
Network security: a beginner's guide PDF

497 Pages·2003·6.5 MB·English
by Eric Maiwald

Preview Network security: a beginner's guide

Color profile: Generic CMYK printer profile Begin8/ Network Security: A Beginner's Guide / Maiwald / 222957-8 / Front Matter Composite Default screen Blind Folio FM:i

Network Security: A Beginner's Guide, Second Edition
Eric Maiwald
McGraw-Hill/Osborne
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

P:\010Comp\Begin8\957-8\fm.vp Monday, May 12, 2003 12:30:49 PM

McGraw-Hill/Osborne
2100 Powell Street, 10th Floor
Emeryville, California 94608
U.S.A.

To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact McGraw-Hill/Osborne at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.

Network Security: A Beginner's Guide, Second Edition
Copyright © 2003 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1234567890 FGR FGR 019876543
ISBN 0-07-222957-8

Publisher: Brandon A. Nordin
Vice President & Associate Publisher: Scott Rogers
Editorial Director: Tracy Dunkelberger
Executive Editor: Jane Brownlow
Project Editor: Jody McKenzie
Acquisitions Coordinator: Athena Honore
Contributing Author: Philip Cox
Technical Editors: John Bock, Mariana Hentea
Copy Editor: Lunaea Weatherstone
Proofreader: Claire Splan
Indexer: Irv Hershman
Computer Designers: Carie Abrew, Tara A. Davis
Illustrators: Melinda Moore Lytle, Jackie Sieben, Lyssa Wald
Series Design: Jean Butterfield
Cover Series Design: Sarah F. Hinks

This book was composed with Corel VENTURA™ Publisher.

Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill/Osborne, or others, McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

This book is dedicated to my wife, Kay, and my two sons, Steffan and Joel. The three of them support me during my work and have put up with the long hours I spent working on this book.

About the Author

Eric Maiwald, CISSP, is the Director of Product Management and Support for Bluefire Security Technologies. Eric has more than 15 years of experience in information security that includes work in both the government and commercial sectors. He has performed assessments, developed policies, and implemented security solutions for large financial institutions, healthcare firms, and manufacturers. Eric holds a Bachelor of Science degree in electrical engineering from Rensselaer Polytechnic Institute and a Master of Engineering degree in electrical engineering from Stevens Institute of Technology, and he is a Certified Information Systems Security Professional. Eric is a regular presenter at a number of well-known security conferences. He has also written Security Planning and Disaster Recovery (with William Sieglein), published by McGraw-Hill/Osborne, and is a contributing author for Hacking Linux Exposed and Hacker's Challenge (McGraw-Hill/Osborne). He can be reached at [email protected].

About the Contributing Author

Philip Cox is a consultant with SystemExperts Corporation. He is an industry-recognized consultant, author, and lecturer, with an extensive track record of hands-on accomplishment. Phil is the primary author of the authoritative Windows 2000 Security Handbook (McGraw-Hill/Osborne). Phil holds a Bachelor of Science degree in Computer Science from the College of Charleston and is a Microsoft Certified Systems Engineer.

About the Technical Editors

John Bock, CISSP, is an R&D engineer at Foundstone, where he specializes in network assessment technologies and wireless security. He is responsible for designing new assessment features in the Foundstone Enterprise Risk Solutions product line. John has a strong background in network security both as a consultant and lead for an enterprise security team. Before joining Foundstone he performed penetration testing and security assessments, and spoke about wireless security as a consultant for Internet Security Systems (ISS).

Mariana Hentea is Assistant Professor at Purdue University at Calumet, Indiana. She is a member of IEEE and SWE. She has an M.S. and Ph.D. in Computer Science from the Illinois Institute of Technology at Chicago, and a B.S. in Electrical Engineering and M.S. in Computer Engineering from Polytechnic Institute of Timisoara, Romania. She has published papers in a broad spectrum of computer software and engineering applications for telecommunications, steel, and chemical industries. In 1995, Mariana supported the design and implementation of the computer and network security for the Department of Defense (DoD).

Contents

Acknowledgments ... xvii
Introduction ... xvii

PART I  Information Security Basics

1  What Is Information Security? ... 3
    Critical Skill 1.1  Define Information Security ... 4
        Brief History of Security ... 5
    Critical Skill 1.2  Define Security as a Process, Not Point Products ... 11
        Anti-virus Software ... 12
        Access Controls ... 12
        Firewalls ... 12
        Smart Cards ... 13
        Biometrics ... 13
        Intrusion Detection ... 14
        Policy Management ... 14
        Vulnerability Scanning ... 15
        Encryption ... 15
        Physical Security Mechanisms ... 15
    Project 1  Examine Computer Security Certifications ... 15
    Module 1 Mastery Check ... 16

2  Types of Attacks ... 19
    Critical Skill 2.1  Define Access Attacks ... 20
        Snooping ... 20
        Eavesdropping ... 21
        Interception ... 22
        How Access Attacks Are Accomplished ... 22
    Critical Skill 2.2  Define Modification Attacks ... 26
        Changes ... 26
        Insertion ... 26
        Deletion ... 26
        How Modification Attacks Are Accomplished ... 27
    Critical Skill 2.3  Define Denial-of-Service Attacks ... 28
        Denial of Access to Information ... 28
        Denial of Access to Applications ... 28
        Denial of Access to Systems ... 28
        Denial of Access to Communications ... 28
        How Denial-of-Service Attacks Are Accomplished ... 29
    Critical Skill 2.4  Define Repudiation Attacks ... 30
        Masquerading ... 30
        Denying an Event ... 31
        How Repudiation Attacks Are Accomplished ... 31
    Project 2  Look at Your Vulnerabilities ... 32
    Module 2 Mastery Check ... 33

3  Hacker Techniques ... 35
    Critical Skill 3.1  Identify a Hacker's Motivation ... 36
        Challenge ... 36
        Greed ... 37
        Malicious Intent ... 38
    Critical Skill 3.2  Learn Historical Hacking Techniques ... 38
        Open Sharing ... 39
        Bad Passwords ... 40
        Programming Flaw ... 42
        Social Engineering ... 42
        Buffer Overflows ... 44
        Denial of Service ... 46
    Critical Skill 3.3  Learn Advanced Techniques ... 51
        Sniffing Switch Networks ... 51
        IP Spoofing ... 54
    Critical Skill 3.4  Identify Malicious Code ... 57
        Viruses ... 57
        Trojan Horses ... 58
        Worms ... 58
    Critical Skill 3.5  Identify Methods of the Untargeted Hacker ... 60
        Targets ... 60
        Reconnaissance ... 61
        Attack Methods ... 63
        Use of Compromised Systems ... 64
    Critical Skill 3.6  Identify Methods of the Targeted Hacker ... 69
        Targets ... 69
        Reconnaissance ... 69
        Attack Methods ... 73
        Use of Compromised Systems ... 74
    Project 3  Conduct Reconnaissance of Your Site ... 74
    Module 3 Mastery Check ... 75

4  Information Security Services ... 77
    Critical Skill 4.1  Define Confidentiality ... 78
        Confidentiality of Files ... 78
        Confidentiality of Information in Transmission ... 79
        Traffic Flow Confidentiality ... 80
        Attacks that Can Be Prevented ... 81
    Critical Skill 4.2  Define Integrity ... 82
        Integrity of Files ... 82
        Integrity of Information During Transmission ... 83
        Attacks that Can Be Prevented ... 83
    Critical Skill 4.3  Define Availability ... 84
        Backups ... 84
        Fail-Over ... 85
        Disaster Recovery ... 85
        Attacks that Can Be Prevented ... 85
    Critical Skill 4.4  Define Accountability ... 85
        Identification and Authentication ... 86
        Audit ... 87
        Attacks that Can Be Prevented ... 87
    Project 4  Protect Your Information ... 88
    Module 4 Mastery Check ... 89

PART II  Groundwork

5  Legal Issues in Information Security ... 93
    Critical Skill 5.1  Understand U.S. Criminal Law ... 94
        Computer Fraud and Abuse (18 US Code 1030) ... 94
        Credit Card Fraud (18 US Code 1029) ... 95
        Copyrights (18 US Code 2319) ... 95
        Interception (18 US Code 2511) ... 96
        Access to Electronic Information (18 US Code 2701) ... 96
        Other Criminal Statutes ... 97
        Patriot Act ... 97
        Homeland Security Act ... 99
    Critical Skill 5.2  Understand State Laws ... 99
    Critical Skill 5.3  Understand Laws of Other Countries ... 100
        Australia ... 100
        Brazil ... 101
        India ... 101
        The People's Republic of China ... 101
        United Kingdom ... 101
    Critical Skill 5.4  Understand Issues with Prosecution ... 102
        Evidence Collection ... 102
        Contacting Law Enforcement ... 103
    Critical Skill 5.5  Understand Civil Issues ... 104
        Employee Issues ... 104
        Downstream Liability ... 105
    Critical Skill 5.6  Understand Privacy Issues ... 106
        Customer Information ... 106
        Health Insurance Portability and Accountability Act ... 107
        Addressable vs. Required Components ... 107
        Requirements of the Security Rule ... 108
        The Graham-Leach-Bliley Financial Services Modernization Act ... 110
    Project 5  Prosecute the Offender ... 112
    Module 5 Mastery Check ... 113

6  Policy ... 115
    Critical Skill 6.1  Understand Why Policy Is Important ... 116
        Defining What Security Should Be ... 116
        Putting Everyone on the Same Page ... 116
    Critical Skill 6.2  Define Various Policies ... 117
        Information Policy ... 117
        Security Policy ... 119
        Computer Use Policy ... 123
        Internet Use Policy ... 124
        E-mail Policy ... 125
        User Management Procedures ... 126
        System Administration Procedure ... 127
        Backup Policy ... 128
        Incident Response Procedure ... 129
        Configuration Management Procedure ... 132
        Design Methodology ... 133
        Disaster Recovery Plans ... 134
    Critical Skill 6.3  Create Appropriate Policy ... 136
        Defining What Is Important ... 136
        Defining Acceptable Behavior ... 137
        Identifying Stakeholders ... 137
        Defining Appropriate Outlines ... 137
        Policy Development ... 137
    Critical Skill 6.4  Deploy Policy ... 138
        Gaining Buy-In ... 138
        Education ... 138
        Implementation ... 139
    Critical Skill 6.5  Use Policy Effectively ... 139
        New Systems and Projects ... 139
        Existing Systems and Projects ... 139
        Audits ... 139
        Policy Reviews ... 140
    Project 6  Develop an Internet Use Policy ... 140
    Module 6 Mastery Check ... 141

7  Managing Risk ... 143
    Critical Skill 7.1  Define Risk ... 144
        Vulnerability ... 144
        Threat ... 145
        Threat + Vulnerability = Risk ... 149
    Critical Skill 7.2  Identify the Risk to an Organization ... 150
        Identifying Vulnerabilities ... 151
        Identifying Real Threats ... 152
        Examining Countermeasures ... 152
        Identifying Risk ... 153
    Critical Skill 7.3  Measure Risk ... 154
        Money ... 154
        Time ... 156
        Resources ... 156
        Reputation ... 156
        Lost Business ... 157
        Methodology for Measuring Risk ... 157
    Project 7  Identifying Electronic Risks to Your Organization ... 158
    Module 7 Mastery Check ... 159

8  Information Security Process ... 161
    Critical Skill 8.1  Conduct an Assessment ... 163
        Network ... 165
        Physical Security ... 167
