Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Previous Chapter

Index

A

“AAA of access control”
Acceptable usage policy (AUP)
1. authorized security controls
2. change regulations
3. consequences of violations
4. copyright infringement
5. data
6. goals
7. machines
8. misuse
9. organization’s IT equipment and data
10. overview
11. personal usage
12. privacy
13. privacy disclaimers
14. protect confidential data
15. rollout
16. sanctions
17. scope
18. security
19. social media
20. use of IT resources
Access control
1. defining
2. effectiveness
3. tools
Accountability
Account reset mechanism
Address Resolution Protocol (ARP)
Adjacent systems
Administrative access
Administrative controls
1. application security
2. asset management
3. change control
4. CMM
5. documented processes
6. machines
7. policies
8. record and media management
9. security policy document
10. verbal work culture
Adversarial risk
1. advanced threats
2. bare-minimum threat
3. cyber-criminals
4. cyber-militants
5. FAIR

SeeFactor analysis of information risk (FAIR)

FBI cyber-crime
hacktivist
malicious insiders
Microsoft Windows vulnerabilities
NSA
power-ups
proximity of attacker
sample qualitative risk
sample quantitative risk
technical capability
techniques
time

Adversarial risk

SeeAttacker incentives

SeeAnnualized loss expectancy (ALS)

American Institute of Certified Public Accountants (AICPA)
Annualized loss expectancy (ALS)
Anti-business complaints
Anti-counterfeiting tool
Anti-theft software agents, laptop
Antivirus software
Antivirus solutions
Application attacks
Application barriers
Application whitelisting
Approved scanning vendor (ASV)
Assassin, open source spam
Asset management
Asset value assessment
1. examples of
2. information classification
3. internal and valuing information
Association for Certified Fraud Examiners
Assume breach mindset
1. attackers
2. failure of security
3. over—residual risk
4. rigid security policies
5. security professionals
Assumptions examples
Attachment filtering, e-mail
Attacker incentives
1. monetization schemes
2. personal
3. political
Attackers
Attacking techniques
1. exfiltration
2. kill chain
3. stealing authentication
Audited organization’s role
Auditor
1. auditing
2. external
3. internal
  1. competence
  2. independence
  3. training classes
4. role
Audits
1. antivirus software
2. audited organization’s role
3. and auditors
4. auditor’s role
5. background checks
6. bolted-on security controls
7. business-to-business
8. business transactions
9. change control
10. control objectives
11. customer intellectual property
12. definition
13. disagree with auditor’s findings
14. document review
15. evidence
16. explicit
17. as forcing function
18. guide for
19. industry audit certifications
20. IT organizations
21. IT security controls
22. IT security program
23. lawsuit
24. misconceptions
25. onsite review
26. PCI DSS
27. period of
28. pre-assessment
29. regulated industries
30. scope
31. scope control barriers
32. security program, checklist
33. SOC 1
34. SOC 2/3
35. SSAE 16 audits
36. SSAE 16 reports
37. standards types
  1. ISO 27001
  2. PCI DSS
  3. The SSAE 16
38. surveillance audits
39. third-party roles
40. Type 1
41. Type 2
42. URLS
43. workflow
Authentication
1. electronic
2. firewall
3. multi-factor
4. problem
5. sample standards and procedures
6. standards
7. tokens
Authenticator
1. tokens
2. types of
Authorization
1. limit administrative access
2. privileges
3. problems
4. role-based access control
5. service accounts
  1. sample authorization standards
  2. system authorization
Availability service principle

B

Backup policy
Badges, visitor
Biometrics
Botnet
BOYD

SeeBring your own device (BOYD)

Bridge letters
Bring your own device (BOYD)
Business continuity policy
Business impact analysis (BIA)
1. business continuity plan
2. disaster impact scenarios
3. facilities
4. normal business operations
5. sample scenario overview
6. threat mapping with FMEA to generalized threats
Business model
1. agility/ability of organization
2. BYOD
3. challenges
4. communication problems
5. communication with customers and entities
6. consumer trust
7. course of action
8. expertises
9. goods and services
10. intellectual property
11. organization’s secrets
12. problems
13. research
14. risk explanation
Business-to-business (B2B)

C

Capability Maturity Model (CMM)
Cardholder data (CHD)
Cardholder data environment (CDE)
Challenge-response fashion
Change control standards
Change control tracking
CHD

SeeCardholder data (CHD)

Chemical Facility Anti-Terrorism Standards (CFATS)
Chesterton’s fence
Chief Technology Officer (CTO)
Child pornography
Children’s Online Privacy Protection Act (COPPA)
Cisco Security report
City of Gotham Department of Accounting Services and Computer Services
Clean desk policies, office
Cobra effect
Combined technical barriers
Commercial Off The Shelf software (COTS)
Common Vulnerability Scoring Standard (CVSS)
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
Compliance impacts
1. NERC and FTC
2. PCI and HIPAA
Computing technology
Confidentiality service principle
Control design
1. best practices
2. compensating controls
3. control failure modes
4. cost of controls
5. documentation
6. financial information
7. firewall filters
8. flexibility
9. functionality
10. functions and failures
11. GAIT principles
12. hard dollar costs
13. IRS
14. key controls
15. legacy systems
16. minimum standard of care
17. reasonable standard of care
18. risk
19. standardization and measurement
20. standards bodies and organizations
21. technical controls
22. technical professionals
23. workstation antivirus blocks
Control effectiveness
Control Objectives for Information and Related Technology (COBIT)
Critical internal IT services
Cryptography
1. failures
2. infrastructure
Cryptosystem
Custom controls, Internet services security
Customer-facing IT services
Cyber-criminals
Cyber-militants
Cybernetic memory

D

Database administrative access standards
Data breaches
1. ALE
2. Privacy Rights Clearinghouse
3. Verizon Data Breach Investigations Report
Data/digital loss/leak prevention (DLP)
Data encryption, Internet services security
1. hard
2. storage crypto policy and standards
3. tokenization
4. viability against threats
Data-erasure software applications
Defense in depth
Defensive tools, specialized
Demilitarized zone (DMZ)
Deming Cycle
Denial-of-service (DoS)
DiffieHellman’s Iron Box
Diffusion of responsibility
Disaster recovery planning
DNS Security Extensions (DNSSEC)
DNS security, Internet services security
DomainKeys Identified Mail (DKIM) signatures
Domain Name Server (DNS)

E

Eidetic memory
Electronic authentication
Electronic personal health information (EPHI)
Elevated system access
E-mail security, Internet services security
1. attachment filtering
2. mail verification
3. sample policy
4. spam prevention
Empathy
Encryption, laptop
Enhanced Mitigation Experience Toolkit (EMET)
ENISA Cloud Computing Security Risk Assessment guide
Executive management, audit
Exfiltration
External auditors
External DNS server
External feedback mechanism
External vulnerability scans

F

Factor analysis of information risk (FAIR)
1. defined
2. risk modeling
Failover systems
Failure mode and effects analysis (FMEA)
1. breakdown of personnel
2. essence of
3. example of facilities
4. International Standard IEC 60812
5. Internet banking system
Failure modeling
1. analysis
2. description
3. internet banking system
FAIR

SeeFactor analysis of information risk (FAIR)

Fair and Accurate Credit Transaction Act (FACTA)
Fear Uncertainty and Doubt (FUD)
Federal Financial Institutions Examination Council (FFIEC)
Federal Information Security Management Act (FISMA)
Federal Rules of Civil Procedure (FRCP)
Federal Trade Commission (FTC)
Federated identity systems
FEMA

SeeFlood Hazard Mapmap (FEMA)

File Transfer Protocol sites (FTP)
Firewall access rules, standard
Firewall authentication
Flood Hazard map (FEMA)
FMEA

SeeFailure Mode and Effects Analysis (FMEA)

Formal disaster declaration
For-profit business
Fort Pulaski
1. exploit technology
2. Gilmore’s shore cannons
3. gun ranges
4. ownership changes hand
5. Savannah river
6. US Army Corps of Engineers
FTC

SeeFederal Trade Commission (FTC)

Function analysis
1. description
2. factors

G

Global services for customer service centers
Governance
1. asset custodian
2. asset owner
3. asset user
4. auditor
5. audit role
6. control objectives
7. CSO
8. departmental heads and roles
9. effectiveness and appropriateness
10. executive sponsorship
11. formal CSO role
12. frameworks
13. internal policy statements
14. ISMS charter
15. ISMS committee
16. ISMS Governance Strategy
17. ISMS Steering Committee
18. IT personnel
19. IT security
20. leadership
21. management
22. Puget Regional Bank ISMS charter
23. risk acceptance
24. risk and controls
25. risk elimination
26. risk reduction with controls
27. risk transfer
28. risk treatment
29. roles and responsibilities diagram
30. security departments
31. statement of applicability
32. tactics vs . strategy
Gramm-Leach-Bliley Act (GLBA)

H

Hackers
1. amateur
2. cyber-crimes
3. disgruntled sysadmin
4. ideology
5. motivations
Hacktivist
Harvesting attacks
Hash
1. password
Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Information Trust Alliance (HITRUST)
Health Insurance Portability and Accountability Act (HIPAA)
Heating ventilation and air conditioning (HVAC) systems
Heat maps
1. risk
2. simple two-dimensional qualitiative risk map
Host-based IDS (HIDS)
1. transmission encryption
Hosted systems
Human Resource Security Policy
1. agreements
2. background screening
3. confidential information and systems
4. credit checks
5. disciplinary process
6. educational and professional certification
7. employee on boarding and off boarding
8. modern building management companies
9. passport verification
10. person’s past actions
11. pre-employment screen
12. security and compliance requirements
13. security and sanity’s sake
14. security vulnerability
15. serious background checks
16. showstoppers
17. SLA
18. training
19. urgent terminations
20. user management
21. vendor support

I, J

ICMP Redirect
Identification
Impact calculation
1. See alsoIndirect impacts
2. assessment
3. assets
4. compliance

SeeCompliance impacts

customer confidential records
IT asset inventory
legal/compliance department
SLAs

Incident response policy
Indicator of compromise (IOC)
Indirect impacts
1. IT resources
2. law enforcement, management and regulation bodies
3. loss of user productivity
4. public leakage attacks
Information classification
Information security management system (ISMS)
Information Security Risk Management
Initial Report on Compliance (IROC)
Insiders
Internal audit
1. plan
2. process
  1. ISO standard for measurement
  2. measuring control
  3. publish to management
  4. records
3. role of
  1. auditor competence
  2. auditor independence
  3. external audit findings
  4. organization’s security
4. sample organization chart
Internal feedback mechanisms
International Organization for Standardization/International Electrotechnical Commission standard (ISO 27001)
Internet banking system
Internet services security
1. building custom controls
2. data encryption
  1. hard
  2. storage crypto policy and standards
  3. tokenization
3. DNS security
4. e-mail security
  1. attachment filtering
  2. mail verification
  3. sample policy
  4. spam prevention
5. malware controls
  1. anti-malware policy and standards
  2. defense
6. Web services
  1. Web application attacks
  2. Web stack
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)
IP address
IPsec virtual private networks
ISMS

SeeInformation Security Management System (ISMS)

ISMS charter
ISMS steering committee
ISO 27001 audit
ISO training institutions, internal auditor
IT department
1. access control
2. authentication standards
3. challenges
4. controls
5. dragging projects
6. high-value targets
7. IKEA effect
8. infinitely long IT work queue
9. vs . IT security
10. perpetual design
11. poor hygiene
12. risk analysis
13. security champions
14. security roles
  1. builder
  2. hiring for
  3. responder
  4. testers
15. security-savvy developer
16. technical expertise
IT systems, complexity
1. attackers
2. DNS
3. fallacy of composition
4. internet calls
5. IP address
6. ISPs sending
7. ports and protocols
8. standards, web transaction
9. TCP handshake
10. vulnerability
11. web of code

K

Key management, data encryption
Kill chain
1. command and control
2. delivery
3. description
4. exploitation
5. install
6. reconnaissance
7. weaponization

L

Laptop security
Legacy, encryption
Likelihood
1. common IT security threats
2. description
3. examples of threats
4. vulnerability factors
Logical access barriers
Logical access control
1. accountability
2. authentication

SeeAuthentication

authorization

SeeAuthorization

components
organization

Logical access controls
Log repository

M

Mail verification
Malware controls, Internet services security
1. anti-malware policy and standards
2. defense
Malware-infected hosts
Mandiant Intelligence Center Report
Man-in-the-middle attack
Media Access Control (MAC)
Media and portable media controls
1. laptop controls
2. media destruction
Media files, e-mail attached
Media-shredding companies
Memorandums of Understanding (MOU)
Microsoft Security Intelligence Report
Mobile banking project
Modern operating systems
Morris worm
Multifactor authentication

N

National Hurricane Center Storm Surge map
National Institute of Standards
National Security Agency’s (NSA)
Natural disasters
Natural hazards
1. determination
2. gravitational constant
3. for North America, research
4. quantitative risk analysis
5. Seattle Hazard Explorer
6. types
Natural vs . man-made risks
Negative error cultures
NERC

SeeNorth America Electric Reliability Corporation (NERC)

Network Access Control (NAC) system
Network address translation (NAT)
Network barriers
Network File System (NFS)
Network Security
1. acceptable encryption methods
2. commercial Internet usage
3. console encryption
4. cryptographic modules
5. drive-by-download attacks
6. exfiltration of data
7. firewall
  1. designs
  2. management
8. hardening standards
9. HIDS
10. IDS deployment
11. impersonation
12. IT security attacks
13. jump hosts and firewalls
14. man-in-the-middle
15. Morris worm
16. network attacks and impacts
17. network controls
18. network denial of service
19. networking technology
20. network worm
21. ORGANIZATION
22. procedures
23. remote exploits
24. remote password guessing
25. self-replicating malware
26. sniffing attacks
27. virtual private networks
28. web encryption
29. wireless encryption
Network Time Protocol (NTP)
Network worms
Neutron stars
Nmap
NOAA Severe Storm Labs
Non-company standard browsers
Non-repudiation
North American Electric Reliability Corporation (NERC)

O

OCTAVE Cyber Risk and Resilience Management
Offices, security in
1. clean desk policies
2. locked doors
3. NAC
4. screen saver lockouts
Operational failure mode
Order takers and refunds
Organization
1. logical access control
2. passwords for authentication
3. physical security policy
4. two-factor authentication

P

Packet filter firewalls
PAN

SeePrimary Account Number (PAN)

“Paperless office”
Passwords
1. hash
2. policy
3. rotation scheme for
4. standards
Payment Application Data Security Standard (PA-DSS)
Payment Card Industry Data Security Standard (PCI DSS)
People
1. administrative rights
2. customer
3. DLP
4. employment agreements
5. Human Resource Security Policy

SeeHuman Resource Security Policy

ISMS committee
monitoring
policy violations
security policy
security professionals
security training
segregation of duties
threat of malicious insiders
user management

Personal identification numbers (PINs)
Personal incentives
Personally identifiable information (PII)
Personnel security
1. training
2. visitor security
Phishing/social engineering
Physical barriers
Physical security
1. and IT security controls
2. in offices
  1. clean desk policies
  2. locked doors
  3. NAC
  4. screen saver lockouts
3. media controls
  1. laptop controls
  2. media destruction
4. personnel security
  1. training
  2. visitor security
5. physical controls and their defeat
6. physical risk assessments
7. policy
8. problems
9. risk assessments
10. secured facilities controls
  1. access to
  2. alarms
  3. cameras
  4. environmental controls
  5. guards
  6. racks and cages
PII

SeePersonally Identifiable Information (PII)

PIN Transaction Security (PTS) Standard
Plan-Do-Check-Act (PDCA)
Point-of-Sale (POS) terminals
Poisoning attacks
Policy
1. amendment process
2. AUP

SeeAcceptable usage policy (AUP)

encryption methods
ISMS charter
and the Law
non-technical people
organizational security
potty
procedures and standards
records
security policy
1. authority
2. components of
3. goals
4. governance
5. ISMS
6. objectives
7. risk management
8. scope and limitations
9. user behavior
10. WISP
standards

Political incentives
POS

SeePoint-of-Sale (POS) terminals

Post audit improvement
1. audit report
2. bridge letters
3. controls improvement
4. deliberate actions
5. direct and indirect costs
6. expectations
7. ideas and examples
8. implementation/operation
9. Internet age
10. plans
11. policy constraints
12. quality of controls
13. risk analysis framework
14. root cause analysis
15. sample security incident register
16. security awareness training
17. security policy violation
18. security program
19. shearing layers
20. temporary solutions and work-arounds
Power Outage Data Explorer
Primary account number (PAN)
Privacy disclaimer
Privacy principle
Process barriers
Processing integrity principle
Promiscuous mode
Proxy firewalls

Q

Qualified security assessors (QSA)
Qualitative analysis
1. clarifying impact, example of
2. clarifying likelihood, example of
3. heat maps

SeeHeat maps

high impact and low likelihood
low impact and high likelihood
medium impact/likelihood
simple risk list
subject matter experts
vague/misleading

Quantitative analysis
1. data breaches

SeeData breaches

example of analysis

R

RACI diagram
Real-time Blackhole Lists (RBL)
Recovery time objective (RTO)
Redesigned processes
Reflection denial-of-service attack
Remote Desktop Protocol (RDP)
Report on Compliance (ROC)
Reputation blacklisting
Request for proposal (RFP) process
Response controls
1. after action analysis
2. backup and failover
3. business continuity planning
4. incident response plan
5. incidents
6. logging
Risk analysis
1. fuzziness of
2. GAIT principles
3. gap analysis
4. impact calculation

SeeImpact calculation

IT security information
likelihood and impact
likelihood, calculation of
qualitative

SeeQualitative analysis

quantitative

SeeQuantitative analysis

realistic, actionable and reproducible
Robert Courtney Jr., first law
security decisions

Risk modeling
1. cyber-criminals/malicious insiders
2. likelihood and impact
3. likelihood and potential damaging events
4. list of risks
5. natural vs . man-made
Role-based access control
Root cause analysis

S

SaaS

SeeSoftware-as-a-Service (SaaS)

SeeSensitive authentication data (SAD)

Safety, culture of
Sample security incident register
Sarbanes-Oxley Act of 2002 (SOX)
Schneier’s Law
Scope
1. adjacent systems
2. barriers
  1. application
  2. combined technical
  3. logical access
  4. network
  5. physical
  6. process
  7. technical
3. controls
4. double check
5. effectiveness and efficiency, controls
6. examples of
7. hints
  1. but not too small
  2. simplification
  3. start small and expand
8. IT security program
9. logical, physical, operational and human factors
10. non-IT departments
11. overlapping
12. PCI DSS
13. PII
14. public sources
15. SaaS company
16. SSAE 16 SOC 1
17. third-party process dependencies
Scope containment
Screen saver lockouts
Seattle Hazard Explorer
Secondary authentication systems
Secured facilities
1. access to
2. alarms
3. cameras
4. environmental controls
5. guards
6. racks and cages
Secure Shell (SSH) sites
Security department
1. access control
2. authentication standards
3. two-factor authentication
Security incident
Security policy
1. Internet
2. violation
Security professionals
Security service principle
Security solutions
Self-Assessment Questionnaire (SAQ)
Self-enrollment system
Semi-critical internal IT services
Sender Policy Framework (SPF)
Sensitive authentication data (SAD)
Servers, DNS
Service level agreements (SLA)
Service Organization Controls (SOC)
Session hijacking
Shorter rotation cycles
Simple Network Management Protocol (SNMP)
Simple Syndication (RSS)
Single sign-on (SSO) tools
SLA

SeeService level agreement (SLA)

Sniffing attacks
Social engineering
1. incentive
2. ring of familiarity
3. story
4. urgency
Software-as-a-Service (SaaS)
Software objects
Software service accounts
Someone else’s problem
Spam-filtering solutions
Spamhaus Project
Spam prevention, e-mail
Spam-relaying malware
Span ports
Standards for Attestation Engagements 16 (SSAE 16)
Stateful inspection firewalls
Statement of applicability (SoA)
Static web sites
StuxNet malware
Surf pornography
Symantec Security Threat Report
System administrative access standards
System administrators
System authorization

T

TCP/IP protocol
Technical barriers
Third party process dependencies
Third-party roles
Third-party security
1. agreement
2. audit reports
3. authentication and authorization
4. control gap analysis approach
5. controls
6. critical systems
7. e-commerce
8. getting answers
9. IT and security department
10. IT security programs
11. management process
12. maturity and effectiveness
13. network controls
14. organization
15. problems
16. responsibility
17. risk analysis
18. security service agreements
19. software procurement
20. technical controls
21. vulnerability and risk monitoring
Tokens, authentication
Tools, access control
Top-down approach
Trivial File Transfer Protocol (TFTP)
Two-factor authentication

U

UDP protocol
Unix operating systems
Unsolicited e-mail
Untrained internal audit team
Users
1. antivirus software works
2. automated process
3. complexity
4. confidential data leakage
5. contextual shift
6. culture clashes
7. empathy
8. intention and vision of controls
9. manual process
10. organizations
11. paradigm and goals
12. powerful techniques
13. problems faced by
14. security awareness training
15. security system
16. standards
  1. access control
  2. authentication
17. with work
18. work flow
User self-help tool
USGS Earthquakes maps
USGS Natural Hazards map

V

VERIS Community Database
Verizon Data Breach Investigations Report
Virtual LANs (VLANs)
Virtual Private Network (VPN)
Visitor security
VPN tunnel
Vulnerability management
1. activities
2. application security testing
3. automatic patching routines
4. breakdown of responsibilities
5. description
6. exploitable security vulnerabilities
7. hardening standards
8. higher priority
9. lower priority
10. network port scanner software
11. notification
12. patching
13. PCI DSS requirements
14. penetration testing
15. physical and virtual machines
16. prioritization and risk
17. scanning
18. unpatched hole
VulnPryer engine

W, X, Y, Z

Watering hole attack
Web application firewalls
Web server
Web services, Internet services security
1. Web application attacks
2. Web stack
Web sites
1. static
2. three-tier architecture for
Wi-Fi Protected Access (WPA)
Written Information Security Program (WISP)

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Backmatter

Create new playlist

Sign In

Sign Up

Index

A

B

C

D

E

F

G

H

I, J

K

L

M

N

O

P

Q

R

S

T

U

V

W, X, Y, Z

Table of Contents for
Backmatter