Cole bindex.tex V3 - 07/28/2009 6:40pm Page 849
Numbers
3G (third generation) cellular technologies, 507
4G (fourth-generation) mobile devices, 464–468
802.11. See IEEE 802.11
802.11i, 496–503
802.1X, 491–492

A
A records, 361
academic technologies/ideas, 155–158
acceptability, 101
access
  of attackers exploiting systems, 790–793
  controlling. See access control
  future planning of, 846–847
  in penetration testing, 785–786
  in Windows security, 179
access control
  administrative, 113–114
  audit trails and, 114
  authentication in, 115–121
  biometrics for, 116–117
  centralized, 115
  Challenge Handshake Authentication Protocol for, 125
  to data, 123, 798
  to databases, 121–123
  decentralized, 115
  detective, 114–115
  discretionary, 110–111
  identification in, 115–121
  implementation types for, generally, 112
  intrusion detection systems for, 114
  Kerberos for, 118–121
  KryptoKnight for, 121
  mandatory, 111
  models for, generally, 109–110
  non-discretionary, 112
  passwords for, 116, 125
  physical, 115
  preventive, 113–114
  RADIUS for, 124
  remote access in, 123–125
  for server security, 415
  SESAME for, 121
  Single Sign-On for, 117–121
  summary of, 125
  TACACS and TACACS+, 124
  technical, 113–114
  violations reports in, 114
account harvesting, 315–316
accountability, 37
accounts for e-mails. See e-mail security
accreditation. See also security assurance evaluation mechanisms
  certification and, 44–45
  defined, 757
  DIACAP for, 756–757, 760–763
  NIACAP for, 756–759
  overview of, 756–757, 763
acquisition phase, 56–58
acquisitions, 735–736
active attacks, 13–14, 40
active reconnaissance, 789–790
active response devices, 565–567
ActiveX, 278, 306–309
ad hoc mode, 479
ad support, 200–201
address autoconfiguration, 446–447
Address Resolution Protocol (ARP). See ARP (Address Resolution Protocol)
addressees, 331
administrative security controls
  access control, 113–114
  facility planning in, 102
  facility security management in, 103
  information system security management in, 102
  of personnel, 102
administrator accounts, 184–185
advanced blocking techniques, 253, 548
Advanced Encryption Standard (AES), 496–500, 595
Advanced Mobile Phone System (AMPS), 470–471
advanced settings for Internet Explorer, 285–286
advisory policies, 75
adware, 802
AES (Advanced Encryption Standard), 496–500, 595
Aircrack, 501
aircraft systems, 83–85
AirSnort, 501
ALE (annual loss expectancy), 70–71
algorithmic-based steganography, 647
algorithms. See cryptography
ALIGN, 307
"All People Seem To Need Data Processing", 432
America On Line (AOL), 378–379
AMPS (Advanced Mobile Phone System), 470–471
anacron, 228
analog telephone adaptors (ATAs), 450
analysis
  control of, 65
  cryptanalysis, 577
  in digital forensics, 738–746, 748
  impact of, 66–67
  of loss, 22–23
  of penetration testing, 787
  of results, 93, 843–844
  of risk, 842–844
  of vulnerabilities, 528
annual loss expectancy (ALE), 70–71
anomaly detection, 553–554, 565
anonymous authentication, 505
anonymous FTP (File Transfer Protocol), 418
anonymous usernames, 417
Antheil, George, 473
anti-spyware/adware tools, 802
antivirus protection
  applications for, 172
  intrusion detection for, 707–708
  signatures for, 193
  software for, 149, 801–802, 833
  in Windows security, 171–173, 180
anycasts, 446
AOL (America On Line), 378–379
apmd daemon, 229
APOP (Authenticated Post Office Protocol), 346–347
Appletalk Session Protocol (ASP), 435
Application layer, 433–434, 504
application proxies, 558
application-level attacks, 792
applications
  installing securely. See applications installation security
  in server security, 417–421
  testing questionable, 194
  upgrades for, 192–193
  versions of, 350
  in Web security, 310
applications installation security
  antivirus protection for, 171–173
  personal firewalls for, 173–174
  Pretty Good Privacy and, 175
  secure FTP and, 175
  Secure Shell and, 174
APTools, 502
architecture
  of Domain Name System, 388–389
  in e-mail security, 350–351
  of networks. See network architecture
  in risk management, 27
  of system security, 46
  workstations in, 176–177
ARP (Address Resolution Protocol)
  introduction to, 438
  in network architecture, 517–518
  spoofing, 332–334
arpwatch, 228
ASP (Appletalk Session Protocol), 435
Assess Information Protection, 48–51
assessment
  National Institute of Standards and Technology guidelines for, 756–757, 765–770
  of network security, 404
  of risk. See risk assessment
  in risk management, 27–31
  of security. See security assurance evaluation mechanisms
association in wireless communications, 479
assurance of security. See security assurance evaluation mechanisms
asymmetric encryption
  certificate authorities in, 598
  introduction to, 597–598
  primitives in cryptography, 597–599
  web of trust in, 598–599
ATAs (analog telephone adaptors), 450
atd service, 228
attachments to e-mails, 351
attack phase of pen testing, 785–786
attackers exploiting systems. See also attacks
  access of, 790–793
  active reconnaissance of, 789–790
  application-level attacks of, 792
  back doors of, 793–794
  covering tracks by, 794–795
  denial-of-service and, 793
  elevating privileges of, 792–793
  introduction to, 787–788
  misconfiguration attacks of, 792
  operating systems attacks of, 791
  passive reconnaissance of, 788–789
  program attacks of, 792
  scripts in attacks of, 792
  Trojan horses of, 794
  uploading programs by, 793
attacks, 127–142. See also attackers exploiting systems
  account harvesting, 315–316
  ad support in, 200–201
  application-level, 792
  back door, 130, 203, 793–794
  birthday, 133–134, 386
  on browsers, 268–269
  buffering against, 351
  common types of, generally, 129
  in cyber security, 6–7
  demon-dialing, 136
  denial-of-service, 129–130, 203, 793
  device loss and theft, 141
  distributed denial-of-service, 136–138, 528
  on Domain Name System, 384–386
  dumpster diving, 133
  eavesdropping, 135
  espionage, 138–140
  external, 136–140
  file extensions in, 204
  fragmentation, 131–132
  on hash functions, generally, 607–608
  hijacking, 131, 204, 268–269
  internal threats, 140–141
  malicious code, 127–129
  man-in-the-middle, 130
  mathematical, 132
  on MD4, 608–610
  on MD5, 610–613
  misconfiguration, 792
  network architecture and, 528–529
  on operating systems, 791
  overview of, 12–14
  packet sniffing, 204
  parasites, 269
  password guessing, 133–134
  penetration testing for. See penetration testing
  physical, 202
  port scanning, 133
  preparing for, 198
  program, 792
  replay, 131, 269–270
  scripts in, 792
  session replay, 204
  on SHA, 614–616
  social engineering, 132–133, 204–205
  software exploitation, 134–135
  spoofing, 130
  spyware, 200–202
  SQL injection, 316–317
  summary of, 142
  system misuse, 135
  targeted hacks, 138–140
  TCP, 131, 136
  TEMPEST, 202–203
  Trojan horse, 200, 794
  types of, 29–30, 780–782
  unintentional filesharing, 140–141
  viruses, 127–129, 198–199
  war driving, 136
  war-dialing, 136
  weak keys, 132
  on Web servers, 315–317
  against workstations, 198–205
  worms, 199–200
  on zeroconf networks, 524
AuCs (authentication centers), 463
audit trails
  access control, 114
  in securing information technology, 54
  as security assurance evaluation mechanisms, 773
auditing
  in configuration management, 89
  introduction to, 772
  passwords, 823
  process of, 773
  for server security, 416
  standards for, 772–773
  for Windows security, 197
Authenticated Post Office Protocol (APOP), 346–347
authentication
  in access control, 115–121
  browser protocols and, 262–263
  for cryptography, 575–576
  in e-mail security, 345
  of e-mails, 345
  enhancing, 265
  firewalls and, 531
  in information system security, 36
  integrating as security component, 823
  MAC layer for, 479
  mistakes to avoid in, 815
  primitives in cryptography for, 602–603
  in Public Key Infrastructure, 689
  in securing information technology, 54
  in WAP security layer, 505
authentication centers (AuCs), 463
authentication chains, 391
Authentication Headers, 696–697
Authentication Servers, 685–686
authorization
  faulty, 316
  in information system security, 37
  system security, 757
autocorrelation, 583
autofs, 228
automated data protection tools, 801–803
automated intrusion notice and recovery mechanisms, 726–727
automated modification of firewall rules, 539–540
automated vulnerability scanners, 782–783
automatic population of databases, 327
automatic update servers, 218
auto-processing, 323
AUTORUN, 167
availability issues
  in cryptography, 575
  in e-mail security, 339
  in future planning, 839
  in information system security, 35–37
  steganography, 642
awareness
  in data protection, 799
  of employees, 811–812
  in information system security management, 77–79
  of security plans, 94
  of server security needs, 399–400
  training in, 172
  of what is running on systems, 817

B
back door attacks
  of attackers exploiting systems, 793–794
  defined, 130
  in risk management, 31
  on workstations, 203
background checks, 4–6
backups
  as data protection, 799
  in e-mail security, 351
  in integration of security components, 828–829
  policies for, 29
  sites, 95–97
  systems, 414–415
  in UNIX/Linux security, 216
  in Windows security, 191
base practices, 752
base transceiver stations (BTSs), 462
baselines for security, 75–77
bastion hosts, 386
Bayesian logic, 337–338
behavior-based anomaly detection, 565
best practices for security
  antivirus software, 833
  auditing passwords, 823
  authentication, 823
  backups, 828–829
  binary code in HTTP headers, 826
  code reviews, 831
  configuration management, 832
  content inspection, 826–827
  cross-site scripting, 827
  defense-in-depth, 828
  detection methods, using multiple, 826
  disaster recovery plans, 830
  e-mail attachment inspection, 827
  essential services only, 831–832
  file transfer inspection, 827
  firewalls, 832–833
  HTTP/HTTPS tunneling, 826
  infrastructure assessments, 820–821
  internal servers protected from outbound communications, 820
  intrusion detection systems, 832–833
  logging, 825–826
  malicious URL detection, 827
  naming servers, 834
  network diagrams, 819–820
  outgoing communications, monitoring, 826
  password policy, 821–823
  patching policies, 823–824
  perimeter protection, 821, 832–833
  physical security, 830
  placement of systems, 820
  policy statements, 819
  remote access, 827
  secure communications, 828
  sensitive information protection, 829
  service accounts, 823
  single-use servers, 832
  system accounts protection, 834
  trust relationships, 833
  UNIX systems, 831
  URLs, 827
  user education, 830–831
  vulnerability assessments, 824–825
Big Brother, 200–201
Biham, Eli, 616
binary code in HTTP headers, 826
BIND service, 375
biometrics
  for access control, 116–117
  in information system security management, 100–102
  in pass phrases, 626
  in quantum cryptography, 626
BIOS. See also NetBIOS
  changing settings of, 213
  control of, 212
  enabling password for, 213
birthday attacks, 133–134, 386
black-box penetration testing, 772
blacklisting, 337
blackmailing, 626–627
block ciphers, 593–595
blocking
  advanced techniques for, 548
  firewalls for, 253, 543–545
  generic exploit, 154
  incoming traffic, 248–250, 543–545
  IP addresses, 556
  logging in, 546–547
  outgoing traffic, 250–251, 545–546
  port, 162–163
Bluetooth, 503–504
boot loader passwords, 213
bootable CDs and USB drives, 172
booting, 212–213
boundlessness of Internet, 12
bra-kets, 617
breaches of security, 10–11. See also attacks
bridges, 514
broadband wireless, 506–507
browser security. See Web browser security
brute-force attacks, 576–577
bsd-airtools, 501
Btscanner, 502
BTSs (base transceiver stations), 462
buffer overflow exploit prevention, 155
Bush, Dr. Vannevar, 297
business continuity planning
  approval of plan in, 93–94
  business impact assessments in, 92–93
  development of plan in, 93
  goals of, 91
  implementation in, 93–94
  overview of, 90
  roles and responsibilities in, 94
  scope and plan initiation of, 92
business impact assessments, 92–93, 401
business systems, 30
business workstations, 170

C
C and C++ languages, 406
C&A (certification and accreditation), 44–45. See also certification
cable locks, 100
cache poisoning, 385–388
caching, 264, 281–282
Caesar’s encryption scheme, 581–582
calculating risk, 70–71. See also risk assessment
callback functions, 543
camouflage, 640–641
Camouflage, 669
canary values, 157
capability dimension, 752, 755–756
care-of addresses, 466
Carnegie Mellon University, 717
cast introduction, 590–591
(CBC) cipher-block chaining, 497–499, 594
CDMA (Code Division Multiple Access)
  in cellular network technology, 464–468
  FHSS and, 483
  spread spectrum technologies as. See spread spectrum technologies
  versions of, 473
  in wireless transmission systems, 469–473
CDPD (Cellular Digital Packet Data), 471
cell phones. See cellular telephones
cell towers, 462
Cellular Digital Packet Data (CDPD), 471
cellular telephones
  4G for, 464–465
  calling with, 464
  fault tolerance and, 467–468
  history of, 464–465
  local area networks and, 466–467
  location discovery and handoff with, 466
  networks for, 462–463
  system infrastructure of, 465–466
centralized access control, 115
centralized security management consoles, 803
CERs (crossover error rates), 100
CERT (Community Emergency Response Teams), 350, 388
CERT/CC (Community Emergency Response Teams/Coordination Center)
  analyzing information, 719
  communications with incident response team, 719–720
  eliminating intruder access, 721
  implementing security lessons learned, 721–722
  normalizing operations, 721
  preparing to respond to intrusion, 718–719
  protecting information, 720
  recommended practices of, 717–718
  response policies and procedures, 718
  short-term containment solutions, 720
certificate authorities (CAs)
  in cryptography, 598
  e-mail security and, 684
  in key management, 691–692
Certificate Revocation Lists (CRLs), 691–692
certificates
  in Java sandbox, 305
  in Secure Socket Layer, 266–267
  in UNIX/Linux security, 243–245
certification. See also security assurance evaluation mechanisms
  accreditation and, 44–45
  defined, 759
  DIACAP for, 756–757, 760–763
  DITSCAP for, 758–760
  documentation support, 761
  introduction to, 763
  NIACAP for, 756–759
  overview of, 756–757
CFB (cipher feedback), 594
CGI (Common Gateway Interface) scripts, 301–302
Chabaud, Florent, 615–616
chain of evidence, 731–734
Challenge Handshake Authentication Protocol (CHAP), 125
chaos attacks, 524
CHAP (Challenge Handshake Authentication Protocol), 125
Chargen, 227, 414
checklist reviews, 97
Chen, Rafi, 616
Chinese Remainder Theorem, 604
chipping code, 476
chkconfig commands, 235–236
chroot, 240
CIA (confidentiality, integrity, availability). See confidentiality, integrity, availability (CIA)
CIDR (classless interdomain routing), 517
cipher feedback (CFB), 594
cipher text, 576–577
cipher-block chaining (CBC), 497–499, 594
ciphers
  block, 593–595
  historical impact of, 586–587
  history of, 586–587
  stream, 592–593
  substitution, 581–587
circuit switching, 451–452
CIRT (computer incident response teams), 708
CIs (configuration items), 88
civil cases, 745
classical TC (Trusted Computing), 421–423, 426
CLASSID, 307
classifying sensitive data, 797
classless interdomain routing (CIDR), 517
cleaning up systems, 197–198
client access controls, 803
client authentication, 505
client content
  ActiveX and, 306–309
  HTTP and, 304
  Java and, 304–309
  JavaScript and, 303–304
  permissions in, 305–306
  sandboxes for security of, 304–305
  Web security and, 303–309
client key exchange, 701
client risk, 255–259. See also Web browser security
client/server model of HTTP, 298–299
Clinton, President William, 576
clipping levels, 774
closed-box penetration testing, 772
closed-circuit televisions, 99
close-in attacks, 40
CRLs (Certificate Revocation Lists), 691–692
cmdline, 223–224
CNAME (Canonical Name) records, 362–364
code cleanliness, 406
Code Division Multiple Access (CDMA). See CDMA (Code Division Multiple Access)
code reviews, 831
code stores, 305
CODEBASE, 307
cold sites, 96
collaboration tools
  integrity of data in, 331–334
  malcode attacks on, 325–327
  overview of, 324–325
  privacy of data in, 327–331
collision-resistance one-way functions, 600
color tables, 653–654
combustible materials, 104
Common Gateway Interface (CGI) scripts, 301–302
Community Emergency Response Teams (CERT), 350, 388
Community Emergency Response Teams/Coordination Center (CERT/CC). See CERT/CC (Community Emergency Response Teams/Coordination Center)
company sensitive data, 186
compliance, 799
compression, 296
computationally secure algorithms, 591
computer crime types, 106
computer forensics. See also digital forensics
  defined, 729
  legal issues in, 105
  proactive, 746–748
  traditional, 730
computer incident response teams (CIRT), 708
computer security teams
  CERT/CC, 723–724
  Federal Computer Incident Response Center, 724
  Forum of Incident Response and Security Teams, 725
computer-to-computer calls, 451
confidentiality
  cryptography for, 573–574
  of data, 262, 265
  in e-mail security, 338–339
  in future planning, 839
  in Public Key Infrastructure, 689–690
  in steganography, 641–642
confidentiality, integrity, availability (CIA), 589, 602–603
  in access control, 109
  with cryptography, 573
  in information system security, 35–37, 73
  in physical security, 413
  in Windows security, 191–192
configuration
  auditing, 89
  of browsers. See Web browser configurations
  controlling. See configuration control
  identification, 88
  management of. See configuration management
  security controls, 182–184
  security issues, 180–182
  status accounting, 89
configuration control. See also configuration management
  for server security, 402–404, 413–415
  status accounting in, 89
  for UNIX/Linux security, 217–224
Configuration Control Board (CCB), 89, 402–404
configuration items (CIs), 88
configuration management. See also configuration; configuration control
  auditing in, 89
  definitions in, 88
  documentation change control in, 89–90
  for hardening UNIX, 245–246
  identification in, 88
  in integration of security components, 832
  overview of, 87
  primary functions of, 88
  procedures of, 88
  security in, 180–184
  status accounting in, 89
configuration security controls
  digital certificate technology for, 183
  software on workstations in, 183–184
  user accounts on systems, 182–183
configuration security issues
  antivirus protection, 180
  user accounts, managing, 181–182
  user rights, limiting, 180
confirmations, 689
connections, defined, 534
contemporary TC (Trusted Computing), 421–423, 426
content injection, 407–409
content inspection, 826–827
content matching, 561
content settings for Internet Explorer, 285
content-level inspections, 31
contingency planning, 54, 90
continuity of operations, 90
control analysis, 65
control categories, 69–70
control recommendations, 68
controlling
  configurations. See configuration control
  operations in packet inspection methods, 560–561
  processes in UNIX security. See controlling processes in UNIX security
  users, 237–243
controlling processes in UNIX security
  chkconfig commands in, 235–236
  init process in, 233–234
  netstat commands in, 230–232
  nmap commands in, 232–233
  overview of, 225
  processes controlling processes in, 233–237
  ps commands in, 230
  service commands in, 236–237
  service detection in, 230–233
  services for special purposes in, 228–230
  services to avoid for, 225–226
  services to use for, 226–228
  xinetd process in, 234–235
convenience of browsers, 256
cookies
  browser protocols and, 264
  cross-site scripting and, 407
  data handling practices in, 185
  domain of, 311
  encryption and, 410
  expiration of, 311
  Internet Explorer settings for, 284–285
  Netscape and, 281
  path for, 311
  security of, 312
  storing, 312–313
  in Web browser and client security, 260–262
  in Web browser configurations, 276–277
  in Web security generally, 310
  in Windows security, 201
  workings of, 310–312
corporate firewalls, 542–543
countermeasures, 841–842
cover channels, 638–639
covering tracks, 794–795
covert communications. See steganography
Crack, 247
crackability, 580–581
crackers, 532
criminal cases, 746
critical security ratings, 192
crond service, 229
crossover error rates (CERs), 100
cross-site scripting (XSS), 407–408, 827
cryptanalysis, 577
cryptography
  algorithms for, 578–580, 603–606
  asymmetric encryption in, 597–599
  for authentication, 575–576
  availability issues in, 575
  block ciphers in, 593–595
  brute-force attacks and, 576–577
  building in, 580
  cast introduction in, 590–591
  certificate authorities in, 598
  ciphers in, 576–577, 586–587
  confidentiality, integrity, availability with, 573–574, 602–603
  crackability of, 580–581
  decryption of, 577
  defined, 54, 572
  encryption as, 577
  goals of, 573–576
  hash functions in, 607–608, 617
  for integrity of data, 574–575
  keys, 577
  MD4, MD5 attacks on, 608–613
  for non-repudiation, 576
  plain text in, 577
  primitives in, 587, 605–606
  principles of, 577
  proof of security in, 578
  proprietary algorithms in, 579, 606–607
  pros and cons of, 572–573
  pseudo random number generation, algorithms for, 588–589
  quantum. See quantum cryptography
  random number generators in, 585–586, 587–591
  for secret communications, 571–572
  Secure Socket Layer and, 580
  security of, 581
  SHA, attacks on, 614–616
  sharing keys in, 595–596
  steganography vs., 644–646
  stream ciphers in, 592–593
  sub-goals of, 575–576
  substitution ciphers in, 581–587
  summary of, 628–629
  symmetric encryption in, 591–596
  terms in, 576–577
  two-key encryption in, 597–599
  user input generating numbers for, 589
  Vigenere cipher in, 582–585
  web of trust in, 598–599
  whitening functions in, 589–590
  XOR in, 585–586
ctrl-alt-del pseudofile, 224
cups-lpd, 227
current packet inspection methods, 557–558
current state of security, 11–12
custody, 731–734
customer separation, 145–146
cwd, 224
cyber security
  active attacks in, 13–14
  assessing risk management in, 27–31
  attack types, generally, 12–13
  attacks in, generally, 6–7
  background of, 4–6
  boundlessness of Internet and, 12
  breaches of, 10–11
  changes in, 16–17
  current state of, 11–12
  enterprise security methodologies for, 19–27
  future planning for, 836–837
  interfacing with organizations for, generally, 19
  new approaches to, generally, 9, 15
  overview of, 3–4
  passive attacks in, 14
  principles of, 15–16
  reactive security vs., 6
  risks in, 4
  state of, 3–8
  summary of, 7–8, 17–18, 32
  trends in, 6, 9–16

D
DAA (Designated Approving Authority), 45
DAC (discretionary access control), 110–111
data collection, 212
data confidentiality, 262, 265
data encapsulation, 432
Data Encryption Standard (DES). See DES (Data Encryption Standard)
data handling, 185–186, 405–406
data integrity, 331
Data Link layer, 437–438
data normalization, 123
data protection
  access in, 798
  anti-spyware/adware tools for, 802
  antivirus software for, 801–802
  automated tools for, 801–803
  awareness in, 799
  backing up as, 799
  centralized security management consoles for, 803
  client access controls for, 803
  compliance in, 799
  data usage policies for, 798
  encryption for, 798
  endpoint policies for, 804–805
  endpoint security for, 799–805
  hardening for, 798, 800–801
  host-based intrusion detection systems for, 802
  insider threats and, 805–806
  Linux and, 801
  network access control and, 805
  patch management in, 801
  personal firewalls for, 802
  physical security for, 798, 803–804
  remote access and, 805
  sensitive data in, 797
  summary of, 806–807
  user education on, 805
  validation of, 799
  virtual machines and, 805
  vulnerability assessments of, 804
  Windows and, 800
data remanence, 105
data sharing server applications, 417–420
data transfer, 479
data types, 186
data usage policies, 798
data volume, 643
data vulnerabilities, 324
databases
  accessing, 121–123
  automatic population of, 327
  object-oriented, 123
  relational, 121–123
  SQL injection of, 316–317
  whois, 780
datagrams, 436
dates, 262
daytime, 227
DDoS (distributed denial-of-service) attacks, 136–138, 528
de facto standard of security, 581
decentralized access control, 115
decryption, 577
Defense-in-Depth strategy
  attacks vs., 40
  in information system security principles, 38–41
  in integration of security components, 828
  operations and, 39–40
  overview of, 38
  people and, 39
  in server security, 398
  technology in, 39
definition phase, 757, 759
DELETE requests, 289
demilitarized zones (DMZs), 27, 513
demon-dialing attacks, 136
denial of applications, 28
denial-of-service (DoS) attacks
  distributed, 136–138
  Domain Name System and, 379
  in network architecture, 528
  overview of, 129–130, 793
  in penetration testing, 781
  in risk management, 28
  on workstations, 203
  on zeroconf networks, 524
Department of Defense Regulation 5000.2-R Change 3, 80
Department of Defense Technology Security Certification and Accreditation Process (DITSCAP). See DITSCAP (Department of Defense Technology Security Certification and Accreditation Process)
departmental restricted data, 186
depth, 584, 588
DES (Data Encryption Standard)
  as block cipher, 595
  keys of, 592
  security of, 581
Designated Approving Authority (DAA), 45
designing server security, 396–413. See also server security
  awareness of need for, 399–400
  business impact assessments in, 401
  code cleanliness in, 406
  Configuration Control Board and, 402–404
  content injection in, 407–409
  cross-site scripting in, 407–408
  data handling in, 405–406
  defense-in-depth principle in, 398
  development environment security for, 402
  development practices for, 405–411
  dynamic scripting in, 409
  encryption in, 409–411
  input validation in, 407
  language choice in, 406
  management and, 402
  network support for, 403–404
  overview of, 396–397
  respect for adversaries in, 399
  risk-based security controls for, 397–398
  screening input for, 409
  simplicity in, 399
  SQL injection in, 408
  stored procedures in, 408
  testing in, 411–413
desktop protections, 29
desktops, 526
despreading, 483
destination IP addresses, 533
detection
  access control and, 114–115
  control of, 69–70
  of hardware changes, 214–215
  of intrusion. See intrusion detection systems (IDSs)
  methods of, integrating, 826
  of steganography, 643–644
development
  environments, 402
  phase, 52, 56–58
  practices, 405–411
device loss and theft, 141
DHCP (Dynamic Host Configuration Protocol), 518–519
DIACAP (Department of Defense Information Assurance Certification and Accreditation Process)
  certification documentation support in, 761
  challenges of, 762–763
  Implementation Plan of, 761
  introduction to, 756–757, 760
  phases of, 760–762
  Plan of Action and Milestones of, 761
  scorecard of, 761
  System Information Profile in, 761
digital forensics, 729–750
  acquisitions in, 734
  analysis in, 738–740
  chain of evidence in, 731–734
  civil cases in, 745
  computer forensics and, 730
  criminal cases in, 746
  custody in, 731–734
  documentation in, 743–744
  evidence in, 730–731, 744
  forensic duplication in, 736
  full examination in, 741–743
  future research areas for, 748–750
  introduction to, 729–730
  legal closure in, 744–745
  life cycle of, 750
  limited examination in, 740
  live acquisition in, 736–737
  mirror images in, 736
  partial examination in, 740–741
  proactive, 746–748
  storage media for acquisitions, 737
  summary of, 750
  volatile information, 738
Digital Network Architecture Session Control Protocol (DNA SCP), 435
Digital Picture Envelope (DPE), 665–669
digital rights management (DRM)
  background of, 422
  information control, building systems for, 423–426
  information control, challenges of, 422–423
  introduction to, 421–422
digital signatures
  in cryptography, 598
  in e-mail security, 332–334, 339, 355
  in primitives, 599–600
  in Public Key Infrastructure, 690
digital watermarking
  defined, 673–674
  goals of, 676
  invisible, 675
  properties of, 674
  reasons for using, 674
  removing, 676–679
  steganography vs., 676–679
  types of, 675
  uses of, 676–677
  visible, 675
digital-coded cards, 101
DIP (DIACAP Implementation Plan), 761
direct sequence spread spectrum technologies, 476
directories, enumerating, 315
disablement, 164, 814
disaster recovery plans (DRPs)
  backup sites and, 95–97
  development of, 95
  goals of, 95
  implementation of, 97–98
  in integration of security components, 830
  introduction to, 90
  in risk management, 29
  testing of, 97
  timing objectives in, 95–96
Discover Information Protection Needs, 43–45
discovery
  in penetration testing, 780–781
  in pre-attack phase of pen testing, 784–785
  of Web services, 321
discrete logarithm problems, 596
discretionary access control (DAC), 110–111
disk partitioning, 215–216
disposal, 29
disposal phase, 52, 56–57, 59
distributed denial-of-service (DDoS) attacks, 136–138, 528
distribution attacks, 40
DITSCAP (Department of Defense Technology Security Certification and Accreditation Process)
  introduction to, 758–759
  phases of, 758–760
  roles of, 760
DMZs (demilitarized zones), 27
DNA SCP (Digital Network Architecture Session Control Protocol), 435
DNS (Domain Name System). See Domain Name System (DNS)
DNS SEC (Domain Name System security extensions)
  authentication chains in, 391
  implementation of, 392–393
  lookup process in, 391
  overview of, 381–382, 389–391
  pros and cons of, 392
  scalability of, 393
  trust anchors in, 391
Dobbertin, Hans, 610, 613
document writing, 178
documentation, 743–744
documentation change control, 89–90
dogs, 99
domain dimension, 752
domain name, 224
domain name lookups, 513
Domain Name System (DNS)
  in Application layer, 433
  architecture of, 388–389
  attacks on, 384–386
  authentication chains in, 391
  basics of, 358–364
  cache poisoning, 385–388, 392
  designing, 386–387
  enumerating domain names in, 382
  forward lookups in, 366–371
  hijacking, 392
  introduction to, 357
  iterative queries and, 383
  lookup process in, 391
  master-slave relationships in, 388
  misconfiguration of, 379
  name resolution, alternative approaches to, 374–375
  predictable query IDs and, 382–383
  purpose of, generally, 364–366
  records, 360–361
  recursion and, 383–384
  reverse lookups in, 371–374
  security extensions of. See DNS SEC (Domain Name System security extensions)
  security issues with, 377–384
  servers, 781
  setting up, 375–377
  split DNS design for, 386
  split-split DNS design for, 386–387
  spoofing, 385
  summary of, 393
  Transaction Signatures and, 380–381
  trust anchors in, 391
  updating, 414
  vulnerability statistics of, 384
  zone transfers, 379–382, 388
domain records, 360
domains, world-wide, 367–370
DoS (denial-of-service) attacks. See denial-of-service (DoS) attacks
downloading from Internet, 172
downtimes, 92
DPE (Digital Picture Envelope), 665–669
DRM (digital rights management). See digital rights management (DRM)
drop-off directories, 417
DRPs (disaster recovery plans). See disaster recovery plans (DRPs)
dry contact switches, 99
due care, 107
dumpster diving attacks, 133, 780
Dynamic Host Configuration Protocol (DHCP), 518–519
dynamic outbound packets, 513
dynamic scripting, 409

E
EAP (Extensible Authentication Protocol), 486–488, 491–492
ease-of-use, 147
Easter eggs, 639
easy-to-obtain operating systems (OSs), 208
eavesdropping
  attacks, 135
  as browser vulnerability, 258
  Web bugs for, 313–314
ECD (electronic code book), 594
Echo, 227, 414
EIRs (equipment identity registers), 463
electricity, 103, 580
electromagnetic spectrum, 459–461
electronic code book (ECD), 594
electronic monitoring, 106–107
Electronic Serial Number (ESN), 462
elevating privileges, 792–793
e-mail
  applications for, 172, 682–685
  attachments to, 827
  copies of, 201
  in network architecture, 526
  protocols for. See e-mail protocols
  security of. See e-mail security
  standard use of, 178
  in Windows security, 170
e-mail protocols
  IMAP, 344–345
  POP/POP3, 343–344
  Simple Mail Transfer Protocol, 340–342
e-mail security
  +OK logged on POP before SMTP, 348
  accounts for e-mails in, 349
  application versions in, 350
  architectural considerations in, 350–351
  attachments, inspecting, 827
  Authenticated Post Office Protocol for, 346–347
  authentication in, 345
  auto-processing in, 323
  availability issues in, 339
  blacklisting, 337
  collaboration tools vs. e-mail, generally, 324–325
  confidentiality in, 338–339
  data integrity in, 331
  data vulnerabilities in, 324
  Generic Security Services Application Programming Interface for, 348
  GNU Privacy Guard for, 354–355
  IMAP, 344–345
  integrity of e-mails in, 339
  Kerberos, 348
  login authentication, 346
  mail client configurations in, 349–350
  malcode attacks in, 325–327
  man-in-the-middle attacks in, 332
  NT LanManager protocol in, 347
  opening e-mails, guidelines for, 349
  operating safely while e-mailing, 348–355
  plain login, 345–346
  POP/POP3, 343–344
  Pretty Good Privacy in, 354–355
  privacy data in, 327–335
  protocols in, 340–345
  replay attacks in, 332–335
  risks requiring, 323
  sacrificial e-mail addresses in, 349
  Simple Mail Transfer Protocol, 340–342
  social engineering in, 323
  spam in, 335–339
  SSH tunnels for, 351–354
  summary of, 334–335, 355
enablement vs. disablement, 814
EnCase, 739–742
encryption
  as cryptography, 577
  for data protection, 798
  in e-mail security, 346–347
  in quantum cryptography, 626–628
  in risk management, 29
  for server security, 409–411
  two-key, 597–599
  in UNIX/Linux security, 243–245
  in Web browser configurations, 281
endpoint security
  anti-spyware/adware tools for, 802
  antivirus software for, 801–802
  automated tools for, 801–803
  centralized security management consoles for, 803
  client access controls for, 803
  for data protection, 799–805
  hardening operating systems for, 800–801
  host-based intrusion detection systems for, 802
  Linux and, 801
  network access control and, 805
  patch management in, 801
  personal firewalls for, 802
  physical security for, 803–804
  policies for, 804–805
  remote access and, 805
  user education on, 805
  virtual machines and, 805
  vulnerability assessments of, 804
  Windows and, 800
Engelbart, Doug, 298
engineering principles, 54–56
enrollment times, 100
enterprise forensics. See digital forensics
enterprise security methodologies
  audits in, 24–27
  business impacts in, 21–22
  controls in, 24
  exploits and, 21
  loss analysis in, 22–23
  mitigation in, 23–24
  overview of, 19–21
  risk assessment in, 22
  risk determination in, 23
  risk management questions, 27–31
  summary of, 32
  threats and, 21
  vulnerability and, 21
enumeration
  of directories, 315
  of domain names, 382
  in penetration testing, 781, 785
environmental issues, 103–105
  data remanence, 105
  electrical power, 103
  fire suppression, 104–105
  humidity, 103
  object reuse, 105
equipment identity registers (EIRs), 463
ESN (Electronic Serial Number), 462
espionage attacks, 138–140
essential services only principle, 831–832
ethical hacking, 770. See also penetration testing
evaluation of risk. See risk assessment
evaluation of security, 769. See also security assurance evaluation mechanisms
evidence collection, 730–731
evidence retention, 744
evolution of browsers, 257
exclude lists, 567
executables, 259
expert users, 210
expiration, 262
exploitation of systems. See attackers exploiting systems
Extensible Authentication Protocol (EAP), 486–488, 491–492
Extensible Markup Language (XML), 319–320
external attack methodologies, 136–140
external penetration testing, 771
eyes only data, 186
EZ-Stego, 663–664

F
facility planning, 102
facility security management, 103
failure points in future planning
    access, 846–847
    limiting generally, 844–847
    redundancy, 845–846
Fake AP, 502
false acceptance rates (FARs), 100
false alarms, 815
false negative detection results, 555
false positive detection results, 555
false rejection rates (FRRs), 100
FARs (false acceptance rates), 100
fast factoring, 621–622
fault tolerance, 467–468
faulty authorization, 316
FDD (Frequency Division Duplex), 472
FedCIRC (Federal Computer Incident Response Center), 724
Federal Information Processing Standard (FIPS), 763–764
Federal Information Security Assessment Framework (FITSAF), 755–756
felony boxes, 422
fencing, 99
Ferguson, Niels, 495
FHSS (frequency hopping spread spectrum), 476–479, 503
file allocation tables, 167
file extension attacks, 204
file ownership, 210
file permissions, 167, 237–239
file sharing
    applications for, 172
    in UNIX/Linux security, 218
    in Windows security, 170
File Transfer Protocol (FTP)
    in Application layer, 433
    file transfers via, 226
    in server security, 414–418
file transfers
    inspecting, 827
    in UNIX/Linux security, 218
    in Windows security, 170
finances
    on e-mail, 178
    information about, 331
    responsibilities regarding, 400
Finger, 227, 414
fingerprint systems, 101, 781
FIPS (Federal Information Processing Standard), 763–764
fire suppression, 104–105
firewalls
    advanced blocking techniques of, 548
    automated modification of rules for, 539–540
    blocking traffic with, 543–545
    corporate vs. home, 542–543
    disadvantages of, 536–537
    Iptables, 543–548
    logging blocked traffic, 546–547
    multiple entry points of, 538–539
    multiple heterogeneous rulesets for, 540
    overview of, 531–532
    packet-filtering, 533
    packet-filtering and, 532–534
    in penetration testing, 781
    personal, 542–548, 802
    policy conflicts in, 540–542
    proxy, 535–536
    in risk management, 31
    rules of, 537–542
    as security component, 832–833
    in server security, 404
    stateful packet-filtering and, 534–535
    summary of, 548
    tiered architecture of, 537–538, 540–542
    in Windows security, 149
    in workstations, 177
FIRST (Forum of Incident Response and Security Teams), 725
FITSAF (Federal Information Security Assessment Framework), 755–756
FMDA (Frequency Division Multiple Access), 469
forensic duplication, 736
Forensic Tools Kit (FTKs), 739
forensics, 105. See also digital forensics
forgery, 494
formal processes, 37
Forum of Incident Response and Security Teams (FIRST), 725
fourth-generation (4G) mobile devices, 464–468
fragmentation attacks, 131–132
frequencies, 460
frequency analysis, 583
Frequency Division Duplex (FDD), 472
Frequency Division Multiple Access (FMDA), 469
frequency hopping, 476–477
frequency hopping spread spectrum (FHSS), 476–479, 503
frequency of sine waves, 460
FRRs (false rejection rates), 100
FTKs (Forensic Tools Kits), 739
FTP (File Transfer Protocol). See File Transfer Protocol (FTP)
full examination, 741–743
full knowledge in security assessments, 780
full knowledge penetration testing, 771
full-interruption tests, 97
full-scale exercises, 97
fully qualified domain names, 364–365
functional drills, 97
future planning, 835–847
    access in, 846–847
    availability in, 839
    confidentiality in, 839
    countermeasures in, 841–842
    cyber-security stance in, 836–837
    digital forensics in, 748–750
    failure points of, 844–847
    impact analysis in, 840–841
    integrity in, 839
    mission resilience in, 837–844
    organizational approach to, 835–836
    presentation of analysis results in, 843–844
    probability in, 840
    problems in, 835–837
    qualitative risk analysis in, 842–843
    quantitative risk analysis in, 843
    redundancy in, 845–846
    risk analysis in, 842–844
    risk in, 837–838
    summary of, 847
    threats in, 838–839
    vulnerabilities in, 839–840
    of wireless security, 506

G
G (generations) of wireless technology, 464
games, 171, 178
gateway interaction devices, 566
gateways, 515
general settings for Internet Explorer, 282
generally accepted principles, 53
"Generally Accepted Principles and Practices for Securing Information Technology Systems", 51
generation steganography, 652–653
generations (G) of wireless technology, 464
generic exploit blocking, 154
Generic Practices (GPs), 752–753
Generic Security Services Application Programming Interface (GSSAPI), 348
GET lines, 263–264
GET method, 288, 300
GID flags, 239–241
Gif Shuffle, 669–671
Gkrellm wireless plug-ins, 502
GNOME Wireless Applet, 502
GNU Privacy Guard (GPG), 244, 354–355
Google, 780
GPG (GNU Privacy Guard), 244, 354–355
gpm service, 229
GPs (Generic Practices), 752–753
grammar-based steganography, 648
gray-box penetration testing, 772
group category, 237
GSSAPI (Generic Security Services Application Programming Interface), 348
guards, 99

H
H.323 VoIP (Voice over Internet Protocol), 457
handshakes, 265–266
hardening
    end points, 798
    hosts, 145–146, 149
    infrastructure, 798
    testing of, 175
    UNIX. See hardening UNIX
hardening, quick-start
    disabling unneeded services for, 164
    overview of, 160
    passwords in, 163–164
    patches for, 161
    port blocking for, 162–163
    printing files in, 161–162
    removing unneeded components for, 164–165
    security template for, 166
    service packs for, 161
    sharing files in, 161–162
hardening systems
    AUTORUN vs., 167
    file allocation tables in, 167
    file permissions in, 167
    of operating systems, 800–801
    overview of, 166–167
    passwords in, 169–170
    Registry in, 167
    user groups rights in, 168
    user level accounts in, 168–169
hardening UNIX
    advanced blocking techniques, 253
    blocking incoming traffic, 248–250
    blocking outgoing traffic, 250–251
    configuration items for, 245–246
    logging blocked traffic, 251–253
    packet filtering with iptables for, 247–253
    passwords in, 247
    TCP wrapper for, 247
hardware changes detection, 214–215
hardware phones, 456
hash codes, 683
hash functions
    attacks on, generally, 607–608
    encryption and, 410
    future of, 617
    MD4, attacks on, 608–610
    MD5, attacks on, 610–613
    in number generation, 589
    primitives in cryptography, 600–602
    SHA-1, attacks on, 616
    SHA-0, attacks on, 614–616
HEAD requests, 288
header checksum fields, 448
header condition signatures, 709
header of IPv6 (Internet Protocol version 6), 448
HEIGHT, 307
heuristics, 802
hidden fields, 315
hidden frames, 314
Hide and Seek, 657–659
hijacking attacks
    on browsers, 268–269
    defined, 131
    on workstations, 204
    on zeroconf networks, 524
histories in Web browsers, 281
HLRs (home location registers), 462–463
home firewalls, 542–543
home location registers (HLRs), 462–463
home workstations, 170–171
Honeyd, 716
Honeynet Project, 716
honeynets, 714
honeypots
    categories of, 713–714
    detecting attacks, 713
    high-interaction, 714
    Honeyd, 716
    Honeynet Project, 716
    introduction to, 712
    low-interaction, 713–714
    preventing attacks, 713
    purposes of, 712–713
    responding to attacks, 713
    when to use, 714–715
hooks, 543
host name, 224
host services, 225
host-based intrusion detection systems (IDSs), 550–551, 708–710
host-based intrusion prevention systems (HIPS), 149
hot sites, 96
Hotspotter, 501
HTML (Hypertext Markup Language), 259, 300–301
HTTP (Hyper Text Transfer Protocol)
    client content in, 304
    client/server model of, 298–299
    DELETE requests, 289
    GET method in, 288, 300
    HEAD requests, 288
    HTML and, 300–301
    httpd in, 229
    HTTPS tunneling in, 826
    implementation of, 292–294
    origins of, 297–298
    overview of, 287–289
    persistent connections in, 296–298
    POST requests, 289
    PUT method in, 289, 299–300
    slow starts in, 295–296
    state in Web security, 309
    tunneling, 826
    in Web browser and client security, 259–261
    workings of, 289–292
hubs, 514
humidity, 103
Hyper Text Transfer Protocol (HTTP). See HTTP (Hyper Text Transfer Protocol)
Hypertext Markup Language (HTML), 259, 300–301

I
IATF (Information Assurance Technical Framework), 38–42
IBSS (Independent Basic Service Set), 479
ICMP (Internet Control Message Protocol), 437
ID, 307
ID (intrusion detection). See intrusion detection (ID)
Ideaflood, 365
identification
    in access control, 115–121
    in configuration management, 88
    in information system security, 36
    in securing information technology, 54
    of sensitive data, 797
IDSs (intrusion detection systems). See intrusion detection systems (IDSs)
IEEE 802.11
    deployment of, 482–483
    Extensible Authentication Protocol in, 486–487
    introduction to, 485–486
    key management in, 487
    as LAN/WAN standard, 438–439
    Light Extensible Authentication Protocol in, 487–488
    management of, 482–483
    operational features of, 483–485
    overview of, 480–481
    physical security in, 486
    Protected Extensible Authentication Protocol in, 488
    Transport Layer Security in, 488
    Wired Equivalent Privacy standard for, 486, 489–496
    wireless channels and, 481–482
    wireless security of. See IEEE 802.11
IEEE 802.11i
    AES CCM and, 500
    AES Counter and, 497
    cipher-block chaining and, 497–499
    Initialization Vector in, 500
    overview of, 496–497
    pre-authentication for roaming in, 500
    Pre-Shared Key mode of, 500
    testing tools of, 501–503
IEEE 802.20, 507
IEEE wireless LAN specifications
    MAC layer in, 478–480
    PHY layer in, 478
    for wireless security, 478–480
IETF (Internet Engineering Task Force), 722
Image Hide, 664–665
images, 259
IMAP (Internet Message Access Protocol), 344–345, 682
imap(s), 227
impact analysis
    defined, 61
    in future planning, 840–841
    in risk assessment, 66–67
implementation
    algorithms vs., 578–579
    of HTTP, 292–294
    phase of, 52, 56–57, 59
    of system security, 47–48
    types for, 112
Implementation Plan of DIACAP (DIP), 761
IMPs (Information Management Policies), 44
IMs (instant messages). See instant messages (IMs)
IMSI (International Mobile Subscriber Identity), 462
incident handling
    automated notice and recovery mechanisms for, 726–727
    CERT/CC guidelines for, 717–722, 723–724
    Federal Computer Incident Response Center for, 724
    Forum of Incident Response and Security Teams for, 725
    Internet Engineering Task Force guidelines for, 722
    introduction to, 716–717
    layered security approach to, 723
    security incident notification process in, 725–726
incident response teams
    CERT/CC, 723–724
    Federal Computer Incident Response Center, 724
    Forum of Incident Response and Security Teams, 725
Independent Basic Service Set (IBSS), 479
index of coincidence, 583
information assurance
    Federal Information Security Assessment Framework for, 755–756
    introduction to, 751
    National Security Agency Infosec Assessment Methodology for, 754–755
    Operationally Critical Threat, Asset, and Vulnerability Evaluation for, 755
    Systems Security Engineering Maturity Model for, 751–753
Information Assurance Technical Framework (IATF), 38–42
information control, 422–426
information exchange, 209
information leakage, 379
Information Management Policies (IMPs), 44
Information Protection Policies (IPPs), 44
information system development cycle, 56–59
information system security management
    of administrative security controls, 102
    advisory policies in, 75
    baselines in, 75–77
    biometrics and, 100–102
    business continuity planning in, 90–94
    computer crime types, 106
    configuration management in, 87–90
    of data remanence, 105
    disaster recovery plans in, 90, 95–98
    of electrical power, 103
    electronic monitoring in, 106–107
    environmental issues in, 103–105
    facilities in, 102–103
    of fire suppression, 104–105
    guidelines for, 75–77
    of humidity, 103
    informative policies in, 75
    legal issues in, 105–107
    liability in, 107
    measuring security awareness, 78–79
    of object reuse, 105
    of personnel controls, 102
    physical security controls in, 98–103
    principles of. See information system security principles
    procedures of, 75–77
    program managers in, 79–80
    regulatory policies in, 75
    security awareness in, 77–79
    security policies in, 73
    senior management policy statements in, 74–75
    smart cards in, 100–101
    standards for, 75–77
    statements of work in, 82
    summary of, 107
    systems engineering management plans in, 80–87
    of technical efforts, 79–87
    technical performance measurements in, 85
    of technical security controls, 100
    test and evaluation master plans in, 85–87
    training in security awareness, 78
    U.S. government policies in, 75
    work breakdown structures for, 82–85
information system security principles
    accountability in, 37
    authentication in, 36
    authorization in, 37
    for calculating risk, 70–71
    confidentiality, integrity, availability, 35–37
    Defense-in-Depth strategy in, 38–41
    formal processes and, 37
    identification in, 36
    Information Assurance Technical Framework and, 38–42
    in Information Systems Security Engineering. See Information Systems Security Engineering (ISSE)
    for information technology. See information technology security
    for risk management, 60
    summary of, 71
    systems development life cycle and, 51–59
    systems engineering processes and, 37–38, 41–42
Information Systems Security Engineering (ISSE), 42–51
    architecture of system security in, 46
    Assess Information Protection effectiveness in, 48–51
    designing detailed security in, 46–47
    Discover Information Protection Needs in, 43–45
    implementing system security, 47–48
    overview of, 42
    requirements of system security in, 45–46
information technology security
    common practices for, 53–54
    development cycle in, 56–59
    engineering principles for, 54–56
informative policies, 75
INFOSEC assessment, 754
infrastructure assessments, 820–821
infrastructure mode, 479
in-house developed applications, 31
init process, 233–234
initial authentication, 262
Initialization Vector (IV)
    in 802.11i, 500
    in AES-CBC mode, 497–499
    sequencing discipline of, 493–495
    in TKIP upgrades, 492–493
    in WEP security, 489–492
initiation phase, 56–57
inline network devices, 566
innd, 229
input validation, 407
insertion, steganography, 648–651
insertion-based, steganography, 647
insider threats. See also internal threats
    data protection and, 805–806
    Defense-in-Depth strategy vs., 40
    network architecture and, 525–528
    physical security in, 815
installed packages, 217–218
installing applications securely
    antivirus protection, 171–173
    application installation, 171–175
    personal firewalls, 173–174
    Pretty Good Privacy, 175
    secure FTP, 175
    Secure Shell, 174
instant messages (IMs)
    copies of, 202
    in network architecture, 526
    in server security, 420–421
integration of security components, 809–834
    analysis of log data for, 812
    antivirus software in, 833
    auditing passwords in, 823
    authentication in, 815, 823
    awareness of what is running on systems, 817
    backups in, 828–829
    best security practices in, generally, 819
    binary code in HTTP headers, 826
    budgeting in, 810–811
    code in, 831
    configuration management in, 832
    content inspection in, 826–827
    corporate espionage and, 813–814
    cross-site scripting in, 827
    defense-in-depth principle in, 816, 828
    detection in, 813–814, 817–818, 826
    disaster recovery plans in, 830
    e-mail attachments in, 827
    employee awareness in, 811–812
    enablement vs. disablement in, 814
    essential services only in, 831–832
    false alarms in, 815
    file transfers in, 827
    firewalls in, 832–833
    HTTP in, 826
    infrastructure assessments in, 820–821
    insider threats in, 815
    internal servers and outbound communications in, 820
    intrusion detection systems in, 832–833
    life cycle of security in, 814
    logging in, 825–826
    malicious URLs in, 827
    mistakes to avoid, 814–815
    monitoring outgoing communications in, 826
    naming servers in, 834
    network diagrams in, 819–820
    password policy in, 821–823
    patches in, 818, 823–824
    perimeters in, 821, 832–833
    physical security in, 815, 830
    placement of systems in, 820
    policy statements in, 819
    principles of least privilege in, 816–817
    problems facing organizations in, 809
    remote access in, 827
    secure communications in, 828
    sensitive information in, 829
    service accounts in, 823
    single-use servers in, 832
    site protection in, 815–818
    summary of, 834
    system accounts protection in, 834
    system checks in, 818
    systems within enterprises, securing all, 813
    trust relationships in, 833
    tunneling, 826
    UNIX systems in, 831
    URL directory traversal in, 827
    URL header length in, 827
    user education in, 830–831
    volume of attacks in, 811
    vulnerability assessments in, 824–825
integrity of data
    cryptography for, 574–575
    in future planning, 839
    in information system security, 35–37
    primitives in cryptography for, 602
    in Public Key Infrastructure, 689
    in steganography, 642
integrity of e-mails, 339
intellectual property, 839
interfacing with organizations. See enterprise security methodologies
internal networks, 27
internal penetration testing, 771
internal servers and outbound communications, 820
internal threats, 140–141. See also insider threats
International Mobile Subscriber Identity (IMSI), 462
International Mobile Telephone Standard 2000, 471–472
Internet, boundlessness of, 12
Internet Control Message Protocol (ICMP), 437
Internet Engineering Task Force (IETF), 722
Internet Explorer configuration options, 282–286
    advanced settings, 285–286
    content settings, 285
    encryption, 286
    general settings, 282
    Internet zones, 282–283
    local intranet zone, 283
    privacy settings, 284–285
    restricted sites zone, 284
    security settings, 282–284
    trusted sites zone, 283–284
Internet Message Access Protocol (IMAP), 344–345, 682
Internet perimeter, 145–146
Internet Protocol (IP), 442–449
    addresses, 262, 532–533
    area codes, 449
    classless interdomain routing in, 443–444
    forwarding, 219
    history of, 443
    introduction to, 442–443
    IPv6 solution for, 445–448
    network address translation in, 444–445
    in Network layer, 436
    phones, 451
    version 7, 448–449
    zone codes, 449
Internet relay chats (IRCs), 178, 420–421
Internet zones, 282–283
intruders, acquiring information about, 556
intrusion, response to. See also intrusion detection (ID)
    CERT/CC guidelines for, 717–722
    computer incident response teams for, 708
    incident handling, generally, 716–717
    Internet Engineering Task Force guidelines for, 722
    security incident notification process in, 726–727
    summary of, 727
    terminating connections with intruders, 556
intrusion detection (ID)
    antivirus approaches to, 707–708
    components of, 708
    honeypots for, 712–716
    mechanisms for, 707–712
    prevention vs. See intrusion prevention systems (IPSs)
    response in. See intrusion, response to
    summary of, 727
    systems for. See intrusion detection systems (IDSs)
    virus prevention software for, 708
    virus scanners for, 707–708
intrusion detection systems (IDSs). See also intrusion prevention systems (IPSs)
    for access control, 114
    anomaly detection in, 553–554
    architecture in, 561–564
    in Defense-in-Depth strategy, 41
    detection issues in, 555
    emerging technologies in, generally, 556–557
    host-based, 550–551, 802
    in integration of security components, 832–833
    issues of, 711–712
    layered security approach to, 723
    methods of, 553–555
    misuse detection in, 554–555
    modes of, 553–555
    network-based, 551–553
    next generation packet inspection in, 564–567
    overview of, 549–550
    packet inspection methods in, 557–561
    pattern matching detection in, 554–555
    for perimeter intrusions, 99
    responses to intrusions in. See intrusion, response to
    in risk management, 28
    summary of, 567–568
    types of, 550
    workstations, putting on networks, 177
intrusion prevention systems (IPSs). See also intrusion detection systems (IDSs)
    in data protection, 802
    exclude lists in, 567
    gateway interaction devices in, 566
    inline network devices and, 566
    packet inspection methods, 565–567
    session sniping, 566
    systems memory and process protection in, 566
    whitelists in, 567
inventory, 217
investigative searching, 315–316
invisible digital watermarking, 675
IP (Internet Protocol). See Internet Protocol (IP)
ipop services, 228
IPPs (Information Protection Policies), 44
IPSec-based virtual private networks (VPNs)
    Authentication Header of, 696–697
    Encapsulating Security Payload of, 697–698
    header modes of, 695
    overview of, 695
    transport mode of, 695
    tunneled mode of, 695–696
IPSs (intrusion prevention systems). See intrusion prevention systems (IPSs)
iptables
    advanced blocking techniques, 253, 548
    blocking incoming traffic, 248–250, 543–545
    blocking outgoing traffic, 250–251, 545–546
    for defense-in-depth, 226
    defined, 219
    logging blocked traffic, 251–253, 546–547
    packet filtering with, 247–253
IPv6 (Internet Protocol version 6)
    address autoconfiguration in, 446–447
    anycast in, 446
    header of, 448
    multicast of, 446
    overview of, 445–446
    transition to, 447
IRCs (Internet relay chats), 178, 420–421
irda, 229
ISSE (Information Systems Security Engineering). See Information Systems Security Engineering (ISSE)
issue-specific policies, 75
iterative queries, 383
IV (Initialization Vector). See Initialization Vector (IV)
IV sequencing discipline, 493–494

J
Java
    ActiveX and, 306–309
    HTTP and, 304
    permissions in, 305–306
    sandbox in, 304–305
    in Web browser configurations, 278–279
JavaScript, 279–280, 303–304
John The Ripper, 247
Joint Photographic Experts Group (JPEG), 434
journaling, 215
Joux, Antoine, 615–616
JPEG (Joint Photographic Experts Group), 434
Jsteg, 659–663
jumbograms, 562

K
KCKs (key confirmation keys), 496
kcore, 224
KEKs (key encryption keys), 496
Kerberos
    for access control, 118–121
    e-mail security and, 348
    security features of, 684–685
kernel configurations
    modules in, 220–221
    options in, 219–220
    overview of, 218–219
    /proc file systems in, 223–224
    system calls in, 221–223
kets, 617
key confirmation keys (KCKs), 496
key encryption keys (KEKs), 496
key management. See also keys
    in communication applications, 691–692
    in IEEE 802.11 wireless security, 487
    in Public Key Infrastructure, 691–692
keyed hash functions, 601–602
keys
    agreements for, 596
    in cryptography, 577
    encryption of, 495–496
    key confirmation, 496
    key encryption, 496
    management of. See key management
    pairwise master, 496
    pairwise transient, 496
keys (continued)
    pre-master, 701
    Pre-Shared, 500
    public key infrastructure. See Public Key Infrastructure (PKI)
    sharing, 595–596
    stores of, 305
    temporal, 492–496
keytable, 226
Kismet, 501
knowledge-based detection, 708
KOrinoco, 502
KryptoKnight, 121
ksh scripting language, 209
ktalk, 228
kudzu, 214, 226

L
Lamarr, Hedy, 473
language settings, 285, 406
LANMAN, 195
LANs (local area networks)
    cellular telephones and, 466–467
    in e-mail attacks, 332
    encryption in, 243
    future of, 506–507
    hubs connecting, 514
    IEEE wireless specifications, 478–480
    infrastructure-based wireless, 484
    internal, 532
    LAN-to-LAN virtual private networks, 694
    sniffing, 781
    switches connecting, 514
    trusted vs. untrusted, 150, 171
    virtual. See VLANs (virtual local area networks)
    viruses on, 172
    wireless, 459–460
laptops, 526
layered architecture, 431–432. See also specific layers
layered defenses, 40
layered security approach, 723
LCG (linear congruent pseudorandom number generator), 588
LDAP (Lightweight Directory Access Protocol), 229, 418–420
LEAP (Light Extensible Authentication Protocol), 487–488
legal issues, 105–107
    civil cases, 745
    closure, 744–745
    computer crime types, 106
    criminal cases, 746
    electronic monitoring, 106–107
    liability in, 107
liability, 107
library calls, 158
life cycles
    in digital forensics, 750
    planning for, 53–54
    in security, 814
Light Extensible Authentication Protocol (LEAP), 487–488
lighting, 99
Lightweight Directory Access Protocol (LDAP), 229, 418–420
likelihood determination, 65–66
limited examination, 740
limiting access, 212–213
linear congruent pseudorandom number generator (LCG), 588
Link Control Protocol, 438
Linux security. See also UNIX security
    boot loader passwords in, 213
    configuration control in, 218–224
    hardware changes detection in, 214
    nmap commands in, 232
    open source in, 207–208
    process control in, 225
    runlevels in, 233
    targeting, 209–210
live acquisition, 736–737
local area networks (LANs). See LANs (local area networks)
local hidden variables, 619
local intranet zones, 283
location discovery, 466
locks, 99
logging
    blocked traffic, 251–253, 546–547
    in integration of security components, 825–826
    reviews of, 30
    in server security, 416
    in Windows security, 197
logical access control, 54
Logical Link layer, 437
login authentication, 346
lookup process, 391
loss of devices, 141
low security ratings, 192
M
MAC (mandatory access control), 111
MAC layer, 478–480
mail client configurations, 349–350
Mail eXchanger (MX) records, 361–362
mail proxies, 350
mail servers, 217
mail-relaying, 348, 350
maintaining state, 262–264
maintenance of security plans, 94
MAIS (Major Automated Information System) Acquisition Programs, 80
Major Automated Information System (MAIS) Acquisition Programs, 80
malcode attacks
    on browsers, 258
    in e-mail security, 325–327
    on home workstations, 170–171
    overview of, 127–129
    in UNIX, 225
malicious code, 127–129. See also malcode attacks
malicious data detection, 560
malicious URLs, 827
management
    of configuration. See configuration management
    consoles for, 803
    of digital rights. See digital rights management (DRM)
    Information Management Policies, 44
    of keys. See key management
    of patches, 801
    reports to, 782
    of risk. See risk management
    security controls for, 69–70
    of server security, 402
    of users, 145–146
mandatory access control (MAC), 111
Mandatory Procedures for Major Defense Acquisition Programs (MDAPs), 80
man-in-the-middle attacks
    in browsers, 258
    defined, 130
    in e-mail, 332–333
mantraps, 99
master-slave relationships, 388
mathematical attacks, 132
maturity levels, 752–753, 755
Maximum Transmission Units (MTUs), 501
McAfee System Protection-McAfee Intercept Server and Desktop Agents, 155
McAfee-Internet Security Suite, 155
MD (Message Digest) hash functions, 607
MD4, 608–610
MD5, 610–613
MDAPs (Mandatory Procedures for Major Defense Acquisition Programs), 80
measuring security awareness, 78–79
Media Access Control (MAC), 517–518
Media Access layer, 437
memory protection, 566
Message Digest (MD) hash functions, 607
Message Integrity Codes (MIC), 494–495
Metasploit, 781
MIC (Message Integrity Codes), 494–495
Microsoft
    Outlook, 324–325
    upgrades from, 192–193
    Windows security recommendations, 149–151
MIME (Multipurpose Internet Mail Extensions), 434
minimum length of passwords, 822
Ministumbler, 502
mirror images, 736
misconfiguration attacks, 792
mission resilience
    availability in, 839
    confidentiality in, 839
    countermeasures in, 841–842
    future planning of, 837–844
    impact analysis in, 840–841
    integrity in, 839
    presentation of analysis results in, 843–844
    probability in, 840
    qualitative risk analysis in, 842–843
    quantitative risk analysis in, 843
    risk analysis in, 842–844
    risk in, 837–838
    threats in, 838–839
    vulnerabilities in, 839–840
misuse detection, 554–555
mitigation of risk, 69–70. See also risk management
MLS (multi-level security). See multi-level security (MLS)
mobile backups, 96
mobile stations, 462
mobile switching centers (MSCs), 462
Mockapetris, Paul, 357
modems (modulators-demodulators), 513–514, 781
moderate security ratings, 192
modulators-demodulators (modems), 513–514, 781
monitoring
    outgoing communications, 826
    security assurance evaluation mechanisms for, 774
    in server security, 416
    in Windows security, 196–197
Motion Picture Experts Group (MPEG), 434
MPEG (Motion Picture Experts Group), 434
MSCs (mobile switching centers), 462
MTUs (Maximum Transmission Units), 438
multicast, 446
multi-level security (MLS)
    background of, 422
    information control, building systems for, 423–426
    information control, challenges of, 422–423
    introduction to, 421–422
multimedia, 178
Multimode Terminal mode, 472
multiple entry points, 538–539
multiple heterogeneous rulesets, 540
multiple lines of defense, 814
multiple locations in defense strategies, 40
multiple-center processing, 96
multiprocessors support, 219
Multipurpose Internet Mail Extensions (MIME), 434
mutual aid agreements, 96
MX (Mail eXchanger) records, 361–362
mysqld, 229

N
NAC (network access control), 805
name resolution, 374–375
Name Server (NS) records, 362
named, 229
namespaces, 358
naming servers, 834
NAT (Network Address Translation), 511–513
National Information Assurance Certification and Accreditation Process (NIACAP), 756–757
National Institute of Standards and Technology (NIST). See also security assurance evaluation mechanisms
    assessment guidelines of, 765–766
    introduction to, 51, 756–757
    Special Publication 800-14, 766
    Special Publication 800-27, 766
    Special Publication 800-30, 766–769
    Special Publication 800-64, 769–770
National Security Agency Infosec Assessment Methodology (NSA-IAM), 754–755
NCP (Network Control Protocol), 438
neighbor discovery, 447
Nelson, Ted, 297
nessus, 209
net subdirectory, 224
NetBIOS, 189
netfs, 229
Netscape, 281–282
Netstat, 230–232, 414
NetStumbler, 502
network access control (NAC), 805
Network Address Translation (NAT), 511–513
network architecture
    Address Resolution Protocol and, 517–518
    attack prevention in, 528–529
    basic issues in, 513–515
    Dynamic Host Configuration Protocol and, 518–519
    insider threats and, 525–528
    Media Access Control and, 517–518
    Network Address Translation in, 511–513
    network segments in, 510–511
    overview of, 509
    perimeter defense of, 511
    of private networks, 511
    of public networks, 510
    of semi-private networks, 510
    subnetting in, 516–517
    summary of, 529
    switching in, 516–517
    VLANs and, 516–517
    of zero configuration networks, 519–524
Network Control Protocol (NCP), 438
Network File System (NFS), 226, 435
Network layer, 436–437
network protocols, 431–458
    analog telephone adaptor, 450
    in Application layer, 433–434
    for circuit switching, 451–454
    for computer-to-computer calls, 451
    in Data Link layer, 437–438
    defined, 431–432
    H.323, 457
    Internet Protocol, 442–449
    for IP phones, 451
    IPv7, 448–449
    IPv8, 448–449
    network design and, 455
    in Network layer, 436–437
    Open Systems Interconnect model for, 432–433
    for packet switching, 451–454
    in Physical layer, 438–441
    in Presentation layer, 434
    risk factors of, 455
    security issues with, 454–455
    server environments and, 456
    in Session layer, 434–435
    session-initiate protocol, 457
    softphones vs. hardware phones, 456
    summary of, 457–458
    in TCP/IP layers, 439–442
    in Transport layer, 435–436
    in VoIP, 450–458
network-based intrusion detection systems (IDSs), 551–553, 708–709
networks
    architecture of. See network architecture
    for cellular telephones, 462–463
    diagrams of, 819–820
    environments of, 273–274
    mapping of, 781
    protocols for. See network protocols
    security of. See cyber security
    segments of, 510–511
    steganography and, 641–643
    support for, 403–404
    in UNIX/Linux security, 208
    for VoIP, 455
newsgroups, 780
next generation packet inspection, 564–567
NFS (Network File System), 226, 435
NIACAP (National Information Assurance Certification and Accreditation Process), 756–757
NIST (National Institute of Standards and Technology). See National Institute of Standards and Technology (NIST)
nmap
    in penetration testing, 781
    in UNIX/Linux security, 209, 232–233
    in vulnerability assessments, 804
NMT (Nordic Mobile Telephone), 471
nonces, 347
non-dictionary words in passwords, 822
non-discretionary access control, 112
non-repudiation
    for cryptography, 576
    in Public Key Infrastructure, 689, 691
Nordic Mobile Telephone (NMT), 471
NS (Name Server) records, 362
NSA-IAM (National Security Agency Infosec Assessment Methodology), 754–755
nscd, 229
NT LanManager (NTLM) protocol, 347
ntalk, 228
ntpd, 229
nudity settings, 285
NULL sessions, 190–191

O
object reuse, 105
object-oriented databases (OODB), 123
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), 755
OFB (output feedback), 594
OFDM (Orthogonal Frequency Division Multiplexing), 477–478
Office of Management and Budget (OMB) Circular A-130, 764–765
+OK logged on POP before SMTP, 348
OMB (Office of Management and Budget) Circular A-130, 764–765
one-time pads, 585
one-way functions, 600
onsite phase, 754
OODB (object-oriented databases), 123
open authentication, 490
Open Shortest Path First (OSPF), 437
open source
    algorithms, 606–607
    in UNIX/Linux security, 208, 210–212
Open System Interconnect (OSI)
    Application layer in, 433–434
    Data Link layer in, 437–438
    layers in, generally, 432–433
    model of, 432–433
    Network layer in, 436–437
    Physical layer in, 438–439
    Presentation layer in, 434
    Session layer in, 434–435
    Transport layer in, 435–436
open-box penetration testing, 772
opening e-mails, 349
operating safely while e-mailing. See also e-mail security
    accounts for e-mails in, 349
    application versions in, 350
    architectural considerations in, 350–351
    GNU Privacy Guard for, 354–355
    mail client configurations in, 349–350
    opening e-mails in, 349
    Pretty Good Privacy in, 354–355
    sacrificial e-mail addresses in, 349
    SSH tunnels for, 351–354
operating servers safely. See also server security
    access control for, 415
    auditing for, 416
    backing up systems for, 414–415
    configuration control for, 413–415
    logging in, 416
    monitoring in, 416
    passwords in, 415–416
    physical security and, 413–414
    service minimization for, 414
    users, controlling, 415
operating systems (OSs)
    attacks on, 791
    easy-to-obtain, 208
    fingerprinting, 781
    hardening, 151–154, 800–801
    out-of-the-box, 151–154
    system calls on, 156–157
operating UNIX safely. See also UNIX security
    certificates in, 243–245
    chkconfig commands in, 235–236
    chroot in, 240
    control in, 237–243
    controlling processes in, 225
    encryption in, 243–245
    files in, 237–239
    GNU Privacy Guard for, 244
    init process in, 233–234
    introduction to, 224–225
    netstat commands in, 230–232
    nmap commands in, 232–233
    processes controlling processes in, 233–237
    ps commands in, 230
    root access in, 240–243
    Secure Shell for, 244–245
    services in, 236–237
    Set UID in, 239–241
    xinetd process in, 234–235
operating Web browsers safely. See also Web browser security
    network environments in, 273–274
    patches for, 271–272
    private data in, 274–275
    proxy servers in, 274
    recommended practices for, 275–276
    secure sites for, 272–273
    viruses in, 272
operating Windows safely. See also Windows security
    access to systems in, 179
    antivirus protection in, 180
    backups for, 191
    configuration issues in, 180–184
    data handling practices in, 185–186
    digital certificate technology for, 183
    introduction to, 177
    NetBIOS in, 189
    NULL sessions in, 190–191
    operating issues in, 184–191
    passwords in, 187–189
    physical security issues in, 179
    policy adherence for, 184
    risk behavior vs., 177–178
    software in, 183–184
    Trojan horses in, 186–187
    users in, 180–183
    viruses in, 186–187
    worms in, 186–187
operational security controls, 69–70
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 755
operation/maintenance phase, 52, 56–59
organizational approach to security, 835–836
organizational criticality matrix, 754–755
Orthogonal Frequency Division Multiplexing (OFDM), 477–478
Orwell, George, 201
OS (operating system) fingerprinting, 781
OSI (Open System Interconnect). See Open System Interconnect (OSI)
OSPF (Open Shortest Path First), 437
OSs (operating systems). See operating systems (OSs)
outdated Windows systems, 195
out-of-the-box operating system hardening, 151–154
output feedback (OFB), 594
overhead, 436
owner category, 237
P

P2P (peer-to-peer) applications, 420
packet filtering
    firewalls, 533–534
    iptables and. See packet filtering with iptables
    in packet inspection methods, 558
packet filtering with iptables, 247–253
    advanced blocking techniques, 253
    blocking incoming traffic, 248–250
    blocking outgoing traffic, 250–251
    for hardening UNIX, 247–253
    logging blocked traffic, 251–253
packet inspection methods, 557–567
    anomaly detection in, 565
    application proxies in, 558
    behavior-based anomaly detection in, 565
    content matching in, 561
    controlling operations in, 560–561
    current, 558
    emerging, 558–561
    exclude lists in, 567
    gateway interaction devices and, 566
    inline network devices and, 566
    intrusion prevention systems and, 565–567
    malicious data detection by, 560
    next generation of, 564–567
    overview of, 557
    packet filters in, 558
    protocol anomaly detection by, 559–560
    security architecture and hardware for, 561–564
    session sniping, 566
    standards compliance of, 559
    stateful filtering in, 558
    systems memory and process protection in, 566
    traffic-based anomaly detection in, 565
    whitelists in, 567
packet sniffing attacks, 204
packet switching, 452–453
pairwise master keys (PMKs), 496
pairwise transient keys (PTKs), 496
parallel tests, 97
parasite attacks, 269
parked slaves, 504
partial examination, 740–741
partial knowledge penetration testing, 772
pass phrases, 623–626
passive attacks, 14, 40
passive reconnaissance, 788–789
Password Authentication Protocol (PAP), 125
passwords
    for access control, 116
    aging of, 822
    attacks, 781
    guessing attacks, 133–134
    in hardening systems, 169–170, 247
    in operating Windows safely, 187–189
    policies for, 27–28, 821–823
    in quantum cryptography, 622–623
    in quick-start hardening, 163–164
    in server security, 415–416
    SQL injection and, 408
patches
    antivirus signatures and, 193
    for applications, 192–193
    applying, 184
    introduction to, 191–192
    management of, 801
    from Microsoft, 192–193
    policies for, 823–824
    for quick-start hardening, 161
    for Web browser and client security, 271–272
patents, 365
pattern matching detection, 554–555, 708. See also intrusion detection systems (IDSs)
PC (personal computer) physical controls, 100
PCMCIA (Personal Computer Memory Card International Association), 220, 226
PDC (Personal Digital Cellular), 471
PEAP (Protected Extensible Authentication Protocol), 488
peer-to-peer (P2P) applications, 420
pen testing. See penetration testing
penetration testing. See also security assurance evaluation mechanisms
    attack phase of, 785–786
    automated vulnerability scanners vs., 782–783
    black-box, 772
    closed-box, 772
    current state of, 780–783
    external, 771
    flow in, 780–782
    formal methodology of, 783–787
    full knowledge, 771
    gray-box, 772
    internal, 771
    introduction to, 770–771
    manual, 782–783
    open-box, 772
    partial knowledge, 772
    post-attack phase of, 787
penetration testing. See also security assurance evaluation mechanisms (continued)
    pre-attack phase of, 784–785
    security assurance evaluation mechanisms, 770–772
    for validating security, 777–779
    white-box, 771
    zero knowledge, 772
performance issues, 195, 267–268
perimeters
    defense of, 511
    in integration of security components, 832–833
    intrusion detection systems, 99
    protection of, 821
period of sine waves, 460
peripheral switch controls, 100
Perl, 209
permissions, 305–306
per-packet mixing function, 492–493
persistent connections, 296–298
persistent data, 185
Personal Computer Memory Card International Association (PCMCIA), 220, 226
personal computer (PC) physical controls, 100
personal data, 186
Personal Digital Cellular (PDC), 471
personal firewalls, 542–548, 802
personnel, 54, 102
pervasive wireless data network technologies, 473–478
PGP (Pretty Good Privacy). See Pretty Good Privacy (PGP)
phishing attacks, 31
photo processing, 178
photoelectric sensors, 99
photo-image cards, 101
PHP pages, 302–303
PHY layer, 478
physical issues
    access control, 115
    attacks, 202
    break-ins, 780
    controls for, 527–528
    environment, 830
    security as. See physical security
Physical layer, 438–441
physical security
    controls for, 30, 98–103
    for data protection, 798, 803–804
    in IEEE 802.11 wireless security, 486
    mistakes to avoid in, 815
    in operations, 179
    for server security, 413–414
    in UNIX/Linux security, 212–217
    of workstations, 175–176
piconets, 503
ping, 374–375
pipelines, 563
pirated software, 178
PKI (Public Key Infrastructure). See Public Key Infrastructure (PKI)
placement of systems, 820
placing calls, 464
plain login, 345–346
plain text, 577
Plan of Action and Milestones (POA&M), 761
plugins, 277–280
PMKs (pairwise master keys), 496
POA&M (Plan of Action and Milestones), 761
Point-to-Point Protocol (PPP), 438, 698
Point-to-Point Tunneling Protocol (PPTP), 698
policies
    adherence to, 184
    files of, 305
    for securing information technology, 53
    statements of, 819
    in tiered architecture, 540–542
POP (Post Office Protocol), 343–344, 346–348, 682
pop services, 228
popularity of browsers, 256–257
Port 1025, 159
Port 1026, 160
Port 135 - loc-srv/epmap, 158–159
Port 139 - Net BIOS Session (TCP), 159
Port 139 - Net BIOS Session (UDP), 159
Port 445, 159
port blocking, 162–163
port controls, 100
port scanning, 133, 781
port signatures, 709
portmap, 226
post accreditation phase, 757, 759
POST data, 264
Post Office Protocol (POP), 343–344, 682
POST requests, 289
postassessment phase, 754
post-attack phase of pen testing, 787
postgresql, 229
PPP (Point-to-Point Protocol), 438, 698
PPTP (Point-to-Point Tunneling Protocol), 698
preassessment phase, 754
pre-attack phase of pen testing
    discovery in, 784–785
    enumeration in, 785
    scanning in, 785
    scope of assessment for, 784
    vulnerability mapping in, 785
pre-authentication for roaming, 500
predictable query IDs, 382–383
pre-master keys, 701
preparing for attacks, 216–217
Presentation layer, 434
presentation of analysis results, 843–844
Pre-Shared Key (PSK) mode, 500
pre-shared secrets, 596
pretexting, 400
Pretty Good Privacy (PGP)
    of communication applications, 682–684
    in e-mail security, 354–355
    in Windows security, 175
prevention of intrusion. See intrusion prevention systems (IPSs)
preventive controls, 69–70, 113–114
previewing e-mails, 349–350
primitives
    asymmetric encryption in, 597–599
    block ciphers in, 593–595
    cast introduction in, 590–591
    certificate authorities in, 598
    confidentiality, integrity, availability with, 602–603
    digital signatures in, 599–600
    hash functions in, 600–602
    introduction to, 587
    keyed hash functions in, 601–602
    pseudo random number generation in, 588–589
    random number generators in, 587–591
    sharing keys in, 595–596
    stream ciphers in, 592–593
    symmetric encryption in, 591–596
    two-key encryption in, 597–599
    user input generating numbers for, 589
    web of trust in, 598–599
    whitening functions in, 589–590
principals, 686
principle of least privilege, 803
principles of security, 15–16
print daemons, 227
printers, 526
prioritization of critical systems, 92
Priority fields, 361–362
Prismtumbler, 501
privacy
    of data, 327–335
    MAC layer for, 479
    Pretty Good Privacy. See Pretty Good Privacy (PGP)
    settings for, 284–285
    in Web browser and client security, 256
private data, 186, 274–275
private keys, 689–690
private networks, 511
proactive computer forensics, 746–748
probability, 840
/proc file systems, 223–224
process areas (PAs), 752
Process IDs, 223
processes controlling processes, 233–237
productivity of browsers, 256–257
program attacks, 792
program management, 53, 79–80
program policies, 75
proof of security, 578
proprietary algorithms, 579, 606–607
Protected Extensible Authentication Protocol (PEAP), 488
protection domains, 305
protocol anomaly detection, 559–560
protocols
    Address Resolution. See ARP (Address Resolution Protocol)
    Challenge Handshake Authentication, 125
    Digital Network Architecture Session Control, 435
    for e-mail security, 340–345
    Extensible Authentication, 486–488, 491–492
    File Transfer. See File Transfer Protocol (FTP)
    Hyper Text Transfer. See HTTP (Hyper Text Transfer Protocol)
    Internet. See Internet Protocol (IP)
    Internet Control Message, 437
    Internet Message Access, 344–345
    Lightweight Directory Access, 229, 418–420
    Link Control, 438
    in network architecture, 526
    for networks. See network protocols
    packets containing, 533
    Password Authentication, 125
    Point-to-Point, 438, 698
    Post Office, 343–344
    Reverse Address Resolution, 438
    Routing Information, 437
    Secure File Transfer, 175
protocols (continued)
    Serial Line Internet, 438
    session-initiate, 457
    Simple Mail Transfer. See Simple Mail Transfer Protocol (SMTP)
    Simple Network Management, 434
    Temporal Key Integrity. See Temporal Key Integrity Protocol (TKIP)
    Transmission Control. See TCP (Transmission Control Protocol)
    Trivial File Transfer, 175, 433
    User Datagram, 436
    of VoIP, 456–457
    Wireless Application, 504–505
proxy firewalls, 535–536
proxy servers, 274
prudent man rule, 107
ps commands, 230
pseudo random number generation, 588–589
PSK (Pre-Shared Key) mode, 500
PTKs (pairwise transient keys), 496
Public Key Infrastructure (PKI)
    confidentiality in, 690
    defined, 41
    digital signatures in, 690
    introduction to, 688–689
    key management in, 691–692
    non-repudiation in, 691
    private keys vs., 689–690
    public keys in, 689–690
public networks, 510
public-private key encryption, 338–339
PUT method, 289, 299–300
putting everything together. See integration of security components

Q

qualitative risk analysis, 842–843
quantitative risk analysis, 843
quantum bits, 617–622
quantum cryptography. See also cryptography
    biometrics in, 626
    bits in, 617–622
    blackmailing in, 626–627
    computation in, 617–622
    encryption, malicious uses of, 626–628
    fast factoring of large composites in, 621–622
    pass phrases in, 623–626
    passwords in, 622–623
    secure communication channels in, 620
    secure tokens in, 624–626
    worms, encryption in, 627–628
quick-start hardening
    disabling unneeded services for, 164
    overview of, 160
    passwords in, 163–164
    patches for, 161
    port blocking for, 162–163
    removing unneeded components for, 164–165
    security template for, 166
    service packs for, 161
    sharing files and printing, removal of, 161–162

R

r commands, 226
RADIUS (Remote Authentication and Dial-In User Service), 124
random number generators
    cast introduction in, 590–591
    in cryptography, 585–586
    introduction to, 587–588
    primitives and, 587–591
    pseudo random number generation and, 588–589
    user input generating numbers for, 589
    whitening functions in, 589–590
random script, 227
RARP (Reverse Address Resolution Protocol), 438
rawdevices, 227
reactive security, 6
real time communications, 436
reasonable care, 107
reassociation, 479
rebooting, 212
rebuilding systems, 196
recognizance, 379
records, 360–361
recovery controls, 69–70
recovery teams, 98
recursion, 383–384
Redfang v2.5, 502
redundancy, 845–846
re-evaluation of systems, 196
Registry, 167
regulatory policies, 75
rekeying against key reuse, 495–496
relational databases, 121–123
remote access
    in access control, 123–125
    data protection and, 805
    in integration of security components, 827
    in risk management, 28
remote access virtual private networks (VPNs), 694
Remote Authentication and Dial-In User Service (RADIUS), 124
remote login (rlogin), 228, 434
Remote Procedure Call (RPC)
    in Session layer, 435
    in UNIX/Linux security, 226
    updating, 414
removing unneeded components, 164–165, 644
replay attacks
    on browsers, 269–270
    defined, 131
    by e-mail, 332–335
    Kerberos preventing, 685
    secure tokens and, 625
reporting, 114, 782, 787
residual risks, 70, 769
resource requirements, 92
respect for adversaries, 399
restoring compromised systems, 787
restricted sites zone, 284
results documentation, 68
resurrecting duckling solution, 487
Reverse Address Resolution Protocol (RARP), 438
reverse DNS lookups, 371–374
rexec, 228
Rice Monarch Project, 502
ring example, 645–646
RIP (Routing Information Protocol), 229, 437
risk analysis. See risk assessment
risk assessment. See also risks
    analysis in, 65, 842–844
    control recommendations in, 68
    in future planning, 837–838
    impact analysis in, 66–67
    likelihood determination in, 65–66
    in NIST SP 800–14, 768
    overview of, 63
    results documentation in, 68
    risk determination in, 67–68
    system characterization in, 63–64
    threat identification in, 64
    vulnerability identification in, 64–65
risk management. See also risks
    architecture of networks in, 27
    assessment for. See risk assessment
    attack types in, 29–30
    backdoors in, 31
    backup policies in, 29
    business systems in, 30
    calculating risk in, 70–71
    content-level inspections in, 31
    definitions in, 60–61
    demilitarized zones in, 27
    denial of applications and services in, 28
    desktop protections in, 29
    disaster recovery plans in, 29
    disposal of sensitive information in, 29
    encryption in, 29
    evaluation in, 70
    firewalls in, 31
    in information technology, 53
    in-house developed applications in, 31
    internal networks in, 27
    intrusion detection systems in, 28
    log reviews in, 30
    mitigation of risk in, 69–70, 768–769
    password policy in, 27–28
    phishing attacks in, 31
    physical security controls in, 30
    remote access in, 28
    security policy in, 27
    social-engineering attacks in, 31
    system patching in, 31
    systems development life cycle and, 61
    Trojans in, 31
    of VoIP, 455
    vulnerability scans in, 30
    wireless infrastructures in, 28
risk-based security controls, 397–398
risks. See also threats
    assessment of. See risk assessment
    assigning value to, 811
    in cyber security, 4
    defined, 61
    in e-mail security, 323
    management of. See risk management
    in server security, 395–396
    in Web browser and client security, 255–259
    in Windows security, 177–178
Rivest, Ronald, 690
rlogin (remote login), 228, 434
robustness of security, 41
rolling backups, 96
Roman Empire, 639–640
root access, 240–243
router solicitation, 447
routers, 515, 533
Routing Information Protocol (RIP), 229, 437
RPC (Remote Procedure Call). See Remote Procedure Call (RPC)
rsh, 228
rsync, 228
runlevels, 233

S

sacrificial e-mail addresses, 349
salting, 601
salvage teams, 98
sandboxes, 304–305
scalability, 393
scanning
    firewalls and, 532
    in network architecture, 528–529
    in pre-attack phase of pen testing, 785
    for vulnerabilities, 194
Schuba, Christopher, 388
scope of assessments, 784
scorecards, 761
screen snapshots, 202
screening input, 409
screensavers, 178
script kiddies, 146
scripts
    in attacks, 792
    browser protocols and, 259
    in e-mail security, 351
    techniques for, 210
SDLC (systems development life cycle). See systems development life cycle (SDLC)
searching, 315–316
secret communications. See cryptography
secure communications, 620, 828
Secure European System for Applications in a Multivendor Environment (SESAME), 121
Secure File Transfer Protocol (SFTP), 175, 434
Secure Hash Algorithms (SHA)
    defined, 607–608
    hash-generating with, 690
    SHA-1, 616
    SHA-0, 614–616
Secure Shell (SSH)
    servers, 227
    tunnels, 351–354
    for UNIX/Linux security, 244–245
    for virtual private networks (VPNs), 698–699
    for Windows security, 174
secure sites, 272–273
Secure Sockets Layer (SSL)
    communication applications in, 699–700
    cryptography in, 580
    encryption and, 410–411
    Handshake, 700–703
    in Web browser security, 264–268
secure tokens, 624–626
security assessments, 779
security assurance evaluation mechanisms, 751–774
    for accreditation, generally, 756–757, 763
    for auditing, 772–773
    black-box penetration testing, 772
    for certification, generally, 756–757, 763
    closed-box penetration testing, 772
    DIACAP, 756–757, 760–763
    DITSCAP, 758–760
    external penetration testing, 771
    Federal Information Processing Standard, 763–764
    Federal Information Security Assessment Framework, 755–756
    full knowledge penetration testing, 771
    gray-box penetration testing, 772
    for information assurance, 751–756
    internal penetration testing, 771
    introduction to, 751
    for monitoring, 774
    National Security Agency Infosec Assessment Methodology, 754–755
    NIACAP, 756–759
    NIST assessment guidelines, generally, 756–757, 765–766
    Office of Management and Budget Circular A-130, 764–765
    open-box penetration testing, 772
    Operationally Critical Threat, Asset, and Vulnerability Evaluation, 755
    partial knowledge penetration testing, 772
    penetration testing, 770–772
    Special Publications for, 766–770
    summary of, 774
    Systems Security Engineering Maturity Model, 751–753
    white-box penetration testing, 771
    zero knowledge penetration testing, 772
security awareness
    in data protection, 799
    of employees, 811–812
    in information system security management, 77–79
    in planning, 94
    server needs in, 399–400
    training in, 172
security extensions, 381–382
security features of communication applications
    for Authentication Servers, 685–686
    confidentiality in, 690
    digital signatures in, 690
    Domain Name System, 377–384
    for e-mail, 682–685
    Internet Explorer, 282–284
    introduction to, 681
    Kerberos, 684–685
    key management in, 691–692
    non-repudiation in, 691
    POP/IMAP protocols, 682
    Pretty Good Privacy, 682–684
    private keys in, 689–690
    Public Key Infrastructure, 688–690
    Secure Sockets Layer, 699–703
    summary of, 704
    Transport Layer, 699
    for virtual private networks (VPNs). See virtual private networks (VPNs)
    VoIP, 454–455
    web of trust in, 692
    Wired Equivalent Privacy, 491
    working model of, 686–688
security incident notification, 726–727
Security layer, 505
security templates, 166
semi-private networks, 510
sendmail, 229
senior management, 74–75, 94
sensitive data, 797, 829
Sequenced Packet Exchange (SPX), 436
sequencing discipline, 493–495
server authentication, 505
server content
    ActiveX and, 306–309
    client content and, 303–309
    Common Gateway Interface and, 301–302
    permissions in, 305–306
    PHP pages and, 302–303
    sandboxes for, 304–305
    security of. See server security
    in Web security, generally, 301–303
server environments, 456
server security, 395–427
    access control for, 415
    applications in, 417–421
    auditing for, 416
    awareness of need for, 399–400
    backing up systems for, 414–415
    business impact assessments in, 401
    code cleanliness in, 406
    configuration control for, 402–404, 413–415
    content injection in, 407–409
    cross-site scripting in, 407–408
    data handling in, 405–406, 417–420
    defense-in-depth principle in, 398
    designing for, generally, 396–397
    development practices for, 402, 405–411
    digital rights management in, 421–426
    dynamic scripting in, 409
    encryption for, 409–411
    FTP servers in, 417–418
    information control in, 422–426
    input validation in, 407
    instant messages in, 420–421
    Internet relay chats in, 420–421
    language choice in, 406
    Lightweight Directory Access Protocol in, 418–420
    logging in, 416
    management and, 402
    monitoring in, 416
    multi-level, 421–426
    network support for, 403–404
    operating servers safely for, 413–416
    passwords in, 415–416
    peer-to-peer applications in, 420
    physical security and, 413–414
    respect for adversaries in, 399
    risks requiring, 395–398
    screening input for, 409
    service minimization for, 414
    simplicity in, 399
    SQL injection in, 408
    stored procedures in, 408
    summary of, 427
    testing, 411–413
    users in, 415
server separation, 145–146
servers, 228
service accounts, 823
service bureaus, 97
service commands, 236–237
service detection, 230–233
service minimization, 414
service packs, 161
service redirection, 379
Service Set Identity (SSID), 490, 502
SESAME (Secure European System for Applications in a Multivendor Environment), 121
Session IDs, 262, 700
session keys, 683–684, 686
Session layer, 434–435, 504
session replay attacks, 204
session sniping, 566
Set UID, 239–241
sexual settings, 285
SFTP (Secure File Transfer Protocol), 175, 434
sgi_fam, 228
sh scripting language, 209
SHA (Secure Hash Algorithms). See Secure Hash Algorithms (SHA)
Shannon/Hartley equation, 473–475
shared key authentication, 490–491
sharing files, 161–162
sharing keys, 595–596
ships, 640
Shor's algorithm, 621–622
short-term containment solutions, 720
shutdown, 326
signal-to-noise (SNR) tool, 502
signature-based intrusion detection systems (IDSs), 708, 710
SIM (subscriber identity module), 462
Simple Mail Transfer Protocol (SMTP)
    +OK logged on POP before, 348
    in Application layer, 434
    defined, 414
    in e-mail security, 340–342
Simple Network Management Protocol (SNMP), 230, 434
simulation tests, 97
sine waves, 460
single loss expectancy (SLE), 70–71
Single Sign-On (SSO), 117–121
single-use servers, 832
SIP (session-initiate protocol), 457
site accreditation, 757
site protection
    awareness of what is running on systems, 817
    defense-in-depth principle in, 816
    detection vs. prevention for, 817–818
    introduction to, 815–816
    patches in, 818
    principles of least privilege in, 816–817
    system checks in, 818
site-to-site virtual private networks (VPNs), 694
SLE (single loss expectancy), 70–71
SLIP (Serial Line Internet Protocol), 438
slow starts, 295–296
Slurpie, 247
smart cards, 100–101
smb, 229
SMTP (Simple Mail Transfer Protocol). See Simple Mail Transfer Protocol (SMTP)
sniffing, 502, 781
SNMP (Simple Network Management Protocol), 230, 434
SNR (signal-to-noise) tool, 502
SOA (Start of Authority) records, 362
social engineering attacks
    defined, 780
    in e-mail security, 323
    overview of, 132–133
    in risk management, 31
    on workstations, 204–205
softphones, 456
software, 184, 531
software exploitation attacks, 134–135
source IP addresses, 532–533
source-routed frames, 219
spam
    denial of service attacks, 336
    in e-mail security, 335–339
    filters for, 337
    in network architecture, 528
Spam Mimic, 671–673
Special Publications (SPs)
    800-14, 766
    800-27, 766
    800-30, 766–769
    800-64, 769–770
split DNS design, 386
split-split DNS design, 386–387
spoofing
    in AOL e-mail, 378–379
    attacks, 130
    Domain Name System and, 385
    firewalls and, 532
    on zeroconf networks, 524
spread spectrum technologies
    direct sequence, 476
    frequency hopping, 476–477
    Orthogonal Frequency Division Multiplexing as, 477–478
    overview of, 473–476
    of wireless security, 473–478
SPs (Special Publications), 769–770
SPX (Sequenced Packet Exchange), 436
spyware, 200–202, 802
SQL (Structured Query Language)
    injection, 316–317, 408
    in Session layer, 435
SSAA (System Security Authorization Agreement), 757
SSE-CMM (Systems Security Engineering Capability Maturity Model), 751–753
SSH (Secure Shell). See Secure Shell (SSH)
sshd servers, 227
SSID (Service Set Identity), 490, 502
SSL (Secure Sockets Layer). See Secure Sockets Layer (SSL)
SSO (Single Sign-On), 117–121
stack data location, 155–156
standards
    for auditing, 772–773
    for packet inspection methods, 559
    for security, 75–77
    for Web services, 319
Start of Authority (SOA) records, 362
state in Web security, 309–315
    applications requiring, 310
    cookies and, 310–313
    defined, 309
    hidden fields for, 315
    hidden frames for, 314
    HTTP and, 309
    tracking of, 310
    URL tracking and, 314
    Web bugs and, 313–314
state of network security, 3–8
    attacks in, 6–7
    background of, 4–6
    overview of, 3–4
    reactive security vs., 6
    risks in, 4
    summary of, 7–8
    trends in, 6
stateful autoconfiguration, 447
stateful packet filtering, 534–535, 558
stateless autoconfiguration, 447
statements of work, 82
static IP addresses, 359
static method, 513
statistical anomaly-based intrusion detection systems (IDSs), 708, 710–711
status accounting, 89
steganography, 631–679
    algorithmic-based, 647
    availability and, 642
    camouflage and, 640–641, 669
    classification schemes of, 647–653
    color tables in, 653–654
    confidentiality and, 641–642
    covert channels vs., 638–639
    cryptography vs., 644–646
    data volume in, 643
    detection of, 643–644
    Digital Picture Envelope and, 665–669
    digital watermarking vs. See digital watermarking
    direction of, 633–634
    Easter eggs vs., 639
    EZ-Stego and, 663–664
    generation, 652–653
    Gif Shuffle and, 669–671
    grammar-based, 648
    hidden data in, 631–633
    Hide and Seek and, 657–659
    history of, 633, 639–641
    Image Hide and, 664–665
    implementing, generally, 654–655
    insertion-based, 647–651
    integrity of data and, 642
    introduction to, 631
    Jsteg and, 659–663
    network security and, 641–643
    new classification scheme of, 648–653
    original classification scheme of, 647–648
    overview of, 634–635
    principles of, 643–644
    pros and cons of, 636–637
    reasons for using, 635–636
    removal of, 644
    ring example of, 645–646
    in Roman Empire, 639–640
    in ships, 640
    Spam Mimic and, 671–673
    S-Tools and, 655–657
    substitution, 651–652
    summary of, 679
    survivability and, 642–643
    Trojan horses vs., 637–638
    types of, 646–654
    visibility of, 643
    during World Wars I and II, 640
sticky bits, 239–241
S-Tools, 655–657
storage media, 737
stored procedures, 408
strace, 221–223
stream ciphers, 589, 592–593
string signatures, 709
Structured Query Language (SQL). See SQL (Structured Query Language)
subnetting, 516–517
subscriber identity module (SIM), 462
substitution, 581–587, 651–652
survivability, 642–643
switch controls, 100
switches, 514–517
Symantec, 154
symmetric encryption
    block ciphers in, 593–595
    introduction to, 591–592
    primitives and, 591–596
    sharing keys in, 595–596
    stream ciphers in, 592–593
symmetric master keys, 496
sys directory, 224
syslog, 227
Systat, 414
system calls, 156–157, 221–223
System Information Profile (SIP), 761
System Security Authorization Agreement (SSAA), 757
systems
    accounts of, 834
    accreditation of, 757
    attacks on, 791
    characterization of, 63–64
    development life cycle of. See systems development life cycle (SDLC)
    engineering of, 37–38, 41–42
    hardening of. See hardening systems
    infrastructures of, 465–466
    management plans for, 80–87
    memory and process protection in, 566
    misuse of, 135
    patching, 31
systems development life cycle (SDLC)
    common practices and, 53–54
    engineering principles for, 53–56
    information system security and, 52–53
    of information technology, 56–59
    phases of, 51–52
Systems Security Engineering Capability Maturity Model (SSE-CMM), 751–753
system-specific policies, 75

T

tabletop exercises, 97
TACACS and TACACS+ (Terminal Access Controller Access Control Systems), 124
TACS (Total Access Communication System), 471
Tagged Image File Format (TIFF), 434
talk, 228
targeted hacks, 138–140
targeting UNIX, 207–210
TC (Trusted Computing), 421–423, 426
TCO (total cost of ownership), 841
TCP (Transmission Control Protocol)
    attacks in, 131
    HTTP traffic on, 288, 293–298
    introduction to, 435
    sequence numbers, 136
    wrappers, 247
tcpdump, 208
tcpreplay, 209
TDD (Time Division Duplex), 472
technical performance measurements (TPMs), 85
technical security management, 79–87
    controls in, 69, 100–102
    program management in, 79–80
    statements of work in, 82
    systems engineering management plans for, 80–87
    technical performance measurements in, 85
    test and evaluation master plans in, 85–87
    work breakdown structures in, 82–85
technology in Defense-in-Depth strategy, 39
telecommunications, 527
telnet, 226, 228
Telnet, 414
TEMPEST, 103, 202–203
Temporal Key Integrity Protocol (TKIP), 492–496
    Initialization Vector in. See Initialization Vector (IV)
    Message Integrity Codes and, 494–495
    per-packet mixing function of, 492–493
    rekeying against key reuse in, 495–496
temporal keys (TKs), 496
TEMPs (test and evaluation master plans), 85–87
Terminal Access Controller Access Control System (TACACS), 124
terminating connections with intruders, 556
test and evaluation master plans (TEMPs), 85–87
testing
    environments for, 403
    security. See security assurance evaluation mechanisms
    server security, 411–413
    tools, 501–503
    in workstations, putting on networks, 175
testing Windows security. See also Windows security
    auditing for, 197
    cleaning up systems for, 197–198
    logging in, 197
    monitoring in, 196–197
    outdated Windows systems and, 195
    performance issues in, 195
    questionable applications in, 194
    re-evaluation and rebuilding in, 196
    scanning for vulnerabilities, 194
TFTP (Trivial File Transfer Protocol), 175, 433
theft, 141, 212
threats, 127–142
    back door, 130
    birthday, 133–134
    defined, 61
    demon-dialing, 136
    denial-of-service, 129–130
    device loss and theft, 141
    distributed denial-of-service, 136–138, 528
    dumpster diving, 133
    eavesdropping, 135
    espionage, 138–140
    evaluating. See risk assessment
    external attack methodologies, 136–140
    fragmentation, 131–132
    in future planning, 838–839
    hijacking, 131
    identification of, 64
    internal threats, 140–141
    malicious code, 127–129
    man-in-the-middle, 130
    mathematical, 132
    password guessing, 133–134
    physical, 98
    port scanning, 133
    replay, 131
    social engineering, 132–133
    software exploitation, 134–135
    sources of, 61
    spoofing, 130
    summary of, 142
    system misuse, 135
    targeted hacks, 138–140
    Transmission Control Protocol, 131, 136
    types of, generally, 129
    unintentional filesharing, 140–141
    viruses, 127–129
    war driving, 136
    war-dialing, 136
    weak keys, 132
throughput rates, 101
ticket-granting tickets, 687–688
tickets, 686
tiered architecture, 537–538, 540–542
TIFF (Tagged Image File Format), 434
time, 228, 262
Time Division Duplex (TDD), 472
Time Division Multiple Access (TMDA), 469
timing objectives, 95–96
TKIP (Temporal Key Integrity Protocol). See Temporal Key Integrity Protocol (TKIP)
TKs (temporal keys), 496
TLS (Transport Layer Security), 488, 703
TMDA (Time Division Multiple Access), 469
top-level domains, 365–370
Total Access Communication System (TACS), 471
total cost of ownership (TCO), 841
TPMs (technical performance measurements), 85
tracking, 310
trade secrets, 839
traffic
    blocking, 248–251, 546–547
    HTTP, 293–298
    incoming, 248–250
    logging, 546–547
    outgoing, 250–251
traffic-based anomaly detection, 565
training in security awareness, 78, 172
Transaction layer, 505
Transaction Signatures (TSIGs), 380–381
Transmission Control Protocol (TCP). See TCP (Transmission Control Protocol)
Transport layer, 435–436, 505
Transport Layer Security (TLS)
    in IEEE 802.11 wireless security, 488
    security features of communication applications for, 699
    SSL Handshake and, 703
    in Web browser security, 264–265
transport mode of IPSec-based VPNs, 695
transport of Web services, 319
trends in cyber security, 9–17
    active attacks in, 13–14
    attack types in, 12–14
    boundlessness of Internet and, 12
    breaches of security and, 10–11
    changes as, 16–17
    current state of, 11–12
    introduction to, 6
    new approaches as, 15
    passive attacks in, 14
    principles of, 15–16
    summary of, 17–18
Trivial File Transfer Protocol (TFTP), 175, 433
Trojan horses
    avoiding, 186–187
    exploiting systems, 794
    in risk management, 31
    steganography vs., 637–638
    on workstations, 200
true negative detection results, 555
true positive detection results, 555
trust anchors, 391
trust boundaries, 399
trust relationships, 815, 833
Trusted Computing (TC), 421–423, 426
trusted signature introducers, 692
trusted sites zone, 283–284
TSIGs (Transaction Signatures), 380–381
tunneled mode of IPSec-based VPNs, 695–696
Tunneled TLS (Transport Layer Security), 488
tunneling, 826
tunnels in Secure Shell (SSH), 351–354
    configuring e-mail clients for, 353–354
    establishing SSH sessions and, 353
    overview of, 351–353
    pros and cons of, 354
two-key encryption
    certificate authorities in, 598
    introduction to, 597–598
    in primitives, 597–599
    web of trust in, 598–599
two-way authentication, 505
TYPE, 307
type accreditation, 757
Type I errors, 100
Type II errors, 100

U

UDP (User Datagram Protocol), 436
UHF (Ultra-High Frequency), 460–461
UID (User Identifier), 239–241
Ultra-High Frequency (UHF), 460–461
UMTS (Universal Mobile Telecommunications Systems), 472–473
Uniform Resource Locators (URLs), 314, 827
unintentional filesharing, 140–141
uniqueness of passwords, 822
Universal Mobile Telecommunications Systems (UMTS), 472–473
UNIX security, 207–254
    automatic update servers in, 218
    backups without detection in, 216
    blocking techniques in, 248–253
    configuration for, 245–246
    configuration for hardening, 217–224
    detection in, 217
    disk partitioning in, 215–216
    expert users in, 210
    file sharing/transfer in, 218
    files in, 210
    focus of, 207
    hardening for, 245–253
    hardware changes detection in, 214–215
    incoming traffic in, 248–250
    information exchange in, 209
    installed packages in, 217–218
    integrating components of, 831
    inventory in, 217
    kernel configurations in, 218–224
    limiting access for, 212–213
    logging blocked traffic, 251–253
    mail servers in, 217
    network and development tools in, 208
    open source in, 208, 210–212
    operating safely. See operating UNIX safely
    operating systems in, 208
    outgoing traffic in, 250–251
    packet filtering with iptables for, 247–253
    passwords in, 247
    physical security in, 212–217
    /proc file systems in, 223–224
    script techniques in, 210
    services in, 225–233
    summary of, 253–254
    system calls in, 221–223
    targeting UNIX, 207–210
    TCP wrapper for, 247
    versions and builds in, 209
upgrades
    of antivirus signatures, 193
    for applications, 192–193
    from Microsoft, 192–193
    for Windows security, 149
    of Windows versions, 194
uploading programs, 793
URLs (Uniform Resource Locators), 314, 827
U.S. government policies, 75
user accounts, 181–183
User Datagram Protocol (UDP), 436
User Identifier (UID), 239–241
user level accounts, 168–169
users
    controlling, 415
    education of, 805, 830–831
    groups of, 168
    input of generating numbers, 589
    issues of, 54
    keystrokes of, 201
    managing, 145–146
    rights of, 180

V

validating security, 777–795
    attack phase of penetration testing in, 785–786
    automated vulnerability scanners for, 782–783
    of data protection, 799
    exploitation of systems and. See attackers exploiting systems
    flow in current penetration testing, 780–782
    manual penetration testing for, 782–783
    overview of, 777–779
    penetration testing, current state of, 780–783
    penetration testing, formal methodology of, 783–787
    penetration testing in, generally, 777–779
    post-attack phase of penetration testing in, 787
    pre-attack phase of penetration testing in, 784–785
    security assessments in, 779
    summary of, 795
validation phase, 757, 759
van Dam, Dr. Andries, 298
verification phase, 757, 759
verifiers, 686
de Vigenere, Blaise, 582
Vigenere cipher, 582–585
violations reports, 114
violence settings, 285
virtual local area network (VLAN) separation. See VLANs (virtual local area networks)
virtual machines, 805
virtual private networks (VPNs)
    Authentication Header of IPSec-based, 696–697
    design issues in, 693–694
    IPSec-based, 695–698
    overview of, 692–693
    Point-to-Point Protocol for, 698
    Point-to-Point Tunneling Protocol and, 698
    Secure Shell for, 698–699
    transport mode of IPSec-based, 695
    tunneled mode of IPSec-based, 695–696
virus scanners, 707–708
viruses
    attacks of, 127–129
    avoiding, 186–187
    in e-mail security, 350
    software prevention for, 708
    in Web browser and client security, 272
    on workstations, 198–199
visibility, 643
visible digital watermarking, 675
visitor location registers (VLRs), 463
VLANs (virtual local area networks)
    in defense-in-depth methodology, 145–146
    network architecture and, 516–517
    in network design, 455
    in server security, 404
VLRs (visitor location registers), 463
VoIP (Voice over Internet Protocol), 450–458
    analog telephone adaptors and, 450
    circuit switching vs., 451–452
    computer-to-computer calls via, 451
    crossover requirements of, 456
    H.323, 457
    IP phones for, 451
    network design for, 455
    packet switching of, 452–453
    protocols of, 456–457
    reasons for using, 453
    risk factors of, 455
    security issues with, 454–455
    server environments of, 456
    session-initiate protocol for, 457
    softphones vs. hardware phones with, 456
volatile information, 738
vulnerabilities
    analysis of, 528
    assessment of, 93, 824–825
    of browsers, 258
    in data protection, 804
    defined, 61
    exploiting, 172
    in future planning, 839–840
    identification of, 64–65
    scanning for, 30, 194
    statistics on, 384
    of Windows, 154–158
vulnerability mapping, 781, 785
vulnerability scanners, 781

W

W97M_SPY.A, 270
walk-through tests, 97
WAN (wide area networks), 145–146, 488–489
Wang, Xiaoyun, 616
WAP (Wireless Application Protocol), 504–505
war driving attacks, 136
war-dialing, 136
warez lists, 418
warm sites, 96
wavelength of sine waves, 460
Wavemon, 502
WBSs (work breakdown structures), 82–85
weak keys, 132
Web activity, 526
Web application attacks, 781
Web browser configurations, 276–286
    ActiveX in, 278
    caches in, 281–282
    content settings, 285
    cookies, 281
    cookies in, 276–277
    encryption in, 281, 286
    histories in, 281
    for Internet Explorer, 282–286
    for Internet zones, 282–283
    Java, 278–279
    JavaScript, 279–280
    for local intranet zones, 283
    Netscape in, 281–282
    plugins, 277–280
    privacy settings, 284–285
    for restricted sites zone, 284
    for trusted sites zone, 283–284
Web browser security, 255–286
    attacks on browsers, 268–269
    caching in, 264
    configurations of browsers for. See Web browser configurations
    convenience in, 256
    cookies in, 260–262
    encryption in, 286
    evolution of, 257
    functioning of browsers and, 259–265
    hijacking attacks in, 268–269
    HTTP in, 259–261
    Internet Explorer in, 282–286
    maintaining state in, 262–264
    operating browsers safely for. See operating Web browsers safely
    parasites on browsers, 269
    patches for, 271–272
    privacy vs., 256
    productivity and popularity of browsers vs., 256–257
    protections in browsers for, 258–259
    replay attacks on browsers, 269–270
    risks requiring, 255–259
    Secure Socket Layer in, 264–268
    summary of, 286
    Transport Layer Security in, 264–265
    vulnerabilities of browsers and, 258
Web browsers
    attacks on, 268–269
    caching by, 264
    configuring. See Web browser configurations
    cookies and, 260–262
    HTTP for, 259–261
    maintaining state of, 262–264
    operating safely, 271–276
    Secure Socket Layer in, 264–268
    security of. See Web browser security
    Transport Layer Security for, 264–265
Web browsing, 170, 178
Web bugs, 313–314
web of trust, 598–599, 692
Web search engines, 780
Web security
    account harvesting in, 315–316
    ActiveX and, 306–309
    attacks on Web servers, 315–317
    browsers and. See Web browser security
    client content and, 303–309
    Common Gateway Interface in, 301–302
    HTTP in. See HTTP (Hyper Text Transfer Protocol)
    Java and, 304–309
    JavaScript and, 303–304
    permissions in, 305–306
    PHP pages and, 302–303
    sandboxes in, 304–305
    server content and, 301–303
    SQL injection in, 316–317
    state in. See state in Web security
    summary of, 321
    Web services, 317–321
Web services
    descriptions of, 320–321
    discovery of, 321
    overview of, 317–319
    standards and protocols for, 319
    transport of, 319
    Web security, 317–321
    XML messaging and, 319–320
Web site maintenance, 178
Wellenreiter, 501
WEP (Wired Equivalent Privacy). See Wired Equivalent Privacy (WEP)
WEPCrack, 502
WepLab, 501
white-box penetration testing, 771
whitelisting, 338, 567
whitening functions, 589–590
whois databases, 780
wide area networks (WAN), 145–146, 488–489
wIDS (wireless intrusion detection system), 503
WIDTH, 307
WIDZ, 503
WiFi Scanner, 503
WiMax, 506–507
Windows
    configuration of, 172
    data protection in, 800
    operating safely. See operating Windows safely
    security of. See Windows security
    updates for, 149, 191–195
    upgrades of, 194
Windows, hardening. See also Windows security
    hosts in, 145–146, 149
    out-of-the-box operating system in, 151–154
    quick-start, 160
    system hardening in, 166–170
Windows 2003, 158–160
Windows security
    ad support in, 200–201
    antivirus protection in, 149, 171–173
    applications in, 171–175, 192–194
    architecture in, 176–177
    attacks on, 198–205
    auditing for, 197
    AUTORUN vs., 167
    back door attacks on, 203
    for business workstations, 170
    cleaning up systems for, 197–198
    denial-of-service attacks on, 203
    disabling unneeded services for, 164
    ease-of-use and, 147
    file extension attacks on, 204
    files in, 161–162, 167
    firewalls in, 149, 177
    hackers targeting, 147–148
    hardening for. See Windows, hardening
    hijacking attacks on, 204
    for home workstations, 170–171
    intrusion detection systems for, 177
    logging in, 197
    maintaining, 194–198
    Microsoft recommendations for, 149–151
    monitoring in, 196–197
    operating Windows safely for. See operating Windows safely
    overview of, 145–146
    packet sniffing attacks on, 204
    passwords in, 163–164, 169–170
    patches for, 161, 191–194
    performance issues in, 195
    personal firewalls for, 173–174
    physical security, 175–176, 202
    port blocking for, 162–163
    ports in, 159–160
    Pretty Good Privacy for, 175
    reasons for, 148–149
    re-evaluation and rebuilding in, 196
    Registry in, 167
    removing unneeded components for, 164–165
    scanning for, 194
    secure FTP for, 175
    Secure Shell for, 174
    security template for, 166
    service packs for, 161
    session replay attacks on, 204
    signatures for, 193
    social engineering attacks on, 204–205
    spyware, 200–202
    summary of, 205
    TEMPEST attacks on, 202–203
    testing. See testing Windows security
    Trojan horses in, 200
    users and, 168–169
    viruses in, 198–199
    vulnerability protections in. See Windows vulnerability protections
    workstations and, 175–179
    worms in, 199–200
Windows vulnerability protections. See also Windows security
    academic technologies/ideas for, 155–158
    canary values, 157
    library call safety in, 158
    McAfee for, 155
    operating safely for. See operating Windows safely
    stack data location rearrangement, 155–156
    Symantec for, 154
    system calls, 156–157
    vulnerability protections, 154–158
Wired Equivalent Privacy (WEP)
    802.1X authentication and, 491–492
    Crack in, 502
    for IEEE 802.11 wireless security, 486, 489–496
    Initialization Vector in, 489–492
    Message Integrity Codes and, 494–495
    open authentication in, 490
    overview of, 486, 489–490
    per-packet mixing function of, 492–493
    rekeying against key reuse in, 495–496
    security upgrades of, 491
    shared key authentication in, 490–491
    Temporal Key Integrity Protocol and, 492–496
wireless access points, 781
Wireless Application Protocol (WAP), 504–505
wireless channels, 481–482
wireless infrastructures, 28
wireless intrusion detection system (wIDS), 503
wireless network security stack, 486–489
wireless proximity readers, 101
wireless security
    3G cellular technologies in, 507
    Advanced Mobile Phone System in, 470–471
    Bluetooth in, 503–504
    cell phones and. See cellular telephones
    Cellular Digital Packet Data in, 471
    Code Division Multiple Access in, 469–470
    electromagnetic spectrum in, 459–461
    Frequency Division Multiple Access in, 469
    future of, 506
    IEEE 802.11 wireless security. See IEEE 802.11
    IEEE 802.20 for, 507
    IEEE wireless LAN specifications for, 478–480
    of International Mobile Telephone Standard 2000, 471–472
    MAC layer in, 478–480
    Nordic Mobile Telephone in, 471
    Personal Digital Cellular in, 471
    of pervasive wireless data network technologies, 473–478
    PHY layer in, 478
    of spread spectrum technologies, 473–478
    summary of, 508
    Time Division Multiple Access in, 469
    Total Access Communication System in, 471
    of Universal Mobile Telecommunications System, 472–473
    WiMax and, 506–507
    Wireless Application Protocol in, 504–505
    of wireless transmission systems, 469–473
wireless transmission systems, 469–473
wireless WAN (wide area networks), 488–489
WireShark, 208
word processing, 170
work breakdown structures (WBSs), 82–85
workstations
    attacks on, 198–205
    back door attacks on, 203
    business, 170
    denial-of-service attacks on, 203
    firewalls in, 177
    hijacking attacks on, 204
    home, 170–171
    intrusion detection systems on, 177
    in network architecture, 176–177
    not in use, 179
    physical security in, 175–176
    putting on networks, 175–177
    social engineering attacks on, 204–205
    software on, 183–184
    testing, 175
    Trojan horses on, 200
    viruses on, 198–199
    worms attacking, 199–200
world category, 237
World Wars I and II, 640
worms
    in quantum cryptography, 627–628
    on Windows, 186–187
    on workstations, 199–200
write blockers, 735

X

X.509 standard, 598, 700–702
xfs, 227
xinetd process, 227, 234–235
XML (Extensible Markup Language), 319–320
XOR function, 585–586
XSS (cross-site scripting), 407–408, 827
X-Window System, 435
Y

Yin, Yiqun Lisa, 616
Yu, Hongbo, 616

Z

zero configuration networks, 519–524
zero knowledge penetration testing, 772, 780
zeroconf, 521–524
zero-day attack prevention, 155
Zimmerman, Phil, 682
zip algorithms, 296
zone files, 362–364
zone records, 360–361
zone transfers
    alternatives to, 382
    Domain Name System in, 381–382, 388
    historical problems of, 380
    introduction to, 379–382
    master-slave relationships and, 388
    requiring certificates in, 380–381
    specifying transfer sites for, 380
zones, defined, 359