Cole bindex.tex V3 - 07/28/2009 6:40pm Page 849

Numbers
3G (third generation) cellular technologies, 507
4G (fourth-generation) mobile devices, 464–468
802.11. See IEEE 802.11
802.11i, 496–503
802.1X, 491–492

A
A records, 361
academic technologies/ideas, 155–158
acceptability, 101
access
  of attackers exploiting systems, 790–793
  controlling. See access control
  future planning of, 846–847
  in penetration testing, 785–786
  in Windows security, 179
access control
  administrative, 113–114
  audit trails and, 114
  authentication in, 115–121
  biometrics for, 116–117
  centralized, 115
  Challenge Handshake Authentication Protocol for, 125
  to data, 123, 798
  to databases, 121–123
  decentralized, 115
  detective, 114–115
  discretionary, 110–111
  identification in, 115–121
  implementation types for, generally, 112
  intrusion detection systems for, 114
  Kerberos for, 118–121
  KryptoKnight for, 121
  mandatory, 111
  models for, generally, 109–110
  non-discretionary, 112
  passwords for, 116, 125
  physical, 115
  preventive, 113–114
  RADIUS for, 124
  remote access in, 123–125
  for server security, 415
  SESAME for, 121
  Single Sign-On for, 117–121
  summary of, 125
  TACACS and TACACS+, 124
  technical, 113–114
  violations reports in, 114
account harvesting, 315–316
accountability, 37
accounts for e-mails. See e-mail security
accreditation. See also security assurance evaluation mechanisms
  certification and, 44–45
  defined, 757
  DIACAP for, 756–757, 760–763
  NIACAP for, 756–759
  overview of, 756–757, 763
acquisition phase, 56–58
acquisitions, 735–736
active attacks, 13–14, 40
active reconnaissance, 789–790
active response devices, 565–567
ActiveX, 278, 306–309
ad hoc mode, 479
ad support, 200–201
address autoconfiguration, 446–447
Address Resolution Protocol (ARP). See ARP (Address Resolution Protocol)
addressees, 331
administrative security controls
  access control, 113–114
  facility planning in, 102
  facility security management in, 103
  information system security management in, 102
  of personnel, 102
administrator accounts, 184–185
advanced blocking techniques, 253, 548
Advanced Encryption Standard (AES), 496–500, 595

849 COPYRIGHTED MATERIAL
advanced settings for Internet Explorer, 285–286
advisory policies, 75
adware, 802
AES (Advanced Encryption Standard), 496–500, 595
Aircrack, 501
aircraft systems, 83–85
AirSnort, 501
ALE (annual loss expectancy), 70–71
algorithmic-based steganography, 647
algorithms. See cryptography
ALIGN, 307
“All People Seem To Need Data Processing”, 432
America On Line (AOL), 378–379
AMPS (Advanced Mobile Phone System),

  installing securely. See applications installation security
  in server security, 417–421
  testing questionable, 194
  upgrades for, 192–193
  versions of, 350
  in Web security, 310
applications installation security
  antivirus protection for, 171–173
  personal firewalls for, 173–174
  Pretty Good Privacy and, 175
  secure FTP and, 175
  Secure Shell and, 174
APTools, 502
architecture
  of Domain Name System, 388–389
  in e-mail security, 350–351
  of networks. See network architecture
  in risk management, 27
  of system security, 46
  workstations in, 176–177
ARP (Address Resolution Protocol)
  introduction to, 438
  in network architecture, 517–518
  spoofing, 332–334
arpwatch, 228
ASP (Appletalk Session Protocol), 435
Assess Information Protection, 48–51
assessment
  National Institute of Standards and Technology guidelines for, 756–757, 765–770
  of network security, 404
  of risk. See risk assessment
  in risk management, 27–31
  of security. See security assurance evaluation mechanisms
association in wireless communications, 479
assurance of security. See security assurance evaluation mechanisms
asymmetric encryption
  certificate authorities in, 598
  introduction to, 597–598
  primitives in cryptography, 597–599
  web of trust in, 598–599
ATAs (analog telephone adaptors), 450
atd service, 228
attachments to e-mails, 351
attack phase of pen testing, 785–786
attackers exploiting systems. See also attacks

  in configuration management, 89
  introduction to, 772
  passwords, 823
  process of, 773
  for server security, 416
  standards for, 772–773
  for Windows security, 197
Authenticated Post Office Protocol (APOP), 346–347
authentication
  in access control, 115–121
  browser protocols and, 262–263
  for cryptography, 575–576
  in e-mail security, 345
  of e-mails, 345
  enhancing, 265
  firewalls and, 531
  in information system security, 36
  integrating as security component, 823
  MAC layer for, 479
  mistakes to avoid in, 815
  primitives in cryptography for, 602–603
  in Public Key Infrastructure, 689
  in securing information technology, 54
  in WAP security layer, 505

  as data protection, 799
  in e-mail security, 351
  in integration of security components, 828–829
  policies for, 29
  sites, 95–97
  systems, 414–415
  in UNIX/Linux security, 216
  in Windows security, 191
base practices, 752
base transceiver stations (BTSs), 462
baselines for security, 75–77
bastion hosts, 386
Bayesian logic, 337–338
behavior-based anomaly detection, 565
best practices for security

  advanced techniques for, 548
  firewalls for, 253, 543–545
  generic exploit, 154
  incoming traffic, 248–250, 543–545
  IP addresses, 556
  logging in, 546–547
  outgoing traffic, 250–251, 545–546
  port, 162–163
Bluetooth, 503–504
boot loader passwords, 213
bootable CDs and USB drives, 172
booting, 212–213
boundlessness of Internet, 12
bra-kets, 617
breaches of security, 10–11. See also attacks
bridges, 514
broadband wireless, 506–507
browser security. See Web browser security
brute-force attacks, 576–577
bsd-airtools, 501
Btscanner, 502
BTSs (base transceiver stations), 462
buffer overflow exploit prevention, 155
Bush, Dr. Vannevar, 297
business continuity planning
  approval of plan in, 93–94
  business impact assessments in, 92–93
  development of plan in, 93
  goals of, 91
  implementation in, 93–94
  overview of, 90
  roles and responsibilities in, 94
  scope and plan initiation of, 92
business impact assessments, 92–93, 401
business systems, 30
business workstations, 170

C
C and C++ languages, 406
C&A (certification and accreditation), 44–45. See

certification. See also security assurance evaluation mechanisms
  accreditation and, 44–45
  defined, 759
  DIACAP for, 756–757, 760–763
  DITSCAP for, 758–760
  documentation support, 761
  introduction to, 763
  NIACAP for, 756–759
  overview of, 756–757

  ActiveX and, 306–309
  HTTP and, 304
  Java and, 304–309
  JavaScript and, 303–304
  permissions in, 305–306
  sandboxes for security of, 304–305
  Web security and, 303–309
client key exchange, 701
client risk, 255–259. See also Web browser security
client/server model of HTTP, 298–299
Clinton, President William, 576
clipping levels, 774
closed-box penetration testing, 772
closed-circuit televisions, 99
close-in attacks, 40

Coordination Center (CERT/CC). See CERT/CC (Community Emergency Response Teams/Coordination Center)
company sensitive data, 186
compliance, 799
compression, 296
computationally secure algorithms, 591
computer crime types, 106
computer forensics. See also digital forensics
  defined, 729
  legal issues in, 105
  proactive, 746–748
  traditional, 730
computer incident response teams (CIRT), 708
computer security teams
  CERT/CC, 723–724
  Federal Computer Incident Response Center, 724
  Forum of Incident Response and Security Teams, 725
computer-to-computer calls, 451
confidentiality
  cryptography for, 573–574
  of data, 262, 265
  in e-mail security, 338–339
  in future planning, 839
  in Public Key Infrastructure, 689–690
  in steganography, 641–642

  in access control, 109
  with cryptography, 573
  in information system security, 35–37, 73
  in physical security, 413
  in Windows security, 191–192
configuration
  auditing, 89
  of browsers. See Web browser configurations
  controlling. See configuration control
  identification, 88
  management of. See configuration management
  security controls, 182–184
  security issues, 180–182
  status accounting, 89
configuration control. See also configuration management
  for server security, 402–404, 413–415
  status accounting in, 89
  for UNIX/Linux security, 217–224
Configuration Control Board (CCB), 89, 402–404
configuration items (CIs), 88
configuration management. See also configuration; configuration control
  auditing in, 89
  definitions in, 88
  documentation change control in, 89–90
  for hardening UNIX, 245–246
  identification in, 88
  in integration of security components, 832
  overview of, 87
  primary functions of, 88
  procedures of, 88
  security in, 180–184
  status accounting in, 89
configuration security controls
  digital certificate technology for, 183
  software on workstations in, 183–184
  user accounts on systems, 182–183
content settings for Internet Explorer, 285
content-level inspections, 31
contingency planning, 54, 90
continuity of operations, 90
control analysis, 65
control categories, 69–70
control recommendations, 68
controlling
  configurations. See configuration control
  operations in packet inspection methods, 560–561
  processes in UNIX security. See controlling processes in UNIX security
  users, 237–243
controlling processes in UNIX security
  chkconfig commands in, 235–236
  init process in, 233–234
  netstat commands in, 230–232
  nmap commands in, 232–233
  overview of, 225
  processes controlling processes in, 233–237
  ps commands in, 230
  service commands in, 236–237
  service detection in, 230–233
  services for special purposes in, 228–230
  services to avoid for, 225–226
  services to use for, 226–228
  xinetd process in, 234–235
convenience of browsers, 256
cookies
  browser protocols and, 264
  cross-site scripting and, 407
  data handling practices in, 185
  domain of, 311
  encryption and, 410
  expiration of, 311
  Internet Explorer settings for, 284–285
  Netscape and, 281
  path for, 311
  security of, 312
  storing, 312–313
  in Web browser and client security, 260–262
  in Web browser configurations, 276–277
  in Web security generally, 310
  in Windows security, 201
  workings of, 310–312

  algorithms for, 578–580, 603–606
  asymmetric encryption in, 597–599
  for authentication, 575–576
  availability issues in, 575
  block ciphers in, 593–595
  brute-force attacks and, 576–577
  building in, 580
  cast introduction in, 590–591
  certificate authorities in, 598
  ciphers in, 576–577, 586–587
  confidentiality, integrity, availability with, 573–574, 602–603
  crackability of, 580–581
  decryption of, 577
  defined, 54, 572
  encryption as, 577
  goals of, 573–576
  hash functions in, 607–608, 617
  for integrity of data, 574–575
  keys, 577
  MD4, MD5 attacks on, 608–613
  for non-repudiation, 576
  plain text in, 577
  primitives in, 587, 605–606
  principles of, 577
  proof of security in, 578
  proprietary algorithms in, 579, 606–607
  pros and cons of, 572–573
  pseudo random number generation, algorithms for, 588–589
  quantum. See quantum cryptography
  random number generators in, 585–586, 587–591
  for secret communications, 571–572
  Secure Socket Layer and, 580
  security of, 581
  SHA, attacks on, 614–616
  sharing keys in, 595–596
  steganography vs., 644–646
  stream ciphers in, 592–593
  sub-goals of, 575–576
  substitution ciphers in, 581–587
  summary of, 628–629
  symmetric encryption in, 591–596
  terms in, 576–577
  two-key encryption in, 597–599
  user input generating numbers for, 589
  Vigenere cipher in, 582–585
  web of trust in, 598–599
  whitening functions in, 589–590
  XOR in, 585–586
ctrl-alt-del pseudofile, 224
cups-lpd, 227
current packet inspection methods, 557–558
current state of security, 11–12
custody, 731–734
customer separation, 145–146
cwd, 224
cyber security
  active attacks in, 13–14
  assessing risk management in, 27–31
  attack types, generally, 12–13
  attacks in, generally, 6–7
  background of, 4–6
  boundlessness of Internet and, 12
  breaches of, 10–11
  changes in, 16–17
  current state of, 11–12
  enterprise security methodologies for, 19–27
  future planning for, 836–837
  interfacing with organizations for, generally, 19
  new approaches to, generally, 9, 15
  overview of, 3–4
  passive attacks in, 14
  principles of, 15–16
  reactive security vs., 6
  risks in, 4
  state of, 3–8
  summary of, 7–8, 17–18, 32
  trends in, 6, 9–16

D
DAA (Designated Approving Authority), 45
DAC (discretionary access control), 110–111
data collection, 212
data confidentiality, 262, 265
data encapsulation, 432
Data Encryption Standard (DES). See DES (Data

data integrity, 331
Data Link layer, 437–438
data normalization, 123
data protection
  access in, 798
  anti-spyware/adware tools for, 802
  antivirus software for, 801–802
  automated tools for, 801–803
  awareness in, 799
  backing up as, 799
  centralized security management consoles for, 803
  client access controls for, 803
  compliance in, 799
  data usage policies for, 798
  encryption for, 798
  endpoint policies for, 804–805
  endpoint security for, 799–805
  hardening for, 798, 800–801
  host-based intrusion detection systems for, 802
  insider threats and, 805–806
  Linux and, 801
  network access control and, 805
  patch management in, 801
  personal firewalls for, 802
  physical security for, 798, 803–804
  remote access and, 805
  sensitive data in, 797
  summary of, 806–807
  user education on, 805
  validation of, 799
  virtual machines and, 805
  vulnerability assessments of, 804
  Windows and, 800
data remanence, 105
data sharing server applications, 417–420
data transfer, 479
data types, 186
data usage policies, 798
data volume, 643
data vulnerabilities, 324
databases

de facto standard of security, 581
decentralized access control, 115
decryption, 577
Defense-in-Depth strategy
  attacks vs., 40
  in information system security principles, 38–41
  in integration of security components, 828
  operations and, 39–40
  overview of, 38
  people and, 39
  in server security, 398
  technology in, 39
definition phase, 757, 759
DELETE requests, 289
demilitarized zones (DMZs), 27, 513
demon-dialing attacks, 136
denial of applications, 28
denial-of-service (DoS) attacks

Department of Defense Regulation 5000.2-R Change 3, 80
Department of Defense Technology Security Certification and Accreditation Process (DITSCAP). See DITSCAP (Department of Defense Technology Security Certification and Accreditation Process)
Designated Approving Authority (DAA), 45
designing server security, 396–413. See also server security
  awareness of need for, 399–400
  business impact assessments in, 401
  code cleanliness in, 406
  Configuration Control Board and, 402–404
  content injection in, 407–409
  cross-site scripting in, 407–408
  data handling in, 405–406
  defense-in-depth principle in, 398
  development environment security for, 402
  development practices for, 405–411
  dynamic scripting in, 409
  encryption in, 409–411
  input validation in, 407
  language choice in, 406
  management and, 402
  network support for, 403–404
  overview of, 396–397
  respect for adversaries in, 399
  risk-based security controls for, 397–398
  screening input for, 409
  simplicity in, 399
  SQL injection in, 408
  stored procedures in, 408
  testing in, 411–413
desktop protections, 29
desktops, 526
despreading, 483
destination IP addresses, 533
detection
  access control and, 114–115
  control of, 69–70
  of hardware changes, 214–215
  of intrusion. See intrusion detection systems
device loss and theft, 141
DHCP (Dynamic Host Configuration Protocol), 518–519
DIACAP (Department of Defense Information Assurance Certification and Accreditation Process)
  certification documentation support in, 761
  challenges of, 762–763
  Implementation Plan of, 761
  introduction to, 756–757, 760
  phases of, 760–762
  Plan of Action and Milestones of, 761
  scorecard of, 761
  System Information Profile in, 761
digital forensics, 729–750
  acquisitions in, 734
  analysis in, 738–740
  chain of evidence in, 731–734
  civil cases in, 745
  computer forensics and, 730
  criminal cases in, 746
  custody in, 731–734
  documentation in, 743–744
  evidence in, 730–731, 744
  forensic duplication in, 736
  full examination in, 741–743
  future research areas for, 748–750
  introduction to, 729–730
  legal closure in, 744–745
  life cycle of, 750
  limited examination in, 740
  live acquisition in, 736–737
  mirror images in, 736
  partial examination in, 740–741
  proactive, 746–748
  storage media for acquisitions, 737
  summary of, 750
  volatile information, 738
Digital Network Architecture Session Control Protocol (DNA SCP), 435
Digital Picture Envelope (DPE), 665–669
digital rights management (DRM)
  background of, 422
  information control, building systems for, 423–426
  information control, challenges of, 422–423
  introduction to, 421–422
digital signatures
  in cryptography, 598
  in e-mail security, 332–334, 339, 355
  in primitives, 599–600
  in Public Key Infrastructure, 690
digital watermarking
  defined, 673–674
  goals of, 676
  invisible, 675
  properties of, 674
  reasons for using, 674
  removing, 676–679
  steganography vs., 676–679
  types of, 675
  uses of, 676–677
  visible, 675

Control Protocol), 435
DNS (Domain Name System). See Domain Name System (DNS)
DNS SEC (Domain Name System security extensions)
  authentication chains in, 391
  implementation of, 392–393
  lookup process in, 391
  overview of, 381–382, 389–391
  pros and cons of, 392
  scalability of, 393
  trust anchors in, 391
Dobbertin, Hans, 610, 613
document writing, 178
documentation, 743–744
documentation change control, 89–90
dogs, 99
domain dimension, 752
domain name, 224
domain name lookups, 513
Domain Name System (DNS)
  in Application layer, 433
  architecture of, 388–389
  attacks on, 384–386
  authentication chains in, 391
  basics of, 358–364
  cache poisoning, 385–388, 392
  designing, 386–387
  enumerating domain names in, 382
  forward lookups in, 366–371
  hijacking, 392
  introduction to, 357
  iterative queries and, 383
  lookup process in, 391
  master-slave relationships in, 388
  misconfiguration of, 379
  name resolution, alternative approaches to, 374–375
  predictable query IDs and, 382–383
  purpose of, generally, 364–366
  records, 360–361
  recursion and, 383–384
  reverse lookups in, 371–374
  security extensions of. See DNS SEC (Domain Name System security extensions)
  security issues with, 377–384
  servers, 781
  setting up, 375–377
  split DNS design for, 386
  split-split DNS design for, 386–387
  spoofing, 385
  summary of, 393
  Transaction Signatures and, 380–381
  trust anchors in, 391
  updating, 414
  vulnerability statistics of, 384
  zone transfers, 379–382, 388
domain records, 360
domains, world-wide, 367–370
DoS (denial-of-service) attacks. See denial-of-service (DoS) attacks
downloading from Internet, 172
downtimes, 92
DPE (Digital Picture Envelope), 665–669
DRM (digital rights management). See digital rights management (DRM)
drop-off directories, 417
DRPs (disaster recovery plans). See disaster recovery

491–492
ease-of-use, 147
Easter eggs, 639
easy-to-obtain operating systems (OSs), 208
eavesdropping
  attacks, 135
  as browser vulnerability, 258
  Web bugs for, 313–314
ECD (electronic code book), 594
Echo, 227, 414
EIRs (equipment identity registers), 463
electricity, 103, 580
electromagnetic spectrum, 459–461
electronic code book (ECD), 594
electronic monitoring, 106–107
Electronic Serial Number (ESN), 462
elevating privileges, 792–793
e-mail
  applications for, 172, 682–685
  attachments to, 827
  copies of, 201
  in network architecture, 526
  protocols for. See e-mail protocols
  security of. See e-mail security
  standard use of, 178
  in Windows security, 170
e-mail protocols
  IMAP, 344–345
  POP/POP3, 343–344
  Simple Mail Transfer Protocol, 340–342
e-mail security
  +OK logged on POP before SMTP, 348
  accounts for e-mails in, 349
  application versions in, 350
  architectural considerations in, 350–351
  attachments, inspecting, 827
  Authenticated Post Office Protocol for, 346–347
  authentication in, 345
  auto-processing in, 323
  availability issues in, 339
  blacklisting, 337
  collaboration tools vs. e-mail, generally, 324–325
  confidentiality in, 338–339
  data integrity in, 331
  data vulnerabilities in, 324
  Generic Security Services Application Programming Interface for, 348
  GNU Privacy Guard for, 354–355
  IMAP, 344–345
  integrity of e-mails in, 339
  Kerberos, 348
  login authentication, 346
  mail client configurations in, 349–350
  malcode attacks in, 325–327
  man-in-the-middle attacks in, 332
  NT LanManager protocol in, 347
  opening e-mails, guidelines for, 349
  operating safely while e-mailing, 348–355
  plain login, 345–346
  POP/POP3, 343–344
  Pretty Good Privacy in, 354–355
  privacy data in, 327–335
  protocols in, 340–345
  replay attacks in, 332–335
  risks requiring, 323
  sacrificial e-mail addresses in, 349
  Simple Mail Transfer Protocol, 340–342
  social engineering in, 323
  spam in, 335–339
  SSH tunnels for, 351–354
  summary of, 334–335, 355
enablement vs. disablement, 814
EnCase, 739–742
encryption
  as cryptography, 577
  for data protection, 798
  in e-mail security, 346–347
  in quantum cryptography, 626–628
  in risk management, 29
  for server security, 409–411
  two-key, 597–599
  in UNIX/Linux security, 243–245
  in Web browser configurations, 281
endpoint security
  anti-spyware/adware tools for, 802
  antivirus software for, 801–802
  automated tools for, 801–803
  centralized security management consoles for, 803
  client access controls for, 803
  for data protection, 799–805
  hardening operating systems for, 800–801
  host-based intrusion detection systems for, 802
  Linux and, 801
  network access control and, 805
  patch management in, 801
  personal firewalls for, 802
  physical security for, 803–804
  policies for, 804–805
  remote access and, 805
  user education on, 805
  virtual machines and, 805
  vulnerability assessments of, 804
  Windows and, 800
Engelbart, Doug, 298
engineering principles, 54–56
enrollment times, 100
enterprise forensics. See digital forensics
enterprise security methodologies
  audits in, 24–27
  business impacts in, 21–22
  controls in, 24
  exploits and, 21
  loss analysis in, 22–23
  mitigation in, 23–24
  overview of, 19–21
  risk assessment in, 22
  risk determination in, 23
  risk management questions, 27–31
  summary of, 32
  threats and, 21
  vulnerability and, 21
equipment identity registers (EIRs), 463
ESN (Electronic Serial Number), 462
espionage attacks, 138–140
essential services only principle, 831–832
ethical hacking, 770. See also penetration testing
evaluation of risk. See risk assessment
evaluation of security, 769. See also security

Finger, 227, 414
fingerprint systems, 101, 781
FIPS (Federal Information Processing Standard), 763–764
fire suppression, 104–105
firewalls
  advanced blocking techniques of, 548
  automated modification of rules for, 539–540
  blocking traffic with, 543–545
  corporate vs. home, 542–543
  disadvantages of, 536–537
  Iptables, 543–548
  logging blocked traffic, 546–547
  multiple entry points of, 538–539
  multiple heterogeneous rulesets for, 540
  overview of, 531–532
  packet-filtering, 533
  packet-filtering and, 532–534
  in penetration testing, 781
  personal, 542–548, 802
  policy conflicts in, 540–542
  proxy, 535–536
  in risk management, 31
  rules of, 537–542
  as security component, 832–833
  in server security, 404
  stateful packet-filtering and, 534–535
  summary of, 548
  tiered architecture of, 537–538, 540–542
  in Windows security, 149
  in workstations, 177
FIRST (Forum of Incident Response and Security Teams), 725
FITSAF (Federal Information Security Assessment Framework), 755–756
FMDA (Frequency Division Multiple Access), 469
forensic duplication, 736
Forensic Tools Kit (FTKs), 739
forensics, 105. See also digital forensics
forgery, 494
formal processes, 37
Forum of Incident Response and Security Teams

476–479, 503
frequency of sine waves, 460
FRRs (false rejection rates), 100
FTKs (Forensic Tools Kits), 739
FTP (File Transfer Protocol). See File Transfer

  access in, 846–847
  availability in, 839
  confidentiality in, 839
  countermeasures in, 841–842
  cyber-security stance in, 836–837
  digital forensics in, 748–750
  failure points of, 844–847
  impact analysis in, 840–841
  integrity in, 839
  mission resilience in, 837–844
  organizational approach to, 835–836
  presentation of analysis results in, 843–844
  probability in, 840
  problems in, 835–837
  qualitative risk analysis in, 842–843
  quantitative risk analysis in, 843
  redundancy in, 845–846
  risk analysis in, 842–844
  risk in, 837–838
  summary of, 847
  threats in, 838–839
  vulnerabilities in, 839–840
  of wireless security, 506

G
G (generations) of wireless technology, 464
games, 171, 178
gateway interaction devices, 566
gateways, 515
general settings for Internet Explorer, 282
generally accepted principles, 53
“Generally Accepted Principles and Practices for

H
H.323 VoIP (Voice over Internet Protocol), 457
handshakes, 265–266
hardening
  end points, 798
  hosts, 145–146, 149
  infrastructure, 798
  testing of, 175
  UNIX. See hardening UNIX
hardening, quick-start
  disabling unneeded services for, 164
  overview of, 160
  passwords in, 163–164
  patches for, 161
  port blocking for, 162–163
  printing files in, 161–162
  removing unneeded components for, 164–165
  security template for, 166
  service packs for, 161
  sharing files in, 161–162
hardening systems
  AUTORUN vs., 167
  file allocation tables in, 167
  file permissions in, 167
  of operating systems, 800–801
  overview of, 166–167
  passwords in, 169–170
  Registry in, 167
  user groups rights in, 168
  user level accounts in, 168–169
hardening UNIX
  advanced blocking techniques, 253
  blocking incoming traffic, 248–250
  blocking outgoing traffic, 250–251
  configuration items for, 245–246
  logging blocked traffic, 251–253
  packet filtering with iptables for, 247–253
  passwords in, 247
  TCP wrapper for, 247

  attacks on, generally, 607–608
  encryption and, 410
  future of, 617
  MD4, attacks on, 608–610
  MD5, attacks on, 610–613
  in number generation, 589
  primitives in cryptography, 600–602
  SHA-1, attacks on, 616
  SHA-0, attacks on, 614–616
HEAD requests, 288
header checksum fields, 448
header condition signatures, 709
header of IPv6 (Internet Protocol version 6), 448
HEIGHT, 307
heuristics, 802
hidden fields, 315
hidden frames, 314
Hide and Seek, 657–659
hijacking attacks
  on browsers, 268–269
  defined, 131
  on workstations, 204
  on zeroconf networks, 524

  client content in, 304
  client/server model of, 298–299
  DELETE requests, 289
  GET method in, 288, 300
  HEAD requests, 288
  HTML and, 300–301
  httpd in, 229
  HTTPS tunneling in, 826
  implementation of, 292–294
  origins of, 297–298
  overview of, 287–289
  persistent connections in, 296–298
  POST requests, 289
  PUT method in, 289, 299–300
  slow starts in, 295–296
  state in Web security, 309
  tunneling, 826
  in Web browser and client security, 259–261
  workings of, 289–292
hubs, 514
humidity, 103
Hyper Text Transfer Protocol (HTTP). See HTTP (Hyper Text Transfer Protocol)
Hypertext Markup Language (HTML), 259, 300–301

I
IATF (Information Assurance Technical Framework), 38–42
IBSS (Independent Basic Service Set), 479
ICMP (Internet Control Message Protocol), 437
ID, 307
ID (intrusion detection). See intrusion detection (ID)
Ideaflood, 365
identification
  in access control, 115–121
  in configuration management, 88
  in information system security, 36
  in securing information technology, 54
  of sensitive data, 797
IDSs (intrusion detection systems). See intrusion detection systems (IDSs)
IEEE 802.11
  deployment of, 482–483
  Extensible Authentication Protocol in, 486–487
  introduction to, 485–486
  key management in, 487
  as LAN/WAN standard, 438–439
  Light Extensible Authentication Protocol in, 487–488
  management of, 482–483
  operational features of, 483–485
  overview of, 480–481
  physical security in, 486
  Protected Extensible Authentication Protocol in, 488
  Transport Layer Security in, 488
  Wired Equivalent Privacy standard for, 486, 489–496
  wireless channels and, 481–482
  wireless security of. See IEEE 802.11
IEEE 802.11i
  AES CCM and, 500
  AES Counter and, 497
  cipher-block chaining and, 497–499
  Initialization Vector in, 500
  overview of, 496–497
  pre-authentication for roaming in, 500
  Pre-Shared Key mode of, 500
  testing tools of, 501–503
IEEE 802.20, 507
IEEE wireless LAN specifications
  MAC layer in, 478–480
  PHY layer in, 478
  for wireless security, 478–480
implementation
  algorithms vs., 578–579
  of HTTP, 292–294
  phase of, 52, 56–57, 59
  of system security, 47–48
  types for, 112
Implementation Plan of DIACAP (DIP), 761
IMPs (Information Management Policies), 44
IMs (instant messages). See instant messages (IMs)
IMSI (International Mobile Subscriber Identity), 462
incident handling
  automated notice and recovery mechanisms for, 726–727
  CERT/CC guidelines for, 717–722, 723–724
  Federal Computer Incident Response Center for, 724
  Forum of Incident Response and Security Teams for, 725
  Internet Engineering Task Force guidelines for, 722
  introduction to, 716–717
  layered security approach to, 723
  security incident notification process in, 725–726
incident response teams
  CERT/CC, 723–724
  Federal Computer Incident Response Center, 724
  Forum of Incident Response and Security Teams, 725
Independent Basic Service Set (IBSS), 479
index of coincidence, 583
information assurance
  Federal Information Security Assessment Framework for, 755–756
  introduction to, 751
  National Security Agency Infosec Assessment Methodology for, 754–755
  Operationally Critical Threat, Asset, and Vulnerability Evaluation for, 755
  Systems Security Engineering Maturity Model for, 751–753
Information Assurance Technical Framework (IATF), 38–42
information control, 422–426
information exchange, 209
information leakage, 379
Information Management Policies (IMPs), 44
Information Protection Policies (IPPs), 44
information system development cycle, 56–59
information system security management
  of administrative security controls, 102
  advisory policies in, 75
  baselines in, 75–77
  biometrics and, 100–102
  business continuity planning in, 90–94
  computer crime types, 106
  configuration management in, 87–90
  of data remanence, 105
  disaster recovery plans in, 90, 95–98
  of electrical power, 103
  electronic monitoring in, 106–107
  environmental issues in, 103–105
  facilities in, 102–103
  of fire suppression, 104–105
  guidelines for, 75–77
  of humidity, 103
  informative policies in, 75
  legal issues in, 105–107
  liability in, 107
  measuring security awareness, 78–79
  of object reuse, 105
  of personnel controls, 102
  physical security controls in, 98–103
  principles of. See information system security principles
  procedures of, 75–77
  program managers in, 79–80
  regulatory policies in, 75
  security awareness in, 77–79
  security policies in, 73
  senior management policy statements in, 74–75
  smart cards in, 100–101
  standards for, 75–77
  statements of work in, 82
  summary of, 107
  systems engineering management plans in, 80–87
  of technical efforts, 79–87
  technical performance measurements in, 85
  of technical security controls, 100
  test and evaluation master plans in, 85–87
  training in security awareness, 78
  U.S. government policies in, 75
  work breakdown structures for, 82–85
information system security principles
  accountability in, 37
  authentication in, 36
  authorization in, 37
  for calculating risk, 70–71
  confidentiality, integrity, availability, 35–37
  Defense-in-Depth strategy in, 38–41
  formal processes and, 37
  identification in, 36
  Information Assurance Technical Framework and, 38–42
  in Information Systems Security Engineering. See Information Systems Security Engineering (ISSE)
  for information technology. See information technology security
  for risk management, 60
  summary of, 71
  systems development life cycle and, 51–59
  systems engineering processes and, 37–38, 41–42
Information Systems Security Engineering (ISSE), 42–51
  architecture of system security in, 46
  Assess Information Protection effectiveness in, 48–51
  designing detailed security in, 46–47
  Discover Information Protection Needs in, 43–45
  implementing system security, 47–48
  overview of, 42
  requirements of system security in, 45–46
information technology security
  common practices for, 53–54
  development cycle in, 56–59
  engineering principles for, 54–56
integration of security components, 809–834
  analysis of log data for, 812
  antivirus software in, 833
  auditing passwords in, 823
  authentication in, 815, 823
  awareness of what is running on systems, 817
  backups in, 828–829
  best security practices in, generally, 819
  binary code in HTTP headers, 826
  budgeting in, 810–811
  code in, 831
  configuration management in, 832
  content inspection in, 826–827
  corporate espionage and, 813–814
  cross-site scripting in, 827
  defense-in-depth principle in, 816, 828
  detection in, 813–814, 817–818, 826
  disaster recovery plans in, 830
  e-mail attachments in, 827
  employee awareness in, 811–812
  enablement vs. disablement in, 814
  essential services only in, 831–832
  false alarms in, 815
  file transfers in, 827
  firewalls in, 832–833
  HTTP in, 826
  infrastructure assessments in, 820–821
  insider threats in, 815
  internal servers and outbound communications in, 820
  intrusion detection systems in, 832–833
  life cycle of security in, 814
  logging in, 825–826
  malicious URLs in, 827
  mistakes to avoid, 814–815
  monitoring outgoing communications in, 826
  naming servers in, 834
  network diagrams in, 819–820
  password policy in, 821–823
  patches in, 818, 823–824
  perimeters in, 821, 832–833
  physical security in, 815, 830
  placement of systems in, 820
  policy statements in, 819
  principles of least privilege in, 816–817
  problems facing organizations in, 809
  remote access in, 827
  secure communications in, 828
  sensitive information in, 829
  service accounts in, 823
  single-use servers in, 832
  site protection in, 815–818
  summary of, 834
  system accounts protection in, 834
  system checks in, 818
  systems within enterprises, securing all,
813trust relationships in, 833tunneling, 826UNIX systems in, 831URL directory traversal in, 827URL header length in, 827user education in, 830–831volume of attacks in, 811vulnerability assessments in, 824–825
integrity of data
  cryptography for, 574–575
  in future planning, 839
  in information system security, 35–37
  primitives in cryptography for, 602
  in Public Key Infrastructure, 689
  in steganography, 642
integrity of e-mails, 339
intellectual property, 839
interfacing with organizations. See enterprise security methodologies
internal networks, 27
internal penetration testing, 771
internal servers and outbound communications, 820
internal threats, 140–141. See also insider threats
International Mobile Subscriber Identity (IMSI), 462
International Mobile Telephone Standard 2000, 471–472
Internet, boundlessness of, 12
Internet Control Message Protocol (ICMP), 437
Internet Engineering Task Force (IETF), 722
Internet Explorer configuration options, 282–286
Internet Message Access Protocol (IMAP), 344–345, 682
Internet perimeter, 145–146
Internet Protocol (IP), 442–449
  addresses, 262, 532–533
  area codes, 449
  classless interdomain routing in, 443–444
  forwarding, 219
  history of, 443
  introduction to, 442–443
  IPv6 solution for, 445–448
  network address translation in, 444–445
  in Network layer, 436
  phones, 451
  version 7, 448–449
  zone codes, 449
Internet relay chats (IRCs), 178, 420–421
Internet zones, 282–283
intruders, acquiring information about, 556
intrusion, response to. See also intrusion detection (ID)
  CERT/CC guidelines for, 717–722
  computer incident response teams for, 708
  incident handling, generally, 716–717
  Internet Engineering Task Force guidelines for, 722
  security incident notification process in, 726–727
  summary of, 727
  terminating connections with intruders, 556
intrusion detection (ID)
  antivirus approaches to, 707–708
  components of, 708
  honeypots for, 712–716
  mechanisms for, 707–712
  prevention vs. See intrusion prevention systems (IPSs)
  response in. See intrusion, response to
  summary of, 727
  systems for. See intrusion detection systems (IDSs)
  virus prevention software for, 708
  virus scanners for, 707–708
intrusion detection systems (IDSs). See also intrusion prevention systems (IPSs)
  for access control, 114
  anomaly detection in, 553–554
  architecture in, 561–564
  in Defense-in-Depth strategy, 41
  detection issues in, 555
  emerging technologies in, generally, 556–557
  host-based, 550–551, 802
  in integration of security components, 832–833
  issues of, 711–712
  layered security approach to, 723
  methods of, 553–555
  misuse detection in, 554–555
  modes of, 553–555
  network-based, 551–553
  next generation packet inspection in, 564–567
  overview of, 549–550
  packet inspection methods in, 557–561
  pattern matching detection in, 554–555
  for perimeter intrusions, 99
  responses to intrusions in. See intrusion, response to
intrusion prevention systems (IPSs). See also intrusion detection systems (IDSs)
  in data protection, 802
  exclude lists in, 567
  gateway interaction devices in, 566
  inline network devices and, 566
  packet inspection methods, 565–567
  session sniping, 566
  systems memory and process protection in, 566
  whitelists in, 567
inventory, 217
investigative searching, 315–316
invisible digital watermarking, 675
IP (Internet Protocol). See Internet Protocol (IP)
ipop services, 228
IPPs (Information Protection Policies), 44
IPSec-based virtual private networks (VPNs)

IPv6 (Internet Protocol version 6)
  address autoconfiguration in, 446–447
  anycast in, 446
  header of, 448
  multicast of, 446
  overview of, 445–446
  transition to, 447

L
Lamarr, Hedy, 473
language settings, 285, 406
LANMAN, 195
LANs (local area networks)
  cellular telephones and, 466–467
  in e-mail attacks, 332
  encryption in, 243
  future of, 506–507
  hubs connecting, 514
  IEEE wireless specifications, 478–480
  infrastructure-based wireless, 484
  internal, 532
  LAN-to-LAN virtual private networks, 694
  sniffing, 781
  switches connecting, 514
  trusted vs. untrusted, 150, 171
  virtual. See VLANs (virtual local area networks)
  viruses on, 172
  wireless, 459–460
laptops, 526
layered architecture, 431–432. See also specific layers
layered defenses, 40
layered security approach, 723
LCG (linear congruential pseudorandom number

(LCG), 588
Link Control Protocol, 438
Linux security. See also UNIX security
  boot loader passwords in, 213
  configuration control in, 218–224
  hardware changes detection in, 214
  nmap commands in, 232
  open source in, 207–208
  process control in, 225
  runlevels in, 233
  targeting, 209–210
live acquisition, 736–737
local area networks (LANs). See LANs (local area networks)

  Acquisition Programs, 80
Major Automated Information System (MAIS) Acquisition Programs, 80
malcode attacks
  on browsers, 258
  in e-mail security, 325–327
  on home workstations, 170–171
  overview of, 127–129
  in UNIX, 225
malicious code, 127–129. See also malcode attacks
malicious data detection, 560
malicious URLs, 827
management
  of configuration. See configuration management
  consoles for, 803
  of digital rights. See digital rights management (DRM)
  Information Management Policies, 44
  of keys. See key management
  of patches, 801
  reports to, 782
  of risk. See risk management
  security controls for, 69–70
  of server security, 402
  of users, 145–146
mandatory access control (MAC), 111
Mandatory Procedures for Major Defense

  availability in, 839
  confidentiality in, 839
  countermeasures in, 841–842
  future planning of, 837–844
  impact analysis in, 840–841
  integrity in, 839
  presentation of analysis results in, 843–844
  probability in, 840
  qualitative risk analysis in, 842–843
  quantitative risk analysis in, 843
  risk analysis in, 842–844
  risk in, 837–838
  threats in, 838–839
  vulnerabilities in, 839–840
misuse detection, 554–555
mitigation of risk, 69–70. See also risk management
MLS (multi-level security). See multi-level security

Open System Interconnect (OSI)
  Application layer in, 433–434
  Data Link layer in, 437–438
  layers in, generally, 432–433
  model of, 432–433
  Network layer in, 436–437
  Physical layer in, 438–439
  Presentation layer in, 434
  Session layer in, 434–435
  Transport layer in, 435–436
open-box penetration testing, 772
opening e-mails, 349
operating safely while e-mailing. See also e-mail security
  accounts for e-mails in, 349
  application versions in, 350
  architectural considerations in, 350–351
  GNU Privacy Guard for, 354–355
  mail client configurations in, 349–350
  opening e-mails in, 349
  Pretty Good Privacy in, 354–355
  sacrificial e-mail addresses in, 349
  SSH tunnels for, 351–354
operating servers safely. See also server security
  access control for, 415
  auditing for, 416
  backing up systems for, 414–415
  configuration control for, 413–415
  logging in, 416
  monitoring in, 416
  passwords in, 415–416
  physical security and, 413–414
  service minimization for, 414
  users, controlling, 415
operating systems (OSs)
  attacks on, 791
  easy-to-obtain, 208
  fingerprinting, 781
  hardening, 151–154, 800–801
  out-of-the-box, 151–154
  system calls on, 156–157
operating UNIX safely. See also UNIX security
  certificates in, 243–245
  chkconfig commands in, 235–236
  chroot in, 240
  control in, 237–243
  controlling processes in, 225
  encryption in, 243–245
  files in, 237–239
  GNU Privacy Guard for, 244
  init process in, 233–234
  introduction to, 224–225
  netstat commands in, 230–232
  nmap commands in, 232–233
  processes controlling processes in, 233–237
  ps commands in, 230
  root access in, 240–243
  Secure Shell for, 244–245
  services in, 236–237
  Set UID in, 239–241
  xinetd process in, 234–235
operating Web browsers safely. See also Web browser security
  network environments in, 273–274
  patches for, 271–272
  private data in, 274–275
  proxy servers in, 274
  recommended practices for, 275–276
  secure sites for, 272–273
  viruses in, 272
operating Windows safely. See also Windows security
  access to systems in, 179
  antivirus protection in, 180
  backups for, 191
  configuration issues in, 180–184
  data handling practices in, 185–186
  digital certificate technology for, 183
  introduction to, 177
  NetBIOS in, 189
  NULL sessions in, 190–191
  operating issues in, 184–191
  passwords in, 187–189
  physical security issues in, 179
  policy adherence for, 184
  risk behavior vs., 177–178
  software in, 183–184
  Trojan horses in, 186–187
  users in, 180–183
  viruses in, 186–187
  worms in, 186–187
operational security controls, 69–70
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 755
operation/maintenance phase, 52, 56–59
organizational approach to security, 835–836
organizational criticality matrix, 754–755
Orthogonal Frequency Division Multiplexing (OFDM), 477–478
Orwell, George, 201
OS (operating system) fingerprinting, 781
OSI (Open System Interconnect). See Open System Interconnect (OSI)
OSPF (Open Shortest Path First), 437
OSs (operating systems). See operating systems (OSs)
outdated Windows systems, 195
out-of-the-box operating system hardening,

  asymmetric encryption in, 597–599
  block ciphers in, 593–595
  cast introduction in, 590–591
  certificate authorities in, 598
  confidentiality, integrity, availability with, 602–603
  digital signatures in, 599–600
  hash functions in, 600–602
  introduction to, 587
  keyed hash functions in, 601–602
  pseudo random number generation in, 588–589
  random number generators in, 587–591
  sharing keys in, 595–596
  stream ciphers in, 592–593
  symmetric encryption in, 591–596
  two-key encryption in, 597–599
  user input generating numbers for, 589
  web of trust in, 598–599
  whitening functions in, 589–590
principals, 686
principle of least privilege, 803
principles of security, 15–16
print daemons, 227
printers, 526
prioritization of critical systems, 92
Priority fields, 361–362
Prismstumbler, 501
privacy
  of data, 327–335
  MAC layer for, 479
  Pretty Good Privacy. See Pretty Good Privacy (PGP)
  settings for, 284–285
  in Web browser and client security, 256

  435
  for e-mail security, 340–345
  Extensible Authentication, 486–488, 491–492
  File Transfer. See File Transfer Protocol (FTP)
  Hyper Text Transfer. See HTTP (Hyper Text Transfer Protocol)
  Internet. See Internet Protocol (IP)
  Internet Control Message, 437
  Internet Message Access, 344–345
  Lightweight Directory Access, 229, 418–420
  Link Control, 438
  in network architecture, 526
  for networks. See network protocols
  packets containing, 533
  Password Authentication, 125
  Point-to-Point, 438, 698
  Post Office, 343–344
  Reverse Address Resolution, 438
  Routing Information, 437
  Secure File Transfer, 175
protocols (continued)
  Serial Line Internet, 438
  session-initiate, 457
  Simple Mail Transfer. See Simple Mail Transfer Protocol (SMTP)
  Simple Network Management, 434
  Temporal Key Integrity. See Temporal Key Integrity Protocol (TKIP)
  Transmission Control. See TCP (Transmission Control Protocol)

proxy firewalls, 535–536
proxy servers, 274
prudent man rule, 107
ps commands, 230
pseudo random number generation, 588–589
PSK (Pre-Shared Key) mode, 500
PTKs (pairwise transient keys), 496
Public Key Infrastructure (PKI)
  confidentiality in, 690
  defined, 41
  digital signatures in, 690
  introduction to, 688–689
  key management in, 691–692
  non-repudiation in, 691
  private keys vs., 689–690
  public keys in, 689–690
public networks, 510
public-private key encryption, 338–339
PUT method, 289, 299–300
putting everything together. See integration of security components

Q
qualitative risk analysis, 842–843
quantitative risk analysis, 843
quantum bits, 617–622
quantum cryptography. See also cryptography
  biometrics in, 626
  bits in, 617–622
  blackmailing in, 626–627
  computation in, 617–622
  encryption, malicious uses of, 626–628
  fast factoring of large composites in, 621–622
  pass phrases in, 623–626
  passwords in, 622–623
  secure communication channels in, 620
  secure tokens in, 624–626
  worms, encryption in, 627–628
quick-start hardening
  disabling unneeded services for, 164
  overview of, 160
  passwords in, 163–164
  patches for, 161
  port blocking for, 162–163
  removing unneeded components for, 164–165
  security template for, 166
  service packs for, 161
  sharing files and printing, removal of, 161–162

R
r commands, 226
RADIUS (Remote Authentication and Dial-In User Service), 124
random number generators
  cast introduction in, 590–591
  in cryptography, 585–586
  introduction to, 587–588
  primitives and, 587–591
  pseudo random number generation and, 588–589
  user input generating numbers for, 589
  whitening functions in, 589–590
random script, 227
RARP (Reverse Address Resolution Protocol), 438
rawdevices, 227
reactive security, 6
real time communications, 436
reasonable care, 107
reassociation, 479
rebooting, 212
rebuilding systems, 196
recognizance, 379
records, 360–361
recovery controls, 69–70
recovery teams, 98
recursion, 383–384
Redfang v2.5, 502
redundancy, 845–846
re-evaluation of systems, 196
Registry, 167
regulatory policies, 75
rekeying against key reuse, 495–496
relational databases, 121–123
reporting, 114, 782, 787
residual risks, 70, 769
resource requirements, 92
respect for adversaries, 399
restoring compromised systems, 787
restricted sites zone, 284
results documentation, 68
resurrecting duckling solution, 487
Reverse Address Resolution Protocol (RARP), 438
reverse DNS lookups, 371–374
rexec, 228
Rice Monarch Project, 502
ring example, 645–646
RIP (Routing Information Protocol), 229, 437
risk analysis. See risk assessment
risk assessment. See also risks
  analysis in, 65, 842–844
  control recommendations in, 68
  in future planning, 837–838
  impact analysis in, 66–67
  likelihood determination in, 65–66
  in NIST SP 800–14, 768
  overview of, 63
  results documentation in, 68
  risk determination in, 67–68
  system characterization in, 63–64
  threat identification in, 64
  vulnerability identification in, 64–65
risk management. See also risks
  architecture of networks in, 27
  assessment for. See risk assessment
  attack types in, 29–30
  backdoors in, 31
  backup policies in, 29
  business systems in, 30
  calculating risk in, 70–71
  content-level inspections in, 31
  definitions in, 60–61
  demilitarized zones in, 27
  denial of applications and services in, 28
  desktop protections in, 29
  disaster recovery plans in, 29
  disposal of sensitive information in, 29
  encryption in, 29
  evaluation in, 70
  firewalls in, 31
  in information technology, 53
  in-house developed applications in, 31
  internal networks in, 27
  intrusion detection systems in, 28
  log reviews in, 30
  mitigation of risk in, 69–70, 768–769
  password policy in, 27–28
  phishing attacks in, 31
  physical security controls in, 30
  remote access in, 28
  security policy in, 27
  social-engineering attacks in, 31
  system patching in, 31
  systems development life cycle and, 61
  Trojans in, 31
  of VoIP, 455
  vulnerability scans in, 30
  wireless infrastructures in, 28
risk-based security controls, 397–398
risks. See also threats
  assessment of. See risk assessment
  assigning value to, 811
  in cyber security, 4
  defined, 61
  in e-mail security, 323
  management of. See risk management
  in server security, 395–396
  in Web browser and client security, 255–259
  in Windows security, 177–178

security awareness
  in data protection, 799
  of employees, 811–812
  in information system security management, 77–79
  in planning, 94
  server needs in, 399–400
  training in, 172
security extensions, 381–382
security features of communication applications
  for Authentication Servers, 685–686
  confidentiality in, 690
  digital signatures in, 690
  Domain Name System, 377–384
  for e-mail, 682–685
  Internet Explorer, 282–284
  introduction to, 681
  Kerberos, 684–685
  key management in, 691–692
  non-repudiation in, 691
  POP/IMAP protocols, 682
  Pretty Good Privacy, 682–684
  private keys in, 689–690
  Public Key Infrastructure, 688–690
  Secure Sockets Layer, 699–703
  summary of, 704
  Transport Layer, 699
  for virtual private networks (VPNs). See virtual private networks (VPNs)
  VoIP, 454–455
  web of trust in, 692
  Wired Equivalent Privacy, 491
  working model of, 686–688

  ActiveX and, 306–309
  client content and, 303–309
  Common Gateway Interface and, 301–302
  permissions in, 305–306
  PHP pages and, 302–303
  sandboxes for, 304–305
  security of. See server security
  in Web security, generally, 301–303
server environments, 456
server security, 395–427
  access control for, 415
  applications in, 417–421
  auditing for, 416
  awareness of need for, 399–400
  backing up systems for, 414–415
  business impact assessments in, 401
  code cleanliness in, 406
  configuration control for, 402–404, 413–415
  content injection in, 407–409
  cross-site scripting in, 407–408
  data handling in, 405–406, 417–420
  defense-in-depth principle in, 398
  designing for, generally, 396–397
  development practices for, 402, 405–411
  digital rights management in, 421–426
  dynamic scripting in, 409
  encryption for, 409–411
  FTP servers in, 417–418
  information control in, 422–426
  input validation in, 407
  instant messages in, 420–421
  Internet relay chats in, 420–421
  language choice in, 406
  Lightweight Directory Access Protocol in, 418–420
  logging in, 416
  management and, 402
  monitoring in, 416
  multi-level, 421–426
  network support for, 403–404
  operating servers safely for, 413–416
  passwords in, 415–416
  peer-to-peer applications in, 420
  physical security and, 413–414
  respect for adversaries in, 399
  risks requiring, 395–398
  screening input for, 409
  service minimization for, 414
  simplicity in, 399
  SQL injection in, 408
  stored procedures in, 408
  summary of, 427
  testing, 411–413
  users in, 415

  defense-in-depth principle in, 816
  detection vs. prevention for, 817–818
  introduction to, 815–816
  patches in, 818
  principles of least privilege in, 816–817
  system checks in, 818
site-to-site virtual private networks (VPNs), 694
SLE (single loss expectancy), 70–71
SLIP (Serial Line Internet Protocol), 438
slow starts, 295–296
Slurpie, 247
smart cards, 100–101
smb, 229
SMTP (Simple Mail Transfer Protocol). See Simple Mail Transfer Protocol (SMTP)
sniffing, 502, 781
SNMP (Simple Network Management Protocol),

  accounts of, 834
  accreditation of, 757
  attacks on, 791
  characterization of, 63–64
  development life cycle of. See systems development life cycle (SDLC)
  engineering of, 37–38, 41–42
  hardening of. See hardening systems
  infrastructures of, 465–466
  management plans for, 80–87
  memory and process protection in, 566
  misuse of, 135
  patching, 31
systems development life cycle (SDLC)
  common practices and, 53–54
  engineering principles for, 53–56
  information system security and, 52–53
  of information technology, 56–59
  phases of, 51–52
Systems Security Engineering Capability Maturity Model (SSE-CMM), 751–753
system-specific policies, 75

T
tabletop exercises, 97
TACACS and TACACS+ (Terminal Access Controller Access Control Systems), 124
TACS (Total Access Communication System), 471
Tagged Image File Format (TIFF), 434
talk, 228
targeted hacks, 138–140
targeting UNIX, 207–210
TC (Trusted Computing), 421–423, 426
TCO (total cost of ownership), 841
TCP (Transmission Control Protocol)
  attacks in, 131
  HTTP traffic on, 288, 293–298
  introduction to, 435
  sequence numbers, 136
  wrappers, 247

  Initialization Vector in. See Initialization Vector (IV)
  Message Integrity Codes and, 494–495
  per-packet mixing function of, 492–493
  rekeying against key reuse in, 495–496
temporal keys (TKs), 496
TEMPs (test and evaluation master plans), 85–87
Terminal Access Controller Access Control System (TACACS), 124
terminating connections with intruders, 556
test and evaluation master plans (TEMPs), 85–87
testing
  environments for, 403
  security. See security assurance evaluation mechanisms
  server security, 411–413
  tools, 501–503
  in workstations, putting on networks, 175
testing Windows security. See also Windows security
  auditing for, 197
  cleaning up systems for, 197–198
  logging in, 197
  monitoring in, 196–197
  outdated Windows systems and, 195
  performance issues in, 195
  questionable applications in, 194
  re-evaluation and rebuilding in, 196
  scanning for vulnerabilities, 194
TFTP (Trivial File Transfer Protocol), 175, 433
theft, 141, 212
threats, 127–142

unintentional filesharing, 140–141
uniqueness of passwords, 822
Universal Mobile Telecommunications Systems (UMTS), 472–473
UNIX security, 207–254
  automatic update servers in, 218
  backups without detection in, 216
  blocking techniques in, 248–253
  configuration for, 245–246
  configuration for hardening, 217–224
  detection in, 217
  disk partitioning in, 215–216
  expert users in, 210
  file sharing/transfer in, 218
  files in, 210
  focus of, 207
  hardening for, 245–253
  hardware changes detection in, 214–215
  incoming traffic in, 248–250
  information exchange in, 209
  installed packages in, 217–218
  integrating components of, 831
  inventory in, 217
  kernel configurations in, 218–224
  limiting access for, 212–213
  logging blocked traffic, 251–253
  mail servers in, 217
  network and development tools in, 208
  open source in, 208, 210–212
  operating safely. See operating UNIX safely
  operating systems in, 208
  outgoing traffic in, 250–251
  packet filtering with iptables for, 247–253
  passwords in, 247
  physical security in, 212–217
  /proc file systems in, 223–224
  script techniques in, 210
  services in, 225–233
  summary of, 253–254
  system calls in, 221–223
  targeting UNIX, 207–210
  TCP wrapper for, 247
  versions and builds in, 209
upgrades
  of antivirus signatures, 193
  for applications, 192–193
  from Microsoft, 192–193
  for Windows security, 149
  of Windows versions, 194

  attack phase of penetration testing in, 785–786
  automated vulnerability scanners for, 782–783
  of data protection, 799
  exploitation of systems and. See attackers exploiting systems
  flow in current penetration testing, 780–782
  manual penetration testing for, 782–783
  overview of, 777–779
  penetration testing, current state of, 780–783
  penetration testing, formal methodology of, 783–787
  penetration testing in, generally, 777–779
  post-attack phase of penetration testing in, 787
  pre-attack phase of penetration testing in, 784–785
  security assessments in, 779
  summary of, 795
validation phase, 757, 759
van Dam, Dr. Andries, 298
verification phase, 757, 759
verifiers, 686
de Vigenere, Blaise, 582
Vigenere cipher, 582–585
violations reports, 114
violence settings, 285
virtual local area network (VLAN) separation. See VLANs (virtual local area networks)
virtual machines, 805
virtual private networks (VPNs)
  Authentication Header of IPSec-based, 696–697
  design issues in, 693–694
  IPSec-based, 695–698
  overview of, 692–693
  Point-to-Point Protocol for, 698
  Point-to-Point Tunneling Protocol and, 698
  Secure Shell for, 698–699
  transport mode of IPSec-based, 695
  tunneled mode of IPSec-based, 695–696
virus scanners, 707–708
viruses
  attacks of, 127–129
  avoiding, 186–187
  in e-mail security, 350
  software prevention for, 708
  in Web browser and client security, 272
  on workstations, 198–199
visibility, 643
visible digital watermarking, 675
visitor location registers (VLRs), 463
VLANs (virtual local area networks)
  in defense-in-depth methodology, 145–146
  network architecture and, 516–517
  in network design, 455
  in server security, 404
VLRs (visitor location registers), 463
VoIP (Voice over Internet Protocol), 450–458
  analog telephone adaptors and, 450
  circuit switching vs., 451–452
  computer-to-computer calls via, 451
  crossover requirements of, 456
  H.323, 457
  IP phones for, 451
  network design for, 455
  packet switching of, 452–453
  protocols of, 456–457
  reasons for using, 453
  risk factors of, 455
  security issues with, 454–455
  server environments of, 456
  session-initiate protocol for, 457
  softphones vs. hardware phones with, 456
volatile information, 738
vulnerabilities
  analysis of, 528
  assessment of, 93, 824–825
  of browsers, 258
  in data protection, 804
  defined, 61
  exploiting, 172
  in future planning, 839–840
  identification of, 64–65
  scanning for, 30, 194
  statistics on, 384
  of Windows, 154–158

  ActiveX in, 278
  caches in, 281–282
  content settings, 285
  cookies, 281
  cookies in, 276–277
  encryption in, 281, 286
  histories in, 281
  for Internet Explorer, 282–286
  for Internet zones, 282–283
  Java, 278–279
  JavaScript, 279–280
  for local intranet zones, 283
  Netscape in, 281–282
  plugins, 277–280
  privacy settings, 284–285
  for restricted sites zone, 284
  for trusted sites zone, 283–284
Web browser security, 255–286
  attacks on browsers, 268–269
  caching in, 264
  configurations of browsers for. See Web browser configurations
  convenience in, 256
  cookies in, 260–262
  encryption in, 286
  evolution of, 257
  functioning of browsers and, 259–265
  hijacking attacks in, 268–269
  HTTP in, 259–261
  Internet Explorer in, 282–286
  maintaining state in, 262–264
  operating browsers safely for. See operating Web browsers safely
  parasites on browsers, 269
  patches for, 271–272
  privacy vs., 256
  productivity and popularity of browsers vs., 256–257
  protections in browsers for, 258–259
  replay attacks on browsers, 269–270
  risks requiring, 255–259
  Secure Socket Layer in, 264–268
  summary of, 286
  Transport Layer Security in, 264–265
  vulnerabilities of browsers and, 258
Web browsers
  attacks on, 268–269
  caching by, 264
  configuring. See Web browser configurations
  cookies and, 260–262
  HTTP for, 259–261
  maintaining state of, 262–264
  operating safely, 271–276
  Secure Socket Layer in, 264–268
  security of. See Web browser security
  Transport Layer Security for, 264–265
Web browsing, 170, 178
Web bugs, 313–314
web of trust, 598–599, 692
Web search engines, 780
Web security
  account harvesting in, 315–316
  ActiveX and, 306–309
  attacks on Web servers, 315–317
  browsers and. See Web browser security
  client content and, 303–309
  Common Gateway Interface in, 301–302
  HTTP in. See HTTP (Hyper Text Transfer Protocol)
  Java and, 304–309
  JavaScript and, 303–304
  permissions in, 305–306
  PHP pages and, 302–303
  sandboxes in, 304–305
  server content and, 301–303
  SQL injection in, 316–317
  state in. See state in Web security
  summary of, 321
  Web services, 317–321
Web services
  descriptions of, 320–321
  discovery of, 321
  overview of, 317–319
  standards and protocols for, 319
  transport of, 319
  Web security, 317–321
  XML messaging and, 319–320
Web site maintenance, 178
Wellenreiter, 501
WEP (Wired Equivalent Privacy). See Wired Equivalent Privacy (WEP)

  configuration of, 172
  data protection in, 800
  operating safely. See operating Windows safely
  security of. See Windows security
  updates for, 149, 191–195
  upgrades of, 194
Windows, hardening. See also Windows security
  hosts in, 145–146, 149
  out-of-the-box operating system in, 151–154
  quick-start, 160
  system hardening in, 166–170
Windows 2003, 158–160
Windows security
  ad support in, 200–201
  antivirus protection in, 149, 171–173
  applications in, 171–175, 192–194
  architecture in, 176–177
  attacks on, 198–205
  auditing for, 197
  AUTORUN vs., 167
  back door attacks on, 203
  for business workstations, 170
  cleaning up systems for, 197–198
  denial-of-service attacks on, 203
  disabling unneeded services for, 164
  ease-of-use and, 147
  file extension attacks on, 204
  files in, 161–162, 167
  firewalls in, 149, 177
  hackers targeting, 147–148
  hardening for. See Windows, hardening
  hijacking attacks on, 204
  for home workstations, 170–171
  intrusion detection systems for, 177
  logging in, 197
  maintaining, 194–198
  Microsoft recommendations for, 149–151
  monitoring in, 196–197
  operating Windows safely for. See operating Windows safely
  overview of, 145–146
  packet sniffing attacks on, 204
  passwords in, 163–164, 169–170
  patches for, 161, 191–194
  performance issues in, 195
  personal firewalls for, 173–174
  physical security, 175–176, 202
  port blocking for, 162–163
  ports in, 159–160
  Pretty Good Privacy for, 175
  reasons for, 148–149
  re-evaluation and rebuilding in, 196
  Registry in, 167
  removing unneeded components for, 164–165
  scanning for, 194
  secure FTP for, 175
  Secure Shell for, 174
  security template for, 166
  service packs for, 161
  session replay attacks on, 204
  signatures for, 193
  social engineering attacks on, 204–205
  spyware, 200–202
  summary of, 205
  TEMPEST attacks on, 202–203
  testing. See testing Windows security
  Trojan horses in, 200
  users and, 168–169
  viruses in, 198–199
  vulnerability protections in. See Windows vulnerability protections
  workstations and, 175–179
  worms in, 199–200
Windows vulnerability protections. See also Windows security
  academic technologies/ideas for, 155–158
  canary values, 157
Windows vulnerability protections. See also Windows security (continued)
  library call safety in, 158
  McAfee for, 155
  operating safely for. See operating Windows safely
  stack data location rearrangement, 155–156
  Symantec for, 154
  system calls, 156–157
  vulnerability protections, 154–158
Wired Equivalent Privacy (WEP)
  802.1X authentication and, 491–492
  Crack in, 502
  for IEEE 802.11 wireless security, 486, 489–496
  Initialization Vector in, 489–492
  Message Integrity Codes and, 494–495
  open authentication in, 490
  overview of, 486, 489–490
  per-packet mixing function of, 492–493
  rekeying against key reuse in, 495–496
  security upgrades of, 491
  shared key authentication in, 490–491
  Temporal Key Integrity Protocol and, 492–496

  3G cellular technologies in, 507
  Advanced Mobile Phone System in, 470–471
  Bluetooth in, 503–504
  cell phones and. See cellular telephones
  Cellular Digital Packet Data in, 471
  Code Division Multiple Access in, 469–470
  electromagnetic spectrum in, 459–461
  Frequency Division Multiple Access in, 469
  future of, 506
  IEEE 802.11 wireless security. See IEEE 802.11
  IEEE 802.20 for, 507
  IEEE wireless LAN specifications for, 478–480
  of International Mobile Telephone Standard 2000, 471–472
  MAC layer in, 478–480
  Nordic Mobile Telephone in, 471
  Personal Digital Cellular in, 471
  of pervasive wireless data network technologies, 473–478
  PHY layer in, 478
  of spread spectrum technologies, 473–478
  summary of, 508
  Time Division Multiple Access in, 469
  Total Access Communication System in, 471
  of Universal Mobile Telecommunications System,
wireless transmission systems, 469–473
wireless WAN (wide area networks), 488–489
Wireshark, 208
word processing, 170
work breakdown structures (WBSs), 82–85
workstations
  attacks on, 198–205
  back door attacks on, 203
  business, 170
  denial-of-service attacks on, 203
  firewalls in, 177
  hijacking attacks on, 204
  home, 170–171
  intrusion detection systems on, 177
  in network architecture, 176–177
  not in use, 179
  physical security in, 175–176
  putting on networks, 175–177
  social engineering attacks on, 204–205
  software on, 183–184
  testing, 175
  Trojan horses on, 200
  viruses on, 198–199
  worms attacking, 199–200
world category, 237
World Wars I and II, 640
worms
  in quantum cryptography, 627–628
  on Windows, 186–187
  on workstations, 199–200

zip algorithms, 296
zone files, 362–364
zone records, 360–361
zone transfers
  alternatives to, 382
  Domain Name System in, 381–382, 388
  historical problems of, 380
  introduction to, 379–382
  master-slave relationships and, 388
  requiring certificates in, 380–381
  specifying transfer sites for, 380