Index


Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.

    A


access control lists (ACLs), 199, 200

access controls, 197–202

     access control matrix, 200

     administration of, 201

     auditing compliance with standards, 150

     benefits of, 197

     capability tables, 200

     constrained user interfaces, 200

     content-dependent, 201

     context-dependent, 201

     critical thinking exercises, 202, 345–346

     ICSs and, 319–321

     key concepts in, 197

     models for, 198–200

     recommended reading, 202

     restricting employee access, 165

     retail organizations and need for, 307

     techniques for, 199–201

     types of, 198

     visitor access, 165–166

accountability. See also IAAA model

     IAAA process of, 31

     privacy and protection laws requiring, 67

     required when implementing BCM, 258

accreditation. See also authorization; C&A

     certification vs., 74, 141

     defined, 142

     healthcare programs and, 289

     ICSs and, 317–318

     by retail organizations, 305–306

     SDLC security, 157, 158

accrediting official (AO), 90

accrediting official liaison (AOL), 90–91

ACLs (access control lists), 199, 200

ACM (Association for Computing Machinery), 2, 13

acquisition. See system development and acquisition

acronyms, 421–426

Act phase (PDCA cycle), 57, 60, 142

ad hoc team formation, 56

administration

     access control, 201

     database, 94

     system and network backups, 278–279

administrative laws, 64

AES (Advanced Encryption Standard), 43

Age of Discontinuity, The (Drucker), 19, 55–56

analog forensics, 244

analyzing

     assets, 112, 114

     data in MSR model, 223

     healthcare record risks, 284

     risks, 383–386

     vulnerabilities, 112, 116–117

antiforensic techniques and tools, 245–246

AO (accrediting official), 90

AOL (accrediting official liaison), 90–91

asset management, 101–109. See also assets

     acceptable use of assets, 103

     critical thinking exercises, 109, 335–336

     information classification and handling, 103–109

     inventory of assets, 102

     ownership of assets, 102–103

     recommended reading on, 108–109

     responsibilities in, 102

     types of assets, 101–102

assets

     about, 2

     acceptable use of, 103

     analysis of, 112, 114

     classifying and handling, 103–108

     defined, 33

     identifying for ICSs, 313–315

     impacts, segmentation and, 26

     information life cycle model for, 56–57

     inventory of, 102

     loss of, 21

     ownership of, 102–103

     protecting sensitive, 10, 286–287

     relationships among threats, vulnerabilities, risks, controls and, 32–33

     resources required to classify, 73

     responsibilities for, 102

     retail organization, 302

     types of, 101–102

Association for Computing Machinery (ACM), 2, 13

asymmetric cryptography, 186, 188

asymmetric encryption, 44

asymmetric warfare, 36

AT&E (awareness, training, and education), 175–183

     BCM culture and, 268–269

     benefits of, 177

     critical thinking exercises, 183, 342–343

     designing programs for, 177–178

     developing, 137–138

     healthcare organizations and, 290

     ICSs and, 319

     information assurance training, 180–181

     materials for, 150

     overview of, 175–176

     policy training and education, 128–129

     providing incident-handling, 234

     purpose of, 176

     recognizing importance of BCM, 259

     recommended reading, 182–183

     retail organizations' need for, 306–307

     stages of, 176

     types of programs, 178–181

attackers

     capabilities of, 35

     criminal, 36

     defined, 36

     motivation of, 35–37

     nation states as, 36

     national warfare and, 36

     using antiforensic techniques and tools, 245–246

attacks. See also events

     about cybercrimes, 244

     eradicating malware or vulnerabilities from, 237–238

     PKI, Heartbleed attack on, 189

     potential risks of, 383–386

     retail security breaches, 295–299, 301–302

     types of, 37

auditing

     integrating risk management into, 120

     meeting requirements for, 10–11

     outsourcing service providers, 99

     security responsibilities for, 94

authentication. See also IAAA model

     EHRs and, 284

     healthcare organizations and, 290

     IAAA process of, 29, 30–31

     MSR model and, 29

     PKI’s use of, 188–189

     retail data and, 294

authenticity of forensic evidence, 252

authority, designated healthcare data, 285

authorization. See also access controls; IAAA model

     continuous monitoring and, 42–43, 158, 218–219

     defined, 31

automating

     emergency notifications, 168

     policy enforcement, 128

availability. See also CIA model

     categorizing information impact levels for, 107, 108

     cybersecurity and, 16

     defined, 28

     EHRs and, 283–284

     MSR model and, 15

     retail data for POS systems, 294

awareness, training, and education. See AT&E

    B


backup generators, 169

backups, 190, 271–280

     about, 190

     administration of, 278–279

     BYOD and cloud, 279–280

     choosing technology for, 271–273

     critical thinking exercises, 280, 351

     designing strategies for, 208

     healthcare organization, 291

     ICSs and need for, 322

     importance of, 271

     infrastructures for, 274–275

     need for, 208

     needed by retail organizations, 307

     recommended reading for, 280

     restoring data, 279

     retention of, 277–278

     scheduling, 277

     software for, 275–276

     tape media, 278

     timeframes for, 272–273

     types of, 276

banking practices and standards, 69

Basel II Banking Guidelines, 67

BCI (Business Continuity Institute), 51, 52–53

BCM (business continuity management), 257–270

     about, 257

     BIA for, 206, 260–261

     cloud computing and, 269–270

     creating strategies for, 262–264

     critical thinking exercises, 270, 350–351

     culture of, 268–269

     developing and implementing responses, 264–268

     essential nature of, 259

     executing, testing, maintaining, and auditing, 269

     ICSs and development of, 322

     identifying business needs, 259–261

     illustrated, 259

     implementing, 206, 258

     importance of, 204, 257–258

     levels of strategies in, 262

     recommended reading, 270

     retail organizations and need for, 307

     risk assessments for, 261

     stages in, 258–269

BCP (business continuity plan)

     developing, 266

     importance for healthcare organizations, 291

     incident handling and emergency planning, 234

     outsourcing or in-house development of, 207

Bem, Derek, 251

BI (business intelligence), 295

BIA (business impact analysis)

     conducting, 260–261

     determining RTOs, 272–273

     importance of, 206

big data, 31

bits, least significant, 246

black-hat hackers, 36

Blu-ray Disc backups, 273

Böhme, Rainer, 244

bottom-up approach

     about, 2, 78–79

     costs associated with, 79–80

     situations where it is suitable for information assurance, 206

Boyd’s OODA loop, 60–61

bring-your-own-device programs. See BYOD

bring-your-own-software programs, 137, 171

Brooks, Fred, 153

BSI (Bundesamt für Sicherheit in der Informationstechnik), 33, 68, 355, 367

budgets and risk management, 120

bugs, 34

Bundesamt für Sicherheit in der Informationstechnik (BSI), 33, 68, 355, 367

business case development, 227

Business Continuity Institute (BCI), 51, 52–53

business continuity management. See BCM

business continuity plan. See BCP

business enabler, 17

business impact analysis (BIA), 206, 260–261

business intelligence (BI), 295

BYOD (bring-your-own-device) programs

     cloud backups for, 279–280

     enforcing security for, 171

     guidelines for mobile device forensics, 248–249

     privacy issues with, 136, 137

BYOS (bring-your-own-software) programs, 137, 171

    C


C&A (certification and accreditation)

     accreditation vs. certification, 74, 141

     advantages of, 141–142

     certification baselines, 144, 146

     concepts and definitions in, 142–143

     considering evaluations of, 145, 147

     critical thinking exercises for, 148, 339

     ICSs and, 317–318

     process flow in, 144, 145

     purpose of, 143

     recommended reading on, 147–148

     relevant for incident handlers, 233–234

     by retail organizations, 305–306

     roles supporting, 143–144

     standards for, 11

CA (certificate authority), 188

CAP (Certified Authorization Professional) certification, 50

Capability Maturity Model (CMM), 97–98

Capability Maturity Model Integration (CMMI), 97

capability tables, 200

CCFP (Certified Cyber Forensics Professional) certification, 50

CCP (common control providers), 95–96

CD backups, 273

CEI (Computer Ethics Institute), 52–53

cell phones, 248–249

centralized access control administration, 201

centralized information assurance structures, 84–85

CEO (chief executive officer), 86–87

CERT (Computer Emergency Readiness Team), 40, 231, 243, 321

certificate authority (CA), 188

certification programs. See also C&A

     about, 3

     accreditation vs. certification, 74, 141

     choosing, 52

     critical thinking exercises, 54, 332

     healthcare, 289

     preparing information assurance unit members, 92

     recommended reading on, 54

     standards for, 50

     training retail employees, 299

Certified Information Security Manager (CISM) certification, 51

Certified Information Systems Security Professional (CISSP) certification, 3, 50

Certified Information Systems Auditor (CISA) certification, 3, 51

Certified Secure Software Lifecycle Professional (CSSLP) certification, 50

CFCS (Danish Centre for Cyber Security), 232

CFTT (Computer Forensics Tool Testing) program, 246

chain of custody, 207, 251, 252

change detection, 212–213

change management, 160, 190–191

Check phase (PDCA cycle), 57, 59–60, 141

checklists

     for avoiding fraud and theft, 34

     digital data, 249

     disciplinary process, 138

     information system security, 393–404

     media care, 278

Chernobyl Blindness, 119

chief executive officer (CEO), 86–87

chief information officer (CIO), 88–89

chief information security officer (CISO), 89

chief risk officer. See CRO

chief security officer (CSO), 90

CIA (confidentiality, integrity, and availability) model

     about, 2, 27–28

     illustrated, 27

     MSR model extension to, 13, 25

     objectives of cybersecurity and, 16

CIO (chief information officer), 88–89

ciphers, 43

CISA (Certified Information Systems Auditor) certification, 3, 51

CISM (Certified Information Security Manager) certification, 51

CISO (chief information security officer), 89

CISSP (Certified Information Systems Security Professional) certification, 3, 50

civil laws, 64

clear desk and clear screen policy, 172

clear text, 43

closed-circuit TV and monitors, 217

cloud computing

     assessing security of acquired software, 159–160

     backup solutions for, 274, 275

     backups for BYOD programs, 279–280

     BCM and, 269–270

     certification programs in, 3

     forensics for remote data, 248

     managing business continuity for, 269–270

     outsourcing and, 79, 98–99

Cloud Security Alliance (CSA), 79

CMM (Capability Maturity Model), 97–98

CMMI (Capability Maturity Model Integration), 97

CMP (crisis management plan), 264–266

CMVP (Cryptographic Module Validation Program), 190

COBIT (Control Objectives for Information and Related Technology) standard, 11, 51

code, 43

codes of ethics, 52–53

collection of data. See also data

     analysis and, 226

     data measurement and, 222–223

     principles for, 66

common control providers (CCPs), 95–96

Common Vulnerabilities and Exposures (CVE) program, 213–214

completeness of forensic evidence, 252

compliance

     requirements for, 10–11

     vulnerability scanner, 206

CompTIA (Computing Technology Industry Association) certifications, 50–51

Computer Ethics Institute (CEI), 52–53

computer forensic examiners, 245–251

     about, 245

     performing media and file system forensics, 246–248

     techniques and tools for, 246

computer forensics

     certification programs in, 3

     chain of custody, 207, 251, 252

     critical thinking exercises, 255, 349–350

     defined, 203, 243

     establishing teams, 243–244, 253

     evidence rules for, 252–253

     healthcare organizations and, 291

     ICSs and, 321–322

     importance of, 244

     incident handling and, 207

     recommended reading, 253–255

     retail organizations and, 307

     rules of, 251

     skills needed for, 245–251

     steps in, 243, 252

Computer Forensics Tool Testing (CFTT) program, 246

Computer Security Handbook, The, 68

Computing Technology Industry Association (CompTIA) certifications, 50–51

concepts in information assurance, 25–48

     accountability and IAAA process, 31

     assets, threats, vulnerabilities, risks and controls, 32–33

     authentication and IAAA, 29–31

     controls, 40–43

     critical thinking exercises, 47–48, 329–332

     cryptology, 43–45

     defense-in-depth strategy, 25–26

     due care/due diligence, 20, 63–64

     found in CIA model, 27–28

     identification, 29, 30

     MSR concepts, 14–15

     nonrepudiation, 28–29

     privacy, 31–32

     recommended reading on, 46–47

     threats, 33–40

     vulnerabilities, 33, 40

confidentiality. See also CIA model

     categorizing information impact levels for, 107, 108

     cybersecurity and, 16

     defined, 27

     EHRs and, 283

     MSR model and, 15

     privacy vs., 31

     retail organizations and, 293

configuration management, 160–161, 190–191

constrained user interfaces, 200

consultants, 74

containerization software, 137

containment phase, 235–237

content

     content-dependent access control, 201

     forensics for, 249

content-dependent access control, 201

content filters, 186

context-dependent access control, 201

continuous monitoring

     authorization and, 42–43, 158, 218–219

     healthcare industry need for, 291

     ICSs and, 321–322

     retail organizations and, 307

contracts, employment, 134

Control Objectives for Information and Related Technology (COBIT) standard, 11, 51

controls, 40–43

     assets, threats, vulnerabilities, risks and, 32–33

     balance between risk and, 41–43

     bottom-up approach to, 2, 78–80

     defined, 2, 33, 40

     ensuring selection and implementation of, 42

     factors in implementing, 41

     integrity for, 27–28

     levels of security, 77

     reviewing, 42–43

     top-down approach to, 2, 78, 79–80

     types of, 41

copyright laws, 65

corrective action, 227

cost advantage model, 11

costs

     balancing information assurance implementation, 79–80

     data breeches and, 11

     information assurance benefits and, 18–19

     losses from computer crime and weak security, 21

credentials. See C&A

credit cards. See also PCI-DSS

     best practices and standards for, 69

     EMV standard, 295

     poor security and customer losses, 21–22

     security breaches of, 301–302

criminal attackers, 36

criminal laws, 64

crisis management. See also BCM

     BCP for, 266

     developing CMP, 264–266

     DRP for, 266

     OEP, 267–268

critical thinking exercises

     access controls, 202, 345–346

     applying information assurance principles, 23–24, 328–329

     applying information security concepts, 47–48, 329–332

     asset management, 109, 335–336

     AT&E, 183, 342–343

     backups, 280, 351

     BCM, 270, 350–351

     C&A, 148, 339

     computer forensics, 255, 349–350

     developing strategies, 8, 327–328

     healthcare, 292, 351–352

     human resource assurance, 140, 338–339

     IAMS, 62, 332–333

     ICSs, 324, 353–354

     implementing information assurance, 81, 333–334

     incident handling, 240–241, 348–349

     laws and regulations, 70, 333

     leadership’s need for information assurance, 12, 328

     managing information assurance, 100, 334–335

     measurements and metrics, 228, 347–348

     monitoring, 220, 346

     physical and environmental security, 174, 341–342

     policy, 130, 337

     preventive tools and techniques, 195, 343–345

     professional ethics, 54, 332

     retail organizations, 308, 352–353

     risk management, 121, 336–337

     system development and acquisition, 161–162, 339–341

CRO (chief risk officer)

     defined, 87–88

     developing BCM culture, 268–269

     establishing BCM process, 258–259

cryptanalysis, 43

Cryptographic Module Validation Program (CMVP), 190

cryptography

     hashing feature for backup software, 276

     PKI system and, 30

     protocols and tools using, 186–187

     public key, 188

cryptology, 43–45

     about, 43

     codes and ciphers in, 43

     encryption key escrow, 44–45

     types of encryption, 43–44

CSA (Cloud Security Alliance), 79

CSO (chief security officer), 90

CSSLP (Certified Secure Software Lifecycle Professional) certification, 50

customers. See also privacy

     capturing information on, 294

     considering social obligations to, 20

     losses of, 21–22

     mining data about, 31–32

     privacy and surveillance cameras, 306

CVE (Common Vulnerabilities and Exposures) program, 213–214

cybercrimes, 244

cybersecurity

     certification programs for, 50

     information assurance vs., 299

     MSR model and, 16

     NICE, 132

     U.S. frameworks for, 311–312

    D


DAC (discretionary access control) model, 198, 200

Danish Centre for Cyber Security (CFCS), 232

Danish Computer Emergency Readiness Team (DKCERT), 232

data. See also backups; privacy

     analyzing and reporting, 223

     availability of retail POS, 294

     capturing customer information, 294

     checklist for digital, 249

     classification levels for, 104

     collection and analysis of, 66, 222–223, 226

     costs of breaches in, 11

     customer fears about credit card, 21–22

     deriving metrics from, 22

     designated personnel handling sensitive, 285

     disaster recovery plan for, 266

     forensics for media and file system, 246–248

     importance of backing up, 271

     information owner/steward, 96

     information protection and security, 15–16

     integrating measurement output of, 223–224

     legal privacy and protection principles for, 65–67

     life cycle of, 14–15

     measurement of, 221, 222–224

     mining customer, 31–32

     preparing to collect, 225–226

     protecting sensitive, 10

     restoring, 279

     terminology for healthcare, 284

Data Encryption Standard (DES), 43

Data Protection Act (European Union), 32, 300

Data Protection Law (France), 286

database administrators, responsibilities of, 94

database backups, 272

database vulnerability scanners, 214

DCS (distributed control systems), 310

de minimis policy, 136

decentralized access control administration, 201

defense-in-depth strategy

     CIA triad, 27–28

     defined, 25–26

     illustrated, 319

     using for physical and environmental security, 164

degaussing, 173

deliberate acts, 357–362

delivery and loading areas, 166–167

Deming, W. Edwards, 221

denial of service (DoS) attacks, 187

DES (Data Encryption Standard), 43

detection/identification phase, 234–235

DHS (Department of Homeland Security), 231

differential backups, 276

differentiation advantage model, 11

digital signatures, 28

Disaster Recovery Institute, International (DRII), 51

disaster recovery plan (DRP), 266

disciplinary process checklist, 138

disciplining employees, 138

disclosure of information

     NDAs and, 134

     preventing unauthorized, 164

discretionary access control (DAC) model, 198, 200

distributed control systems (DCS), 310

distributed information assurance structures, 84, 85

distributed network scanners, 214–215

DKCERT (Danish Computer Emergency Readiness Team), 232

Do phase (PDCA cycle), 57, 58, 59

documentation

     NDAs, 134

     policy, 124, 127–128, 129

     safeguarding media with, 192

     writing information assurance, 6

DoS (denial of service) attacks, 187

DRII (Disaster Recovery Institute, International), 51

DRP (disaster recovery plan), 266

Drucker, Peter, 19, 55–56

due care

     defined, 20, 63

     legal implications of, 63

     management’s responsibility for, 244

due diligence

     checking service providers before hiring, 99

     defined, 20, 63

     legal implications of, 63–64

duress alarms, 167

DVD-RW discs, 273

    E


e-mail

     monitoring, 205, 218

     spamming via, 40

education. See AT&E

EHRs (electronic health records)

     defined, 284

     information assurance for, 281, 283

electric power systems, 169

electronic medical records, 284

Electronic Privacy Information Center, 32

electronic transaction laws, 64

employees

     AT&E for, 175–183

     certifying and training retail, 299

     clear desk and clear screen policy for, 172

     considering social obligations to, 20

     defining level of confidentiality or sensitivity for, 133

     disciplining, 138

     errors and negligence by, 33–34

     monitoring, 135, 136, 137, 205, 218

     personnel management in ICSs, 311

     recruiting, 85, 131–134

     restricting access of, 165

     roles and responsibilities for IAMS, 85–86

     rotating duties for, 136

     sabotage by, 37–38

     terminating, 138–139

     tools for monitoring, 217

     training and awareness of new, 137–138

     workforce management systems for, 294

EMRs (electronic medical records), 284

EMV (Europay, Mastercard, Visa) standard, 295

EnCase, 250

enclaves, 166

encryption

     adequacy of, 43

     algorithms for, 42

     asymmetric, 44

     backup software support for, 276

     codes and ciphers in, 43

     key escrow for, 44–45

     protocols and tools using, 186–187

     selecting materials for, 151

     symmetric, 43–44

enforcing policy, 128–129

ENISA (European Union Agency for Network and Information Security), 192–193

environment. See IT environment; physical and environmental security

ePHR, 284

equipment

     maintenance for, 170

     mitigating water damage to, 168–169

     safeguarding, 167–171

     secure disposal and reuse of, 171–172

     securing off-premises, 170–171

     supporting utilities for, 169–170

eradication phase, 237–238

errors and negligence, 33–34

ethical hackers, 52

ethics

     critical thinking exercises applying, 54, 332

     professional codes of, 52–53

     used by white-hat hackers, 35–36

European Union Agency for Network and Information Security (ENISA), 192–193

events

     containing effect of, 235–237

     defined, 230–231

     detecting and identifying, 234–235

     eradicating malware or vulnerabilities from attack, 237–238

     recovering from, 238–239

     reviewing and follow-up after, 239–240

extensibility of information assurance, 8

external penetration tests, 215

    F


facilities. See physical/facility management

FBI. See U.S. Federal Bureau of Investigation

FDI (Fixed Disk Image), 250

Federal Financial Institutions Examination Council (FFIEC), 29

Federal Information Processing Standards (FIPS), 105, 108

Federal Information Security Management Act (FISMA), 104–105, 108

FedRAMP baseline summary, 144, 146

FEMA (U.S. Federal Emergency Management Agency), 302

FFIEC (Federal Financial Institutions Examination Council), 29

file system forensics, 246–248

FIPS (Federal Information Processing Standards), 105, 108

fire, 167–168, 217. See also physical and environmental security

firewalls, 204, 205

FISMA (Federal Information Security Management Act), 104–105, 108

Fixed Disk Image (FDI), 250

force majeure, 355–357

forensic analysts. See computer forensic examiners

forensics. See computer forensics

ForensiX, 250

fraud

     controls deterring employee, 134–136

     reducing, 34

     rotation of duties and minimizing, 136

FTK (Forensic Toolkit), 250

full backups, 276

    G


GAAP (Generally Accepted Accounting Principles), 133

gateways, 188

general circulars, 10

Generally Accepted Accounting Principles (GAAP), 133

generation backups, 277

GIAC (Global Information Assurance Certification), 3, 51

GLBA (Gramm-Leach-Bliley Act), 67

Global Information Assurance Certification (GIAC), 3, 51

Gramm-Leach-Bliley Act (GLBA), 67

guidelines. See also policy; standards

     clear desk and clear screen policy, 172

     developing policy, 125–126

     disciplinary process checklist, 138

     healthcare organization, 288–289

     ICSs, 316–317

     information classification, 103–104

     media disposal, 173

     monitoring employees, 135

     policy, 124

     retail organization, 304–305

    H


hackers

     black-hat, 36

     ethical, 52

     ethics of white-hat, 35–36

     hacktivists, 36

     motivation of, 35–36

hacktivists, 36

hard drives

     backing up to, 273

     forensics for, 247

HCISPP (HealthCare Information Security and Privacy Practitioner) certification, 3, 50, 285, 289, 290

Health Insurance Portability and Accountability Act (HIPAA), 286, 291, 300

health records. See EHRs

healthcare, critical thinking exercises, 292, 351–352

healthcare industry, 283–292

     access control for, 290

     applying PDCA to data management, 285

     assets for, 286–287

     assuring safety of EHRs, 281, 283

     AT&E for, 290

     business continuity and backups for, 291

     certification, accreditation, and assurance, 289

     continuous monitoring, incident response, and forensics in, 291

     critical thinking exercises, 292

     designated personnel handling sensitive data, 285

     hiring trustworthy employees for, 289

     information assurance management for, 285–286

     mitigating risks for, 288–291

     physical and environmental security for, 290

     recommended reading, 291–292

     regulations and legal requirements for, 286

     risk assessment for, 287

     system development and acquisition standards in, 289

     terminology specific to, 284

     threats in, 287

     vulnerabilities of, 287

HealthCare Information Security and Privacy Practitioner (HCISPP) certification, 3, 50, 285, 289, 290

Heartbleed attack, 189

heating, ventilation, and air conditioning (HVAC), 170

help desk, responsibilities of, 93

Henry, Patrick, 61

HIDS (host intrusion detection systems), 209–210

high assurance industries, importance of C&A in, 141

Hill, Kashmir, 31

HIPAA (Health Insurance Portability and Accountability Act), 286, 291, 300

Home Depot, 298, 305

honeypot/honeynet, 211

host-based vulnerability scanners, 214

host intrusion detection systems (HIDS), 209–210

hot-site vendors, 207

“How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did” (Hill), 31

human failure, 362–364

human resources, 131–140

     critical thinking exercises, 140, 338–339

     disciplinary process checklist, 138

     employee training and awareness, 137–138

     hiring healthcare employees, 289

     ICSs and, 318

     information assurance for, 131

     monitoring and privacy expectations, 136–138

     recommended reading, 139–140

     recruitment process, 131–134

     retail organization security, 305

     security controls for employment, 135–136

     security responsibilities of, 94

     terminating employees, 138–139

     using information categorization standards, 105

human threats, 115–116

HVAC (heating, ventilation, and air conditioning), 170

hybrid information assurance structures, 84, 85

    I


IAA (information assurance architect), 92–93

IAAA (identification, authentication, authorization, and accountability) model

     about, 2

     authentication in, 29, 30–31

     identification in, 29, 30

     MSR model extension to, 25

IaaS (Infrastructure as a Service), 269, 273

IACA (information assurance control assessor), 91–92

IAE (information assurance engineer), 92

IAMS (information assurance management systems), 55–62. See also managing information assurance

     Boyd’s OODA loop, 60–61

     critical thinking exercises, 62, 332–333

     information life cycle model, 56–57

     integrating BCM with, 258

     kill chain, 61

     maintaining information assurance, 55–56

     managing security with PDCA cycle, 57–58

     MSR model in, 56

     outsourcing, 98–99

     recommended reading, 61–62

ICSs (industrial control systems), 309–324

     about, 281, 309

     critical thinking exercises, 324, 353–354

     information assurance approach to, 309–310

     mitigating risk in, 316–322

     personnel management, 311

     recommended reading, 322–324

     regulations and laws for, 311–312

     risk management for, 312–316

     terminology for, 310–311

     top-down management in, 311

identification. See also IAAA model

     detection/identification phase, 234–235

     method in IAAA process, 29, 30

identification, authentication, authorization, and accountability model. See IAAA model

identity management, 29

IDS (intrusion detection systems)

     firewalls vs., 205

     IPS vs., 204

     monitoring with, 209–210

IEC. See ISO standards

IEEE 802.1 standards, 216, 217

impacts, segmentation, assets and, 26

implementing information assurance, 75–81

     balancing costs of, 79–80

     critical thinking exercises, 81, 333–334

     key components in, 75–77

     levels of security controls, 77

     recommended reading on, 80

incident handling. See also events

     about, 207, 229–230

     computer forensics and, 207, 243–244

     critical thinking exercises, 240–241, 348–349

     healthcare organizations and, 291

     ICSs and, 321–322

     importance of, 230

     phases in process of, 232–240

     recommended reading, 240

     reporting incidents, 230–232

     retail organizations and, 307

incidents. See also incident handling

     defined, 230

     developing response plan for, 268

     reporting, 230–232, 236

incremental backups, 276, 277

individuals. See people

industrial control systems. See ICSs

industrial espionage, 38

information. See data; information classification

information assurance. See also concepts in information assurance; MSR model

     acronyms in, 421–426

     approach to ICSs, 309–310

     architecture for small organizations, 26

     balancing organization's and individuals' rights, 20

     certification programs in, 3

     competitive advantage of, 11

     concepts of, 2

     consequences in lack of, 20

     core principles of, 5–8

     cost effectiveness and benefits of, 18–19

     critical thinking exercises on developing, 8, 327–328

     cybersecurity vs., 299

     designing to enable business, 17

     finding best approach to, 2

     ICSs and, 317–318

     implementing, 75–81

     information technology vs., 9

     maintaining systems for, 55–56

     managing for healthcare data, 285–286

     measurement process for, 222–224

     MSR concepts of, 14–15

     need for, 2, 9–10

     periodic reassessment of, 19–20

     protecting sensitive assets with, 10

     relationship of concepts in, 18

     retail organization metrics for, 305–306

     reviewing policies regularly, 74

     security standards and best practices in, 68–69

information assurance architect (IAA), 92–93

information assurance awareness programs, 178–180

information assurance control assessor (IACA), 91–92

information assurance education, 181

information assurance engineer (IAE), 92

information assurance management systems. See IAMS

information assurance units, 91–93

     function of, 91

     information assurance architect, 92–93

     information assurance control assessor, 91–92

     information assurance engineer, 92

     information systems security officer, 93

information classification, 103–109

     about, 103

     example of, 104–107

     guidelines for, 103–104

     labeling and handling for, 104

information life cycle model, 56–57

Information Security Risk Analysis (Peltier), 355

Information Systems Audit and Control Association. See ISACA

Information System Contingency Plan (ISCP), 268

information system owners (ISOs), 95

Information Systems Security Association (ISSA), 51, 52–53

information system security checklist, 393–404

information systems/business analysts, 94

information systems security officer (ISSO), 93

information technology, 9

Information Technology Infrastructure Library (ITIL), 97

information warfare, 37

Infrastructure as a Service (IaaS), 269, 273

integrity. See also CIA model

     categorizing information impact levels for, 107, 108

     cybersecurity and, 16

     defined, 27–28

     EHRs and, 283

     MSR model and, 15

     retail organizations and, 293

intellectual property laws, 64, 65

internal penetration tests, 215

International Information Systems Security Certification Consortium. See (ISC)2

international laws

     privacy laws, 387–391

     summary of, 67

International Organization for Standardization standards. See ISO standards

Internet service providers (ISPs), 230, 236

Internet usage monitoring, 205

intrusion detection. See also IDS

     host systems for, 209–210

     network systems for, 187, 210

     organizational requirements for, 205

intrusion prevention systems (IPS), 204

inventory information capture systems, 294

inventory of assets, 102

IPS (intrusion prevention systems), 204

IRP (incident response plan), 268

ISACA (Information Systems Audit and Control Association)

     certification by, 51

     cloud service frameworks by, 79

     codes of ethics in, 52–53

(ISC)2

     certification from, 3, 50

     codes of ethics in, 52–53

     healthcare credential from, 285, 289, 290

ISCP (Information System Contingency Plan), 268

ISO (International Organization for Standardization) standards

     13335 standards, 68

     13569, 69

     17024 standards, 50

     17799/27001 standards, 11

     27000 series, 56, 57, 68

     recommended reading on, 69–70

ISOs (information system owners), 95

ISPs (Internet service providers), 230, 236

ISSA (Information Systems Security Association), 51, 52–53

ISSO (information systems security officer), 93

IT Baseline Protection Manual, 68

IT environment. See also software

     access control administration in, 201

     controlling with change and configuration management, 190–191

     help-desk support for, 191–192

     patch management for, 192–194

     working with BYOD and BYOS programs, 136, 137, 171

ITIL (Information Technology Infrastructure Library), 97

    J

JIT (just-in-time) information assurance, 56

job scope/descriptions, 132

just-in-time (JIT) information assurance, 56

    K

kill chain, 61

KISA (Korea Internet & Security Agency), 113

    L

LAN-based tape backups, 274

LATE mnemonic, 176

laws and regulations

     compliance with, 10

     computer laws, 64

     critical thinking exercise for, 70, 333

     due care and due diligence, 20, 63–64

     Federal Information Security Management Act, 104–105

     healthcare records, 286

     incorporating into policy documents, 124

     intellectual property laws, 64, 65

     international and national privacy, 387–392

     international laws and acts, 67

     legal requirements for information assurance, 6, 32

     meeting audit and compliance requirements, 10–11

     penalties from legal/regulatory authorities, 20–21

     pertaining to information assurance, 6

     recommended reading for, 69–70

     retail organizations, 300–301

     U.S. cybersecurity frameworks, 311–312

legal departments, 94, 135

life cycle. See also SDLC; SSDLC

     information classification, 104

     security based on information, 56–57

     software development, 3, 34

likelihood, 33

log management tools, 210–211

logic bombs, 212

loss of assets, 21

loss of infrastructure, 34

LSBs (least significant bits), 246

    M

MAC (mandatory access control) model, 199

Maconachy-Schou-Ragsdale model. See MSR model

magnetic tape forensics, 247

maintaining

     equipment, 170

     information assurance systems, 55–56

     SDLC security, 158

malware

     about, 35

     change detection, 212–213

     defined, 205

     detecting, 212

     eradicating, 237–238

     signature detection, 212

     state detection, 213

     types of, 212

management controls, 41

managing information assurance, 83–100

     critical thinking exercises, 100, 334–335

     impact of organizational maturity on, 97–98

     importance of, 83–84

     outsourcing and cloud computing, 98–99

     policy documents and, 123–124

     recommended reading, 100

     staffing required for, 85–86

     structures for, 84–85

mandatory access control (MAC) model, 199

McCumber, John, 13

McKemmish, Rod, 250

measurements and metrics, 221–228

     assessing awareness program effectiveness, 179

     critical thinking exercises, 228, 347–348

     defined, 221

     improving measurement process, 224

     information assurance measurement process, 222–224

     integrating measurement output, 223–224

     metrics program, 225–227

     need for, 203, 221

     recommended reading, 227

media

     caring for, 278

     controls and documentation for, 192

     performing media and file system forensics, 246–248

     selecting backup, 273–274

     tape media backups, 274, 278

media disposal

     assuring security of, 158

     guidelines for, 173

     importance of, 151

     sanitizing equipment before, 171–172

metrics. See measurements and metrics

mitigating risks

     assuring system development and acquisition security, 153–162

     healthcare industry, 288–291

     ICSs, 316–322

     physical and environmental security controls for, 163–174

     retail organizations, 304–308

mobile devices, forensics for, 248–249

Monetary Authority of Singapore Internal Controls, 133

monitoring

     continuous, 42–43, 158, 218–219

     critical thinking exercises, 220, 346

     e-mail, 218

     employees, 135, 136, 137, 205, 218

     honeypot, 211

     IDS for, 209–210

     log management tools, 210–211

     malware, 212–213

     penetration tests, 215–217

     physical controls, 217

     recommended reading, 219–220

     risk, 112, 119

     tools for personnel, 217

     vulnerability scanners, 213–215

motion detectors, 217

MSR (Maconachy-Schou-Ragsdale) model

     balancing organizational and individual rights, 20

     consequences in lack of information assurance, 20–22

     cost effectiveness and benefits of, 18–19

     critical thinking exercises applying, 23–24, 328–329

     cybersecurity elements of, 16

     enabling business using, 17

     IAMS use of, 56

     illustrated, 14

     information assurance concepts of, 14–15

     information protection, 15–16

     information security elements in, 15

     nonrepudiation concept in, 28–29

     periodic reassessment in, 19–20

     principles of, 2, 13–14

     protecting organizational systems, 17

     risks in healthcare records, 284

     robust approach to information assurance, 19

     shared responsibilities in information assurance, 19

multimedia forensics, 249

Mythical Man-Month, The (Brooks), 153

    N

NAS-based tape backups, 274

NASA, 379

nation states as attackers, 36

National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), 136

national privacy laws, 391–392

natural threats, 116

NDAs (nondisclosure agreements), 134

negligence, 20

network intrusion detection systems (NIDSs), 187, 210

network intrusion prevention systems (NIPS), 187

networks

     firewalls for, 187

     forensics for, 250

     information security for, 151

     intrusion prevention systems for, 187

     network-based vulnerability scanners, 214

     network surveillance, 218

NICE (U.S. National Initiative for Cybersecurity Education), 132

NIDS (network intrusion detection systems), 187, 210

NIPS (network intrusion prevention systems), 187

NIST. See U.S. National Institute of Standards and Technology

nondisclosure agreements (NDAs), 134

nonrepudiation

     cybersecurity and, 16

     EHRs and, 284

     MSR model and concept of, 28–29

     retail data and, 294

    O

object, 197

Observe, Orient, Decide, and Act (OODA) loop, 60–61

occupant emergency plan (OEP), 267–268

OCMM (Organizational Change Maturity Model), 98

OCTAVE standards, 11

OECD (Organization for Economic Co-operation and Development), 66, 133

OEP (occupant emergency plan), 267–268

off-premise safety of equipment, 170–171

office security, 166, 167

OODA (Observe, Orient, Decide, and Act) loop, 60–61

operating system backups, 272

operational controls, 41

operational losses, 21

optical media forensics, 247–248

Organization for Economic Co-operation and Development (OECD), 66, 133

Organizational Change Maturity Model (OCMM), 98

organizations. See also crisis management; senior management; and specific industries

     aligning BCM to business of, 260–261

     balancing risks and controls, 41–43

     BCM strategies for, 262

     benefits of risk management for, 111–112

     business continuity plan for, 266

     classifying assets, 103–109

     continuous monitoring of, 42–43, 158, 218–219

     developing information assurance strategy for, 5–8

     identifying business needs, 259–261

     information assurance architecture for small, 26

     levels of security controls for, 77

     loss of image and reputation by, 22

     managing information assurance, 55–56, 73

     maturity of, 97–98

     monitoring employees, 205

     MSR and protection of systems in, 17

     need for IDS, 204

     openness in personal data policies, 66

     operational losses and risk management, 21

     risk-based approach to information assurance, 7

     roles supporting C&A, 143–144

     security officers within, 74

     technological confidence of, 17

     vulnerabilities created within, 367–373

     writing information assurance documents, 6

Out of the Crisis (Deming), 221

outsourcing information assurance

     challenges when, 98–99

     cloud security, 79

     policy documents needed when, 124

     questions about, 73

ownership of assets, 102–103

    P

paradigm paralysis, 119

party, 197

passwords

     identity management and, 29

     sample policy for, 379–381

patent laws, 65

PCI-DSS (Payment Card Industry Data Security Standard)

     about, 22, 69, 295

     requirements for, 300

     vulnerability scanner compliance with, 206

PDCA (Plan-Do-Check-Act) cycle

     Act phase, 57, 60

     applying to healthcare management, 285

     Check phase, 57, 59–60

     Do phase, 57, 58, 59

     improving processes with, 3, 56

     ISO/IEC 27001 standards and, 56

     managing security with, 57–58, 83

     Plan phase, 57, 58–59

Peltier, Thomas R., 355

penalties, 20–21

penetration tests, 215–217

     assessing events and incidents with, 240

     external, 215

     internal, 215

     need for, 205

     wireless, 215–217

people. See also customers; employees; privacy

     individual’s legal rights to data, 66

     role in implementing information assurance, 75–77

phishing, 39

physical and environmental security, 163–174

     benefits of controls for, 163

     clear desk and clear screen policy, 172

     critical thinking exercises, 174, 341–342

     disposal and reuse of equipment, 171–172

     healthcare organizations and, 290

     ICSs and, 318

     layered defense approaches for, 164

     main threats to, 163

     managing removable media, 172–173

     network information security vs., 151

     physical security of premises, 165–167

     recommended reading, 173–174

     retail organization, 306

     safeguarding equipment, 167–171

     using physical entry controls, 165–166

physical attacks, 37

physical controls, 217

physical entry controls, 165–166

physical/facility management. See also physical and environmental security

     facility disaster recovery plans, 266

     security responsibilities of, 94

     using physical entry controls, 165–166

PIRST (Privacy Incident Response System), 113

PKI (Public Key Infrastructure), 30, 188–189

plain text, 43

Plan phase (PDCA cycle), 57, 58–59

planning process

     implementation approaches for, 75–81

     incident-handling policies and responses, 233–234

     overview, 71–72

     physical security and disaster, 166

     quick answers about, 72–74

     risk management, 112, 113–114

     SDLC security, 156

PLCs (programmable logic controllers), 311

point-of-sale (POS) systems, 294, 306

policy, 123–130

     clear desk and clear screen, 172

     components of document, 129

     critical thinking exercises, 130, 337

     de minimis, 136

     defining framework of, 127

     developing healthcare organizational, 288–289

     development steps for, 126

     documenting, 127–128

     enforcing, 128–129

     examples of, 125, 126

     gathering information about, 127

     guidelines vs., 125

     hierarchy of documents for, 124

     ICSs, 316–317

     importance of, 123–124

     incident-handling, 233

     recommended reading on, 129–130

     retail organizations, 304–305

     review and approval of, 128

     risk management, 114

     sample password, 379–381

     standards vs., 124–125

POS (point-of-sale) systems, 294, 306

preparation phase, 233–234

preventive tools and techniques, 185–195

     backups, 190

     change and configuration management, 190–191

     content filters, 186

     critical thinking exercises, 195, 343–345

     cryptographic protocols and tools, 186–187

     firewalls, 187

     IT support, 191–192

     media controls and documentation, 192

     network intrusion prevention systems, 187

     patch management, 192–194

     PKI technology, 30, 188–189

     proxy servers, 187–188

     recommended reading on, 194–195

     VPNs, 190

privacy

     about, 31–32

     confidentiality vs., 31

     employee monitoring and rights of, 135, 136, 137, 205, 218

     invasion of, 38–39

     laws pertaining to, 65–67, 387–392

     retail data and customer capture systems, 294, 301

Privacy Act (U.S.), 32

Privacy Incident Response System (PIRST), 113

private keys, 30, 44, 188

procedures

     developing healthcare organization, 288–289

     ICSs, 316–317

     policy in relation to, 124, 126

     processes vs., 3

     retail organization, 304–305

     shortcomings in, 375–377

process-level strategies, 262

processes

     C&A, 144–147

     improving with PDCA cycle, 3, 56

     incident handling, 232–240

     procedures vs., 3

     risk analysis, 112, 117–118

     role in implementing information assurance, 75–77

professional organizations, 49–54

     certification standards of, 50

     codes of ethics, 52–53

     critical thinking exercises, 54, 332

     deciding among certification of, 52

     recommended reading on, 54

programmer responsibilities, 93

protocols

     types of VPN, 190

     using encryption, 186–187

provisional ATO, 144

proxy servers, 187–188

Public Key Infrastructure (PKI), 30, 188–189

public keys

     about, 30, 44

     encryption of, 44

     public key cryptography, 188

    Q

QSAs (qualified security assessors), 301

    R

RA (registration authority), 188, 189

RAID configurations, SAN-based tape backups and, 275

RBAC (role-based access control) model, 198–200

recommended reading

     access controls, 202

     asset management, 108–109

     AT&E, 182–183

     backups, 280

     BCM, 270

     C&A, 147–148

     complete list of, 405–419

     computer forensics, 253–255

     healthcare, 291–292

     human resource assurance, 139–140

     IAMS, 61–62

     ICSs (industrial control systems), 322–324

     implementing information assurance, 80

     incident handling, 240

     information assurance concepts, 46–47

     information assurance standards, 69–70

     managing information assurance, 100

     measurements and metrics, 227

     monitoring, 219–220

     physical and environmental security, 173–174

     policy, 129–130

     preventive tools and techniques, 194–195

     principles of information assurance, 22–23

     professional organizations, 54

     retail organizations, 308

     risk management, 120–121

recovery phase, 238–239

recovery point objective (RPO), 261, 272, 273

recovery time objective (RTO), 261, 272–273

recruiting employees, 131–134

     defining level of confidentiality or sensitivity, 133

     hiring process, 85, 133–134

     including security in job descriptions, 132

     legal documents protecting information, 134

     training new employees, 137–138

redundant mirror drives, 274

references. See recommended reading

registration authority (RA), 188, 189

regulations. See laws and regulations

reliability of forensic evidence, 253

removable media, 172–173

reporting

     incidents, 230–232

     integrating risk management into, 120

reputation, organizational, 22

resource recovery strategies, 262–264

restoring data, 279

retail organizations, 293–308. See also PCI-DSS

     access control for, 307

     assessing risk, 303–304

     assets of, 302

     AT&E for, 306–307

     business continuity and backups for, 307

     certification, accreditation, and assurance for, 305–306

     certifying and training personnel of, 299

     continuous monitoring, incident response, and forensics, 307

     critical thinking exercises, 308, 352–353

     information assurance approach to, 293–295

     legal actions against senior management of, 301–302, 305

     mitigating risk, 304–308

     need for information assurance, 281

     physical and environmental security for, 306

     privacy laws applying to, 301

     recommended reading, 308

     regulations and legal requirements for, 300–301

     risk management for, 301–304

     security breaches of, 295–299, 301–302

     system development and acquisition issues in, 306

     threats on, 302

     vulnerabilities of, 303

retaining backups, 277–278

return on investment (ROI), 76

reverse malware engineers, 238

reviewing

     controls, 42

     policy and approving, 128

     review phase, 239–240

Rumsfeld, Donald H., 25

risk analysis table, 383–386

risk assessments

     about BCM, 261

     healthcare organizations and, 287

     identifying for ICSs, 315–316

     retail organizations, 303–304

risk dashboards, 119

risk management, 111–122

     asset analysis, 112, 114

     background planning in, 112, 113–114

     benefits of, 111–112

     C&A and, 143

     critical thinking exercises for, 121, 336–337

     evaluating product C&A, 145, 147

     ICSs and, 312–316

     identifying risks, 112, 117

     integrating with other practices, 120

     mitigating risk, 149–151

     monitoring risk, 112, 119

     planning, 72–73

     providing for healthcare organizations, 287

     recommended reading on, 120–121

     retail organizations, 301–304

     risk analysis process, 112, 117–118

     sample risk analysis table, 383–386

     security responsibilities for, 95

     threat analysis, 112, 114–116

     treatment of risks, 112, 118–119

     vulnerability analysis, 112, 116–117

risk matrix, 117, 118

risks. See also risk management

     assets, threats, vulnerabilities, controls and, 32–33

     balance between controls and, 41–43

     defined, 2, 33

     due diligence in understanding, 20

     evaluating for patches, 193–194

Rivest, Shamir, and Adleman (RSA) encryption algorithm, 44

ROI (return on investment), 76

role-based access control (RBAC) model, 198–200

roles and responsibilities

     IAMS employee, 85–86

     sharing information and responsibilities, 19

rotation of duties, 136

RPO (recovery point objective), 261, 272, 273

RSA (Rivest, Shamir, and Adleman) encryption algorithm, 44

RTO (recovery time objective), 261, 272–273

rules of evidence, 252–253

    S

SaaS (Software as a Service), 159, 269

SAN-based tape backups, 274–275

SANS (SysAdmin, Audit, Network and Security) Institute, 3, 51, 52–53

Sarbanes-Oxley Act (SOX), 67, 133, 206

SCADA (supervisory control and data acquisition system), 310

scanners. See vulnerability scanners

scheduling backups, 277

SDLC (software development life cycle)

     certification programs in, 3

     incorporating security into, 34, 153–154

     information assurance in phases of, 155–158

     overview of, 154–155

     work of information assurance teams in, 159–161

SE (social engineering) attacks, 37

secure software development life cycle. See SSDLC

secure work areas, 166

security. See also incident handling

     acronyms in, 421–426

     basing on information life cycle model, 56–57

     breaches in retail, 295–299, 301–302

     checklist for, 393–404

     considering levels of controls for, 77

     continuous implementation of, 3

     courses and certification in, 3

     cybersecurity, 16

     duress alarms, 167

     encryption for, 45

     including in job scope/descriptions, 132

     PDCA cycle for managing, 57–58

     policies for, 124

     practicing proper media disposal, 151

     protecting physical, environmental, and network information, 151

     safeguarding personal data, 66

     separation of duties for, 133

     standards and best practices for, 68–69

     types of policy documents, 124

Security Information and Event Management (SIEM), 210–211, 231

security officers, 74

security perimeter protection, 165

segmentation, 26

senior management, 86–91

     accrediting official, 90–91

     CEO, 86–87

     CIO, 88–89

     CISO, 89

     commitment to information assurance, 178

     critical thinking exercises for, 12, 328

     CRO, 87–88

     CSO, 90

     guidelines for monitoring employees, 135

     integrating risk management into organization, 120

     legal actions against retail, 301–302, 305

     recruiting employees, 131–134

     retail information assurance support by, 299

     reviewing and approving policies, 124, 128

     supporting BCM implementation, 258

     terminating employees, 138–139

     understanding Chernobyl Blindness, 119

sensors and alarms, 217

separation of duties, 133

servers, proxy, 187–188

service providers

     auditing, 99

     Internet, 230, 236

     staffing for, 93–94

SIEM (Security Information and Event Management), 210–211, 231

signatures

     digital, 28

     malware detection of, 212

     NIPS checks for, 187

Sleuth Kit, The, 250

smartcards, 31

smoke and fire detectors, 217

smoke hazards, 169

social engineering (SE) attacks, 37

software. See also SDLC

     backup, 275–276

     BYOS, 137, 171

     containerization, 137

     patch management for, 192–194

     Software as a Service, 159, 269

Software as a Service (SaaS), 159, 269

software development life cycle. See SDLC

South Korean Financial Supervisory Commission (FSC), 302, 305

SOX (Sarbanes-Oxley Act), 67, 133, 206

spamming, 40

spear phishing, 39

sprinklers, 169

spyware, 22

SSCP (Systems Security Certified Professional) certification, 50

SSDLC (secure software development life cycle)

     about, 153

     incorporating security into, 34, 153–154

staffing

     common control providers, 95–96

     information assurance units, 91–93

     information system owners, 95

     responsibilities of users, 96

     roles and responsibilities for IAMS, 85–86

     senior management, 86–91

     supporting functions, 94–95

     technology and service providers, 93–94

Standards Association of Australia, 118

standard threat profile (STP), 113

standards. See also ISO standards; MSR model

     applying NIST SP 800-60, 105–106

     characteristics of professional standards, 50

     critical thinking exercise for, 70, 333

     defined, 124

     defining separation of duties, 133

     developing for healthcare organizations, 288–289

     ICSs, 316–317

     Information Technology Infrastructure Library service delivery model, 97

     NIST SP 800-30, 117

     NIST SP 800-94, 210

     providing auditing frameworks, 11

     recommended reading on, 69–70

     retail organizations, 304–305

     summary of best practices and, 68–69

     supporting policy, 124–126

state detection, 213

state privacy laws, 391–392

steganography, 246

STP (standard threat profile), 113

strategies

     aligning BCM to business, 260–261

     defense-in-depth, 25–28, 164

     designing backup, 208

     developing information assurance, 5–8

     information assurance and organizational, 7

     levels of BCM, 262

subject, 197

supervisory controls, 135

supply chain management systems, 266, 294

surveillance cameras, 306

symmetric cryptography, 186, 188

symmetric encryption, 43–44

SysAdmin, Audit, Network and Security (SANS) Institute, 3, 51, 52–53

system development and acquisition, 153–162

     adding information assurance in SDLC, 159–161

     benefits of adding security to, 153–154

     critical thinking exercises, 161–162, 339–341

     healthcare standards for, 289

     ICSs and, 318, 319

     information assurance in SDLC phases, 155–158

     issues for retail organizations, 306

     overview of SDLC, 154–155

     recommended reading, 161

system/network administrators, 94, 278–279

Systems Security Certified Professional (SSCP) certification, 50

    T

tablet forensics, 248–249

tape media backups, 274, 278

Target, 21, 31–32, 298, 299, 305

TCO (total cost of ownership), 76

teams

     ad hoc formation of, 56

     adding information assurance in SDLC, 159–161

     computer forensic, 243–244, 253

     designing AT&E programs, 179

     developing change management processes, 160

     establishing IAMS for, 55–56

     objectives of BCM, 257–258

technical attacks, 37

technical controls, 41

technical failure, 364–366

technology

     disaster recovery plan for, 266

     PKI, 30, 188–189

     role in implementing information assurance, 75–77

     selecting media for backups, 271–273

     shortcomings creating vulnerabilities in, 373–375

technology provider responsibilities, 93–94

terminating employees, 138–139

terrorism, 36

testing

     awareness levels, 179–180

     BCM plan, 269

     SDLC security implementation, 157

theft prevention, 34, 164

threat analysis, 112, 114–116

threats, 33–40

     attackers as, 35–37

     common, 355–366

     defined, 2, 33

     deliberate acts, 357–362

     employee sabotage, 37–38

     errors and negligence as, 33–34

     force majeure, 355–357

     fraud and theft, 34

     healthcare industry, 287

     human failure, 362–364

     identifying asset, 112, 114–116

     identifying for ICSs, 315

     industrial espionage, 38

     invasion of privacy, 38–39

     kinds of retail organization, 302

     loss of infrastructure, 34

     malware, 35

     phishing and spear phishing, 39

     physical and environmental, 163

     spamming, 40

     technical failure, 364–366

     vulnerability analysis for, 112, 116–117

tools

     Computer Forensics Tool Testing program, 246

     forensic, 250

     personnel monitoring, 217

     recommended reading for preventive, 194–195

top-down approach

     about, 2, 78

     costs associated with, 79–80

     ICSs use of, 311

     situations where suitable for information assurance, 206

     useful for retail organizations, 299

total cost of ownership (TCO), 76

trade secrets, 65, 313

trademarks laws, 65

training. See AT&E

treating risks, 112, 118–119

Trojan horse, 212

    U

UPS equipment, 169

US-CERT (U.S. Computer Emergency Readiness Team), 40, 231, 243, 321

U.S. Department of Homeland Security (DHS), 231

U.S. Federal Bureau of Investigation

     Internet Crime Report, 21

     U.S. InfraGard Program, 113

U.S. Federal Emergency Management Agency (FEMA), 302

U.S. InfraGard Program, 113

U.S. National Initiative for Cybersecurity Education (NICE), 132

U.S. National Institute of Standards and Technology (NIST), 68, 79

     accrediting official responsibilities, 90

     Computer Forensics Tool Testing program, 246

     role definitions of, 86

     SP 800-12, 68

     SP 800-30, 117

     SP 800-60, 105–106

     SP 800-82, 321–322

     standards of, 11, 104–105

users

     getting information about vulnerabilities, 40

     password policies for, 379–381

     responsibilities of, 96

     unique identifiers for, 30

    V

Verizon Data Breach Investigations Reports, 9–10

virtual machines (VMs), 250–251

virtual private networks (VPNs), 190

virtual system forensics, 250–251

virtual tape libraries (VTL), 274

virus, 212

visitor access, 165–166

VMs (virtual machines), 250–251

von Moltke, Helmuth, 25

VPNs (virtual private networks), 190

VTL (virtual tape libraries), 274

vulnerabilities, 367–387

     defined, 33, 40

     healthcare industry, 287

     identifying for ICSs, 315

     organizational shortcomings, 367–373

     procedural shortcomings, 375–377

     relationships among assets, threats, risks, controls and, 32–33

     retail organization, 303

     technical shortcomings, 373–375

vulnerability analysis, 112, 116–117

vulnerability scanners, 213–215

     about, 23

     database, 214

     distributed network scanners, 214–215

     host-based scanners, 214

     network-based scanners, 214

     selecting, 206

     standards for, 213–214

    W

water damage, 168–169

web sites, content filters for, 185

WEP (Wired Equivalent Privacy) keys, 216

white-hat hackers, motivation of, 36–37

wireless penetration tests, 215–217

workforce management systems, 294

worm, 212
