Managing Information Security [NOOK Book]


NOOK Book (eBook): $28.49 BN.com price (list price $49.95, save 42%)

Overview

Managing Information Security offers focused coverage of how to protect mission critical systems, how to deploy security management systems, IT security, ID management, intrusion detection and prevention systems, computer forensics, network forensics, firewalls, penetration testing, vulnerability assessment, and more. It offers in-depth coverage of the current technology and practice as it relates to information security management solutions. Individual chapters are authored by leading experts in the field and address the immediate and long-term challenges in the authors’ respective areas of expertise.



  • Chapters contributed by leaders in the field covering foundational and practical aspects of information security management, allowing the reader to develop a new level of technical expertise found nowhere else
  • Comprehensive coverage by leading experts allows the reader to put current technologies to work
  • Presents methods of analysis and problem-solving techniques, enhancing the reader’s grasp of the material and ability to implement practical solutions

Product Details

  • ISBN-13: 9781597495349
  • Publisher: Elsevier Science
  • Publication date: 3/3/2010
  • Sold by: Barnes & Noble
  • Format: eBook
  • Edition number: 1
  • Pages: 320
  • Sales rank: 1,124,220
  • File size: 3 MB

Meet the Author

John Vacca is an information technology consultant, professional writer, editor, reviewer and internationally-known, best-selling author based in Pomeroy, Ohio. Since 1982, John has authored 72 books, including:

  • Identity Theft (Cybersafety) (Chelsea House, April 1, 2012)
  • System Forensics, Investigation, and Response (Jones & Bartlett Learning, September 24, 2010)
  • Managing Information Security (Syngress, an imprint of Elsevier Inc., March 29, 2010)
  • Network and Systems Security (Syngress, an imprint of Elsevier Inc., March 29, 2010)
  • Computer and Information Security Handbook (Morgan Kaufmann, an imprint of Elsevier Inc., June 2, 2009)
  • Biometric Technologies and Verification Systems (Elsevier Science & Technology Books, March 16, 2007)
  • Practical Internet Security (hardcover; Springer, October 18, 2006)
  • Optical Networking Best Practices Handbook (hardcover; Wiley-Interscience, November 28, 2006)
  • Computer Forensics: Computer Crime Scene Investigation (with CD-ROM), 2nd Edition (Charles River Media, May 26, 2005)

John Vacca has also written more than 600 articles in the areas of advanced storage, computer security, and aerospace technology (copies of articles and books are available upon request). John was also a configuration management specialist, computer specialist, and the computer security official (CSO) for NASA's space station program (Freedom) and the International Space Station Program from 1988 until his retirement from NASA in 1995. In addition, John is an independent online book reviewer. Finally, John was one of the security consultants for the MGM film AntiTrust, released on January 12, 2001.

Read an Excerpt

Managing Information Security


SYNGRESS

Copyright © 2010 ELSEVIER Inc.
All rights reserved.

ISBN: 978-1-59749-534-9


Chapter One

Information Security Essentials for IT Managers: Protecting Mission-Critical Systems

Albert Caballero, Terremark Worldwide, Inc.

Information security involves the protection of organizational assets from the disruption of business operations, modification of sensitive data, or disclosure of proprietary information. The protection of this data is usually described as maintaining the confidentiality, integrity, and availability (CIA) of the organization's assets, operations, and information.

1. Information Security Essentials for IT Managers, Overview

Information security management as a field is ever increasing in demand and responsibility. Most organizations spend a growing share of their IT budgets on managing risk and mitigating intrusions, and many enterprises are moving their IT operations onto Internet-connected infrastructure (enterprise cloud computing), which widens the attack surface they have to manage. For information security managers, it is crucial to maintain a clear perspective of all the areas of business that require protection. Through collaboration with all business units, security managers must work security into the processes of every part of the organization, from employee training to research and development. Security is not an IT problem; it is a business problem.

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Scope of Information Security Management

Information security is a business problem in the sense that the entire organization must frame and solve security problems based on its own strategic drivers, not solely on technical controls aimed at mitigating one type of attack. As this chapter shows, security goes beyond technical controls and encompasses people, technology, policy, and operations in a way that few other business objectives do. The shift from a technical-solution paradigm to a risk-based paradigm has made it clear that a secure organization does not result from securing technical infrastructure alone. Securing the technical infrastructure cannot by itself protect the information that lives on it, nor will it protect the many information assets, such as paper records and what employees know, that do not depend on technology for their existence or protection. An organization that relies on protecting its technical infrastructure alone is lulled into a false sense of security.

CISSP 10 Domains of Information Security

In the information security industry there have been several initiatives to define security management and how and when to apply it. The leading certifier of information security professionals is (ISC)², the International Information Systems Security Certification Consortium, with its CISSP certification (see sidebar, "CISSP 10 Domains: Common Body of Knowledge"). In defining the required skills for information security managers, (ISC)² arrived at 10 domains of information security known as the Common Body of Knowledge (CBK); this was the structure of the CBK when this chapter was written, and it has since been reorganized. Every security manager must understand and be well versed in all areas of the CBK.

In addition to individual certification there must be guidelines that turn these skills into actionable items that can be measured and verified against an international standard or framework. The most widely used standard for maintaining and improving information security is ISO/IEC 17799:2005 (renumbered ISO/IEC 27002 in 2007, with the same content). ISO 17799 (see Figure 1.1) establishes guidelines and principles for initiating, implementing, maintaining, and improving information security management in an organization.

A new and popular framework to use in conjunction with the CISSP CBK and the ISO 17799 guidelines is ISMM. ISMM is a framework (see Figure 1.2) that describes a five-level evolutionary path of increasingly organized and systematically more mature security layers. It is proposed for the maturity assessment of information security management and the evaluation of the level of security awareness and practice at any organization, whether public or private. Furthermore, it helps us better understand where, and to what extent, the three main processes of security (prevention, detection, and recovery) are implemented and integrated.

ISMM helps us better understand the application of information security controls outlined in ISO 17799. Figure 1.3 shows a content matrix that defines the scope of applicability between various security controls mentioned in ISO 17799's 10 domains and the corresponding scope of applicability on the ISMM Framework.

What Is a Threat?

Threats to information systems come in many flavors: some carry malicious intent, others are forces of nature or plain accidents. Threats can be deliberate acts of espionage, information extortion, or sabotage, as in many targeted attacks between nations; more often than not, however, the biggest threats are forces of nature (hurricane, flood) or human error and failure. It is easy to become consumed in attempting to anticipate and mitigate every threat, but this is simply not possible. Threat agents are threats only when they are given the opportunity to take advantage of a vulnerability, and even then there is no guarantee that the vulnerability will be exploited. Therefore, determining which threats matter can only be done in the context of your organization. The process by which a threat actually damages your information assets runs as follows: a threat agent gives rise to a threat, which exploits a vulnerability, which leads to a security risk that can damage your assets and cause an exposure. The chain is countered by a safeguard that directly affects the threat agent. Figure 1.4 shows the building blocks of the threat process.

Common Attacks

Threats are realized through a variety of attacks, some technical, others not. Organizations that focus on technical attacks and neglect policies and procedures or employee training and awareness are setting up information security for failure. The idea that the IT department, or even the security department, can secure an organization by itself is as antiquated as black-and-white television. Most threats today are a blend of automated information gathering, social engineering, and combined exploits, giving the perpetrator endless vectors through which to gain access. Examples range from a highly technical remote exploit over the Internet, to social-engineering an administrative assistant into resetting a password, to simply walking through an unprotected door at the back of your building. Each of these can be equally devastating to the organization. Some of the most common attacks are briefly described in the sidebar titled "Common Attacks."

Impact of Security Breaches

The impact of security breaches on most organizations can be devastating; however, it's not just dollars and cents that are at stake. Aside from the financial burden of having to deal with a security incident, especially if it leads to litigation, other factors could severely damage an organization's ability to operate, or damage the reputation of an organization beyond recovery. Some of the preliminary key findings from the 2008 CSI/FBI Security Report [14] (see Figure 1.8) include

• Financial fraud cost organizations the most, with an average reported loss of close to $500,000.

• The second most expensive activity was dealing with bots within the network, reported to cost organizations an average of nearly $350,000.

• Virus incidents occurred most frequently, respondents said—at almost half (49%) of respondent organizations.

Some things to consider:

• How much would it cost your organization if your ecommerce Web server farm went down for 12 hours?

• What if your mainframe database that houses your reservation system was not accessible for an entire afternoon?

• What if your Web site was defaced and redirected all your customers to a site serving malicious JavaScript?

• Would any of these scenarios significantly impact your organization's bottom line?

2. Protecting Mission-Critical Systems

The IT core of any organization is its mission-critical systems: the systems without which the organization, whether it builds aircraft carriers for the U.S. military or packages Twinkies for delivery to food markets, could not operate. The major components of protecting these systems are detailed throughout this chapter, but with the big picture in mind there are some key components that are crucial for the success and continuity of any organization: information assurance, information risk management, defense in depth, and contingency planning.

Information Assurance

Information assurance is achieved when information and information systems are protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation. The application of these services should be based on the protect, detect, and react paradigm. This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these unexpected attacks.

Information Risk Management

Risk is, in essence, the likelihood that something goes wrong, weighed against the damage it would do to your organization or information assets. Because of these ramifications, an organization should try to reduce risk to an acceptable level; this process is known as information risk management. Risk to an organization and its information assets, like threats, comes in many forms. Some of the most common risks and/or threats are

• Physical damage. Fire, water, vandalism, power loss, and natural disasters.

• Human interaction. Accidental or intentional action or inaction that can disrupt productivity.

• Equipment malfunctions. Failure of systems and peripheral devices.

• Internal or external attacks. Hacking, cracking, and attacking.

• Misuse of data. Sharing trade secrets; fraud, espionage, and theft.

• Loss of data. Intentional or unintentional loss of information through destructive means.

• Application error. Computation errors, input errors, and buffer overflows.

The idea of risk management is that threats of any kind must be identified, classified, and evaluated to calculate their damage potential [17]. This is easier said than done.

Administrative, Technical, and Physical Controls

Controls are commonly grouped into three classes: administrative, technical, and physical.

• Administrative controls consist of organizational policies and guidelines that help minimize the exposure of an organization. They provide a framework by which a business can manage and inform its people how they should conduct themselves while at the workplace and provide clear steps employees can take when they're confronted with a potentially risky situation. Some examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies that form the basis for the selection and implementation of logical and physical controls. Administrative controls are of paramount importance because technical and physical controls are manifestations of the administrative control policies that are in place.

• Technical controls use software and hardware resources to control access to information and computing systems, to help mitigate the potential for errors and blatant security policy violations. Examples of technical controls include passwords, network- and host-based firewalls, network intrusion detection systems, and access control lists and data encryption. Associated with technical controls is the Principle of Least Privilege, which requires that an individual, program, or system process is not granted any more access privileges than are necessary to perform the task.

• Physical controls monitor and protect the physical environment of the workplace and computing facilities, and monitor and control access to and from such facilities. Separating the network and workplace into functional areas is also a physical control. Separation of duties, which ensures that no individual can complete a critical task alone, is often listed alongside these controls, though many frameworks class it as an administrative control.
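The two principles named above, least privilege and separation of duties, can be turned into machine-checkable policy rather than left as policy text. The following is an added example in Python, not code from the book: the roles, permissions, users, the pairs of permissions treated as incompatible, and the "observed usage" data are all constructed for illustration. It shows default-deny authorization (the technical face of least privilege), a separation-of-duties check over role assignments, and a least-privilege review that flags granted-but-unused permissions.

```python
"""Least privilege and separation of duties as executable policy checks.

Added example, not from the book. Roles, permissions, users, toxic pairs and
observed usage below are constructed for illustration.
"""

# Role -> permissions it grants. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "payments_clerk": {"payment:create"},
    "payments_approver": {"payment:approve"},
    "auditor": {"payment:read", "ledger:read"},
    "dba": {"ledger:read", "ledger:write", "backup:run"},
}

# Permission pairs that let one person complete a critical task alone
# (e.g. create a payment and approve it). Constructed for the example.
TOXIC_COMBINATIONS = [
    ("payment:create", "payment:approve"),
    ("ledger:write", "backup:run"),
]


def permissions_for(roles):
    """Union of the permissions granted by a user's roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(roles, permission):
    """Default deny: a request is allowed only if some role explicitly grants it."""
    return permission in permissions_for(roles)


def sod_violations(assignments):
    """Return (user, perm_a, perm_b) for every user holding an incompatible pair."""
    violations = []
    for user, roles in assignments.items():
        perms = permissions_for(roles)
        for a, b in TOXIC_COMBINATIONS:
            if a in perms and b in perms:
                violations.append((user, a, b))
    return violations


def excess_privileges(assignments, observed_usage):
    """Least-privilege review: permissions granted but never exercised per user."""
    excess = {}
    for user, roles in assignments.items():
        unused = permissions_for(roles) - observed_usage.get(user, set())
        if unused:
            excess[user] = unused
    return excess


# Constructed sample data: who holds which roles ...
ASSIGNMENTS = {
    "alice": ["payments_clerk"],
    "bob": ["payments_clerk", "payments_approver"],  # can create and approve: SoD violation
    "carol": ["auditor"],
    "dave": ["dba"],                                 # ledger:write + backup:run: SoD violation
}
# ... and which permissions each person actually used (e.g. from 90 days of access logs).
OBSERVED_USAGE = {
    "alice": {"payment:create"},
    "bob": {"payment:create"},
    "carol": {"payment:read"},  # holds ledger:read but never used it
    "dave": {"ledger:read", "ledger:write", "backup:run"},
}

if __name__ == "__main__":
    print("clerk may approve?", is_allowed(["payments_clerk"], "payment:approve"))
    print("SoD violations:", sod_violations(ASSIGNMENTS))
    print("unused privileges:", excess_privileges(ASSIGNMENTS, OBSERVED_USAGE))
```

The point of `excess_privileges` is that least privilege is not a one-time grant decision: entitlements drift, so the granted set has to be compared against what was actually exercised and trimmed on a schedule.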

Risk Analysis

During risk analysis there are several measures that can help quantify risk. Before risk can be measured, though, the organization must identify the vulnerabilities and threats against its mission-critical systems in terms of business continuity. During risk analysis, an organization evaluates the cost of each security control that helps mitigate the risk. If the control is cost effective relative to the exposure of the organization, then the control is put in place. The measure of risk can be expressed as a product of asset value, threat, and vulnerability, in other words:

Risk = Asset x Threat x Vulnerability

There are two primary types of risk analysis: quantitative and qualitative. Quantitative risk analysis attempts to assign meaningful numbers to all elements of the risk analysis process. It is recommended for large, costly projects that require exact calculations. It is typically performed to examine the viability of a project's cost or time objectives. Quantitative risk analysis provides answers to three questions that cannot be addressed with deterministic risk and project management methodologies such as traditional cost estimating or project scheduling:

• What is the probability of meeting the project objective, given all known risks?

• How much could the overrun or delay be, and therefore how much contingency is needed for the organization's desired level of certainty?

• Where in the project is the most risk, given the model of the project and the totality of all identified and quantified risks?

Qualitative risk analysis does not assign numerical values but instead opts for general categorization by severity levels. Where little or no numerical data is available for a risk assessment, the qualitative approach is the most appropriate. The qualitative approach does not require heavy mathematics; instead, it depends on the people participating and their backgrounds. Qualitative analysis enables classification of risk drawn from the experience and knowledge of the participants, captured within the process. Ultimately, it is not an exact science, so the process relies on expert opinion for its base assumptions. The assessment process uses a structured and documented approach and agreed likelihood and consequence evaluation tables. It is also quite common to express risk in quantitative terms as a single loss expectancy (SLE) or annual loss expectancy (ALE) by project or business function: SLE is the asset value multiplied by the exposure factor (the fraction of the asset lost in one incident), and ALE is SLE multiplied by the annualized rate of occurrence.
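The quantitative arithmetic (SLE, ALE, and the cost-effectiveness test for a control) and the qualitative likelihood/consequence tables described above are short enough to run end to end. The following is an added example in Python, not code from the book. It works the chapter's own "12-hour ecommerce Web server farm outage" question with constructed figures: the hourly revenue, outage rates, control cost, and the 5x5 rating bands are assumptions to be replaced with your organization's numbers.

```python
"""Risk analysis arithmetic, made executable.

Added example, not code from the book. Asset values, exposure factors,
rates of occurrence, control costs and the 5x5 rating bands are constructed
assumptions; substitute your own figures.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction in [0, 1]")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, annual_rate_of_occurrence):
    """ALE = SLE x ARO (expected incidents per year; may be fractional)."""
    if annual_rate_of_occurrence < 0:
        raise ValueError("rate of occurrence cannot be negative")
    return sle * annual_rate_of_occurrence


def evaluate_safeguard(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Compare ALE with and without a safeguard.

    A safeguard is cost effective when the ALE it removes exceeds what it
    costs to run for a year: (ALE_before - ALE_after) - annual_cost > 0.
    """
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    net_benefit = (ale_before - ale_after) - annual_cost
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": net_benefit,
        "adopt": net_benefit > 0,
    }


# Qualitative analysis: agreed likelihood and consequence tables instead of money.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualitative_rating(likelihood, consequence):
    """Map a likelihood/consequence pair onto a four-band rating via a 5x5 matrix."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Constructed scenario: the chapter's 12-hour ecommerce web farm outage.
HOURLY_REVENUE = 40_000.0                 # assumed revenue flowing through the farm
ASSET_VALUE = HOURLY_REVENUE * 24 * 365   # one year of revenue through the farm
EF_12H = 12 / (24 * 365)                  # fraction of that value lost in a 12-hour outage

# Without a safeguard: two such outages a year. With a second, load-balanced
# site costing 300,000 a year: outages still last 12 hours but occur once in four years.
WEB_FARM_OUTAGE = evaluate_safeguard(
    ASSET_VALUE, ef_before=EF_12H, aro_before=2.0,
    ef_after=EF_12H, aro_after=0.25, annual_cost=300_000.0,
)

if __name__ == "__main__":
    for key, value in WEB_FARM_OUTAGE.items():
        print(f"{key}: {value}")
    print("defacement, likely/major:", qualitative_rating("likely", "major"))
```

With these assumptions the outage costs 480,000 per incident (SLE) and 960,000 a year (ALE); the second site brings the ALE to 120,000, so it pays for itself with 540,000 to spare. Change the assumed rate of occurrence and the decision can flip, which is exactly why the ARO and exposure factor need to be defended with evidence rather than guessed.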

Defense in Depth

The principle of defense in depth is that layered security mechanisms increase security of a system as a whole. If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system [19]. This is a process that involves people, technology, and operations as key components to its success; however, those are only part of the picture. These organizational layers are difficult to translate into specific technological layers of defenses, and they leave out areas such as security monitoring and metrics. Figure 1.9 shows a mind map that organizes the major categories from both the organizational and technical aspects of defense in depth and takes into account people, policies, monitoring, and security metrics.

(Continues...)



Excerpted from Managing Information Security Copyright © 2010 by ELSEVIER Inc.. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

Ch 1  Information Security Essentials for IT Managers
Ch 2  Security Management Systems
Ch 3  Information Technology Security Management
Ch 4  Identity Management
Ch 5  Intrusion Prevention and Detection Systems
Ch 6  Computer Forensics
Ch 7  Network Forensics
Ch 8  Firewalls
Ch 9  Penetration Testing
Ch 10 What Is Vulnerability Assessment?


Customer Reviews

Average rating: 5 (1 review)

  • Posted June 7, 2013

    I'm loving McDonalds for fast food... MyDeals247 for the best deals;))
