Table Of ContentColor profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner’s Guide / Maiwald / 222957-8 / Front Matter
Composite Default screen Blind FolioFM:i
Network Security
A Beginner’s Guide
Second Edition
Eric Maiwald
McGraw-Hill/Osborne
New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto
P:\010Comp\Begin8\957-8\fm.vp
Monday, May 12, 2003 12:30:49 PM
Color profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner’s Guide / Maiwald / 222957-8 / Front Matter
Composite Default screen Blind FolioFM:ii
McGraw-Hill/Osborne
2100 Powell Street, 10thFloor
Emeryville, California 94608
U.S.A.
To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please
contactMcGraw-Hill/Osborne at the above address. For information on translations or
book distributors outside the U.S.A., please see the International Contact Information page
immediately following the index of this book.
Network Security: A Beginner’s Guide, Second Edition
Copyright © 2003 by The McGraw-Hill Companies. All rights reserved. Printed in the
United States of America. Except as permitted under the Copyright Act of 1976, no part of
this publication may be reproduced or distributed in any form or by any means, or stored in
a database or retrieval system, without the prior written permission of publisher, with the
exception that the program listings may be entered, stored, and executed in a computer
system, but they may not be reproduced for publication.
1234567890 FGR FGR 019876543
ISBN 0-07-222957-8
Publisher Brandon A. Nordin
Vice President & Associate Publisher Scott Rogers
Editorial Director Tracy Dunkelberger
Executive Editor Jane Brownlow
Project Editor Jody McKenzie
Acquisitions Coordinator Athena Honore
Contributing Author Philip Cox
Technical Editors John Bock, Mariana Hentea
Copy Editor Lunaea Weatherstone
Proofreader Claire Splan
Indexer Irv Hershman
Computer Designers Carie Abrew, Tara A. Davis
Illustrators Melinda Moore Lytle, Jackie Sieben, Lyssa Wald
Series Design Jean Butterfield
Cover Series Design Sarah F. Hinks
This book was composed with Corel VENTURA™ Publisher.
Information has been obtained byMcGraw-Hill/Osborne from sources believed to be reliable. However, because of the possibility
of human or mechanical error by our sources,McGraw-Hill/Osborne, or others,McGraw-Hill/Osborne does not guarantee the
accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained
from the use of such information.
P:\010Comp\Begin8\957-8\fm.vp
Monday, May 12, 2003 12:30:50 PM
Color profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner’s Guide / Maiwald / 222957-8 / Front Matter
Composite Default screen Blind FolioFM:iii
This book is dedicated to my wife, Kay, and my two sons,
Steffan and Joel. The three of them support me during my work
and have put up with the long hours I spent working on this book.
P:\010Comp\Begin8\957-8\fm.vp
Monday, May 12, 2003 12:30:50 PM
Color profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner’s Guide / Maiwald / 222957-8 / Front Matter
Composite Default screen Blind FolioFM:iv
About the Author
EricMaiwald,CISSP,istheDirectorofProductManagementandSupportforBluefireSecurity
Technologies.Erichasmorethan15yearsofexperienceininformationsecuritythatincludes
workinboththegovernmentandcommercialsectors.Hehasperformedassessments,developed
policies,andimplementedsecuritysolutionsforlargefinancialinstitutions,healthcarefirms,and
manufacturers.EricholdsaBachelorofSciencedegreeinelectricalengineeringfromRensselaer
PolytechnicInstituteandaMasterofEngineeringdegreeinelectricalengineeringfromStevens
InstituteofTechnology,andheisaCertifiedInformationSystemsSecurityProfessional.Ericis
aregularpresenteratanumberofwell-knownsecurityconferences.HehasalsowrittenSecurity
PlanningandDisasterRecovery(withWilliamSieglein),publishedbyMcGraw-Hill/Osborne,
andisacontributing author forHacking Linux ExposedandHacker’s Challenge
(McGraw-Hill/Osborne). He can be reached at emaiwald@fred.net.
About the Contributing Author
Philip Coxis a consultant with SystemExperts Corporation. He is an industry-recognized
consultant, author, and lecturer, with an extensive track record of hands-on accomplishment.
PhilistheprimaryauthoroftheauthoritativeWindows2000SecurityHandbook(McGraw-Hill/
Osborne). Phil holds a Bachelor of Science degree in Computer Science from the College of
Charleston and is a Microsoft Certified Systems Engineer.
About the Technical Editors
JohnBock,CISSP,isaR&DengineeratFoundstone,wherehespecializesinnetworkassessment
technologies and wireless security. He is responsible for designing new assessment features
in the Foundstone Enterprise Risk Solutions product line. John has a strong background in
network security both as a consultant and lead for an enterprise security team. Before joining
Foundstoneheperformedpenetrationtestingandsecurityassessments,andspokeaboutwireless
security as a consultant for Internet Security Systems (ISS).
Mariana Henteais Assistant Professor at Purdue University at Calumet, Indiana. She is a
member of IEEE and SWE. She has an M.S. and Ph.D. in Computer Science from the Illinois
Institute of Technology at Chicago, and a B.S. in Electrical Engineering and M.S. in Computer
Engineering from Polytechnic Institute of Timisoara, Romania. She has published papers in a
broad spectrum of computer software and engineering applications for telecommunications,
steel, and chemical industries. In 1995, Mariana supported the design and implementation of
the computer and network security for the Department of Defense (DoD).
P:\010Comp\Begin8\957-8\fm.vp
Monday, May 12, 2003 12:30:50 PM
Color profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner’s Guide / Maiwald / 222957-8 / Front Matter
Composite Default screen Blind FolioFM:v
Contents
Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
PART I
Information Security Basics
1 What Is Information Security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Critical Skill 1.1Define Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Brief History of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Critical Skill 1.2Define Security as a Process, Not Point Products . . . . . . . . . . . . . . . 11
Anti-virus Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Vulnerability Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Physical Security Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Project 1Examine Computer Security Certifications . . . . . . . . . . . . . . . . . . . . . . . . 15
Module 1 Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
v
P:\010Comp\Begin8\957-8\fm.vp
Monday, May 12, 2003 12:30:50 PM
Color profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner’s Guide / Maiwald / 222957-8 / Front Matter
Composite Default screen Blind FolioFM:vi
vi Network Security: A Beginner’s Guide
2 Types of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Critical Skill 2.1Define Access Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Eavesdropping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Interception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
How Access Attacks Are Accomplished . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Critical Skill 2.2Define Modification Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Insertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Deletion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
How Modification Attacks Are Accomplished . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Critical Skill 2.3Define Denial-of-Service Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Denial of Access to Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Denial of Access to Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Denial of Access to Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Denial of Access to Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
How Denial-of-Service Attacks Are Accomplished . . . . . . . . . . . . . . . . . . . . . . . 29
Critical Skill 2.4Define Repudiation Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Masquerading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Denying an Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
How Repudiation Attacks Are Accomplished . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Project 2Look at Your Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Module 2 Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3 Hacker Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Critical Skill 3.1Identify a Hacker’s Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Challenge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Greed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Malicious Intent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Critical Skill 3.2Learn Historical Hacking Techniques . . . . . . . . . . . . . . . . . . . . . . . . 38
Open Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Bad Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Programming Flaw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Critical Skill 3.3Learn Advanced Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Sniffing Switch Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
IP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Critical Skill 3.4Identify Malicious Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
P:\010Comp\Begin8\957-8\fm.vp
Monday, May 12, 2003 12:30:50 PM
Color profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner’s Guide / Maiwald / 222957-8 / Front Matter
Composite Default screen Blind FolioFM:vii
Contents vii
Critical Skill 3.5Identify Methods of the Untargeted Hacker . . . . . . . . . . . . . . . . . . . 60
Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Attack Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Use of Compromised Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Critical Skill 3.6Identify Methods of the Targeted Hacker . . . . . . . . . . . . . . . . . . . . . 69
Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Attack Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Use of Compromised Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Project 3Conduct Reconnaissance of Your Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Module 3 Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4 Information Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Critical Skill 4.1Define Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Confidentiality of Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Confidentiality of Information in Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Traffic Flow Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Attacks that Can Be Prevented . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Critical Skill 4.2Define Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Integrity of Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Integrity of Information During Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Attacks that Can Be Prevented . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Critical Skill 4.3Define Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Fail-Over . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Attacks that Can Be Prevented . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Critical Skill 4.4Define Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Identification and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Attacks that Can Be Prevented . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Project 4Protect Your Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Module 4 Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
PART II
Groundwork
5 Legal Issues in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Critical Skill 5.1Understand U.S. Criminal Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Computer Fraud and Abuse (18 US Code 1030) . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Credit Card Fraud (18 US Code 1029) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Copyrights (18 US Code 2319) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
P:\010Comp\Begin8\957-8\fm.vp
Monday, May 12, 2003 12:30:50 PM
Color profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner’s Guide / Maiwald / 222957-8 / Front Matter
Composite Default screen Blind FolioFM:viii
viii Network Security: A Beginner’s Guide
Interception (18 US Code 2511) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Access to Electronic Information (18 US Code 2701) . . . . . . . . . . . . . . . . . . . . . 96
Other Criminal Statutes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Patriot Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Homeland Security Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Critical Skill 5.2Understand State Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Critical Skill 5.3Understand Laws of Other Countries . . . . . . . . . . . . . . . . . . . . . . . . 100
Australia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Brazil . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
India . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
The People’s Republic of China . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
United Kingdom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Critical Skill 5.4Understand Issues with Prosecution . . . . . . . . . . . . . . . . . . . . . . . . . 102
Evidence Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Contacting Law Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Critical Skill 5.5Understand Civil Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Employee Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Downstream Liability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Critical Skill 5.6Understand Privacy Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Customer Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Health Insurance Portability and Accountability Act . . . . . . . . . . . . . . . . . . . . . . 107
Addressable vs. Required Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Requirements of the Security Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
The Graham-Leach-Bliley Financial Services Modernization Act . . . . . . . . . . . . 110
Project 5Prosecute the Offender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Module 5 Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
6 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Critical Skill 6.1Understand Why Policy Is Important . . . . . . . . . . . . . . . . . . . . . . . . 116
Defining What Security Should Be . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Putting Everyone on the Same Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Critical Skill 6.2Define Various Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Information Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Computer Use Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Internet Use Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
E-mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
User Management Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
System Administration Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Backup Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Incident Response Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configuration Management Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Design Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Disaster Recovery Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
P:\010Comp\Begin8\957-8\fm.vp
Monday, May 12, 2003 12:30:50 PM
Color profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner’s Guide / Maiwald / 222957-8 / Front Matter
Composite Default screen Blind FolioFM:ix
Contents ix
Critical Skill 6.3Create Appropriate Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Defining What Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Defining Acceptable Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Identifying Stakeholders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Defining Appropriate Outlines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Policy Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Critical Skill 6.4Deploy Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Gaining Buy-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Critical Skill 6.5Use Policy Effectively . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
New Systems and Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Existing Systems and Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Policy Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Project 6Develop an Internet Use Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Module 6 Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
7 Managing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Critical Skill 7.1Define Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Threat + Vulnerability = Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Critical Skill 7.2Identify the Risk to an Organization . . . . . . . . . . . . . . . . . . . . . . . . . 150
Identifying Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Identifying Real Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Examining Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Identifying Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Critical Skill 7.3Measure Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Money . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Lost Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Methodology for Measuring Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Project 7Identifying Electronic Risks to Your Organization . . . . . . . . . . . . . . . . . . 158
Module 7 Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
8 Information Security Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Critical Skill 8.1Conduct an Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
P:\010Comp\Begin8\957-8\fm.vp
Monday, May 12, 2003 12:30:50 PM
