THE INFORMATION SYSTEMS SECURITY OFFICER’S GUIDE
Establishing and Managing a Cyber Security Program
THIRD EDITION
DR. GERALD L. KOVACICH

Amsterdam • Boston • Heidelberg • London • New York • Oxford • Paris • San Diego • San Francisco • Singapore • Sydney • Tokyo

Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2016, 2003, 1998 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

ISBN: 978-0-12-802190-3

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

For information on all Butterworth-Heinemann publications visit our website at http://store.elsevier.com/

DEDICATION

To all the cyber security officers and information warriors fighting the good fight against all odds.

ABOUT THE AUTHOR

Dr. Gerald L. Kovacich graduated from the University of Maryland with a bachelor’s degree in history and politics with emphasis in Asia, the University of Northern Colorado with a master’s degree in social science with emphasis in public administration, Golden Gate University with a master’s degree in telecommunications management, the DOD Language Institute (Chinese Mandarin), and August Vollmer University with a doctorate degree in criminology. He was also a Certified Fraud Examiner, Certified Protection Professional, and a Certified Information Systems Security Professional.1

Dr. Gerald L. Kovacich has more than 40 years of experience in industrial security, investigations, information systems security, and information warfare as a special agent in the U.S. government; a technologist and manager for numerous technology-based international corporations; and an information systems security officer, security, audit, and investigations manager, and consultant to U.S. and foreign government agencies and corporations.

He has also developed and managed several internationally based information systems security programs for Fortune 500 corporations and managed several information systems security organizations, including providing service and support for their information warfare products and services.

Dr. Gerald L. Kovacich has taught both graduate and undergraduate courses in criminal justice, technology crimes investigations, and security for Los Angeles City College, DeAnza College, Golden Gate University, and August Vollmer University. He has also lectured internationally and presented workshops on these topics for national and international conferences, as well as writing numerous published articles on high-tech crime investigations, information systems security, and information warfare, both nationally and internationally. He has written more than 100 security-related articles that have been published in various international magazines.

1 Now retired from all three.

Dr. Gerald L. Kovacich currently spends his time on Whidbey Island, Washington. He continues to conduct research, write, consult, and lecture internationally on such topics as:
• Global and nation-state information systems security;
• Corporate information systems security;
• Corporate and government fraud;
• Corporate security;
• High-tech crime investigations;
• Information assurance;
• Proprietary information protection;
• Espionage–including “Netspionage,” economic, and industrial; and
• Information warfare–offensive and defensive.

He is also the founder of ShockwaveWriters, an informal association of trusted cyber security and global information warfare professionals, writers, researchers, and lecturers who concentrate on these topics. He can also be found on LinkedIn.

Dr. Gerald L. Kovacich has begun to expand his writings into the world of poetry and fiction. I guess this is what happens when one “matures” in age and longs for writing genres other than that of the security realm. All his writings can be found on the usual Web sites, for example, amazon.com.

OTHER BOOKS AUTHORED OR COAUTHORED BY DR. GERALD L. KOVACICH

1. Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program (Elsevier; 1998; ISBN: 0-7506-9896-9), Kovacich
2. Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program (second edition; Elsevier; 2003; ISBN: 0-7506-7656-6), Kovacich
3. High-Technology Crime Investigator’s Handbook: Working in the Global Information Environment (Elsevier; 2000; ISBN: 13: 978-0-7506-7086-9; 10: 0-7506-7086-X), Kovacich/Boni
4. High-Technology Crime Investigator’s Handbook: Establishing and Managing a High-Technology Crime Prevention Program (Elsevier; 2006; ISBN: 13: 978-0-7506-7929-9; 10: 0-7506-7929-8), Kovacich/Jones
5. The Manager’s Handbook for Corporate Security: Establishing and Managing a Successful Assets Protection Program (Elsevier; 2003; ISBN: 0-7506-7487-3), Kovacich/Halibozek
6. The Manager’s Handbook for Corporate Security: Establishing and Managing a Successful Assets Protection Program (Instructor’s Manual) (Elsevier; 2005; ISBN: 13: 978-0-750-67038-1; 10: 0-750-67938-7), Kovacich/Halibozek
7. I-Way Robbery: Crime on the Internet (Elsevier; 1999; ISBN: 0-7506-7029-0), Kovacich/Boni
8. Netspionage: The Global Threat to Information (Elsevier; 2000; ISBN: 0-7506-7257-9), Kovacich/Boni
9. Information Assurance: Surviving in the Information Environment (Springer-Verlag; 2001; ISBN: 1-85233-326-X), Kovacich/Blyth
10. Information Assurance: Security in the Information Environment (second edition; Springer-Verlag; 2006; ISBN: 10: 1-84628-266-7; 13: 978-1-84628-266-9), Kovacich/Blyth
11. Global Information Warfare: How Businesses, Governments and Others Achieve Global Objectives and Attain a Competitive Advantage (Auerbach/CRC Press; 2002; ISBN: 0-8493-1114-4), Kovacich/Jones/Luzwick
12. Global Information Warfare: How Businesses, Governments and Others Achieve Global Objectives and Attain a Competitive Advantage (second edition; Auerbach/CRC Press; 2015; 9781498703253), Kovacich/Jones
13. The Corporate Security Professional’s Handbook on Terrorism (Elsevier; 2008; ISBN: 978-0-7506-8257-2), Kovacich/Halibozek
14. Mergers and Acquisitions Security: Corporate Restructuring and Security Management (Elsevier; 2005; ISBN: 0-7506-7805-4), Kovacich/Halibozek
15. Fighting Fraud: How to Establish and Manage an Anti-Fraud Program (Elsevier; 2008; ISBN: 978-0-12-370868-7), Kovacich
16. Poems of Life: Thoughts of Human Experiences (AuthorHouse; 2012; ISBN: 978-1-4772-9634-9; 978-1-4772-9633-2; 978-1-4772-9632-5), Kovacich
17. I-Way Robbery: Crime on the Internet (2000; Japanese Translation; http://www.horei.com; ISBN: 4-89346-698-4), Kovacich/Boni
18. High-Technology Crime Investigation (2009; Chinese Translation; http://www.sciencep.com), Kovacich/Jones
19. Fighting Fraud (2010; Russian Translation; Ernst & Young; ISBN: 978-5-903271-31-30), Kovacich
20. The Corporate Security Professional’s Handbook on Terrorism: Protect Your Employees and Other Assets against Acts of Terrorism (Elsevier; 2007; ISBN 978-0-7506-8257-2), Jones A, Kovacich G, Halibozek E.
PREFACE

The purpose of this book is to provide information systems security officers—today often called cyber security officers, professors, students, other security professionals, information warfare specialists, related managers, auditors, and general management an awareness and basic approach to establishing and managing what had been known as an information systems protection program, but is now commonly called a “cyber security” program, for a government agency or international or national corporation. It can also be used by any group wanting to protect its networks and information. It reportedly has been, and can always be, used as a textbook by university professors to teach a basic course on this and related topics, as well as recommended reading for related courses.

It provides, I hope, an easy-to-read, understandable implementation plan for establishing a basis—a foundation—for a cyber security program, especially for those who have little or no knowledge on the topic or how to proceed. It also provides information that can be used by intermediate and advanced professionals, students, and other types of professionals in this and related topics of business security and information warfare, for example, defensive measures.

There are many books on the market related to computer security, information systems protection, cyber security, and the like; however, this is one of the first and best approaching the topic in the manner that it does and is now considered a “classic” since first published in 1998. If not, there wouldn’t have been a second and now a third edition. This book has been updated where deemed appropriate and new chapters have been added, with little or no major change in format, as why mess with a well-selling, popular “classic”?

Just so there is no misunderstanding, this is a basic book on building a cyber security program and a primer on being a cyber security officer. There is much in this edition that is as true today as it was in the first edition back in 1998. Therefore, the basics of it all are still the same, with new stuff added to keep this “classic” up to date. This third edition, as with the past two editions, will provide the reader with the information to help meet the twenty-first century cyber security and related management challenges.

Key words, as a minimum, that the reader should know are:
1. Security
2. Cyber security
3. Cyber security officer
4. Computer security
5. Information systems security
6. Information warfare
7. Auditing
8. Managing assets protection
9. Managing information systems organization
10. Managing computer security organization
11. Assets security
12. Audit trails
13. Information protection
14. Privacy
15. Malware
16. Hacker
17. Phishing

As with any book, sometimes the readers are critical. That’s fine. Variety is the spice of life, as they say, and everyone is entitled to their own opinion. If one can sit down and discuss cyber security and cyber security officers’ responsibilities with the critics it would be great to share information. After all, they may have important points that could be considered when updating the book. However, that is usually not possible. So, with all that said, let me state for the record what this book is not:

• It is not a book that is the “end all and be all” of a cyber security officer’s functions, duties, and responsibilities. The rapid changes in cyber environments, high technology, etc., make such a book impossible to remain current.

Note: In this environment, beware of anyone considering themselves “experts.” I, for one, confess I have never considered myself one (although working in the field since 1980) and correct anyone who introduces me as such. Nor will I ever consider myself to be one. Too much to know and all rapidly changing.

• It is not a technical book and does not purport to be—it will not tell you how to install a firewall, for example. The rationale is that there are many good books on the market that cover specific aspects of cyber security, narrowly focused and technical. It is expected that the cyber security officer will read and understand these books as needed based on specific cyber security needs.

In short, this book’s goal is to provide a basic overview of the cyber security officer’s world, duties, responsibilities, and challenges in the twenty-first century. It is a primer. It is also about the cyber security officer who must establish and manage a cyber security program for an international corporation, although all of the material is applicable to various work environments, such as government agencies or charitable organizations.

This is the third edition of this book and has been updated where appropriate, and where the baseline still fits the current environment, it has only been “tweaked,” as what has been provided from the beginning is still valid today. This is primarily relevant to Section II, which is the heart of the book, and the establishment and management of a cyber security (formerly known as InfoSec) program. What was written in the first and second edition is still valid in this third edition. Therefore, it has been modified, but the basics of what is covered have not changed. What has changed is the environment of the world of the cyber security officer. Therefore, that was the focus of the changes in this third edition.

It was written because over the years many associates and I had to establish and manage such organizations and found no primer to guide us. So, over the many years that I have been involved in various aspects of security, eventually focusing on cyber security—and its related functions since about 1980—I think I have developed a basic approach that has been successful. Others who have read this book, who have listened to my lectures based on what became this book, and whom I have mentored over the years have agreed with me. It also successfully worked for me when I had to establish a basic program for a corporation or government agency, from aerospace to Wall Street to the Pentagon, as well as being a consultant.

So, if you are a cyber security “techie,” “engineer,” or the like and looking for the Holy Grail of information assets protection or cyber security, that is not what this book is about. However, if you want a cyber security officer career, want to know what the cyber security officer’s profession is all about—especially from a management perspective—and want to be able to build a foundation for a successful cyber security program and organization, then yes, this book is for you.

This book was also written for non-cyber security professionals in management positions who are responsible overall for a government agency or business and therefore its assets protection–cyber security program. These professionals should also know what the cyber security profession is all about and the basics of information-related computers and networks processing, transmitting, and storing information, data, knowledge, or whatever term suits them. Why? Because they manage a business, and today a successful business must include a cyber security program if it is to avoid disasters, since technology, for example, networked computers, is an integral part of a business these days.

This book can also be used as a textbook or “recommended reading” for university courses related to general security, assets protection, cyber security, information systems security, or information warfare (although my coauthored book on Global Information Warfare, first and second editions, may better serve the reader’s purpose).

I hope you enjoy it. After reading it, please drop me an e-mail through my publisher and let me know:
• Any questions you may have;
• What you liked about it;
• More importantly, what you didn’t like;
• Why you liked or disliked it;
• What ideas presented were most important to you;
• Your implementation of some of the ideas presented, and your result; and
• What I should include or cover differently in a fourth edition.

After all, I want you to be able to use this book in the real world of global information sharing, cyber warfare, and cyber security battles. All feedback is welcome.

Thanks!
Jerry
Dr. Gerald L. Kovacich, ShockwaveWriter
Whidbey Island, Washington, USA