Foundations of Information Security: A Straightforward Introduction

Brief Contents
Content in Detail
Acknowledgments
Introduction
Who Should Read This Book?
About This Book
Chapter 1: What Is Information Security?
Defining Information Security
When Are You Secure?
Models for Discussing Security Issues
The Confidentiality, Integrity, and Availability Triad
The Parkerian Hexad
Attacks
Types of Attacks
Threats, Vulnerabilities, and Risk
Risk Management
Incident Response
Defense in Depth
Summary
Exercises
Chapter 2: Identification and Authentication
Identification
Who We Claim to Be
Identity Verification
Falsifying Identification
Authentication
Factors
Multifactor Authentication
Mutual Authentication
Common Identification and Authentication Methods
Passwords
Biometrics
Hardware Tokens
Summary
Exercises
Chapter 3: Authorization and Access Controls
What Are Access Controls?
Implementing Access Controls
Access Control Lists
Capabilities
Access Control Models
Discretionary Access Control
Mandatory Access Control
Rule-Based Access Control
Role-Based Access Control
Attribute-Based Access Control
Multilevel Access Control
Physical Access Controls
Summary
Exercises
Chapter 4: Auditing and Accountability
Accountability
Security Benefits of Accountability
Nonrepudiation
Deterrence
Intrusion Detection and Prevention
Admissibility of Records
Auditing
What Do You Audit?
Logging
Monitoring
Auditing with Assessments
Summary
Exercises
Chapter 5: Cryptography
The History of Cryptography
The Caesar Cipher
Cryptographic Machines
Kerckhoffs’s Principles
Modern Cryptographic Tools
Keyword Ciphers and One-Time Pads
Symmetric and Asymmetric Cryptography
Hash Functions
Digital Signatures
Certificates
Protecting Data at Rest, in Motion, and in Use
Protecting Data at Rest
Protecting Data in Motion
Protecting Data in Use
Summary
Exercises
Chapter 6: Compliance, Laws, and Regulations
What Is Compliance?
Types of Compliance
Consequences of Noncompliance
Achieving Compliance with Controls
Types of Controls
Key vs. Compensating Controls
Maintaining Compliance
Laws and Information Security
Government-Related Regulatory Compliance
Industry-Specific Regulatory Compliance
Laws Outside of the United States
Adopting Frameworks for Compliance
International Organization for Standardization
National Institute of Standards and Technology
Custom Frameworks
Compliance amid Technological Changes
Compliance in the Cloud
Compliance with Blockchain
Compliance with Cryptocurrencies
Summary
Exercises
Chapter 7: Operations Security
The Operations Security Process
Identification of Critical Information
Analysis of Threats
Analysis of Vulnerabilities
Assessment of Risks
Application of Countermeasures
Laws of Operations Security
First Law: Know the Threats
Second Law: Know What to Protect
Third Law: Protect the Information
Operations Security in Our Personal Lives
Origins of Operations Security
Sun Tzu
George Washington
Vietnam War
Business
Interagency OPSEC Support Staff
Summary
Exercises
Chapter 8: Human Element Security
Gathering Information for Social Engineering Attacks
Human Intelligence
Open Source Intelligence
Other Kinds of Intelligence
Types of Social Engineering Attacks
Pretexting
Phishing
Tailgating
Building Security Awareness with Security Training Programs
Passwords
Social Engineering Training
Network Usage
Malware
Personal Equipment
Clean Desk Policies
Familiarity with Policy and Regulatory Knowledge
Summary
Exercises
Chapter 9: Physical Security
Identifying Physical Threats
Physical Security Controls
Deterrent Controls
Detective Controls
Preventive Controls
Using Physical Access Controls
Protecting People
Physical Concerns for People
Ensuring Safety
Evacuation
Administrative Controls
Protecting Data
Physical Concerns for Data
Accessibility of Data
Residual Data
Protecting Equipment
Physical Concerns for Equipment
Site Selection
Securing Access
Environmental Conditions
Summary
Exercises
Chapter 10: Network Security
Protecting Networks
Designing Secure Networks
Using Firewalls
Implementing Network Intrusion Detection Systems
Protecting Network Traffic
Using Virtual Private Networks
Protecting Data over Wireless Networks
Using Secure Protocols
Network Security Tools
Wireless Protection Tools
Scanners
Packet Sniffers
Honeypots
Firewall Tools
Summary
Exercises
Chapter 11: Operating System Security
Operating System Hardening
Remove All Unnecessary Software
Remove All Unessential Services
Alter Default Accounts
Apply the Principle of Least Privilege
Perform Updates
Turn On Logging and Auditing
Protecting Against Malware
Anti-malware Tools
Executable Space Protection
Software Firewalls and Host Intrusion Detection
Operating System Security Tools
Scanners
Vulnerability Assessment Tools
Exploit Frameworks
Summary
Exercises
Chapter 12: Mobile, Embedded, and Internet of Things Security
Mobile Security
Protecting Mobile Devices
Mobile Security Issues
Embedded Security
Where Embedded Devices Are Used
Embedded Device Security Issues
Internet of Things Security
What Is an IoT Device?
IoT Security Issues
Summary
Exercises
Chapter 13: Application Security
Software Development Vulnerabilities
Buffer Overflows
Race Conditions
Input Validation Attacks
Authentication Attacks
Authorization Attacks
Cryptographic Attacks
Web Security
Client-Side Attacks
Server-Side Attacks
Database Security
Protocol Issues
Unauthenticated Access
Arbitrary Code Execution
Privilege Escalation
Application Security Tools
Sniffers
Web Application Analysis Tools
Fuzzers
Summary
Exercises
Chapter 14: Assessing Security
Vulnerability Assessment
Mapping and Discovery
Scanning
Technological Challenges for Vulnerability Assessment
Penetration Testing
The Penetration Testing Process
Classifying Penetration Tests
Targets of Penetration Tests
Bug Bounty Programs
Technological Challenges for Penetration Testing
Does This Really Mean You’re Secure?
Realistic Testing
Can You Detect Your Own Attacks?
Secure Today Doesn’t Mean Secure Tomorrow
Fixing Security Holes Is Expensive
Summary
Exercises
Notes
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Index