E-Book, English, 270 pages
Blyth / Kovacich, Information Assurance
2nd edition, 2006
ISBN: 978-1-84628-489-2
Publisher: Springer
Format: PDF
Copy protection: 1 - PDF watermark
Security in the Information Environment
Series: Computer Communications and Networks
This updated edition will help IT managers and assets protection professionals to assure the protection and availability of vital digital information and related information systems assets. It contains major updates and three new chapters. The book uniquely bridges the gap between information security, information systems security and information warfare. It re-examines why organizations need to take information assurance seriously.
Contents (page numbers as in the PDF)

Second Edition Dedications  p. 6
Quotations  p. 7
Foreword  p. 8
Second Edition Preface  p. 10
Acknowledgements  p. 14
Contents  p. 15

Section 1: An Introduction to Information Assurance  p. 16
  1 What is Information Assurance?  p. 17
    1.1 Information Assurance and Its Subset: Information Security  p. 17
      1.1.1 Interruption, Interception, Modification and Fabrication  p. 18
      1.1.2 Information Assurance in Context  p. 19
    1.2 Information Warfare  p. 21
      1.2.1 Perspectives on Information Warfare  p. 23
      1.2.2 Nature of the Threat  p. 24
    1.3 Information Operations  p. 25
      1.3.1 The Physical Level  p. 26
      1.3.2 The Information Structure Level  p. 27
      1.3.3 Perceptual Level  p. 27
    1.4 Summary  p. 29
  2 The World of Information  p. 30
    2.1 What is Information?  p. 30
    2.2 Properties of Information  p. 30
    2.3 Information and Competitive Advantage  p. 31
      2.3.1 Proprietary Advantage  p. 32
      2.3.2 One-Step Ahead  p. 32
      2.3.3 Discontinuity  p. 32
      2.3.4 Implementation  p. 33
    2.4 Birth of the Internet and Cyber-Crime  p. 33
    2.5 Power of Information  p. 35
    2.6 Consumer-Provider Model of Information Usage  p. 37
      2.6.1 Generation, Validation and Propagation  p. 38
      2.6.2 Acquisition, Integration and Selection  p. 38
    2.7 Intelligence Model of Information Usage  p. 39
    2.8 Summary  p. 41
  3 The Theory of Risks  p. 42
    3.1 Threats, Vulnerabilities and Risks  p. 42
    3.2 Threats and Threat Agents  p. 42
      3.2.1 The Natural Threat Agents  p. 45
      3.2.2 The Unintentional Threat Agents  p. 45
      3.2.3 The Intentional Threat Agents  p. 46
    3.3 Threat Components Applying to Malicious Threats  p. 48
      3.3.1 Threat Agent  p. 48
      3.3.2 Capability  p. 49
      3.3.3 Threat Inhibitors  p. 49
      3.3.4 Threat Amplifiers  p. 50
      3.3.5 Threat Catalysts  p. 51
      3.3.6 Threat Agent Motivators  p. 51
    3.4 Vulnerabilities  p. 52
    3.5 Risk and Risk Management  p. 57
      3.5.1 Threat Matrix  p. 60
      3.5.2 Risk Management  p. 61
      3.5.3 Five Principles of Risk Management  p. 61
      3.5.4 Sixteen Successful Practices  p. 61
    3.6 Summary  p. 64
  4 The Information World of Crime  p. 65
    4.1 Introduction  p. 65
    4.2 Information Systems and Crime  p. 66
    4.3 Modus Operandi  p. 67
    4.4 Information Systems Crime Adversarial Matrix  p. 68
      4.4.1 Organisational Characteristics  p. 69
      4.4.2 Operational Characteristics  p. 69
      4.4.3 Behavioural Characteristics  p. 70
      4.4.4 Resource Characteristics  p. 70
    4.5 Motives of the Cyber Criminal  p. 71
      4.5.1 Power Assurance (aka Compensatory)  p. 71
      4.5.2 Power Assertive (aka Entitlement)  p. 73
      4.5.3 Anger Retaliatory  p. 74
      4.5.4 Sadistic  p. 75
      4.5.5 Profit Oriented  p. 75
    4.6 A Model of Information Systems' Intrusions  p. 76
      4.6.1 Target Identification  p. 77
      4.6.2 Motivational Factors  p. 78
      4.6.3 Choice Criteria  p. 79
      4.6.4 Target Selection and Intelligence  p. 79
      4.6.5 Open Source Intelligence  p. 80
      4.6.6 Topology  p. 81
      4.6.7 The Deployment Decision  p. 81
      4.6.8 Vulnerability Management  p. 81
    4.7 Summary  p. 82
  5 IA Trust and Supply Chains  p. 83
    5.1 Introduction  p. 83
    5.2 Developing a Conceptual Model of Trust  p. 84
      5.2.1 NICE Model of Trust  p. 85
      5.2.2 Trust Footprint  p. 87
    5.3 Supply Chains  p. 88
    5.4 Analysis of Supply Chains  p. 92
      5.4.1 Primary Activities  p. 93
      5.4.2 Support Activities  p. 94
      5.4.3 Industry Value Chain Showing Strategic Alliances Between Organisations  p. 94
    5.5 Summary  p. 96
  6 Basic IA Concepts and Models  p. 97
    6.1 Introduction  p. 97
    6.2 IA Goals and Objectives  p. 98
    6.3 Three Basic Concepts  p. 98
      6.3.1 Access Controls  p. 98
      6.3.2 Individual Accountability  p. 99
      6.3.3 Audit Trails  p. 100
    6.4 The Information Value Model  p. 101
      6.4.1 Valuing Information  p. 101
      6.4.2 How to Determine the Value of Corporate Information  p. 101
      6.4.3 The Value of Information  p. 102
    6.5 Three Basic Categories of Information  p. 103
      6.5.1 Personal, Private Information  p. 103
      6.5.2 Business Information  p. 104
    6.6 Determining Information Value Considerations  p. 105
      6.6.1 Questions to Ask When Considering Information Value  p. 106
    6.7 Another View of Information Valuation  p. 107
      6.7.1 The Information Environment  p. 107
      6.7.2 Value of Information  p. 108
    6.8 The Need-To-Know Model  p. 108
    6.9 The Confidentiality-Integrity-Availability Model  p. 110
      6.9.1 Confidentiality  p. 110
      6.9.2 Integrity  p. 110
      6.9.3 Availability  p. 110
    6.10 The Protect-Detect-React-Deter Model  p. 111
      6.10.1 Protect  p. 111
      6.10.2 Detect  p. 111
      6.10.3 Case Example: Do not Rush to Judgement  p. 113
      6.10.4 React  p. 114
      6.10.5 Deter  p. 115
      6.10.6 Questions and Some Answers to Think About  p. 115
    6.11 IA Success Considerations  p. 116
    6.12 Summary  p. 116
  7 The Role of Policy in Information Assurance  p. 117
    7.1 Introduction  p. 117
    7.2 A Model of Policy Development  p. 117
    7.3 Types of IA Policies  p. 118
    7.4 Acceptable Usage Policy  p. 120
    7.5 Summary  p. 121

Section 2: IA in the World of Corporations  p. 122
  8 The Corporate Security Officer  p. 123
    8.1 A Short History of the World of Corporate Security  p. 123
    8.2 The Corporate Security Officer  p. 126
    8.3 Corporate Security Duties and Responsibilities  p. 127
    8.4 Corporate Security Support Tools and Processes  p. 128
    8.5 The More Things Change the More They Don't  p. 129
    8.6 Information Assurance: Whose Responsibility Is It?  p. 130
    8.7 Is IA a Corporate Security Responsibility?  p. 131
    8.8 Summary  p. 133
  9 Corporate Security Functions  p. 134
    9.1 Introduction  p. 134
    9.2 Corporate Security IA-Related Functions  p. 135
      9.2.1 Evaluate Current Security Requirements  p. 135
      9.2.2 Corporate Security Plan  p. 136
      9.2.3 Management Direction for Security Activities  p. 136
      9.2.4 Interface with Other Directors  p. 137
      9.2.5 Comply with Contractual, Customer and Regulatory Requirements  p. 137
      9.2.6 Corporate-Wide InfoSec Program  p. 138
      9.2.7 Corporate-Wide Crisis Management Program  p. 138
      9.2.8 Establish Common Security Processes  p. 139
      9.2.9 Provide Productive and Safe Working Environment  p. 139
      9.2.10 Corporate Security Measurement System  p. 139
      9.2.11 Common Managerial Accountabilities  p. 140
      9.2.12 Physically Secure Environment  p. 140
      9.2.13 Government Compliance Requirements  p. 142
      9.2.14 Corporate Management Guidance  p. 142
      9.2.15 Security Liaison Activities  p. 143
      9.2.16 Co-ordinate Corporate Security Policies and Procedures  p. 143
      9.2.17 Corporate-Wide Contingency Plan  p. 144
      9.2.18 Corporate Crisis Management Room  p. 145
      9.2.19 Corporate-Wide Security Measurement System  p. 145
      9.2.20 Law Enforcement Liaison  p. 145
      9.2.21 Chair Corporate Security Council  p. 145
      9.2.22 Corporate Security Policy and Procedures  p. 146
      9.2.23 CSO as IA Leader  p. 147
    9.3 Summary  p. 147
  10 IA in the Interest of National Security  p. 148
    10.1 Introduction  p. 148
      10.1.1 IA: A Definition  p. 149
      10.1.2 Levels of Protection  p. 150
      10.1.3 System Assurance  p. 150
    10.2 National Security Classified Information  p. 150
      10.2.1 An Example of National Security Information Impact  p. 153
    10.3 IA Requirements in the National Security Arena  p. 153
      10.3.1 IA Objective in the National Security Environment  p. 155
      10.3.2 Responsibilities  p. 155
      10.3.3 Collective IA Controls  p. 156
      10.3.4 Government Customer Approval Process  p. 156
      10.3.5 AIS Modes of Operation  p. 157
      10.3.6 The Appointment of the Defence Industry-Related Corporation's Focal Point for IA  p. 158
      10.3.7 Documenting and Gaining Government Customer Approval for Processing, Storing and Transmitting National Security Information  p. 158
    10.4 Summary  p. 160
    A Case Study  p. 161
  11 The Corporate IA Officer  p. 165
    11.1 The Corporate Information Assurance Officer  p. 165
      11.1.1 CIAO Position  p. 166
      11.1.2 CIAO Duties and Responsibilities  p. 166
      11.1.3 Goals and Objectives  p. 168
      11.1.4 Leadership Position  p. 169
      11.1.5 Vision, Mission and Quality Statements  p. 171
    11.2 Summary  p. 173
  12 IA Organisational Functions  p. 174
    12.1 Determining Major IA Functions  p. 174
    12.2 IA Functions and Process Development  p. 177
      12.2.1 IA Requirements Function  p. 177
      12.2.2 IA Policy Function  p. 178
      12.2.3 IA Procedures Function  p. 179
      12.2.4 Systems IA Architecture Function  p. 180
      12.2.5 IA Awareness and Training Function  p. 180
      12.2.6 Access Control and Audit Records Analyses Functions  p. 182
      12.2.7 Evaluation of all Hardware, Firmware and Software Functions  p. 184
      12.2.8 Applying Risk Management Principles and Establishing a Risk Management Function  p. 186
      12.2.9 IA Tests and Evaluations Function  p. 187
      12.2.10 IA Non-Compliance Inquiries Process  p. 188
      12.2.11 IA Contingency Planning and Disaster Recovery Function  p. 189
    12.3 Summary  p. 192
  13 Incident Management and Response  p. 194
    13.1 Incident Triage  p. 196
    13.2 Incident Coordination  p. 196
    13.3 Incident Resolution  p. 197
    13.4 Proactive Activities  p. 197
      13.4.1 Information Provision and Sharing  p. 197
      13.4.2 Security Tools  p. 198
      13.4.3 Education and Training  p. 198
      13.4.4 Product and Services Evaluation  p. 199
      13.4.5 Site Security Auditing  p. 199

Section 3: Technical Aspects of IA  p. 200
  14 IA and Software  p. 201
    14.1 Operating Systems and Trusted Systems  p. 201
      14.1.1 Security Policies  p. 201
      14.1.2 Models of Security  p. 202
      14.1.3 Security Methods of Operating Systems  p. 204
      14.1.4 Typical Operating System Flaws  p. 205
    14.2 Databases and Database Security  p. 205
      14.2.1 Physical Database Integrity  p. 206
      14.2.2 Logical Database Integrity  p. 207
      14.2.3 Element Integrity  p. 208
      14.2.4 Access Control  p. 209
      14.2.5 Auditability  p. 210
      14.2.6 User Authentication  p. 210
      14.2.7 Availability  p. 211
      14.2.8 Database Case Study  p. 211
    14.3 Application Software  p. 212
      14.3.1 Malicious Code  p. 212
      14.3.2 Viruses  p. 217
      14.3.3 Bots and Bot-Nets  p. 218
    14.4 Digital Tradecraft  p. 219
      14.4.1 Digital Tradecraft Defined  p. 219
      14.4.2 Digital Dead Drop  p. 220
    14.5 Steganography  p. 221
    14.6 Summary  p. 222
  15 Applying Cryptography to IA  p. 223
    15.1 Principles of Encryption  p. 223
    15.2 Symmetric Ciphers  p. 225
    15.3 Asymmetric Ciphers  p. 225
    15.4 Digital Signatures and Certificates  p. 226
    15.5 Key Management and Key Distribution  p. 229
    15.6 Summary  p. 231
  16 IA Technology Security  p. 232
    16.1 Biometrics  p. 232
      16.1.1 The Role and Function of Biometrics  p. 232
      16.1.2 Analysis of Basic Biometric Models  p. 233
      16.1.3 Fingerprint Verification  p. 234
      16.1.4 Iris Analysis  p. 235
      16.1.5 Facial Analysis  p. 236
      16.1.6 Hand Geometry  p. 236
      16.1.7 Speech Analysis  p. 237
      16.1.8 Hand-Written Signature Verification  p. 237
      16.1.9 Threats and Risks to Biometrics  p. 238
    16.2 EMP Weapons and HERF Guns  p. 239
    16.3 TEMPEST  p. 239
    16.4 Closed Circuit Television  p. 241
    16.5 Microsoft and Network Security  p. 243
    16.6 Summary  p. 244
  17 Security Standards  p. 245
    17.1 BS7799 and ISO17799  p. 245
    17.2 ISO13335  p. 247
    17.3 Common Criteria  p. 248
    17.4 Summary  p. 250

Section 4: The Future and Final Comments  p. 251
  18 The Future, Conclusions and Comments  p. 252
    18.1 Information Assurance: Getting There  p. 252
      18.1.1 The New Threat of Terrorism  p. 253
    18.2 Welcome to the World of Constant Change  p. 254
      18.2.1 Changes in Societies  p. 254
      18.2.2 Economic, Global Competition  p. 256
      18.2.3 Technology  p. 257
      18.2.4 The IA Professional  p. 260
    18.3 Summary  p. 261

Biography  p. 262
Index  p. 264