation The conversion strategy that
involves a measured rollout of the planned system; only part
of the system is brought out and disseminated across an
organization before the next piece is implemented.
phishing A form of social engineering in which the attacker
provides what appears to be a legitimate communication
(usually e-mail), but it contains hidden or embedded code
that redirects the reply to a third-party site in an effort to
extract personal or confidential information.
photoelectric sensor A fire detection sensor that works by
projecting an infrared beam across an area. If the beam is
interrupted, presumably by smoke, the alarm or suppression
system is activated.
phreaker A hacker who manipulates the public telephone
system to make free calls or disrupt services.
physical security The protection of physical items, objects,
or areas from unauthorized access and misuse.
pilot implementation The conversion strategy that involves
implementing the entire system into a single office, depart-
ment, or division, and dealing with issues that arise before
expanding to the rest of the organization.
plaintext or cleartext The original unencrypted message, or
a message that has been successfully decrypted.
planning and risk assessment domain The component of
the maintenance model that focuses on identifying and plan-
ning ongoing information security activities and identifying
and managing risks introduced through IT information secu-
rity projects.
platform security validation (PSV) An assessment approach
designed to find and document vulnerabilities that may be
present because misconfigured systems are used within the
organization.
plenum A space between the ceiling in one level of a com-
mercial building and the floor of the level above. The plenum
is used for air return.
policy A set of principles or courses of action from an orga-
nization’s senior management intended to guide decisions,
actions, and duties of constituents.
policy administrator An employee responsible for the crea-
tion, revision, distribution, and storage of a policy in an
organization.
political feasibility An assessment of which controls can and
cannot occur based on the consensus and relationships
among communities of interest.
polyalphabetic substitution A substitution cipher that
incorporates two or more alphabets in the encryption
process.
polymorphic threat Malware (a virus or worm) that over
time changes the way it appears to antivirus software pro-
grams, making it undetectable by techniques that look for
preconfigured signatures.
Port Address Translation (PAT) A method of mapping a sin-
gle valid external IP address to special ranges of nonroutable
internal IP addresses, known as private addresses, on a one-
to-many basis, using port addresses to facilitate the mapping.
port scanners Tools used both by attackers and defenders to
identify or fingerprint active computers on a network, the
active ports and services on those computers, the functions
and roles of the machines, and other useful information. Port
scanners are also known as port scanning utilities.
possession An attribute of information that describes how
the data’s ownership or control is legitimate or authorized.
practices Within the context of information security, exem-
plary actions that an organization identifies as ideal and seeks
to emulate. These actions are typically employed by other
organizations.
pre-action system A fire suppression sprinkler system that
employs a two-phase response to a fire. When a fire is
detected anywhere in the facility, the system will first flood all
pipes, then activate only the sprinkler heads in the area of the
fire.
predecessors Tasks or action steps that come before the
specific task at hand.
pretexting A form of social engineering in which the
attacker pretends to be an authority figure who needs infor-
mation to confirm the target’s identity, but the real object is
to trick the target into revealing confidential information.
Pretexting is commonly performed by telephone.
Glossary 669
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
privacy In the context of information security, the right of
individuals or groups to protect themselves and their infor-
mation from unauthorized access, providing confidentiality.
Privacy-Enhanced Mail (PEM) A standard proposed by the
Internet Engineering Task Force (IETF) that uses 3DES sym-
metric key encryption and RSA for key exchanges and digital
signatures.
private-key encryption or symmetric encryption An
encryption method that incorporates mathematical opera-
tions involving the same secret key both to encipher and
decipher the message.
private law Law that encompasses family law, commercial
law, and labor law, and regulates the relationship between
individuals and organizations.
privilege escalation The unauthorized modification of an
authorized or unauthorized system user account to gain
advanced access and control over system resources.
procedures Within the context of information security, a set
of steps an organization’s stakeholders must follow to per-
form a specified action or accomplish a defined task.
process-based measures Performance measures or metrics
based on intangible activities.
professional hacker A hacker who conducts attacks for per-
sonal financial benefit or for a crime organization or foreign
government. Not to be confused with a penetration tester.
project plan The documented instructions for participants
and stakeholders of a project that provide details on goals,
objectives, tasks, scheduling, and resource management.
project scope A description of a project’s features, capabili-
ties, functions, and quality level, used as the basis of a project
plan.
project team A small functional team of people who are expe-
rienced in one or multiple facets of the required technical and
nontechnical areas for the project to which they are assigned.
project wrap-up A process of bringing a project to a conclu-
sion, addressing any pending issues and the overall project
effort, and identifying ways to improve the process in the
future.
projectitis A situation in project planning in which the proj-
ect manager spends more time documenting project tasks,
collecting performance measurements, recording project task
information, and updating project completion forecasts in the
project management software than accomplishing meaningful
project work.
protection profile or security posture The entire set of
controls and safeguards, including policy, education, training
and awareness, and technology, that the organization imple-
ments to protect the asset.
protocol stack verification The process of examining and
verifying network traffic for invalid data packets—that is,
packets that are malformed under the rules of the TCP/IP
protocol.
proximity reader An electronic signal receiver used with an
electromechanical lock that allows users to place their cards
within the reader’s range and release the locking mechanism.
proxy server A server or firewall device capable of serving as
an intermediary by retrieving information from one network
segment and providing it to a requesting user on another.
public-key encryption See asymmetric encryption.
public key infrastructure (PKI) An integrated system of soft-
ware, encryption methodologies, protocols, legal agreements,
and third-party services that enables users to communicate
securely through the use of digital certificates.
public law Law that regulates the structure and administra-
tion of government agencies and their relationships with citi-
zens, employees, and other governments. Public law includes
criminal, administrative, and constitutional law.
qualitative assessment An asset valuation approach that
uses categorical or non-numeric values rather than absolute
numerical measures.
quantitative assessment An asset valuation approach that
attempts to assign absolute numerical measures.
rainbow table A table of hash values and their correspond-
ing plaintext values that can be used to look up password
values if an attacker is able to steal a system’s encrypted
password file.
rate-of-rise sensor A fire detection sensor that works by
detecting an unusually rapid increase in the area temperature
within a relatively short period of time.
recovery point objective (RPO) The point in time prior to a
disruption or system outage to which mission/business pro-
cess data can be recovered after an outage (given the most
recent backup copy of the data).
recovery time objective (RTO) The maximum amount of
time that a system resource can remain unavailable before
there is an unacceptable impact on other system resources,
supported mission/business processes, and the MTD.
redundancy Multiple types of technology that prevent the
failure of one system from compromising the security of
information.
redundant array of independent disks (RAID) A system of
drives that stores information across multiple units to spread
out data and minimize the impact of a single drive failure.
reference monitor The piece of the system that mediates all
access to objects by subjects.
670 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
registration authority (RA) In PKI, a third party that oper-
ates under the trusted collaboration of the certificate author-
ity and handles day-to-day certification functions.
remediation The processes of removing or repairing flaws in
information assets that cause a vulnerability or removing the
risk associated with the vulnerability.
Remote Authentication Dial-In User Service (RADIUS)
A computer connection system that centralizes the manage-
ment of user authentication by placing the responsibility for
authenticating each user on a central authentication server.
remote journaling The transfer of live transactions rather
than archived data to an off-site facility in near-real time.
request for proposal (RFP) A document specifying the
requirements of a project, provided to solicit bids from inter-
nal or external contractors.
residual risk The amount of risk that remains to an infor-
mation asset even after the organization has applied its
desired level of controls.
resources Components required for the completion of a
project, which could include skills, personnel, time, money,
and material.
restitution The legal obligation to compensate an injured
party for wrongs committed.
reverse firewall See content filter.
reverse proxy A proxy server that most commonly retrieves
information from inside an organization and provides it to a
requesting user or system outside the organization.
revision date The date associated with a particular version
or build.
risk The probability of an unwanted occurrence, such as an
adverse event or loss.
risk appetite The amount of risk an organization is willing
to accept.
risk assessment A determination of the extent to which an
organization’s information assets are exposed to risk.
risk control The application of controls that reduce the risks
to an organization’s information assets to an acceptable level.
risk identification The enumeration and documentation of
risks to an organization’s information assets.
risk management The process of identifying risk, assessing
its relative magnitude, and taking steps to reduce it to an
acceptable level.
role-based access control (RBAC) An example of a nondis-
cretionary control where privileges are tied to the role a user
performs in an organization, and are inherited when a user is
assigned to that role. Roles are considered more persistent
than tasks. RBAC is an example of an LDAC.
rooting Escalating privileges to gain administrator-level
control over a computer system (including smartphones).
Typically associated with Android OS smartphones. See
also jailbreaking.
sacrificial host See bastion host.
sag A short-term decrease in electrical power availability.
screened host firewall A single firewall or system designed
to be externally accessible and protected by placement behind
a filtering firewall.
screened subnet An entire network segment that protects
externally accessible systems by placing them in a demilitar-
ized zone behind a filtering firewall and protects the internal
networks by limiting how external connections can gain
access to them.
script kiddie A hacker of limited skill who uses expertly
written software to attack a system. Also known as skids,
skiddies, or script bunnies.
search warrant A document issued by an authorized author-
ity that allows law enforcement agents to search for EM at a
specified location and seize specific items for official
examination.
secret key A key that can be used in symmetric encryption
both to encipher and decipher the message.
Secure Electronic Transactions (SET) A protocol developed
by credit card companies to protect against electronic pay-
ment fraud.
secure facility A physical location that has controls in place
to minimize the risk of attacks from physical threats.
Secure Hash Standard (SHS) A standard issued by the
National Institute of Standards and Technology (NIST)
that specifies secure algorithms, such as SHA-1, for
computing a condensed representation of a message or
data file.
Secure HTTP (S-HTTP) An extended version of Hypertext
Transfer Protocol that provides for the encryption of pro-
tected Web pages transmitted via the Internet between a client
and server.
Secure Multipurpose Internet Mail Extensions (S/MIME)
A security protocol that builds on the encoding format
of the Multipurpose Internet Mail Extensions (MIME)
protocol and uses digital signatures based on public-key
cryptosystems to secure e-mail.
Secure Sockets Layer (SSL) A security protocol developed by
Netscape to use public-key encryption to secure a channel
over the Internet.
secure VPN A VPN implementation that uses security proto-
cols to encrypt traffic transmitted across unsecured public
networks.
Glossary 671
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
security A state of being secure and free from danger or
harm. Also, the actions taken to make someone or something
secure.
security clearance A component of a data classification
scheme that assigns a status level to employees to designate
the maximum level of classified data they may access.
security domain An area of trust within which information
assets share the same level of protection. Each trusted net-
work within an organization is a security domain. Commu-
nication between security domains requires evaluation of
communications traffic.
security education, training, and awareness (SETA) A
managerial program designed to improve the security of
information assets by providing targeted knowledge, skills,
and guidance for organizations.
security perimeter The boundary between an organization’s
security efforts and the outside world or untrusted network
areas.
security systems development life cycle (SecSDLC) A
methodology for the design and implementation of security
systems based on the systems development life cycle. The two
life cycles contain the same general phases.
separation of duties The principle that the completion of a
significant task involving sensitive information requires at
least two people.
sequential roster An alert roster in which a single contact
person calls each person on the roster.
server fault tolerance A level of redundancy provided by
mirroring entire servers called redundant servers.
service bureau An agency that provides physical facilities in
a disaster for a fee.
service level agreement (SLA) A document or part of a
document that specifies the expected level of service from a
service provider. An SLA usually contains provisions for
minimum acceptable availability and penalties or remediation
procedures for downtime.
session hijacking See TCP hijacking.
session keys Limited-use symmetric keys for temporary
communications during an online session.
shoulder surfing The direct, covert observation of individual
information or system use.
signals intelligence The collection, analysis, and distribution
of information from foreign communications networks for
intelligence and counterintelligence purposes and in support
of military operations. In recent years, the debate around the
collection and use of signals intelligence has grappled with the
integration of domestic intelligence gathering.
signature-based detection Also known as knowledge-based
detection or misuse detection, the examination of system or
network data in search of patterns that match known attack
signatures.
signatures Patterns that correspond to a known attack.
single loss expectancy (SLE) In a cost-benefit analysis, the
calculated value associated with the most likely loss from an
attack. The SLE is the product of the asset’s value and the
exposure factor.
site policy The rules and configuration guidelines governing
the implementation and operation of IDPSs within the
organization.
site policy awareness An IDPS’s ability to dynamically
modify its configuration in response to environmental activ-
ity. A so-called dynamic IDPS can adapt its reactions in
response to administrator guidance over time and the local
environment.
smart card An authentication component similar to a dumb
card that contains a computer chip to verify and validate
several pieces of information instead of just a PIN.
smoke detection system A category of fire detection systems
that focuses on detecting the smoke from a fire.
sniffer See packet sniffer.
social engineering The process of using social skills to con-
vince people to reveal access credentials or other valuable
information to an attacker.
software assurance (SA) A methodological approach to the
development of software that seeks to build security into the
development life cycle rather than address it at later stages.
SA attempts to intentionally create software free of vulner-
abilities and provide effective, efficient software that users
can deploy with confidence.
software library A collection of configuration items that is
usually controlled and that developers use to construct revi-
sions and issue new configuration items.
software piracy The unauthorized duplication, installation,
or distribution of copyrighted computer software, which is a
violation of intellectual property.
spam Undesired e-mail, typically commercial advertising
transmitted in bulk.
spear phishing Any highly targeted phishing attack.
spike A short-term increase in electrical power availability,
also known as a swell.
spoofing A technique for gaining unauthorized access to
computers using a forged or modified source IP address to
give the perception that messages are coming from a trusted
host.
672 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
sprinkler system A fire suppression system designed to apply
a liquid, usually water, to all areas in which a fire has been
detected.
spyware Any technology that aids in gathering information
about people or organizations without their knowledge.
standard The normal, targeted, or desired level to which a
behavior or action must be performed.
standby (or offline) UPS An offline battery backup that
detects the interruption of power to equipment and activates
a transfer switch that provides power from batteries through
a DC to AC converter until normal power is restored or the
computer is shut down.
standby ferroresonant UPS A UPS in which the outside power
source directly feeds the internal protected device. The UPS
serves as a battery backup, incorporating a ferroresonant trans-
former instead of a converter switch, providing line filtering and
reducing the effect of some power problems, and reducing noise
that may be present in the power as it is delivered.
state table A tabular database of the state and context of
each packet in a conversation between an internal and exter-
nal user or system. A state table is used to expedite firewall
filtering.
stateful packet inspection (SPI) A firewall type that keeps
track of each network connection between internal and
external systems using a state table and that expedites the
filtering of those communications. Also known as a stateful
inspection firewall.
stateful protocol analysis (SPA) The comparison of vendor-
supplied profiles of protocol use and behavior against
observed data and network patterns in an effort to detect
misuse and attacks.
static electricity An imbalance of electrical charges in the
atmosphere or on the surface of a material, caused by
triboelectrification.
static filtering A firewall type that requires the configuration
rules to be manually created, sequenced, and modified within
the firewall.
steganography A data hiding method that involves embed-
ding messages and information within other files, such as
digital pictures or other images.
storage channel A covert channel that communicates by
modifying a stored object.
strategic plan The documented product of strategic plan-
ning; a plan for the organization’s intended strategic efforts
over the next several years.
strategic planning The actions taken by senior management
to specify the long-term goals and objectives of the organiza-
tion, to plan its future direction, actions, and efforts, and to
estimate and schedule the allocation of resources necessary to
achieve those goals and objectives.
strong authentication In access control, the use of at least
two different authentication mechanisms drawn from two
different factors of authentication.
subject attribute See attribute.
subjects and objects A computer can be either the subject of
an attack—an agent entity used to conduct the attack—or the
object of an attack.
substitution cipher An encryption method in which one
value is substituted for another.
successors Tasks or action steps that come after the specific
task at hand.
sunset clause A component of policy or law that defines an
expected end date for its applicability.
surge A long-term increase in electrical power availability.
synchronous token An authentication component in the
form of a token—a card or key fob that contains a computer
chip and a liquid crystal display and shows a computer-
generated number used to support remote login authentica-
tion. This token must be calibrated with the corresponding
software on the central authentication server.
systems development life cycle (SDLC) A methodology for
the design and implementation of an information system. The
SDLC contains different phases depending on the methodol-
ogy deployed, but generally the phases address the investiga-
tion, analysis, design, implementation, and maintenance of an
information system.
systems-specific security policies (SysSPs) Policy
documents designed to bridge the gap between managerial
guidance and technical implementation of a specific
technology.
tactical plan The documented product of tactical planning; a
plan for the organization’s intended tactical efforts over the
next few years.
tactical planning The actions taken by management to spec-
ify the intermediate goals and objectives of the organization
in order to obtain specified strategic goals, followed by esti-
mates and schedules for the allocation of resources necessary
to achieve those goals and objectives.
tailgating The process of gaining unauthorized entry into a
facility by closely following another person through an
entrance and using the credentials of the authorized person to
bypass a control point.
task-based access control (TBAC) An example of a nondis-
cretionary control where privileges are tied to a task a user
performs in an organization and are inherited when a user is
assigned to that task. Tasks are considered more temporary
than roles. TBAC is an example of an LDAC.
task rotation See job rotation.
Glossary 673
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
TCP hijacking A form of man-in-the-middle attack whereby
the attacker inserts himself into TCP/IP-based communica-
tions. TCP/IP is short for Transmission Control Protocol/
Internet Protocol.
technical controls Information security safeguards that
focus on the application of modern technologies, systems,
and processes to protect information assets. These
safeguards include firewalls, virtual private networks,
and IDPSs.
technical feasibility An assessment of whether the organiza-
tion can acquire the technology necessary to implement and
support the proposed control.
technical specifications SysSP A systems-specific security
policy that expresses technical details for the acquisition,
implementation, configuration, and management of a partic-
ular technology, written from a technical perspective.
Typically the policy includes details on configuration rules,
systems policies, and access control.
technology governance A process organizations use to
manage the effects and costs of technology implementation,
innovation, and obsolescence.
telecommuting A work arrangement in which employees
work from an off-site location and connect to an organiza-
tion’s equipment electronically. Also known as telework.
telework See telecommuting.
TEMPEST A U.S. government program designed to protect
computers from electronic remote eavesdropping by reducing
EMR emissions.
termination control strategy The risk control strategy that
eliminates all risk associated with an information asset by
removing it from service.
theft The illegal taking of another’s property, which can be
physical, electronic, or intellectual.
thermal detection system A category of fire detection sys-
tems that focuses on detecting the heat from a fire.
thermal detector An alarm sensor designed to detect a
defined rate of change in the ambient temperature within a
defined space.
threat A potential risk of an asset’s loss of value.
threat agent A person or other entity that may cause a loss
in an asset’s value.
threat assessment An evaluation of the threats to informa-
tion assets, including a determination of their potential to
endanger the organization.
threats-vulnerabilities-assets (TVA) triples A pairing of an
asset with a threat and an identification of vulnerabilities that
exist between the two. This pairing is often expressed in
the format T x V y A z , where there may be one or more
vulnerabilities between Threat X and Asset Z. For example,
T1V1A2 would represent Threat 1 to Vulnerability 1 on
Asset 2.
threats-vulnerabilities-assets (TVA) worksheet A document
that shows a comparative ranking of prioritized assets against
prioritized threats, with an indication of any vulnerabilities in
the asset/threat pairings.
time-share The business continuity strategy that allows an
organization to co-lease a hot, warm, or cold site in conjunc-
tion with one or more business partners or other
organizations.
timing channel A covert channel that transmits information
by managing the relative timing of events.
top-down approach A methodology of establishing security
policies that is initiated by upper management.
transfer control strategy The risk control strategy that
attempts to shift residual risk to other assets, other processes,
or other organizations.
transport mode An IPSec mode in which only the IP data is
encrypted, not the IP headers.
transposition cipher Also known as a permutation cipher,
an encryption method that involves simply rearranging the
values within a block based on an established pattern to cre-
ate the ciphertext.
trap-and-trace An application that uses a combination of
techniques to detect an inbound communication and then
trace it back to its source. The trap usually consists of a
honeypot or padded cell and an alarm.
trap door See back door.
trespass Unauthorized entry into the real or virtual property
of another party.
triboelectrification The exchange of electrons between two
materials when they make contact, resulting in one object
becoming more positively charged and the other more nega-
tively charged.
Trojan horse A malware program that hides its true nature
and reveals its designed behavior only when activated.
true attack stimulus An event that triggers an alarm and
causes an IDPS to react as if a real attack is in progress. The
event may be an actual attack, in which an attacker is
attempting a system compromise, or it may be a drill, in
which security personnel are using hacker tools to test a net-
work segment.
trusted computing base (TCB) According to the TCSEC, the
combination of all hardware, firmware, and software
responsible for enforcing the security policy.
674 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
trusted network The system of networks inside the organi-
zation that contains its information assets and is under the
organization’s control.
trusted VPN Also known as a legacy VPN, a VPN imple-
mentation that uses leased circuits from a service provider
who gives contractual assurance that no one else is allowed to
use these circuits and that they are properly maintained and
protected.
tuning The process of adjusting an IDPS to maximize its
efficiency in detecting true positives while minimizing false
positives and false negatives.
tunnel mode An IPSec mode in which the entire IP packet is
encrypted and then placed into the content portion of another
IP packet.
two-person control The requirement that two employees
review and approve each other’s work before the task is cat-
egorized as finished.
Unified Threat Management (UTM) A security approach that
seeks a comprehensive solution for identifying and respond-
ing to network-based threats from a variety of sources. UTM
brings together firewall and IDPS technology with antimal-
ware, load balancing, content filtering, and data loss preven-
tion. UTM integrates these tools with management, control,
and reporting functions.
untrusted network The system of networks outside the
organization over which the organization has no control. The
Internet is an example of an untrusted network.
uptime The percentage of time a particular service is avail-
able; the opposite of downtime.
utility An attribute of information that describes how data
has value or usefulness for an end purpose.
Vernam cipher An encryption process that generates a ran-
dom substitution matrix between letters and numbers that is
used only one time. Also called a one-time pad.
version The recorded state of a particular revision of a soft-
ware or hardware configuration item. The version number is
often noted in a specific format, such as “M.N.b.” In this
notation, “M” is the major release number and “N.b” can rep-
resent various minor releases or builds within the major release.
vibration sensor An alarm sensor designed to detect move-
ment of the sensor rather than movement in the environment.
Vigenère cipher An advanced type of substitution cipher that
uses a simple polyalphabetic code.
virtual organization A group of people brought together for
a specific task, usually from different organizations, divisions,
or departments.
virtual password A password composed of a seemingly
meaningless series of characters derived from a passphrase.
virtual private network (VPN) A private and secure network
connection between systems that uses the data communica-
tion capability of an unsecured and public network.
virus A type of malware that is attached to other executable
programs. When activated, it replicates and propagates itself
to multiple systems, spreading by multiple communications
vectors. For example, a virus might send copies of itself to all
users in the infected system’s e-mail program.
virus hoax A message that reports the presence of a nonex-
istent virus or worm and wastes valuable time as employees
share the message.
vulnerability A potential weakness or fault in an asset or its
defensive control system(s) that opens it to attack or damage.
vulnerability assessment (VA) The process of identifying
and documenting specific and provable flaws in the organi-
zation’s information asset environment.
vulnerability assessment and remediation domain The
component of the maintenance model focused on identifying
specific, documented vulnerabilities and remediating them in
a timely fashion.
war dialer An automatic phone-dialing program that dials every
number in a configured range to determine if one of the numbers
belongs to a computer connection such as a dial-up line.
war dialing The use of scripted dialing attacks against a pool
of phone numbers in an effort to identify modem
connections.
war game A type of rehearsal that seeks to realistically sim-
ulate the circumstances needed to thoroughly test a plan.
warm site An exclusive-use contingency strategy in which an
organization leases a redundant facility complete with some
systems, services, and equipment needed to resume operations
with a reasonable delay.
water mist sprinkler A fire suppression sprinkler system that
relies on ultra-fine mists to reduce the ambient temperature
below that needed to sustain a flame.
waterfall model A type of SDLC in which each phase of the
process “flows from” the information gained in the previous
phase, with multiple opportunities to return to previous
phases and make adjustments.
wet-pipe system A fire suppression sprinkler system that
contains pressurized water in all pipes and has some form of
valve in each protected area.
wireless vulnerability assessment An assessment approach
designed to find and document vulnerabilities that may be
present in the organization’s wireless local area networks.
work breakdown structure (WBS) A list of the tasks to be
accomplished in the project, the skill sets or individual
employees needed to perform the tasks, the start and end
Glossary 675
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
dates for tasks, the estimated resources required, and the
dependencies among tasks.
work factor The amount of effort (usually in hours) required
to perform cryptanalysis to decode an encrypted message
when the key, the algorithm, or both are unknown.
work recovery time (WRT) The amount of effort (expressed
as elapsed time) necessary to make the business function
operational after the technology element is recovered (as
identified with RTO). Tasks include testing and validation of
the system.
worm A type of malware that is capable of activation
and replication without being attached to an existing
program.
zombie See bot.
676 Glossary
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Index
Note: Page numbers followed by f and t indicate figures and tables, respectively.
A
AAA (authentication, authorization,
and accountability), 344
acceptance control strategy, 270
acceptance of risk, 638–639
access
defined, 11
improper file, 96
information security vs., 21–22, 22f
remote, 342–346
access control lists (ACLs), 167,
169–170, 298, 300
access control matrix, 167, 169, 301, 305
access controls
accountability, 301, 305
architecture models, 308–315
auditability, 302, 305
authentication, 302–305
authorization, 302, 305
biometrics, 305–308
defined, 298, 299
discretionary, 299
identification, 302
lattice-based, 299, 300
mandatory, 299, 301
matrix, 301, 305
nondiscretionary, 299, 300–301
TACACS, 343–344
accountability, 301, 305
accreditation. See also certifications
vs. certifications, 527
definition, 527
ISO 27001/27002 Systems, 540
NIST security life cycle approach,
527–532
NSTISS, 532–540
accuracy, defined, 14–15
ACLU (American Civil Liberties Union),
16
ACM (Association for Computing
Machinery), 138
acquired value, 275
ACS (annualized cost of a safeguard),
272, 276
active vulnerability scanners, 401, 404,
405
address restrictions, 315, 318–319,
318t
Advanced Encryption Standard (AES),
436–437, 439
Advanced Research Projects Agency
(ARPA), 4–6
advance-fee fraud (AFF), 72, 73–74
adverse events, 191, 192
adware, 80, 81
AES (Advanced Encryption Standard),
436–437, 439
affidavit, 643
after-action review (AAR), 208, 209
aggregate information, 115
Agreement on Trade-Related Aspects of
Intellectual Property Rights
(TRIPS), 128
air-aspirating detector, 480
Aircrack, 408
AirSnare, 408, 409f
alarm clustering/compaction, 358
alarm filtering, 359
alarm systems, 477
ALE (annualized loss expectancy), 272,
276
alert/alarm, 358
algorithm, 422
American Civil Liberties Union (ACLU),
16
American Recovery and Reinvestment
Act of 2009 (ARRA), 118
American Society of International Law,
127
amperage, 490
analysis phase, 26, 27
Andersen, Arthur, 159
Anderson, James, 3, 21
annualized cost of a safeguard (ACS),
272, 276
annualized loss expectancy (ALE), 272,
276
annualized rate of occurrence (ARO),
272, 276
anomaly-based detection, 371, 372
application firewalls, 320–321
application header (AH) protocol, 457
application layer firewall, 320–321
application protocol verification, 362,
364, 365, 375, 399
ARO (annualized rate of occurrence),
272, 276
ARPANET, 4–5
asset exposure, 260
assets, 11, 232, 237–254. See also
information
categorization, 240
inventory, 239–240
prioritization, 249
vulnerabilities, 251, 254, 255t
asset valuation, 244–249
assignees, 509
Association for Computing Machinery
(ACM), 138
asymmetric encryption, 437–440
asynchronous tokens, 302, 303, 304f
attack protocol, 395, 397
attacks. See also threats
back doors, 87
communication interception, 90–91
defined, 12, 49
denial-of-service, 88–89
dictionary attack, 67
direct/indirect, 12
distributed denial-of-service (DDoS),
88
e-mail, 89
hoaxes, 87
mail bombs, 89
maintenance hook, 87
man-in-the-middle, 90, 91
password crack, 66–68
pharming, 90
phishing, 72
social engineering, 72–76
by software, 80–91
spam, 89
spoofing, 15, 90
trap door, 87
677
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
attack success probability, 259–260
attribute-based access control (ABAC),
299, 301
attributes, 299, 300, 301
auditability, 302, 305
auditing, 593
Australian computer security laws,
127–128
Corporations Act 2001, 128
Cybercrime Legislation Amendment
Bill 2011, 128
Privacy Act 1988, 127
Spam Act 2003, 128
Telecommunications Act 1997, 127
authentication, 302–305, 342–346
authentication, authorization, and
accounting (AAA), 344
authentication factors, 302–305
authenticity, defined, 15
authorization, 302, 305
automated response, 212
availability, 11–14
availability disruption, 56
AVG AntiVirus, 82
avoidance of competitive disadvantage,
230, 231
awareness and training, 598
B
back door virus/worm, 87
background check, 575–576
back hack, 393, 394
backup media, 210
backups, 212–214
baseline, 282, 283
baselining, 282–283
basic input/output system (BIOS), 239
bastion host, 326–327, 327–328, 328f
behavioral feasibility, 283, 284
behavior-based detection, 371, 372
Bell Labs, 8
Bell-LaPadula (BLP) confidentiality
model, 312–313
benchmarking, 278–280, 282
best business practices, 278, 280
best practices, 280–282
best practices, firewalls, 332–333
BIA (business impact analysis). See
business impact analysis (BIA)
Biba integrity model, 313
biometric access control, defined, 305
biometric locks, 470, 475
biometrics, 305–308
acceptability of, 308, 309t
authentication technologies, 306
effectiveness of, 307–308, 309t
recognition, 306–307, 307f
signature and voice recognition,
306–307
BIOS (basic input/output system), 239
bit stream cipher, 422
blackout, 57, 58
Blaster worm, 84
block cipher, 422
Bluetooth, 457
book-based cipher, 431–432
boot virus, 80, 82
bottom-up approach, 22, 23, 24f
Brewer-Nash model, 315
brownouts, 57, 58
brute force, 66
brute force attacks, 66
brute force password attack, 66
buffer overruns/overflows, 94–95
build, 596
build list, 596
bull’s-eye model, 520–522
Bureau of the Census, 117
business continuity plan (BC plan), 191,
193
business continuity planning (BCP),
191, 192, 215–218, 270
business impact analysis (BIA), 193,
195, 196, 197–200
mission/business processes, 198–199
recovery criticality, 198–199
recovery priorities for system
resources, 199
resource requirements, 199–200
business partners, 581
business resumption planning (BRP),
191, 193
Business Software Alliance (BSA), 53
C
CA (certificate authority), 442–443
Caesar Cipher, 425
Calce, Michael, 89
Canaday, Rudd, 8
capabilities tables, 168, 169
capital planning and investment control
(CPIC), 598–599
catastrophic failures, 489
CBA (cost-benefit analysis), 273, 274
CCE (Certified Computer Examiner),
570–571
CCM (configuration and change man-
agement), 594
CCRA (Common Criteria Recognition
Agreement), 312
CCT (closed-circuit television), 470, 476
CD Universe, 77
CEM (Common Methodology for
Information Technology Security
Evaluation), 312
centralized IDPS control strategy, 382,
384–385, 384f
CER (crossover error rate), 305, 308
CERT/CC (Computer Emergency
Response Team Coordination
Center), 185
certificate authority (CA), 442–443
certificate revocation list (CRL), 442,
444
certifications
vs. accreditation, 527
Associate of (ISC) 2 , 565
Certified Computer Examiner (CCE),
570–571
Certified Information Security
Manager (CISM), 565
Certified Information Systems
Auditor (CISA), 566
Certified Information Systems
Security Professional (CISSP),
562–563
Certified in Risk and Information
Systems Control (CRISC), 567
Certified in the Governance of Enter-
prise IT (CGEIT), 566–567
Certified Secure Software Lifecycle
Professional (CSSLP), 564–565
Chief Information Security Officer
(CISO), 556–558
Chief Security Officer (CSO),
558–559
CompTIA, 569–570
costs, 571
definition, 527
678 Index
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
EC Council, 568–569
ISO 27001/27002 Systems, 540
NIST security life cycle approach,
527–532
NSTISS, 532–540
SSCP (Systems Security Certified
Practitioner), 564
Certified Computer Examiner (CCE),
570–571
Certified Information Security Manager
(CISM), 565
Certified Information Systems Auditor
(CISA), 566
Certified Information Systems Security
Professional (CISSP), 562–563
Certified in Risk and Information
Systems Control (CRISC), 567
Certified in the Governance of Enter-
prise IT (CGEIT), 566–567
Certified Secure Software Lifecycle
Professional (CSSLP), 564–565
Certified Security Project Manager, 518
CFA Act, 113
CGEIT (Certified in the Governance of
Enterprise IT ), 566–567
chain of custody, 643, 646
chain of evidence, 643, 646
champion, 35
change control, 96
change control method, 522
change management culture, 525
chemical gas emission systems, 480,
486–487
Chief Information Officer (CIO), 23, 35
Chief Information Security Officer
(CISO), 35, 36f, 155–156,
556–558
Chief Security Officer (CSO), 558–559
Chinese wall. See Brewer-Nash model
ChoicePoint, 16
C.I.A. triangle, 10–11, 11f, 231
cipher
bit stream, 422
block, 422
cipher methods
book-based, 431–432
exclusive OR operation, 428–429
hash functions, 432–434
substitution, 423–426
transposition, 426–428
Vernam, 429–431
Vigenère, 425
circuit gateway firewalls, 320
circuit-level gateways, 331
CISA (Certified Information Systems
Auditor), 566
CISM (Certified Information Security
Manager), 565
CISO (Chief Information Security
Officer), 35, 36f, 155–156,
556–558
CISSP (Certified Information Systems
Security Professional), 562–563
civil law, 112
Clark-Wilson integrity model, 313–314
classified data, 243–244
clean agent, 480, 487
clean desk policy, 243
cleartext, 422
Clipper Chip, 115, 116f
clipping level, 371, 372
closed-circuit television (CCT), 470, 476
CM (configuration management), 594
code, 422
Code Red (worms), 83
codes of ethics, 137–139
cold sites, 216, 217
color coding, 369
combination SysSPs, 170–172
command injection, 94, 95
commercial off-the-shelf software
(COTS), 31
Committee on National Security Sys-
tems (CNSS), 10, 17–18, 187
Common Attack Pattern Enumeration
and Classification (CAPEC), 52
Common Criteria, 311–312
Common Criteria Recognition Agree-
ment (CCRA), 312
Common Methodology for Information
Technology Security Evaluation
(CEM), 312
communication interception attacks,
90–91
communications security, 10
communities of interest, 37–38, 233–234
community clouds, 210
competitive advantage, 230, 231
competitive intelligence, 58
Comptroller General, 117
computer crime and security survey, 50
Computer Emergency Response Team/
Coordination Center (CERT/CC),
74, 185
computer forensics, 208, 209
Computer Fraud and Abuse Act of 1986
(CFA Act), 113, 119t
computer rooms, 477–478
physical and environmental controls,
478
computer security, defined, 3
ComputerSecurityActof1987(CSAAct),
114, 119t
Computer Security Institute (CSI), 50
survey of types of attack or misuse, 51t
computer viruses/worms, 16, 81–82
COMSEC (communications security),
242
confidence value, 359
confidentiality, 15, 241–243
configuration, 594
configuration and change management
(CCM), 594, 610–614
configuration item, 594
configuration management (CM), 594
configuration rule policies, 168, 170
Congress, 114, 117, 122, 123
Consensus Roadmap for Defeating
Distributed Denial of Service
Attacks, 89
consolidated contingency plan, 219–220
consultants, 581
contact and weight sensor, 471, 477
content filters, 341–342
contingency/continuity planning
business continuity (BC) planning,
215–218
business impact analysis (BIA), 193,
195, 196, 197–200
components of, 193f
consolidated, 219–220
contingency planning management
team (CPMT), 192, 193,
195–199
incident response planning (IRP),
192
major steps in, 195f
overview, 191–196
timeline, 194f
contingency plan, 191, 192
Index 679
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
contingency planning (CP)
business impact analysis (BIA),
197–200
defined, 191, 192
incident response planning,
200–212
information technology, 602
policy, 196–197
contingency planning management team
(CPMT), 192, 193, 195–199
contract employees, 580–581
Controlling the Assault of Non-Solicited
Pornography and Marketing Act of
2003 (CAN-SPAM Act), 120t
control performance baselines and
metrics, 601–602
controls. See also access controls; risk
control strategies
defined, 12
levels of, 187
control strength (CS), 264
Convention on Cybercrime, 128
conversion strategies, 518–520
copyright law, 124
copyright protection, 53
corporate governance, 156
corporate resource misuse, 132
cost avoidance, 272, 274
cost-benefit analysis (CBA), 273, 274
Council of Europe Convention on
Cybercrime, 128
countermeasures, 12, 268
covert channel, 308, 310
CPIC (capital planning and investment
control), 598–599
CPMT (contingency planning manage-
ment team), 192, 193, 195–199
cracker, 64, 65
cracking, 66
credit reporting agencies, 117
criminal law, 112
CRISC (Certified in Risk and Informa-
tion Systems Control), 567
crisis management, 218–219
critical security control, 523–525
CRL (certificate revocation list), 442
crossover error rate (CER), 305, 308
cross-site scripting (XSS), 94, 95
cryptanalysis, 418–419
cryptogram, 422
cryptographic notation, 434
cryptography
algorithms, 434–442
cipher methods, 422–434
definition, 418
foundations of, 419–422
history of, 419–421
tools for, 442–461
cryptology, 418–419
cryptotext, 422
CSI (Computer Security Institute), 50
CSO (Chief Security Officer), 558–559
CSSLP (Certified Secure Software Life-
cycle Professional), 564–565
cultural differences, 129–130
cultural mores, 110, 111
customer information, 115
cyberactivist, 78
cyberactivist operations, 78
cyberterrorism, 78–79
cyberwarfare, 78, 80
D
damage assessment, 208–209
Dan-0411 flag erratum, 92
data
classification and management,
241–244, 244f
collection, 361
custodians, 37
in information systems, 20
owners, 37
responsibilities, 37
risk management and, 240
storage, 211, 218
users, 37
Database Right, 129
database security, 47, 48
database shadowing, 216, 218
data classification and management,
241–244
data classification scheme, 241
data collection, 361
data collection and management, 619
Data Encryption Standard (DES), 435
data interception, 493–495
data security, 47, 48
data sources, 615–618
decipher, 422
deep packet inspection, 372
de facto standards, 158, 160
defense control strategy, 268
defense in depth, 185, 187, 188f
de jure standards, 158, 160
delayed failures, 489
deliverable, 508–509
delta conversion online UPS, 489, 492
deluge system, 480, 483
demilitarizedzones(DMZs),320,329–331
denial-of-service (DoS) attacks, 88–89,
364, 368
Department of Defense (DoD), 4, 6, 9,
30, 242
Department of Homeland Security
(DHS), 30, 113, 139–142
DES (Data Encryption Standard), 435
detecting differences, 621
DHCP (Dynamic Host Configuration
Protocol), 238
Diameter protocol, 344
dictionary attacks, 67
dictionary password attack, 66, 67
difference analysis
definition, 619
types of, 622t
differential backups, 208, 211
Diffie-Hellman key exchange, 448–449
Digati, Anthony, 77
digital certificates, 442, 446–448
digital forensics, 641–650
digital malfeasance, 641
Digital Millennium Copyright Act
(DMCA), 119t, 129
digital signatures, 444–446
Digital Signature Standard (DSS),
444–446
direct changeover strategy, 518–519
direct/indirect attacks, 12
Directive 95/46/EC, 129
direct observation method, 493–494
disaster recovery (DR)
mitigation and, 270
overview, 214–215
plan, 192
recovery operations, 215
disaster recovery planning (DRP), 192
disasters, 192
680 Index
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
discretionary access controls (DACs), 299
disk duplexing, 212, 213
disk mirroring, 212, 213
disk striping, 212
distinguished name (DN), 448
distributed denial-of-service (DDoS)
attacks, 79, 88–89, 364, 368
DMZs (demilitarized zones), 320,
329–331
DN (distinguished name), 448
DoD (Department of Defense), 4, 6, 9,
30, 242
dogs, 473
Domain Name System (DNS), 79, 98,
333
Domain Name System (DNS) cache
poisoning, 90
doorknob rattling, 360
double conversion online UPS, 489, 492
downtime, 56, 57
dry-pipe system, 480, 483
DSS(DigitalSignatureStandard),444–446
due care, 111
due diligence, 111, 279
dumb cards, 302, 303
dumpster diving, 243, 244
dust contamination, 70
dynamic filtering, 315, 319
Dynamic Host Configuration Protocol
(DHCP), 238
E
earthquakes, 68, 69
ECMA (European Computer Manufac-
turers Association), 345–346
Economic Espionage Act of 1996
(EEA), 119t, 123
education programs, 189
EF (exposure factor), 273, 275
EISP (enterprise information security
policy), 163–164, 164t
electromagnetic interception, 494
electromagnetic radiation (EMR),
493–494
electromechanical locks, 471, 474–475
Electronic Communications Privacy Act
of 1986 (ECPA), 117, 119t
Electronic Frontier Foundation (EFF),
436, 451
electronic monitoring, 476–477
electronic push-button locks, 475
electronic vaulting, 216, 218
electrostatic discharge (ESD), 70, 488
Eli Lilly and Co., 16
Elmusharaf, Mudawi Mukhtar, 79
EM (evidentiary material), 641
e-mail attacks, 89
e-mail spoofing, 15
employees, 240. See also personnel
contract, 580–581
temporary, 580
employment contracts, 576
employment policies and practices,
573–579
EMR (electromagnetic radiation),
493–494
encapsulating security payload (ESP)
protocol, 457, 459
encapsulation, 347
encipher, 422
encryption
asymmetric, 437–440
key size, 440–442
private-key, 435
public-key, 437
symmetric, 435–437
VPNs and, 347
end-user license agreement (EULA), 53
end users, 36
Enron, 159
enterprise information security policy
(EISP), 163–164, 164t
enticement, 393, 395
entrapment, 393, 395
equipment policies, 166–167
ESD (electrostatic discharge), 488
espionage/trespass, 58–59, 122–123
estimated capital expenses, 511
estimated noncapital expenses, 511
Ethernet, 5
ethical hacking, 630–632
ethical issues
causes of unethical and illegal behav-
ior, 136–137
codes of ethics, 137–139
cultural differences, 129–130
education and, 135
scenarios, 133–135
ten commandments of, 130
ethics, defined, 110, 111
European Computer Manufacturers
Association (ECMA), 345–346
evasion, 359
events, 192
evidentiary procedures, 649–650
evidence, defined, 208, 209. See also
evidentiary material
evidence search and seizure, 647–648
evidentiary material (EM)
definition, 641
handling, 646
reporting, 649
exclusive OR operation (XOR), 428–429
exit interview, 577–578
expert hackers, 59, 60
exploits, defined, 13, 49
Export Administration Act (1979), 123
export and espionage laws, 122–123
exposure, defined, 13
exposure factor (EF), 273, 275
Express Scripts, Inc., 77
external intelligence sources, 617t–618t
external monitoring, 614–619
external monitoring domain, 614–615
extranet, 326, 331
F
facilities management, 470
facility systems, maintenance, 493
Factor Analysis of Information Risk
(FAIR) methodology, 263–267
fail-safe lock, 471, 475
fail-secure lock, 471, 475
FAIR (Factor Analysis of Information
Risk) methodology, 263–267
false accept rate, 306, 308
false attack stimulus, 359
false negative/positive, 359
false reject rate, 306, 307
FASP (Federal Agency Security Practices),
280
fault, 57, 58
FCO (field change order) numbers, 239
feasibility studies, 283–285
Federal Agency Security Practices (FASP),
280
Federal Bureau of Investigation (FBI),
142–144
Index 681
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Federal Communications Commission
(FCC), 56
Federal courts, 117
Federal Privacy Act of 1974 (FPA), 117,
119t
fencing, 472
field change order (FCO) numbers, 239
file corruption, 17
file hashing, 16
file transfer protocol (FTP) servers, 329
filtration, 488
financial considerations, 512–513
financial reporting laws, 124
Financial Services Modernization Act. See
Gramm-Leach-Bliley Act (GLB Act)
fingerprinting, 360, 395, 399
fire detection systems, 481–482
fires, 68, 69
fire security and safety, 479–487
fire suppression systems, 480, 482–486
Firewalk, 400
firewalls
analysis tools, 400–401
application, 320–321
bastion host, 327–328, 328f
best practices for, 332–333
configuration, 332
content filters, 341–342
defined, 315, 316
dynamic packet-filtering, 315, 319
HTTP/HTTPS and, 333, 337, 338,
340
hybrid, 321–322, 326–331
MAC layer, 321
packet-filtering, 315, 316–320, 318f
packet-filtering routers, 327
processing modes, 316–322
residential vs. commercial, 322–326
reverse, 341
rules, 333–341
screened host, 328–329, 329f
screened subnet, 329–331, 330f
selecting right, 331
stateful inspection, 315, 319
static, 315, 319
fixed-temperature sensor, 480
flame detector, 480
floods, 68, 69
footprinting, 360, 395, 397
forces of nature, 68–70
Foreign Intelligence Surveillance Act of
1978 (FISA), 113
forensics, 641
format strings, 96
4-1-9 fraud, 73–74
Fourth Amendment, 117
Fraud and Related Activity in Connec-
tion with Access Devices, 119t
Freedom of Information Act (FOIA),
119t, 124
friendly departures, 579
FTP (file transfer protocol) servers, 329
FUD(fear,uncertainly,anddoubt)era,274
full backups, 208, 211
fully distributed IDPS control strategy,
382, 385–386, 385f
G
gap analysis, 515, 516f
gaseous emission systems, 480,
486–487
gates, 472
General Electric (GE), 8
Generally Accepted Security Principles
and Practices for Securing Infor-
mation Technology Systems (SP
800-14), 179
Georgia Computer Systems Protection
Act, 126
GFCI (ground fault circuit interruption),
489–490
GFI LANguard Network Security Scan-
ner (NSS), 403
GIAC (Global Information Assurance
Certification), 137, 138
GIAC Certified Project Manager, 517
Global Information Assurance Certifi-
cation (GIAC), 137, 138
goals, defined, 154
Goodtimes virus, 87
governance, 156–158
Graham-Denning access control model,
314
Gramm-Leach-Bliley Act of 1999 (GLB
Act), 118, 120t
ground fault circuit interruption (GFCI),
489–490
grounding, 490
guards, 472
Guide for Developing Security Plans for
Federal Information Systems (SP
800-18 Rev. 1), 182
guidelines, 158, 160, 160f
H
hacker, 49–50
hackers/hacking, 49–52, 59–66, 394
defined, 59, 60
skills and abilities, 60–61, 64
hacktivist, 78
hardware
asset identification, 238–239
failures/errors, 92–93
FCO numbers, 239
in information systems, 20, 237f, 240
Harrison-Ruzzo-Ullman (HRU) access
control model, 315
hash algorithms, 432
hash functions, 432–434
hash value, 16, 432
healthcare organizations (HCOs), 118
Health Information Technology for
Economic and Clinical Health Act
(HITECH), 118
Health Insurance Portability and
Accountability Act of 1996
(HIPAA), 117–118, 119t
heating, ventilation, and air condition-
ing (HVAC) systems, 487–489
hidden forms, 98–99
hiring issues, 574f
historical perspectives, 3–10
hoaxes, 87
honeynets, 391–392
honeypots, 391–392
host-based IDPSs (HIDPS), 362,
368–371, 389
advantages of, 369–370
disadvantages of, 370–371
hostile departures, 578–579
hot sites, 216–217
hot swap, 212, 214
HPING, 401
HTTP/HTTPS, 333
human error/failure, 71–76
humidity, 488
hurricanes, 70
hybrid cryptography systems, 448–449
682 Index
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
hybrid firewalls, 321–322
hybrid VPNs, 347
HyperText Markup Language (HTML),
81
I
IAD (Information Assurance Director-
ate), 146
ICMP (Internet Control Message Pro-
tocol), 333, 336, 337
identification, 302
identification (ID) card, 471, 473
identity theft, 121–122
Identity Theft and Assumption Deter-
rence Act, 120t
idle scanning, 400
IDPSs (intrusion detection and preven-
tion systems), 620–621
IDSs (intrusion detection systems),
357–358. See also intrusion detec-
tion and prevention systems
IEC (International Electrotechnical
Commission), 175
illicit use, 132
immediate failures, 489
implementation of information security
bull’s-eye model, 520–522
certifications and accreditation,
527–540
change control method, 522
change management, 525
conversion strategies, 518–520
financial considerations, 512–513
nontechnical aspects, 525–526
organizational feasibility considera-
tions, 514
outsourcing, 522
overview, 22–23
priority considerations, 513
procurement considerations, 514
project management, 508–518
project plan, 507
project scope, 512
staffing considerations, 513–514
supervised, 515
technical aspects, 518–525
time and schedule considerations, 513
training and indoctrination consid-
erations, 514
implementation phase, 26, 28
incident response (IR), 606–610
automated response, 212
backup media, 210
contingency/continuity planning and,
192, 200–212
damage assessment, 208–209
format and content, 201
incident candidate, 203
incident classification, 203
incident detection, 203–206
incident indicators, 203–206
incident planning, 201
incident reaction, 206–208
incident recovery, 209–210
mitigate control strategy and, 270
online and cloud backup, 210
plan, 201–203
policy, 200–201
prioritization of efforts, 208
storage, 201–202
system backups, 212–214
testing, 202–203
incident candidate, 203
incident classification, 203
incident damage assessment, 208–209