Information security management handbook PDF

701 Pages·2006·7.222 MB·English

Preview Information security management handbook

Information Security Management Handbook, Fifth Edition, Volume 3
Edited by Harold F. Tipton and Micki Krause
Auerbach Publications, Taylor & Francis Group, Boca Raton / New York

Chapter 18, Enterprise Security Management Program, by George G. McBride: © 2005 Copyright Lucent Technologies.
Chapter 23, Beyond Information Security Awareness Training: It Is Time To Change the Culture, by Stan Stahl: © Copyright 2005, Citadel Information Group, Inc.
Chapter 25, System Development Security Methodology, by Ian Lim and Ioana V. Bazavan: © Copyright 2003 Accenture. All rights reserved. Used by permission.

Published in 2006 by Auerbach Publications, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742. © 2006 by Taylor & Francis Group, LLC. Auerbach is an imprint of Taylor & Francis Group. No claim to original U.S. Government works. Printed in the United States of America on acid-free paper. 10 9 8 7 6 5 4 3 2 1

International Standard Book Number-10: 0-8493-9561-5 (Hardcover)
International Standard Book Number-13: 978-0-8493-9561-1 (Hardcover)
Library of Congress Card Number 2003061151

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use. No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Information security management handbook / Harold F. Tipton, Micki Krause, editors.--5th ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-9561-5 (alk. paper)
1. Computer security--Management--Handbooks, manuals, etc. 2. Data protection--Handbooks, manuals, etc. I. Tipton, Harold F. II. Krause, Micki.
QA76.9.A25I54165 2003
658’.0558--dc22
2003061151

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Publications Web site at http://www.auerbach-publications.com. Taylor & Francis Group is the Academic Division of Informa plc.

Table of Contents

About the Editors .......................................... xi
Contributors ............................................... xiii
Introduction ............................................... xxiii

1 ACCESS CONTROL SYSTEMS AND METHODOLOGY .................... 1
  Section 1.1 Access Control Techniques
    1  Sensitive or Critical Data Access Controls ........... 5
       Mollie E. Krehnke and David C. Krehnke
    2  An Introduction to Role-Based Access Control ......... 17
       Ian Clark
    3  Smart Cards .......................................... 31
       Jim Tiller
    4  A Guide to Evaluating Tokens ......................... 41
       Joseph T. Hootman
  Section 1.2 Access Control Administration
    5  Identity Management: Benefits and Challenges ......... 51
       Lynda L. McGhie

2 TELECOMMUNICATIONS AND NETWORK SECURITY ................... 69
  Section 2.1 Communications and Network Security
    6  An Examination of Firewall Architectures ............. 73
       Paul A. Henry
    7  The Five W’s and Designing a Secure, Identity-Based, Self-Defending Network (5W Network) ... 119
       Samuel W. Chun
    8  Maintaining Network Security: Availability via Intelligent Agents ... 131
       Robby Fussell
    9  PBX Firewalls: Closing the Back Door ................. 139
       William A. Yarberry, Jr.
  Section 2.2 Internet, Intranet, Extranet Security
    10 Voice over WLAN ...................................... 145
       Bill Lipiczky
    11 Spam Wars: How To Deal with Junk E-Mail .............. 155
       Al Bredenberg
  Section 2.3 Network Attacks and Countermeasures
    12 Auditing the Telephony System: Defenses against Communications Security Breaches and Toll Fraud ... 161
       William A. Yarberry, Jr.

3 SECURITY MANAGEMENT PRACTICES ............................. 175
  Section 3.1 Security Management Concepts and Principles
    13 The Controls Matrix .................................. 179
       Robert M. Slade
    14 Information Security Governance ...................... 183
       Ralph Spencer Poore
    15 Belts and Suspenders: Diversity in Information Technology Security ... 189
       Jeffrey Davis
    16 Building Management Commitment through Security Councils, or Security Council Critical Success Factors ... 197
       Todd Fitzgerald
  Section 3.4 Risk Management
    17 Developing and Conducting a Security Test and Evaluation ... 213
       Sean M. Price
    18 Enterprise Security Management Program ............... 223
       George G. McBride
    19 Technology Convergence and Security: A Simplified Risk Management Model ... 233
       Ken M. Shaurette
  Section 3.5 Employment Policies and Practices
    20 People, Processes, and Technology: A Winning Combination ... 241
       Felicia M. Nicastro
  Section 3.6 Policies, Standards, Procedures, and Guidelines
    21 Building an Effective Privacy Program ................ 251
       Rebecca Herold
    22 Training Employees To Identify Potential Fraud and How To Encourage Them To Come Forward ... 265
       Rebecca Herold
  Section 3.8 Security Management Planning
    23 Beyond Information Security Awareness Training: It Is Time To Change the Culture ... 285
       Stan Stahl
    24 Establishing a Successful Security Awareness Program ... 295
       Charles R. Hudson, Jr.

4 APPLICATIONS AND SYSTEMS DEVELOPMENT SECURITY ............. 305
  Section 4.3 System Development Controls
    25 System Development Security Methodology .............. 309
       Ian Lim and Ioana V. Bazavan
    26 Software Engineering Institute Capability Maturity Model ... 325
       Matt Nelson
  Section 4.4 Malicious Code
    27 Organized Crime and Malware .......................... 339
       Michael Pike
  Section 4.5 Methods of Attack
    28 Enabling Safer Deployment of Internet Mobile Code Technologies ... 351
       Ron Moritz

5 CRYPTOGRAPHY .............................................. 363
  Section 5.2 Crypto Concepts, Methodologies and Practices
    29 Blind Detection of Steganographic Content in Digital Images Using Cellular Automata ... 367
       Sasan Hamidi
    30 An Overview of Quantum Cryptography .................. 373
       Ben Rothke
    31 Elliptic Curve Cryptography: Delivering High-Performance Security for E-Commerce and Communications ... 385
       Paul Lambert

6 SECURITY ARCHITECTURE AND MODELS .......................... 393
  Section 6.1 Principles of Computer and Network Organizations, Architectures, and Designs
    32 Enterprise Assurance: A Framework Explored ........... 397
       Bonnie A. Goins

7 OPERATIONS SECURITY ....................................... 403
  Section 7.1 Operations Controls
    33 Managing Unmanaged Systems ........................... 407
       Bill Stackpole and Man Nguyen
  Section 7.2 Resource Protection Requirements
    34 Understanding Service Level Agreements ............... 423
       Gilbert Held

8 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING ... 429
  Section 8.1 Business Continuity Planning
    35 Building Maintenance Processes for Business Continuity Plans ... 433
       Ken Doughty
    36 Identifying Critical Business Functions .............. 445
       Bonnie A. Goins
    37 Selecting the Right Business Continuity Strategy ..... 451
       Ken Doughty
  Section 8.2 Disaster Recovery Planning
    38 Contingency at a Glance .............................. 457
       Ken M. Shaurette and Thomas J. Schleppenbach
    39 The Business Impact Assessment Process and the Importance of Using Business Process Mapping ... 465
       Carl Jackson
    40 How To Test Business Continuity and Disaster Recovery Plans and How Often ... 483
       James S. Mitts

9 LAW, INVESTIGATION, AND ETHICS ............................ 497
  Section 9.1 Information Law
    41 Sarbanes–Oxley Compliance: A Technology Practitioner’s Guide ... 501
       Bonnie A. Goins
    42 Health Insurance Portability and Accountability Act Security Rule ... 511
       Lynda L. McGhie
    43 The Ethical and Legal Concerns of Spyware ............ 525
       Janice C. Sipior, Burke T. Ward, and Georgina R. Roselli
  Section 9.3 Major Categories of Computer Crime
    44 The Evolution of the Sploit .......................... 537
       Ed Skoudis
    45 Computer Crime ....................................... 551
       Christopher A. Pilewski
    46 Phishing: A New Twist to an Old Game ................. 559
       Stephen D. Fried
    47 It’s All about Power: Information Warfare Tactics by Terrorists, Activists, and Miscreants ... 579
       Gerald L. Kovacich, Andy Jones, and Perry G. Luzwick
  Section 9.4 Incident Handling
    48 DCSA: A Practical Approach to Digital Crime Scene Analysis ... 601
       Marcus K. Rogers
    49 What a Computer Security Professional Needs To Know about E-Discovery and Digital Forensics ... 615
       Larry R. Leibrock
    50 How To Begin a Non-Liturgical Forensic Examination ... 621
       Carol Stucki

10 PHYSICAL SECURITY ........................................ 637
  Section 10.1 Elements of Physical Security
    51 Physical Security for Mission-Critical Facilities and Data Centers ... 641
       Gerald Bowman

INDEX ...................................................... 663

About the Editors

Harold F. Tipton, CISSP, currently an independent consultant and past president of the International Information System Security Certification Consortium, (ISC)2, was Director of Computer Security for Rockwell International Corporation for 15 years.
He initiated the Rockwell computer and data security program in 1977 and then continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994. He has been a member of the Information Systems Security Association (ISSA) since 1982, was president of the Los Angeles Chapter in 1984, and was president of the national organization of ISSA from 1987 to 1989. He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000. He received the Computer Security Institute “Lifetime Achievement Award” in 1994 and the (ISC)2 “Hal Tipton Award” in 2001. He was a member of the National Institute for Standards and Technology (NIST) Computer and Telecommunications Security Council and the National Research Council Secure Systems Study Committee (for the National Academy of Science). He has a bachelor of science degree in engineering from the U.S. Naval Academy, a master’s degree in personnel administration from George Washington University, and a certificate in computer science from the University of California, Irvine. He has published several papers on information security issues in the Information Security Management Handbook, Data Security Management, Information Systems Security, and the National Academy of Sciences report Computers at Risk. He has been a speaker at all of the major information security conferences, including the Computer Security Institute, ISSA Annual Working Conference, Computer Security Workshop, MIS Conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security and Audit Users Conference, and Industrial Security Awareness Conference. He has conducted and participated in information security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, System Exchange Seminars, and the Institute for International Research. He is currently serving as editor of the Information Security Management Handbook.

Micki Krause, CISSP, has held positions in the information security profession for the past 20 years. She is currently the Chief Information Security Officer at Pacific Life Insurance Company in Newport Beach, California, where she is accountable for directing their information protection and security program enterprisewide. Micki has held several leadership roles in industry-influential groups including the Information Systems Security Association (ISSA) and the International Information System Security Certification Consortium, (ISC)2, and is a long-term advocate for professional security education and certification. In 2003, Krause received industry recognition as a recipient of the “Women of Vision” award given by Information Security magazine. In 2002, Krause was honored as the second recipient of the Harold F. Tipton Award in recognition of sustained career excellence and outstanding contributions to the profession. She is a reputed speaker, published author, and co-editor of the Information Security Management Handbook series.

Contributors

Ioana V. Bazavan, CISSP, is the Manager of Information Security Access Services at Safeway, Inc. She manages a team of 18 people who are charged with providing systems access to all of Safeway’s users and applications. She has been heavily involved in the design and implementation of Safeway’s Identity Management strategy and technologies. Previously, Ioana was a manager in Accenture’s global security practice, specializing in holistic security solutions that focus on users and organizations, as well as on systems. She gained extensive experience in security policy, standards, and process design and implementation; compliance solutions based on industry and regulatory standards; security organization design; user training and awareness; incident response; risk assessment; user management systems; infrastructure security; systems development methodology; and security strategy. Ioana has industry experience in financial services, government, high-tech, resources, and retail.

Gerald Bowman is currently the North American Director of ACE and Advanced Technologies for SYSTIMAX® Solutions for the design professional community and advanced technology in the corporate enterprise. Jerry joined the SYSTIMAX team from Superior Systems Technologies, where he was Chief Operating Officer. Prior to that, he was Vice President of Engineering for Riser Management Systems, a telecommunications design, engineering, management, and consulting firm responsible for consulting engineering projects for 78 of the tallest buildings in the United States, including 12 Carrier Hotels, numerous data centers for ISPs, high-end telecom real estate, and other corporate enterprises.

Al Bredenberg is a writer, Web developer, and Internet marketing consultant. He is author of The Small Business Guide to Internet Marketing and editor of The NET Results News Service, both of which are electronic publications available over the Internet. He can be reached at [email protected] or through his World Wide Web site at http://www.copywriter.com.

Samuel W. Chun, CISSP, is Director of Network Services at Digital Support Corporation, a TechTeam Global Company.

Ian Clark is Head of IT Quality Assurance for GE Consumer Finance. While at Nokia, he was the Security Portfolio Manager for Nokia’s business infrastructure, working on global security projects. Prior to Nokia, he worked for EDS and spent 11 years in the British army specializing in secure communications.

Jeffrey Davis, CISSP, has been working in information security for the past ten years. He is currently a senior manager at Lucent Technologies and is involved with intrusion detection, anti-virus, and threat assessment. He holds a bachelor’s degree in electrical engineering and a master’s degree in computer science from Stevens Institute of Technology.

Ken Doughty is the Manager of Disaster Recovery for Colonial, one of Australia’s largest financial institutions in the banking, insurance, and investment services sector. He has over 20 years of information systems auditing experience and 12 years business continuity planning experience in the public and private sectors.

Todd Fitzgerald, CISSP, CISA, CISM, is the Director of Systems Security and Systems Security Officer for United Government Services, LLC. He has over 25 years of broad-based information technology experience and has held senior information technology management positions with Fortune 500 and Global Fortune 250 companies. Todd is a member of the Board of Directors and security taskforce co-chair for the HIPAA Collaborative of Wisconsin (HIPAA COW); a participant in the CMS/Gartner Security Best Practices Group, Blue Cross Blue Shield Association Information Security Advisory Group; a previous board member for several information systems security associations; and a frequent speaker and writer on security issues. Todd focuses largely on issues related to security management, risk assessments, policy development, organizing security, security assessments, regulatory compliance (HIPAA, CAST, NIST, ISO17799), security awareness, and developing security programs. Todd can be reached at todd_fi[email protected].

Stephen D. Fried, CISSP, CISM, is the Vice President for Information Security and Privacy at Metavante Corporation. He is a seasoned information security professional with over 20 years’ experience in information technology. For the past ten years he has concentrated his efforts on providing effective information security management to large organizations. Stephen has led the creation of security programs for two Fortune 500 companies and has extensive experience in such diverse security issues as risk assessment and management, security policy development, security architecture, infrastructure and perimeter security design, outsource relationship security, offshore development, intellectual property protection, security technology development, business continuity, secure E-business design, and information technology auditing. A frequent speaker at conferences in the United States and internationally, Stephen is active in many security industry organizations.

Robby Fussell is at the School of Computer and Information Sciences at Nova Southeastern University in Fort Lauderdale, Florida.

Bonnie A. Goins, BS7799 Certified Lead Auditor, CISSP, CISM, GIAC, ISS, NSA IAM, is a Principal Consultant with HotSkills, Inc. As a Senior Security Strategist at Isthmus Group, Inc., she was the co-practice leader for IGI’s Security Practice. She has over 15 years of experience in the areas of information security; secure network design and implementation; risk, business impact, and security assessment methods; project management; executive strategy and management consulting; and information technology. She also has extensive working experience in regulated industries. She has functioned as a National Security Practice competency leader for multiple companies and has also established premier partnerships with Novell and Microsoft, across the business continuity/disaster recovery and security disciplines. She is a coauthor of the Digital Crime Prevention Lab and a contributing reviewer for SANS’ HIPAA Step-by-Step.

Sasan Hamidi, Ph.D., is Chief Security Officer at Interval International, Inc.

Gilbert Held is an award-winning author and lecturer. Gil is the author of over 50 books and 500 technical articles. Some of Gil’s recent publications include Building the Wireless Office and The ABCs of TCP/IP, both published by Auerbach Publications. Gil can be contacted via e-mail at [email protected].
