ENGINEERING INFORMATION SECURITY

IEEE Press
445 Hoes Lane
Piscataway, NJ 08854

IEEE Press Editorial Board
Lajos Hanzo, Editor in Chief

R. Abari        M. El-Hawary     S. Nahavandi
J. Anderson     B. M. Hammerli   W. Reeve
F. Canavero     M. Lanzerotti    T. Samad
T. G. Croda     O. Malik         G. Zobrist

Kenneth Moore, Director of IEEE Book and Information Services (BIS)

IEEE PRESS SERIES ON INFORMATION & COMMUNICATION NETWORKS SECURITY
SERIES EDITOR
Stamatios Kartalopoulos

Security of Information and Communication Networks
Stamatios Kartalopoulos

Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance
Stuart Jacobs

ENGINEERING INFORMATION SECURITY
The Application of Systems Engineering Concepts to Achieve Information Assurance
Stuart Jacobs

Copyright © 2011 by Institute of Electrical and Electronics Engineers. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials.
The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
Jacobs, Stuart.
Engineering information security: The application of systems engineering concepts to achieve information assurance / Stuart Jacobs.
p. cm.
ISBN 978-0-470-56512-4 (hardback)
1. Computer security. 2. Computer networks–Security measures. 3. Information technology–Security measures. 4. Data protection. I. Title.
QA76.9.A25J325 2010
005.8–dc22 2010028408

oBook ISBN: 978-0-470-94791-3
ePDF ISBN: 978-0-470-94783-8
ePub ISBN: 978-1-118-00901-7

Printed in Singapore.
10 9 8 7 6 5 4 3 2 1

This book is dedicated to my wife, Eileen, for her patience with my spending so much time at the keyboard rather than with her.

CONTENTS

Preface and Acknowledgments

1 WHAT IS SECURITY?
  1.1 Introduction
  1.2 The Subject of Security
    1.2.1 Branches of Security
    1.2.2 Defining Security by Function
      1.2.2.1 Risk Avoidance
      1.2.2.2 Deterrence
      1.2.2.3 Prevention
      1.2.2.4 Detection
      1.2.2.5 Recovery
    1.2.3 The Common Body of Knowledge (CBK) Security Domains
      1.2.3.1 Access Control Systems and Methodology
      1.2.3.2 Application and Systems Development Security
      1.2.3.3 Business Continuity Planning and Disaster Recovery Planning
      1.2.3.4 Cryptography
      1.2.3.5 Information Security and Risk Management
      1.2.3.6 Legal, Regulations, Compliance, and Investigations
      1.2.3.7 Operations Security
      1.2.3.8 Physical Security
      1.2.3.9 Security Architecture and Models
      1.2.3.10 Telecommunications and Network Security
      1.2.3.11 CBK Summary
  1.3 A Twenty-First Century Tale
    1.3.1 The Actors
      1.3.1.1 Bob's Story
      1.3.1.2 Carol's Story
      1.3.1.3 Alice's Story
    1.3.2 What Actually Occurred
    1.3.3 How Could All This Have Been Prevented?
    1.3.4 They Did Not Live Happily Ever After
  1.4 Why are You Important to Computer Security?
    1.4.1 What are the Threats to Your Computer?
    1.4.2 As a User, What to Do?
  1.5 End of the Beginning
  1.6 Chapter Summary
  1.7 Further Reading and Resources
  1.8 Questions
  1.9 Exercises

2 SYSTEMS ENGINEERING
  2.1 So What Is Systems Engineering?
    2.1.1 SIMILAR Systems Engineering Process
      2.1.1.1 Stating the Problem
      2.1.1.2 Investigate Alternatives and Model the System
      2.1.1.3 Develop/Integrate
      2.1.1.4 Launch the System
      2.1.1.5 Assess Performance
      2.1.1.6 Re-evaluate
    2.1.2 Another Systems Engineering View
    2.1.3 Process Variations
  2.2 Process Management
    2.2.1 ISO 9000 Processes and Procedures
    2.2.2 Capability Maturity Model (CMM)
  2.3 Organization Environments
    2.3.1 Economic, Legal, and Political Contexts
      2.3.1.1 Regulations/Legislation
      2.3.1.2 Market-Based Regulations
      2.3.1.3 Technology Evolution
      2.3.1.4 Customer Demands and Expectations
      2.3.1.5 Legal Liability
      2.3.1.6 Competition
      2.3.1.7 Terrorism and Cyber Crime
    2.3.2 Business/Organizational Types
      2.3.2.1 Commercial